chore(release): build 01.02.00-rc [skip ci]

- SQL schema validation (empty files, version-named updates)
- Manifest file references (verify files/folders exist on disk)
- Form XML validation (well-formed, has field/fieldset elements)
- Deprecated Joomla API check (JFactory, JText, etc — advisory)
- Template output escaping (unescaped <?= $var ?> — advisory)
- Namespace consistency (PHP namespace matches manifest)
- SPDX license header check (advisory)
- Service provider check (interfaces, return statement)

.gitignore

@@ -113,7 +113,7 @@ releases/
 build/
 dist/
 out/
-site/
+/site/
 *.map
 *.css.map
 *.js.map

.mokogitea/manifest.xml

@@ -9,7 +9,7 @@
     <name>Template-Joomla</name>
     <org>MokoConsulting</org>
     <description>Template repository for Joomla extensions (plugins, modules, components, templates)</description>
-    <version>01.01.00</version>
+    <version>01.02.00</version>
     <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
   </identity>
   <governance>

.mokogitea/workflows/auto-bump.yml

@@ -1,66 +1,65 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
+#
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-3.0-or-later
-#
+#
-# FILE INFORMATION
+# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
+# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
+# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.mokogitea/workflows/auto-bump.yml
+# PATH: /.mokogitea/workflows/auto-bump.yml
-# VERSION: 09.02.00
+# VERSION: 09.02.00
-# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
+# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
-
+
-name: "Universal: Auto Version Bump"
+name: "Universal: Auto Version Bump"
-
+
-on:
+on:
-  push:
+  push:
-    branches:
+    branches:
-      - dev
+      - rc
-      - rc
+      - 'feature/**'
-      - 'feature/**'
+      - 'patch/**'
-      - 'patch/**'
+
-
+env:
-env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
-
+permissions:
-permissions:
+  contents: write
-  contents: write
+
-
+jobs:
-jobs:
+  bump:
-  bump:
+    name: Version Bump
-    name: Version Bump
+    runs-on: release
-    runs-on: release
+    if: >-
-    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip bump]') &&
-      !contains(github.event.head_commit.message, '[skip bump]') &&
+      !startsWith(github.event.head_commit.message, 'Merge pull request')
-      !startsWith(github.event.head_commit.message, 'Merge pull request')
+
-
+    steps:
-    steps:
+      - name: Checkout
-      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
-        with:
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          fetch-depth: 1
-          fetch-depth: 1
+
-
+      - name: Setup moko-platform tools
-      - name: Setup moko-platform tools
+        run: |
-        run: |
+          if ! command -v composer &> /dev/null; then
-          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
-          fi
+          if [ -d "/opt/moko-platform/cli" ]; then
-          if [ -d "/opt/moko-platform/cli" ]; then
+            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
-            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
+          else
-          else
+            git clone --depth 1 --branch main --quiet \
-            git clone --depth 1 --branch main --quiet \
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
-              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
+              /tmp/moko-platform-api
-              /tmp/moko-platform-api
+            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
+            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
+          fi
-          fi
+
-
+      - name: Bump version
-      - name: Bump version
+        run: |
-        run: |
+          php ${MOKO_CLI}/version_auto_bump.php \
-          php ${MOKO_CLI}/version_auto_bump.php \
+            --path . --branch "${GITHUB_REF_NAME}" \
-            --path . --branch "${GITHUB_REF_NAME}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"

.mokogitea/workflows/auto-release.yml

@@ -1,285 +1,147 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
+#
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-3.0-or-later
-#
+#
-# FILE INFORMATION
+# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
+# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
+# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
+# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 05.00.00
+# VERSION: 05.00.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
+# BRIEF: Universal build & release � detects platform from manifest.xml
-#
+#
-# +========================================================================+
+# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
+# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
+# +========================================================================+
-# |                                                                        |
+# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
+# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
+# |                                                                        |
-# |  Platform-specific:                                                    |
+# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    joomla:   XML manifest, type-prefixed packages                      |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
+# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
+# |    generic:  README-only, no update stream                             |
-# |                                                                        |
+# |                                                                        |
-# +========================================================================+
+# +========================================================================+
-
+
-name: "Universal: Build & Release"
+name: "Universal: Build & Release"
-
+
-on:
+on:
-  pull_request:
+  pull_request:
-    types: [opened, closed]
+    types: [opened, closed]
-    branches:
+    branches:
-      - main
+      - main
-  workflow_dispatch:
+  workflow_dispatch:
-    inputs:
+    inputs:
-      action:
+      action:
-        description: 'Action to perform'
+        description: 'Action to perform'
-        required: false
+        required: false
-        type: choice
+        type: choice
-        default: release
+        default: release
-        options:
+        options:
-          - release
+          - release
-          - promote-rc
+          - promote-rc
-
+
-env:
+env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
+
-permissions:
+permissions:
-  contents: write
+  contents: write
-
+
-jobs:
+jobs:
-  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
-  promote-rc:
+  promote-rc:
-    name: Promote to RC
+    name: Promote to RC
-    runs-on: release
+    runs-on: release
-    if: >-
+    if: >-
-      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
+      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
-      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
+      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
-
+
-    steps:
+    steps:
-      - name: Checkout repository
+      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
+        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
+          fetch-depth: 1
-
+
-      - name: Setup moko-platform tools
+      - name: Setup moko-platform tools
-        env:
+        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
+        run: |
-          if ! command -v composer &> /dev/null; then
+          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+            echo Using pre-installed /opt/moko-platform
-          fi
+            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
-          # Always fetch latest CLI tools — never use stale cache from previous runs
+          else
-          rm -rf /tmp/moko-platform-api
+            echo Falling back to fresh clone
-          git clone --depth 1 --branch main --quiet \
+            if ! command -v composer > /dev/null 2>&1; then
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
-            /tmp/moko-platform-api
+            fi
-          cd /tmp/moko-platform-api
+            rm -rf /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
-
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
-      - name: Rename branch to rc
+            cd /tmp/moko-platform-api
-        run: |
+            composer install --no-dev --no-interaction --quiet
-          php /tmp/moko-platform-api/cli/branch_rename.php \
+            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
-            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
+          fi
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+
-            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
+      - name: Rename branch to rc
-            --pr "${{ github.event.pull_request.number }}"
+        run: |
-
+          php ${MOKO_CLI}/branch_rename.php \
-      - name: Checkout rc and configure git
+            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
-        run: |
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-          git fetch origin rc
+            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
-          git checkout rc
+            --pr "${{ github.event.pull_request.number }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+
-          git config --local user.name "gitea-actions[bot]"
+      - name: Checkout rc and configure git
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+        run: |
-
+          git fetch origin rc
-      - name: Publish RC release
+          git checkout rc
-        run: |
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          php /tmp/moko-platform-api/cli/release_publish.php \
+          git config --local user.name "gitea-actions[bot]"
-            --path . --stability rc --bump minor --branch rc \
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+
-            --skip-update-stream
+      - name: Publish RC release
-
+        run: |
-      - name: Summary
+          php ${MOKO_CLI}/release_publish.php \
-        if: always()
+            --path . --stability rc --bump minor --branch rc \
-        run: |
+            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
+
-          echo "Branch renamed to rc, minor bump, RC release built (updates.xml managed by Gitea Pages)" >> $GITHUB_STEP_SUMMARY
+      - name: Update RC release notes from CHANGELOG.md
-
+        run: |
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-  release:
+
-    name: Build & Release Pipeline
+          if [ -f "CHANGELOG.md" ]; then
-    runs-on: release
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
-    if: >-
+            [ -z "$NOTES" ] && NOTES="Release candidate"
-      github.event.pull_request.merged == true ||
+          else
-      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
+            NOTES="Release candidate"
-
+          fi
-    steps:
+
-      - name: Checkout repository
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+            "${API_BASE}/releases/tags/release-candidate" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-        with:
+
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          if [ -n "$RELEASE_ID" ]; then
-          fetch-depth: 0
+            python3 -c "
-
+          import json, urllib.request
-      - name: Configure git for bot pushes
+          body = open('/dev/stdin').read()
-        run: |
+          payload = json.dumps({'body': body}).encode()
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          req = urllib.request.Request(
-          git config --local user.name "gitea-actions[bot]"
+              '${API_BASE}/releases/${RELEASE_ID}',
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+              data=payload, method='PATCH',
-
+              headers={
-      - name: Check for merge conflict markers
+                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
-        run: |
+                  'Content-Type': 'application/json'
-          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
+              })
-          if [ -n "$CONFLICTS" ]; then
+          urllib.request.urlopen(req)
-            echo "::error::Merge conflict markers found — aborting release"
+          " <<< "$NOTES"
-            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
+            echo "RC release notes updated from CHANGELOG.md"
-            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
-            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
+
-            echo '```' >> $GITHUB_STEP_SUMMARY
+      - name: Summary
-            exit 1
+        if: always()
-          fi
+        run: |
-          echo "No conflict markers found"
+          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-
+          echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
-        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-
-      - name: "Publish stable release"
-        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability stable --bump minor --branch main \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --skip-update-stream
-
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_mirror.php \
-            --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
-            --branch main 2>&1 || true
-          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
-
-      - name: "Step 11: Delete rc branch and recreate dev from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          # Delete rc branch (ephemeral — created by promote-rc)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/rc" 2>/dev/null \
-            && echo "Deleted rc branch" || echo "rc branch not found"
-
-          # Delete dev branch
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-
-          # Recreate dev from main (now includes version bump + changelog promotion)
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-
-          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
-
-      - name: "Step 12: Create version branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          BRANCH_NAME="version/${VERSION}"
-          MAIN_SHA=$(git rev-parse HEAD)
-
-          # Delete old version branch if it exists (same version re-release)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-
-          # Create version/XX.YY.ZZ from main
-          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-
-          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
-
-
-
-      # -- Dolibarr post-release: Reset dev version -----------------------------
-      - name: "Post-release: Reset dev version"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/version_reset_dev.php \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
-            --branch dev --path . 2>&1 || true
-
-      # -- Summary --------------------------------------------------------------
-      - name: Pipeline Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-          fi

.mokogitea/workflows/ci-generic.yml

@@ -0,0 +1,197 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.CI
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
+# PATH: /.gitea/workflows/ci-generic.yml
+# VERSION: 01.00.00
+# BRIEF: CI pipeline — lint, validate, and test for generic projects (PHP + Node.js)
+
+name: "Generic: Project CI"
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+      - dev/**
+      - rc/**
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Lint & Validate ───────────────────────────────────────────────────
+  lint:
+    name: Lint & Validate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect toolchain
+        id: detect
+        run: |
+          HAS_PHP=false
+          HAS_NODE=false
+          [ -f "composer.json" ] && HAS_PHP=true
+          [ -f "package.json" ] && HAS_NODE=true
+          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
+          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
+          echo "Toolchain: PHP=$HAS_PHP Node=$HAS_NODE"
+
+      - name: Setup PHP
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+          php -v
+
+      - name: Setup Node.js
+        if: steps.detect.outputs.has_node == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install PHP dependencies
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "composer.json" ]; then
+            composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
+          fi
+
+      - name: Install Node.js dependencies
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "package.json" ]; then
+            npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true
+          fi
+
+      - name: PHP syntax check
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              echo "::error file=${file}::PHP syntax error"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -not -path "./node_modules/*" -print0)
+
+          echo "## PHP Lint" >> $GITHUB_STEP_SUMMARY
+          if [ "$ERRORS" -eq 0 ]; then
+            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "${ERRORS} file(s) with syntax errors." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: TypeScript/JavaScript lint
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "node_modules/.bin/eslint" ]; then
+            npx eslint src/ --quiet 2>&1 || { echo "::error::ESLint errors found"; exit 1; }
+            echo "## ESLint" >> $GITHUB_STEP_SUMMARY
+            echo "All files passed ESLint." >> $GITHUB_STEP_SUMMARY
+          elif [ -f ".eslintrc.json" ] || [ -f ".eslintrc.js" ] || [ -f "eslint.config.js" ]; then
+            echo "::warning::ESLint config found but eslint not installed"
+          else
+            echo "No ESLint configured — skipping"
+          fi
+
+      - name: TypeScript compile check
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "tsconfig.json" ] && [ -f "node_modules/.bin/tsc" ]; then
+            npx tsc --noEmit 2>&1 || { echo "::error::TypeScript compilation errors"; exit 1; }
+            echo "## TypeScript" >> $GITHUB_STEP_SUMMARY
+            echo "TypeScript compilation passed." >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: PHPStan static analysis
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "phpstan.neon" ] && [ -f "vendor/bin/phpstan" ]; then
+            vendor/bin/phpstan analyse --no-progress 2>&1 || { echo "::warning::PHPStan found issues"; }
+          fi
+
+  # ── Tests ─────────────────────────────────────────────────────────────
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
+    needs: lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect toolchain
+        id: detect
+        run: |
+          HAS_PHP=false
+          HAS_NODE=false
+          [ -f "composer.json" ] && HAS_PHP=true
+          [ -f "package.json" ] && HAS_NODE=true
+          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
+          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
+
+      - name: Setup PHP
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+
+      - name: Setup Node.js
+        if: steps.detect.outputs.has_node == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          [ -f "composer.json" ] && composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
+          [ -f "package.json" ] && { npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true; }
+
+      - name: Run PHP tests
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "vendor/bin/phpunit" ]; then
+            vendor/bin/phpunit --testdox 2>&1
+            echo "## PHPUnit" >> $GITHUB_STEP_SUMMARY
+            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
+          elif [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
+            echo "::warning::PHPUnit config found but phpunit not installed"
+          else
+            echo "No PHPUnit configured — skipping"
+          fi
+
+      - name: Run Node.js tests
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if jq -e '.scripts.test' package.json > /dev/null 2>&1; then
+            npm test 2>&1
+            echo "## Node.js Tests" >> $GITHUB_STEP_SUMMARY
+            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No test script in package.json — skipping"
+          fi
+
+      - name: Build check
+        run: |
+          if [ -f "Makefile" ]; then
+            make build 2>&1 || echo "::warning::Build failed or not configured"
+          elif [ -f "package.json" ] && jq -e '.scripts.build' package.json > /dev/null 2>&1; then
+            npm run build 2>&1 || echo "::warning::Build failed"
+          fi

.mokogitea/workflows/ci-joomla.yml

@@ -245,10 +245,413 @@ jobs:
             echo "All ${CHECKED} directories contain index.html." >> $GITHUB_STEP_SUMMARY
           fi
 
+      - name: Check config.xml and access.xml for components
+        run: |
+          echo "### Component Config & ACL Check" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Find all component manifests (XML with type="component")
+          COMP_MANIFESTS=$(find . -maxdepth 4 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*" -exec grep -l '<extension[^>]*type="component"' {} ; 2>/dev/null || true)
+
+          if [ -z "$COMP_MANIFESTS" ]; then
+            echo "No component extensions found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            for MANIFEST in $COMP_MANIFESTS; do
+              COMP_DIR=$(dirname "$MANIFEST")
+              COMP_NAME=$(basename "$COMP_DIR")
+              echo "Component: `${COMP_NAME}` (manifest: `${MANIFEST}`)" >> $GITHUB_STEP_SUMMARY
+
+              # Check access.xml exists
+              ACCESS_FILE=$(find "$COMP_DIR" -name "access.xml" -not -path "./.git/*" 2>/dev/null | head -1)
+              if [ -z "$ACCESS_FILE" ]; then
+                echo "- Missing `access.xml` — ACL permissions will not work." >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                if command -v php &> /dev/null; then
+                  if ! php -r "@simplexml_load_file('$ACCESS_FILE') ?: exit(1);" 2>/dev/null; then
+                    echo "- `access.xml` is not well-formed XML." >> $GITHUB_STEP_SUMMARY
+                    ERRORS=$((ERRORS + 1))
+                  else
+                    for ACTION in core.admin core.manage; do
+                      if ! grep -q "name=\"${ACTION}\"" "$ACCESS_FILE" 2>/dev/null; then
+                        echo "- `access.xml` missing required action: `${ACTION}`" >> $GITHUB_STEP_SUMMARY
+                        ERRORS=$((ERRORS + 1))
+                      fi
+                    done
+                    echo "- `access.xml`: valid" >> $GITHUB_STEP_SUMMARY
+                  fi
+                fi
+              fi
+
+              # Check config.xml exists
+              CONFIG_FILE=$(find "$COMP_DIR" -name "config.xml" -not -path "./.git/*" 2>/dev/null | head -1)
+              if [ -z "$CONFIG_FILE" ]; then
+                echo "- Missing `config.xml` — component Options page will be empty." >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                if command -v php &> /dev/null; then
+                  if ! php -r "@simplexml_load_file('$CONFIG_FILE') ?: exit(1);" 2>/dev/null; then
+                    echo "- `config.xml` is not well-formed XML." >> $GITHUB_STEP_SUMMARY
+                    ERRORS=$((ERRORS + 1))
+                  else
+                    echo "- `config.xml`: valid" >> $GITHUB_STEP_SUMMARY
+                  fi
+                fi
+              fi
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} config/ACL issue(s) found.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Component config & ACL check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: SQL schema validation
+        run: |
+          echo "### SQL Schema Validation" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Find SQL files in source/htdocs
+          SQL_FILES=$(find . -name "*.sql" -path "*/sql/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$SQL_FILES" ]; then
+            echo "No SQL files found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Found $(echo "$SQL_FILES" | wc -l) SQL file(s)" >> $GITHUB_STEP_SUMMARY
+
+            for FILE in $SQL_FILES; do
+              # Basic syntax check: balanced parentheses, no empty files
+              SIZE=$(wc -c < "$FILE" | tr -d ' ')
+              if [ "$SIZE" -eq 0 ]; then
+                echo "- Empty SQL file: \`${FILE}\`" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+                continue
+              fi
+
+              # Check for common SQL errors
+              if grep -qP '^\s*$' "$FILE" && [ "$SIZE" -lt 5 ]; then
+                echo "- Whitespace-only SQL file: \`${FILE}\`" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+                continue
+              fi
+
+              echo "- \`${FILE}\`: ${SIZE} bytes" >> $GITHUB_STEP_SUMMARY
+            done
+
+            # Check update SQL files follow version numbering pattern
+            UPDATE_DIR=$(find . -path "*/sql/updates/mysql" -type d -not -path "./.git/*" 2>/dev/null | head -1)
+            if [ -n "$UPDATE_DIR" ]; then
+              BAD_NAMES=0
+              for UFILE in "$UPDATE_DIR"/*.sql; do
+                [ ! -f "$UFILE" ] && continue
+                BASENAME=$(basename "$UFILE" .sql)
+                if ! echo "$BASENAME" | grep -qP '^\d+\.\d+\.\d+'; then
+                  echo "- Update file \`${UFILE}\` does not follow version naming (expected X.Y.Z.sql)" >> $GITHUB_STEP_SUMMARY
+                  BAD_NAMES=$((BAD_NAMES + 1))
+                fi
+              done
+              if [ "$BAD_NAMES" -gt 0 ]; then
+                ERRORS=$((ERRORS + BAD_NAMES))
+              fi
+            fi
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} SQL issue(s) found.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**SQL schema validation passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Manifest file references check
+        run: |
+          echo "### Manifest File References" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          MANIFEST=""
+          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
+            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
+              MANIFEST="$XML_FILE"
+              break
+            fi
+          done
+
+          if [ -z "$MANIFEST" ]; then
+            echo "No manifest found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            MANIFEST_DIR=$(dirname "$MANIFEST")
+
+            # Check <filename> references
+            FILENAMES=$(grep -oP '<filename[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
+            for F in $FILENAMES; do
+              if [ ! -f "${MANIFEST_DIR}/${F}" ] && [ ! -d "${MANIFEST_DIR}/${F}" ]; then
+                echo "- Missing: \`${F}\` (referenced in manifest)" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+
+            # Check <folder> references
+            FOLDERS=$(grep -oP '<folder[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
+            for F in $FOLDERS; do
+              if [ ! -d "${MANIFEST_DIR}/${F}" ]; then
+                echo "- Missing folder: \`${F}\` (referenced in manifest)" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+
+            # Check <file> references in package manifests (ZIP files won't exist in source)
+            EXT_TYPE=$(grep -oP '<extension[^>]*\btype="\K[^"]+' "$MANIFEST" | head -1)
+            if [ "$EXT_TYPE" != "package" ]; then
+              FILES=$(grep -oP '<file[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
+              for F in $FILES; do
+                if [ ! -f "${MANIFEST_DIR}/${F}" ]; then
+                  echo "- Missing file: \`${F}\` (referenced in manifest)" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS + 1))
+                fi
+              done
+            fi
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} missing file reference(s).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Manifest file references check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Form XML validation
+        run: |
+          echo "### Form XML Validation" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          FORM_FILES=$(find . -name "*.xml" -path "*/forms/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$FORM_FILES" ]; then
+            echo "No form XML files found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Found $(echo "$FORM_FILES" | wc -l) form file(s)" >> $GITHUB_STEP_SUMMARY
+            for FILE in $FORM_FILES; do
+              if command -v php &> /dev/null; then
+                if ! php -r "@simplexml_load_file('$FILE') ?: exit(1);" 2>/dev/null; then
+                  echo "- \`${FILE}\`: malformed XML" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS + 1))
+                else
+                  # Check for valid Joomla form structure
+                  if ! grep -qE '<form|<field|<fieldset' "$FILE" 2>/dev/null; then
+                    echo "- \`${FILE}\`: no \`<form>\`, \`<field>\`, or \`<fieldset>\` elements found" >> $GITHUB_STEP_SUMMARY
+                    ERRORS=$((ERRORS + 1))
+                  else
+                    echo "- \`${FILE}\`: valid" >> $GITHUB_STEP_SUMMARY
+                  fi
+                fi
+              fi
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} form XML issue(s).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Form XML validation passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Deprecated Joomla API check
+        continue-on-error: true
+        run: |
+          echo "### Deprecated Joomla API Check" >> $GITHUB_STEP_SUMMARY
+          WARNINGS=0
+
+          SRC_DIR=""
+          for DIR in source/ src/ htdocs/; do
+            [ -d "$DIR" ] && SRC_DIR="$DIR" && break
+          done
+
+          if [ -z "$SRC_DIR" ]; then
+            echo "No source directory found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            # Joomla 3/4 deprecated patterns that break in Joomla 6
+            PATTERNS=(
+              'JFactory::'
+              'JText::'
+              'JHtml::'
+              'JRoute::'
+              'JUri::'
+              'JLog::'
+              'JTable::'
+              'JInput'
+              'CMSFactory::\$application'
+              'JApplicationCms'
+            )
+
+            for PATTERN in "${PATTERNS[@]}"; do
+              HITS=$(grep -rnl "$PATTERN" "$SRC_DIR" --include="*.php" 2>/dev/null || true)
+              if [ -n "$HITS" ]; then
+                COUNT=$(echo "$HITS" | wc -l)
+                echo "- \`${PATTERN}\` found in ${COUNT} file(s)" >> $GITHUB_STEP_SUMMARY
+                WARNINGS=$((WARNINGS + COUNT))
+              fi
+            done
+
+            echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "$WARNINGS" -gt 0 ]; then
+              echo "**${WARNINGS} deprecated API usage(s) found.** These will break in Joomla 6." >> $GITHUB_STEP_SUMMARY
+            else
+              echo "**No deprecated APIs found.**" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+      - name: Template output escaping check
+        continue-on-error: true
+        run: |
+          echo "### Template Output Escaping" >> $GITHUB_STEP_SUMMARY
+          WARNINGS=0
+
+          TMPL_FILES=$(find . -name "*.php" -path "*/tmpl/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$TMPL_FILES" ]; then
+            echo "No template files found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Found $(echo "$TMPL_FILES" | wc -l) template file(s)" >> $GITHUB_STEP_SUMMARY
+
+            for FILE in $TMPL_FILES; do
+              # Check for unescaped output: <?= $var ?> or echo $var without escape()
+              UNESCAPED=$(grep -nP '<\?=\s*\$(?!this->escape)' "$FILE" 2>/dev/null || true)
+              if [ -n "$UNESCAPED" ]; then
+                HITS=$(echo "$UNESCAPED" | wc -l)
+                echo "- \`${FILE}\`: ${HITS} unescaped \`<?= \$var ?>\` output(s) — use \`<?= \$this->escape(\$var) ?>\`" >> $GITHUB_STEP_SUMMARY
+                WARNINGS=$((WARNINGS + HITS))
+              fi
+
+              # Check for echo without escaping in template context
+              RAW_ECHO=$(grep -nP '^\s*echo\s+\$(?!this->escape)' "$FILE" 2>/dev/null || true)
+              if [ -n "$RAW_ECHO" ]; then
+                HITS=$(echo "$RAW_ECHO" | wc -l)
+                echo "- \`${FILE}\`: ${HITS} raw \`echo \$var\` — consider \`echo \$this->escape(\$var)\`" >> $GITHUB_STEP_SUMMARY
+                WARNINGS=$((WARNINGS + HITS))
+              fi
+            done
+
+            echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "$WARNINGS" -gt 0 ]; then
+              echo "**${WARNINGS} potential XSS risk(s) in templates.** Review unescaped output." >> $GITHUB_STEP_SUMMARY
+            else
+              echo "**All template output appears properly escaped.**" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+      - name: Namespace consistency check
+        run: |
+          echo "### Namespace Consistency" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Find component/plugin manifests with <namespace> tags
+          MANIFESTS=$(find . -maxdepth 4 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*" -exec grep -l '<namespace' {} \; 2>/dev/null || true)
+
+          if [ -z "$MANIFESTS" ]; then
+            echo "No manifests with \`<namespace>\` found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            for MANIFEST in $MANIFESTS; do
+              NS_PATH=$(grep -oP '<namespace[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null | head -1)
+              [ -z "$NS_PATH" ] && continue
+              MANIFEST_DIR=$(dirname "$MANIFEST")
+
+              echo "Manifest: \`${MANIFEST}\` → namespace \`${NS_PATH}\`" >> $GITHUB_STEP_SUMMARY
+
+              # Check PHP files have matching namespace
+              while IFS= read -r -d '' PHP_FILE; do
+                FILE_NS=$(grep -oP '^\s*namespace\s+\K[^;]+' "$PHP_FILE" 2>/dev/null | head -1)
+                [ -z "$FILE_NS" ] && continue
+
+                # Namespace should start with the manifest namespace path
+                if ! echo "$FILE_NS" | grep -qF "${NS_PATH}"; then
+                  echo "- \`${PHP_FILE}\`: namespace \`${FILE_NS}\` doesn't match manifest \`${NS_PATH}\`" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS + 1))
+                fi
+              done < <(find "$MANIFEST_DIR" -name "*.php" -path "*/src/*" -not -path "./vendor/*" -print0 2>/dev/null)
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} namespace mismatch(es).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Namespace consistency check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: SPDX license header check
+        continue-on-error: true
+        run: |
+          echo "### SPDX License Headers" >> $GITHUB_STEP_SUMMARY
+          MISSING=0
+
+          SRC_DIR=""
+          for DIR in source/ src/ htdocs/; do
+            [ -d "$DIR" ] && SRC_DIR="$DIR" && break
+          done
+
+          if [ -z "$SRC_DIR" ]; then
+            echo "No source directory found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            TOTAL=0
+            while IFS= read -r -d '' FILE; do
+              TOTAL=$((TOTAL + 1))
+              if ! head -10 "$FILE" | grep -qi "SPDX"; then
+                echo "- Missing SPDX header: \`${FILE}\`" >> $GITHUB_STEP_SUMMARY
+                MISSING=$((MISSING + 1))
+              fi
+            done < <(find "$SRC_DIR" -name "*.php" -not -path "./vendor/*" -print0)
+
+            echo "" >> $GITHUB_STEP_SUMMARY
+            if [ "$MISSING" -gt 0 ]; then
+              echo "**${MISSING}/${TOTAL} PHP file(s) missing SPDX license header.**" >> $GITHUB_STEP_SUMMARY
+            else
+              echo "**All ${TOTAL} PHP files have SPDX headers.**" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+      - name: Service provider check
+        run: |
+          echo "### Service Provider Check" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          PROVIDERS=$(find . -name "provider.php" -path "*/services/*" -not -path "./.git/*" -not -path "./vendor/*" 2>/dev/null)
+          if [ -z "$PROVIDERS" ]; then
+            echo "No service providers found — skipping." >> $GITHUB_STEP_SUMMARY
+          else
+            for FILE in $PROVIDERS; do
+              # Must return a ServiceProviderInterface
+              if ! grep -qP 'ServiceProviderInterface|ComponentInterface|MVCFactoryInterface|DispatcherInterface' "$FILE" 2>/dev/null; then
+                echo "- \`${FILE}\`: does not reference ServiceProviderInterface or component interfaces" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                echo "- \`${FILE}\`: valid service provider" >> $GITHUB_STEP_SUMMARY
+              fi
+
+              # Must have return statement
+              if ! grep -qP '^\s*return\s+new\s+' "$FILE" 2>/dev/null; then
+                echo "- \`${FILE}\`: missing \`return new ...\` statement" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              fi
+            done
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} service provider issue(s).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Service provider check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
   release-readiness:
     name: Release Readiness Check
     runs-on: ubuntu-latest
     if: github.event_name == 'pull_request' && github.base_ref == 'main'
+    continue-on-error: true
 
     steps:
       - name: Checkout repository

.mokogitea/workflows/issue-branch.yml

@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
-# VERSION: 01.01.00
+# VERSION: 01.02.00
 # BRIEF: Auto-create feature branch when an issue is opened
 
 name: "Universal: Issue Branch"

.mokogitea/workflows/notify.yml

@@ -18,7 +18,6 @@ on:
       - "Joomla Build & Release"
       - "Joomla Extension CI"
       - "Deploy"
-      - "Cascade Main → Dev"
     types:
       - completed
 

.mokogitea/workflows/pre-release.yml

@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
+# INGROUP: mokoplatform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
 # PATH: /templates/workflows/universal/pre-release.yml.template
 # VERSION: 05.01.00
 # BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
@@ -58,21 +58,26 @@ jobs:
           token: ${{ secrets.MOKOGITEA_TOKEN }}
           ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
 
-      - name: Setup moko-platform tools
+      - name: Setup mokoplatform tools
         env:
           MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
-          if ! command -v composer &> /dev/null; then
+          # Use pre-installed /opt/mokoplatform if available (updated by cron every 6h)
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          if [ -f /opt/mokoplatform/cli/version_bump.php ] && [ -f /opt/mokoplatform/cli/manifest_element.php ] && [ -f /opt/mokoplatform/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokoplatform
+            echo MOKO_CLI=/opt/mokoplatform/cli >> $GITHUB_ENV
+          else
+            echo Falling back to fresh clone
+            if ! command -v composer > /dev/null 2>&1; then
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
+            fi
+            rm -rf /tmp/mokoplatform-api
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokoplatform-api
+            cd /tmp/mokoplatform-api && composer install --no-dev --no-interaction --quiet
+            echo MOKO_CLI=/tmp/mokoplatform-api/cli >> $GITHUB_ENV
           fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-          echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
 
       - name: Detect platform
         id: platform
@@ -96,20 +101,26 @@ jobs:
             release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
           esac
 
-          # Read current version (bump already handled by push workflow)
+          # Bump version via CLI: patch for dev/alpha/beta, minor for RC
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
+          case "$STABILITY" in
-          [ -z "$VERSION" ] && VERSION="00.00.01"
+            release-candidate) BUMP="minor" ;;
+            *)                 BUMP="patch" ;;
+          esac
 
-          # Strip any existing suffix from version before applying stability
+          php ${MOKO_CLI}/version_bump.php --path . $([ "$BUMP" = "minor" ] && echo "--minor") 2>/dev/null || true
+
+          # Set stability suffix and verify consistency
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "00.00.01")
           VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
 
           php ${MOKO_CLI}/version_set_platform.php \
             --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
-
-          # Verify version consistency across all files
           php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
 
-          # Update VERSION variable with suffix
+          # Ensure licensing tags (updateservers, dlid) if enabled in manifest.xml
+          php ${MOKO_CLI}/manifest_licensing.php --path . --fix 2>/dev/null || true
+
+          # Append suffix for output
           if [ -n "$SUFFIX" ]; then
             VERSION="${VERSION}${SUFFIX}"
           fi
@@ -155,19 +166,39 @@ jobs:
             --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --branch dev --prerelease
 
-      - name: Ensure prerelease flag
+      - name: Update release notes from CHANGELOG.md
         run: |
           TAG="${{ steps.meta.outputs.tag }}"
+          VERSION="${{ steps.meta.outputs.version }}"
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          # Get release ID by tag and force prerelease=true
+
-          RELEASE_ID=$(curl -s "${API_BASE}/releases/tags/${TAG}" \
+          # Extract [Unreleased] section from changelog (everything between [Unreleased] and next ## heading)
-            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" | jq -r '.id // empty')
+          if [ -f "CHANGELOG.md" ]; then
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
+            [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+          else
+            NOTES="Release ${VERSION}"
+          fi
+
+          # Update release body via API
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${TAG}" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
           if [ -n "$RELEASE_ID" ]; then
-            curl -s -X PATCH "${API_BASE}/releases/${RELEASE_ID}" \
+            python3 -c "
-              -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
+          import json, urllib.request
-              -H "Content-Type: application/json" \
+          body = open('/dev/stdin').read()
-              -d '{"prerelease": true}'
+          payload = json.dumps({'body': body}).encode()
-            echo "Marked release ${TAG} (id=${RELEASE_ID}) as prerelease"
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=payload, method='PATCH',
+              headers={
+                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
+                  'Content-Type': 'application/json'
+              })
+          urllib.request.urlopen(req)
+          " <<< "$NOTES"
+            echo "Release notes updated from CHANGELOG.md"
           fi
 
       - name: Build package and upload
@@ -181,55 +212,8 @@ jobs:
             --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
             --repo "${GITEA_REPO}" --output /tmp || true
 
-      - name: Update updates.xml
+      # updates.xml is generated dynamically by MokoGitea license server
-        if: steps.platform.outputs.platform == 'joomla'
+      # No need to build, commit, or sync updates.xml from workflows
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml -- skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          CURRENT_BRANCH="${{ github.ref_name }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-
-          for BRANCH in main dev; do
-            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
-            echo "Syncing updates.xml -> ${BRANCH}"
-            git fetch origin "${BRANCH}" 2>/dev/null || continue
-            git checkout "origin/${BRANCH}" -- updates.xml 2>/dev/null || continue
-            git checkout "${CURRENT_BRANCH}" -- updates.xml
-            if ! git diff --quiet updates.xml 2>/dev/null; then
-              git add updates.xml
-              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
-              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-            fi
-            git checkout "${CURRENT_BRANCH}" 2>/dev/null
-          done
 
       - name: "Delete lesser pre-release channels (cascade)"
         continue-on-error: true

.mokogitea/workflows/rc-revert.yml

@@ -0,0 +1,66 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoPlatform.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.mokogitea/workflows/rc-revert.yml
+# VERSION: 09.23.00
+# BRIEF: Rename rc/ branch back to dev/ when PR is closed without merge
+
+name: "RC Revert"
+
+on:
+  pull_request:
+    types: [closed]
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  revert:
+    name: Rename rc/ back to dev/
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == false &&
+      startsWith(github.event.pull_request.head.ref, 'rc/')
+
+    steps:
+      - name: Rename branch
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          SUFFIX="${BRANCH#rc/}"
+          DEV_BRANCH="dev/${SUFFIX}"
+          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Create dev/ branch from rc/ branch
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
+            -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
+            "${API}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "201" ]; then
+            echo "Created branch: ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"
+            exit 1
+          fi
+
+          # Delete rc/ branch
+          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
+            -H "Authorization: token ${TOKEN}" \
+            "${API}/${ENCODED}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "204" ]; then
+            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
+          fi
+
+          echo "### RC Reverted" >> $GITHUB_STEP_SUMMARY
+          echo "${BRANCH} → ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY

.mokogitea/workflows/repo-health.yml

@@ -33,7 +33,8 @@ on:
           - scripts
           - repo
   pull_request:
-  push:
+    branches:
+      - main
 
 permissions:
   contents: read

.mokogitea/workflows/update-server.yml

@@ -1,312 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/update-server.yml
-# VERSION: 05.00.00
-# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
-#
-# Thin wrapper around moko-platform CLI tools.
-# Builds packages, updates updates.xml, and optionally deploys via SFTP.
-#
-# Joomla filters update entries by the user's "Minimum Stability" setting.
-
-name: "Update Server"
-
-on:
-  push:
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  pull_request:
-    types: [closed]
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'development'
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - rc
-          - stable
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  update-xml:
-    name: Update Server
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform 2>/dev/null || true
-          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
-            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve stability and bump version
-        id: meta
-        run: |
-          BRANCH="${{ github.ref_name }}"
-
-          # Configure git for bot pushes
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-          # Auto-bump patch version
-          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
-
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
-
-          # Strip any existing suffix before applying stability
-          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
-
-          # Determine stability from branch or manual input
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          elif [[ "$BRANCH" == rc/* ]]; then
-            STABILITY="rc"
-          elif [[ "$BRANCH" == beta/* ]]; then
-            STABILITY="beta"
-          elif [[ "$BRANCH" == alpha/* ]]; then
-            STABILITY="alpha"
-          else
-            STABILITY="development"
-          fi
-
-          # Version suffix per stability stream
-          case "$STABILITY" in
-            development) SUFFIX="-dev";  TAG="development" ;;
-            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)        SUFFIX="-beta";  TAG="beta" ;;
-            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
-            *)           SUFFIX="";       TAG="stable" ;;
-          esac
-
-          # Propagate version with stability suffix to all manifest files
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Re-read version (now includes suffix from version_set_platform)
-          if [ -n "$SUFFIX" ]; then
-            VERSION="${VERSION}${SUFFIX}"
-          fi
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
-
-          # Commit version bump if changed
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push
-          }
-
-      - name: Create release and upload package
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Create or update Gitea release
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
-
-          # Build package and upload
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml — skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push updates.xml
-          git add updates.xml
-          git diff --cached --quiet || {
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push
-          }
-
-      - name: Sync updates.xml to main
-        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-
-          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
-            python3 -c "
-          import base64, json, urllib.request, sys
-          with open('updates.xml', 'rb') as f:
-              content = base64.b64encode(f.read()).decode()
-          payload = json.dumps({
-              'content': content,
-              'sha': '${FILE_SHA}',
-              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
-              'branch': 'main'
-          }).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/contents/updates.xml',
-              data=payload, method='PUT',
-              headers={
-                  'Authorization': 'token ${GITEA_TOKEN}',
-                  'Content-Type': 'application/json'
-              })
-          try:
-              urllib.request.urlopen(req)
-              print('updates.xml synced to main')
-          except Exception as e:
-              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
-          "
-          fi
-
-      - name: SFTP deploy to dev server
-        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
-        env:
-          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
-          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
-          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
-          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
-          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
-          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-        run: |
-          # Permission check: admin or maintain role required
-          ACTOR="${{ github.actor }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
-          case "$PERMISSION" in
-            admin|maintain|write) ;;
-            *)
-              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
-              exit 0
-              ;;
-          esac
-
-          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
-
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && exit 0
-
-          PORT="${DEV_PORT:-22}"
-          REMOTE="${DEV_PATH%/}"
-          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
-          if [ -n "$DEV_KEY" ]; then
-            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
-          fi
-
-          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          fi
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          DISPLAY="${{ steps.meta.outputs.display_version }}"
-          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY

.mokogitea/workflows/workflow-sync-trigger.yml

@@ -0,0 +1,67 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoPlatform.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+# PATH: /.mokogitea/workflows/workflow-sync-trigger.yml
+# VERSION: 01.00.00
+# BRIEF: Trigger workflow sync to live repos when a PR is merged to main
+
+name: "Universal: Workflow Sync Trigger"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  sync:
+    name: Sync workflows to live repos
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      !contains(github.event.pull_request.title, '[skip sync]')
+
+    steps:
+      - name: Determine platform from repo name
+        id: platform
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          case "$REPO" in
+            Template-Joomla)   PLATFORM="joomla" ;;
+            Template-Dolibarr) PLATFORM="dolibarr" ;;
+            Template-Go)       PLATFORM="go" ;;
+            Template-MCP)      PLATFORM="mcp" ;;
+            Template-Generic)  PLATFORM="" ;;
+            *)                 PLATFORM="" ;;
+          esac
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+          echo "Platform: ${PLATFORM:-all}"
+
+      - name: Run workflow sync
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          MOKOPLATFORM="/opt/mokoplatform"
+          if [ ! -f "${MOKOPLATFORM}/cli/workflow_sync.php" ]; then
+            echo "::error::mokoplatform not found at ${MOKOPLATFORM}"
+            exit 1
+          fi
+
+          ARGS="--token ${MOKOGITEA_TOKEN}"
+          ARGS="${ARGS} --org ${{ vars.GITEA_ORG || github.repository_owner }}"
+          ARGS="${ARGS} --phase repos"
+
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ -n "$PLATFORM" ]; then
+            ARGS="${ARGS} --platform-filter ${PLATFORM}"
+          fi
+
+          php "${MOKOPLATFORM}/cli/workflow_sync.php" ${ARGS}

CODE_OF_CONDUCT.md

@@ -14,7 +14,7 @@
 	DEFGROUP: MokoStandards-Template-Joomla-Plugin
 	INGROUP: MokoStandards-Template-Joomla-Plugin.Documentation
 	REPO: https://github.com/mokoconsulting-tech/MokoStandards-Template-Joomla-Plugin/
-  VERSION: 01.01.00
+  VERSION: 01.02.00
   PATH: ./CODE_OF_CONDUCT.md
   BRIEF: Community expectations and enforcement guidelines
   NOTE: Adapted with attribution from the Contributor Covenant v2.1

GOVERNANCE.md

@@ -19,7 +19,7 @@
  DEFGROUP: mokoconsulting-tech.MokoStandards-Template-Joomla-Plugin
  INGROUP: MokoStandards.Governance
  REPO: https://github.com/mokoconsulting-tech/MokoStandards-Template-Joomla-Plugin
- VERSION: 01.01.00
+ VERSION: 01.02.00
  PATH: /GOVERNANCE.md
  BRIEF: Project governance rules, roles, and decision process for MokoStandards-Template-Joomla-Plugin
 -->

SECURITY.md

@@ -23,7 +23,7 @@ DEFGROUP: MokoStandards-Template-Joomla-Plugin
 INGROUP: MokoStandards-Template-Joomla-Plugin.Documentation
 REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-Template-Joomla-Plugin
 PATH: /SECURITY.md
-VERSION: 01.01.00
+VERSION: 01.02.00
 BRIEF: Security vulnerability reporting and handling policy
 -->