fix(ci): auto-bump package.json patch version before npm publish

chore: bump version to 1.3.0
refactor: rename manifest tools to metadata, remove auto-derived fields
2026-06-10 10:28:39 +00:00 · 2026-06-10 05:26:29 -05:00 · 2026-06-10 04:55:09 -05:00 · 2026-06-10 02:22:51 +00:00 · 2026-06-10 02:20:29 +00:00 · 2026-06-09 10:45:23 -05:00
25 changed files with 3004 additions and 2297 deletions
@@ -0,0 +1,251 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 # SPDX-License-Identifier: GPL-3.0-or-later
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.gitea/workflows/branch-protection.yml
 # BRIEF: Apply standardised branch protection rules to all governed repositories
 #
 # +========================================================================+
 # |                   BRANCH PROTECTION SETUP                              |
 # +========================================================================+
 # |                                                                        |
 # |  Applies protection rules for: main, dev, rc, beta, alpha       |
 # |                                                                        |
 # |  main  — Require PR, block rejected reviews, no force push             |
 # |  dev   — Allow push, no force push, no delete                          |
 # |  rc  — Allow push, no force push, no delete                          |
 # |  beta — Allow push, no force push, no delete                         |
 # |  alpha — Allow push, no force push, no delete                        |
 # |                                                                        |
 # |  jmiller has override authority on all branches.                       |
 # |                                                                        |
 # +========================================================================+
 name: Branch Protection Setup
 on:
  schedule:
    - cron: '0 2 * * 1'  # Weekly Monday 02:00 UTC
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Preview mode (no changes)'
        required: false
        type: boolean
        default: false
      repos:
        description: 'Comma-separated repo names (empty = all governed repos)'
        required: false
        type: string
        default: ''
 env:
  GITEA_URL: https://git.mokoconsulting.tech
  GITEA_ORG: MokoConsulting
 permissions:
  contents: read
 jobs:
  protect:
    name: Apply Branch Protection Rules
    runs-on: ubuntu-latest
    steps:
      - name: Determine target repos
        id: repos
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"
          # Platform/standards/infra repos to exclude
          EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
          EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
          if [ -n "${{ inputs.repos }}" ]; then
            # User-specified repos
            REPOS=$(echo "${{ inputs.repos }}" | tr ',' ' ')
          else
            # Fetch all org repos
            PAGE=1
            REPOS=""
            while true; do
              BATCH=$(curl -sS \
                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
                | jq -r '.[].name // empty')
              [ -z "$BATCH" ] && break
              REPOS="$REPOS $BATCH"
              PAGE=$((PAGE + 1))
            done
            # Filter out excluded repos
            FILTERED=""
            for REPO in $REPOS; do
              SKIP=false
              for EX in $EXCLUDE; do
                if [ "$REPO" = "$EX" ]; then
                  SKIP=true
                  break
                fi
              done
              if [ "$SKIP" = "false" ]; then
                FILTERED="$FILTERED $REPO"
              fi
            done
            REPOS="$FILTERED"
          fi
          echo "repos=$REPOS" >> "$GITHUB_OUTPUT"
          COUNT=$(echo "$REPOS" | wc -w)
          echo "📋 Target repos (${COUNT}): $REPOS"
      - name: Apply protection rules
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
          REPOS="${{ steps.repos.outputs.repos }}"
          SUCCESS=0
          FAILED=0
          SKIPPED=0
          # ── Rule definitions ──────────────────────────────────────
          # Only the CI bot (jmiller token) can push directly.
          # All human contributors must use PRs.
          # Force push disabled on all branches.
          RULE_MAIN='{
            "rule_name": "main",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "dismiss_stale_approvals": true,
            "block_on_rejected_reviews": true,
            "block_on_outdated_branch": false,
            "priority": 1
          }'
          RULE_DEV='{
            "rule_name": "dev",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 2
          }'
          RULE_RC='{
            "rule_name": "rc",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 3
          }'
          RULE_BETA='{
            "rule_name": "beta",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 4
          }'
          RULE_ALPHA='{
            "rule_name": "alpha",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 5
          }'
          RULES=("$RULE_MAIN" "$RULE_DEV" "$RULE_RC" "$RULE_BETA" "$RULE_ALPHA")
          RULE_NAMES=("main" "dev" "rc" "beta" "alpha")
          # ── Apply rules to each repo ──────────────────────────────
          for REPO in $REPOS; do
            echo ""
            echo "═══ ${REPO} ═══"
            for i in "${!RULES[@]}"; do
              RULE="${RULES[$i]}"
              NAME="${RULE_NAMES[$i]}"
              if [ "$DRY_RUN" = "true" ]; then
                echo "  [DRY RUN] Would apply rule: ${NAME}"
                SKIPPED=$((SKIPPED + 1))
                continue
              fi
              # Delete existing rule if present (idempotent recreate)
              ENCODED_NAME=$(echo "$NAME" | sed 's|/|%2F|g')
              curl -sS -o /dev/null -w "" \
                -X DELETE \
                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections/${ENCODED_NAME}" 2>/dev/null || true
              # Create rule
              RESPONSE=$(curl -sS -w "\n%{http_code}" \
                -X POST \
                -H "Authorization: token ${GA_TOKEN}" \
                -H "Content-Type: application/json" \
                -d "$RULE" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections")
              HTTP=$(echo "$RESPONSE" | tail -1)
              BODY=$(echo "$RESPONSE" | sed '$d')
              if [ "$HTTP" = "201" ]; then
                echo "  ✅ ${NAME}"
                SUCCESS=$((SUCCESS + 1))
              else
                echo "  ❌ ${NAME} (HTTP ${HTTP}): $(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)"
                FAILED=$((FAILED + 1))
              fi
            done
          done
          # ── Summary ───────────────────────────────────────────────
          echo ""
          echo "════════════════════════════════════════"
          echo "  ✅ Success: ${SUCCESS}"
          echo "  ❌ Failed:  ${FAILED}"
          echo "  ⏭️  Skipped: ${SKIPPED}"
          echo "════════════════════════════════════════"
          if [ "$FAILED" -gt 0 ]; then
            echo "::warning::${FAILED} rule(s) failed to apply"
          fi
@@ -0,0 +1,66 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Release
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.mokogitea/workflows/auto-bump.yml
 # VERSION: 09.02.00
 # BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
 name: "Universal: Auto Version Bump"
 on:
  push:
    branches:
      - dev
      - rc
      - 'feature/**'
      - 'patch/**'
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
 permissions:
  contents: write
 jobs:
  bump:
    name: Version Bump
    runs-on: release
    if: >-
      !contains(github.event.head_commit.message, '[skip ci]') &&
      !contains(github.event.head_commit.message, '[skip bump]') &&
      !startsWith(github.event.head_commit.message, 'Merge pull request')
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 1
      - name: Setup moko-platform tools
        run: |
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
          if [ -d "/opt/moko-platform/cli" ]; then
            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
          else
            git clone --depth 1 --branch main --quiet \
              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
              /tmp/moko-platform-api
            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
          fi
      - name: Bump version
        run: |
          php ${MOKO_CLI}/version_auto_bump.php \
            --path . --branch "${GITHUB_REF_NAME}" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
@@ -17,7 +17,7 @@
 # |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
 # |                                                                        |
 # |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    joomla:   XML manifest, type-prefixed packages                      |
 # |    dolibarr: mod*.class.php, update.txt, dev version reset             |
 # |    generic:  README-only, no update stream                             |
 # |                                                                        |
@@ -27,13 +27,19 @@ name: "Universal: Build & Release"
 on:
  pull_request:
-    types: [closed]
+    types: [opened, closed]
    branches:
      - main
    paths:
      - 'src/**'
      - 'htdocs/**'
  workflow_dispatch:
    inputs:
      action:
        description: 'Action to perform'
        required: false
        type: choice
        default: release
        options:
          - release
          - promote-rc
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
@@ -45,662 +51,228 @@ permissions:
  contents: write
 jobs:
-  release:
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
-    name: Build & Release Pipeline
+  promote-rc:
    name: Promote to RC
    runs-on: release
    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
+          fetch-depth: 1
      - name: Setup moko-platform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
        run: |
-          # Ensure PHP + Composer are available
+          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
-          if ! command -v composer &> /dev/null; then
+            echo Using pre-installed /opt/moko-platform
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
          fi
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
            /tmp/moko-platform-api
          cd /tmp/moko-platform-api
          composer install --no-dev --no-interaction --quiet
      # -- PLATFORM DETECTION ---------------------------------------------------
      - name: Detect platform
        id: platform
        run: |
          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1 || true)
          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
      - name: "Step 1: Read version"
        id: version
        run: |
          VERSION=$(php /tmp/moko-platform-api/cli/version_read.php --path .)
          if [ -z "$VERSION" ]; then
            echo "::error::No VERSION in README.md"
            echo "skip=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          MAJOR=$(echo "$VERSION" | cut -d. -f1)
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "release_tag=v${MAJOR}" >> "$GITHUB_OUTPUT"
          echo "skip=false" >> "$GITHUB_OUTPUT"
      - name: "Step 1b: Bump version"
        id: bump
        if: steps.version.outputs.skip != 'true'
        run: |
          MOKO_API="/tmp/moko-platform-api/cli"
          BUMP=$(php ${MOKO_API}/version_bump.php --path . --minor)
          VERSION=$(echo "$BUMP" | grep -oP '\d{2}\.\d{2}\.\d{2}$' || true)
          [ -z "$VERSION" ] && VERSION=$(php ${MOKO_API}/version_read.php --path .)
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "Bumped to: ${VERSION}"
      - name: Check if already released
        if: steps.version.outputs.skip != 'true'
        id: check
        run: |
          TAG="${{ steps.version.outputs.release_tag }}"
          BRANCH="${{ steps.version.outputs.branch }}"
          TAG_EXISTS=false
          BRANCH_EXISTS=false
          git rev-parse "$TAG" >/dev/null 2>&1 && TAG_EXISTS=true
          git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q "$BRANCH" && BRANCH_EXISTS=true
          echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
          echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
          # Tag and branch may persist across patch releases — never skip
          echo "already_released=false" >> "$GITHUB_OUTPUT"
      # -- SANITY CHECKS -------------------------------------------------------
      - name: "Sanity: Pre-release validation"
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.already_released != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          ERRORS=0
          PLATFORM="${{ steps.platform.outputs.platform }}"
          MANIFEST="${{ steps.platform.outputs.manifest }}"
          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
          echo "## Pre-Release Sanity Checks (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          # -- Version drift check (must pass before release) --------
          README_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
          if [ "$README_VER" != "$VERSION" ]; then
            echo "- Version drift: README says \`${README_VER}\` but releasing \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
            ERRORS=$((ERRORS+1))
          else
-            echo "- Version consistent: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+            echo Falling back to fresh clone
-          fi
+            if ! command -v composer > /dev/null 2>&1; then
-
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
          # Check CHANGELOG version matches
          CL_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' CHANGELOG.md 2>/dev/null | head -1)
          if [ -n "$CL_VER" ] && [ "$CL_VER" != "$VERSION" ]; then
            echo "- CHANGELOG drift: \`${CL_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
            ERRORS=$((ERRORS+1))
          fi
          # Check composer.json version if present
          if [ -f "composer.json" ]; then
            COMP_VER=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' composer.json 2>/dev/null | head -1)
            if [ -n "$COMP_VER" ] && [ "$COMP_VER" != "$VERSION" ]; then
              echo "- composer.json drift: \`${COMP_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
              ERRORS=$((ERRORS+1))
            fi
            rm -rf /tmp/moko-platform-api
            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
            cd /tmp/moko-platform-api
            composer install --no-dev --no-interaction --quiet
            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
          fi
-          # Common checks
+      - name: Rename branch to rc
          if [ ! -f "LICENSE" ]; then
            echo "- Missing LICENSE file" >> $GITHUB_STEP_SUMMARY
            ERRORS=$((ERRORS+1))
          else
            echo "- LICENSE present" >> $GITHUB_STEP_SUMMARY
          fi
          if [ ! -d "src" ] && [ ! -d "htdocs" ]; then
            echo "- Warning: No src/ or htdocs/ directory" >> $GITHUB_STEP_SUMMARY
          else
            echo "- Source directory present" >> $GITHUB_STEP_SUMMARY
          fi
          # -- Platform-specific checks --------
          case "$PLATFORM" in
            joomla)
              if [ -n "$MANIFEST" ]; then
                XML_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
                if [ -n "$XML_VER" ] && [ "$XML_VER" != "$VERSION" ]; then
                  echo "- Manifest drift: \`${XML_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
                  ERRORS=$((ERRORS+1))
                else
                  echo "- Manifest version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
                fi
                TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null)
                echo "- Extension type: ${TYPE:-unknown}" >> $GITHUB_STEP_SUMMARY
              else
                echo "- No Joomla XML manifest (WaaS site)" >> $GITHUB_STEP_SUMMARY
              fi ;;
            dolibarr)
              if [ -n "$MOD_FILE" ]; then
                MOD_VER=$(sed -n "s/.*\\\$this->version = '\([^']*\)'.*/\1/p" "$MOD_FILE" 2>/dev/null | head -1)
                if [ -n "$MOD_VER" ] && [ "$MOD_VER" != "$VERSION" ]; then
                  echo "- Module drift: \`${MOD_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
                  ERRORS=$((ERRORS+1))
                else
                  echo "- Module version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
                fi
              else
                echo "- No mod*.class.php found" >> $GITHUB_STEP_SUMMARY
                ERRORS=$((ERRORS+1))
              fi
              if [ ! -f "update.txt" ]; then
                echo "- Missing update.txt" >> $GITHUB_STEP_SUMMARY
                ERRORS=$((ERRORS+1))
              fi ;;
            *) echo "- Generic platform � no manifest checks" >> $GITHUB_STEP_SUMMARY ;;
          esac
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ "$ERRORS" -gt 0 ]; then
            echo "**${ERRORS} error(s) — release may be incomplete**" >> $GITHUB_STEP_SUMMARY
          else
            echo "**All sanity checks passed**" >> $GITHUB_STEP_SUMMARY
          fi
      # -- STEP 2: Create or update version/XX.YY archive branch ---------------
      # Always runs — every version change on main archives to version/XX.YY
      - name: "Step 2: Version archive branch"
        if: steps.check.outputs.already_released != 'true'
        run: |
-          BRANCH="${{ steps.version.outputs.branch }}"
+          php ${MOKO_CLI}/branch_rename.php \
-          IS_MINOR="${{ steps.version.outputs.is_minor }}"
+            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
-          PATCH="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-          PATCH_NUM=$(echo "$PATCH" | awk -F. '{print $3}')
+            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
            --pr "${{ github.event.pull_request.number }}"
-          # Check if branch exists
+      - name: Checkout rc and configure git
          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
            git push origin HEAD:"$BRANCH" --force
            echo "Updated archive branch: ${BRANCH} (patch ${PATCH_NUM})" >> $GITHUB_STEP_SUMMARY
          else
            git checkout -b "$BRANCH" 2>/dev/null || git checkout "$BRANCH"
            git push origin "$BRANCH" --force
            echo "Created archive branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
          fi
      # -- STEP 3: Set platform version ----------------------------------------
      - name: "Step 3: Set platform version"
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.already_released != 'true'
        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          git fetch origin rc
-          php /tmp/moko-platform-api/cli/version_set_platform.php \
+          git checkout rc
            --path . --version "$VERSION" --branch main
      # -- STEP 4: Update version badges ----------------------------------------
      - name: "Step 4: Update version badges"
        if: steps.version.outputs.skip != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
      - name: "Step 5: Write update stream"
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.platform.outputs.platform == 'joomla'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          php /tmp/moko-platform-api/cli/updates_xml_build.php \
            --path . --version "${VERSION}" --stability stable \
            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            --github-output
      - name: Commit release changes
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.already_released != 'true'
        run: |
          if git diff --quiet && git diff --cached --quiet; then
            echo "No changes to commit"
            exit 0
          fi
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
-          # Set push URL with token for branch-protected repos
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git commit -m "chore(release): build ${VERSION} [skip ci]" \
            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
          git push -u origin HEAD
-      # -- STEP 6: Create tag ---------------------------------------------------
+      - name: Publish RC release
      - name: "Step 6: Create git tag"
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.tag_exists != 'true' &&
          steps.version.outputs.is_minor == 'true'
        run: |
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          php ${MOKO_CLI}/release_publish.php \
-          # Only create the major release tag if it doesn't exist yet
+            --path . --stability rc --bump minor --branch rc \
-          if ! git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
+            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-            git tag "$RELEASE_TAG"
+
-            git push origin "$RELEASE_TAG"
+      - name: Summary
-            echo "Tag created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
+        if: always()
        run: |
          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
          echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY
  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
  release:
    name: Build & Release Pipeline
    runs-on: release
    if: >-
      github.event.pull_request.merged == true ||
      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0
      - name: Configure git for bot pushes
        run: |
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
      - name: Check for merge conflict markers
        run: |
          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
          if [ -n "$CONFLICTS" ]; then
            echo "::error::Merge conflict markers found — aborting release"
            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "No conflict markers found"
      - name: Setup moko-platform tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
        run: |
          if [ -f /opt/moko-platform/cli/version_bump.php ] && [ -f /opt/moko-platform/vendor/autoload.php ]; then
            echo Using pre-installed /opt/moko-platform
            echo MOKO_CLI=/opt/moko-platform/cli >> $GITHUB_ENV
          else
-            echo "Tag ${RELEASE_TAG} already exists" >> $GITHUB_STEP_SUMMARY
+            echo Falling back to fresh clone
-          fi
+            if ! command -v composer > /dev/null 2>&1; then
-          echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
+              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
      # -- STEP 7: Create or update Gitea Release --------------------------------
      - name: "Step 7: Gitea Release"
        if: >-
          steps.version.outputs.skip != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          BRANCH="${{ steps.version.outputs.branch }}"
          MAJOR="${{ steps.version.outputs.major }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Reuse metadata from Step 5 (single source of truth)
          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
          EXT_NAME="${{ steps.updates.outputs.ext_name }}"
          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
          # Fallbacks if Step 5 was skipped
          if [ -z "$EXT_ELEMENT" ]; then
            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
          fi
          [ -z "$EXT_NAME" ] && EXT_NAME="${GITEA_REPO}"
          NOTES=$(php /tmp/moko-platform-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null)
          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
          # Build release name: "Pretty Name VERSION (type_element-VERSION)"
          TYPE_PREFIX=""
          case "${EXT_TYPE}" in
            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
            module)    TYPE_PREFIX="mod_" ;;
            component) TYPE_PREFIX="com_" ;;
            template)  TYPE_PREFIX="tpl_" ;;
            library)   TYPE_PREFIX="lib_" ;;
            package)   TYPE_PREFIX="pkg_" ;;
          esac
          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
          # Delete existing release if present (overwrite, not append)
          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
          if [ -n "$EXISTING_ID" ]; then
            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
            echo "Deleted previous stable release (id: ${EXISTING_ID})"
          fi
          # Create fresh release
          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
            -H "Content-Type: application/json" \
            "${API_BASE}/releases" \
            -d "$(python3 -c "import json; print(json.dumps({
              'tag_name': '${RELEASE_TAG}',
              'name': '${RELEASE_NAME}',
              'body': '''## ${VERSION} ($(date +%Y-%m-%d))\n${NOTES}''',
              'target_commitish': '${BRANCH}'
            }))")"
          echo "Release created: ${RELEASE_NAME}" >> $GITHUB_STEP_SUMMARY
      # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
      - name: "Step 8: Build package and update checksum"
        if: >-
          steps.version.outputs.skip != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          REPO="${{ github.repository }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # All ZIPs upload to the major release tag (vXX)
          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
          if [ -z "$RELEASE_ID" ]; then
            echo "No release ${RELEASE_TAG} found — skipping ZIP upload"
            exit 0
          fi
          # Find extension element name from manifest
          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
          [ -z "$MANIFEST" ] && exit 0
          # Reuse element from Step 5, with same fallback chain
          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
          if [ -z "$EXT_ELEMENT" ]; then
            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
          fi
          # ZIP name: type_folder_element-VERSION (e.g. plg_system_mokojgdpc-01.01.00.zip)
          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
          TYPE_PREFIX=""
          case "${EXT_TYPE}" in
            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
            module)    TYPE_PREFIX="mod_" ;;
            component) TYPE_PREFIX="com_" ;;
            template)  TYPE_PREFIX="tpl_" ;;
            library)   TYPE_PREFIX="lib_" ;;
            package)   TYPE_PREFIX="pkg_" ;;
          esac
          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
          # -- Build install packages from src/ ----------------------------
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/"; exit 0; }
          # ZIP package (type-aware via moko-platform PHP API)
          php /tmp/moko-platform-api/cli/joomla_build.php             --path . --version "${VERSION}" --output /tmp
          # Match the expected ZIP_NAME for upload
          BUILT_ZIP=$(ls /tmp/${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip 2>/dev/null | head -1 || true)
          if [ -n "$BUILT_ZIP" ] && [ "$BUILT_ZIP" != "/tmp/${ZIP_NAME}" ]; then
            mv "$BUILT_ZIP" "/tmp/${ZIP_NAME}"
          fi
          # tar.gz package (flat source archive)
          tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR"             --exclude='.ftpignore' --exclude='sftp-config*'             --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
          ZIP_SIZE=$(stat -c%s "/tmp/${ZIP_NAME}" 2>/dev/null || stat -f%z "/tmp/${ZIP_NAME}" 2>/dev/null || echo "unknown")
          TAR_SIZE=$(stat -c%s "/tmp/${TAR_NAME}" 2>/dev/null || stat -f%z "/tmp/${TAR_NAME}" 2>/dev/null || echo "unknown")
          # -- Calculate SHA-256 for both ----------------------------------
          SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
          # -- Delete existing assets with same name before uploading ------
          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
            ASSET_ID=$(echo "$ASSETS" | python3 -c "
          import sys,json
          assets = json.load(sys.stdin)
          for a in assets:
              if a['name'] == '${ASSET_NAME}':
                  print(a['id']); break
          " 2>/dev/null || true)
            if [ -n "$ASSET_ID" ]; then
              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
            fi
          done
          # -- Upload both to release tag ----------------------------------
          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${ZIP_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"/tmp/${TAR_NAME}" \
            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
          # -- Update updates.xml with both download formats ---------------
          if [ -f "updates.xml" ]; then
            ZIP_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
            TAR_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
            # Use Python to update only the stable entry's downloads + sha256
            export PY_ZIP_URL="$ZIP_URL" PY_TAR_URL="$TAR_URL" PY_SHA="$SHA256_ZIP"
            python3 << 'PYEOF'
          import re, os
          with open("updates.xml") as f:
              content = f.read()
          zip_url = os.environ["PY_ZIP_URL"]
          tar_url = os.environ["PY_TAR_URL"]
          sha = os.environ["PY_SHA"]
          # Find the stable update block and replace its downloads + sha256
          def replace_stable(m):
              block = m.group(0)
              # Replace downloads block
              new_downloads = (
                  "    <downloads>\n"
                  f"      <downloadurl type=\"full\" format=\"zip\">{zip_url}</downloadurl>\n"
                  "    </downloads>"
              )
              block = re.sub(r'    <downloads>.*?</downloads>', new_downloads, block, flags=re.DOTALL)
              # Add or replace sha256
              if '<sha256>' in block:
                  block = re.sub(r'    <sha256>.*?</sha256>', f'    <sha256>{sha}</sha256>', block)
              else:
                  block = block.replace('</downloads>', f'</downloads>\n    <sha256>{sha}</sha256>')
              return block
          content = re.sub(
              r'  <update>.*?<tag>stable</tag>.*?</update>',
              replace_stable,
              content,
              flags=re.DOTALL
          )
          with open("updates.xml", "w") as f:
              f.write(content)
          PYEOF
            CURRENT_BRANCH="${{ github.ref_name }}"
            git add updates.xml
            git commit -m "chore(release): ZIP + tar.gz for ${VERSION} [skip ci]" \
              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
            git push || true
            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
            GA_TOKEN="${{ secrets.GA_TOKEN }}"
            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
              "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
            if [ -n "$FILE_SHA" ]; then
              CONTENT=$(base64 -w0 updates.xml)
              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
                -H "Content-Type: application/json" \
                "${API}/contents/updates.xml" \
                -d "$(jq -n \
                  --arg content "$CONTENT" \
                  --arg sha "$FILE_SHA" \
                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
                  --arg branch "main" \
                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
                )" > /dev/null 2>&1 \
                && echo "updates.xml synced to main via API" \
                || echo "WARNING: failed to sync updates.xml to main"
            else
              echo "WARNING: could not get updates.xml SHA from main"
            fi
            rm -rf /tmp/moko-platform-api
            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git
            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/moko-platform-api
            cd /tmp/moko-platform-api
            composer install --no-dev --no-interaction --quiet
            echo MOKO_CLI=/tmp/moko-platform-api/cli >> $GITHUB_ENV
          fi
-          echo "### Packages" >> $GITHUB_STEP_SUMMARY
+      - name: "Determine version bump level"
-          echo "" >> $GITHUB_STEP_SUMMARY
+        id: bump
          echo "| Package | Size | SHA-256 |" >> $GITHUB_STEP_SUMMARY
          echo "|---------|------|---------|" >> $GITHUB_STEP_SUMMARY
          echo "| \`${ZIP_NAME}\` | ${ZIP_SIZE} | \`${SHA256_ZIP}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| \`${TAR_NAME}\` | ${TAR_SIZE} | \`${SHA256_TAR}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
          echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY
      # -- STEP 8b: Update release description with changelog + SHA ----------------
      - name: "Step 8b: Update release body with changelog and SHA"
        if: steps.version.outputs.skip != 'true'
        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          # Fix/patch branches: version was already bumped by pre-release, just strip suffix
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          # Feature/dev branches: bump minor for the new stable release
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          HEAD_REF="${{ github.event.pull_request.head.ref || 'dev' }}"
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          case "$HEAD_REF" in
-          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
+            fix/*|patch/*|hotfix/*|bugfix/*) BUMP="none" ;;
-          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
+            *)                               BUMP="minor" ;;
          # Build TYPE_PREFIX to match Step 8's ZIP naming
          TYPE_PREFIX=""
          case "${EXT_TYPE}" in
            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
            module)    TYPE_PREFIX="mod_" ;;
            component) TYPE_PREFIX="com_" ;;
            template)  TYPE_PREFIX="tpl_" ;;
            library)   TYPE_PREFIX="lib_" ;;
            package)   TYPE_PREFIX="pkg_" ;;
          esac
-          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          echo "level=${BUMP}" >> "$GITHUB_OUTPUT"
-          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
+          echo "Bump level: ${BUMP} (from branch: ${HEAD_REF})"
-          # Get SHA from the built files
+      - name: "Publish stable release"
-          SHA256_ZIP=""
+        run: |
-          [ -f "/tmp/${ZIP_NAME}" ] && SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
+          BUMP_FLAG=""
-          SHA256_TAR=""
+          if [ "${{ steps.bump.outputs.level }}" != "none" ]; then
-          [ -f "/tmp/${TAR_NAME}" ] && SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
+            BUMP_FLAG="--bump ${{ steps.bump.outputs.level }}"
          fi
          php ${MOKO_CLI}/release_publish.php \
            --path . --stability stable ${BUMP_FLAG} --branch main \
            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-          # Extract latest changelog entry (strip the ## header to avoid duplicate)
+      - name: Update release notes from CHANGELOG.md
-          CHANGELOG=""
+        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Extract [Unreleased] section from changelog
          if [ -f "CHANGELOG.md" ]; then
-            CHANGELOG=$(sed -n "/^## \[*${VERSION}/,/^## \[*[0-9]/p" CHANGELOG.md | sed '$d' | sed '1d')
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
-            [ -z "$CHANGELOG" ] && CHANGELOG=$(sed -n '/^## /,/^## /p' CHANGELOG.md | sed '$d' | sed '1d' | head -30)
+            [ -z "$NOTES" ] && NOTES="Stable release"
          else
            NOTES="Stable release"
          fi
-          # Build release body (single header, no duplicate from changelog)
+          # Update release body via API
-          BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\n"
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-          if [ -n "$CHANGELOG" ]; then
+            "${API_BASE}/releases/tags/stable" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
            BODY="${BODY}${CHANGELOG}\n\n"
          fi
          BODY="${BODY}---\n\n### Checksums\n\n"
          BODY="${BODY}| File | SHA-256 |\n|------|--------|\n"
          [ -n "$SHA256_ZIP" ] && BODY="${BODY}| \`${ZIP_NAME}\` | \`${SHA256_ZIP}\` |\n"
          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
-          # Get release ID and update body
+          if [ -n "$RELEASE_ID" ]; then
          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
          if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
            python3 -c "
          import json, urllib.request
-          body = '''$(printf '%b' "$BODY")'''
+          body = open('/dev/stdin').read()
-          data = json.dumps({'body': body}).encode()
+          payload = json.dumps({'body': body}).encode()
          req = urllib.request.Request(
              '${API_BASE}/releases/${RELEASE_ID}',
-              data=data,
+              data=payload, method='PATCH',
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              headers={
-              method='PATCH'
+                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
-          )
+                  'Content-Type': 'application/json'
              })
          urllib.request.urlopen(req)
-          " 2>/dev/null && echo "Release body updated with changelog + SHA" >> $GITHUB_STEP_SUMMARY
+          " <<< "$NOTES"
            echo "Release notes updated from CHANGELOG.md"
          fi
      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
      - name: "Step 9: Mirror release to GitHub"
        if: >-
          steps.version.outputs.skip != 'true' &&
-          steps.version.outputs.stability == 'stable' &&
+          secrets.GH_MIRROR_TOKEN != ''
          secrets.GH_TOKEN != ''
        continue-on-error: true
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }}
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          MAJOR="${{ steps.version.outputs.major }}"
          BRANCH="${{ steps.version.outputs.branch }}"
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          NOTES=$(php /tmp/moko-platform-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
+          php ${MOKO_CLI}/release_mirror.php \
-          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+            --version "$VERSION" --tag "$RELEASE_TAG" \
-          echo "$NOTES" > /tmp/release_notes.md
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-
+            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+            --branch main 2>&1 || true
-
+          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
          if [ -z "$EXISTING" ]; then
            gh release create "$RELEASE_TAG" \
              --repo "$GH_REPO" \
              --title "v${MAJOR} (latest: ${VERSION})" \
              --notes-file /tmp/release_notes.md \
              --target "$BRANCH" || true
          else
            gh release edit "$RELEASE_TAG" \
              --repo "$GH_REPO" \
              --title "v${MAJOR} (latest: ${VERSION})" || true
          fi
          # Upload assets to GitHub mirror
          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
            if [ -f "$PKG" ]; then
              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
            fi
          done
          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
      - name: "Step 10: Push main to GitHub mirror"
        if: >-
          steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_MIRROR_TOKEN != ''
        continue-on-error: true
        run: |
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
          git fetch origin main --depth=1
          git push github origin/main:refs/heads/main --force 2>/dev/null \
            && echo "main branch pushed to GitHub mirror" \
            || echo "WARNING: GitHub mirror push failed"
-      # -- Clean up lesser pre-releases (cascade) ---------------------------------
+      - name: "Step 11: Delete rc branch and recreate dev from main"
      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
      - name: "Delete lesser pre-release channels"
        continue-on-error: true
        run: |
          php /tmp/moko-platform-api/cli/release_cascade.php \
            --stability stable \
            --token "${{ secrets.GA_TOKEN }}" \
            --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            --gitea-url "${GITEA_URL}" 2>/dev/null || true
      - name: "Step 11: Delete and recreate dev branch from main"
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          # Delete rc branch (ephemeral — created by promote-rc)
          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
            "${API_BASE}/branches/rc" 2>/dev/null \
            && echo "Deleted rc branch" || echo "rc branch not found"
          # Delete dev branch
          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -712,30 +284,37 @@ jobs:
            "${API_BASE}/branches" \
            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
+          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
-
+      - name: "Step 12: Create version branch from main"
-      # -- Dolibarr post-release: Reset dev version -----------------------------
+        if: steps.version.outputs.skip != 'true'
      - name: "Dolibarr: Reset dev version"
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.platform.outputs.platform == 'dolibarr' &&
          steps.platform.outputs.mod_file != ''
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
+          BRANCH_NAME="version/${VERSION}"
-          FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
+          MAIN_SHA=$(git rev-parse HEAD)
-          FILE_SHA=$(echo "$FILE_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+
-          FILE_CONTENT=$(echo "$FILE_RESP" | python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin).get('content','')).decode())" 2>/dev/null || true)
+          # Delete old version branch if it exists (same version re-release)
-          if [ -n "$FILE_SHA" ] && [ -n "$FILE_CONTENT" ]; then
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-            UPDATED=$(echo "$FILE_CONTENT" | sed "s/\$this->version = '[^']*'/\$this->version = 'development'/")
+
-            ENCODED=$(echo "$UPDATED" | base64 -w0)
+          # Create version/XX.YY.ZZ from main
-            curl -sf -X PUT -H "Authorization: token ${TOKEN}" -H "Content-Type: application/json" "${API_BASE}/contents/${ENCODED_PATH}" \
+          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-              -d "$(jq -n --arg content \"$ENCODED\" --arg sha \"$FILE_SHA\" --arg msg \"chore(version): reset dev version [skip ci]\" --arg branch \"dev\" '{content:$content,sha:$sha,message:$msg,branch:$branch}')" > /dev/null 2>&1 || true
+
-          fi
+          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
      # -- Dolibarr post-release: Reset dev version -----------------------------
      - name: "Post-release: Reset dev version"
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/version_reset_dev.php \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
            --branch dev --path . 2>&1 || true
      # -- Summary --------------------------------------------------------------
      - name: Pipeline Summary
@@ -0,0 +1,48 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.Universal
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.mokogitea/workflows/branch-cleanup.yml
 # VERSION: 01.00.00
 # BRIEF: Delete feature branches after PR merge
 name: "Branch Cleanup"
 on:
  pull_request:
    types: [closed]
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 jobs:
  cleanup:
    name: Delete merged branch
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request.merged == true &&
      github.event.pull_request.head.ref != 'dev' &&
      github.event.pull_request.head.ref != 'main'
    steps:
      - name: Delete source branch
        run: |
          BRANCH="${{ github.event.pull_request.head.ref }}"
          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API}/${ENCODED}" 2>/dev/null || true)
          if [ "$STATUS" = "204" ]; then
            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
          elif [ "$STATUS" = "404" ]; then
            echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
          else
            echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
          fi
@@ -1,213 +1,10 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# DISABLED — auto-release Step 11 recreates dev from main after every release.
-#
+# Cascade-dev is redundant and causes version conflicts when both main and dev
-# SPDX-License-Identifier: GPL-3.0-or-later
+# have different version numbers in templateDetails.xml / manifest.xml.
-#
+name: "Cascade Main → Dev (DISABLED)"
-# FILE INFORMATION
+on: workflow_dispatch
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Maintenance
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/cascade-dev.yml.template
 # VERSION: 02.00.00
 # BRIEF: Forward-merge main → all open branches after every push to main
 #
 # +========================================================================+
 # |                CASCADE MAIN → ALL BRANCHES                             |
 # +========================================================================+
 # |                                                                        |
 # |  Triggers on every push to main (PR merges, bot commits, etc.)         |
 # |                                                                        |
 # |  1. List all branches matching: dev, rc/*, beta/*, alpha/*             |
 # |  2. For each: create PR (main → branch), auto-merge if clean           |
 # |  3. On conflict: leave PR open for manual resolution                   |
 # |                                                                        |
 # +========================================================================+
 name: "Universal: Cascade Main → Dev"
 on:
  push:
    branches:
      - main
  workflow_dispatch:
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
 permissions:
  contents: write
  pull-requests: write
 jobs:
-  cascade:
+  noop:
    name: Cascade main → branches
    runs-on: ubuntu-latest
    if: >-
      !contains(github.event.head_commit.message, '[skip ci]') &&
      !contains(github.event.head_commit.message, '[skip cascade]')
    steps:
-      - name: Discover target branches
+      - run: echo "Cascade disabled — auto-release handles dev recreation"
        id: branches
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Fetch all branches (paginated)
          PAGE=1
          ALL_BRANCHES=""
          while true; do
            BATCH=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/branches?page=${PAGE}&limit=50" \
              | jq -r '.[].name // empty')
            [ -z "$BATCH" ] && break
            ALL_BRANCHES="$ALL_BRANCHES $BATCH"
            PAGE=$((PAGE + 1))
          done
          # Filter to cascade targets: dev, dev/*, rc/*, beta/*, alpha/*
          TARGETS=""
          for BRANCH in $ALL_BRANCHES; do
            case "$BRANCH" in
              dev|dev/*|rc/*|beta/*|alpha/*)
                TARGETS="$TARGETS $BRANCH"
                ;;
            esac
          done
          TARGETS=$(echo "$TARGETS" | xargs)  # trim whitespace
          if [ -z "$TARGETS" ]; then
            echo "targets=" >> "$GITHUB_OUTPUT"
            echo "ℹ️  No cascade target branches found"
          else
            echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
            COUNT=$(echo "$TARGETS" | wc -w)
            echo "📋 Found ${COUNT} target branch(es): ${TARGETS}"
          fi
      - name: Cascade to all target branches
        if: steps.branches.outputs.targets != ''
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          SHORT_SHA="${GITHUB_SHA:0:7}"
          TARGETS="${{ steps.branches.outputs.targets }}"
          SUCCESS=0
          CONFLICTS=0
          SKIPPED=0
          FAILED=0
          for BRANCH in $TARGETS; do
            echo ""
            echo "═══ main → ${BRANCH} ═══"
            # Check if branch is already up to date
            ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
            RESPONSE=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/compare/${ENCODED_BRANCH}...main")
            AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
            if [ "$AHEAD" -eq 0 ]; then
              echo "  ✅ Already up to date"
              SKIPPED=$((SKIPPED + 1))
              continue
            fi
            echo "  ℹ️  main is ${AHEAD} commit(s) ahead"
            # Check for existing cascade PR
            EXISTING=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
            EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
            PR_NUMBER=""
            if [ "$EXISTING_COUNT" -gt 0 ]; then
              PR_NUMBER=$(echo "$EXISTING" | jq -r '.[0].number')
              echo "  ℹ️  Reusing existing PR #${PR_NUMBER}"
            else
              # Create cascade PR
              PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
                -X POST \
                -H "Authorization: token ${GA_TOKEN}" \
                -H "Content-Type: application/json" \
                -d "{
                  \"title\": \"chore: cascade main → ${BRANCH} (${SHORT_SHA}) [skip ci]\",
                  \"body\": \"## Automatic cascade\\n\\nForward-merging \`main\` (${SHORT_SHA}) into \`${BRANCH}\`.\\n\\nIf conflicts exist, resolve manually and merge.\\n\\n> Auto-created by **Cascade Main → Dev**.\",
                  \"head\": \"main\",
                  \"base\": \"${BRANCH}\"
                }" \
                "${API}/pulls")
              HTTP_CODE=$(echo "$PR_RESPONSE" | tail -1)
              BODY=$(echo "$PR_RESPONSE" | sed '$d')
              PR_NUMBER=$(echo "$BODY" | jq -r '.number // empty')
              if [ "$HTTP_CODE" != "201" ] || [ -z "$PR_NUMBER" ]; then
                MSG=$(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)
                echo "  ❌ Failed to create PR (HTTP ${HTTP_CODE}): ${MSG}"
                FAILED=$((FAILED + 1))
                continue
              fi
              echo "  ✅ Created PR #${PR_NUMBER}"
            fi
            # Try auto-merge
            PR_DATA=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/pulls/${PR_NUMBER}")
            MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
            if [ "$MERGEABLE" != "true" ]; then
              echo "  ⚠️  Conflicts — PR #${PR_NUMBER} left open"
              CONFLICTS=$((CONFLICTS + 1))
              continue
            fi
            MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
              -X POST \
              -H "Authorization: token ${GA_TOKEN}" \
              -H "Content-Type: application/json" \
              -d "{
                \"Do\": \"merge\",
                \"merge_message_field\": \"chore: cascade main → ${BRANCH} [skip ci]\",
                \"delete_branch_after_merge\": false
              }" \
              "${API}/pulls/${PR_NUMBER}/merge")
            MERGE_HTTP=$(echo "$MERGE_RESPONSE" | tail -1)
            if [ "$MERGE_HTTP" = "200" ] || [ "$MERGE_HTTP" = "204" ]; then
              echo "  ✅ Merged — ${BRANCH} is in sync"
              SUCCESS=$((SUCCESS + 1))
            else
              MERGE_BODY=$(echo "$MERGE_RESPONSE" | sed '$d')
              echo "  ⚠️  Merge failed (HTTP ${MERGE_HTTP}) — PR #${PR_NUMBER} left open"
              CONFLICTS=$((CONFLICTS + 1))
            fi
          done
          # Summary
          echo ""
          echo "════════════════════════════════════════"
          echo "  ✅ Merged:    ${SUCCESS}"
          echo "  ⚠️  Conflicts: ${CONFLICTS}"
          echo "  ⏭️  Up to date: ${SKIPPED}"
          echo "  ❌ Failed:    ${FAILED}"
          echo "════════════════════════════════════════"
          if [ "$FAILED" -gt 0 ]; then
            exit 1
          fi
@@ -0,0 +1,204 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.CI
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
 # PATH: /.gitea/workflows/ci-generic.yml
 # VERSION: 01.00.00
 # BRIEF: CI pipeline — lint, validate, and test for generic projects (PHP + Node.js)
 name: "Generic: Project CI"
 on:
  push:
    branches:
      - main
      - dev
      - dev/**
      - rc/**
      - version/**
  pull_request:
    branches:
      - main
      - dev
      - dev/**
      - rc/**
  workflow_dispatch:
 permissions:
  contents: read
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 jobs:
  # ── Lint & Validate ───────────────────────────────────────────────────
  lint:
    name: Lint & Validate
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Detect toolchain
        id: detect
        run: |
          HAS_PHP=false
          HAS_NODE=false
          [ -f "composer.json" ] && HAS_PHP=true
          [ -f "package.json" ] && HAS_NODE=true
          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
          echo "Toolchain: PHP=$HAS_PHP Node=$HAS_NODE"
      - name: Setup PHP
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if ! command -v php &> /dev/null; then
            sudo apt-get update -qq
            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
          fi
          php -v
      - name: Setup Node.js
        if: steps.detect.outputs.has_node == 'true'
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install PHP dependencies
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if [ -f "composer.json" ]; then
            composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
          fi
      - name: Install Node.js dependencies
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if [ -f "package.json" ]; then
            npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true
          fi
      - name: PHP syntax check
        if: steps.detect.outputs.has_php == 'true'
        run: |
          ERRORS=0
          while IFS= read -r -d '' file; do
            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
              echo "::error file=${file}::PHP syntax error"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -not -path "./node_modules/*" -print0)
          echo "## PHP Lint" >> $GITHUB_STEP_SUMMARY
          if [ "$ERRORS" -eq 0 ]; then
            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
          else
            echo "${ERRORS} file(s) with syntax errors." >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
      - name: TypeScript/JavaScript lint
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if [ -f "node_modules/.bin/eslint" ]; then
            npx eslint src/ --quiet 2>&1 || { echo "::error::ESLint errors found"; exit 1; }
            echo "## ESLint" >> $GITHUB_STEP_SUMMARY
            echo "All files passed ESLint." >> $GITHUB_STEP_SUMMARY
          elif [ -f ".eslintrc.json" ] || [ -f ".eslintrc.js" ] || [ -f "eslint.config.js" ]; then
            echo "::warning::ESLint config found but eslint not installed"
          else
            echo "No ESLint configured — skipping"
          fi
      - name: TypeScript compile check
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if [ -f "tsconfig.json" ] && [ -f "node_modules/.bin/tsc" ]; then
            npx tsc --noEmit 2>&1 || { echo "::error::TypeScript compilation errors"; exit 1; }
            echo "## TypeScript" >> $GITHUB_STEP_SUMMARY
            echo "TypeScript compilation passed." >> $GITHUB_STEP_SUMMARY
          fi
      - name: PHPStan static analysis
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if [ -f "phpstan.neon" ] && [ -f "vendor/bin/phpstan" ]; then
            vendor/bin/phpstan analyse --no-progress 2>&1 || { echo "::warning::PHPStan found issues"; }
          fi
  # ── Tests ─────────────────────────────────────────────────────────────
  test:
    name: Tests
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Detect toolchain
        id: detect
        run: |
          HAS_PHP=false
          HAS_NODE=false
          [ -f "composer.json" ] && HAS_PHP=true
          [ -f "package.json" ] && HAS_NODE=true
          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
      - name: Setup PHP
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if ! command -v php &> /dev/null; then
            sudo apt-get update -qq
            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
          fi
      - name: Setup Node.js
        if: steps.detect.outputs.has_node == 'true'
        uses: actions/setup-node@v4
        with:
          node-version: '20'
      - name: Install dependencies
        run: |
          [ -f "composer.json" ] && composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
          [ -f "package.json" ] && { npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true; }
      - name: Run PHP tests
        if: steps.detect.outputs.has_php == 'true'
        run: |
          if [ -f "vendor/bin/phpunit" ]; then
            vendor/bin/phpunit --testdox 2>&1
            echo "## PHPUnit" >> $GITHUB_STEP_SUMMARY
            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
          elif [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
            echo "::warning::PHPUnit config found but phpunit not installed"
          else
            echo "No PHPUnit configured — skipping"
          fi
      - name: Run Node.js tests
        if: steps.detect.outputs.has_node == 'true'
        run: |
          if jq -e '.scripts.test' package.json > /dev/null 2>&1; then
            npm test 2>&1
            echo "## Node.js Tests" >> $GITHUB_STEP_SUMMARY
            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
          else
            echo "No test script in package.json — skipping"
          fi
      - name: Build check
        run: |
          if [ -f "Makefile" ]; then
            make build 2>&1 || echo "::warning::Build failed or not configured"
          elif [ -f "package.json" ] && jq -e '.scripts.build' package.json > /dev/null 2>&1; then
            npm run build 2>&1 || echo "::warning::Build failed"
          fi
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Maintenance
+# INGROUP: MokoStandards.Maintenance
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
 # PATH: /.gitea/workflows/cleanup.yml
 # VERSION: 01.00.00
 # BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Deploy
+# INGROUP: MokoStandards.Deploy
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
 # PATH: /templates/workflows/joomla/deploy-manual.yml.template
 # VERSION: 04.07.00
 # BRIEF: Manual SFTP deploy to dev server for Joomla repos
@@ -40,7 +40,7 @@ jobs:
        run: |
          php -v && composer --version
-      - name: Setup moko-platform tools
+      - name: Setup MokoStandards tools
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
@@ -48,10 +48,10 @@ jobs:
          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/moko-platform-api 2>/dev/null || true
+            /tmp/mokostandards-api 2>/dev/null || true
-          if [ -d "/tmp/moko-platform-api" ] && [ -f "/tmp/moko-platform-api/composer.json" ]; then
+          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
-            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
          fi
      - name: Check FTP configuration
@@ -101,28 +101,15 @@ jobs:
          DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
          [ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)
-          PLATFORM=$(php /tmp/moko-platform-api/cli/platform_detect.php --path . 2>/dev/null || true)
+          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/moko-platform-api/deploy/deploy-joomla.php" ]; then
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
-            php /tmp/moko-platform-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
+            php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
          else
-            php /tmp/moko-platform-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
+            php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
          fi
          rm -f /tmp/deploy_key /tmp/sftp-config.json
      - name: Post-deploy health check
        if: success() && steps.check.outputs.skip != 'true'
        run: |
          if [ -f "deploy/health-check.php" ]; then
            SITE_URL="${{ vars.DEV_SITE_URL }}"
            if [ -n "$SITE_URL" ]; then
              php deploy/health-check.php --url "$SITE_URL" --checks http --timeout 30 || echo "::warning::Health check failed after deploy"
            else
              echo "DEV_SITE_URL not configured, skipping health check"
            fi
          fi
      - name: Summary
        if: always()
        run: |
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Security
+# INGROUP: MokoStandards.Security
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
 # PATH: /templates/workflows/gitleaks.yml.template
 # VERSION: 01.00.00
 # BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
@@ -0,0 +1,73 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
 # VERSION: 01.00.00
 # BRIEF: Auto-create feature branch when an issue is opened
 name: "Universal: Issue Branch"
 on:
  issues:
    types: [opened]
 permissions:
  contents: write
  issues: write
 env:
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
 jobs:
  create-branch:
    name: Create feature branch
    runs-on: ubuntu-latest
    steps:
      - name: Create branch and comment
        run: |
          TOKEN="${{ secrets.GA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"
          # Build slug from title: lowercase, replace non-alnum with dash, trim
          SLUG=$(echo "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
          BRANCH="feature/${ISSUE_NUM}-${SLUG}"
          # Check dev branch exists
          DEV_EXISTS=$(curl -sf -o /dev/null -w '%{http_code}' \
            -H "Authorization: token ${TOKEN}" \
            "${API}/branches/dev" 2>/dev/null || echo "000")
          if [ "${DEV_EXISTS}" != "200" ]; then
            echo "No dev branch -- skipping"
            exit 0
          fi
          # Create branch from dev
          HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
            -H "Authorization: token ${TOKEN}" \
            -H "Content-Type: application/json" \
            "${API}/branches" \
            -d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"dev\"}" 2>/dev/null || echo "000")
          if [ "${HTTP}" = "201" ]; then
            echo "Created branch: ${BRANCH}"
            # Comment on issue with branch link
            REPO_URL="${GITEA_URL}/${{ github.repository }}"
            BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
            curl -sf -X POST \
              -H "Authorization: token ${TOKEN}" \
              -H "Content-Type: application/json" \
              "${API}/issues/${ISSUE_NUM}/comments" \
              -d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
            echo "Commented on issue #${ISSUE_NUM}"
          else
            echo "Failed to create branch (HTTP ${HTTP}) -- may already exist"
          fi
@@ -88,15 +88,17 @@ jobs:
      # ── Version ──────────────────────────────────────────────────────
      - name: Setup MokoStandards tools
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
        run: |
-          git clone --depth 1 --branch version/04 --quiet \
+          if [ -d /opt/mokoplatform/api/cli ] && [ -f /opt/mokoplatform/vendor/autoload.php ]; then
-            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
+            ln -sf /opt/mokoplatform /tmp/mokostandards
-            /tmp/mokostandards
+            echo "Using pre-installed /opt/mokoplatform"
-          cd /tmp/mokostandards
+          elif [ -d /opt/moko-platform/api/cli ]; then
-          composer install --no-dev --no-interaction --quiet
+            ln -sf /opt/moko-platform /tmp/mokostandards
            echo "Using pre-installed /opt/moko-platform"
          else
            echo "::warning::MokoStandards tools not found on runner"
            echo "MOKO_SKIP=true" >> "$GITHUB_ENV"
          fi
      - name: Read version from README.md
        id: version
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Notifications
+# INGROUP: MokoStandards.Notifications
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
 # PATH: /.gitea/workflows/notify.yml
 # VERSION: 01.00.00
 # BRIEF: Push notifications via ntfy on release success or workflow failure
@@ -0,0 +1,54 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 # SPDX-License-Identifier: GPL-3.0-or-later
 name: "Publish to npm"
 on:
  push:
    branches:
      - main
  workflow_dispatch:
 jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'
      - name: Install dependencies
        run: npm install
      - name: Build
        run: npm run build
      - name: Auto-bump patch version
        run: |
          PKG_NAME=$(node -p "require('./package.json').name")
          CURRENT=$(node -p "require('./package.json').version")
          PUBLISHED=$(npm view "${PKG_NAME}@latest" version 2>/dev/null || echo "0.0.0")
          if [ "$CURRENT" = "$PUBLISHED" ]; then
            npm version patch --no-git-tag-version
            NEW_VER=$(node -p "require('./package.json').version")
            echo "Bumped ${CURRENT} -> ${NEW_VER}"
            git config user.name "github-actions[bot]"
            git config user.email "github-actions[bot]@users.noreply.github.com"
            git add package.json
            git commit -m "chore: bump to ${NEW_VER} [skip ci]"
            git push
          else
            echo "Version ${CURRENT} not yet published, using as-is."
          fi
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Publish
        run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -7,7 +7,7 @@
 # INGROUP: moko-platform.CI
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/universal/pr-check.yml.template
-# VERSION: 05.00.00
+# VERSION: 09.23.00
 # BRIEF: PR gate — branch policy + code validation before merge
 name: "Universal: PR Check"
@@ -52,22 +52,22 @@ jobs:
                REASON="Fix branches must target 'dev', not '${BASE}'"
              fi
              ;;
            patch/*)
              if [ "$BASE" != "dev" ] && [ "$BASE" != "rc" ]; then
                ALLOWED=false
                REASON="Patch branches must target 'dev' or 'rc', not '${BASE}'"
              fi
              ;;
            hotfix/*)
              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
                ALLOWED=false
                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
              fi
              ;;
-            alpha/*|beta/*)
+            rc)
              if [ "$BASE" != "dev" ]; then
                ALLOWED=false
                REASON="Pre-release branches must target 'dev', not '${BASE}'"
              fi
              ;;
            rc/*)
              if [ "$BASE" != "main" ]; then
                ALLOWED=false
-                REASON="Release candidate branches must target 'main', not '${BASE}'"
+                REASON="RC branch can only merge into 'main', not '${BASE}'"
              fi
              ;;
            dev)
@@ -105,6 +105,19 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check for merge conflict markers
        run: |
          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
          if [ -n "$CONFLICTS" ]; then
            echo "::error::Merge conflict markers found in source files"
            echo "## Conflict Markers Found" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "No conflict markers found"
      - name: Detect platform
        id: platform
        run: |
@@ -134,6 +147,98 @@ jobs:
          echo "PHP lint: ${ERRORS} error(s)"
          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
      - name: Joomla JEXEC guard check
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          ERRORS=0
          while IFS= read -r -d '' file; do
            # Skip vendor, node_modules, and index.html stub files
            case "$file" in ./vendor/*|./node_modules/*) continue ;; esac
            # Check first 10 lines for JEXEC or JPATH guard
            if ! head -20 "$file" | grep -qE "defined\s*\(\s*['\"](_JEXEC|JPATH_BASE|\\\\JPATH_PLATFORM)['\"]"; then
              echo "::error file=${file}::Missing JEXEC guard: ${file}"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name "*.php" -path "*/src/*" -not -path "./.git/*" -not -path "./vendor/*" -print0)
          if [ "$ERRORS" -gt 0 ]; then
            echo "::error::${ERRORS} PHP file(s) missing defined('_JEXEC') or die guard"
            echo "## JEXEC Guard Check: Failed" >> $GITHUB_STEP_SUMMARY
            echo "${ERRORS} file(s) in src/ are missing the Joomla execution guard." >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "JEXEC guard: OK"
      - name: Joomla directory listing protection
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          MISSING=0
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && exit 0
          while IFS= read -r dir; do
            if [ ! -f "${dir}/index.html" ]; then
              echo "::warning::Missing index.html in ${dir} (directory listing protection)"
              MISSING=$((MISSING + 1))
            fi
          done < <(find "$SOURCE_DIR" -type d -not -path "./.git/*" -not -path "*/vendor/*" -not -path "*/node_modules/*")
          if [ "$MISSING" -gt 0 ]; then
            echo "## Directory Protection" >> $GITHUB_STEP_SUMMARY
            echo "${MISSING} director(ies) missing index.html" >> $GITHUB_STEP_SUMMARY
          fi
          echo "Directory protection: ${MISSING} missing (advisory)"
      - name: Joomla script file and asset checks
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          ERRORS=0
          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
          [ -z "$MANIFEST" ] && exit 0
          MANIFEST_DIR=$(dirname "$MANIFEST")
          # Check scriptfile exists if declared
          SCRIPTFILE=$(sed -n 's/.*<scriptfile>\([^<]*\)<\/scriptfile>.*/\1/p' "$MANIFEST" 2>/dev/null)
          if [ -n "$SCRIPTFILE" ]; then
            if [ ! -f "${MANIFEST_DIR}/${SCRIPTFILE}" ]; then
              echo "::error::Manifest declares <scriptfile>${SCRIPTFILE}</scriptfile> but file not found at ${MANIFEST_DIR}/${SCRIPTFILE}"
              ERRORS=$((ERRORS + 1))
            else
              echo "Script file: ${MANIFEST_DIR}/${SCRIPTFILE} (OK)"
            fi
          fi
          # Require joomla.asset.json and validate it
          ASSET_JSON=$(find "$MANIFEST_DIR" -name "joomla.asset.json" -not -path "./.git/*" 2>/dev/null | head -1)
          if [ -z "$ASSET_JSON" ]; then
            echo "::error::joomla.asset.json not found — Joomla asset system is required"
            ERRORS=$((ERRORS + 1))
          else
            if command -v php &> /dev/null; then
              php -r "json_decode(file_get_contents('$ASSET_JSON')); if(json_last_error()!==JSON_ERROR_NONE){echo json_last_error_msg();exit(1);}" 2>&1 || {
                echo "::error::joomla.asset.json is not valid JSON"
                ERRORS=$((ERRORS + 1))
              }
            fi
            echo "joomla.asset.json: valid"
          fi
          # Validate all XML files in src/ are well-formed
          XML_ERRORS=0
          if command -v php &> /dev/null; then
            while IFS= read -r -d '' xmlfile; do
              if ! php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$xmlfile'); if(!\$x){foreach(libxml_get_errors() as \$e) echo trim(\$e->message) . ' in $xmlfile'; exit(1);}" 2>&1; then
                XML_ERRORS=$((XML_ERRORS + 1))
              fi
            done < <(find "$MANIFEST_DIR" -name "*.xml" -not -path "./.git/*" -print0)
          fi
          if [ "$XML_ERRORS" -gt 0 ]; then
            echo "::error::${XML_ERRORS} XML file(s) are malformed"
            ERRORS=$((ERRORS + 1))
          else
            echo "XML well-formedness: OK"
          fi
          [ "$ERRORS" -gt 0 ] && exit 1
          echo "Joomla asset checks: OK"
      - name: Validate platform manifest
        run: |
          PLATFORM="${{ steps.platform.outputs.platform }}"
@@ -151,6 +256,13 @@ jobs:
              for ELEMENT in name version description; do
                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
              done
              # Block legacy raw/branch update server URLs on MokoGitea
              RAW_URLS=$(grep -n 'raw/branch' "$MANIFEST" | grep -i 'mokoconsulting\|mokogitea\|git\.mokoconsulting\.tech' || true)
              if [ -n "$RAW_URLS" ]; then
                echo "::error::Manifest contains legacy raw/branch update server URL on MokoGitea. Use the Gitea Pages URL instead (e.g. /{REPO}/updates.xml not /{REPO}/raw/branch/main/updates.xml)"
                echo "$RAW_URLS"
                exit 1
              fi
              echo "Joomla manifest valid"
              ;;
            dolibarr)
@@ -183,6 +295,160 @@ jobs:
              ;;
          esac
      - name: Validate Joomla language files
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          ERRORS=0
          WARNINGS=0
          # Require both en-GB and en-US language directories
          LANG_ROOT=$(find . -path "*/language" -type d -not -path "./.git/*" 2>/dev/null | head -1)
          if [ -z "$LANG_ROOT" ]; then
            echo "No language/ directory found — skipping"
            exit 0
          fi
          if [ ! -d "$LANG_ROOT/en-GB" ]; then
            echo "::error::Missing en-GB language directory (${LANG_ROOT}/en-GB)"
            ERRORS=$((ERRORS + 1))
          fi
          if [ ! -d "$LANG_ROOT/en-US" ]; then
            echo "::error::Missing en-US language directory (${LANG_ROOT}/en-US)"
            ERRORS=$((ERRORS + 1))
          fi
          # Check that en-GB and en-US have matching .ini files
          if [ -d "$LANG_ROOT/en-GB" ] && [ -d "$LANG_ROOT/en-US" ]; then
            for GB_INI in "$LANG_ROOT/en-GB"/*.ini; do
              [ ! -f "$GB_INI" ] && continue
              US_INI="$LANG_ROOT/en-US/$(basename "$GB_INI")"
              if [ ! -f "$US_INI" ]; then
                echo "::error::$(basename "$GB_INI") exists in en-GB but missing from en-US"
                ERRORS=$((ERRORS + 1))
              fi
            done
            for US_INI in "$LANG_ROOT/en-US"/*.ini; do
              [ ! -f "$US_INI" ] && continue
              GB_INI="$LANG_ROOT/en-GB/$(basename "$US_INI")"
              if [ ! -f "$GB_INI" ]; then
                echo "::error::$(basename "$US_INI") exists in en-US but missing from en-GB"
                ERRORS=$((ERRORS + 1))
              fi
            done
          fi
          # Find all .ini language files
          INI_FILES=$(find . -path "*/language/*/*.ini" -not -path "./.git/*" 2>/dev/null)
          if [ -z "$INI_FILES" ]; then
            echo "No .ini language files found"
            [ "$ERRORS" -gt 0 ] && exit 1
            exit 0
          fi
          echo "Found $(echo "$INI_FILES" | wc -l) language file(s)"
          for FILE in $INI_FILES; do
            FNAME=$(basename "$FILE")
            LINENUM=0
            SEEN_KEYS=""
            while IFS= read -r line || [ -n "$line" ]; do
              LINENUM=$((LINENUM + 1))
              # Skip empty lines and comments
              [ -z "$line" ] && continue
              echo "$line" | grep -qE '^\s*;' && continue
              echo "$line" | grep -qE '^\s*$' && continue
              # Must match KEY="VALUE" format
              if ! echo "$line" | grep -qE '^[A-Z_][A-Z0-9_]*=".*"$'; then
                echo "::error file=${FILE},line=${LINENUM}::Malformed line: ${line}"
                ERRORS=$((ERRORS + 1))
                continue
              fi
              # Extract key and check for duplicates
              KEY=$(echo "$line" | sed 's/=.*//')
              if echo "$SEEN_KEYS" | grep -qx "$KEY"; then
                echo "::error file=${FILE},line=${LINENUM}::Duplicate key: ${KEY}"
                ERRORS=$((ERRORS + 1))
              fi
              SEEN_KEYS="${SEEN_KEYS}
          ${KEY}"
            done < "$FILE"
            echo "  ${FILE}: checked ${LINENUM} lines"
          done
          # Cross-check en-GB vs en-US key consistency
          GB_DIR=$(find . -path "*/language/en-GB" -type d -not -path "./.git/*" 2>/dev/null | head -1)
          US_DIR=$(find . -path "*/language/en-US" -type d -not -path "./.git/*" 2>/dev/null | head -1)
          if [ -n "$GB_DIR" ] && [ -n "$US_DIR" ]; then
            for GB_FILE in "$GB_DIR"/*.ini; do
              [ ! -f "$GB_FILE" ] && continue
              FNAME=$(basename "$GB_FILE")
              US_FILE="$US_DIR/$FNAME"
              [ ! -f "$US_FILE" ] && continue
              GB_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$GB_FILE" 2>/dev/null | sort)
              US_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$US_FILE" 2>/dev/null | sort)
              # Keys in en-GB but not en-US
              MISSING_US=$(comm -23 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
              if [ -n "$MISSING_US" ]; then
                echo "::warning::Keys in en-GB/$FNAME but missing from en-US/$FNAME:"
                echo "$MISSING_US" | while read -r k; do echo "  - $k"; done
                WARNINGS=$((WARNINGS + 1))
              fi
              # Keys in en-US but not en-GB
              MISSING_GB=$(comm -13 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
              if [ -n "$MISSING_GB" ]; then
                echo "::warning::Keys in en-US/$FNAME but missing from en-GB/$FNAME:"
                echo "$MISSING_GB" | while read -r k; do echo "  - $k"; done
                WARNINGS=$((WARNINGS + 1))
              fi
            done
          fi
          {
            echo "### Language File Validation"
            echo "| Metric | Count |"
            echo "|---|---|"
            echo "| Files checked | $(echo "$INI_FILES" | wc -l) |"
            echo "| Errors | ${ERRORS} |"
            echo "| Warnings | ${WARNINGS} |"
          } >> $GITHUB_STEP_SUMMARY
          if [ "$ERRORS" -gt 0 ]; then
            echo "::error::Language validation failed with ${ERRORS} error(s)"
            exit 1
          fi
          echo "Language files: OK (${WARNINGS} warning(s))"
      - name: Check changelog has unreleased entry
        run: |
          if [ ! -f "CHANGELOG.md" ]; then
            echo "::warning::No CHANGELOG.md found"
            exit 0
          fi
          # Check for content under [Unreleased] section
          if ! grep -q "## \[Unreleased\]" CHANGELOG.md; then
            echo "::error::CHANGELOG.md missing [Unreleased] section"
            exit 1
          fi
          # Check there's at least one entry (Added/Changed/Fixed/Removed) under Unreleased
          UNRELEASED_CONTENT=$(sed -n '/## \[Unreleased\]/,/## \[/p' CHANGELOG.md | grep -cE '^\s*-\s' || true)
          if [ "$UNRELEASED_CONTENT" -eq 0 ]; then
            echo "::error::CHANGELOG.md [Unreleased] section has no entries. Add a changelog entry describing your changes."
            echo "## Changelog Check: Failed" >> $GITHUB_STEP_SUMMARY
            echo "The \`[Unreleased]\` section in CHANGELOG.md has no entries." >> $GITHUB_STEP_SUMMARY
            echo "Add a line like \`- Description of your change\` under a heading (\`### Added\`, \`### Changed\`, \`### Fixed\`, etc.)" >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "Changelog: ${UNRELEASED_CONTENT} entry/entries in [Unreleased]"
      - name: Verify package source
        run: |
          SOURCE_DIR="src"
@@ -194,3 +460,49 @@ jobs:
          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
          echo "Source: ${FILE_COUNT} files"
          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
  # ── Pre-Release RC Build ─────────────────────────────────────────────────
  pre-release:
    name: Build RC Package
    runs-on: ubuntu-latest
    needs: [branch-policy, validate]
    steps:
      - name: Trigger RC pre-release
        env:
          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.head_ref }}
          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
        run: |
          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
  # ── Issue Reporter ──────────────────────────────────────────────────────
  report-issues:
    name: Report Issues
    runs-on: ubuntu-latest
    needs: [branch-policy, validate]
    if: >-
      always() &&
      needs.validate.result == 'failure'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          sparse-checkout: automation/ci-issue-reporter.sh
          sparse-checkout-cone-mode: false
      - name: "File issue for PR validation failure"
        env:
          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
        run: |
          chmod +x automation/ci-issue-reporter.sh
          ./automation/ci-issue-reporter.sh \
            --gate "PR Validation" \
            --workflow "PR Check" \
            --severity error \
            --details "PR validation failed (syntax, manifest, changelog, or source checks). See the CI run for the specific check that failed."
@@ -7,240 +7,5 @@
 # INGROUP: moko-platform.Release
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 05.00.00
+# VERSION: 05.01.00
-# BRIEF: Manual pre-release — builds dev/alpha/beta/rc packages from any branch
+# BRIEF: Auto pre-release on push to dev/alpha/beta/rc branches
 name: "Universal: Pre-Release"
 on:
  workflow_dispatch:
    inputs:
      stability:
        description: 'Pre-release channel'
        required: true
        type: choice
        options:
          - development
          - alpha
          - beta
          - release-candidate
 permissions:
  contents: write
 env:
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
 jobs:
  build:
    name: "Build Pre-Release (${{ inputs.stability }})"
    runs-on: release
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          token: ${{ secrets.GA_TOKEN }}
      - name: Setup PHP
        run: |
          if ! command -v php &> /dev/null; then
            sudo apt-get update -qq
            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl >/dev/null 2>&1
          fi
      - name: Setup moko-platform tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
        run: |
          git clone --depth 1 --branch main --quiet             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git"             /tmp/moko-platform-api
      - name: Detect platform
        id: platform
        run: |
          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
      - name: Resolve metadata
        id: meta
        run: |
          STABILITY="${{ inputs.stability }}"
          MOKO_API="/tmp/moko-platform-api/cli"
          case "$STABILITY" in
            development)        SUFFIX="-dev";   TAG="development" ;;
            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
            beta)               SUFFIX="-beta";  TAG="beta" ;;
            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
          esac
          # Bump patch version
          BUMP_OUTPUT=$(php ${MOKO_API}/version_bump.php --path .)
          VERSION=$(echo "$BUMP_OUTPUT" | grep -oP '\d{2}\.\d{2}\.\d{2}$' || true)
          [ -z "$VERSION" ] && VERSION=$(php ${MOKO_API}/version_read.php --path .)
          echo "Version: ${VERSION}"
          # Update platform-specific manifest
          php ${MOKO_API}/version_set_platform.php --path . --version "${VERSION}"
          # Commit version bump
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): bump to ${VERSION} [skip ci]"
            git push origin HEAD 2>&1
          }
          # Detect element from Joomla/Dolibarr manifest
          PLATFORM="${{ steps.platform.outputs.platform }}"
          EXT_ELEMENT=$(php ${MOKO_API}/manifest_read.php --path . --field name 2>/dev/null | tr -d ' ' | tr '[:upper:]' '[:lower:]' || true)
          # For Joomla, prefer <element> tag
          if [ "$PLATFORM" = "joomla" ]; then
            MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
            if [ -n "$MANIFEST" ]; then
              ELEM=$(grep -oP "<element>\K[^<]+" "$MANIFEST" 2>/dev/null | head -1)
              [ -n "$ELEM" ] && EXT_ELEMENT="$ELEM"
            fi
          fi
          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
          ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
      - name: Build package
        id: zip
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          SUFFIX="${{ steps.meta.outputs.suffix }}"
          PLATFORM="${{ steps.platform.outputs.platform }}"
          if [ "$PLATFORM" = "joomla" ]; then
            php /tmp/moko-platform-api/cli/joomla_build.php               --path . --version "${VERSION}" --suffix "${SUFFIX}"               --output build --github-output
          else
            # Generic build: zip src/ directory
            SOURCE_DIR="src"
            [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
            [ ! -d "$SOURCE_DIR" ] && { echo "::error::No src/ or htdocs/"; exit 1; }
            EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
            ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
            mkdir -p build
            cd "$SOURCE_DIR" && zip -r "../build/${ZIP_NAME}" . && cd ..
            SHA256=$(sha256sum "build/${ZIP_NAME}" | cut -d' ' -f1)
            echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
            echo "zip_path=build/${ZIP_NAME}" >> "$GITHUB_OUTPUT"
            echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
          fi
      - name: Create or replace Gitea release
        id: release
        continue-on-error: true
        run: |
          TAG="${{ steps.meta.outputs.tag }}"
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          SHA256="${{ steps.zip.outputs.sha256 }}"
          ZIP_NAME="${{ steps.zip.outputs.zip_name }}"
          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
          TOKEN="${{ secrets.GA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          BRANCH=$(git branch --show-current)
          BODY="## ${VERSION} ($(date +%Y-%m-%d))
          **Channel:** ${STABILITY}
          **SHA-256:** \`${SHA256}\`"
          # Delete existing release
          EXISTING_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
            "${API}/releases/tags/${TAG}" | jq -r '.id // empty' 2>/dev/null)
          if [ -n "$EXISTING_ID" ]; then
            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
              "${API}/releases/${EXISTING_ID}" 2>/dev/null || true
            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
              "${API}/tags/${TAG}" 2>/dev/null || true
          fi
          # Create release
          RELEASE_ID=$(curl -sS -X POST -H "Authorization: token ${TOKEN}" \
            -H "Content-Type: application/json" \
            "${API}/releases" \
            -d "$(jq -n \
              --arg tag "$TAG" \
              --arg target "$BRANCH" \
              --arg name "${EXT_ELEMENT} ${VERSION} (${STABILITY})" \
              --arg body "$BODY" \
              '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, prerelease: true}'
            )" | jq -r '.id')
          echo "release_id=${RELEASE_ID}" >> "$GITHUB_OUTPUT"
          # Upload ZIP
          curl -sS -X POST -H "Authorization: token ${TOKEN}" \
            -H "Content-Type: application/octet-stream" \
            "${API}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" \
            --data-binary "@${{ steps.zip.outputs.zip_path }}"
          echo "Released: ${EXT_ELEMENT} ${VERSION} (${STABILITY})"
      - name: "Update updates.xml"
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          SHA256="${{ steps.zip.outputs.sha256 }}"
          php /tmp/moko-platform-api/cli/updates_xml_build.php             --path . --version "$VERSION" --stability "$STABILITY"             --sha "$SHA256"             --gitea-url "$GITEA_URL" --org "$GITEA_ORG" --repo "$GITEA_REPO"
          if ! git diff --quiet updates.xml 2>/dev/null; then
            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
            git config --local user.name "gitea-actions[bot]"
            git add updates.xml
            git commit -m "chore: update $STABILITY channel $VERSION [skip ci]"
            git push origin HEAD 2>&1 || echo "WARNING: push failed"
          fi
      - name: "Sync updates.xml to all branches"
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          php /tmp/moko-platform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.GA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
      - name: "Delete lesser pre-release channels (cascade)"
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.GA_TOKEN }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing
          case "$STABILITY" in
            release-candidate) TAGS_TO_DELETE="beta alpha development" ;;
            beta)              TAGS_TO_DELETE="alpha development" ;;
            alpha)             TAGS_TO_DELETE="development" ;;
            *)                 TAGS_TO_DELETE="" ;;
          esac
          [ -z "$TAGS_TO_DELETE" ] && exit 0
          for TAG in $TAGS_TO_DELETE; do
            RELEASE_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
              "${API_BASE}/releases/tags/${TAG}" 2>/dev/null | \
              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
                "${API_BASE}/releases/${RELEASE_ID}" 2>/dev/null || true
              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
                "${API_BASE}/tags/${TAG}" 2>/dev/null || true
              echo "Deleted: ${TAG} (id: ${RELEASE_ID})"
            fi
          done
@@ -10,8 +10,8 @@
 # INGROUP: moko-platform.Validation
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/joomla/repo_health.yml.template
-# VERSION: 04.06.00
+# VERSION: 09.23.00
-# BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts.
+# BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
 # ============================================================================
 name: "Generic: Repo Health"
@@ -24,13 +24,12 @@ on:
  workflow_dispatch:
    inputs:
      profile:
-        description: 'Validation profile: all, release, scripts, or repo'
+        description: 'Validation profile: all, scripts, or repo'
        required: true
        default: all
        type: choice
        options:
          - all
          - release
          - scripts
          - repo
  pull_request:
@@ -40,16 +39,12 @@ permissions:
  contents: read
 env:
  # Release policy - Repository Variables Only
  RELEASE_REQUIRED_REPO_VARS: RS_FTP_PATH_SUFFIX
  RELEASE_OPTIONAL_REPO_VARS: DEV_FTP_SUFFIX
  # Scripts governance policy
  SCRIPTS_REQUIRED_DIRS:
  SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
  # Repo health policy
-  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.gitea/workflows/
+  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.mokogitea/workflows/
  REPO_OPTIONAL_FILES: SECURITY.md,GOVERNANCE.md,.editorconfig,.gitattributes,.gitignore,README.md,docs/
  REPO_DISALLOWED_DIRS:
  REPO_DISALLOWED_FILES: TODO.md,todo.md
@@ -60,7 +55,7 @@ env:
  # File / directory variables
  DOCS_INDEX: docs/docs-index.md
  SCRIPT_DIR: scripts
-  WORKFLOWS_DIR: .gitea/workflows
+  WORKFLOWS_DIR: .mokogitea/workflows
  SHELLCHECK_PATTERN: '*.sh'
  SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
@@ -81,7 +76,7 @@ jobs:
      - name: Check actor permission (admin only)
        id: perm
        env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}
        run: |
@@ -138,101 +133,6 @@ jobs:
          printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
          exit 1
  release_config:
    name: Release configuration
    needs: access_check
    if: ${{ needs.access_check.outputs.allowed == 'true' }}
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - name: Guardrails release vars
        env:
          PROFILE_RAW: ${{ github.event.inputs.profile }}
          RS_FTP_PATH_SUFFIX: ${{ vars.RS_FTP_PATH_SUFFIX }}
          DEV_FTP_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
        run: |
          set -euo pipefail
          profile="${PROFILE_RAW:-all}"
          case "${profile}" in
            all|release|scripts|repo) ;;
            *)
              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
              exit 1
              ;;
          esac
          if [ "${profile}" = 'scripts' ] || [ "${profile}" = 'repo' ]; then
            {
              printf '%s\n' '### Release configuration (Repository Variables)'
              printf '%s\n' "Profile: ${profile}"
              printf '%s\n' 'Status: SKIPPED'
              printf '%s\n' 'Reason: profile excludes release validation'
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
            exit 0
          fi
          IFS=',' read -r -a required <<< "${RELEASE_REQUIRED_REPO_VARS}"
          IFS=',' read -r -a optional <<< "${RELEASE_OPTIONAL_REPO_VARS}"
          missing=()
          missing_optional=()
          for k in "${required[@]}"; do
            v="${!k:-}"
            [ -z "${v}" ] && missing+=("${k}")
          done
          for k in "${optional[@]}"; do
            v="${!k:-}"
            [ -z "${v}" ] && missing_optional+=("${k}")
          done
          {
            printf '%s\n' '### Release configuration (Repository Variables)'
            printf '%s\n' "Profile: ${profile}"
            printf '%s\n' '| Variable | Status |'
            printf '%s\n' '|---|---|'
            printf '%s\n' "| RS_FTP_PATH_SUFFIX | ${RS_FTP_PATH_SUFFIX:-NOT SET} |"
            printf '%s\n' "| DEV_FTP_SUFFIX | ${DEV_FTP_SUFFIX:-NOT SET} |"
            printf '\n'
          } >> "${GITHUB_STEP_SUMMARY}"
          if [ "${#missing_optional[@]}" -gt 0 ]; then
            {
              printf '%s\n' '### Missing optional repository variables'
              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
          fi
          if [ "${#missing[@]}" -gt 0 ]; then
            {
              printf '%s\n' '### Missing required repository variables'
              for m in "${missing[@]}"; do printf '%s\n' "- ${m}"; done
              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository variables.'
            } >> "${GITHUB_STEP_SUMMARY}"
            exit 1
          fi
          {
            printf '%s\n' '### Repository variables validation result'
            printf '%s\n' 'Status: OK'
            printf '%s\n' 'All required repository variables present.'
            printf '%s\n' ''
            printf '%s\n' '**Note**: Organization secrets (RS_FTP_HOST, RS_FTP_USER, etc.) are validated at deployment time, not in repository health checks.'
            printf '\n'
          } >> "${GITHUB_STEP_SUMMARY}"
  scripts_governance:
    name: Scripts governance
    needs: access_check
@@ -256,14 +156,14 @@ jobs:
          profile="${PROFILE_RAW:-all}"
          case "${profile}" in
-            all|release|scripts|repo) ;;
+            all|scripts|repo) ;;
            *)
              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
              exit 1
              ;;
          esac
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'repo' ]; then
+          if [ "${profile}" = 'repo' ]; then
            {
              printf '%s\n' '### Scripts governance'
              printf '%s\n' "Profile: ${profile}"
@@ -370,14 +270,14 @@ jobs:
          profile="${PROFILE_RAW:-all}"
          case "${profile}" in
-            all|release|scripts|repo) ;;
+            all|scripts|repo) ;;
            *)
              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
              exit 1
              ;;
          esac
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'scripts' ]; then
+          if [ "${profile}" = 'scripts' ]; then
            {
              printf '%s\n' '### Repository health'
              printf '%s\n' "Profile: ${profile}"
@@ -704,7 +604,7 @@ jobs:
            printf '%s\n' '| Domain | Status | Notes |'
            printf '%s\n' '|---|---|---|'
            printf '%s\n' '| Access control | OK | Admin-only execution gate |'
-            printf '%s\n' '| Release variables | OK | Repository variables validation |'
+            printf '%s\n' '| Release policy | N/A | Releases handled by MokoGitea |'
            printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
            printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
            printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
@@ -767,3 +667,45 @@ jobs:
          echo "### Site Health" >> $GITHUB_STEP_SUMMARY
          echo "Uptime and SSL checks completed." >> $GITHUB_STEP_SUMMARY
  # ═══════════════════════════════════════════════════════════════════════
  # Issue Reporter — file issues for failed gates
  # ═══════════════════════════════════════════════════════════════════════
  report-issues:
    name: "Report Issues"
    runs-on: ubuntu-latest
    needs: [access_check, scripts_governance, repo_health]
    if: >-
      always() &&
      (needs.scripts_governance.result == 'failure' ||
       needs.repo_health.result == 'failure')
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          sparse-checkout: automation/ci-issue-reporter.sh
          sparse-checkout-cone-mode: false
      - name: "File issues for failed gates"
        env:
          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
        run: |
          chmod +x automation/ci-issue-reporter.sh
          REPORTER="./automation/ci-issue-reporter.sh"
          WF="Repo Health"
          report_gate() {
            local gate="$1" result="$2" details="$3"
            if [ "$result" = "failure" ]; then
              "$REPORTER" --gate "$gate" --details "$details" --workflow "$WF" --severity error
            fi
          }
          report_gate "Scripts Governance" \
            "${{ needs.scripts_governance.result }}" \
            "Scripts directory policy violations detected. Review required and allowed directories."
          report_gate "Repository Health" \
            "${{ needs.repo_health.result }}" \
            "Repository health checks failed — missing required artifacts, disallowed files, or content warnings. Check the CI run summary."
@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Security
+# INGROUP: MokoStandards.Security
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
 # PATH: /.gitea/workflows/security-audit.yml
 # VERSION: 01.00.00
 # BRIEF: Dependency vulnerability scanning for composer and npm packages
@@ -80,19 +80,3 @@ jobs:
            -H "Priority: high" \
            -d "Security audit found vulnerabilities. Review dependency updates." \
            "${NTFY_URL}/${NTFY_TOPIC}" || true
      - name: Joomla version audit
        if: always()
        run: |
          if [ -f "monitoring/joomla-version-audit.php" ] && [ -n "$JOOMLA_SITES" ]; then
            echo "$JOOMLA_SITES" > /tmp/sites.json
            php monitoring/joomla-version-audit.php --sites /tmp/sites.json || true
            echo "### Joomla Version Audit" >> $GITHUB_STEP_SUMMARY
            rm -f /tmp/sites.json
          else
            echo "Joomla audit skipped (no script or JOOMLA_SITES_JSON not configured)"
          fi
        env:
          JOOMLA_SITES: ${{ vars.JOOMLA_SITES_JSON }}
@@ -47,22 +47,19 @@ jobs:
          token: ${{ secrets.GH_TOKEN || github.token }}
          fetch-depth: 0
      - name: Set up PHP
        uses: shivammathur/setup-php@fcafdd6392932010c2bd5094439b8e33be2a8a09 # v2.37.0
        with:
          php-version: '8.1'
          tools: composer
      - name: Setup MokoStandards tools
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
        run: |
-          git clone --depth 1 --branch version/04 --quiet \
+          # Use pre-installed mokoplatform on runner host (symlink /opt/mokoplatform -> /opt/moko-platform)
-            "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
+          if [ -d /opt/mokoplatform/api/cli ] && [ -f /opt/mokoplatform/vendor/autoload.php ]; then
-            /tmp/mokostandards
+            ln -sf /opt/mokoplatform /tmp/mokostandards
-          cd /tmp/mokostandards
+            echo "Using pre-installed /opt/mokoplatform"
-          composer install --no-dev --no-interaction --quiet
+          elif [ -d /opt/moko-platform/api/cli ]; then
            ln -sf /opt/moko-platform /tmp/mokostandards
            echo "Using pre-installed /opt/moko-platform"
          else
            echo "::warning::MokoStandards tools not found on runner - skipping"
            echo "MOKO_SKIP=true" >> "$GITHUB_ENV"
          fi
      - name: Auto-bump patch version
        if: ${{ github.event_name == 'push' && github.actor != 'github-actions[bot]' }}
@@ -0,0 +1,312 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Universal
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /templates/workflows/update-server.yml
 # VERSION: 05.00.00
 # BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
 #
 # Thin wrapper around moko-platform CLI tools.
 # Builds packages, updates updates.xml, and optionally deploys via SFTP.
 #
 # Joomla filters update entries by the user's "Minimum Stability" setting.
 name: "Update Server"
 on:
  push:
    branches:
      - 'dev'
      - 'dev/**'
      - 'alpha/**'
      - 'beta/**'
      - 'rc/**'
    paths:
      - 'src/**'
      - 'htdocs/**'
  pull_request:
    types: [closed]
    branches:
      - 'dev'
      - 'dev/**'
      - 'alpha/**'
      - 'beta/**'
      - 'rc/**'
    paths:
      - 'src/**'
      - 'htdocs/**'
  workflow_dispatch:
    inputs:
      stability:
        description: 'Stability tag'
        required: true
        default: 'development'
        type: choice
        options:
          - development
          - alpha
          - beta
          - rc
          - stable
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
 permissions:
  contents: write
 jobs:
  update-xml:
    name: Update Server
    runs-on: release
    if: >-
      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0
      - name: Setup moko-platform tools
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
        run: |
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
          # Always fetch latest CLI tools — never use stale cache from previous runs
          rm -rf /tmp/moko-platform
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
            /tmp/moko-platform 2>/dev/null || true
          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
          fi
          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
      - name: Detect platform
        id: platform
        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
      - name: Resolve stability and bump version
        id: meta
        run: |
          BRANCH="${{ github.ref_name }}"
          # Configure git for bot pushes
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          # Auto-bump patch version
          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
          # Strip any existing suffix before applying stability
          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
          # Determine stability from branch or manual input
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            STABILITY="${{ inputs.stability }}"
          elif [[ "$BRANCH" == rc/* ]]; then
            STABILITY="rc"
          elif [[ "$BRANCH" == beta/* ]]; then
            STABILITY="beta"
          elif [[ "$BRANCH" == alpha/* ]]; then
            STABILITY="alpha"
          else
            STABILITY="development"
          fi
          # Version suffix per stability stream
          case "$STABILITY" in
            development) SUFFIX="-dev";  TAG="development" ;;
            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
            beta)        SUFFIX="-beta";  TAG="beta" ;;
            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
            *)           SUFFIX="";       TAG="stable" ;;
          esac
          # Propagate version with stability suffix to all manifest files
          php ${MOKO_CLI}/version_set_platform.php \
            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
          # Re-read version (now includes suffix from version_set_platform)
          if [ -n "$SUFFIX" ]; then
            VERSION="${VERSION}${SUFFIX}"
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
          # Commit version bump if changed
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
            git push
          }
      - name: Create release and upload package
        id: package
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          TAG="${{ steps.meta.outputs.tag }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Create or update Gitea release
          php ${MOKO_CLI}/release_create.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
          # Build package and upload
          php ${MOKO_CLI}/release_package.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true
      - name: Update updates.xml
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          SHA256="${{ steps.package.outputs.sha256_zip }}"
          if [ ! -f "updates.xml" ]; then
            echo "No updates.xml — skipping"
            exit 0
          fi
          SHA_FLAG=""
          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
          php ${MOKO_CLI}/updates_xml_build.php \
            --path . --version "${VERSION}" --stability "${STABILITY}" \
            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            ${SHA_FLAG}
          # Commit and push updates.xml
          git add updates.xml
          git diff --cached --quiet || {
            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
            git push
          }
      - name: Sync updates.xml to main
        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
            python3 -c "
          import base64, json, urllib.request, sys
          with open('updates.xml', 'rb') as f:
              content = base64.b64encode(f.read()).decode()
          payload = json.dumps({
              'content': content,
              'sha': '${FILE_SHA}',
              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
              'branch': 'main'
          }).encode()
          req = urllib.request.Request(
              '${API_BASE}/contents/updates.xml',
              data=payload, method='PUT',
              headers={
                  'Authorization': 'token ${GITEA_TOKEN}',
                  'Content-Type': 'application/json'
              })
          try:
              urllib.request.urlopen(req)
              print('updates.xml synced to main')
          except Exception as e:
              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
          "
          fi
      - name: SFTP deploy to dev server
        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
        env:
          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
        run: |
          # Permission check: admin or maintain role required
          ACTOR="${{ github.actor }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
          case "$PERMISSION" in
            admin|maintain|write) ;;
            *)
              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
              exit 0
              ;;
          esac
          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
          [ ! -d "$SOURCE_DIR" ] && exit 0
          PORT="${DEV_PORT:-22}"
          REMOTE="${DEV_PATH%/}"
          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
          if [ -n "$DEV_KEY" ]; then
            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
          else
            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
          fi
          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
          fi
          rm -f /tmp/deploy_key /tmp/sftp-config.json
          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
      - name: Summary
        if: always()
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          DISPLAY="${{ steps.meta.outputs.display_version }}"
          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
@@ -13,6 +13,23 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - `gitea_org_issue_statuses_list` -- list issue status definitions for an org
 - `gitea_org_issue_priorities_list` -- list issue priority definitions for an org
 - `gitea_org_issue_types_list` -- list issue type definitions for an org
 - `gitea_issue_set_status` -- set/clear status on an issue (convenience wrapper)
 - `gitea_issue_set_priority` -- set/clear priority on an issue (convenience wrapper)
 - `gitea_issue_create` now accepts `status_id`, `priority_id`, `type_id` params
 - `gitea_issue_update` now accepts `status_id`, `priority_id`, `type_id` params
 ### Changed
 - Migrated all workflow and template paths from `.github/` to `.mokogitea/`
 - Template source paths updated: `templates/gitea/` to `templates/mokogitea/`
 - HCL definition files removed -- Template repos are now the canonical source
 ### Added
 - `branch-cleanup.yml`: auto-delete merged feature branches after PR merge
 ### Changed
 - **Renamed** package from `@mokoconsulting/gitea-api-mcp` to `@mokoconsulting/mokogitea-api-mcp` to distinguish Moko's forked Gitea MCP from upstream
 - **Renamed** McpServer name and bin entry to `mokogitea-api-mcp`
@@ -1,189 +1,161 @@
-<!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# Contributing to Moko Consulting Projects
 SPDX-License-Identifier: GPL-3.0-or-later
 DEFGROUP: gitea-api-mcp.Documentation
 REPO: https://git.mokoconsulting.tech/MokoConsulting/gitea-api-mcp
 -->
-# Contributing to gitea-api-mcp
+Thank you for your interest in contributing. All Moko Consulting repositories follow this universal workflow and version policy.
-Thank you for your interest in contributing to gitea-api-mcp. This document provides guidelines and information for contributors.
+## Branching Workflow
 ## Table of Contents
 - [Getting Started](#getting-started)
 - [Development Setup](#development-setup)
 - [Gitea API Explorer](#gitea-api-explorer)
 - [Code Style](#code-style)
 - [Commit Conventions](#commit-conventions)
 - [Branch Protection Rules](#branch-protection-rules)
 - [Pull Request Process](#pull-request-process)
 - [Adding a New Tool](#adding-a-new-tool)
 ## Getting Started
 1. Fork the repository on Gitea: https://git.mokoconsulting.tech/MokoConsulting/gitea-api-mcp
 2. Clone your fork locally
 3. Create a feature branch from `main`
 4. Make your changes
 5. Submit a pull request
 ## Development Setup
 ```bash
 git clone https://git.mokoconsulting.tech/YourUsername/gitea-api-mcp.git
 cd gitea-api-mcp
 npm install
 npm run build
 ```
 For live recompilation during development:
 ```bash
 npm run dev
 ```
 Ensure you have a valid `~/.gitea-api-mcp.json` config file pointing to a test Gitea instance before testing.
 ## Gitea API Explorer
 When adding or modifying tools, refer to your Gitea instance's built-in API explorer:
 ```
-https://your-gitea-instance/api/swagger
+feature/* ──PR──> dev ──draft PR──> (renamed to rc) ──merge──> main
 ```
-For the Moko Consulting instance:
+### Step by step
 1. **Create a feature branch** from `dev`:
   ```bash
   git checkout dev && git pull
   git checkout -b feature/my-change
   ```
 2. **Work and commit** on your feature branch. Push to origin.
 3. **Open a PR**: `feature/my-change` → `dev`. After review and checks, merge it.
 4. **When ready for release**, open a **draft PR**: `dev` → `main`.
   - This automatically renames the source branch to `rc` (release candidate)
   - An RC pre-release is built and uploaded
 5. **Alpha and beta branches** are created by manually renaming the branch before the RC stage:
   - Rename `dev` to `alpha` for early testing → alpha pre-release is built
   - Rename `alpha` to `beta` for feature-complete testing → beta pre-release is built
   - When the draft PR is created, the branch is renamed to `rc`
 6. **Once PR checks pass** on the `rc` branch, mark the PR as ready and merge to `main`.
 7. **Merging to main** triggers the stable release pipeline:
   - Minor version bump (e.g., `02.09.xx` → `02.10.00`)
   - Stability suffix stripped (clean version)
   - Gitea release created with ZIP/tar.gz packages
   - `updates.xml` updated (Joomla extensions)
   - `dev` branch recreated from `main`
 ### Branch summary
 | Branch | Purpose | Created by |
 |--------|---------|-----------|
 | `feature/*` | New features and fixes | Developer |
 | `dev` | Integration branch | Auto-recreated after release |
 | `alpha` | Alpha pre-release testing | Manual rename from `dev` |
 | `beta` | Beta pre-release testing | Manual rename from `alpha` |
 | `rc` | Release candidate | Auto-renamed on draft PR to main |
 | `main` | Stable releases | Protected, merge only |
 | `version/XX.YY.ZZ` | Archived release snapshots | Auto-created by CI |
 ### Protected branches
 | Branch | Direct push | Merge via |
 |--------|------------|-----------|
 | `main` | Blocked (CI bot whitelisted) | PR merge only |
 | `dev` | Blocked (CI bot whitelisted) | PR merge from feature/* |
 | `rc` | Blocked (CI bot whitelisted) | Auto-created on draft PR |
 | `alpha` | Blocked (CI bot whitelisted) | Manual rename |
 | `beta` | Blocked (CI bot whitelisted) | Manual rename |
 | `feature/*` | Open | N/A (source branch) |
 ## Version Policy
 ### Format
 All versions use `XX.YY.ZZ` — three two-digit segments, zero-padded:
 - **XX** — Major version (breaking changes)
 - **YY** — Minor version (new features, bumped on release to main)
 - **ZZ** — Patch version (auto-incremented on every push to dev/feature branches)
 Rollover: patch `99` → `00` increments minor; minor `99` → `00` increments major.
 ### Stability suffixes
 Each branch appends a suffix to indicate stability:
 | Branch | Suffix | Example |
 |--------|--------|---------|
 | `main` | (none) | `02.09.00` |
 | `dev` | `-dev` | `02.09.01-dev` |
 | `feature/*` | `-dev` | `02.09.01-dev` |
 | `alpha` | `-alpha` | `02.09.01-alpha` |
 | `beta` | `-beta` | `02.09.01-beta` |
 | `rc` | `-rc` | `02.09.01-rc` |
 ### Auto version bump
 On every push to `dev`, `feature/*`, or `patch/*`:
 1. Patch version incremented
 2. Stability suffix `-dev` applied
 3. All version-bearing files updated (manifests, CHANGELOG, PHP headers, etc.)
 4. Commit created with `[skip ci]` to avoid loops
 ### Release version flow
 Version bumps happen at specific release events:
 | Event | Bump | Example |
 |-------|------|---------|
 | Feature merged to dev | Patch bump after dev release | `02.09.01-dev` → release → `02.09.02-dev` |
 | Dev promoted to RC | Minor bump | `02.09.02-dev` → `02.10.00-rc` |
 | RC merged to main | Minor bump | `02.10.00-rc` → `02.11.00` (stable) |
 | Dev recreated from main | Patch bump | `02.11.00` → `02.11.01-dev` |
 ### Release stream copies
 When a higher-stability release is published, copies are created for all lesser streams with the same base version:
 - **RC `02.10.00-rc`** also creates: `02.10.00-dev`, `02.10.00-alpha`, `02.10.00-beta`
 - **Stable `02.11.00`** also creates: `02.11.00-dev`, `02.11.00-alpha`, `02.11.00-beta`, `02.11.00-rc`
 This ensures Joomla sites on ANY stability channel see the update (Joomla only shows versions higher than what's installed).
 ### Version files
 The version tools update all files containing version stamps:
 - `.mokogitea/manifest.xml` (canonical source)
 - Joomla XML manifests (`<version>` tag)
 - `README.md`, `CHANGELOG.md` (`VERSION:` pattern)
 - `package.json`, `pyproject.toml`
 - Any text file with a `VERSION: XX.YY.ZZ` label
 Files synced from other repos (with a `# REPO:` header) are not touched.
 ## Code Standards
 - **PHP**: PSR-12, tabs for indentation
 - **Copyright**: all files must include the Moko Consulting copyright header
 - **License**: SPDX identifier `GPL-3.0-or-later` (or as specified per repo)
 - **Attribution**: use `Authored-by: Moko Consulting` in commits, not individual names
 ## Commit Messages
 Use conventional commit format:
 ```
-https://git.mokoconsulting.tech/api/swagger
+type(scope): short description
 Optional body with context.
 Authored-by: Moko Consulting
 ```
-The Swagger UI provides:
+Types: `feat`, `fix`, `chore`, `docs`, `style`, `refactor`, `test`, `ci`
 - Full endpoint documentation with request/response schemas
 - Interactive API testing ("Try it out" button)
 - Authentication configuration for testing
 - Parameter type and validation details
-## Code Style
+Special flags in commit messages:
 - `[skip ci]` — skip all CI workflows
 - `[skip bump]` — skip auto version bump only
- Use TypeScript strict mode
+## Reporting Issues
 - Follow the existing patterns in `src/index.ts` for tool registration
 - Use the `OwnerRepo`, `PaginationParams`, and `ConnectionParam` shared parameter objects
 - Format responses through `formatResponse()`
 - Include mokostandards file headers on all new source files
-### File Header Template
+Use the repository's issue tracker with the appropriate template.
-```typescript
+---
 /* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 *
 * This file is part of a Moko Consulting project.
 *
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
 * DEFGROUP: gitea-api-mcp.<GroupName>
 * INGROUP: gitea-api-mcp
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/gitea-api-mcp
 * PATH: /src/<filename>.ts
 * VERSION: 01.00.00
 * BRIEF: <One-line description>
 */
 ```
-## Commit Conventions
+*Moko Consulting <hello@mokoconsulting.tech>*
 This project uses [Conventional Commits](https://www.conventionalcommits.org/):
 ```
 <type>(<scope>): <description>
 [optional body]
 [optional footer(s)]
 ```
 ### Types
 | Type | Description |
 |------|-------------|
 | `feat` | New feature (new tool, new parameter) |
 | `fix` | Bug fix |
 | `docs` | Documentation only |
 | `refactor` | Code change that neither fixes a bug nor adds a feature |
 | `chore` | Build process, dependency updates |
 | `test` | Adding or updating tests |
 ### Scope
 Use the tool category as scope when applicable:
 ```
 feat(issues): add gitea_issue_lock tool
 fix(client): handle 204 No Content responses
 docs(readme): update tool count
 ```
 ## Branch Protection Rules
 The `main` branch has the following protections:
 - Direct pushes to `main` are not allowed
 - All changes must come through pull requests
 - At least one approval is required before merging
 - Status checks must pass before merging
 - Force pushes are disabled
 ### Branch Naming
 ```
 feat/short-description
 fix/issue-number-description
 docs/what-changed
 refactor/what-changed
 ```
 ## Pull Request Process
 1. Ensure your branch is up to date with `main`
 2. Update documentation if you added or changed tools
 3. Update `CHANGELOG.md` under an `[Unreleased]` section
 4. Fill out the PR template with a clear description
 5. Request review from a maintainer
 6. Address any review feedback
 7. Squash-merge will be used for final integration
 ## Adding a New Tool
 1. Identify the Gitea API endpoint in the Swagger explorer
 2. Add the tool registration in `src/index.ts` under the appropriate category section
 3. Follow the existing parameter patterns:
   - Use `OwnerRepo` for tools that operate on a specific repository
   - Use `PaginationParams` for list endpoints
   - Always include `ConnectionParam` for multi-connection support
 4. Use `z.string().describe('...')` for all parameters with clear descriptions
 5. Route through `formatResponse()` for consistent output
 6. Update the tool tables in `README.md` and `docs/API.md`
 7. Add the tool to `CHANGELOG.md`
 ### Example
 ```typescript
 server.tool(
  'gitea_example_action',
  'Description of what this tool does',
  {
    ...OwnerRepo,
    some_param: z.string().describe('What this parameter controls'),
    ...PaginationParams,
    ...ConnectionParam,
  },
  async ({ owner, repo, some_param, page, limit, connection }) => {
    const params: Record<string, string> = { ...pageQuery({ page, limit }) };
    if (some_param) params['some_param'] = some_param;
    return formatResponse(
      await clientFor(connection).get(`/repos/${owner}/${repo}/example`, params),
    );
  },
 );
 ```
@@ -0,0 +1,237 @@
 #!/usr/bin/env bash
 # ============================================================================
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Automation.CI
 # INGROUP: moko-platform.Automation
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /automation/ci-issue-reporter.sh
 # VERSION: 09.23.00
 # BRIEF: Creates or updates a Gitea issue when a CI gate fails.
 #        Deduplicates by searching open issues with the "ci-auto" label
 #        whose title matches the gate. If a matching issue exists, a comment
 #        is appended instead of opening a duplicate.
 # ============================================================================
 set -euo pipefail
 # ── Defaults ────────────────────────────────────────────────────────────────
 GITEA_URL="${GITEA_URL:-https://git.mokoconsulting.tech}"
 GITEA_TOKEN="${GITEA_TOKEN:-}"
 REPO="${GITHUB_REPOSITORY:-}"
 RUN_URL="${GITHUB_SERVER_URL:-${GITEA_URL}}/${REPO}/actions/runs/${GITHUB_RUN_ID:-0}"
 LABEL_NAME="ci-auto"
 LABEL_COLOR="#e11d48"
 GATE=""
 DETAILS=""
 SEVERITY="error"
 WORKFLOW=""
 # ── Parse arguments ─────────────────────────────────────────────────────────
 usage() {
  cat <<EOF
 Usage: ci-issue-reporter.sh --gate NAME --details TEXT [OPTIONS]
 Required:
  --gate      CI gate name (e.g. "Code Quality", "Self-Health")
  --details   Human-readable failure description
 Optional:
  --severity  "error" (default) or "warning"
  --workflow  Workflow name for the issue title
  --repo      owner/repo (default: \$GITHUB_REPOSITORY)
  --run-url   URL to the CI run (auto-detected from env)
  --token     Gitea API token (default: \$GITEA_TOKEN)
  --url       Gitea base URL (default: \$GITEA_URL)
 EOF
  exit 1
 }
 while [[ $# -gt 0 ]]; do
  case "$1" in
    --gate)     GATE="$2";       shift 2 ;;
    --details)  DETAILS="$2";    shift 2 ;;
    --severity) SEVERITY="$2";   shift 2 ;;
    --workflow) WORKFLOW="$2";   shift 2 ;;
    --repo)     REPO="$2";      shift 2 ;;
    --run-url)  RUN_URL="$2";   shift 2 ;;
    --token)    GITEA_TOKEN="$2"; shift 2 ;;
    --url)      GITEA_URL="$2"; shift 2 ;;
    -h|--help)  usage ;;
    *)          echo "Unknown option: $1"; usage ;;
  esac
 done
 [[ -z "$GATE" ]]         && { echo "ERROR: --gate is required"; usage; }
 [[ -z "$DETAILS" ]]      && { echo "ERROR: --details is required"; usage; }
 [[ -z "$GITEA_TOKEN" ]]  && { echo "ERROR: GITEA_TOKEN not set"; exit 1; }
 [[ -z "$REPO" ]]         && { echo "ERROR: GITHUB_REPOSITORY not set"; exit 1; }
 API="${GITEA_URL}/api/v1/repos/${REPO}"
 # ── Build title ─────────────────────────────────────────────────────────────
 if [[ -n "$WORKFLOW" ]]; then
  TITLE="[CI] ${WORKFLOW}: ${GATE} failed"
 else
  TITLE="[CI] ${GATE} failed"
 fi
 # ── Ensure label exists ─────────────────────────────────────────────────────
 ensure_label() {
  local exists
  exists=$(curl -sf -o /dev/null -w '%{http_code}' \
    -H "Authorization: token ${GITEA_TOKEN}" \
    "${API}/labels" 2>/dev/null || echo "000")
  if [[ "$exists" == "200" ]]; then
    # Check if label already exists
    local found
    found=$(curl -sf \
      -H "Authorization: token ${GITEA_TOKEN}" \
      "${API}/labels" 2>/dev/null \
      | grep -o "\"name\":\"${LABEL_NAME}\"" || true)
    if [[ -z "$found" ]]; then
      curl -sf -X POST \
        -H "Authorization: token ${GITEA_TOKEN}" \
        -H "Content-Type: application/json" \
        "${API}/labels" \
        -d "{\"name\":\"${LABEL_NAME}\",\"color\":\"${LABEL_COLOR}\",\"description\":\"Auto-created by CI issue reporter\"}" \
        > /dev/null 2>&1 || true
    fi
  fi
 }
 # ── Search for existing open issue ──────────────────────────────────────────
 find_existing_issue() {
  # URL-encode the gate name for the query
  local query
  query=$(printf '%s' "[CI] ${GATE}" | sed 's/ /%20/g; s/\[/%5B/g; s/\]/%5D/g')
  local response
  response=$(curl -sf \
    -H "Authorization: token ${GITEA_TOKEN}" \
    "${API}/issues?type=issues&state=open&labels=${LABEL_NAME}&q=${query}&limit=5" \
    2>/dev/null || echo "[]")
  # Extract the first matching issue number
  echo "$response" \
    | grep -oP '"number":\s*\K[0-9]+' \
    | head -1
 }
 # ── Build issue body ────────────────────────────────────────────────────────
 build_body() {
  local severity_badge
  if [[ "$SEVERITY" == "error" ]]; then
    severity_badge="**Severity:** Error"
  else
    severity_badge="**Severity:** Warning"
  fi
  cat <<BODY
 ## CI Gate Failure: ${GATE}
 ${severity_badge}
 **Workflow:** ${WORKFLOW:-unknown}
 **Branch:** ${GITHUB_REF_NAME:-unknown}
 **Commit:** \`${GITHUB_SHA:0:8}\`
 **Run:** [View CI run](${RUN_URL})
 ### Details
 ${DETAILS}
 ### Resolution
 Fix the issue described above and push a new commit. This issue will be closed automatically when the gate passes, or can be closed manually.
 ---
 *Auto-created by [ci-issue-reporter](${GITEA_URL}/${REPO}/src/branch/main/automation/ci-issue-reporter.sh)*
 BODY
 }
 # ── Build comment body (for existing issues) ────────────────────────────────
 build_comment() {
  cat <<COMMENT
 ### CI failure recurrence
 **Branch:** ${GITHUB_REF_NAME:-unknown}
 **Commit:** \`${GITHUB_SHA:0:8}\`
 **Run:** [View CI run](${RUN_URL})
 ${DETAILS}
 COMMENT
 }
 # ── Main ────────────────────────────────────────────────────────────────────
 ensure_label
 EXISTING=$(find_existing_issue)
 if [[ -n "$EXISTING" ]]; then
  # Append comment to existing issue
  COMMENT_BODY=$(build_comment)
  COMMENT_JSON=$(printf '%s' "$COMMENT_BODY" | python3 -c "
 import sys, json
 print(json.dumps({'body': sys.stdin.read()}))" 2>/dev/null)
  HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
    -H "Authorization: token ${GITEA_TOKEN}" \
    -H "Content-Type: application/json" \
    "${API}/issues/${EXISTING}/comments" \
    -d "${COMMENT_JSON}" 2>/dev/null || echo "000")
  if [[ "$HTTP" == "201" ]]; then
    echo "Commented on existing issue #${EXISTING}"
  else
    echo "WARNING: Failed to comment on issue #${EXISTING} (HTTP ${HTTP})"
  fi
 else
  # Create new issue
  ISSUE_BODY=$(build_body)
  ISSUE_JSON=$(python3 -c "
 import sys, json
 body = sys.stdin.read()
 print(json.dumps({
    'title': sys.argv[1],
    'body': body,
    'labels': []
 }))" "$TITLE" <<< "$ISSUE_BODY" 2>/dev/null)
  # Create the issue
  RESPONSE=$(curl -sf -X POST \
    -H "Authorization: token ${GITEA_TOKEN}" \
    -H "Content-Type: application/json" \
    "${API}/issues" \
    -d "${ISSUE_JSON}" 2>/dev/null || echo "{}")
  ISSUE_NUM=$(echo "$RESPONSE" | grep -oP '"number":\s*\K[0-9]+' | head -1)
  if [[ -n "$ISSUE_NUM" ]]; then
    # Apply label (separate call — more reliable across Gitea versions)
    LABEL_ID=$(curl -sf \
      -H "Authorization: token ${GITEA_TOKEN}" \
      "${API}/labels" 2>/dev/null \
      | grep -oP "\"id\":\s*\K[0-9]+(?=[^}]*\"name\":\s*\"${LABEL_NAME}\")" \
      | head -1 || true)
    if [[ -n "$LABEL_ID" ]]; then
      curl -sf -X POST \
        -H "Authorization: token ${GITEA_TOKEN}" \
        -H "Content-Type: application/json" \
        "${API}/issues/${ISSUE_NUM}/labels" \
        -d "{\"labels\":[${LABEL_ID}]}" \
        > /dev/null 2>&1 || true
    fi
    echo "Created issue #${ISSUE_NUM}: ${TITLE}"
  else
    echo "WARNING: Failed to create issue"
    echo "Response: ${RESPONSE}"
  fi
 fi
@@ -1,6 +1,6 @@
 {
 	"name": "@mokoconsulting/mcp-mokogitea-api",
-	"version": "1.0.0",
+	"version": "1.3.0",
 	"description": "MCP server for Gitea REST API v1 operations",
 	"type": "module",
 	"main": "dist/index.js",
@@ -51,8 +51,8 @@ export class GiteaClient {
 		return this.request(this.buildUrl(endpoint), 'PUT', body);
 	}
-	async delete(endpoint: string): Promise<ApiResponse> {
+	async delete(endpoint: string, body?: unknown): Promise<ApiResponse> {
-		return this.request(this.buildUrl(endpoint), 'DELETE');
+		return this.request(this.buildUrl(endpoint), 'DELETE', body);
 	}
 	private buildUrl(endpoint: string, params?: Record<string, string>): string {
@@ -309,8 +309,7 @@ server.tool(
 		const client = clientFor(connection);
 		const body: Record<string, unknown> = { sha, message };
 		if (branch) body.branch = branch;
-		// Gitea DELETE with body needs special handling
+		return formatResponse(await client.delete(`/repos/${owner}/${repo}/contents/${filepath}`, body));
 		return formatResponse(await client.post(`/repos/${owner}/${repo}/contents/${filepath}`, { ...body, _method: 'DELETE' }));
 	},
 );
@@ -436,24 +435,30 @@ server.tool(
 		...OwnerRepo,
 		title: z.string().describe('Issue title'),
 		body: z.string().optional().describe('Issue body (markdown)'),
-		labels: z.array(z.number()).optional().describe('Label IDs'),
+		labels: z.array(z.union([z.number(), z.string()])).optional().describe('Label IDs or names (use gitea_labels_list to discover available labels)'),
 		milestone: z.number().optional().describe('Milestone ID'),
 		assignees: z.array(z.string()).optional().describe('Usernames to assign'),
 		status_id: z.number().optional().describe('Issue status definition ID (use gitea_org_issue_statuses_list to discover)'),
 		priority_id: z.number().optional().describe('Issue priority definition ID (use gitea_org_issue_priorities_list to discover)'),
 		type_id: z.number().optional().describe('Issue type definition ID (use gitea_org_issue_types_list to discover)'),
 		...ConnectionParam,
 	},
-	async ({ owner, repo, title, body: issueBody, labels, milestone, assignees, connection }) => {
+	async ({ owner, repo, title, body: issueBody, labels, milestone, assignees, status_id, priority_id, type_id, connection }) => {
 		const body: Record<string, unknown> = { title };
 		if (issueBody) body.body = issueBody;
 		if (labels) body.labels = labels;
 		if (milestone) body.milestone = milestone;
 		if (assignees) body.assignees = assignees;
 		if (status_id !== undefined) body.status_id = status_id;
 		if (priority_id !== undefined) body.priority_id = priority_id;
 		if (type_id !== undefined) body.type_id = type_id;
 		return formatResponse(await clientFor(connection).post(`/repos/${owner}/${repo}/issues`, body));
 	},
 );
 server.tool(
 	'gitea_issue_update',
-	'Update an issue',
+	'Update an issue (supports title, body, state, assignees, milestone, and org-level metadata)',
 	{
 		...OwnerRepo,
 		number: z.number().describe('Issue number'),
@@ -462,19 +467,53 @@ server.tool(
 		state: z.enum(['open', 'closed']).optional().describe('State'),
 		assignees: z.array(z.string()).optional().describe('Assignees'),
 		milestone: z.number().optional().describe('Milestone ID'),
 		status_id: z.number().optional().describe('Issue status definition ID (use gitea_org_issue_statuses_list to discover; 0 to clear)'),
 		priority_id: z.number().optional().describe('Issue priority definition ID (use gitea_org_issue_priorities_list to discover; 0 to clear)'),
 		type_id: z.number().optional().describe('Issue type definition ID (use gitea_org_issue_types_list to discover; 0 to clear)'),
 		...ConnectionParam,
 	},
-	async ({ owner, repo, number, title, body: issueBody, state, assignees, milestone, connection }) => {
+	async ({ owner, repo, number, title, body: issueBody, state, assignees, milestone, status_id, priority_id, type_id, connection }) => {
 		const body: Record<string, unknown> = {};
 		if (title !== undefined) body.title = title;
 		if (issueBody !== undefined) body.body = issueBody;
 		if (state) body.state = state;
 		if (assignees) body.assignees = assignees;
 		if (milestone !== undefined) body.milestone = milestone;
 		if (status_id !== undefined) body.status_id = status_id;
 		if (priority_id !== undefined) body.priority_id = priority_id;
 		if (type_id !== undefined) body.type_id = type_id;
 		return formatResponse(await clientFor(connection).patch(`/repos/${owner}/${repo}/issues/${number}`, body));
 	},
 );
 server.tool(
 	'gitea_issue_set_status',
 	'Set or clear the status on an issue (convenience wrapper around issue update)',
 	{
 		...OwnerRepo,
 		number: z.number().describe('Issue number'),
 		status_id: z.number().describe('Status definition ID (0 to clear)'),
 		...ConnectionParam,
 	},
 	async ({ owner, repo, number, status_id, connection }) => {
 		return formatResponse(await clientFor(connection).patch(`/repos/${owner}/${repo}/issues/${number}`, { status_id }));
 	},
 );
 server.tool(
 	'gitea_issue_set_priority',
 	'Set or clear the priority on an issue (convenience wrapper around issue update)',
 	{
 		...OwnerRepo,
 		number: z.number().describe('Issue number'),
 		priority_id: z.number().describe('Priority definition ID (0 to clear)'),
 		...ConnectionParam,
 	},
 	async ({ owner, repo, number, priority_id, connection }) => {
 		return formatResponse(await clientFor(connection).patch(`/repos/${owner}/${repo}/issues/${number}`, { priority_id }));
 	},
 );
 server.tool(
 	'gitea_issue_comments_list',
 	'List comments on an issue',
@@ -502,7 +541,7 @@ server.tool(
 	{
 		q: z.string().describe('Search query'),
 		state: z.enum(['open', 'closed', 'all']).optional().describe('State filter'),
-		labels: z.string().optional().describe('Comma-separated label IDs'),
+		labels: z.string().optional().describe('Comma-separated label IDs or names'),
 		type: z.enum(['issues', 'pulls']).optional().describe('Filter type'),
 		...PaginationParams,
 		...ConnectionParam,
@@ -520,7 +559,7 @@ server.tool(
 server.tool(
 	'gitea_labels_list',
-	'List labels in a repository',
+	'List all labels in a repository (includes id, name, color, description — use to discover available type/priority/status labels)',
 	{ ...OwnerRepo, ...PaginationParams, ...ConnectionParam },
 	async ({ owner, repo, page, limit, connection }) => formatResponse(await clientFor(connection).get(`/repos/${owner}/${repo}/labels`, pageQuery({ page, limit }))),
 );
@@ -618,7 +657,7 @@ server.tool(
 		head: z.string().describe('Source branch'),
 		base: z.string().describe('Target branch'),
 		body: z.string().optional().describe('PR description (markdown)'),
-		labels: z.array(z.number()).optional().describe('Label IDs'),
+		labels: z.array(z.union([z.number(), z.string()])).optional().describe('Label IDs or names (use gitea_labels_list to discover available labels)'),
 		milestone: z.number().optional().describe('Milestone ID'),
 		assignees: z.array(z.string()).optional().describe('Assignees'),
 		...ConnectionParam,
@@ -930,6 +969,29 @@ server.tool(
 	async ({ org, page, limit, connection }) => formatResponse(await clientFor(connection).get(`/orgs/${org}/members`, pageQuery({ page, limit }))),
 );
 // ── Organization Issue Metadata ──────────────────────────────────────────
 server.tool(
 	'gitea_org_issue_statuses_list',
 	'List issue status definitions for an organization (id, name, color, closes_issue — use to discover valid status_id values)',
 	{ org: z.string().describe('Organization name'), ...ConnectionParam },
 	async ({ org, connection }) => formatResponse(await clientFor(connection).get(`/orgs/${org}/issue-statuses`)),
 );
 server.tool(
 	'gitea_org_issue_priorities_list',
 	'List issue priority definitions for an organization (id, name, color, is_default — use to discover valid priority_id values)',
 	{ org: z.string().describe('Organization name'), ...ConnectionParam },
 	async ({ org, connection }) => formatResponse(await clientFor(connection).get(`/orgs/${org}/issue-priorities`)),
 );
 server.tool(
 	'gitea_org_issue_types_list',
 	'List issue type definitions for an organization (id, name, color, is_default — use to discover valid type_id values)',
 	{ org: z.string().describe('Organization name'), ...ConnectionParam },
 	async ({ org, connection }) => formatResponse(await clientFor(connection).get(`/orgs/${org}/issue-types`)),
 );
 // ── Users ───────────────────────────────────────────────────────────────
 server.tool(
@@ -1179,7 +1241,7 @@ server.tool(
 server.tool(
 	'gitea_org_labels_list',
-	'List labels for an organization (shared across repos)',
+	'List labels for an organization (shared across repos — includes id, name, color, description for type/priority/status discovery)',
 	{
 		org: z.string().describe('Organization name'),
 		...PaginationParams,
@@ -1489,7 +1551,7 @@ server.tool(
 	{
 		...OwnerRepo,
 		number: z.number().describe('Issue/PR number'),
-		labels: z.array(z.number()).describe('Label IDs to set'),
+		labels: z.array(z.union([z.number(), z.string()])).describe('Label IDs or names to set (use gitea_labels_list to discover available labels)'),
 		...ConnectionParam,
 	},
 	async ({ owner, repo, number, labels, connection }) => formatResponse(await clientFor(connection).put(`/repos/${owner}/${repo}/issues/${number}/labels`, { labels })),
@@ -1561,7 +1623,7 @@ server.tool(
 			case 'POST': return formatResponse(await client.post(endpoint, body));
 			case 'PUT': return formatResponse(await client.put(endpoint, body));
 			case 'PATCH': return formatResponse(await client.patch(endpoint, body));
-			case 'DELETE': return formatResponse(await client.delete(endpoint));
+			case 'DELETE': return formatResponse(await client.delete(endpoint, body));
 		}
 	},
 );
@@ -1581,6 +1643,52 @@ server.tool(
 	},
 );
 // ── Metadata ────────────────────────────────────────────────────────────
 server.tool(
 	'gitea_metadata_get',
 	'Get repo metadata (project identity, governance, distribution, build settings)',
 	{
 		owner: z.string().describe('Repository owner'),
 		repo: z.string().describe('Repository name'),
 		...ConnectionParam,
 	},
 	async ({ owner, repo, connection }) => {
 		const c = clientFor(connection);
 		return formatResponse(await c.get(`/repos/${owner}/${repo}/metadata`));
 	},
 );
 server.tool(
 	'gitea_metadata_update',
 	'Update repo metadata settings (merges with existing — only provided fields are changed)',
 	{
 		owner: z.string().describe('Repository owner'),
 		repo: z.string().describe('Repository name'),
 		name: z.string().optional().describe('Project name'),
 		org: z.string().optional().describe('Organization'),
 		version: z.string().optional().describe('Version string (e.g. 06.00.00)'),
 		version_prefix: z.string().optional().describe('Tag prefix for version display (e.g. v1.26.1-moko.)'),
 		license_spdx: z.string().optional().describe('SPDX license identifier'),
 		platform: z.string().optional().describe('Platform (joomla, wordpress, dolibarr, go, mcp, platform, generic)'),
 		info_url: z.string().optional().describe('Extension info/product page URL'),
 		target_version: z.string().optional().describe('Target platform version regex (e.g. (5|6)\\.*)'),
 		php_minimum: z.string().optional().describe('Minimum PHP version (e.g. 8.1)'),
 		package_type: z.string().optional().describe('Extension type (component, module, plugin, package, template, library, file)'),
 		entry_point: z.string().optional().describe('Build entry point path'),
 		...ConnectionParam,
 	},
 	async ({ owner, repo, connection, ...fields }) => {
 		const c = clientFor(connection);
 		const current = await c.get(`/repos/${owner}/${repo}/metadata`);
 		const merged = { ...(current.data as Record<string, unknown>) };
 		for (const [k, v] of Object.entries(fields)) {
 			if (v !== undefined) merged[k] = v;
 		}
 		return formatResponse(await c.put(`/repos/${owner}/${repo}/metadata`, merged));
 	},
 );
 // ── Start Server ────────────────────────────────────────────────────────
 async function main(): Promise<void> {