chore: rename Setup step to moko-platform [skip ci]

feat(ci): deploy auto-release to dev [skip ci]
chore: force-sync .mokogitea/ISSUE_TEMPLATE/version.md [skip ci]
2026-05-16 22:19:23 +00:00 · 2026-05-16 18:58:36 +00:00 · 2026-05-12 19:16:24 +00:00 · 2026-05-12 19:16:24 +00:00 · 2026-05-12 19:16:23 +00:00 · 2026-05-12 19:16:23 +00:00
45 changed files with 7112 additions and 348 deletions
@@ -0,0 +1,59 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(cd:*)",
+      "mcp__joomla-api__joomla_plugins_list",
+      "mcp__gitea-moko__get_repository_tree",
+      "mcp__joomla-api__joomla_api_request",
+      "Bash(curl:*)",
+      "mcp__gitea-moko__search_repos",
+      "Bash(TOKEN=\"29367101e6edf28375e0a03cef30a7dfc7eb2186\"\ncurl -sS -H \"Authorization: token $TOKEN\" \"https://git.mokoconsulting.tech/api/v1/repos/MokoConsulting/MokoOnyx/contents/.gitea/workflows/release.yml?ref=main\" | head -200)",
+      "mcp__gitea-moko__list_releases",
+      "mcp__gitea-moko__delete_release",
+      "mcp__gitea-moko__get_latest_release",
+      "mcp__gitea-moko__actions_run_read",
+      "Read(//a/MokoStandards-API/.gitea/**)",
+      "Read(//a/MokoStandards-API/**)",
+      "Read(//a/MokoStandards-Template-Joomla-Template/.gitea/workflows/**)",
+      "Read(//a/MokoStandards-Template-Joomla-Module/.gitea/workflows/**)",
+      "Read(//a/MokoStandards-Template-Joomla-Component/.gitea/workflows/**)",
+      "Read(//a/MokoStandards-Template-Joomla-Package/.gitea/workflows/**)",
+      "Read(//a/MokoStandards-Template-Joomla-Library/.gitea/workflows/**)",
+      "Read(//a/MokoJGDPC/.gitea/workflows/**)",
+      "Read(//a/MokoCassiopeia/.gitea/workflows/**)",
+      "Read(//a/MokoJoomHero/.gitea/workflows/**)",
+      "Read(//a/MokoJoomTOS/.gitea/workflows/**)",
+      "Read(//a/MokoWaaS/.gitea/workflows/**)",
+      "Read(//a/MokoWaaSAnnounce/.gitea/workflows/**)",
+      "Bash(REPOS=\"MokoDPCalendarAPI MokoJGDPC MokoCassiopeia MokoJoomHero MokoJoomTOS MokoWaaS MokoWaaSAnnounce\"\n\nfor REPO in $REPOS; do\n  echo \"=== $REPO ===\"\n  cd \"A:/$REPO\"\n  git pull --rebase origin main 2>&1 | tail -1\n  rm -f .gitea/workflows/*.yml\n  cp A:/MokoOnyx/.gitea/workflows/*.yml .gitea/workflows/\n  git add .gitea/workflows/\n  if git diff --cached --quiet; then\n    echo \"  No changes\"\n  else\n    git commit -m \"feat: expand workflow suite \\(10 workflows from MokoOnyx\\)\n\nCo-Authored-By: Claude Opus 4.6 \\(1M context\\) <noreply@anthropic.com>\"\n    git push origin main 2>&1 | tail -1\n  fi\n  echo \"\"\ndone)",
+      "mcp__gitea-moko__actions_config_read",
+      "mcp__gitea-moko__actions_config_write",
+      "Bash(REPOS=\"MokoDPCalendarAPI MokoJGDPC MokoCassiopeia MokoJoomHero MokoJoomTOS MokoWaaS MokoWaaSAnnounce MokoStandards-Template-Joomla-Plugin MokoStandards-Template-Joomla-Template MokoStandards-Template-Joomla-Module MokoStandards-Template-Joomla-Component MokoStandards-Template-Joomla-Package MokoStandards-Template-Joomla-Library MokoStandards-API\"\n\nfor REPO in $REPOS; do\n  echo \"=== $REPO ===\"\n  cd \"A:/$REPO\"\n  git pull --rebase origin main 2>&1 | tail -1\n  cp A:/MokoOnyx/.gitea/workflows/pre-release.yml .gitea/workflows/pre-release.yml\n  git add .gitea/workflows/pre-release.yml\n  if git diff --cached --quiet; then\n    echo \"  No changes\"\n  else\n    git commit -m \"feat: add pre-release workflow for manual dev/alpha/beta/rc builds\n\nCo-Authored-By: Claude Opus 4.6 \\(1M context\\) <noreply@anthropic.com>\"\n    git push origin main 2>&1 | tail -1\n  fi\n  echo \"\"\ndone)",
+      "Bash(tail -1 rm .gitea/workflows/deploy.yml git add .gitea/workflows/deploy.yml git commit -m \"chore: remove auto-deploy workflow \\(deploy is manual only\\):*)",
+      "mcp__gitea-moko__pull_request_write",
+      "mcp__gitea-moko__actions_run_write",
+      "Bash(REPOS=\"MokoDPCalendarAPI MokoJGDPC MokoCassiopeia MokoJoomHero MokoJoomTOS MokoWaaS MokoWaaSAnnounce MokoStandards-Template-Joomla-Plugin MokoStandards-Template-Joomla-Template MokoStandards-Template-Joomla-Module MokoStandards-Template-Joomla-Component MokoStandards-Template-Joomla-Package MokoStandards-Template-Joomla-Library MokoStandards-API\" __NEW_LINE_0c05a93337c7dba4__ for REPO in $REPOS)",
+      "Bash(do cd:*)",
+      "Bash(then echo \"$REPO: no changes\" else git commit -m \"fix: add patch version bump to pre-release workflow:*)",
+      "Bash(for REPO in client-clarksvillefurs client-kiddieland)",
+      "Bash(do echo:*)",
+      "Read(//a/MokoStandards-Template-Client/.gitea/workflows/**)",
+      "Bash(then echo \"  No changes\" else git commit -m \"feat: add standard client workflow suite + media sync:*)",
+      "Bash(for:*)",
+      "mcp__gitea-moko__create_repo",
+      "Bash(REPOS=\"MokoDPCalendarAPI MokoJGDPC MokoCassiopeia MokoJoomHero MokoJoomTOS MokoWaaS MokoWaaSAnnounce MokoStandards-Template-Joomla\" __NEW_LINE_ef3af20e9774ebe9__ for REPO in $REPOS)",
+      "Bash(then echo \"$REPO: no changes\" else git commit -m \"fix: version bump logic — stable=minor, pre-release=patch:*)",
+      "Bash(then continue fi git commit -m \"fix: version bump logic — pre-release=patch with rollover:*)",
+      "Bash(REPOS=\"MokoDPCalendarAPI MokoJGDPC MokoCassiopeia MokoJoomHero MokoJoomTOS MokoWaaS MokoWaaSAnnounce MokoStandards-Template-Joomla\" __NEW_LINE_a82c045e0ae69651__ for REPO in $REPOS)",
+      "Bash(then continue:*)",
+      "Bash(fi git commit -m \"fix: stable release = major version bump \\(XX+1.00.00\\):*)",
+      "mcp__gitea-moko__get_release",
+      "Bash(ALL_REPOS=\"MokoDPCalendarAPI MokoJGDPC MokoCassiopeia MokoJoomHero MokoJoomTOS MokoWaaS MokoWaaSAnnounce MokoStandards-Template-Joomla\" __NEW_LINE_fbd28532f2d35636__ for REPO in $ALL_REPOS)",
+      "Bash(fi git commit -m \"fix: include element name in stable release title:*)"
+    ]
+  },
+  "enableAllProjectMcpServers": true,
+  "enabledMcpjsonServers": [
+    "joomla-api"
+  ]
+}
@@ -1,38 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
-  MokoStandards Repository Manifest
-  Auto-generated by MokoStandards bulk sync.
-  Manual edits to <governance> and <last-synced> may be overwritten.
-  See: docs/standards/mokostandards-file-spec.md
-->
-<mokostandards xmlns="https://standards.mokoconsulting.tech/mokostandards/1.0" schema-version="1.0">
-  <identity>
-    <name>MokoDPCalendarAPI</name>
-    <org>MokoConsulting</org>
-    <description>Joomla Web Services plugin exposing DPCalendar events, calendars, and locations via REST API</description>
-    <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
-  </identity>
-  <governance>
-    <platform>waas-component</platform>
-    <standards-version>04.07.00</standards-version>
-    <standards-source>https://git.mokoconsulting.tech/MokoConsulting/MokoStandards</standards-source>
-    <last-synced>2026-05-02T23:06:16+00:00</last-synced>
-  </governance>
-  <build>
-    <language>PHP</language>
-    <package-type>joomla-extension</package-type>
-    <entry-point>src/mokodpcalendarapi.xml</entry-point>
-  </build>
-  <scripts>
-    <script name="package" phase="build">
-      <command>make package</command>
-      <description>Package via make</description>
-      <runner>make</runner>
-    </script>
-    <script name="clean" phase="build">
-      <command>make clean</command>
-      <description>Clean via make</description>
-      <runner>make</runner>
-    </script>
-  </scripts>
-</mokostandards>
@@ -6,35 +6,24 @@
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.Release
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/joomla/auto-release.yml.template
-# VERSION: 04.06.00
-# BRIEF: Joomla build & release — ZIP package, updates.xml, SHA-256 checksum
+# PATH: /templates/workflows/universal/auto-release.yml.template
+# VERSION: 05.00.00
+# BRIEF: Universal build & release � detects platform from manifest.xml
 #
 # +========================================================================+
-# |                    BUILD & RELEASE PIPELINE (JOOMLA)                   |
+# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
 # +========================================================================+
 # |                                                                        |
-# |  Triggers on push to main (skips bot commits + [skip ci]):             |
+# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
 # |                                                                        |
-# |  Every push:                                                           |
-# |    1. Read version from README.md                                      |
-# |    3. Set platform version (Joomla <version>)                          |
-# |    4. Update [VERSION: XX.YY.ZZ] badges in markdown files              |
-# |    5. Write updates.xml (Joomla update server XML)                      |
-# |    6. Create git tag vXX.YY.ZZ                                        |
-# |    7a. Patch: update existing Gitea Release for this minor             |
-# |    8. Build ZIP, upload asset, write SHA-256 to updates.xml             |
-# |                                                                        |
-# |  Every version change: archives main -> version/XX.YY branch           |
-# |  All patches release (including 00). Patch 00/01 = full pipeline.      |
-# |  First release only (patch == 01):                                     |
-# |    7b. Create new Gitea Release                                        |
-# |                                                                        |
-# |  GitHub mirror: stable/rc releases only (continue-on-error)            |
+# |  Platform-specific:                                                    |
+# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
+# |    generic:  README-only, no update stream                             |
 # |                                                                        |
 # +========================================================================+

-name: Build & Release
+name: "Universal: Build & Release"

 on:
  pull_request:
@@ -69,7 +58,7 @@ jobs:
          token: ${{ secrets.GA_TOKEN }}
          fetch-depth: 0

-      - name: Setup MokoStandards tools
+      - name: Setup moko-platform
        env:
          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
@@ -81,15 +70,74 @@ jobs:
          fi
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api
-          cd /tmp/mokostandards-api
-          composer install --no-dev --no-interaction --quiet
+            /tmp/mokostandards-api 2>/dev/null || true
+          if [ -d /tmp/mokostandards-api ]; then
+            cd /tmp/mokostandards-api
+            composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+          echo "MokoStandards tools: $([ -d /tmp/mokostandards-api ] && echo 'available' || echo 'unavailable (using fallback)')"
+
+
+      # -- PLATFORM DETECTION ---------------------------------------------------
+      - name: Detect platform
+        id: platform
+        run: |
+          # 1. Try explicit platform from manifest (.mokogitea takes precedence)
+          if [ -f ".mokogitea/manifest.xml" ]; then
+            PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
+          elif [ -f ".gitea/manifest.xml" ]; then
+            PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .gitea/manifest.xml 2>/dev/null | head -1)
+          fi
+
+          # 2. Auto-sense from file structure if no manifest
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          CB_MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<cbplugin' {} \; 2>/dev/null | head -1)
+          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
+
+          if [ -z "$PLATFORM" ]; then
+            if [ -n "$CB_MANIFEST" ]; then
+              PLATFORM="joomla"
+              MANIFEST="$CB_MANIFEST"
+            elif [ -n "$MANIFEST" ]; then
+              PLATFORM="joomla"
+            elif [ -n "$MOD_FILE" ]; then
+              PLATFORM="dolibarr"
+            else
+              PLATFORM="generic"
+            fi
+          fi
+
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+          echo "Platform detected: ${PLATFORM}"
+          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
+          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
+
+          # Detect update file methodology
+          if [ "$PLATFORM" = "joomla" ]; then
+            echo "update_method=updates.xml" >> "$GITHUB_OUTPUT"
+            echo "Update method: Joomla updates.xml"
+          elif [ "$PLATFORM" = "dolibarr" ]; then
+            echo "update_method=update.txt" >> "$GITHUB_OUTPUT"
+            echo "Update method: Dolibarr update.txt"
+          else
+            echo "update_method=none" >> "$GITHUB_OUTPUT"
+            echo "Update method: none (generic)"
+          fi

      # -- STEP 1: Read version -----------------------------------------------
      - name: "Step 1: Read version from README.md"
        id: version
        run: |
-          VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null)
+          # Try MokoStandards PHP tool first, fall back to direct parsing
+          VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null || true)
+          if [ -z "$VERSION" ]; then
+            # Fallback: read from README table format "| **Version** | XX.YY.ZZ |"
+            VERSION=$(sed -n 's/.*\*\*Version\*\*[[:space:]]*|[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
+          fi
+          if [ -z "$VERSION" ]; then
+            # Fallback: read VERSION: XX.YY.ZZ pattern from any file
+            VERSION=$(grep -rh "VERSION:[[:space:]]*[0-9]" README.md CHANGELOG.md 2>/dev/null | sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' | head -1)
+          fi
          if [ -z "$VERSION" ]; then
            echo "No VERSION in README.md — skipping release"
            echo "skip=true" >> "$GITHUB_OUTPUT"
@@ -117,48 +165,36 @@ jobs:
            echo "Version: $VERSION (patch — platform version + badges only)"
          fi

-      # -- STEP 1b: Bump major version (stable = major bump, reset minor+patch) -
-      - name: "Step 1b: Bump major version for stable release"
+      # -- STEP 1b: Promote CHANGELOG [Unreleased] to current version -----------
+      - name: "Step 1b: Promote CHANGELOG for release"
        if: steps.version.outputs.skip != 'true'
        id: bump
        run: |
-          CURRENT=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
-          [ -z "$CURRENT" ] && { echo "skip=true" >> "$GITHUB_OUTPUT"; exit 0; }
-
-          MAJOR=$((10#$(echo "$CURRENT" | cut -d. -f1)))
-
-          # Major bump, reset minor and patch
-          MAJOR=$((MAJOR + 1))
-
-          VERSION=$(printf "%02d.00.00" $MAJOR)
+          VERSION="${{ steps.version.outputs.version }}"
          TODAY=$(date +%Y-%m-%d)

-          echo "Stable bump: ${CURRENT} → ${VERSION} (major)"
-
-          # Update README.md
-          sed -i "s/VERSION:[[:space:]]*${CURRENT}/VERSION: ${VERSION}/" README.md
-
-          # Update manifest
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -n "$MANIFEST" ]; then
-            MANIFEST_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
-            [ -n "$MANIFEST_VER" ] && sed -i "s|<version>${MANIFEST_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
-            sed -i "s|<creationDate>[^<]*</creationDate>|<creationDate>${TODAY}</creationDate>|" "$MANIFEST"
+          # Promote [Unreleased] section in CHANGELOG.md to release version
+          if [ -f "CHANGELOG.md" ] && grep -qi "Unreleased" CHANGELOG.md; then
+            sed -i "s|## \[Unreleased\]|## [${VERSION}] --- ${TODAY}|" CHANGELOG.md
+            sed -i "s|## Unreleased|## [${VERSION}] --- ${TODAY}|" CHANGELOG.md
+            sed -i "2i ## [Unreleased]" CHANGELOG.md
+            sed -i "3i \\ " CHANGELOG.md
+            echo "CHANGELOG promoted to [${VERSION}]"
          fi

-          # Commit and push
+          # Commit changelog promotion if changed
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git diff --cached --quiet || {
-            git commit -m "chore(version): bump ${CURRENT} → ${VERSION} (major) [skip ci]"
+            git commit -m "chore(release): promote CHANGELOG ${VERSION} [skip ci]"
            git push origin HEAD:main 2>&1
          }

-          # Override version output for rest of pipeline
+          # Pass through version (no bump — release uses version as-is from dev)
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "major=$(printf "%02d" $MAJOR)" >> "$GITHUB_OUTPUT"
+          echo "major=${{ steps.version.outputs.major }}" >> "$GITHUB_OUTPUT"

      - name: Check if already released
        if: steps.version.outputs.skip != 'true'
@@ -188,7 +224,10 @@ jobs:
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          ERRORS=0

-          echo "## Pre-Release Sanity Checks (Joomla)" >> $GITHUB_STEP_SUMMARY
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          MANIFEST="${{ steps.platform.outputs.manifest }}"
+          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
+          echo "## Pre-Release Sanity Checks (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY

          # -- Version drift check (must pass before release) --------
@@ -230,29 +269,41 @@ jobs:
            echo "- Source directory present" >> $GITHUB_STEP_SUMMARY
          fi

-          # -- Joomla: manifest version drift --------
-          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -n "$MANIFEST" ]; then
-            XML_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            if [ -n "$XML_VER" ] && [ "$XML_VER" != "$VERSION" ]; then
-              echo "- Manifest drift: \`${XML_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS+1))
-            else
-              echo "- Manifest version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            fi
-          fi
-
-          # -- Joomla: XML manifest existence --------
-          if [ -z "$MANIFEST" ]; then
-            echo "- No Joomla XML manifest found" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          else
-            echo "- Manifest: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
-
-            # -- Joomla: extension type check --------
-            TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null)
-            echo "- Extension type: ${TYPE:-unknown}" >> $GITHUB_STEP_SUMMARY
-          fi
+          # -- Platform-specific checks --------
+          case "$PLATFORM" in
+            joomla)
+              if [ -n "$MANIFEST" ]; then
+                XML_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+                if [ -n "$XML_VER" ] && [ "$XML_VER" != "$VERSION" ]; then
+                  echo "- Manifest drift: \`${XML_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS+1))
+                else
+                  echo "- Manifest version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                fi
+                TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null)
+                echo "- Extension type: ${TYPE:-unknown}" >> $GITHUB_STEP_SUMMARY
+              else
+                echo "- No Joomla XML manifest (WaaS site)" >> $GITHUB_STEP_SUMMARY
+              fi ;;
+            dolibarr)
+              if [ -n "$MOD_FILE" ]; then
+                MOD_VER=$(sed -n "s/.*\\\$this->version = '\([^']*\)'.*/\1/p" "$MOD_FILE" 2>/dev/null | head -1)
+                if [ -n "$MOD_VER" ] && [ "$MOD_VER" != "$VERSION" ]; then
+                  echo "- Module drift: \`${MOD_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS+1))
+                else
+                  echo "- Module version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                fi
+              else
+                echo "- No mod*.class.php found" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS+1))
+              fi
+              if [ ! -f "update.txt" ]; then
+                echo "- Missing update.txt" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS+1))
+              fi ;;
+            *) echo "- Generic platform � no manifest checks" >> $GITHUB_STEP_SUMMARY ;;
+          esac

          echo "" >> $GITHUB_STEP_SUMMARY
          if [ "$ERRORS" -gt 0 ]; then
@@ -288,8 +339,19 @@ jobs:
          steps.check.outputs.already_released != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/mokostandards-api/cli/version_set_platform.php \
-            --path . --version "$VERSION" --branch main
+          if [ -f /tmp/mokostandards-api/cli/version_set_platform.php ]; then
+            php /tmp/mokostandards-api/cli/version_set_platform.php \
+              --path . --version "$VERSION" --branch main
+          else
+            # Fallback: update version in templateDetails.xml directly
+            MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+            if [ -n "$MANIFEST" ]; then
+              sed -i "s|<version>[^<]*</version>|<version>${VERSION}</version>|" "$MANIFEST"
+              sed -i "s|<creationDate>[^<]*</creationDate>|<creationDate>$(date +%Y-%m-%d)</creationDate>|" "$MANIFEST"
+            fi
+            # Update README version table
+            sed -i "s/|\s*\*\*Version\*\*\s*|[^|]*/| **Version** | ${VERSION} /" README.md 2>/dev/null || true
+          fi

      # -- STEP 4: Update version badges ----------------------------------------
      - name: "Step 4: Update version badges"
@@ -305,7 +367,8 @@ jobs:
          done

      # -- STEP 5: Write updates.xml (Joomla update server) ---------------------
-      - name: "Step 5: Write updates.xml"
+      - name: "Step 5: Write update stream"
+        id: updates
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.check.outputs.already_released != 'true'
@@ -314,35 +377,76 @@ jobs:
          REPO="${{ github.repository }}"

          # -- Parse extension metadata from XML manifest ----------------
+          # Check for Joomla <extension> or Community Builder <cbplugin>
          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -z "$MANIFEST" ]; then
-            echo "Warning: No Joomla XML manifest found — skipping updates.xml" >> $GITHUB_STEP_SUMMARY
+          CB_MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<cbplugin' {} \; 2>/dev/null | head -1)
+          IS_CB="false"
+
+          if [ -z "$MANIFEST" ] && [ -z "$CB_MANIFEST" ]; then
+            echo "Warning: No Joomla/CB XML manifest found — skipping updates.xml" >> $GITHUB_STEP_SUMMARY
            exit 0
          fi

+          # CB plugin takes precedence if no standard manifest
+          if [ -z "$MANIFEST" ] && [ -n "$CB_MANIFEST" ]; then
+            MANIFEST="$CB_MANIFEST"
+            IS_CB="true"
+          fi
+
          # Extract fields using sed (portable — no grep -P)
          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          if [ "$IS_CB" = "true" ]; then
+            EXT_TYPE="cb_plugin"
+            EXT_ELEMENT=$(sed -n 's/.*<cbplugin[^>]*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+            EXT_CLIENT=""
+            EXT_FOLDER="cb"
+          else
+            EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
+            EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+            EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          fi
          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)

+          # If EXT_NAME is a language key (e.g. PLG_SYSTEM_MOKOJGDPC), resolve from .ini
+          if echo "$EXT_NAME" | grep -qE '^[A-Z_]+$'; then
+            INI_NAME=$(find . -name "*.sys.ini" -path "*/en-GB/*" -exec grep -h "^${EXT_NAME}=" {} \; 2>/dev/null | head -1 | cut -d'"' -f2)
+            [ -z "$INI_NAME" ] && INI_NAME=$(find . -name "*.sys.ini" -exec grep -h "^${EXT_NAME}=" {} \; 2>/dev/null | head -1 | cut -d'"' -f2)
+            [ -n "$INI_NAME" ] && EXT_NAME="$INI_NAME"
+          fi
+
          # Fallbacks
          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"

          # Derive element if not in manifest:
-          # 1. Try XML filename (e.g. mokowaas.xml → mokowaas)
-          # 2. Fall back to repo name (lowercased)
+          # 1. plugin="xxx" attribute (plugins)
+          # 2. module="xxx" attribute (modules)
+          # 3. XML filename (components, packages)
+          # 4. Repo name fallback (templates, anything else)
          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          fi
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(sed -n 's/.*module="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          fi
+          if [ -z "$EXT_ELEMENT" ]; then
+            FNAME=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
            # If filename is generic (templateDetails, manifest), use repo name
-            case "$EXT_ELEMENT" in
-              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
+            case "$FNAME" in
+              templatedetails|manifest) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
+              *) EXT_ELEMENT="$FNAME" ;;
            esac
          fi
+          # Final fallback
+          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+
+          # Save for Steps 7, 8, 8b
+          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
+          echo "ext_name=${EXT_NAME}" >> "$GITHUB_OUTPUT"
+          echo "ext_type=${EXT_TYPE}" >> "$GITHUB_OUTPUT"
+          echo "ext_folder=${EXT_FOLDER}" >> "$GITHUB_OUTPUT"

          # Build client tag: plugins and frontend modules need <client>site</client>
          CLIENT_TAG=""
@@ -369,7 +473,19 @@ jobs:
            PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
          fi

-          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/stable/${EXT_ELEMENT}-${VERSION}.zip"
+          # Build TYPE_PREFIX for download URL
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+            cb_plugin) TYPE_PREFIX="cb_" ;;
+          esac
+
+          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/stable/${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/stable"

          # -- Build update entry for a given stability tag
@@ -464,21 +580,33 @@ jobs:
          MAJOR="${{ steps.version.outputs.major }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

-          # Auto-detect extension element for release naming
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          EXT_ELEMENT=""
-          if [ -n "$MANIFEST" ]; then
-            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-            case "$EXT_ELEMENT" in templatedetails|manifest) EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;; esac
-          else
+          # Reuse metadata from Step 5 (single source of truth)
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          EXT_NAME="${{ steps.updates.outputs.ext_name }}"
+          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
+          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
+
+          # Fallbacks if Step 5 was skipped
+          if [ -z "$EXT_ELEMENT" ]; then
            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
          fi
+          [ -z "$EXT_NAME" ] && EXT_NAME="${GITEA_REPO}"

-          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null)
+          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"

-          RELEASE_NAME="${EXT_ELEMENT} ${VERSION} (stable)"
+          # Build release name: "Pretty Name VERSION (type_element-VERSION)"
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+            cb_plugin) TYPE_PREFIX="cb_" ;;
+          esac
+          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"

          # Delete existing release if present (overwrite, not append)
          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
@@ -506,7 +634,7 @@ jobs:
          echo "Release created: ${RELEASE_NAME}" >> $GITHUB_STEP_SUMMARY

      # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
-      - name: "Step 8: Build Joomla package and update checksum"
+      - name: "Step 8: Build package and update checksum"
        if: >-
          steps.version.outputs.skip != 'true'
        run: |
@@ -528,9 +656,29 @@ jobs:
          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
          [ -z "$MANIFEST" ] && exit 0

-          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1 || basename "$MANIFEST" .xml)
-          ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
-          TAR_NAME="${EXT_ELEMENT}-${VERSION}.tar.gz"
+          # Reuse element from Step 5, with same fallback chain
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+          fi
+          # ZIP name: type_folder_element-VERSION (e.g. plg_system_mokojgdpc-01.01.00.zip)
+          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+            cb_plugin) TYPE_PREFIX="cb_" ;;
+          esac
+          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"

          # -- Build install packages from src/ ----------------------------
          SOURCE_DIR="src"
@@ -661,7 +809,7 @@ jobs:
            fi
          fi

-          echo "### Joomla Packages" >> $GITHUB_STEP_SUMMARY
+          echo "### Packages" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Package | Size | SHA-256 |" >> $GITHUB_STEP_SUMMARY
          echo "|---------|------|---------|" >> $GITHUB_STEP_SUMMARY
@@ -670,65 +818,75 @@ jobs:
          echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
          echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY

-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
-        continue-on-error: true
-        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      # -- STEP 8b: Update release description with changelog + SHA ----------------
+      - name: "Step 8b: Update release body with changelog and SHA"
+        if: steps.version.outputs.skip != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          MAJOR="${{ steps.version.outputs.major }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
+          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"

-          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
-          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
-          echo "$NOTES" > /tmp/release_notes.md
+          # Build TYPE_PREFIX to match Step 8's ZIP naming
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+            cb_plugin) TYPE_PREFIX="cb_" ;;
+          esac
+          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"

-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+          # Get SHA from the built files
+          SHA256_ZIP=""
+          [ -f "/tmp/${ZIP_NAME}" ] && SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
+          SHA256_TAR=""
+          [ -f "/tmp/${TAR_NAME}" ] && SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)

-          if [ -z "$EXISTING" ]; then
-            gh release create "$RELEASE_TAG" \
-              --repo "$GH_REPO" \
-              --title "v${MAJOR} (latest: ${VERSION})" \
-              --notes-file /tmp/release_notes.md \
-              --target "$BRANCH" || true
-          else
-            gh release edit "$RELEASE_TAG" \
-              --repo "$GH_REPO" \
-              --title "v${MAJOR} (latest: ${VERSION})" || true
+          # Extract latest changelog entry (strip the ## header to avoid duplicate)
+          CHANGELOG=""
+          if [ -f "CHANGELOG.md" ]; then
+            CHANGELOG=$(sed -n "/^## \[*${VERSION}/,/^## \[*[0-9]/p" CHANGELOG.md | sed '$d' | sed '1d')
+            [ -z "$CHANGELOG" ] && CHANGELOG=$(sed -n '/^## /,/^## /p' CHANGELOG.md | sed '$d' | sed '1d' | head -30)
          fi

-          # Upload assets to GitHub mirror
-          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
-            if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
-            fi
-          done
-          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
+          # Build release body (single header, no duplicate from changelog)
+          BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\n"
+          if [ -n "$CHANGELOG" ]; then
+            BODY="${BODY}${CHANGELOG}\n\n"
+          fi
+          BODY="${BODY}---\n\n### Checksums\n\n"
+          BODY="${BODY}| File | SHA-256 |\n|------|--------|\n"
+          [ -n "$SHA256_ZIP" ] && BODY="${BODY}| \`${ZIP_NAME}\` | \`${SHA256_ZIP}\` |\n"
+          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"

-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
+          # Get release ID and update body
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
+            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
+            python3 -c "
+          import json, urllib.request
+          body = '''$(printf '%b' "$BODY")'''
+          data = json.dumps({'body': body}).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=data,
+              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              method='PATCH'
+          )
+          urllib.request.urlopen(req)
+          " 2>/dev/null && echo "Release body updated with changelog + SHA" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # -- (GitHub mirror removed — Gitea is the sole release platform) ----------

      # -- Clean up lesser pre-releases (cascade) ---------------------------------
      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
@@ -759,11 +917,104 @@ jobs:
          done
          echo "Cleaned up ${DELETED} pre-release channel(s)" >> $GITHUB_STEP_SUMMARY

+      # -- STEP 11: Reset dev branch and bump to next minor -------------------------
+      - name: "Step 11: Reset dev and bump to next minor"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+
+          # Delete dev branch
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
+
+          # Recreate dev from main
+          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/branches" \
+            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
+
+          # Calculate next minor version for dev
+          MAJOR=$((10#$(echo "$VERSION" | cut -d. -f1)))
+          MINOR=$((10#$(echo "$VERSION" | cut -d. -f2)))
+          MINOR=$((MINOR + 1))
+          if [ $MINOR -gt 99 ]; then
+            MINOR=0
+            MAJOR=$((MAJOR + 1))
+          fi
+          NEXT=$(printf "%02d.%02d.00" $MAJOR $MINOR)
+
+          # Bump version on dev via API (README + manifest)
+          # Update README.md on dev
+          README_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/README.md?ref=dev" 2>/dev/null || true)
+          README_SHA=$(echo "$README_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+          README_CONTENT=$(echo "$README_RESP" | python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin).get('content','')).decode())" 2>/dev/null || true)
+          if [ -n "$README_SHA" ] && [ -n "$README_CONTENT" ]; then
+            UPDATED=$(echo "$README_CONTENT" | sed "s/${VERSION}/${NEXT}/g")
+            ENCODED=$(echo "$UPDATED" | base64 -w0)
+            curl -sf -X PUT -H "Authorization: token ${TOKEN}" -H "Content-Type: application/json" \
+              "${API_BASE}/contents/README.md" \
+              -d "$(python3 -c "import json; print(json.dumps({'content':'${ENCODED}','sha':'${README_SHA}','message':'chore(version): bump ${VERSION} → ${NEXT} (dev) [skip ci]','branch':'dev'}))")" > /dev/null 2>&1 || true
+          fi
+
+          # Update manifest on dev (Joomla or Dolibarr)
+          case "$PLATFORM" in
+            joomla)
+              MANIFEST_PATH="${{ steps.platform.outputs.manifest }}"
+              [ -n "$MANIFEST_PATH" ] && MANIFEST_PATH=$(echo "$MANIFEST_PATH" | sed 's|^\./||')
+              if [ -n "$MANIFEST_PATH" ]; then
+                ENCODED_PATH=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${MANIFEST_PATH}'))")
+                MF_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
+                MF_SHA=$(echo "$MF_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+                MF_CONTENT=$(echo "$MF_RESP" | python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin).get('content','')).decode())" 2>/dev/null || true)
+                if [ -n "$MF_SHA" ] && [ -n "$MF_CONTENT" ]; then
+                  UPDATED=$(echo "$MF_CONTENT" | sed "s|<version>${VERSION}</version>|<version>${NEXT}</version>|")
+                  ENCODED=$(echo "$UPDATED" | base64 -w0)
+                  curl -sf -X PUT -H "Authorization: token ${TOKEN}" -H "Content-Type: application/json" \
+                    "${API_BASE}/contents/${ENCODED_PATH}" \
+                    -d "$(python3 -c "import json; print(json.dumps({'content':'${ENCODED}','sha':'${MF_SHA}','message':'chore(version): bump ${VERSION} → ${NEXT} (dev) [skip ci]','branch':'dev'}))")" > /dev/null 2>&1 || true
+                fi
+              fi
+              ;;
+            dolibarr)
+              # Dolibarr handled by separate step below
+              ;;
+          esac
+
+          echo "Dev branch bumped to ${NEXT}" >> $GITHUB_STEP_SUMMARY
+
+
+      # -- Dolibarr post-release: Reset dev version -----------------------------
+      - name: "Dolibarr: Reset dev version"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.platform.outputs.platform == 'dolibarr' &&
+          steps.platform.outputs.mod_file != ''
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
+          ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
+          FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
+          FILE_SHA=$(echo "$FILE_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+          FILE_CONTENT=$(echo "$FILE_RESP" | python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin).get('content','')).decode())" 2>/dev/null || true)
+          if [ -n "$FILE_SHA" ] && [ -n "$FILE_CONTENT" ]; then
+            UPDATED=$(echo "$FILE_CONTENT" | sed "s/\$this->version = '[^']*'/\$this->version = 'development'/")
+            ENCODED=$(echo "$UPDATED" | base64 -w0)
+            curl -sf -X PUT -H "Authorization: token ${TOKEN}" -H "Content-Type: application/json" "${API_BASE}/contents/${ENCODED_PATH}" \
+              -d "$(jq -n --arg content \"$ENCODED\" --arg sha \"$FILE_SHA\" --arg msg \"chore(version): reset dev version [skip ci]\" --arg branch \"dev\" '{content:$content,sha:$sha,message:$msg,branch:$branch}')" > /dev/null 2>&1 || true
+          fi
+
      # -- Summary --------------------------------------------------------------
      - name: Pipeline Summary
        if: always()
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          PLATFORM="${{ steps.platform.outputs.platform }}"
          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
@@ -771,10 +1022,11 @@ jobs:
            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
          else
            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (Joomla)" >> $GITHUB_STEP_SUMMARY
+            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,110 @@
+---
+name: Architecture Decision Record (ADR)
+about: Propose or document an architectural decision
+title: '[ADR] '
+labels: 'architecture, decision'
+assignees: ''
+
+---
+
+
+## ADR Number
+ADR-XXXX
+
+## Status
+- [ ] Proposed
+- [ ] Accepted
+- [ ] Deprecated
+- [ ] Superseded by ADR-XXXX
+
+## Context
+Describe the issue or problem that motivates this decision.
+
+## Decision
+State the architecture decision and provide rationale.
+
+## Consequences
+### Positive
+- List positive consequences
+
+### Negative
+- List negative consequences or trade-offs
+
+### Neutral
+- List neutral aspects
+
+## Alternatives Considered
+### Alternative 1
+- Description
+- Pros
+- Cons
+- Why not chosen
+
+### Alternative 2
+- Description
+- Pros
+- Cons
+- Why not chosen
+
+## Implementation Plan
+1. Step 1
+2. Step 2
+3. Step 3
+
+## Stakeholders
+- **Decision Makers**: @user1, @user2
+- **Consulted**: @user3, @user4
+- **Informed**: team-name
+
+## Technical Details
+### Architecture Diagram
+```
+[Add diagram or link]
+```
+
+### Dependencies
+- Dependency 1
+- Dependency 2
+
+### Impact Analysis
+- **Performance**: [Impact description]
+- **Security**: [Impact description]
+- **Scalability**: [Impact description]
+- **Maintainability**: [Impact description]
+
+## Testing Strategy
+- [ ] Unit tests
+- [ ] Integration tests
+- [ ] Performance tests
+- [ ] Security tests
+
+## Documentation
+- [ ] Architecture documentation updated
+- [ ] API documentation updated
+- [ ] Developer guide updated
+- [ ] Runbook created
+
+## Migration Path
+Describe how to migrate from current state to new architecture.
+
+## Rollback Plan
+Describe how to rollback if issues occur.
+
+## Timeline
+- **Proposal Date**:
+- **Decision Date**:
+- **Implementation Start**:
+- **Expected Completion**:
+
+## References
+- Related ADRs:
+- External resources:
+- RFCs:
+
+## Review Checklist
+- [ ] Aligns with enterprise architecture principles
+- [ ] Security implications reviewed
+- [ ] Performance implications reviewed
+- [ ] Cost implications reviewed
+- [ ] Compliance requirements met
+- [ ] Team consensus achieved
@@ -0,0 +1,48 @@
+---
+name: Bug Report
+about: Report a bug or issue with the project
+title: '[BUG] '
+labels: 'bug'
+assignees: ''
+
+---
+
+
+## Bug Description
+A clear and concise description of what the bug is.
+
+## Steps to Reproduce
+1. Go to '...'
+2. Click on '...'
+3. Scroll down to '...'
+4. See error
+
+## Expected Behavior
+A clear and concise description of what you expected to happen.
+
+## Actual Behavior
+A clear and concise description of what actually happened.
+
+## Screenshots
+If applicable, add screenshots to help explain your problem.
+
+## Environment
+- **Project**: [e.g., MokoDoliTools, moko-cassiopeia]
+- **Version**: [e.g., 1.2.3]
+- **Platform**: [e.g., Dolibarr 18.0, Joomla 5.0]
+- **PHP Version**: [e.g., 8.1]
+- **Database**: [e.g., MySQL 8.0, PostgreSQL 14]
+- **Browser** (if applicable): [e.g., Chrome 120, Firefox 121]
+- **OS**: [e.g., Ubuntu 22.04, Windows 11]
+
+## Additional Context
+Add any other context about the problem here.
+
+## Possible Solution
+If you have suggestions on how to fix the issue, please describe them here.
+
+## Checklist
+- [ ] I have searched for similar issues before creating this one
+- [ ] I have provided all the requested information
+- [ ] I have tested this on the latest stable version
+- [ ] I have checked the documentation and couldn't find a solution
@@ -0,0 +1,18 @@
+---
+blank_issues_enabled: true
+contact_links:
+  - name: 💼 Enterprise Support
+    url: https://mokoconsulting.tech/enterprise
+    about: Enterprise-level support and consultation services
+  - name: 💬 Ask a Question
+    url: https://mokoconsulting.tech/
+    about: Get help or ask questions through our website
+  - name: 📚 MokoStandards Documentation
+    url: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+    about: View our coding standards and best practices
+  - name: 🔒 Report a Security Vulnerability
+    url: https://git.mokoconsulting.tech/mokoconsulting-tech/.github-private/security/advisories/new
+    about: Report security vulnerabilities privately (for critical issues)
+  - name: 💡 Community Discussions
+    url: https://github.com/orgs/mokoconsulting-tech/discussions
+    about: Join community discussions and Q&A
@@ -0,0 +1,52 @@
+---
+name: Documentation Issue
+about: Report an issue with documentation
+title: '[DOCS] '
+labels: 'documentation'
+assignees: ''
+
+---
+
+
+## Documentation Issue
+
+**Location**: 
+<!-- Specify the file, page, or section with the issue -->
+
+## Issue Type
+<!-- Mark the relevant option with an "x" -->
+- [ ] Typo or grammar error
+- [ ] Outdated information
+- [ ] Missing documentation
+- [ ] Unclear explanation
+- [ ] Broken links
+- [ ] Missing examples
+- [ ] Other (specify below)
+
+## Description
+<!-- Clearly describe the documentation issue -->
+
+## Current Content
+<!-- Quote or describe the current documentation (if applicable) -->
+```
+Current text here
+```
+
+## Suggested Improvement
+<!-- Provide your suggestion for how to improve the documentation -->
+```
+Suggested text here
+```
+
+## Additional Context
+<!-- Add any other context, screenshots, or references -->
+
+## Standards Alignment
+- [ ] Follows MokoStandards documentation guidelines
+- [ ] Uses en_US/en_GB localization
+- [ ] Includes proper SPDX headers where applicable
+
+## Checklist
+- [ ] I have searched for similar documentation issues
+- [ ] I have provided a clear description
+- [ ] I have suggested an improvement (if applicable)
@@ -0,0 +1,51 @@
+---
+name: Feature Request
+about: Suggest a new feature or enhancement
+title: '[FEATURE] '
+labels: 'enhancement'
+assignees: ''
+
+---
+
+
+## Feature Description
+A clear and concise description of the feature you'd like to see.
+
+## Problem or Use Case
+Describe the problem this feature would solve or the use case it addresses.
+Ex. I'm always frustrated when [...]
+
+## Proposed Solution
+A clear and concise description of what you want to happen.
+
+## Alternative Solutions
+A clear and concise description of any alternative solutions or features you've considered.
+
+## Benefits
+Describe how this feature would benefit users:
+- Who would use this feature?
+- What problems does it solve?
+- What value does it add?
+
+## Implementation Details (Optional)
+If you have ideas about how this could be implemented, share them here:
+- Technical approach
+- Files/components that might need changes
+- Any concerns or challenges you foresee
+
+## Additional Context
+Add any other context, mockups, or screenshots about the feature request here.
+
+## Relevant Standards
+Does this relate to any standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)?
+- [ ] Accessibility (WCAG 2.1 AA)
+- [ ] Localization (en_US/en_GB)
+- [ ] Security best practices
+- [ ] Code quality standards
+- [ ] Other: [specify]
+
+## Checklist
+- [ ] I have searched for similar feature requests before creating this one
+- [ ] I have clearly described the use case and benefits
+- [ ] I have considered alternative solutions
+- [ ] This feature aligns with the project's goals and scope
@@ -0,0 +1,87 @@
+---
+name: Joomla Extension Issue
+about: Report an issue with a Joomla extension
+title: '[JOOMLA] '
+labels: 'joomla'
+assignees: ''
+
+---
+
+
+## Issue Type
+- [ ] Component Issue
+- [ ] Module Issue
+- [ ] Plugin Issue
+- [ ] Template Issue
+
+## Extension Details
+- **Extension Name**: [e.g., moko-cassiopeia]
+- **Extension Version**: [e.g., 1.2.3]
+- **Extension Type**: [Component / Module / Plugin / Template]
+
+## Joomla Environment
+- **Joomla Version**: [e.g., 4.4.0, 5.0.0]
+- **PHP Version**: [e.g., 8.1.0]
+- **Database**: [MySQL / PostgreSQL / MariaDB]
+- **Database Version**: [e.g., 8.0]
+- **Server**: [Apache / Nginx / IIS]
+- **Hosting**: [Shared / VPS / Dedicated / Cloud]
+
+## Issue Description
+Provide a clear and detailed description of the issue.
+
+## Steps to Reproduce
+1. Go to '...'
+2. Click on '...'
+3. Configure '...'
+4. See error
+
+## Expected Behavior
+What you expected to happen.
+
+## Actual Behavior
+What actually happened.
+
+## Error Messages
+```
+# Paste any error messages from Joomla error logs
+# Location: administrator/logs/error.php
+```
+
+## Browser Console Errors
+```javascript
+// Paste any JavaScript console errors (F12 in browser)
+```
+
+## Screenshots
+Add screenshots to help explain the issue.
+
+## Configuration
+```ini
+# Paste extension configuration (sanitize sensitive data)
+```
+
+## Installed Extensions
+List other installed extensions that might conflict:
+- Extension 1 (version)
+- Extension 2 (version)
+
+## Template Overrides
+- [ ] Using template overrides
+- [ ] Custom CSS
+- [ ] Custom JavaScript
+
+## Additional Context
+- **Multilingual Site**: [Yes / No]
+- **Cache Enabled**: [Yes / No]
+- **Debug Mode**: [Yes / No]
+- **SEF URLs**: [Yes / No]
+
+## Checklist
+- [ ] I have cleared Joomla cache
+- [ ] I have disabled other extensions to test for conflicts
+- [ ] I have checked Joomla error logs
+- [ ] I have tested with a default Joomla template
+- [ ] I have checked browser console for JavaScript errors
+- [ ] I have searched for similar issues
+- [ ] I am using a supported Joomla version
@@ -0,0 +1,82 @@
+---
+name: Question
+about: Ask a question about usage, features, or best practices
+title: '[QUESTION] '
+labels: ['question']
+assignees: ['jmiller']
+---
+
+
+## Question
+
+**Your question:**
+
+
+## Context
+
+**What are you trying to accomplish?**
+
+
+**What have you already tried?**
+
+
+**Category**:
+- [ ] Script usage
+- [ ] Configuration
+- [ ] Workflow setup
+- [ ] Documentation interpretation
+- [ ] Best practices
+- [ ] Integration
+- [ ] Other: __________
+
+## Environment (if relevant)
+
+**Your setup**:
+- Operating System:
+- Version:
+
+## What You've Researched
+
+**Documentation reviewed**:
+- [ ] README.md
+- [ ] Project documentation
+- [ ] Other (specify): __________
+
+**Similar issues/questions found**:
+- #
+- #
+
+## Expected Outcome
+
+**What result are you hoping for?**
+
+
+## Code/Configuration Samples
+
+**Relevant code or configuration** (if applicable):
+
+```bash
+# Your code here
+```
+
+## Additional Context
+
+**Any other relevant information:**
+
+
+**Screenshots** (if helpful):
+
+
+## Urgency
+
+- [ ] Urgent (blocking work)
+- [ ] Normal (can work on other things meanwhile)
+- [ ] Low priority (just curious)
+
+## Checklist
+
+- [ ] I have searched existing issues and discussions
+- [ ] I have reviewed relevant documentation
+- [ ] I have provided sufficient context
+- [ ] I have included code/configuration samples if relevant
+- [ ] This is a genuine question (not a bug report or feature request)
@@ -0,0 +1,126 @@
+---
+name: Request for Comments (RFC)
+about: Propose a significant change for community discussion
+title: '[RFC] '
+labels: 'rfc, discussion'
+assignees: ''
+
+---
+
+
+## RFC Summary
+One-paragraph summary of the proposal.
+
+## Motivation
+Why are we doing this? What use cases does it support? What is the expected outcome?
+
+## Detailed Design
+### Overview
+Provide a detailed explanation of the proposed change.
+
+### API Changes (if applicable)
+```php
+// Before
+function oldApi($param1) { }
+
+// After
+function newApi($param1, $param2) { }
+```
+
+### User Experience Changes
+Describe how users will interact with this change.
+
+### Implementation Approach
+High-level implementation strategy.
+
+## Drawbacks
+Why should we *not* do this?
+
+## Alternatives
+What other designs have been considered? What is the impact of not doing this?
+
+### Alternative 1
+- Description
+- Trade-offs
+
+### Alternative 2
+- Description
+- Trade-offs
+
+## Adoption Strategy
+How will existing users adopt this? Is this a breaking change?
+
+### Migration Guide
+```bash
+# Steps to migrate
+```
+
+### Deprecation Timeline
+- **Announcement**:
+- **Deprecation**:
+- **Removal**:
+
+## Unresolved Questions
+- Question 1
+- Question 2
+
+## Future Possibilities
+What future work does this enable?
+
+## Impact Assessment
+### Performance
+Expected performance impact.
+
+### Security
+Security considerations and implications.
+
+### Compatibility
+- **Backward Compatible**: [Yes / No]
+- **Breaking Changes**: [List]
+
+### Maintenance
+Long-term maintenance considerations.
+
+## Community Input
+### Stakeholders
+- [ ] Core team
+- [ ] Module developers
+- [ ] End users
+- [ ] Enterprise customers
+
+### Feedback Period
+**Duration**: [e.g., 2 weeks]
+**Deadline**: [date]
+
+## Implementation Timeline
+### Phase 1: Design
+- [ ] RFC discussion
+- [ ] Design finalization
+- [ ] Approval
+
+### Phase 2: Implementation
+- [ ] Core implementation
+- [ ] Tests
+- [ ] Documentation
+
+### Phase 3: Release
+- [ ] Beta release
+- [ ] Feedback collection
+- [ ] Stable release
+
+## Success Metrics
+How will we measure success?
+- Metric 1
+- Metric 2
+
+## References
+- Related RFCs:
+- External documentation:
+- Prior art:
+
+## Open Questions for Community
+1. Question 1?
+2. Question 2?
+
+---
+**Note**: This RFC is open for community discussion. Please provide feedback in the comments below.
@@ -0,0 +1,51 @@
+---
+name: Security Vulnerability Report
+about: Report a security vulnerability (use only for non-critical issues)
+title: '[SECURITY] '
+labels: 'security'
+assignees: ''
+
+---
+
+
+## ⚠️ IMPORTANT: Private Disclosure Required
+
+**For critical security vulnerabilities, DO NOT use this template.**
+Follow the process in [SECURITY.md](../SECURITY.md) for responsible disclosure.
+
+Use this template only for:
+- Security improvements
+- Non-critical security suggestions
+- Security documentation updates
+
+---
+
+## Security Issue
+
+**Severity**: 
+<!-- Low, Medium, or informational only -->
+
+## Description
+<!-- Describe the security concern or improvement suggestion -->
+
+## Affected Components
+<!-- List the affected files, features, or components -->
+
+## Suggested Mitigation
+<!-- Describe how this could be addressed -->
+
+## Standards Reference
+Does this relate to security standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)?
+- [ ] SPDX license identifiers
+- [ ] Secret management
+- [ ] Dependency security
+- [ ] Access control
+- [ ] Other: [specify]
+
+## Additional Context
+<!-- Add any other context about the security concern -->
+
+## Checklist
+- [ ] This is NOT a critical vulnerability requiring private disclosure
+- [ ] I have reviewed the SECURITY.md policy
+- [ ] I have provided sufficient detail for evaluation
@@ -0,0 +1,24 @@
+---
+name: Version Bump
+about: Request or track a version change
+title: '[VERSION] '
+labels: 'version, type: version'
+assignees: 'jmiller'
+---
+
+## Version Change
+
+**Current version**: <!-- e.g., 01.02.03 -->
+**Requested version**: <!-- e.g., 01.03.00 -->
+**Change type**: <!-- patch / minor / major -->
+
+## Reason
+
+<!-- Why is this version bump needed? -->
+
+## Checklist
+
+- [ ] README.md `VERSION:` field updated
+- [ ] CHANGELOG.md entry added
+- [ ] Module descriptor version updated (Dolibarr: `$this->version`, Joomla: `<version>`)
+- [ ] All file headers will be auto-propagated by `sync-version-on-merge` workflow
@@ -0,0 +1,949 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Release
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/joomla/auto-release.yml.template
+# VERSION: 04.06.00
+# BRIEF: Joomla build & release — ZIP package, updates.xml, SHA-256 checksum
+#
+# +========================================================================+
+# |                    BUILD & RELEASE PIPELINE (JOOMLA)                   |
+# +========================================================================+
+# |                                                                        |
+# |  Triggers on push to main (skips bot commits + [skip ci]):             |
+# |                                                                        |
+# |  Every push:                                                           |
+# |    1. Read version from README.md                                      |
+# |    3. Set platform version (Joomla <version>)                          |
+# |    4. Update [VERSION: XX.YY.ZZ] badges in markdown files              |
+# |    5. Write updates.xml (Joomla update server XML)                      |
+# |    6. Create git tag vXX.YY.ZZ                                        |
+# |    7a. Patch: update existing Gitea Release for this minor             |
+# |    8. Build ZIP, upload asset, write SHA-256 to updates.xml             |
+# |                                                                        |
+# |  Every version change: archives main -> version/XX.YY branch           |
+# |  All patches release (including 00). Patch 00/01 = full pipeline.      |
+# |  First release only (patch == 01):                                     |
+# |    7b. Create new Gitea Release                                        |
+# |                                                                        |
+# |  GitHub mirror: stable/rc releases only (continue-on-error)            |
+# |                                                                        |
+# +========================================================================+
+
+name: Build & Release
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  workflow_dispatch:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Build & Release Pipeline
+    runs-on: release
+    if: >-
+      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.GA_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setup MokoStandards tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+        run: |
+          # Ensure PHP + Composer are available
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
+            /tmp/mokostandards-api
+          cd /tmp/mokostandards-api
+          composer install --no-dev --no-interaction --quiet
+
+      # -- STEP 1: Read version -----------------------------------------------
+      - name: "Step 1: Read version from README.md"
+        id: version
+        run: |
+          VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null)
+          if [ -z "$VERSION" ]; then
+            echo "No VERSION in README.md — skipping release"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          # Derive major.minor for branch naming (patches update existing branch)
+          MINOR=$(echo "$VERSION" | awk -F. '{printf "%s.%s", $1, $2}')
+          PATCH=$(echo "$VERSION" | awk -F. '{print $3}')
+
+          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
+          MINOR_NUM=$(echo "$VERSION" | awk -F. '{print $2}')
+
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+          echo "branch=version/${MAJOR}" >> "$GITHUB_OUTPUT"
+          echo "minor=$MINOR" >> "$GITHUB_OUTPUT"
+          echo "major=$MAJOR" >> "$GITHUB_OUTPUT"
+          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
+          echo "stability=stable" >> "$GITHUB_OUTPUT"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+          if [ "$PATCH" = "00" ] || [ "$PATCH" = "01" ]; then
+            echo "is_minor=true" >> "$GITHUB_OUTPUT"
+            echo "Version: $VERSION (first release for this minor — full pipeline)"
+          else
+            echo "is_minor=false" >> "$GITHUB_OUTPUT"
+            echo "Version: $VERSION (patch — platform version + badges only)"
+          fi
+
+      # -- STEP 1b: Bump minor version (stable = minor bump, reset patch) ------
+      - name: "Step 1b: Bump minor version for stable release"
+        if: steps.version.outputs.skip != 'true'
+        id: bump
+        run: |
+          CURRENT=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
+          [ -z "$CURRENT" ] && { echo "skip=true" >> "$GITHUB_OUTPUT"; exit 0; }
+
+          MAJOR=$((10#$(echo "$CURRENT" | cut -d. -f1)))
+          MINOR=$((10#$(echo "$CURRENT" | cut -d. -f2)))
+
+          # Minor bump, reset patch. Rollover if minor > 99
+          MINOR=$((MINOR + 1))
+          if [ $MINOR -gt 99 ]; then
+            MINOR=0
+            MAJOR=$((MAJOR + 1))
+          fi
+
+          VERSION=$(printf "%02d.%02d.00" $MAJOR $MINOR)
+          TODAY=$(date +%Y-%m-%d)
+
+          echo "Stable bump: ${CURRENT} → ${VERSION} (minor)"
+
+          # Update README.md
+          sed -i "s/VERSION:[[:space:]]*${CURRENT}/VERSION: ${VERSION}/" README.md
+
+          # Update manifest
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          if [ -n "$MANIFEST" ]; then
+            MANIFEST_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
+            [ -n "$MANIFEST_VER" ] && sed -i "s|<version>${MANIFEST_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
+            sed -i "s|<creationDate>[^<]*</creationDate>|<creationDate>${TODAY}</creationDate>|" "$MANIFEST"
+          fi
+
+          # Promote [Unreleased] section in CHANGELOG.md to new version
+          if [ -f "CHANGELOG.md" ] && grep -qi "Unreleased" CHANGELOG.md; then
+            sed -i "s|## \[Unreleased\]|## [${VERSION}] --- ${TODAY}|" CHANGELOG.md
+            sed -i "s|## Unreleased|## [${VERSION}] --- ${TODAY}|" CHANGELOG.md
+            sed -i "2i ## [Unreleased]" CHANGELOG.md
+            sed -i "3i \\ " CHANGELOG.md
+            echo "CHANGELOG promoted to [${VERSION}]"
+          fi
+
+          # Commit and push
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git add -A
+          git diff --cached --quiet || {
+            git commit -m "chore(version): bump ${CURRENT} → ${VERSION} [skip ci]"
+            git push origin HEAD:main 2>&1
+          }
+
+          # Override version output for rest of pipeline
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "major=$(printf "%02d" $MAJOR)" >> "$GITHUB_OUTPUT"
+
+      - name: Check if already released
+        if: steps.version.outputs.skip != 'true'
+        id: check
+        run: |
+          TAG="${{ steps.version.outputs.release_tag }}"
+          BRANCH="${{ steps.version.outputs.branch }}"
+
+          TAG_EXISTS=false
+          BRANCH_EXISTS=false
+
+          git rev-parse "$TAG" >/dev/null 2>&1 && TAG_EXISTS=true
+          git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q "$BRANCH" && BRANCH_EXISTS=true
+
+          echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
+          echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
+
+          # Tag and branch may persist across patch releases — never skip
+          echo "already_released=false" >> "$GITHUB_OUTPUT"
+
+      # -- SANITY CHECKS -------------------------------------------------------
+      - name: "Sanity: Pre-release validation"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          ERRORS=0
+
+          echo "## Pre-Release Sanity Checks (Joomla)" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # -- Version drift check (must pass before release) --------
+          README_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
+          if [ "$README_VER" != "$VERSION" ]; then
+            echo "- Version drift: README says \`${README_VER}\` but releasing \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS+1))
+          else
+            echo "- Version consistent: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Check CHANGELOG version matches
+          CL_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' CHANGELOG.md 2>/dev/null | head -1)
+          if [ -n "$CL_VER" ] && [ "$CL_VER" != "$VERSION" ]; then
+            echo "- CHANGELOG drift: \`${CL_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS+1))
+          fi
+
+          # Check composer.json version if present
+          if [ -f "composer.json" ]; then
+            COMP_VER=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' composer.json 2>/dev/null | head -1)
+            if [ -n "$COMP_VER" ] && [ "$COMP_VER" != "$VERSION" ]; then
+              echo "- composer.json drift: \`${COMP_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS+1))
+            fi
+          fi
+
+          # Common checks
+          if [ ! -f "LICENSE" ]; then
+            echo "- Missing LICENSE file" >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS+1))
+          else
+            echo "- LICENSE present" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if [ ! -d "src" ] && [ ! -d "htdocs" ]; then
+            echo "- Warning: No src/ or htdocs/ directory" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- Source directory present" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # -- Joomla: manifest version drift --------
+          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          if [ -n "$MANIFEST" ]; then
+            XML_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            if [ -n "$XML_VER" ] && [ "$XML_VER" != "$VERSION" ]; then
+              echo "- Manifest drift: \`${XML_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS+1))
+            else
+              echo "- Manifest version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+            fi
+          fi
+
+          # -- Joomla: XML manifest existence --------
+          if [ -z "$MANIFEST" ]; then
+            echo "- No Joomla XML manifest found" >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS+1))
+          else
+            echo "- Manifest: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
+
+            # -- Joomla: extension type check --------
+            TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null)
+            echo "- Extension type: ${TYPE:-unknown}" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "$ERRORS" -gt 0 ]; then
+            echo "**${ERRORS} error(s) — release may be incomplete**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "**All sanity checks passed**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # -- STEP 2: Create or update version/XX.YY archive branch ---------------
+      # Always runs — every version change on main archives to version/XX.YY
+      - name: "Step 2: Version archive branch"
+        if: steps.check.outputs.already_released != 'true'
+        run: |
+          BRANCH="${{ steps.version.outputs.branch }}"
+          IS_MINOR="${{ steps.version.outputs.is_minor }}"
+          PATCH="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          PATCH_NUM=$(echo "$PATCH" | awk -F. '{print $3}')
+
+          # Check if branch exists
+          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+            git push origin HEAD:"$BRANCH" --force
+            echo "Updated archive branch: ${BRANCH} (patch ${PATCH_NUM})" >> $GITHUB_STEP_SUMMARY
+          else
+            git checkout -b "$BRANCH" 2>/dev/null || git checkout "$BRANCH"
+            git push origin "$BRANCH" --force
+            echo "Created archive branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # -- STEP 3: Set platform version ----------------------------------------
+      - name: "Step 3: Set platform version"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          php /tmp/mokostandards-api/cli/version_set_platform.php \
+            --path . --version "$VERSION" --branch main
+
+      # -- STEP 4: Update version badges ----------------------------------------
+      - name: "Step 4: Update version badges"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          find . -name "*.md" ! -path "./.git/*" ! -path "./vendor/*" | while read -r f; do
+            if grep -q '\[VERSION:' "$f" 2>/dev/null; then
+              sed -i "s/\[VERSION:[[:space:]]*[0-9]\{2\}\.[0-9]\{2\}\.[0-9]\{2\}\]/[VERSION: ${VERSION}]/" "$f"
+            fi
+          done
+
+      # -- STEP 5: Write updates.xml (Joomla update server) ---------------------
+      - name: "Step 5: Write updates.xml"
+        id: updates
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          REPO="${{ github.repository }}"
+
+          # -- Parse extension metadata from XML manifest ----------------
+          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          if [ -z "$MANIFEST" ]; then
+            echo "Warning: No Joomla XML manifest found — skipping updates.xml" >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
+
+          # Extract fields using sed (portable — no grep -P)
+          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
+          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
+          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
+          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
+
+          # If EXT_NAME is a language key (e.g. PLG_SYSTEM_MOKOJGDPC), resolve from .ini
+          if echo "$EXT_NAME" | grep -qE '^[A-Z_]+$'; then
+            INI_NAME=$(find . -name "*.sys.ini" -path "*/en-GB/*" -exec grep -h "^${EXT_NAME}=" {} \; 2>/dev/null | head -1 | cut -d'"' -f2)
+            [ -z "$INI_NAME" ] && INI_NAME=$(find . -name "*.sys.ini" -exec grep -h "^${EXT_NAME}=" {} \; 2>/dev/null | head -1 | cut -d'"' -f2)
+            [ -n "$INI_NAME" ] && EXT_NAME="$INI_NAME"
+          fi
+
+          # Fallbacks
+          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
+          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
+
+          # Derive element if not in manifest:
+          # 1. plugin="xxx" attribute (plugins)
+          # 2. module="xxx" attribute (modules)
+          # 3. XML filename (components, packages)
+          # 4. Repo name fallback (templates, anything else)
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          fi
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(sed -n 's/.*module="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          fi
+          if [ -z "$EXT_ELEMENT" ]; then
+            FNAME=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            # If filename is generic (templateDetails, manifest), use repo name
+            case "$FNAME" in
+              templatedetails|manifest) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
+              *) EXT_ELEMENT="$FNAME" ;;
+            esac
+          fi
+          # Final fallback
+          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+
+          # Save for Steps 7, 8, 8b
+          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
+          echo "ext_name=${EXT_NAME}" >> "$GITHUB_OUTPUT"
+          echo "ext_type=${EXT_TYPE}" >> "$GITHUB_OUTPUT"
+          echo "ext_folder=${EXT_FOLDER}" >> "$GITHUB_OUTPUT"
+
+          # Build client tag: plugins and frontend modules need <client>site</client>
+          CLIENT_TAG=""
+          if [ -n "$EXT_CLIENT" ]; then
+            CLIENT_TAG="<client>${EXT_CLIENT}</client>"
+          elif [ "$EXT_TYPE" = "module" ] || [ "$EXT_TYPE" = "plugin" ]; then
+            CLIENT_TAG="<client>site</client>"
+          fi
+
+          # Build folder tag for plugins (required for Joomla to match the update)
+          FOLDER_TAG=""
+          if [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ]; then
+            FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
+          fi
+
+          # Build targetplatform (fallback to Joomla 5 if not in manifest)
+          if [ -z "$TARGET_PLATFORM" ]; then
+            TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
+          fi
+
+          # Build php_minimum tag
+          PHP_TAG=""
+          if [ -n "$PHP_MINIMUM" ]; then
+            PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
+          fi
+
+          # Build TYPE_PREFIX for download URL
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+          esac
+
+          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/stable/${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/stable"
+
+          # -- Build update entry for a given stability tag
+          build_entry() {
+            local TAG_NAME="$1"
+            printf '%s\n' '  <update>'
+            printf '%s\n' "    <name>${EXT_NAME}</name>"
+            printf '%s\n' "    <description>${EXT_NAME} update</description>"
+            printf '%s\n' "    <element>${EXT_ELEMENT}</element>"
+            printf '%s\n' "    <type>${EXT_TYPE}</type>"
+            printf '%s\n' "    <version>${VERSION}</version>"
+            [ -n "$CLIENT_TAG" ] && printf '%s\n' "    ${CLIENT_TAG}"
+            [ -n "$FOLDER_TAG" ] && printf '%s\n' "    ${FOLDER_TAG}"
+            printf '%s\n' "    <tags><tag>${TAG_NAME}</tag></tags>"
+            printf '%s\n' "    <infourl title=\"${EXT_NAME}\">${INFO_URL}</infourl>"
+            printf '%s\n' '    <downloads>'
+            printf '%s\n' "      <downloadurl type=\"full\" format=\"zip\">${DOWNLOAD_URL}</downloadurl>"
+            printf '%s\n' '    </downloads>'
+            printf '%s\n' "    ${TARGET_PLATFORM}"
+            [ -n "$PHP_TAG" ] && printf '%s\n' "    ${PHP_TAG}"
+            printf '%s\n' '    <maintainer>Moko Consulting</maintainer>'
+            printf '%s\n' '    <maintainerurl>https://mokoconsulting.tech</maintainerurl>'
+            printf '%s\n' '  </update>'
+          }
+
+          # -- Write updates.xml with cascading channels
+          # Stable release updates ALL channels (development, alpha, beta, rc, stable)
+          {
+            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>"
+            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting <hello@mokoconsulting.tech>"
+            printf '%s\n' " SPDX-License-Identifier: GPL-3.0-or-later"
+            printf '%s\n' " VERSION: ${VERSION}"
+            printf '%s\n' " -->"
+            printf '%s\n' ""
+            printf '%s\n' '<updates>'
+            build_entry "development"
+            build_entry "alpha"
+            build_entry "beta"
+            build_entry "rc"
+            build_entry "stable"
+            printf '%s\n' '</updates>'
+          } > updates.xml
+
+          echo "updates.xml: ${VERSION} (all channels updated to stable)" >> $GITHUB_STEP_SUMMARY
+
+      # -- Commit all changes ---------------------------------------------------
+      - name: Commit release changes
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          if git diff --quiet && git diff --cached --quiet; then
+            echo "No changes to commit"
+            exit 0
+          fi
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          # Set push URL with token for branch-protected repos
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git add -A
+          git commit -m "chore(release): build ${VERSION} [skip ci]" \
+            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+          git push -u origin HEAD
+
+      # -- STEP 6: Create tag ---------------------------------------------------
+      - name: "Step 6: Create git tag"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.tag_exists != 'true' &&
+          steps.version.outputs.is_minor == 'true'
+        run: |
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          # Only create the major release tag if it doesn't exist yet
+          if ! git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
+            git tag "$RELEASE_TAG"
+            git push origin "$RELEASE_TAG"
+            echo "Tag created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Tag ${RELEASE_TAG} already exists" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 7: Create or update Gitea Release --------------------------------
+      - name: "Step 7: Gitea Release"
+        if: >-
+          steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          BRANCH="${{ steps.version.outputs.branch }}"
+          MAJOR="${{ steps.version.outputs.major }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Reuse metadata from Step 5 (single source of truth)
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          EXT_NAME="${{ steps.updates.outputs.ext_name }}"
+          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
+          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
+
+          # Fallbacks if Step 5 was skipped
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+          fi
+          [ -z "$EXT_NAME" ] && EXT_NAME="${GITEA_REPO}"
+
+          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null)
+          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+
+          # Build release name: "Pretty Name VERSION (type_element-VERSION)"
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+          esac
+          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
+
+          # Delete existing release if present (overwrite, not append)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
+          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$EXISTING_ID" ]; then
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
+            echo "Deleted previous stable release (id: ${EXISTING_ID})"
+          fi
+
+          # Create fresh release
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/releases" \
+            -d "$(python3 -c "import json; print(json.dumps({
+              'tag_name': '${RELEASE_TAG}',
+              'name': '${RELEASE_NAME}',
+              'body': '''## ${VERSION} ($(date +%Y-%m-%d))\n${NOTES}''',
+              'target_commitish': '${BRANCH}'
+            }))")"
+          echo "Release created: ${RELEASE_NAME}" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
+      - name: "Step 8: Build Joomla package and update checksum"
+        if: >-
+          steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          REPO="${{ github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # All ZIPs upload to the major release tag (vXX)
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
+          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+          if [ -z "$RELEASE_ID" ]; then
+            echo "No release ${RELEASE_TAG} found — skipping ZIP upload"
+            exit 0
+          fi
+
+          # Find extension element name from manifest
+          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
+          [ -z "$MANIFEST" ] && exit 0
+
+          # Reuse element from Step 5, with same fallback chain
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+          fi
+          # ZIP name: type_folder_element-VERSION (e.g. plg_system_mokojgdpc-01.01.00.zip)
+          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+          esac
+          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
+
+          # -- Build install packages from src/ ----------------------------
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ — skipping package"; exit 0; }
+
+          EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
+
+          # ZIP package
+          cd "$SOURCE_DIR"
+          zip -r "/tmp/${ZIP_NAME}" . -x $EXCLUDES
+          cd ..
+
+          # tar.gz package
+          tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR" \
+            --exclude='.ftpignore' --exclude='sftp-config*' \
+            --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
+
+          ZIP_SIZE=$(stat -c%s "/tmp/${ZIP_NAME}" 2>/dev/null || stat -f%z "/tmp/${ZIP_NAME}" 2>/dev/null || echo "unknown")
+          TAR_SIZE=$(stat -c%s "/tmp/${TAR_NAME}" 2>/dev/null || stat -f%z "/tmp/${TAR_NAME}" 2>/dev/null || echo "unknown")
+
+          # -- Calculate SHA-256 for both ----------------------------------
+          SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
+          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
+
+          # -- Delete existing assets with same name before uploading ------
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
+          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
+            ASSET_ID=$(echo "$ASSETS" | python3 -c "
+          import sys,json
+          assets = json.load(sys.stdin)
+          for a in assets:
+              if a['name'] == '${ASSET_NAME}':
+                  print(a['id']); break
+          " 2>/dev/null || true)
+            if [ -n "$ASSET_ID" ]; then
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
+            fi
+          done
+
+          # -- Upload both to release tag ----------------------------------
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @"/tmp/${ZIP_NAME}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
+
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @"/tmp/${TAR_NAME}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
+
+          # -- Update updates.xml with both download formats ---------------
+          if [ -f "updates.xml" ]; then
+            ZIP_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
+            TAR_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
+
+            # Use Python to update only the stable entry's downloads + sha256
+            export PY_ZIP_URL="$ZIP_URL" PY_TAR_URL="$TAR_URL" PY_SHA="$SHA256_ZIP"
+            python3 << 'PYEOF'
+          import re, os
+
+          with open("updates.xml") as f:
+              content = f.read()
+
+          zip_url = os.environ["PY_ZIP_URL"]
+          tar_url = os.environ["PY_TAR_URL"]
+          sha = os.environ["PY_SHA"]
+
+          # Find the stable update block and replace its downloads + sha256
+          def replace_stable(m):
+              block = m.group(0)
+              # Replace downloads block
+              new_downloads = (
+                  "    <downloads>\n"
+                  f"      <downloadurl type=\"full\" format=\"zip\">{zip_url}</downloadurl>\n"
+                  "    </downloads>"
+              )
+              block = re.sub(r'    <downloads>.*?</downloads>', new_downloads, block, flags=re.DOTALL)
+              # Add or replace sha256
+              if '<sha256>' in block:
+                  block = re.sub(r'    <sha256>.*?</sha256>', f'    <sha256>{sha}</sha256>', block)
+              else:
+                  block = block.replace('</downloads>', f'</downloads>\n    <sha256>{sha}</sha256>')
+              return block
+
+          content = re.sub(
+              r'  <update>.*?<tag>stable</tag>.*?</update>',
+              replace_stable,
+              content,
+              flags=re.DOTALL
+          )
+
+          with open("updates.xml", "w") as f:
+              f.write(content)
+          PYEOF
+
+            CURRENT_BRANCH="${{ github.ref_name }}"
+            git add updates.xml
+            git commit -m "chore(release): ZIP + tar.gz for ${VERSION} [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
+            git push || true
+
+            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
+            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
+
+            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
+
+            if [ -n "$FILE_SHA" ]; then
+              CONTENT=$(base64 -w0 updates.xml)
+              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                "${API}/contents/updates.xml" \
+                -d "$(jq -n \
+                  --arg content "$CONTENT" \
+                  --arg sha "$FILE_SHA" \
+                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
+                  --arg branch "main" \
+                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
+                )" > /dev/null 2>&1 \
+                && echo "updates.xml synced to main via API" \
+                || echo "WARNING: failed to sync updates.xml to main"
+            else
+              echo "WARNING: could not get updates.xml SHA from main"
+            fi
+          fi
+
+          echo "### Joomla Packages" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Package | Size | SHA-256 |" >> $GITHUB_STEP_SUMMARY
+          echo "|---------|------|---------|" >> $GITHUB_STEP_SUMMARY
+          echo "| \`${ZIP_NAME}\` | ${ZIP_SIZE} | \`${SHA256_ZIP}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| \`${TAR_NAME}\` | ${TAR_SIZE} | \`${SHA256_TAR}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
+          echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 8b: Update release description with changelog + SHA ----------------
+      - name: "Step 8b: Update release body with changelog and SHA"
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
+          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
+
+          # Build TYPE_PREFIX to match Step 8's ZIP naming
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+          esac
+          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
+
+          # Get SHA from the built files
+          SHA256_ZIP=""
+          [ -f "/tmp/${ZIP_NAME}" ] && SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
+          SHA256_TAR=""
+          [ -f "/tmp/${TAR_NAME}" ] && SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
+
+          # Extract latest changelog entry (strip the ## header to avoid duplicate)
+          CHANGELOG=""
+          if [ -f "CHANGELOG.md" ]; then
+            CHANGELOG=$(sed -n "/^## \[*${VERSION}/,/^## \[*[0-9]/p" CHANGELOG.md | sed '$d' | sed '1d')
+            [ -z "$CHANGELOG" ] && CHANGELOG=$(sed -n '/^## /,/^## /p' CHANGELOG.md | sed '$d' | sed '1d' | head -30)
+          fi
+
+          # Build release body (single header, no duplicate from changelog)
+          BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\n"
+          if [ -n "$CHANGELOG" ]; then
+            BODY="${BODY}${CHANGELOG}\n\n"
+          fi
+          BODY="${BODY}---\n\n### Checksums\n\n"
+          BODY="${BODY}| File | SHA-256 |\n|------|--------|\n"
+          [ -n "$SHA256_ZIP" ] && BODY="${BODY}| \`${ZIP_NAME}\` | \`${SHA256_ZIP}\` |\n"
+          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
+
+          # Get release ID and update body
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
+            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
+            python3 -c "
+          import json, urllib.request
+          body = '''$(printf '%b' "$BODY")'''
+          data = json.dumps({'body': body}).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=data,
+              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              method='PATCH'
+          )
+          urllib.request.urlopen(req)
+          " 2>/dev/null && echo "Release body updated with changelog + SHA" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
+      - name: "Step 9: Mirror release to GitHub"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.version.outputs.stability == 'stable' &&
+          secrets.GH_TOKEN != ''
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          MAJOR="${{ steps.version.outputs.major }}"
+          BRANCH="${{ steps.version.outputs.branch }}"
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+
+          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
+          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+          echo "$NOTES" > /tmp/release_notes.md
+
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+
+          if [ -z "$EXISTING" ]; then
+            gh release create "$RELEASE_TAG" \
+              --repo "$GH_REPO" \
+              --title "v${MAJOR} (latest: ${VERSION})" \
+              --notes-file /tmp/release_notes.md \
+              --target "$BRANCH" || true
+          else
+            gh release edit "$RELEASE_TAG" \
+              --repo "$GH_REPO" \
+              --title "v${MAJOR} (latest: ${VERSION})" || true
+          fi
+
+          # Upload assets to GitHub mirror
+          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
+            if [ -f "$PKG" ]; then
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+            fi
+          done
+          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
+      - name: "Step 10: Push main to GitHub mirror"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          secrets.GH_TOKEN != ''
+        continue-on-error: true
+        run: |
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
+          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
+          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git fetch origin main --depth=1
+          git push github origin/main:refs/heads/main --force 2>/dev/null \
+            && echo "main branch pushed to GitHub mirror" \
+            || echo "WARNING: GitHub mirror push failed"
+
+      # -- Clean up lesser pre-releases (cascade) ---------------------------------
+      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
+      - name: "Delete lesser pre-release channels"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+
+          # Stable deletes all pre-release channels
+          TAGS_TO_DELETE="development alpha beta release-candidate"
+
+          DELETED=0
+          for TAG in $TAGS_TO_DELETE; do
+            RELEASE_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
+              "${API_BASE}/releases/tags/${TAG}" 2>/dev/null | \
+              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
+              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+                "${API_BASE}/releases/${RELEASE_ID}" 2>/dev/null || true
+              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+                "${API_BASE}/tags/${TAG}" 2>/dev/null || true
+              echo "Deleted: ${TAG} (id: ${RELEASE_ID})"
+              DELETED=$((DELETED + 1))
+            fi
+          done
+          echo "Cleaned up ${DELETED} pre-release channel(s)" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 11: Reset dev branch from main ------------------------------------
+      - name: "Step 11: Delete and recreate dev branch from main"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+
+          # Delete dev branch
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
+
+          # Recreate dev from main (now includes version bump + changelog promotion)
+          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/branches" \
+            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
+
+          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
+
+      # -- Summary --------------------------------------------------------------
+      - name: Pipeline Summary
+        if: always()
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
+            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
+            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
+            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "## Build & Release Complete (Joomla)" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
+            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
+          fi
@@ -0,0 +1,213 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Maintenance
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/cascade-dev.yml.template
+# VERSION: 02.00.00
+# BRIEF: Forward-merge main → all open branches after every push to main
+#
+# +========================================================================+
+# |                CASCADE MAIN → ALL BRANCHES                             |
+# +========================================================================+
+# |                                                                        |
+# |  Triggers on every push to main (PR merges, bot commits, etc.)         |
+# |                                                                        |
+# |  1. List all branches matching: dev, rc/*, beta/*, alpha/*             |
+# |  2. For each: create PR (main → branch), auto-merge if clean           |
+# |  3. On conflict: leave PR open for manual resolution                   |
+# |                                                                        |
+# +========================================================================+
+
+name: Cascade Main → Dev
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  cascade:
+    name: Cascade main → branches
+    runs-on: ubuntu-latest
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip cascade]')
+
+    steps:
+      - name: Discover target branches
+        id: branches
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Fetch all branches (paginated)
+          PAGE=1
+          ALL_BRANCHES=""
+          while true; do
+            BATCH=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/branches?page=${PAGE}&limit=50" \
+              | jq -r '.[].name // empty')
+            [ -z "$BATCH" ] && break
+            ALL_BRANCHES="$ALL_BRANCHES $BATCH"
+            PAGE=$((PAGE + 1))
+          done
+
+          # Filter to cascade targets: dev, dev/*, rc/*, beta/*, alpha/*
+          TARGETS=""
+          for BRANCH in $ALL_BRANCHES; do
+            case "$BRANCH" in
+              dev|dev/*|rc/*|beta/*|alpha/*)
+                TARGETS="$TARGETS $BRANCH"
+                ;;
+            esac
+          done
+
+          TARGETS=$(echo "$TARGETS" | xargs)  # trim whitespace
+
+          if [ -z "$TARGETS" ]; then
+            echo "targets=" >> "$GITHUB_OUTPUT"
+            echo "ℹ️  No cascade target branches found"
+          else
+            echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
+            COUNT=$(echo "$TARGETS" | wc -w)
+            echo "📋 Found ${COUNT} target branch(es): ${TARGETS}"
+          fi
+
+      - name: Cascade to all target branches
+        if: steps.branches.outputs.targets != ''
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          SHORT_SHA="${GITHUB_SHA:0:7}"
+          TARGETS="${{ steps.branches.outputs.targets }}"
+
+          SUCCESS=0
+          CONFLICTS=0
+          SKIPPED=0
+          FAILED=0
+
+          for BRANCH in $TARGETS; do
+            echo ""
+            echo "═══ main → ${BRANCH} ═══"
+
+            # Check if branch is already up to date
+            ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
+            RESPONSE=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/compare/${ENCODED_BRANCH}...main")
+
+            AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
+
+            if [ "$AHEAD" -eq 0 ]; then
+              echo "  ✅ Already up to date"
+              SKIPPED=$((SKIPPED + 1))
+              continue
+            fi
+
+            echo "  ℹ️  main is ${AHEAD} commit(s) ahead"
+
+            # Check for existing cascade PR
+            EXISTING=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
+
+            EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
+            PR_NUMBER=""
+
+            if [ "$EXISTING_COUNT" -gt 0 ]; then
+              PR_NUMBER=$(echo "$EXISTING" | jq -r '.[0].number')
+              echo "  ℹ️  Reusing existing PR #${PR_NUMBER}"
+            else
+              # Create cascade PR
+              PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
+                -X POST \
+                -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                -d "{
+                  \"title\": \"chore: cascade main → ${BRANCH} (${SHORT_SHA}) [skip ci]\",
+                  \"body\": \"## Automatic cascade\\n\\nForward-merging \`main\` (${SHORT_SHA}) into \`${BRANCH}\`.\\n\\nIf conflicts exist, resolve manually and merge.\\n\\n> Auto-created by **Cascade Main → Dev**.\",
+                  \"head\": \"main\",
+                  \"base\": \"${BRANCH}\"
+                }" \
+                "${API}/pulls")
+
+              HTTP_CODE=$(echo "$PR_RESPONSE" | tail -1)
+              BODY=$(echo "$PR_RESPONSE" | sed '$d')
+              PR_NUMBER=$(echo "$BODY" | jq -r '.number // empty')
+
+              if [ "$HTTP_CODE" != "201" ] || [ -z "$PR_NUMBER" ]; then
+                MSG=$(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)
+                echo "  ❌ Failed to create PR (HTTP ${HTTP_CODE}): ${MSG}"
+                FAILED=$((FAILED + 1))
+                continue
+              fi
+
+              echo "  ✅ Created PR #${PR_NUMBER}"
+            fi
+
+            # Try auto-merge
+            PR_DATA=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/pulls/${PR_NUMBER}")
+
+            MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
+
+            if [ "$MERGEABLE" != "true" ]; then
+              echo "  ⚠️  Conflicts — PR #${PR_NUMBER} left open"
+              CONFLICTS=$((CONFLICTS + 1))
+              continue
+            fi
+
+            MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
+              -X POST \
+              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              -d "{
+                \"Do\": \"merge\",
+                \"merge_message_field\": \"chore: cascade main → ${BRANCH} [skip ci]\",
+                \"delete_branch_after_merge\": false
+              }" \
+              "${API}/pulls/${PR_NUMBER}/merge")
+
+            MERGE_HTTP=$(echo "$MERGE_RESPONSE" | tail -1)
+
+            if [ "$MERGE_HTTP" = "200" ] || [ "$MERGE_HTTP" = "204" ]; then
+              echo "  ✅ Merged — ${BRANCH} is in sync"
+              SUCCESS=$((SUCCESS + 1))
+            else
+              MERGE_BODY=$(echo "$MERGE_RESPONSE" | sed '$d')
+              echo "  ⚠️  Merge failed (HTTP ${MERGE_HTTP}) — PR #${PR_NUMBER} left open"
+              CONFLICTS=$((CONFLICTS + 1))
+            fi
+          done
+
+          # Summary
+          echo ""
+          echo "════════════════════════════════════════"
+          echo "  ✅ Merged:    ${SUCCESS}"
+          echo "  ⚠️  Conflicts: ${CONFLICTS}"
+          echo "  ⏭️  Up to date: ${SKIPPED}"
+          echo "  ❌ Failed:    ${FAILED}"
+          echo "════════════════════════════════════════"
+
+          if [ "$FAILED" -gt 0 ]; then
+            exit 1
+          fi
@@ -375,3 +375,76 @@ jobs:
          else
            echo "No phpunit.xml found — skipping tests." >> $GITHUB_STEP_SUMMARY
          fi
+
+  static-analysis:
+    name: PHPStan Analysis
+    runs-on: ubuntu-latest
+    needs: lint-and-validate
+    continue-on-error: true
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP
+        run: php -v && composer --version
+
+      - name: Install dependencies
+        env:
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          if [ -f "composer.json" ]; then
+            composer install --no-interaction --prefer-dist --optimize-autoloader
+          fi
+
+      - name: Install PHPStan
+        run: |
+          if ! command -v vendor/bin/phpstan &> /dev/null; then
+            composer require --dev phpstan/phpstan --no-interaction 2>/dev/null || \
+              composer global require phpstan/phpstan --no-interaction
+          fi
+
+      - name: Run PHPStan
+        run: |
+          echo "### PHPStan Static Analysis" >> $GITHUB_STEP_SUMMARY
+          PHPSTAN="vendor/bin/phpstan"
+          if [ ! -f "$PHPSTAN" ]; then
+            PHPSTAN=$(composer global config bin-dir --absolute 2>/dev/null)/phpstan
+          fi
+
+          # Determine source directory
+          SRC_DIR=""
+          for DIR in src/ htdocs/ lib/; do
+            if [ -d "$DIR" ]; then
+              SRC_DIR="$DIR"
+              break
+            fi
+          done
+
+          if [ -z "$SRC_DIR" ]; then
+            echo "No source directory found (src/, htdocs/, lib/) — skipping." >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
+
+          # Use repo phpstan.neon if present, otherwise use baseline config
+          ARGS="analyse ${SRC_DIR} --memory-limit=512M --no-progress --error-format=table"
+          if [ -f "phpstan.neon" ] || [ -f "phpstan.neon.dist" ]; then
+            echo "Using project PHPStan config." >> $GITHUB_STEP_SUMMARY
+          else
+            ARGS="$ARGS --level=3"
+            echo "No phpstan.neon found — using level 3 (type inference)." >> $GITHUB_STEP_SUMMARY
+          fi
+
+          $PHPSTAN $ARGS 2>&1 | tee /tmp/phpstan-output.txt
+          EXIT=${PIPESTATUS[0]}
+
+          if [ $EXIT -eq 0 ]; then
+            echo "**No errors found.**" >> $GITHUB_STEP_SUMMARY
+          else
+            ERRORS=$(grep -c "ERROR" /tmp/phpstan-output.txt 2>/dev/null || echo "some")
+            echo "**${ERRORS} error(s) found.** Review output above." >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            tail -30 /tmp/phpstan-output.txt >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
+          exit $EXIT
@@ -0,0 +1,96 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/gitleaks.yml.template
+# VERSION: 01.00.00
+# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
+#
+# +========================================================================+
+# |                        SECRET SCANNING                                 |
+# +========================================================================+
+# |                                                                        |
+# |  Scans commits for leaked secrets using Gitleaks.                      |
+# |                                                                        |
+# |  - PR scan: only new commits in the PR                                 |
+# |  - Scheduled: full repo scan weekly                                    |
+# |  - Alerts via ntfy on findings                                         |
+# |                                                                        |
+# +========================================================================+
+
+name: Secret Scanning
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'dev/**'
+  schedule:
+    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  gitleaks:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          GITLEAKS_VERSION="8.21.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - name: Scan for secrets
+        id: scan
+        run: |
+          echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
+          ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
+
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # Scan only PR commits
+            ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
+            echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if gitleaks detect $ARGS 2>&1; then
+            echo "result=clean" >> "$GITHUB_OUTPUT"
+            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "result=found" >> "$GITHUB_OUTPUT"
+            FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
+            echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: Notify on findings
+        if: failure() && steps.scan.outputs.result == 'found'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} — secrets detected in code" \
+            -H "Tags: rotating_light,key" \
+            -H "Priority: urgent" \
+            -d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -18,6 +18,7 @@ on:
      - "Joomla Build & Release"
      - "Joomla Extension CI"
      - "Deploy"
+      - "Cascade Main → Dev"
    types:
      - completed

@@ -0,0 +1,90 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# Enforces branch merge policy:
+#   feature/* → dev only
+#   fix/*     → dev only
+#   hotfix/*  → dev or main (emergency)
+#   dev       → main only
+#   alpha/*   → dev only
+#   beta/*    → dev only
+#   rc/*      → main only
+
+name: Branch Policy Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+jobs:
+  check-target:
+    name: Verify merge target
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch policy
+        run: |
+          HEAD="${{ github.head_ref }}"
+          BASE="${{ github.base_ref }}"
+
+          echo "PR: ${HEAD} → ${BASE}"
+
+          ALLOWED=true
+          REASON=""
+
+          case "$HEAD" in
+            feature/*|feat/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Feature branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            fix/*|bugfix/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Fix branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            hotfix/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
+              fi
+              ;;
+            alpha/*|beta/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Pre-release branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            rc/*)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Release candidate branches must target 'main', not '${BASE}'"
+              fi
+              ;;
+            dev)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Dev branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+          esac
+
+          if [ "$ALLOWED" = false ]; then
+            echo "::error::${REASON}"
+            echo ""
+            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
+            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "Branch policy: OK (${HEAD} → ${BASE})"
+          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
@@ -278,7 +278,7 @@ jobs:
              f.write(content)
          PYEOF

-          # Commit and push
+          # Commit and push to current branch
          if ! git diff --quiet updates.xml 2>/dev/null; then
            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
            git config --local user.name "gitea-actions[bot]"
@@ -287,6 +287,28 @@ jobs:
            git push origin HEAD 2>&1 || echo "WARNING: push failed"
          fi

+      - name: "Sync updates.xml to all branches"
+        run: |
+          CURRENT_BRANCH="${{ github.ref_name }}"
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+
+          # Sync updates.xml to main and dev (whichever isn't current)
+          for BRANCH in main dev; do
+            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
+
+            echo "Syncing updates.xml → ${BRANCH}"
+            git fetch origin "${BRANCH}" 2>/dev/null || continue
+            git checkout "origin/${BRANCH}" -- . 2>/dev/null || continue
+            git checkout "${CURRENT_BRANCH}" -- updates.xml
+            if ! git diff --quiet updates.xml 2>/dev/null; then
+              git add updates.xml
+              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
+              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
+            fi
+            git checkout "${CURRENT_BRANCH}" 2>/dev/null
+          done
+
      - name: "Delete lesser pre-release channels (cascade)"
        continue-on-error: true
        run: |
@@ -64,7 +64,7 @@ env:
  # File / directory variables
  DOCS_INDEX: docs/docs-index.md
  SCRIPT_DIR: scripts
-  WORKFLOWS_DIR: .github/workflows
+  WORKFLOWS_DIR: .gitea/workflows
  SHELLCHECK_PATTERN: '*.sh'
  SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
@@ -0,0 +1,193 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Workflows
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /templates/workflows/sync-roadmap-wiki.yml.template
+# VERSION: 04.06.00
+# BRIEF: Syncs project board state to a Roadmap wiki page
+
+name: Sync Roadmap to Wiki
+
+on:
+  # Run when project issues change
+  issues:
+    types: [opened, closed, reopened, labeled, unlabeled, milestoned, demilestoned]
+
+  # Run on milestone changes
+  milestone:
+    types: [created, closed, opened, edited, deleted]
+
+  # Manual trigger
+  workflow_dispatch:
+
+  # Weekly refresh to catch any drift
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  contents: write
+  issues: read
+
+jobs:
+  sync-roadmap:
+    name: Generate Roadmap Wiki
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Generate Roadmap from Projects
+        env:
+          GITEA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GITEA_URL: ${{ github.server_url }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          REPO_NAME: ${{ github.event.repository.name }}
+        run: |
+          set -euo pipefail
+
+          API="${GITEA_URL}/api/v1"
+          AUTH="Authorization: token ${GITEA_TOKEN}"
+          REPO="${REPO_OWNER}/${REPO_NAME}"
+
+          # Fetch milestones (open + closed)
+          MILESTONES_OPEN=$(curl -sf -H "$AUTH" "${API}/repos/${REPO}/milestones?state=open&limit=50" || echo "[]")
+          MILESTONES_CLOSED=$(curl -sf -H "$AUTH" "${API}/repos/${REPO}/milestones?state=closed&limit=50" || echo "[]")
+
+          # Fetch all open issues
+          ISSUES_OPEN=$(curl -sf -H "$AUTH" "${API}/repos/${REPO}/issues?state=open&type=issues&limit=50" || echo "[]")
+          ISSUES_CLOSED=$(curl -sf -H "$AUTH" "${API}/repos/${REPO}/issues?state=closed&type=issues&limit=50&sort=updated&direction=desc" || echo "[]")
+
+          # Fetch labels for categorization
+          LABELS=$(curl -sf -H "$AUTH" "${API}/repos/${REPO}/labels?limit=50" || echo "[]")
+
+          # Build the roadmap markdown
+          cat > /tmp/roadmap.md << 'HEADER'
+          # Roadmap
+
+          > Auto-generated from project milestones and issues.
+          > Last updated: TIMESTAMP
+
+          HEADER
+          sed -i "s|TIMESTAMP|$(date -u '+%Y-%m-%d %H:%M UTC')|" /tmp/roadmap.md
+
+          # --- Active Milestones ---
+          echo "## Active Milestones" >> /tmp/roadmap.md
+          echo "" >> /tmp/roadmap.md
+
+          MILESTONE_COUNT=$(echo "$MILESTONES_OPEN" | jq 'length')
+          if [ "$MILESTONE_COUNT" -eq 0 ]; then
+            echo "_No active milestones._" >> /tmp/roadmap.md
+            echo "" >> /tmp/roadmap.md
+          else
+            echo "$MILESTONES_OPEN" | jq -r '.[] | @base64' | while read -r ms; do
+              _jq() { echo "$ms" | base64 -d | jq -r "$1"; }
+              TITLE=$(_jq '.title')
+              DESC=$(_jq '.description // ""')
+              DUE=$(_jq '.due_on // ""')
+              OPEN=$(_jq '.open_issues')
+              CLOSED=$(_jq '.closed_issues')
+              TOTAL=$((OPEN + CLOSED))
+
+              if [ "$TOTAL" -gt 0 ]; then
+                PCT=$((CLOSED * 100 / TOTAL))
+              else
+                PCT=0
+              fi
+
+              echo "### ${TITLE}" >> /tmp/roadmap.md
+              if [ -n "$DUE" ] && [ "$DUE" != "null" ] && [ "$DUE" != "0001-01-01T00:00:00Z" ]; then
+                DUE_FMT=$(date -d "$DUE" '+%B %d, %Y' 2>/dev/null || echo "$DUE")
+                echo "**Due:** ${DUE_FMT}" >> /tmp/roadmap.md
+              fi
+              if [ -n "$DESC" ] && [ "$DESC" != "null" ]; then
+                echo "" >> /tmp/roadmap.md
+                echo "$DESC" >> /tmp/roadmap.md
+              fi
+              echo "" >> /tmp/roadmap.md
+              echo "**Progress:** ${CLOSED}/${TOTAL} (${PCT}%)" >> /tmp/roadmap.md
+              echo "" >> /tmp/roadmap.md
+
+              # List issues in this milestone
+              MS_ID=$(_jq '.id')
+              MS_ISSUES=$(echo "$ISSUES_OPEN" | jq --arg id "$MS_ID" '[.[] | select(.milestone.id == ($id | tonumber))]')
+              MS_DONE=$(echo "$ISSUES_CLOSED" | jq --arg id "$MS_ID" '[.[] | select(.milestone.id == ($id | tonumber))]')
+
+              if [ "$(echo "$MS_DONE" | jq 'length')" -gt 0 ]; then
+                echo "$MS_DONE" | jq -r '.[] | "- [x] " + .title + " (#" + (.number | tostring) + ")"' >> /tmp/roadmap.md
+              fi
+              if [ "$(echo "$MS_ISSUES" | jq 'length')" -gt 0 ]; then
+                echo "$MS_ISSUES" | jq -r '.[] | "- [ ] " + .title + " (#" + (.number | tostring) + ")"' >> /tmp/roadmap.md
+              fi
+              echo "" >> /tmp/roadmap.md
+            done
+          fi
+
+          # --- Backlog (issues without milestones) ---
+          BACKLOG=$(echo "$ISSUES_OPEN" | jq '[.[] | select(.milestone == null)]')
+          BACKLOG_COUNT=$(echo "$BACKLOG" | jq 'length')
+
+          if [ "$BACKLOG_COUNT" -gt 0 ]; then
+            echo "## Backlog" >> /tmp/roadmap.md
+            echo "" >> /tmp/roadmap.md
+            echo "_Issues not yet assigned to a milestone._" >> /tmp/roadmap.md
+            echo "" >> /tmp/roadmap.md
+
+            # Group by label if possible
+            echo "$BACKLOG" | jq -r '.[] | "- [ ] " + .title + " (#" + (.number | tostring) + ")" + (if (.labels | length) > 0 then " `" + (.labels | map(.name) | join("`, `")) + "`" else "" end)' >> /tmp/roadmap.md
+            echo "" >> /tmp/roadmap.md
+          fi
+
+          # --- Completed Milestones ---
+          CLOSED_COUNT=$(echo "$MILESTONES_CLOSED" | jq 'length')
+          if [ "$CLOSED_COUNT" -gt 0 ]; then
+            echo "## Completed" >> /tmp/roadmap.md
+            echo "" >> /tmp/roadmap.md
+            echo "$MILESTONES_CLOSED" | jq -r '.[] | "- ~~" + .title + "~~ ✓ (" + (.closed_issues | tostring) + " issues)"' >> /tmp/roadmap.md
+            echo "" >> /tmp/roadmap.md
+          fi
+
+          echo "---" >> /tmp/roadmap.md
+          echo "_Generated by [sync-roadmap-wiki](${GITEA_URL}/${REPO}/actions) workflow._" >> /tmp/roadmap.md
+
+          echo "=== Generated Roadmap ==="
+          cat /tmp/roadmap.md
+
+      - name: Push Roadmap to Wiki
+        env:
+          GITEA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GITEA_URL: ${{ github.server_url }}
+          REPO_OWNER: ${{ github.repository_owner }}
+          REPO_NAME: ${{ github.event.repository.name }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+          AUTH="Authorization: token ${GITEA_TOKEN}"
+          REPO="${REPO_OWNER}/${REPO_NAME}"
+
+          CONTENT_B64=$(base64 -w0 /tmp/roadmap.md)
+
+          # Check if Roadmap wiki page exists
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -H "$AUTH" "${API}/repos/${REPO}/wiki/page/Roadmap" || echo "404")
+
+          if [ "$STATUS" = "200" ]; then
+            # Update existing page
+            curl -sf -X PATCH -H "$AUTH" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/wiki/page/Roadmap" \
+              -d "{\"title\": \"Roadmap\", \"content_base64\": \"${CONTENT_B64}\", \"message\": \"chore: sync roadmap from project board\"}" \
+              && echo "Roadmap wiki page updated"
+          else
+            # Create new page
+            curl -sf -X POST -H "$AUTH" -H "Content-Type: application/json" \
+              "${API}/repos/${REPO}/wiki/new" \
+              -d "{\"title\": \"Roadmap\", \"content_base64\": \"${CONTENT_B64}\", \"message\": \"chore: create roadmap from project board\"}" \
+              && echo "Roadmap wiki page created"
+          fi
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Roadmap Sync" >> $GITHUB_STEP_SUMMARY
+          echo "Roadmap wiki page synced from milestones and issues." >> $GITHUB_STEP_SUMMARY
+          echo "View it at: ${{ github.server_url }}/${{ github.repository }}/wiki/Roadmap" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,213 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Maintenance
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/cascade-dev.yml.template
+# VERSION: 02.00.00
+# BRIEF: Forward-merge main → all open branches after every push to main
+#
+# +========================================================================+
+# |                CASCADE MAIN → ALL BRANCHES                             |
+# +========================================================================+
+# |                                                                        |
+# |  Triggers on every push to main (PR merges, bot commits, etc.)         |
+# |                                                                        |
+# |  1. List all branches matching: dev, rc/*, beta/*, alpha/*             |
+# |  2. For each: create PR (main → branch), auto-merge if clean           |
+# |  3. On conflict: leave PR open for manual resolution                   |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Cascade Main → Dev"
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  cascade:
+    name: Cascade main → branches
+    runs-on: ubuntu-latest
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip cascade]')
+
+    steps:
+      - name: Discover target branches
+        id: branches
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Fetch all branches (paginated)
+          PAGE=1
+          ALL_BRANCHES=""
+          while true; do
+            BATCH=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/branches?page=${PAGE}&limit=50" \
+              | jq -r '.[].name // empty')
+            [ -z "$BATCH" ] && break
+            ALL_BRANCHES="$ALL_BRANCHES $BATCH"
+            PAGE=$((PAGE + 1))
+          done
+
+          # Filter to cascade targets: dev, dev/*, rc/*, beta/*, alpha/*
+          TARGETS=""
+          for BRANCH in $ALL_BRANCHES; do
+            case "$BRANCH" in
+              dev|dev/*|rc/*|beta/*|alpha/*)
+                TARGETS="$TARGETS $BRANCH"
+                ;;
+            esac
+          done
+
+          TARGETS=$(echo "$TARGETS" | xargs)  # trim whitespace
+
+          if [ -z "$TARGETS" ]; then
+            echo "targets=" >> "$GITHUB_OUTPUT"
+            echo "ℹ️  No cascade target branches found"
+          else
+            echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
+            COUNT=$(echo "$TARGETS" | wc -w)
+            echo "📋 Found ${COUNT} target branch(es): ${TARGETS}"
+          fi
+
+      - name: Cascade to all target branches
+        if: steps.branches.outputs.targets != ''
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          SHORT_SHA="${GITHUB_SHA:0:7}"
+          TARGETS="${{ steps.branches.outputs.targets }}"
+
+          SUCCESS=0
+          CONFLICTS=0
+          SKIPPED=0
+          FAILED=0
+
+          for BRANCH in $TARGETS; do
+            echo ""
+            echo "═══ main → ${BRANCH} ═══"
+
+            # Check if branch is already up to date
+            ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
+            RESPONSE=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/compare/${ENCODED_BRANCH}...main")
+
+            AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
+
+            if [ "$AHEAD" -eq 0 ]; then
+              echo "  ✅ Already up to date"
+              SKIPPED=$((SKIPPED + 1))
+              continue
+            fi
+
+            echo "  ℹ️  main is ${AHEAD} commit(s) ahead"
+
+            # Check for existing cascade PR
+            EXISTING=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
+
+            EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
+            PR_NUMBER=""
+
+            if [ "$EXISTING_COUNT" -gt 0 ]; then
+              PR_NUMBER=$(echo "$EXISTING" | jq -r '.[0].number')
+              echo "  ℹ️  Reusing existing PR #${PR_NUMBER}"
+            else
+              # Create cascade PR
+              PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
+                -X POST \
+                -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                -d "{
+                  \"title\": \"chore: cascade main → ${BRANCH} (${SHORT_SHA}) [skip ci]\",
+                  \"body\": \"## Automatic cascade\\n\\nForward-merging \`main\` (${SHORT_SHA}) into \`${BRANCH}\`.\\n\\nIf conflicts exist, resolve manually and merge.\\n\\n> Auto-created by **Cascade Main → Dev**.\",
+                  \"head\": \"main\",
+                  \"base\": \"${BRANCH}\"
+                }" \
+                "${API}/pulls")
+
+              HTTP_CODE=$(echo "$PR_RESPONSE" | tail -1)
+              BODY=$(echo "$PR_RESPONSE" | sed '$d')
+              PR_NUMBER=$(echo "$BODY" | jq -r '.number // empty')
+
+              if [ "$HTTP_CODE" != "201" ] || [ -z "$PR_NUMBER" ]; then
+                MSG=$(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)
+                echo "  ❌ Failed to create PR (HTTP ${HTTP_CODE}): ${MSG}"
+                FAILED=$((FAILED + 1))
+                continue
+              fi
+
+              echo "  ✅ Created PR #${PR_NUMBER}"
+            fi
+
+            # Try auto-merge
+            PR_DATA=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/pulls/${PR_NUMBER}")
+
+            MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
+
+            if [ "$MERGEABLE" != "true" ]; then
+              echo "  ⚠️  Conflicts — PR #${PR_NUMBER} left open"
+              CONFLICTS=$((CONFLICTS + 1))
+              continue
+            fi
+
+            MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
+              -X POST \
+              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              -d "{
+                \"Do\": \"merge\",
+                \"merge_message_field\": \"chore: cascade main → ${BRANCH} [skip ci]\",
+                \"delete_branch_after_merge\": false
+              }" \
+              "${API}/pulls/${PR_NUMBER}/merge")
+
+            MERGE_HTTP=$(echo "$MERGE_RESPONSE" | tail -1)
+
+            if [ "$MERGE_HTTP" = "200" ] || [ "$MERGE_HTTP" = "204" ]; then
+              echo "  ✅ Merged — ${BRANCH} is in sync"
+              SUCCESS=$((SUCCESS + 1))
+            else
+              MERGE_BODY=$(echo "$MERGE_RESPONSE" | sed '$d')
+              echo "  ⚠️  Merge failed (HTTP ${MERGE_HTTP}) — PR #${PR_NUMBER} left open"
+              CONFLICTS=$((CONFLICTS + 1))
+            fi
+          done
+
+          # Summary
+          echo ""
+          echo "════════════════════════════════════════"
+          echo "  ✅ Merged:    ${SUCCESS}"
+          echo "  ⚠️  Conflicts: ${CONFLICTS}"
+          echo "  ⏭️  Up to date: ${SKIPPED}"
+          echo "  ❌ Failed:    ${FAILED}"
+          echo "════════════════════════════════════════"
+
+          if [ "$FAILED" -gt 0 ]; then
+            exit 1
+          fi
@@ -0,0 +1,450 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# This file is part of a Moko Consulting project.
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow.Template
+# INGROUP: MokoStandards.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/joomla/ci-joomla.yml.template
+# VERSION: 04.06.00
+# BRIEF: CI workflow for Joomla extensions — lint, validate, test
+
+name: "Joomla: Extension CI"
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'dev/**'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  pull-requests: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  lint-and-validate:
+    name: Lint & Validate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP
+        run: |
+          php -v && composer --version
+
+      - name: Clone MokoStandards
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+        run: |
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
+            /tmp/mokostandards-api
+
+      - name: Install dependencies
+        env:
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          if [ -f "composer.json" ]; then
+            composer install \
+              --no-interaction \
+              --prefer-dist \
+              --optimize-autoloader
+          else
+            echo "No composer.json found — skipping dependency install"
+          fi
+
+      - name: PHP syntax check
+        run: |
+          ERRORS=0
+          for DIR in src/ htdocs/; do
+            if [ -d "$DIR" ]; then
+              FOUND=1
+              while IFS= read -r -d '' FILE; do
+                OUTPUT=$(php -l "$FILE" 2>&1)
+                if echo "$OUTPUT" | grep -q "Parse error"; then
+                  echo "::error file=${FILE}::${OUTPUT}"
+                  ERRORS=$((ERRORS + 1))
+                fi
+              done < <(find "$DIR" -name "*.php" -print0)
+            fi
+          done
+          echo "### PHP Syntax Check" >> $GITHUB_STEP_SUMMARY
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "**${ERRORS} syntax error(s) found.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: XML manifest validation
+        run: |
+          echo "### XML Manifest Validation" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Find the extension manifest (XML with <extension tag)
+          MANIFEST=""
+          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
+            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
+              MANIFEST="$XML_FILE"
+              break
+            fi
+          done
+
+          if [ -z "$MANIFEST" ]; then
+            echo "No Joomla extension manifest found (XML file with \`<extension\` tag)." >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS + 1))
+          else
+            echo "Manifest found: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
+
+            # Validate well-formed XML
+            php -r "
+              \$xml = @simplexml_load_file('$MANIFEST');
+              if (\$xml === false) {
+                echo 'INVALID';
+                exit(1);
+              }
+              echo 'VALID';
+            " > /tmp/xml_result 2>&1
+            XML_RESULT=$(cat /tmp/xml_result)
+            if [ "$XML_RESULT" != "VALID" ]; then
+              echo "Manifest is not well-formed XML." >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS + 1))
+            else
+              echo "Manifest is well-formed XML." >> $GITHUB_STEP_SUMMARY
+            fi
+
+            # Check required tags: name, version, author, namespace (Joomla 5+)
+            for TAG in name version author namespace; do
+              if ! grep -q "<${TAG}>" "$MANIFEST" 2>/dev/null; then
+                echo "Missing required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              else
+                echo "Found required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
+              fi
+            done
+          fi
+
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**${ERRORS} manifest issue(s) found.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**Manifest validation passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Check language files referenced in manifest
+        run: |
+          echo "### Language File Check" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          MANIFEST=""
+          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
+            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
+              MANIFEST="$XML_FILE"
+              break
+            fi
+          done
+
+          if [ -n "$MANIFEST" ]; then
+            # Extract language file references from manifest
+            LANG_FILES=$(grep -oP 'language\s+tag="[^"]*"[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
+            if [ -z "$LANG_FILES" ]; then
+              echo "No language file references found in manifest — skipping." >> $GITHUB_STEP_SUMMARY
+            else
+              while IFS= read -r LANG_FILE; do
+                LANG_FILE=$(echo "$LANG_FILE" | xargs)
+                if [ -z "$LANG_FILE" ]; then
+                  continue
+                fi
+                # Check in common locations
+                FOUND=0
+                for BASE in "." "src" "htdocs"; do
+                  if [ -f "${BASE}/${LANG_FILE}" ]; then
+                    FOUND=1
+                    break
+                  fi
+                done
+                if [ "$FOUND" -eq 0 ]; then
+                  echo "Missing language file: \`${LANG_FILE}\`" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS + 1))
+                else
+                  echo "Language file present: \`${LANG_FILE}\`" >> $GITHUB_STEP_SUMMARY
+                fi
+              done <<< "$LANG_FILES"
+            fi
+          else
+            echo "No manifest found — skipping language check." >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if [ "${ERRORS}" -gt 0 ]; then
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**${ERRORS} missing language file(s).**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**Language file check passed.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Check index.html files in directories
+        run: |
+          echo "### Index.html Check" >> $GITHUB_STEP_SUMMARY
+          MISSING=0
+          CHECKED=0
+
+          for DIR in src/ htdocs/; do
+            if [ -d "$DIR" ]; then
+              while IFS= read -r -d '' SUBDIR; do
+                CHECKED=$((CHECKED + 1))
+                if [ ! -f "${SUBDIR}/index.html" ]; then
+                  echo "Missing index.html in: \`${SUBDIR}\`" >> $GITHUB_STEP_SUMMARY
+                  MISSING=$((MISSING + 1))
+                fi
+              done < <(find "$DIR" -type d -print0)
+            fi
+          done
+
+          if [ "${CHECKED}" -eq 0 ]; then
+            echo "No src/ or htdocs/ directories found — skipping." >> $GITHUB_STEP_SUMMARY
+          elif [ "${MISSING}" -gt 0 ]; then
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**${MISSING} director(ies) missing index.html out of ${CHECKED} checked.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "All ${CHECKED} directories contain index.html." >> $GITHUB_STEP_SUMMARY
+          fi
+
+  release-readiness:
+    name: Release Readiness Check
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request' && github.base_ref == 'main'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Validate release readiness
+        run: |
+          echo "## Release Readiness" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          ERRORS=0
+
+          # Extract version from README.md
+          README_VERSION=$(grep -oP '^\s*VERSION:\s*\K[0-9]{2}\.[0-9]{2}\.[0-9]{2}' README.md | head -1)
+          if [ -z "$README_VERSION" ]; then
+            echo "No VERSION found in README.md FILE INFORMATION block." >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS + 1))
+          else
+            echo "README version: \`${README_VERSION}\`" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Find the extension manifest
+          MANIFEST=""
+          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
+            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
+              MANIFEST="$XML_FILE"
+              break
+            fi
+          done
+
+          if [ -z "$MANIFEST" ]; then
+            echo "No Joomla extension manifest found." >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS + 1))
+          else
+            echo "Manifest: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
+
+            # Check <version> matches README VERSION
+            MANIFEST_VERSION=$(grep -oP '<version>\K[^<]+' "$MANIFEST" | head -1)
+            if [ -z "$MANIFEST_VERSION" ]; then
+              echo "No \`<version>\` tag in manifest." >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS + 1))
+            elif [ -n "$README_VERSION" ] && [ "$MANIFEST_VERSION" != "$README_VERSION" ]; then
+              echo "Manifest version \`${MANIFEST_VERSION}\` does not match README \`${README_VERSION}\`." >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS + 1))
+            else
+              echo "Manifest version: \`${MANIFEST_VERSION}\`" >> $GITHUB_STEP_SUMMARY
+            fi
+
+            # Check extension type, element, client attributes
+            EXT_TYPE=$(grep -oP '<extension[^>]*\btype="\K[^"]+' "$MANIFEST" | head -1)
+            if [ -z "$EXT_TYPE" ]; then
+              echo "Missing \`type\` attribute on \`<extension>\` tag." >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS + 1))
+            else
+              echo "Extension type: \`${EXT_TYPE}\`" >> $GITHUB_STEP_SUMMARY
+            fi
+
+            # Element check (component/module/plugin name)
+            HAS_ELEMENT=$(grep -cP '<(element|name)>' "$MANIFEST" 2>/dev/null || echo "0")
+            if [ "$HAS_ELEMENT" -eq 0 ]; then
+              echo "Missing \`<element>\` or \`<name>\` in manifest." >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS + 1))
+            fi
+
+            # Client attribute for site/admin modules and plugins
+            if echo "$EXT_TYPE" | grep -qP "^(module|plugin)$"; then
+              HAS_CLIENT=$(grep -cP '<extension[^>]*\bclient=' "$MANIFEST" 2>/dev/null || echo "0")
+              if [ "$HAS_CLIENT" -eq 0 ]; then
+                echo "Missing \`client\` attribute for ${EXT_TYPE} extension." >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS + 1))
+              fi
+            fi
+          fi
+
+          # Check updates.xml exists
+          if [ -f "updates.xml" ] || [ -f "updates.xml" ]; then
+            echo "Update XML present." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No updates.xml found." >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS + 1))
+          fi
+
+          # Check CHANGELOG.md exists
+          if [ -f "CHANGELOG.md" ]; then
+            echo "CHANGELOG.md present." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No CHANGELOG.md found." >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS + 1))
+          fi
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ $ERRORS -gt 0 ]; then
+            echo "**${ERRORS} issue(s) must be resolved before release.**" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          else
+            echo "**Extension is ready for release.**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+  test:
+    name: Tests (PHP ${{ matrix.php }})
+    runs-on: ubuntu-latest
+    needs: lint-and-validate
+
+    strategy:
+      fail-fast: false
+      matrix:
+        php: ['8.2', '8.3']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP ${{ matrix.php }}
+        run: |
+          php -v && composer --version
+
+      - name: Install dependencies
+        env:
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          if [ -f "composer.json" ]; then
+            composer install \
+              --no-interaction \
+              --prefer-dist \
+              --optimize-autoloader
+          else
+            echo "No composer.json found — skipping dependency install"
+          fi
+
+      - name: Run tests
+        run: |
+          echo "### Test Results (PHP ${{ matrix.php }})" >> $GITHUB_STEP_SUMMARY
+          if [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
+            vendor/bin/phpunit --testdox 2>&1 | tee /tmp/test-output.log
+            EXIT=${PIPESTATUS[0]}
+            if [ $EXIT -eq 0 ]; then
+              echo "All tests passed." >> $GITHUB_STEP_SUMMARY
+            else
+              echo "Test failures detected — see log." >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+              cat /tmp/test-output.log >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+            fi
+            exit $EXIT
+          else
+            echo "No phpunit.xml found — skipping tests." >> $GITHUB_STEP_SUMMARY
+          fi
+
+  static-analysis:
+    name: PHPStan Analysis
+    runs-on: ubuntu-latest
+    needs: lint-and-validate
+    continue-on-error: true
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP
+        run: php -v && composer --version
+
+      - name: Install dependencies
+        env:
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          if [ -f "composer.json" ]; then
+            composer install --no-interaction --prefer-dist --optimize-autoloader
+          fi
+
+      - name: Install PHPStan
+        run: |
+          if ! command -v vendor/bin/phpstan &> /dev/null; then
+            composer require --dev phpstan/phpstan --no-interaction 2>/dev/null || \
+              composer global require phpstan/phpstan --no-interaction
+          fi
+
+      - name: Run PHPStan
+        run: |
+          echo "### PHPStan Static Analysis" >> $GITHUB_STEP_SUMMARY
+          PHPSTAN="vendor/bin/phpstan"
+          if [ ! -f "$PHPSTAN" ]; then
+            PHPSTAN=$(composer global config bin-dir --absolute 2>/dev/null)/phpstan
+          fi
+
+          # Determine source directory
+          SRC_DIR=""
+          for DIR in src/ htdocs/ lib/; do
+            if [ -d "$DIR" ]; then
+              SRC_DIR="$DIR"
+              break
+            fi
+          done
+
+          if [ -z "$SRC_DIR" ]; then
+            echo "No source directory found (src/, htdocs/, lib/) — skipping." >> $GITHUB_STEP_SUMMARY
+            exit 0
+          fi
+
+          # Use repo phpstan.neon if present, otherwise use baseline config
+          ARGS="analyse ${SRC_DIR} --memory-limit=512M --no-progress --error-format=table"
+          if [ -f "phpstan.neon" ] || [ -f "phpstan.neon.dist" ]; then
+            echo "Using project PHPStan config." >> $GITHUB_STEP_SUMMARY
+          else
+            ARGS="$ARGS --level=3"
+            echo "No phpstan.neon found — using level 3 (type inference)." >> $GITHUB_STEP_SUMMARY
+          fi
+
+          $PHPSTAN $ARGS 2>&1 | tee /tmp/phpstan-output.txt
+          EXIT=${PIPESTATUS[0]}
+
+          if [ $EXIT -eq 0 ]; then
+            echo "**No errors found.**" >> $GITHUB_STEP_SUMMARY
+          else
+            ERRORS=$(grep -c "ERROR" /tmp/phpstan-output.txt 2>/dev/null || echo "some")
+            echo "**${ERRORS} error(s) found.** Review output above." >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            tail -30 /tmp/phpstan-output.txt >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
+          exit $EXIT
@@ -0,0 +1,87 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Maintenance
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/cleanup.yml
+# VERSION: 01.00.00
+# BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
+
+name: "Universal: Repository Cleanup"
+
+on:
+  schedule:
+    - cron: '0 3 * * 0'  # Weekly on Sunday at 03:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  cleanup:
+    name: Clean Merged Branches
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GA_TOKEN }}
+
+      - name: Delete merged branches
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          echo "=== Merged Branch Cleanup ==="
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+
+          # List branches via API
+          BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/branches?limit=50" | jq -r '.[].name')
+
+          DELETED=0
+          for BRANCH in $BRANCHES; do
+            # Skip protected branches
+            case "$BRANCH" in
+              main|master|develop|release/*|hotfix/*) continue ;;
+            esac
+
+            # Check if branch is merged into main
+            if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
+              echo "  Deleting merged branch: ${BRANCH}"
+              curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/branches/${BRANCH}" 2>/dev/null || true
+              DELETED=$((DELETED + 1))
+            fi
+          done
+
+          echo "Deleted ${DELETED} merged branch(es)"
+
+      - name: Clean old workflow runs
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          echo "=== Workflow Run Cleanup ==="
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
+
+          # Get old completed runs
+          RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/actions/runs?status=completed&limit=50" | \
+            jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
+
+          DELETED=0
+          for RUN_ID in $RUNS; do
+            curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
+            DELETED=$((DELETED + 1))
+          done
+
+          echo "Deleted ${DELETED} old workflow run(s)"
@@ -0,0 +1,126 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Deploy
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+# PATH: /templates/workflows/joomla/deploy-manual.yml.template
+# VERSION: 04.07.00
+# BRIEF: Manual SFTP deploy to dev server for Joomla repos
+
+name: "Universal: Deploy to Dev (Manual)"
+
+on:
+  workflow_dispatch:
+    inputs:
+      clear_remote:
+        description: 'Delete all remote files before uploading'
+        required: false
+        default: 'false'
+        type: boolean
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    name: SFTP Deploy to Dev
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP
+        run: |
+          php -v && composer --version
+
+      - name: Setup MokoStandards tools
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
+            /tmp/mokostandards-api 2>/dev/null || true
+          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
+            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+
+      - name: Check FTP configuration
+        id: check
+        env:
+          HOST: ${{ vars.DEV_FTP_HOST }}
+          PATH_VAR: ${{ vars.DEV_FTP_PATH }}
+          PORT: ${{ vars.DEV_FTP_PORT }}
+        run: |
+          if [ -z "$HOST" ] || [ -z "$PATH_VAR" ]; then
+            echo "DEV_FTP_HOST or DEV_FTP_PATH not configured -- cannot deploy"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+          echo "host=$HOST" >> "$GITHUB_OUTPUT"
+
+          REMOTE="${PATH_VAR%/}"
+          echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"
+
+          [ -z "$PORT" ] && PORT="22"
+          echo "port=$PORT" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy via SFTP
+        if: steps.check.outputs.skip != 'true'
+        env:
+          SFTP_KEY: ${{ secrets.DEV_FTP_KEY }}
+          SFTP_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
+          SFTP_USER: ${{ vars.DEV_FTP_USERNAME }}
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ -- nothing to deploy"; exit 0; }
+
+          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
+            "${{ steps.check.outputs.host }}" "${{ steps.check.outputs.port }}" "$SFTP_USER" "${{ steps.check.outputs.remote }}" \
+            > /tmp/sftp-config.json
+
+          if [ -n "$SFTP_KEY" ]; then
+            echo "$SFTP_KEY" > /tmp/deploy_key
+            chmod 600 /tmp/deploy_key
+            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
+          else
+            printf ',"password":"%s"}' "$SFTP_PASS" >> /tmp/sftp-config.json
+          fi
+
+          DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
+          [ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)
+
+          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
+            php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
+          else
+            php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
+          fi
+
+          rm -f /tmp/deploy_key /tmp/sftp-config.json
+
+      - name: Summary
+        if: always()
+        run: |
+          if [ "${{ steps.check.outputs.skip }}" = "true" ]; then
+            echo "### Deploy Skipped -- FTP not configured" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "### Manual Dev Deploy Complete" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+            echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Host | \`${{ steps.check.outputs.host }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Remote | \`${{ steps.check.outputs.remote }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Clear | ${{ inputs.clear_remote }} |" >> $GITHUB_STEP_SUMMARY
+          fi
@@ -0,0 +1,96 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/gitleaks.yml.template
+# VERSION: 01.00.00
+# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
+#
+# +========================================================================+
+# |                        SECRET SCANNING                                 |
+# +========================================================================+
+# |                                                                        |
+# |  Scans commits for leaked secrets using Gitleaks.                      |
+# |                                                                        |
+# |  - PR scan: only new commits in the PR                                 |
+# |  - Scheduled: full repo scan weekly                                    |
+# |  - Alerts via ntfy on findings                                         |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Secret Scanning"
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'dev/**'
+  schedule:
+    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  gitleaks:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          GITLEAKS_VERSION="8.21.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - name: Scan for secrets
+        id: scan
+        run: |
+          echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
+          ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
+
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # Scan only PR commits
+            ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
+            echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if gitleaks detect $ARGS 2>&1; then
+            echo "result=clean" >> "$GITHUB_OUTPUT"
+            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "result=found" >> "$GITHUB_OUTPUT"
+            FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
+            echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: Notify on findings
+        if: failure() && steps.scan.outputs.result == 'found'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} — secrets detected in code" \
+            -H "Tags: rotating_light,key" \
+            -H "Priority: urgent" \
+            -d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -0,0 +1,71 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Notifications
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/notify.yml
+# VERSION: 01.00.00
+# BRIEF: Push notifications via ntfy on release success or workflow failure
+
+name: "Universal: Notifications"
+
+on:
+  workflow_run:
+    workflows:
+      - "Joomla Build & Release"
+      - "Joomla Extension CI"
+      - "Deploy"
+      - "Cascade Main → Dev"
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-releases' }}
+
+jobs:
+  notify:
+    name: Send Notification
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.workflow_run.conclusion == 'success' ||
+      github.event.workflow_run.conclusion == 'failure'
+
+    steps:
+      - name: Notify on success (releases only)
+        if: >-
+          github.event.workflow_run.conclusion == 'success' &&
+          contains(github.event.workflow_run.name, 'Release')
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} released" \
+            -H "Tags: white_check_mark,package" \
+            -H "Priority: default" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} completed successfully." \
+            "${NTFY_URL}/${NTFY_TOPIC}"
+
+      - name: Notify on failure
+        if: github.event.workflow_run.conclusion == 'failure'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} workflow failed" \
+            -H "Tags: x,warning" \
+            -H "Priority: high" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} failed. Check the run for details." \
+            "${NTFY_URL}/${NTFY_TOPIC}"
@@ -0,0 +1,196 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/universal/pr-check.yml.template
+# VERSION: 05.00.00
+# BRIEF: PR gate — branch policy + code validation before merge
+
+name: "Universal: PR Check"
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Branch Policy ──────────────────────────────────────────────────────
+  branch-policy:
+    name: Branch Policy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch merge target
+        run: |
+          HEAD="${{ github.head_ref }}"
+          BASE="${{ github.base_ref }}"
+
+          echo "PR: ${HEAD} → ${BASE}"
+
+          ALLOWED=true
+          REASON=""
+
+          case "$HEAD" in
+            feature/*|feat/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Feature branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            fix/*|bugfix/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Fix branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            hotfix/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
+              fi
+              ;;
+            alpha/*|beta/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Pre-release branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            rc/*)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Release candidate branches must target 'main', not '${BASE}'"
+              fi
+              ;;
+            dev)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Dev branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+          esac
+
+          if [ "$ALLOWED" = false ]; then
+            echo "::error::${REASON}"
+            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
+            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "Branch policy: OK (${HEAD} → ${BASE})"
+          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
+
+  # ── Code Validation ────────────────────────────────────────────────────
+  validate:
+    name: Validate PR
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect platform
+        id: platform
+        run: |
+          # Read platform from XML manifest (<platform> tag) or plain text fallback
+          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
+          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
+          [ -z "$PLATFORM" ] && PLATFORM="generic"
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+
+      - name: Setup PHP
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+
+      - name: PHP syntax check
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
+          echo "PHP lint: ${ERRORS} error(s)"
+          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
+
+      - name: Validate platform manifest
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+              if [ -z "$MANIFEST" ]; then
+                echo "::warning::No Joomla manifest found (WaaS site)"
+                exit 0
+              fi
+              echo "Manifest: ${MANIFEST}"
+              if command -v php &> /dev/null; then
+                php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
+              fi
+              for ELEMENT in name version description; do
+                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
+              done
+              echo "Joomla manifest valid"
+              ;;
+            dolibarr)
+              MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
+              if [ -z "$MOD_FILE" ]; then
+                echo "::error::No mod*.class.php found"
+                exit 1
+              fi
+              echo "Dolibarr module: ${MOD_FILE}"
+              ;;
+            *)
+              echo "Generic platform — no manifest validation"
+              ;;
+          esac
+
+      - name: Check update stream format
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              if [ -f "updates.xml" ]; then
+                if command -v php &> /dev/null; then
+                  php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
+                fi
+                echo "updates.xml valid"
+              fi
+              ;;
+            dolibarr)
+              [ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
+              ;;
+          esac
+
+      - name: Verify package source
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          if [ ! -d "$SOURCE_DIR" ]; then
+            echo "::warning::No src/ or htdocs/ directory"
+            exit 0
+          fi
+          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
+          echo "Source: ${FILE_COUNT} files"
+          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
@@ -0,0 +1,384 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /templates/workflows/universal/pre-release.yml.template
+# VERSION: 05.00.00
+# BRIEF: Manual pre-release — builds dev/alpha/beta/rc packages from any branch
+
+name: "Universal: Pre-Release"
+
+on:
+  workflow_dispatch:
+    inputs:
+      stability:
+        description: 'Pre-release channel'
+        required: true
+        type: choice
+        options:
+          - development
+          - alpha
+          - beta
+          - release-candidate
+
+permissions:
+  contents: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+jobs:
+  build:
+    name: "Build Pre-Release (${{ inputs.stability }})"
+    runs-on: release
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GA_TOKEN }}
+
+      - name: Setup PHP
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip >/dev/null 2>&1
+          fi
+
+      - name: Detect platform
+        id: platform
+        run: |
+          # Read platform from XML manifest (<platform> tag) or plain text fallback
+          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
+          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
+          [ -z "$PLATFORM" ] && PLATFORM="generic"
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
+          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
+          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
+
+      - name: Resolve metadata
+        id: meta
+        run: |
+          STABILITY="${{ inputs.stability }}"
+
+          case "$STABILITY" in
+            development)        SUFFIX="-dev";   TAG="development" ;;
+            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
+            beta)               SUFFIX="-beta";  TAG="beta" ;;
+            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
+          esac
+
+          # Read and bump patch version (with rollover)
+          CURRENT=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
+          [ -z "$CURRENT" ] && CURRENT="00.00.00"
+
+          MAJOR=$(echo "$CURRENT" | cut -d. -f1)
+          MINOR=$(echo "$CURRENT" | cut -d. -f2)
+          PATCH=$(echo "$CURRENT" | cut -d. -f3)
+
+          # Patch bump with rollover: ZZ=99 → bump minor, YY=99 → bump major
+          NEW_PATCH=$((10#$PATCH + 1))
+          NEW_MINOR=$((10#$MINOR))
+          NEW_MAJOR=$((10#$MAJOR))
+
+          if [ $NEW_PATCH -gt 99 ]; then
+            NEW_PATCH=0
+            NEW_MINOR=$((NEW_MINOR + 1))
+          fi
+          if [ $NEW_MINOR -gt 99 ]; then
+            NEW_MINOR=0
+            NEW_MAJOR=$((NEW_MAJOR + 1))
+          fi
+
+          VERSION=$(printf "%02d.%02d.%02d" $NEW_MAJOR $NEW_MINOR $NEW_PATCH)
+          TODAY=$(date +%Y-%m-%d)
+
+          echo "Bumping: ${CURRENT} → ${VERSION} (patch)"
+
+          # Update README.md
+          sed -i "s/VERSION:[[:space:]]*${CURRENT}/VERSION: ${VERSION}/" README.md
+
+          # Update platform-specific manifest
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          MANIFEST="${{ steps.platform.outputs.manifest }}"
+          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
+          case "$PLATFORM" in
+            joomla)
+              if [ -n "$MANIFEST" ]; then
+                MANIFEST_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
+                sed -i "s|<version>${MANIFEST_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
+                sed -i "s|<creationDate>[^<]*</creationDate>|<creationDate>${TODAY}</creationDate>|" "$MANIFEST"
+              fi
+              ;;
+            dolibarr)
+              if [ -n "$MOD_FILE" ]; then
+                sed -i "s/\$this->version = '[^']*'/\$this->version = '${VERSION}'/" "$MOD_FILE"
+              fi
+              ;;
+            *) ;;
+          esac
+
+          # Commit version bump
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git add -A
+          git diff --cached --quiet || {
+            git commit -m "chore(version): bump ${CURRENT} → ${VERSION} [skip ci]"
+            git push origin HEAD 2>&1
+          }
+
+          # Auto-detect element (platform-aware)
+          case "$PLATFORM" in
+            joomla)
+              MANIFEST="${{ steps.platform.outputs.manifest }}"
+              EXT_ELEMENT=""
+              if [ -n "$MANIFEST" ]; then
+                EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+                if [ -z "$EXT_ELEMENT" ]; then
+                  EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+                  case "$EXT_ELEMENT" in
+                    templatedetails|manifest) EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
+                  esac
+                fi
+              else
+                EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+              fi
+              ;;
+            dolibarr)
+              MOD_FILE="${{ steps.platform.outputs.mod_file }}"
+              if [ -n "$MOD_FILE" ]; then
+                MOD_BASENAME=$(basename "$MOD_FILE" .class.php)
+                EXT_ELEMENT=$(echo "$MOD_BASENAME" | sed 's/^mod//' | tr '[:upper:]' '[:lower:]')
+              else
+                EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+              fi
+              ;;
+            *)
+              EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+              ;;
+          esac
+
+          ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
+
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
+          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
+          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
+
+          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
+
+      - name: Build package
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          if [ ! -d "$SOURCE_DIR" ]; then
+            echo "::error::No src/ or htdocs/ directory"
+            exit 1
+          fi
+
+          mkdir -p build/package
+          rsync -a \
+            --exclude='sftp-config*' \
+            --exclude='.ftpignore' \
+            --exclude='*.ppk' \
+            --exclude='*.pem' \
+            --exclude='*.key' \
+            --exclude='.env*' \
+            --exclude='*.local' \
+            --exclude='.build-trigger' \
+            "${SOURCE_DIR}/" build/package/
+
+      - name: Create ZIP
+        id: zip
+        run: |
+          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
+          cd build/package
+          zip -r "../${ZIP_NAME}" .
+          cd ..
+
+          SHA256=$(sha256sum "${ZIP_NAME}" | cut -d' ' -f1)
+          echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
+          echo "ZIP: ${ZIP_NAME} (SHA: ${SHA256:0:16}...)"
+
+      - name: Create or replace Gitea release
+        id: release
+        run: |
+          TAG="${{ steps.meta.outputs.tag }}"
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.zip.outputs.sha256 }}"
+          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
+          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          BRANCH=$(git branch --show-current)
+
+          BODY="## ${VERSION} ($(date +%Y-%m-%d))
+          **Channel:** ${STABILITY}
+          **SHA-256:** \`${SHA256}\`"
+
+          # Delete existing release
+          EXISTING_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
+            "${API}/releases/tags/${TAG}" | jq -r '.id // empty' 2>/dev/null)
+          if [ -n "$EXISTING_ID" ]; then
+            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+              "${API}/releases/${EXISTING_ID}" 2>/dev/null || true
+            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+              "${API}/tags/${TAG}" 2>/dev/null || true
+          fi
+
+          # Create release
+          RELEASE_ID=$(curl -sS -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API}/releases" \
+            -d "$(jq -n \
+              --arg tag "$TAG" \
+              --arg target "$BRANCH" \
+              --arg name "${EXT_ELEMENT} ${VERSION} (${STABILITY})" \
+              --arg body "$BODY" \
+              '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, prerelease: true}'
+            )" | jq -r '.id')
+
+          echo "release_id=${RELEASE_ID}" >> "$GITHUB_OUTPUT"
+
+          # Upload ZIP
+          curl -sS -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/octet-stream" \
+            "${API}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" \
+            --data-binary "@build/${ZIP_NAME}"
+
+          echo "Released: ${EXT_ELEMENT} ${VERSION} (${STABILITY})"
+
+      - name: Update updates.xml
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          VERSION="${{ steps.meta.outputs.version }}"
+          SHA256="${{ steps.zip.outputs.sha256 }}"
+          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
+          TAG="${{ steps.meta.outputs.tag }}"
+          DATE=$(date +%Y-%m-%d)
+
+          if [ ! -f "updates.xml" ]; then
+            echo "No updates.xml — skipping"
+            exit 0
+          fi
+
+          export PY_STABILITY="$STABILITY" PY_VERSION="$VERSION" PY_SHA256="$SHA256" \
+                 PY_ZIP_NAME="$ZIP_NAME" PY_TAG="$TAG" PY_DATE="$DATE" \
+                 PY_GITEA_ORG="$GITEA_ORG" PY_GITEA_REPO="$GITEA_REPO"
+          python3 << 'PYEOF'
+          import re, os
+
+          stability  = os.environ["PY_STABILITY"]
+          version    = os.environ["PY_VERSION"]
+          sha256     = os.environ["PY_SHA256"]
+          zip_name   = os.environ["PY_ZIP_NAME"]
+          tag        = os.environ["PY_TAG"]
+          date       = os.environ["PY_DATE"]
+          gitea_org  = os.environ["PY_GITEA_ORG"]
+          gitea_repo = os.environ["PY_GITEA_REPO"]
+          download_url = f"https://git.mokoconsulting.tech/{gitea_org}/{gitea_repo}/releases/download/{tag}/{zip_name}"
+
+          with open("updates.xml", "r") as f:
+              content = f.read()
+
+          # Map stability to XML tag name
+          tag_map = {"development": "development", "alpha": "alpha", "beta": "beta", "release-candidate": "rc"}
+          xml_tag = tag_map.get(stability, stability)
+
+          pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(xml_tag) + r"</tag>.*?</update>)"
+          match = re.search(pattern, content, re.DOTALL)
+          if match:
+              block = match.group(1)
+              updated = re.sub(r"<version>[^<]*</version>", f"<version>{version}</version>", block)
+              updated = re.sub(r"<creationDate>[^<]*</creationDate>", f"<creationDate>{date}</creationDate>", updated)
+              if "<sha256>" in updated:
+                  updated = re.sub(r"<sha256>[^<]*</sha256>", f"<sha256>{sha256}</sha256>", updated)
+              else:
+                  updated = updated.replace("</downloads>", f"</downloads>\n    <sha256>{sha256}</sha256>")
+              updated = re.sub(r"(<downloadurl[^>]*>)[^<]*(</downloadurl>)", rf"\g<1>{download_url}\g<2>", updated)
+              content = content.replace(block, updated)
+              print(f"Updated {xml_tag} channel: version={version}")
+          else:
+              print(f"WARNING: No <tag>{xml_tag}</tag> block in updates.xml")
+
+          with open("updates.xml", "w") as f:
+              f.write(content)
+          PYEOF
+
+          # Commit and push to current branch
+          if ! git diff --quiet updates.xml 2>/dev/null; then
+            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+            git config --local user.name "gitea-actions[bot]"
+            git add updates.xml
+            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
+            git push origin HEAD 2>&1 || echo "WARNING: push failed"
+          fi
+
+      - name: "Sync updates.xml to all branches"
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          CURRENT_BRANCH="${{ github.ref_name }}"
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+
+          # Sync updates.xml to main and dev (whichever isn't current)
+          for BRANCH in main dev; do
+            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
+
+            echo "Syncing updates.xml → ${BRANCH}"
+            git fetch origin "${BRANCH}" 2>/dev/null || continue
+            git checkout "origin/${BRANCH}" -- . 2>/dev/null || continue
+            git checkout "${CURRENT_BRANCH}" -- updates.xml
+            if ! git diff --quiet updates.xml 2>/dev/null; then
+              git add updates.xml
+              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
+              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
+            fi
+            git checkout "${CURRENT_BRANCH}" 2>/dev/null
+          done
+
+      - name: "Delete lesser pre-release channels (cascade)"
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+
+          # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing
+          case "$STABILITY" in
+            release-candidate) TAGS_TO_DELETE="beta alpha development" ;;
+            beta)              TAGS_TO_DELETE="alpha development" ;;
+            alpha)             TAGS_TO_DELETE="development" ;;
+            *)                 TAGS_TO_DELETE="" ;;
+          esac
+
+          [ -z "$TAGS_TO_DELETE" ] && exit 0
+
+          for TAG in $TAGS_TO_DELETE; do
+            RELEASE_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
+              "${API_BASE}/releases/tags/${TAG}" 2>/dev/null | \
+              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
+              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+                "${API_BASE}/releases/${RELEASE_ID}" 2>/dev/null || true
+              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+                "${API_BASE}/tags/${TAG}" 2>/dev/null || true
+              echo "Deleted: ${TAG} (id: ${RELEASE_ID})"
+            fi
+          done
@@ -0,0 +1,766 @@
+# ============================================================================
+# Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
+#
+# This file is part of a Moko Consulting project.
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Validation
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/joomla/repo_health.yml.template
+# VERSION: 04.06.00
+# BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts.
+# ============================================================================
+
+name: "Joomla: Repo Health"
+
+concurrency:
+  group: repo-health-${{ github.repository }}-${{ github.ref }}
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  workflow_dispatch:
+    inputs:
+      profile:
+        description: 'Validation profile: all, release, scripts, or repo'
+        required: true
+        default: all
+        type: choice
+        options:
+          - all
+          - release
+          - scripts
+          - repo
+  pull_request:
+  push:
+
+permissions:
+  contents: read
+
+env:
+  # Release policy - Repository Variables Only
+  RELEASE_REQUIRED_REPO_VARS: RS_FTP_PATH_SUFFIX
+  RELEASE_OPTIONAL_REPO_VARS: DEV_FTP_SUFFIX
+
+  # Scripts governance policy
+  SCRIPTS_REQUIRED_DIRS:
+  SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
+
+  # Repo health policy
+  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.gitea/workflows/
+  REPO_OPTIONAL_FILES: SECURITY.md,GOVERNANCE.md,.editorconfig,.gitattributes,.gitignore,README.md,docs/
+  REPO_DISALLOWED_DIRS:
+  REPO_DISALLOWED_FILES: TODO.md,todo.md
+
+  # Extended checks toggles
+  EXTENDED_CHECKS: "true"
+
+  # File / directory variables
+  DOCS_INDEX: docs/docs-index.md
+  SCRIPT_DIR: scripts
+  WORKFLOWS_DIR: .gitea/workflows
+  SHELLCHECK_PATTERN: '*.sh'
+  SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  access_check:
+    name: Access control
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+
+    outputs:
+      allowed: ${{ steps.perm.outputs.allowed }}
+      permission: ${{ steps.perm.outputs.permission }}
+
+    steps:
+      - name: Check actor permission (admin only)
+        id: perm
+        env:
+          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          REPO: ${{ github.repository }}
+          ACTOR: ${{ github.actor }}
+        run: |
+          set -euo pipefail
+          ALLOWED=false
+          PERMISSION=unknown
+          METHOD=""
+
+          # Hardcoded authorized users — always allowed
+          case "$ACTOR" in
+            jmiller|gitea-actions[bot])
+              ALLOWED=true
+              PERMISSION=admin
+              METHOD="hardcoded allowlist"
+              ;;
+            *)
+              # Detect platform and check permissions via API
+              API_BASE="${GITHUB_API_URL:-${GITEA_API_URL:-https://api.github.com}}"
+              RESP=$(curl -sf -H "Authorization: token ${TOKEN}" \
+                "${API_BASE}/repos/${REPO}/collaborators/${ACTOR}/permission" 2>/dev/null || echo '{}')
+              PERMISSION=$(echo "$RESP" | grep -oP '"permission"\s*:\s*"\K[^"]+' || echo "unknown")
+              if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "maintain" ] || [ "$PERMISSION" = "owner" ]; then
+                ALLOWED=true
+              fi
+              METHOD="collaborator API"
+              ;;
+          esac
+
+          echo "permission=${PERMISSION}" >> "$GITHUB_OUTPUT"
+          echo "allowed=${ALLOWED}" >> "$GITHUB_OUTPUT"
+
+          {
+            echo "## Access Authorization"
+            echo ""
+            echo "| Field | Value |"
+            echo "|-------|-------|"
+            echo "| **Actor** | \`${ACTOR}\` |"
+            echo "| **Repository** | \`${REPO}\` |"
+            echo "| **Permission** | \`${PERMISSION}\` |"
+            echo "| **Method** | ${METHOD} |"
+            echo "| **Authorized** | ${ALLOWED} |"
+            echo ""
+            if [ "$ALLOWED" = "true" ]; then
+              echo "${ACTOR} authorized (${METHOD})"
+            else
+              echo "${ACTOR} is NOT authorized. Requires admin or maintain role."
+            fi
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+      - name: Deny execution when not permitted
+        if: ${{ steps.perm.outputs.allowed != 'true' }}
+        run: |
+          set -euo pipefail
+          printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
+          exit 1
+
+  release_config:
+    name: Release configuration
+    needs: access_check
+    if: ${{ needs.access_check.outputs.allowed == 'true' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - name: Guardrails release vars
+        env:
+          PROFILE_RAW: ${{ github.event.inputs.profile }}
+          RS_FTP_PATH_SUFFIX: ${{ vars.RS_FTP_PATH_SUFFIX }}
+          DEV_FTP_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
+        run: |
+          set -euo pipefail
+
+          profile="${PROFILE_RAW:-all}"
+          case "${profile}" in
+            all|release|scripts|repo) ;;
+            *)
+              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
+              exit 1
+              ;;
+          esac
+
+          if [ "${profile}" = 'scripts' ] || [ "${profile}" = 'repo' ]; then
+            {
+              printf '%s\n' '### Release configuration (Repository Variables)'
+              printf '%s\n' "Profile: ${profile}"
+              printf '%s\n' 'Status: SKIPPED'
+              printf '%s\n' 'Reason: profile excludes release validation'
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+            exit 0
+          fi
+
+          IFS=',' read -r -a required <<< "${RELEASE_REQUIRED_REPO_VARS}"
+          IFS=',' read -r -a optional <<< "${RELEASE_OPTIONAL_REPO_VARS}"
+
+          missing=()
+          missing_optional=()
+
+          for k in "${required[@]}"; do
+            v="${!k:-}"
+            [ -z "${v}" ] && missing+=("${k}")
+          done
+
+          for k in "${optional[@]}"; do
+            v="${!k:-}"
+            [ -z "${v}" ] && missing_optional+=("${k}")
+          done
+
+          {
+            printf '%s\n' '### Release configuration (Repository Variables)'
+            printf '%s\n' "Profile: ${profile}"
+            printf '%s\n' '| Variable | Status |'
+            printf '%s\n' '|---|---|'
+            printf '%s\n' "| RS_FTP_PATH_SUFFIX | ${RS_FTP_PATH_SUFFIX:-NOT SET} |"
+            printf '%s\n' "| DEV_FTP_SUFFIX | ${DEV_FTP_SUFFIX:-NOT SET} |"
+            printf '\n'
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+          if [ "${#missing_optional[@]}" -gt 0 ]; then
+            {
+              printf '%s\n' '### Missing optional repository variables'
+              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+          fi
+
+          if [ "${#missing[@]}" -gt 0 ]; then
+            {
+              printf '%s\n' '### Missing required repository variables'
+              for m in "${missing[@]}"; do printf '%s\n' "- ${m}"; done
+              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository variables.'
+            } >> "${GITHUB_STEP_SUMMARY}"
+            exit 1
+          fi
+
+          {
+            printf '%s\n' '### Repository variables validation result'
+            printf '%s\n' 'Status: OK'
+            printf '%s\n' 'All required repository variables present.'
+            printf '%s\n' ''
+            printf '%s\n' '**Note**: Organization secrets (RS_FTP_HOST, RS_FTP_USER, etc.) are validated at deployment time, not in repository health checks.'
+            printf '\n'
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+  scripts_governance:
+    name: Scripts governance
+    needs: access_check
+    if: ${{ needs.access_check.outputs.allowed == 'true' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - name: Scripts folder checks
+        env:
+          PROFILE_RAW: ${{ github.event.inputs.profile }}
+        run: |
+          set -euo pipefail
+
+          profile="${PROFILE_RAW:-all}"
+          case "${profile}" in
+            all|release|scripts|repo) ;;
+            *)
+              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
+              exit 1
+              ;;
+          esac
+
+          if [ "${profile}" = 'release' ] || [ "${profile}" = 'repo' ]; then
+            {
+              printf '%s\n' '### Scripts governance'
+              printf '%s\n' "Profile: ${profile}"
+              printf '%s\n' 'Status: SKIPPED'
+              printf '%s\n' 'Reason: profile excludes scripts governance'
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+            exit 0
+          fi
+
+          if [ ! -d "${SCRIPT_DIR}" ]; then
+            {
+              printf '%s\n' '### Scripts governance'
+              printf '%s\n' 'Status: OK (advisory)'
+              printf '%s\n' 'scripts/ directory not present. No scripts governance enforced.'
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+            exit 0
+          fi
+
+          IFS=',' read -r -a required_dirs <<< "${SCRIPTS_REQUIRED_DIRS}"
+          IFS=',' read -r -a allowed_dirs <<< "${SCRIPTS_ALLOWED_DIRS}"
+
+          missing_dirs=()
+          unapproved_dirs=()
+
+          for d in "${required_dirs[@]}"; do
+            req="${d%/}"
+            [ ! -d "${req}" ] && missing_dirs+=("${req}/")
+          done
+
+          while IFS= read -r d; do
+            allowed=false
+            for a in "${allowed_dirs[@]}"; do
+              a_norm="${a%/}"
+              [ "${d%/}" = "${a_norm}" ] && allowed=true
+            done
+            [ "${allowed}" = false ] && unapproved_dirs+=("${d%/}/")
+          done < <(find "${SCRIPT_DIR}" -maxdepth 1 -mindepth 1 -type d 2>/dev/null | sed 's#^\./##')
+
+          {
+            printf '%s\n' '### Scripts governance'
+            printf '%s\n' "Profile: ${profile}"
+            printf '%s\n' '| Area | Status | Notes |'
+            printf '%s\n' '|---|---|---|'
+
+            if [ "${#missing_dirs[@]}" -gt 0 ]; then
+              printf '%s\n' '| Required directories | Warning | Missing required subfolders |'
+            else
+              printf '%s\n' '| Required directories | OK | All required subfolders present |'
+            fi
+
+            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
+              printf '%s\n' '| Directory policy | Warning | Unapproved directories detected |'
+            else
+              printf '%s\n' '| Directory policy | OK | No unapproved directories |'
+            fi
+
+            printf '%s\n' '| Enforcement mode | Advisory | scripts folder is optional |'
+            printf '\n'
+
+            if [ "${#missing_dirs[@]}" -gt 0 ]; then
+              printf '%s\n' 'Missing required script directories:'
+              for m in "${missing_dirs[@]}"; do printf '%s\n' "- ${m}"; done
+              printf '\n'
+            else
+              printf '%s\n' 'Missing required script directories: none.'
+              printf '\n'
+            fi
+
+            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
+              printf '%s\n' 'Unapproved script directories detected:'
+              for m in "${unapproved_dirs[@]}"; do printf '%s\n' "- ${m}"; done
+              printf '\n'
+            else
+              printf '%s\n' 'Unapproved script directories detected: none.'
+              printf '\n'
+            fi
+
+            printf '%s\n' 'Scripts governance completed in advisory mode.'
+            printf '\n'
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+  repo_health:
+    name: Repository health
+    needs: access_check
+    if: ${{ needs.access_check.outputs.allowed == 'true' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+
+      - name: Repository health checks
+        env:
+          PROFILE_RAW: ${{ github.event.inputs.profile }}
+        run: |
+          set -euo pipefail
+
+          profile="${PROFILE_RAW:-all}"
+          case "${profile}" in
+            all|release|scripts|repo) ;;
+            *)
+              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
+              exit 1
+              ;;
+          esac
+
+          if [ "${profile}" = 'release' ] || [ "${profile}" = 'scripts' ]; then
+            {
+              printf '%s\n' '### Repository health'
+              printf '%s\n' "Profile: ${profile}"
+              printf '%s\n' 'Status: SKIPPED'
+              printf '%s\n' 'Reason: profile excludes repository health'
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+            exit 0
+          fi
+
+          # Source directory: src/ or htdocs/ (either is valid)
+          if [ -d "src" ]; then
+            SOURCE_DIR="src"
+          elif [ -d "htdocs" ]; then
+            SOURCE_DIR="htdocs"
+          else
+            missing_required+=("src/ or htdocs/ (source directory required)")
+          fi
+
+          IFS=',' read -r -a required_artifacts <<< "${REPO_REQUIRED_ARTIFACTS}"
+          IFS=',' read -r -a optional_files <<< "${REPO_OPTIONAL_FILES}"
+          IFS=',' read -r -a disallowed_dirs <<< "${REPO_DISALLOWED_DIRS}"
+          IFS=',' read -r -a disallowed_files <<< "${REPO_DISALLOWED_FILES}"
+
+          missing_required=()
+          missing_optional=()
+
+          for item in "${required_artifacts[@]}"; do
+            if printf '%s' "${item}" | grep -q '/$'; then
+              d="${item%/}"
+              [ ! -d "${d}" ] && missing_required+=("${item}")
+            else
+              [ ! -f "${item}" ] && missing_required+=("${item}")
+            fi
+          done
+
+          for f in "${optional_files[@]}"; do
+            if printf '%s' "${f}" | grep -q '/$'; then
+              d="${f%/}"
+              [ ! -d "${d}" ] && missing_optional+=("${f}")
+            else
+              [ ! -f "${f}" ] && missing_optional+=("${f}")
+            fi
+          done
+
+          for d in "${disallowed_dirs[@]}"; do
+            d_norm="${d%/}"
+            [ -d "${d_norm}" ] && missing_required+=("${d_norm}/ (disallowed)")
+          done
+
+          for f in "${disallowed_files[@]}"; do
+            [ -f "${f}" ] && missing_required+=("${f} (disallowed)")
+          done
+
+          git fetch origin --prune
+
+          dev_paths=()
+          dev_branches=()
+
+          while IFS= read -r b; do
+            name="${b#origin/}"
+            if [ "${name}" = 'dev' ]; then
+              dev_branches+=("${name}")
+            else
+              dev_paths+=("${name}")
+            fi
+          done < <(git branch -r --list 'origin/dev*' | sed 's/^ *//')
+
+          if [ "${#dev_paths[@]}" -eq 0 ]; then
+            missing_required+=("dev/* branch (e.g. dev/01.00.00)")
+          fi
+
+          if [ "${#dev_branches[@]}" -gt 0 ]; then
+            missing_required+=("invalid branch dev (must be dev/<version>)")
+          fi
+
+          content_warnings=()
+
+          if [ -f 'CHANGELOG.md' ] && ! grep -Eq '^# Changelog' CHANGELOG.md; then
+            content_warnings+=("CHANGELOG.md missing '# Changelog' header")
+          fi
+
+          if [ -f 'CHANGELOG.md' ] && grep -Eq '^[# ]*Unreleased' CHANGELOG.md; then
+            content_warnings+=("CHANGELOG.md contains Unreleased section (review release readiness)")
+          fi
+
+          if [ -f 'LICENSE' ] && ! grep -qiE 'GNU GENERAL PUBLIC LICENSE|GPL' LICENSE; then
+            content_warnings+=("LICENSE does not look like a GPL text")
+          fi
+
+          if [ -f 'README.md' ] && ! grep -qiE 'moko|Moko' README.md; then
+            content_warnings+=("README.md missing expected brand keyword")
+          fi
+
+          export PROFILE_RAW="${profile}"
+          export MISSING_REQUIRED="$(printf '%s\n' "${missing_required[@]:-}")"
+          export MISSING_OPTIONAL="$(printf '%s\n' "${missing_optional[@]:-}")"
+          export CONTENT_WARNINGS="$(printf '%s\n' "${content_warnings[@]:-}")"
+
+          report_json="$(python3 - <<'PY'
+          import json
+          import os
+
+          profile = os.environ.get('PROFILE_RAW') or 'all'
+
+          missing_required = os.environ.get('MISSING_REQUIRED', '').splitlines() if os.environ.get('MISSING_REQUIRED') else []
+          missing_optional = os.environ.get('MISSING_OPTIONAL', '').splitlines() if os.environ.get('MISSING_OPTIONAL') else []
+          content_warnings = os.environ.get('CONTENT_WARNINGS', '').splitlines() if os.environ.get('CONTENT_WARNINGS') else []
+
+          out = {
+            'profile': profile,
+            'missing_required': [x for x in missing_required if x],
+            'missing_optional': [x for x in missing_optional if x],
+            'content_warnings': [x for x in content_warnings if x],
+          }
+
+          print(json.dumps(out, indent=2))
+          PY
+          )"
+
+          {
+            printf '%s\n' '### Repository health'
+            printf '%s\n' "Profile: ${profile}"
+            printf '%s\n' '| Metric | Value |'
+            printf '%s\n' '|---|---|'
+            printf '%s\n' "| Missing required | ${#missing_required[@]} |"
+            printf '%s\n' "| Missing optional | ${#missing_optional[@]} |"
+            printf '%s\n' "| Content warnings | ${#content_warnings[@]} |"
+            printf '\n'
+
+            printf '%s\n' '### Guardrails report (JSON)'
+            printf '%s\n' '```json'
+            printf '%s\n' "${report_json}"
+            printf '%s\n' '```'
+            printf '\n'
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+          if [ "${#missing_required[@]}" -gt 0 ]; then
+            {
+              printf '%s\n' '### Missing required repo artifacts'
+              for m in "${missing_required[@]}"; do printf '%s\n' "- ${m}"; done
+              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository artifacts.'
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+            exit 1
+          fi
+
+          if [ "${#missing_optional[@]}" -gt 0 ]; then
+            {
+              printf '%s\n' '### Missing optional repo artifacts'
+              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+          fi
+
+          if [ "${#content_warnings[@]}" -gt 0 ]; then
+            {
+              printf '%s\n' '### Repo content warnings'
+              for m in "${content_warnings[@]}"; do printf '%s\n' "- ${m}"; done
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+          fi
+
+          # -- Joomla-specific checks --
+          joomla_findings=()
+
+          MANIFEST="$(find . -maxdepth 2 -name '*.xml' -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)"
+          if [ -z "${MANIFEST}" ]; then
+            joomla_findings+=("Joomla XML manifest not found (no *.xml with <extension> tag)")
+          else
+            if ! grep -qP '<version>' "${MANIFEST}"; then
+              joomla_findings+=("XML manifest: <version> tag missing")
+            fi
+            if ! grep -qP 'type="(component|module|plugin|library|package|template|language)"' "${MANIFEST}"; then
+              joomla_findings+=("XML manifest: type attribute missing or invalid")
+            fi
+            if ! grep -qP '<name>' "${MANIFEST}"; then
+              joomla_findings+=("XML manifest: <name> tag missing")
+            fi
+            if ! grep -qP '<author>' "${MANIFEST}"; then
+              joomla_findings+=("XML manifest: <author> tag missing")
+            fi
+            if ! grep -qP '<namespace' "${MANIFEST}"; then
+              joomla_findings+=("XML manifest: <namespace> missing (required for Joomla 5+)")
+            fi
+          fi
+
+          INI_COUNT="$(find . -name '*.ini' -type f 2>/dev/null | wc -l)"
+          if [ "${INI_COUNT}" -eq 0 ]; then
+            joomla_findings+=("No .ini language files found")
+          fi
+
+          if [ ! -f 'updates.xml' ]; then
+            joomla_findings+=("updates.xml missing in root (required for Joomla update server)")
+          fi
+
+          INDEX_DIRS=("${SOURCE_DIR}" "${SOURCE_DIR}/admin" "${SOURCE_DIR}/site")
+          for dir in "${INDEX_DIRS[@]}"; do
+            if [ -d "${dir}" ] && [ ! -f "${dir}/index.html" ]; then
+              joomla_findings+=("${dir}/index.html missing (directory listing protection)")
+            fi
+          done
+
+          if [ "${#joomla_findings[@]}" -gt 0 ]; then
+            {
+              printf '%s\n' '### Joomla extension checks'
+              printf '%s\n' '| Check | Status |'
+              printf '%s\n' '|---|---|'
+              for f in "${joomla_findings[@]}"; do
+                printf '%s\n' "| ${f} | Warning |"
+              done
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+          else
+            {
+              printf '%s\n' '### Joomla extension checks'
+              printf '%s\n' 'All Joomla-specific checks passed.'
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+          fi
+
+          extended_enabled="${EXTENDED_CHECKS:-true}"
+          extended_findings=()
+
+          if [ "${extended_enabled}" = 'true' ]; then
+            if [ -f '.github/CODEOWNERS' ] || [ -f 'CODEOWNERS' ] || [ -f 'docs/CODEOWNERS' ]; then
+              :
+            else
+              extended_findings+=("CODEOWNERS not found (.github/CODEOWNERS preferred)")
+            fi
+
+            if ls "${WORKFLOWS_DIR}"/*.yml >/dev/null 2>&1 || ls "${WORKFLOWS_DIR}"/*.yaml >/dev/null 2>&1; then
+              bad_refs="$(grep -RIn --include='*.yml' --include='*.yaml' -E '^[[:space:]]*uses:[[:space:]]*[^#]+@(main|master)\b' "${WORKFLOWS_DIR}" 2>/dev/null || true)"
+              if [ -n "${bad_refs}" ]; then
+                extended_findings+=("Workflows reference actions @main/@master (pin versions): see log excerpt")
+                {
+                  printf '%s\n' '### Workflow pinning advisory'
+                  printf '%s\n' 'Found uses: entries pinned to main/master:'
+                  printf '%s\n' '```'
+                  printf '%s\n' "${bad_refs}"
+                  printf '%s\n' '```'
+                  printf '\n'
+                } >> "${GITHUB_STEP_SUMMARY}"
+              fi
+            fi
+
+            if [ -f "${DOCS_INDEX}" ]; then
+              missing_links="$(python3 - <<'PY'
+              import os
+              import re
+
+              idx = os.environ.get('DOCS_INDEX', 'docs/docs-index.md')
+              base = os.getcwd()
+
+              bad = []
+              pat = re.compile(r'\[[^\]]+\]\(([^)]+)\)')
+
+              with open(idx, 'r', encoding='utf-8') as f:
+                for line in f:
+                  for m in pat.findall(line):
+                    link = m.strip()
+                    if link.startswith('http://') or link.startswith('https://') or link.startswith('#') or link.startswith('mailto:'):
+                      continue
+                    if link.startswith('/'):
+                      rel = link.lstrip('/')
+                    else:
+                      rel = os.path.normpath(os.path.join(os.path.dirname(idx), link))
+                    rel = rel.split('#', 1)[0]
+                    rel = rel.split('?', 1)[0]
+                    if not rel:
+                      continue
+                    p = os.path.join(base, rel)
+                    if not os.path.exists(p):
+                      bad.append(rel)
+
+              print('\n'.join(sorted(set(bad))))
+              PY
+              )"
+              if [ -n "${missing_links}" ]; then
+                extended_findings+=("docs/docs-index.md contains broken relative links")
+                {
+                  printf '%s\n' '### Docs index link integrity'
+                  printf '%s\n' 'Broken relative links:'
+                  while IFS= read -r l; do [ -n "${l}" ] && printf '%s\n' "- ${l}"; done <<< "${missing_links}"
+                  printf '\n'
+                } >> "${GITHUB_STEP_SUMMARY}"
+              fi
+            fi
+
+            if [ -d "${SCRIPT_DIR}" ]; then
+              if ! command -v shellcheck >/dev/null 2>&1; then
+                sudo apt-get update -qq
+                sudo apt-get install -y shellcheck >/dev/null
+              fi
+
+              sc_out=''
+              while IFS= read -r shf; do
+                [ -z "${shf}" ] && continue
+                out_one="$(shellcheck -S warning -x "${shf}" 2>/dev/null || true)"
+                if [ -n "${out_one}" ]; then
+                  sc_out="${sc_out}${out_one}\n"
+                fi
+              done < <(find "${SCRIPT_DIR}" -type f -name "${SHELLCHECK_PATTERN}" 2>/dev/null | sort)
+
+              if [ -n "${sc_out}" ]; then
+                extended_findings+=("ShellCheck warnings detected (advisory)")
+                sc_head="$(printf '%s' "${sc_out}" | head -n 200)"
+                {
+                  printf '%s\n' '### ShellCheck (advisory)'
+                  printf '%s\n' '```'
+                  printf '%s\n' "${sc_head}"
+                  printf '%s\n' '```'
+                  printf '\n'
+                } >> "${GITHUB_STEP_SUMMARY}"
+              fi
+            fi
+
+            spdx_missing=()
+            IFS=',' read -r -a spdx_globs <<< "${SPDX_FILE_GLOBS}"
+            spdx_args=()
+            for g in "${spdx_globs[@]}"; do spdx_args+=("${g}"); done
+
+            while IFS= read -r f; do
+              [ -z "${f}" ] && continue
+              if ! head -n 40 "${f}" | grep -q 'SPDX-License-Identifier:'; then
+                spdx_missing+=("${f}")
+              fi
+            done < <(git ls-files "${spdx_args[@]}" 2>/dev/null || true)
+
+            if [ "${#spdx_missing[@]}" -gt 0 ]; then
+              extended_findings+=("SPDX header missing in some tracked files (advisory)")
+              {
+                printf '%s\n' '### SPDX header advisory'
+                printf '%s\n' 'Files missing SPDX-License-Identifier (first 40 lines scan):'
+                for f in "${spdx_missing[@]}"; do printf '%s\n' "- ${f}"; done
+                printf '\n'
+              } >> "${GITHUB_STEP_SUMMARY}"
+            fi
+
+            stale_cutoff_days=180
+            stale_branches="$(git for-each-ref --format='%(refname:short) %(committerdate:unix)' refs/remotes/origin 2>/dev/null | awk -v now="$(date +%s)" -v days="${stale_cutoff_days}" '{if (now-$2 > days*86400) print $1}' | head -50)"
+            if [ -n "${stale_branches}" ]; then
+              extended_findings+=("Stale remote branches detected (advisory)")
+              {
+                printf '%s\n' '### Git hygiene advisory'
+                printf '%s\n' "Branches with last commit older than ${stale_cutoff_days} days (sample up to 50):"
+                while IFS= read -r b; do [ -n "${b}" ] && printf '%s\n' "- ${b}"; done <<< "${stale_branches}"
+                printf '\n'
+              } >> "${GITHUB_STEP_SUMMARY}"
+            fi
+          fi
+
+          {
+            printf '%s\n' '### Guardrails coverage matrix'
+            printf '%s\n' '| Domain | Status | Notes |'
+            printf '%s\n' '|---|---|---|'
+            printf '%s\n' '| Access control | OK | Admin-only execution gate |'
+            printf '%s\n' '| Release variables | OK | Repository variables validation |'
+            printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
+            printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
+            printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
+            if [ "${extended_enabled}" = 'true' ]; then
+              if [ "${#extended_findings[@]}" -gt 0 ]; then
+                printf '%s\n' '| Extended checks | Warning | See extended findings below |'
+              else
+                printf '%s\n' '| Extended checks | OK | No findings |'
+              fi
+            else
+              printf '%s\n' '| Extended checks | SKIPPED | EXTENDED_CHECKS disabled |'
+            fi
+            printf '\n'
+          } >> "${GITHUB_STEP_SUMMARY}"
+
+          if [ "${extended_enabled}" = 'true' ] && [ "${#extended_findings[@]}" -gt 0 ]; then
+            {
+              printf '%s\n' '### Extended findings (advisory)'
+              for f in "${extended_findings[@]}"; do printf '%s\n' "- ${f}"; done
+              printf '\n'
+            } >> "${GITHUB_STEP_SUMMARY}"
+          fi
+
+          printf '%s\n' 'Repository health guardrails passed.' >> "${GITHUB_STEP_SUMMARY}"
@@ -0,0 +1,82 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/security-audit.yml
+# VERSION: 01.00.00
+# BRIEF: Dependency vulnerability scanning for composer and npm packages
+
+name: "Universal: Security Audit"
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'composer.json'
+      - 'composer.lock'
+      - 'package.json'
+      - 'package-lock.json'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Composer audit
+        if: hashFiles('composer.lock') != ''
+        run: |
+          echo "=== Composer Security Audit ==="
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
+          fi
+          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
+          RESULT=$?
+          if [ $RESULT -ne 0 ]; then
+            echo "::warning::Composer vulnerabilities found"
+            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
+          else
+            echo "No known vulnerabilities in composer dependencies"
+          fi
+
+      - name: NPM audit
+        if: hashFiles('package-lock.json') != ''
+        run: |
+          echo "=== NPM Security Audit ==="
+          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
+          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
+            echo "No known vulnerabilities in npm dependencies"
+          else
+            echo "::warning::NPM vulnerabilities found"
+            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
+          fi
+
+      - name: Notify on vulnerabilities
+        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} has vulnerable dependencies" \
+            -H "Tags: lock,warning" \
+            -H "Priority: high" \
+            -d "Security audit found vulnerabilities. Review dependency updates." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -0,0 +1,464 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Joomla
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/joomla/update-server.yml.template
+# VERSION: 04.06.00
+# BRIEF: Update Joomla update server XML feed with stable/rc/dev entries
+#
+# Writes updates.xml with multiple <update> entries:
+#   - <tag>stable</tag>     on push to main (from auto-release)
+#   - <tag>rc</tag>         on push to rc/**
+#   - <tag>development</tag> on push to dev or dev/**
+#
+# Joomla filters by user's "Minimum Stability" setting.
+
+name: "Joomla: Update Server"
+
+on:
+  push:
+    branches:
+      - 'dev'
+      - 'dev/**'
+      - 'alpha/**'
+      - 'beta/**'
+      - 'rc/**'
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  pull_request:
+    types: [closed]
+    branches:
+      - 'dev'
+      - 'dev/**'
+      - 'alpha/**'
+      - 'beta/**'
+      - 'rc/**'
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  workflow_dispatch:
+    inputs:
+      stability:
+        description: 'Stability tag'
+        required: true
+        default: 'development'
+        type: choice
+        options:
+          - development
+          - alpha
+          - beta
+          - rc
+          - stable
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+
+jobs:
+  update-xml:
+    name: Update updates.xml
+    runs-on: release
+    if: >-
+      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.GA_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setup MokoStandards tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
+            /tmp/mokostandards-api 2>/dev/null || true
+          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
+            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+
+      - name: Generate updates.xml entry
+        id: update
+        run: |
+          BRANCH="${{ github.ref_name }}"
+          REPO="${{ github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null || echo "0.0.0")
+
+          # Auto-bump patch on all branches (dev, alpha, beta, rc)
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          BUMPED=$(php /tmp/mokostandards-api/cli/version_bump.php --path . 2>/dev/null || true)
+          if [ -n "$BUMPED" ]; then
+            VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null || echo "$VERSION")
+            git add -A
+            git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" 2>/dev/null || true
+            git push 2>/dev/null || true
+          fi
+
+          # Determine stability from branch or input
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            STABILITY="${{ inputs.stability }}"
+          elif [[ "$BRANCH" == rc/* ]]; then
+            STABILITY="rc"
+          elif [[ "$BRANCH" == beta/* ]]; then
+            STABILITY="beta"
+          elif [[ "$BRANCH" == alpha/* ]]; then
+            STABILITY="alpha"
+          elif [[ "$BRANCH" == dev/* ]] || [[ "$BRANCH" == "dev" ]]; then
+            STABILITY="development"
+          else
+            STABILITY="stable"
+          fi
+
+          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+
+          # Parse manifest (portable — no grep -P)
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          if [ -z "$MANIFEST" ]; then
+            echo "No Joomla manifest found — skipping"
+            exit 0
+          fi
+
+          # Extract fields using sed (works on all runners)
+          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
+          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
+          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_VERSION=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
+          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
+          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
+
+          # Fallbacks
+          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
+          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
+
+          # Derive element if not in manifest: try XML filename, then repo name
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            case "$EXT_ELEMENT" in
+              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
+            esac
+          fi
+
+          # Use manifest version if README version is empty
+          [ "$VERSION" = "0.0.0" ] && [ -n "$EXT_VERSION" ] && VERSION="$EXT_VERSION"
+
+          [ -z "$TARGET_PLATFORM" ] && TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
+
+          CLIENT_TAG=""
+          [ -n "$EXT_CLIENT" ] && CLIENT_TAG="<client>${EXT_CLIENT}</client>"
+          [ -z "$CLIENT_TAG" ] && ([ "$EXT_TYPE" = "module" ] || [ "$EXT_TYPE" = "plugin" ]) && CLIENT_TAG="<client>site</client>"
+
+          FOLDER_TAG=""
+          [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ] && FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
+
+          PHP_TAG=""
+          [ -n "$PHP_MINIMUM" ] && PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
+
+          # Version suffix for non-stable
+          DISPLAY_VERSION="$VERSION"
+          case "$STABILITY" in
+            development) DISPLAY_VERSION="${VERSION}-dev" ;;
+            alpha)       DISPLAY_VERSION="${VERSION}-alpha" ;;
+            beta)        DISPLAY_VERSION="${VERSION}-beta" ;;
+            rc)          DISPLAY_VERSION="${VERSION}-rc" ;;
+          esac
+
+          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
+
+          # Each stability level has its own release tag
+          case "$STABILITY" in
+            development) RELEASE_TAG="development" ;;
+            alpha)       RELEASE_TAG="alpha" ;;
+            beta)        RELEASE_TAG="beta" ;;
+            rc)          RELEASE_TAG="release-candidate" ;;
+            *)           RELEASE_TAG="v${MAJOR}" ;;
+          esac
+
+          PACKAGE_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.zip"
+          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${PACKAGE_NAME}"
+          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}"
+
+          # -- Build install packages (ZIP + tar.gz) --------------------
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          if [ -d "$SOURCE_DIR" ]; then
+            EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
+            TAR_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.tar.gz"
+
+            cd "$SOURCE_DIR"
+            zip -r "/tmp/${PACKAGE_NAME}" . -x $EXCLUDES
+            cd ..
+            tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR" \
+              --exclude='.ftpignore' --exclude='sftp-config*' \
+              --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
+
+            SHA256=$(sha256sum "/tmp/${PACKAGE_NAME}" | cut -d' ' -f1)
+
+            # Ensure release exists on Gitea
+            RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
+            RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+            if [ -z "$RELEASE_ID" ]; then
+              # Create release
+              RELEASE_JSON=$(curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                -H "Content-Type: application/json" \
+                "${API_BASE}/releases" \
+                -d "$(python3 -c "import json; print(json.dumps({
+                  'tag_name': '${RELEASE_TAG}',
+                  'name': '${RELEASE_TAG} (${DISPLAY_VERSION})',
+                  'body': '${STABILITY} release',
+                  'prerelease': True,
+                  'target_commitish': 'main'
+                }))")" 2>/dev/null || true)
+              RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+            fi
+
+            if [ -n "$RELEASE_ID" ]; then
+              # Delete existing assets with same name before uploading
+              ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
+              for ASSET_FILE in "$PACKAGE_NAME" "$TAR_NAME"; do
+                ASSET_ID=$(echo "$ASSETS" | python3 -c "
+          import sys,json
+          assets = json.load(sys.stdin)
+          for a in assets:
+              if a['name'] == '${ASSET_FILE}':
+                  print(a['id']); break
+          " 2>/dev/null || true)
+                if [ -n "$ASSET_ID" ]; then
+                  curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                    "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
+                fi
+              done
+
+              # Upload both formats
+              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                -H "Content-Type: application/octet-stream" \
+                --data-binary @"/tmp/${PACKAGE_NAME}" \
+                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${PACKAGE_NAME}" > /dev/null 2>&1 || true
+
+              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                -H "Content-Type: application/octet-stream" \
+                --data-binary @"/tmp/${TAR_NAME}" \
+                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
+            fi
+
+            echo "Packages: ${PACKAGE_NAME} + ${TAR_NAME} (SHA: ${SHA256})" >> $GITHUB_STEP_SUMMARY
+          else
+            SHA256=""
+          fi
+
+          # -- Build the new entry (canonical format matching release.yml) --
+          NEW_ENTRY=""
+          NEW_ENTRY="${NEW_ENTRY}  <update>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <name>${EXT_NAME}</name>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <description>${EXT_NAME} ${STABILITY} build.</description>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <element>${EXT_ELEMENT}</element>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <type>${EXT_TYPE}</type>\n"
+          [ -n "$CLIENT_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${CLIENT_TAG}\n"
+          [ -n "$FOLDER_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${FOLDER_TAG}\n"
+          NEW_ENTRY="${NEW_ENTRY}    <version>${VERSION}</version>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <creationDate>$(date +%Y-%m-%d)</creationDate>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <infourl title='${EXT_NAME}'>https://git.mokoconsulting.tech/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${RELEASE_TAG}</infourl>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <downloads>\n"
+          NEW_ENTRY="${NEW_ENTRY}      <downloadurl type='full' format='zip'>${DOWNLOAD_URL}</downloadurl>\n"
+          NEW_ENTRY="${NEW_ENTRY}    </downloads>\n"
+          [ -n "$SHA256" ] && NEW_ENTRY="${NEW_ENTRY}    <sha256>${SHA256}</sha256>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <tags><tag>${STABILITY}</tag></tags>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <maintainer>Moko Consulting</maintainer>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <maintainerurl>https://mokoconsulting.tech</maintainerurl>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <targetplatform name='joomla' version='(5|6).*'/>\n"
+          [ -n "$PHP_MINIMUM" ] && NEW_ENTRY="${NEW_ENTRY}    <php_minimum>${PHP_MINIMUM}</php_minimum>\n"
+          NEW_ENTRY="${NEW_ENTRY}  </update>"
+
+          # -- Write new entry to temp file --------------------------------
+          printf '%b' "$NEW_ENTRY" > /tmp/new_entry.xml
+
+          # -- Merge into updates.xml ----------------------------------------
+          # Cascade: stable→all | rc→rc+lower | beta→beta+lower | alpha→alpha+dev | dev→dev
+          CASCADE_MAP="stable:development,alpha,beta,rc,stable rc:development,alpha,beta,rc beta:development,alpha,beta alpha:development,alpha development:development"
+          TARGETS=""
+          for entry in $CASCADE_MAP; do
+            key="${entry%%:*}"
+            vals="${entry#*:}"
+            if [ "$key" = "${STABILITY}" ]; then
+              TARGETS="$vals"
+              break
+            fi
+          done
+          [ -z "$TARGETS" ] && TARGETS="${STABILITY}"
+
+          echo "Cascade: ${STABILITY} → ${TARGETS}"
+
+          # Create updates.xml if missing
+          if [ ! -f "updates.xml" ]; then
+            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>" > updates.xml
+            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting -->" >> updates.xml
+            printf '%s\n' "<updates>" >> updates.xml
+            printf '%s\n' "</updates>" >> updates.xml
+          fi
+
+          # Update existing blocks or create missing ones
+          export PY_TARGETS="$TARGETS" PY_VERSION="$VERSION" PY_DATE="$(date +%Y-%m-%d)"
+          python3 << 'PYEOF'
+          import re, os
+
+          targets = os.environ["PY_TARGETS"].split(",")
+          version = os.environ["PY_VERSION"]
+          date = os.environ["PY_DATE"]
+
+          with open("updates.xml") as f:
+              content = f.read()
+          with open("/tmp/new_entry.xml") as f:
+              new_entry_template = f.read()
+
+          for tag in targets:
+              tag = tag.strip()
+              # Build entry with this tag's name
+              new_entry = re.sub(r"<tag>[^<]*</tag>", f"<tag>{tag}</tag>", new_entry_template)
+
+              # Try to find existing block (handles both single-line and multi-line <tags>)
+              block_pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(tag) + r"</tag>.*?</update>)"
+              match = re.search(block_pattern, content, re.DOTALL)
+
+              if match:
+                  # Update in place — replace entire block
+                  content = content.replace(match.group(1), new_entry.strip())
+                  print(f"  UPDATED: <tag>{tag}</tag> → {version}")
+              else:
+                  # Create — insert before </updates>
+                  content = content.replace("</updates>", "\n" + new_entry.strip() + "\n\n</updates>")
+                  print(f"  CREATED: <tag>{tag}</tag> → {version}")
+
+          # Clean up excessive blank lines
+          content = re.sub(r"\n{3,}", "\n\n", content)
+
+          with open("updates.xml", "w") as f:
+              f.write(content)
+          PYEOF
+
+          # Commit
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git add updates.xml
+          git diff --cached --quiet || {
+            git commit -m "chore: update updates.xml (${STABILITY}: ${DISPLAY_VERSION}) [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+            git push
+          }
+
+      # -- Sync updates.xml to main (for non-main branches) ----------------------
+      - name: Sync updates.xml to main
+        if: github.ref_name != 'main'
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+
+          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+
+          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
+            CONTENT=$(base64 -w0 updates.xml)
+            curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              "${API_BASE}/contents/updates.xml" \
+              -d "$(python3 -c "import json; print(json.dumps({
+                'content': '${CONTENT}',
+                'sha': '${FILE_SHA}',
+                'message': 'chore: sync updates.xml from ${STABILITY} [skip ci]',
+                'branch': 'main'
+              }))")" > /dev/null 2>&1 \
+              && echo "updates.xml synced to main (${STABILITY})" >> $GITHUB_STEP_SUMMARY \
+              || echo "WARNING: failed to sync updates.xml to main" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "WARNING: could not get updates.xml SHA from main" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: SFTP deploy to dev server
+        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
+        env:
+          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
+          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
+          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
+          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
+          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
+          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
+          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
+        run: |
+          # -- Permission check: admin or maintain role required --------
+          ACTOR="${{ github.actor }}"
+          REPO="${{ github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
+            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
+          case "$PERMISSION" in
+            admin|maintain|write) ;;
+            *)
+              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
+              exit 0
+              ;;
+          esac
+
+          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
+
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && exit 0
+
+          PORT="${DEV_PORT:-22}"
+          REMOTE="${DEV_PATH%/}"
+          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
+
+          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
+            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
+          if [ -n "$DEV_KEY" ]; then
+            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
+            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
+          else
+            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
+          fi
+
+          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
+            php /tmp/mokostandards-api/deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+          elif [ -f "/tmp/mokostandards-api/deploy/deploy-sftp.php" ]; then
+            php /tmp/mokostandards-api/deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+          fi
+          rm -f /tmp/deploy_key /tmp/sftp-config.json
+          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Joomla Update Server" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Version | \`${DISPLAY_VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Element | \`${EXT_ELEMENT}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Download | [ZIP](${DOWNLOAD_URL}) |" >> $GITHUB_STEP_SUMMARY
@@ -12,6 +12,30 @@ All notable changes to this project will be documented in this file.

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).

+## [03.01.00] — 2026-05-09
+
+### Added
+- Bookings API: list, get via `/v1/dpcalendar/bookings`
+- Tickets API: list, get via `/v1/dpcalendar/tickets`
+- ICS/iCal export: single event and full calendar export
+- Recurring event occurrence expansion with RRULE support
+- Bulk event creation via `POST /v1/dpcalendar/events/bulk`
+- Calendar-level iCal export via `/v1/dpcalendar/calendars/{id}/ical`
+- CORS support with preflight handling
+- ETag caching for conditional GET requests
+- Location expansion on events via `?expand=locations`
+- Advanced filtering: date ranges, featured, access level, language
+- Sorting and field selection on all list endpoints
+- Search across event titles and descriptions
+- Pagination with total count metadata
+
+### Changed
+- Version aligned across manifest and source files
+- Production-ready error handling with proper HTTP status codes
+
+### Fixed
+- Version header consistency between manifest.xml and PHP source
+
 ## [01.00.00] — 2026-04-26

 ### Added
@@ -1,94 +1,269 @@
-<!--	Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-
-	This file is part of a Moko Consulting project.
-
-	SPDX-LICENSE-IDENTIFIER: GPL-3.0-or-later
-
-	# FILE INFORMATION
-	DEFGROUP: MokoDPCalendarAPI.Documentation
-	INGROUP: MokoDPCalendarAPI
-	REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI
-	VERSION: 03.00.00
-	PATH: ./README.md
-	BRIEF: Joomla Web Services plugin for DPCalendar
-->
-
-[![Version](https://img.shields.io/badge/version-01.00.00-blue.svg?logo=v&logoColor=white)](https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable)
-[![License](https://img.shields.io/badge/license-GPL--3.0--or--later-green.svg?logo=gnu&logoColor=white)](LICENSE)
-[![PHP](https://img.shields.io/badge/PHP-8.1%2B-777BB4.svg?logo=php&logoColor=white)](https://www.php.net)
-
 # MokoDPCalendarAPI

-A Joomla 5/6 Web Services plugin that exposes DPCalendar events, calendars, and locations through the Joomla REST API (`/api/index.php/v1`).
+Joomla Web Services plugin exposing **18 REST endpoints** for DPCalendar events, calendars, locations, bookings, and tickets.

-Enables AI assistants (via joomla-api-mcp) and external integrations to create, read, update, and delete DPCalendar content programmatically.
+![PHP 8.1+](https://img.shields.io/badge/PHP-8.1%2B-777BB4?style=flat-square&logo=php&logoColor=white) ![Joomla 5.x/6.x](https://img.shields.io/badge/Joomla-5.x%20%7C%206.x-5091CD?style=flat-square&logo=joomla&logoColor=white) ![License](https://img.shields.io/badge/license-GPL--3.0--or--later-green?style=flat-square) ![Version](https://img.shields.io/badge/version-03.01.00-blue?style=flat-square) ![Wiki](https://img.shields.io/badge/wiki-MokoDPCalendarAPI-blue?style=flat-square)

-## Table of Contents
+---

- [Background](#background)
- [Install](#install)
- [API Endpoints](#api-endpoints)
- [Contributing](#contributing)
- [License](#license)
+## Features

-## Background
+- **18 REST endpoints** across 5 resources (events, calendars, locations, bookings, tickets)
+- **CRUD operations** for events including bulk creation
+- **iCal export** for events and calendars (`.ics` format)
+- **Recurring event expansion** -- RRULE processing with EXDATE support
+- **Pagination** with `limit`/`offset` (max 100 per page)
+- **Sorting** by 6 fields with ascending/descending order
+- **Filtering** by date range, category, search term, featured, access level, language
+- **Field selection** -- request only the fields you need
+- **Location expansion** -- inline location data with events via `expand=locations`
+- **ETag caching** with HTTP 304 Not Modified support
+- **CORS headers** for cross-origin requests

-DPCalendar does not ship with a Web Services plugin. This plugin fills that gap by registering REST API routes for:
+---

- **Events** — CRUD with date filtering, category scoping, and recurrence support
- **Calendars** — List and manage calendar categories
- **Locations** — List and manage event locations
+## Requirements

-## Install
+| Requirement | Version |
+|---|---|
+| **PHP** | 8.1+ |
+| **Joomla** | 5.x or 6.x |
+| **DPCalendar** | Required (component must be installed) |

-1. Download the latest release ZIP
-2. **System > Install > Extensions** in Joomla admin
-3. Upload and install the ZIP
-4. **System > Manage > Plugins** — enable **Web Services - DPCalendar**
+---

-## API Endpoints
+## Installation

-All endpoints require `Authorization: Bearer <token>`.
+1. Download the latest release package from [Releases](https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases)
+2. In Joomla Admin, go to **System > Install > Extensions**
+3. Upload the `.zip` package
+4. Navigate to **System > Plugins** and search for `"Web Services - DPCalendar"`
+5. Enable the plugin

-### Events
+See the [INSTALLATION](https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/wiki/INSTALLATION) wiki page for detailed instructions.

-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| GET | `/v1/dpcalendar/events` | List events |
-| GET | `/v1/dpcalendar/events/{id}` | Get event |
-| POST | `/v1/dpcalendar/events` | Create event |
-| PATCH | `/v1/dpcalendar/events/{id}` | Update event |
-| DELETE | `/v1/dpcalendar/events/{id}` | Delete event |
+---

-### Calendars
+## Authentication

-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| GET | `/v1/dpcalendar/calendars` | List calendars |
-| GET | `/v1/dpcalendar/calendars/{id}` | Get calendar |
+All API requests require a Joomla API token passed via the `Authorization` header:

-### Locations
+```
+Authorization: Bearer <your-joomla-api-token>
+```

-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| GET | `/v1/dpcalendar/locations` | List locations |
-| GET | `/v1/dpcalendar/locations/{id}` | Get location |
-| POST | `/v1/dpcalendar/locations` | Create location |
-| PATCH | `/v1/dpcalendar/locations/{id}` | Update location |
-| DELETE | `/v1/dpcalendar/locations/{id}` | Delete location |
+Generate a token in **Joomla Admin > Users > Manage > [User] > Joomla API Token tab**.
+
+---
+
+## Endpoints
+
+Base path: `/api/index.php/v1`
+
+### Events (8 endpoints)
+
+| Method | Path | Description |
+|---|---|---|
+| `GET` | `/dpcalendar/events` | List events with filtering, sorting, pagination |
+| `GET` | `/dpcalendar/events/{id}` | Get a single event by ID |
+| `POST` | `/dpcalendar/events` | Create a new event |
+| `POST` | `/dpcalendar/events/bulk` | Bulk create multiple events |
+| `PATCH` | `/dpcalendar/events/{id}` | Update an existing event |
+| `DELETE` | `/dpcalendar/events/{id}` | Trash an event (soft delete) |
+| `GET` | `/dpcalendar/events/{id}/ical` | Export event as iCal (.ics) |
+| `GET` | `/dpcalendar/events/{id}/occurrences` | List occurrences of a recurring event |
+
+### Calendars (3 endpoints)
+
+| Method | Path | Description |
+|---|---|---|
+| `GET` | `/dpcalendar/calendars` | List all calendars |
+| `GET` | `/dpcalendar/calendars/{id}` | Get a single calendar by ID |
+| `GET` | `/dpcalendar/calendars/{id}/ical` | Export calendar as iCal (.ics) |
+
+### Locations (2 endpoints)
+
+| Method | Path | Description |
+|---|---|---|
+| `GET` | `/dpcalendar/locations` | List all locations |
+| `GET` | `/dpcalendar/locations/{id}` | Get a single location by ID |
+
+### Bookings (2 endpoints)
+
+| Method | Path | Description |
+|---|---|---|
+| `GET` | `/dpcalendar/bookings` | List all bookings |
+| `GET` | `/dpcalendar/bookings/{id}` | Get a single booking (with tickets) |
+
+### Tickets (2 endpoints)
+
+| Method | Path | Description |
+|---|---|---|
+| `GET` | `/dpcalendar/tickets` | List all tickets |
+| `GET` | `/dpcalendar/tickets/{id}` | Get a single ticket |
+
+---
+
+## Query Parameters
+
+### Pagination
+
+| Parameter | Type | Default | Description |
+|---|---|---|---|
+| `page[limit]` | integer | 20 | Results per page (max 100) |
+| `page[offset]` | integer | 0 | Number of results to skip |
+
+### Sorting
+
+| Parameter | Type | Description |
+|---|---|---|
+| `sort` | string | Sort field. Prefix with `-` for descending. |
+
+**Supported sort fields:** `id`, `title`, `start_date`, `end_date`, `catid`, `created`
+
+Example: `?sort=-start_date` (newest first)
+
+### Filtering
+
+| Parameter | Type | Description |
+|---|---|---|
+| `filter[search]` | string | Search events by title or description |
+| `filter[start_date]` | string | Events starting on or after this date (ISO 8601) |
+| `filter[end_date]` | string | Events ending on or before this date (ISO 8601) |
+| `filter[catid]` | integer | Filter by calendar/category ID |
+| `filter[featured]` | integer | `1` = featured only, `0` = non-featured only |
+| `filter[access]` | integer | Filter by Joomla access level |
+| `filter[language]` | string | Filter by language tag (e.g., `en-GB`) |
+
+### Field Selection
+
+| Parameter | Type | Description |
+|---|---|---|
+| `fields[events]` | string | Comma-separated list of fields to return |
+
+Example: `?fields[events]=id,title,start_date,end_date`
+
+### Expansion
+
+| Parameter | Type | Description |
+|---|---|---|
+| `expand` | string | Include related data. Supported: `locations` |
+
+---
+
+## Examples
+
+### List upcoming events
+
+```bash
+curl -s \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Accept: application/vnd.api+json" \
+  "https://example.com/api/index.php/v1/dpcalendar/events?filter[start_date]=2026-01-01&sort=start_date&page[limit]=10"
+```
+
+### Get a single event
+
+```bash
+curl -s \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Accept: application/vnd.api+json" \
+  "https://example.com/api/index.php/v1/dpcalendar/events/42"
+```
+
+### Create an event
+
+```bash
+curl -s -X POST \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/vnd.api+json" \
+  -d '{
+    "title": "Monthly Meetup",
+    "catid": 8,
+    "start_date": "2026-06-15 18:00:00",
+    "end_date": "2026-06-15 20:00:00",
+    "description": "<p>Join us for the monthly meetup!</p>"
+  }' \
+  "https://example.com/api/index.php/v1/dpcalendar/events"
+```
+
+### Bulk create events
+
+```bash
+curl -s -X POST \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Content-Type: application/json" \
+  -H "Accept: application/vnd.api+json" \
+  -d '[
+    {"title": "Event A", "catid": 8, "start_date": "2026-07-01 10:00:00", "end_date": "2026-07-01 12:00:00"},
+    {"title": "Event B", "catid": 8, "start_date": "2026-07-02 10:00:00", "end_date": "2026-07-02 12:00:00"}
+  ]' \
+  "https://example.com/api/index.php/v1/dpcalendar/events/bulk"
+```
+
+### Export calendar as iCal
+
+```bash
+curl -s \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Accept: text/calendar" \
+  "https://example.com/api/index.php/v1/dpcalendar/calendars/8/ical"
+```
+
+### Get recurring event occurrences
+
+```bash
+curl -s \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Accept: application/vnd.api+json" \
+  "https://example.com/api/index.php/v1/dpcalendar/events/42/occurrences"
+```
+
+### List events with location expansion
+
+```bash
+curl -s \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Accept: application/vnd.api+json" \
+  "https://example.com/api/index.php/v1/dpcalendar/events?expand=locations"
+```
+
+### ETag caching (conditional request)
+
+```bash
+# First request -- note the ETag in response headers
+curl -sI \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Accept: application/vnd.api+json" \
+  "https://example.com/api/index.php/v1/dpcalendar/events"
+
+# Subsequent request -- returns 304 if unchanged
+curl -s \
+  -H "Authorization: Bearer YOUR_TOKEN" \
+  -H "Accept: application/vnd.api+json" \
+  -H 'If-None-Match: "etag-value-from-previous-response"' \
+  "https://example.com/api/index.php/v1/dpcalendar/events"
+```
+
+---
+
+## Documentation
+
+Full documentation is available on the [Wiki](https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/wiki), including:
+
+| Page | Description |
+|---|---|
+| [Home](https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/wiki/Home) | Overview and quick reference |
+| [INSTALLATION](https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/wiki/INSTALLATION) | Installation guide for Joomla 5.x/6.x |
+| [API-Reference](https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/wiki/API-Reference) | Complete endpoint documentation |
+
+---

 ## License

-GPL-3.0-or-later — see [LICENSE](LICENSE).
+This project is licensed under the GNU General Public License v3.0 or later -- see the [LICENSE](LICENSE) file.

-Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+---

-## Maintainers
-
-[@jmiller](https://git.mokoconsulting.tech/jmiller)
-
-## Revision History
-
-| Date | Version | Author | Notes |
-| --- | --- | --- | --- |
-| 2026-04-26 | 1.0.0 | jmiller | Initial Web Services plugin for DPCalendar |
+*[Moko Consulting](https://mokoconsulting.tech) -- [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home)*
@@ -1,41 +0,0 @@
-# Installation
-
-## Prerequisites
-
- Joomla 5.x or 6.x
- DPCalendar 9.x+ installed and enabled
- PHP 8.1+
-
-## Install from Release
-
-1. Download the latest ZIP from Releases
-2. In Joomla admin: **System > Install > Extensions**
-3. Upload and install the ZIP
-4. Go to **System > Manage > Plugins**
-5. Search for "DPCalendar" and enable **Web Services - DPCalendar**
-
-## Install from Source
-
-```sh
-git clone https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI.git
-cd MokoDPCalendarAPI
-```
-
-Install the `src/` directory as a Joomla extension via Install from Folder or symlink.
-
-## Verify
-
-```sh
-curl -s https://your-site.com/api/index.php/v1/dpcalendar/events \
-  -H "Authorization: Bearer YOUR_API_TOKEN" \
-  -H "Accept: application/vnd.api+json"
-```
-
-## Troubleshooting
-
-### "Resource not found"
- Ensure the plugin is enabled in Plugins manager
- Verify DPCalendar component is installed
-
-### Empty responses
- Check API user has access to the calendars
@@ -3,17 +3,17 @@
 Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 SPDX-License-Identifier: GPL-3.0-or-later
 REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI
- VERSION: 01.00.00
+ VERSION: 03.01.00
 -->
 <extension type="plugin" group="webservices" method="upgrade">
-	<name>Web Services - DPCalendar API</name>
+	<name>Moko Web Services - DPCalendar API</name>
 	<author>Moko Consulting</author>
-	<creationDate>2026-05-04</creationDate>
+	<creationDate>2026-05-10</creationDate>
 	<copyright>Copyright (C) 2026 Moko Consulting</copyright>
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>03.00.00</version>
+	<version>03.02.00</version>
 	<description>Exposes DPCalendar events, calendars, and locations via the Joomla Web Services API</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoDPCalendarAPI</namespace>
 	<files>
@@ -6,7 +6,7 @@
 *
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI
 * PATH: /src/src/Extension/MokoDPCalendarAPI.php
- * VERSION: 02.00.00
+ * VERSION: 03.01.00
 * BRIEF: Plugin class — registers and handles DPCalendar API routes
 */

@@ -46,9 +46,11 @@ final class MokoDPCalendarAPI extends CMSPlugin
 		$router->addRoute(new Route(['GET'], 'v1/dpcalendar/locations', 'locations.displayList', [], $defaults));
 		$router->addRoute(new Route(['GET'], 'v1/dpcalendar/locations/:id', 'locations.displayItem', ['id' => '(\d+)'], $defaults));

-		// Bookings
+		// Bookings + Tickets
 		$router->addRoute(new Route(['GET'], 'v1/dpcalendar/bookings', 'bookings.displayList', [], $defaults));
 		$router->addRoute(new Route(['GET'], 'v1/dpcalendar/bookings/:id', 'bookings.displayItem', ['id' => '(\d+)'], $defaults));
+		$router->addRoute(new Route(['GET'], 'v1/dpcalendar/tickets', 'tickets.displayList', [], $defaults));
+		$router->addRoute(new Route(['GET'], 'v1/dpcalendar/tickets/:id', 'tickets.displayItem', ['id' => '(\d+)'], $defaults));

 		// ICS export (calendar-level)
 		$router->addRoute(new Route(['GET'], 'v1/dpcalendar/calendars/:id/ical', 'calendars.ical', ['id' => '(\d+)'], $defaults));
@@ -62,7 +64,7 @@ final class MokoDPCalendarAPI extends CMSPlugin
 		$controller = $input->get('controller', '', 'string');
 		$task = $input->get('task', '', 'string');

-		$validControllers = ['events', 'calendars', 'locations', 'bookings'];
+		$validControllers = ['events', 'calendars', 'locations', 'bookings', 'tickets'];
 		if (!in_array($controller, $validControllers, true)) {
 			return;
 		}
@@ -70,6 +72,14 @@ final class MokoDPCalendarAPI extends CMSPlugin
 		$id = $input->getInt('id', 0);
 		$method = $app->input->getMethod();

+		// Handle CORS preflight
+		if ($method === 'OPTIONS') {
+			$this->setCorsHeaders($app);
+			$app->setHeader('Content-Length', '0', true);
+			$app->sendHeaders();
+			$app->close();
+		}
+
 		try {
 			$data = match (true) {
 				// Events
@@ -95,11 +105,16 @@ final class MokoDPCalendarAPI extends CMSPlugin
 				$controller === 'bookings' && $method === 'GET' && !$id => $this->listBookings($input),
 				$controller === 'bookings' && $method === 'GET' && $id > 0 => $this->getBooking($id),

+				// Tickets
+				$controller === 'tickets' && $method === 'GET' && !$id => $this->listTickets($input),
+				$controller === 'tickets' && $method === 'GET' && $id > 0 => $this->getTicket($id),
+
 				default => throw new \RuntimeException('Method not allowed', 405),
 			};

 			// ICS responses bypass JSON
 			if (is_string($data)) {
+				$this->setCorsHeaders($app);
 				$app->setHeader('Content-Type', 'text/calendar; charset=utf-8', true);
 				$app->setHeader('Content-Disposition', 'attachment; filename="export.ics"', true);
 				$app->sendHeaders();
@@ -116,16 +131,41 @@ final class MokoDPCalendarAPI extends CMSPlugin

 	// ── Response helpers ─────────────────────────────────────────────

+	private function setCorsHeaders($app): void
+	{
+		$app->setHeader('Access-Control-Allow-Origin', '*', true);
+		$app->setHeader('Access-Control-Allow-Methods', 'GET, POST, PATCH, DELETE, OPTIONS', true);
+		$app->setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Joomla-Token', true);
+		$app->setHeader('Access-Control-Max-Age', '86400', true);
+	}
+
 	private function sendResponse($app, array $data): void
 	{
+		$this->setCorsHeaders($app);
 		$app->setHeader('Content-Type', 'application/vnd.api+json', true);
+
+		// ETag for caching
+		$json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
+		$etag = '"' . md5($json) . '"';
+		$app->setHeader('ETag', $etag, true);
+		$app->setHeader('Cache-Control', 'private, max-age=60', true);
+
+		// Return 304 if client has current version
+		$ifNoneMatch = $_SERVER['HTTP_IF_NONE_MATCH'] ?? '';
+		if ($ifNoneMatch === $etag) {
+			http_response_code(304);
+			$app->sendHeaders();
+			$app->close();
+		}
+
 		$app->sendHeaders();
-		echo json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES);
+		echo $json;
 		$app->close();
 	}

 	private function sendError($app, int $code, string $message): void
 	{
+		$this->setCorsHeaders($app);
 		http_response_code($code);
 		$app->setHeader('Content-Type', 'application/vnd.api+json', true);
 		$app->sendHeaders();
@@ -232,6 +272,18 @@ final class MokoDPCalendarAPI extends CMSPlugin
 				->bind(':featured', $featVal, ParameterType::INTEGER);
 		}

+		$accessLevel = $input->getInt('access', 0);
+		if ($accessLevel) {
+			$query->where($db->quoteName('e.access') . ' = :access')
+				->bind(':access', $accessLevel, ParameterType::INTEGER);
+		}
+
+		$lang = $input->getString('language', '');
+		if ($lang) {
+			$query->where('(' . $db->quoteName('e.language') . ' = :lang OR ' . $db->quoteName('e.language') . ' = ' . $db->quote('*') . ')')
+				->bind(':lang', $lang);
+		}
+
 		// Count total
 		$countQuery = clone $query;
 		$countQuery->clear('select')->clear('order')->select('COUNT(*)');
@@ -742,6 +794,59 @@ final class MokoDPCalendarAPI extends CMSPlugin
 		return ['data' => $result];
 	}

+	// ── Tickets ──────────────────────────────────────────────────────
+
+	private function listTickets($input): array
+	{
+		$db = $this->getDb();
+		[$limit, $offset] = $this->getPagination($input);
+
+		$query = $db->getQuery(true)
+			->select('t.id, t.uid, t.booking_id, t.event_id, t.name, t.email, t.state, t.price, t.created')
+			->from($db->quoteName('#__dpcalendar_tickets', 't'))
+			->order('t.created DESC');
+
+		$eventId = $input->getInt('event_id', 0);
+		if ($eventId) {
+			$query->where($db->quoteName('t.event_id') . ' = :event_id')
+				->bind(':event_id', $eventId, ParameterType::INTEGER);
+		}
+
+		$bookingId = $input->getInt('booking_id', 0);
+		if ($bookingId) {
+			$query->where($db->quoteName('t.booking_id') . ' = :booking_id')
+				->bind(':booking_id', $bookingId, ParameterType::INTEGER);
+		}
+
+		$countQuery = clone $query;
+		$countQuery->clear('select')->clear('order')->select('COUNT(*)');
+		$total = (int) $db->setQuery($countQuery)->loadResult();
+
+		$db->setQuery($query, $offset, $limit);
+		$items = $db->loadAssocList() ?: [];
+
+		return [
+			'data' => $items,
+			'meta' => ['total-items' => $total, 'limit' => $limit, 'offset' => $offset],
+		];
+	}
+
+	private function getTicket(int $id): array
+	{
+		$db = $this->getDb();
+		$query = $db->getQuery(true)
+			->select('t.*')
+			->from($db->quoteName('#__dpcalendar_tickets', 't'))
+			->where($db->quoteName('t.id') . ' = :id')
+			->bind(':id', $id, ParameterType::INTEGER);
+
+		$result = $db->setQuery($query)->loadAssoc();
+		if (!$result) {
+			throw new \RuntimeException('Ticket not found', 404);
+		}
+		return ['data' => $result];
+	}
+
 	// ── ICS/iCal Export ──────────────────────────────────────────────

 	private function eventToIcal(int $id): string
@@ -1,96 +1,96 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 SPDX-License-Identifier: GPL-3.0-or-later
- VERSION: 02.00.00
+ VERSION: 03.02.00
 -->

 <updates>
  <update>
-    <name>Web Services - DPCalendar API</name>
-    <description>Web Services - DPCalendar API update</description>
+    <name>Moko Web Services - DPCalendar API</name>
+    <description>Moko Web Services - DPCalendar API update</description>
    <element>mokodpcalendarapi</element>
    <type>plugin</type>
-    <version>02.00.00</version>
+    <version>03.02.00</version>
    <client>site</client>
    <folder>webservices</folder>
    <tags><tag>development</tag></tags>
-    <infourl title="Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
+    <infourl title="Moko Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-02.00.00.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-03.02.00.zip</downloadurl>
    </downloads>
-    <sha256>94e05c821073273b9a4dae17b4e89aab97e9d32a5b397d38e19c1ae75ebb9f8b</sha256>
+    <sha256>652b87468d39eb4a513b6b0aae3a563abf7662f0ee3b837b724ee3b6e19a08fb</sha256>
    <targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
  </update>
  <update>
-    <name>Web Services - DPCalendar API</name>
-    <description>Web Services - DPCalendar API update</description>
+    <name>Moko Web Services - DPCalendar API</name>
+    <description>Moko Web Services - DPCalendar API update</description>
    <element>mokodpcalendarapi</element>
    <type>plugin</type>
-    <version>02.00.00</version>
+    <version>03.02.00</version>
    <client>site</client>
    <folder>webservices</folder>
    <tags><tag>alpha</tag></tags>
-    <infourl title="Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
+    <infourl title="Moko Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-02.00.00.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-03.02.00.zip</downloadurl>
    </downloads>
-    <sha256>94e05c821073273b9a4dae17b4e89aab97e9d32a5b397d38e19c1ae75ebb9f8b</sha256>
+    <sha256>652b87468d39eb4a513b6b0aae3a563abf7662f0ee3b837b724ee3b6e19a08fb</sha256>
    <targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
  </update>
  <update>
-    <name>Web Services - DPCalendar API</name>
-    <description>Web Services - DPCalendar API update</description>
+    <name>Moko Web Services - DPCalendar API</name>
+    <description>Moko Web Services - DPCalendar API update</description>
    <element>mokodpcalendarapi</element>
    <type>plugin</type>
-    <version>02.00.00</version>
+    <version>03.02.00</version>
    <client>site</client>
    <folder>webservices</folder>
    <tags><tag>beta</tag></tags>
-    <infourl title="Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
+    <infourl title="Moko Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-02.00.00.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-03.02.00.zip</downloadurl>
    </downloads>
-    <sha256>94e05c821073273b9a4dae17b4e89aab97e9d32a5b397d38e19c1ae75ebb9f8b</sha256>
+    <sha256>652b87468d39eb4a513b6b0aae3a563abf7662f0ee3b837b724ee3b6e19a08fb</sha256>
    <targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
  </update>
  <update>
-    <name>Web Services - DPCalendar API</name>
-    <description>Web Services - DPCalendar API update</description>
+    <name>Moko Web Services - DPCalendar API</name>
+    <description>Moko Web Services - DPCalendar API update</description>
    <element>mokodpcalendarapi</element>
    <type>plugin</type>
-    <version>02.00.00</version>
+    <version>03.02.00</version>
    <client>site</client>
    <folder>webservices</folder>
    <tags><tag>rc</tag></tags>
-    <infourl title="Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
+    <infourl title="Moko Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-02.00.00.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-03.02.00.zip</downloadurl>
    </downloads>
-    <sha256>94e05c821073273b9a4dae17b4e89aab97e9d32a5b397d38e19c1ae75ebb9f8b</sha256>
+    <sha256>652b87468d39eb4a513b6b0aae3a563abf7662f0ee3b837b724ee3b6e19a08fb</sha256>
    <targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
  </update>
  <update>
-    <name>Web Services - DPCalendar API</name>
-    <description>Web Services - DPCalendar API update</description>
+    <name>Moko Web Services - DPCalendar API</name>
+    <description>Moko Web Services - DPCalendar API update</description>
    <element>mokodpcalendarapi</element>
    <type>plugin</type>
-    <version>02.00.00</version>
+    <version>03.02.00</version>
    <client>site</client>
    <folder>webservices</folder>
    <tags><tag>stable</tag></tags>
-    <infourl title="Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
+    <infourl title="Moko Web Services - DPCalendar API">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-02.00.00.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoDPCalendarAPI/releases/download/stable/-03.02.00.zip</downloadurl>
    </downloads>
-    <sha256>94e05c821073273b9a4dae17b4e89aab97e9d32a5b397d38e19c1ae75ebb9f8b</sha256>
+    <sha256>652b87468d39eb4a513b6b0aae3a563abf7662f0ee3b837b724ee3b6e19a08fb</sha256>
    <targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>