feat: make metadata/manifest GET endpoint publicly accessible (#676 )

Remove reqRepoReader auth requirement from GET /repos/{owner}/{repo}/metadata and /manifest endpoints. PUT (update) still requires token + admin.
2026-06-21 10:18:07 -05:00
66 changed files with 2048 additions and 4344 deletions
@@ -57,7 +57,7 @@ jobs:
      - name: Determine target repos
        id: repos
        env:
-          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"

@@ -74,7 +74,7 @@ jobs:
            REPOS=""
            while true; do
              BATCH=$(curl -sS \
-                -H "Authorization: token ${MOKOGITEA_TOKEN}" \
+                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
                | jq -r '.[].name // empty')
              [ -z "$BATCH" ] && break
@@ -105,7 +105,7 @@ jobs:

      - name: Apply protection rules
        env:
-          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
@@ -214,13 +214,13 @@ jobs:
              ENCODED_NAME=$(echo "$NAME" | sed 's|/|%2F|g')
              curl -sS -o /dev/null -w "" \
                -X DELETE \
-                -H "Authorization: token ${MOKOGITEA_TOKEN}" \
+                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections/${ENCODED_NAME}" 2>/dev/null || true

              # Create rule
              RESPONSE=$(curl -sS -w "\n%{http_code}" \
                -X POST \
-                -H "Authorization: token ${MOKOGITEA_TOKEN}" \
+                -H "Authorization: token ${GA_TOKEN}" \
                -H "Content-Type: application/json" \
                -d "$RULE" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections")
@@ -1,66 +1,66 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: mokocli.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
-# PATH: /.mokogitea/workflows/auto-bump.yml
-# VERSION: 09.02.00
-# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
-
-name: "Universal: Auto Version Bump"
-
-on:
-  push:
-    branches:
-      - dev
-      - rc
-      - 'feature/**'
-      - 'patch/**'
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-permissions:
-  contents: write
-
-jobs:
-  bump:
-    name: Version Bump
-    runs-on: release
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip bump]') &&
-      !startsWith(github.event.head_commit.message, 'Merge pull request')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup mokocli tools
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          if [ -d "/opt/mokocli/cli" ]; then
-            echo "MOKO_CLI=/opt/mokocli/cli" >> "$GITHUB_ENV"
-          else
-            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokocli.git" \
-              /tmp/mokocli
-            cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
-            echo "MOKO_CLI=/tmp/mokocli/cli" >> "$GITHUB_ENV"
-          fi
-
-      - name: Bump version
-        run: |
-          php ${MOKO_CLI}/version_auto_bump.php \
-            --path . --branch "${GITHUB_REF_NAME}" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /.mokogitea/workflows/auto-bump.yml
+# VERSION: 09.02.00
+# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
+
+name: "Universal: Auto Version Bump"
+
+on:
+  push:
+    branches:
+      - dev
+      - rc
+      - 'feature/**'
+      - 'patch/**'
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+permissions:
+  contents: write
+
+jobs:
+  bump:
+    name: Version Bump
+    runs-on: release
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip bump]') &&
+      !startsWith(github.event.head_commit.message, 'Merge pull request')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          fetch-depth: 1
+
+      - name: Setup mokocli tools
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          if [ -d "/opt/mokocli/cli" ]; then
+            echo "MOKO_CLI=/opt/mokocli/cli" >> "$GITHUB_ENV"
+          else
+            git clone --depth 1 --branch main --quiet \
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokocli.git" \
+              /tmp/mokocli
+            cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
+            echo "MOKO_CLI=/tmp/mokocli/cli" >> "$GITHUB_ENV"
+          fi
+
+      - name: Bump version
+        run: |
+          php ${MOKO_CLI}/version_auto_bump.php \
+            --path . --branch "${GITHUB_REF_NAME}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
+            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
@@ -10,9 +10,9 @@
 # VERSION: 05.00.00
 # BRIEF: Universal build & release � detects platform from manifest.xml
 #
-# +=======================================================================+
+# +========================================================================+
 # |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +=======================================================================+
+# +========================================================================+
 # |                                                                        |
 # |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
 # |                                                                        |
@@ -21,24 +21,15 @@
 # |    dolibarr: mod*.class.php, update.txt, dev version reset             |
 # |    generic:  README-only, no update stream                             |
 # |                                                                        |
-# +=======================================================================+
+# +========================================================================+

 name: "Universal: Build & Release"

 on:
  pull_request:
-    types: [opened, synchronize, closed]
+    types: [opened, closed]
    branches:
      - main
-    paths-ignore:
-      - '.mokogitea/workflows/**'
-      - '*.md'
-      - 'wiki/**'
-      - '.editorconfig'
-      - '.gitignore'
-      - '.gitattributes'
-      - '.gitmessage'
-      - 'LICENSE' 
  workflow_dispatch:
    inputs:
      action:
@@ -52,7 +43,7 @@ on:

 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}

@@ -60,13 +51,12 @@ permissions:
  contents: write

 jobs:
-  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────────
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
  promote-rc:
    name: Promote to RC
    runs-on: release
    if: >-
      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
-      (github.event.action == 'synchronize' && github.event.pull_request.merged != true) ||
      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')

    steps:
@@ -102,7 +92,7 @@ jobs:
          php ${MOKO_CLI}/branch_rename.php \
            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
+            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
            --pr "${{ github.event.pull_request.number }}"

      - name: Checkout rc and configure git
@@ -121,7 +111,7 @@ jobs:

      - name: Update RC release notes from CHANGELOG.md
        run: |
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          # Extract [Unreleased] section from changelog
@@ -159,7 +149,7 @@ jobs:
          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
          echo "Branch renamed to rc, minor bump, RC release built" >> $GITHUB_STEP_SUMMARY

-  # ── Merged PR → Build & Release (or promote RC to stable) ─────────────────────────
+  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
  release:
    name: Build & Release Pipeline
    runs-on: release
@@ -251,50 +241,14 @@ jobs:
          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
          [ -z "$VERSION" ] && VERSION="00.00.00" && echo "skip=true" >> "$GITHUB_OUTPUT"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [[ "$PLATFORM" == joomla* ]]; then
-            echo "tag=stable" >> "$GITHUB_OUTPUT"
-            echo "release_tag=stable" >> "$GITHUB_OUTPUT"
-          else
-            echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"
-            echo "release_tag=v${VERSION}" >> "$GITHUB_OUTPUT"
-          fi
+          echo "tag=stable" >> "$GITHUB_OUTPUT"
+          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
          echo "branch=main" >> "$GITHUB_OUTPUT"
          echo "Published version: ${VERSION}"

-      - name: "Create semver tag for non-Joomla repos"
-        id: semver
-        if: |
-          steps.version.outputs.skip != 'true' &&
-          !startsWith(steps.platform.outputs.platform, 'joomla')
-        run: |
-          VERSION="${{ steps.version.outputs.version }}"
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          SEMVER_TAG="v${VERSION}"
-
-          echo "Creating semver tag: ${SEMVER_TAG}"
-
-          # Create the git tag via API
-          HTTP_CODE=$(curl -sf -o /dev/null -w "%{http_code}" \
-            -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/tags" \
-            -d "{\"tag_name\":\"${SEMVER_TAG}\",\"target\":\"main\",\"message\":\"Release ${VERSION}\"}" 2>/dev/null || echo "000")
-
-          if [ "$HTTP_CODE" = "201" ] || [ "$HTTP_CODE" = "200" ]; then
-            echo "Created semver tag: ${SEMVER_TAG}"
-          elif [ "$HTTP_CODE" = "409" ]; then
-            echo "Semver tag ${SEMVER_TAG} already exists (skipped)"
-          else
-            echo "::warning::Failed to create semver tag ${SEMVER_TAG} (HTTP ${HTTP_CODE})"
-          fi
-
-          echo "semver_tag=${SEMVER_TAG}" >> "$GITHUB_OUTPUT"
-
      - name: Update release notes and promote changelog
        run: |
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          # Get the stable release info (version and ID)
@@ -363,7 +317,7 @@ jobs:
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/release_mirror.php \
            --version "$VERSION" --tag "$RELEASE_TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
@@ -392,7 +346,7 @@ jobs:
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          # Delete rc branch (ephemeral — created by promote-rc)
@@ -416,7 +370,7 @@ jobs:
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          BRANCH_NAME="version/${VERSION}"
@@ -437,7 +391,7 @@ jobs:
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/version_reset_dev.php \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
            --branch dev --path . 2>&1 || true
@@ -463,5 +417,5 @@ jobs:
            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${MOKOGITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
+            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
          fi
@@ -1,68 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: mokocli.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
-# PATH: /.mokogitea/workflows/ci-issue-reporter.yml
-# VERSION: 01.00.00
-# BRIEF: Reusable workflow — creates/updates a Gitea issue when a CI gate fails.
-#        Clones MokoCLI and runs cli/ci_issue_reporter.sh.
-
-name: "Universal: CI Issue Reporter"
-
-on:
-  workflow_call:
-    inputs:
-      gate:
-        description: "CI gate name (e.g. PR Validation, Repository Health)"
-        required: true
-        type: string
-      details:
-        description: "Human-readable failure description"
-        required: true
-        type: string
-      severity:
-        description: "error or warning"
-        required: false
-        type: string
-        default: "error"
-      workflow:
-        description: "Workflow name for the issue title"
-        required: false
-        type: string
-        default: ""
-    secrets:
-      MOKOGITEA_TOKEN:
-        required: true
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  report:
-    name: "Report: ${{ inputs.gate }}"
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Clone MokoCLI
-        env:
-          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
-          MOKOGITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
-          git clone --depth 1 --filter=blob:none --sparse "${MOKOGITEA_URL}/MokoConsulting/MokoCLI.git" /tmp/mokocli
-          cd /tmp/mokocli && git sparse-checkout set cli/ci_issue_reporter.sh
-
-      - name: Report CI failure
-        env:
-          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-        run: |
-          chmod +x /tmp/mokocli/cli/ci_issue_reporter.sh
-          /tmp/mokocli/cli/ci_issue_reporter.sh \
-            --gate "${{ inputs.gate }}" \
-            --details "${{ inputs.details }}" \
-            --severity "${{ inputs.severity }}" \
-            --workflow "${{ inputs.workflow }}"
@@ -21,7 +21,7 @@ permissions:
  contents: write

 env:
-  MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}

 jobs:
  cleanup:
@@ -33,17 +33,17 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          token: ${{ secrets.GA_TOKEN }}

      - name: Delete merged branches
        env:
-          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          echo "=== Merged Branch Cleanup ==="
-          API="${MOKOGITEA_URL}/api/v1/repos/${{ github.repository }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"

          # List branches via API
-          BRANCHES=$(curl -sS -H "Authorization: token ${MOKOGITEA_TOKEN}" \
+          BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
            "${API}/branches?limit=50" | jq -r '.[].name')

          DELETED=0
@@ -56,7 +56,7 @@ jobs:
            # Check if branch is merged into main
            if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
              echo "  Deleting merged branch: ${BRANCH}"
-              curl -sS -X DELETE -H "Authorization: token ${MOKOGITEA_TOKEN}" \
+              curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
                "${API}/branches/${BRANCH}" 2>/dev/null || true
              DELETED=$((DELETED + 1))
            fi
@@ -66,20 +66,20 @@ jobs:

      - name: Clean old workflow runs
        env:
-          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          echo "=== Workflow Run Cleanup ==="
-          API="${MOKOGITEA_URL}/api/v1/repos/${{ github.repository }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)

          # Get old completed runs
-          RUNS=$(curl -sS -H "Authorization: token ${MOKOGITEA_TOKEN}" \
+          RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
            "${API}/actions/runs?status=completed&limit=50" | \
            jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)

          DELETED=0
          for RUN_ID in $RUNS; do
-            curl -sS -X DELETE -H "Authorization: token ${MOKOGITEA_TOKEN}" \
+            curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
              "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
            DELETED=$((DELETED + 1))
          done
@@ -0,0 +1,76 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: "Publish to Composer"
+
+on:
+  push:
+    tags:
+      - 'v*'
+      - '[0-9]*.[0-9]*.[0-9]*'
+  release:
+    types: [published]
+  workflow_dispatch:
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  publish:
+    name: Publish Package
+    runs-on: ubuntu-latest
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip publish]')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+
+      - name: Install dependencies
+        run: composer install --no-dev --no-interaction --prefer-dist --quiet
+
+      - name: Determine version
+        id: version
+        run: |
+          VERSION=$(php -r "echo json_decode(file_get_contents('composer.json'))->version;")
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Package version: ${VERSION}"
+
+      # Gitea Composer Registry — auto-publishes from tags
+      # The tag push itself registers the package at:
+      # https://git.mokoconsulting.tech/api/packages/MokoConsulting/composer
+      - name: Verify Gitea registry
+        run: |
+          echo "Gitea Composer registry auto-publishes from tags."
+          echo "Package available at: ${GITEA_URL}/api/packages/MokoConsulting/composer"
+          echo "Install: composer require mokoconsulting/mokocli"
+
+      # Packagist — notify of new version
+      - name: Notify Packagist
+        if: secrets.PACKAGIST_TOKEN != ''
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "Notifying Packagist of version ${VERSION}..."
+          curl -sf -X POST \
+            -H "Content-Type: application/json" \
+            -d '{"repository":{"url":"https://git.mokoconsulting.tech/MokoConsulting/mokocli"}}' \
+            "https://packagist.org/api/update-package?username=mokoconsulting&apiToken=${{ secrets.PACKAGIST_TOKEN }}" \
+            && echo "Packagist notified" \
+            || echo "::warning::Packagist notification failed (package may not be registered yet)"
+
+      - name: Summary
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "## Composer Package Published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Registry | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|----------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Gitea | \`composer require mokoconsulting/mokocli:${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Packagist | \`composer require mokoconsulting/mokocli\` |" >> $GITHUB_STEP_SUMMARY
@@ -1,109 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-# SPDX-License-Identifier: GPL-3.0-or-later
-# BRIEF: Build and deploy MokoGitea to dev environment on push to dev branch.
-#        Production deploy (deploy-mokogitea.yml) only succeeds if dev is healthy.
-
-name: Deploy MokoGitea (Dev)
-
-on:
-  push:
-    branches:
-      - dev
-
-concurrency:
-  group: deploy-mokogitea-dev
-  cancel-in-progress: true
-
-env:
-  REGISTRY: git.mokoconsulting.tech
-  IMAGE: mokoconsulting/mokogitea
-  DEPLOY_HOST: git.mokoconsulting.tech
-  DEPLOY_PORT: 2918
-  DEPLOY_USER: mokoconsulting
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  deploy-dev:
-    name: "Build & Deploy to Dev"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout source
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Determine version
-        id: config
-        run: |
-          VERSION=$(git describe --tags --always 2>/dev/null || echo "dev-$(git rev-parse --short HEAD)")
-          echo "tag=${VERSION}-dev" >> $GITHUB_OUTPUT
-          echo "Version: ${VERSION}-dev"
-
-      - name: Write deploy key
-        env:
-          DEPLOY_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
-        run: |
-          mkdir -p ~/.ssh
-          echo "$DEPLOY_KEY" > ~/.ssh/deploy_key
-          chmod 600 ~/.ssh/deploy_key
-
-      - name: Build and deploy to dev via SSH
-        env:
-          REGISTRY_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          TAG: ${{ steps.config.outputs.tag }}
-        run: |
-          HEALTH_FMT='${{ '{{' }}.State.Health.Status${{ '}}' }}'
-
-          ssh -i ~/.ssh/deploy_key -p ${{ env.DEPLOY_PORT }} \
-            -o ConnectTimeout=30 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
-            -o ServerAliveInterval=30 -o ServerAliveCountMax=10 \
-            ${{ env.DEPLOY_USER }}@${{ env.DEPLOY_HOST }} bash -s <<DEPLOY_EOF
-          set -e
-          echo 'SSH connected to dev environment'
-
-          echo 'Cleaning Docker build cache...'
-          docker builder prune -af 2>/dev/null || true
-          docker image prune -af 2>/dev/null || true
-
-          echo 'Pulling source...'
-          SOURCE_DIR=/opt/gitea-dev/source
-          if [ ! -d \$SOURCE_DIR/.git ]; then
-            git clone -b dev https://git.mokoconsulting.tech/MokoConsulting/MokoGitea-Fork.git \$SOURCE_DIR
-          fi
-          cd \$SOURCE_DIR
-          git remote set-url origin https://git.mokoconsulting.tech/MokoConsulting/MokoGitea-Fork.git 2>/dev/null || true
-          git fetch origin dev
-          git reset --hard origin/dev
-
-          echo 'Building Docker image...'
-          docker build --no-cache --build-arg GOFLAGS='-p 1' \
-            --tag ${{ env.REGISTRY }}/${{ env.IMAGE }}:\$TAG \
-            -f Dockerfile .
-
-          echo 'Pushing to registry...'
-          echo '\$REGISTRY_TOKEN' | docker login ${{ env.REGISTRY }} -u ${{ env.DEPLOY_USER }} --password-stdin
-          docker push ${{ env.REGISTRY }}/${{ env.IMAGE }}:\$TAG
-
-          echo 'Restarting dev container...'
-          cd /opt/gitea-dev
-          sed -i "s|${{ env.IMAGE }}:[^ ]*|${{ env.IMAGE }}:\$TAG|" docker-compose.yml
-          docker compose up -d mokogitea-dev
-
-          echo 'Health check...'
-          for i in 1 2 3 4 5 6 7 8; do
-            sleep 15
-            if docker inspect --format='\$HEALTH_FMT' mokogitea-dev 2>/dev/null | grep -q healthy; then
-              echo 'Dev container healthy!'
-              exit 0
-            fi
-            echo "Waiting... (attempt \$i/8)"
-          done
-          echo 'Health check failed'
-          docker logs mokogitea-dev --tail 20
-          exit 1
-          DEPLOY_EOF
-
-      - name: Verify dev instance
-        run: |
-          sleep 5
-          curl -sf https://git.dev.mokoconsulting.tech/api/healthz && echo " Dev API healthy"
@@ -42,10 +42,10 @@ jobs:

      - name: Setup MokoStandards tools
        env:
-          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
@@ -36,23 +36,7 @@ env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true

 jobs:
-  check-dev:
-    name: "Verify dev environment is healthy"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check dev health
-        run: |
-          echo "Checking git.dev.mokoconsulting.tech health..."
-          if curl -sf --max-time 10 https://git.dev.mokoconsulting.tech/api/healthz; then
-            echo " Dev environment is healthy — proceeding with production deploy"
-          else
-            echo "::error::Dev environment is NOT healthy — blocking production deploy"
-            echo "Deploy to dev first (push to dev branch) and verify it passes before merging to main."
-            exit 1
-          fi
-
  deploy:
-    needs: check-dev
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source (for version detection)
@@ -19,7 +19,7 @@ permissions:
  issues: write

 env:
-  MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}

 jobs:
  create-branch:
@@ -28,8 +28,8 @@ jobs:
    steps:
      - name: Create branch and comment
        run: |
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          API="${MOKOGITEA_URL}/api/v1/repos/${{ github.repository }}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          ISSUE_NUM="${{ github.event.issue.number }}"
          ISSUE_TITLE="${{ github.event.issue.title }}"

@@ -58,7 +58,7 @@ jobs:
            echo "Created branch: ${BRANCH}"

            # Comment on issue with branch link
-            REPO_URL="${MOKOGITEA_URL}/${{ github.repository }}"
+            REPO_URL="${GITEA_URL}/${{ github.repository }}"
            BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"

            curl -sf -X POST \
@@ -0,0 +1,51 @@
+name: Publish MCP to npm
+on:
+  push:
+    branches: [main]
+    paths:
+      - '.mokogitea/mcp/**'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install and build
+        working-directory: .mokogitea/mcp
+        run: |
+          npm ci
+          npx tsc
+
+      - name: Check version change
+        id: version
+        working-directory: .mokogitea/mcp
+        run: |
+          LOCAL_VERSION=$(node -p "require('./package.json').version")
+          NPM_VERSION=$(npm view @mokoconsulting/mokogitea-mcp version 2>/dev/null || echo "0.0.0")
+          if [ "$LOCAL_VERSION" != "$NPM_VERSION" ]; then
+            echo "changed=true" >> $GITHUB_OUTPUT
+            echo "Version changed: $NPM_VERSION -> $LOCAL_VERSION"
+          else
+            echo "changed=false" >> $GITHUB_OUTPUT
+            echo "Version unchanged: $LOCAL_VERSION"
+          fi
+
+      - name: Publish to npm
+        if: steps.version.outputs.changed == 'true'
+        working-directory: .mokogitea/mcp
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Publish to Gitea registry
+        if: steps.version.outputs.changed == 'true'
+        working-directory: .mokogitea/mcp
+        run: |
+          npm publish --registry ${{ github.server_url }}/api/packages/${{ github.repository_owner }}/npm/ \
+            --//$(echo "${{ github.server_url }}" | sed 's|https://||')/api/packages/${{ github.repository_owner }}/npm/:_authToken=${{ secrets.MOKOGITEA_TOKEN }}
@@ -40,7 +40,7 @@ permissions:
  contents: write

 env:
-  MOKOGITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}

@@ -88,20 +88,8 @@ jobs:
          php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
          php ${MOKO_CLI}/manifest_read.php --path . --github-output

-      - name: Check platform eligibility (Joomla only)
-        id: eligibility
-        run: |
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [[ "$PLATFORM" == joomla* ]] || [[ "$PLATFORM" == "joomla" ]]; then
-            echo "proceed=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "proceed=false" >> "$GITHUB_OUTPUT"
-            echo "::notice::Platform '$PLATFORM' — non-Joomla, skipping pre-release auto-bump"
-          fi
-
      - name: Resolve metadata and bump version
        id: meta
-        if: steps.eligibility.outputs.proceed == 'true'
        run: |
          # Auto-detect stability from branch name on push, or use input on dispatch
          if [ "${{ github.event_name }}" = "push" ]; then
@@ -178,22 +166,20 @@ jobs:

      - name: Create release
        id: release
-        if: steps.eligibility.outputs.proceed == 'true'
        run: |
          TAG="${{ steps.meta.outputs.tag }}"
          VERSION="${{ steps.meta.outputs.version }}"
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/release_create.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease

      - name: Update release notes from CHANGELOG.md
-        if: steps.eligibility.outputs.proceed == 'true'
        run: |
          TAG="${{ steps.meta.outputs.tag }}"
          VERSION="${{ steps.meta.outputs.version }}"
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

          # Extract [Unreleased] section from changelog (everything between [Unreleased] and next ## heading)
          if [ -f "CHANGELOG.md" ]; then
@@ -226,11 +212,10 @@ jobs:

      - name: Build package and upload
        id: package
-        if: steps.eligibility.outputs.proceed == 'true'
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/release_package.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
@@ -240,10 +225,9 @@ jobs:
      # No need to build, commit, or sync updates.xml from workflows

      - name: "Delete lesser pre-release channels (cascade)"
-        if: steps.eligibility.outputs.proceed == 'true'
        continue-on-error: true
        run: |
-          API_BASE="${MOKOGITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"

          php ${MOKO_CLI}/release_cascade.php \
@@ -0,0 +1,82 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/security-audit.yml
+# VERSION: 01.00.00
+# BRIEF: Dependency vulnerability scanning for composer and npm packages
+
+name: "Universal: Security Audit"
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'composer.json'
+      - 'composer.lock'
+      - 'package.json'
+      - 'package-lock.json'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Composer audit
+        if: hashFiles('composer.lock') != ''
+        run: |
+          echo "=== Composer Security Audit ==="
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
+          fi
+          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
+          RESULT=$?
+          if [ $RESULT -ne 0 ]; then
+            echo "::warning::Composer vulnerabilities found"
+            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
+          else
+            echo "No known vulnerabilities in composer dependencies"
+          fi
+
+      - name: NPM audit
+        if: hashFiles('package-lock.json') != ''
+        run: |
+          echo "=== NPM Security Audit ==="
+          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
+          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
+            echo "No known vulnerabilities in npm dependencies"
+          else
+            echo "::warning::NPM vulnerabilities found"
+            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
+          fi
+
+      - name: Notify on vulnerabilities
+        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} has vulnerable dependencies" \
+            -H "Tags: lock,warning" \
+            -H "Priority: high" \
+            -d "Security audit found vulnerabilities. Review dependency updates." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -1,130 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow.Template
-# INGROUP: MokoStandards.CI
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Joomla
-# PATH: /.mokogitea/workflows/version-set.yml
-# VERSION: 01.00.00
-# BRIEF: Set or reset the extension version across all version-bearing files
-
-name: "Joomla: Set Version"
-
-on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: "Version number (e.g. 01.00.00)"
-        required: true
-        type: string
-      branch:
-        description: "Branch to update (default: current)"
-        required: false
-        type: string
-
-permissions:
-  contents: write
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  set-version:
-    name: Set Version to ${{ inputs.version }}
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Validate version format
-        run: |
-          VERSION="${{ inputs.version }}"
-          if ! echo "$VERSION" | grep -qP '^\d{2}\.\d{2}\.\d{2}$'; then
-            echo "::error::Invalid version format '${VERSION}' — expected XX.YY.ZZ (e.g. 01.00.00)"
-            exit 1
-          fi
-          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
-
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN || github.token }}
-          ref: ${{ inputs.branch || github.ref }}
-          fetch-depth: 1
-
-      - name: Update manifest version
-        run: |
-          MANIFEST=""
-          for XML_FILE in $(find . -maxdepth 3 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
-            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
-              MANIFEST="$XML_FILE"
-              break
-            fi
-          done
-
-          if [ -z "$MANIFEST" ]; then
-            echo "::warning::No Joomla extension manifest found — skipping manifest update"
-          else
-            OLD_VER=$(grep -oP '<version>\K[^<]+' "$MANIFEST" | head -1)
-            sed -i "s|<version>${OLD_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
-            echo "Manifest: ${OLD_VER} → ${VERSION} (${MANIFEST})"
-          fi
-
-      - name: Update README.md version
-        run: |
-          if [ -f "README.md" ]; then
-            if grep -qP '^\s*VERSION:\s*\d' README.md; then
-              sed -i -E "s/(VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" README.md
-              echo "README.md version updated to ${VERSION}"
-            else
-              echo "::warning::No VERSION line found in README.md — skipping"
-            fi
-          fi
-
-      - name: Update CHANGELOG.md
-        run: |
-          if [ -f "CHANGELOG.md" ]; then
-            DATE=$(date +%Y-%m-%d)
-            # Check if this version already has an entry
-            if grep -q "^\#\# \[${VERSION}\]" CHANGELOG.md; then
-              echo "CHANGELOG.md already has entry for ${VERSION} — skipping"
-            else
-              # Insert new version entry after [Unreleased] or at the top after header
-              if grep -q '^\#\# \[Unreleased\]' CHANGELOG.md; then
-                sed -i "/^\#\# \[Unreleased\]/a\\\\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
-              else
-                sed -i "/^\# Changelog/a\\\\n## [Unreleased]\n\n## [${VERSION}] --- ${DATE}" CHANGELOG.md
-              fi
-              echo "CHANGELOG.md: added entry for ${VERSION}"
-            fi
-          else
-            echo "::warning::No CHANGELOG.md found — skipping"
-          fi
-
-      - name: Update FILE INFORMATION blocks
-        run: |
-          # Update VERSION in file header blocks (# VERSION: XX.YY.ZZ)
-          find . -maxdepth 1 -type f \( -name "*.yml" -o -name "*.yaml" -o -name "*.php" -o -name "*.md" \) \
-            -not -path "./.git/*" -not -path "./vendor/*" -print0 2>/dev/null | \
-          while IFS= read -r -d '' FILE; do
-            if head -20 "$FILE" | grep -qP '^\s*#?\s*VERSION:\s*\d{2}\.\d{2}\.\d{2}'; then
-              sed -i -E "s/(#?\s*VERSION:\s*)[0-9]{2}\.[0-9]{2}\.[0-9]{2}/\1${VERSION}/" "$FILE"
-              echo "Updated FILE INFORMATION VERSION in ${FILE}"
-            fi
-          done
-
-      - name: Commit and push
-        run: |
-          git config user.name "Moko Consulting [bot]"
-          git config user.email "hello@mokoconsulting.tech"
-          git add -A
-          if git diff --cached --quiet; then
-            echo "No version changes detected — nothing to commit"
-          else
-            git commit -m "chore: set version to ${VERSION} [skip bump]
-
-Authored-by: Moko Consulting"
-            git push
-            echo "### Version Set" >> $GITHUB_STEP_SUMMARY
-            echo "Version updated to \`${VERSION}\` on branch \`${GITHUB_REF_NAME}\`" >> $GITHUB_STEP_SUMMARY
-          fi
@@ -13,7 +13,6 @@
 name: "Universal: Workflow Sync Trigger"

 on:
-  workflow_dispatch:
  pull_request:
    types: [closed]
    branches:
@@ -27,9 +26,8 @@ jobs:
    name: Sync workflows to live repos
    runs-on: ubuntu-latest
    if: >-
-      github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.merged == true &&
-      !contains(github.event.pull_request.title, '[skip sync]'))
+      github.event.pull_request.merged == true &&
+      !contains(github.event.pull_request.title, '[skip sync]')

    steps:
      - name: Determine platform from repo name
@@ -51,14 +49,8 @@ jobs:
        env:
          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
        run: |
-          MOKOGITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
-          git clone --depth 1 "${MOKOGITEA_URL}/MokoConsulting/mokocli.git" /tmp/mokocli
-
-      - name: Install PHP
-        run: |
-          if ! command -v php &> /dev/null; then
-            apt-get update -qq && apt-get install -y -qq php-cli php-json php-curl > /dev/null 2>&1
-          fi
+          GITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
+          git clone --depth 1 "${GITEA_URL}/MokoConsulting/mokocli.git" /tmp/mokocli

      - name: Install dependencies
        run: |
@@ -3,19 +3,6 @@
 ## [Unreleased]

 ### Added
- API token scope `read:licensing` / `write:licensing` for licensing endpoints (#697)
- Edit API token scopes: PATCH /users/{username}/tokens/{id} API endpoint + web UI edit button (#697)
- Wiki full-text search: case-insensitive search across all wiki page titles and content (#550)
- Wiki search API: GET /wiki/search?q=term with paginated JSON results (#550)
- Metadata deploy fields: deploy_host, deploy_port, deploy_user, deploy_path, docker_image, docker_registry, container_name, health_url (#692)
- Metadata API partial updates: PUT /metadata now merges only sent fields instead of replacing all
- Wiki revision diff: line-by-line diff view per commit in wiki page history (#667)
- Wiki categories: YAML frontmatter `categories:` with category index page (#668)
- Wiki template transclusion: `{{template:Name|key=val}}` with `_Template/` folder (#671)
- Wiki enhanced ToC: collapsible, inline via frontmatter, sticky sidebar (#673)
- Wiki folder ACL: `_access.yml` per-folder write protection (#674)
- Wiki print view and ZIP export of all wiki pages (#675)
- Wiki features documentation page in org wiki (standards/Wiki-Features)
 - DLID licensing system: license, entitlement, activation, product_tier, audit_log tables (v359 migration)
 - License CRUD with CRC32-checksummed DLID generation and format validation
 - Entitlement model with tier-based rebuild and custom entitlement preservation
@@ -23,43 +10,6 @@
 - 13 seeded product tiers from base to enterprise
 - DLID-gated update XML endpoint: GET /api/v1/licensing/updates/{product}.xml
 - Profile repo fallback chain: .mokogitea > .profile > .github
- Metadata/manifest GET endpoint publicly accessible without auth (#676)
- Org wiki: folder-based collapsible tree sidebar, _Sidebar.md overrides (#680)
- Wiki backlinks: "What links here" page showing all pages referencing current page (#669)
- Wiki wikilinks: [[Page Name]] and [[Page|Display Text]] syntax with red links for missing pages (#666)
- Required baseline issue statuses: Open and Closed are indestructible (is_required flag) (#681)
- Issue status API response includes is_required field
- Wiki recent changes page: cross-page edit activity with pagination (#670)
- Wiki page rename with automatic redirects via YAML frontmatter (#672)
-
-### Fixed
- Cherry-pick upstream v1.26.2: handle empty pull request files view to allow reviews (#37783)
- Cherry-pick upstream v1.26.2: fix "run as root" check with snap container detection (#37622)
- Cherry-pick upstream: ack re-sent UpdateLog finalize idempotently (#37885)
- Cherry-pick upstream: reject workflow_dispatch for workflows without that trigger (#37660)
- Cherry-pick upstream: keep action run title clickable when commit subject is a URL (#37867)
- Cherry-pick upstream: exclude workflow_call from workflow trigger detection (#37894)
- API token edit: reject empty scope update requests with 400 instead of silently succeeding
- Workflow token auth: pr-check.yml pre-release dispatch was silently failing due to env var / curl reference mismatch
- Workflow tokens: standardize all GA_TOKEN/GITEA_TOKEN/GITEA_URL env vars to MOKOGITEA_TOKEN/MOKOGITEA_URL across all workflow files in 5 template repos + MokoCLI (65+ files)
- CI issue reporter: rename GITEA_TOKEN/GITEA_URL to MOKOGITEA_TOKEN/MOKOGITEA_URL in automation/ci-issue-reporter.sh
- Workflow sync trigger: add workflow_dispatch event, fix if-condition to allow manual dispatch, add PHP install step for non-PHP runners
- Licensing API: handle DB write errors in UpdateLicense, UpdateTier, DeleteTier instead of silently discarding
- Wiki API: fix findEntryForFile URL-decode fallback for non-ASCII page names
- Metadata settings template 500 error: removed reference to deleted Version field
- Wiki recent changes: use commit.MessageTitle() instead of commit.Message()
- Wiki backlinks: proper URL encoding for subdirectory pages
- Wiki wikilinks: page existence lookup normalizes spaces and hyphens
- Issue statuses template: garbled em-dash character replaced
-
-### Changed
- Issue status seed defaults: Open, In Progress, Waiting, In Review, Closed, Won't Fix
- Pre-release workflow: auto-bump skipped for non-Joomla repos (platform check)
- CI issue reporter: moved to MokoCLI (cli/ci_issue_reporter.sh), pr-check and repo-health now use ci-issue-reporter.yml reusable workflow
-
-### Removed
- Workflows: gitleaks.yml, npm-publish.yml, notify.yml, workflow-sync-trigger.yml, composer-publish.yml, deploy-manual.yml, security-audit.yml (not applicable to Go repo)
- automation/ci-issue-reporter.sh: moved to MokoCLI as centralized CLI tool

 ## [06.19.00] --- 2026-06-20

@@ -1,30 +1,38 @@
 # MokoGitea

-Custom Gitea fork with enhanced wiki system, DLID licensing, issue statuses, org metadata, and project board API.
+Moko fork of Gitea — adding project board REST API endpoints and custom enhancements

-![Language](https://img.shields.io/badge/Go-00ADD8?style=flat-square&logo=go&logoColor=white) ![License](https://img.shields.io/badge/license-GPL--3.0--or--later-green?style=flat-square)
+![Language](https://img.shields.io/badge/Go-00ADD8?style=flat-square&logo=go&logoColor=white) ![License](https://img.shields.io/badge/license-GPL--3.0--or--later-green?style=flat-square) ![Wiki](https://img.shields.io/badge/wiki-MokoGitea-blue?style=flat-square)
+
+
+Custom Gitea fork with Project Board API

 ---

-## Key Features
+## Pages

- **Wiki System** -- wikilinks, categories, backlinks, template transclusion, revision diffs, rename redirects, folder ACL, enhanced ToC, print view, ZIP export ([details](https://git.mokoconsulting.tech/MokoConsulting/.mokogitea/wiki/standards/Wiki-Features))
- **DLID Licensing** -- license management, entitlements, domain activations, ed25519-signed downloads
- **API Token Scope Editing** -- edit token scopes via API (PATCH) or web UI after creation
- **Issue Statuses** -- custom workflow statuses per org with required baseline protection
- **Org Metadata** -- per-repo metadata API (public GET, admin PUT), platform detection for versioning
- **Project Board API** -- REST endpoints for project columns and cards
- **Dev Deploy Gate** -- builds deploy to dev environment first, production checks dev health
+- [Branding](https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/wiki/Branding)
+- [Deployment](https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/wiki/Deployment)
+- [Project API](Project API)
+- [roadmap](https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/wiki/roadmap)
+
+---
+
+**Category:** Infrastructure | **Platform:** [MokoPlatform wiki](https://code.mokoconsulting.tech/MokoConsulting/MokoPlatform/wiki)
+
+---
+
+
+
+---

 ## Documentation

- [Org Wiki](https://git.mokoconsulting.tech/MokoConsulting/.mokogitea/wiki/) -- standards, CLI reference, API docs
- [Wiki Features](https://git.mokoconsulting.tech/MokoConsulting/.mokogitea/wiki/standards/Wiki-Features) -- all 10 wiki enhancements
- [Licensing API](https://git.mokoconsulting.tech/MokoConsulting/.mokogitea/wiki/api/Licensing-API)
+Full documentation is available on the [Wiki](https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/wiki).

 ## Contributing

-See the [org wiki](https://git.mokoconsulting.tech/MokoConsulting/.mokogitea/wiki/) for development guidelines, coding standards, and contribution instructions.
+See the wiki for development guidelines and contribution instructions.

 ## License

@@ -32,4 +40,4 @@ This project is licensed under the GNU General Public License v3.0 or later -- s

 ---

-*[Moko Consulting](https://mokoconsulting.tech)*
+*[Moko Consulting](https://mokoconsulting.tech) -- [MokoStandards](https://code.mokoconsulting.tech/MokoConsulting/MokoPlatform/wiki/Home)*
@@ -0,0 +1,237 @@
+#!/usr/bin/env bash
+# ============================================================================
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Automation.CI
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /automation/ci-issue-reporter.sh
+# VERSION: 09.23.00
+# BRIEF: Creates or updates a Gitea issue when a CI gate fails.
+#        Deduplicates by searching open issues with the "ci-auto" label
+#        whose title matches the gate. If a matching issue exists, a comment
+#        is appended instead of opening a duplicate.
+# ============================================================================
+
+set -euo pipefail
+
+# ── Defaults ────────────────────────────────────────────────────────────────
+GITEA_URL="${GITEA_URL:-https://git.mokoconsulting.tech}"
+GITEA_TOKEN="${GITEA_TOKEN:-}"
+REPO="${GITHUB_REPOSITORY:-}"
+RUN_URL="${GITHUB_SERVER_URL:-${GITEA_URL}}/${REPO}/actions/runs/${GITHUB_RUN_ID:-0}"
+LABEL_NAME="ci-auto"
+LABEL_COLOR="#e11d48"
+
+GATE=""
+DETAILS=""
+SEVERITY="error"
+WORKFLOW=""
+
+# ── Parse arguments ─────────────────────────────────────────────────────────
+usage() {
+  cat <<EOF
+Usage: ci-issue-reporter.sh --gate NAME --details TEXT [OPTIONS]
+
+Required:
+  --gate      CI gate name (e.g. "Code Quality", "Self-Health")
+  --details   Human-readable failure description
+
+Optional:
+  --severity  "error" (default) or "warning"
+  --workflow  Workflow name for the issue title
+  --repo      owner/repo (default: \$GITHUB_REPOSITORY)
+  --run-url   URL to the CI run (auto-detected from env)
+  --token     Gitea API token (default: \$GITEA_TOKEN)
+  --url       Gitea base URL (default: \$GITEA_URL)
+EOF
+  exit 1
+}
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --gate)     GATE="$2";       shift 2 ;;
+    --details)  DETAILS="$2";    shift 2 ;;
+    --severity) SEVERITY="$2";   shift 2 ;;
+    --workflow) WORKFLOW="$2";   shift 2 ;;
+    --repo)     REPO="$2";      shift 2 ;;
+    --run-url)  RUN_URL="$2";   shift 2 ;;
+    --token)    GITEA_TOKEN="$2"; shift 2 ;;
+    --url)      GITEA_URL="$2"; shift 2 ;;
+    -h|--help)  usage ;;
+    *)          echo "Unknown option: $1"; usage ;;
+  esac
+done
+
+[[ -z "$GATE" ]]         && { echo "ERROR: --gate is required"; usage; }
+[[ -z "$DETAILS" ]]      && { echo "ERROR: --details is required"; usage; }
+[[ -z "$GITEA_TOKEN" ]]  && { echo "ERROR: GITEA_TOKEN not set"; exit 1; }
+[[ -z "$REPO" ]]         && { echo "ERROR: GITHUB_REPOSITORY not set"; exit 1; }
+
+API="${GITEA_URL}/api/v1/repos/${REPO}"
+
+# ── Build title ─────────────────────────────────────────────────────────────
+if [[ -n "$WORKFLOW" ]]; then
+  TITLE="[CI] ${WORKFLOW}: ${GATE} failed"
+else
+  TITLE="[CI] ${GATE} failed"
+fi
+
+# ── Ensure label exists ─────────────────────────────────────────────────────
+ensure_label() {
+  local exists
+  exists=$(curl -sf -o /dev/null -w '%{http_code}' \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API}/labels" 2>/dev/null || echo "000")
+
+  if [[ "$exists" == "200" ]]; then
+    # Check if label already exists
+    local found
+    found=$(curl -sf \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      "${API}/labels" 2>/dev/null \
+      | grep -o "\"name\":\"${LABEL_NAME}\"" || true)
+
+    if [[ -z "$found" ]]; then
+      curl -sf -X POST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        "${API}/labels" \
+        -d "{\"name\":\"${LABEL_NAME}\",\"color\":\"${LABEL_COLOR}\",\"description\":\"Auto-created by CI issue reporter\"}" \
+        > /dev/null 2>&1 || true
+    fi
+  fi
+}
+
+# ── Search for existing open issue ──────────────────────────────────────────
+find_existing_issue() {
+  # URL-encode the gate name for the query
+  local query
+  query=$(printf '%s' "[CI] ${GATE}" | sed 's/ /%20/g; s/\[/%5B/g; s/\]/%5D/g')
+
+  local response
+  response=$(curl -sf \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    "${API}/issues?type=issues&state=open&labels=${LABEL_NAME}&q=${query}&limit=5" \
+    2>/dev/null || echo "[]")
+
+  # Extract the first matching issue number
+  echo "$response" \
+    | grep -oP '"number":\s*\K[0-9]+' \
+    | head -1
+}
+
+# ── Build issue body ────────────────────────────────────────────────────────
+build_body() {
+  local severity_badge
+  if [[ "$SEVERITY" == "error" ]]; then
+    severity_badge="**Severity:** Error"
+  else
+    severity_badge="**Severity:** Warning"
+  fi
+
+  cat <<BODY
+## CI Gate Failure: ${GATE}
+
+${severity_badge}
+**Workflow:** ${WORKFLOW:-unknown}
+**Branch:** ${GITHUB_REF_NAME:-unknown}
+**Commit:** \`${GITHUB_SHA:0:8}\`
+**Run:** [View CI run](${RUN_URL})
+
+### Details
+
+${DETAILS}
+
+### Resolution
+
+Fix the issue described above and push a new commit. This issue will be closed automatically when the gate passes, or can be closed manually.
+
+---
+*Auto-created by [ci-issue-reporter](${GITEA_URL}/${REPO}/src/branch/main/automation/ci-issue-reporter.sh)*
+BODY
+}
+
+# ── Build comment body (for existing issues) ────────────────────────────────
+build_comment() {
+  cat <<COMMENT
+### CI failure recurrence
+
+**Branch:** ${GITHUB_REF_NAME:-unknown}
+**Commit:** \`${GITHUB_SHA:0:8}\`
+**Run:** [View CI run](${RUN_URL})
+
+${DETAILS}
+COMMENT
+}
+
+# ── Main ────────────────────────────────────────────────────────────────────
+ensure_label
+
+EXISTING=$(find_existing_issue)
+
+if [[ -n "$EXISTING" ]]; then
+  # Append comment to existing issue
+  COMMENT_BODY=$(build_comment)
+  COMMENT_JSON=$(printf '%s' "$COMMENT_BODY" | python3 -c "
+import sys, json
+print(json.dumps({'body': sys.stdin.read()}))" 2>/dev/null)
+
+  HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${API}/issues/${EXISTING}/comments" \
+    -d "${COMMENT_JSON}" 2>/dev/null || echo "000")
+
+  if [[ "$HTTP" == "201" ]]; then
+    echo "Commented on existing issue #${EXISTING}"
+  else
+    echo "WARNING: Failed to comment on issue #${EXISTING} (HTTP ${HTTP})"
+  fi
+else
+  # Create new issue
+  ISSUE_BODY=$(build_body)
+  ISSUE_JSON=$(python3 -c "
+import sys, json
+body = sys.stdin.read()
+print(json.dumps({
+    'title': sys.argv[1],
+    'body': body,
+    'labels': []
+}))" "$TITLE" <<< "$ISSUE_BODY" 2>/dev/null)
+
+  # Create the issue
+  RESPONSE=$(curl -sf -X POST \
+    -H "Authorization: token ${GITEA_TOKEN}" \
+    -H "Content-Type: application/json" \
+    "${API}/issues" \
+    -d "${ISSUE_JSON}" 2>/dev/null || echo "{}")
+
+  ISSUE_NUM=$(echo "$RESPONSE" | grep -oP '"number":\s*\K[0-9]+' | head -1)
+
+  if [[ -n "$ISSUE_NUM" ]]; then
+    # Apply label (separate call — more reliable across Gitea versions)
+    LABEL_ID=$(curl -sf \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      "${API}/labels" 2>/dev/null \
+      | grep -oP "\"id\":\s*\K[0-9]+(?=[^}]*\"name\":\s*\"${LABEL_NAME}\")" \
+      | head -1 || true)
+
+    if [[ -n "$LABEL_ID" ]]; then
+      curl -sf -X POST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        "${API}/issues/${ISSUE_NUM}/labels" \
+        -d "{\"labels\":[${LABEL_ID}]}" \
+        > /dev/null 2>&1 || true
+    fi
+
+    echo "Created issue #${ISSUE_NUM}: ${TITLE}"
+  else
+    echo "WARNING: Failed to create issue"
+    echo "Response: ${RESPONSE}"
+  fi
+fi
@@ -24,7 +24,6 @@ const (
 	AccessTokenScopeCategoryIssue
 	AccessTokenScopeCategoryRepository
 	AccessTokenScopeCategoryUser
-	AccessTokenScopeCategoryLicensing
 )

 // AllAccessTokenScopeCategories contains all access token scope categories
@@ -38,7 +37,6 @@ var AllAccessTokenScopeCategories = []AccessTokenScopeCategory{
 	AccessTokenScopeCategoryIssue,
 	AccessTokenScopeCategoryRepository,
 	AccessTokenScopeCategoryUser,
-	AccessTokenScopeCategoryLicensing,
 }

 // AccessTokenScopeLevel represents the access levels without a given scope category
@@ -84,9 +82,6 @@ const (

 	AccessTokenScopeReadUser  AccessTokenScope = "read:user"
 	AccessTokenScopeWriteUser AccessTokenScope = "write:user"
-
-	AccessTokenScopeReadLicensing  AccessTokenScope = "read:licensing"
-	AccessTokenScopeWriteLicensing AccessTokenScope = "write:licensing"
 )

 // accessTokenScopeBitmap represents a bitmap of access token scopes.
@@ -98,8 +93,7 @@ const (
 	accessTokenScopeAllBits accessTokenScopeBitmap = accessTokenScopeWriteActivityPubBits |
 		accessTokenScopeWriteAdminBits | accessTokenScopeWriteMiscBits | accessTokenScopeWriteNotificationBits |
 		accessTokenScopeWriteOrganizationBits | accessTokenScopeWritePackageBits | accessTokenScopeWriteIssueBits |
-		accessTokenScopeWriteRepositoryBits | accessTokenScopeWriteUserBits |
-		accessTokenScopeWriteLicensingBits
+		accessTokenScopeWriteRepositoryBits | accessTokenScopeWriteUserBits

 	accessTokenScopePublicOnlyBits accessTokenScopeBitmap = 1 << iota

@@ -130,9 +124,6 @@ const (
 	accessTokenScopeReadUserBits  accessTokenScopeBitmap = 1 << iota
 	accessTokenScopeWriteUserBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadUserBits

-	accessTokenScopeReadLicensingBits  accessTokenScopeBitmap = 1 << iota
-	accessTokenScopeWriteLicensingBits accessTokenScopeBitmap = 1<<iota | accessTokenScopeReadLicensingBits
-
 	// The current implementation only supports up to 64 token scopes.
 	// If we need to support > 64 scopes,
 	// refactoring the whole implementation in this file (and only this file) is needed.
@@ -151,7 +142,6 @@ var allAccessTokenScopes = []AccessTokenScope{
 	AccessTokenScopeWriteIssue, AccessTokenScopeReadIssue,
 	AccessTokenScopeWriteRepository, AccessTokenScopeReadRepository,
 	AccessTokenScopeWriteUser, AccessTokenScopeReadUser,
-	AccessTokenScopeWriteLicensing, AccessTokenScopeReadLicensing,
 }

 // allAccessTokenScopeBits contains all access token scopes.
@@ -176,8 +166,6 @@ var allAccessTokenScopeBits = map[AccessTokenScope]accessTokenScopeBitmap{
 	AccessTokenScopeWriteRepository:   accessTokenScopeWriteRepositoryBits,
 	AccessTokenScopeReadUser:          accessTokenScopeReadUserBits,
 	AccessTokenScopeWriteUser:         accessTokenScopeWriteUserBits,
-	AccessTokenScopeReadLicensing:     accessTokenScopeReadLicensingBits,
-	AccessTokenScopeWriteLicensing:    accessTokenScopeWriteLicensingBits,
 }

 // readAccessTokenScopes maps a scope category to the read permission scope
@@ -192,7 +180,6 @@ var accessTokenScopes = map[AccessTokenScopeLevel]map[AccessTokenScopeCategory]A
 		AccessTokenScopeCategoryIssue:        AccessTokenScopeReadIssue,
 		AccessTokenScopeCategoryRepository:   AccessTokenScopeReadRepository,
 		AccessTokenScopeCategoryUser:         AccessTokenScopeReadUser,
-		AccessTokenScopeCategoryLicensing:    AccessTokenScopeReadLicensing,
 	},
 	Write: {
 		AccessTokenScopeCategoryActivityPub:  AccessTokenScopeWriteActivityPub,
@@ -204,7 +191,6 @@ var accessTokenScopes = map[AccessTokenScopeLevel]map[AccessTokenScopeCategory]A
 		AccessTokenScopeCategoryIssue:        AccessTokenScopeWriteIssue,
 		AccessTokenScopeCategoryRepository:   AccessTokenScopeWriteRepository,
 		AccessTokenScopeCategoryUser:         AccessTokenScopeWriteUser,
-		AccessTokenScopeCategoryLicensing:    AccessTokenScopeWriteLicensing,
 	},
 }

@@ -384,7 +370,7 @@ func (bitmap accessTokenScopeBitmap) toScope() AccessTokenScope {
 	scope := AccessTokenScope(strings.Join(scopes, ","))
 	scope = AccessTokenScope(strings.ReplaceAll(
 		string(scope),
-		"write:activitypub,write:admin,write:misc,write:notification,write:organization,write:package,write:issue,write:repository,write:user,write:licensing",
+		"write:activitypub,write:admin,write:misc,write:notification,write:organization,write:package,write:issue,write:repository,write:user",
 		"all",
 	))
 	return scope
@@ -17,13 +17,13 @@ type scopeTestNormalize struct {
 }

 func TestAccessTokenScope_Normalize(t *testing.T) {
-	assert.Equal(t, []string{"activitypub", "admin", "issue", "licensing", "misc", "notification", "organization", "package", "repository", "user"}, GetAccessTokenCategories())
+	assert.Equal(t, []string{"activitypub", "admin", "issue", "misc", "notification", "organization", "package", "repository", "user"}, GetAccessTokenCategories())
 	tests := []scopeTestNormalize{
 		{"", "", nil},
 		{"write:misc,write:notification,read:package,write:notification,public-only", "public-only,write:misc,write:notification,read:package", nil},
 		{"all", "all", nil},
-		{"write:activitypub,write:admin,write:misc,write:notification,write:organization,write:package,write:issue,write:repository,write:user,write:licensing", "all", nil},
-		{"write:activitypub,write:admin,write:misc,write:notification,write:organization,write:package,write:issue,write:repository,write:user,write:licensing,public-only", "public-only,all", nil},
+		{"write:activitypub,write:admin,write:misc,write:notification,write:organization,write:package,write:issue,write:repository,write:user", "all", nil},
+		{"write:activitypub,write:admin,write:misc,write:notification,write:organization,write:package,write:issue,write:repository,write:user,public-only", "public-only,all", nil},
 	}

 	for _, scope := range GetAccessTokenCategories() {
@@ -22,7 +22,6 @@ type IssueStatusDef struct {
 	Color       string             `xorm:"VARCHAR(7)"`  // hex color, e.g. "#e11d48"
 	Description string             `xorm:"TEXT"`
 	ClosesIssue bool               `xorm:"NOT NULL DEFAULT false 'closes_issue'"`
-	IsRequired  bool               `xorm:"NOT NULL DEFAULT false 'is_required'"` // cannot be deleted
 	SortOrder   int                `xorm:"NOT NULL DEFAULT 0 'sort_order'"`
 	IsActive    bool               `xorm:"NOT NULL DEFAULT true 'is_active'"`
 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED 'created_unix'"`
@@ -57,15 +56,14 @@ func GetIssueStatusDefsByOrg(ctx context.Context, orgID int64) ([]*IssueStatusDe
 }

 // seedDefaultIssueStatuses creates the standard status presets for an org.
-// Open and Closed are required (is_required=true) and cannot be deleted.
 func seedDefaultIssueStatuses(ctx context.Context, orgID int64) error {
 	defaults := []*IssueStatusDef{
-		{OrgID: orgID, Name: "Open", Color: "#2563eb", Description: "New or active issue", ClosesIssue: false, IsRequired: true, SortOrder: 0, IsActive: true},
-		{OrgID: orgID, Name: "In Progress", Color: "#7c3aed", Description: "Work is actively being done", SortOrder: 1, IsActive: true},
-		{OrgID: orgID, Name: "Waiting", Color: "#f59e0b", Description: "Blocked or waiting for input", SortOrder: 2, IsActive: true},
-		{OrgID: orgID, Name: "In Review", Color: "#0891b2", Description: "PR submitted, awaiting review", SortOrder: 3, IsActive: true},
-		{OrgID: orgID, Name: "Closed", Color: "#16a34a", Description: "Completed or resolved", ClosesIssue: true, IsRequired: true, SortOrder: 4, IsActive: true},
+		{OrgID: orgID, Name: "In Progress", Color: "#2563eb", Description: "Work is actively being done", SortOrder: 1, IsActive: true},
+		{OrgID: orgID, Name: "Needs Info", Color: "#f59e0b", Description: "Waiting for more information", SortOrder: 2, IsActive: true},
+		{OrgID: orgID, Name: "Blocked", Color: "#dc2626", Description: "Cannot proceed due to dependency", SortOrder: 3, IsActive: true},
+		{OrgID: orgID, Name: "Resolved", Color: "#16a34a", Description: "Fix implemented and verified", ClosesIssue: true, SortOrder: 4, IsActive: true},
 		{OrgID: orgID, Name: "Won't Fix", Color: "#6b7280", Description: "Decided not to address", ClosesIssue: true, SortOrder: 5, IsActive: true},
+		{OrgID: orgID, Name: "Duplicate", Color: "#8b5cf6", Description: "Already tracked elsewhere", ClosesIssue: true, SortOrder: 6, IsActive: true},
 	}
 	for _, d := range defaults {
 		if _, err := db.GetEngine(ctx).Insert(d); err != nil {
@@ -113,37 +111,13 @@ func UpdateIssueStatusDef(ctx context.Context, def *IssueStatusDef) error {
 	return err
 }

-// ErrStatusRequired is returned when trying to delete a required status.
-type ErrStatusRequired struct {
-	ID   int64
-	Name string
-}
-
-func (e ErrStatusRequired) Error() string {
-	return "status is required and cannot be deleted"
-}
-
-// IsErrStatusRequired checks if an error is ErrStatusRequired.
-func IsErrStatusRequired(err error) bool {
-	_, ok := err.(ErrStatusRequired)
-	return ok
-}
-
 // DeleteIssueStatusDef deletes a status definition and clears references on issues.
-// Returns ErrStatusRequired if the status is marked as required.
 func DeleteIssueStatusDef(ctx context.Context, id int64) error {
-	def, err := GetIssueStatusDefByID(ctx, id)
-	if err != nil {
-		return err
-	}
-	if def.IsRequired {
-		return ErrStatusRequired{ID: def.ID, Name: def.Name}
-	}
 	// Clear status_id on all issues that reference this definition
 	if _, err := db.GetEngine(ctx).Exec("UPDATE issue SET status_id = 0 WHERE status_id = ?", id); err != nil {
 		return err
 	}
-	_, err = db.GetEngine(ctx).ID(id).Delete(new(IssueStatusDef))
+	_, err := db.GetEngine(ctx).ID(id).Delete(new(IssueStatusDef))
 	return err
 }

@@ -436,7 +436,6 @@ func prepareMigrationTasks() []*migration {
 		newMigration(356, "Rename package_type to extension_type in repo manifest", v1_27.RenamePackageTypeToExtensionType),
 		newMigration(357, "Drop display_name from repo manifest and update stream config", v1_27.DropDisplayNameColumns),
 		newMigration(358, "Add licensing tables (license, entitlement, activation, product_tier)", v1_27.AddLicensingTables),
-		newMigration(359, "Add deploy fields to repo manifest", v1_27.AddDeployFieldsToRepoManifest),
 	}
 	return preparedMigrations
 }
@@ -1,23 +0,0 @@
-// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
-// SPDX-License-Identifier: GPL-3.0-or-later
-
-package v1_27
-
-import (
-	"xorm.io/xorm"
-)
-
-// AddDeployFieldsToRepoManifest adds deploy configuration columns to repo_manifest.
-func AddDeployFieldsToRepoManifest(x *xorm.Engine) error {
-	type RepoManifest struct {
-		DeployHost      string `xorm:"VARCHAR(255) 'deploy_host'"`
-		DeployPort      string `xorm:"VARCHAR(10) 'deploy_port'"`
-		DeployUser      string `xorm:"VARCHAR(100) 'deploy_user'"`
-		DeployPath      string `xorm:"TEXT 'deploy_path'"`
-		DockerImage     string `xorm:"VARCHAR(255) 'docker_image'"`
-		DockerRegistry  string `xorm:"VARCHAR(255) 'docker_registry'"`
-		ContainerName   string `xorm:"VARCHAR(100) 'container_name'"`
-		HealthURL       string `xorm:"TEXT 'health_url'"`
-	}
-	return x.Sync(new(RepoManifest))
-}
@@ -50,16 +50,6 @@ type RepoMetadata struct {
 	ExtensionType string `xorm:"VARCHAR(50) 'extension_type'"` // component, module, plugin, package, template, library, file
 	EntryPoint  string `xorm:"TEXT 'entry_point'"`          // build entry point path

-	// deploy section
-	DeployHost     string `xorm:"VARCHAR(255) 'deploy_host'"`     // SSH host for deploy
-	DeployPort     string `xorm:"VARCHAR(10) 'deploy_port'"`      // SSH port (default 2918)
-	DeployUser     string `xorm:"VARCHAR(100) 'deploy_user'"`     // SSH user
-	DeployPath     string `xorm:"TEXT 'deploy_path'"`              // remote path for source/compose
-	DockerImage    string `xorm:"VARCHAR(255) 'docker_image'"`    // e.g. mokoconsulting/mokogitea
-	DockerRegistry string `xorm:"VARCHAR(255) 'docker_registry'"` // e.g. git.mokoconsulting.tech
-	ContainerName  string `xorm:"VARCHAR(100) 'container_name'"`  // Docker container name
-	HealthURL      string `xorm:"TEXT 'health_url'"`               // health check URL after deploy
-
 	CreatedUnix timeutil.TimeStamp `xorm:"INDEX CREATED 'created_unix'"`
 	UpdatedUnix timeutil.TimeStamp `xorm:"UPDATED 'updated_unix'"`
 }
@@ -298,9 +298,6 @@ func toGitContext(input map[string]any) *model.GithubContext {
 	return gitContext
 }

-// workflowCallEvent is only fired by another workflow's `uses:`, so it is excluded from trigger detection.
-const workflowCallEvent = "workflow_call"
-
 func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 	switch rawOn.Kind {
 	case yaml.ScalarNode:
@@ -309,9 +306,6 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		if err != nil {
 			return nil, err
 		}
-		if val == workflowCallEvent {
-			return []*Event{}, nil
-		}
 		return []*Event{
 			{Name: val},
 		}, nil
@@ -325,9 +319,6 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		for _, v := range val {
 			switch t := v.(type) {
 			case string:
-				if t == workflowCallEvent {
-					continue
-				}
 				res = append(res, &Event{Name: t})
 			default:
 				return nil, fmt.Errorf("invalid type %T", t)
@@ -341,9 +332,6 @@ func ParseRawOn(rawOn *yaml.Node) ([]*Event, error) {
 		}
 		res := make([]*Event, 0, len(events))
 		for i, k := range events {
-			if k == workflowCallEvent {
-				continue
-			}
 			v := triggers[i]
 			switch v.Kind {
 			case yaml.ScalarNode:
@@ -254,53 +254,6 @@ func TestParseRawOn(t *testing.T) {
 				},
 			},
 		},
-		{
-			// `workflow_call` is only fired by another workflow's `uses:`, so ParseRawOn intentionally excludes it from trigger detection.
-			input: `on:
-  workflow_call:
-    inputs:
-      env:
-        type: string
-        required: true
-    outputs:
-      sha:
-        value: ${{ jobs.build.outputs.commit }}
-    secrets:
-      DEPLOY_KEY:
-        required: true
-`,
-			result: []*Event{},
-		},
-		{
-			// Mixed: a workflow that is both callable AND triggered by push. Only the "push" event surfaces.
-			input: `on:
-  workflow_call:
-    inputs:
-      env:
-        type: string
-  push:
-    branches: [main]
-`,
-			result: []*Event{
-				{
-					Name: "push",
-					acts: map[string][]string{"branches": {"main"}},
-				},
-			},
-		},
-		{
-			// Scalar form: a purely reusable workflow has no event triggers.
-			input:  "on: workflow_call",
-			result: []*Event{},
-		},
-		{
-			// Sequence form: `workflow_call` is excluded while sibling events are kept.
-			input: "on:\n  - push\n  - workflow_call\n  - pull_request",
-			result: []*Event{
-				{Name: "push"},
-				{Name: "pull_request"},
-			},
-		},
 	}
 	for _, kase := range kases {
 		t.Run(kase.input, func(t *testing.T) {
@@ -175,25 +175,16 @@ var emojiProcessors = []processor{
 	emojiProcessor,
 }

-// isBareURLSubject reports whether the (HTML-escaped) commit subject content
-// is entirely a single URL, ignoring leading/trailing whitespace.
-func isBareURLSubject(content string) bool {
-	s := strings.TrimSpace(html.UnescapeString(content))
-	if s == "" {
-		return false
-	}
-	m := common.GlobalVars().LinkRegex.FindStringIndex(s)
-	return m != nil && m[0] == 0 && m[1] == len(s)
-}
-
 // PostProcessCommitMessageSubject will use the same logic as PostProcess and
 // PostProcessCommitMessage, but will disable the shortLinkProcessor and
-// emailAddressProcessor, and wraps the whole subject in defaultLink.
+// emailAddressProcessor, will add a defaultLinkProcessor if defaultLink is set,
+// which changes every text node into a link to the passed default link.
 func PostProcessCommitMessageSubject(ctx *RenderContext, defaultLink, content string) (string, error) {
 	procs := []processor{
 		fullIssuePatternProcessor,
 		comparePatternProcessor,
 		fullHashPatternProcessor,
+		linkProcessor,
 		mentionProcessor,
 		issueIndexPatternProcessor,
 		commitCrossReferencePatternProcessor,
@@ -201,15 +192,6 @@ func PostProcessCommitMessageSubject(ctx *RenderContext, defaultLink, content st
 		emojiShortCodeProcessor,
 		emojiProcessor,
 	}
-	// When the whole subject is a bare URL, linkProcessor would turn it into
-	// a competing anchor and hijack the surrounding defaultLink wrapper, leaving
-	// the subject visually unclickable. Match GitHub: render such subjects as
-	// plain text inside defaultLink. Partial URLs inside larger text still become
-	// their own links (nested anchors aren't legal HTML, so the outer defaultLink
-	// naturally breaks on that span, same as on GitHub).
-	if !isBareURLSubject(content) {
-		procs = append(procs, linkProcessor)
-	}
 	procs = append(procs, func(ctx *RenderContext, node *html.Node) {
 		ch := &html.Node{Parent: node, Type: html.TextNode, Data: node.Data}
 		node.Type = html.ElementNode
@@ -14,7 +14,6 @@ import (
 	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
 	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/optional"
 	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/user"
-	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/util"
 )

 // settings
@@ -198,38 +197,32 @@ func loadLoginNotificationFrom(cfg ConfigProvider) {

 func loadRunModeFrom(rootCfg ConfigProvider) {
 	rootSec := rootCfg.Section("")
-	mustNotRunAsRoot(rootSec)
-
-	runModeValue := os.Getenv("GITEA_RUN_MODE")
-	runModeValue = util.IfZero(runModeValue, rootSec.Key("RUN_MODE").String())
-	// non-dev mode is treated as prod mode, to protect users from accidentally running in dev mode if there is a typo in this value.
-	IsProd = !strings.EqualFold(runModeValue, "dev") // TODO: can use case-sensitive comparing in the future
-	RunMode = util.Iif(IsProd, "prod", "dev")
-
-	// there is a separate check: mustCurrentRunUserMatch (IsRunUserMatchCurrentUser)
 	RunUser = rootSec.Key("RUN_USER").MustString(user.CurrentUsername())
-}
-
-func mustNotRunAsRoot(rootSec ConfigSection) {
-	if os.Getuid() != 0 {
-		return
-	}
-
-	mustRunAsRoot := os.Getenv("SNAP") != "" && os.Getenv("SNAP_NAME") != "" // snap container runs the app as uid=0
-	if mustRunAsRoot {
-		return
-	}

 	// The following is a purposefully undocumented option. Please do not run Gitea as root. It will only cause future headaches.
 	// Please don't use root as a bandaid to "fix" something that is broken, instead the broken thing should instead be fixed properly.
-	allowRunAsRoot := ConfigSectionKeyBool(rootSec, "I_AM_BEING_UNSAFE_RUNNING_AS_ROOT") || // check gitea config
-		optional.ParseBool(os.Getenv("GITEA_I_AM_BEING_UNSAFE_RUNNING_AS_ROOT")).Value() // check gitea env var
-
-	if !allowRunAsRoot {
-		// Special thanks to VLC which inspired the wording of this messaging.
-		log.Fatal("Gitea is not supposed to be run as root. If you need to use privileged TCP ports please instead use `setcap` and the `cap_net_bind_service` permission.")
+	unsafeAllowRunAsRoot := ConfigSectionKeyBool(rootSec, "I_AM_BEING_UNSAFE_RUNNING_AS_ROOT")
+	unsafeAllowRunAsRoot = unsafeAllowRunAsRoot || optional.ParseBool(os.Getenv("GITEA_I_AM_BEING_UNSAFE_RUNNING_AS_ROOT")).Value()
+	RunMode = os.Getenv("GITEA_RUN_MODE")
+	if RunMode == "" {
+		RunMode = rootSec.Key("RUN_MODE").MustString("prod")
+	}
+
+	// non-dev mode is treated as prod mode, to protect users from accidentally running in dev mode if there is a typo in this value.
+	RunMode = strings.ToLower(RunMode)
+	if RunMode != "dev" {
+		RunMode = "prod"
+	}
+	IsProd = RunMode != "dev"
+
+	// check if we run as root
+	if os.Getuid() == 0 {
+		if !unsafeAllowRunAsRoot {
+			// Special thanks to VLC which inspired the wording of this messaging.
+			log.Fatal("Gitea is not supposed to be run as root. Sorry. If you need to use privileged TCP ports please instead use setcap and the `cap_net_bind_service` permission")
+		}
+		log.Critical("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
 	}
-	log.Warn("You are running Gitea using the root user, and have purposely chosen to skip built-in protections around this. You have been warned against this.")
 }

 // HasInstallLock checks the install-lock in ConfigProvider directly, because sometimes the config file is not loaded into setting variables yet.
@@ -165,7 +165,6 @@ type IssueStatusDef struct {
 	Color       string `json:"color"`
 	Description string `json:"description"`
 	ClosesIssue bool   `json:"closes_issue"`
-	IsRequired  bool   `json:"is_required"`
 	SortOrder   int    `json:"sort_order"`
 }

@@ -40,16 +40,6 @@ type CreateAccessTokenOption struct {
 	Scopes []string `json:"scopes"`
 }

-// EditAccessTokenOption options when editing access token scopes
-// swagger:model EditAccessTokenOption
-type EditAccessTokenOption struct {
-	// The new name for the token (optional)
-	Name string `json:"name"`
-	// The new scopes for the token
-	// example: ["read:repository", "write:issue"]
-	Scopes []string `json:"scopes"`
-}
-
 // CreateOAuth2ApplicationOptions holds options to create an oauth2 application
 type CreateOAuth2ApplicationOptions struct {
 	// The name of the OAuth2 application
@@ -140,18 +140,6 @@ com 88fc37a3c0a4dda553bdcfc80c178a58247f42fb mit
 		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject(testInput(), "https://example.com/link", mockRepo))
 	})

-	t.Run("RenderCommitMessageLinkSubjectURLOnly", func(t *testing.T) {
-		// a bare URL in the subject must not hijack the default link
-		expected := `<a href="https://example.com/link" class="muted">https://example.com/file.bin</a>`
-		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject("https://example.com/file.bin", "https://example.com/link", mockRepo))
-	})
-
-	t.Run("RenderCommitMessageLinkSubjectPartialURL", func(t *testing.T) {
-		// a URL embedded in larger subject text still becomes its own link
-		expected := `<a href="https://example.com/link" class="muted">see </a><a href="https://example.com/x" data-markdown-generated-content="">https://example.com/x</a><a href="https://example.com/link" class="muted"> here</a>`
-		assert.EqualValues(t, expected, newTestRenderUtils(t).RenderCommitMessageLinkSubject("see https://example.com/x here", "https://example.com/link", mockRepo))
-	})
-
 	t.Run("RenderIssueTitle", func(t *testing.T) {
 		defer test.MockVariableValue(&markup.RenderBehaviorForTesting.DisableAdditionalAttributes, true)()
 		expected := `  space @mention-user<SPACE><SPACE>
@@ -855,8 +855,6 @@
  "settings.access_token_deletion_confirm_action": "Delete",
  "settings.access_token_deletion_desc": "Deleting a token will revoke access to your account for applications using it. This cannot be undone. Continue?",
  "settings.delete_token_success": "The token has been deleted. Applications using it no longer have access to your account.",
-  "settings.edit_token_scopes": "Edit Token Scopes",
-  "settings.update_token_success": "Token scopes have been updated successfully.",
  "settings.repo_and_org_access": "Repository and Organization Access",
  "settings.permissions_public_only": "Public only",
  "settings.permissions_access_all": "All (public, private, and limited)",
@@ -261,32 +261,16 @@ func (s *Service) UpdateLog(
 	}
 	ack := task.LogLength

-	// Trim rows the runner already had acked.
-	var rows []*runnerv1.LogRow
-	if req.Msg.Index <= ack && int64(len(req.Msg.Rows))+req.Msg.Index > ack {
-		rows = req.Msg.Rows[ack-req.Msg.Index:]
+	if len(req.Msg.Rows) == 0 || req.Msg.Index > ack || int64(len(req.Msg.Rows))+req.Msg.Index <= ack {
+		res.Msg.AckIndex = ack
+		return res, nil
 	}

-	// Ack a re-sent finalize idempotently. Appending new rows past the seal errors.
 	if task.LogInStorage {
-		if len(rows) > 0 {
-			return nil, status.Errorf(codes.AlreadyExists, "log file has been archived")
-		}
-		res.Msg.AckIndex = ack
-		return res, nil
+		return nil, status.Errorf(codes.AlreadyExists, "log file has been archived")
 	}

-	// Bail unless we have new rows or a NoMore to finalize. Even with
-	// NoMore, bail when the runner has outrun the server — archiving a
-	// log with a gap is worse than asking it to retry.
-	if len(rows) == 0 && (!req.Msg.NoMore || req.Msg.Index > ack) {
-		res.Msg.AckIndex = ack
-		return res, nil
-	}
-
-	// WriteLogs is called even with no rows: with offset==0 it bootstraps
-	// an empty DBFS file so TransferLogs below has something to read when
-	// the runner finalizes a task that produced no log output.
+	rows := req.Msg.Rows[ack-req.Msg.Index:]
 	ns, err := actions.WriteLogs(ctx, task.LogFilename, task.LogSize, rows)
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "unable to append logs to dbfs file: %v", err)
@@ -294,9 +294,6 @@ func checkTokenPublicOnly() func(ctx *context.APIContext) {
 					ctx.APIError(http.StatusForbidden, "token scope is limited to public packages")
 					return
 				}
-			case auth_model.AccessTokenScopeCategoryLicensing:
-				ctx.APIError(http.StatusForbidden, "token scope is limited to public resources, licensing is not available")
-				return
 			}
 		}
 	}
@@ -1007,9 +1004,7 @@ func Routes() *web.Router {
 				m.Group("/tokens", func() {
 					m.Combo("").Get(user.ListAccessTokens).
 						Post(bind(api.CreateAccessTokenOption{}), reqToken(), user.CreateAccessToken)
-					m.Combo("/{id}").
-						Patch(bind(api.EditAccessTokenOption{}), reqToken(), user.UpdateAccessToken).
-						Delete(reqToken(), user.DeleteAccessToken)
+					m.Combo("/{id}").Delete(reqToken(), user.DeleteAccessToken)
 				}, reqSelfOrAdmin(), reqBasicOrRevProxyAuth())

 				m.Get("/activities/feeds", user.ListUserActivityFeeds)
@@ -1319,7 +1314,6 @@ func Routes() *web.Router {
 					m.Get("/revisions/*", repo.ListPageRevisions)
 					m.Post("/new", reqToken(), mustNotBeArchived, reqRepoWriter(unit.TypeWiki), bind(api.CreateWikiPageOptions{}), repo.NewWikiPage)
 					m.Get("/pages", repo.ListWikiPages)
-					m.Get("/search", repo.SearchWikiPages)
 				}, mustEnableWiki)
 				m.Post("/markup", reqToken(), bind(api.MarkupOption{}), misc.Markup)
 				m.Post("/markdown", reqToken(), bind(api.MarkdownOption{}), misc.Markdown)
@@ -1897,7 +1891,7 @@ func Routes() *web.Router {

 			// Authenticated license detail
 			m.Get("/{dlid}/status", reqToken(), licensing.Status)
-		}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryLicensing))
+		})
 	}, sudo())

 	return m
@@ -207,10 +207,7 @@ func UpdateLicense(ctx *context.APIContext) {
 	}
 	if len(cols) > 0 {
 		cols = append(cols, "updated_at")
-		if _, err := db.GetEngine(ctx).ID(id).Cols(cols...).Update(license); err != nil {
-			ctx.APIErrorInternal(err)
-			return
-		}
+		db.GetEngine(ctx).ID(id).Cols(cols...).Update(license)
 	}

 	ctx.JSON(http.StatusOK, licenseToJSON(ctx, license))
@@ -402,10 +399,7 @@ func UpdateTier(ctx *context.APIContext) {
 	}

 	if len(cols) > 0 {
-		if _, err := db.GetEngine(ctx).ID(id).Cols(cols...).Update(tier); err != nil {
-			ctx.APIErrorInternal(err)
-			return
-		}
+		db.GetEngine(ctx).ID(id).Cols(cols...).Update(tier)
 	}

 	ctx.JSON(http.StatusOK, tierToJSON(tier))
@@ -433,10 +427,7 @@ func DeleteTier(ctx *context.APIContext) {
 		return
 	}

-	if _, err := db.GetEngine(ctx).ID(id).Delete(new(licensing_model.ProductTier)); err != nil {
-		ctx.APIErrorInternal(err)
-		return
-	}
+	db.GetEngine(ctx).ID(id).Delete(new(licensing_model.ProductTier))
 	ctx.Status(http.StatusNoContent)
 }

@@ -11,19 +11,6 @@ import (
 	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
 )

-// checkOrgVisibility returns true if the current user can view org metadata.
-// Public orgs are visible to everyone. Private/limited orgs require authentication.
-func checkOrgVisibility(ctx *context.APIContext) bool {
-	if ctx.Org.Organization.Visibility == api.VisibleTypePublic {
-		return true
-	}
-	if ctx.Doer == nil {
-		ctx.APIErrorNotFound()
-		return false
-	}
-	return true
-}
-
 // ListIssueStatuses returns active issue status definitions for an org.
 func ListIssueStatuses(ctx *context.APIContext) {
 	// swagger:operation GET /orgs/{org}/issue-statuses organization orgListIssueStatuses
@@ -47,10 +34,6 @@ func ListIssueStatuses(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"

-	if !checkOrgVisibility(ctx) {
-		return
-	}
-
 	defs, err := issues_model.GetIssueStatusDefsByOrg(ctx, ctx.Org.Organization.ID)
 	if err != nil {
 		ctx.APIErrorInternal(err)
@@ -64,7 +47,6 @@ func ListIssueStatuses(ctx *context.APIContext) {
 			Color:       d.Color,
 			Description: d.Description,
 			ClosesIssue: d.ClosesIssue,
-			IsRequired:  d.IsRequired,
 			SortOrder:   d.SortOrder,
 		})
 	}
@@ -94,10 +76,6 @@ func ListIssuePriorities(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"

-	if !checkOrgVisibility(ctx) {
-		return
-	}
-
 	defs, err := issues_model.GetIssuePriorityDefsByOrg(ctx, ctx.Org.Organization.ID)
 	if err != nil {
 		ctx.APIErrorInternal(err)
@@ -140,10 +118,6 @@ func ListIssueTypes(ctx *context.APIContext) {
 	//   "404":
 	//     "$ref": "#/responses/notFound"

-	if !checkOrgVisibility(ctx) {
-		return
-	}
-
 	defs, err := issues_model.GetIssueTypeDefsByOrg(ctx, ctx.Org.Organization.ID)
 	if err != nil {
 		ctx.APIErrorInternal(err)
@@ -1081,8 +1081,6 @@ func ActionsDispatchWorkflow(ctx *context.APIContext) {
 			ctx.APIError(http.StatusNotFound, err)
 		} else if errors.Is(err, util.ErrPermissionDenied) {
 			ctx.APIError(http.StatusForbidden, err)
-		} else if errors.Is(err, util.ErrInvalidArgument) {
-			ctx.APIError(http.StatusUnprocessableEntity, err)
 		} else {
 			ctx.APIErrorInternal(err)
 		}
@@ -32,16 +32,6 @@ type apiMetadata struct {
 	Language         string `json:"language"`
 	ExtensionType      string `json:"extension_type"`
 	EntryPoint       string `json:"entry_point"`
-
-	// deploy
-	DeployHost     string `json:"deploy_host,omitempty"`
-	DeployPort     string `json:"deploy_port,omitempty"`
-	DeployUser     string `json:"deploy_user,omitempty"`
-	DeployPath     string `json:"deploy_path,omitempty"`
-	DockerImage    string `json:"docker_image,omitempty"`
-	DockerRegistry string `json:"docker_registry,omitempty"`
-	ContainerName  string `json:"container_name,omitempty"`
-	HealthURL      string `json:"health_url,omitempty"`
 }

 // GetRepoMetadata returns the manifest settings for a repository.
@@ -91,14 +81,6 @@ func GetRepoMetadata(ctx *context.APIContext) {
 		Language:         m.Language,
 		ExtensionType:      m.ExtensionType,
 		EntryPoint:       m.EntryPoint,
-		DeployHost:       m.DeployHost,
-		DeployPort:       m.DeployPort,
-		DeployUser:       m.DeployUser,
-		DeployPath:       m.DeployPath,
-		DockerImage:      m.DockerImage,
-		DockerRegistry:   m.DockerRegistry,
-		ContainerName:    m.ContainerName,
-		HealthURL:        m.HealthURL,
 	})
 }

@@ -114,58 +96,34 @@ func UpdateRepoMetadata(ctx *context.APIContext) {
 	// responses:
 	//   "200":
 	//     "$ref": "#/responses/Manifest"
-	// Decode into a map to detect which fields were actually sent.
-	var raw map[string]any
-	if err := json.NewDecoder(ctx.Req.Body).Decode(&raw); err != nil {
+	var req apiMetadata
+	if err := json.NewDecoder(ctx.Req.Body).Decode(&req); err != nil {
 		ctx.APIError(http.StatusBadRequest, err)
 		return
 	}

-	// Load existing metadata (or create defaults).
-	m, _ := repo_model.GetRepoMetadata(ctx, ctx.Repo.Repository.ID)
-	if m == nil {
-		m = &repo_model.RepoMetadata{
-			RepoID:      ctx.Repo.Repository.ID,
-			Name:        ctx.Repo.Repository.Name,
-			Org:         ctx.Repo.Repository.OwnerName,
-			Description: ctx.Repo.Repository.Description,
-		}
-	}
+	m := &repo_model.RepoMetadata{
+		RepoID:           ctx.Repo.Repository.ID,
+		Name:             req.Name,
+		Org:              req.Org,
+		Description:      req.Description,

-	// Apply only the fields present in the request.
-	setStr := func(key string, target *string) {
-		if v, ok := raw[key]; ok {
-			if s, ok := v.(string); ok {
-				*target = s
-			}
-		}
+		LicenseSPDX:      req.LicenseSPDX,
+		LicenseName:      req.LicenseName,
+		VersionPrefix:    req.VersionPrefix,
+		ElementName:      req.ElementName,
+		Platform:         req.Platform,
+		StandardsVersion: req.StandardsVersion,
+		StandardsSource:  req.StandardsSource,
+		Maintainer:       req.Maintainer,
+		MaintainerURL:    req.MaintainerURL,
+		InfoURL:          req.InfoURL,
+		TargetVersion:    req.TargetVersion,
+		PHPMinimum:       req.PHPMinimum,
+		Language:         req.Language,
+		ExtensionType:      req.ExtensionType,
+		EntryPoint:       req.EntryPoint,
 	}
-	setStr("name", &m.Name)
-	setStr("org", &m.Org)
-	setStr("description", &m.Description)
-	setStr("license_spdx", &m.LicenseSPDX)
-	setStr("license_name", &m.LicenseName)
-	setStr("version_prefix", &m.VersionPrefix)
-	setStr("element_name", &m.ElementName)
-	setStr("platform", &m.Platform)
-	setStr("standards_version", &m.StandardsVersion)
-	setStr("standards_source", &m.StandardsSource)
-	setStr("maintainer", &m.Maintainer)
-	setStr("maintainer_url", &m.MaintainerURL)
-	setStr("info_url", &m.InfoURL)
-	setStr("target_version", &m.TargetVersion)
-	setStr("php_minimum", &m.PHPMinimum)
-	setStr("language", &m.Language)
-	setStr("extension_type", &m.ExtensionType)
-	setStr("entry_point", &m.EntryPoint)
-	setStr("deploy_host", &m.DeployHost)
-	setStr("deploy_port", &m.DeployPort)
-	setStr("deploy_user", &m.DeployUser)
-	setStr("deploy_path", &m.DeployPath)
-	setStr("docker_image", &m.DockerImage)
-	setStr("docker_registry", &m.DockerRegistry)
-	setStr("container_name", &m.ContainerName)
-	setStr("health_url", &m.HealthURL)

 	if err := repo_model.CreateOrUpdateRepoMetadata(ctx, m); err != nil {
 		ctx.APIErrorInternal(err)
@@ -193,13 +151,5 @@ func UpdateRepoMetadata(ctx *context.APIContext) {
 		Language:         m.Language,
 		ExtensionType:      m.ExtensionType,
 		EntryPoint:       m.EntryPoint,
-		DeployHost:       m.DeployHost,
-		DeployPort:       m.DeployPort,
-		DeployUser:       m.DeployUser,
-		DeployPath:       m.DeployPath,
-		DockerImage:      m.DockerImage,
-		DockerRegistry:   m.DockerRegistry,
-		ContainerName:    m.ContainerName,
-		HealthURL:        m.HealthURL,
 	})
 }
@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
-	"strings"

 	repo_model "code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/git"
@@ -462,148 +461,10 @@ func ListPageRevisions(ctx *context.APIContext) {
 	ctx.JSON(http.StatusOK, convert.ToWikiCommitList(commitsHistory, commitsCount))
 }

-// SearchWikiPages searches wiki page titles and content.
-func SearchWikiPages(ctx *context.APIContext) {
-	// swagger:operation GET /repos/{owner}/{repo}/wiki/search repository repoSearchWikiPages
-	// ---
-	// summary: Search wiki pages
-	// produces:
-	// - application/json
-	// parameters:
-	// - name: owner
-	//   in: path
-	//   description: owner of the repo
-	//   type: string
-	//   required: true
-	// - name: repo
-	//   in: path
-	//   description: name of the repo
-	//   type: string
-	//   required: true
-	// - name: q
-	//   in: query
-	//   description: search query
-	//   type: string
-	//   required: true
-	// - name: page
-	//   in: query
-	//   description: page number of results to return (1-based)
-	//   type: integer
-	// - name: limit
-	//   in: query
-	//   description: page size of results
-	//   type: integer
-	// responses:
-	//   "200":
-	//     description: "SearchResults"
-	//   "404":
-	//     "$ref": "#/responses/notFound"
-
-	query := strings.TrimSpace(ctx.FormString("q"))
-	if query == "" {
-		ctx.JSON(http.StatusOK, []interface{}{})
-		return
-	}
-
-	wikiRepo, commit := findWikiRepoCommit(ctx)
-	if wikiRepo != nil {
-		defer wikiRepo.Close()
-	}
-	if ctx.Written() {
-		return
-	}
-
-	queryLower := strings.ToLower(query)
-
-	type WikiSearchResult struct {
-		PageName string `json:"page_name"`
-		PageURL  string `json:"page_url"`
-		Context  string `json:"context,omitempty"`
-	}
-
-	entries, err := commit.ListEntriesRecursiveFast()
-	if err != nil {
-		ctx.APIErrorInternal(err)
-		return
-	}
-
-	var results []WikiSearchResult
-	for _, entry := range entries {
-		if !entry.IsRegular() || !strings.HasSuffix(entry.Name(), ".md") {
-			continue
-		}
-		baseName := strings.TrimSuffix(entry.Name(), ".md")
-		// Extract just the filename without path for special file check
-		parts := strings.Split(baseName, "/")
-		shortName := parts[len(parts)-1]
-		if shortName == "_Sidebar" || shortName == "_Footer" {
-			continue
-		}
-
-		blob := entry.Blob()
-		content, err := blob.GetBlobContent(setting.UI.MaxDisplayFileSize)
-		if err != nil {
-			continue
-		}
-
-		titleMatch := strings.Contains(strings.ToLower(baseName), queryLower)
-		contentMatch := strings.Contains(strings.ToLower(content), queryLower)
-
-		if !titleMatch && !contentMatch {
-			continue
-		}
-
-		contextLine := ""
-		if contentMatch {
-			for _, line := range strings.Split(content, "\n") {
-				if strings.Contains(strings.ToLower(line), queryLower) {
-					contextLine = strings.TrimSpace(line)
-					if len(contextLine) > 200 {
-						contextLine = contextLine[:200] + "..."
-					}
-					break
-				}
-			}
-		}
-
-		wikiName, err := wiki_service.GitPathToWebPath(entry.Name())
-		if err != nil {
-			continue
-		}
-		_, displayName := wiki_service.WebPathToUserTitle(wikiName)
-
-		results = append(results, WikiSearchResult{
-			PageName: displayName,
-			PageURL:  string(wikiName),
-			Context:  contextLine,
-		})
-	}
-
-	// Pagination
-	page := max(ctx.FormInt("page"), 1)
-	limit := ctx.FormInt("limit")
-	if limit <= 0 {
-		limit = setting.API.DefaultPagingNum
-	}
-	total := len(results)
-	start := (page - 1) * limit
-	end := start + limit
-	if start > total {
-		start = total
-	}
-	if end > total {
-		end = total
-	}
-
-	ctx.SetLinkHeader(int64(total), limit)
-	ctx.SetTotalCountHeader(int64(total))
-	ctx.JSON(http.StatusOK, results[start:end])
-}
-
 // findEntryForFile finds the tree entry for a target filepath.
 func findEntryForFile(commit *git.Commit, target string) (*git.TreeEntry, error) {
 	entry, err := commit.GetTreeEntryByPath(target)
-	if err != nil && !git.IsErrNotExist(err) {
+	if err != nil {
 		return nil, err
 	}
 	if entry != nil {
@@ -209,106 +209,6 @@ func DeleteAccessToken(ctx *context.APIContext) {
 	ctx.Status(http.StatusNoContent)
 }

-// UpdateAccessToken update access token scopes
-func UpdateAccessToken(ctx *context.APIContext) {
-	// swagger:operation PATCH /users/{username}/tokens/{id} user userUpdateAccessToken
-	// ---
-	// summary: Update an access token's scopes
-	// consumes:
-	// - application/json
-	// produces:
-	// - application/json
-	// parameters:
-	// - name: username
-	//   in: path
-	//   description: username of the user whose token is to be updated
-	//   type: string
-	//   required: true
-	// - name: id
-	//   in: path
-	//   description: id of the token to update
-	//   type: integer
-	//   format: int64
-	//   required: true
-	// - name: body
-	//   in: body
-	//   schema:
-	//     "$ref": "#/definitions/EditAccessTokenOption"
-	// responses:
-	//   "200":
-	//     "$ref": "#/responses/AccessToken"
-	//   "400":
-	//     "$ref": "#/responses/error"
-	//   "403":
-	//     "$ref": "#/responses/forbidden"
-	//   "404":
-	//     "$ref": "#/responses/notFound"
-
-	tokenID, _ := strconv.ParseInt(ctx.PathParam("id"), 0, 64)
-	if tokenID == 0 {
-		ctx.APIErrorNotFound()
-		return
-	}
-
-	tokens, err := db.Find[auth_model.AccessToken](ctx, auth_model.ListAccessTokensOptions{
-		UserID: ctx.ContextUser.ID,
-	})
-	if err != nil {
-		ctx.APIErrorInternal(err)
-		return
-	}
-
-	var token *auth_model.AccessToken
-	for _, t := range tokens {
-		if t.ID == tokenID {
-			token = t
-			break
-		}
-	}
-	if token == nil {
-		ctx.APIErrorNotFound()
-		return
-	}
-
-	form := web.GetForm(ctx).(*api.EditAccessTokenOption)
-
-	if form.Name == "" && len(form.Scopes) == 0 {
-		ctx.APIError(http.StatusBadRequest, "must provide name or scopes to update")
-		return
-	}
-
-	if form.Name != "" {
-		token.Name = form.Name
-	}
-
-	if len(form.Scopes) > 0 {
-		scope, err := auth_model.AccessTokenScope(strings.Join(form.Scopes, ",")).Normalize()
-		if err != nil {
-			ctx.APIError(http.StatusBadRequest, fmt.Errorf("invalid access token scope: %w", err))
-			return
-		}
-		if scope == "" {
-			ctx.APIError(http.StatusBadRequest, "access token must have a scope")
-			return
-		}
-		token.Scope = scope
-	}
-
-	if err := auth_model.UpdateAccessToken(ctx, token); err != nil {
-		ctx.APIErrorInternal(err)
-		return
-	}
-
-	ctx.JSON(http.StatusOK, &api.AccessToken{
-		ID:             token.ID,
-		Name:           token.Name,
-		TokenLastEight: token.TokenLastEight,
-		Scopes:         token.Scope.StringSlice(),
-		Created:        token.CreatedUnix.AsTime(),
-		Updated:        token.UpdatedUnix.AsTime(),
-	})
-}
-
 // CreateOauth2Application is the handler to create a new OAuth2 Application for the authenticated user
 func CreateOauth2Application(ctx *context.APIContext) {
 	// swagger:operation POST /user/applications/oauth2 user userCreateOAuth2Application
@@ -103,11 +103,6 @@ func SettingsIssueStatusesDeletePost(ctx *context.Context) {
 	}

 	if err := issues_model.DeleteIssueStatusDef(ctx, id); err != nil {
-		if issues_model.IsErrStatusRequired(err) {
-			ctx.Flash.Error("Cannot delete required status: " + def.Name)
-			ctx.Redirect(ctx.Org.OrgLink + "/settings/issue-statuses")
-			return
-		}
 		ctx.ServerError("DeleteIssueStatusDef", err)
 		return
 	}
@@ -29,14 +29,6 @@ type OrgWikiPage struct {
 	SubURL string
 }

-// OrgWikiTreeNode represents a node in the org wiki folder tree for sidebar navigation.
-type OrgWikiTreeNode struct {
-	Name     string
-	SubURL   string
-	IsDir    bool
-	Children []*OrgWikiTreeNode
-}
-
 // Wiki renders the org wiki tab.
 func Wiki(ctx *context.Context) {
 	org := ctx.Org.Organization
@@ -79,9 +71,31 @@ func Wiki(ctx *context.Context) {
 	}
 	ctx.Data["WikiRepoLink"] = wikiRepo.Link()

-	// Build folder tree for sidebar navigation.
-	wikiTree := buildOrgWikiTree(commit)
-	ctx.Data["WikiTree"] = wikiTree
+	// Build page list from repo root.
+	entries, err := commit.ListEntries()
+	if err != nil {
+		ctx.ServerError("ListEntries", err)
+		return
+	}
+	pages := make([]OrgWikiPage, 0, len(entries))
+	for _, entry := range entries {
+		if !entry.IsRegular() {
+			continue
+		}
+		name := entry.Name()
+		if !isMarkdownFile(name) {
+			continue
+		}
+		displayName := strings.TrimSuffix(name, path.Ext(name))
+		if strings.EqualFold(displayName, "_sidebar") || strings.EqualFold(displayName, "_footer") {
+			continue
+		}
+		pages = append(pages, OrgWikiPage{
+			Name:   displayName,
+			SubURL: displayName,
+		})
+	}
+	ctx.Data["Pages"] = pages

 	// Determine which page to render.
 	pageName := ctx.PathParamRaw("*")
@@ -143,68 +157,6 @@ func Wiki(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplOrgWiki)
 }

-// buildOrgWikiTree builds a hierarchical folder tree from the org wiki git repo.
-// Shows up to 2 levels deep (folders and their immediate children).
-func buildOrgWikiTree(commit *git.Commit) []*OrgWikiTreeNode {
-	if commit == nil {
-		return nil
-	}
-	entries, err := commit.ListEntries()
-	if err != nil {
-		return nil
-	}
-
-	var topLevel []*OrgWikiTreeNode
-
-	for _, entry := range entries {
-		name := entry.Name()
-		if entry.IsDir() {
-			node := &OrgWikiTreeNode{
-				Name:   name,
-				SubURL: name,
-				IsDir:  true,
-			}
-			// List children of this directory (1 level deep).
-			subTree := entry.Tree()
-			if subTree != nil {
-				children, _ := subTree.ListEntries()
-				for _, child := range children {
-					childName := child.Name()
-					if child.IsDir() {
-						node.Children = append(node.Children, &OrgWikiTreeNode{
-							Name:   childName,
-							SubURL: name + "/" + childName,
-							IsDir:  true,
-						})
-					} else if isMarkdownFile(childName) {
-						displayName := strings.TrimSuffix(childName, path.Ext(childName))
-						if strings.EqualFold(displayName, "_sidebar") || strings.EqualFold(displayName, "_footer") {
-							continue
-						}
-						node.Children = append(node.Children, &OrgWikiTreeNode{
-							Name:   displayName,
-							SubURL: name + "/" + displayName,
-							IsDir:  false,
-						})
-					}
-				}
-			}
-			topLevel = append(topLevel, node)
-		} else if isMarkdownFile(name) {
-			displayName := strings.TrimSuffix(name, path.Ext(name))
-			if strings.EqualFold(displayName, "_sidebar") || strings.EqualFold(displayName, "_footer") {
-				continue
-			}
-			topLevel = append(topLevel, &OrgWikiTreeNode{
-				Name:   displayName,
-				SubURL: displayName,
-				IsDir:  false,
-			})
-		}
-	}
-	return topLevel
-}
-
 // findOrgWikiCommit locates the profile repo's wiki and returns its HEAD commit.
 // The org wiki lives in the .wiki.git sidecar of the profile repo (e.g. .mokogitea.wiki.git).
 // Tries fallback repo names (.profile, .github) if the primary doesn't exist.
@@ -681,8 +681,6 @@ func indexCommit(commits []*git.Commit, commitID string) *git.Commit {

 // ViewPullFiles render pull request changed files list page
 func viewPullFiles(ctx *context.Context, beforeCommitID, afterCommitID string) {
-	var err error
-
 	ctx.Data["PageIsPullList"] = true
 	ctx.Data["PageIsPullFiles"] = true

@@ -707,47 +705,44 @@ func viewPullFiles(ctx *context.Context, beforeCommitID, afterCommitID string) {

 	headCommitID := prCompareInfo.HeadCommitID
 	isSingleCommit := beforeCommitID == "" && afterCommitID != ""
-	isShowAllCommits := (beforeCommitID == "" || beforeCommitID == prCompareInfo.CompareBase) && (afterCommitID == "" || afterCommitID == headCommitID)
-
 	ctx.Data["IsShowingOnlySingleCommit"] = isSingleCommit
+	isShowAllCommits := (beforeCommitID == "" || beforeCommitID == prCompareInfo.CompareBase) && (afterCommitID == "" || afterCommitID == headCommitID)
 	ctx.Data["IsShowingAllCommits"] = isShowAllCommits

-	afterCommitID = util.IfZero(afterCommitID, headCommitID)
-	afterCommit := indexCommit(prCompareInfo.Commits, afterCommitID)
-	if afterCommit == nil && afterCommitID == headCommitID {
-		afterCommit, err = gitRepo.GetCommit(afterCommitID)
-		if err != nil {
-			ctx.ServerError("GetCommit(afterCommitID)", err)
-			return
-		}
+	if afterCommitID == "" || afterCommitID == headCommitID {
+		afterCommitID = headCommitID
 	}
+	afterCommit := indexCommit(prCompareInfo.Commits, afterCommitID)
 	if afterCommit == nil {
-		ctx.NotFound(nil)
+		ctx.HTTPError(http.StatusBadRequest, "after commit not found in PR commits")
 		return
 	}

 	var beforeCommit *git.Commit
-	if isSingleCommit {
-		beforeCommit, err = afterCommit.Parent(0)
-		if err != nil {
-			ctx.ServerError("afterCommit.Parent", err)
-			return
-		}
-		beforeCommitID = beforeCommit.ID.String()
-	} else {
-		beforeCommitID = util.IfZero(beforeCommitID, prCompareInfo.CompareBase)
-		beforeCommit = indexCommit(prCompareInfo.Commits, beforeCommitID)
-		if beforeCommit == nil && beforeCommitID == prCompareInfo.CompareBase {
+	var err error
+	if !isSingleCommit {
+		if beforeCommitID == "" || beforeCommitID == prCompareInfo.CompareBase {
+			beforeCommitID = prCompareInfo.CompareBase
+			// merge base commit is not in the list of the pull request commits
 			beforeCommit, err = gitRepo.GetCommit(beforeCommitID)
 			if err != nil {
-				ctx.ServerError("GetCommit(beforeCommitID)", err)
+				ctx.ServerError("GetCommit", err)
+				return
+			}
+		} else {
+			beforeCommit = indexCommit(prCompareInfo.Commits, beforeCommitID)
+			if beforeCommit == nil {
+				ctx.HTTPError(http.StatusBadRequest, "before commit not found in PR commits")
 				return
 			}
 		}
-	}
-	if beforeCommit == nil {
-		ctx.NotFound(nil)
-		return
+	} else {
+		beforeCommit, err = afterCommit.Parent(0)
+		if err != nil {
+			ctx.ServerError("Parent", err)
+			return
+		}
+		beforeCommitID = beforeCommit.ID.String()
 	}

 	ctx.Data["CompareInfo"] = prCompareInfo
@@ -123,14 +123,6 @@ func saveMetadata(ctx *context.Context) {
 		manifest.Maintainer = existing.Maintainer
 		manifest.MaintainerURL = existing.MaintainerURL
 		manifest.Language = existing.Language
-		manifest.DeployHost = existing.DeployHost
-		manifest.DeployPort = existing.DeployPort
-		manifest.DeployUser = existing.DeployUser
-		manifest.DeployPath = existing.DeployPath
-		manifest.DockerImage = existing.DockerImage
-		manifest.DockerRegistry = existing.DockerRegistry
-		manifest.ContainerName = existing.ContainerName
-		manifest.HealthURL = existing.HealthURL
 	}

 	if err := repo_model.CreateOrUpdateRepoMetadata(ctx, manifest); err != nil {
@@ -90,59 +90,6 @@ func ApplicationsPost(ctx *context.Context) {
 	ctx.Redirect(setting.AppSubURL + "/user/settings/applications")
 }

-// EditApplication response for editing user access token scopes
-func EditApplication(ctx *context.Context) {
-	tokenID := ctx.FormInt64("id")
-
-	tokens, err := db.Find[auth_model.AccessToken](ctx, auth_model.ListAccessTokensOptions{UserID: ctx.Doer.ID})
-	if err != nil {
-		ctx.ServerError("ListAccessTokens", err)
-		return
-	}
-
-	var token *auth_model.AccessToken
-	for _, t := range tokens {
-		if t.ID == tokenID {
-			token = t
-			break
-		}
-	}
-	if token == nil {
-		ctx.Flash.Error("Token not found")
-		ctx.JSONRedirect(setting.AppSubURL + "/user/settings/applications")
-		return
-	}
-
-	_ = ctx.Req.ParseForm()
-	var scopeNames []string
-	const accessTokenScopePrefix = "scope-"
-	for k, v := range ctx.Req.Form {
-		if strings.HasPrefix(k, accessTokenScopePrefix) {
-			scopeNames = append(scopeNames, v...)
-		}
-	}
-
-	scope, err := auth_model.AccessTokenScope(strings.Join(scopeNames, ",")).Normalize()
-	if err != nil {
-		ctx.ServerError("GetScope", err)
-		return
-	}
-	if !scope.HasPermissionScope() {
-		ctx.Flash.Error(ctx.Tr("settings.at_least_one_permission"))
-		ctx.JSONRedirect(setting.AppSubURL + "/user/settings/applications")
-		return
-	}
-
-	token.Scope = scope
-	if err := auth_model.UpdateAccessToken(ctx, token); err != nil {
-		ctx.ServerError("UpdateAccessToken", err)
-		return
-	}
-
-	ctx.Flash.Success(ctx.Tr("settings.update_token_success"))
-	ctx.JSONRedirect(setting.AppSubURL + "/user/settings/applications")
-}
-
 // DeleteApplication response for delete user access token
 func DeleteApplication(ctx *context.Context) {
 	if err := auth_model.DeleteAccessTokenByID(ctx, ctx.FormInt64("id"), ctx.Doer.ID); err != nil {
@@ -680,7 +680,6 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 			// access token applications
 			m.Combo("").Get(user_setting.Applications).
 				Post(web.Bind(forms.NewAccessTokenForm{}), user_setting.ApplicationsPost)
-			m.Post("/edit", user_setting.EditApplication)
 			m.Post("/delete", user_setting.DeleteApplication)
 		})

@@ -140,17 +140,11 @@ func DispatchActionWorkflow(ctx reqctx.RequestContext, doer *user_model.User, re
 	workflow := &model.Workflow{
 		RawOn: singleWorkflow.RawOn,
 	}
-	workflowDispatch := workflow.WorkflowDispatchConfig()
-	if workflowDispatch == nil {
-		return 0, util.ErrorWrapTranslatable(
-			util.NewInvalidArgumentErrorf("workflow %q has no workflow_dispatch event trigger", workflowID),
-			"actions.workflow.has_no_workflow_dispatch", workflowID,
-		)
-	}
-
 	inputsWithDefaults := make(map[string]any)
-	if err = processInputs(workflowDispatch, inputsWithDefaults); err != nil {
-		return 0, err
+	if workflowDispatch := workflow.WorkflowDispatchConfig(); workflowDispatch != nil {
+		if err = processInputs(workflowDispatch, inputsWithDefaults); err != nil {
+			return 0, err
+		}
 	}

 	// ctx.Req.PostForm -> WorkflowDispatchPayload.Inputs -> ActionRun.EventPayload -> runner: ghc.Event
@@ -73,6 +73,7 @@ parts:

    override-build: |
      set -x
+      sed -i 's/os.Getuid()/1/g' modules/setting/setting.go
      npm install -g pnpm
      TAGS="bindata pam cert" make build
      install -D gitea "${SNAPCRAFT_PART_INSTALL}/gitea"
@@ -28,7 +28,6 @@
 				</td>
 				<td>
 					<strong>{{.Name}}</strong>
-					{{if .IsRequired}}<span class="ui mini blue label" title="Required status - cannot be deleted">{{svg "octicon-lock" 10}} required</span>{{end}}
 					{{if not .IsActive}}<span class="ui mini grey label">{{ctx.Locale.Tr "org.settings.issue_status_inactive"}}</span>{{end}}
 					{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}
 				</td>
@@ -41,14 +40,10 @@
 				</td>
 				<td>{{.SortOrder}}</td>
 				<td class="tw-text-right">
-					{{if .IsRequired}}
-						<span class="ui tiny icon button disabled" title="Required - cannot be deleted">{{svg "octicon-lock" 14}}</span>
-					{{else}}
 					<form method="post" action="{{$.OrgLink}}/settings/issue-statuses/{{.ID}}/delete" class="tw-inline">
 						{{$.CsrfTokenHtml}}
 						<button class="ui tiny red icon button" type="submit" title="{{ctx.Locale.Tr "remove"}}">{{svg "octicon-trash" 14}}</button>
 					</form>
-					{{end}}
 				</td>
 			</tr>
 			{{end}}
@@ -11,7 +11,7 @@
 					This organization doesn't have a wiki yet.
 				</div>
 				<p class="tw-text-center">
-					Enable the wiki on the <code>.mokogitea</code> (public) or <code>.mokogitea-private</code> (members-only)
+					Enable the wiki on the <code>.profile</code> (public) or <code>.profile-private</code> (members-only)
 					repository to get started.
 				</p>
 			</div>
@@ -47,59 +47,34 @@
 							<p>The page "{{.CurrentPage}}" does not exist in this wiki.</p>
 						</div>
 					</div>
-					{{if .WikiTree}}
+					{{if .Pages}}
 						<h4>Available pages:</h4>
 						<ul>
-							{{range .WikiTree}}
-								{{if .IsDir}}
-									{{range .Children}}
-										<li><a href="{{$.Org.HomeLink}}/-/wiki/{{.SubURL}}">{{.Name}}</a></li>
-									{{end}}
-								{{else}}
-									<li><a href="{{$.Org.HomeLink}}/-/wiki/{{.SubURL}}">{{.Name}}</a></li>
-								{{end}}
+							{{range .Pages}}
+								<li><a href="{{$.Org.HomeLink}}/-/wiki/{{.SubURL}}">{{.Name}}</a></li>
 							{{end}}
 						</ul>
 					{{end}}
 				</div>
 			{{else}}
 				<div class="wiki-content-parts">
-					<div class="render-content markup wiki-content-main {{if or .WikiSidebarHTML .WikiTree}}with-sidebar{{end}}">
+					<div class="render-content markup wiki-content-main {{if or .WikiSidebarHTML .Pages}}with-sidebar{{end}}">
 						{{.WikiContent}}
 					</div>

-					{{if or .WikiSidebarHTML .WikiTree}}
+					{{if or .WikiSidebarHTML .Pages}}
 					<div class="render-content markup wiki-content-sidebar">
 						{{if .WikiSidebarHTML}}
 							{{.WikiSidebarHTML}}
-						{{else if .WikiTree}}
+							<div class="ui divider"></div>
+						{{end}}
+						{{if .Pages}}
 							<strong>{{svg "octicon-list-unordered" 14}} Pages</strong>
 							<ul class="wiki-tree-list">
-								{{range .WikiTree}}
+								{{range .Pages}}
 									<li>
-										{{if .IsDir}}
-											<details open>
-												<summary>{{svg "octicon-file-directory" 14}} <strong>{{.Name}}</strong></summary>
-												{{if .Children}}
-												<ul>
-													{{range .Children}}
-														<li>
-															{{if .IsDir}}
-																{{svg "octicon-file-directory" 14}}
-																<a href="{{$.Org.HomeLink}}/-/wiki/{{.SubURL}}"><strong>{{.Name}}</strong></a>
-															{{else}}
-																{{svg "octicon-file" 14}}
-																<a href="{{$.Org.HomeLink}}/-/wiki/{{.SubURL}}" {{if eq $.CurrentPage .Name}}class="active"{{end}}>{{.Name}}</a>
-															{{end}}
-														</li>
-													{{end}}
-												</ul>
-												{{end}}
-											</details>
-										{{else}}
-											{{svg "octicon-file" 14}}
-											<a href="{{$.Org.HomeLink}}/-/wiki/{{.SubURL}}" {{if eq $.CurrentPage .Name}}class="active"{{end}}>{{.Name}}</a>
-										{{end}}
+										{{svg "octicon-file" 14}}
+										<a href="{{$.Org.HomeLink}}/-/wiki/{{.SubURL}}" {{if eq $.CurrentPage .Name}}class="active"{{end}}>{{.Name}}</a>
 									</li>
 								{{end}}
 							</ul>
@@ -21,7 +21,11 @@
 				<input name="org" value="{{.Manifest.Org}}" placeholder="Organization">
 			</div>
 		</div>
-		<div class="three fields">
+		<div class="four fields">
+			<div class="field">
+				<label>Version</label>
+				<input name="version" value="{{.Manifest.Version}}" placeholder="e.g. 06.00.00">
+			</div>
 			<div class="field">
 				<label>Version Prefix</label>
 				<input name="version_prefix" value="{{.Manifest.VersionPrefix}}" placeholder="e.g. v1.26.1-moko.">
@@ -1,42 +0,0 @@
-{{template "base/head" .}}
-<div role="main" aria-label="{{.Title}}" class="page-content repository wiki">
-	{{template "repo/header" .}}
-	<div class="ui container">
-		<div class="repo-button-row">
-			<div class="tw-flex tw-items-center tw-gap-2">
-				<a class="ui small button" href="{{.RepoLink}}/wiki/{{.PageURL}}">
-					{{svg "octicon-arrow-left" 14}} Back to {{.title}}
-				</a>
-			</div>
-		</div>
-
-		<h2>{{svg "octicon-cross-reference" 20}} What links here: {{.title}}</h2>
-
-		{{if .Backlinks}}
-		<div class="ui relaxed divided list">
-			{{range .Backlinks}}
-			<div class="item">
-				<div class="content">
-					<a class="header" href="{{$.RepoLink}}/wiki/{{.PageURL}}">{{.PageName}}</a>
-					{{if .Context}}
-					<div class="description">
-						<code class="tw-text-sm">{{.Context}}</code>
-					</div>
-					{{end}}
-				</div>
-			</div>
-			{{end}}
-		</div>
-		<p class="tw-mt-4 text grey">{{.BacklinkCount}} {{if eq .BacklinkCount 1}}page{{else}}pages{{end}} linking here.</p>
-		{{else}}
-		<div class="ui placeholder segment">
-			<div class="ui icon header">
-				{{svg "octicon-unlink" 48}}
-				<br>
-				No pages link to "{{.title}}"
-			</div>
-		</div>
-		{{end}}
-	</div>
-</div>
-{{template "base/footer" .}}
@@ -1,36 +0,0 @@
-{{template "base/head" .}}
-<div role="main" aria-label="{{.Title}}" class="page-content repository wiki">
-	{{template "repo/header" .}}
-	<div class="ui container">
-		<div class="repo-button-row tw-flex tw-items-center tw-gap-2 tw-mb-4">
-			<div class="tw-flex-1">
-				<a class="ui small button" href="{{.RepoLink}}/wiki/">
-					{{svg "octicon-arrow-left" 14}} Back to wiki
-				</a>
-			</div>
-		</div>
-
-		<h2>{{svg "octicon-tag" 20}} Category: {{.CategoryName}}</h2>
-
-		{{if .CategoryPages}}
-		<div class="ui relaxed divided list">
-			{{range .CategoryPages}}
-			<div class="item">
-				{{svg "octicon-file" 14}}
-				<a href="{{$.RepoLink}}/wiki/{{.SubURL}}">{{.Name}}</a>
-			</div>
-			{{end}}
-		</div>
-		<p class="tw-mt-4 text grey">{{.CategoryCount}} {{if eq .CategoryCount 1}}page{{else}}pages{{end}} in this category.</p>
-		{{else}}
-		<div class="ui placeholder segment">
-			<div class="ui icon header">
-				{{svg "octicon-tag" 48}}
-				<br>
-				No pages in category "{{.CategoryName}}"
-			</div>
-		</div>
-		{{end}}
-	</div>
-</div>
-{{template "base/footer" .}}
@@ -1,51 +0,0 @@
-{{template "base/head" .}}
-<div role="main" aria-label="{{.Title}}" class="page-content repository wiki">
-	{{template "repo/header" .}}
-	<div class="ui container">
-		<div class="repo-button-row tw-flex tw-items-center tw-gap-2 tw-mb-4">
-			<div class="tw-flex-1">
-				<a href="{{.RepoLink}}/wiki/{{.PageURL}}">{{svg "octicon-arrow-left" 14}} {{.title}}</a>
-				&middot;
-				<a href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_revision">Revision history</a>
-			</div>
-		</div>
-
-		<div class="ui segment">
-			<h3>{{svg "octicon-diff" 20}} Changes in <code>{{.CommitID}}</code></h3>
-			<p>
-				<strong>{{.CommitAuthor}}</strong> &mdash; {{.CommitMessage}}
-				<br>
-				<small class="text grey">{{DateUtils.TimeSince .CommitWhen}}</small>
-			</p>
-
-			{{if .IsNewPage}}
-				<div class="ui info message">New page created</div>
-			{{else if .IsDeletedPage}}
-				<div class="ui warning message">Page deleted</div>
-			{{else if not .HasDiff}}
-				<div class="ui info message">No content changes in this revision</div>
-			{{end}}
-
-			{{if .HasDiff}}
-			<div class="diff-file-box" style="overflow-x: auto;">
-				<table class="chroma" style="width: 100%; border-collapse: collapse; font-family: monospace; font-size: 13px;">
-					{{range .DiffLines}}
-					<tr class="{{if eq .Type "add"}}diff-line-add{{else if eq .Type "del"}}diff-line-del{{else}}diff-line-context{{end}}">
-						<td style="width: 40px; text-align: right; padding: 0 8px; color: #999; user-select: none; {{if eq .Type "add"}}background: #e6ffec;{{else if eq .Type "del"}}background: #ffebe9;{{else}}background: #f6f8fa;{{end}}">
-							{{if .OldNum}}{{.OldNum}}{{end}}
-						</td>
-						<td style="width: 40px; text-align: right; padding: 0 8px; color: #999; user-select: none; {{if eq .Type "add"}}background: #e6ffec;{{else if eq .Type "del"}}background: #ffebe9;{{else}}background: #f6f8fa;{{end}}">
-							{{if .NewNum}}{{.NewNum}}{{end}}
-						</td>
-						<td style="padding: 0 8px; white-space: pre-wrap; word-break: break-all; {{if eq .Type "add"}}background: #e6ffec;{{else if eq .Type "del"}}background: #ffebe9;{{else}}background: #fff;{{end}}">
-							{{if eq .Type "add"}}+{{else if eq .Type "del"}}-{{else}} {{end}} {{.Content}}
-						</td>
-					</tr>
-					{{end}}
-				</table>
-			</div>
-			{{end}}
-		</div>
-	</div>
-</div>
-{{template "base/footer" .}}
@@ -1,40 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-	<meta charset="utf-8">
-	<title>{{.Title}}</title>
-	<style>
-		body {
-			font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
-			max-width: 800px;
-			margin: 0 auto;
-			padding: 40px 20px;
-			color: #333;
-			line-height: 1.6;
-		}
-		h1 { font-size: 2em; border-bottom: 1px solid #eee; padding-bottom: 0.3em; }
-		h2 { font-size: 1.5em; border-bottom: 1px solid #eee; padding-bottom: 0.3em; }
-		code { background: #f6f8fa; padding: 2px 6px; border-radius: 3px; font-size: 85%; }
-		pre { background: #f6f8fa; padding: 16px; border-radius: 6px; overflow-x: auto; }
-		pre code { background: none; padding: 0; }
-		table { border-collapse: collapse; width: 100%; }
-		th, td { border: 1px solid #ddd; padding: 8px 12px; text-align: left; }
-		th { background: #f6f8fa; }
-		img { max-width: 100%; }
-		blockquote { border-left: 4px solid #ddd; margin: 0; padding: 0 16px; color: #666; }
-		a { color: #0366d6; }
-		@media print {
-			body { padding: 0; }
-			a { color: inherit; text-decoration: none; }
-		}
-	</style>
-</head>
-<body>
-	<h1>{{.Title}}</h1>
-	{{.WikiContentHTML}}
-	<hr>
-	<p style="font-size: 12px; color: #999;">
-		Printed from wiki &middot; {{.Title}}
-	</p>
-</body>
-</html>
@@ -1,72 +0,0 @@
-{{template "base/head" .}}
-<div role="main" aria-label="{{.Title}}" class="page-content repository wiki">
-	{{template "repo/header" .}}
-	<div class="ui container">
-		<div class="repo-button-row tw-flex tw-items-center tw-gap-2 tw-mb-4">
-			<div class="tw-flex-1">
-				<h2>{{svg "octicon-history" 20}} Recent changes</h2>
-			</div>
-			<a class="ui small button" href="{{.RepoLink}}/wiki/">
-				{{svg "octicon-arrow-left" 14}} Back to wiki
-			</a>
-		</div>
-
-		{{if .RecentChanges}}
-		<table class="ui compact table">
-			<thead>
-				<tr>
-					<th>Page</th>
-					<th>Author</th>
-					<th>Edit summary</th>
-					<th>When</th>
-					<th>Commit</th>
-				</tr>
-			</thead>
-			<tbody>
-				{{range .RecentChanges}}
-				<tr>
-					<td>
-						{{if .PageURL}}
-							{{svg "octicon-file" 14}}
-							<a href="{{$.RepoLink}}/wiki/{{.PageURL}}">{{.PageName}}</a>
-						{{else if .PageName}}
-							{{svg "octicon-file" 14}} {{.PageName}}
-						{{else}}
-							<span class="text grey">—</span>
-						{{end}}
-					</td>
-					<td>{{.Author}}</td>
-					<td class="gt-ellipsis" style="max-width: 400px;">{{.Message}}</td>
-					<td>{{DateUtils.TimeSince .When}}</td>
-					<td><code class="tw-text-xs">{{.SHA}}</code></td>
-				</tr>
-				{{end}}
-			</tbody>
-		</table>
-
-		<div class="tw-flex tw-justify-between tw-mt-4">
-			{{if .HasPrevPage}}
-				<a class="ui small button" href="{{.RepoLink}}/wiki/?action=_recent&page={{Eval .CurrentPage "-" 1}}">
-					{{svg "octicon-chevron-left" 14}} Newer
-				</a>
-			{{else}}
-				<span></span>
-			{{end}}
-			{{if .HasNextPage}}
-				<a class="ui small button" href="{{.RepoLink}}/wiki/?action=_recent&page={{Eval .CurrentPage "+" 1}}">
-					Older {{svg "octicon-chevron-right" 14}}
-				</a>
-			{{end}}
-		</div>
-		{{else}}
-		<div class="ui placeholder segment">
-			<div class="ui icon header">
-				{{svg "octicon-history" 48}}
-				<br>
-				No recent changes
-			</div>
-		</div>
-		{{end}}
-	</div>
-</div>
-{{template "base/footer" .}}
@@ -1,52 +0,0 @@
-{{template "base/head" .}}
-<div role="main" aria-label="{{.Title}}" class="page-content repository wiki">
-	{{template "repo/header" .}}
-	<div class="ui container">
-		<div class="repo-button-row">
-			<div class="tw-flex tw-items-center tw-gap-2">
-				<a class="ui small button" href="{{.RepoLink}}/wiki/">
-					{{svg "octicon-arrow-left" 14}} Back to wiki
-				</a>
-			</div>
-		</div>
-
-		<h2>{{svg "octicon-search" 20}} Wiki search</h2>
-
-		<form class="ui form tw-mb-4" action="{{.RepoLink}}/wiki/" method="get">
-			<input type="hidden" name="action" value="_search">
-			<div class="ui action input tw-w-full">
-				<input type="text" name="q" value="{{.Query}}" placeholder="Search wiki pages..." autofocus>
-				<button class="ui primary button" type="submit">{{svg "octicon-search" 14}} Search</button>
-			</div>
-		</form>
-
-		{{if .Query}}
-		{{if .Results}}
-		<div class="ui relaxed divided list">
-			{{range .Results}}
-			<div class="item">
-				<div class="content">
-					<a class="header" href="{{$.RepoLink}}/wiki/{{.PageURL}}">{{.PageName}}</a>
-					{{if .Context}}
-					<div class="description">
-						<code class="tw-text-sm">{{.Context}}</code>
-					</div>
-					{{end}}
-				</div>
-			</div>
-			{{end}}
-		</div>
-		<p class="tw-mt-4 text grey">{{.ResultCount}} {{if eq .ResultCount 1}}result{{else}}results{{end}} for "{{.Query}}"</p>
-		{{else}}
-		<div class="ui placeholder segment">
-			<div class="ui icon header">
-				{{svg "octicon-search" 48}}
-				<br>
-				No results for "{{.Query}}"
-			</div>
-		</div>
-		{{end}}
-		{{end}}
-	</div>
-</div>
-{{template "base/footer" .}}
@@ -20,10 +20,6 @@
 						</div>
 						<div class="scrolling menu">
 							<a class="item muted" href="{{.RepoLink}}/wiki/?action=_pages">{{ctx.Locale.Tr "repo.wiki.pages"}}</a>
-							<a class="item muted" href="{{.RepoLink}}/wiki/?action=_search">{{svg "octicon-search" 14}} Search wiki</a>
-							<a class="item muted" href="{{.RepoLink}}/wiki/?action=_recent">{{svg "octicon-history" 14}} Recent changes</a>
-t						<a class="item muted" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_print" target="_blank">{{svg "octicon-browser" 14}} Print view</a>
-							<a class="item muted" href="{{.RepoLink}}/wiki/?action=_export&format=zip">{{svg "octicon-download" 14}} Export wiki (ZIP)</a>
 							<div class="divider"></div>
 							{{range .Pages}}
 								<a class="item {{if eq $.Title .Name}}selected{{end}}" href="{{$.RepoLink}}/wiki/{{.SubURL}}">{{.Name}}</a>
@@ -38,8 +34,6 @@ t						<a class="item muted" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_print
 			<div class="flex-text-block tw-flex-wrap tw-justify-end">
 				<div class="flex-text-block tw-flex-1 tw-min-w-[300px]">
 					<a class="ui basic button tw-px-3 tw-gap-3" title="{{ctx.Locale.Tr "repo.wiki.file_revision"}}" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_revision" >{{if .CommitCount}}<span>{{.CommitCount}}</span> {{end}}{{svg "octicon-history"}}</a>
-					<a class="ui basic button tw-px-3" title="What links here" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_backlinks">{{svg "octicon-cross-reference"}}</a>
-					{{if .LastCommitID}}<a class="ui basic button tw-px-3" title="View last change" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_diff&commit={{.LastCommitID}}">{{svg "octicon-diff"}}</a>{{end}}
 					<div class="tw-flex-1 gt-ellipsis">
 						{{$title}}
 						<div class="ui sub header gt-ellipsis">
@@ -53,7 +47,7 @@ t						<a class="item muted" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_print
 						<a class="ui small button unescape-button tw-hidden" data-unicode-content-selector=".wiki-content-parts">{{ctx.Locale.Tr "repo.unescape_control_characters"}}</a>
 						<a class="ui small button escape-button" data-unicode-content-selector=".wiki-content-parts">{{ctx.Locale.Tr "repo.escape_control_characters"}}</a>
 					{{end}}
-					{{if and .CanWriteWiki (not .Repository.IsMirror) (not .WikiFolderProtected)}}
+					{{if and .CanWriteWiki (not .Repository.IsMirror)}}
 						<a class="ui small button" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_edit">{{ctx.Locale.Tr "repo.wiki.edit_page_button"}}</a>
 						<a class="ui small primary button" href="{{.RepoLink}}/wiki?action=_new">{{ctx.Locale.Tr "repo.wiki.new_page_button"}}</a>
 						<a class="ui small red button link-action" href data-modal-confirm="#repo-wiki-delete-page-modal" data-url="{{.RepoLink}}/wiki/{{.PageURL}}?action=_delete">{{ctx.Locale.Tr "repo.wiki.delete_page_button"}}</a>
@@ -75,12 +69,6 @@ t						<a class="item muted" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_print
 			{{end}}
 		{{end}}

-		{{if .WikiFolderProtected}}
-			<div class="ui warning message">
-				<p>{{svg "octicon-lock" 14}} This page is in a protected folder. Only users with the required role can edit it.</p>
-			</div>
-		{{end}}
-
 		{{if .FormatWarning}}
 			<div class="ui negative message">
 				<p>{{.FormatWarning}}</p>
@@ -115,30 +103,13 @@ t						<a class="item muted" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_print
 		<div class="wiki-content-parts">
 			{{if .WikiSidebarTocHTML}}
 			<div class="render-content markup wiki-content-sidebar wiki-content-toc">
-				<details open>
-					<summary><strong>{{svg "octicon-list-unordered" 14}} Contents</strong></summary>
-					{{.WikiSidebarTocHTML}}
-				</details>
+				{{.WikiSidebarTocHTML}}
 			</div>
 			{{end}}

 			<div class="render-content markup wiki-content-main {{if or .WikiSidebarTocHTML .WikiSidebarHTML .WikiTree}}with-sidebar{{end}}">
 				{{template "repo/unicode_escape_prompt" dict "EscapeStatus" .EscapeStatus}}
-				{{if .WikiInlineTocHTML}}
-				<details open class="wiki-toc-inline tw-mb-4">
-					<summary><strong>{{svg "octicon-list-unordered" 14}} Contents</strong></summary>
-					{{.WikiInlineTocHTML}}
-				</details>
-				{{end}}
 				{{.WikiContentHTML}}
-				{{if .WikiCategories}}
-				<div class="tw-mt-4 tw-pt-2" style="border-top: 1px solid var(--color-secondary);">
-					{{svg "octicon-tag" 14}} Categories:
-					{{range .WikiCategories}}
-						<a class="ui small label" href="{{$.RepoLink}}/wiki/?action=_category&name={{.}}">{{.}}</a>
-					{{end}}
-				</div>
-				{{end}}
 			</div>

 			{{if .WikiTree}}
@@ -150,7 +121,6 @@ t						<a class="item muted" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_print
 							{{if .IsDir}}
 								{{svg "octicon-file-directory" 14}}
 								<a href="{{$.RepoLink}}/wiki/{{.SubURL}}"><strong>{{.Name}}</strong></a>
-								{{if .Protected}}{{svg "octicon-lock" 12}}{{end}}
 								{{if .Children}}
 								<ul>
 									{{range .Children}}
@@ -158,7 +128,6 @@ t						<a class="item muted" href="{{.RepoLink}}/wiki/{{.PageURL}}?action=_print
 											{{if .IsDir}}
 												{{svg "octicon-file-directory" 14}}
 												<a href="{{$.RepoLink}}/wiki/{{.SubURL}}"><strong>{{.Name}}</strong></a>
-												{{if .Protected}}{{svg "octicon-lock" 12}}{{end}}
 											{{else}}
 												{{svg "octicon-file" 14}}
 												<a href="{{$.RepoLink}}/wiki/{{.SubURL}}" {{if eq $.PageURL .SubURL}}class="active"{{end}}>{{.Name}}</a>
@@ -40,10 +40,6 @@
 							</div>
 						</div>
 						<div class="item-trailing">
-								<button class="ui primary tiny button edit-token-button" data-modal-id="edit-token" data-id="{{.ID}}" data-scopes="{{StringUtils.Join (.Scope.StringSlice) ","}}">
-									{{svg "octicon-pencil"}}
-									{{ctx.Locale.Tr "edit"}}
-								</button>
 								<button class="ui red tiny button delete-button" data-modal-id="delete-token" data-url="{{$.Link}}/delete" data-id="{{.ID}}">
 									{{svg "octicon-trash"}}
 									{{ctx.Locale.Tr "settings.delete_token"}}
@@ -96,82 +92,6 @@
 		{{end}}
 	</div>

-<div class="ui modal" id="edit-token">
-	<div class="header">
-		{{svg "octicon-pencil"}}
-		{{ctx.Locale.Tr "settings.edit_token_scopes"}}
-	</div>
-	<div class="content">
-		<form class="ui form" id="edit-token-form" action="{{.Link}}/edit" method="post">
-			{{.CsrfTokenHtml}}
-			<input type="hidden" name="id" value="">
-			<div class="field">
-				<div class="tw-my-2">{{ctx.Locale.Tr "settings.repo_and_org_access"}}</div>
-				<label class="gt-checkbox">
-					<input type="radio" name="scope-public-only" value="{{$.AccessTokenScopePublicOnly}}"> {{ctx.Locale.Tr "settings.permissions_public_only"}}
-				</label>
-				<label class="gt-checkbox">
-					<input type="radio" name="scope-public-only" value="" checked> {{ctx.Locale.Tr "settings.permissions_access_all"}}
-				</label>
-			</div>
-			<div>
-				<div class="tw-my-2">{{ctx.Locale.Tr "settings.permissions_list"}}</div>
-				<table class="ui table unstackable tw-my-2">
-				{{range $category := .TokenCategories}}
-					<tr>
-						<td>{{$category}}</td>
-						<td><label class="gt-checkbox"><input type="radio" name="scope-{{$category}}" value="" checked> {{ctx.Locale.Tr "settings.permission_no_access"}}</label></td>
-						<td><label class="gt-checkbox"><input type="radio" name="scope-{{$category}}" value="read:{{$category}}"> {{ctx.Locale.Tr "settings.permission_read"}}</label></td>
-						<td><label class="gt-checkbox"><input type="radio" name="scope-{{$category}}" value="write:{{$category}}"> {{ctx.Locale.Tr "settings.permission_write"}}</label></td>
-					</tr>
-				{{end}}
-				</table>
-			</div>
-		</form>
-	</div>
-	<div class="actions">
-		<button class="ui cancel button">{{ctx.Locale.Tr "cancel"}}</button>
-		<button class="ui primary button" id="edit-token-submit">{{ctx.Locale.Tr "save"}}</button>
-	</div>
-</div>
-
-<script>
-document.addEventListener('DOMContentLoaded', () => {
-	for (const btn of document.querySelectorAll('.edit-token-button')) {
-		btn.addEventListener('click', (e) => {
-			const modal = document.getElementById('edit-token');
-			const form = document.getElementById('edit-token-form');
-			const id = e.currentTarget.getAttribute('data-id');
-			const scopes = (e.currentTarget.getAttribute('data-scopes') || '').split(',').filter(Boolean);
-
-			form.querySelector('input[name="id"]').value = id;
-
-			// Reset all radios to defaults
-			for (const radio of form.querySelectorAll('input[type="radio"]')) {
-				radio.checked = radio.value === '';
-			}
-
-			// Set current scopes
-			for (const scope of scopes) {
-				if (scope === 'public-only') {
-					const radio = form.querySelector('input[name="scope-public-only"][value="public-only"]');
-					if (radio) radio.checked = true;
-				} else {
-					const radio = form.querySelector(`input[name="scope-${scope.split(':')[1]}"][value="${scope}"]`);
-					if (radio) radio.checked = true;
-				}
-			}
-
-			$(modal).modal('show');
-		});
-	}
-
-	document.getElementById('edit-token-submit')?.addEventListener('click', () => {
-		document.getElementById('edit-token-form')?.submit();
-	});
-});
-</script>
-
 <div class="ui g-modal-confirm delete modal" id="delete-token">
 	<div class="header">
 		{{svg "octicon-trash"}}
@@ -1,91 +0,0 @@
-// Copyright 2026 The Gitea Authors. All rights reserved.
-// SPDX-License-Identifier: MIT
-
-package integration
-
-import (
-	"fmt"
-	"net/url"
-	"os"
-	"testing"
-
-	actions_model "code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/actions"
-	auth_model "code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/auth"
-	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/dbfs"
-	repo_model "code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
-	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unittest"
-	user_model "code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
-	actions_module "code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/actions"
-	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/storage"
-
-	runnerv1 "code.gitea.io/actions-proto-go/runner/v1"
-	"connectrpc.com/connect"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// Regression for https://gitea.com/gitea/runner/issues/950: a runner that
-// finalizes a task with no log output sends UpdateLog{Rows:[], NoMore:true}.
-// The previous short-circuit on len(Rows)==0 skipped TransferLogs, leaving
-// an orphan dbfs_data row. Verify the row is now archived and removed.
-func TestActionsLogFinalizeWithoutRows(t *testing.T) {
-	onGiteaRun(t, func(t *testing.T, _ *url.URL) {
-		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-		session := loginUser(t, user2.Name)
-		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository, auth_model.AccessTokenScopeWriteUser)
-
-		apiRepo := createActionsTestRepo(t, token, "actions-finalize-no-rows", false)
-		repo := unittest.AssertExistsAndLoadBean(t, &repo_model.Repository{ID: apiRepo.ID})
-
-		runner := newMockRunner()
-		runner.registerAsRepoRunner(t, user2.Name, repo.Name, "mock-runner", []string{"ubuntu-latest"}, false)
-
-		const wfTreePath = ".gitea/workflows/finalize-no-rows.yml"
-		wfFileContent := fmt.Sprintf(`name: finalize-no-rows
-on:
-  push:
-    paths:
-      - '%s'
-jobs:
-  job1:
-    runs-on: ubuntu-latest
-    steps:
-      - run: noop
-`, wfTreePath)
-		createWorkflowFile(t, token, user2.Name, repo.Name, wfTreePath, getWorkflowCreateFileOptions(user2, repo.DefaultBranch, "trigger", wfFileContent))
-
-		task := runner.fetchTask(t)
-
-		resp, err := runner.client.runnerServiceClient.UpdateLog(t.Context(), connect.NewRequest(&runnerv1.UpdateLogRequest{
-			TaskId: task.Id,
-			Index:  0,
-			Rows:   nil,
-			NoMore: true,
-		}))
-		require.NoError(t, err)
-		assert.EqualValues(t, 0, resp.Msg.AckIndex)
-
-		freshTask := unittest.AssertExistsAndLoadBean(t, &actions_model.ActionTask{ID: task.Id})
-		require.True(t, freshTask.LogInStorage, "log_in_storage must flip after empty NoMore=true")
-
-		_, err = storage.Actions.Stat(freshTask.LogFilename)
-		assert.NoError(t, err, "archived log must exist in storage")
-
-		_, err = dbfs.Open(t.Context(), actions_module.DBFSPrefix+freshTask.LogFilename)
-		assert.ErrorIs(t, err, os.ErrNotExist, "DBFS row must be cleaned up after TransferLogs")
-
-		// The runner re-sends its final UpdateLog when the response was lost.
-		// A sealed log must ack the re-send and still reject new appended rows.
-		t.Run("re-sent finalize is idempotent", func(t *testing.T) {
-			finalize := &runnerv1.UpdateLogRequest{TaskId: task.Id, Index: 0, Rows: nil, NoMore: true}
-			resp, err := runner.client.runnerServiceClient.UpdateLog(t.Context(), connect.NewRequest(finalize))
-			require.NoError(t, err)
-			assert.EqualValues(t, 0, resp.Msg.AckIndex)
-
-			_, err = runner.client.runnerServiceClient.UpdateLog(t.Context(), connect.NewRequest(&runnerv1.UpdateLogRequest{
-				TaskId: task.Id, Index: 0, Rows: []*runnerv1.LogRow{{Content: "late"}}, NoMore: true,
-			}))
-			require.Error(t, err, "appending rows past the seal must be rejected")
-		})
-	})
-}
@@ -931,76 +931,6 @@ jobs:
 	})
 }

-func TestWorkflowDispatchPublicApiRequiresWorkflowDispatchTrigger(t *testing.T) {
-	onGiteaRun(t, func(t *testing.T, u *url.URL) {
-		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
-		session := loginUser(t, user2.Name)
-		token := getTokenForLoggedInUser(t, session, auth_model.AccessTokenScopeWriteRepository)
-
-		repo, err := repo_service.CreateRepository(t.Context(), user2, user2, repo_service.CreateRepoOptions{
-			Name:          "workflow-dispatch-requires-trigger",
-			Description:   "test workflow dispatch requires workflow_dispatch",
-			AutoInit:      true,
-			Gitignores:    "Go",
-			License:       "MIT",
-			Readme:        "Default",
-			DefaultBranch: "main",
-			IsPrivate:     false,
-		})
-		require.NoError(t, err)
-		require.NotNil(t, repo)
-
-		addWorkflowToBaseResp, err := files_service.ChangeRepoFiles(t.Context(), repo, user2, &files_service.ChangeRepoFilesOptions{
-			Files: []*files_service.ChangeRepoFile{
-				{
-					Operation: "create",
-					TreePath:  ".gitea/workflows/push-only.yml",
-					ContentReader: strings.NewReader(`
-on:
-  push:
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo helloworld
-`),
-				},
-			},
-			Message:   "add workflow",
-			OldBranch: "main",
-			NewBranch: "main",
-			Author: &files_service.IdentityOptions{
-				GitUserName:  user2.Name,
-				GitUserEmail: user2.Email,
-			},
-			Committer: &files_service.IdentityOptions{
-				GitUserName:  user2.Name,
-				GitUserEmail: user2.Email,
-			},
-			Dates: &files_service.CommitDateOptions{
-				Author:    time.Now(),
-				Committer: time.Now(),
-			},
-		})
-		require.NoError(t, err)
-		require.NotNil(t, addWorkflowToBaseResp)
-
-		values := url.Values{}
-		values.Set("ref", "main")
-		req := NewRequestWithURLValues(t, "POST", fmt.Sprintf("/api/v1/repos/%s/actions/workflows/push-only.yml/dispatches", repo.FullName()), values).
-			AddTokenAuth(token)
-		resp := MakeRequest(t, req, http.StatusUnprocessableEntity)
-		apiError := DecodeJSON(t, resp, &api.APIError{})
-		assert.Contains(t, apiError.Message, "has no workflow_dispatch event trigger")
-
-		unittest.AssertNotExistsBean(t, &actions_model.ActionRun{
-			RepoID:     repo.ID,
-			Event:      "workflow_dispatch",
-			WorkflowID: "push-only.yml",
-		})
-	})
-}
-
 func TestWorkflowDispatchPublicApiWithInputs(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, u *url.URL) {
 		user2 := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2})
@@ -140,29 +140,20 @@ func TestPullCreate_EmptyChangesWithDifferentCommits(t *testing.T) {
 func TestPullCreate_EmptyChangesWithSameCommits(t *testing.T) {
 	onGiteaRun(t, func(t *testing.T, u *url.URL) {
 		session := loginUser(t, "user1")
-
-		testCreateBranch(t, session, "user2", "repo1", "branch/master", "empty-pr-branch", http.StatusSeeOther)
-		resp := testPullCreateDirectly(t, session, createPullRequestOptions{
-			BaseRepoOwner: "user2",
-			BaseRepoName:  "repo1",
-			BaseBranch:    "master",
-			HeadBranch:    "empty-pr-branch",
-			Title:         "empty pr test",
-		})
-		prURL := test.RedirectURL(resp)
-
-		// check the "merge box" text
-		req := NewRequest(t, "GET", prURL)
-		resp = session.MakeRequest(t, req, http.StatusOK)
+		testRepoFork(t, session, "user2", "repo1", "user1", "repo1", "")
+		testCreateBranch(t, session, "user1", "repo1", "branch/master", "status1", http.StatusSeeOther)
+		req := NewRequestWithValues(t, "POST", "/user1/repo1/compare/master...status1",
+			map[string]string{
+				"title": "pull request from status1",
+			},
+		)
+		session.MakeRequest(t, req, http.StatusOK)
+		req = NewRequest(t, "GET", "/user1/repo1/pulls/1")
+		resp := session.MakeRequest(t, req, http.StatusOK)
 		doc := NewHTMLParser(t, resp.Body)
+
 		text := strings.TrimSpace(doc.doc.Find(".merge-section").Text())
 		assert.Contains(t, text, "This branch is already included in the target branch. There is nothing to merge.")
-
-		// check the "files" tab content
-		req = NewRequest(t, "GET", prURL+"/files")
-		resp = session.MakeRequest(t, req, http.StatusOK)
-		doc = NewHTMLParser(t, resp.Body)
-		assert.Equal(t, "Diff Content Not Available", strings.TrimSpace(doc.Find("#diff-container").Text()))
 	})
 }

@@ -86,34 +86,3 @@
    max-width: unset;
  }
 }
-
-/* Wikilinks: red links for non-existent pages */
-.wiki .wiki-link-new {
-  color: var(--color-red);
-}
-
-.wiki .wiki-link-new:hover {
-  color: var(--color-red);
-  text-decoration: underline;
-}
-
-/* Wiki inline ToC */
-.wiki .wiki-toc-inline {
-  border: 1px solid var(--color-secondary);
-  border-radius: 4px;
-  padding: 8px 16px;
-  background: var(--color-box-body);
-}
-
-.wiki .wiki-toc-inline summary {
-  cursor: pointer;
-  user-select: none;
-}
-
-/* Sticky sidebar ToC */
-.wiki .wiki-content-toc {
-  position: sticky;
-  top: 16px;
-  max-height: calc(100vh - 100px);
-  overflow-y: auto;
-}