fix(updates): correct dlid prefix and align XML with Joomla standard

- Fix downloadkey prefix: "&dlid=" → "dlid=" (Joomla handles the separator)
- Reorder XML fields to match Akeeba/Joomla convention
- Add sha512 and php_minimum optional fields to update XML struct

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.mokogitea/manifest.xml

@@ -4,13 +4,13 @@
         <name>MokoGitea</name>
         <org>MokoConsulting</org>
         <description>Moko fork of Gitea — adding project board REST API endpoints and custom enhancements</description>
-        <version>05.13.00</version>
+        <version>05.14.00</version>
         <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
     </identity>
     <governance>
         <platform>go</platform>
         <standards-version>05.00.00</standards-version>
-        <standards-source>https://git.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
+        <standards-source>https://code.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
     </governance>
     <build>
         <language>Go</language>

.mokogitea/workflows/auto-bump.yml

@@ -1,66 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.mokogitea/workflows/auto-bump.yml
-# VERSION: 09.02.00
-# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
-
-name: "Universal: Auto Version Bump"
-
-on:
-  push:
-    branches:
-      - dev
-      - rc
-      - 'feature/**'
-      - 'patch/**'
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-permissions:
-  contents: write
-
-jobs:
-  bump:
-    name: Version Bump
-    runs-on: release
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip bump]') &&
-      !startsWith(github.event.head_commit.message, 'Merge pull request')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup moko-platform tools
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          if [ -d "/opt/moko-platform/cli" ]; then
-            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
-          else
-            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
-              /tmp/moko-platform-api
-            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-          fi
-
-      - name: Bump version
-        run: |
-          php ${MOKO_CLI}/version_auto_bump.php \
-            --path . --branch "${GITHUB_REF_NAME}" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"

.mokogitea/workflows/auto-release.yml

@@ -1,270 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 05.00.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
-#
-# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
-# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
-# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
-# |                                                                        |
-# +========================================================================+
-
-name: "Universal: Build & Release"
-
-on:
-  pull_request:
-    types: [opened, closed]
-    branches:
-      - main
-  workflow_dispatch:
-    inputs:
-      action:
-        description: 'Action to perform'
-        required: false
-        type: choice
-        default: release
-        options:
-          - release
-          - promote-rc
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
-  promote-rc:
-    name: Promote to RC
-    runs-on: release
-    if: >-
-      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
-      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-      - name: Rename branch to rc
-        run: |
-          php /tmp/moko-platform-api/cli/branch_rename.php \
-            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
-            --pr "${{ github.event.pull_request.number }}"
-
-      - name: Checkout rc and configure git
-        run: |
-          git fetch origin rc
-          git checkout rc
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-      - name: Publish RC release
-        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability rc --bump minor --branch rc \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-          echo "Branch renamed to rc, minor bump, RC + lesser stream releases built, updates.xml synced" >> $GITHUB_STEP_SUMMARY
-
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
-  release:
-    name: Build & Release Pipeline
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true ||
-      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Configure git for bot pushes
-        run: |
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
-        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-
-      - name: "Publish stable release"
-        run: |
-          php /tmp/moko-platform-api/cli/release_publish.php \
-            --path . --stability stable --bump minor --branch main \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}"
-
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_mirror.php \
-            --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
-            --branch main 2>&1 || true
-          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_MIRROR_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
-
-      - name: "Step 11: Delete rc branch and recreate dev from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          # Delete rc branch (ephemeral — created by promote-rc)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/rc" 2>/dev/null \
-            && echo "Deleted rc branch" || echo "rc branch not found"
-
-          # Delete dev branch
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-
-          # Recreate dev from main (now includes version bump + changelog promotion)
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-
-          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
-
-      - name: "Step 12: Create version branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          BRANCH_NAME="version/${VERSION}"
-          MAIN_SHA=$(git rev-parse HEAD)
-
-          # Delete old version branch if it exists (same version re-release)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-
-          # Create version/XX.YY.ZZ from main
-          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-
-          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
-
-
-
-      # -- Dolibarr post-release: Reset dev version -----------------------------
-      - name: "Post-release: Reset dev version"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/version_reset_dev.php \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
-            --branch dev --path . 2>&1 || true
-
-      # -- Summary --------------------------------------------------------------
-      - name: Pipeline Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-          fi

.mokogitea/workflows/cascade-dev.yml

@@ -1,10 +0,0 @@
-# DISABLED — auto-release Step 11 recreates dev from main after every release.
-# Cascade-dev is redundant and causes version conflicts when both main and dev
-# have different version numbers in templateDetails.xml / manifest.xml.
-name: "Cascade Main → Dev (DISABLED)"
-on: workflow_dispatch
-jobs:
-  noop:
-    runs-on: ubuntu-latest
-    steps:
-      - run: echo "Cascade disabled — auto-release handles dev recreation"

.mokogitea/workflows/issue-branch.yml

@@ -5,7 +5,7 @@
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
-# VERSION: 05.13.00
+# VERSION: 05.14.00
 # BRIEF: Auto-create feature branch when an issue is opened
 
 name: "Universal: Issue Branch"

.mokogitea/workflows/pre-release.yml

@@ -1,233 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 05.01.00
-# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
-
-name: "Universal: Pre-Release"
-
-on:
-  pull_request:
-    types: [closed]
-    branches:
-      - dev
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Pre-release channel'
-        required: true
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - release-candidate
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-jobs:
-  build:
-    name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
-    runs-on: release
-    if: >-
-      github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform-api
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-          echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: |
-          php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve metadata and bump version
-        id: meta
-        run: |
-          STABILITY="${{ inputs.stability || 'development' }}"
-
-          case "$STABILITY" in
-            development)        SUFFIX="-dev";   TAG="development" ;;
-            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)               SUFFIX="-beta";  TAG="beta" ;;
-            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
-          esac
-
-          # Read current version (bump already handled by push workflow)
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
-          [ -z "$VERSION" ] && VERSION="00.00.01"
-
-          # Strip any existing suffix from version before applying stability
-          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
-
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
-
-          # Verify version consistency across all files
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Update VERSION variable with suffix
-          if [ -n "$SUFFIX" ]; then
-            VERSION="${VERSION}${SUFFIX}"
-          fi
-
-          # Commit version bump
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1
-          }
-
-          # Auto-detect element via manifest_element.php
-          php ${MOKO_CLI}/manifest_element.php \
-            --path . --version "$VERSION" --stability "$STABILITY" \
-            --repo "${GITEA_REPO}" --github-output
-
-          # Read back element outputs
-          EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
-          ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
-          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-
-          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
-
-      - name: Create release
-        id: release
-        run: |
-          TAG="${{ steps.meta.outputs.tag }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch dev --prerelease
-
-      - name: Build package and upload
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml -- skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          CURRENT_BRANCH="${{ github.ref_name }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-
-          for BRANCH in main dev; do
-            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
-            echo "Syncing updates.xml -> ${BRANCH}"
-            git fetch origin "${BRANCH}" 2>/dev/null || continue
-            git checkout "origin/${BRANCH}" -- updates.xml 2>/dev/null || continue
-            git checkout "${CURRENT_BRANCH}" -- updates.xml
-            if ! git diff --quiet updates.xml 2>/dev/null; then
-              git add updates.xml
-              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
-              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-            fi
-            git checkout "${CURRENT_BRANCH}" 2>/dev/null
-          done
-
-      - name: "Delete lesser pre-release channels (cascade)"
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          php ${MOKO_CLI}/release_cascade.php \
-            --stability "${{ steps.meta.outputs.stability }}" \
-            --token "${TOKEN}" \
-            --api-base "${API_BASE}"
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-          echo "## Pre-Release Complete" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Channel | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| SHA-256 | \`${SHA256:-n/a}\` |" >> $GITHUB_STEP_SUMMARY

.mokogitea/workflows/update-server.yml

@@ -1,312 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/update-server.yml
-# VERSION: 05.00.00
-# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
-#
-# Thin wrapper around moko-platform CLI tools.
-# Builds packages, updates updates.xml, and optionally deploys via SFTP.
-#
-# Joomla filters update entries by the user's "Minimum Stability" setting.
-
-name: "Update Server"
-
-on:
-  push:
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  pull_request:
-    types: [closed]
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'development'
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - rc
-          - stable
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  update-xml:
-    name: Update Server
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          # Always fetch latest CLI tools — never use stale cache from previous runs
-          rm -rf /tmp/moko-platform
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform 2>/dev/null || true
-          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
-            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve stability and bump version
-        id: meta
-        run: |
-          BRANCH="${{ github.ref_name }}"
-
-          # Configure git for bot pushes
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-          # Auto-bump patch version
-          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
-
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
-
-          # Strip any existing suffix before applying stability
-          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
-
-          # Determine stability from branch or manual input
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          elif [[ "$BRANCH" == rc/* ]]; then
-            STABILITY="rc"
-          elif [[ "$BRANCH" == beta/* ]]; then
-            STABILITY="beta"
-          elif [[ "$BRANCH" == alpha/* ]]; then
-            STABILITY="alpha"
-          else
-            STABILITY="development"
-          fi
-
-          # Version suffix per stability stream
-          case "$STABILITY" in
-            development) SUFFIX="-dev";  TAG="development" ;;
-            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)        SUFFIX="-beta";  TAG="beta" ;;
-            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
-            *)           SUFFIX="";       TAG="stable" ;;
-          esac
-
-          # Propagate version with stability suffix to all manifest files
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Re-read version (now includes suffix from version_set_platform)
-          if [ -n "$SUFFIX" ]; then
-            VERSION="${VERSION}${SUFFIX}"
-          fi
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
-
-          # Commit version bump if changed
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push
-          }
-
-      - name: Create release and upload package
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Create or update Gitea release
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
-
-          # Build package and upload
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml — skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push updates.xml
-          git add updates.xml
-          git diff --cached --quiet || {
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push
-          }
-
-      - name: Sync updates.xml to main
-        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-
-          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
-            python3 -c "
-          import base64, json, urllib.request, sys
-          with open('updates.xml', 'rb') as f:
-              content = base64.b64encode(f.read()).decode()
-          payload = json.dumps({
-              'content': content,
-              'sha': '${FILE_SHA}',
-              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
-              'branch': 'main'
-          }).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/contents/updates.xml',
-              data=payload, method='PUT',
-              headers={
-                  'Authorization': 'token ${GITEA_TOKEN}',
-                  'Content-Type': 'application/json'
-              })
-          try:
-              urllib.request.urlopen(req)
-              print('updates.xml synced to main')
-          except Exception as e:
-              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
-          "
-          fi
-
-      - name: SFTP deploy to dev server
-        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
-        env:
-          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
-          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
-          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
-          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
-          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
-          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-        run: |
-          # Permission check: admin or maintain role required
-          ACTOR="${{ github.actor }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
-          case "$PERMISSION" in
-            admin|maintain|write) ;;
-            *)
-              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
-              exit 0
-              ;;
-          esac
-
-          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
-
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && exit 0
-
-          PORT="${DEV_PORT:-22}"
-          REMOTE="${DEV_PATH%/}"
-          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
-          if [ -n "$DEV_KEY" ]; then
-            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
-          fi
-
-          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          fi
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          DISPLAY="${{ steps.meta.outputs.display_version }}"
-          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY

models/licenses/license_key.go

@@ -24,16 +24,19 @@ type LicenseKey struct {
 	ID                int64              `xorm:"pk autoincr"`
 	PackageID         int64              `xorm:"INDEX NOT NULL"`           // FK to license_package
 	OwnerID           int64              `xorm:"INDEX NOT NULL"`           // org or user that issued it
-	KeyHash           string             `xorm:"UNIQUE NOT NULL"`          // SHA-256 of the raw key
+	KeyHash           string             `xorm:"UNIQUE NOT NULL"`          // SHA-256 of the raw key (for fast lookup)
+	KeyRaw            string             `xorm:"TEXT"`                     // plaintext key (viewable by admins)
 	KeyPrefix         string             `xorm:"NOT NULL"`                 // first 8 chars for display
 	LicenseeName      string             `xorm:""`                         // customer name
 	LicenseeEmail     string             `xorm:""`                         // customer email
 	DomainRestriction string             `xorm:"TEXT"`                     // comma-separated allowed domains
 	MaxSites          int                `xorm:"NOT NULL DEFAULT 0"`       // 0 = use package default
+	PaymentRef        string             `xorm:"UNIQUE"`                   // idempotency key from payment system
 	IsInternal        bool               `xorm:"NOT NULL DEFAULT false"`   // true = base org/repo key
 	IsActive          bool               `xorm:"NOT NULL DEFAULT true"`
 	StartsUnix        timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // custom start, 0 = creation
 	ExpiresUnix       timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // 0 = never
+	LastHeartbeatUnix timeutil.TimeStamp `xorm:"NOT NULL DEFAULT 0"`      // last successful validation
 	CreatedUnix       timeutil.TimeStamp `xorm:"INDEX CREATED"`
 	UpdatedUnix       timeutil.TimeStamp `xorm:"UPDATED"`
 }
@@ -58,8 +61,7 @@ func HashKey(rawKey string) string {
 	return hex.EncodeToString(h[:])
 }
 
-// CreateLicenseKey generates a new key, hashes it, stores it, and returns the raw key.
-// The raw key is only available at creation time.
+// CreateLicenseKey generates a new key, stores it in plaintext and hashed, and returns the raw key.
 func CreateLicenseKey(ctx context.Context, key *LicenseKey) (rawKey string, err error) {
 	rawKey, err = GenerateKeyString()
 	if err != nil {
@@ -67,6 +69,7 @@ func CreateLicenseKey(ctx context.Context, key *LicenseKey) (rawKey string, err
 	}
 
 	key.KeyHash = HashKey(rawKey)
+	key.KeyRaw = rawKey
 	key.KeyPrefix = rawKey[:12] + "..."
 
 	if _, err := db.GetEngine(ctx).Insert(key); err != nil {
@@ -75,6 +78,19 @@ func CreateLicenseKey(ctx context.Context, key *LicenseKey) (rawKey string, err
 	return rawKey, nil
 }
 
+// CreateLicenseKeyCustom stores a key with a user-provided raw key string.
+func CreateLicenseKeyCustom(ctx context.Context, key *LicenseKey, rawKey string) error {
+	key.KeyHash = HashKey(rawKey)
+	key.KeyRaw = rawKey
+	if len(rawKey) > 12 {
+		key.KeyPrefix = rawKey[:12] + "..."
+	} else {
+		key.KeyPrefix = rawKey
+	}
+	_, err := db.GetEngine(ctx).Insert(key)
+	return err
+}
+
 // GetLicenseKeyByHash looks up a key by its SHA-256 hash.
 func GetLicenseKeyByHash(ctx context.Context, hash string) (*LicenseKey, error) {
 	key := new(LicenseKey)
@@ -113,6 +129,22 @@ func ListLicenseKeysByPackage(ctx context.Context, packageID int64) ([]*LicenseK
 	return keys, db.GetEngine(ctx).Where("package_id = ?", packageID).Find(&keys)
 }
 
+// GetLicenseKeyByPaymentRef looks up a key by its payment reference (idempotency).
+func GetLicenseKeyByPaymentRef(ctx context.Context, paymentRef string) (*LicenseKey, error) {
+	if paymentRef == "" {
+		return nil, db.ErrNotExist{Resource: "LicenseKey"}
+	}
+	key := new(LicenseKey)
+	has, err := db.GetEngine(ctx).Where("payment_ref = ?", paymentRef).Get(key)
+	if err != nil {
+		return nil, err
+	}
+	if !has {
+		return nil, db.ErrNotExist{Resource: "LicenseKey"}
+	}
+	return key, nil
+}
+
 // CountKeysByPackage returns the number of keys for a package.
 func CountKeysByPackage(ctx context.Context, packageID int64) (int64, error) {
 	return db.GetEngine(ctx).Where("package_id = ?", packageID).Count(new(LicenseKey))
@@ -124,6 +156,28 @@ func UpdateLicenseKey(ctx context.Context, key *LicenseKey) error {
 	return err
 }
 
+// DeleteLicenseKey permanently removes a license key by ID.
+func DeleteLicenseKey(ctx context.Context, id int64) error {
+	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicenseKey))
+	return err
+}
+
+// DeleteExpiredKeys removes keys that expired more than the given duration ago.
+func DeleteExpiredKeys(ctx context.Context, olderThanDays int) (int64, error) {
+	cutoff := timeutil.TimeStampNow() - timeutil.TimeStamp(int64(olderThanDays)*86400)
+	return db.GetEngine(ctx).
+		Where("expires_unix > 0 AND expires_unix < ? AND is_internal = ?", cutoff, false).
+		Delete(new(LicenseKey))
+}
+
+// TouchHeartbeat updates the last heartbeat timestamp for a key.
+func TouchHeartbeat(ctx context.Context, keyID int64) error {
+	_, err := db.GetEngine(ctx).ID(keyID).
+		Cols("last_heartbeat_unix").
+		Update(&LicenseKey{LastHeartbeatUnix: timeutil.TimeStampNow()})
+	return err
+}
+
 // DeleteLicenseKey deletes a license key by ID.
 func DeleteLicenseKey(ctx context.Context, id int64) error {
 	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicenseKey))
@@ -132,7 +186,11 @@ func DeleteLicenseKey(ctx context.Context, id int64) error {
 
 // ValidateLicenseKey validates a raw key string against the database.
 // Returns the key record and its associated package, or an error.
-func ValidateLicenseKey(ctx context.Context, rawKey string) (*LicenseKey, *LicensePackage, error) {
+// The domain parameter is optional — when provided, it is checked against
+// the key's DomainRestriction list and the MaxSites limit.
+// On first heartbeat with a domain, if no DomainRestriction is set, the domain
+// is automatically associated as the key's restriction (lock-on-first-use).
+func ValidateLicenseKey(ctx context.Context, rawKey, domain string) (*LicenseKey, *LicensePackage, error) {
 	hash := HashKey(rawKey)
 	key, err := GetLicenseKeyByHash(ctx, hash)
 	if err != nil {
@@ -160,5 +218,103 @@ func ValidateLicenseKey(ctx context.Context, rawKey string) (*LicenseKey, *Licen
 		return nil, nil, fmt.Errorf("license package is deactivated")
 	}
 
+	// Domain restriction check — skip for internal/master keys.
+	if domain != "" && !key.IsInternal {
+		if key.DomainRestriction != "" {
+			allowed := false
+			for _, d := range strings.Split(key.DomainRestriction, ",") {
+				if strings.EqualFold(strings.TrimSpace(d), domain) {
+					allowed = true
+					break
+				}
+			}
+			if !allowed {
+				return nil, nil, fmt.Errorf("domain not allowed for this license key")
+			}
+		} else {
+			// No domain restriction set — auto-associate on first heartbeat.
+			// Append this domain to the restriction list, enforcing max_sites.
+			maxSites := key.MaxSites
+			if maxSites == 0 {
+				maxSites = pkg.MaxSites
+			}
+			domainKnown, _ := IsDomainKnownForKey(ctx, key.ID, domain)
+			if !domainKnown {
+				if maxSites > 0 {
+					uniqueDomains, err := CountUniqueDomainsByKey(ctx, key.ID)
+					if err != nil {
+						return nil, nil, fmt.Errorf("failed to count domains: %w", err)
+					}
+					if uniqueDomains >= int64(maxSites) {
+						return nil, nil, fmt.Errorf("site limit reached (%d/%d)", uniqueDomains, maxSites)
+					}
+				}
+				// Append this domain to the key's restriction list.
+				_ = updateDomainRestriction(ctx, key.ID, domain)
+				if key.DomainRestriction == "" {
+					key.DomainRestriction = domain
+				} else {
+					key.DomainRestriction = key.DomainRestriction + "," + domain
+				}
+			}
+		}
+
+		// Site limit check: use key's MaxSites, fall back to package default.
+		maxSites := key.MaxSites
+		if maxSites == 0 {
+			maxSites = pkg.MaxSites
+		}
+		if maxSites > 0 {
+			uniqueDomains, err := CountUniqueDomainsByKey(ctx, key.ID)
+			if err != nil {
+				return nil, nil, fmt.Errorf("failed to count domains: %w", err)
+			}
+			// Allow if this domain is already recorded, or if under the limit.
+			domainKnown, _ := IsDomainKnownForKey(ctx, key.ID, domain)
+			if !domainKnown && uniqueDomains >= int64(maxSites) {
+				return nil, nil, fmt.Errorf("site limit reached (%d/%d)", uniqueDomains, maxSites)
+			}
+		}
+	}
+
 	return key, pkg, nil
 }
+
+// updateDomainRestriction appends a domain to a key's DomainRestriction field in the DB.
+func updateDomainRestriction(ctx context.Context, keyID int64, domain string) error {
+	key, err := GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		return err
+	}
+	if key.DomainRestriction == "" {
+		key.DomainRestriction = domain
+	} else {
+		key.DomainRestriction = key.DomainRestriction + "," + domain
+	}
+	_, err = db.GetEngine(ctx).ID(keyID).Cols("domain_restriction").Update(key)
+	return err
+}
+
+// RenewLicenseKey extends the expiration of a key by the given number of days
+// from the current expiry (or from now if already expired/no expiry set).
+func RenewLicenseKey(ctx context.Context, keyID int64, days int) error {
+	key, err := GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		return err
+	}
+
+	now := timeutil.TimeStampNow()
+	var base timeutil.TimeStamp
+	if key.ExpiresUnix > 0 && key.ExpiresUnix > now {
+		// Key still valid — extend from current expiry.
+		base = key.ExpiresUnix
+	} else {
+		// Key expired or has no expiry — extend from now.
+		base = now
+	}
+
+	key.ExpiresUnix = base + timeutil.TimeStamp(int64(days)*86400)
+	key.IsActive = true
+	_, err = db.GetEngine(ctx).ID(keyID).Cols("expires_unix", "is_active").Update(key)
+	return err
+}

models/licenses/license_key_usage.go

@@ -47,3 +47,19 @@ func GetRecentUsage(ctx context.Context, keyID int64, limit int) ([]*LicenseKeyU
 func CountUsageByKey(ctx context.Context, keyID int64) (int64, error) {
 	return db.GetEngine(ctx).Where("key_id = ?", keyID).Count(new(LicenseKeyUsage))
 }
+
+// CountUniqueDomainsByKey returns the number of distinct domains that have used a key.
+func CountUniqueDomainsByKey(ctx context.Context, keyID int64) (int64, error) {
+	count, err := db.GetEngine(ctx).
+		Where("key_id = ? AND domain != ''", keyID).
+		Distinct("domain").
+		Count(new(LicenseKeyUsage))
+	return count, err
+}
+
+// IsDomainKnownForKey checks whether a specific domain has already been recorded for a key.
+func IsDomainKnownForKey(ctx context.Context, keyID int64, domain string) (bool, error) {
+	return db.GetEngine(ctx).
+		Where("key_id = ? AND domain = ?", keyID, domain).
+		Exist(new(LicenseKeyUsage))
+}

models/licenses/license_package.go

@@ -83,6 +83,11 @@ func UpdateLicensePackage(ctx context.Context, pkg *LicensePackage) error {
 	return err
 }
 
+// CountOrgPackages returns the number of license packages for an organization.
+func CountOrgPackages(ctx context.Context, orgID int64) (int64, error) {
+	return db.GetEngine(ctx).Where("owner_id = ?", orgID).Count(new(LicensePackage))
+}
+
 // DeleteLicensePackage deletes a license package by ID.
 func DeleteLicensePackage(ctx context.Context, id int64) error {
 	_, err := db.GetEngine(ctx).ID(id).Delete(new(LicensePackage))

models/licenses/update_stream_config.go

@@ -24,6 +24,9 @@ type UpdateStreamConfig struct {
 	OwnerID     int64              `xorm:"INDEX NOT NULL"`         // org or user
 	RepoID      int64              `xorm:"INDEX NOT NULL DEFAULT 0"` // 0 = org-level default
 	StreamMode  string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, custom
+	Platform    string             `xorm:"NOT NULL DEFAULT 'joomla'"` // joomla, dolibarr, both
+	LicensingEnabled bool          `xorm:"NOT NULL DEFAULT false"`    // master toggle for licensing system
+	RequireKey  bool               `xorm:"NOT NULL DEFAULT false"`    // require license key for update feed
 	// CustomStreams is a JSON array of stream definitions.
 	// Each entry: {"name":"lts","suffix":"-lts","description":"Long-term support"}
 	CustomStreams string            `xorm:"TEXT"`

models/migrations/migrations.go

@@ -414,6 +414,8 @@ func prepareMigrationTasks() []*migration {
 		newMigration(334, "Add actions user whitelist to protected branches", v1_27.AddActionsUserWhitelistToProtectedBranch),
 		newMigration(335, "Add license key tables for update server", v1_27.AddLicenseKeyTables),
 		newMigration(336, "Add update stream config table", v1_27.AddUpdateStreamConfigTable),
+		newMigration(337, "Add key_plain column to license_key", v1_27.AddKeyPlainToLicenseKey),
+		newMigration(338, "Add platform and require_key to update_stream_config", v1_27.AddPlatformAndRequireKeyToStreamConfig),
 	}
 	return preparedMigrations
 }

models/migrations/v1_27/v337.go

@@ -0,0 +1,20 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import "xorm.io/xorm"
+
+type licenseKey337 struct {
+	ID       int64  `xorm:"pk autoincr"`
+	KeyPlain string `xorm:""`
+}
+
+func (licenseKey337) TableName() string {
+	return "license_key"
+}
+
+// AddKeyPlainToLicenseKey adds the key_plain column to license_key table.
+func AddKeyPlainToLicenseKey(x *xorm.Engine) error {
+	return x.Sync(new(licenseKey337))
+}

models/migrations/v1_27/v338.go

@@ -0,0 +1,22 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import "xorm.io/xorm"
+
+type updateStreamConfig338 struct {
+	ID         int64  `xorm:"pk autoincr"`
+	Platform   string `xorm:"NOT NULL DEFAULT 'joomla'"`
+	RequireKey bool   `xorm:"NOT NULL DEFAULT false"`
+}
+
+func (updateStreamConfig338) TableName() string {
+	return "update_stream_config"
+}
+
+// AddPlatformAndRequireKeyToStreamConfig adds platform and require_key
+// columns to update_stream_config.
+func AddPlatformAndRequireKeyToStreamConfig(x *xorm.Engine) error {
+	return x.Sync(new(updateStreamConfig338))
+}

models/organization/team_list.go

@@ -31,6 +31,11 @@ func (t TeamList) UnitMaxAccess(tp unit.Type) perm.AccessMode {
 		if team.IsOwnerTeam() {
 			return perm.AccessModeOwner
 		}
+		// Admin-level teams implicitly have admin access to all units,
+		// even units added after the team was created (no TeamUnit record needed).
+		if team.HasAdminAccess() && maxAccess < perm.AccessModeAdmin {
+			maxAccess = perm.AccessModeAdmin
+		}
 		for _, teamUnit := range team.Units {
 			if teamUnit.Type != tp {
 				continue

models/organization/team_repo.go

@@ -52,7 +52,7 @@ func RemoveTeamRepo(ctx context.Context, teamID, repoID int64) error {
 
 // GetTeamsWithAccessToAnyRepoUnit returns all teams in an organization that have given access level to the repository special unit.
 // This function is only used for finding some teams that can be used as branch protection allowlist or reviewers, it isn't really used for access control.
-// FIXME: TEAM-UNIT-PERMISSION this logic is not complete, search the fixme keyword to see more details
+// Note: admin-level teams (authorize >= Admin) implicitly have access to all units.
 func GetTeamsWithAccessToAnyRepoUnit(ctx context.Context, orgID, repoID int64, mode perm.AccessMode, unitType unit.Type, unitTypesMore ...unit.Type) (teams []*Team, err error) {
 	teamIDs, err := getTeamIDsWithAccessToAnyRepoUnit(ctx, orgID, repoID, mode, unitType, unitTypesMore...)
 	if err != nil {

models/unit/unit.go

@@ -33,9 +33,7 @@ const (
 	TypeProjects        // 8 Projects
 	TypePackages        // 9 Packages
 	TypeActions         // 10 Actions
-
-	// FIXME: TEAM-UNIT-PERMISSION: the team unit "admin" permission's design is not right, when a new unit is added in the future,
-	// admin team won't inherit the correct admin permission for the new unit, need to have a complete fix before adding any new unit.
+	TypeLicenses        // 11 Licenses
 )
 
 // Value returns integer value for unit type (used by template)
@@ -65,6 +63,7 @@ var (
 		TypeProjects,
 		TypePackages,
 		TypeActions,
+		TypeLicenses,
 	}
 
 	// DefaultRepoUnits contains the default unit types
@@ -328,6 +327,15 @@ var (
 		perm.AccessModeOwner,
 	}
 
+	UnitLicenses = Unit{
+		TypeLicenses,
+		"repo.licenses",
+		"/licenses",
+		"repo.licenses.desc",
+		8,
+		perm.AccessModeOwner,
+	}
+
 	// Units contains all the units
 	Units = map[Type]Unit{
 		TypeCode:            UnitCode,
@@ -340,6 +348,7 @@ var (
 		TypeProjects:        UnitProjects,
 		TypePackages:        UnitPackages,
 		TypeActions:         UnitActions,
+		TypeLicenses:        UnitLicenses,
 	}
 )
 

modules/structs/license_key.go

@@ -60,6 +60,8 @@ type LicenseKey struct {
 	// swagger:strfmt date-time
 	ExpiresAt *time.Time `json:"expires_at"`
 	// swagger:strfmt date-time
+	LastHeartbeat *time.Time `json:"last_heartbeat,omitempty"`
+	// swagger:strfmt date-time
 	Created time.Time `json:"created_at"`
 }
 
@@ -93,6 +95,32 @@ type EditLicenseKeyOption struct {
 	ExpiresAt         *time.Time `json:"expires_at"`
 }
 
+// PurchaseLicenseKeyOption options for purchasing a license key via webhook.
+type PurchaseLicenseKeyOption struct {
+	PackageID    int64  `json:"package_id" binding:"Required"`
+	LicenseeName string `json:"licensee_name"`
+	LicenseeEmail string `json:"licensee_email"`
+	Domain       string `json:"domain"`
+	PaymentRef   string `json:"payment_ref"`
+}
+
+// ValidateLicenseKeyOption options for validating a license key.
+type ValidateLicenseKeyOption struct {
+	Key    string `json:"key" binding:"Required"`
+	Domain string `json:"domain"`
+}
+
+// ValidateLicenseKeyResponse is the response from license key validation.
+type ValidateLicenseKeyResponse struct {
+	Valid       bool       `json:"valid"`
+	Message     string     `json:"message,omitempty"`
+	PackageName string     `json:"package_name,omitempty"`
+	Channels    string     `json:"channels,omitempty"`
+	ExpiresAt   *time.Time `json:"expires_at,omitempty"`
+	SitesUsed   int64      `json:"sites_used"`
+	MaxSites    int        `json:"max_sites"`
+}
+
 // LicenseKeyUsage represents a usage tracking entry.
 type LicenseKeyUsage struct {
 	ID          int64  `json:"id"`

options/locale/locale_en-US.json

@@ -2147,7 +2147,16 @@
   "repo.settings.unit_visibility": "Visibility",
   "repo.settings.unit_visibility_private": "Private (follow repo visibility)",
   "repo.settings.unit_visibility_public": "Public (anyone can read)",
-  "repo.settings.unit_visibility_releases_help": "Update feeds (updates.xml, dolibarr.json) are always accessible regardless of this setting. Set to Public to also show the releases page to anonymous visitors.",
+  "repo.settings.unit_visibility_releases_help": "Controls whether the releases page is visible to anonymous visitors.",
+  "repo.settings.licensing_section": "Licensing & Updates",
+  "repo.settings.licensing_section_desc": "Manage commercial license keys and gated update feeds for this repository. When enabled, the Licenses tab appears and release tags must follow update stream naming.",
+  "repo.settings.update_platform": "Update Feed Format",
+  "repo.settings.update_platform_both": "Both (Joomla + Dolibarr)",
+  "repo.settings.update_platform_help": "Choose which update feed format to generate. All formats support license key validation.",
+  "repo.settings.require_update_key": "Require license key for update feeds",
+  "repo.settings.require_update_key_help": "When enabled, update feeds return empty results unless a valid license key is provided. Joomla clients will see a Download Key field in Update Sites.",
+  "repo.settings.enable_licensing": "Enable licensing for this repository",
+  "repo.settings.enable_licensing_help": "Show the Licenses tab and enable license key management for this repository.",
   "repo.settings.packages_desc": "Enable Repository Packages Registry",
   "repo.settings.projects_desc": "Enable Projects",
   "repo.settings.projects_mode_desc": "Projects Mode (which kinds of projects to show)",
@@ -2626,7 +2635,7 @@
   "repo.licenses.active": "Active",
   "repo.licenses.inactive": "Inactive",
   "repo.licenses.none": "No License Packages",
-  "repo.licenses.none_desc": "License packages can be created via the API to gate access to update streams.",
+  "repo.licenses.none_desc": "Create a license package to start managing keys and gating update feeds.",
   "repo.licenses.issued_keys": "Issued Keys",
   "repo.licenses.key_prefix": "Key",
   "repo.licenses.licensee": "Licensee",
@@ -2635,17 +2644,51 @@
   "repo.licenses.new_package": "New Package",
   "repo.licenses.description": "Description",
   "repo.licenses.max_sites": "Max Sites",
-  "repo.licenses.channels_help": "Comma-separated channel names (e.g. stable,release-candidate). Leave empty for all channels.",
-  "repo.licenses.create_package": "Create Package",
+  "repo.licenses.channels_help": "Select which update channels this package grants access to. Leave all unchecked for all channels.",
+  "repo.licenses.create_package": "Create License Package",
+  "repo.licenses.create_new_package": "Create New License Package",
   "repo.licenses.package_created": "License package created successfully.",
   "repo.licenses.generate_key": "Generate Key",
   "repo.licenses.key_created": "License Key Created",
-  "repo.licenses.key_created_copy": "Copy this key now. It will not be shown again.",
+  "repo.licenses.key_created_copy": "Your new license key is shown below. You can also view and copy it from the keys table at any time.",
   "repo.licenses.revoke": "Revoke",
+  "repo.licenses.edit_package": "Edit License Package",
+  "repo.licenses.delete_package": "Delete Package",
+  "repo.licenses.package_updated": "License package updated.",
+  "repo.licenses.package_deleted": "License package deleted.",
   "repo.licenses.key_revoked": "License key revoked.",
   "repo.licenses.master_key_created": "Master License Key Created",
   "repo.licenses.master_key_created_copy": "This is your organization master key with unlimited access to all update channels. Copy it now — it will not be shown again.",
   "repo.licenses.update_feeds": "Update Feed URLs",
+  "repo.licenses.edit_key": "Edit License Key",
+  "repo.licenses.licensee_name": "Licensee Name",
+  "repo.licenses.licensee_email": "Licensee Email",
+  "repo.licenses.domain_restriction": "Domain Restriction",
+  "repo.licenses.domain_restriction_help": "Comma-separated list of allowed domains. Leave empty for no restriction.",
+  "repo.licenses.use_package_default": "use package default",
+  "repo.licenses.expires_at": "Expires At",
+  "repo.licenses.expires_at_help": "Leave empty for no expiry (lifetime).",
+  "repo.licenses.key_updated": "License key updated.",
+  "repo.licenses.last_seen": "Last Seen",
+  "repo.licenses.confirm_delete_package": "Delete this package? This action cannot be undone.",
+  "repo.licenses.confirm_revoke_key": "Revoke this license key? The licensee will immediately lose access to update feeds.",
+  "repo.licenses.feed_joomla_xml": "Joomla XML",
+  "repo.licenses.feed_dolibarr_json": "Dolibarr JSON",
+  "repo.licenses.feed_joomla_updates": "Joomla updates.xml",
+  "repo.licenses.feed_dolibarr_updates": "Dolibarr JSON",
+  "repo.licenses.master_label": "Master",
+  "repo.licenses.unlimited": "unlimited",
+  "repo.licenses.active_help_package": "Deactivating blocks new key creation and disables all issued keys.",
+  "repo.licenses.active_help_key": "Deactivating immediately blocks update feed access for this licensee.",
+  "repo.licenses.renew": "Renew",
+  "repo.licenses.key_renewed": "License key renewed for %d days.",
+  "repo.licenses.confirm_renew_key": "Renew this license key? The expiration will be extended by the package duration.",
+  "repo.licenses.desc": "License packages and keys for gating update feeds.",
+  "repo.licenses.custom_key_placeholder": "Custom key (optional)",
+  "repo.licenses.custom_key_help": "Leave empty to auto-generate. Site admins and org owners can set a custom key value.",
+  "repo.licenses.delete_key": "Delete Key",
+  "repo.licenses.confirm_delete_key": "Permanently delete this license key? This cannot be undone.",
+  "repo.licenses.key_deleted": "License key deleted.",
   "repo.release.draft": "Draft",
   "repo.release.prerelease": "Pre-Release",
   "repo.release.stable": "Stable",
@@ -2787,6 +2830,26 @@
   "org.form.create_org_not_allowed": "You are not allowed to create an organization.",
   "org.settings": "Settings",
   "org.settings.options": "Organization",
+  "org.settings.update_streams": "Licensing & Update Streams",
+  "org.settings.licensing": "Licensing",
+  "org.settings.licensing_desc": "Control commercial license key management and gated update feeds across all repositories in this organization.",
+  "org.settings.enable_licensing": "Enable licensing for this organization",
+  "org.settings.enable_licensing_help": "Show the Licenses page in the org menu and enable license key management. Individual repos can also enable licensing independently.",
+  "org.settings.require_key": "Require license key for all update feeds",
+  "org.settings.require_key_help": "Update feeds return empty results unless a valid key is provided. Joomla clients will see a Download Key field. Individual repos can override this.",
+  "org.settings.update_streams_heading": "Update Streams",
+  "org.settings.update_streams_desc": "Configure the default update streams for all repositories. Release tags are matched to streams by their suffix. Repos can override with per-repo settings.",
+  "org.settings.stream_mode": "Stream Mode",
+  "org.settings.stream_mode_joomla": "Standard Joomla streams (stable, release-candidate, beta, alpha, development)",
+  "org.settings.stream_mode_custom": "Custom streams (define your own channels and tag patterns)",
+  "org.settings.default_streams": "Active Streams",
+  "org.settings.stream_name": "Channel",
+  "org.settings.stream_suffix": "Tag Suffix",
+  "org.settings.no_suffix": "none (stable)",
+  "org.settings.streams_tag_help": "When licensing is active, release tags with prerelease suffixes must match one of the streams above (e.g. v1.0.0-rc1 matches the -rc stream).",
+  "org.settings.custom_streams": "Custom Stream Definitions (JSON)",
+  "org.settings.custom_streams_help": "JSON array of stream objects. Each needs: name, suffix, description. Example: [{\"name\":\"lts\",\"suffix\":\"-lts\",\"description\":\"Long-term support\"}]",
+  "org.settings.update_streams_saved": "Settings saved.",
   "org.settings.full_name": "Full Name",
   "org.settings.email": "Contact Email Address",
   "org.settings.website": "Website",

routers/api/v1/api.go

@@ -1351,11 +1351,14 @@ func Routes() *web.Router {
 					m.Combo("").Get(repo.ListLicensePackages).
 						Post(bind(api.CreateLicensePackageOption{}), repo.CreateLicensePackage)
 				}, reqToken(), reqAdmin())
+				m.Post("/license-keys/validate", bind(api.ValidateLicenseKeyOption{}), repo.ValidateLicenseKey)
 				m.Group("/license-keys", func() {
 					m.Combo("").Get(repo.ListLicenseKeys).
 						Post(bind(api.CreateLicenseKeyOption{}), repo.CreateLicenseKey)
+					m.Post("/purchase", bind(api.PurchaseLicenseKeyOption{}), repo.PurchaseLicenseKey)
 					m.Group("/{id}", func() {
 						m.Delete("", repo.DeleteLicenseKey)
+						m.Patch("", bind(api.EditLicenseKeyOption{}), repo.EditLicenseKey)
 						m.Get("/usage", repo.GetLicenseKeyUsage)
 					})
 				}, reqToken(), reqAdmin())

routers/api/v1/repo/license_key.go

@@ -52,6 +52,10 @@ func toLicenseKeyAPI(key *licenses.LicenseKey) *structs.LicenseKey {
 		t := time.Unix(int64(key.ExpiresUnix), 0)
 		lk.ExpiresAt = &t
 	}
+	if key.LastHeartbeatUnix > 0 {
+		t := time.Unix(int64(key.LastHeartbeatUnix), 0)
+		lk.LastHeartbeat = &t
+	}
 	return lk
 }
 
@@ -161,6 +165,100 @@ func CreateLicenseKey(ctx *context.APIContext) {
 	ctx.JSON(http.StatusCreated, resp)
 }
 
+// EditLicenseKey edits a license key via API.
+func EditLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.EditLicenseKeyOption)
+	keyID := ctx.PathParamInt64("id")
+
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.APIErrorNotFound(err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.APIError(http.StatusForbidden, "master keys cannot be edited")
+		return
+	}
+
+	if form.LicenseeName != nil {
+		key.LicenseeName = *form.LicenseeName
+	}
+	if form.LicenseeEmail != nil {
+		key.LicenseeEmail = *form.LicenseeEmail
+	}
+	if form.DomainRestriction != nil {
+		key.DomainRestriction = *form.DomainRestriction
+	}
+	if form.MaxSites != nil {
+		key.MaxSites = *form.MaxSites
+	}
+	if form.IsActive != nil {
+		key.IsActive = *form.IsActive
+	}
+	if form.ExpiresAt != nil {
+		key.ExpiresUnix = timeutil.TimeStamp(form.ExpiresAt.Unix())
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	ctx.JSON(http.StatusOK, toLicenseKeyAPI(key))
+}
+
+// PurchaseLicenseKey handles purchase webhook — creates a key from a payment event.
+func PurchaseLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.PurchaseLicenseKeyOption)
+
+	// Idempotency check: if payment_ref already exists, return existing key.
+	if form.PaymentRef != "" {
+		existing, err := licenses.GetLicenseKeyByPaymentRef(ctx, form.PaymentRef)
+		if err == nil {
+			resp := &structs.LicenseKeyCreated{
+				LicenseKey: *toLicenseKeyAPI(existing),
+				RawKey:     "", // raw key not available after creation
+			}
+			ctx.JSON(http.StatusOK, resp)
+			return
+		}
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, form.PackageID)
+	if err != nil {
+		ctx.APIErrorNotFound(err)
+		return
+	}
+
+	key := &licenses.LicenseKey{
+		PackageID:         form.PackageID,
+		OwnerID:           ctx.Repo.Repository.OwnerID,
+		LicenseeName:      form.LicenseeName,
+		LicenseeEmail:     form.LicenseeEmail,
+		DomainRestriction: form.Domain,
+		PaymentRef:        form.PaymentRef,
+		IsActive:          true,
+	}
+
+	if pkg.DurationDays > 0 {
+		expires := time.Now().AddDate(0, 0, pkg.DurationDays)
+		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
+	}
+
+	rawKey, err := licenses.CreateLicenseKey(ctx, key)
+	if err != nil {
+		ctx.APIErrorInternal(err)
+		return
+	}
+
+	resp := &structs.LicenseKeyCreated{
+		LicenseKey: *toLicenseKeyAPI(key),
+		RawKey:     rawKey,
+	}
+	ctx.JSON(http.StatusCreated, resp)
+}
+
 // DeleteLicenseKey deletes a license key.
 func DeleteLicenseKey(ctx *context.APIContext) {
 	if err := licenses.DeleteLicenseKey(ctx, ctx.PathParamInt64("id")); err != nil {
@@ -170,6 +268,44 @@ func DeleteLicenseKey(ctx *context.APIContext) {
 	ctx.Status(http.StatusNoContent)
 }
 
+// ValidateLicenseKey validates a license key — public endpoint (no auth required).
+func ValidateLicenseKey(ctx *context.APIContext) {
+	form := web.GetForm(ctx).(*structs.ValidateLicenseKeyOption)
+
+	key, pkg, err := licenses.ValidateLicenseKey(ctx, form.Key, form.Domain)
+	if err != nil {
+		ctx.JSON(http.StatusOK, &structs.ValidateLicenseKeyResponse{
+			Valid:   false,
+			Message: err.Error(),
+		})
+		return
+	}
+
+	_ = licenses.TouchHeartbeat(ctx, key.ID)
+
+	var expiresAt *time.Time
+	if key.ExpiresUnix > 0 {
+		t := time.Unix(int64(key.ExpiresUnix), 0)
+		expiresAt = &t
+	}
+
+	maxSites := key.MaxSites
+	if maxSites == 0 {
+		maxSites = pkg.MaxSites
+	}
+
+	sitesUsed, _ := licenses.CountUniqueDomainsByKey(ctx, key.ID)
+
+	ctx.JSON(http.StatusOK, &structs.ValidateLicenseKeyResponse{
+		Valid:       true,
+		PackageName: pkg.Name,
+		Channels:    pkg.AllowedChannels,
+		ExpiresAt:   expiresAt,
+		SitesUsed:   sitesUsed,
+		MaxSites:    maxSites,
+	})
+}
+
 // GetLicenseKeyUsage returns usage logs for a license key.
 func GetLicenseKeyUsage(ctx *context.APIContext) {
 	usages, err := licenses.GetRecentUsage(ctx, ctx.PathParamInt64("id"), 100)

routers/web/org/home.go

@@ -9,6 +9,7 @@ import (
 	"strings"
 
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/organization"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/renderhelper"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
@@ -107,6 +108,13 @@ func home(ctx *context.Context, viewRepositories bool) {
 	ctx.Data["Teams"] = ctx.Org.Teams
 	ctx.Data["IsOrganizationMember"] = ctx.Org.IsMember
 	ctx.Data["IsOrganizationOwner"] = ctx.Org.IsOwner
+
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, ctx.Org.Organization.ID)
+	ctx.Data["OrgLicensingEnabled"] = orgCfg != nil && orgCfg.LicensingEnabled
+	if orgCfg != nil && orgCfg.LicensingEnabled {
+		numPkgs, _ := licenses_model.CountOrgPackages(ctx, ctx.Org.Organization.ID)
+		ctx.Data["NumOrgLicensePackages"] = numPkgs
+	}
 	ctx.Data["IsPublicMember"] = func(uid int64) bool {
 		return membersIsPublic[uid]
 	}

routers/web/org/licenses.go

@@ -6,9 +6,13 @@ package org
 import (
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm"
+	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
@@ -16,6 +20,27 @@ import (
 
 const tplOrgLicenses templates.TplName = "org/licenses"
 
+// parseOrgAllowedChannels splits an AllowedChannels string (CSV or JSON array) into a slice.
+func parseOrgAllowedChannels(s string) []string {
+	if s == "" {
+		return nil
+	}
+	if strings.HasPrefix(s, "[") {
+		var parsed []string
+		if err := json.Unmarshal([]byte(s), &parsed); err == nil {
+			return parsed
+		}
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if t := strings.TrimSpace(p); t != "" {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
 // LicensePackageDisplay is used in templates.
 type LicensePackageDisplay struct {
 	*licenses.LicensePackage
@@ -31,8 +56,10 @@ func Licenses(ctx *context.Context) {
 	org := ctx.Org.Organization
 	ownerID := org.ID
 
-	// Auto-create master key if org owner.
-	if ctx.Org.IsOwner {
+	canWriteLicenses := ctx.Org.Organization.UnitPermission(ctx, ctx.Doer, unit_model.TypeLicenses) >= perm.AccessModeWrite || ctx.IsUserSiteAdmin()
+
+	// Auto-create master key if has write access.
+	if canWriteLicenses {
 		newMasterKey, err := licenses.EnsureMasterKey(ctx, ownerID)
 		if err != nil {
 			ctx.ServerError("EnsureMasterKey", err)
@@ -66,7 +93,17 @@ func Licenses(ctx *context.Context) {
 		return
 	}
 	ctx.Data["LicenseKeys"] = keys
-	ctx.Data["IsRepoAdmin"] = ctx.Org.IsOwner
+	ctx.Data["IsRepoAdmin"] = canWriteLicenses
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+	ctx.Data["IsOrganizationOwner"] = ctx.Org.IsOwner
+	ctx.Data["OrgLicensingEnabled"] = true
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
 
 	ctx.HTML(http.StatusOK, tplOrgLicenses)
 }
@@ -83,13 +120,20 @@ func LicensesCreatePackage(ctx *context.Context) {
 	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
 	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
 
+	channels := ctx.Req.Form["allowed_channels"]
+	var allowedChannels string
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		allowedChannels = string(data)
+	}
+
 	pkg := &licenses.LicensePackage{
 		OwnerID:         ctx.Org.Organization.ID,
 		Name:            name,
 		Description:     ctx.FormString("description"),
 		DurationDays:    durationDays,
 		MaxSites:        maxSites,
-		AllowedChannels: ctx.FormString("allowed_channels"),
+		AllowedChannels: allowedChannels,
 		RepoScope:       "all",
 		IsActive:        true,
 	}
@@ -129,10 +173,21 @@ func LicensesGenerateKey(ctx *context.Context) {
 		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
 	}
 
-	rawKey, err := licenses.CreateLicenseKey(ctx, key)
-	if err != nil {
-		ctx.ServerError("CreateLicenseKey", err)
-		return
+	// Site admins and org owners can manually set a custom key.
+	var rawKey string
+	customKey := strings.TrimSpace(ctx.FormString("custom_key"))
+	if customKey != "" && (ctx.IsUserSiteAdmin() || ctx.Org.IsOwner) {
+		if err := licenses.CreateLicenseKeyCustom(ctx, key, customKey); err != nil {
+			ctx.ServerError("CreateLicenseKeyCustom", err)
+			return
+		}
+		rawKey = customKey
+	} else {
+		rawKey, err = licenses.CreateLicenseKey(ctx, key)
+		if err != nil {
+			ctx.ServerError("CreateLicenseKey", err)
+			return
+		}
 	}
 
 	// Re-render with the new key shown.
@@ -156,9 +211,185 @@ func LicensesGenerateKey(ctx *context.Context) {
 	keys, _ := licenses.ListLicenseKeys(ctx, ownerID)
 	ctx.Data["LicenseKeys"] = keys
 
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
 	ctx.HTML(http.StatusOK, tplOrgLicenses)
 }
 
+const tplOrgLicensesEditPackage templates.TplName = "org/licenses_edit_package"
+const tplOrgLicensesEditKey templates.TplName = "repo/licenses_edit_key"
+
+// LicensesEditPackage shows the edit form for an org license package.
+func LicensesEditPackage(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_package")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Package"] = pkg
+	ctx.Data["SelectedChannels"] = parseOrgAllowedChannels(pkg.AllowedChannels)
+
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ctx.Org.Organization.ID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicensesEditPackage)
+}
+
+// LicensesEditPackagePost saves edits to an org license package.
+func LicensesEditPackagePost(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	pkg.Name = ctx.FormString("name")
+	pkg.Description = ctx.FormString("description")
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	pkg.DurationDays = durationDays
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	pkg.MaxSites = maxSites
+
+	channels := ctx.Req.Form["allowed_channels"]
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		pkg.AllowedChannels = string(data)
+	} else {
+		pkg.AllowedChannels = ""
+	}
+
+	pkg.IsActive = ctx.FormString("is_active") == "on"
+
+	if err := licenses.UpdateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("UpdateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_updated"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesDeletePackage deletes an org license package. Site admin only.
+func LicensesDeletePackage(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be deleted")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+	if err := licenses.DeleteLicensePackage(ctx, pkgID); err != nil {
+		ctx.ServerError("DeleteLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_deleted"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesEditKey shows the edit form for an org license key.
+func LicensesEditKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_key")
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Key"] = key
+	ctx.Data["FormAction"] = ctx.Org.OrgLink + "/-/licenses/keys/" + strconv.FormatInt(key.ID, 10) + "/edit"
+	ctx.Data["BackLink"] = ctx.Org.OrgLink + "/-/licenses"
+
+	if key.ExpiresUnix > 0 {
+		ctx.Data["ExpiresDate"] = time.Unix(int64(key.ExpiresUnix), 0).Format("2006-01-02")
+	}
+
+	ctx.HTML(http.StatusOK, tplOrgLicensesEditKey)
+}
+
+// LicensesEditKeyPost saves edits to an org license key.
+func LicensesEditKeyPost(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+		return
+	}
+
+	key.LicenseeName = ctx.FormString("licensee_name")
+	key.LicenseeEmail = ctx.FormString("licensee_email")
+	key.DomainRestriction = ctx.FormString("domain_restriction")
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	key.MaxSites = maxSites
+	key.IsActive = ctx.FormString("is_active") == "on"
+
+	expiresStr := ctx.FormString("expires_at")
+	if expiresStr != "" {
+		t, err := time.Parse("2006-01-02", expiresStr)
+		if err == nil {
+			key.ExpiresUnix = timeutil.TimeStamp(t.Unix())
+		}
+	} else {
+		key.ExpiresUnix = 0
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_updated"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
 // LicensesRevokeKey handles POST to revoke an org license key.
 func LicensesRevokeKey(ctx *context.Context) {
 	keyID := ctx.PathParamInt64("id")
@@ -177,3 +408,47 @@ func LicensesRevokeKey(ctx *context.Context) {
 	ctx.Flash.Success(ctx.Tr("repo.licenses.key_revoked"))
 	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
 }
+
+// LicensesRenewKey extends a license key's expiration by the package's duration.
+func LicensesRenewKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, key.PackageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	days := pkg.DurationDays
+	if days == 0 {
+		days = 365 // default to 1 year for lifetime packages
+	}
+
+	if err := licenses.RenewLicenseKey(ctx, keyID, days); err != nil {
+		ctx.ServerError("RenewLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_renewed", days))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}
+
+// LicensesDeleteKey permanently deletes a license key. Site admin only.
+func LicensesDeleteKey(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	keyID := ctx.PathParamInt64("id")
+	if err := licenses.DeleteLicenseKey(ctx, keyID); err != nil {
+		ctx.ServerError("DeleteLicenseKey", err)
+		return
+	}
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_deleted"))
+	ctx.Redirect(ctx.Org.OrgLink + "/-/licenses")
+}

routers/web/org/teams.go

@@ -324,19 +324,9 @@ func NewTeam(ctx *context.Context) {
 	ctx.HTML(http.StatusOK, tplTeamNew)
 }
 
-// FIXME: TEAM-UNIT-PERMISSION: this design is not right, when a new unit is added in the future,
-// The existing teams won't inherit the correct admin permission for the new unit.
-// The full history is like this:
-// 1. There was only "team", no "team unit", so "team.authorize" was used to determine the team permission.
-// 2. Later, "team unit" was introduced, then the usage of "team.authorize" became inconsistent, and causes various bugs.
-//   - Sometimes, "team.authorize" is used to determine the team permission, e.g. admin, owner
-//   - Sometimes, "team unit" is used not really used and "team unit" is used.
-//   - Some functions like `GetTeamsWithAccessToAnyRepoUnit` use both.
-//
-// 3. After introducing "team unit" and more unclear changes, it becomes difficult to maintain team permissions.
-//   - Org owner need to click the permission for each unit, but can't just set a common "write" permission for all units.
-//
-// Ideally, "team.authorize=write" should mean the team has write access to all units including newly (future) added ones.
+// getUnitPerms parses the unit permission form values for a team.
+// Note: admin teams (team.authorize >= Admin) implicitly have admin access to
+// all units via UnitMaxAccess(), so explicit TeamUnit records are supplementary.
 func getUnitPerms(forms url.Values, teamPermission perm.AccessMode) map[unit_model.Type]perm.AccessMode {
 	unitPerms := make(map[unit_model.Type]perm.AccessMode)
 	for _, ut := range unit_model.AllRepoUnitTypes {

routers/web/org/update_streams.go

@@ -0,0 +1,59 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	"net/http"
+
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+const tplSettingsUpdateStreams templates.TplName = "org/settings/update_streams"
+
+// SettingsUpdateStreams shows the org-level update stream settings.
+func SettingsUpdateStreams(ctx *context.Context) {
+	ctx.Data["Title"] = ctx.Tr("org.settings.update_streams")
+	ctx.Data["PageIsOrgSettings"] = true
+	ctx.Data["PageIsSettingsUpdateStreams"] = true
+
+	orgID := ctx.Org.Organization.ID
+
+	cfg, err := licenses.GetOrgConfig(ctx, orgID)
+	if err != nil {
+		ctx.ServerError("GetOrgConfig", err)
+		return
+	}
+	ctx.Data["StreamConfig"] = cfg
+	ctx.Data["EffectiveStreams"] = cfg.GetActiveStreams()
+
+	ctx.HTML(http.StatusOK, tplSettingsUpdateStreams)
+}
+
+// SettingsUpdateStreamsPost saves the org-level update stream settings.
+func SettingsUpdateStreamsPost(ctx *context.Context) {
+	orgID := ctx.Org.Organization.ID
+
+	cfg := &licenses.UpdateStreamConfig{
+		OwnerID:          orgID,
+		RepoID:           0,
+		StreamMode:       ctx.FormString("stream_mode"),
+		CustomStreams:     ctx.FormString("custom_streams"),
+		LicensingEnabled: ctx.FormString("licensing_enabled") == "on",
+		RequireKey:       ctx.FormString("require_key") == "on",
+	}
+
+	if cfg.StreamMode == "" {
+		cfg.StreamMode = "joomla"
+	}
+
+	if err := licenses.SaveConfig(ctx, cfg); err != nil {
+		ctx.ServerError("SaveConfig", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("org.settings.update_streams_saved"))
+	ctx.Redirect(ctx.Org.OrgLink + "/settings/update-streams")
+}

routers/web/repo/licenses.go

@@ -6,9 +6,12 @@ package repo
 import (
 	"net/http"
 	"strconv"
+	"strings"
 	"time"
 
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/json"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/templates"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/timeutil"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
@@ -16,6 +19,27 @@ import (
 
 const tplLicenses templates.TplName = "repo/licenses"
 
+// parseAllowedChannels splits an AllowedChannels string (CSV or JSON array) into a slice.
+func parseAllowedChannels(s string) []string {
+	if s == "" {
+		return nil
+	}
+	if strings.HasPrefix(s, "[") {
+		var parsed []string
+		if err := json.Unmarshal([]byte(s), &parsed); err == nil {
+			return parsed
+		}
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		if t := strings.TrimSpace(p); t != "" {
+			result = append(result, t)
+		}
+	}
+	return result
+}
+
 // LicensePackageDisplay is used in templates.
 type LicensePackageDisplay struct {
 	*licenses.LicensePackage
@@ -28,12 +52,14 @@ func Licenses(ctx *context.Context) {
 	ctx.Data["Title"] = ctx.Tr("repo.licenses")
 	ctx.Data["PageIsLicenses"] = true
 	ctx.Data["IsLicensesPage"] = true
-	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.IsAdmin()
+	canWriteLicenses := ctx.Repo.Permission.CanWrite(unit_model.TypeLicenses) || ctx.IsUserSiteAdmin()
+	ctx.Data["IsRepoAdmin"] = canWriteLicenses
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
 
 	ownerID := ctx.Repo.Repository.OwnerID
 
 	// Auto-create master package + key if admin and none exist.
-	if ctx.Repo.Permission.IsAdmin() {
+	if canWriteLicenses {
 		newMasterKey, err := licenses.EnsureMasterKey(ctx, ownerID)
 		if err != nil {
 			ctx.ServerError("EnsureMasterKey", err)
@@ -68,6 +94,14 @@ func Licenses(ctx *context.Context) {
 	}
 	ctx.Data["LicenseKeys"] = keys
 
+	// Load available streams for the channels multiselect.
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
 	ctx.HTML(http.StatusOK, tplLicenses)
 }
 
@@ -83,13 +117,20 @@ func LicensesCreatePackage(ctx *context.Context) {
 	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
 	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
 
+	channels := ctx.Req.Form["allowed_channels"]
+	var allowedChannels string
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		allowedChannels = string(data)
+	}
+
 	pkg := &licenses.LicensePackage{
 		OwnerID:         ctx.Repo.Repository.OwnerID,
 		Name:            name,
 		Description:     ctx.FormString("description"),
 		DurationDays:    durationDays,
 		MaxSites:        maxSites,
-		AllowedChannels: ctx.FormString("allowed_channels"),
+		AllowedChannels: allowedChannels,
 		RepoScope:       "all",
 		IsActive:        true,
 	}
@@ -130,16 +171,28 @@ func LicensesGenerateKey(ctx *context.Context) {
 		key.ExpiresUnix = timeutil.TimeStamp(expires.Unix())
 	}
 
-	rawKey, err := licenses.CreateLicenseKey(ctx, key)
-	if err != nil {
-		ctx.ServerError("CreateLicenseKey", err)
-		return
+	// Site admins and org owners can manually set a custom key.
+	var rawKey string
+	customKey := strings.TrimSpace(ctx.FormString("custom_key"))
+	if customKey != "" && (ctx.IsUserSiteAdmin() || ctx.Repo.Permission.IsOwner()) {
+		if err := licenses.CreateLicenseKeyCustom(ctx, key, customKey); err != nil {
+			ctx.ServerError("CreateLicenseKeyCustom", err)
+			return
+		}
+		rawKey = customKey
+	} else {
+		rawKey, err = licenses.CreateLicenseKey(ctx, key)
+		if err != nil {
+			ctx.ServerError("CreateLicenseKey", err)
+			return
+		}
 	}
 
 	ctx.Data["Title"] = ctx.Tr("repo.licenses")
 	ctx.Data["PageIsLicenses"] = true
 	ctx.Data["IsLicensesPage"] = true
-	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.IsAdmin()
+	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.CanWrite(unit_model.TypeLicenses) || ctx.IsUserSiteAdmin()
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
 	ctx.Data["NewKeyCreated"] = rawKey
 
 	// Re-render the page with the new key displayed.
@@ -158,6 +211,13 @@ func LicensesGenerateKey(ctx *context.Context) {
 	keys, _ := licenses.ListLicenseKeys(ctx, ownerID)
 	ctx.Data["LicenseKeys"] = keys
 
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
 	ctx.HTML(http.StatusOK, tplLicenses)
 }
 
@@ -179,3 +239,219 @@ func LicensesRevokeKey(ctx *context.Context) {
 	ctx.Flash.Success(ctx.Tr("repo.licenses.key_revoked"))
 	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
 }
+
+const tplLicensesEditPackage templates.TplName = "repo/licenses_edit_package"
+const tplLicensesEditKey templates.TplName = "repo/licenses_edit_key"
+
+// LicensesEditKey shows the edit form for a license key.
+func LicensesEditKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_key")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Key"] = key
+	ctx.Data["FormAction"] = ctx.Repo.RepoLink + "/licenses/keys/" + strconv.FormatInt(key.ID, 10) + "/edit"
+	ctx.Data["BackLink"] = ctx.Repo.RepoLink + "/licenses"
+
+	if key.ExpiresUnix > 0 {
+		ctx.Data["ExpiresDate"] = time.Unix(int64(key.ExpiresUnix), 0).Format("2006-01-02")
+	}
+
+	ctx.HTML(http.StatusOK, tplLicensesEditKey)
+}
+
+// LicensesEditKeyPost saves edits to a license key.
+func LicensesEditKeyPost(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	if key.IsInternal {
+		ctx.Flash.Error("Master keys cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	key.LicenseeName = ctx.FormString("licensee_name")
+	key.LicenseeEmail = ctx.FormString("licensee_email")
+	key.DomainRestriction = ctx.FormString("domain_restriction")
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	key.MaxSites = maxSites
+	key.IsActive = ctx.FormString("is_active") == "on"
+
+	expiresStr := ctx.FormString("expires_at")
+	if expiresStr != "" {
+		t, err := time.Parse("2006-01-02", expiresStr)
+		if err == nil {
+			key.ExpiresUnix = timeutil.TimeStamp(t.Unix())
+		}
+	} else {
+		key.ExpiresUnix = 0
+	}
+
+	if err := licenses.UpdateLicenseKey(ctx, key); err != nil {
+		ctx.ServerError("UpdateLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_updated"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesEditPackage shows the edit form for a license package.
+func LicensesEditPackage(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	ctx.Data["Title"] = ctx.Tr("repo.licenses.edit_package")
+	ctx.Data["PageIsLicenses"] = true
+	ctx.Data["IsLicensesPage"] = true
+	ctx.Data["Package"] = pkg
+	ctx.Data["SelectedChannels"] = parseAllowedChannels(pkg.AllowedChannels)
+
+	ownerID := ctx.Repo.Repository.OwnerID
+	orgCfg, _ := licenses.GetOrgConfig(ctx, ownerID)
+	if orgCfg != nil {
+		ctx.Data["AvailableStreams"] = orgCfg.GetActiveStreams()
+	} else {
+		ctx.Data["AvailableStreams"] = licenses.DefaultJoomlaStreams()
+	}
+
+	ctx.HTML(http.StatusOK, tplLicensesEditPackage)
+}
+
+// LicensesEditPackagePost saves edits to a license package.
+func LicensesEditPackagePost(ctx *context.Context) {
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be edited")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+
+	pkg.Name = ctx.FormString("name")
+	pkg.Description = ctx.FormString("description")
+	durationDays, _ := strconv.Atoi(ctx.FormString("duration_days"))
+	pkg.DurationDays = durationDays
+	maxSites, _ := strconv.Atoi(ctx.FormString("max_sites"))
+	pkg.MaxSites = maxSites
+
+	channels := ctx.Req.Form["allowed_channels"]
+	if len(channels) > 0 {
+		data, _ := json.Marshal(channels)
+		pkg.AllowedChannels = string(data)
+	} else {
+		pkg.AllowedChannels = ""
+	}
+
+	pkg.IsActive = ctx.FormString("is_active") == "on"
+
+	if err := licenses.UpdateLicensePackage(ctx, pkg); err != nil {
+		ctx.ServerError("UpdateLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_updated"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesDeletePackage deletes a license package. Site admin only.
+func LicensesDeletePackage(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	pkgID := ctx.PathParamInt64("id")
+	pkg, err := licenses.GetLicensePackageByID(ctx, pkgID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+	if pkg.Name == licenses.MasterPackageName {
+		ctx.Flash.Error("Master package cannot be deleted")
+		ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+		return
+	}
+	if err := licenses.DeleteLicensePackage(ctx, pkgID); err != nil {
+		ctx.ServerError("DeleteLicensePackage", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.package_deleted"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesRenewKey extends a license key's expiration by the package's duration.
+func LicensesRenewKey(ctx *context.Context) {
+	keyID := ctx.PathParamInt64("id")
+	key, err := licenses.GetLicenseKeyByID(ctx, keyID)
+	if err != nil {
+		ctx.ServerError("GetLicenseKeyByID", err)
+		return
+	}
+
+	pkg, err := licenses.GetLicensePackageByID(ctx, key.PackageID)
+	if err != nil {
+		ctx.ServerError("GetLicensePackageByID", err)
+		return
+	}
+
+	days := pkg.DurationDays
+	if days == 0 {
+		days = 365 // default to 1 year for lifetime packages
+	}
+
+	if err := licenses.RenewLicenseKey(ctx, keyID, days); err != nil {
+		ctx.ServerError("RenewLicenseKey", err)
+		return
+	}
+
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_renewed", days))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}
+
+// LicensesDeleteKey permanently deletes a license key. Site admin only.
+func LicensesDeleteKey(ctx *context.Context) {
+	if !ctx.IsUserSiteAdmin() {
+		ctx.NotFound(nil)
+		return
+	}
+	keyID := ctx.PathParamInt64("id")
+	if err := licenses.DeleteLicenseKey(ctx, keyID); err != nil {
+		ctx.ServerError("DeleteLicenseKey", err)
+		return
+	}
+	ctx.Flash.Success(ctx.Tr("repo.licenses.key_deleted"))
+	ctx.Redirect(ctx.Repo.RepoLink + "/licenses")
+}

routers/web/repo/setting/setting.go

@@ -12,6 +12,7 @@ import (
 
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/organization"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/perm"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	unit_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/unit"
@@ -100,6 +101,8 @@ func SettingsCtxData(ctx *context.Context) {
 
 // Settings show a repository's settings page
 func Settings(ctx *context.Context) {
+	repoCfg, _ := licenses_model.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+	ctx.Data["RepoUpdateConfig"] = repoCfg
 	ctx.HTML(http.StatusOK, tplSettingsOptions)
 }
 
@@ -672,6 +675,23 @@ func handleSettingsPostAdvanced(ctx *context.Context) {
 			return
 		}
 	}
+	// Save update server platform and require-key settings.
+	updatePlatform := form.UpdatePlatform
+	if updatePlatform == "" {
+		updatePlatform = "joomla"
+	}
+	updateCfg := &licenses_model.UpdateStreamConfig{
+		OwnerID:          repo.OwnerID,
+		RepoID:           repo.ID,
+		Platform:         updatePlatform,
+		LicensingEnabled: form.EnableLicensing,
+		RequireKey:       form.RequireUpdateKey,
+		StreamMode:       "joomla", // inherit org default
+	}
+	if err := licenses_model.SaveConfig(ctx, updateCfg); err != nil {
+		log.Error("SaveConfig: %v", err)
+	}
+
 	log.Trace("Repository advanced settings updated: %s/%s", ctx.Repo.Owner.Name, repo.Name)
 
 	ctx.Flash.Success(ctx.Tr("repo.settings.update_settings_success"))

routers/web/repo/updateserver.go

@@ -21,23 +21,34 @@ func validateUpdateKey(ctx *context.Context) (allowedChannels []string, ok bool)
 	if rawKey == "" {
 		rawKey = ctx.FormString("download_key")
 	}
+	if rawKey == "" {
+		rawKey = ctx.FormString("dlid")
+	}
 
 	if rawKey == "" {
-		// No key provided — allow public access (all channels).
+		// Check if this repo requires a key for update feed access.
+		repoCfg, _ := licenses.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+		if repoCfg != nil && repoCfg.RequireKey {
+			// Key required but not provided — return empty.
+			return nil, false
+		}
+		// No key required — allow public access (all channels).
 		return nil, true
 	}
 
-	key, pkg, err := licenses.ValidateLicenseKey(ctx, rawKey)
+	domain := ctx.FormString("domain")
+	key, pkg, err := licenses.ValidateLicenseKey(ctx, rawKey, domain)
 	if err != nil {
 		log.Debug("License key validation failed: %v", err)
 		return nil, false
 	}
 
-	// Record usage.
+	// Update heartbeat and record usage.
+	_ = licenses.TouchHeartbeat(ctx, key.ID)
 	_ = licenses.RecordUsage(ctx, &licenses.LicenseKeyUsage{
 		KeyID:       key.ID,
 		RepoID:      ctx.Repo.Repository.ID,
-		Domain:      ctx.FormString("domain"),
+		Domain:      domain,
 		IPAddress:   ctx.RemoteAddr(),
 		UserAgent:   ctx.Req.UserAgent(),
 		VersionFrom: ctx.FormString("version"),
@@ -70,6 +81,13 @@ func validateUpdateKey(ctx *context.Context) (allowedChannels []string, ok bool)
 // ServeUpdatesXML generates and serves a Joomla-compatible updates.xml
 // from the repository's releases.
 func ServeUpdatesXML(ctx *context.Context) {
+	// Block if platform doesn't include joomla.
+	platform := ctx.Data["RepoUpdatePlatform"]
+	if platform == "dolibarr" {
+		ctx.NotFound(nil)
+		return
+	}
+
 	allowedChannels, ok := validateUpdateKey(ctx)
 	if !ok {
 		// Return empty updates XML for invalid keys (Joomla-compatible).
@@ -79,7 +97,11 @@ func ServeUpdatesXML(ctx *context.Context) {
 		return
 	}
 
-	xmlData, err := updateserver.GenerateJoomlaXML(ctx, ctx.Repo.Repository, allowedChannels...)
+	// Check if this repo requires a license key for update feed access.
+	repoCfg, _ := licenses.GetRepoConfig(ctx, ctx.Repo.Repository.ID)
+	requireKey := repoCfg != nil && repoCfg.RequireKey
+
+	xmlData, err := updateserver.GenerateJoomlaXML(ctx, ctx.Repo.Repository, requireKey, allowedChannels...)
 	if err != nil {
 		ctx.ServerError("GenerateJoomlaXML", err)
 		return
@@ -91,9 +113,26 @@ func ServeUpdatesXML(ctx *context.Context) {
 }
 
 // ServeDolibarrJSON generates and serves a Dolibarr-compatible update feed
-// from the repository's releases.
+// from the repository's releases. Uses the same license key validation as the
+// Joomla XML feed — all platforms share the same licensing system.
 func ServeDolibarrJSON(ctx *context.Context) {
-	data, err := updateserver.GenerateDolibarrJSON(ctx, ctx.Repo.Repository)
+	// Block if platform doesn't include dolibarr.
+	platform := ctx.Data["RepoUpdatePlatform"]
+	if platform == "joomla" || platform == "" {
+		ctx.NotFound(nil)
+		return
+	}
+
+	allowedChannels, ok := validateUpdateKey(ctx)
+	if !ok {
+		// Return empty updates for invalid keys.
+		ctx.Resp.Header().Set("Content-Type", "application/json; charset=utf-8")
+		ctx.Resp.WriteHeader(http.StatusOK)
+		_, _ = ctx.Resp.Write([]byte(`{"module":"","updates":[]}`))
+		return
+	}
+
+	data, err := updateserver.GenerateDolibarrJSON(ctx, ctx.Repo.Repository, allowedChannels...)
 	if err != nil {
 		ctx.ServerError("GenerateDolibarrJSON", err)
 		return

routers/web/web.go

@@ -1057,6 +1057,11 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 					m.Get("", org.BlockedUsers)
 					m.Post("", web.Bind(forms.BlockUserForm{}), org.BlockedUsersPost)
 				})
+
+				m.Group("/update-streams", func() {
+					m.Get("", org.SettingsUpdateStreams)
+					m.Post("", org.SettingsUpdateStreamsPost)
+				})
 			}, ctxDataSet("EnableOAuth2", setting.OAuth2.Enabled, "EnablePackages", setting.Packages.Enabled, "PageIsOrgSettings", true))
 		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireOwner: true}))
 	}, reqSignIn)
@@ -1101,10 +1106,19 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 
 		m.Group("/licenses", func() {
 			m.Get("", org.Licenses)
-			m.Post("/packages", org.LicensesCreatePackage)
-			m.Post("/keys/generate", org.LicensesGenerateKey)
-			m.Post("/keys/{id}/revoke", org.LicensesRevokeKey)
-		})
+			m.Group("", func() {
+				m.Post("/packages", org.LicensesCreatePackage)
+				m.Get("/packages/{id}/edit", org.LicensesEditPackage)
+				m.Post("/packages/{id}/edit", org.LicensesEditPackagePost)
+				m.Post("/packages/{id}/delete", org.LicensesDeletePackage)
+				m.Post("/keys/generate", org.LicensesGenerateKey)
+				m.Get("/keys/{id}/edit", org.LicensesEditKey)
+				m.Post("/keys/{id}/edit", org.LicensesEditKeyPost)
+				m.Post("/keys/{id}/revoke", org.LicensesRevokeKey)
+				m.Post("/keys/{id}/renew", org.LicensesRenewKey)
+				m.Post("/keys/{id}/delete", org.LicensesDeleteKey)
+			}, reqUnitAccess(unit.TypeLicenses, perm.AccessModeWrite, true))
+		}, reqUnitAccess(unit.TypeLicenses, perm.AccessModeRead, true))
 
 		m.Get("/repositories", org.Repositories)
 		m.Get("/heatmap", user.DashboardHeatmap)
@@ -1509,11 +1523,20 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 	// end "/{username}/{reponame}": update server
 
 	// "/{username}/{reponame}": licenses page
+	// Note: page visibility is controlled by LicensingEnabled (org config).
+	// Write permissions are checked in handlers via CanWrite(TypeLicenses).
 	m.Group("/{username}/{reponame}/licenses", func() {
 		m.Get("", repo.Licenses)
 		m.Post("/packages", repo.LicensesCreatePackage)
+		m.Get("/packages/{id}/edit", repo.LicensesEditPackage)
+		m.Post("/packages/{id}/edit", repo.LicensesEditPackagePost)
+		m.Post("/packages/{id}/delete", repo.LicensesDeletePackage)
 		m.Post("/keys/generate", repo.LicensesGenerateKey)
+		m.Get("/keys/{id}/edit", repo.LicensesEditKey)
+		m.Post("/keys/{id}/edit", repo.LicensesEditKeyPost)
 		m.Post("/keys/{id}/revoke", repo.LicensesRevokeKey)
+		m.Post("/keys/{id}/renew", repo.LicensesRenewKey)
+		m.Post("/keys/{id}/delete", repo.LicensesDeleteKey)
 	}, optSignIn, context.RepoAssignment)
 	// end "/{username}/{reponame}": licenses
 

services/context/repo.go

@@ -606,13 +606,27 @@ func repoAssignmentPrepareTemplateData(ctx *Context, data *repoAssignmentPrepare
 		return
 	}
 
-	// Check if license packages exist for this repo's owner (enables Licenses tab).
+	// Check if licensing is enabled for this repo/org.
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+	repoUpdateCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+	licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+		(repoUpdateCfg != nil && repoUpdateCfg.LicensingEnabled)
+
 	numLicensePackages, _ := db.Count[licenses_model.LicensePackage](ctx, licenses_model.FindLicensePackageOptions{
 		OwnerID: repo.OwnerID,
 	})
 	ctx.Data["NumLicensePackages"] = numLicensePackages
-	ctx.Data["EnableLicenses"] = numLicensePackages > 0
+	ctx.Data["EnableLicenses"] = licensingEnabled || numLicensePackages > 0
+	ctx.Data["LicensingEnabled"] = licensingEnabled
 	ctx.Data["IsRepoAdmin"] = ctx.Repo.Permission.IsAdmin()
+	ctx.Data["IsSiteAdmin"] = ctx.IsUserSiteAdmin()
+
+	// Load repo update config for platform-aware UI.
+	if repoUpdateCfg != nil {
+		ctx.Data["RepoUpdatePlatform"] = repoUpdateCfg.Platform
+	} else {
+		ctx.Data["RepoUpdatePlatform"] = "joomla"
+	}
 
 	ctx.Data["Title"] = repo.Owner.Name + "/" + repo.Name
 	ctx.Data["PageTitleCommon"] = repo.Name + " - " + setting.AppName

services/cron/tasks_basic.go

@@ -9,9 +9,11 @@ import (
 
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/webhook"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/git/gitcmd"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/log"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/updatechecker"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/auth"
@@ -158,6 +160,24 @@ func registerCleanupPackages() {
 	})
 }
 
+func registerCleanupExpiredLicenseKeys() {
+	RegisterTaskFatal("cleanup_expired_license_keys", &BaseConfig{
+		Enabled:    true,
+		RunAtStart: false,
+		Schedule:   "@weekly",
+	}, func(ctx context.Context, _ *user_model.User, config Config) error {
+		// Delete non-internal keys that expired more than 365 days ago.
+		deleted, err := licenses_model.DeleteExpiredKeys(ctx, 365)
+		if err != nil {
+			return err
+		}
+		if deleted > 0 {
+			log.Info("Cleaned up %d expired license keys (expired >1 year)", deleted)
+		}
+		return nil
+	})
+}
+
 func registerSyncRepoLicenses() {
 	RegisterTaskFatal("sync_repo_licenses", &BaseConfig{
 		Enabled:    false,
@@ -185,6 +205,7 @@ func initBasicTasks() {
 		registerCleanupPackages()
 	}
 	registerSyncRepoLicenses()
+	registerCleanupExpiredLicenseKeys()
 	if setting.UpdateChecker.Enabled {
 		registerUpdateChecker()
 	}

services/forms/repo_form.go

@@ -133,6 +133,9 @@ type RepoSettingForm struct {
 
 	EnableReleases     bool
 	ReleasesVisibility string
+	UpdatePlatform     string
+	RequireUpdateKey   bool
+	EnableLicensing    bool
 
 	EnablePackages     bool
 

services/release/release.go

@@ -11,6 +11,7 @@ import (
 
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
 	git_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/git"
+	licenses_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
 	user_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/user"
 	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/container"
@@ -166,6 +167,64 @@ func createTag(ctx context.Context, gitRepo *git.Repository, rel *repo_model.Rel
 }
 
 // CreateRelease creates a new release of repository.
+// ErrTagDoesNotMatchStream indicates a tag doesn't match any configured update stream.
+type ErrTagDoesNotMatchStream struct {
+	TagName string
+}
+
+func (e ErrTagDoesNotMatchStream) Error() string {
+	return fmt.Sprintf("tag %q does not match any configured update stream", e.TagName)
+}
+
+// validateTagAgainstStreams checks that a release tag follows the update stream
+// naming convention when licensing is active. Tags must start with a version
+// prefix (v1.0.0) and any suffix must match a configured stream (e.g. -rc, -beta).
+// When licensing is disabled, any tag is allowed.
+func validateTagAgainstStreams(ctx context.Context, rel *repo_model.Release) error {
+	if rel.IsDraft || rel.IsTag {
+		return nil // drafts and lightweight tags are not validated
+	}
+
+	// Load the repo to get the owner ID.
+	repo, err := repo_model.GetRepositoryByID(ctx, rel.RepoID)
+	if err != nil {
+		return nil // non-fatal, skip validation
+	}
+
+	// Check if licensing is enabled at org or repo level.
+	orgCfg, _ := licenses_model.GetOrgConfig(ctx, repo.OwnerID)
+	repoCfg, _ := licenses_model.GetRepoConfig(ctx, repo.ID)
+	licensingEnabled := (orgCfg != nil && orgCfg.LicensingEnabled) ||
+		(repoCfg != nil && repoCfg.LicensingEnabled)
+
+	if !licensingEnabled {
+		return nil // licensing off — any tag is fine
+	}
+
+	// Check that the tag contains a stream-compatible suffix.
+	// Any prerelease suffix in the tag must match a configured stream suffix.
+	streams := licenses_model.GetEffectiveStreams(ctx, repo.OwnerID, repo.ID)
+	lower := strings.ToLower(rel.TagName)
+	for _, s := range streams {
+		if s.Suffix == "" {
+			continue // stable stream matches everything
+		}
+		if strings.Contains(lower, s.Suffix) {
+			return nil // matches a configured stream
+		}
+	}
+
+	// If the tag has a prerelease-looking suffix but it doesn't match any stream, reject.
+	for _, indicator := range []string{"-rc", "-beta", "-alpha", "-dev"} {
+		if strings.Contains(lower, indicator) {
+			return ErrTagDoesNotMatchStream{TagName: rel.TagName}
+		}
+	}
+
+	// No prerelease suffix — this is a stable release, always allowed.
+	return nil
+}
+
 func CreateRelease(gitRepo *git.Repository, rel *repo_model.Release, attachmentUUIDs []string, msg string) error {
 	has, err := repo_model.IsReleaseExist(gitRepo.Ctx, rel.RepoID, rel.TagName)
 	if err != nil {
@@ -176,6 +235,11 @@ func CreateRelease(gitRepo *git.Repository, rel *repo_model.Release, attachmentU
 		}
 	}
 
+	// When licensing is enabled, validate that the tag matches a configured update stream.
+	if err := validateTagAgainstStreams(gitRepo.Ctx, rel); err != nil {
+		return err
+	}
+
 	if _, err = createTag(gitRepo.Ctx, gitRepo, rel, msg); err != nil {
 		return err
 	}

services/updateserver/dolibarr.go

@@ -35,7 +35,8 @@ type DolibarrUpdates struct {
 }
 
 // GenerateDolibarrJSON builds a Dolibarr-compatible update feed from releases.
-func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository) (*DolibarrUpdates, error) {
+// allowedChannels optionally restricts output to specific channels (nil = all).
+func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository, allowedChannels ...string) (*DolibarrUpdates, error) {
 	releases, err := db.Find[repo_model.Release](ctx, repo_model.FindReleasesOptions{
 		RepoID:        repo.ID,
 		ListOptions:   db.ListOptionsAll,
@@ -73,8 +74,19 @@ func GenerateDolibarrJSON(ctx context.Context, repo *repo_model.Repository) (*Do
 		}
 	}
 
+	// Build allowed channel set for filtering.
+	channelAllowed := make(map[string]bool)
+	if len(allowedChannels) > 0 {
+		for _, c := range allowedChannels {
+			channelAllowed[NormalizeChannel(c)] = true
+		}
+	}
+
 	for _, stream := range streams {
 		ch := stream.Name
+		if len(channelAllowed) > 0 && !channelAllowed[ch] {
+			continue
+		}
 		rel, ok := bestByChannel[ch]
 		if !ok {
 			continue

services/updateserver/joomla.go

@@ -10,10 +10,10 @@ import (
 	"strings"
 	"time"
 
-	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
-	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
-	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
-	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/db"
+	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/licenses"
+	repo_model "code.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
+	"code.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
 )
 
 // Joomla-compatible updates.xml structures for XML marshaling.
@@ -24,21 +24,29 @@ type xmlUpdates struct {
 }
 
 type xmlUpdate struct {
-	Name           string         `xml:"name"`
-	Description    string         `xml:"description"`
-	Element        string         `xml:"element"`
-	Type           string         `xml:"type"`
-	Client         string         `xml:"client"`
-	Version        string         `xml:"version"`
-	CreationDate   string         `xml:"creationDate"`
-	InfoURL        xmlInfoURL     `xml:"infourl"`
-	Downloads      xmlDownloads   `xml:"downloads"`
-	SHA256         string         `xml:"sha256,omitempty"`
-	Tags           xmlTags        `xml:"tags"`
-	ChangelogURL   string         `xml:"changelogurl,omitempty"`
-	Maintainer     string         `xml:"maintainer,omitempty"`
-	MaintainerURL  string         `xml:"maintainerurl,omitempty"`
-	TargetPlatform xmlTargetPlat  `xml:"targetplatform"`
+	Name           string          `xml:"name"`
+	Element        string          `xml:"element"`
+	Type           string          `xml:"type"`
+	Version        string          `xml:"version"`
+	InfoURL        xmlInfoURL      `xml:"infourl"`
+	Downloads      xmlDownloads    `xml:"downloads"`
+	Tags           xmlTags         `xml:"tags"`
+	TargetPlatform xmlTargetPlat   `xml:"targetplatform"`
+	SHA256         string          `xml:"sha256,omitempty"`
+	SHA512         string          `xml:"sha512,omitempty"`
+	Client         string          `xml:"client"`
+	PHPMinimum     string          `xml:"php_minimum,omitempty"`
+	Description    string          `xml:"description,omitempty"`
+	CreationDate   string          `xml:"creationDate,omitempty"`
+	ChangelogURL   string          `xml:"changelogurl,omitempty"`
+	Maintainer     string          `xml:"maintainer,omitempty"`
+	MaintainerURL  string          `xml:"maintainerurl,omitempty"`
+	DownloadKey    *xmlDownloadKey `xml:"downloadkey,omitempty"`
+}
+
+type xmlDownloadKey struct {
+	Prefix string `xml:"prefix,attr"`
+	Suffix string `xml:"suffix,attr"`
 }
 
 type xmlInfoURL struct {
@@ -120,7 +128,7 @@ func NormalizeChannel(ch string) string {
 // It returns the raw XML bytes. The element, maintainer, and target platform
 // are derived from the repo name and owner.
 // allowedChannels optionally restricts output to specific channels (nil = all).
-func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, allowedChannels ...string) ([]byte, error) {
+func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, requireKey bool, allowedChannels ...string) ([]byte, error) {
 	releases, err := db.Find[repo_model.Release](ctx, repo_model.FindReleasesOptions{
 		RepoID:        repo.ID,
 		ListOptions:   db.ListOptionsAll,
@@ -234,6 +242,10 @@ func GenerateJoomlaXML(ctx context.Context, repo *repo_model.Repository, allowed
 			},
 		}
 
+		if requireKey {
+			u.DownloadKey = &xmlDownloadKey{Prefix: "dlid=", Suffix: ""}
+		}
+
 		updates.Updates = append(updates.Updates, u)
 	}
 

templates/org/licenses.tmpl

@@ -7,7 +7,10 @@
 			<div class="ui info message">
 				<div class="header">{{ctx.Locale.Tr "repo.licenses.master_key_created"}}</div>
 				<p>{{ctx.Locale.Tr "repo.licenses.master_key_created_copy"}}</p>
-				<code class="tw-text-lg tw-select-all">{{.NewMasterKey}}</code>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-master-key" type="text" readonly value="{{.NewMasterKey}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-master-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
 			</div>
 		{{end}}
 
@@ -15,55 +18,64 @@
 			<div class="ui success message">
 				<div class="header">{{ctx.Locale.Tr "repo.licenses.key_created"}}</div>
 				<p>{{ctx.Locale.Tr "repo.licenses.key_created_copy"}}</p>
-				<code class="tw-text-lg tw-select-all">{{.NewKeyCreated}}</code>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-license-key" type="text" readonly value="{{.NewKeyCreated}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-license-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
 			</div>
 		{{end}}
 
-		<h4 class="ui top attached header tw-flex tw-justify-between tw-items-center">
-			<span>{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}</span>
-			{{if .IsRepoAdmin}}
-				<a class="ui small primary button" href="#new-package-form" onclick="this.parentElement.parentElement.nextElementSibling.querySelector('#new-package-form').style.display='block'; return false;">
-					{{ctx.Locale.Tr "repo.licenses.new_package"}}
-				</a>
-			{{end}}
+		<h4 class="ui top attached header">
+			{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}
 		</h4>
 		<div class="ui attached segment">
 			{{if .IsRepoAdmin}}
-				<div id="new-package-form" style="display: none;" class="tw-mb-4">
-					<form class="ui form" method="post" action="{{$.Org.HomeLink}}/-/licenses/packages">
-						{{.CsrfTokenHtml}}
-						<div class="two fields">
-							<div class="required field">
-								<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
-								<input name="name" required placeholder="Pro Annual">
+				<details class="tw-mb-4">
+					<summary class="ui primary button">{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.new_package"}}</summary>
+					<div class="tw-mt-4">
+						<form class="ui form" method="post" action="{{$.Org.HomeLink}}/-/licenses/packages">
+							{{.CsrfTokenHtml}}
+							<div class="two fields">
+								<div class="required field">
+									<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+									<input name="name" required placeholder="e.g. Pro Annual, Basic Monthly">
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+									<input name="description" placeholder="e.g. Annual pro subscription">
+								</div>
 							</div>
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
-								<input name="description" placeholder="Annual pro subscription">
+							<div class="three fields">
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+									<input name="duration_days" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+									<input name="max_sites" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+									{{if $.AvailableStreams}}
+										{{range $.AvailableStreams}}
+										<div class="ui checkbox tw-mr-4 tw-mb-2">
+											<input name="allowed_channels" type="checkbox" value="{{.Name}}">
+											<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+										</div>
+										{{end}}
+									{{end}}
+									<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+								</div>
 							</div>
-						</div>
-						<div class="three fields">
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
-								<input name="duration_days" type="number" value="0" min="0">
-							</div>
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
-								<input name="max_sites" type="number" value="0" min="0">
-							</div>
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
-								<input name="allowed_channels" placeholder="stable,release-candidate">
-							</div>
-						</div>
-						<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
-					</form>
-					<div class="divider"></div>
-				</div>
+							<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
+						</form>
+					</div>
+				</details>
 			{{end}}
-
 			{{if .LicensePackages}}
-				<table class="ui table">
+				<table class="ui compact table">
 					<thead>
 						<tr>
 							<th>{{ctx.Locale.Tr "repo.licenses.package_name"}}</th>
@@ -77,20 +89,33 @@
 					<tbody>
 						{{range .LicensePackages}}
 							<tr>
-								<td><strong>{{.Name}}</strong>{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
+								<td><strong>{{.Name}}</strong>{{if eq .Name "Master (Internal)"}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
 								<td>{{if eq .DurationDays 0}}{{ctx.Locale.Tr "repo.licenses.lifetime"}}{{else}}{{.DurationDays}} {{ctx.Locale.Tr "repo.licenses.days"}}{{end}}</td>
 								<td>{{if .AllowedChannels}}<code>{{.AllowedChannels}}</code>{{else}}{{ctx.Locale.Tr "repo.licenses.all_channels"}}{{end}}</td>
 								<td>{{.KeyCount}}</td>
 								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
 								{{if $.IsRepoAdmin}}
-									<td class="tw-text-right">
-										<form method="post" action="{{$.Org.HomeLink}}/-/licenses/keys/generate" class="tw-inline">
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										<form method="post" action="{{$.Org.HomeLink}}/-/licenses/keys/generate" class="tw-inline tw-flex tw-gap-1 tw-items-center">
 											{{$.CsrfTokenHtml}}
 											<input type="hidden" name="package_id" value="{{.ID}}">
-											<button class="ui tiny primary button" type="submit">
-												{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.generate_key"}}
+											{{if or $.IsSiteAdmin $.IsOrganizationOwner}}
+											<input type="text" name="custom_key" placeholder="{{ctx.Locale.Tr "repo.licenses.custom_key_placeholder"}}" class="tw-w-32 tw-text-xs" title="{{ctx.Locale.Tr "repo.licenses.custom_key_help"}}">
+											{{end}}
+											<button class="ui tiny primary button" type="submit" title="{{ctx.Locale.Tr "repo.licenses.generate_key"}}">
+												{{svg "octicon-plus" 14}}
 											</button>
 										</form>
+										{{if ne .Name "Master (Internal)"}}
+										<a class="ui tiny button" href="{{$.Org.HomeLink}}/-/licenses/packages/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_package"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/packages/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_package"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_package"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+										{{end}}
 									</td>
 								{{end}}
 							</tr>
@@ -111,12 +136,13 @@
 				{{svg "octicon-lock" 16}} {{ctx.Locale.Tr "repo.licenses.issued_keys"}}
 			</h4>
 			<div class="ui attached segment">
-				<table class="ui table">
+				<table class="ui compact table">
 					<thead>
 						<tr>
 							<th>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}</th>
 							<th>{{ctx.Locale.Tr "repo.licenses.licensee"}}</th>
 							<th>{{ctx.Locale.Tr "repo.licenses.expires"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.last_seen"}}</th>
 							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
 							{{if .IsRepoAdmin}}<th></th>{{end}}
 						</tr>
@@ -124,18 +150,35 @@
 					<tbody>
 						{{range .LicenseKeys}}
 							<tr>
-								<td><code>{{.KeyPrefix}}</code>{{if .IsInternal}} <span class="ui tiny orange label">Master</span>{{end}}</td>
+								<td>
+									<div class="tw-flex tw-items-center tw-gap-1">
+										<code class="js-license-key-{{.ID}}">{{if .KeyRaw}}{{.KeyRaw}}{{else}}{{.KeyPrefix}}{{end}}</code>
+										{{if .KeyRaw}}<button class="ui tiny icon button" data-clipboard-target=".js-license-key-{{.ID}}" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 12}}</button>{{end}}
+										{{if .IsInternal}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}
+									</div>
+								</td>
 								<td>{{.LicenseeName}}{{if .LicenseeEmail}} <small>({{.LicenseeEmail}})</small>{{end}}</td>
-								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.TimeSince .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .LastHeartbeatUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .LastHeartbeatUnix}}{{end}}</td>
 								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
 								{{if $.IsRepoAdmin}}
-									<td class="tw-text-right">
-										<form method="post" action="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/revoke" class="tw-inline">
-											{{$.CsrfTokenHtml}}
-											<button class="ui tiny red button" type="submit">
-												{{svg "octicon-x" 14}}
-											</button>
-										</form>
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										{{if not .IsInternal}}
+										<a class="ui tiny button" href="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_key"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										<button class="ui tiny green button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/renew" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_renew_key"}}" title="{{ctx.Locale.Tr "repo.licenses.renew"}}">
+											{{svg "octicon-sync" 14}}
+										</button>
+										{{end}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/revoke" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_revoke_key"}}" title="{{ctx.Locale.Tr "repo.licenses.revoke"}}">
+											{{svg "octicon-x" 14}}
+										</button>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.Org.HomeLink}}/-/licenses/keys/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_key"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_key"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
 									</td>
 								{{end}}
 							</tr>

templates/org/licenses_edit_package.tmpl

@@ -0,0 +1,60 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content organization">
+	{{template "org/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_package"}}
+		</h4>
+		<div class="ui attached segment">
+			<form class="ui form" method="post" action="{{$.Org.HomeLink}}/-/licenses/packages/{{.Package.ID}}/edit">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="required field">
+						<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+						<input name="name" required value="{{.Package.Name}}">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+						<input name="description" value="{{.Package.Description}}">
+					</div>
+				</div>
+				<div class="three fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+						<input name="duration_days" type="number" value="{{.Package.DurationDays}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Package.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+						{{if .AvailableStreams}}
+							{{range .AvailableStreams}}
+							<div class="ui checkbox tw-mr-4 tw-mb-2">
+								<input name="allowed_channels" type="checkbox" value="{{.Name}}" {{if SliceUtils.Contains $.SelectedChannels .Name}}checked{{end}}>
+								<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+							</div>
+							{{end}}
+						{{end}}
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Package.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_package"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{$.Org.HomeLink}}/-/licenses">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}

templates/org/menu.tmpl

@@ -25,9 +25,12 @@
 				{{svg "octicon-package"}} {{ctx.Locale.Tr "packages.title"}}
 			</a>
 			{{end}}
-			{{if .IsOrganizationMember}}
+			{{if and .IsOrganizationMember (or .OrgLicensingEnabled .IsLicensesPage)}}
 			<a class="{{if .IsLicensesPage}}active {{end}}item" href="{{$.Org.HomeLink}}/-/licenses">
 				{{svg "octicon-key"}} {{ctx.Locale.Tr "repo.licenses"}}
+				{{if .NumOrgLicensePackages}}
+					<div class="ui small label">{{.NumOrgLicensePackages}}</div>
+				{{end}}
 			</a>
 			{{end}}
 			{{if and .IsRepoIndexerEnabled .CanReadCode}}

templates/org/settings/navbar.tmpl

@@ -25,6 +25,9 @@
 			{{ctx.Locale.Tr "packages.title"}}
 		</a>
 		{{end}}
+		<a class="{{if .PageIsSettingsUpdateStreams}}active {{end}}item" href="{{.OrgLink}}/settings/update-streams">
+			{{svg "octicon-key"}} {{ctx.Locale.Tr "org.settings.update_streams"}}
+		</a>
 		{{if .EnableActions}}
 		<details class="item toggleable-item" {{if or .PageIsOrgSettingsActionsGeneral .PageIsSharedSettingsRunners .PageIsSharedSettingsSecrets .PageIsSharedSettingsVariables}}open{{end}}>
 			<summary>{{ctx.Locale.Tr "actions.actions"}}</summary>

templates/org/settings/update_streams.tmpl

@@ -0,0 +1,87 @@
+{{template "org/settings/layout_head" (dict "pageClass" "organization settings")}}
+<div class="org-setting-content">
+
+	{{/* ── Section 1: Licensing ── */}}
+	<h4 class="ui top attached header">
+		{{svg "octicon-key" 16}} {{ctx.Locale.Tr "org.settings.licensing"}}
+	</h4>
+	<div class="ui attached segment">
+		<form class="ui form" method="post" action="{{.OrgLink}}/settings/update-streams">
+			{{.CsrfTokenHtml}}
+
+			<p>{{ctx.Locale.Tr "org.settings.licensing_desc"}}</p>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input name="licensing_enabled" type="checkbox" {{if .StreamConfig.LicensingEnabled}}checked{{end}}>
+					<label><strong>{{ctx.Locale.Tr "org.settings.enable_licensing"}}</strong></label>
+				</div>
+				<p class="help">{{ctx.Locale.Tr "org.settings.enable_licensing_help"}}</p>
+			</div>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input name="require_key" type="checkbox" {{if .StreamConfig.RequireKey}}checked{{end}}>
+					<label><strong>{{ctx.Locale.Tr "org.settings.require_key"}}</strong></label>
+				</div>
+				<p class="help">{{ctx.Locale.Tr "org.settings.require_key_help"}}</p>
+			</div>
+
+			<div class="ui divider"></div>
+
+			{{/* ── Section 2: Update Streams ── */}}
+			<h5>{{svg "octicon-rss" 14}} {{ctx.Locale.Tr "org.settings.update_streams_heading"}}</h5>
+			<p>{{ctx.Locale.Tr "org.settings.update_streams_desc"}}</p>
+
+			<div class="grouped fields">
+				<label>{{ctx.Locale.Tr "org.settings.stream_mode"}}</label>
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input name="stream_mode" type="radio" value="joomla" {{if or (eq .StreamConfig.StreamMode "") (eq .StreamConfig.StreamMode "joomla")}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "org.settings.stream_mode_joomla"}}</label>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui radio checkbox">
+						<input name="stream_mode" type="radio" value="custom" {{if eq .StreamConfig.StreamMode "custom"}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "org.settings.stream_mode_custom"}}</label>
+					</div>
+				</div>
+			</div>
+
+			<div class="field">
+				<label>{{ctx.Locale.Tr "org.settings.default_streams"}}</label>
+				<table class="ui small compact table">
+					<thead>
+						<tr>
+							<th>{{ctx.Locale.Tr "org.settings.stream_name"}}</th>
+							<th>{{ctx.Locale.Tr "org.settings.stream_suffix"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.description"}}</th>
+						</tr>
+					</thead>
+					<tbody>
+						{{range .EffectiveStreams}}
+							<tr>
+								<td><code>{{.Name}}</code></td>
+								<td>{{if .Suffix}}<code>{{.Suffix}}</code>{{else}}<span class="text grey">{{ctx.Locale.Tr "org.settings.no_suffix"}}</span>{{end}}</td>
+								<td>{{.Description}}</td>
+							</tr>
+						{{end}}
+					</tbody>
+				</table>
+				<p class="help">{{ctx.Locale.Tr "org.settings.streams_tag_help"}}</p>
+			</div>
+
+			<div class="field">
+				<label>{{ctx.Locale.Tr "org.settings.custom_streams"}}</label>
+				<textarea name="custom_streams" rows="6" placeholder='[{"name":"lts","suffix":"-lts","description":"Long-term support"}]'>{{.StreamConfig.CustomStreams}}</textarea>
+				<p class="help">{{ctx.Locale.Tr "org.settings.custom_streams_help"}}</p>
+			</div>
+
+			<div class="field">
+				<button class="ui primary button">{{ctx.Locale.Tr "save"}}</button>
+			</div>
+		</form>
+	</div>
+</div>
+{{template "org/settings/layout_footer" .}}

templates/org/team/sidebar.tmpl

@@ -47,7 +47,7 @@
 					<h3>{{ctx.Locale.Tr "org.settings.permission"}}</h3>
 					{{ctx.Locale.Tr "org.teams.write_permission_desc"}}
 				{{else if (eq .Team.AccessMode 3)}}
-					{{/* FIXME: here might not right, see "FIXME: TEAM-UNIT-PERMISSION", new units might not have correct admin permission*/}}
+					{{/* Admin teams implicitly have admin access to all units (including newly added ones) */}}
 					<h3>{{ctx.Locale.Tr "org.settings.permission"}}</h3>
 					{{ctx.Locale.Tr "org.teams.admin_permission_desc"}}
 				{{else}}

templates/repo/licenses.tmpl

@@ -7,7 +7,10 @@
 			<div class="ui info message">
 				<div class="header">{{ctx.Locale.Tr "repo.licenses.master_key_created"}}</div>
 				<p>{{ctx.Locale.Tr "repo.licenses.master_key_created_copy"}}</p>
-				<code class="tw-text-lg tw-select-all">{{.NewMasterKey}}</code>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-master-key" type="text" readonly value="{{.NewMasterKey}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-master-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
 			</div>
 		{{end}}
 
@@ -15,57 +18,20 @@
 			<div class="ui success message">
 				<div class="header">{{ctx.Locale.Tr "repo.licenses.key_created"}}</div>
 				<p>{{ctx.Locale.Tr "repo.licenses.key_created_copy"}}</p>
-				<code class="tw-text-lg tw-select-all">{{.NewKeyCreated}}</code>
+				<div class="ui action input tw-w-full tw-mt-2">
+					<input class="js-new-license-key" type="text" readonly value="{{.NewKeyCreated}}" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-new-license-key" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
+				</div>
 			</div>
 		{{end}}
 
 		{{/* ── License Packages ── */}}
-		<h4 class="ui top attached header tw-flex tw-justify-between tw-items-center">
-			<span>{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}</span>
-			{{if .IsRepoAdmin}}
-				<a class="ui small primary button" href="#new-package-form" onclick="document.getElementById('new-package-form').style.display=document.getElementById('new-package-form').style.display==='none'?'block':'none'; return false;">
-					{{ctx.Locale.Tr "repo.licenses.new_package"}}
-				</a>
-			{{end}}
+		<h4 class="ui top attached header">
+			{{svg "octicon-key" 16}} {{ctx.Locale.Tr "repo.licenses.packages"}}
 		</h4>
 		<div class="ui attached segment">
-			{{if .IsRepoAdmin}}
-				<div id="new-package-form" style="display: none;" class="tw-mb-4">
-					<form class="ui form" method="post" action="{{.RepoLink}}/licenses/packages">
-						{{.CsrfTokenHtml}}
-						<div class="two fields">
-							<div class="required field">
-								<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
-								<input name="name" required placeholder="Pro Annual">
-							</div>
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
-								<input name="description" placeholder="Annual pro subscription">
-							</div>
-						</div>
-						<div class="three fields">
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
-								<input name="duration_days" type="number" value="0" min="0" placeholder="0 = lifetime">
-							</div>
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
-								<input name="max_sites" type="number" value="0" min="0" placeholder="0 = unlimited">
-							</div>
-							<div class="field">
-								<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
-								<input name="allowed_channels" placeholder='stable,release-candidate'>
-								<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
-							</div>
-						</div>
-						<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
-					</form>
-					<div class="divider"></div>
-				</div>
-			{{end}}
-
 			{{if .LicensePackages}}
-				<table class="ui table">
+				<table class="ui compact table">
 					<thead>
 						<tr>
 							<th>{{ctx.Locale.Tr "repo.licenses.package_name"}}</th>
@@ -79,20 +45,33 @@
 					<tbody>
 						{{range .LicensePackages}}
 							<tr>
-								<td><strong>{{.Name}}</strong>{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
+								<td><strong>{{.Name}}</strong>{{if eq .Name "Master (Internal)"}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}{{if .Description}}<br><small class="text grey">{{.Description}}</small>{{end}}</td>
 								<td>{{if eq .DurationDays 0}}{{ctx.Locale.Tr "repo.licenses.lifetime"}}{{else}}{{.DurationDays}} {{ctx.Locale.Tr "repo.licenses.days"}}{{end}}</td>
 								<td>{{if .AllowedChannels}}<code>{{.AllowedChannels}}</code>{{else}}{{ctx.Locale.Tr "repo.licenses.all_channels"}}{{end}}</td>
 								<td>{{.KeyCount}}</td>
 								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
 								{{if $.IsRepoAdmin}}
-									<td class="tw-text-right">
-										<form method="post" action="{{$.RepoLink}}/licenses/keys/generate" class="tw-inline">
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										<form method="post" action="{{$.RepoLink}}/licenses/keys/generate" class="tw-inline tw-flex tw-gap-1 tw-items-center">
 											{{$.CsrfTokenHtml}}
 											<input type="hidden" name="package_id" value="{{.ID}}">
+											{{if $.IsSiteAdmin}}
+											<input type="text" name="custom_key" placeholder="{{ctx.Locale.Tr "repo.licenses.custom_key_placeholder"}}" class="tw-w-32 tw-text-xs" title="{{ctx.Locale.Tr "repo.licenses.custom_key_help"}}">
+											{{end}}
 											<button class="ui tiny primary button" type="submit" title="{{ctx.Locale.Tr "repo.licenses.generate_key"}}">
-												{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.generate_key"}}
+												{{svg "octicon-plus" 14}}
 											</button>
 										</form>
+										{{if ne .Name "Master (Internal)"}}
+										<a class="ui tiny button" href="{{$.RepoLink}}/licenses/packages/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_package"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/packages/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_package"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_package"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
+										{{end}}
 									</td>
 								{{end}}
 							</tr>
@@ -108,18 +87,68 @@
 			{{end}}
 		</div>
 
+		{{/* ── Create New License Package ── */}}
+		{{if .IsRepoAdmin}}
+			<div class="tw-mt-4">
+				<details>
+					<summary class="ui primary button">{{svg "octicon-plus" 14}} {{ctx.Locale.Tr "repo.licenses.new_package"}}</summary>
+					<div class="ui segment tw-mt-2">
+						<form class="ui form" method="post" action="{{.RepoLink}}/licenses/packages">
+							{{.CsrfTokenHtml}}
+							<div class="two fields">
+								<div class="required field">
+									<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+									<input name="name" required placeholder="e.g. Pro Annual, Basic Monthly">
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+									<input name="description" placeholder="e.g. Annual pro subscription with all channels">
+								</div>
+							</div>
+							<div class="three fields">
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+									<input name="duration_days" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+									<input name="max_sites" type="number" value="0" min="0">
+									<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+								</div>
+								<div class="field">
+									<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+									{{if .AvailableStreams}}
+										{{range .AvailableStreams}}
+										<div class="ui checkbox tw-mr-4 tw-mb-2">
+											<input name="allowed_channels" type="checkbox" value="{{.Name}}">
+											<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+										</div>
+										{{end}}
+									{{end}}
+									<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+								</div>
+							</div>
+							<button class="ui primary button" type="submit">{{ctx.Locale.Tr "repo.licenses.create_package"}}</button>
+						</form>
+					</div>
+				</details>
+			</div>
+		{{end}}
+
 		{{/* ── Issued Keys ── */}}
 		{{if .LicenseKeys}}
 			<h4 class="ui top attached header tw-mt-4">
 				{{svg "octicon-lock" 16}} {{ctx.Locale.Tr "repo.licenses.issued_keys"}}
 			</h4>
 			<div class="ui attached segment">
-				<table class="ui table">
+				<table class="ui compact table">
 					<thead>
 						<tr>
 							<th>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}</th>
 							<th>{{ctx.Locale.Tr "repo.licenses.licensee"}}</th>
 							<th>{{ctx.Locale.Tr "repo.licenses.expires"}}</th>
+							<th>{{ctx.Locale.Tr "repo.licenses.last_seen"}}</th>
 							<th>{{ctx.Locale.Tr "repo.licenses.status"}}</th>
 							{{if .IsRepoAdmin}}<th></th>{{end}}
 						</tr>
@@ -127,18 +156,35 @@
 					<tbody>
 						{{range .LicenseKeys}}
 							<tr>
-								<td><code>{{.KeyPrefix}}</code></td>
+								<td>
+									<div class="tw-flex tw-items-center tw-gap-1">
+										<code class="js-license-key-{{.ID}}">{{if .KeyRaw}}{{.KeyRaw}}{{else}}{{.KeyPrefix}}{{end}}</code>
+										{{if .KeyRaw}}<button class="ui tiny icon button" data-clipboard-target=".js-license-key-{{.ID}}" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 12}}</button>{{end}}
+										{{if .IsInternal}} <span class="ui tiny orange label">{{ctx.Locale.Tr "repo.licenses.master_label"}}</span>{{end}}
+									</div>
+								</td>
 								<td>{{.LicenseeName}}{{if .LicenseeEmail}} <small>({{.LicenseeEmail}})</small>{{end}}</td>
-								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.TimeSince .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .ExpiresUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .ExpiresUnix}}{{end}}</td>
+								<td>{{if eq .LastHeartbeatUnix 0}}{{ctx.Locale.Tr "repo.licenses.never"}}{{else}}{{DateUtils.AbsoluteShort .LastHeartbeatUnix}}{{end}}</td>
 								<td>{{if .IsActive}}<span class="ui green label">{{ctx.Locale.Tr "repo.licenses.active"}}</span>{{else}}<span class="ui grey label">{{ctx.Locale.Tr "repo.licenses.inactive"}}</span>{{end}}</td>
 								{{if $.IsRepoAdmin}}
-									<td class="tw-text-right">
-										<form method="post" action="{{$.RepoLink}}/licenses/keys/{{.ID}}/revoke" class="tw-inline">
-											{{$.CsrfTokenHtml}}
-											<button class="ui tiny red button" type="submit" title="{{ctx.Locale.Tr "repo.licenses.revoke"}}">
-												{{svg "octicon-x" 14}}
-											</button>
-										</form>
+									<td class="tw-text-right tw-flex tw-gap-1 tw-justify-end">
+										{{if not .IsInternal}}
+										<a class="ui tiny button" href="{{$.RepoLink}}/licenses/keys/{{.ID}}/edit" title="{{ctx.Locale.Tr "repo.licenses.edit_key"}}">
+											{{svg "octicon-pencil" 14}}
+										</a>
+										<button class="ui tiny green button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/renew" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_renew_key"}}" title="{{ctx.Locale.Tr "repo.licenses.renew"}}">
+											{{svg "octicon-sync" 14}}
+										</button>
+										{{end}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/revoke" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_revoke_key"}}" title="{{ctx.Locale.Tr "repo.licenses.revoke"}}">
+											{{svg "octicon-x" 14}}
+										</button>
+										{{if $.IsSiteAdmin}}
+										<button class="ui tiny red button link-action" data-url="{{$.RepoLink}}/licenses/keys/{{.ID}}/delete" data-modal-confirm="{{ctx.Locale.Tr "repo.licenses.confirm_delete_key"}}" title="{{ctx.Locale.Tr "repo.licenses.delete_key"}}">
+											{{svg "octicon-trash" 14}}
+										</button>
+										{{end}}
 									</td>
 								{{end}}
 							</tr>
@@ -148,26 +194,32 @@
 			</div>
 		{{end}}
 
-		{{/* ── Update Feed Info ── */}}
+		{{/* ── Update Feed URLs ── */}}
+		{{if .LicensingEnabled}}
 		<h4 class="ui top attached header tw-mt-4">
 			{{svg "octicon-rss" 16}} {{ctx.Locale.Tr "repo.licenses.update_feeds"}}
 		</h4>
 		<div class="ui attached segment">
+			{{if or (eq .RepoUpdatePlatform "joomla") (eq .RepoUpdatePlatform "both") (eq .RepoUpdatePlatform "")}}
 			<div class="field">
-				<label>Joomla updates.xml</label>
+				<label>{{ctx.Locale.Tr "repo.licenses.feed_joomla_updates"}}</label>
 				<div class="ui action input tw-w-full">
-					<input type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates.xml" onclick="this.select()">
-					<button class="ui button" onclick="navigator.clipboard.writeText(this.previousElementSibling.value)">{{svg "octicon-copy" 14}}</button>
+					<input class="js-feed-url-joomla" type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates.xml" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-feed-url-joomla" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
 				</div>
 			</div>
+			{{end}}
+			{{if or (eq .RepoUpdatePlatform "dolibarr") (eq .RepoUpdatePlatform "both")}}
 			<div class="field tw-mt-2">
-				<label>Dolibarr JSON</label>
+				<label>{{ctx.Locale.Tr "repo.licenses.feed_dolibarr_updates"}}</label>
 				<div class="ui action input tw-w-full">
-					<input type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates/dolibarr.json" onclick="this.select()">
-					<button class="ui button" onclick="navigator.clipboard.writeText(this.previousElementSibling.value)">{{svg "octicon-copy" 14}}</button>
+					<input class="js-feed-url-dolibarr" type="text" readonly value="{{.Repository.HTMLURL ctx}}/updates/dolibarr.json" onclick="this.select()">
+					<button class="ui button" data-clipboard-target=".js-feed-url-dolibarr" data-tooltip-content="{{ctx.Locale.Tr "copy_url"}}">{{svg "octicon-copy" 14}}</button>
 				</div>
 			</div>
+			{{end}}
 		</div>
+		{{end}}
 	</div>
 </div>
 {{template "base/footer" .}}

templates/repo/licenses_edit_key.tmpl

@@ -0,0 +1,56 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
+	{{template "repo/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_key"}}
+		</h4>
+		<div class="ui attached segment">
+			<div class="tw-mb-4">
+				<strong>{{ctx.Locale.Tr "repo.licenses.key_prefix"}}:</strong> <code>{{.Key.KeyPrefix}}</code>
+			</div>
+			<form class="ui form" method="post" action="{{.FormAction}}">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.licensee_name"}}</label>
+						<input name="licensee_name" value="{{.Key.LicenseeName}}" placeholder="Customer name">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.licensee_email"}}</label>
+						<input name="licensee_email" type="email" value="{{.Key.LicenseeEmail}}" placeholder="customer@example.com">
+					</div>
+				</div>
+				<div class="two fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.domain_restriction"}}</label>
+						<input name="domain_restriction" value="{{.Key.DomainRestriction}}" placeholder="example.com,example.org">
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.domain_restriction_help"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Key.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.use_package_default"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<label>{{ctx.Locale.Tr "repo.licenses.expires_at"}}</label>
+					<input name="expires_at" type="date" value="{{.ExpiresDate}}">
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.expires_at_help"}}</p>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Key.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_key"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{.BackLink}}">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}

templates/repo/licenses_edit_package.tmpl

@@ -0,0 +1,60 @@
+{{template "base/head" .}}
+<div role="main" aria-label="{{.Title}}" class="page-content repository">
+	{{template "repo/header" .}}
+	<div class="ui container">
+		<h4 class="ui top attached header">
+			{{svg "octicon-pencil" 16}} {{ctx.Locale.Tr "repo.licenses.edit_package"}}
+		</h4>
+		<div class="ui attached segment">
+			<form class="ui form" method="post" action="{{.RepoLink}}/licenses/packages/{{.Package.ID}}/edit">
+				{{.CsrfTokenHtml}}
+				<div class="two fields">
+					<div class="required field">
+						<label>{{ctx.Locale.Tr "repo.licenses.package_name"}}</label>
+						<input name="name" required value="{{.Package.Name}}">
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.description"}}</label>
+						<input name="description" value="{{.Package.Description}}">
+					</div>
+				</div>
+				<div class="three fields">
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.duration"}} ({{ctx.Locale.Tr "repo.licenses.days"}})</label>
+						<input name="duration_days" type="number" value="{{.Package.DurationDays}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.lifetime"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.max_sites"}}</label>
+						<input name="max_sites" type="number" value="{{.Package.MaxSites}}" min="0">
+						<p class="help">0 = {{ctx.Locale.Tr "repo.licenses.unlimited"}}</p>
+					</div>
+					<div class="field">
+						<label>{{ctx.Locale.Tr "repo.licenses.channels"}}</label>
+						{{if .AvailableStreams}}
+							{{range .AvailableStreams}}
+							<div class="ui checkbox tw-mr-4 tw-mb-2">
+								<input name="allowed_channels" type="checkbox" value="{{.Name}}" {{if SliceUtils.Contains $.SelectedChannels .Name}}checked{{end}}>
+								<label>{{.Name}}{{if .Description}} <small class="text grey">({{.Description}})</small>{{end}}</label>
+							</div>
+							{{end}}
+						{{end}}
+						<p class="help">{{ctx.Locale.Tr "repo.licenses.channels_help"}}</p>
+					</div>
+				</div>
+				<div class="field">
+					<div class="ui checkbox">
+						<input name="is_active" type="checkbox" {{if .Package.IsActive}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.licenses.active"}}</label>
+					</div>
+					<p class="help">{{ctx.Locale.Tr "repo.licenses.active_help_package"}}</p>
+				</div>
+				<div class="field tw-mt-4">
+					<button class="ui primary button" type="submit">{{ctx.Locale.Tr "save"}}</button>
+					<a class="ui button" href="{{.RepoLink}}/licenses">{{ctx.Locale.Tr "cancel"}}</a>
+				</div>
+			</form>
+		</div>
+	</div>
+</div>
+{{template "base/footer" .}}

templates/repo/release_tag_header.tmpl

@@ -16,10 +16,17 @@
 				{{svg "octicon-rss" 16}} {{ctx.Locale.Tr "rss_feed"}}
 			</a>
 		{{end}}
-		{{if not .PageIsTagList}}
-			<a class="ui small button" href="{{.RepoLink}}/updates.xml" target="_blank">
-				{{svg "octicon-download" 16}} {{ctx.Locale.Tr "repo.release.update_feed"}}
-			</a>
+		{{if and (not .PageIsTagList) .LicensingEnabled}}
+			{{if or (eq .RepoUpdatePlatform "joomla") (eq .RepoUpdatePlatform "both") (eq .RepoUpdatePlatform "")}}
+				<a class="ui small button" href="{{.RepoLink}}/updates.xml" target="_blank">
+					{{svg "octicon-download" 16}} {{ctx.Locale.Tr "repo.licenses.feed_joomla_xml"}}
+				</a>
+			{{end}}
+			{{if or (eq .RepoUpdatePlatform "dolibarr") (eq .RepoUpdatePlatform "both")}}
+				<a class="ui small button" href="{{.RepoLink}}/updates/dolibarr.json" target="_blank">
+					{{svg "octicon-download" 16}} {{ctx.Locale.Tr "repo.licenses.feed_dolibarr_json"}}
+				</a>
+			{{end}}
 		{{end}}
 		{{if and (not .PageIsTagList) .CanCreateRelease}}
 			<a class="ui small primary button" href="{{$.RepoLink}}/releases/new{{if .PageIsSingleTag}}?tag={{.SingleReleaseTagName}}{{end}}">

templates/repo/settings/collaboration.tmpl

@@ -62,7 +62,7 @@
 									{{.Name}}
 								</a>
 								<div class="item-body flex-text-block">
-									{{/*FIXME: TEAM-UNIT-PERMISSION this display is not right, search the fixme keyword to see more details */}}
+									{{/* Team access mode: 0=per-unit, 1=read, 2=write, 3=admin (all units), 4=owner */}}
 									{{svg "octicon-shield-lock"}}
 									{{if eq .AccessMode 0}}
 										{{ctx.Locale.Tr "repo.settings.collaboration.per_unit"}}

templates/repo/settings/options.tmpl

@@ -516,6 +516,36 @@
 					</div>
 				</div>
 
+				<div class="divider"></div>
+
+				{{/* ── Licensing & Update Feeds ── */}}
+				<div class="inline field">
+					<label>{{ctx.Locale.Tr "repo.settings.licensing_section"}}</label>
+					<div class="ui checkbox">
+						<input class="enable-system" name="enable_licensing" type="checkbox" data-target="#licensing_options_box" {{if and .RepoUpdateConfig .RepoUpdateConfig.LicensingEnabled}}checked{{end}}>
+						<label>{{ctx.Locale.Tr "repo.settings.enable_licensing"}}</label>
+					</div>
+				</div>
+				<div class="field tw-pl-4{{if not (and .RepoUpdateConfig .RepoUpdateConfig.LicensingEnabled)}} disabled{{end}}" id="licensing_options_box">
+					<p class="help tw-mb-4">{{ctx.Locale.Tr "repo.settings.licensing_section_desc"}}</p>
+					<div class="inline field">
+						<label>{{ctx.Locale.Tr "repo.settings.update_platform"}}</label>
+						<select name="update_platform" class="ui dropdown">
+							<option value="joomla" {{if or (not .RepoUpdateConfig) (eq .RepoUpdateConfig.Platform "joomla") (eq .RepoUpdateConfig.Platform "")}}selected{{end}}>Joomla (updates.xml)</option>
+							<option value="dolibarr" {{if and .RepoUpdateConfig (eq .RepoUpdateConfig.Platform "dolibarr")}}selected{{end}}>Dolibarr (JSON)</option>
+							<option value="both" {{if and .RepoUpdateConfig (eq .RepoUpdateConfig.Platform "both")}}selected{{end}}>{{ctx.Locale.Tr "repo.settings.update_platform_both"}}</option>
+						</select>
+						<p class="help">{{ctx.Locale.Tr "repo.settings.update_platform_help"}}</p>
+					</div>
+					<div class="inline field">
+						<div class="ui checkbox">
+							<input name="require_update_key" type="checkbox" {{if and .RepoUpdateConfig .RepoUpdateConfig.RequireKey}}checked{{end}}>
+							<label>{{ctx.Locale.Tr "repo.settings.require_update_key"}}</label>
+						</div>
+						<p class="help">{{ctx.Locale.Tr "repo.settings.require_update_key_help"}}</p>
+					</div>
+				</div>
+
 				{{$isPackagesEnabled := .Repository.UnitEnabled ctx ctx.Consts.RepoUnitTypePackages}}
 				{{$isPackagesGlobalDisabled := ctx.Consts.RepoUnitTypePackages.UnitGlobalDisabled}}
 				<div class="inline field">

updates.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
  SPDX-License-Identifier: GPL-3.0-or-later
- VERSION: 05.13.00
+ VERSION: 05.14.00
  -->
 
 <updates>
@@ -13,13 +13,13 @@
     <client>site</client>
     <version>05.05.00-dev</version>
     <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/development</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/development</infourl>
     <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/development/mokogitea-05.05.00-dev.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/development/mokogitea-05.05.00-dev.zip</downloadurl>
     </downloads>
     <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
     <tags><tag>dev</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
     <maintainer>Moko Consulting</maintainer>
     <maintainerurl>https://mokoconsulting.tech</maintainerurl>
     <targetplatform name="go" version=".*"/>
@@ -32,13 +32,13 @@
     <client>site</client>
     <version>05.05.00-alpha</version>
     <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/alpha</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/alpha</infourl>
     <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/alpha/mokogitea-05.05.00-alpha.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/alpha/mokogitea-05.05.00-alpha.zip</downloadurl>
     </downloads>
     <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
     <tags><tag>alpha</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
     <maintainer>Moko Consulting</maintainer>
     <maintainerurl>https://mokoconsulting.tech</maintainerurl>
     <targetplatform name="go" version=".*"/>
@@ -51,13 +51,13 @@
     <client>site</client>
     <version>05.05.00-beta</version>
     <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/beta</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/beta</infourl>
     <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/beta/mokogitea-05.05.00-beta.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/beta/mokogitea-05.05.00-beta.zip</downloadurl>
     </downloads>
     <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
     <tags><tag>beta</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
     <maintainer>Moko Consulting</maintainer>
     <maintainerurl>https://mokoconsulting.tech</maintainerurl>
     <targetplatform name="go" version=".*"/>
@@ -70,13 +70,13 @@
     <client>site</client>
     <version>05.05.00-rc</version>
     <creationDate>2026-05-30</creationDate>
-    <infourl title="MokoGitea">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/release-candidate</infourl>
+    <infourl title="MokoGitea">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/release-candidate</infourl>
     <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/release-candidate/mokogitea-05.05.00-rc.zip</downloadurl>
+      <downloadurl type="full" format="zip">https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/release-candidate/mokogitea-05.05.00-rc.zip</downloadurl>
     </downloads>
     <sha256>4fee9eb03e4b819a63bce2ceb54fdce0d3eb8bf5b31460fcc42e5ecd75cc856e</sha256>
     <tags><tag>rc</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
     <maintainer>Moko Consulting</maintainer>
     <maintainerurl>https://mokoconsulting.tech</maintainerurl>
     <targetplatform name="go" version=".*"/>
@@ -87,15 +87,15 @@
     <element>mokogitea</element>
     <type>application</type>
     <client>site</client>
-    <version>05.13.00</version>
+    <version>05.14.00</version>
     <creationDate>2026-05-31</creationDate>
-    <infourl title='MokoGitea'>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable</infourl>
+    <infourl title='MokoGitea'>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/tag/stable</infourl>
     <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.13.00.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/releases/download/stable/mokogitea-05.14.00.zip</downloadurl>
     </downloads>
-    <sha256>b8d32fb99a0fde25ea0860b55ac5f3dfb8a15576863d9ddb80e67c5895722dcd</sha256>
+    <sha256>bec4bf5a1a841f8e72d9826451004db5d8afc70144231dfedc7fb01a6695955c</sha256>
     <tags><tag>stable</tag></tags>
-    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
+    <changelogurl>https://code.mokoconsulting.tech/MokoConsulting/MokoGitea/raw/branch/main/CHANGELOG.md</changelogurl>
     <maintainer>Moko Consulting</maintainer>
     <maintainerurl>https://mokoconsulting.tech</maintainerurl>
     <targetplatform name="go" version=".*" />