chore(ci): add update-server.yml universal workflow [skip ci]

Allow C++, .NET, version numbers (2.0.1) in wiki filenames.
Clean up isolated plus signs that appear between hyphens.

Examples:
- C++ vs C# -> C++-vs-C.md
- .NET Guide -> .NET-Guide.md
- version 2.0.1 -> version-2.0.1-release.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.mokogitea/workflows/auto-release.yml

@@ -26,12 +26,10 @@
 name: "Universal: Build & Release"
 
 on:
-  push:
+  pull_request:
+    types: [opened, closed]
     branches:
       - main
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
   workflow_dispatch:
 
 env:
@@ -44,10 +42,65 @@ permissions:
   contents: write
 
 jobs:
+  # ── Draft PR → Promote highest pre-release to RC ─────────────────────────────
+  promote-rc:
+    name: Promote Pre-Release to RC
+    runs-on: release
+    if: >-
+      github.event.action == 'opened' &&
+      github.event.pull_request.draft == true
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.GA_TOKEN }}
+          fetch-depth: 1
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api
+          cd /tmp/moko-platform-api
+          composer install --no-dev --no-interaction --quiet
+
+      - name: Promote to release-candidate
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/release_promote.php \
+            --from auto --to release-candidate \
+            --token "${{ secrets.GA_TOKEN }}" \
+            --api-base "${API_BASE}" \
+            --branch "${{ github.event.pull_request.head.ref }}"
+
+      - name: Cascade lesser channels
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/release_cascade.php \
+            --stability release-candidate \
+            --token "${{ secrets.GA_TOKEN }}" \
+            --api-base "${API_BASE}"
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
+          echo "Draft PR opened — promoted highest pre-release to RC" >> $GITHUB_STEP_SUMMARY
+
+  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
   release:
     name: Build & Release Pipeline
     runs-on: release
-    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
+    if: >-
+      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
 
     steps:
       - name: Checkout repository
@@ -94,13 +147,34 @@ jobs:
           fi
           MAJOR=$(echo "$VERSION" | cut -d. -f1)
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "release_tag=v${MAJOR}" >> "$GITHUB_OUTPUT"
+          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
           echo "skip=false" >> "$GITHUB_OUTPUT"
-          echo "branch=version/${MAJOR}" >> "$GITHUB_OUTPUT"
+          echo "branch=main" >> "$GITHUB_OUTPUT"
+
+      # -- CHECK FOR RC PROMOTION ------------------------------------------------
+      - name: "Check for RC release"
+        id: rc
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          RC_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/release-candidate" 2>/dev/null || echo "{}")
+          RC_ID=$(echo "$RC_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$RC_ID" ] && [ "$RC_ID" != "None" ] && [ "$RC_ID" != "" ]; then
+            echo "promote=true" >> "$GITHUB_OUTPUT"
+            echo "release_id=${RC_ID}" >> "$GITHUB_OUTPUT"
+            echo "::notice::RC release found (id: ${RC_ID}) — will promote to stable"
+          else
+            echo "promote=false" >> "$GITHUB_OUTPUT"
+            echo "::notice::No RC release — full build pipeline"
+          fi
 
       - name: "Step 1b: Bump version"
         id: bump
-        if: steps.version.outputs.skip != 'true'
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.rc.outputs.promote != 'true'
         run: |
           MOKO_API="/tmp/moko-platform-api/cli"
           BUMP=$(php ${MOKO_API}/version_bump.php --path . --minor)
@@ -261,6 +335,7 @@ jobs:
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
+          php /tmp/moko-platform-api/cli/version_check.php --path . --fix 2>/dev/null || true
 
       - name: "Step 5: Write update stream"
         if: >-
@@ -268,6 +343,15 @@ jobs:
           steps.platform.outputs.platform == 'joomla'
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+
+          # Fetch latest updates.xml from main so preserve logic has all channels
+          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          curl -sf -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
+            python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
+            > updates.xml 2>/dev/null || true
+
           php /tmp/moko-platform-api/cli/updates_xml_build.php \
             --path . --version "${VERSION}" --stability stable \
             --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
@@ -295,9 +379,7 @@ jobs:
       # -- STEP 6: Create tag ---------------------------------------------------
       - name: "Step 6: Create git tag"
         if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.tag_exists != 'true' &&
-          steps.version.outputs.is_minor == 'true'
+          steps.version.outputs.skip != 'true'
         run: |
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
           # Only create the major release tag if it doesn't exist yet
@@ -310,10 +392,26 @@ jobs:
           fi
           echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
 
-      # -- STEP 7: Create or update Gitea Release --------------------------------
-      - name: "Step 7: Gitea Release"
+      # -- STEP 7a: Promote RC to stable (skip build) ----------------------------
+      - name: "Step 7a: Promote RC to stable"
         if: >-
-          steps.version.outputs.skip != 'true'
+          steps.version.outputs.skip != 'true' &&
+          steps.rc.outputs.promote == 'true'
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/release_promote.php \
+            --from release-candidate --to stable \
+            --token "${{ secrets.GA_TOKEN }}" \
+            --api-base "${API_BASE}" \
+            --path . --branch main
+          echo "Promoted RC → stable (${VERSION})" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 7b: Create or update Gitea Release (full build path) -------------
+      - name: "Step 7b: Gitea Release"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.rc.outputs.promote != 'true'
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -337,6 +435,8 @@ jobs:
           [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
 
           # Build release name: "Pretty Name VERSION (type_element-VERSION)"
+          # Strip existing type prefix to prevent duplication
+          EXT_ELEMENT=$(echo "$EXT_ELEMENT" | sed -E 's/^(pkg_|com_|mod_|plg_[a-z]+_|tpl_|lib_)//')
           TYPE_PREFIX=""
           case "${EXT_TYPE}" in
             plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
@@ -376,7 +476,8 @@ jobs:
       # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
       - name: "Step 8: Build package and update checksum"
         if: >-
-          steps.version.outputs.skip != 'true'
+          steps.version.outputs.skip != 'true' &&
+          steps.rc.outputs.promote != 'true'
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -407,6 +508,13 @@ jobs:
           # ZIP name: type_folder_element-VERSION (e.g. plg_system_mokojgdpc-01.01.00.zip)
           EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
           EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          # For packages, prefer <packagename> over filename-derived element
+          if [ "$EXT_TYPE" = "package" ]; then
+            PKG_NAME=$(sed -n 's/.*<packagename>\([^<]*\)<\/packagename>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            [ -n "$PKG_NAME" ] && EXT_ELEMENT="$PKG_NAME"
+          fi
+          # Strip existing type prefix to prevent duplication (e.g. pkg_mokowaas → mokowaas)
+          EXT_ELEMENT=$(echo "$EXT_ELEMENT" | sed -E 's/^(pkg_|com_|mod_|plg_[a-z]+_|tpl_|lib_)//')
           TYPE_PREFIX=""
           case "${EXT_TYPE}" in
             plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
@@ -442,110 +550,35 @@ jobs:
           SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
           SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
 
-          # -- Delete existing assets with same name before uploading ------
+          # -- Get existing assets for cleanup --------------------------------
           ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
-          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
+
+          # -- Create per-file .sha256 checksum files -------------------------
+          echo "${SHA256_ZIP}  ${ZIP_NAME}" > "/tmp/${ZIP_NAME}.sha256"
+          echo "${SHA256_TAR}  ${TAR_NAME}" > "/tmp/${TAR_NAME}.sha256"
+
+          # -- Upload packages + checksums to release tag --------------------
+          for ASSET in "${ZIP_NAME}" "${TAR_NAME}" "${ZIP_NAME}.sha256" "${TAR_NAME}.sha256"; do
+            [ ! -f "/tmp/${ASSET}" ] && continue
+            # Delete existing asset with same name
             ASSET_ID=$(echo "$ASSETS" | python3 -c "
           import sys,json
           assets = json.load(sys.stdin)
           for a in assets:
-              if a['name'] == '${ASSET_NAME}':
+              if a['name'] == '${ASSET}':
                   print(a['id']); break
           " 2>/dev/null || true)
-            if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
-            fi
+            [ -n "$ASSET_ID" ] && curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
+            # Upload
+            curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              -H "Content-Type: application/octet-stream" \
+              --data-binary @"/tmp/${ASSET}" \
+              "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ASSET}" > /dev/null 2>&1 || true
           done
 
-          # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/octet-stream" \
-            --data-binary @"/tmp/${ZIP_NAME}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
-
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/octet-stream" \
-            --data-binary @"/tmp/${TAR_NAME}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
-
-          # -- Update updates.xml with both download formats ---------------
-          if [ -f "updates.xml" ]; then
-            ZIP_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
-            TAR_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
-
-            # Use Python to update only the stable entry's downloads + sha256
-            export PY_ZIP_URL="$ZIP_URL" PY_TAR_URL="$TAR_URL" PY_SHA="$SHA256_ZIP"
-            python3 << 'PYEOF'
-          import re, os
-
-          with open("updates.xml") as f:
-              content = f.read()
-
-          zip_url = os.environ["PY_ZIP_URL"]
-          tar_url = os.environ["PY_TAR_URL"]
-          sha = os.environ["PY_SHA"]
-
-          # Find the stable update block and replace its downloads + sha256
-          def replace_stable(m):
-              block = m.group(0)
-              # Replace downloads block
-              new_downloads = (
-                  "    <downloads>\n"
-                  f"      <downloadurl type=\"full\" format=\"zip\">{zip_url}</downloadurl>\n"
-                  "    </downloads>"
-              )
-              block = re.sub(r'    <downloads>.*?</downloads>', new_downloads, block, flags=re.DOTALL)
-              # Add or replace sha256
-              if '<sha256>' in block:
-                  block = re.sub(r'    <sha256>.*?</sha256>', f'    <sha256>{sha}</sha256>', block)
-              else:
-                  block = block.replace('</downloads>', f'</downloads>\n    <sha256>{sha}</sha256>')
-              return block
-
-          content = re.sub(
-              r'  <update>.*?<tag>stable</tag>.*?</update>',
-              replace_stable,
-              content,
-              flags=re.DOTALL
-          )
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-
-            CURRENT_BRANCH="${{ github.ref_name }}"
-            git add updates.xml
-            git commit -m "chore(release): ZIP + tar.gz for ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
-            git push || true
-
-            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
-            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
-
-            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
-
-            if [ -n "$FILE_SHA" ]; then
-              CONTENT=$(base64 -w0 updates.xml)
-              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
-                -H "Content-Type: application/json" \
-                "${API}/contents/updates.xml" \
-                -d "$(jq -n \
-                  --arg content "$CONTENT" \
-                  --arg sha "$FILE_SHA" \
-                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
-                  --arg branch "main" \
-                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
-                )" > /dev/null 2>&1 \
-                && echo "updates.xml synced to main via API" \
-                || echo "WARNING: failed to sync updates.xml to main"
-            else
-              echo "WARNING: could not get updates.xml SHA from main"
-            fi
-          fi
+          # updates.xml already handled by Step 5 (updates_xml_build.php with preserve logic)
 
           echo "### Packages" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -556,72 +589,33 @@ jobs:
           echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
           echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY
 
-      # -- STEP 8b: Update release description with changelog + SHA ----------------
-      - name: "Step 8b: Update release body with changelog and SHA"
+      # -- STEP 8b: Update release description with changelog ----------------------
+      - name: "Step 8b: Update release body"
         if: steps.version.outputs.skip != 'true'
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
-          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
-          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
+          MOKO_CLI="/tmp/moko-platform-api/cli"
 
-          # Build TYPE_PREFIX to match Step 8's ZIP naming
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
-          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
-
-          # Get SHA from the built files
-          SHA256_ZIP=""
-          [ -f "/tmp/${ZIP_NAME}" ] && SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
-          SHA256_TAR=""
-          [ -f "/tmp/${TAR_NAME}" ] && SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
-
-          # Extract latest changelog entry (strip the ## header to avoid duplicate)
-          CHANGELOG=""
-          if [ -f "CHANGELOG.md" ]; then
-            CHANGELOG=$(sed -n "/^## \[*${VERSION}/,/^## \[*[0-9]/p" CHANGELOG.md | sed '$d' | sed '1d')
-            [ -z "$CHANGELOG" ] && CHANGELOG=$(sed -n '/^## /,/^## /p' CHANGELOG.md | sed '$d' | sed '1d' | head -30)
-          fi
-
-          # Build release body (single header, no duplicate from changelog)
-          BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\n"
-          if [ -n "$CHANGELOG" ]; then
-            BODY="${BODY}${CHANGELOG}\n\n"
-          fi
-          BODY="${BODY}---\n\n### Checksums\n\n"
-          BODY="${BODY}| File | SHA-256 |\n|------|--------|\n"
-          [ -n "$SHA256_ZIP" ] && BODY="${BODY}| \`${ZIP_NAME}\` | \`${SHA256_ZIP}\` |\n"
-          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
-
-          # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-          if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
-            python3 -c "
-          import json, urllib.request
-          body = '''$(printf '%b' "$BODY")'''
-          data = json.dumps({'body': body}).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/releases/${RELEASE_ID}',
-              data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
-              method='PATCH'
-          )
-          urllib.request.urlopen(req)
-          " 2>/dev/null && echo "Release body updated with changelog + SHA" >> $GITHUB_STEP_SUMMARY
-          fi
+          php ${MOKO_CLI}/release_body_update.php \
+            --path . --version "${VERSION}" --tag "${RELEASE_TAG}" \
+            --token "${{ secrets.GA_TOKEN }}" \
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            2>/dev/null || {
+            # Fallback: simple body update if CLI not available
+            API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+            RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
+              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
+              BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\nChecksum files attached as \`*.sha256\` assets."
+              curl -sf -X PATCH -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                -H "Content-Type: application/json" \
+                "${API_BASE}/releases/${RELEASE_ID}" \
+                -d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
+            fi
+          }
+          echo "Release body updated" >> $GITHUB_STEP_SUMMARY
 
       # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
       - name: "Step 9: Mirror release to GitHub"
@@ -688,11 +682,13 @@ jobs:
       - name: "Delete lesser pre-release channels"
         continue-on-error: true
         run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           php /tmp/moko-platform-api/cli/release_cascade.php \
             --stability stable \
+            --version "${VERSION}" \
             --token "${{ secrets.GA_TOKEN }}" \
-            --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            --gitea-url "${GITEA_URL}" 2>/dev/null || true
+            --api-base "${API_BASE}" 2>/dev/null || true
 
       - name: "Step 11: Delete and recreate dev branch from main"
         if: steps.version.outputs.skip != 'true'

.mokogitea/workflows/pre-release.yml

@@ -13,6 +13,10 @@
 name: "Universal: Pre-Release"
 
 on:
+  pull_request:
+    types: [closed]
+    branches:
+      - dev
   workflow_dispatch:
     inputs:
       stability:
@@ -35,8 +39,11 @@ env:
 
 jobs:
   build:
-    name: "Build Pre-Release (${{ inputs.stability }})"
+    name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
     runs-on: release
+    if: >-
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev')
 
     steps:
       - name: Checkout
@@ -84,7 +91,7 @@ jobs:
       - name: Resolve metadata and bump version
         id: meta
         run: |
-          STABILITY="${{ inputs.stability }}"
+          STABILITY="${{ inputs.stability || 'development' }}"
 
           case "$STABILITY" in
             development)        SUFFIX="-dev";   TAG="development" ;;
@@ -107,6 +114,9 @@ jobs:
           php ${MOKO_CLI}/version_set_platform.php \
             --path . --version "$VERSION" --branch "${{ github.ref_name }}" 2>/dev/null || true
 
+          # Verify version consistency across all files
+          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
+
           # Commit version bump
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"

.mokogitea/workflows/update-server.yml

@@ -0,0 +1,597 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /templates/workflows/update-server.yml
+# VERSION: 04.07.00
+# BRIEF: Update server XML feed with stable/rc/beta/alpha/dev entries (universal)
+#
+# Writes updates.xml with multiple <update> entries:
+#   - <tag>stable</tag>     on push to main (from auto-release)
+#   - <tag>rc</tag>         on push to rc/**
+#   - <tag>development</tag> on push to dev or dev/**
+#
+# Joomla filters by user's "Minimum Stability" setting.
+
+name: "Update Server"
+
+on:
+  push:
+    branches:
+      - 'dev'
+      - 'dev/**'
+      - 'alpha/**'
+      - 'beta/**'
+      - 'rc/**'
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  pull_request:
+    types: [closed]
+    branches:
+      - 'dev'
+      - 'dev/**'
+      - 'alpha/**'
+      - 'beta/**'
+      - 'rc/**'
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  workflow_dispatch:
+    inputs:
+      stability:
+        description: 'Stability tag'
+        required: true
+        default: 'development'
+        type: choice
+        options:
+          - development
+          - alpha
+          - beta
+          - rc
+          - stable
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+
+jobs:
+  update-xml:
+    name: Update updates.xml
+    runs-on: release
+    if: >-
+      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GA_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          if [ -d "/tmp/moko-platform" ]; then
+            echo "moko-platform already available — skipping clone"
+          else
+            git clone --depth 1 --branch main --quiet \
+              "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+              /tmp/moko-platform 2>/dev/null || true
+          fi
+          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
+            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+
+      - name: Generate updates.xml entry
+        id: update
+        run: |
+          BRANCH="${{ github.ref_name }}"
+          REPO="${{ github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          VERSION=$(php /tmp/moko-platform/cli/version_read.php --path . 2>/dev/null || echo "0.0.0")
+
+          # Auto-bump patch on all branches (dev, alpha, beta, rc)
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          BUMPED=$(php /tmp/moko-platform/cli/version_bump.php --path . 2>/dev/null || true)
+          if [ -n "$BUMPED" ]; then
+            VERSION=$(php /tmp/moko-platform/cli/version_read.php --path . 2>/dev/null || echo "$VERSION")
+            git add -A
+            git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" 2>/dev/null || true
+            git push 2>/dev/null || true
+          fi
+
+          # Determine stability from branch or input
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            STABILITY="${{ inputs.stability }}"
+          elif [[ "$BRANCH" == rc/* ]]; then
+            STABILITY="rc"
+          elif [[ "$BRANCH" == beta/* ]]; then
+            STABILITY="beta"
+          elif [[ "$BRANCH" == alpha/* ]]; then
+            STABILITY="alpha"
+          elif [[ "$BRANCH" == dev/* ]] || [[ "$BRANCH" == "dev" ]]; then
+            STABILITY="development"
+          else
+            STABILITY="stable"
+          fi
+
+          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+
+          # Parse manifest (portable — no grep -P)
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          if [ -z "$MANIFEST" ]; then
+            echo "No Joomla manifest found — skipping"
+            exit 0
+          fi
+
+          # Extract fields using sed (works on all runners)
+          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
+          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
+          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_VERSION=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
+          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
+          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
+
+          # Fallbacks
+          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
+          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
+
+          # Derive element if not in manifest: try XML filename, then repo name
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            case "$EXT_ELEMENT" in
+              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
+            esac
+          fi
+
+          # Use manifest version if README version is empty
+          [ "$VERSION" = "0.0.0" ] && [ -n "$EXT_VERSION" ] && VERSION="$EXT_VERSION"
+
+          [ -z "$TARGET_PLATFORM" ] && TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
+
+          # Joomla requires <client> on ALL extension types for update matching
+          if [ -n "$EXT_CLIENT" ]; then
+            CLIENT_TAG="<client>${EXT_CLIENT}</client>"
+          else
+            CLIENT_TAG="<client>site</client>"
+          fi
+
+          FOLDER_TAG=""
+          [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ] && FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
+
+          PHP_TAG=""
+          [ -n "$PHP_MINIMUM" ] && PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
+
+          # Version suffix for non-stable
+          DISPLAY_VERSION="$VERSION"
+          case "$STABILITY" in
+            development) DISPLAY_VERSION="${VERSION}-dev" ;;
+            alpha)       DISPLAY_VERSION="${VERSION}-alpha" ;;
+            beta)        DISPLAY_VERSION="${VERSION}-beta" ;;
+            rc)          DISPLAY_VERSION="${VERSION}-rc" ;;
+          esac
+
+          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
+
+          # Each stability level has its own release tag
+          case "$STABILITY" in
+            development) RELEASE_TAG="development" ;;
+            alpha)       RELEASE_TAG="alpha" ;;
+            beta)        RELEASE_TAG="beta" ;;
+            rc)          RELEASE_TAG="release-candidate" ;;
+            *)           RELEASE_TAG="v${MAJOR}" ;;
+          esac
+
+          PACKAGE_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.zip"
+          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${PACKAGE_NAME}"
+          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}"
+
+          # -- Build install packages and upload to release --------------------
+          php /tmp/moko-platform/cli/release_package.php \
+            --path . --version "${DISPLAY_VERSION}" --tag "${RELEASE_TAG}" \
+            --token "${{ secrets.GA_TOKEN }}" --api-base "${API_BASE}" \
+            --repo "${GITEA_REPO}" --output /tmp 2>&1 || true
+
+          echo "Package built and uploaded for ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
+
+          # -- Build the new entry (canonical format matching release.yml) --
+          NEW_ENTRY=""
+          NEW_ENTRY="${NEW_ENTRY}  <update>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <name>${EXT_NAME}</name>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <description>${EXT_NAME} ${STABILITY} build.</description>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <element>${EXT_ELEMENT}</element>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <type>${EXT_TYPE}</type>\n"
+          [ -n "$CLIENT_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${CLIENT_TAG}\n"
+          [ -n "$FOLDER_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${FOLDER_TAG}\n"
+          NEW_ENTRY="${NEW_ENTRY}    <version>${VERSION}</version>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <creationDate>$(date +%Y-%m-%d)</creationDate>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <infourl title='${EXT_NAME}'>https://git.mokoconsulting.tech/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${RELEASE_TAG}</infourl>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <downloads>\n"
+          NEW_ENTRY="${NEW_ENTRY}      <downloadurl type='full' format='zip'>${DOWNLOAD_URL}</downloadurl>\n"
+          NEW_ENTRY="${NEW_ENTRY}    </downloads>\n"
+          [ -n "$SHA256" ] && NEW_ENTRY="${NEW_ENTRY}    <sha256>${SHA256}</sha256>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <tags><tag>${STABILITY}</tag></tags>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <maintainer>Moko Consulting</maintainer>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <maintainerurl>https://mokoconsulting.tech</maintainerurl>\n"
+          NEW_ENTRY="${NEW_ENTRY}    <targetplatform name='joomla' version='(5|6).*'/>\n"
+          [ -n "$PHP_MINIMUM" ] && NEW_ENTRY="${NEW_ENTRY}    <php_minimum>${PHP_MINIMUM}</php_minimum>\n"
+          NEW_ENTRY="${NEW_ENTRY}  </update>"
+
+          # -- Write new entry to temp file --------------------------------
+          printf '%b' "$NEW_ENTRY" > /tmp/new_entry.xml
+
+          # -- Merge into updates.xml ----------------------------------------
+          # Cascade: stable→all | rc→rc+lower | beta→beta+lower | alpha→alpha+dev | dev→dev
+          CASCADE_MAP="stable:development,alpha,beta,rc,stable rc:development,alpha,beta,rc beta:development,alpha,beta alpha:development,alpha development:development"
+          TARGETS=""
+          for entry in $CASCADE_MAP; do
+            key="${entry%%:*}"
+            vals="${entry#*:}"
+            if [ "$key" = "${STABILITY}" ]; then
+              TARGETS="$vals"
+              break
+            fi
+          done
+          [ -z "$TARGETS" ] && TARGETS="${STABILITY}"
+
+          echo "Cascade: ${STABILITY} → ${TARGETS}"
+
+          # Create updates.xml if missing
+          if [ ! -f "updates.xml" ]; then
+            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>" > updates.xml
+            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting -->" >> updates.xml
+            printf '%s\n' "<updates>" >> updates.xml
+            printf '%s\n' "</updates>" >> updates.xml
+          fi
+
+          # Update existing blocks or create missing ones
+          export PY_TARGETS="$TARGETS" PY_VERSION="$VERSION" PY_DATE="$(date +%Y-%m-%d)"
+          python3 << 'PYEOF'
+          import re, os
+
+          targets = os.environ["PY_TARGETS"].split(",")
+          version = os.environ["PY_VERSION"]
+          date = os.environ["PY_DATE"]
+
+          with open("updates.xml") as f:
+              content = f.read()
+          with open("/tmp/new_entry.xml") as f:
+              new_entry_template = f.read()
+
+          for tag in targets:
+              tag = tag.strip()
+              # Build entry with this tag's name
+              new_entry = re.sub(r"<tag>[^<]*</tag>", f"<tag>{tag}</tag>", new_entry_template)
+
+              # Try to find existing block (handles both single-line and multi-line <tags>)
+              block_pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(tag) + r"</tag>.*?</update>)"
+              match = re.search(block_pattern, content, re.DOTALL)
+
+              if match:
+                  # Update in place — replace entire block
+                  content = content.replace(match.group(1), new_entry.strip())
+                  print(f"  UPDATED: <tag>{tag}</tag> → {version}")
+              else:
+                  # Create — insert before </updates>
+                  content = content.replace("</updates>", "\n" + new_entry.strip() + "\n\n</updates>")
+                  print(f"  CREATED: <tag>{tag}</tag> → {version}")
+
+          # Clean up excessive blank lines
+          content = re.sub(r"\n{3,}", "\n\n", content)
+
+          with open("updates.xml", "w") as f:
+              f.write(content)
+          PYEOF
+
+          # Commit
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git add updates.xml
+          git diff --cached --quiet || {
+            git commit -m "chore: update updates.xml (${STABILITY}: ${DISPLAY_VERSION}) [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+            git push
+          }
+
+      # -- Sync updates.xml to main (for non-main branches) ----------------------
+      - name: Sync updates.xml to main
+        if: github.ref_name != 'main'
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+
+          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+
+          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
+            python3 -c "
+          import base64, json, urllib.request, sys
+          with open('updates.xml', 'rb') as f:
+              content = base64.b64encode(f.read()).decode()
+          payload = json.dumps({
+              'content': content,
+              'sha': '${FILE_SHA}',
+              'message': 'chore: sync updates.xml from ${STABILITY} [skip ci]',
+              'branch': 'main'
+          }).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/contents/updates.xml',
+              data=payload, method='PUT',
+              headers={
+                  'Authorization': 'token ${GA_TOKEN}',
+                  'Content-Type': 'application/json'
+              })
+          try:
+              urllib.request.urlopen(req)
+              print('updates.xml synced to main')
+          except Exception as e:
+              print(f'ERROR: failed to sync updates.xml to main: {e}', file=sys.stderr)
+              sys.exit(1)
+          " \
+              && echo "updates.xml synced to main (${STABILITY})" >> $GITHUB_STEP_SUMMARY \
+              || echo "::error::failed to sync updates.xml to main" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::error::could not get updates.xml SHA from main — file may not exist on main yet" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: SFTP deploy to dev server
+        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
+        env:
+          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
+          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
+          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
+          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
+          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
+          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
+          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
+        run: |
+          # -- Permission check: admin or maintain role required --------
+          ACTOR="${{ github.actor }}"
+          REPO="${{ github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
+            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
+          case "$PERMISSION" in
+            admin|maintain|write) ;;
+            *)
+              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
+              exit 0
+              ;;
+          esac
+
+          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
+
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && exit 0
+
+          PORT="${DEV_PORT:-22}"
+          REMOTE="${DEV_PATH%/}"
+          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
+
+          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
+            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
+          if [ -n "$DEV_KEY" ]; then
+            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
+            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
+          else
+            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
+          fi
+
+          PLATFORM=$(php /tmp/moko-platform/cli/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/moko-platform/deploy/deploy-joomla.php" ]; then
+            php /tmp/moko-platform/deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+          elif [ -f "/tmp/moko-platform/deploy/deploy-sftp.php" ]; then
+            php /tmp/moko-platform/deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+          fi
+          rm -f /tmp/deploy_key /tmp/sftp-config.json
+          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
+
+      - name: Validate updates.xml integrity
+        run: |
+          ERRORS=0
+
+          if [ ! -f "updates.xml" ]; then
+            echo "::error::updates.xml not found"
+            exit 1
+          fi
+
+          # Well-formed XML
+          if ! python3 -c "import xml.etree.ElementTree as ET; ET.parse('updates.xml')" 2>/dev/null; then
+            echo "::error::updates.xml is not valid XML"
+            ERRORS=$((ERRORS+1))
+          fi
+
+          python3 << 'PYEOF'
+          import xml.etree.ElementTree as ET, sys, re, os
+
+          tree = ET.parse("updates.xml")
+          root = tree.getroot()
+          updates = root.findall("update")
+          errors = 0
+          warnings = 0
+          seen_tags = set()
+
+          # All 5 channels MUST be present
+          REQUIRED_CHANNELS = {"stable", "rc", "beta", "alpha", "dev"}
+          VALID_TAGS = REQUIRED_CHANNELS | {"development"}  # accept legacy alias
+          REPO = os.environ.get("GITEA_REPO", "")
+          ORG = os.environ.get("GITEA_ORG", "MokoConsulting")
+          REPO_BASE = f"https://git.mokoconsulting.tech/{ORG}/"
+
+          # Gitea release tag names per channel (Moko standard)
+          RELEASE_TAG_MAP = {
+              "stable": "stable",
+              "rc": "release-candidate",
+              "beta": "beta",
+              "alpha": "alpha",
+              "dev": "development",
+              "development": "development",
+          }
+
+          # Joomla update XML required fields per
+          # https://docs.joomla.org/Deploying_an_Update_Server
+          REQUIRED_FIELDS = ["name", "element", "type", "version", "infourl"]
+
+          for i, u in enumerate(updates):
+              tag_el = u.find("tags/tag")
+              tag = tag_el.text.strip() if tag_el is not None and tag_el.text else None
+              label = f"Entry {i+1} (<tag>{tag or '?'}</tag>)"
+
+              # -- Required Joomla fields --
+              for field in REQUIRED_FIELDS:
+                  el = u.find(field)
+                  if el is None or not (el.text or "").strip():
+                      print(f"::error::{label}: missing required <{field}>")
+                      errors += 1
+
+              # -- <downloads><downloadurl> --
+              dl = u.find("downloads/downloadurl")
+              if dl is None or not (dl.text or "").strip():
+                  print(f"::error::{label}: missing <downloads><downloadurl>")
+                  errors += 1
+              else:
+                  dl_url = dl.text.strip()
+                  # Must point to org repo
+                  if REPO_BASE not in dl_url:
+                      print(f"::error::{label}: download URL not under {REPO_BASE}: {dl_url}")
+                      errors += 1
+                  # Must end in .zip
+                  if not dl_url.endswith(".zip"):
+                      print(f"::error::{label}: download URL must end in .zip: {dl_url}")
+                      errors += 1
+                  # Must use correct Gitea release tag in path
+                  if tag and tag in RELEASE_TAG_MAP:
+                      expected_tag = RELEASE_TAG_MAP[tag]
+                      if f"/download/{expected_tag}/" not in dl_url:
+                          print(f"::error::{label}: download URL should contain /download/{expected_tag}/ but got: {dl_url}")
+                          errors += 1
+
+              # -- <client> (required for Joomla to match update) --
+              client = u.find("client")
+              if client is None or not (client.text or "").strip():
+                  print(f"::error::{label}: missing <client> (required for Joomla update matching)")
+                  errors += 1
+
+              # -- <targetplatform> --
+              tp = u.find("targetplatform")
+              if tp is None:
+                  print(f"::error::{label}: missing <targetplatform>")
+                  errors += 1
+              else:
+                  tp_name = tp.get("name", "")
+                  tp_ver = tp.get("version", "")
+                  if tp_name != "joomla":
+                      print(f"::error::{label}: targetplatform name should be 'joomla', got '{tp_name}'")
+                      errors += 1
+                  if not tp_ver:
+                      print(f"::error::{label}: targetplatform missing version regex")
+                      errors += 1
+                  elif "5" not in tp_ver or "6" not in tp_ver:
+                      print(f"::warning::{label}: targetplatform version may not cover Joomla 5+6: {tp_ver}")
+                      warnings += 1
+
+              # -- <type> must be valid Joomla type --
+              type_el = u.find("type")
+              if type_el is not None and type_el.text:
+                  valid_types = {"component", "module", "plugin", "template", "library", "package", "file"}
+                  if type_el.text.strip() not in valid_types:
+                      print(f"::error::{label}: invalid type '{type_el.text}' (expected: {valid_types})")
+                      errors += 1
+
+              # -- <version> format (XX.YY.ZZ with optional suffix) --
+              ver_el = u.find("version")
+              if ver_el is not None and ver_el.text:
+                  if not re.match(r"^\d{2}\.\d{2}\.\d{2}(-\w+)?$", ver_el.text.strip()):
+                      print(f"::warning::{label}: version '{ver_el.text}' does not match XX.YY.ZZ format")
+                      warnings += 1
+
+              # -- <maintainer> and <maintainerurl> --
+              for field in ["maintainer", "maintainerurl"]:
+                  el = u.find(field)
+                  if el is None or not (el.text or "").strip():
+                      print(f"::warning::{label}: missing <{field}>")
+                      warnings += 1
+
+              # -- Valid stability tag --
+              if tag is None:
+                  print(f"::error::{label}: missing <tags><tag>")
+                  errors += 1
+              elif tag not in VALID_TAGS:
+                  print(f"::error::{label}: invalid tag '{tag}' (expected: {VALID_TAGS})")
+                  errors += 1
+
+              # -- Duplicate tag check --
+              norm_tag = "dev" if tag == "development" else tag
+              if norm_tag in seen_tags:
+                  print(f"::error::{label}: duplicate channel '{tag}'")
+                  errors += 1
+              if norm_tag:
+                  seen_tags.add(norm_tag)
+
+          # -- All 5 channels must exist --
+          missing = REQUIRED_CHANNELS - seen_tags
+          if missing:
+              print(f"::error::Missing required update channels: {', '.join(sorted(missing))}")
+              errors += 1
+
+          # -- Version ordering: higher stability must not exceed dev version --
+          channel_versions = {}
+          for u in updates:
+              tag_el = u.find("tags/tag")
+              ver_el = u.find("version")
+              if tag_el is not None and ver_el is not None and tag_el.text and ver_el.text:
+                  norm = "dev" if tag_el.text.strip() == "development" else tag_el.text.strip()
+                  # Strip suffix for comparison (01.00.18-dev -> 01.00.18)
+                  base_ver = re.sub(r"-\w+$", "", ver_el.text.strip())
+                  channel_versions[norm] = base_ver
+
+          # Cascade check: dev >= alpha >= beta >= rc >= stable
+          ORDER = ["dev", "alpha", "beta", "rc", "stable"]
+          for j in range(1, len(ORDER)):
+              current = ORDER[j]
+              previous = ORDER[j - 1]
+              if current in channel_versions and previous in channel_versions:
+                  if channel_versions[current] > channel_versions[previous]:
+                      print(f"::error::{current} version ({channel_versions[current]}) is ahead of {previous} ({channel_versions[previous]})")
+                      errors += 1
+
+          # -- Summary --
+          print(f"\nupdates.xml validation: {len(updates)} entries, {errors} error(s), {warnings} warning(s)")
+          if errors > 0:
+              sys.exit(1)
+          PYEOF
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "## Joomla Update Server" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Version | \`${DISPLAY_VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Element | \`${EXT_ELEMENT}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Download | [ZIP](${DOWNLOAD_URL}) |" >> $GITHUB_STEP_SUMMARY

models/migrations/migrations.go

@@ -410,6 +410,7 @@ func prepareMigrationTasks() []*migration {
 
 		newMigration(331, "Add ActionRunAttempt model and related action fields", v1_27.AddActionRunAttemptModel),
 		newMigration(332, "Add org-level branch protection rulesets", v1_27.AddOrgProtectedBranchTable),
+		newMigration(333, "Add require_2fa to user table for org enforcement", v1_27.AddRequire2FAToUser),
 	}
 	return preparedMigrations
 }

models/migrations/v1_27/v333.go

@@ -0,0 +1,16 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package v1_27
+
+import (
+	"xorm.io/xorm"
+)
+
+func AddRequire2FAToUser(x *xorm.Engine) error {
+	type User struct {
+		Require2FA bool `xorm:"NOT NULL DEFAULT false"`
+	}
+	_, err := x.SyncWithOptions(xorm.SyncOptions{IgnoreDropIndices: true}, new(User))
+	return err
+}

models/user/user.go

@@ -117,6 +117,9 @@ type User struct {
 	// Maximum repository creation limit, -1 means use global default
 	MaxRepoCreation int `xorm:"NOT NULL DEFAULT -1"`
 
+	// Require2FA when true (and user is an org), all org members must have 2FA enabled
+	Require2FA bool `xorm:"NOT NULL DEFAULT false"`
+
 	// IsActive true: primary email is activated, user can access Web UI and Git SSH.
 	// false: an inactive user can only log in Web UI for account operations (ex: activate the account by email), no other access.
 	IsActive bool `xorm:"INDEX"`

modules/highlight/highlight_test.go

@@ -63,7 +63,7 @@ func TestFile(t *testing.T) {
 		{
 			name:      "tags.py",
 			code:      "<>",
-			want:      lines(`<span class="o">&lt;</span><span class="o">&gt;</span>`),
+			want:      lines(`<span class="o">&lt;&gt;</span>`),
 			lexerName: "Python",
 		},
 		{
@@ -102,7 +102,7 @@ c=2
 <span class="n">def</span><span class="p">:</span>\n
     <span class="n">a</span><span class="o">=</span><span class="mi">1</span>\n
 \n
-<span class="n">b</span><span class="o">=</span><span class="sa"></span><span class="s1">&#39;</span><span class="s1">&#39;</span>\n
+<span class="n">b</span><span class="o">=</span><span class="s1">&#39;&#39;</span>\n
     \n
 <span class="n">c</span><span class="o">=</span><span class="mi">2</span>`,
 			),
@@ -114,6 +114,18 @@ c=2
 			want:      []template.HTML{"<span class=\"c1\">--\n</span>", `<span class="k">SELECT</span>`},
 			lexerName: "SQL",
 		},
+		{
+			name: "test.http",
+			code: `HTTP/1.0 400 Bad request
+Content-Type: text/html
+
+<html></html>`,
+			want: lines(`<span class="kr">HTTP</span><span class="o">/</span><span class="m">1.0</span> <span class="m">400</span> <span class="ne">Bad request</span>\n
+<span class="n">Content-Type</span><span class="o">:</span> <span class="l">text/html</span>\n
+\n
+<span class="p">&lt;</span><span class="nt">html</span><span class="p">&gt;&lt;/</span><span class="nt">html</span><span class="p">&gt;</span>`),
+			lexerName: "HTTP",
+		},
 	}
 
 	for _, tt := range tests {

modules/highlight/lexerdetect.go

@@ -288,24 +288,24 @@ func detectChromaLexerWithAnalyze(fileName, lang string, code []byte) chroma.Lex
 
 	// if lang is provided, and it matches a lexer, use it directly
 	if byLang {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}
 
 	// if a lexer is detected and there is no conflict for the file extension, use it directly
 	fileExt := path.Ext(fileName)
 	_, hasConflicts := chromaLexers().conflictingExtLangMap[fileExt]
 	if !hasConflicts && lexer != lexers.Fallback {
-		return lexer
+		return chroma.Coalesce(lexer)
 	}
 
 	// try to detect language by content, for best guessing for the language
 	// when using "code" to detect, analyze.GetCodeLanguage is slow, it iterates many rules to detect language from content
 	analyzedLanguage := analyze.GetCodeLanguage(fileName, code)
-	lexer = DetectChromaLexerByFileName(fileName, analyzedLanguage)
+	lexer, _ = detectChromaLexerByFileName(fileName, analyzedLanguage)
 	if lexer == lexers.Fallback {
 		if analyzedLanguage != enry.OtherLanguage {
 			log.Warn("No chroma lexer found for enry detected language: %s (file: %s), need to fix the language mapping between enry and chroma.", analyzedLanguage, fileName)
 		}
 	}
-	return lexer
+	return chroma.Coalesce(lexer)
 }

routers/web/org/require2fa.go

@@ -0,0 +1,37 @@
+// Copyright 2026 Moko Consulting <hello@mokoconsulting.tech>
+// SPDX-License-Identifier: GPL-3.0-or-later
+
+package org
+
+import (
+	auth_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/auth"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/modules/setting"
+	"git.mokoconsulting.tech/MokoConsulting/MokoGitea/services/context"
+)
+
+// Check2FARequirement checks if the current org requires 2FA and if the user has it enabled.
+// If the user doesn't have 2FA and the org requires it, redirect to 2FA setup page.
+func Check2FARequirement(ctx *context.Context) {
+	if ctx.Org == nil || ctx.Org.Organization == nil || ctx.Doer == nil {
+		return
+	}
+
+	if !ctx.Org.Organization.Require2FA {
+		return
+	}
+
+	// Check if user has 2FA enabled
+	has, err := auth_model.HasTwoFactorOrWebAuthn(ctx, ctx.Doer.ID)
+	if err != nil {
+		ctx.ServerError("HasTwoFactorOrWebAuthn", err)
+		return
+	}
+
+	if has {
+		return
+	}
+
+	// User doesn't have 2FA — show warning and redirect to settings
+	ctx.Flash.Warning("This organization requires two-factor authentication. Please enable 2FA to continue.")
+	ctx.Redirect(setting.AppSubURL + "/user/settings/security")
+}

routers/web/org/setting.go

@@ -80,12 +80,14 @@ func SettingsPost(ctx *context.Context) {
 		return
 	}
 
+	require2FA := ctx.FormBool("require_2fa")
 	opts := &user_service.UpdateOptions{
 		FullName:                  optional.FromPtr(form.FullName),
 		Description:               optional.FromPtr(form.Description),
 		Website:                   optional.FromPtr(form.Website),
 		Location:                  optional.FromPtr(form.Location),
 		RepoAdminChangeTeamAccess: optional.FromPtr(form.RepoAdminChangeTeamAccess),
+		Require2FA:                optional.Some(require2FA),
 	}
 	if ctx.Doer.IsAdmin {
 		opts.MaxRepoCreation = optional.FromPtr(form.MaxRepoCreation)

routers/web/web.go

@@ -960,7 +960,7 @@ func registerWebRoutes(m *web.Router, webAuth *AuthMiddleware) {
 			m.Get("/milestones/{team}", reqMilestonesDashboardPageEnabled, user.Milestones)
 			m.Post("/members/action/{action}", org.MembersAction)
 			m.Get("/teams", org.Teams)
-		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireMember: true, RequireTeamMember: true}))
+		}, context.OrgAssignment(context.OrgAssignmentOptions{RequireMember: true, RequireTeamMember: true}), org.Check2FARequirement)
 
 		m.Group("/{org}", func() {
 			m.Get("/teams/{team}", org.TeamMembers)

services/user/update.go

@@ -56,6 +56,7 @@ type UpdateOptions struct {
 	EmailNotificationsPreference optional.Option[string]
 	SetLastLogin                 bool
 	RepoAdminChangeTeamAccess    optional.Option[bool]
+	Require2FA                   optional.Option[bool]
 }
 
 func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) error {
@@ -169,6 +170,11 @@ func UpdateUser(ctx context.Context, u *user_model.User, opts *UpdateOptions) er
 
 		cols = append(cols, "repo_admin_change_team_access")
 	}
+	if opts.Require2FA.Has() {
+		u.Require2FA = opts.Require2FA.Value()
+
+		cols = append(cols, "require_2fa")
+	}
 
 	if opts.EmailNotificationsPreference.Has() {
 		u.EmailNotificationsPreference = opts.EmailNotificationsPreference.Value()

services/wiki/wiki_path.go

@@ -6,6 +6,7 @@ package wiki
 import (
 	"net/url"
 	"path"
+	"regexp"
 	"strings"
 
 	repo_model "git.mokoconsulting.tech/MokoConsulting/MokoGitea/models/repo"
@@ -148,10 +149,26 @@ func WebPathFromRequest(s string) WebPath {
 	return WebPath(s)
 }
 
+var multiHyphenRe = regexp.MustCompile(`-{2,}`)
+var nonSlugRe = regexp.MustCompile(`[^a-zA-Z0-9+.\-]`)
+
+// sanitizeWikiTitle converts a user-provided title into a clean, URL-friendly slug.
+// Spaces and special characters become hyphens, consecutive hyphens collapse to one.
+// Preserves: letters, digits, hyphens, plus signs (+), and dots (.)
+func sanitizeWikiTitle(title string) string {
+	title = strings.TrimSpace(title)
+	title = strings.ReplaceAll(title, " ", "-")
+	title = nonSlugRe.ReplaceAllString(title, "-")
+	title = multiHyphenRe.ReplaceAllString(title, "-")
+	title = strings.NewReplacer("-+-", "-", "+-", "-", "-+", "-").Replace(title) // clean stray plus signs
+	title = strings.Trim(title, "-+.")
+	return title
+}
+
 func UserTitleToWebPath(base, title string) WebPath {
 	// TODO: no support for subdirectory, because the old wiki code's behavior is always using %2F, instead of subdirectory.
 	// So we do not add the support for writing slashes in title at the moment.
-	title = strings.TrimSpace(title)
+	title = sanitizeWikiTitle(title)
 	title = util.PathJoinRelX(base, escapeSegToWeb(title, false))
 	if title == "" || title == "." {
 		title = "unnamed"

templates/org/settings/options.tmpl

@@ -48,6 +48,16 @@
 			</div>
 			{{end}}
 
+			<div class="divider"></div>
+
+			<div class="inline field">
+				<div class="ui checkbox">
+					<input type="checkbox" name="require_2fa" {{if .Org.Require2FA}}checked{{end}}>
+					<label>{{svg "octicon-shield-lock" 16}} Require two-factor authentication for all members</label>
+				</div>
+				<p class="help">When enabled, organization members without 2FA configured will be prompted to set it up before accessing organization resources.</p>
+			</div>
+
 			<div class="field">
 				<button class="ui primary button">{{ctx.Locale.Tr "org.settings.update_settings"}}</button>
 			</div>