chore: add dlid and blockChildUninstall to package manifest [skip ci]

chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]
2026-06-04 22:02:35 +00:00 · 2026-06-04 15:58:49 +00:00 · 2026-06-04 15:41:38 +00:00 · 2026-06-04 15:32:49 +00:00 · 2026-06-04 15:27:09 +00:00 · 2026-06-04 15:19:40 +00:00
13 changed files with 2420 additions and 1293 deletions
@@ -0,0 +1,251 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 # SPDX-License-Identifier: GPL-3.0-or-later
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Automation
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.gitea/workflows/branch-protection.yml
 # BRIEF: Apply standardised branch protection rules to all governed repositories
 #
 # +========================================================================+
 # |                   BRANCH PROTECTION SETUP                              |
 # +========================================================================+
 # |                                                                        |
 # |  Applies protection rules for: main, dev, rc, beta, alpha       |
 # |                                                                        |
 # |  main  — Require PR, block rejected reviews, no force push             |
 # |  dev   — Allow push, no force push, no delete                          |
 # |  rc  — Allow push, no force push, no delete                          |
 # |  beta — Allow push, no force push, no delete                         |
 # |  alpha — Allow push, no force push, no delete                        |
 # |                                                                        |
 # |  jmiller has override authority on all branches.                       |
 # |                                                                        |
 # +========================================================================+
 name: Branch Protection Setup
 on:
  schedule:
    - cron: '0 2 * * 1'  # Weekly Monday 02:00 UTC
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Preview mode (no changes)'
        required: false
        type: boolean
        default: false
      repos:
        description: 'Comma-separated repo names (empty = all governed repos)'
        required: false
        type: string
        default: ''
 env:
  GITEA_URL: https://git.mokoconsulting.tech
  GITEA_ORG: MokoConsulting
 permissions:
  contents: read
 jobs:
  protect:
    name: Apply Branch Protection Rules
    runs-on: ubuntu-latest
    steps:
      - name: Determine target repos
        id: repos
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1"
          # Platform/standards/infra repos to exclude
          EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
          EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
          if [ -n "${{ inputs.repos }}" ]; then
            # User-specified repos
            REPOS=$(echo "${{ inputs.repos }}" | tr ',' ' ')
          else
            # Fetch all org repos
            PAGE=1
            REPOS=""
            while true; do
              BATCH=$(curl -sS \
                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
                | jq -r '.[].name // empty')
              [ -z "$BATCH" ] && break
              REPOS="$REPOS $BATCH"
              PAGE=$((PAGE + 1))
            done
            # Filter out excluded repos
            FILTERED=""
            for REPO in $REPOS; do
              SKIP=false
              for EX in $EXCLUDE; do
                if [ "$REPO" = "$EX" ]; then
                  SKIP=true
                  break
                fi
              done
              if [ "$SKIP" = "false" ]; then
                FILTERED="$FILTERED $REPO"
              fi
            done
            REPOS="$FILTERED"
          fi
          echo "repos=$REPOS" >> "$GITHUB_OUTPUT"
          COUNT=$(echo "$REPOS" | wc -w)
          echo "📋 Target repos (${COUNT}): $REPOS"
      - name: Apply protection rules
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
          DRY_RUN: ${{ inputs.dry_run || 'false' }}
        run: |
          API="${GITEA_URL}/api/v1"
          REPOS="${{ steps.repos.outputs.repos }}"
          SUCCESS=0
          FAILED=0
          SKIPPED=0
          # ── Rule definitions ──────────────────────────────────────
          # Only the CI bot (jmiller token) can push directly.
          # All human contributors must use PRs.
          # Force push disabled on all branches.
          RULE_MAIN='{
            "rule_name": "main",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "dismiss_stale_approvals": true,
            "block_on_rejected_reviews": true,
            "block_on_outdated_branch": false,
            "priority": 1
          }'
          RULE_DEV='{
            "rule_name": "dev",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 2
          }'
          RULE_RC='{
            "rule_name": "rc",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 3
          }'
          RULE_BETA='{
            "rule_name": "beta",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 4
          }'
          RULE_ALPHA='{
            "rule_name": "alpha",
            "enable_push": true,
            "enable_push_whitelist": true,
            "push_whitelist_usernames": ["jmiller"],
            "enable_force_push": false,
            "enable_force_push_allowlist": false,
            "force_push_allowlist_usernames": [],
            "enable_merge_whitelist": false,
            "required_approvals": 0,
            "block_on_rejected_reviews": false,
            "priority": 5
          }'
          RULES=("$RULE_MAIN" "$RULE_DEV" "$RULE_RC" "$RULE_BETA" "$RULE_ALPHA")
          RULE_NAMES=("main" "dev" "rc" "beta" "alpha")
          # ── Apply rules to each repo ──────────────────────────────
          for REPO in $REPOS; do
            echo ""
            echo "═══ ${REPO} ═══"
            for i in "${!RULES[@]}"; do
              RULE="${RULES[$i]}"
              NAME="${RULE_NAMES[$i]}"
              if [ "$DRY_RUN" = "true" ]; then
                echo "  [DRY RUN] Would apply rule: ${NAME}"
                SKIPPED=$((SKIPPED + 1))
                continue
              fi
              # Delete existing rule if present (idempotent recreate)
              ENCODED_NAME=$(echo "$NAME" | sed 's|/|%2F|g')
              curl -sS -o /dev/null -w "" \
                -X DELETE \
                -H "Authorization: token ${GA_TOKEN}" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections/${ENCODED_NAME}" 2>/dev/null || true
              # Create rule
              RESPONSE=$(curl -sS -w "\n%{http_code}" \
                -X POST \
                -H "Authorization: token ${GA_TOKEN}" \
                -H "Content-Type: application/json" \
                -d "$RULE" \
                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections")
              HTTP=$(echo "$RESPONSE" | tail -1)
              BODY=$(echo "$RESPONSE" | sed '$d')
              if [ "$HTTP" = "201" ]; then
                echo "  ✅ ${NAME}"
                SUCCESS=$((SUCCESS + 1))
              else
                echo "  ❌ ${NAME} (HTTP ${HTTP}): $(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)"
                FAILED=$((FAILED + 1))
              fi
            done
          done
          # ── Summary ───────────────────────────────────────────────
          echo ""
          echo "════════════════════════════════════════"
          echo "  ✅ Success: ${SUCCESS}"
          echo "  ❌ Failed:  ${FAILED}"
          echo "  ⏭️  Skipped: ${SKIPPED}"
          echo "════════════════════════════════════════"
          if [ "$FAILED" -gt 0 ]; then
            echo "::warning::${FAILED} rule(s) failed to apply"
          fi
@@ -1,84 +1,66 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
+#
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-3.0-or-later
-#
+#
-# FILE INFORMATION
+# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
+# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
+# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.mokogitea/workflows/auto-bump.yml
+# PATH: /.mokogitea/workflows/auto-bump.yml
-# VERSION: 09.02.00
+# VERSION: 09.02.00
-# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
+# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
-
+
-name: "Universal: Auto Version Bump"
+name: "Universal: Auto Version Bump"
-
+
-on:
+on:
-  push:
+  push:
-    branches:
+    branches:
-      - dev
+      - dev
-
+      - rc
-env:
+      - 'feature/**'
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+      - 'patch/**'
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
-
+env:
-permissions:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  contents: write
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
+
-jobs:
+permissions:
-  bump:
+  contents: write
-    name: Version Bump
+
-    runs-on: release
+jobs:
-    if: >-
+  bump:
-      !contains(github.event.head_commit.message, '[skip ci]') &&
+    name: Version Bump
-      !contains(github.event.head_commit.message, '[skip bump]') &&
+    runs-on: release
-      !startsWith(github.event.head_commit.message, 'Merge pull request')
+    if: >-
-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
-    steps:
+      !contains(github.event.head_commit.message, '[skip bump]') &&
-      - name: Checkout
+      !startsWith(github.event.head_commit.message, 'Merge pull request')
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
-        with:
+    steps:
-          token: ${{ secrets.GA_TOKEN }}
+      - name: Checkout
-          fetch-depth: 1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
+        with:
-      - name: Setup moko-platform tools
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
+          fetch-depth: 1
-          if ! command -v composer &> /dev/null; then
+
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+      - name: Setup moko-platform tools
-          fi
+        run: |
-          if [ -d "/opt/moko-platform/cli" ]; then
+          if ! command -v composer &> /dev/null; then
-            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          else
+          fi
-            git clone --depth 1 --branch main --quiet \
+          if [ -d "/opt/moko-platform/cli" ]; then
-              "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
+            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
-              /tmp/moko-platform-api
+          else
-            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
+            git clone --depth 1 --branch main --quiet \
-            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
-          fi
+              /tmp/moko-platform-api
-
+            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-      - name: Bump version
+            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-        run: |
+          fi
-          BUMP=$(php ${MOKO_CLI}/version_bump.php --path . 2>&1) || true
+
-          echo "$BUMP"
+      - name: Bump version
-
+        run: |
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null) || true
+          php ${MOKO_CLI}/version_auto_bump.php \
-          [ -z "$VERSION" ] && { echo "No version found — skipping"; exit 0; }
+            --path . --branch "${GITHUB_REF_NAME}" \
-
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-          # Propagate to platform manifests
+            --repo-url "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          php ${MOKO_CLI}/version_set_platform.php \
            --path . --version "$VERSION" --branch dev 2>/dev/null || true
          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
          # Commit if anything changed
          if git diff --quiet && git diff --cached --quiet; then
            echo "No version changes to commit"
            exit 0
          fi
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git commit -m "chore(version): patch bump to ${VERSION} [skip ci]" \
            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
          git push origin dev
          echo "Bumped to ${VERSION}" >> $GITHUB_STEP_SUMMARY
@@ -1,492 +1,285 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
+#
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-3.0-or-later
-#
+#
-# FILE INFORMATION
+# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
+# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
+# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
+# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 05.00.00
+# VERSION: 05.00.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
+# BRIEF: Universal build & release � detects platform from manifest.xml
-#
+#
-# +========================================================================+
+# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
+# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
+# +========================================================================+
-# |                                                                        |
+# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
+# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
+# |                                                                        |
-# |  Platform-specific:                                                    |
+# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
+# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
+# |    generic:  README-only, no update stream                             |
-# |                                                                        |
+# |                                                                        |
-# +========================================================================+
+# +========================================================================+
-
+
-name: "Universal: Build & Release"
+name: "Universal: Build & Release"
-
+
-on:
+on:
-  pull_request:
+  pull_request:
-    types: [opened, closed]
+    types: [opened, closed]
-    branches:
+    branches:
-      - main
+      - main
-  workflow_dispatch:
+  workflow_dispatch:
-    inputs:
+    inputs:
-      action:
+      action:
-        description: 'Action to perform'
+        description: 'Action to perform'
-        required: false
+        required: false
-        type: choice
+        type: choice
-        default: release
+        default: release
-        options:
+        options:
-          - release
+          - release
-          - promote-rc
+          - promote-rc
-
+
-env:
+env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
+
-permissions:
+permissions:
-  contents: write
+  contents: write
-
+
-jobs:
+jobs:
-  # ── Draft PR → Promote highest pre-release to RC ─────────────────────────────
+  # ── PR Opened → Rename branch to RC and build RC release ─────────────────────
-  promote-rc:
+  promote-rc:
-    name: Promote Pre-Release to RC
+    name: Promote to RC
-    runs-on: release
+    runs-on: release
-    if: >-
+    if: >-
-      (github.event.action == 'opened' && github.event.pull_request.draft == true) ||
+      (github.event.action == 'opened' && github.event.pull_request.merged != true) ||
-      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
+      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
-
+
-    steps:
+    steps:
-      - name: Checkout repository
+      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
+        with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
+          fetch-depth: 1
-
+
-      - name: Setup moko-platform tools
+      - name: Setup moko-platform tools
-        env:
+        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
+        run: |
-          if ! command -v composer &> /dev/null; then
+          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
+          fi
-          git clone --depth 1 --branch main --quiet \
+          # Always fetch latest CLI tools — never use stale cache from previous runs
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+          rm -rf /tmp/moko-platform-api
-            /tmp/moko-platform-api
+          git clone --depth 1 --branch main --quiet \
-          cd /tmp/moko-platform-api
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-          composer install --no-dev --no-interaction --quiet
+            /tmp/moko-platform-api
-
+          cd /tmp/moko-platform-api
-      - name: Promote to release-candidate
+          composer install --no-dev --no-interaction --quiet
-        run: |
+
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+      - name: Rename branch to rc
-          php /tmp/moko-platform-api/cli/release_promote.php \
+        run: |
-            --from auto --to release-candidate \
+          php /tmp/moko-platform-api/cli/branch_rename.php \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --from "${{ github.event.pull_request.head.ref || 'dev' }}" --to rc \
-            --api-base "${API_BASE}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --branch "${{ github.event.pull_request.head.ref || 'dev' }}"
+            --api-base "${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}" \
-
+            --pr "${{ github.event.pull_request.number }}"
-      - name: Cascade lesser channels
+
-        continue-on-error: true
+      - name: Checkout rc and configure git
-        run: |
+        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          git fetch origin rc
-          php /tmp/moko-platform-api/cli/release_cascade.php \
+          git checkout rc
-            --stability release-candidate \
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            --token "${{ secrets.GA_TOKEN }}" \
+          git config --local user.name "gitea-actions[bot]"
-            --api-base "${API_BASE}"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
+
-      - name: Summary
+      - name: Publish RC release
-        if: always()
+        run: |
-        run: |
+          php /tmp/moko-platform-api/cli/release_publish.php \
-          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
+            --path . --stability rc --bump minor --branch rc \
-          echo "Draft PR opened — promoted highest pre-release to RC" >> $GITHUB_STEP_SUMMARY
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-
+            --skip-update-stream
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
+
-  release:
+      - name: Summary
-    name: Build & Release Pipeline
+        if: always()
-    runs-on: release
+        run: |
-    if: >-
+          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-      github.event.pull_request.merged == true ||
+          echo "Branch renamed to rc, minor bump, RC release built (updates.xml managed by Gitea Pages)" >> $GITHUB_STEP_SUMMARY
-      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
+
-
+  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
-    steps:
+  release:
-      - name: Checkout repository
+    name: Build & Release Pipeline
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+    runs-on: release
-        with:
+    if: >-
-          token: ${{ secrets.GA_TOKEN }}
+      github.event.pull_request.merged == true ||
-          fetch-depth: 0
+      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
-
+
-      - name: Setup moko-platform tools
+    steps:
-        env:
+      - name: Checkout repository
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+        with:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
+          fetch-depth: 0
-          # Ensure PHP + Composer are available
+
-          if ! command -v composer &> /dev/null; then
+      - name: Configure git for bot pushes
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+        run: |
-          fi
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git clone --depth 1 --branch main --quiet \
+          git config --local user.name "gitea-actions[bot]"
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-            /tmp/moko-platform-api
+
-          cd /tmp/moko-platform-api
+      - name: Check for merge conflict markers
-          composer install --no-dev --no-interaction --quiet
+        run: |
-
+          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
-
+          if [ -n "$CONFLICTS" ]; then
-      # -- PLATFORM DETECTION ---------------------------------------------------
+            echo "::error::Merge conflict markers found — aborting release"
-      - name: Detect platform
+            echo "## Release Blocked: Conflict Markers" >> $GITHUB_STEP_SUMMARY
-        id: platform
+            echo '```' >> $GITHUB_STEP_SUMMARY
-        run: |
+            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
-          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
+            echo '```' >> $GITHUB_STEP_SUMMARY
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
+            exit 1
-          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1 || true)
+          fi
-          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
+          echo "No conflict markers found"
-          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
+
-
+      - name: Setup moko-platform tools
-      - name: "Step 1: Read version"
+        env:
-        id: version
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          VERSION=$(php /tmp/moko-platform-api/cli/version_read.php --path .)
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
-          if [ -z "$VERSION" ]; then
+        run: |
-            echo "::error::No VERSION in README.md"
+          # Ensure PHP + Composer are available
-            echo "skip=true" >> "$GITHUB_OUTPUT"
+          if ! command -v composer &> /dev/null; then
-            exit 0
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
+          fi
-          MAJOR=$(echo "$VERSION" | cut -d. -f1)
+          # Always fetch latest CLI tools — never use stale cache from previous runs
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          rm -rf /tmp/moko-platform-api
-          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
+          git clone --depth 1 --branch main --quiet \
-          echo "skip=false" >> "$GITHUB_OUTPUT"
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-          echo "branch=main" >> "$GITHUB_OUTPUT"
+            /tmp/moko-platform-api
-
+          cd /tmp/moko-platform-api
-      # -- CHECK FOR RC PROMOTION ------------------------------------------------
+          composer install --no-dev --no-interaction --quiet
-      - name: "Check for RC release"
+
-        id: rc
+
-        if: steps.version.outputs.skip != 'true'
+      - name: "Publish stable release"
-        run: |
+        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php /tmp/moko-platform-api/cli/release_publish.php \
-          RC_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            --path . --stability stable --bump minor --branch main \
-            "${API_BASE}/releases/tags/release-candidate" 2>/dev/null || echo "{}")
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-          RC_ID=$(echo "$RC_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
+            --skip-update-stream
-
+
-          if [ -n "$RC_ID" ] && [ "$RC_ID" != "None" ] && [ "$RC_ID" != "" ]; then
+      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-            echo "promote=true" >> "$GITHUB_OUTPUT"
+      - name: "Step 9: Mirror release to GitHub"
-            echo "release_id=${RC_ID}" >> "$GITHUB_OUTPUT"
+        if: >-
-            echo "::notice::RC release found (id: ${RC_ID}) — will promote to stable"
+          steps.version.outputs.skip != 'true' &&
-          else
+          secrets.GH_MIRROR_TOKEN != ''
-            echo "promote=false" >> "$GITHUB_OUTPUT"
+        continue-on-error: true
-            echo "::notice::No RC release — full build pipeline"
+        run: |
-          fi
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-      - name: "Step 1b: Minor bump version"
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-        id: bump
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-        if: >-
+          php /tmp/moko-platform-api/cli/release_mirror.php \
-          steps.version.outputs.skip != 'true' &&
+            --version "$VERSION" --tag "$RELEASE_TAG" \
-          steps.rc.outputs.promote != 'true'
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-        run: |
+            --gh-token "${{ secrets.GH_MIRROR_TOKEN }}" --gh-repo "$GH_REPO" \
-          MOKO_API="/tmp/moko-platform-api/cli"
+            --branch main 2>&1 || true
-          php ${MOKO_API}/version_bump.php --path . --minor 2>&1 || true
+          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
-          VERSION=$(php ${MOKO_API}/version_read.php --path .)
+
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-          echo "Bumped to: ${VERSION}"
+      - name: "Step 10: Push main to GitHub mirror"
-
+        if: >-
-      - name: Check if already released
+          steps.version.outputs.skip != 'true' &&
-        if: steps.version.outputs.skip != 'true'
+          secrets.GH_MIRROR_TOKEN != ''
-        id: check
+        continue-on-error: true
-        run: |
+        run: |
-          TAG="${{ steps.version.outputs.release_tag }}"
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
+          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-
+          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          TAG_EXISTS=false
+          git remote add github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-          BRANCH_EXISTS=false
+            git remote set-url github "https://x-access-token:${{ secrets.GH_MIRROR_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-
+          git fetch origin main --depth=1
-          git rev-parse "$TAG" >/dev/null 2>&1 && TAG_EXISTS=true
+          git push github origin/main:refs/heads/main --force 2>/dev/null \
-          git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q "$BRANCH" && BRANCH_EXISTS=true
+            && echo "main branch pushed to GitHub mirror" \
-
+            || echo "WARNING: GitHub mirror push failed"
-          echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
+
-          echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
+      - name: "Step 11: Delete rc branch and recreate dev from main"
-
+        if: steps.version.outputs.skip != 'true'
-          # Tag and branch may persist across patch releases — never skip
+        continue-on-error: true
-          echo "already_released=false" >> "$GITHUB_OUTPUT"
+        run: |
-
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-      # -- SANITY CHECKS -------------------------------------------------------
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-      - name: "Sanity: Pre-release validation"
+
-        if: >-
+          # Delete rc branch (ephemeral — created by promote-rc)
-          steps.version.outputs.skip != 'true' &&
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-          steps.check.outputs.already_released != 'true'
+            "${API_BASE}/branches/rc" 2>/dev/null \
-        run: |
+            && echo "Deleted rc branch" || echo "rc branch not found"
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+
-          php /tmp/moko-platform-api/cli/release_validate.php \
+          # Delete dev branch
-            --path . --version "$VERSION" --output-summary --github-output || true
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-
+            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-      # -- STEP 2: Create or update version/XX.YY archive branch ---------------
+
-      # Always runs — every version change on main archives to version/XX.YY
+          # Recreate dev from main (now includes version bump + changelog promotion)
-      - name: "Step 2: Version archive branch"
+          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-        if: steps.check.outputs.already_released != 'true'
+            -H "Content-Type: application/json" \
-        run: |
+            "${API_BASE}/branches" \
-          BRANCH="${{ steps.version.outputs.branch }}"
+            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-          IS_MINOR="${{ steps.version.outputs.is_minor }}"
+
-          PATCH="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          echo "Pre-release branches cleaned, dev reset from main" >> $GITHUB_STEP_SUMMARY
-          PATCH_NUM=$(echo "$PATCH" | awk -F. '{print $3}')
+
-
+      - name: "Step 12: Create version branch from main"
-          # Check if branch exists
+        if: steps.version.outputs.skip != 'true'
-          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+        continue-on-error: true
-            git push origin HEAD:"$BRANCH" --force
+        run: |
-            echo "Updated archive branch: ${BRANCH} (patch ${PATCH_NUM})" >> $GITHUB_STEP_SUMMARY
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          else
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-            git checkout -b "$BRANCH" 2>/dev/null || git checkout "$BRANCH"
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-            git push origin "$BRANCH" --force
+          BRANCH_NAME="version/${VERSION}"
-            echo "Created archive branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          MAIN_SHA=$(git rev-parse HEAD)
-          fi
+
-
+          # Delete old version branch if it exists (same version re-release)
-      # -- STEP 3: Set platform version ----------------------------------------
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-      - name: "Step 3: Set platform version"
+
-        if: >-
+          # Create version/XX.YY.ZZ from main
-          steps.version.outputs.skip != 'true' &&
+          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-          steps.check.outputs.already_released != 'true'
+
-        run: |
+          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+
-          php /tmp/moko-platform-api/cli/version_set_platform.php \
+
-            --path . --version "$VERSION" --branch main
+
-
+      # -- Dolibarr post-release: Reset dev version -----------------------------
-      # -- STEP 4: Update version badges ----------------------------------------
+      - name: "Post-release: Reset dev version"
-      - name: "Step 4: Update version badges"
+        if: steps.version.outputs.skip != 'true'
-        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
-        run: |
+        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
+          php /tmp/moko-platform-api/cli/version_reset_dev.php \
-          php /tmp/moko-platform-api/cli/version_check.php --path . --fix 2>/dev/null || true
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
-
+            --branch dev --path . 2>&1 || true
-      # Step 5 (updates.xml) moved after Step 8 to include SHA-256 checksum
+
-
+      # -- Summary --------------------------------------------------------------
-      - name: Commit release changes
+      - name: Pipeline Summary
-        if: >-
+        if: always()
-          steps.version.outputs.skip != 'true' &&
+        run: |
-          steps.check.outputs.already_released != 'true'
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if git diff --quiet && git diff --cached --quiet; then
+          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "No changes to commit"
+            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            exit 0
+            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          fi
+          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          else
-          git config --local user.name "gitea-actions[bot]"
+            echo "" >> $GITHUB_STEP_SUMMARY
-          # Set push URL with token for branch-protected repos
+            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+            echo "" >> $GITHUB_STEP_SUMMARY
-          git add -A
+            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-          git commit -m "chore(release): build ${VERSION} [skip ci]" \
+            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
-          git push -u origin HEAD
+            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-
+            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-      # -- STEP 6: Create tag ---------------------------------------------------
+            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-      - name: "Step 6: Create git tag"
+            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-        if: >-
+          fi
          steps.version.outputs.skip != 'true'
        run: |
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          # Only create the major release tag if it doesn't exist yet
          if ! git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
            git tag "$RELEASE_TAG"
            git push origin "$RELEASE_TAG"
            echo "Tag created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
          else
            echo "Tag ${RELEASE_TAG} already exists" >> $GITHUB_STEP_SUMMARY
          fi
          echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
      # -- STEP 7a: Promote RC to stable (skip build) ----------------------------
      - name: "Step 7a: Promote RC to stable"
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.rc.outputs.promote == 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php /tmp/moko-platform-api/cli/release_promote.php \
            --from release-candidate --to stable \
            --token "${{ secrets.GA_TOKEN }}" \
            --api-base "${API_BASE}" \
            --path . --branch main
          echo "Promoted RC → stable (${VERSION})" >> $GITHUB_STEP_SUMMARY
      # -- STEP 7b: Create or update Gitea Release (full build path) -------------
      - name: "Step 7b: Gitea Release"
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.rc.outputs.promote != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php /tmp/moko-platform-api/cli/release_create.php \
            --path . --version "$VERSION" --tag "$RELEASE_TAG" \
            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch main
          echo "Release created: ${VERSION}" >> $GITHUB_STEP_SUMMARY
      # -- STEP 8: Build packages and upload to release ----------------------------
      - name: "Step 8: Build package and upload"
        id: package
        if: >-
          steps.version.outputs.skip != 'true' &&
          steps.rc.outputs.promote != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php /tmp/moko-platform-api/cli/release_package.php \
            --path . --version "$VERSION" --tag "$RELEASE_TAG" \
            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true
      # -- STEP 5: Write update stream (after build so SHA-256 is available) -----
      - name: "Step 5: Write update stream"
        if: steps.version.outputs.skip != 'true'
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          SHA256="${{ steps.package.outputs.sha256_zip }}"
          # Fetch latest updates.xml from main so preserve logic has all channels
          GA_TOKEN="${{ secrets.GA_TOKEN }}"
          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
          curl -sf -H "Authorization: token ${GA_TOKEN}" \
            "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
            python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
            > updates.xml 2>/dev/null || true
          SHA_FLAG=""
          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
          php /tmp/moko-platform-api/cli/updates_xml_build.php \
            --path . --version "${VERSION}" --stability stable \
            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            ${SHA_FLAG} --github-output
          # Commit updates.xml if changed
          if ! git diff --quiet updates.xml 2>/dev/null; then
            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
            git config --local user.name "gitea-actions[bot]"
            git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
            git add updates.xml
            git commit -m "chore: update stable channel ${VERSION} [skip ci]" \
              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
            git push origin HEAD 2>&1 || true
          fi
      # -- STEP 8b: Update release description with changelog ----------------------
      - name: "Step 8b: Update release body"
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          php /tmp/moko-platform-api/cli/release_body_update.php \
            --path . --version "${VERSION}" --tag "${RELEASE_TAG}" \
            --token "${{ secrets.GA_TOKEN }}" \
            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            2>&1 || true
          echo "Release body updated" >> $GITHUB_STEP_SUMMARY
      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
      - name: "Step 9: Mirror release to GitHub"
        if: >-
          steps.version.outputs.skip != 'true' &&
          secrets.GH_TOKEN != ''
        continue-on-error: true
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php /tmp/moko-platform-api/cli/release_mirror.php \
            --version "$VERSION" --tag "$RELEASE_TAG" \
            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
            --gh-token "${{ secrets.GH_TOKEN }}" --gh-repo "$GH_REPO" \
            --branch main 2>&1 || true
          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
      - name: "Step 10: Push main to GitHub mirror"
        if: >-
          steps.version.outputs.skip != 'true' &&
          secrets.GH_TOKEN != ''
        continue-on-error: true
        run: |
          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
          git fetch origin main --depth=1
          git push github origin/main:refs/heads/main --force 2>/dev/null \
            && echo "main branch pushed to GitHub mirror" \
            || echo "WARNING: GitHub mirror push failed"
      # -- Clean up lesser pre-releases (cascade) ---------------------------------
      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
      - name: "Delete lesser pre-release channels"
        continue-on-error: true
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php /tmp/moko-platform-api/cli/release_cascade.php \
            --stability stable \
            --version "${VERSION}" \
            --token "${{ secrets.GA_TOKEN }}" \
            --api-base "${API_BASE}" 2>/dev/null || true
      - name: "Step 11: Delete and recreate dev branch from main"
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          TOKEN="${{ secrets.GA_TOKEN }}"
          # Delete dev branch
          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
          # Recreate dev from main (now includes version bump + changelog promotion)
          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
            -H "Content-Type: application/json" \
            "${API_BASE}/branches" \
            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
      # -- Dolibarr post-release: Reset dev version -----------------------------
      - name: "Post-release: Reset dev version"
        if: steps.version.outputs.skip != 'true'
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php /tmp/moko-platform-api/cli/version_reset_dev.php \
            --token "${{ secrets.GA_TOKEN }}" --api-base "${API_BASE}" \
            --branch dev --path . 2>&1 || true
      # -- Summary --------------------------------------------------------------
      - name: Pipeline Summary
        if: always()
        run: |
          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
          PLATFORM="${{ steps.platform.outputs.platform }}"
          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
          else
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
          fi
@@ -0,0 +1,48 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: MokoStandards.Universal
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.mokogitea/workflows/branch-cleanup.yml
 # VERSION: 01.00.00
 # BRIEF: Delete feature branches after PR merge
 name: "Branch Cleanup"
 on:
  pull_request:
    types: [closed]
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 jobs:
  cleanup:
    name: Delete merged branch
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request.merged == true &&
      github.event.pull_request.head.ref != 'dev' &&
      github.event.pull_request.head.ref != 'main'
    steps:
      - name: Delete source branch
        run: |
          BRANCH="${{ github.event.pull_request.head.ref }}"
          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API}/${ENCODED}" 2>/dev/null || true)
          if [ "$STATUS" = "204" ]; then
            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
          elif [ "$STATUS" = "404" ]; then
            echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
          else
            echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
          fi
@@ -1,213 +1,10 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# DISABLED — auto-release Step 11 recreates dev from main after every release.
-#
+# Cascade-dev is redundant and causes version conflicts when both main and dev
-# SPDX-License-Identifier: GPL-3.0-or-later
+# have different version numbers in templateDetails.xml / manifest.xml.
-#
+name: "Cascade Main → Dev (DISABLED)"
-# FILE INFORMATION
+on: workflow_dispatch
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Maintenance
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/cascade-dev.yml.template
 # VERSION: 02.00.00
 # BRIEF: Forward-merge main -> all open branches after every push to main
 #
 # +========================================================================+
 # |                CASCADE MAIN -> ALL BRANCHES                             |
 # +========================================================================+
 # |                                                                        |
 # |  Triggers on every push to main (PR merges, bot commits, etc.)         |
 # |                                                                        |
 # |  1. List all branches matching: dev, rc/*, beta/*, alpha/*             |
 # |  2. For each: create PR (main -> branch), auto-merge if clean           |
 # |  3. On conflict: leave PR open for manual resolution                   |
 # |                                                                        |
 # +========================================================================+
 name: "Universal: Cascade Main -> Dev"
 on:
  push:
    branches:
      - main
  workflow_dispatch:
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
 permissions:
  contents: write
  pull-requests: write
 jobs:
-  cascade:
+  noop:
    name: Cascade main -> branches
    runs-on: ubuntu-latest
    if: >-
      !contains(github.event.head_commit.message, '[skip ci]') &&
      !contains(github.event.head_commit.message, '[skip cascade]')
    steps:
-      - name: Discover target branches
+      - run: echo "Cascade disabled — auto-release handles dev recreation"
        id: branches
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Fetch all branches (paginated)
          PAGE=1
          ALL_BRANCHES=""
          while true; do
            BATCH=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/branches?page=${PAGE}&limit=50" \
              | jq -r '.[].name // empty')
            [ -z "$BATCH" ] && break
            ALL_BRANCHES="$ALL_BRANCHES $BATCH"
            PAGE=$((PAGE + 1))
          done
          # Filter to cascade targets: dev, dev/*, rc/*, beta/*, alpha/*
          TARGETS=""
          for BRANCH in $ALL_BRANCHES; do
            case "$BRANCH" in
              dev|dev/*|rc/*|beta/*|alpha/*)
                TARGETS="$TARGETS $BRANCH"
                ;;
            esac
          done
          TARGETS=$(echo "$TARGETS" | xargs)  # trim whitespace
          if [ -z "$TARGETS" ]; then
            echo "targets=" >> "$GITHUB_OUTPUT"
            echo "  No cascade target branches found"
          else
            echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
            COUNT=$(echo "$TARGETS" | wc -w)
            echo " Found ${COUNT} target branch(es): ${TARGETS}"
          fi
      - name: Cascade to all target branches
        if: steps.branches.outputs.targets != ''
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN }}
        run: |
          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          SHORT_SHA="${GITHUB_SHA:0:7}"
          TARGETS="${{ steps.branches.outputs.targets }}"
          SUCCESS=0
          CONFLICTS=0
          SKIPPED=0
          FAILED=0
          for BRANCH in $TARGETS; do
            echo ""
            echo " main -> ${BRANCH} "
            # Check if branch is already up to date
            ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
            RESPONSE=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/compare/${ENCODED_BRANCH}...main")
            AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
            if [ "$AHEAD" -eq 0 ]; then
              echo "   Already up to date"
              SKIPPED=$((SKIPPED + 1))
              continue
            fi
            echo "    main is ${AHEAD} commit(s) ahead"
            # Check for existing cascade PR
            EXISTING=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
            EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
            PR_NUMBER=""
            if [ "$EXISTING_COUNT" -gt 0 ]; then
              PR_NUMBER=$(echo "$EXISTING" | jq -r '.[0].number')
              echo "    Reusing existing PR #${PR_NUMBER}"
            else
              # Create cascade PR
              PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
                -X POST \
                -H "Authorization: token ${GA_TOKEN}" \
                -H "Content-Type: application/json" \
                -d "{
                  \"title\": \"chore: cascade main -> ${BRANCH} (${SHORT_SHA}) [skip ci]\",
                  \"body\": \"## Automatic cascade\\n\\nForward-merging \`main\` (${SHORT_SHA}) into \`${BRANCH}\`.\\n\\nIf conflicts exist, resolve manually and merge.\\n\\n> Auto-created by **Cascade Main -> Dev**.\",
                  \"head\": \"main\",
                  \"base\": \"${BRANCH}\"
                }" \
                "${API}/pulls")
              HTTP_CODE=$(echo "$PR_RESPONSE" | tail -1)
              BODY=$(echo "$PR_RESPONSE" | sed '$d')
              PR_NUMBER=$(echo "$BODY" | jq -r '.number // empty')
              if [ "$HTTP_CODE" != "201" ] || [ -z "$PR_NUMBER" ]; then
                MSG=$(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)
                echo "   Failed to create PR (HTTP ${HTTP_CODE}): ${MSG}"
                FAILED=$((FAILED + 1))
                continue
              fi
              echo "   Created PR #${PR_NUMBER}"
            fi
            # Try auto-merge
            PR_DATA=$(curl -sS \
              -H "Authorization: token ${GA_TOKEN}" \
              "${API}/pulls/${PR_NUMBER}")
            MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
            if [ "$MERGEABLE" != "true" ]; then
              echo "    Conflicts -- PR #${PR_NUMBER} left open"
              CONFLICTS=$((CONFLICTS + 1))
              continue
            fi
            MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
              -X POST \
              -H "Authorization: token ${GA_TOKEN}" \
              -H "Content-Type: application/json" \
              -d "{
                \"Do\": \"merge\",
                \"merge_message_field\": \"chore: cascade main -> ${BRANCH} [skip ci]\",
                \"delete_branch_after_merge\": false
              }" \
              "${API}/pulls/${PR_NUMBER}/merge")
            MERGE_HTTP=$(echo "$MERGE_RESPONSE" | tail -1)
            if [ "$MERGE_HTTP" = "200" ] || [ "$MERGE_HTTP" = "204" ]; then
              echo "   Merged -- ${BRANCH} is in sync"
              SUCCESS=$((SUCCESS + 1))
            else
              MERGE_BODY=$(echo "$MERGE_RESPONSE" | sed '$d')
              echo "    Merge failed (HTTP ${MERGE_HTTP}) -- PR #${PR_NUMBER} left open"
              CONFLICTS=$((CONFLICTS + 1))
            fi
          done
          # Summary
          echo ""
          echo ""
          echo "   Merged:    ${SUCCESS}"
          echo "    Conflicts: ${CONFLICTS}"
          echo "    Up to date: ${SKIPPED}"
          echo "   Failed:    ${FAILED}"
          echo ""
          if [ "$FAILED" -gt 0 ]; then
            exit 1
          fi
@@ -0,0 +1,508 @@
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.CI
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/universal/pr-check.yml.template
 # VERSION: 09.23.00
 # BRIEF: PR gate — branch policy + code validation before merge
 name: "Universal: PR Check"
 on:
  pull_request:
    types: [opened, synchronize, reopened, edited]
 permissions:
  contents: read
  pull-requests: write
 env:
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 jobs:
  # ── Branch Policy ──────────────────────────────────────────────────────
  branch-policy:
    name: Branch Policy
    runs-on: ubuntu-latest
    steps:
      - name: Check branch merge target
        run: |
          HEAD="${{ github.head_ref }}"
          BASE="${{ github.base_ref }}"
          echo "PR: ${HEAD} → ${BASE}"
          ALLOWED=true
          REASON=""
          case "$HEAD" in
            feature/*|feat/*)
              if [ "$BASE" != "dev" ]; then
                ALLOWED=false
                REASON="Feature branches must target 'dev', not '${BASE}'"
              fi
              ;;
            fix/*|bugfix/*)
              if [ "$BASE" != "dev" ]; then
                ALLOWED=false
                REASON="Fix branches must target 'dev', not '${BASE}'"
              fi
              ;;
            patch/*)
              if [ "$BASE" != "dev" ] && [ "$BASE" != "rc" ]; then
                ALLOWED=false
                REASON="Patch branches must target 'dev' or 'rc', not '${BASE}'"
              fi
              ;;
            hotfix/*)
              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
                ALLOWED=false
                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
              fi
              ;;
            rc)
              if [ "$BASE" != "main" ]; then
                ALLOWED=false
                REASON="RC branch can only merge into 'main', not '${BASE}'"
              fi
              ;;
            dev)
              if [ "$BASE" != "main" ]; then
                ALLOWED=false
                REASON="Dev branch can only merge into 'main', not '${BASE}'"
              fi
              ;;
          esac
          if [ "$ALLOWED" = false ]; then
            echo "::error::${REASON}"
            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "Branch policy: OK (${HEAD} → ${BASE})"
          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
  # ── Code Validation ────────────────────────────────────────────────────
  validate:
    name: Validate PR
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Check for merge conflict markers
        run: |
          CONFLICTS=$(grep -rn '<<<<<<< \|>>>>>>> \|^=======$' --include='*.php' --include='*.xml' --include='*.css' --include='*.js' --include='*.json' --include='*.md' --include='*.yml' --include='*.yaml' --include='*.ini' --include='*.txt' . 2>/dev/null | grep -v '.git/' || true)
          if [ -n "$CONFLICTS" ]; then
            echo "::error::Merge conflict markers found in source files"
            echo "## Conflict Markers Found" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            echo "$CONFLICTS" >> $GITHUB_STEP_SUMMARY
            echo '```' >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "No conflict markers found"
      - name: Detect platform
        id: platform
        run: |
          # Read platform from XML manifest (<platform> tag) or plain text fallback
          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
          [ -z "$PLATFORM" ] && PLATFORM="generic"
          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
      - name: Setup PHP
        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
        run: |
          if ! command -v php &> /dev/null; then
            sudo apt-get update -qq
            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
          fi
      - name: PHP syntax check
        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
        run: |
          ERRORS=0
          while IFS= read -r -d '' file; do
            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
          echo "PHP lint: ${ERRORS} error(s)"
          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
      - name: Joomla JEXEC guard check
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          ERRORS=0
          while IFS= read -r -d '' file; do
            # Skip vendor, node_modules, and index.html stub files
            case "$file" in ./vendor/*|./node_modules/*) continue ;; esac
            # Check first 10 lines for JEXEC or JPATH guard
            if ! head -20 "$file" | grep -qE "defined\s*\(\s*['\"](_JEXEC|JPATH_BASE|\\\\JPATH_PLATFORM)['\"]"; then
              echo "::error file=${file}::Missing JEXEC guard: ${file}"
              ERRORS=$((ERRORS + 1))
            fi
          done < <(find . -name "*.php" -path "*/src/*" -not -path "./.git/*" -not -path "./vendor/*" -print0)
          if [ "$ERRORS" -gt 0 ]; then
            echo "::error::${ERRORS} PHP file(s) missing defined('_JEXEC') or die guard"
            echo "## JEXEC Guard Check: Failed" >> $GITHUB_STEP_SUMMARY
            echo "${ERRORS} file(s) in src/ are missing the Joomla execution guard." >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "JEXEC guard: OK"
      - name: Joomla directory listing protection
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          MISSING=0
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && exit 0
          while IFS= read -r dir; do
            if [ ! -f "${dir}/index.html" ]; then
              echo "::warning::Missing index.html in ${dir} (directory listing protection)"
              MISSING=$((MISSING + 1))
            fi
          done < <(find "$SOURCE_DIR" -type d -not -path "./.git/*" -not -path "*/vendor/*" -not -path "*/node_modules/*")
          if [ "$MISSING" -gt 0 ]; then
            echo "## Directory Protection" >> $GITHUB_STEP_SUMMARY
            echo "${MISSING} director(ies) missing index.html" >> $GITHUB_STEP_SUMMARY
          fi
          echo "Directory protection: ${MISSING} missing (advisory)"
      - name: Joomla script file and asset checks
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          ERRORS=0
          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
          [ -z "$MANIFEST" ] && exit 0
          MANIFEST_DIR=$(dirname "$MANIFEST")
          # Check scriptfile exists if declared
          SCRIPTFILE=$(sed -n 's/.*<scriptfile>\([^<]*\)<\/scriptfile>.*/\1/p' "$MANIFEST" 2>/dev/null)
          if [ -n "$SCRIPTFILE" ]; then
            if [ ! -f "${MANIFEST_DIR}/${SCRIPTFILE}" ]; then
              echo "::error::Manifest declares <scriptfile>${SCRIPTFILE}</scriptfile> but file not found at ${MANIFEST_DIR}/${SCRIPTFILE}"
              ERRORS=$((ERRORS + 1))
            else
              echo "Script file: ${MANIFEST_DIR}/${SCRIPTFILE} (OK)"
            fi
          fi
          # Require joomla.asset.json and validate it
          ASSET_JSON=$(find "$MANIFEST_DIR" -name "joomla.asset.json" -not -path "./.git/*" 2>/dev/null | head -1)
          if [ -z "$ASSET_JSON" ]; then
            echo "::error::joomla.asset.json not found — Joomla asset system is required"
            ERRORS=$((ERRORS + 1))
          else
            if command -v php &> /dev/null; then
              php -r "json_decode(file_get_contents('$ASSET_JSON')); if(json_last_error()!==JSON_ERROR_NONE){echo json_last_error_msg();exit(1);}" 2>&1 || {
                echo "::error::joomla.asset.json is not valid JSON"
                ERRORS=$((ERRORS + 1))
              }
            fi
            echo "joomla.asset.json: valid"
          fi
          # Validate all XML files in src/ are well-formed
          XML_ERRORS=0
          if command -v php &> /dev/null; then
            while IFS= read -r -d '' xmlfile; do
              if ! php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$xmlfile'); if(!\$x){foreach(libxml_get_errors() as \$e) echo trim(\$e->message) . ' in $xmlfile'; exit(1);}" 2>&1; then
                XML_ERRORS=$((XML_ERRORS + 1))
              fi
            done < <(find "$MANIFEST_DIR" -name "*.xml" -not -path "./.git/*" -print0)
          fi
          if [ "$XML_ERRORS" -gt 0 ]; then
            echo "::error::${XML_ERRORS} XML file(s) are malformed"
            ERRORS=$((ERRORS + 1))
          else
            echo "XML well-formedness: OK"
          fi
          [ "$ERRORS" -gt 0 ] && exit 1
          echo "Joomla asset checks: OK"
      - name: Validate platform manifest
        run: |
          PLATFORM="${{ steps.platform.outputs.platform }}"
          case "$PLATFORM" in
            joomla)
              MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
              if [ -z "$MANIFEST" ]; then
                echo "::warning::No Joomla manifest found (WaaS site)"
                exit 0
              fi
              echo "Manifest: ${MANIFEST}"
              if command -v php &> /dev/null; then
                php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
              fi
              for ELEMENT in name version description; do
                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
              done
              # Block legacy raw/branch update server URLs on MokoGitea
              RAW_URLS=$(grep -n 'raw/branch' "$MANIFEST" | grep -i 'mokoconsulting\|mokogitea\|git\.mokoconsulting\.tech' || true)
              if [ -n "$RAW_URLS" ]; then
                echo "::error::Manifest contains legacy raw/branch update server URL on MokoGitea. Use the Gitea Pages URL instead (e.g. /{REPO}/updates.xml not /{REPO}/raw/branch/main/updates.xml)"
                echo "$RAW_URLS"
                exit 1
              fi
              echo "Joomla manifest valid"
              ;;
            dolibarr)
              MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
              if [ -z "$MOD_FILE" ]; then
                echo "::error::No mod*.class.php found"
                exit 1
              fi
              echo "Dolibarr module: ${MOD_FILE}"
              ;;
            *)
              echo "Generic platform — no manifest validation"
              ;;
          esac
      - name: Check update stream format
        run: |
          PLATFORM="${{ steps.platform.outputs.platform }}"
          case "$PLATFORM" in
            joomla)
              if [ -f "updates.xml" ]; then
                if command -v php &> /dev/null; then
                  php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
                fi
                echo "updates.xml valid"
              fi
              ;;
            dolibarr)
              [ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
              ;;
          esac
      - name: Validate Joomla language files
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          ERRORS=0
          WARNINGS=0
          # Require both en-GB and en-US language directories
          LANG_ROOT=$(find . -path "*/language" -type d -not -path "./.git/*" 2>/dev/null | head -1)
          if [ -z "$LANG_ROOT" ]; then
            echo "No language/ directory found — skipping"
            exit 0
          fi
          if [ ! -d "$LANG_ROOT/en-GB" ]; then
            echo "::error::Missing en-GB language directory (${LANG_ROOT}/en-GB)"
            ERRORS=$((ERRORS + 1))
          fi
          if [ ! -d "$LANG_ROOT/en-US" ]; then
            echo "::error::Missing en-US language directory (${LANG_ROOT}/en-US)"
            ERRORS=$((ERRORS + 1))
          fi
          # Check that en-GB and en-US have matching .ini files
          if [ -d "$LANG_ROOT/en-GB" ] && [ -d "$LANG_ROOT/en-US" ]; then
            for GB_INI in "$LANG_ROOT/en-GB"/*.ini; do
              [ ! -f "$GB_INI" ] && continue
              US_INI="$LANG_ROOT/en-US/$(basename "$GB_INI")"
              if [ ! -f "$US_INI" ]; then
                echo "::error::$(basename "$GB_INI") exists in en-GB but missing from en-US"
                ERRORS=$((ERRORS + 1))
              fi
            done
            for US_INI in "$LANG_ROOT/en-US"/*.ini; do
              [ ! -f "$US_INI" ] && continue
              GB_INI="$LANG_ROOT/en-GB/$(basename "$US_INI")"
              if [ ! -f "$GB_INI" ]; then
                echo "::error::$(basename "$US_INI") exists in en-US but missing from en-GB"
                ERRORS=$((ERRORS + 1))
              fi
            done
          fi
          # Find all .ini language files
          INI_FILES=$(find . -path "*/language/*/*.ini" -not -path "./.git/*" 2>/dev/null)
          if [ -z "$INI_FILES" ]; then
            echo "No .ini language files found"
            [ "$ERRORS" -gt 0 ] && exit 1
            exit 0
          fi
          echo "Found $(echo "$INI_FILES" | wc -l) language file(s)"
          for FILE in $INI_FILES; do
            FNAME=$(basename "$FILE")
            LINENUM=0
            SEEN_KEYS=""
            while IFS= read -r line || [ -n "$line" ]; do
              LINENUM=$((LINENUM + 1))
              # Skip empty lines and comments
              [ -z "$line" ] && continue
              echo "$line" | grep -qE '^\s*;' && continue
              echo "$line" | grep -qE '^\s*$' && continue
              # Must match KEY="VALUE" format
              if ! echo "$line" | grep -qE '^[A-Z_][A-Z0-9_]*=".*"$'; then
                echo "::error file=${FILE},line=${LINENUM}::Malformed line: ${line}"
                ERRORS=$((ERRORS + 1))
                continue
              fi
              # Extract key and check for duplicates
              KEY=$(echo "$line" | sed 's/=.*//')
              if echo "$SEEN_KEYS" | grep -qx "$KEY"; then
                echo "::error file=${FILE},line=${LINENUM}::Duplicate key: ${KEY}"
                ERRORS=$((ERRORS + 1))
              fi
              SEEN_KEYS="${SEEN_KEYS}
          ${KEY}"
            done < "$FILE"
            echo "  ${FILE}: checked ${LINENUM} lines"
          done
          # Cross-check en-GB vs en-US key consistency
          GB_DIR=$(find . -path "*/language/en-GB" -type d -not -path "./.git/*" 2>/dev/null | head -1)
          US_DIR=$(find . -path "*/language/en-US" -type d -not -path "./.git/*" 2>/dev/null | head -1)
          if [ -n "$GB_DIR" ] && [ -n "$US_DIR" ]; then
            for GB_FILE in "$GB_DIR"/*.ini; do
              [ ! -f "$GB_FILE" ] && continue
              FNAME=$(basename "$GB_FILE")
              US_FILE="$US_DIR/$FNAME"
              [ ! -f "$US_FILE" ] && continue
              GB_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$GB_FILE" 2>/dev/null | sort)
              US_KEYS=$(grep -oP '^[A-Z_][A-Z0-9_]*(?==)' "$US_FILE" 2>/dev/null | sort)
              # Keys in en-GB but not en-US
              MISSING_US=$(comm -23 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
              if [ -n "$MISSING_US" ]; then
                echo "::warning::Keys in en-GB/$FNAME but missing from en-US/$FNAME:"
                echo "$MISSING_US" | while read -r k; do echo "  - $k"; done
                WARNINGS=$((WARNINGS + 1))
              fi
              # Keys in en-US but not en-GB
              MISSING_GB=$(comm -13 <(echo "$GB_KEYS") <(echo "$US_KEYS"))
              if [ -n "$MISSING_GB" ]; then
                echo "::warning::Keys in en-US/$FNAME but missing from en-GB/$FNAME:"
                echo "$MISSING_GB" | while read -r k; do echo "  - $k"; done
                WARNINGS=$((WARNINGS + 1))
              fi
            done
          fi
          {
            echo "### Language File Validation"
            echo "| Metric | Count |"
            echo "|---|---|"
            echo "| Files checked | $(echo "$INI_FILES" | wc -l) |"
            echo "| Errors | ${ERRORS} |"
            echo "| Warnings | ${WARNINGS} |"
          } >> $GITHUB_STEP_SUMMARY
          if [ "$ERRORS" -gt 0 ]; then
            echo "::error::Language validation failed with ${ERRORS} error(s)"
            exit 1
          fi
          echo "Language files: OK (${WARNINGS} warning(s))"
      - name: Check changelog has unreleased entry
        run: |
          if [ ! -f "CHANGELOG.md" ]; then
            echo "::warning::No CHANGELOG.md found"
            exit 0
          fi
          # Check for content under [Unreleased] section
          if ! grep -q "## \[Unreleased\]" CHANGELOG.md; then
            echo "::error::CHANGELOG.md missing [Unreleased] section"
            exit 1
          fi
          # Check there's at least one entry (Added/Changed/Fixed/Removed) under Unreleased
          UNRELEASED_CONTENT=$(sed -n '/## \[Unreleased\]/,/## \[/p' CHANGELOG.md | grep -cE '^\s*-\s' || true)
          if [ "$UNRELEASED_CONTENT" -eq 0 ]; then
            echo "::error::CHANGELOG.md [Unreleased] section has no entries. Add a changelog entry describing your changes."
            echo "## Changelog Check: Failed" >> $GITHUB_STEP_SUMMARY
            echo "The \`[Unreleased]\` section in CHANGELOG.md has no entries." >> $GITHUB_STEP_SUMMARY
            echo "Add a line like \`- Description of your change\` under a heading (\`### Added\`, \`### Changed\`, \`### Fixed\`, etc.)" >> $GITHUB_STEP_SUMMARY
            exit 1
          fi
          echo "Changelog: ${UNRELEASED_CONTENT} entry/entries in [Unreleased]"
      - name: Verify package source
        run: |
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
          if [ ! -d "$SOURCE_DIR" ]; then
            echo "::warning::No src/ or htdocs/ directory"
            exit 0
          fi
          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
          echo "Source: ${FILE_COUNT} files"
          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
  # ── Pre-Release RC Build ─────────────────────────────────────────────────
  pre-release:
    name: Build RC Package
    runs-on: ubuntu-latest
    needs: [branch-policy, validate]
    steps:
      - name: Trigger RC pre-release
        env:
          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.head_ref }}
          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
        run: |
          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
  # ── Issue Reporter ──────────────────────────────────────────────────────
  report-issues:
    name: Report Issues
    runs-on: ubuntu-latest
    needs: [branch-policy, validate]
    if: >-
      always() &&
      needs.validate.result == 'failure'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          sparse-checkout: automation/ci-issue-reporter.sh
          sparse-checkout-cone-mode: false
      - name: "File issue for PR validation failure"
        env:
          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
        run: |
          chmod +x automation/ci-issue-reporter.sh
          ./automation/ci-issue-reporter.sh \
            --gate "PR Validation" \
            --workflow "PR Check" \
            --severity error \
            --details "PR validation failed (syntax, manifest, changelog, or source checks). See the CI run for the specific check that failed."
@@ -50,16 +50,18 @@ jobs:
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
      - name: Setup moko-platform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
        run: |
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
          # Always fetch latest CLI tools — never use stale cache from previous runs
          rm -rf /tmp/moko-platform-api
          git clone --depth 1 --branch main --quiet \
            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
            /tmp/moko-platform-api
@@ -87,16 +89,24 @@ jobs:
          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
          [ -z "$VERSION" ] && VERSION="00.00.01"
          # Strip any existing suffix from version before applying stability
          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "${{ github.ref_name }}" 2>/dev/null || true
+            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
          # Verify version consistency across all files
          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
          # Update VERSION variable with suffix
          if [ -n "$SUFFIX" ]; then
            VERSION="${VERSION}${SUFFIX}"
          fi
          # Commit version bump
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          git add -A
          git diff --cached --quiet || {
            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
@@ -112,7 +122,7 @@ jobs:
          EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
          ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
+          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
@@ -131,7 +141,7 @@ jobs:
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/release_create.php \
            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch dev --prerelease
      - name: Build package and upload
@@ -142,7 +152,7 @@ jobs:
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          php ${MOKO_CLI}/release_package.php \
            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true
      - name: Update updates.xml
@@ -199,7 +209,7 @@ jobs:
        continue-on-error: true
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
          php ${MOKO_CLI}/release_cascade.php \
            --stability "${{ steps.meta.outputs.stability }}" \
@@ -0,0 +1,711 @@
 # ============================================================================
 # Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
 #
 # This file is part of a Moko Consulting project.
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
 # INGROUP: moko-platform.Validation
 # REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/joomla/repo_health.yml.template
 # VERSION: 09.23.00
 # BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
 # ============================================================================
 name: "Generic: Repo Health"
 defaults:
  run:
    shell: bash
 on:
  workflow_dispatch:
    inputs:
      profile:
        description: 'Validation profile: all, scripts, or repo'
        required: true
        default: all
        type: choice
        options:
          - all
          - scripts
          - repo
  pull_request:
  push:
 permissions:
  contents: read
 env:
  # Scripts governance policy
  SCRIPTS_REQUIRED_DIRS:
  SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
  # Repo health policy
  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.mokogitea/workflows/
  REPO_OPTIONAL_FILES: SECURITY.md,GOVERNANCE.md,.editorconfig,.gitattributes,.gitignore,README.md,docs/
  REPO_DISALLOWED_DIRS:
  REPO_DISALLOWED_FILES: TODO.md,todo.md
  # Extended checks toggles
  EXTENDED_CHECKS: "true"
  # File / directory variables
  DOCS_INDEX: docs/docs-index.md
  SCRIPT_DIR: scripts
  WORKFLOWS_DIR: .mokogitea/workflows
  SHELLCHECK_PATTERN: '*.sh'
  SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 jobs:
  access_check:
    name: Access control
    runs-on: ubuntu-latest
    timeout-minutes: 10
    permissions:
      contents: read
    outputs:
      allowed: ${{ steps.perm.outputs.allowed }}
      permission: ${{ steps.perm.outputs.permission }}
    steps:
      - name: Check actor permission (admin only)
        id: perm
        env:
          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
          REPO: ${{ github.repository }}
          ACTOR: ${{ github.actor }}
        run: |
          set -euo pipefail
          ALLOWED=false
          PERMISSION=unknown
          METHOD=""
          # Hardcoded authorized users — always allowed
          case "$ACTOR" in
            jmiller|gitea-actions[bot])
              ALLOWED=true
              PERMISSION=admin
              METHOD="hardcoded allowlist"
              ;;
            *)
              # Detect platform and check permissions via API
              API_BASE="${GITHUB_API_URL:-${GITEA_API_URL:-https://api.github.com}}"
              RESP=$(curl -sf -H "Authorization: token ${TOKEN}" \
                "${API_BASE}/repos/${REPO}/collaborators/${ACTOR}/permission" 2>/dev/null || echo '{}')
              PERMISSION=$(echo "$RESP" | grep -oP '"permission"\s*:\s*"\K[^"]+' || echo "unknown")
              if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "maintain" ] || [ "$PERMISSION" = "owner" ]; then
                ALLOWED=true
              fi
              METHOD="collaborator API"
              ;;
          esac
          echo "permission=${PERMISSION}" >> "$GITHUB_OUTPUT"
          echo "allowed=${ALLOWED}" >> "$GITHUB_OUTPUT"
          {
            echo "## Access Authorization"
            echo ""
            echo "| Field | Value |"
            echo "|-------|-------|"
            echo "| **Actor** | \`${ACTOR}\` |"
            echo "| **Repository** | \`${REPO}\` |"
            echo "| **Permission** | \`${PERMISSION}\` |"
            echo "| **Method** | ${METHOD} |"
            echo "| **Authorized** | ${ALLOWED} |"
            echo ""
            if [ "$ALLOWED" = "true" ]; then
              echo "${ACTOR} authorized (${METHOD})"
            else
              echo "${ACTOR} is NOT authorized. Requires admin or maintain role."
            fi
          } >> "${GITHUB_STEP_SUMMARY}"
      - name: Deny execution when not permitted
        if: ${{ steps.perm.outputs.allowed != 'true' }}
        run: |
          set -euo pipefail
          printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
          exit 1
  scripts_governance:
    name: Scripts governance
    needs: access_check
    if: ${{ needs.access_check.outputs.allowed == 'true' }}
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - name: Scripts folder checks
        env:
          PROFILE_RAW: ${{ github.event.inputs.profile }}
        run: |
          set -euo pipefail
          profile="${PROFILE_RAW:-all}"
          case "${profile}" in
            all|scripts|repo) ;;
            *)
              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
              exit 1
              ;;
          esac
          if [ "${profile}" = 'repo' ]; then
            {
              printf '%s\n' '### Scripts governance'
              printf '%s\n' "Profile: ${profile}"
              printf '%s\n' 'Status: SKIPPED'
              printf '%s\n' 'Reason: profile excludes scripts governance'
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
            exit 0
          fi
          if [ ! -d "${SCRIPT_DIR}" ]; then
            {
              printf '%s\n' '### Scripts governance'
              printf '%s\n' 'Status: OK (advisory)'
              printf '%s\n' 'scripts/ directory not present. No scripts governance enforced.'
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
            exit 0
          fi
          if [ -n "${SCRIPTS_REQUIRED_DIRS:-}" ]; then IFS=',' read -r -a required_dirs <<< "${SCRIPTS_REQUIRED_DIRS}"; else required_dirs=(); fi
          IFS=',' read -r -a allowed_dirs <<< "${SCRIPTS_ALLOWED_DIRS}"
          missing_dirs=()
          unapproved_dirs=()
          for d in "${required_dirs[@]}"; do
            req="${d%/}"
            [ ! -d "${req}" ] && missing_dirs+=("${req}/")
          done
          while IFS= read -r d; do
            allowed=false
            for a in "${allowed_dirs[@]}"; do
              a_norm="${a%/}"
              [ "${d%/}" = "${a_norm}" ] && allowed=true
            done
            [ "${allowed}" = false ] && unapproved_dirs+=("${d%/}/")
          done < <(find "${SCRIPT_DIR}" -maxdepth 1 -mindepth 1 -type d 2>/dev/null | sed 's#^\./##')
          {
            printf '%s\n' '### Scripts governance'
            printf '%s\n' "Profile: ${profile}"
            printf '%s\n' '| Area | Status | Notes |'
            printf '%s\n' '|---|---|---|'
            if [ "${#missing_dirs[@]}" -gt 0 ]; then
              printf '%s\n' '| Required directories | Warning | Missing required subfolders |'
            else
              printf '%s\n' '| Required directories | OK | All required subfolders present |'
            fi
            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
              printf '%s\n' '| Directory policy | Warning | Unapproved directories detected |'
            else
              printf '%s\n' '| Directory policy | OK | No unapproved directories |'
            fi
            printf '%s\n' '| Enforcement mode | Advisory | scripts folder is optional |'
            printf '\n'
            if [ "${#missing_dirs[@]}" -gt 0 ]; then
              printf '%s\n' 'Missing required script directories:'
              for m in "${missing_dirs[@]}"; do printf '%s\n' "- ${m}"; done
              printf '\n'
            else
              printf '%s\n' 'Missing required script directories: none.'
              printf '\n'
            fi
            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
              printf '%s\n' 'Unapproved script directories detected:'
              for m in "${unapproved_dirs[@]}"; do printf '%s\n' "- ${m}"; done
              printf '\n'
            else
              printf '%s\n' 'Unapproved script directories detected: none.'
              printf '\n'
            fi
            printf '%s\n' 'Scripts governance completed in advisory mode.'
            printf '\n'
          } >> "${GITHUB_STEP_SUMMARY}"
  repo_health:
    name: Repository health
    needs: access_check
    if: ${{ needs.access_check.outputs.allowed == 'true' }}
    runs-on: ubuntu-latest
    timeout-minutes: 20
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
      - name: Repository health checks
        env:
          PROFILE_RAW: ${{ github.event.inputs.profile }}
        run: |
          set -euo pipefail
          profile="${PROFILE_RAW:-all}"
          case "${profile}" in
            all|scripts|repo) ;;
            *)
              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
              exit 1
              ;;
          esac
          if [ "${profile}" = 'scripts' ]; then
            {
              printf '%s\n' '### Repository health'
              printf '%s\n' "Profile: ${profile}"
              printf '%s\n' 'Status: SKIPPED'
              printf '%s\n' 'Reason: profile excludes repository health'
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
            exit 0
          fi
          IFS=',' read -r -a required_artifacts <<< "${REPO_REQUIRED_ARTIFACTS}"
          IFS=',' read -r -a optional_files <<< "${REPO_OPTIONAL_FILES}"
          if [ -n "${REPO_DISALLOWED_DIRS:-}" ]; then IFS=',' read -r -a disallowed_dirs <<< "${REPO_DISALLOWED_DIRS}"; else disallowed_dirs=(); fi
          IFS=',' read -r -a disallowed_files <<< "${REPO_DISALLOWED_FILES:-}"
          missing_required=()
          missing_optional=()
          # Source directory: src/ or htdocs/ (either is valid for extension repos)
          SOURCE_DIR=""
          if [ -d "src" ]; then
            SOURCE_DIR="src"
          elif [ -d "htdocs" ]; then
            SOURCE_DIR="htdocs"
          elif [ -d "deploy" ] || [ -d "cli" ] || [ -d "monitoring" ]; then
            # Platform/tooling repos don't need src/
            SOURCE_DIR=""
          else
            missing_required+=("src/ or htdocs/ (source directory required)")
          fi
          for item in "${required_artifacts[@]}"; do
            if printf '%s' "${item}" | grep -q '/$'; then
              d="${item%/}"
              [ ! -d "${d}" ] && missing_required+=("${item}")
            else
              [ ! -f "${item}" ] && missing_required+=("${item}")
            fi
          done
          for f in "${optional_files[@]}"; do
            if printf '%s' "${f}" | grep -q '/$'; then
              d="${f%/}"
              [ ! -d "${d}" ] && missing_optional+=("${f}")
            else
              [ ! -f "${f}" ] && missing_optional+=("${f}")
            fi
          done
          for d in "${disallowed_dirs[@]}"; do
            d_norm="${d%/}"
            [ -d "${d_norm}" ] && missing_required+=("${d_norm}/ (disallowed)")
          done
          for f in "${disallowed_files[@]}"; do
            [ -f "${f}" ] && missing_required+=("${f} (disallowed)")
          done
          git fetch origin --prune
          dev_paths=()
          dev_branches=()
          while IFS= read -r b; do
            name="${b#origin/}"
            if [ "${name}" = 'dev' ]; then
              dev_branches+=("${name}")
            else
              dev_paths+=("${name}")
            fi
          done < <(git branch -r --list 'origin/dev*' | sed 's/^ *//')
          if [ "${#dev_paths[@]}" -eq 0 ] && [ "${#dev_branches[@]}" -eq 0 ]; then
            missing_required+=("dev or dev/* branch")
          fi
          content_warnings=()
          if [ -f 'CHANGELOG.md' ] && ! grep -Eq '^# Changelog' CHANGELOG.md; then
            content_warnings+=("CHANGELOG.md missing '# Changelog' header")
          fi
          if [ -f 'CHANGELOG.md' ] && grep -Eq '^[# ]*Unreleased' CHANGELOG.md; then
            content_warnings+=("CHANGELOG.md contains Unreleased section (review release readiness)")
          fi
          if [ -f 'LICENSE' ] && ! grep -qiE 'GNU GENERAL PUBLIC LICENSE|GPL' LICENSE; then
            content_warnings+=("LICENSE does not look like a GPL text")
          fi
          if [ -f 'README.md' ] && ! grep -qiE 'moko|Moko' README.md; then
            content_warnings+=("README.md missing expected brand keyword")
          fi
          export PROFILE_RAW="${profile}"
          export MISSING_REQUIRED="$(printf '%s\n' "${missing_required[@]:-}")"
          export MISSING_OPTIONAL="$(printf '%s\n' "${missing_optional[@]:-}")"
          export CONTENT_WARNINGS="$(printf '%s\n' "${content_warnings[@]:-}")"
          report_json=$(printf '{"profile":"%s","missing_required":%d,"missing_optional":%d,"content_warnings":%d}'             "$profile" "${#missing_required[@]}" "${#missing_optional[@]}" "${#content_warnings[@]}")
          {
            printf '%s\n' '### Repository health'
            printf '%s\n' "Profile: ${profile}"
            printf '%s\n' '| Metric | Value |'
            printf '%s\n' '|---|---|'
            printf '%s\n' "| Missing required | ${#missing_required[@]} |"
            printf '%s\n' "| Missing optional | ${#missing_optional[@]} |"
            printf '%s\n' "| Content warnings | ${#content_warnings[@]} |"
            printf '\n'
            printf '%s\n' '### Guardrails report (JSON)'
            printf '%s\n' '```json'
            printf '%s\n' "${report_json}"
            printf '%s\n' '```'
            printf '\n'
          } >> "${GITHUB_STEP_SUMMARY}"
          if [ "${#missing_required[@]}" -gt 0 ]; then
            {
              printf '%s\n' '### Missing required repo artifacts'
              for m in "${missing_required[@]}"; do printf '%s\n' "- ${m}"; done
              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository artifacts.'
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
            exit 1
          fi
          if [ "${#missing_optional[@]}" -gt 0 ]; then
            {
              printf '%s\n' '### Missing optional repo artifacts'
              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
          fi
          if [ "${#content_warnings[@]}" -gt 0 ]; then
            {
              printf '%s\n' '### Repo content warnings'
              for m in "${content_warnings[@]}"; do printf '%s\n' "- ${m}"; done
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
          fi
          # -- Joomla-specific checks --
          joomla_findings=()
          MANIFEST="$(find . -maxdepth 2 -name '*.xml' -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)"
          if [ -z "${MANIFEST}" ]; then
            joomla_findings+=("Joomla XML manifest not found (no *.xml with <extension> tag)")
          else
            if ! grep -qP '<version>' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <version> tag missing")
            fi
            if ! grep -qP 'type="(component|module|plugin|library|package|template|language)"' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: type attribute missing or invalid")
            fi
            if ! grep -qP '<name>' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <name> tag missing")
            fi
            if ! grep -qP '<author>' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <author> tag missing")
            fi
            if ! grep -qP '<namespace' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <namespace> missing (required for Joomla 5+)")
            fi
          fi
          INI_COUNT="$(find . -name '*.ini' -type f 2>/dev/null | wc -l)"
          if [ "${INI_COUNT}" -eq 0 ]; then
            joomla_findings+=("No .ini language files found")
          fi
          if [ ! -f 'updates.xml' ]; then
            joomla_findings+=("updates.xml missing in root (required for Joomla update server)")
          fi
          if [ -n "${SOURCE_DIR}" ]; then
            INDEX_DIRS=("${SOURCE_DIR}" "${SOURCE_DIR}/admin" "${SOURCE_DIR}/site")
            for dir in "${INDEX_DIRS[@]}"; do
              if [ -d "${dir}" ] && [ ! -f "${dir}/index.html" ]; then
                joomla_findings+=("${dir}/index.html missing (directory listing protection)")
              fi
            done
          fi
          if [ "${#joomla_findings[@]}" -gt 0 ]; then
            {
              printf '%s\n' '### Joomla extension checks'
              printf '%s\n' '| Check | Status |'
              printf '%s\n' '|---|---|'
              for f in "${joomla_findings[@]}"; do
                printf '%s\n' "| ${f} | Warning |"
              done
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
          else
            {
              printf '%s\n' '### Joomla extension checks'
              printf '%s\n' 'All Joomla-specific checks passed.'
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
          fi
          extended_enabled="${EXTENDED_CHECKS:-true}"
          extended_findings=()
          if [ "${extended_enabled}" = 'true' ]; then
            if [ -f '.github/CODEOWNERS' ] || [ -f 'CODEOWNERS' ] || [ -f 'docs/CODEOWNERS' ]; then
              :
            else
              extended_findings+=("CODEOWNERS not found (.github/CODEOWNERS preferred)")
            fi
            if ls "${WORKFLOWS_DIR}"/*.yml >/dev/null 2>&1 || ls "${WORKFLOWS_DIR}"/*.yaml >/dev/null 2>&1; then
              bad_refs="$(grep -RIn --include='*.yml' --include='*.yaml' -E '^[[:space:]]*uses:[[:space:]]*[^#]+@(main|master)\b' "${WORKFLOWS_DIR}" 2>/dev/null || true)"
              if [ -n "${bad_refs}" ]; then
                extended_findings+=("Workflows reference actions @main/@master (pin versions): see log excerpt")
                {
                  printf '%s\n' '### Workflow pinning advisory'
                  printf '%s\n' 'Found uses: entries pinned to main/master:'
                  printf '%s\n' '```'
                  printf '%s\n' "${bad_refs}"
                  printf '%s\n' '```'
                  printf '\n'
                } >> "${GITHUB_STEP_SUMMARY}"
              fi
            fi
            if [ -f "${DOCS_INDEX}" ]; then
              missing_links=""
              while IFS= read -r docline; do
                for link in $(echo "$docline" | grep -oE '\]\([^)]+\)' | sed 's/\](//' | sed 's/)$//' || true); do
                  case "$link" in http://*|https://*|"#"*|mailto:*) continue ;; esac
                  linkpath="${link%%#*}"
                  linkpath="${linkpath%%\?*}"
                  [ -z "$linkpath" ] && continue
                  if [ "${linkpath:0:1}" = "/" ]; then
                    testpath="${linkpath#/}"
                  else
                    testpath="$(dirname "${DOCS_INDEX}")/${linkpath}"
                  fi
                  [ ! -e "$testpath" ] && missing_links="${missing_links}${testpath} "
                done
              done < "${DOCS_INDEX}"
              if [ -n "${missing_links}" ]; then
                extended_findings+=("docs/docs-index.md contains broken relative links")
                {
                  printf '%s\n' '### Docs index link integrity'
                  printf '%s\n' 'Broken relative links:'
                  for bl in ${missing_links}; do
                    printf '%s\n' "- ${bl}"
                  done
                  printf '\n'
                } >> "${GITHUB_STEP_SUMMARY}"
              fi
            fi
            if [ -d "${SCRIPT_DIR}" ]; then
              if ! command -v shellcheck >/dev/null 2>&1; then
                sudo apt-get update -qq
                sudo apt-get install -y shellcheck >/dev/null
              fi
              sc_out=''
              while IFS= read -r shf; do
                [ -z "${shf}" ] && continue
                out_one="$(shellcheck -S warning -x "${shf}" 2>/dev/null || true)"
                if [ -n "${out_one}" ]; then
                  sc_out="${sc_out}${out_one}\n"
                fi
              done < <(find "${SCRIPT_DIR}" -type f -name "${SHELLCHECK_PATTERN}" 2>/dev/null | sort)
              if [ -n "${sc_out}" ]; then
                extended_findings+=("ShellCheck warnings detected (advisory)")
                sc_head="$(printf '%s' "${sc_out}" | head -n 200)"
                {
                  printf '%s\n' '### ShellCheck (advisory)'
                  printf '%s\n' '```'
                  printf '%s\n' "${sc_head}"
                  printf '%s\n' '```'
                  printf '\n'
                } >> "${GITHUB_STEP_SUMMARY}"
              fi
            fi
            spdx_missing=()
            IFS=',' read -r -a spdx_globs <<< "${SPDX_FILE_GLOBS}"
            spdx_args=()
            for g in "${spdx_globs[@]}"; do spdx_args+=("${g}"); done
            while IFS= read -r f; do
              [ -z "${f}" ] && continue
              if ! head -n 40 "${f}" | grep -q 'SPDX-License-Identifier:'; then
                spdx_missing+=("${f}")
              fi
            done < <(git ls-files "${spdx_args[@]}" 2>/dev/null || true)
            if [ "${#spdx_missing[@]}" -gt 0 ]; then
              extended_findings+=("SPDX header missing in some tracked files (advisory)")
              {
                printf '%s\n' '### SPDX header advisory'
                printf '%s\n' 'Files missing SPDX-License-Identifier (first 40 lines scan):'
                for f in "${spdx_missing[@]}"; do printf '%s\n' "- ${f}"; done
                printf '\n'
              } >> "${GITHUB_STEP_SUMMARY}"
            fi
            stale_cutoff_days=180
            stale_branches="$(git for-each-ref --format='%(refname:short) %(committerdate:unix)' refs/remotes/origin 2>/dev/null | awk -v now="$(date +%s)" -v days="${stale_cutoff_days}" '{if (now-$2 > days*86400) print $1}' | head -50)"
            if [ -n "${stale_branches}" ]; then
              extended_findings+=("Stale remote branches detected (advisory)")
              {
                printf '%s\n' '### Git hygiene advisory'
                printf '%s\n' "Branches with last commit older than ${stale_cutoff_days} days (sample up to 50):"
                while IFS= read -r b; do [ -n "${b}" ] && printf '%s\n' "- ${b}"; done <<< "${stale_branches}"
                printf '\n'
              } >> "${GITHUB_STEP_SUMMARY}"
            fi
          fi
          {
            printf '%s\n' '### Guardrails coverage matrix'
            printf '%s\n' '| Domain | Status | Notes |'
            printf '%s\n' '|---|---|---|'
            printf '%s\n' '| Access control | OK | Admin-only execution gate |'
            printf '%s\n' '| Release policy | N/A | Releases handled by MokoGitea |'
            printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
            printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
            printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
            if [ "${extended_enabled}" = 'true' ]; then
              if [ "${#extended_findings[@]}" -gt 0 ]; then
                printf '%s\n' '| Extended checks | Warning | See extended findings below |'
              else
                printf '%s\n' '| Extended checks | OK | No findings |'
              fi
            else
              printf '%s\n' '| Extended checks | SKIPPED | EXTENDED_CHECKS disabled |'
            fi
            printf '\n'
          } >> "${GITHUB_STEP_SUMMARY}"
          if [ "${extended_enabled}" = 'true' ] && [ "${#extended_findings[@]}" -gt 0 ]; then
            {
              printf '%s\n' '### Extended findings (advisory)'
              for f in "${extended_findings[@]}"; do printf '%s\n' "- ${f}"; done
              printf '\n'
            } >> "${GITHUB_STEP_SUMMARY}"
          fi
          printf '%s\n' 'Repository health guardrails passed.' >> "${GITHUB_STEP_SUMMARY}"
  site-health:
    name: Site Health
    runs-on: ubuntu-latest
    if: github.event_name == 'workflow_dispatch'
    steps:
      - uses: actions/checkout@v4
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: '8.3'
      - name: Uptime check
        if: env.URLS != ''
        run: |
          echo "$URLS" > /tmp/urls.txt
          php monitoring/uptime-probe.php --urls /tmp/urls.txt --timeout 15 || echo "::warning::Some sites are down"
          rm -f /tmp/urls.txt
        env:
          URLS: ${{ vars.MONITORED_URLS }}
      - name: SSL certificate check
        if: env.DOMAINS != ''
        run: |
          echo "$DOMAINS" > /tmp/domains.txt
          php monitoring/ssl-check.php --domains /tmp/domains.txt --warn-days 30 || echo "::warning::SSL certificates expiring soon"
          rm -f /tmp/domains.txt
        env:
          DOMAINS: ${{ vars.MONITORED_DOMAINS }}
      - name: Summary
        if: always()
        run: |
          echo "### Site Health" >> $GITHUB_STEP_SUMMARY
          echo "Uptime and SSL checks completed." >> $GITHUB_STEP_SUMMARY
  # ═══════════════════════════════════════════════════════════════════════
  # Issue Reporter — file issues for failed gates
  # ═══════════════════════════════════════════════════════════════════════
  report-issues:
    name: "Report Issues"
    runs-on: ubuntu-latest
    needs: [access_check, scripts_governance, repo_health]
    if: >-
      always() &&
      (needs.scripts_governance.result == 'failure' ||
       needs.repo_health.result == 'failure')
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          sparse-checkout: automation/ci-issue-reporter.sh
          sparse-checkout-cone-mode: false
      - name: "File issues for failed gates"
        env:
          GITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
        run: |
          chmod +x automation/ci-issue-reporter.sh
          REPORTER="./automation/ci-issue-reporter.sh"
          WF="Repo Health"
          report_gate() {
            local gate="$1" result="$2" details="$3"
            if [ "$result" = "failure" ]; then
              "$REPORTER" --gate "$gate" --details "$details" --workflow "$WF" --severity error
            fi
          }
          report_gate "Scripts Governance" \
            "${{ needs.scripts_governance.result }}" \
            "Scripts directory policy violations detected. Review required and allowed directories."
          report_gate "Repository Health" \
            "${{ needs.repo_health.result }}" \
            "Repository health checks failed — missing required artifacts, disallowed files, or content warnings. Check the CI run summary."
@@ -4,18 +4,16 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Universal
+# INGROUP: moko-platform.Universal
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /templates/workflows/update-server.yml
-# VERSION: 04.07.00
+# VERSION: 05.00.00
-# BRIEF: Update server XML feed with stable/rc/beta/alpha/dev entries (universal)
+# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
 #
-# Writes updates.xml with multiple <update> entries:
+# Thin wrapper around moko-platform CLI tools.
-#   - <tag>stable</tag>     on push to main (from auto-release)
+# Builds packages, updates updates.xml, and optionally deploys via SFTP.
 #   - <tag>rc</tag>         on push to rc/**
 #   - <tag>development</tag> on push to dev or dev/**
 #
-# Joomla filters by user's "Minimum Stability" setting.
+# Joomla filters update entries by the user's "Minimum Stability" setting.
 name: "Update Server"
@@ -66,7 +64,7 @@ permissions:
 jobs:
  update-xml:
-    name: Update updates.xml
+    name: Update Server
    runs-on: release
    if: >-
      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
@@ -75,50 +73,51 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
          fetch-depth: 0
      - name: Setup moko-platform tools
        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
+          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
        run: |
          if ! command -v composer &> /dev/null; then
            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
          fi
-          if [ -d "/tmp/moko-platform" ]; then
+          # Always fetch latest CLI tools — never use stale cache from previous runs
-            echo "moko-platform already available — skipping clone"
+          rm -rf /tmp/moko-platform
-          else
+          git clone --depth 1 --branch main --quiet \
-            git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-              "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform 2>/dev/null || true
              /tmp/moko-platform 2>/dev/null || true
          fi
          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
          fi
          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
-      - name: Generate updates.xml entry
+      - name: Detect platform
-        id: update
+        id: platform
        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
      - name: Resolve stability and bump version
        id: meta
        run: |
          BRANCH="${{ github.ref_name }}"
          REPO="${{ github.repository }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          VERSION=$(php /tmp/moko-platform/cli/version_read.php --path . 2>/dev/null || echo "0.0.0")
-          # Auto-bump patch on all branches (dev, alpha, beta, rc)
+          # Configure git for bot pushes
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
-          BUMPED=$(php /tmp/moko-platform/cli/version_bump.php --path . 2>/dev/null || true)
+          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
          if [ -n "$BUMPED" ]; then
            VERSION=$(php /tmp/moko-platform/cli/version_read.php --path . 2>/dev/null || echo "$VERSION")
            git add -A
            git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" 2>/dev/null || true
            git push 2>/dev/null || true
          fi
-          # Determine stability from branch or input
+          # Auto-bump patch version
          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
          # Strip any existing suffix before applying stability
          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
          # Determine stability from branch or manual input
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            STABILITY="${{ inputs.stability }}"
          elif [[ "$BRANCH" == rc/* ]]; then
@@ -127,263 +126,96 @@ jobs:
            STABILITY="beta"
          elif [[ "$BRANCH" == alpha/* ]]; then
            STABILITY="alpha"
-          elif [[ "$BRANCH" == dev/* ]] || [[ "$BRANCH" == "dev" ]]; then
+          else
            STABILITY="development"
          else
            STABILITY="stable"
          fi
          # Version suffix per stability stream
          case "$STABILITY" in
            development) SUFFIX="-dev";  TAG="development" ;;
            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
            beta)        SUFFIX="-beta";  TAG="beta" ;;
            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
            *)           SUFFIX="";       TAG="stable" ;;
          esac
          # Propagate version with stability suffix to all manifest files
          php ${MOKO_CLI}/version_set_platform.php \
            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
          # Re-read version (now includes suffix from version_set_platform)
          if [ -n "$SUFFIX" ]; then
            VERSION="${VERSION}${SUFFIX}"
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
-          # Parse manifest (portable — no grep -P)
+          # Commit version bump if changed
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+          git add -A
          if [ -z "$MANIFEST" ]; then
            echo "No Joomla manifest found — skipping"
            exit 0
          fi
          # Extract fields using sed (works on all runners)
          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
          EXT_VERSION=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
          # Fallbacks
          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
          # Derive element if not in manifest: try XML filename, then repo name
          if [ -z "$EXT_ELEMENT" ]; then
            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
            case "$EXT_ELEMENT" in
              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
            esac
          fi
          # Use manifest version if README version is empty
          [ "$VERSION" = "0.0.0" ] && [ -n "$EXT_VERSION" ] && VERSION="$EXT_VERSION"
          [ -z "$TARGET_PLATFORM" ] && TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
          # Joomla requires <client> on ALL extension types for update matching
          if [ -n "$EXT_CLIENT" ]; then
            CLIENT_TAG="<client>${EXT_CLIENT}</client>"
          else
            CLIENT_TAG="<client>site</client>"
          fi
          FOLDER_TAG=""
          [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ] && FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
          PHP_TAG=""
          [ -n "$PHP_MINIMUM" ] && PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
          # Version suffix for non-stable
          DISPLAY_VERSION="$VERSION"
          case "$STABILITY" in
            development) DISPLAY_VERSION="${VERSION}-dev" ;;
            alpha)       DISPLAY_VERSION="${VERSION}-alpha" ;;
            beta)        DISPLAY_VERSION="${VERSION}-beta" ;;
            rc)          DISPLAY_VERSION="${VERSION}-rc" ;;
          esac
          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
          # Each stability level has its own release tag
          case "$STABILITY" in
            development) RELEASE_TAG="development" ;;
            alpha)       RELEASE_TAG="alpha" ;;
            beta)        RELEASE_TAG="beta" ;;
            rc)          RELEASE_TAG="release-candidate" ;;
            *)           RELEASE_TAG="v${MAJOR}" ;;
          esac
          PACKAGE_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.zip"
          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${PACKAGE_NAME}"
          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}"
          # -- Build install packages (ZIP + tar.gz) --------------------
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
          if [ -d "$SOURCE_DIR" ]; then
            EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
            TAR_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.tar.gz"
            cd "$SOURCE_DIR"
            zip -r "/tmp/${PACKAGE_NAME}" . -x $EXCLUDES
            cd ..
            tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR" \
              --exclude='.ftpignore' --exclude='sftp-config*' \
              --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
            SHA256=$(sha256sum "/tmp/${PACKAGE_NAME}" | cut -d' ' -f1)
            # Ensure release exists on Gitea
            RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
              "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
            RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
            if [ -z "$RELEASE_ID" ]; then
              # Create release
              RELEASE_JSON=$(curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
                -H "Content-Type: application/json" \
                "${API_BASE}/releases" \
                -d "$(python3 -c "import json; print(json.dumps({
                  'tag_name': '${RELEASE_TAG}',
                  'name': '${RELEASE_TAG} (${DISPLAY_VERSION})',
                  'body': '${STABILITY} release',
                  'prerelease': True,
                  'target_commitish': 'main'
                }))")" 2>/dev/null || true)
              RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
            fi
            if [ -n "$RELEASE_ID" ]; then
              # Delete existing assets with same name before uploading
              ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
                "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
              for ASSET_FILE in "$PACKAGE_NAME" "$TAR_NAME"; do
                ASSET_ID=$(echo "$ASSETS" | python3 -c "
          import sys,json
          assets = json.load(sys.stdin)
          for a in assets:
              if a['name'] == '${ASSET_FILE}':
                  print(a['id']); break
          " 2>/dev/null || true)
                if [ -n "$ASSET_ID" ]; then
                  curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
                    "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
                fi
              done
              # Upload both formats
              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
                -H "Content-Type: application/octet-stream" \
                --data-binary @"/tmp/${PACKAGE_NAME}" \
                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${PACKAGE_NAME}" > /dev/null 2>&1 || true
              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
                -H "Content-Type: application/octet-stream" \
                --data-binary @"/tmp/${TAR_NAME}" \
                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
            fi
            echo "Packages: ${PACKAGE_NAME} + ${TAR_NAME} (SHA: ${SHA256})" >> $GITHUB_STEP_SUMMARY
          else
            SHA256=""
          fi
          # -- Build the new entry (canonical format matching release.yml) --
          NEW_ENTRY=""
          NEW_ENTRY="${NEW_ENTRY}  <update>\n"
          NEW_ENTRY="${NEW_ENTRY}    <name>${EXT_NAME}</name>\n"
          NEW_ENTRY="${NEW_ENTRY}    <description>${EXT_NAME} ${STABILITY} build.</description>\n"
          NEW_ENTRY="${NEW_ENTRY}    <element>${EXT_ELEMENT}</element>\n"
          NEW_ENTRY="${NEW_ENTRY}    <type>${EXT_TYPE}</type>\n"
          [ -n "$CLIENT_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${CLIENT_TAG}\n"
          [ -n "$FOLDER_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${FOLDER_TAG}\n"
          NEW_ENTRY="${NEW_ENTRY}    <version>${VERSION}</version>\n"
          NEW_ENTRY="${NEW_ENTRY}    <creationDate>$(date +%Y-%m-%d)</creationDate>\n"
          NEW_ENTRY="${NEW_ENTRY}    <infourl title='${EXT_NAME}'>https://git.mokoconsulting.tech/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${RELEASE_TAG}</infourl>\n"
          NEW_ENTRY="${NEW_ENTRY}    <downloads>\n"
          NEW_ENTRY="${NEW_ENTRY}      <downloadurl type='full' format='zip'>${DOWNLOAD_URL}</downloadurl>\n"
          NEW_ENTRY="${NEW_ENTRY}    </downloads>\n"
          [ -n "$SHA256" ] && NEW_ENTRY="${NEW_ENTRY}    <sha256>${SHA256}</sha256>\n"
          NEW_ENTRY="${NEW_ENTRY}    <tags><tag>${STABILITY}</tag></tags>\n"
          NEW_ENTRY="${NEW_ENTRY}    <maintainer>Moko Consulting</maintainer>\n"
          NEW_ENTRY="${NEW_ENTRY}    <maintainerurl>https://mokoconsulting.tech</maintainerurl>\n"
          NEW_ENTRY="${NEW_ENTRY}    <targetplatform name='joomla' version='(5|6).*'/>\n"
          [ -n "$PHP_MINIMUM" ] && NEW_ENTRY="${NEW_ENTRY}    <php_minimum>${PHP_MINIMUM}</php_minimum>\n"
          NEW_ENTRY="${NEW_ENTRY}  </update>"
          # -- Write new entry to temp file --------------------------------
          printf '%b' "$NEW_ENTRY" > /tmp/new_entry.xml
          # -- Merge into updates.xml ----------------------------------------
          # Cascade: stable→all | rc→rc+lower | beta→beta+lower | alpha→alpha+dev | dev→dev
          CASCADE_MAP="stable:development,alpha,beta,rc,stable rc:development,alpha,beta,rc beta:development,alpha,beta alpha:development,alpha development:development"
          TARGETS=""
          for entry in $CASCADE_MAP; do
            key="${entry%%:*}"
            vals="${entry#*:}"
            if [ "$key" = "${STABILITY}" ]; then
              TARGETS="$vals"
              break
            fi
          done
          [ -z "$TARGETS" ] && TARGETS="${STABILITY}"
          echo "Cascade: ${STABILITY} → ${TARGETS}"
          # Create updates.xml if missing
          if [ ! -f "updates.xml" ]; then
            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>" > updates.xml
            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting -->" >> updates.xml
            printf '%s\n' "<updates>" >> updates.xml
            printf '%s\n' "</updates>" >> updates.xml
          fi
          # Update existing blocks or create missing ones
          export PY_TARGETS="$TARGETS" PY_VERSION="$VERSION" PY_DATE="$(date +%Y-%m-%d)"
          python3 << 'PYEOF'
          import re, os
          targets = os.environ["PY_TARGETS"].split(",")
          version = os.environ["PY_VERSION"]
          date = os.environ["PY_DATE"]
          with open("updates.xml") as f:
              content = f.read()
          with open("/tmp/new_entry.xml") as f:
              new_entry_template = f.read()
          for tag in targets:
              tag = tag.strip()
              # Build entry with this tag's name
              new_entry = re.sub(r"<tag>[^<]*</tag>", f"<tag>{tag}</tag>", new_entry_template)
              # Try to find existing block (handles both single-line and multi-line <tags>)
              block_pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(tag) + r"</tag>.*?</update>)"
              match = re.search(block_pattern, content, re.DOTALL)
              if match:
                  # Update in place — replace entire block
                  content = content.replace(match.group(1), new_entry.strip())
                  print(f"  UPDATED: <tag>{tag}</tag> → {version}")
              else:
                  # Create — insert before </updates>
                  content = content.replace("</updates>", "\n" + new_entry.strip() + "\n\n</updates>")
                  print(f"  CREATED: <tag>{tag}</tag> → {version}")
          # Clean up excessive blank lines
          content = re.sub(r"\n{3,}", "\n\n", content)
          with open("updates.xml", "w") as f:
              f.write(content)
          PYEOF
          # Commit
          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
          git config --local user.name "gitea-actions[bot]"
          git add updates.xml
          git diff --cached --quiet || {
-            git commit -m "chore: update updates.xml (${STABILITY}: ${DISPLAY_VERSION}) [skip ci]" \
+            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
            git push
          }
-      # -- Sync updates.xml to main (for non-main branches) ----------------------
+      - name: Create release and upload package
        id: package
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          TAG="${{ steps.meta.outputs.tag }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
          # Create or update Gitea release
          php ${MOKO_CLI}/release_create.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
          # Build package and upload
          php ${MOKO_CLI}/release_package.php \
            --path . --version "$VERSION" --tag "$TAG" \
            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
            --repo "${GITEA_REPO}" --output /tmp || true
      - name: Update updates.xml
        if: steps.platform.outputs.platform == 'joomla'
        run: |
          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          SHA256="${{ steps.package.outputs.sha256_zip }}"
          if [ ! -f "updates.xml" ]; then
            echo "No updates.xml — skipping"
            exit 0
          fi
          SHA_FLAG=""
          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
          php ${MOKO_CLI}/updates_xml_build.php \
            --path . --version "${VERSION}" --stability "${STABILITY}" \
            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
            ${SHA_FLAG}
          # Commit and push updates.xml
          git add updates.xml
          git diff --cached --quiet || {
            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
            git push
          }
      - name: Sync updates.xml to main
-        if: github.ref_name != 'main'
+        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
        run: |
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
@@ -394,27 +226,22 @@ jobs:
          payload = json.dumps({
              'content': content,
              'sha': '${FILE_SHA}',
-              'message': 'chore: sync updates.xml from ${STABILITY} [skip ci]',
+              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
              'branch': 'main'
          }).encode()
          req = urllib.request.Request(
              '${API_BASE}/contents/updates.xml',
              data=payload, method='PUT',
              headers={
-                  'Authorization': 'token ${GA_TOKEN}',
+                  'Authorization': 'token ${GITEA_TOKEN}',
                  'Content-Type': 'application/json'
              })
          try:
              urllib.request.urlopen(req)
              print('updates.xml synced to main')
          except Exception as e:
-              print(f'ERROR: failed to sync updates.xml to main: {e}', file=sys.stderr)
+              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
-              sys.exit(1)
+          "
          " \
              && echo "updates.xml synced to main (${STABILITY})" >> $GITHUB_STEP_SUMMARY \
              || echo "::error::failed to sync updates.xml to main" >> $GITHUB_STEP_SUMMARY
          else
            echo "::error::could not get updates.xml SHA from main — file may not exist on main yet" >> $GITHUB_STEP_SUMMARY
          fi
      - name: SFTP deploy to dev server
@@ -428,12 +255,11 @@ jobs:
          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
        run: |
-          # -- Permission check: admin or maintain role required --------
+          # Permission check: admin or maintain role required
          ACTOR="${{ github.actor }}"
          REPO="${{ github.repository }}"
          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
          case "$PERMISSION" in
@@ -463,198 +289,24 @@ jobs:
            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
          fi
-          PLATFORM=$(php /tmp/moko-platform/cli/platform_detect.php --path . 2>/dev/null || true)
+          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/moko-platform/deploy/deploy-joomla.php" ]; then
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
-            php /tmp/moko-platform/deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "/tmp/moko-platform/deploy/deploy-sftp.php" ]; then
+          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
-            php /tmp/moko-platform/deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
          fi
          rm -f /tmp/deploy_key /tmp/sftp-config.json
          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
      - name: Validate updates.xml integrity
        run: |
          ERRORS=0
          if [ ! -f "updates.xml" ]; then
            echo "::error::updates.xml not found"
            exit 1
          fi
          # Well-formed XML
          if ! python3 -c "import xml.etree.ElementTree as ET; ET.parse('updates.xml')" 2>/dev/null; then
            echo "::error::updates.xml is not valid XML"
            ERRORS=$((ERRORS+1))
          fi
          python3 << 'PYEOF'
          import xml.etree.ElementTree as ET, sys, re, os
          tree = ET.parse("updates.xml")
          root = tree.getroot()
          updates = root.findall("update")
          errors = 0
          warnings = 0
          seen_tags = set()
          # All 5 channels MUST be present
          REQUIRED_CHANNELS = {"stable", "rc", "beta", "alpha", "dev"}
          VALID_TAGS = REQUIRED_CHANNELS | {"development"}  # accept legacy alias
          REPO = os.environ.get("GITEA_REPO", "")
          ORG = os.environ.get("GITEA_ORG", "MokoConsulting")
          REPO_BASE = f"https://git.mokoconsulting.tech/{ORG}/"
          # Gitea release tag names per channel (Moko standard)
          RELEASE_TAG_MAP = {
              "stable": "stable",
              "rc": "release-candidate",
              "beta": "beta",
              "alpha": "alpha",
              "dev": "development",
              "development": "development",
          }
          # Joomla update XML required fields per
          # https://docs.joomla.org/Deploying_an_Update_Server
          REQUIRED_FIELDS = ["name", "element", "type", "version", "infourl"]
          for i, u in enumerate(updates):
              tag_el = u.find("tags/tag")
              tag = tag_el.text.strip() if tag_el is not None and tag_el.text else None
              label = f"Entry {i+1} (<tag>{tag or '?'}</tag>)"
              # -- Required Joomla fields --
              for field in REQUIRED_FIELDS:
                  el = u.find(field)
                  if el is None or not (el.text or "").strip():
                      print(f"::error::{label}: missing required <{field}>")
                      errors += 1
              # -- <downloads><downloadurl> --
              dl = u.find("downloads/downloadurl")
              if dl is None or not (dl.text or "").strip():
                  print(f"::error::{label}: missing <downloads><downloadurl>")
                  errors += 1
              else:
                  dl_url = dl.text.strip()
                  # Must point to org repo
                  if REPO_BASE not in dl_url:
                      print(f"::error::{label}: download URL not under {REPO_BASE}: {dl_url}")
                      errors += 1
                  # Must end in .zip
                  if not dl_url.endswith(".zip"):
                      print(f"::error::{label}: download URL must end in .zip: {dl_url}")
                      errors += 1
                  # Must use correct Gitea release tag in path
                  if tag and tag in RELEASE_TAG_MAP:
                      expected_tag = RELEASE_TAG_MAP[tag]
                      if f"/download/{expected_tag}/" not in dl_url:
                          print(f"::error::{label}: download URL should contain /download/{expected_tag}/ but got: {dl_url}")
                          errors += 1
              # -- <client> (required for Joomla to match update) --
              client = u.find("client")
              if client is None or not (client.text or "").strip():
                  print(f"::error::{label}: missing <client> (required for Joomla update matching)")
                  errors += 1
              # -- <targetplatform> --
              tp = u.find("targetplatform")
              if tp is None:
                  print(f"::error::{label}: missing <targetplatform>")
                  errors += 1
              else:
                  tp_name = tp.get("name", "")
                  tp_ver = tp.get("version", "")
                  if tp_name != "joomla":
                      print(f"::error::{label}: targetplatform name should be 'joomla', got '{tp_name}'")
                      errors += 1
                  if not tp_ver:
                      print(f"::error::{label}: targetplatform missing version regex")
                      errors += 1
                  elif "5" not in tp_ver or "6" not in tp_ver:
                      print(f"::warning::{label}: targetplatform version may not cover Joomla 5+6: {tp_ver}")
                      warnings += 1
              # -- <type> must be valid Joomla type --
              type_el = u.find("type")
              if type_el is not None and type_el.text:
                  valid_types = {"component", "module", "plugin", "template", "library", "package", "file"}
                  if type_el.text.strip() not in valid_types:
                      print(f"::error::{label}: invalid type '{type_el.text}' (expected: {valid_types})")
                      errors += 1
              # -- <version> format (XX.YY.ZZ with optional suffix) --
              ver_el = u.find("version")
              if ver_el is not None and ver_el.text:
                  if not re.match(r"^\d{2}\.\d{2}\.\d{2}(-\w+)?$", ver_el.text.strip()):
                      print(f"::warning::{label}: version '{ver_el.text}' does not match XX.YY.ZZ format")
                      warnings += 1
              # -- <maintainer> and <maintainerurl> --
              for field in ["maintainer", "maintainerurl"]:
                  el = u.find(field)
                  if el is None or not (el.text or "").strip():
                      print(f"::warning::{label}: missing <{field}>")
                      warnings += 1
              # -- Valid stability tag --
              if tag is None:
                  print(f"::error::{label}: missing <tags><tag>")
                  errors += 1
              elif tag not in VALID_TAGS:
                  print(f"::error::{label}: invalid tag '{tag}' (expected: {VALID_TAGS})")
                  errors += 1
              # -- Duplicate tag check --
              norm_tag = "dev" if tag == "development" else tag
              if norm_tag in seen_tags:
                  print(f"::error::{label}: duplicate channel '{tag}'")
                  errors += 1
              if norm_tag:
                  seen_tags.add(norm_tag)
          # -- All 5 channels must exist --
          missing = REQUIRED_CHANNELS - seen_tags
          if missing:
              print(f"::error::Missing required update channels: {', '.join(sorted(missing))}")
              errors += 1
          # -- Version ordering: higher stability must not exceed dev version --
          channel_versions = {}
          for u in updates:
              tag_el = u.find("tags/tag")
              ver_el = u.find("version")
              if tag_el is not None and ver_el is not None and tag_el.text and ver_el.text:
                  norm = "dev" if tag_el.text.strip() == "development" else tag_el.text.strip()
                  # Strip suffix for comparison (01.00.18-dev -> 01.00.18)
                  base_ver = re.sub(r"-\w+$", "", ver_el.text.strip())
                  channel_versions[norm] = base_ver
          # Cascade check: dev >= alpha >= beta >= rc >= stable
          ORDER = ["dev", "alpha", "beta", "rc", "stable"]
          for j in range(1, len(ORDER)):
              current = ORDER[j]
              previous = ORDER[j - 1]
              if current in channel_versions and previous in channel_versions:
                  if channel_versions[current] > channel_versions[previous]:
                      print(f"::error::{current} version ({channel_versions[current]}) is ahead of {previous} ({channel_versions[previous]})")
                      errors += 1
          # -- Summary --
          print(f"\nupdates.xml validation: {len(updates)} entries, {errors} error(s), {warnings} warning(s)")
          if errors > 0:
              sys.exit(1)
          PYEOF
      - name: Summary
        if: always()
        run: |
-          echo "## Joomla Update Server" >> $GITHUB_STEP_SUMMARY
+          VERSION="${{ steps.meta.outputs.version }}"
          STABILITY="${{ steps.meta.outputs.stability }}"
          DISPLAY="${{ steps.meta.outputs.display_version }}"
          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY_VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| Element | \`${EXT_ELEMENT}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| Download | [ZIP](${DOWNLOAD_URL}) |" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,161 @@
 # Contributing to Moko Consulting Projects
 Thank you for your interest in contributing. All Moko Consulting repositories follow this universal workflow and version policy.
 ## Branching Workflow
 ```
 feature/* ──PR──> dev ──draft PR──> (renamed to rc) ──merge──> main
 ```
 ### Step by step
 1. **Create a feature branch** from `dev`:
   ```bash
   git checkout dev && git pull
   git checkout -b feature/my-change
   ```
 2. **Work and commit** on your feature branch. Push to origin.
 3. **Open a PR**: `feature/my-change` → `dev`. After review and checks, merge it.
 4. **When ready for release**, open a **draft PR**: `dev` → `main`.
   - This automatically renames the source branch to `rc` (release candidate)
   - An RC pre-release is built and uploaded
 5. **Alpha and beta branches** are created by manually renaming the branch before the RC stage:
   - Rename `dev` to `alpha` for early testing → alpha pre-release is built
   - Rename `alpha` to `beta` for feature-complete testing → beta pre-release is built
   - When the draft PR is created, the branch is renamed to `rc`
 6. **Once PR checks pass** on the `rc` branch, mark the PR as ready and merge to `main`.
 7. **Merging to main** triggers the stable release pipeline:
   - Minor version bump (e.g., `02.09.xx` → `02.10.00`)
   - Stability suffix stripped (clean version)
   - Gitea release created with ZIP/tar.gz packages
   - `updates.xml` updated (Joomla extensions)
   - `dev` branch recreated from `main`
 ### Branch summary
 | Branch | Purpose | Created by |
 |--------|---------|-----------|
 | `feature/*` | New features and fixes | Developer |
 | `dev` | Integration branch | Auto-recreated after release |
 | `alpha` | Alpha pre-release testing | Manual rename from `dev` |
 | `beta` | Beta pre-release testing | Manual rename from `alpha` |
 | `rc` | Release candidate | Auto-renamed on draft PR to main |
 | `main` | Stable releases | Protected, merge only |
 | `version/XX.YY.ZZ` | Archived release snapshots | Auto-created by CI |
 ### Protected branches
 | Branch | Direct push | Merge via |
 |--------|------------|-----------|
 | `main` | Blocked (CI bot whitelisted) | PR merge only |
 | `dev` | Blocked (CI bot whitelisted) | PR merge from feature/* |
 | `rc` | Blocked (CI bot whitelisted) | Auto-created on draft PR |
 | `alpha` | Blocked (CI bot whitelisted) | Manual rename |
 | `beta` | Blocked (CI bot whitelisted) | Manual rename |
 | `feature/*` | Open | N/A (source branch) |
 ## Version Policy
 ### Format
 All versions use `XX.YY.ZZ` — three two-digit segments, zero-padded:
 - **XX** — Major version (breaking changes)
 - **YY** — Minor version (new features, bumped on release to main)
 - **ZZ** — Patch version (auto-incremented on every push to dev/feature branches)
 Rollover: patch `99` → `00` increments minor; minor `99` → `00` increments major.
 ### Stability suffixes
 Each branch appends a suffix to indicate stability:
 | Branch | Suffix | Example |
 |--------|--------|---------|
 | `main` | (none) | `02.09.00` |
 | `dev` | `-dev` | `02.09.01-dev` |
 | `feature/*` | `-dev` | `02.09.01-dev` |
 | `alpha` | `-alpha` | `02.09.01-alpha` |
 | `beta` | `-beta` | `02.09.01-beta` |
 | `rc` | `-rc` | `02.09.01-rc` |
 ### Auto version bump
 On every push to `dev`, `feature/*`, or `patch/*`:
 1. Patch version incremented
 2. Stability suffix `-dev` applied
 3. All version-bearing files updated (manifests, CHANGELOG, PHP headers, etc.)
 4. Commit created with `[skip ci]` to avoid loops
 ### Release version flow
 Version bumps happen at specific release events:
 | Event | Bump | Example |
 |-------|------|---------|
 | Feature merged to dev | Patch bump after dev release | `02.09.01-dev` → release → `02.09.02-dev` |
 | Dev promoted to RC | Minor bump | `02.09.02-dev` → `02.10.00-rc` |
 | RC merged to main | Minor bump | `02.10.00-rc` → `02.11.00` (stable) |
 | Dev recreated from main | Patch bump | `02.11.00` → `02.11.01-dev` |
 ### Release stream copies
 When a higher-stability release is published, copies are created for all lesser streams with the same base version:
 - **RC `02.10.00-rc`** also creates: `02.10.00-dev`, `02.10.00-alpha`, `02.10.00-beta`
 - **Stable `02.11.00`** also creates: `02.11.00-dev`, `02.11.00-alpha`, `02.11.00-beta`, `02.11.00-rc`
 This ensures Joomla sites on ANY stability channel see the update (Joomla only shows versions higher than what's installed).
 ### Version files
 The version tools update all files containing version stamps:
 - `.mokogitea/manifest.xml` (canonical source)
 - Joomla XML manifests (`<version>` tag)
 - `README.md`, `CHANGELOG.md` (`VERSION:` pattern)
 - `package.json`, `pyproject.toml`
 - Any text file with a `VERSION: XX.YY.ZZ` label
 Files synced from other repos (with a `# REPO:` header) are not touched.
 ## Code Standards
 - **PHP**: PSR-12, tabs for indentation
 - **Copyright**: all files must include the Moko Consulting copyright header
 - **License**: SPDX identifier `GPL-3.0-or-later` (or as specified per repo)
 - **Attribution**: use `Authored-by: Moko Consulting` in commits, not individual names
 ## Commit Messages
 Use conventional commit format:
 ```
 type(scope): short description
 Optional body with context.
 Authored-by: Moko Consulting
 ```
 Types: `feat`, `fix`, `chore`, `docs`, `style`, `refactor`, `test`, `ci`
 Special flags in commit messages:
 - `[skip ci]` — skip all CI workflows
 - `[skip bump]` — skip auto version bump only
 ## Reporting Issues
 Use the repository's issue tracker with the appropriate template.
 ---
 *Moko Consulting <hello@mokoconsulting.tech>*
@@ -0,0 +1,237 @@
 #!/usr/bin/env bash
 # ============================================================================
 # Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 #
 # SPDX-License-Identifier: GPL-3.0-or-later
 #
 # FILE INFORMATION
 # DEFGROUP: Automation.CI
 # INGROUP: moko-platform.Automation
 # REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /automation/ci-issue-reporter.sh
 # VERSION: 09.23.00
 # BRIEF: Creates or updates a Gitea issue when a CI gate fails.
 #        Deduplicates by searching open issues with the "ci-auto" label
 #        whose title matches the gate. If a matching issue exists, a comment
 #        is appended instead of opening a duplicate.
 # ============================================================================
 set -euo pipefail
 # ── Defaults ────────────────────────────────────────────────────────────────
 GITEA_URL="${GITEA_URL:-https://git.mokoconsulting.tech}"
 GITEA_TOKEN="${GITEA_TOKEN:-}"
 REPO="${GITHUB_REPOSITORY:-}"
 RUN_URL="${GITHUB_SERVER_URL:-${GITEA_URL}}/${REPO}/actions/runs/${GITHUB_RUN_ID:-0}"
 LABEL_NAME="ci-auto"
 LABEL_COLOR="#e11d48"
 GATE=""
 DETAILS=""
 SEVERITY="error"
 WORKFLOW=""
 # ── Parse arguments ─────────────────────────────────────────────────────────
 usage() {
  cat <<EOF
 Usage: ci-issue-reporter.sh --gate NAME --details TEXT [OPTIONS]
 Required:
  --gate      CI gate name (e.g. "Code Quality", "Self-Health")
  --details   Human-readable failure description
 Optional:
  --severity  "error" (default) or "warning"
  --workflow  Workflow name for the issue title
  --repo      owner/repo (default: \$GITHUB_REPOSITORY)
  --run-url   URL to the CI run (auto-detected from env)
  --token     Gitea API token (default: \$GITEA_TOKEN)
  --url       Gitea base URL (default: \$GITEA_URL)
 EOF
  exit 1
 }
 while [[ $# -gt 0 ]]; do
  case "$1" in
    --gate)     GATE="$2";       shift 2 ;;
    --details)  DETAILS="$2";    shift 2 ;;
    --severity) SEVERITY="$2";   shift 2 ;;
    --workflow) WORKFLOW="$2";   shift 2 ;;
    --repo)     REPO="$2";      shift 2 ;;
    --run-url)  RUN_URL="$2";   shift 2 ;;
    --token)    GITEA_TOKEN="$2"; shift 2 ;;
    --url)      GITEA_URL="$2"; shift 2 ;;
    -h|--help)  usage ;;
    *)          echo "Unknown option: $1"; usage ;;
  esac
 done
 [[ -z "$GATE" ]]         && { echo "ERROR: --gate is required"; usage; }
 [[ -z "$DETAILS" ]]      && { echo "ERROR: --details is required"; usage; }
 [[ -z "$GITEA_TOKEN" ]]  && { echo "ERROR: GITEA_TOKEN not set"; exit 1; }
 [[ -z "$REPO" ]]         && { echo "ERROR: GITHUB_REPOSITORY not set"; exit 1; }
 API="${GITEA_URL}/api/v1/repos/${REPO}"
 # ── Build title ─────────────────────────────────────────────────────────────
 if [[ -n "$WORKFLOW" ]]; then
  TITLE="[CI] ${WORKFLOW}: ${GATE} failed"
 else
  TITLE="[CI] ${GATE} failed"
 fi
 # ── Ensure label exists ─────────────────────────────────────────────────────
 ensure_label() {
  local exists
  exists=$(curl -sf -o /dev/null -w '%{http_code}' \
    -H "Authorization: token ${GITEA_TOKEN}" \
    "${API}/labels" 2>/dev/null || echo "000")
  if [[ "$exists" == "200" ]]; then
    # Check if label already exists
    local found
    found=$(curl -sf \
      -H "Authorization: token ${GITEA_TOKEN}" \
      "${API}/labels" 2>/dev/null \
      | grep -o "\"name\":\"${LABEL_NAME}\"" || true)
    if [[ -z "$found" ]]; then
      curl -sf -X POST \
        -H "Authorization: token ${GITEA_TOKEN}" \
        -H "Content-Type: application/json" \
        "${API}/labels" \
        -d "{\"name\":\"${LABEL_NAME}\",\"color\":\"${LABEL_COLOR}\",\"description\":\"Auto-created by CI issue reporter\"}" \
        > /dev/null 2>&1 || true
    fi
  fi
 }
 # ── Search for existing open issue ──────────────────────────────────────────
 find_existing_issue() {
  # URL-encode the gate name for the query
  local query
  query=$(printf '%s' "[CI] ${GATE}" | sed 's/ /%20/g; s/\[/%5B/g; s/\]/%5D/g')
  local response
  response=$(curl -sf \
    -H "Authorization: token ${GITEA_TOKEN}" \
    "${API}/issues?type=issues&state=open&labels=${LABEL_NAME}&q=${query}&limit=5" \
    2>/dev/null || echo "[]")
  # Extract the first matching issue number
  echo "$response" \
    | grep -oP '"number":\s*\K[0-9]+' \
    | head -1
 }
 # ── Build issue body ────────────────────────────────────────────────────────
 build_body() {
  local severity_badge
  if [[ "$SEVERITY" == "error" ]]; then
    severity_badge="**Severity:** Error"
  else
    severity_badge="**Severity:** Warning"
  fi
  cat <<BODY
 ## CI Gate Failure: ${GATE}
 ${severity_badge}
 **Workflow:** ${WORKFLOW:-unknown}
 **Branch:** ${GITHUB_REF_NAME:-unknown}
 **Commit:** \`${GITHUB_SHA:0:8}\`
 **Run:** [View CI run](${RUN_URL})
 ### Details
 ${DETAILS}
 ### Resolution
 Fix the issue described above and push a new commit. This issue will be closed automatically when the gate passes, or can be closed manually.
 ---
 *Auto-created by [ci-issue-reporter](${GITEA_URL}/${REPO}/src/branch/main/automation/ci-issue-reporter.sh)*
 BODY
 }
 # ── Build comment body (for existing issues) ────────────────────────────────
 build_comment() {
  cat <<COMMENT
 ### CI failure recurrence
 **Branch:** ${GITHUB_REF_NAME:-unknown}
 **Commit:** \`${GITHUB_SHA:0:8}\`
 **Run:** [View CI run](${RUN_URL})
 ${DETAILS}
 COMMENT
 }
 # ── Main ────────────────────────────────────────────────────────────────────
 ensure_label
 EXISTING=$(find_existing_issue)
 if [[ -n "$EXISTING" ]]; then
  # Append comment to existing issue
  COMMENT_BODY=$(build_comment)
  COMMENT_JSON=$(printf '%s' "$COMMENT_BODY" | python3 -c "
 import sys, json
 print(json.dumps({'body': sys.stdin.read()}))" 2>/dev/null)
  HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
    -H "Authorization: token ${GITEA_TOKEN}" \
    -H "Content-Type: application/json" \
    "${API}/issues/${EXISTING}/comments" \
    -d "${COMMENT_JSON}" 2>/dev/null || echo "000")
  if [[ "$HTTP" == "201" ]]; then
    echo "Commented on existing issue #${EXISTING}"
  else
    echo "WARNING: Failed to comment on issue #${EXISTING} (HTTP ${HTTP})"
  fi
 else
  # Create new issue
  ISSUE_BODY=$(build_body)
  ISSUE_JSON=$(python3 -c "
 import sys, json
 body = sys.stdin.read()
 print(json.dumps({
    'title': sys.argv[1],
    'body': body,
    'labels': []
 }))" "$TITLE" <<< "$ISSUE_BODY" 2>/dev/null)
  # Create the issue
  RESPONSE=$(curl -sf -X POST \
    -H "Authorization: token ${GITEA_TOKEN}" \
    -H "Content-Type: application/json" \
    "${API}/issues" \
    -d "${ISSUE_JSON}" 2>/dev/null || echo "{}")
  ISSUE_NUM=$(echo "$RESPONSE" | grep -oP '"number":\s*\K[0-9]+' | head -1)
  if [[ -n "$ISSUE_NUM" ]]; then
    # Apply label (separate call — more reliable across Gitea versions)
    LABEL_ID=$(curl -sf \
      -H "Authorization: token ${GITEA_TOKEN}" \
      "${API}/labels" 2>/dev/null \
      | grep -oP "\"id\":\s*\K[0-9]+(?=[^}]*\"name\":\s*\"${LABEL_NAME}\")" \
      | head -1 || true)
    if [[ -n "$LABEL_ID" ]]; then
      curl -sf -X POST \
        -H "Authorization: token ${GITEA_TOKEN}" \
        -H "Content-Type: application/json" \
        "${API}/issues/${ISSUE_NUM}/labels" \
        -d "{\"labels\":[${LABEL_ID}]}" \
        > /dev/null 2>&1 || true
    fi
    echo "Created issue #${ISSUE_NUM}: ${TITLE}"
  else
    echo "WARNING: Failed to create issue"
    echo "Response: ${RESPONSE}"
  fi
 fi
@@ -37,6 +37,8 @@
    </languages>
    <updateservers>
-        <server type="extension" name="MokoJoomCross Updates">https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/raw/branch/main/updates.xml</server>
+        <server type="extension" name="MokoJoomCross Updates">https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/updates.xml</server>
    </updateservers>
 	<dlid prefix="dlid=" suffix=""/>
 	<blockChildUninstall>true</blockChildUninstall>
 </extension>
@@ -1,25 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 SPDX-License-Identifier: GPL-3.0-or-later
 VERSION: 01.00.00-dev
 -->
 <updates>
  <update>
    <name>MokoJoomCross</name>
    <description>MokoJoomCross development build.</description>
    <element>pkg_mokojoomcross</element>
    <type>package</type>
    <client>site</client>
    <version>01.00.00-dev</version>
    <creationDate>2026-05-28</creationDate>
    <infourl title='MokoJoomCross'>https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/releases/tag/development</infourl>
    <downloads>
      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoJoomCross/releases/download/development/pkg_mokojoomcross-01.00.00-dev.zip</downloadurl>
    </downloads>
    <tags><tag>development</tag></tags>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
    <targetplatform name='joomla' version='(5|6)\..*'/>
  </update>
 </updates>
Author	SHA1	Message	Date
jmiller	230f17b5bc	chore: add dlid and blockChildUninstall to package manifest [skip ci]	2026-06-04 22:02:35 +00:00
jmiller	ef8e3bcfcf	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:58:49 +00:00
jmiller	adf55bc2b2	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:41:38 +00:00
jmiller	cd8c1826fe	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:32:49 +00:00
jmiller	0adc05fa2b	chore: remove updates.xml [skip ci]	2026-06-04 15:27:09 +00:00
jmiller	1c1d168ffb	chore: sync .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-06-04 15:19:40 +00:00
jmiller	824026ace2	feat(update): migrate update server URL to Gitea Pages [skip ci]	2026-06-04 14:34:06 +00:00
jmiller	55e47a4913	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-06-04 14:23:58 +00:00
jmiller	1b3c70dec6	chore: sync .mokogitea/workflows/repo-health.yml from moko-platform [skip ci]	2026-06-04 13:47:42 +00:00
Moko Consulting	cec5f192c3	chore(ci): add CI issue reporter for auto-filing gate failures Generic: Repo Health / Site Health (push) Has been skipped Details Generic: Repo Health / Access control (push) Successful in 1s Details Generic: Repo Health / Release configuration (push) Has been cancelled Details Generic: Repo Health / Scripts governance (push) Has been cancelled Details Generic: Repo Health / Repository health (push) Has been cancelled Details Generic: Repo Health / Report Issues (push) Has been cancelled Details	2026-06-02 20:38:39 +00:00
Moko Consulting	554818cc10	chore(ci): add CI issue reporter for auto-filing gate failures Generic: Repo Health / Site Health (push) Has been skipped Details Generic: Repo Health / Access control (push) Successful in 2s Details Generic: Repo Health / Release configuration (push) Has been cancelled Details Generic: Repo Health / Scripts governance (push) Has been cancelled Details Generic: Repo Health / Repository health (push) Has been cancelled Details Generic: Repo Health / Report Issues (push) Has been cancelled Details	2026-06-02 20:38:39 +00:00
Moko Consulting	65b48b65ba	chore(ci): add CI issue reporter for auto-filing gate failures Generic: Repo Health / Site Health (push) Has been skipped Details Generic: Repo Health / Access control (push) Successful in 1s Details Generic: Repo Health / Release configuration (push) Has been cancelled Details Generic: Repo Health / Scripts governance (push) Has been cancelled Details Generic: Repo Health / Repository health (push) Has been cancelled Details Generic: Repo Health / Report Issues (push) Has been cancelled Details	2026-06-02 20:38:38 +00:00
jmiller	173c868a56	chore: sync .mokogitea/workflows/cascade-dev.yml from moko-platform [skip ci]	2026-05-31 01:42:52 +00:00
jmiller	7836522d8a	chore: sync CONTRIBUTING.md from moko-platform [skip ci]	2026-05-31 01:10:54 +00:00
jmiller	786ce1b14a	chore: add .mokogitea/workflows/pr-check.yml from moko-platform [skip ci]	2026-05-30 16:02:17 +00:00
jmiller	f5fd4ac8da	chore: sync CONTRIBUTING.md from moko-platform [skip ci]	2026-05-30 15:00:27 +00:00
jmiller	6f67bf97bd	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-30 14:56:55 +00:00
jmiller	d947a0e259	chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci]	2026-05-30 14:54:57 +00:00
jmiller	334c90fa02	chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci]	2026-05-30 05:52:02 +00:00
jmiller	bbca20d795	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-30 03:41:55 +00:00
jmiller	705e2a2eaf	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-30 01:15:35 +00:00
jmiller	61ce28c29e	chore: add .mokogitea/branch-protection.yml from moko-platform [skip ci]	2026-05-29 10:30:49 +00:00
jmiller	efd604808e	chore: add CONTRIBUTING.md from moko-platform [skip ci]	2026-05-29 10:28:12 +00:00
jmiller	92efb3b4de	chore: add .mokogitea/workflows/branch-cleanup.yml from moko-platform [skip ci]	2026-05-29 10:26:36 +00:00
jmiller	6ae4ff9b83	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-29 10:25:09 +00:00
jmiller	f0501d562c	chore: sync .mokogitea/workflows/auto-bump.yml from moko-platform [skip ci]	2026-05-29 10:23:40 +00:00
jmiller	4606bec029	chore: sync updates.xml from development [skip ci]	2026-05-29 05:29:03 +00:00
jmiller	91e9a1005a	chore: sync updates.xml from development [skip ci]	2026-05-29 05:13:42 +00:00
jmiller	f4c4daee05	chore: sync updates.xml from development [skip ci]	2026-05-29 03:56:03 +00:00
jmiller	6696d08607	chore: sync updates.xml from development [skip ci]	2026-05-29 03:52:44 +00:00
jmiller	1150455e43	chore: sync updates.xml from development [skip ci]	2026-05-29 03:48:33 +00:00
jmiller	b78609c929	chore: sync updates.xml from development [skip ci]	2026-05-29 03:33:54 +00:00
jmiller	1b40c627e2	chore: sync updates.xml from development [skip ci]	2026-05-29 00:14:14 +00:00
jmiller	3a57ae1584	chore: sync updates.xml from development [skip ci]	2026-05-28 23:56:28 +00:00
jmiller	baacbb82a7	chore: sync updates.xml from development [skip ci]	2026-05-28 23:47:06 +00:00
jmiller	493666cabb	chore: sync updates.xml from development [skip ci]	2026-05-28 22:40:19 +00:00
jmiller	a6be4af9d0	chore: sync updates.xml from development [skip ci]	2026-05-28 22:05:04 +00:00
jmiller	bc5976ef1a	chore: sync updates.xml from development [skip ci]	2026-05-28 21:51:15 +00:00
jmiller	e25846fded	chore: sync .mokogitea/workflows/pre-release.yml from moko-platform [skip ci]	2026-05-28 20:54:27 +00:00
jmiller	466448719b	chore: sync .mokogitea/workflows/update-server.yml from moko-platform [skip ci]	2026-05-28 20:49:20 +00:00
jmiller	37edd57f85	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-28 20:44:39 +00:00
jmiller	2df322841e	chore: sync updates.xml from development [skip ci]	2026-05-28 20:38:49 +00:00
jmiller	302851abb7	chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]	2026-05-28 20:38:43 +00:00
jmiller	ea4e211175	chore: sync updates.xml from development [skip ci]	2026-05-28 20:06:51 +00:00
jmiller	48b2745c42	chore: sync updates.xml from development [skip ci]	2026-05-28 19:53:46 +00:00
jmiller	abc73045be	chore: sync updates.xml from development [skip ci]	2026-05-28 19:41:42 +00:00
jmiller	c244751bb0	chore: sync updates.xml from development [skip ci]	2026-05-28 19:33:23 +00:00
jmiller	6cd06d0aa0	chore: sync updates.xml from development [skip ci]	2026-05-28 19:00:06 +00:00
jmiller	21fde78e08	chore: sync updates.xml from development [skip ci]	2026-05-28 18:42:23 +00:00
jmiller	be850dc676	chore: sync updates.xml from [skip ci]	2026-05-28 18:36:32 +00:00
jmiller	54ea3f46e0	chore: sync updates.xml from [skip ci]	2026-05-28 18:29:40 +00:00
jmiller	988c3a1ef6	chore: sync updates.xml from [skip ci]	2026-05-28 18:19:52 +00:00
jmiller	84da84b62d	chore: sync updates.xml from [skip ci]	2026-05-28 18:11:33 +00:00
jmiller	8dc3234bd4	chore: sync updates.xml from [skip ci]	2026-05-28 17:55:20 +00:00