MokoOnyx v01.00.00 — initial release (successor to MokoCassiopeia)

All files renamed from mokocassiopeia to mokoonyx. Update server points to MokoOnyx repo. Bridge migration removed (clean standalone template). Version reset to 01.00.00. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-19 17:19:03 -05:00
parent 3ba2214614
commit 8258ed804a
238 changed files with 85443 additions and 2 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,185 @@
+<!--
+ Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
+
+ This file is part of a Moko Consulting project.
+
+ SPDX-License-Identifier: GPL-3.0-or-later
+
+ # FILE INFORMATION
+ DEFGROUP: Joomla.Template
+ INGROUP: MokoOnyx.Governance
+ REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoOnyx
+ FILE: SECURITY.md
+ VERSION: 03.09.03
+ BRIEF: Security policy and vulnerability reporting process for MokoOnyx.
+ PATH: /SECURITY.md
+ NOTE: This policy is process oriented and does not replace secure engineering practices.
+-->
+
+## Security Policy
+
+This document defines how MokoOnyx handles vulnerability intake, triage, remediation, and disclosure. The objective is to reduce risk, protect downstream users, and preserve operational continuity with a verifiable audit trail.
+
+## Scope
+
+This policy applies to:
+
+* Repository source code, workflows, scripts, and build artifacts.
+* Release packaging (ZIP outputs) generated from the repository.
+* Configuration and metadata used for distribution (for example manifests and update metadata).
+
+Out of scope:
+
+* Vulnerabilities in upstream Joomla core, third party extensions, or external infrastructure not controlled by this repository.
+* Issues that require physical access to a host, compromised administrator credentials, or a compromised hosting provider, unless the repository materially increases impact.
+
+## Supported Versions
+
+Security fixes are prioritized for:
+
+* The latest released version.
+* The current development line when it is actively used for release engineering.
+
+Backports may be provided based on impact, deployment footprint, and engineering capacity.
+
+## Reporting a Vulnerability
+
+Use one of the following channels:
+
+* GitHub Security Advisories (preferred): use the repository security tab to submit a private report.
+* Email: send details to `hello@mokoconsulting.tech` with subject `SECURITY: MokoOnyx vulnerability report`.
+
+Do not file a public GitHub issue for suspected security vulnerabilities.
+
+### What to include
+
+Provide enough detail to reproduce and triage:
+
+* A clear description of the vulnerability and expected impact.
+* A minimal proof of concept or reproduction steps.
+* Affected versions, configuration assumptions, and environment details.
+* Any proposed mitigation or patch.
+* Your preferred contact details for follow up.
+
+## Triage and Response Targets
+
+The project operates with response targets aligned to practical delivery realities:
+
+* **Acknowledgement:** within 3 business days.
+* **Initial triage:** within 10 business days.
+* **Fix plan:** communicated once severity is confirmed.
+
+These targets are not guarantees. Complex issues, supply chain considerations, and coordination with upstream vendors may extend timelines.
+
+## Severity Assessment
+
+Issues are triaged based on business impact and technical exploitability, including:
+
+* Remote exploitability and required privileges.
+* Data confidentiality, integrity, and availability impact.
+* Likelihood of exploitation in typical Joomla deployments.
+* Exposure surface (public endpoints, administrator area, installation flows, and update mechanisms).
+
+When appropriate, industry standard scoring such as CVSS may be used for internal prioritization.
+
+## Coordinated Disclosure
+
+The project follows coordinated vulnerability disclosure:
+
+* Reports are treated as confidential until remediation is available.
+* A public advisory may be published once a fix is released.
+* A reasonable embargo period is expected to enable patch distribution.
+
+If you believe disclosure is time sensitive due to active exploitation, include that assessment and any supporting indicators.
+
+## Security Updates and Advisories
+
+Security updates are distributed through:
+
+* GitHub releases for the repository.
+* GitHub Security Advisories when applicable.
+
+Advisories may include:
+
+* Affected versions and fixed versions.
+* Mitigations and workarounds when a fix is not immediately available.
+* Upgrade guidance.
+
+## Dependencies and Supply Chain Controls
+
+The project aims to manage supply chain risk through:
+
+* Pinning and review of workflow dependencies where feasible.
+* Minimizing privileged GitHub token permissions.
+* Validating build inputs prior to packaging releases.
+
+If you identify a supply chain issue (for example compromised action, dependency confusion, or malicious upstream artifact), report it as a vulnerability.
+
+## Secure Development and CI Expectations
+
+Security posture is reinforced through operational controls:
+
+* CI validation for packaging inputs and manifest integrity.
+* Consistent path normalization and whitespace hygiene checks where required for release correctness.
+* Least privilege for GitHub Actions permissions.
+
+### Template Security Features
+
+**Custom Head Content Injection**
+
+The template provides Custom Head Code fields (`custom_head_start` and `custom_head_end`) that allow administrators to inject custom HTML, CSS, and JavaScript code. This is an intentional feature for:
+
+* Adding analytics scripts (Google Analytics, Google Tag Manager)
+* Custom meta tags
+* Third-party integrations
+* Custom styling
+
+**Security Considerations:**
+
+* These fields use `filter="raw"` to allow HTML/JS injection
+* **Access is restricted to Joomla administrators only** via template configuration
+* This is not an XSS vulnerability as it requires administrator privileges
+* Administrators should only add trusted code from verified sources
+* Regular security audits should review custom head content
+
+This policy does not guarantee that all vulnerabilities will be prevented. It defines how risk is managed when issues are discovered.
+
+## Safe Harbor
+
+The project supports good faith security research. When you:
+
+* Avoid privacy violations, data destruction, and service disruption.
+* Limit testing to systems you own or have explicit permission to test.
+* Provide a reasonable window for coordinated disclosure.
+
+Then the project will treat your report as a constructive security contribution.
+
+Jurisdiction note: this repository is managed from Tennessee, USA. This note is informational only and does not constitute legal advice.
+
+## Public Communications
+
+Only maintainers will publish security advisories or public statements for confirmed vulnerabilities. Public communication will focus on actionable remediation and operational risk reduction.
+
+## Acknowledgements
+
+If you want credit, include the name or handle to list in an advisory. If you prefer anonymity, state that explicitly.
+
+---
+
+## Metadata
+
+* **Document:** SECURITY.md
+* **Repository:** [https://git.mokoconsulting.tech/MokoConsulting/MokoOnyx](https://git.mokoconsulting.tech/MokoConsulting/MokoOnyx)
+* **Path:** /SECURITY.md
+* **Owner:** Moko Consulting
+* **Version:** 03.06.00
+* **Status:** Active
+* **Effective Date:** 2025-12-18
+* **Last Reviewed:** 2025-12-18
+
+## Revision History
+
+| Date       | Change Summary                                                                                   | Author          |
+| ---------- | ------------------------------------------------------------------------------------------------ | --------------- |
+| 2026-01-30 | Added Template Security Features section documenting custom head content injection controls.    | Copilot Agent   |
+| 2025-12-18 | Initial publication of security policy, intake channels, triage targets, and disclosure process. | Moko Consulting |