chore(release): build 01.07.00 [skip ci]

Merge PR #21: feat: DonorRetentionHelper — LYBUNT/SYBUNT, retention rates

.mokogitea/workflows/auto-release.yml

@@ -205,6 +205,12 @@ jobs:
             echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
           fi
 
+      - name: "Detect platform"
+        id: platform
+        run: |
+          php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
+          php ${MOKO_CLI}/manifest_read.php --path . --github-output 2>/dev/null || true
+
       - name: "Determine version bump level"
         id: bump
         run: |
@@ -228,6 +234,18 @@ jobs:
             --path . --stability stable ${BUMP_FLAG} --branch main \
             --token "${{ secrets.MOKOGITEA_TOKEN }}"
 
+      - name: "Read published version"
+        id: version
+        run: |
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "")
+          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
+          [ -z "$VERSION" ] && VERSION="00.00.00" && echo "skip=true" >> "$GITHUB_OUTPUT"
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "tag=stable" >> "$GITHUB_OUTPUT"
+          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
+          echo "branch=main" >> "$GITHUB_OUTPUT"
+          echo "Published version: ${VERSION}"
+
       - name: Update release notes and promote changelog
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"

.mokogitea/workflows/cascade-dev.yml

@@ -0,0 +1,10 @@
+# DISABLED — auto-release Step 11 recreates dev from main after every release.
+# Cascade-dev is redundant and causes version conflicts when both main and dev
+# have different version numbers in templateDetails.xml / manifest.xml.
+name: "Cascade Main → Dev (DISABLED)"
+on: workflow_dispatch
+jobs:
+  noop:
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Cascade disabled — auto-release handles dev recreation"

.mokogitea/workflows/ci-generic.yml

@@ -0,0 +1,191 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.CI
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/Template-Generic
+# PATH: /.gitea/workflows/ci-generic.yml
+# VERSION: 01.00.00
+# BRIEF: CI pipeline — lint, validate, and test for generic projects (PHP + Node.js)
+
+name: "Generic: Project CI"
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Lint & Validate ───────────────────────────────────────────────────
+  lint:
+    name: Lint & Validate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect toolchain
+        id: detect
+        run: |
+          HAS_PHP=false
+          HAS_NODE=false
+          [ -f "composer.json" ] && HAS_PHP=true
+          [ -f "package.json" ] && HAS_NODE=true
+          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
+          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
+          echo "Toolchain: PHP=$HAS_PHP Node=$HAS_NODE"
+
+      - name: Setup PHP
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+          php -v
+
+      - name: Setup Node.js
+        if: steps.detect.outputs.has_node == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install PHP dependencies
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "composer.json" ]; then
+            composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
+          fi
+
+      - name: Install Node.js dependencies
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "package.json" ]; then
+            npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true
+          fi
+
+      - name: PHP syntax check
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              echo "::error file=${file}::PHP syntax error"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -not -path "./node_modules/*" -print0)
+
+          echo "## PHP Lint" >> $GITHUB_STEP_SUMMARY
+          if [ "$ERRORS" -eq 0 ]; then
+            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "${ERRORS} file(s) with syntax errors." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: TypeScript/JavaScript lint
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "node_modules/.bin/eslint" ]; then
+            npx eslint src/ --quiet 2>&1 || { echo "::error::ESLint errors found"; exit 1; }
+            echo "## ESLint" >> $GITHUB_STEP_SUMMARY
+            echo "All files passed ESLint." >> $GITHUB_STEP_SUMMARY
+          elif [ -f ".eslintrc.json" ] || [ -f ".eslintrc.js" ] || [ -f "eslint.config.js" ]; then
+            echo "::warning::ESLint config found but eslint not installed"
+          else
+            echo "No ESLint configured — skipping"
+          fi
+
+      - name: TypeScript compile check
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if [ -f "tsconfig.json" ] && [ -f "node_modules/.bin/tsc" ]; then
+            npx tsc --noEmit 2>&1 || { echo "::error::TypeScript compilation errors"; exit 1; }
+            echo "## TypeScript" >> $GITHUB_STEP_SUMMARY
+            echo "TypeScript compilation passed." >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: PHPStan static analysis
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "phpstan.neon" ] && [ -f "vendor/bin/phpstan" ]; then
+            vendor/bin/phpstan analyse --no-progress 2>&1 || { echo "::warning::PHPStan found issues"; }
+          fi
+
+  # ── Tests ─────────────────────────────────────────────────────────────
+  test:
+    name: Tests
+    runs-on: ubuntu-latest
+    needs: lint
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect toolchain
+        id: detect
+        run: |
+          HAS_PHP=false
+          HAS_NODE=false
+          [ -f "composer.json" ] && HAS_PHP=true
+          [ -f "package.json" ] && HAS_NODE=true
+          echo "has_php=$HAS_PHP" >> "$GITHUB_OUTPUT"
+          echo "has_node=$HAS_NODE" >> "$GITHUB_OUTPUT"
+
+      - name: Setup PHP
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+
+      - name: Setup Node.js
+        if: steps.detect.outputs.has_node == 'true'
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          [ -f "composer.json" ] && composer install --no-interaction --prefer-dist --quiet 2>/dev/null || true
+          [ -f "package.json" ] && { npm ci --quiet 2>/dev/null || npm install --quiet 2>/dev/null || true; }
+
+      - name: Run PHP tests
+        if: steps.detect.outputs.has_php == 'true'
+        run: |
+          if [ -f "vendor/bin/phpunit" ]; then
+            vendor/bin/phpunit --testdox 2>&1
+            echo "## PHPUnit" >> $GITHUB_STEP_SUMMARY
+            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
+          elif [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
+            echo "::warning::PHPUnit config found but phpunit not installed"
+          else
+            echo "No PHPUnit configured — skipping"
+          fi
+
+      - name: Run Node.js tests
+        if: steps.detect.outputs.has_node == 'true'
+        run: |
+          if jq -e '.scripts.test' package.json > /dev/null 2>&1; then
+            npm test 2>&1
+            echo "## Node.js Tests" >> $GITHUB_STEP_SUMMARY
+            echo "Tests passed." >> $GITHUB_STEP_SUMMARY
+          else
+            echo "No test script in package.json — skipping"
+          fi
+
+      - name: Build check
+        run: |
+          if [ -f "Makefile" ]; then
+            make build 2>&1 || echo "::warning::Build failed or not configured"
+          elif [ -f "package.json" ] && jq -e '.scripts.build' package.json > /dev/null 2>&1; then
+            npm run build 2>&1 || echo "::warning::Build failed"
+          fi

.mokogitea/workflows/cleanup.yml

@@ -0,0 +1,87 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Maintenance
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/cleanup.yml
+# VERSION: 01.00.00
+# BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
+
+name: "Universal: Repository Cleanup"
+
+on:
+  schedule:
+    - cron: '0 3 * * 0'  # Weekly on Sunday at 03:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  cleanup:
+    name: Clean Merged Branches
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GA_TOKEN }}
+
+      - name: Delete merged branches
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          echo "=== Merged Branch Cleanup ==="
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+
+          # List branches via API
+          BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/branches?limit=50" | jq -r '.[].name')
+
+          DELETED=0
+          for BRANCH in $BRANCHES; do
+            # Skip protected branches
+            case "$BRANCH" in
+              main|master|develop|release/*|hotfix/*) continue ;;
+            esac
+
+            # Check if branch is merged into main
+            if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
+              echo "  Deleting merged branch: ${BRANCH}"
+              curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/branches/${BRANCH}" 2>/dev/null || true
+              DELETED=$((DELETED + 1))
+            fi
+          done
+
+          echo "Deleted ${DELETED} merged branch(es)"
+
+      - name: Clean old workflow runs
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          echo "=== Workflow Run Cleanup ==="
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
+
+          # Get old completed runs
+          RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/actions/runs?status=completed&limit=50" | \
+            jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
+
+          DELETED=0
+          for RUN_ID in $RUNS; do
+            curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
+            DELETED=$((DELETED + 1))
+          done
+
+          echo "Deleted ${DELETED} old workflow run(s)"

.mokogitea/workflows/composer-publish.yml

@@ -0,0 +1,76 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+name: "Publish to Composer"
+
+on:
+  push:
+    tags:
+      - 'v*'
+      - '[0-9]*.[0-9]*.[0-9]*'
+  release:
+    types: [published]
+  workflow_dispatch:
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  publish:
+    name: Publish Package
+    runs-on: ubuntu-latest
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip publish]')
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+
+      - name: Install dependencies
+        run: composer install --no-dev --no-interaction --prefer-dist --quiet
+
+      - name: Determine version
+        id: version
+        run: |
+          VERSION=$(php -r "echo json_decode(file_get_contents('composer.json'))->version;")
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Package version: ${VERSION}"
+
+      # Gitea Composer Registry — auto-publishes from tags
+      # The tag push itself registers the package at:
+      # https://git.mokoconsulting.tech/api/packages/MokoConsulting/composer
+      - name: Verify Gitea registry
+        run: |
+          echo "Gitea Composer registry auto-publishes from tags."
+          echo "Package available at: ${GITEA_URL}/api/packages/MokoConsulting/composer"
+          echo "Install: composer require mokoconsulting/mokocli"
+
+      # Packagist — notify of new version
+      - name: Notify Packagist
+        if: secrets.PACKAGIST_TOKEN != ''
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "Notifying Packagist of version ${VERSION}..."
+          curl -sf -X POST \
+            -H "Content-Type: application/json" \
+            -d '{"repository":{"url":"https://git.mokoconsulting.tech/MokoConsulting/mokocli"}}' \
+            "https://packagist.org/api/update-package?username=mokoconsulting&apiToken=${{ secrets.PACKAGIST_TOKEN }}" \
+            && echo "Packagist notified" \
+            || echo "::warning::Packagist notification failed (package may not be registered yet)"
+
+      - name: Summary
+        run: |
+          VERSION="${{ steps.version.outputs.version }}"
+          echo "## Composer Package Published" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Registry | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|----------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Gitea | \`composer require mokoconsulting/mokocli:${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Packagist | \`composer require mokoconsulting/mokocli\` |" >> $GITHUB_STEP_SUMMARY

.mokogitea/workflows/deploy-manual.yml

@@ -0,0 +1,126 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Deploy
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+# PATH: /templates/workflows/joomla/deploy-manual.yml.template
+# VERSION: 04.07.00
+# BRIEF: Manual SFTP deploy to dev server for Joomla repos
+
+name: "Universal: Deploy to Dev (Manual)"
+
+on:
+  workflow_dispatch:
+    inputs:
+      clear_remote:
+        description: 'Delete all remote files before uploading'
+        required: false
+        default: 'false'
+        type: boolean
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    name: SFTP Deploy to Dev
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Setup PHP
+        run: |
+          php -v && composer --version
+
+      - name: Setup MokoStandards tools
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+        run: |
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
+            /tmp/mokostandards-api 2>/dev/null || true
+          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
+            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+
+      - name: Check FTP configuration
+        id: check
+        env:
+          HOST: ${{ vars.DEV_FTP_HOST }}
+          PATH_VAR: ${{ vars.DEV_FTP_PATH }}
+          PORT: ${{ vars.DEV_FTP_PORT }}
+        run: |
+          if [ -z "$HOST" ] || [ -z "$PATH_VAR" ]; then
+            echo "DEV_FTP_HOST or DEV_FTP_PATH not configured -- cannot deploy"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+          echo "host=$HOST" >> "$GITHUB_OUTPUT"
+
+          REMOTE="${PATH_VAR%/}"
+          echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"
+
+          [ -z "$PORT" ] && PORT="22"
+          echo "port=$PORT" >> "$GITHUB_OUTPUT"
+
+      - name: Deploy via SFTP
+        if: steps.check.outputs.skip != 'true'
+        env:
+          SFTP_KEY: ${{ secrets.DEV_FTP_KEY }}
+          SFTP_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
+          SFTP_USER: ${{ vars.DEV_FTP_USERNAME }}
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ -- nothing to deploy"; exit 0; }
+
+          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
+            "${{ steps.check.outputs.host }}" "${{ steps.check.outputs.port }}" "$SFTP_USER" "${{ steps.check.outputs.remote }}" \
+            > /tmp/sftp-config.json
+
+          if [ -n "$SFTP_KEY" ]; then
+            echo "$SFTP_KEY" > /tmp/deploy_key
+            chmod 600 /tmp/deploy_key
+            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
+          else
+            printf ',"password":"%s"}' "$SFTP_PASS" >> /tmp/sftp-config.json
+          fi
+
+          DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
+          [ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)
+
+          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
+            php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
+          else
+            php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
+          fi
+
+          rm -f /tmp/deploy_key /tmp/sftp-config.json
+
+      - name: Summary
+        if: always()
+        run: |
+          if [ "${{ steps.check.outputs.skip }}" = "true" ]; then
+            echo "### Deploy Skipped -- FTP not configured" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "### Manual Dev Deploy Complete" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+            echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Host | \`${{ steps.check.outputs.host }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Remote | \`${{ steps.check.outputs.remote }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Clear | ${{ inputs.clear_remote }} |" >> $GITHUB_STEP_SUMMARY
+          fi

.mokogitea/workflows/gitleaks.yml

@@ -0,0 +1,92 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# PATH: /templates/workflows/gitleaks.yml.template
+# VERSION: 01.00.00
+# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
+#
+# +========================================================================+
+# |                        SECRET SCANNING                                 |
+# +========================================================================+
+# |                                                                        |
+# |  Scans commits for leaked secrets using Gitleaks.                      |
+# |                                                                        |
+# |  - PR scan: only new commits in the PR                                 |
+# |  - Scheduled: full repo scan weekly                                    |
+# |  - Alerts via ntfy on findings                                         |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Secret Scanning"
+
+on:
+  schedule:
+    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  gitleaks:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          GITLEAKS_VERSION="8.21.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - name: Scan for secrets
+        id: scan
+        run: |
+          echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
+          ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
+
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # Scan only PR commits
+            ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
+            echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if gitleaks detect $ARGS 2>&1; then
+            echo "result=clean" >> "$GITHUB_OUTPUT"
+            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "result=found" >> "$GITHUB_OUTPUT"
+            FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
+            echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: Notify on findings
+        if: failure() && steps.scan.outputs.result == 'found'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} — secrets detected in code" \
+            -H "Tags: rotating_light,key" \
+            -H "Priority: urgent" \
+            -d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true

.mokogitea/workflows/issue-branch.yml

@@ -0,0 +1,73 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Automation
+# VERSION: 01.07.00
+# BRIEF: Auto-create feature branch when an issue is opened
+
+name: "Universal: Issue Branch"
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: write
+  issues: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  create-branch:
+    name: Create feature branch
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create branch and comment
+        run: |
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          ISSUE_NUM="${{ github.event.issue.number }}"
+          ISSUE_TITLE="${{ github.event.issue.title }}"
+
+          # Build slug from title: lowercase, replace non-alnum with dash, trim
+          SLUG=$(echo "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
+          BRANCH="feature/${ISSUE_NUM}-${SLUG}"
+
+          # Check dev branch exists
+          DEV_EXISTS=$(curl -sf -o /dev/null -w '%{http_code}' \
+            -H "Authorization: token ${TOKEN}" \
+            "${API}/branches/dev" 2>/dev/null || echo "000")
+
+          if [ "${DEV_EXISTS}" != "200" ]; then
+            echo "No dev branch -- skipping"
+            exit 0
+          fi
+
+          # Create branch from dev
+          HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
+            -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API}/branches" \
+            -d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"dev\"}" 2>/dev/null || echo "000")
+
+          if [ "${HTTP}" = "201" ]; then
+            echo "Created branch: ${BRANCH}"
+
+            # Comment on issue with branch link
+            REPO_URL="${GITEA_URL}/${{ github.repository }}"
+            BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
+
+            curl -sf -X POST \
+              -H "Authorization: token ${TOKEN}" \
+              -H "Content-Type: application/json" \
+              "${API}/issues/${ISSUE_NUM}/comments" \
+              -d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
+
+            echo "Commented on issue #${ISSUE_NUM}"
+          else
+            echo "Failed to create branch (HTTP ${HTTP}) -- may already exist"
+          fi

.mokogitea/workflows/notify.yml

@@ -0,0 +1,70 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Notifications
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/notify.yml
+# VERSION: 01.00.00
+# BRIEF: Push notifications via ntfy on release success or workflow failure
+
+name: "Universal: Notifications"
+
+on:
+  workflow_run:
+    workflows:
+      - "Joomla Build & Release"
+      - "Joomla Extension CI"
+      - "Deploy"
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-releases' }}
+
+jobs:
+  notify:
+    name: Send Notification
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.workflow_run.conclusion == 'success' ||
+      github.event.workflow_run.conclusion == 'failure'
+
+    steps:
+      - name: Notify on success (releases only)
+        if: >-
+          github.event.workflow_run.conclusion == 'success' &&
+          contains(github.event.workflow_run.name, 'Release')
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} released" \
+            -H "Tags: white_check_mark,package" \
+            -H "Priority: default" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} completed successfully." \
+            "${NTFY_URL}/${NTFY_TOPIC}"
+
+      - name: Notify on failure
+        if: github.event.workflow_run.conclusion == 'failure'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} workflow failed" \
+            -H "Tags: x,warning" \
+            -H "Priority: high" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} failed. Check the run for details." \
+            "${NTFY_URL}/${NTFY_TOPIC}"

.mokogitea/workflows/pr-check.yml

@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokocli.CI
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
+# INGROUP: moko-platform.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
 # PATH: /templates/workflows/universal/pr-check.yml.template
 # VERSION: 09.23.00
 # BRIEF: PR gate — branch policy + code validation before merge
@@ -96,6 +96,32 @@ jobs:
           echo "Branch policy: OK (${HEAD} → ${BASE})"
           echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
 
+  # ── Secret Scanning ──────────────────────────────────────────────────
+  gitleaks:
+    name: Secret Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          GITLEAKS_VERSION="8.21.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+
+      - name: Scan PR commits for secrets
+        run: |
+          if gitleaks detect --source . --verbose \
+            --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} 2>&1; then
+            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::error::Potential secrets detected in PR commits"
+            exit 1
+          fi
+
   # ── Code Validation ────────────────────────────────────────────────────
   validate:
     name: Validate PR

.mokogitea/workflows/rc-revert.yml

@@ -0,0 +1,66 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /.mokogitea/workflows/rc-revert.yml
+# VERSION: 09.23.00
+# BRIEF: Rename rc/ branch back to dev/ when PR is closed without merge
+
+name: "RC Revert"
+
+on:
+  pull_request:
+    types: [closed]
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  revert:
+    name: Rename rc/ back to dev/
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == false &&
+      startsWith(github.event.pull_request.head.ref, 'rc/')
+
+    steps:
+      - name: Rename branch
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          SUFFIX="${BRANCH#rc/}"
+          DEV_BRANCH="dev/${SUFFIX}"
+          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Create dev/ branch from rc/ branch
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X POST \
+            -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"new_branch_name\": \"${DEV_BRANCH}\", \"old_branch_name\": \"${BRANCH}\"}" \
+            "${API}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "201" ]; then
+            echo "Created branch: ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::error::Failed to create ${DEV_BRANCH} from ${BRANCH} (HTTP ${STATUS})"
+            exit 1
+          fi
+
+          # Delete rc/ branch
+          ENCODED=$(php -r "echo rawurlencode('${BRANCH}');")
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
+            -H "Authorization: token ${TOKEN}" \
+            "${API}/${ENCODED}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "204" ]; then
+            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::warning::Failed to delete ${BRANCH} (HTTP ${STATUS})"
+          fi
+
+          echo "### RC Reverted" >> $GITHUB_STEP_SUMMARY
+          echo "${BRANCH} → ${DEV_BRANCH}" >> $GITHUB_STEP_SUMMARY

.mokogitea/workflows/security-audit.yml

@@ -0,0 +1,82 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/security-audit.yml
+# VERSION: 01.00.00
+# BRIEF: Dependency vulnerability scanning for composer and npm packages
+
+name: "Universal: Security Audit"
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'composer.json'
+      - 'composer.lock'
+      - 'package.json'
+      - 'package-lock.json'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Composer audit
+        if: hashFiles('composer.lock') != ''
+        run: |
+          echo "=== Composer Security Audit ==="
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
+          fi
+          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
+          RESULT=$?
+          if [ $RESULT -ne 0 ]; then
+            echo "::warning::Composer vulnerabilities found"
+            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
+          else
+            echo "No known vulnerabilities in composer dependencies"
+          fi
+
+      - name: NPM audit
+        if: hashFiles('package-lock.json') != ''
+        run: |
+          echo "=== NPM Security Audit ==="
+          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
+          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
+            echo "No known vulnerabilities in npm dependencies"
+          else
+            echo "::warning::NPM vulnerabilities found"
+            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
+          fi
+
+      - name: Notify on vulnerabilities
+        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} has vulnerable dependencies" \
+            -H "Tags: lock,warning" \
+            -H "Priority: high" \
+            -d "Security audit found vulnerabilities. Review dependency updates." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true

.mokogitea/workflows/workflow-sync-trigger.yml

@@ -0,0 +1,73 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: mokocli.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+# PATH: /.mokogitea/workflows/workflow-sync-trigger.yml
+# VERSION: 01.01.00
+# BRIEF: Trigger workflow sync to live repos when a PR is merged to main
+
+name: "Universal: Workflow Sync Trigger"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  sync:
+    name: Sync workflows to live repos
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      !contains(github.event.pull_request.title, '[skip sync]')
+
+    steps:
+      - name: Determine platform from repo name
+        id: platform
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          case "$REPO" in
+            Template-Joomla)   PLATFORM="joomla" ;;
+            Template-Dolibarr) PLATFORM="dolibarr" ;;
+            Template-Go)       PLATFORM="go" ;;
+            Template-MCP)      PLATFORM="mcp" ;;
+            Template-Generic)  PLATFORM="" ;;
+            *)                 PLATFORM="" ;;
+          esac
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+          echo "Platform: ${PLATFORM:-all}"
+
+      - name: Clone mokocli
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          GITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
+          git clone --depth 1 "${GITEA_URL}/MokoConsulting/mokocli.git" /tmp/mokocli
+
+      - name: Install dependencies
+        run: |
+          cd /tmp/mokocli
+          composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+
+      - name: Run workflow sync
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          ARGS="--token ${MOKOGITEA_TOKEN}"
+          ARGS="${ARGS} --org ${{ vars.GITEA_ORG || github.repository_owner }}"
+          ARGS="${ARGS} --phase repos"
+
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ -n "$PLATFORM" ]; then
+            ARGS="${ARGS} --platform-filter ${PLATFORM}"
+          fi
+
+          php /tmp/mokocli/cli/workflow_sync.php ${ARGS}

source/packages/com_mokosuitenpo/api/src/Controller/NpoReportsController.php

@@ -85,11 +85,30 @@ class NpoReportsController extends BaseController
 		$id = Factory::getApplication()->getInput()->getInt('id', 0);
 
 		$db = Factory::getContainer()->get(\Joomla\Database\DatabaseInterface::class);
+
+		// Verify pledge exists and is active before cancelling
+		$db->setQuery($db->getQuery(true)
+			->select('id, status')
+			->from('#__mokosuitenpo_pledges')
+			->where('id = ' . (int) $id));
+		$pledge = $db->loadObject();
+
+		if (!$pledge) {
+			http_response_code(404);
+			$this->sendJson(['success' => false, 'error' => 'Pledge not found']);
+			return;
+		}
+		if ($pledge->status !== 'active') {
+			$this->sendJson(['success' => false, 'error' => 'Pledge is not active']);
+			return;
+		}
+
 		$db->setQuery($db->getQuery(true)
 			->update('#__mokosuitenpo_pledges')
 			->set($db->quoteName('status') . ' = ' . $db->quote('cancelled'))
 			->set($db->quoteName('cancelled_at') . ' = ' . $db->quote(Factory::getDate()->toSql()))
-			->where('id = ' . (int) $id));
+			->where('id = ' . (int) $id)
+			->where($db->quoteName('status') . ' = ' . $db->quote('active')));
 		$db->execute();
 
 		$this->sendJson(['success' => true]);

source/packages/com_mokosuitenpo/mokosuitenpo.xml

@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>01.02.00</version>
+	<version>01.07.00</version>
 	<php_minimum>8.3</php_minimum>
 	<description>MokoSuite NPO component</description>
 	<namespace path="src">Moko\Component\MokoSuiteNpo</namespace>

source/packages/com_mokosuitenpo/site/src/View/ThankYou/HtmlView.php

@@ -0,0 +1,52 @@
+<?php
+namespace Moko\Component\MokoSuiteNpo\Site\View\ThankYou;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\MVC\View\HtmlView as BaseHtmlView;
+use Joomla\Database\DatabaseInterface;
+
+/**
+ * Donation thank-you page — displays after successful donation with receipt info.
+ */
+class HtmlView extends BaseHtmlView
+{
+	public ?object $donation = null;
+	public ?object $receipt = null;
+
+	public function display($tpl = null): void
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+		$donationId = Factory::getApplication()->getInput()->getInt('id', 0);
+		$token = Factory::getApplication()->getInput()->getString('token', '');
+
+		if (!$donationId || !$token) {
+			parent::display($tpl);
+			return;
+		}
+
+		// Verify token matches donation (prevents enumeration)
+		$db->setQuery($db->getQuery(true)
+			->select('d.*, cd.name AS donor_name, f.name AS fund_name, c.title AS campaign_title')
+			->from($db->quoteName('#__mokosuitenpo_donations', 'd'))
+			->join('INNER', $db->quoteName('#__mokosuitenpo_donors', 'don') . ' ON don.id = d.donor_id')
+			->join('LEFT', $db->quoteName('#__contact_details', 'cd') . ' ON cd.id = don.contact_id')
+			->join('LEFT', $db->quoteName('#__mokosuitenpo_funds', 'f') . ' ON f.id = d.fund_id')
+			->join('LEFT', $db->quoteName('#__mokosuitenpo_campaigns', 'c') . ' ON c.id = d.campaign_id')
+			->where('d.id = ' . (int) $donationId)
+			->where($db->quoteName('d.confirmation_token') . ' = ' . $db->quote($token)));
+		$this->donation = $db->loadObject();
+
+		if ($this->donation) {
+			// Get tax receipt if generated
+			$db->setQuery($db->getQuery(true)
+				->select('receipt_number, issued_date, amount')
+				->from('#__mokosuitenpo_tax_receipts')
+				->where('donation_id = ' . (int) $donationId));
+			$this->receipt = $db->loadObject();
+		}
+
+		parent::display($tpl);
+	}
+}

source/packages/plg_system_mokosuitenpo/src/Helper/BoardManagementHelper.php

@@ -0,0 +1,105 @@
+<?php
+namespace Moko\Plugin\System\MokoSuiteNpo\Helper;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\Database\DatabaseInterface;
+
+/**
+ * Board of directors management — member terms, committees, meeting minutes, attendance.
+ */
+class BoardManagementHelper
+{
+	/**
+	 * Get current board members with term status.
+	 */
+	public static function getCurrentMembers(): array
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('bm.*, cd.name, cd.email_to, cd.telephone')
+			->select('CASE WHEN bm.term_end < NOW() THEN ' . $db->quote('expired')
+				. ' WHEN bm.term_end < DATE_ADD(NOW(), INTERVAL 90 DAY) THEN ' . $db->quote('expiring_soon')
+				. ' ELSE ' . $db->quote('active') . ' END AS term_status')
+			->from($db->quoteName('#__mokosuitenpo_board_members', 'bm'))
+			->join('LEFT', $db->quoteName('#__contact_details', 'cd') . ' ON cd.id = bm.contact_id')
+			->where($db->quoteName('bm.status') . ' = ' . $db->quote('active'))
+			->order('bm.role ASC, cd.name ASC'));
+
+		return $db->loadObjectList() ?: [];
+	}
+
+	/**
+	 * Get committee assignments.
+	 */
+	public static function getCommittees(): array
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('c.id, c.name AS committee_name, c.description')
+			->select('(SELECT COUNT(*) FROM #__mokosuitenpo_committee_members cm WHERE cm.committee_id = c.id AND cm.status = ' . $db->quote('active') . ') AS member_count')
+			->select('(SELECT cd2.name FROM #__mokosuitenpo_committee_members cm2'
+				. ' JOIN #__contact_details cd2 ON cd2.id = cm2.contact_id'
+				. ' WHERE cm2.committee_id = c.id AND cm2.role = ' . $db->quote('chair')
+				. ' AND cm2.status = ' . $db->quote('active') . ' LIMIT 1) AS chair_name')
+			->from($db->quoteName('#__mokosuitenpo_committees', 'c'))
+			->where($db->quoteName('c.status') . ' = ' . $db->quote('active'))
+			->order('c.name ASC'));
+
+		return $db->loadObjectList() ?: [];
+	}
+
+	/**
+	 * Get meeting attendance rate for a board member.
+	 */
+	public static function getAttendanceRate(int $contactId, int $months = 12): object
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+		$since = date('Y-m-d', strtotime("-{$months} months"));
+
+		$db->setQuery($db->getQuery(true)
+			->select('COUNT(*) AS total_meetings')
+			->select('SUM(CASE WHEN ma.status = ' . $db->quote('present') . ' THEN 1 ELSE 0 END) AS attended')
+			->select('SUM(CASE WHEN ma.status = ' . $db->quote('absent') . ' THEN 1 ELSE 0 END) AS absent')
+			->select('SUM(CASE WHEN ma.status = ' . $db->quote('excused') . ' THEN 1 ELSE 0 END) AS excused')
+			->from($db->quoteName('#__mokosuitenpo_meeting_attendance', 'ma'))
+			->join('INNER', $db->quoteName('#__mokosuitenpo_meetings', 'm') . ' ON m.id = ma.meeting_id')
+			->where('ma.contact_id = ' . (int) $contactId)
+			->where('m.meeting_date >= ' . $db->quote($since)));
+
+		$stats = $db->loadObject();
+		$total = (int) ($stats->total_meetings ?? 0);
+
+		return (object) [
+			'contact_id'     => $contactId,
+			'total_meetings' => $total,
+			'attended'       => (int) ($stats->attended ?? 0),
+			'absent'         => (int) ($stats->absent ?? 0),
+			'excused'        => (int) ($stats->excused ?? 0),
+			'attendance_pct' => $total > 0 ? round((int) $stats->attended / $total * 100, 1) : 0,
+		];
+	}
+
+	/**
+	 * Get terms expiring within N days.
+	 */
+	public static function getExpiringTerms(int $days = 90): array
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+		$cutoff = date('Y-m-d', strtotime("+{$days} days"));
+
+		$db->setQuery($db->getQuery(true)
+			->select('bm.id, bm.role, bm.term_start, bm.term_end')
+			->select('cd.name, cd.email_to')
+			->from($db->quoteName('#__mokosuitenpo_board_members', 'bm'))
+			->join('LEFT', $db->quoteName('#__contact_details', 'cd') . ' ON cd.id = bm.contact_id')
+			->where($db->quoteName('bm.status') . ' = ' . $db->quote('active'))
+			->where('bm.term_end BETWEEN ' . $db->quote(date('Y-m-d')) . ' AND ' . $db->quote($cutoff))
+			->order('bm.term_end ASC'));
+
+		return $db->loadObjectList() ?: [];
+	}
+}

source/packages/plg_system_mokosuitenpo/src/Helper/DonorRetentionHelper.php

@@ -0,0 +1,120 @@
+<?php
+namespace Moko\Plugin\System\MokoSuiteNpo\Helper;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\Database\DatabaseInterface;
+
+/**
+ * Donor retention analysis — LYBUNT/SYBUNT detection, retention rates, lapsed outreach lists.
+ */
+class DonorRetentionHelper
+{
+	/**
+	 * Get LYBUNT donors — gave Last Year But Unfortunately Not This year.
+	 */
+	public static function getLybunt(int $currentYear = 0): array
+	{
+		$currentYear = $currentYear ?: (int) date('Y');
+		$lastYear = $currentYear - 1;
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('cd.id AS contact_id, cd.name, cd.email_to, cd.telephone')
+			->select('MAX(d.donation_date) AS last_donation_date')
+			->select('SUM(CASE WHEN YEAR(d.donation_date) = ' . $lastYear . ' THEN d.amount ELSE 0 END) AS last_year_total')
+			->from($db->quoteName('#__contact_details', 'cd'))
+			->join('INNER', $db->quoteName('#__mokosuitenpo_donations', 'd') . ' ON d.contact_id = cd.id')
+			->where('YEAR(d.donation_date) = ' . $lastYear)
+			->where('cd.id NOT IN (SELECT d2.contact_id FROM #__mokosuitenpo_donations d2 WHERE YEAR(d2.donation_date) = ' . $currentYear . ')')
+			->group('cd.id, cd.name, cd.email_to, cd.telephone')
+			->order('last_year_total DESC'));
+
+		return $db->loadObjectList() ?: [];
+	}
+
+	/**
+	 * Get SYBUNT donors — gave Some Year But Unfortunately Not This year.
+	 */
+	public static function getSybunt(int $currentYear = 0, int $lookbackYears = 3): array
+	{
+		$currentYear = $currentYear ?: (int) date('Y');
+		$lastYear = $currentYear - 1;
+		$startYear = $currentYear - $lookbackYears;
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('cd.id AS contact_id, cd.name, cd.email_to')
+			->select('COUNT(DISTINCT YEAR(d.donation_date)) AS years_donated')
+			->select('MAX(d.donation_date) AS last_donation_date')
+			->select('SUM(d.amount) AS lifetime_total')
+			->from($db->quoteName('#__contact_details', 'cd'))
+			->join('INNER', $db->quoteName('#__mokosuitenpo_donations', 'd') . ' ON d.contact_id = cd.id')
+			->where('YEAR(d.donation_date) BETWEEN ' . $startYear . ' AND ' . $lastYear)
+			->where('cd.id NOT IN (SELECT d2.contact_id FROM #__mokosuitenpo_donations d2 WHERE YEAR(d2.donation_date) = ' . $currentYear . ')')
+			->group('cd.id, cd.name, cd.email_to')
+			->order('lifetime_total DESC'));
+
+		return $db->loadObjectList() ?: [];
+	}
+
+	/**
+	 * Calculate retention rate — percentage of donors who gave again this year.
+	 */
+	public static function getRetentionRate(int $currentYear = 0): object
+	{
+		$currentYear = $currentYear ?: (int) date('Y');
+		$lastYear = $currentYear - 1;
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('COUNT(DISTINCT d.contact_id) AS last_year_donors')
+			->from($db->quoteName('#__mokosuitenpo_donations', 'd'))
+			->where('YEAR(d.donation_date) = ' . $lastYear));
+		$lastYearDonors = (int) $db->loadResult();
+
+		$db->setQuery($db->getQuery(true)
+			->select('COUNT(DISTINCT d.contact_id) AS retained')
+			->from($db->quoteName('#__mokosuitenpo_donations', 'd'))
+			->where('YEAR(d.donation_date) = ' . $currentYear)
+			->where('d.contact_id IN (SELECT d2.contact_id FROM #__mokosuitenpo_donations d2 WHERE YEAR(d2.donation_date) = ' . $lastYear . ')'));
+		$retained = (int) $db->loadResult();
+
+		return (object) [
+			'last_year_donors' => $lastYearDonors,
+			'retained'         => $retained,
+			'lapsed'           => $lastYearDonors - $retained,
+			'retention_rate'   => $lastYearDonors > 0 ? round($retained / $lastYearDonors * 100, 1) : 0,
+		];
+	}
+
+	/**
+	 * Get donor giving trends — year-over-year comparison.
+	 */
+	public static function getGivingTrends(int $years = 5): array
+	{
+		$currentYear = (int) date('Y');
+		$startYear = $currentYear - $years + 1;
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('YEAR(donation_date) AS year')
+			->select('COUNT(*) AS donation_count')
+			->select('COUNT(DISTINCT contact_id) AS unique_donors')
+			->select('SUM(amount) AS total_amount')
+			->select('AVG(amount) AS avg_donation')
+			->from('#__mokosuitenpo_donations')
+			->where('YEAR(donation_date) BETWEEN ' . $startYear . ' AND ' . $currentYear)
+			->group('YEAR(donation_date)')
+			->order('year ASC'));
+
+		$trends = $db->loadObjectList() ?: [];
+
+		foreach ($trends as &$t) {
+			$t->avg_donation = round((float) $t->avg_donation, 2);
+		}
+
+		return $trends;
+	}
+}

source/packages/plg_system_mokosuitenpo/src/Helper/FundAccountingHelper.php

@@ -0,0 +1,139 @@
+<?php
+namespace Moko\Plugin\System\MokoSuiteNpo\Helper;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\Database\DatabaseInterface;
+
+/**
+ * Fund accounting — restricted vs unrestricted funds, fund balances, GAAP compliance.
+ */
+class FundAccountingHelper
+{
+	/**
+	 * Get fund balances summary.
+	 */
+	public static function getFundBalances(): array
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('f.id, f.name, f.type, f.description')
+			->select('COALESCE((SELECT SUM(d.amount) FROM #__mokosuitenpo_donations d WHERE d.fund_id = f.id), 0) AS total_received')
+			->select('COALESCE((SELECT SUM(e.amount) FROM #__mokosuitenpo_fund_expenses e WHERE e.fund_id = f.id), 0) AS total_spent')
+			->from($db->quoteName('#__mokosuitenpo_funds', 'f'))
+			->where($db->quoteName('f.status') . ' = ' . $db->quote('active'))
+			->order('f.type ASC, f.name ASC'));
+
+		$funds = $db->loadObjectList() ?: [];
+
+		foreach ($funds as &$f) {
+			$f->balance = round((float) $f->total_received - (float) $f->total_spent, 2);
+			$f->is_restricted = ($f->type === 'restricted' || $f->type === 'temporarily_restricted');
+		}
+
+		return $funds;
+	}
+
+	/**
+	 * Record an expense against a fund.
+	 */
+	public static function recordExpense(int $fundId, float $amount, string $description, string $category = 'program'): int
+	{
+		$db  = Factory::getContainer()->get(DatabaseInterface::class);
+		$now = Factory::getDate()->toSql();
+
+		// Verify fund exists and has sufficient balance
+		$db->setQuery($db->getQuery(true)->select('type')->from('#__mokosuitenpo_funds')->where('id = ' . (int) $fundId));
+		$fundType = $db->loadResult();
+
+		if (!$fundType) throw new \RuntimeException('Fund not found');
+
+		// Enforce balance check on restricted funds (GAAP compliance)
+		if ($fundType === 'restricted' || $fundType === 'temporarily_restricted') {
+			$db->setQuery($db->getQuery(true)
+				->select('COALESCE((SELECT SUM(d.amount) FROM #__mokosuitenpo_donations d WHERE d.fund_id = ' . (int) $fundId . '), 0)'
+					. ' - COALESCE((SELECT SUM(e.amount) FROM #__mokosuitenpo_fund_expenses e WHERE e.fund_id = ' . (int) $fundId . '), 0) AS balance')
+				->from('DUAL'));
+			$balance = (float) $db->loadResult();
+
+			if ($amount > $balance) {
+				throw new \RuntimeException('Insufficient balance in restricted fund (available: $' . number_format($balance, 2) . ', requested: $' . number_format($amount, 2) . ')');
+			}
+		}
+
+		$expense = (object) [
+			'fund_id'     => $fundId,
+			'amount'      => $amount,
+			'description' => $description,
+			'category'    => $category, // program, admin, fundraising
+			'recorded_by' => Factory::getApplication()->getIdentity()->id,
+			'recorded_at' => $now,
+		];
+
+		$db->insertObject('#__mokosuitenpo_fund_expenses', $expense, 'id');
+		return (int) $expense->id;
+	}
+
+	/**
+	 * Get Statement of Financial Position (nonprofit balance sheet).
+	 */
+	public static function getFinancialPosition(): object
+	{
+		$funds = self::getFundBalances();
+
+		$unrestricted = 0;
+		$tempRestricted = 0;
+		$permRestricted = 0;
+
+		foreach ($funds as $f) {
+			switch ($f->type) {
+				case 'unrestricted': $unrestricted += $f->balance; break;
+				case 'temporarily_restricted': $tempRestricted += $f->balance; break;
+				case 'permanently_restricted': case 'restricted': $permRestricted += $f->balance; break;
+			}
+		}
+
+		return (object) [
+			'unrestricted'            => $unrestricted,
+			'temporarily_restricted'  => $tempRestricted,
+			'permanently_restricted'  => $permRestricted,
+			'total_net_assets'        => $unrestricted + $tempRestricted + $permRestricted,
+			'fund_count'              => count($funds),
+		];
+	}
+
+	/**
+	 * Get expense breakdown by category (program vs admin vs fundraising).
+	 */
+	public static function getExpenseBreakdown(string $from = '', string $to = ''): object
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+		$from = $from ?: date('Y-01-01');
+		$to = $to ?: date('Y-12-31');
+
+		$db->setQuery($db->getQuery(true)
+			->select('category')
+			->select('COUNT(*) AS count, COALESCE(SUM(amount), 0) AS total')
+			->from('#__mokosuitenpo_fund_expenses')
+			->where('DATE(recorded_at) BETWEEN ' . $db->quote($from) . ' AND ' . $db->quote($to))
+			->group('category'));
+
+		$byCategory = $db->loadObjectList('category') ?: [];
+
+		$program = (float) ($byCategory['program']->total ?? 0);
+		$admin = (float) ($byCategory['admin']->total ?? 0);
+		$fundraising = (float) ($byCategory['fundraising']->total ?? 0);
+		$totalExpenses = $program + $admin + $fundraising;
+
+		return (object) [
+			'program'           => $program,
+			'admin'             => $admin,
+			'fundraising'       => $fundraising,
+			'total'             => $totalExpenses,
+			'program_pct'       => $totalExpenses > 0 ? round($program / $totalExpenses * 100, 1) : 0,
+			'overhead_pct'      => $totalExpenses > 0 ? round(($admin + $fundraising) / $totalExpenses * 100, 1) : 0,
+		];
+	}
+}

source/packages/plg_system_mokosuitenpo/src/Helper/GrantReportingHelper.php

@@ -0,0 +1,65 @@
+<?php
+namespace Moko\Plugin\System\MokoSuiteNpo\Helper;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\Database\DatabaseInterface;
+
+/**
+ * Grant reporting — deliverable tracking, spending reports, funder compliance.
+ */
+class GrantReportingHelper
+{
+	/**
+	 * Get grant spending report — budgeted vs actual by category.
+	 */
+	public static function getSpendingReport(int $grantId): object
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('g.*, cd.name AS funder_name')
+			->from($db->quoteName('#__mokosuitenpo_grants', 'g'))
+			->join('LEFT', $db->quoteName('#__contact_details', 'cd') . ' ON cd.id = g.funder_contact_id')
+			->where('g.id = ' . (int) $grantId));
+		$grant = $db->loadObject();
+
+		if (!$grant) return (object) ['found' => false];
+
+		// Get expenses charged to this grant's fund
+		$db->setQuery($db->getQuery(true)
+			->select('category, COUNT(*) AS count, COALESCE(SUM(amount), 0) AS spent')
+			->from('#__mokosuitenpo_fund_expenses')
+			->where('fund_id = ' . (int) ($grant->fund_id ?? 0))
+			->group('category')
+			->order('spent DESC'));
+		$grant->spending_by_category = $db->loadObjectList() ?: [];
+
+		$grant->total_spent = array_sum(array_column($grant->spending_by_category, 'spent'));
+		$grant->remaining = max(0, (float) ($grant->amount ?? 0) - (float) $grant->total_spent);
+		$grant->utilization_pct = (float) ($grant->amount ?? 0) > 0
+			? round((float) $grant->total_spent / (float) $grant->amount * 100, 1) : 0;
+
+		return $grant;
+	}
+
+	/**
+	 * Get grants requiring reports soon.
+	 */
+	public static function getUpcomingReportDeadlines(int $days = 30): array
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('g.id, g.title, g.funder, g.report_due_date, g.amount')
+			->select('DATEDIFF(g.report_due_date, CURDATE()) AS days_until_due')
+			->from($db->quoteName('#__mokosuitenpo_grants', 'g'))
+			->where($db->quoteName('g.status') . ' IN (' . $db->quote('active') . ',' . $db->quote('reporting') . ')')
+			->where($db->quoteName('g.report_due_date') . ' IS NOT NULL')
+			->where($db->quoteName('g.report_due_date') . ' BETWEEN CURDATE() AND DATE_ADD(CURDATE(), INTERVAL ' . (int) $days . ' DAY)')
+			->order('g.report_due_date ASC'));
+
+		return $db->loadObjectList() ?: [];
+	}
+}

source/packages/plg_system_mokosuitenpo/src/Helper/InKindDonationHelper.php

@@ -0,0 +1,96 @@
+<?php
+namespace Moko\Plugin\System\MokoSuiteNpo\Helper;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\Database\DatabaseInterface;
+
+/**
+ * In-kind donation tracking — non-cash gifts, fair market valuation, category reporting.
+ */
+class InKindDonationHelper
+{
+	/**
+	 * Record an in-kind donation.
+	 */
+	public static function record(int $contactId, string $description, float $fairMarketValue, string $category = 'goods'): object
+	{
+		if ($fairMarketValue <= 0) {
+			throw new \InvalidArgumentException('Fair market value must be positive.');
+		}
+
+		$allowedCategories = ['goods', 'services', 'equipment', 'real_estate', 'securities', 'vehicles', 'other'];
+		if (!in_array($category, $allowedCategories, true)) {
+			$category = 'other';
+		}
+
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+		$filter = \Joomla\Filter\InputFilter::getInstance();
+
+		$donation = (object) [
+			'contact_id'       => $contactId,
+			'description'      => $filter->clean($description, 'STRING'),
+			'fair_market_value'=> $fairMarketValue,
+			'category'         => $category,
+			'status'           => 'received',
+			'received_at'      => Factory::getDate()->toSql(),
+		];
+
+		$db->insertObject('#__mokosuitenpo_inkind_donations', $donation, 'id');
+
+		return (object) ['success' => true, 'donation_id' => (int) $donation->id];
+	}
+
+	/**
+	 * Get in-kind donation summary by category for a period.
+	 */
+	public static function getSummary(string $from = '', string $to = ''): array
+	{
+		$from = $from ?: date('Y-01-01');
+		$to = $to ?: date('Y-m-d');
+
+		if (!\DateTime::createFromFormat('Y-m-d', $from) || !\DateTime::createFromFormat('Y-m-d', $to)) {
+			throw new \InvalidArgumentException('Date parameters must be Y-m-d format.');
+		}
+
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('ik.category')
+			->select('COUNT(*) AS donation_count')
+			->select('SUM(ik.fair_market_value) AS total_value')
+			->select('AVG(ik.fair_market_value) AS avg_value')
+			->from($db->quoteName('#__mokosuitenpo_inkind_donations', 'ik'))
+			->where('DATE(ik.received_at) BETWEEN ' . $db->quote($from) . ' AND ' . $db->quote($to))
+			->group('ik.category')
+			->order('total_value DESC'));
+
+		$results = $db->loadObjectList() ?: [];
+
+		foreach ($results as &$r) {
+			$r->avg_value = round((float) $r->avg_value, 2);
+		}
+
+		return $results;
+	}
+
+	/**
+	 * Get donations needing appraisal (over $5,000 threshold per IRS rules).
+	 */
+	public static function getNeedingAppraisal(): array
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('ik.*, cd.name AS donor_name')
+			->from($db->quoteName('#__mokosuitenpo_inkind_donations', 'ik'))
+			->join('LEFT', $db->quoteName('#__contact_details', 'cd') . ' ON cd.id = ik.contact_id')
+			->where('ik.fair_market_value > 5000')
+			->where('ik.appraisal_date IS NULL')
+			->where($db->quoteName('ik.category') . ' NOT IN (' . $db->quote('securities') . ')')
+			->order('ik.fair_market_value DESC'));
+
+		return $db->loadObjectList() ?: [];
+	}
+}

source/packages/plg_system_mokosuitenpo/src/Helper/PledgeReminderHelper.php

@@ -0,0 +1,64 @@
+<?php
+namespace Moko\Plugin\System\MokoSuiteNpo\Helper;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\Database\DatabaseInterface;
+
+/**
+ * Pledge reminders — notify donors of unfulfilled pledges, track fulfillment progress.
+ */
+class PledgeReminderHelper
+{
+	/**
+	 * Get unfulfilled pledges that need reminders.
+	 */
+	public static function getUnfulfilled(int $overdueDays = 30): array
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('p.*, cd.name AS donor_name, cd.email_to')
+			->select('COALESCE((SELECT SUM(d.amount) FROM #__mokosuitenpo_donations d WHERE d.pledge_id = p.id), 0) AS amount_fulfilled')
+			->from($db->quoteName('#__mokosuitenpo_pledges', 'p'))
+			->join('INNER', $db->quoteName('#__mokosuitenpo_donors', 'don') . ' ON don.id = p.donor_id')
+			->join('LEFT', $db->quoteName('#__contact_details', 'cd') . ' ON cd.id = don.contact_id')
+			->where($db->quoteName('p.status') . ' = ' . $db->quote('active'))
+			->where('p.due_date IS NOT NULL')
+			->where('p.due_date < DATE_SUB(CURDATE(), INTERVAL ' . (int) $overdueDays . ' DAY)')
+			->having('amount_fulfilled < p.amount')
+			->order('p.due_date ASC'));
+
+		$pledges = $db->loadObjectList() ?: [];
+
+		foreach ($pledges as &$p) {
+			$p->remaining = round((float) $p->amount - (float) $p->amount_fulfilled, 2);
+			$p->fulfillment_pct = (float) $p->amount > 0 ? round((float) $p->amount_fulfilled / (float) $p->amount * 100, 1) : 0;
+		}
+
+		return $pledges;
+	}
+
+	/**
+	 * Get pledge fulfillment summary.
+	 */
+	public static function getFulfillmentSummary(): object
+	{
+		$db = Factory::getContainer()->get(DatabaseInterface::class);
+
+		$db->setQuery($db->getQuery(true)
+			->select('COUNT(*) AS total_pledges')
+			->select('COALESCE(SUM(amount), 0) AS total_pledged')
+			->select('COALESCE(SUM((SELECT COALESCE(SUM(d.amount), 0) FROM #__mokosuitenpo_donations d WHERE d.pledge_id = p.id)), 0) AS total_received')
+			->from($db->quoteName('#__mokosuitenpo_pledges', 'p'))
+			->where($db->quoteName('p.status') . ' IN (' . $db->quote('active') . ',' . $db->quote('completed') . ')'));
+
+		$stats = $db->loadObject() ?: (object) ['total_pledges' => 0, 'total_pledged' => 0, 'total_received' => 0];
+		$stats->outstanding = round((float) $stats->total_pledged - (float) $stats->total_received, 2);
+		$stats->fulfillment_rate = (float) $stats->total_pledged > 0
+			? round((float) $stats->total_received / (float) $stats->total_pledged * 100, 1) : 0;
+
+		return $stats;
+	}
+}

source/pkg_mokosuitenpo.xml

@@ -2,7 +2,7 @@
 <extension type="package" method="upgrade">
 	<name>Package - MokoSuite NPO</name>
 	<packagename>mokosuitenpo</packagename>
-	<version>01.02.00</version>
+	<version>01.07.00</version>
 	<creationDate>2026-06-11</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>