Release: promote dev → main (dashboard, edit UI, ACL, security & forward-compat) #115

Merged

jmiller merged 26 commits from dev into main 2026-06-29 16:27:20 +00:00

Conversation 0 Commits 26 Files Changed 50

+949 -321

jmiller commented 2026-06-29 16:26:51 +00:00

Owner

Copy Link

Copy Source

Promotes the current development cycle from dev to main. Triggers the auto-release + version bump.

Highlights

Release blockers fixed

• Fatal frontend 500 from scalar custom JSON-LD — validated on save, guarded on render (#97)
• Single-tag create/edit admin UI (the manager was read-only) (#98)

Security

• AI endpoint now requires article-edit + HTTP timeout/status check (#99)
• Sitemap excludes non-public content and writes atomically (#100)
• canonical_url scheme-sanitized (#79)

Features

• OG coverage dashboard as the default admin view (#94)
• CSV import UI + og_video/event_data/recipe_data/custom_schema in CSV & REST API (#101, #103)
• Component access.xml/config.xml with mokoog.batch/mokoog.import (#95)

Quality / forward-compat

• Joomla 6.0+/PHP 8.2+ enforced; product renamed to MokoSuiteOpenGraph
• Remaining Joomla-7 deprecations removed (getLanguage, Filesystem) (#102)
• Dead code removed + generated-image pruning (#104); packaging fixes (#107); form maxlengths (#77)
• Unit tests for pure JsonLdBuilder helpers (#33, partial)

Full detail in CHANGELOG.md [Unreleased].

⚠️ Verification note

This payload has been statically verified only (php -l, XML/INI parse, CI). It has not been runtime-tested on a live Joomla 6 site. The highest-risk un-lint-checkable areas: the new edit UI (#98), ACL gates (#95/#99), the access-level sitemap query (#100), and the dashboard render (#94). Recommend a smoke test post-release before announcing.

Open follow-ups (not in this release): #33 (more tests, PR #113 pending CI), #100/#106 (sitemap throttling / batch cursor pagination), #104 (minor consolidation), #96 (test tracker).

🤖 Generated with Claude Code

Promotes the current development cycle from `dev` to `main`. Triggers the auto-release + version bump. ## Highlights **Release blockers fixed** - Fatal frontend 500 from scalar custom JSON-LD — validated on save, guarded on render (#97) - Single-tag create/edit admin UI (the manager was read-only) (#98) **Security** - AI endpoint now requires article-edit + HTTP timeout/status check (#99) - Sitemap excludes non-public content and writes atomically (#100) - canonical_url scheme-sanitized (#79) **Features** - OG coverage **dashboard** as the default admin view (#94) - CSV **import** UI + `og_video`/`event_data`/`recipe_data`/`custom_schema` in CSV & REST API (#101, #103) - Component **access.xml/config.xml** with `mokoog.batch`/`mokoog.import` (#95) **Quality / forward-compat** - Joomla 6.0+/PHP 8.2+ enforced; product renamed to **MokoSuiteOpenGraph** - Remaining Joomla-7 deprecations removed (`getLanguage`, `Filesystem`) (#102) - Dead code removed + generated-image pruning (#104); packaging fixes (#107); form maxlengths (#77) - Unit tests for pure JsonLdBuilder helpers (#33, partial) Full detail in `CHANGELOG.md` `[Unreleased]`. ## ⚠️ Verification note This payload has been **statically verified only** (`php -l`, XML/INI parse, CI). It has **not** been runtime-tested on a live Joomla 6 site. The highest-risk un-lint-checkable areas: the new edit UI (#98), ACL gates (#95/#99), the access-level sitemap query (#100), and the dashboard render (#94). Recommend a smoke test post-release before announcing. Open follow-ups (not in this release): #33 (more tests, PR #113 pending CI), #100/#106 (sitemap throttling / batch cursor pagination), #104 (minor consolidation), #96 (test tracker). 🤖 Generated with [Claude Code](https://claude.com/claude-code)

jmiller added 26 commits 2026-06-29 16:26:52 +00:00

chore(version): pre-release bump to 01.05.02-dev [skip ci] 6d4284c6c9

fix: resolve release blockers #97 (scalar JSON-LD 500) and #98 (no edit UI) ... 8582a3eac5

#97 — Fatal frontend 500 from scalar custom_schema:
- MokoOGContent::validateJson() now requires a JSON object/array (rejects
  scalars like 42/"x"/true that previously passed and were stored)
- MokoOG render path guards with is_array($decoded) so already-stored
  scalar payloads can no longer crash the public page

#98 — Missing single-tag create/edit admin UI:
- Add Controller/TagController (FormController), View/Tag/HtmlView, tmpl/tag/edit.php
- Link OG title in the list to the editor; add New/Edit toolbar buttons
- Declare tmpl/tag folder in the component manifest
- tag.xml: switch cross-package PLG_CONTENT_* labels to COM_MOKOOG_* keys,
  make content_type/content_id editable+required (enables New), add language field
- Add the new COM_MOKOOG_* strings to en-GB and en-US

Also fixes #77 while here: seo_title/meta_description form maxlength now
match the DB columns (70/200) instead of 255.

chore(version): pre-release bump to 01.06.02-dev [skip ci] e6328a1e8d

Merge pull request 'fix: resolve release blockers #97 (scalar JSON-LD 500) and #98 (no single-tag edit UI)' (#108) from fix/release-blockers-97-98 into dev 5b1fb1584e

chore(version): pre-release bump to 01.06.03-dev [skip ci] 8858c81f87

fix: security & correctness batch (#99, #100, #101, #102, #106) ... 71a102028d

#99 — AI AJAX endpoint hardening:
- require core.edit/core.create on com_content before generating (was
  reachable by any authenticated back-end user → paid-credit abuse)
- callAiApi: 20s timeout + HTTP status check (throw on non-200) instead of
  silently returning an empty string

#100 — Sitemap information disclosure + robustness:
- filter to public (guest) view levels so registered/special-access
  articles are never written into the public sitemap
- atomic write (temp file + rename) so concurrent saves can't expose a
  half-written sitemap.xml
- (throttling + SEF URLs remain follow-ups, noted on the issue)

#101 — Expose newer columns in CSV + API:
- og_video, event_data, recipe_data, custom_schema added to CSV export/import
  (appended, so existing CSVs still import) and to the REST API field whitelist
- import validates JSON fields as arrays/objects and og_video as http(s)
  (prevents re-introducing the #97 scalar-JSON-LD crash via import)

#102 — Forward-compat (complete):
- Factory::getLanguage() -> getApplication()->getLanguage() (4 sites)
- Joomla\CMS\Filesystem\File/Folder -> Joomla\Filesystem\* (ImageHelper, ImageGenerator)

#106 — partial: loadArticle() now caches null misses (array_key_exists),
getArticleDate() skips 0000-00-00 dates. Batch-JS halt deferred — the
offset=0 design re-fetches failed rows, so the created>0 guard prevents an
infinite loop; a safe fix needs cursor-based pagination in BatchController.

chore(version): pre-release bump to 01.06.04-dev [skip ci] a60ba86b19

Merge pull request 'fix: security & correctness batch — AI ACL, sitemap disclosure, API/CSV columns, forward-compat (#99 #100 #101 #102 #106)' (#109) from fix/security-correctness-batch into dev 377ae2d39e

chore(version): pre-release bump to 01.06.05-dev [skip ci] 11e50c54bb

chore: migrate update server URLs to MokoGitea 87267d8e80

chore(version): pre-release bump to 01.06.06-dev [skip ci] 53bf4a3187

chore: migrate update server URLs to MokoGitea 4f92b4e508

chore(version): auto-bump patch 01.06.07-dev [skip ci] 32bb72d12d

chore(version): pre-release bump to 01.06.08-dev [skip ci] 543bd2b464

fix: features & quality batch (#95, #103, #104, #107) ... d8376d6cdf

#95 — ACL + Options:
- Add access.xml (core actions + mokoog.batch / mokoog.import custom actions)
- Add config.xml (Permissions tab + note pointing settings to the system plugin)
- Declare both in the manifest; Batch/ImportExport controllers now check the
  custom actions with a fallback to the prior core checks (no lockout)

#103 — CSV import is now reachable:
- Add an Import toolbar button that toggles a multipart file-upload form
  (jform[csv_file]) posting to importexport.import with a CSRF token

#104 — Dead code + disk leak:
- Delete unused ImageGenerator class and JsonLdBuilder::buildOrganization()
- Add ImageHelper::pruneOldFiles() (deletes generated images older than 30d)
  and call it on content save so the generated-image cache is bounded

#107 — Packaging:
- Declare language/en-US in the component manifest (was never installed)
- Remove undeclared empty stub dirs src/Field, src/Service

Merge pull request 'fix: features & quality — access.xml/config.xml, CSV import UI, dead-code/leak, packaging (#95 #103 #104 #107)' (#111) from fix/features-quality-batch into dev cb28cb12cd

chore(version): pre-release bump to 01.06.09-dev [skip ci] 93b28a851e

feat: OG coverage dashboard as default admin view (#94) ... 696e369ec1

- New DashboardModel (BaseDatabaseModel) with getStats(), getCoverageByType(),
  getMissingArticles() — coverage logic moved out of the list template
- New View/Dashboard/HtmlView + tmpl/dashboard/default.php: SVG donut coverage
  gauge, field-gap badges, per-content_type breakdown table, and a list of
  published articles missing OG tags (linking to the article editor) with a
  Batch Generate shortcut
- DisplayController default_view -> dashboard; Dashboard + Tags submenu entries
- Removed the inline coverage.php include from the tags list (it ran 6 uncached
  COUNT queries on every list load); that logic now lives in DashboardModel
- Declared tmpl/dashboard in the manifest; added language strings (en-GB, en-US)

Merge pull request 'feat: OG coverage dashboard as default admin view (#94)' (#112) from feat/dashboard-94 into dev 60c243a733

chore(version): pre-release bump to 01.06.10-dev [skip ci] 1dec76ff0c

docs: update CHANGELOG and README for this development cycle ... 0a5e2b94e2

- CHANGELOG: fix the mangled header (duplicate empty [01.05.00], misplaced
  intro) and add a full [Unreleased] section covering the dashboard, edit UI,
  CSV import UI, access.xml/config.xml, AI/sitemap hardening, forward-compat,
  dead-code removal, and the new unit tests
- README: add Coverage dashboard / Manual tag editor / Component permissions to
  Admin Tools; drop the removed ImageGenerator overlay feature; note sitemap
  access-level filtering; add a Joomla 6.0+ / PHP 8.2+ Requirements line

Merge pull request 'docs: CHANGELOG + README for the current development cycle' (#114) from docs/session-updates into dev 2e45d7ea5a

chore(version): pre-release bump to 01.06.11-dev [skip ci] e7d0395be0

Merge origin/main into dev — resync 01.06.00 release chores before promotion 36c37c8e67

chore(version): auto-bump patch 01.06.12-dev [skip ci] 47f073539a

chore(version): pre-release bump to 01.06.13-dev [skip ci] 320b842c6e

jmiller merged commit b93ce7b872 into main 2026-06-29 16:27:20 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something is broken

documentation

Documentation improvements

enhancement

production-readiness

Required before v1.0 release

security

Security vulnerability or hardening

testing

Test coverage and QA

No labels

Priority -

Type -

Milestone

No items

No Milestone

Assignees

Clear assignees

jmiller (Jonathan Miller)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: MokoConsulting/MokoSuiteOpenGraph#115