- Set protected=1, locked=0 on MokoWaaS extensions via package script
- Self-healing: plugin checks and restores protected flag each session
- Block non-master disable via plugin list toggle (plugins.publish)
- Block non-master uninstall via installer manage
- Joomla framework natively enforces protected status (greys out toggles)
- Master users can still manage settings and updates
Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- manifest.xml: package-type plugin → package
- Canonical URL injection for alias domains (prevents SEO duplication)
- Heartbeat registration for alias domains (each alias gets Grafana datasource)
- Package script.php: enable plugins on every install/update, heartbeat on postflight
- Remove accidentally committed profile.ps1 and TODO.md
- Add profile.ps1 and TODO.md to .gitignore
Authored-by: Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Restructure MokoWaaS from a standalone system plugin into a Joomla
package containing:
- plg_system_mokowaas — existing system plugin (moved to packages/)
- com_mokowaas — minimal API-only component with health, cache, and
update controllers for Joomla Web Services API
- plg_webservices_mokowaas — registers /api/v1/mokowaas/* routes
Package script auto-enables both plugins on fresh install.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The receiver returns 'updated' when re-registering an existing site,
but the code only accepted 'registered', causing false 'HTTP 200 — Unknown' warnings.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The postflight still had the old Grafana API code with obfuscated tokens,
causing 403 RBAC errors on install/update. Now uses the heartbeat receiver
at bench.mokoconsulting.tech/api/waas-heartbeat/register.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- enforceLocked() runs every page load — re-enables, re-locks, re-protects
if someone tampers with the database flags
- preflight() blocks uninstall attempts with error message
- Logs tampering attempts to mokowaas log category
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove all Grafana API code (630 lines), obfuscated tokens, SA tokens,
ensureGrafanaPlugin, provisionGrafanaDatasource, buildDashboardModel.
Replace with simple HTTP POST to heartbeat receiver on bench server.
Receiver writes Grafana provisioning YAML and restarts Grafana container.
No API tokens or RBAC permissions needed.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- New service account token with correct RBAC permissions
- script.php postflight now shows success/failure messages to admin
- Logs all heartbeat attempts with HTTP code and cURL errors
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add CURLOPT_SSL_VERIFYPEER=false for shared hosting environments
- Add CURLOPT_FOLLOWLOCATION to handle redirects
- Log all Grafana heartbeat attempts with HTTP code and cURL errors
- Helps debug provisioning failures on DreamHost and similar hosts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
API key and URL stored as XOR-encoded base64 constants. Deobfuscated
at runtime only when needed. Prevents plain-text grep discovery.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Health endpoint always enabled when plugin is installed
- Grafana URL and API key hardcoded as constants
- Removed enable_health_endpoint, grafana_url, grafana_api_key from config UI
- Token still auto-generated and shown as read-only
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Implements heartbeat telemetry for WaaS dashboard monitoring:
- JSON health endpoint at /?mokowaas=health with token auth
- Database, filesystem, cache, and extension health checks
- Auto-generated API token (separate from Joomla user tokens)
- Grafana Infinity datasource auto-provisioning via REST API
- Shared dashboard with endpoint dropdown variable
- Auto-provision on plugin install/update via script.php
- Grafana plugin install via API (replaces deprecated CLI)
- Deprovisioning on disable (datasource cleanup)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
If MokoOnyx is installed, lock it and set as default.
Unlock MokoCassiopeia to allow uninstall.
Falls back to MokoCassiopeia if Onyx not present.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Updated version in all .ini, .php, .md files to 02.01.08.
Added SHA256 checksum to updates.xml for install integrity validation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- MokoCassiopeia zip shipped at src/payload/mokocassiopeia.zip
- Install script uses local payload instead of downloading
- Removed getDownloadUrlFromUpdates (no longer needed)
- Added update-payload.yml workflow to refresh payload on merge to main
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The release zip is properly structured for Joomla installation.
Simplified extraction logic — release zips have templateDetails.xml
at root or one level deep. Added better error messages with the
failing URL for debugging.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Send email to webmaster@mokoconsulting.tech on every install/update
with site name, version, PHP, Joomla version
- Changed locked=0 (allows uninstall by super users) but kept
protected=1 (prevents disabling)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Instead of hardcoding the zip URL, fetches MokoCassiopeia's updates.xml
from the repo main branch and parses the downloadurl. This way the
download location is controlled by the MokoCassiopeia repo.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Joomla Installer::install() expects a directory path, not a zip file.
Now extracts the zip to a temp folder, finds the templateDetails.xml,
and passes the correct directory to the installer.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Minor version bump to 02.01.01:
- Auto-install mokocassiopeia from GitHub if not present
- Lock and protect the template (cannot be disabled/uninstalled)
- Set mokocassiopeia as default site template
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
On install/update, checks if mokocassiopeia template exists. If found,
locks and protects it. If missing, downloads latest release from
GitHub and installs it automatically.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
install() only runs on first install. Moved enableAndLockPlugin() to
postflight() which runs on both install and update, ensuring existing
installs get locked when updating.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sets both locked=1 and protected=1 in #__extensions on install.
Prevents tenants from disabling or uninstalling the plugin through
the Extension Manager.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
First release of v02.00 — patch .00 reserved for development.
Version bumped across all files: manifest, PHP, language, docs,
composer, updates.xml, changelog, README.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Atum reads color values from #__template_styles params (hue, link-color,
special-color) and outputs them as inline CSS variables at render time.
Our CSS variable injection was being overridden by Atum's own output.
Now enforceAtumBranding() sets the color params directly in the DB:
- color_primary → hue (hex→HSL converted) + special-color
- color_sidebar → header-color
- color_link → link-color
Added hexToHsl() helper for the conversion. Install script also sets
default Moko theme colors at install time.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add #__action_log_config entry so MokoWaaS emergency access events
display with proper type title and text prefix in System > Action Logs.
Both #__action_logs_extensions and #__action_log_config are cleaned up
on uninstall.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Register plg_system_mokowaas in #__action_logs_extensions on install
so emergency access events appear as filterable in Action Logs UI
- Unregister on uninstall
- Set Moko brand colors as defaults: navy #1a2744, dark #0f1b2d,
accent green #2ecc71
- Force HTTPS default: Yes (was No)
- Admin session timeout default: 60 minutes (was 0/disabled)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace CSS-based logo injection with proper Atum template param
enforcement. The plugin now sets logoBrandLarge, logoBrandSmall,
loginLogo, and favicon via #__template_styles params — both at
install time and enforced at runtime.
Media assets shipped with plugin:
- logo.png → sidebar brand (expanded) + login page logo
- favicon_256.png → sidebar brand (collapsed)
- favicon.svg → modern browser favicon (SVG preferred)
- favicon.ico → legacy browser fallback
- favicon_256.png → Apple/Android touch icon
Removed per-config media upload fields (admin_logo, login_logo,
custom_favicon) — images are now fixed in the plugin media folder.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The mokoconsulting.tech/support, /kb, and /news pages exist. Restore
runtime enforcement in MokoWaaS.php and install-time write in
script.php.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Remove enforceLoginSupportUrls() from runtime and
updateLoginSupportUrls() from install script. Both write hardcoded
mokoconsulting.tech/support, /kb, /news URLs to mod_loginsupport
module params — these pages don't exist yet.
Login support TEXT overrides (MOD_LOGINSUPPORT_FORUM etc.) are kept
since they work locally without an endpoint. The underlying hrefs
will still point to joomla.org until the endpoints are built and
URL enforcement is restored.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Changed mergeOverridesIntoFile to collect keys already defined outside
the MokoWaaS block and skip them when building the block. User-set
overrides are never overwritten — only keys not already present get
injected. On update, the block is rebuilt with only missing keys.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Bump composer.json version to 02.00.00 (was 01.00.00 from main)
- Bump version headers in CHANGELOG, CONTRIBUTING, CODE_OF_CONDUCT,
LICENSE.md, and all docs/ files to 02.00.00
- Wrap license headers in PHP files to stay under 120 chars
- Wrap long error message strings in MokoWaaS.php
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Override mod_loginsupport headline and description strings
- Install script updates mod_loginsupport module params in DB to set
forum_url, documentation_url, and news_url to mokoconsulting.tech
- Ensures both link text (language overrides) and link destinations
(module params) point to Moko Consulting
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace hardcoded "MokoWaaS" in override files with {{BRAND_NAME}},
{{COMPANY_NAME}}, and {{SUPPORT_URL}} placeholders. Brand values come
from plugin config params (defaults: MokoWaaS / Moko Consulting).
- Runtime: plugin resolves placeholders on every request from live params
- Install-time: script resolves and writes to Joomla override files
- Added ~20 new admin override keys (Quick Icons, System Info, Installer,
Global Config, Privacy, Update component)
- Added brand_name, company_name, support_url config fields to manifest
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rework the install script to use a sentinel-block pattern (BEGIN/END
MokoWaaS Overrides) so existing site overrides are preserved verbatim.
On install the block is appended; on update it is stripped and rebuilt;
on uninstall only MokoWaaS keys are removed.
Also hardcode the plugin display name in the manifest and fix
creationDate XML formatting.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop the "Brand" suffix from all naming conventions:
- PascalCase: MokoWaaSBrand → MokoWaaS
- lowercase: mokowaasbrand → mokowaas
- Display: MokoWaaS-Brand → MokoWaaS
- Language keys: PLG_SYSTEM_MOKOWAASBRAND → PLG_SYSTEM_MOKOWAAS
Renames 6 files and updates 28 files across PHP, XML, INI,
Markdown, YAML, and shell scripts.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Jonathan Miller
jmiller