chore: merge main into dev, resolve conflicts for 02.28.00

Authored-by: Moko Consulting Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Merge branch 'dev' of https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS into feature/sync-task-plugin
2026-05-30 22:56:13 -05:00 · 2026-05-30 22:52:39 -05:00 · 2026-05-31 03:49:16 +00:00 · 2026-05-31 03:49:13 +00:00 · 2026-05-31 03:49:10 +00:00 · 2026-05-31 03:49:07 +00:00
94 changed files with 5647 additions and 8361 deletions
@@ -1,949 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/joomla/auto-release.yml.template
-# VERSION: 04.06.00
-# BRIEF: Joomla build & release — ZIP package, updates.xml, SHA-256 checksum
-#
-# +========================================================================+
-# |                    BUILD & RELEASE PIPELINE (JOOMLA)                   |
-# +========================================================================+
-# |                                                                        |
-# |  Triggers on push to main (skips bot commits + [skip ci]):             |
-# |                                                                        |
-# |  Every push:                                                           |
-# |    1. Read version from README.md                                      |
-# |    3. Set platform version (Joomla <version>)                          |
-# |    4. Update [VERSION: XX.YY.ZZ] badges in markdown files              |
-# |    5. Write updates.xml (Joomla update server XML)                      |
-# |    6. Create git tag vXX.YY.ZZ                                        |
-# |    7a. Patch: update existing Gitea Release for this minor             |
-# |    8. Build ZIP, upload asset, write SHA-256 to updates.xml             |
-# |                                                                        |
-# |  Every version change: archives main -> version/XX.YY branch           |
-# |  All patches release (including 00). Patch 00/01 = full pipeline.      |
-# |  First release only (patch == 01):                                     |
-# |    7b. Create new Gitea Release                                        |
-# |                                                                        |
-# |  GitHub mirror: stable/rc releases only (continue-on-error)            |
-# |                                                                        |
-# +========================================================================+
-
-name: Build & Release
-
-on:
-  pull_request:
-    types: [closed]
-    branches:
-      - main
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    name: Build & Release Pipeline
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.GA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup MokoStandards tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
-        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api
-          cd /tmp/mokostandards-api
-          composer install --no-dev --no-interaction --quiet
-
-      # -- STEP 1: Read version -----------------------------------------------
-      - name: "Step 1: Read version from README.md"
-        id: version
-        run: |
-          VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null)
-          if [ -z "$VERSION" ]; then
-            echo "No VERSION in README.md — skipping release"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # Derive major.minor for branch naming (patches update existing branch)
-          MINOR=$(echo "$VERSION" | awk -F. '{printf "%s.%s", $1, $2}')
-          PATCH=$(echo "$VERSION" | awk -F. '{print $3}')
-
-          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
-          MINOR_NUM=$(echo "$VERSION" | awk -F. '{print $2}')
-
-          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "branch=version/${MAJOR}" >> "$GITHUB_OUTPUT"
-          echo "minor=$MINOR" >> "$GITHUB_OUTPUT"
-          echo "major=$MAJOR" >> "$GITHUB_OUTPUT"
-          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
-          echo "stability=stable" >> "$GITHUB_OUTPUT"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-          if [ "$PATCH" = "00" ] || [ "$PATCH" = "01" ]; then
-            echo "is_minor=true" >> "$GITHUB_OUTPUT"
-            echo "Version: $VERSION (first release for this minor — full pipeline)"
-          else
-            echo "is_minor=false" >> "$GITHUB_OUTPUT"
-            echo "Version: $VERSION (patch — platform version + badges only)"
-          fi
-
-      # -- STEP 1b: Bump minor version (stable = minor bump, reset patch) ------
-      - name: "Step 1b: Bump minor version for stable release"
-        if: steps.version.outputs.skip != 'true'
-        id: bump
-        run: |
-          CURRENT=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
-          [ -z "$CURRENT" ] && { echo "skip=true" >> "$GITHUB_OUTPUT"; exit 0; }
-
-          MAJOR=$((10#$(echo "$CURRENT" | cut -d. -f1)))
-          MINOR=$((10#$(echo "$CURRENT" | cut -d. -f2)))
-
-          # Minor bump, reset patch. Rollover if minor > 99
-          MINOR=$((MINOR + 1))
-          if [ $MINOR -gt 99 ]; then
-            MINOR=0
-            MAJOR=$((MAJOR + 1))
-          fi
-
-          VERSION=$(printf "%02d.%02d.00" $MAJOR $MINOR)
-          TODAY=$(date +%Y-%m-%d)
-
-          echo "Stable bump: ${CURRENT} → ${VERSION} (minor)"
-
-          # Update README.md
-          sed -i "s/VERSION:[[:space:]]*${CURRENT}/VERSION: ${VERSION}/" README.md
-
-          # Update manifest
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -n "$MANIFEST" ]; then
-            MANIFEST_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
-            [ -n "$MANIFEST_VER" ] && sed -i "s|<version>${MANIFEST_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
-            sed -i "s|<creationDate>[^<]*</creationDate>|<creationDate>${TODAY}</creationDate>|" "$MANIFEST"
-          fi
-
-          # Promote [Unreleased] section in CHANGELOG.md to new version
-          if [ -f "CHANGELOG.md" ] && grep -qi "Unreleased" CHANGELOG.md; then
-            sed -i "s|## \[Unreleased\]|## [${VERSION}] --- ${TODAY}|" CHANGELOG.md
-            sed -i "s|## Unreleased|## [${VERSION}] --- ${TODAY}|" CHANGELOG.md
-            sed -i "2i ## [Unreleased]" CHANGELOG.md
-            sed -i "3i \\ " CHANGELOG.md
-            echo "CHANGELOG promoted to [${VERSION}]"
-          fi
-
-          # Commit and push
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): bump ${CURRENT} → ${VERSION} [skip ci]"
-            git push origin HEAD:main 2>&1
-          }
-
-          # Override version output for rest of pipeline
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "major=$(printf "%02d" $MAJOR)" >> "$GITHUB_OUTPUT"
-
-      - name: Check if already released
-        if: steps.version.outputs.skip != 'true'
-        id: check
-        run: |
-          TAG="${{ steps.version.outputs.release_tag }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-
-          TAG_EXISTS=false
-          BRANCH_EXISTS=false
-
-          git rev-parse "$TAG" >/dev/null 2>&1 && TAG_EXISTS=true
-          git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q "$BRANCH" && BRANCH_EXISTS=true
-
-          echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
-          echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
-
-          # Tag and branch may persist across patch releases — never skip
-          echo "already_released=false" >> "$GITHUB_OUTPUT"
-
-      # -- SANITY CHECKS -------------------------------------------------------
-      - name: "Sanity: Pre-release validation"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          ERRORS=0
-
-          echo "## Pre-Release Sanity Checks (Joomla)" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-
-          # -- Version drift check (must pass before release) --------
-          README_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
-          if [ "$README_VER" != "$VERSION" ]; then
-            echo "- Version drift: README says \`${README_VER}\` but releasing \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          else
-            echo "- Version consistent: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          # Check CHANGELOG version matches
-          CL_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' CHANGELOG.md 2>/dev/null | head -1)
-          if [ -n "$CL_VER" ] && [ "$CL_VER" != "$VERSION" ]; then
-            echo "- CHANGELOG drift: \`${CL_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          fi
-
-          # Check composer.json version if present
-          if [ -f "composer.json" ]; then
-            COMP_VER=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' composer.json 2>/dev/null | head -1)
-            if [ -n "$COMP_VER" ] && [ "$COMP_VER" != "$VERSION" ]; then
-              echo "- composer.json drift: \`${COMP_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS+1))
-            fi
-          fi
-
-          # Common checks
-          if [ ! -f "LICENSE" ]; then
-            echo "- Missing LICENSE file" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          else
-            echo "- LICENSE present" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if [ ! -d "src" ] && [ ! -d "htdocs" ]; then
-            echo "- Warning: No src/ or htdocs/ directory" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "- Source directory present" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          # -- Joomla: manifest version drift --------
-          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -n "$MANIFEST" ]; then
-            XML_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            if [ -n "$XML_VER" ] && [ "$XML_VER" != "$VERSION" ]; then
-              echo "- Manifest drift: \`${XML_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS+1))
-            else
-              echo "- Manifest version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            fi
-          fi
-
-          # -- Joomla: XML manifest existence --------
-          if [ -z "$MANIFEST" ]; then
-            echo "- No Joomla XML manifest found" >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS+1))
-          else
-            echo "- Manifest: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
-
-            # -- Joomla: extension type check --------
-            TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null)
-            echo "- Extension type: ${TYPE:-unknown}" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          echo "" >> $GITHUB_STEP_SUMMARY
-          if [ "$ERRORS" -gt 0 ]; then
-            echo "**${ERRORS} error(s) — release may be incomplete**" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "**All sanity checks passed**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      # -- STEP 2: Create or update version/XX.YY archive branch ---------------
-      # Always runs — every version change on main archives to version/XX.YY
-      - name: "Step 2: Version archive branch"
-        if: steps.check.outputs.already_released != 'true'
-        run: |
-          BRANCH="${{ steps.version.outputs.branch }}"
-          IS_MINOR="${{ steps.version.outputs.is_minor }}"
-          PATCH="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PATCH_NUM=$(echo "$PATCH" | awk -F. '{print $3}')
-
-          # Check if branch exists
-          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
-            git push origin HEAD:"$BRANCH" --force
-            echo "Updated archive branch: ${BRANCH} (patch ${PATCH_NUM})" >> $GITHUB_STEP_SUMMARY
-          else
-            git checkout -b "$BRANCH" 2>/dev/null || git checkout "$BRANCH"
-            git push origin "$BRANCH" --force
-            echo "Created archive branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      # -- STEP 3: Set platform version ----------------------------------------
-      - name: "Step 3: Set platform version"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/mokostandards-api/cli/version_set_platform.php \
-            --path . --version "$VERSION" --branch main
-
-      # -- STEP 4: Update version badges ----------------------------------------
-      - name: "Step 4: Update version badges"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          find . -name "*.md" ! -path "./.git/*" ! -path "./vendor/*" | while read -r f; do
-            if grep -q '\[VERSION:' "$f" 2>/dev/null; then
-              sed -i "s/\[VERSION:[[:space:]]*[0-9]\{2\}\.[0-9]\{2\}\.[0-9]\{2\}\]/[VERSION: ${VERSION}]/" "$f"
-            fi
-          done
-
-      # -- STEP 5: Write updates.xml (Joomla update server) ---------------------
-      - name: "Step 5: Write updates.xml"
-        id: updates
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          REPO="${{ github.repository }}"
-
-          # -- Parse extension metadata from XML manifest ----------------
-          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -z "$MANIFEST" ]; then
-            echo "Warning: No Joomla XML manifest found — skipping updates.xml" >> $GITHUB_STEP_SUMMARY
-            exit 0
-          fi
-
-          # Extract fields using sed (portable — no grep -P)
-          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
-          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
-
-          # If EXT_NAME is a language key (e.g. PLG_SYSTEM_MOKOJGDPC), resolve from .ini
-          if echo "$EXT_NAME" | grep -qE '^[A-Z_]+$'; then
-            INI_NAME=$(find . -name "*.sys.ini" -path "*/en-GB/*" -exec grep -h "^${EXT_NAME}=" {} \; 2>/dev/null | head -1 | cut -d'"' -f2)
-            [ -z "$INI_NAME" ] && INI_NAME=$(find . -name "*.sys.ini" -exec grep -h "^${EXT_NAME}=" {} \; 2>/dev/null | head -1 | cut -d'"' -f2)
-            [ -n "$INI_NAME" ] && EXT_NAME="$INI_NAME"
-          fi
-
-          # Fallbacks
-          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
-          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
-
-          # Derive element if not in manifest:
-          # 1. plugin="xxx" attribute (plugins)
-          # 2. module="xxx" attribute (modules)
-          # 3. XML filename (components, packages)
-          # 4. Repo name fallback (templates, anything else)
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          fi
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(sed -n 's/.*module="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          fi
-          if [ -z "$EXT_ELEMENT" ]; then
-            FNAME=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-            # If filename is generic (templateDetails, manifest), use repo name
-            case "$FNAME" in
-              templatedetails|manifest) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
-              *) EXT_ELEMENT="$FNAME" ;;
-            esac
-          fi
-          # Final fallback
-          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-
-          # Save for Steps 7, 8, 8b
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-          echo "ext_name=${EXT_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_type=${EXT_TYPE}" >> "$GITHUB_OUTPUT"
-          echo "ext_folder=${EXT_FOLDER}" >> "$GITHUB_OUTPUT"
-
-          # Build client tag: plugins and frontend modules need <client>site</client>
-          CLIENT_TAG=""
-          if [ -n "$EXT_CLIENT" ]; then
-            CLIENT_TAG="<client>${EXT_CLIENT}</client>"
-          elif [ "$EXT_TYPE" = "module" ] || [ "$EXT_TYPE" = "plugin" ]; then
-            CLIENT_TAG="<client>site</client>"
-          fi
-
-          # Build folder tag for plugins (required for Joomla to match the update)
-          FOLDER_TAG=""
-          if [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ]; then
-            FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
-          fi
-
-          # Build targetplatform (fallback to Joomla 5 if not in manifest)
-          if [ -z "$TARGET_PLATFORM" ]; then
-            TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
-          fi
-
-          # Build php_minimum tag
-          PHP_TAG=""
-          if [ -n "$PHP_MINIMUM" ]; then
-            PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
-          fi
-
-          # Build TYPE_PREFIX for download URL
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-
-          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/stable/${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
-          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/stable"
-
-          # -- Build update entry for a given stability tag
-          build_entry() {
-            local TAG_NAME="$1"
-            printf '%s\n' '  <update>'
-            printf '%s\n' "    <name>${EXT_NAME}</name>"
-            printf '%s\n' "    <description>${EXT_NAME} update</description>"
-            printf '%s\n' "    <element>${EXT_ELEMENT}</element>"
-            printf '%s\n' "    <type>${EXT_TYPE}</type>"
-            printf '%s\n' "    <version>${VERSION}</version>"
-            [ -n "$CLIENT_TAG" ] && printf '%s\n' "    ${CLIENT_TAG}"
-            [ -n "$FOLDER_TAG" ] && printf '%s\n' "    ${FOLDER_TAG}"
-            printf '%s\n' "    <tags><tag>${TAG_NAME}</tag></tags>"
-            printf '%s\n' "    <infourl title=\"${EXT_NAME}\">${INFO_URL}</infourl>"
-            printf '%s\n' '    <downloads>'
-            printf '%s\n' "      <downloadurl type=\"full\" format=\"zip\">${DOWNLOAD_URL}</downloadurl>"
-            printf '%s\n' '    </downloads>'
-            printf '%s\n' "    ${TARGET_PLATFORM}"
-            [ -n "$PHP_TAG" ] && printf '%s\n' "    ${PHP_TAG}"
-            printf '%s\n' '    <maintainer>Moko Consulting</maintainer>'
-            printf '%s\n' '    <maintainerurl>https://mokoconsulting.tech</maintainerurl>'
-            printf '%s\n' '  </update>'
-          }
-
-          # -- Write updates.xml with cascading channels
-          # Stable release updates ALL channels (development, alpha, beta, rc, stable)
-          {
-            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>"
-            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting <hello@mokoconsulting.tech>"
-            printf '%s\n' " SPDX-License-Identifier: GPL-3.0-or-later"
-            printf '%s\n' " VERSION: ${VERSION}"
-            printf '%s\n' " -->"
-            printf '%s\n' ""
-            printf '%s\n' '<updates>'
-            build_entry "development"
-            build_entry "alpha"
-            build_entry "beta"
-            build_entry "rc"
-            build_entry "stable"
-            printf '%s\n' '</updates>'
-          } > updates.xml
-
-          echo "updates.xml: ${VERSION} (all channels updated to stable)" >> $GITHUB_STEP_SUMMARY
-
-      # -- Commit all changes ---------------------------------------------------
-      - name: Commit release changes
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          if git diff --quiet && git diff --cached --quiet; then
-            echo "No changes to commit"
-            exit 0
-          fi
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git commit -m "chore(release): build ${VERSION} [skip ci]" \
-            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-          git push -u origin HEAD
-
-      # -- STEP 6: Create tag ---------------------------------------------------
-      - name: "Step 6: Create git tag"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.tag_exists != 'true' &&
-          steps.version.outputs.is_minor == 'true'
-        run: |
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          # Only create the major release tag if it doesn't exist yet
-          if ! git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
-            git tag "$RELEASE_TAG"
-            git push origin "$RELEASE_TAG"
-            echo "Tag created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "Tag ${RELEASE_TAG} already exists" >> $GITHUB_STEP_SUMMARY
-          fi
-          echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 7: Create or update Gitea Release --------------------------------
-      - name: "Step 7: Gitea Release"
-        if: >-
-          steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-          MAJOR="${{ steps.version.outputs.major }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Reuse metadata from Step 5 (single source of truth)
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
-          EXT_NAME="${{ steps.updates.outputs.ext_name }}"
-          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
-          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
-
-          # Fallbacks if Step 5 was skipped
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          fi
-          [ -z "$EXT_NAME" ] && EXT_NAME="${GITEA_REPO}"
-
-          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null)
-          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
-
-          # Build release name: "Pretty Name VERSION (type_element-VERSION)"
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
-
-          # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
-          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
-
-          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
-            echo "Deleted previous stable release (id: ${EXISTING_ID})"
-          fi
-
-          # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/releases" \
-            -d "$(python3 -c "import json; print(json.dumps({
-              'tag_name': '${RELEASE_TAG}',
-              'name': '${RELEASE_NAME}',
-              'body': '''## ${VERSION} ($(date +%Y-%m-%d))\n${NOTES}''',
-              'target_commitish': '${BRANCH}'
-            }))")"
-          echo "Release created: ${RELEASE_NAME}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
-      - name: "Step 8: Build Joomla package and update checksum"
-        if: >-
-          steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          REPO="${{ github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
-          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-          if [ -z "$RELEASE_ID" ]; then
-            echo "No release ${RELEASE_TAG} found — skipping ZIP upload"
-            exit 0
-          fi
-
-          # Find extension element name from manifest
-          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
-          [ -z "$MANIFEST" ] && exit 0
-
-          # Reuse element from Step 5, with same fallback chain
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          fi
-          # ZIP name: type_folder_element-VERSION (e.g. plg_system_mokojgdpc-01.01.00.zip)
-          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
-          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
-
-          # -- Build install packages from src/ ----------------------------
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ — skipping package"; exit 0; }
-
-          EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
-
-          # ZIP package
-          cd "$SOURCE_DIR"
-          zip -r "/tmp/${ZIP_NAME}" . -x $EXCLUDES
-          cd ..
-
-          # tar.gz package
-          tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR" \
-            --exclude='.ftpignore' --exclude='sftp-config*' \
-            --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
-
-          ZIP_SIZE=$(stat -c%s "/tmp/${ZIP_NAME}" 2>/dev/null || stat -f%z "/tmp/${ZIP_NAME}" 2>/dev/null || echo "unknown")
-          TAR_SIZE=$(stat -c%s "/tmp/${TAR_NAME}" 2>/dev/null || stat -f%z "/tmp/${TAR_NAME}" 2>/dev/null || echo "unknown")
-
-          # -- Calculate SHA-256 for both ----------------------------------
-          SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
-          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
-
-          # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
-          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
-            ASSET_ID=$(echo "$ASSETS" | python3 -c "
-          import sys,json
-          assets = json.load(sys.stdin)
-          for a in assets:
-              if a['name'] == '${ASSET_NAME}':
-                  print(a['id']); break
-          " 2>/dev/null || true)
-            if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
-            fi
-          done
-
-          # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/octet-stream" \
-            --data-binary @"/tmp/${ZIP_NAME}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
-
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            -H "Content-Type: application/octet-stream" \
-            --data-binary @"/tmp/${TAR_NAME}" \
-            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
-
-          # -- Update updates.xml with both download formats ---------------
-          if [ -f "updates.xml" ]; then
-            ZIP_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
-            TAR_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
-
-            # Use Python to update only the stable entry's downloads + sha256
-            export PY_ZIP_URL="$ZIP_URL" PY_TAR_URL="$TAR_URL" PY_SHA="$SHA256_ZIP"
-            python3 << 'PYEOF'
-          import re, os
-
-          with open("updates.xml") as f:
-              content = f.read()
-
-          zip_url = os.environ["PY_ZIP_URL"]
-          tar_url = os.environ["PY_TAR_URL"]
-          sha = os.environ["PY_SHA"]
-
-          # Find the stable update block and replace its downloads + sha256
-          def replace_stable(m):
-              block = m.group(0)
-              # Replace downloads block
-              new_downloads = (
-                  "    <downloads>\n"
-                  f"      <downloadurl type=\"full\" format=\"zip\">{zip_url}</downloadurl>\n"
-                  "    </downloads>"
-              )
-              block = re.sub(r'    <downloads>.*?</downloads>', new_downloads, block, flags=re.DOTALL)
-              # Add or replace sha256
-              if '<sha256>' in block:
-                  block = re.sub(r'    <sha256>.*?</sha256>', f'    <sha256>{sha}</sha256>', block)
-              else:
-                  block = block.replace('</downloads>', f'</downloads>\n    <sha256>{sha}</sha256>')
-              return block
-
-          content = re.sub(
-              r'  <update>.*?<tag>stable</tag>.*?</update>',
-              replace_stable,
-              content,
-              flags=re.DOTALL
-          )
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-
-            CURRENT_BRANCH="${{ github.ref_name }}"
-            git add updates.xml
-            git commit -m "chore(release): ZIP + tar.gz for ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
-            git push || true
-
-            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
-            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
-
-            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
-
-            if [ -n "$FILE_SHA" ]; then
-              CONTENT=$(base64 -w0 updates.xml)
-              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
-                -H "Content-Type: application/json" \
-                "${API}/contents/updates.xml" \
-                -d "$(jq -n \
-                  --arg content "$CONTENT" \
-                  --arg sha "$FILE_SHA" \
-                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
-                  --arg branch "main" \
-                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
-                )" > /dev/null 2>&1 \
-                && echo "updates.xml synced to main via API" \
-                || echo "WARNING: failed to sync updates.xml to main"
-            else
-              echo "WARNING: could not get updates.xml SHA from main"
-            fi
-          fi
-
-          echo "### Joomla Packages" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Package | Size | SHA-256 |" >> $GITHUB_STEP_SUMMARY
-          echo "|---------|------|---------|" >> $GITHUB_STEP_SUMMARY
-          echo "| \`${ZIP_NAME}\` | ${ZIP_SIZE} | \`${SHA256_ZIP}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| \`${TAR_NAME}\` | ${TAR_SIZE} | \`${SHA256_TAR}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
-          echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 8b: Update release description with changelog + SHA ----------------
-      - name: "Step 8b: Update release body with changelog and SHA"
-        if: steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
-          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
-          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
-
-          # Build TYPE_PREFIX to match Step 8's ZIP naming
-          TYPE_PREFIX=""
-          case "${EXT_TYPE}" in
-            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
-            module)    TYPE_PREFIX="mod_" ;;
-            component) TYPE_PREFIX="com_" ;;
-            template)  TYPE_PREFIX="tpl_" ;;
-            library)   TYPE_PREFIX="lib_" ;;
-            package)   TYPE_PREFIX="pkg_" ;;
-          esac
-          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
-          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
-
-          # Get SHA from the built files
-          SHA256_ZIP=""
-          [ -f "/tmp/${ZIP_NAME}" ] && SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
-          SHA256_TAR=""
-          [ -f "/tmp/${TAR_NAME}" ] && SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
-
-          # Extract latest changelog entry (strip the ## header to avoid duplicate)
-          CHANGELOG=""
-          if [ -f "CHANGELOG.md" ]; then
-            CHANGELOG=$(sed -n "/^## \[*${VERSION}/,/^## \[*[0-9]/p" CHANGELOG.md | sed '$d' | sed '1d')
-            [ -z "$CHANGELOG" ] && CHANGELOG=$(sed -n '/^## /,/^## /p' CHANGELOG.md | sed '$d' | sed '1d' | head -30)
-          fi
-
-          # Build release body (single header, no duplicate from changelog)
-          BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\n"
-          if [ -n "$CHANGELOG" ]; then
-            BODY="${BODY}${CHANGELOG}\n\n"
-          fi
-          BODY="${BODY}---\n\n### Checksums\n\n"
-          BODY="${BODY}| File | SHA-256 |\n|------|--------|\n"
-          [ -n "$SHA256_ZIP" ] && BODY="${BODY}| \`${ZIP_NAME}\` | \`${SHA256_ZIP}\` |\n"
-          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
-
-          # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-          if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
-            python3 -c "
-          import json, urllib.request
-          body = '''$(printf '%b' "$BODY")'''
-          data = json.dumps({'body': body}).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/releases/${RELEASE_ID}',
-              data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
-              method='PATCH'
-          )
-          urllib.request.urlopen(req)
-          " 2>/dev/null && echo "Release body updated with changelog + SHA" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
-        continue-on-error: true
-        env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          MAJOR="${{ steps.version.outputs.major }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-
-          NOTES=$(php /tmp/mokostandards-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
-          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
-          echo "$NOTES" > /tmp/release_notes.md
-
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
-
-          if [ -z "$EXISTING" ]; then
-            gh release create "$RELEASE_TAG" \
-              --repo "$GH_REPO" \
-              --title "v${MAJOR} (latest: ${VERSION})" \
-              --notes-file /tmp/release_notes.md \
-              --target "$BRANCH" || true
-          else
-            gh release edit "$RELEASE_TAG" \
-              --repo "$GH_REPO" \
-              --title "v${MAJOR} (latest: ${VERSION})" || true
-          fi
-
-          # Upload assets to GitHub mirror
-          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
-            if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
-            fi
-          done
-          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
-
-      # -- Clean up lesser pre-releases (cascade) ---------------------------------
-      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
-      - name: "Delete lesser pre-release channels"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-
-          # Stable deletes all pre-release channels
-          TAGS_TO_DELETE="development alpha beta release-candidate"
-
-          DELETED=0
-          for TAG in $TAGS_TO_DELETE; do
-            RELEASE_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
-              "${API_BASE}/releases/tags/${TAG}" 2>/dev/null | \
-              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
-              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/releases/${RELEASE_ID}" 2>/dev/null || true
-              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/tags/${TAG}" 2>/dev/null || true
-              echo "Deleted: ${TAG} (id: ${RELEASE_ID})"
-              DELETED=$((DELETED + 1))
-            fi
-          done
-          echo "Cleaned up ${DELETED} pre-release channel(s)" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 11: Reset dev branch from main ------------------------------------
-      - name: "Step 11: Delete and recreate dev branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-
-          # Delete dev branch
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-
-          # Recreate dev from main (now includes version bump + changelog promotion)
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-
-          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
-
-      # -- Summary --------------------------------------------------------------
-      - name: Pipeline Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (Joomla)" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-          fi
@@ -1,213 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Maintenance
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/cascade-dev.yml.template
-# VERSION: 02.00.00
-# BRIEF: Forward-merge main → all open branches after every push to main
-#
-# +========================================================================+
-# |                CASCADE MAIN → ALL BRANCHES                             |
-# +========================================================================+
-# |                                                                        |
-# |  Triggers on every push to main (PR merges, bot commits, etc.)         |
-# |                                                                        |
-# |  1. List all branches matching: dev, rc/*, beta/*, alpha/*             |
-# |  2. For each: create PR (main → branch), auto-merge if clean           |
-# |  3. On conflict: leave PR open for manual resolution                   |
-# |                                                                        |
-# +========================================================================+
-
-name: Cascade Main → Dev
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  cascade:
-    name: Cascade main → branches
-    runs-on: ubuntu-latest
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip cascade]')
-
-    steps:
-      - name: Discover target branches
-        id: branches
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-        run: |
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Fetch all branches (paginated)
-          PAGE=1
-          ALL_BRANCHES=""
-          while true; do
-            BATCH=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/branches?page=${PAGE}&limit=50" \
-              | jq -r '.[].name // empty')
-            [ -z "$BATCH" ] && break
-            ALL_BRANCHES="$ALL_BRANCHES $BATCH"
-            PAGE=$((PAGE + 1))
-          done
-
-          # Filter to cascade targets: dev, dev/*, rc/*, beta/*, alpha/*
-          TARGETS=""
-          for BRANCH in $ALL_BRANCHES; do
-            case "$BRANCH" in
-              dev|dev/*|rc/*|beta/*|alpha/*)
-                TARGETS="$TARGETS $BRANCH"
-                ;;
-            esac
-          done
-
-          TARGETS=$(echo "$TARGETS" | xargs)  # trim whitespace
-
-          if [ -z "$TARGETS" ]; then
-            echo "targets=" >> "$GITHUB_OUTPUT"
-            echo "ℹ️  No cascade target branches found"
-          else
-            echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
-            COUNT=$(echo "$TARGETS" | wc -w)
-            echo "📋 Found ${COUNT} target branch(es): ${TARGETS}"
-          fi
-
-      - name: Cascade to all target branches
-        if: steps.branches.outputs.targets != ''
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-        run: |
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          SHORT_SHA="${GITHUB_SHA:0:7}"
-          TARGETS="${{ steps.branches.outputs.targets }}"
-
-          SUCCESS=0
-          CONFLICTS=0
-          SKIPPED=0
-          FAILED=0
-
-          for BRANCH in $TARGETS; do
-            echo ""
-            echo "═══ main → ${BRANCH} ═══"
-
-            # Check if branch is already up to date
-            ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
-            RESPONSE=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/compare/${ENCODED_BRANCH}...main")
-
-            AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
-
-            if [ "$AHEAD" -eq 0 ]; then
-              echo "  ✅ Already up to date"
-              SKIPPED=$((SKIPPED + 1))
-              continue
-            fi
-
-            echo "  ℹ️  main is ${AHEAD} commit(s) ahead"
-
-            # Check for existing cascade PR
-            EXISTING=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
-
-            EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
-            PR_NUMBER=""
-
-            if [ "$EXISTING_COUNT" -gt 0 ]; then
-              PR_NUMBER=$(echo "$EXISTING" | jq -r '.[0].number')
-              echo "  ℹ️  Reusing existing PR #${PR_NUMBER}"
-            else
-              # Create cascade PR
-              PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
-                -X POST \
-                -H "Authorization: token ${GA_TOKEN}" \
-                -H "Content-Type: application/json" \
-                -d "{
-                  \"title\": \"chore: cascade main → ${BRANCH} (${SHORT_SHA}) [skip ci]\",
-                  \"body\": \"## Automatic cascade\\n\\nForward-merging \`main\` (${SHORT_SHA}) into \`${BRANCH}\`.\\n\\nIf conflicts exist, resolve manually and merge.\\n\\n> Auto-created by **Cascade Main → Dev**.\",
-                  \"head\": \"main\",
-                  \"base\": \"${BRANCH}\"
-                }" \
-                "${API}/pulls")
-
-              HTTP_CODE=$(echo "$PR_RESPONSE" | tail -1)
-              BODY=$(echo "$PR_RESPONSE" | sed '$d')
-              PR_NUMBER=$(echo "$BODY" | jq -r '.number // empty')
-
-              if [ "$HTTP_CODE" != "201" ] || [ -z "$PR_NUMBER" ]; then
-                MSG=$(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)
-                echo "  ❌ Failed to create PR (HTTP ${HTTP_CODE}): ${MSG}"
-                FAILED=$((FAILED + 1))
-                continue
-              fi
-
-              echo "  ✅ Created PR #${PR_NUMBER}"
-            fi
-
-            # Try auto-merge
-            PR_DATA=$(curl -sS \
-              -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/pulls/${PR_NUMBER}")
-
-            MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
-
-            if [ "$MERGEABLE" != "true" ]; then
-              echo "  ⚠️  Conflicts — PR #${PR_NUMBER} left open"
-              CONFLICTS=$((CONFLICTS + 1))
-              continue
-            fi
-
-            MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
-              -X POST \
-              -H "Authorization: token ${GA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              -d "{
-                \"Do\": \"merge\",
-                \"merge_message_field\": \"chore: cascade main → ${BRANCH} [skip ci]\",
-                \"delete_branch_after_merge\": false
-              }" \
-              "${API}/pulls/${PR_NUMBER}/merge")
-
-            MERGE_HTTP=$(echo "$MERGE_RESPONSE" | tail -1)
-
-            if [ "$MERGE_HTTP" = "200" ] || [ "$MERGE_HTTP" = "204" ]; then
-              echo "  ✅ Merged — ${BRANCH} is in sync"
-              SUCCESS=$((SUCCESS + 1))
-            else
-              MERGE_BODY=$(echo "$MERGE_RESPONSE" | sed '$d')
-              echo "  ⚠️  Merge failed (HTTP ${MERGE_HTTP}) — PR #${PR_NUMBER} left open"
-              CONFLICTS=$((CONFLICTS + 1))
-            fi
-          done
-
-          # Summary
-          echo ""
-          echo "════════════════════════════════════════"
-          echo "  ✅ Merged:    ${SUCCESS}"
-          echo "  ⚠️  Conflicts: ${CONFLICTS}"
-          echo "  ⏭️  Up to date: ${SKIPPED}"
-          echo "  ❌ Failed:    ${FAILED}"
-          echo "════════════════════════════════════════"
-
-          if [ "$FAILED" -gt 0 ]; then
-            exit 1
-          fi
@@ -1,450 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# This file is part of a Moko Consulting project.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow.Template
-# INGROUP: MokoStandards.CI
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/joomla/ci-joomla.yml.template
-# VERSION: 04.06.00
-# BRIEF: CI workflow for Joomla extensions — lint, validate, test
-
-name: Joomla Extension CI
-
-on:
-  pull_request:
-    branches:
-      - main
-      - 'dev/**'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pull-requests: write
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  lint-and-validate:
-    name: Lint & Validate
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup PHP
-        run: |
-          php -v && composer --version
-
-      - name: Clone MokoStandards
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-        run: |
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api
-
-      - name: Install dependencies
-        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
-        run: |
-          if [ -f "composer.json" ]; then
-            composer install \
-              --no-interaction \
-              --prefer-dist \
-              --optimize-autoloader
-          else
-            echo "No composer.json found — skipping dependency install"
-          fi
-
-      - name: PHP syntax check
-        run: |
-          ERRORS=0
-          for DIR in src/ htdocs/; do
-            if [ -d "$DIR" ]; then
-              FOUND=1
-              while IFS= read -r -d '' FILE; do
-                OUTPUT=$(php -l "$FILE" 2>&1)
-                if echo "$OUTPUT" | grep -q "Parse error"; then
-                  echo "::error file=${FILE}::${OUTPUT}"
-                  ERRORS=$((ERRORS + 1))
-                fi
-              done < <(find "$DIR" -name "*.php" -print0)
-            fi
-          done
-          echo "### PHP Syntax Check" >> $GITHUB_STEP_SUMMARY
-          if [ "${ERRORS}" -gt 0 ]; then
-            echo "**${ERRORS} syntax error(s) found.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: XML manifest validation
-        run: |
-          echo "### XML Manifest Validation" >> $GITHUB_STEP_SUMMARY
-          ERRORS=0
-
-          # Find the extension manifest (XML with <extension tag)
-          MANIFEST=""
-          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
-            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
-              MANIFEST="$XML_FILE"
-              break
-            fi
-          done
-
-          if [ -z "$MANIFEST" ]; then
-            echo "No Joomla extension manifest found (XML file with \`<extension\` tag)." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          else
-            echo "Manifest found: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
-
-            # Validate well-formed XML
-            php -r "
-              \$xml = @simplexml_load_file('$MANIFEST');
-              if (\$xml === false) {
-                echo 'INVALID';
-                exit(1);
-              }
-              echo 'VALID';
-            " > /tmp/xml_result 2>&1
-            XML_RESULT=$(cat /tmp/xml_result)
-            if [ "$XML_RESULT" != "VALID" ]; then
-              echo "Manifest is not well-formed XML." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            else
-              echo "Manifest is well-formed XML." >> $GITHUB_STEP_SUMMARY
-            fi
-
-            # Check required tags: name, version, author, namespace (Joomla 5+)
-            for TAG in name version author namespace; do
-              if ! grep -q "<${TAG}>" "$MANIFEST" 2>/dev/null; then
-                echo "Missing required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
-                ERRORS=$((ERRORS + 1))
-              else
-                echo "Found required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
-              fi
-            done
-          fi
-
-          if [ "${ERRORS}" -gt 0 ]; then
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**${ERRORS} manifest issue(s) found.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**Manifest validation passed.**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: Check language files referenced in manifest
-        run: |
-          echo "### Language File Check" >> $GITHUB_STEP_SUMMARY
-          ERRORS=0
-
-          MANIFEST=""
-          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
-            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
-              MANIFEST="$XML_FILE"
-              break
-            fi
-          done
-
-          if [ -n "$MANIFEST" ]; then
-            # Extract language file references from manifest
-            LANG_FILES=$(grep -oP 'language\s+tag="[^"]*"[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
-            if [ -z "$LANG_FILES" ]; then
-              echo "No language file references found in manifest — skipping." >> $GITHUB_STEP_SUMMARY
-            else
-              while IFS= read -r LANG_FILE; do
-                LANG_FILE=$(echo "$LANG_FILE" | xargs)
-                if [ -z "$LANG_FILE" ]; then
-                  continue
-                fi
-                # Check in common locations
-                FOUND=0
-                for BASE in "." "src" "htdocs"; do
-                  if [ -f "${BASE}/${LANG_FILE}" ]; then
-                    FOUND=1
-                    break
-                  fi
-                done
-                if [ "$FOUND" -eq 0 ]; then
-                  echo "Missing language file: \`${LANG_FILE}\`" >> $GITHUB_STEP_SUMMARY
-                  ERRORS=$((ERRORS + 1))
-                else
-                  echo "Language file present: \`${LANG_FILE}\`" >> $GITHUB_STEP_SUMMARY
-                fi
-              done <<< "$LANG_FILES"
-            fi
-          else
-            echo "No manifest found — skipping language check." >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if [ "${ERRORS}" -gt 0 ]; then
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**${ERRORS} missing language file(s).**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**Language file check passed.**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: Check index.html files in directories
-        run: |
-          echo "### Index.html Check" >> $GITHUB_STEP_SUMMARY
-          MISSING=0
-          CHECKED=0
-
-          for DIR in src/ htdocs/; do
-            if [ -d "$DIR" ]; then
-              while IFS= read -r -d '' SUBDIR; do
-                CHECKED=$((CHECKED + 1))
-                if [ ! -f "${SUBDIR}/index.html" ]; then
-                  echo "Missing index.html in: \`${SUBDIR}\`" >> $GITHUB_STEP_SUMMARY
-                  MISSING=$((MISSING + 1))
-                fi
-              done < <(find "$DIR" -type d -print0)
-            fi
-          done
-
-          if [ "${CHECKED}" -eq 0 ]; then
-            echo "No src/ or htdocs/ directories found — skipping." >> $GITHUB_STEP_SUMMARY
-          elif [ "${MISSING}" -gt 0 ]; then
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**${MISSING} director(ies) missing index.html out of ${CHECKED} checked.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "All ${CHECKED} directories contain index.html." >> $GITHUB_STEP_SUMMARY
-          fi
-
-  release-readiness:
-    name: Release Readiness Check
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request' && github.base_ref == 'main'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Validate release readiness
-        run: |
-          echo "## Release Readiness" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          ERRORS=0
-
-          # Extract version from README.md
-          README_VERSION=$(grep -oP '^\s*VERSION:\s*\K[0-9]{2}\.[0-9]{2}\.[0-9]{2}' README.md | head -1)
-          if [ -z "$README_VERSION" ]; then
-            echo "No VERSION found in README.md FILE INFORMATION block." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          else
-            echo "README version: \`${README_VERSION}\`" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          # Find the extension manifest
-          MANIFEST=""
-          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
-            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
-              MANIFEST="$XML_FILE"
-              break
-            fi
-          done
-
-          if [ -z "$MANIFEST" ]; then
-            echo "No Joomla extension manifest found." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          else
-            echo "Manifest: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
-
-            # Check <version> matches README VERSION
-            MANIFEST_VERSION=$(grep -oP '<version>\K[^<]+' "$MANIFEST" | head -1)
-            if [ -z "$MANIFEST_VERSION" ]; then
-              echo "No \`<version>\` tag in manifest." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            elif [ -n "$README_VERSION" ] && [ "$MANIFEST_VERSION" != "$README_VERSION" ]; then
-              echo "Manifest version \`${MANIFEST_VERSION}\` does not match README \`${README_VERSION}\`." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            else
-              echo "Manifest version: \`${MANIFEST_VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            fi
-
-            # Check extension type, element, client attributes
-            EXT_TYPE=$(grep -oP '<extension[^>]*\btype="\K[^"]+' "$MANIFEST" | head -1)
-            if [ -z "$EXT_TYPE" ]; then
-              echo "Missing \`type\` attribute on \`<extension>\` tag." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            else
-              echo "Extension type: \`${EXT_TYPE}\`" >> $GITHUB_STEP_SUMMARY
-            fi
-
-            # Element check (component/module/plugin name)
-            HAS_ELEMENT=$(grep -cP '<(element|name)>' "$MANIFEST" 2>/dev/null || echo "0")
-            if [ "$HAS_ELEMENT" -eq 0 ]; then
-              echo "Missing \`<element>\` or \`<name>\` in manifest." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            fi
-
-            # Client attribute for site/admin modules and plugins
-            if echo "$EXT_TYPE" | grep -qP "^(module|plugin)$"; then
-              HAS_CLIENT=$(grep -cP '<extension[^>]*\bclient=' "$MANIFEST" 2>/dev/null || echo "0")
-              if [ "$HAS_CLIENT" -eq 0 ]; then
-                echo "Missing \`client\` attribute for ${EXT_TYPE} extension." >> $GITHUB_STEP_SUMMARY
-                ERRORS=$((ERRORS + 1))
-              fi
-            fi
-          fi
-
-          # Check updates.xml exists
-          if [ -f "updates.xml" ] || [ -f "updates.xml" ]; then
-            echo "Update XML present." >> $GITHUB_STEP_SUMMARY
-          else
-            echo "No updates.xml found." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          # Check CHANGELOG.md exists
-          if [ -f "CHANGELOG.md" ]; then
-            echo "CHANGELOG.md present." >> $GITHUB_STEP_SUMMARY
-          else
-            echo "No CHANGELOG.md found." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          echo "" >> $GITHUB_STEP_SUMMARY
-          if [ $ERRORS -gt 0 ]; then
-            echo "**${ERRORS} issue(s) must be resolved before release.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "**Extension is ready for release.**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-  test:
-    name: Tests (PHP ${{ matrix.php }})
-    runs-on: ubuntu-latest
-    needs: lint-and-validate
-
-    strategy:
-      fail-fast: false
-      matrix:
-        php: ['8.2', '8.3']
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup PHP ${{ matrix.php }}
-        run: |
-          php -v && composer --version
-
-      - name: Install dependencies
-        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
-        run: |
-          if [ -f "composer.json" ]; then
-            composer install \
-              --no-interaction \
-              --prefer-dist \
-              --optimize-autoloader
-          else
-            echo "No composer.json found — skipping dependency install"
-          fi
-
-      - name: Run tests
-        run: |
-          echo "### Test Results (PHP ${{ matrix.php }})" >> $GITHUB_STEP_SUMMARY
-          if [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
-            vendor/bin/phpunit --testdox 2>&1 | tee /tmp/test-output.log
-            EXIT=${PIPESTATUS[0]}
-            if [ $EXIT -eq 0 ]; then
-              echo "All tests passed." >> $GITHUB_STEP_SUMMARY
-            else
-              echo "Test failures detected — see log." >> $GITHUB_STEP_SUMMARY
-              echo '```' >> $GITHUB_STEP_SUMMARY
-              cat /tmp/test-output.log >> $GITHUB_STEP_SUMMARY
-              echo '```' >> $GITHUB_STEP_SUMMARY
-            fi
-            exit $EXIT
-          else
-            echo "No phpunit.xml found — skipping tests." >> $GITHUB_STEP_SUMMARY
-          fi
-
-  static-analysis:
-    name: PHPStan Analysis
-    runs-on: ubuntu-latest
-    needs: lint-and-validate
-    continue-on-error: true
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup PHP
-        run: php -v && composer --version
-
-      - name: Install dependencies
-        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
-        run: |
-          if [ -f "composer.json" ]; then
-            composer install --no-interaction --prefer-dist --optimize-autoloader
-          fi
-
-      - name: Install PHPStan
-        run: |
-          if ! command -v vendor/bin/phpstan &> /dev/null; then
-            composer require --dev phpstan/phpstan --no-interaction 2>/dev/null || \
-              composer global require phpstan/phpstan --no-interaction
-          fi
-
-      - name: Run PHPStan
-        run: |
-          echo "### PHPStan Static Analysis" >> $GITHUB_STEP_SUMMARY
-          PHPSTAN="vendor/bin/phpstan"
-          if [ ! -f "$PHPSTAN" ]; then
-            PHPSTAN=$(composer global config bin-dir --absolute 2>/dev/null)/phpstan
-          fi
-
-          # Determine source directory
-          SRC_DIR=""
-          for DIR in src/ htdocs/ lib/; do
-            if [ -d "$DIR" ]; then
-              SRC_DIR="$DIR"
-              break
-            fi
-          done
-
-          if [ -z "$SRC_DIR" ]; then
-            echo "No source directory found (src/, htdocs/, lib/) — skipping." >> $GITHUB_STEP_SUMMARY
-            exit 0
-          fi
-
-          # Use repo phpstan.neon if present, otherwise use baseline config
-          ARGS="analyse ${SRC_DIR} --memory-limit=512M --no-progress --error-format=table"
-          if [ -f "phpstan.neon" ] || [ -f "phpstan.neon.dist" ]; then
-            echo "Using project PHPStan config." >> $GITHUB_STEP_SUMMARY
-          else
-            ARGS="$ARGS --level=3"
-            echo "No phpstan.neon found — using level 3 (type inference)." >> $GITHUB_STEP_SUMMARY
-          fi
-
-          $PHPSTAN $ARGS 2>&1 | tee /tmp/phpstan-output.txt
-          EXIT=${PIPESTATUS[0]}
-
-          if [ $EXIT -eq 0 ]; then
-            echo "**No errors found.**" >> $GITHUB_STEP_SUMMARY
-          else
-            ERRORS=$(grep -c "ERROR" /tmp/phpstan-output.txt 2>/dev/null || echo "some")
-            echo "**${ERRORS} error(s) found.** Review output above." >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            tail -30 /tmp/phpstan-output.txt >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-          fi
-          exit $EXIT
@@ -1,87 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Maintenance
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/cleanup.yml
-# VERSION: 01.00.00
-# BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
-
-name: Repository Cleanup
-
-on:
-  schedule:
-    - cron: '0 3 * * 0'  # Weekly on Sunday at 03:00 UTC
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-jobs:
-  cleanup:
-    name: Clean Merged Branches
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
-
-      - name: Delete merged branches
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-        run: |
-          echo "=== Merged Branch Cleanup ==="
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-
-          # List branches via API
-          BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
-            "${API}/branches?limit=50" | jq -r '.[].name')
-
-          DELETED=0
-          for BRANCH in $BRANCHES; do
-            # Skip protected branches
-            case "$BRANCH" in
-              main|master|develop|release/*|hotfix/*) continue ;;
-            esac
-
-            # Check if branch is merged into main
-            if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
-              echo "  Deleting merged branch: ${BRANCH}"
-              curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
-                "${API}/branches/${BRANCH}" 2>/dev/null || true
-              DELETED=$((DELETED + 1))
-            fi
-          done
-
-          echo "Deleted ${DELETED} merged branch(es)"
-
-      - name: Clean old workflow runs
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-        run: |
-          echo "=== Workflow Run Cleanup ==="
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
-
-          # Get old completed runs
-          RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
-            "${API}/actions/runs?status=completed&limit=50" | \
-            jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
-
-          DELETED=0
-          for RUN_ID in $RUNS; do
-            curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
-              "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
-            DELETED=$((DELETED + 1))
-          done
-
-          echo "Deleted ${DELETED} old workflow run(s)"
@@ -1,126 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Deploy
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
-# PATH: /templates/workflows/joomla/deploy-manual.yml.template
-# VERSION: 04.07.00
-# BRIEF: Manual SFTP deploy to dev server for Joomla repos
-
-name: Deploy to Dev (Manual)
-
-on:
-  workflow_dispatch:
-    inputs:
-      clear_remote:
-        description: 'Delete all remote files before uploading'
-        required: false
-        default: 'false'
-        type: boolean
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-permissions:
-  contents: read
-
-jobs:
-  deploy:
-    name: SFTP Deploy to Dev
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup PHP
-        run: |
-          php -v && composer --version
-
-      - name: Setup MokoStandards tools
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
-        run: |
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api 2>/dev/null || true
-          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
-            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-
-      - name: Check FTP configuration
-        id: check
-        env:
-          HOST: ${{ vars.DEV_FTP_HOST }}
-          PATH_VAR: ${{ vars.DEV_FTP_PATH }}
-          PORT: ${{ vars.DEV_FTP_PORT }}
-        run: |
-          if [ -z "$HOST" ] || [ -z "$PATH_VAR" ]; then
-            echo "DEV_FTP_HOST or DEV_FTP_PATH not configured -- cannot deploy"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-          echo "host=$HOST" >> "$GITHUB_OUTPUT"
-
-          REMOTE="${PATH_VAR%/}"
-          echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"
-
-          [ -z "$PORT" ] && PORT="22"
-          echo "port=$PORT" >> "$GITHUB_OUTPUT"
-
-      - name: Deploy via SFTP
-        if: steps.check.outputs.skip != 'true'
-        env:
-          SFTP_KEY: ${{ secrets.DEV_FTP_KEY }}
-          SFTP_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-          SFTP_USER: ${{ vars.DEV_FTP_USERNAME }}
-        run: |
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ -- nothing to deploy"; exit 0; }
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "${{ steps.check.outputs.host }}" "${{ steps.check.outputs.port }}" "$SFTP_USER" "${{ steps.check.outputs.remote }}" \
-            > /tmp/sftp-config.json
-
-          if [ -n "$SFTP_KEY" ]; then
-            echo "$SFTP_KEY" > /tmp/deploy_key
-            chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$SFTP_PASS" >> /tmp/sftp-config.json
-          fi
-
-          DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
-          [ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)
-
-          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
-            php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
-          else
-            php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
-          fi
-
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-
-      - name: Summary
-        if: always()
-        run: |
-          if [ "${{ steps.check.outputs.skip }}" = "true" ]; then
-            echo "### Deploy Skipped -- FTP not configured" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "### Manual Dev Deploy Complete" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-            echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Host | \`${{ steps.check.outputs.host }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Remote | \`${{ steps.check.outputs.remote }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Clear | ${{ inputs.clear_remote }} |" >> $GITHUB_STEP_SUMMARY
-          fi
@@ -1,96 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Security
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/gitleaks.yml.template
-# VERSION: 01.00.00
-# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
-#
-# +========================================================================+
-# |                        SECRET SCANNING                                 |
-# +========================================================================+
-# |                                                                        |
-# |  Scans commits for leaked secrets using Gitleaks.                      |
-# |                                                                        |
-# |  - PR scan: only new commits in the PR                                 |
-# |  - Scheduled: full repo scan weekly                                    |
-# |  - Alerts via ntfy on findings                                         |
-# |                                                                        |
-# +========================================================================+
-
-name: Secret Scanning
-
-on:
-  pull_request:
-    branches:
-      - main
-      - 'dev/**'
-  schedule:
-    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
-
-jobs:
-  gitleaks:
-    name: Gitleaks Secret Scan
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install Gitleaks
-        run: |
-          GITLEAKS_VERSION="8.21.2"
-          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
-            | tar -xz -C /usr/local/bin gitleaks
-          gitleaks version
-
-      - name: Scan for secrets
-        id: scan
-        run: |
-          echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
-          ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
-
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            # Scan only PR commits
-            ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
-            echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if gitleaks detect $ARGS 2>&1; then
-            echo "result=clean" >> "$GITHUB_OUTPUT"
-            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "result=found" >> "$GITHUB_OUTPUT"
-            FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
-            echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-
-      - name: Notify on findings
-        if: failure() && steps.scan.outputs.result == 'found'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          curl -sS \
-            -H "Title: ${REPO} — secrets detected in code" \
-            -H "Tags: rotating_light,key" \
-            -H "Priority: urgent" \
-            -d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
-            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -6,16 +6,17 @@
 <moko-platform xmlns="https://standards.mokoconsulting.tech/moko-platform/1.0" schema-version="1.0">
  <identity>
    <name>MokoWaaS</name>
+    <display-name>Package - MokoWaaS</display-name>
    <org>MokoConsulting</org>
    <description>White-label identity, security hardening, and tenant restriction layer for WaaS-managed Joomla environments</description>
-    <version>02.16.00-dev</version>
+    <version>02.27.00</version>
    <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
  </identity>
  <governance>
    <platform>joomla</platform>
    <standards-version>05.00.00</standards-version>
    <standards-source>https://git.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
-    <last-synced>2026-05-21T20:48:00+00:00</last-synced>
+    <last-synced>2026-05-28T20:00:00+00:00</last-synced>
  </governance>
  <build>
    <language>PHP</language>
@@ -1,71 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Notifications
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/notify.yml
-# VERSION: 01.00.00
-# BRIEF: Push notifications via ntfy on release success or workflow failure
-
-name: Notifications
-
-on:
-  workflow_run:
-    workflows:
-      - "Joomla Build & Release"
-      - "Joomla Extension CI"
-      - "Deploy"
-      - "Cascade Main → Dev"
-    types:
-      - completed
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-releases' }}
-
-jobs:
-  notify:
-    name: Send Notification
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.workflow_run.conclusion == 'success' ||
-      github.event.workflow_run.conclusion == 'failure'
-
-    steps:
-      - name: Notify on success (releases only)
-        if: >-
-          github.event.workflow_run.conclusion == 'success' &&
-          contains(github.event.workflow_run.name, 'Release')
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          WORKFLOW="${{ github.event.workflow_run.name }}"
-          URL="${{ github.event.workflow_run.html_url }}"
-
-          curl -sS \
-            -H "Title: ${REPO} released" \
-            -H "Tags: white_check_mark,package" \
-            -H "Priority: default" \
-            -H "Click: ${URL}" \
-            -d "${WORKFLOW} completed successfully." \
-            "${NTFY_URL}/${NTFY_TOPIC}"
-
-      - name: Notify on failure
-        if: github.event.workflow_run.conclusion == 'failure'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          WORKFLOW="${{ github.event.workflow_run.name }}"
-          URL="${{ github.event.workflow_run.html_url }}"
-
-          curl -sS \
-            -H "Title: ${REPO} workflow failed" \
-            -H "Tags: x,warning" \
-            -H "Priority: high" \
-            -H "Click: ${URL}" \
-            -d "${WORKFLOW} failed. Check the run for details." \
-            "${NTFY_URL}/${NTFY_TOPIC}"
@@ -1,90 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# Enforces branch merge policy:
-#   feature/* → dev only
-#   fix/*     → dev only
-#   hotfix/*  → dev or main (emergency)
-#   dev       → main only
-#   alpha/*   → dev only
-#   beta/*    → dev only
-#   rc/*      → main only
-
-name: Branch Policy Check
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, edited]
-
-jobs:
-  check-target:
-    name: Verify merge target
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check branch policy
-        run: |
-          HEAD="${{ github.head_ref }}"
-          BASE="${{ github.base_ref }}"
-
-          echo "PR: ${HEAD} → ${BASE}"
-
-          ALLOWED=true
-          REASON=""
-
-          case "$HEAD" in
-            feature/*|feat/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Feature branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            fix/*|bugfix/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Fix branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            hotfix/*)
-              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
-              fi
-              ;;
-            alpha/*|beta/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Pre-release branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            rc/*)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Release candidate branches must target 'main', not '${BASE}'"
-              fi
-              ;;
-            dev)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Dev branch can only merge into 'main', not '${BASE}'"
-              fi
-              ;;
-          esac
-
-          if [ "$ALLOWED" = false ]; then
-            echo "::error::${REASON}"
-            echo ""
-            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
-            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-
-          echo "Branch policy: OK (${HEAD} → ${BASE})"
-          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
@@ -1,106 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.CI
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/pr-check.yml
-# VERSION: 01.00.00
-# BRIEF: PR gate — validates code quality and manifest before merge to main
-
-name: PR Check
-
-on:
-  pull_request:
-    branches:
-      - main
-    types: [opened, synchronize, reopened]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  validate:
-    name: Validate PR
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup PHP
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
-          fi
-
-      - name: PHP syntax check
-        run: |
-          echo "=== PHP Lint ==="
-          ERRORS=0
-          while IFS= read -r -d '' file; do
-            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
-              ERRORS=$((ERRORS + 1))
-            fi
-          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
-          echo "Checked files, errors: ${ERRORS}"
-          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
-
-      - name: Validate Joomla manifest
-        run: |
-          echo "=== Manifest Validation ==="
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -z "$MANIFEST" ]; then
-            echo "::warning::No Joomla manifest found"
-            exit 0
-          fi
-          echo "Manifest: ${MANIFEST}"
-
-          # Check well-formed XML
-          if ! php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}"; then
-            echo "::error::Manifest XML is malformed"
-            exit 1
-          fi
-
-          # Check required elements
-          for ELEMENT in name version description; do
-            if ! grep -q "<${ELEMENT}>" "$MANIFEST"; then
-              echo "::error::Missing <${ELEMENT}> in manifest"
-              exit 1
-            fi
-          done
-          echo "Manifest valid"
-
-      - name: Check updates.xml format
-        run: |
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml — skipping"
-            exit 0
-          fi
-          echo "=== updates.xml Validation ==="
-          if ! php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}"; then
-            echo "::error::updates.xml is malformed"
-            exit 1
-          fi
-          echo "updates.xml valid"
-
-      - name: Verify package builds
-        run: |
-          echo "=== Package Build Test ==="
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ ! -d "$SOURCE_DIR" ]; then
-            echo "::warning::No src/ or htdocs/ directory"
-            exit 0
-          fi
-          # Dry-run: ensure zip would succeed
-          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
-          echo "Source contains ${FILE_COUNT} files — package will build"
-          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
@@ -1,341 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/pre-release.yml
-# VERSION: 01.00.00
-# BRIEF: Manual pre-release — builds dev/alpha/beta/rc packages from any branch
-
-name: Pre-Release
-
-on:
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Pre-release channel'
-        required: true
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - release-candidate
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-jobs:
-  build:
-    name: "Build Pre-Release (${{ inputs.stability }})"
-    runs-on: release
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
-
-      - name: Setup PHP
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip >/dev/null 2>&1
-          fi
-
-      - name: Resolve metadata
-        id: meta
-        run: |
-          STABILITY="${{ inputs.stability }}"
-
-          case "$STABILITY" in
-            development)        SUFFIX="-dev";   TAG="development" ;;
-            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)               SUFFIX="-beta";  TAG="beta" ;;
-            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
-          esac
-
-          # Read and bump patch version (with rollover)
-          CURRENT=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
-          [ -z "$CURRENT" ] && CURRENT="00.00.00"
-
-          MAJOR=$(echo "$CURRENT" | cut -d. -f1)
-          MINOR=$(echo "$CURRENT" | cut -d. -f2)
-          PATCH=$(echo "$CURRENT" | cut -d. -f3)
-
-          # Patch bump with rollover: ZZ=99 → bump minor, YY=99 → bump major
-          NEW_PATCH=$((10#$PATCH + 1))
-          NEW_MINOR=$((10#$MINOR))
-          NEW_MAJOR=$((10#$MAJOR))
-
-          if [ $NEW_PATCH -gt 99 ]; then
-            NEW_PATCH=0
-            NEW_MINOR=$((NEW_MINOR + 1))
-          fi
-          if [ $NEW_MINOR -gt 99 ]; then
-            NEW_MINOR=0
-            NEW_MAJOR=$((NEW_MAJOR + 1))
-          fi
-
-          VERSION=$(printf "%02d.%02d.%02d" $NEW_MAJOR $NEW_MINOR $NEW_PATCH)
-          TODAY=$(date +%Y-%m-%d)
-
-          echo "Bumping: ${CURRENT} → ${VERSION} (patch)"
-
-          # Update README.md
-          sed -i "s/VERSION:[[:space:]]*${CURRENT}/VERSION: ${VERSION}/" README.md
-
-          # Update manifest
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -n "$MANIFEST" ]; then
-            MANIFEST_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
-            sed -i "s|<version>${MANIFEST_VER}</version>|<version>${VERSION}</version>|" "$MANIFEST"
-            sed -i "s|<creationDate>[^<]*</creationDate>|<creationDate>${TODAY}</creationDate>|" "$MANIFEST"
-          fi
-
-          # Commit version bump
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): bump ${CURRENT} → ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1
-          }
-
-          # Auto-detect element from manifest
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          EXT_ELEMENT=""
-          if [ -n "$MANIFEST" ]; then
-            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            if [ -z "$EXT_ELEMENT" ]; then
-              EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-              case "$EXT_ELEMENT" in
-                templatedetails|manifest) EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
-              esac
-            fi
-          else
-            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          fi
-
-          ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
-
-          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
-
-      - name: Build package
-        run: |
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ ! -d "$SOURCE_DIR" ]; then
-            echo "::error::No src/ or htdocs/ directory"
-            exit 1
-          fi
-
-          mkdir -p build/package
-          rsync -a \
-            --exclude='sftp-config*' \
-            --exclude='.ftpignore' \
-            --exclude='*.ppk' \
-            --exclude='*.pem' \
-            --exclude='*.key' \
-            --exclude='.env*' \
-            --exclude='*.local' \
-            --exclude='.build-trigger' \
-            "${SOURCE_DIR}/" build/package/
-
-      - name: Create ZIP
-        id: zip
-        run: |
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          cd build/package
-          zip -r "../${ZIP_NAME}" .
-          cd ..
-
-          SHA256=$(sha256sum "${ZIP_NAME}" | cut -d' ' -f1)
-          echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
-          echo "ZIP: ${ZIP_NAME} (SHA: ${SHA256:0:16}...)"
-
-      - name: Create or replace Gitea release
-        id: release
-        run: |
-          TAG="${{ steps.meta.outputs.tag }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          BRANCH=$(git branch --show-current)
-
-          BODY="## ${VERSION} ($(date +%Y-%m-%d))
-          **Channel:** ${STABILITY}
-          **SHA-256:** \`${SHA256}\`"
-
-          # Delete existing release
-          EXISTING_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
-            "${API}/releases/tags/${TAG}" | jq -r '.id // empty' 2>/dev/null)
-          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/tags/${TAG}" 2>/dev/null || true
-          fi
-
-          # Create release
-          RELEASE_ID=$(curl -sS -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API}/releases" \
-            -d "$(jq -n \
-              --arg tag "$TAG" \
-              --arg target "$BRANCH" \
-              --arg name "${EXT_ELEMENT} ${VERSION} (${STABILITY})" \
-              --arg body "$BODY" \
-              '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, prerelease: true}'
-            )" | jq -r '.id')
-
-          echo "release_id=${RELEASE_ID}" >> "$GITHUB_OUTPUT"
-
-          # Upload ZIP
-          curl -sS -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/octet-stream" \
-            "${API}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" \
-            --data-binary "@build/${ZIP_NAME}"
-
-          echo "Released: ${EXT_ELEMENT} ${VERSION} (${STABILITY})"
-
-      - name: Update updates.xml
-        run: |
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          DATE=$(date +%Y-%m-%d)
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml — skipping"
-            exit 0
-          fi
-
-          export PY_STABILITY="$STABILITY" PY_VERSION="$VERSION" PY_SHA256="$SHA256" \
-                 PY_ZIP_NAME="$ZIP_NAME" PY_TAG="$TAG" PY_DATE="$DATE" \
-                 PY_GITEA_ORG="$GITEA_ORG" PY_GITEA_REPO="$GITEA_REPO"
-          python3 << 'PYEOF'
-          import re, os
-
-          stability  = os.environ["PY_STABILITY"]
-          version    = os.environ["PY_VERSION"]
-          sha256     = os.environ["PY_SHA256"]
-          zip_name   = os.environ["PY_ZIP_NAME"]
-          tag        = os.environ["PY_TAG"]
-          date       = os.environ["PY_DATE"]
-          gitea_org  = os.environ["PY_GITEA_ORG"]
-          gitea_repo = os.environ["PY_GITEA_REPO"]
-          download_url = f"https://git.mokoconsulting.tech/{gitea_org}/{gitea_repo}/releases/download/{tag}/{zip_name}"
-
-          with open("updates.xml", "r") as f:
-              content = f.read()
-
-          # Map stability to XML tag name
-          tag_map = {"development": "development", "alpha": "alpha", "beta": "beta", "release-candidate": "rc"}
-          xml_tag = tag_map.get(stability, stability)
-
-          pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(xml_tag) + r"</tag>.*?</update>)"
-          match = re.search(pattern, content, re.DOTALL)
-          if match:
-              block = match.group(1)
-              updated = re.sub(r"<version>[^<]*</version>", f"<version>{version}</version>", block)
-              updated = re.sub(r"<creationDate>[^<]*</creationDate>", f"<creationDate>{date}</creationDate>", updated)
-              if "<sha256>" in updated:
-                  updated = re.sub(r"<sha256>[^<]*</sha256>", f"<sha256>{sha256}</sha256>", updated)
-              else:
-                  updated = updated.replace("</downloads>", f"</downloads>\n    <sha256>{sha256}</sha256>")
-              updated = re.sub(r"(<downloadurl[^>]*>)[^<]*(</downloadurl>)", rf"\g<1>{download_url}\g<2>", updated)
-              content = content.replace(block, updated)
-              print(f"Updated {xml_tag} channel: version={version}")
-          else:
-              print(f"WARNING: No <tag>{xml_tag}</tag> block in updates.xml")
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-
-          # Commit and push to current branch
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        run: |
-          CURRENT_BRANCH="${{ github.ref_name }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-
-          # Sync updates.xml to main and dev (whichever isn't current)
-          for BRANCH in main dev; do
-            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
-
-            echo "Syncing updates.xml → ${BRANCH}"
-            git fetch origin "${BRANCH}" 2>/dev/null || continue
-            git checkout "origin/${BRANCH}" -- . 2>/dev/null || continue
-            git checkout "${CURRENT_BRANCH}" -- updates.xml
-            if ! git diff --quiet updates.xml 2>/dev/null; then
-              git add updates.xml
-              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
-              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-            fi
-            git checkout "${CURRENT_BRANCH}" 2>/dev/null
-          done
-
-      - name: "Delete lesser pre-release channels (cascade)"
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-
-          # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing
-          case "$STABILITY" in
-            release-candidate) TAGS_TO_DELETE="beta alpha development" ;;
-            beta)              TAGS_TO_DELETE="alpha development" ;;
-            alpha)             TAGS_TO_DELETE="development" ;;
-            *)                 TAGS_TO_DELETE="" ;;
-          esac
-
-          [ -z "$TAGS_TO_DELETE" ] && exit 0
-
-          for TAG in $TAGS_TO_DELETE; do
-            RELEASE_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
-              "${API_BASE}/releases/tags/${TAG}" 2>/dev/null | \
-              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
-              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/releases/${RELEASE_ID}" 2>/dev/null || true
-              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/tags/${TAG}" 2>/dev/null || true
-              echo "Deleted: ${TAG} (id: ${RELEASE_ID})"
-            fi
-          done
@@ -1,600 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# This file is part of a Moko Consulting project.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Joomla
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/release.yml
-# VERSION: 02.00.00
-# BRIEF: Generic Joomla release — auto-detects element from manifest, stream tags, cascade
-
-name: Create Release
-
-on:
-  push:
-    tags:
-      - 'stable'
-      - 'release-candidate'
-      - 'beta'
-      - 'alpha'
-      - 'development'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'stable'
-        type: choice
-        options:
-          - stable
-          - release-candidate
-          - beta
-          - alpha
-          - development
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-jobs:
-  build:
-    name: Build Release Package
-    runs-on: release
-
-    steps:
-      # Always checkout main for tag triggers (avoids detached HEAD).
-      # For workflow_dispatch, checkout whatever branch was selected.
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event_name == 'push' && 'main' || github.ref }}
-          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
-
-      - name: Setup PHP
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          echo "PHP: $(php -v | head -1)"
-          echo "Composer: $(composer --version 2>&1 | head -1)"
-
-      - name: Get version and stability
-        id: meta
-        run: |
-          echo "=== Meta ==="
-          echo "event_name: ${{ github.event_name }}"
-          echo "ref: ${{ github.ref }}"
-          echo "ref_name: ${{ github.ref_name }}"
-          echo "sha: ${{ github.sha }}"
-
-          # Derive stability from tag name or dispatch input
-          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          else
-            TAG_PUSHED="${GITHUB_REF#refs/tags/}"
-            case "$TAG_PUSHED" in
-              stable)             STABILITY="stable" ;;
-              release-candidate)  STABILITY="rc" ;;
-              beta)               STABILITY="beta" ;;
-              alpha)              STABILITY="alpha" ;;
-              development)        STABILITY="development" ;;
-              *)                  STABILITY="stable" ;;
-            esac
-          fi
-
-          # Read version from README.md (will be bumped in next step)
-          VERSION=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
-          [ -z "$VERSION" ] && VERSION="00.00.00"
-
-          # Auto-detect extension element from Joomla manifest
-          # Search depth 3 covers src/admin/com_xxx.xml and similar nested structures
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          EXT_ELEMENT=""
-          if [ -n "$MANIFEST" ]; then
-            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
-            # If no <element> tag, derive from manifest filename or repo name
-            if [ -z "$EXT_ELEMENT" ]; then
-              EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-              case "$EXT_ELEMENT" in
-                templatedetails|manifest) EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
-              esac
-            fi
-            echo "Manifest: ${MANIFEST}, element: ${EXT_ELEMENT}"
-          else
-            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-            echo "No manifest found, using repo name: ${EXT_ELEMENT}"
-          fi
-
-          case "$STABILITY" in
-            development) SUFFIX="-dev";   TAG_NAME="development" ;;
-            alpha)       SUFFIX="-alpha"; TAG_NAME="alpha" ;;
-            beta)        SUFFIX="-beta";  TAG_NAME="beta" ;;
-            rc)          SUFFIX="-rc";    TAG_NAME="release-candidate" ;;
-            stable)      SUFFIX="";       TAG_NAME="stable" ;;
-            *)           SUFFIX="-dev";   TAG_NAME="development" ;;
-          esac
-
-          PRERELEASE="true"
-          [ "$STABILITY" = "stable" ] && PRERELEASE="false"
-
-          ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "prerelease=${PRERELEASE}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag_name=${TAG_NAME}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-
-          echo "=== Resolved ==="
-          echo "VERSION=${VERSION}"
-          echo "STABILITY=${STABILITY}"
-          echo "TAG_NAME=${TAG_NAME}"
-          echo "ZIP_NAME=${ZIP_NAME}"
-          echo "Branch: $(git branch --show-current)"
-
-      - name: Auto-bump patch version
-        id: bump
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-          INPUT_VERSION: ${{ steps.meta.outputs.version }}
-          INPUT_STABILITY: ${{ steps.meta.outputs.stability }}
-          INPUT_SUFFIX: ${{ steps.meta.outputs.suffix }}
-          EXT_ELEMENT: ${{ steps.meta.outputs.ext_element }}
-        run: |
-          BRANCH=$(git branch --show-current)
-          GITEA_API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-
-          echo "=== Version Bump ==="
-          echo "On branch: ${BRANCH}"
-
-          # Read current version from README.md
-          CURRENT=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
-          echo "Current version in README: ${CURRENT}"
-
-          if [ -z "$CURRENT" ]; then
-            echo "No VERSION in README.md — using input version"
-            echo "version=${INPUT_VERSION}" >> "$GITHUB_OUTPUT"
-            echo "zip_name=${EXT_ELEMENT}-${INPUT_VERSION}${INPUT_SUFFIX}.zip" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          # Bump patch: XX.YY.ZZ → XX.YY.(ZZ+1)
-          MAJOR=$(echo "$CURRENT" | cut -d. -f1)
-          MINOR=$(echo "$CURRENT" | cut -d. -f2)
-          PATCH=$(echo "$CURRENT" | cut -d. -f3)
-          NEW_PATCH=$(printf "%02d" $((10#$PATCH + 1)))
-          NEW_VERSION="${MAJOR}.${MINOR}.${NEW_PATCH}"
-          TODAY=$(date +%Y-%m-%d)
-
-          echo "Bumping: ${CURRENT} → ${NEW_VERSION} (date: ${TODAY})"
-
-          # Update README.md
-          sed -i "s/VERSION:[[:space:]]*${CURRENT}/VERSION: ${NEW_VERSION}/" README.md
-
-          # Update manifest (templateDetails.xml / *.xml with <extension>)
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -n "$MANIFEST" ]; then
-            echo "Manifest: ${MANIFEST}"
-            sed -i "s|<version>${CURRENT}</version>|<version>${NEW_VERSION}</version>|" "$MANIFEST"
-            sed -i "s|<creationDate>[^<]*</creationDate>|<creationDate>${TODAY}</creationDate>|" "$MANIFEST"
-          fi
-
-          # Update matching stability channel in updates.xml
-          if [ -f "updates.xml" ]; then
-            export PY_OLD="$CURRENT" PY_NEW="$NEW_VERSION" PY_STABILITY="$INPUT_STABILITY" PY_DATE="$TODAY"
-            python3 << 'PYEOF'
-          import re, os
-          old = os.environ["PY_OLD"]
-          new = os.environ["PY_NEW"]
-          stability = os.environ["PY_STABILITY"]
-          date = os.environ["PY_DATE"]
-          with open("updates.xml") as f:
-              content = f.read()
-          pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(stability) + r"</tag>.*?</update>)"
-          match = re.search(pattern, content, re.DOTALL)
-          if match:
-              block = match.group(1)
-              updated = block.replace(old, new)
-              updated = re.sub(r"<creationDate>[^<]*</creationDate>", f"<creationDate>{date}</creationDate>", updated)
-              content = content.replace(block, updated)
-              print(f"Updated {stability} channel: {old} -> {new}")
-          else:
-              print(f"WARNING: No <update> block found for <tag>{stability}</tag>")
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-          fi
-
-          # Commit and push version bump
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${GA_TOKEN}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git diff --cached --quiet && echo "No changes to commit" || {
-            git commit -m "chore(version): bump ${CURRENT} → ${NEW_VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            echo "Pushing version bump to ${BRANCH}..."
-            git push origin HEAD:${BRANCH} 2>&1
-            echo "Push exit code: $?"
-          }
-
-          # For stable releases from non-main: merge to main via Gitea API
-          if [ "$INPUT_STABILITY" = "stable" ] && [ "$BRANCH" != "main" ]; then
-            echo "Merging ${BRANCH} → main via Gitea API..."
-            HTTP_CODE=$(curl -sS -o /tmp/merge_response.json -w "%{http_code}" \
-              -X POST -H "Authorization: token ${GA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${GITEA_API}/merges" \
-              -d "$(jq -n \
-                --arg base "main" \
-                --arg head "${BRANCH}" \
-                --arg msg "chore(release): merge ${BRANCH} for stable ${NEW_VERSION} [skip ci]" \
-                '{base: $base, head: $head, merge_message_field: $msg}'
-              )")
-            echo "Merge response (HTTP ${HTTP_CODE}):"
-            cat /tmp/merge_response.json 2>/dev/null; echo
-          fi
-
-          echo "version=${NEW_VERSION}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${EXT_ELEMENT}-${NEW_VERSION}${INPUT_SUFFIX}.zip" >> "$GITHUB_OUTPUT"
-          echo "=== Bump complete: ${NEW_VERSION} ==="
-
-      - name: Install dependencies
-        env:
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
-        run: |
-          if [ -f "composer.json" ]; then
-            echo "Installing composer dependencies..."
-            composer install --no-dev --optimize-autoloader --no-interaction 2>&1
-          else
-            echo "No composer.json — skipping"
-          fi
-
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-
-      - name: Minify CSS and JS
-        run: |
-          if [ -f "package.json" ] && [ -f "scripts/minify.js" ]; then
-            npm ci --ignore-scripts
-            node scripts/minify.js
-          else
-            echo "No minify setup — skipping"
-          fi
-
-      - name: Create package
-        run: |
-          # Detect source directory (src/ or htdocs/)
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ ! -d "$SOURCE_DIR" ]; then
-            echo "::error::No src/ or htdocs/ directory found"
-            exit 1
-          fi
-          echo "Source directory: ${SOURCE_DIR}"
-
-          mkdir -p build/package
-          rsync -av \
-            --exclude='sftp-config*' \
-            --exclude='.ftpignore' \
-            --exclude='*.ppk' \
-            --exclude='*.pem' \
-            --exclude='*.key' \
-            --exclude='.env*' \
-            --exclude='*.local' \
-            --exclude='.build-trigger' \
-            --exclude='.beta-trigger' \
-            --exclude='.rc-trigger' \
-            "${SOURCE_DIR}/" build/package/
-          echo "Package contents:"
-          ls -la build/package/ | head -20
-
-      - name: Build ZIP
-        id: zip
-        run: |
-          ZIP_NAME="${{ steps.bump.outputs.zip_name }}"
-          echo "Building: ${ZIP_NAME}"
-          cd build/package
-          zip -r "../${ZIP_NAME}" .
-          cd ..
-
-          SHA256=$(sha256sum "${ZIP_NAME}" | cut -d' ' -f1)
-          SIZE=$(stat -c%s "${ZIP_NAME}")
-
-          echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
-          echo "size=${SIZE}" >> "$GITHUB_OUTPUT"
-          echo "=== Package Built ==="
-          echo "ZIP: ${ZIP_NAME}"
-          echo "SHA-256: ${SHA256}"
-          echo "Size: ${SIZE} bytes"
-
-      # ── Gitea Release (PRIMARY) ─────────────────────────���────────────
-      - name: "Gitea: Create or update release"
-        id: gitea_release
-        env:
-          EXT_ELEMENT: ${{ steps.meta.outputs.ext_element }}
-        run: |
-          TAG="${{ steps.meta.outputs.tag_name }}"
-          VERSION="${{ steps.bump.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          BRANCH=$(git branch --show-current)
-          MAX_HISTORY=5
-
-          IS_PRE="true"
-          [ "$STABILITY" = "stable" ] && IS_PRE="false"
-
-          # Build this version's entry
-          NEW_ENTRY="## ${VERSION} ($(date +%Y-%m-%d))
-          **SHA-256:** \`${SHA256}\`"
-
-          if [ -f "CHANGELOG.md" ]; then
-            NOTES=$(awk "/## \[${VERSION}\]/,/## \[/{if(/## \[${VERSION}\]/)next;if(/## \[/)exit;print}" CHANGELOG.md)
-            [ -n "$NOTES" ] && NEW_ENTRY="## ${VERSION} ($(date +%Y-%m-%d))
-          ${NOTES}
-          **SHA-256:** \`${SHA256}\`"
-          fi
-
-          # Check for existing release — keep last N versions in body
-          EXISTING_BODY=""
-          EXISTING_ID=""
-          RELEASE_JSON=$(curl -sS -H "Authorization: token ${TOKEN}" \
-            "${API}/releases/tags/${TAG}" 2>/dev/null)
-          EXISTING_ID=$(echo "$RELEASE_JSON" | jq -r '.id // empty')
-
-          if [ -n "$EXISTING_ID" ]; then
-            echo "Existing release found: id=${EXISTING_ID}"
-            EXISTING_BODY=$(echo "$RELEASE_JSON" | jq -r '.body // ""')
-
-            # Keep only last (MAX_HISTORY - 1) version entries to make room for new one
-            TRIMMED_BODY=$(echo "$EXISTING_BODY" | python3 -c "
-          import sys, re
-          content = sys.stdin.read()
-          # Split on version headers (## XX.YY.ZZ)
-          parts = re.split(r'(?=^## \d)', content, flags=re.MULTILINE)
-          # Keep only version entries (skip any preamble)
-          versions = [p for p in parts if re.match(r'^## \d', p)]
-          # Keep last $((MAX_HISTORY - 1)) entries
-          kept = versions[:$((MAX_HISTORY - 1))]
-          print('\n---\n'.join(kept))
-          " 2>/dev/null || echo "")
-
-            # Delete old release and tag so we can recreate
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/tags/${TAG}" 2>/dev/null || true
-          fi
-
-          # Compose full body: new entry + previous entries
-          if [ -n "$TRIMMED_BODY" ]; then
-            FULL_BODY="${NEW_ENTRY}
-
-          ---
-
-          ${TRIMMED_BODY}"
-          else
-            FULL_BODY="${NEW_ENTRY}"
-          fi
-
-          echo "=== Create Release ==="
-          echo "TAG=${TAG} VERSION=${VERSION} BRANCH=${BRANCH} PRE=${IS_PRE} HISTORY=${MAX_HISTORY}"
-
-          HTTP_CODE=$(curl -sS -o /tmp/create_release.json -w "%{http_code}" \
-            -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API}/releases" \
-            -d "$(jq -n \
-              --arg tag "$TAG" \
-              --arg target "$BRANCH" \
-              --arg name "${EXT_ELEMENT} ${VERSION} (${STABILITY})" \
-              --arg body "$FULL_BODY" \
-              --argjson pre "$IS_PRE" \
-              '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, prerelease: $pre}'
-            )")
-
-          echo "Response (HTTP ${HTTP_CODE}):"
-          cat /tmp/create_release.json | jq . 2>/dev/null || cat /tmp/create_release.json
-          echo
-
-          RELEASE_ID=$(jq -r '.id // empty' /tmp/create_release.json)
-          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
-            echo "::error::Failed to create release (HTTP ${HTTP_CODE})"
-            exit 1
-          fi
-
-          echo "release_id=${RELEASE_ID}" >> "$GITHUB_OUTPUT"
-          echo "Release created: id=${RELEASE_ID}"
-
-      - name: "Gitea: Upload ZIP"
-        run: |
-          RELEASE_ID="${{ steps.gitea_release.outputs.release_id }}"
-          ZIP_NAME="${{ steps.bump.outputs.zip_name }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          echo "Uploading ${ZIP_NAME} to release ${RELEASE_ID}..."
-          HTTP_CODE=$(curl -sS -o /tmp/upload_response.json -w "%{http_code}" \
-            -X POST \
-            -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/octet-stream" \
-            "${API}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" \
-            --data-binary "@build/${ZIP_NAME}")
-
-          echo "Upload response (HTTP ${HTTP_CODE}):"
-          cat /tmp/upload_response.json | jq . 2>/dev/null || cat /tmp/upload_response.json
-          echo
-
-          if [ "$HTTP_CODE" -ge 400 ]; then
-            echo "::error::Upload failed (HTTP ${HTTP_CODE})"
-            exit 1
-          fi
-          echo "Uploaded ${ZIP_NAME}"
-
-      # ── Update updates.xml ──────────────────────────────────────────
-      - name: "Update updates.xml with SHA and sync to main"
-        run: |
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          VERSION="${{ steps.bump.outputs.version }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          ZIP_NAME="${{ steps.bump.outputs.zip_name }}"
-          TAG="${{ steps.meta.outputs.tag_name }}"
-          DATE=$(date +%Y-%m-%d)
-          BRANCH=$(git branch --show-current)
-
-          echo "=== Update updates.xml ==="
-          echo "STABILITY=${STABILITY} VERSION=${VERSION} SHA=${SHA256:0:16}..."
-
-          if [ ! -f "updates.xml" ] || [ -z "$SHA256" ]; then
-            echo "No updates.xml or no SHA — skipping"
-            exit 0
-          fi
-
-          # Cascade map: each stability level updates itself + all lower levels
-          # stable → all | rc → rc,beta,alpha,dev | beta → beta,alpha,dev | alpha → alpha,dev | dev → dev
-          case "$STABILITY" in
-            stable)      CASCADE="development,alpha,beta,rc,stable" ;;
-            rc)          CASCADE="development,alpha,beta,rc" ;;
-            beta)        CASCADE="development,alpha,beta" ;;
-            alpha)       CASCADE="development,alpha" ;;
-            development) CASCADE="development" ;;
-            *)           CASCADE="$STABILITY" ;;
-          esac
-
-          echo "Cascade: ${STABILITY} → ${CASCADE}"
-
-          export PY_CASCADE="$CASCADE" PY_VERSION="$VERSION" PY_SHA256="$SHA256" \
-                 PY_ZIP_NAME="$ZIP_NAME" PY_TAG="$TAG" PY_DATE="$DATE" \
-                 PY_GITEA_ORG="$GITEA_ORG" PY_GITEA_REPO="$GITEA_REPO"
-          python3 << 'PYEOF'
-          import re, os
-
-          cascade    = os.environ["PY_CASCADE"].split(",")
-          version    = os.environ["PY_VERSION"]
-          sha256     = os.environ["PY_SHA256"]
-          zip_name   = os.environ["PY_ZIP_NAME"]
-          tag        = os.environ["PY_TAG"]
-          date       = os.environ["PY_DATE"]
-          gitea_org  = os.environ["PY_GITEA_ORG"]
-          gitea_repo = os.environ["PY_GITEA_REPO"]
-
-          gitea_url = f"https://git.mokoconsulting.tech/{gitea_org}/{gitea_repo}/releases/download/{tag}/{zip_name}"
-
-          with open("updates.xml", "r") as f:
-              content = f.read()
-
-          for xml_tag in cascade:
-              xml_tag = xml_tag.strip()
-              block_pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(xml_tag) + r"</tag>.*?</update>)"
-              match = re.search(block_pattern, content, re.DOTALL)
-
-              if not match:
-                  print(f"  SKIP: no <tag>{xml_tag}</tag> block found")
-                  continue
-
-              block = match.group(1)
-              original_block = block
-
-              # Update version and date
-              block = re.sub(r"<version>[^<]*</version>", f"<version>{version}</version>", block)
-              block = re.sub(r"<creationDate>[^<]*</creationDate>", f"<creationDate>{date}</creationDate>", block)
-
-              # Set SHA — add if missing, update if present, never leave empty
-              if "<sha256>" in block:
-                  block = re.sub(r"<sha256>[^<]*</sha256>", f"<sha256>{sha256}</sha256>", block)
-              else:
-                  block = block.replace("</downloads>", f"</downloads>\n    <sha256>{sha256}</sha256>")
-
-              # Update download URL
-              block = re.sub(
-                  r"(<downloadurl[^>]*>)https://git\.mokoconsulting\.tech/[^<]*(</downloadurl>)",
-                  rf"\g<1>{gitea_url}\g<2>",
-                  block
-              )
-
-              content = content.replace(original_block, block)
-              print(f"  OK: {xml_tag} → version={version}, sha={sha256[:16]}...")
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-
-          print(f"Cascaded {len(cascade)} channel(s)")
-          PYEOF
-
-          # Commit and push
-          if git diff --quiet updates.xml 2>/dev/null; then
-            echo "No changes to updates.xml"
-            exit 0
-          fi
-
-          git add updates.xml
-          git commit -m "chore: update ${STABILITY} SHA-256 for ${VERSION} [skip ci]" \
-            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-          echo "Pushing updates.xml to ${BRANCH}..."
-          git push origin HEAD:${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-
-          # Always sync updates.xml to main via API (Joomla reads from main)
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-
-          echo "Syncing updates.xml to main via API..."
-          FILE_SHA=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
-            "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
-
-          if [ -n "$FILE_SHA" ]; then
-            CONTENT=$(base64 -w0 updates.xml)
-            HTTP_CODE=$(curl -sS -o /tmp/sync_response.json -w "%{http_code}" \
-              -X PUT -H "Authorization: token ${GA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${API}/contents/updates.xml" \
-              -d "$(jq -n \
-                --arg content "$CONTENT" \
-                --arg sha "$FILE_SHA" \
-                --arg msg "chore: sync updates.xml ${STABILITY} ${VERSION} [skip ci]" \
-                --arg branch "main" \
-                '{content: $content, sha: $sha, message: $msg, branch: $branch}'
-              )")
-            echo "Sync response (HTTP ${HTTP_CODE}):"
-            cat /tmp/sync_response.json | jq -r '.content.name // .message // "unknown"' 2>/dev/null
-            if [ "$HTTP_CODE" -ge 400 ]; then
-              echo "::warning::Sync to main failed (HTTP ${HTTP_CODE})"
-            fi
-          else
-            echo "::warning::Could not get updates.xml SHA from main"
-          fi
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          ZIP_NAME="${{ steps.bump.outputs.zip_name }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          TAG="${{ steps.meta.outputs.tag_name }}"
-
-          echo "### Release Created" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Tag | \`${TAG}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| SHA-256 | \`${SHA256}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Gitea | [Release](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${TAG}) |" >> $GITHUB_STEP_SUMMARY
@@ -1,766 +0,0 @@
-# ============================================================================
-# Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
-#
-# This file is part of a Moko Consulting project.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Validation
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/joomla/repo_health.yml.template
-# VERSION: 04.06.00
-# BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts.
-# ============================================================================
-
-name: Repo Health
-
-concurrency:
-  group: repo-health-${{ github.repository }}-${{ github.ref }}
-  cancel-in-progress: true
-
-defaults:
-  run:
-    shell: bash
-
-on:
-  workflow_dispatch:
-    inputs:
-      profile:
-        description: 'Validation profile: all, release, scripts, or repo'
-        required: true
-        default: all
-        type: choice
-        options:
-          - all
-          - release
-          - scripts
-          - repo
-  pull_request:
-  push:
-
-permissions:
-  contents: read
-
-env:
-  # Release policy - Repository Variables Only
-  RELEASE_REQUIRED_REPO_VARS: RS_FTP_PATH_SUFFIX
-  RELEASE_OPTIONAL_REPO_VARS: DEV_FTP_SUFFIX
-
-  # Scripts governance policy
-  SCRIPTS_REQUIRED_DIRS:
-  SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
-
-  # Repo health policy
-  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.gitea/workflows/
-  REPO_OPTIONAL_FILES: SECURITY.md,GOVERNANCE.md,.editorconfig,.gitattributes,.gitignore,README.md,docs/
-  REPO_DISALLOWED_DIRS:
-  REPO_DISALLOWED_FILES: TODO.md,todo.md
-
-  # Extended checks toggles
-  EXTENDED_CHECKS: "true"
-
-  # File / directory variables
-  DOCS_INDEX: docs/docs-index.md
-  SCRIPT_DIR: scripts
-  WORKFLOWS_DIR: .gitea/workflows
-  SHELLCHECK_PATTERN: '*.sh'
-  SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  access_check:
-    name: Access control
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    outputs:
-      allowed: ${{ steps.perm.outputs.allowed }}
-      permission: ${{ steps.perm.outputs.permission }}
-
-    steps:
-      - name: Check actor permission (admin only)
-        id: perm
-        env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          REPO: ${{ github.repository }}
-          ACTOR: ${{ github.actor }}
-        run: |
-          set -euo pipefail
-          ALLOWED=false
-          PERMISSION=unknown
-          METHOD=""
-
-          # Hardcoded authorized users — always allowed
-          case "$ACTOR" in
-            jmiller|gitea-actions[bot])
-              ALLOWED=true
-              PERMISSION=admin
-              METHOD="hardcoded allowlist"
-              ;;
-            *)
-              # Detect platform and check permissions via API
-              API_BASE="${GITHUB_API_URL:-${GITEA_API_URL:-https://api.github.com}}"
-              RESP=$(curl -sf -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/repos/${REPO}/collaborators/${ACTOR}/permission" 2>/dev/null || echo '{}')
-              PERMISSION=$(echo "$RESP" | grep -oP '"permission"\s*:\s*"\K[^"]+' || echo "unknown")
-              if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "maintain" ] || [ "$PERMISSION" = "owner" ]; then
-                ALLOWED=true
-              fi
-              METHOD="collaborator API"
-              ;;
-          esac
-
-          echo "permission=${PERMISSION}" >> "$GITHUB_OUTPUT"
-          echo "allowed=${ALLOWED}" >> "$GITHUB_OUTPUT"
-
-          {
-            echo "## Access Authorization"
-            echo ""
-            echo "| Field | Value |"
-            echo "|-------|-------|"
-            echo "| **Actor** | \`${ACTOR}\` |"
-            echo "| **Repository** | \`${REPO}\` |"
-            echo "| **Permission** | \`${PERMISSION}\` |"
-            echo "| **Method** | ${METHOD} |"
-            echo "| **Authorized** | ${ALLOWED} |"
-            echo ""
-            if [ "$ALLOWED" = "true" ]; then
-              echo "${ACTOR} authorized (${METHOD})"
-            else
-              echo "${ACTOR} is NOT authorized. Requires admin or maintain role."
-            fi
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-      - name: Deny execution when not permitted
-        if: ${{ steps.perm.outputs.allowed != 'true' }}
-        run: |
-          set -euo pipefail
-          printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
-          exit 1
-
-  release_config:
-    name: Release configuration
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Guardrails release vars
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-          RS_FTP_PATH_SUFFIX: ${{ vars.RS_FTP_PATH_SUFFIX }}
-          DEV_FTP_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'scripts' ] || [ "${profile}" = 'repo' ]; then
-            {
-              printf '%s\n' '### Release configuration (Repository Variables)'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes release validation'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          IFS=',' read -r -a required <<< "${RELEASE_REQUIRED_REPO_VARS}"
-          IFS=',' read -r -a optional <<< "${RELEASE_OPTIONAL_REPO_VARS}"
-
-          missing=()
-          missing_optional=()
-
-          for k in "${required[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing+=("${k}")
-          done
-
-          for k in "${optional[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing_optional+=("${k}")
-          done
-
-          {
-            printf '%s\n' '### Release configuration (Repository Variables)'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Variable | Status |'
-            printf '%s\n' '|---|---|'
-            printf '%s\n' "| RS_FTP_PATH_SUFFIX | ${RS_FTP_PATH_SUFFIX:-NOT SET} |"
-            printf '%s\n' "| DEV_FTP_SUFFIX | ${DEV_FTP_SUFFIX:-NOT SET} |"
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${#missing_optional[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing optional repository variables'
-              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          if [ "${#missing[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing required repository variables'
-              for m in "${missing[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository variables.'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 1
-          fi
-
-          {
-            printf '%s\n' '### Repository variables validation result'
-            printf '%s\n' 'Status: OK'
-            printf '%s\n' 'All required repository variables present.'
-            printf '%s\n' ''
-            printf '%s\n' '**Note**: Organization secrets (RS_FTP_HOST, RS_FTP_USER, etc.) are validated at deployment time, not in repository health checks.'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-  scripts_governance:
-    name: Scripts governance
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Scripts folder checks
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'repo' ]; then
-            {
-              printf '%s\n' '### Scripts governance'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes scripts governance'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          if [ ! -d "${SCRIPT_DIR}" ]; then
-            {
-              printf '%s\n' '### Scripts governance'
-              printf '%s\n' 'Status: OK (advisory)'
-              printf '%s\n' 'scripts/ directory not present. No scripts governance enforced.'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          IFS=',' read -r -a required_dirs <<< "${SCRIPTS_REQUIRED_DIRS}"
-          IFS=',' read -r -a allowed_dirs <<< "${SCRIPTS_ALLOWED_DIRS}"
-
-          missing_dirs=()
-          unapproved_dirs=()
-
-          for d in "${required_dirs[@]}"; do
-            req="${d%/}"
-            [ ! -d "${req}" ] && missing_dirs+=("${req}/")
-          done
-
-          while IFS= read -r d; do
-            allowed=false
-            for a in "${allowed_dirs[@]}"; do
-              a_norm="${a%/}"
-              [ "${d%/}" = "${a_norm}" ] && allowed=true
-            done
-            [ "${allowed}" = false ] && unapproved_dirs+=("${d%/}/")
-          done < <(find "${SCRIPT_DIR}" -maxdepth 1 -mindepth 1 -type d 2>/dev/null | sed 's#^\./##')
-
-          {
-            printf '%s\n' '### Scripts governance'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Area | Status | Notes |'
-            printf '%s\n' '|---|---|---|'
-
-            if [ "${#missing_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' '| Required directories | Warning | Missing required subfolders |'
-            else
-              printf '%s\n' '| Required directories | OK | All required subfolders present |'
-            fi
-
-            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' '| Directory policy | Warning | Unapproved directories detected |'
-            else
-              printf '%s\n' '| Directory policy | OK | No unapproved directories |'
-            fi
-
-            printf '%s\n' '| Enforcement mode | Advisory | scripts folder is optional |'
-            printf '\n'
-
-            if [ "${#missing_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' 'Missing required script directories:'
-              for m in "${missing_dirs[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            else
-              printf '%s\n' 'Missing required script directories: none.'
-              printf '\n'
-            fi
-
-            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' 'Unapproved script directories detected:'
-              for m in "${unapproved_dirs[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            else
-              printf '%s\n' 'Unapproved script directories detected: none.'
-              printf '\n'
-            fi
-
-            printf '%s\n' 'Scripts governance completed in advisory mode.'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-  repo_health:
-    name: Repository health
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Repository health checks
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'scripts' ]; then
-            {
-              printf '%s\n' '### Repository health'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes repository health'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          # Source directory: src/ or htdocs/ (either is valid)
-          if [ -d "src" ]; then
-            SOURCE_DIR="src"
-          elif [ -d "htdocs" ]; then
-            SOURCE_DIR="htdocs"
-          else
-            missing_required+=("src/ or htdocs/ (source directory required)")
-          fi
-
-          IFS=',' read -r -a required_artifacts <<< "${REPO_REQUIRED_ARTIFACTS}"
-          IFS=',' read -r -a optional_files <<< "${REPO_OPTIONAL_FILES}"
-          IFS=',' read -r -a disallowed_dirs <<< "${REPO_DISALLOWED_DIRS}"
-          IFS=',' read -r -a disallowed_files <<< "${REPO_DISALLOWED_FILES}"
-
-          missing_required=()
-          missing_optional=()
-
-          for item in "${required_artifacts[@]}"; do
-            if printf '%s' "${item}" | grep -q '/$'; then
-              d="${item%/}"
-              [ ! -d "${d}" ] && missing_required+=("${item}")
-            else
-              [ ! -f "${item}" ] && missing_required+=("${item}")
-            fi
-          done
-
-          for f in "${optional_files[@]}"; do
-            if printf '%s' "${f}" | grep -q '/$'; then
-              d="${f%/}"
-              [ ! -d "${d}" ] && missing_optional+=("${f}")
-            else
-              [ ! -f "${f}" ] && missing_optional+=("${f}")
-            fi
-          done
-
-          for d in "${disallowed_dirs[@]}"; do
-            d_norm="${d%/}"
-            [ -d "${d_norm}" ] && missing_required+=("${d_norm}/ (disallowed)")
-          done
-
-          for f in "${disallowed_files[@]}"; do
-            [ -f "${f}" ] && missing_required+=("${f} (disallowed)")
-          done
-
-          git fetch origin --prune
-
-          dev_paths=()
-          dev_branches=()
-
-          while IFS= read -r b; do
-            name="${b#origin/}"
-            if [ "${name}" = 'dev' ]; then
-              dev_branches+=("${name}")
-            else
-              dev_paths+=("${name}")
-            fi
-          done < <(git branch -r --list 'origin/dev*' | sed 's/^ *//')
-
-          if [ "${#dev_paths[@]}" -eq 0 ]; then
-            missing_required+=("dev/* branch (e.g. dev/01.00.00)")
-          fi
-
-          if [ "${#dev_branches[@]}" -gt 0 ]; then
-            missing_required+=("invalid branch dev (must be dev/<version>)")
-          fi
-
-          content_warnings=()
-
-          if [ -f 'CHANGELOG.md' ] && ! grep -Eq '^# Changelog' CHANGELOG.md; then
-            content_warnings+=("CHANGELOG.md missing '# Changelog' header")
-          fi
-
-          if [ -f 'CHANGELOG.md' ] && grep -Eq '^[# ]*Unreleased' CHANGELOG.md; then
-            content_warnings+=("CHANGELOG.md contains Unreleased section (review release readiness)")
-          fi
-
-          if [ -f 'LICENSE' ] && ! grep -qiE 'GNU GENERAL PUBLIC LICENSE|GPL' LICENSE; then
-            content_warnings+=("LICENSE does not look like a GPL text")
-          fi
-
-          if [ -f 'README.md' ] && ! grep -qiE 'moko|Moko' README.md; then
-            content_warnings+=("README.md missing expected brand keyword")
-          fi
-
-          export PROFILE_RAW="${profile}"
-          export MISSING_REQUIRED="$(printf '%s\n' "${missing_required[@]:-}")"
-          export MISSING_OPTIONAL="$(printf '%s\n' "${missing_optional[@]:-}")"
-          export CONTENT_WARNINGS="$(printf '%s\n' "${content_warnings[@]:-}")"
-
-          report_json="$(python3 - <<'PY'
-          import json
-          import os
-
-          profile = os.environ.get('PROFILE_RAW') or 'all'
-
-          missing_required = os.environ.get('MISSING_REQUIRED', '').splitlines() if os.environ.get('MISSING_REQUIRED') else []
-          missing_optional = os.environ.get('MISSING_OPTIONAL', '').splitlines() if os.environ.get('MISSING_OPTIONAL') else []
-          content_warnings = os.environ.get('CONTENT_WARNINGS', '').splitlines() if os.environ.get('CONTENT_WARNINGS') else []
-
-          out = {
-            'profile': profile,
-            'missing_required': [x for x in missing_required if x],
-            'missing_optional': [x for x in missing_optional if x],
-            'content_warnings': [x for x in content_warnings if x],
-          }
-
-          print(json.dumps(out, indent=2))
-          PY
-          )"
-
-          {
-            printf '%s\n' '### Repository health'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Metric | Value |'
-            printf '%s\n' '|---|---|'
-            printf '%s\n' "| Missing required | ${#missing_required[@]} |"
-            printf '%s\n' "| Missing optional | ${#missing_optional[@]} |"
-            printf '%s\n' "| Content warnings | ${#content_warnings[@]} |"
-            printf '\n'
-
-            printf '%s\n' '### Guardrails report (JSON)'
-            printf '%s\n' '```json'
-            printf '%s\n' "${report_json}"
-            printf '%s\n' '```'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${#missing_required[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing required repo artifacts'
-              for m in "${missing_required[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository artifacts.'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 1
-          fi
-
-          if [ "${#missing_optional[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing optional repo artifacts'
-              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          if [ "${#content_warnings[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Repo content warnings'
-              for m in "${content_warnings[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          # -- Joomla-specific checks --
-          joomla_findings=()
-
-          MANIFEST="$(find . -maxdepth 2 -name '*.xml' -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)"
-          if [ -z "${MANIFEST}" ]; then
-            joomla_findings+=("Joomla XML manifest not found (no *.xml with <extension> tag)")
-          else
-            if ! grep -qP '<version>' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <version> tag missing")
-            fi
-            if ! grep -qP 'type="(component|module|plugin|library|package|template|language)"' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: type attribute missing or invalid")
-            fi
-            if ! grep -qP '<name>' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <name> tag missing")
-            fi
-            if ! grep -qP '<author>' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <author> tag missing")
-            fi
-            if ! grep -qP '<namespace' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <namespace> missing (required for Joomla 5+)")
-            fi
-          fi
-
-          INI_COUNT="$(find . -name '*.ini' -type f 2>/dev/null | wc -l)"
-          if [ "${INI_COUNT}" -eq 0 ]; then
-            joomla_findings+=("No .ini language files found")
-          fi
-
-          if [ ! -f 'updates.xml' ]; then
-            joomla_findings+=("updates.xml missing in root (required for Joomla update server)")
-          fi
-
-          INDEX_DIRS=("${SOURCE_DIR}" "${SOURCE_DIR}/admin" "${SOURCE_DIR}/site")
-          for dir in "${INDEX_DIRS[@]}"; do
-            if [ -d "${dir}" ] && [ ! -f "${dir}/index.html" ]; then
-              joomla_findings+=("${dir}/index.html missing (directory listing protection)")
-            fi
-          done
-
-          if [ "${#joomla_findings[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Joomla extension checks'
-              printf '%s\n' '| Check | Status |'
-              printf '%s\n' '|---|---|'
-              for f in "${joomla_findings[@]}"; do
-                printf '%s\n' "| ${f} | Warning |"
-              done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          else
-            {
-              printf '%s\n' '### Joomla extension checks'
-              printf '%s\n' 'All Joomla-specific checks passed.'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          extended_enabled="${EXTENDED_CHECKS:-true}"
-          extended_findings=()
-
-          if [ "${extended_enabled}" = 'true' ]; then
-            if [ -f '.github/CODEOWNERS' ] || [ -f 'CODEOWNERS' ] || [ -f 'docs/CODEOWNERS' ]; then
-              :
-            else
-              extended_findings+=("CODEOWNERS not found (.github/CODEOWNERS preferred)")
-            fi
-
-            if ls "${WORKFLOWS_DIR}"/*.yml >/dev/null 2>&1 || ls "${WORKFLOWS_DIR}"/*.yaml >/dev/null 2>&1; then
-              bad_refs="$(grep -RIn --include='*.yml' --include='*.yaml' -E '^[[:space:]]*uses:[[:space:]]*[^#]+@(main|master)\b' "${WORKFLOWS_DIR}" 2>/dev/null || true)"
-              if [ -n "${bad_refs}" ]; then
-                extended_findings+=("Workflows reference actions @main/@master (pin versions): see log excerpt")
-                {
-                  printf '%s\n' '### Workflow pinning advisory'
-                  printf '%s\n' 'Found uses: entries pinned to main/master:'
-                  printf '%s\n' '```'
-                  printf '%s\n' "${bad_refs}"
-                  printf '%s\n' '```'
-                  printf '\n'
-                } >> "${GITHUB_STEP_SUMMARY}"
-              fi
-            fi
-
-            if [ -f "${DOCS_INDEX}" ]; then
-              missing_links="$(python3 - <<'PY'
-              import os
-              import re
-
-              idx = os.environ.get('DOCS_INDEX', 'docs/docs-index.md')
-              base = os.getcwd()
-
-              bad = []
-              pat = re.compile(r'\[[^\]]+\]\(([^)]+)\)')
-
-              with open(idx, 'r', encoding='utf-8') as f:
-                for line in f:
-                  for m in pat.findall(line):
-                    link = m.strip()
-                    if link.startswith('http://') or link.startswith('https://') or link.startswith('#') or link.startswith('mailto:'):
-                      continue
-                    if link.startswith('/'):
-                      rel = link.lstrip('/')
-                    else:
-                      rel = os.path.normpath(os.path.join(os.path.dirname(idx), link))
-                    rel = rel.split('#', 1)[0]
-                    rel = rel.split('?', 1)[0]
-                    if not rel:
-                      continue
-                    p = os.path.join(base, rel)
-                    if not os.path.exists(p):
-                      bad.append(rel)
-
-              print('\n'.join(sorted(set(bad))))
-              PY
-              )"
-              if [ -n "${missing_links}" ]; then
-                extended_findings+=("docs/docs-index.md contains broken relative links")
-                {
-                  printf '%s\n' '### Docs index link integrity'
-                  printf '%s\n' 'Broken relative links:'
-                  while IFS= read -r l; do [ -n "${l}" ] && printf '%s\n' "- ${l}"; done <<< "${missing_links}"
-                  printf '\n'
-                } >> "${GITHUB_STEP_SUMMARY}"
-              fi
-            fi
-
-            if [ -d "${SCRIPT_DIR}" ]; then
-              if ! command -v shellcheck >/dev/null 2>&1; then
-                sudo apt-get update -qq
-                sudo apt-get install -y shellcheck >/dev/null
-              fi
-
-              sc_out=''
-              while IFS= read -r shf; do
-                [ -z "${shf}" ] && continue
-                out_one="$(shellcheck -S warning -x "${shf}" 2>/dev/null || true)"
-                if [ -n "${out_one}" ]; then
-                  sc_out="${sc_out}${out_one}\n"
-                fi
-              done < <(find "${SCRIPT_DIR}" -type f -name "${SHELLCHECK_PATTERN}" 2>/dev/null | sort)
-
-              if [ -n "${sc_out}" ]; then
-                extended_findings+=("ShellCheck warnings detected (advisory)")
-                sc_head="$(printf '%s' "${sc_out}" | head -n 200)"
-                {
-                  printf '%s\n' '### ShellCheck (advisory)'
-                  printf '%s\n' '```'
-                  printf '%s\n' "${sc_head}"
-                  printf '%s\n' '```'
-                  printf '\n'
-                } >> "${GITHUB_STEP_SUMMARY}"
-              fi
-            fi
-
-            spdx_missing=()
-            IFS=',' read -r -a spdx_globs <<< "${SPDX_FILE_GLOBS}"
-            spdx_args=()
-            for g in "${spdx_globs[@]}"; do spdx_args+=("${g}"); done
-
-            while IFS= read -r f; do
-              [ -z "${f}" ] && continue
-              if ! head -n 40 "${f}" | grep -q 'SPDX-License-Identifier:'; then
-                spdx_missing+=("${f}")
-              fi
-            done < <(git ls-files "${spdx_args[@]}" 2>/dev/null || true)
-
-            if [ "${#spdx_missing[@]}" -gt 0 ]; then
-              extended_findings+=("SPDX header missing in some tracked files (advisory)")
-              {
-                printf '%s\n' '### SPDX header advisory'
-                printf '%s\n' 'Files missing SPDX-License-Identifier (first 40 lines scan):'
-                for f in "${spdx_missing[@]}"; do printf '%s\n' "- ${f}"; done
-                printf '\n'
-              } >> "${GITHUB_STEP_SUMMARY}"
-            fi
-
-            stale_cutoff_days=180
-            stale_branches="$(git for-each-ref --format='%(refname:short) %(committerdate:unix)' refs/remotes/origin 2>/dev/null | awk -v now="$(date +%s)" -v days="${stale_cutoff_days}" '{if (now-$2 > days*86400) print $1}' | head -50)"
-            if [ -n "${stale_branches}" ]; then
-              extended_findings+=("Stale remote branches detected (advisory)")
-              {
-                printf '%s\n' '### Git hygiene advisory'
-                printf '%s\n' "Branches with last commit older than ${stale_cutoff_days} days (sample up to 50):"
-                while IFS= read -r b; do [ -n "${b}" ] && printf '%s\n' "- ${b}"; done <<< "${stale_branches}"
-                printf '\n'
-              } >> "${GITHUB_STEP_SUMMARY}"
-            fi
-          fi
-
-          {
-            printf '%s\n' '### Guardrails coverage matrix'
-            printf '%s\n' '| Domain | Status | Notes |'
-            printf '%s\n' '|---|---|---|'
-            printf '%s\n' '| Access control | OK | Admin-only execution gate |'
-            printf '%s\n' '| Release variables | OK | Repository variables validation |'
-            printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
-            printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
-            printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
-            if [ "${extended_enabled}" = 'true' ]; then
-              if [ "${#extended_findings[@]}" -gt 0 ]; then
-                printf '%s\n' '| Extended checks | Warning | See extended findings below |'
-              else
-                printf '%s\n' '| Extended checks | OK | No findings |'
-              fi
-            else
-              printf '%s\n' '| Extended checks | SKIPPED | EXTENDED_CHECKS disabled |'
-            fi
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${extended_enabled}" = 'true' ] && [ "${#extended_findings[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Extended findings (advisory)'
-              for f in "${extended_findings[@]}"; do printf '%s\n' "- ${f}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          printf '%s\n' 'Repository health guardrails passed.' >> "${GITHUB_STEP_SUMMARY}"
@@ -1,82 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Security
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
-# PATH: /.gitea/workflows/security-audit.yml
-# VERSION: 01.00.00
-# BRIEF: Dependency vulnerability scanning for composer and npm packages
-
-name: Security Audit
-
-on:
-  schedule:
-    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'composer.json'
-      - 'composer.lock'
-      - 'package.json'
-      - 'package-lock.json'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
-
-jobs:
-  audit:
-    name: Dependency Audit
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Composer audit
-        if: hashFiles('composer.lock') != ''
-        run: |
-          echo "=== Composer Security Audit ==="
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
-          fi
-          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
-          RESULT=$?
-          if [ $RESULT -ne 0 ]; then
-            echo "::warning::Composer vulnerabilities found"
-            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
-          else
-            echo "No known vulnerabilities in composer dependencies"
-          fi
-
-      - name: NPM audit
-        if: hashFiles('package-lock.json') != ''
-        run: |
-          echo "=== NPM Security Audit ==="
-          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
-          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
-            echo "No known vulnerabilities in npm dependencies"
-          else
-            echo "::warning::NPM vulnerabilities found"
-            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
-          fi
-
-      - name: Notify on vulnerabilities
-        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          curl -sS \
-            -H "Title: ${REPO} has vulnerable dependencies" \
-            -H "Tags: lock,warning" \
-            -H "Priority: high" \
-            -d "Security audit found vulnerabilities. Review dependency updates." \
-            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -1,464 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Joomla
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/joomla/update-server.yml.template
-# VERSION: 04.06.00
-# BRIEF: Update Joomla update server XML feed with stable/rc/dev entries
-#
-# Writes updates.xml with multiple <update> entries:
-#   - <tag>stable</tag>     on push to main (from auto-release)
-#   - <tag>rc</tag>         on push to rc/**
-#   - <tag>development</tag> on push to dev or dev/**
-#
-# Joomla filters by user's "Minimum Stability" setting.
-
-name: Update Joomla Update Server XML Feed
-
-on:
-  push:
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  pull_request:
-    types: [closed]
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'development'
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - rc
-          - stable
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  update-xml:
-    name: Update updates.xml
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.GA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup MokoStandards tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api 2>/dev/null || true
-          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
-            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-
-      - name: Generate updates.xml entry
-        id: update
-        run: |
-          BRANCH="${{ github.ref_name }}"
-          REPO="${{ github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null || echo "0.0.0")
-
-          # Auto-bump patch on all branches (dev, alpha, beta, rc)
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          BUMPED=$(php /tmp/mokostandards-api/cli/version_bump.php --path . 2>/dev/null || true)
-          if [ -n "$BUMPED" ]; then
-            VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null || echo "$VERSION")
-            git add -A
-            git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" 2>/dev/null || true
-            git push 2>/dev/null || true
-          fi
-
-          # Determine stability from branch or input
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          elif [[ "$BRANCH" == rc/* ]]; then
-            STABILITY="rc"
-          elif [[ "$BRANCH" == beta/* ]]; then
-            STABILITY="beta"
-          elif [[ "$BRANCH" == alpha/* ]]; then
-            STABILITY="alpha"
-          elif [[ "$BRANCH" == dev/* ]] || [[ "$BRANCH" == "dev" ]]; then
-            STABILITY="development"
-          else
-            STABILITY="stable"
-          fi
-
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-
-          # Parse manifest (portable — no grep -P)
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -z "$MANIFEST" ]; then
-            echo "No Joomla manifest found — skipping"
-            exit 0
-          fi
-
-          # Extract fields using sed (works on all runners)
-          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_VERSION=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
-          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
-          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
-
-          # Fallbacks
-          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
-          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
-
-          # Derive element if not in manifest: try XML filename, then repo name
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-            case "$EXT_ELEMENT" in
-              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
-            esac
-          fi
-
-          # Use manifest version if README version is empty
-          [ "$VERSION" = "0.0.0" ] && [ -n "$EXT_VERSION" ] && VERSION="$EXT_VERSION"
-
-          [ -z "$TARGET_PLATFORM" ] && TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
-
-          CLIENT_TAG=""
-          [ -n "$EXT_CLIENT" ] && CLIENT_TAG="<client>${EXT_CLIENT}</client>"
-          [ -z "$CLIENT_TAG" ] && ([ "$EXT_TYPE" = "module" ] || [ "$EXT_TYPE" = "plugin" ]) && CLIENT_TAG="<client>site</client>"
-
-          FOLDER_TAG=""
-          [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ] && FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
-
-          PHP_TAG=""
-          [ -n "$PHP_MINIMUM" ] && PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
-
-          # Version suffix for non-stable
-          DISPLAY_VERSION="$VERSION"
-          case "$STABILITY" in
-            development) DISPLAY_VERSION="${VERSION}-dev" ;;
-            alpha)       DISPLAY_VERSION="${VERSION}-alpha" ;;
-            beta)        DISPLAY_VERSION="${VERSION}-beta" ;;
-            rc)          DISPLAY_VERSION="${VERSION}-rc" ;;
-          esac
-
-          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
-
-          # Each stability level has its own release tag
-          case "$STABILITY" in
-            development) RELEASE_TAG="development" ;;
-            alpha)       RELEASE_TAG="alpha" ;;
-            beta)        RELEASE_TAG="beta" ;;
-            rc)          RELEASE_TAG="release-candidate" ;;
-            *)           RELEASE_TAG="v${MAJOR}" ;;
-          esac
-
-          PACKAGE_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.zip"
-          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${PACKAGE_NAME}"
-          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}"
-
-          # -- Build install packages (ZIP + tar.gz) --------------------
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ -d "$SOURCE_DIR" ]; then
-            EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
-            TAR_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.tar.gz"
-
-            cd "$SOURCE_DIR"
-            zip -r "/tmp/${PACKAGE_NAME}" . -x $EXCLUDES
-            cd ..
-            tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR" \
-              --exclude='.ftpignore' --exclude='sftp-config*' \
-              --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
-
-            SHA256=$(sha256sum "/tmp/${PACKAGE_NAME}" | cut -d' ' -f1)
-
-            # Ensure release exists on Gitea
-            RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-              "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
-            RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-            if [ -z "$RELEASE_ID" ]; then
-              # Create release
-              RELEASE_JSON=$(curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/json" \
-                "${API_BASE}/releases" \
-                -d "$(python3 -c "import json; print(json.dumps({
-                  'tag_name': '${RELEASE_TAG}',
-                  'name': '${RELEASE_TAG} (${DISPLAY_VERSION})',
-                  'body': '${STABILITY} release',
-                  'prerelease': True,
-                  'target_commitish': 'main'
-                }))")" 2>/dev/null || true)
-              RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-            fi
-
-            if [ -n "$RELEASE_ID" ]; then
-              # Delete existing assets with same name before uploading
-              ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
-              for ASSET_FILE in "$PACKAGE_NAME" "$TAR_NAME"; do
-                ASSET_ID=$(echo "$ASSETS" | python3 -c "
-          import sys,json
-          assets = json.load(sys.stdin)
-          for a in assets:
-              if a['name'] == '${ASSET_FILE}':
-                  print(a['id']); break
-          " 2>/dev/null || true)
-                if [ -n "$ASSET_ID" ]; then
-                  curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                    "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
-                fi
-              done
-
-              # Upload both formats
-              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/octet-stream" \
-                --data-binary @"/tmp/${PACKAGE_NAME}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${PACKAGE_NAME}" > /dev/null 2>&1 || true
-
-              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/octet-stream" \
-                --data-binary @"/tmp/${TAR_NAME}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
-            fi
-
-            echo "Packages: ${PACKAGE_NAME} + ${TAR_NAME} (SHA: ${SHA256})" >> $GITHUB_STEP_SUMMARY
-          else
-            SHA256=""
-          fi
-
-          # -- Build the new entry (canonical format matching release.yml) --
-          NEW_ENTRY=""
-          NEW_ENTRY="${NEW_ENTRY}  <update>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <name>${EXT_NAME}</name>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <description>${EXT_NAME} ${STABILITY} build.</description>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <element>${EXT_ELEMENT}</element>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <type>${EXT_TYPE}</type>\n"
-          [ -n "$CLIENT_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${CLIENT_TAG}\n"
-          [ -n "$FOLDER_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${FOLDER_TAG}\n"
-          NEW_ENTRY="${NEW_ENTRY}    <version>${VERSION}</version>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <creationDate>$(date +%Y-%m-%d)</creationDate>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <infourl title='${EXT_NAME}'>https://git.mokoconsulting.tech/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${RELEASE_TAG}</infourl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <downloads>\n"
-          NEW_ENTRY="${NEW_ENTRY}      <downloadurl type='full' format='zip'>${DOWNLOAD_URL}</downloadurl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    </downloads>\n"
-          [ -n "$SHA256" ] && NEW_ENTRY="${NEW_ENTRY}    <sha256>${SHA256}</sha256>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <tags><tag>${STABILITY}</tag></tags>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <maintainer>Moko Consulting</maintainer>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <maintainerurl>https://mokoconsulting.tech</maintainerurl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <targetplatform name='joomla' version='(5|6).*'/>\n"
-          [ -n "$PHP_MINIMUM" ] && NEW_ENTRY="${NEW_ENTRY}    <php_minimum>${PHP_MINIMUM}</php_minimum>\n"
-          NEW_ENTRY="${NEW_ENTRY}  </update>"
-
-          # -- Write new entry to temp file --------------------------------
-          printf '%b' "$NEW_ENTRY" > /tmp/new_entry.xml
-
-          # -- Merge into updates.xml ----------------------------------------
-          # Cascade: stable→all | rc→rc+lower | beta→beta+lower | alpha→alpha+dev | dev→dev
-          CASCADE_MAP="stable:development,alpha,beta,rc,stable rc:development,alpha,beta,rc beta:development,alpha,beta alpha:development,alpha development:development"
-          TARGETS=""
-          for entry in $CASCADE_MAP; do
-            key="${entry%%:*}"
-            vals="${entry#*:}"
-            if [ "$key" = "${STABILITY}" ]; then
-              TARGETS="$vals"
-              break
-            fi
-          done
-          [ -z "$TARGETS" ] && TARGETS="${STABILITY}"
-
-          echo "Cascade: ${STABILITY} → ${TARGETS}"
-
-          # Create updates.xml if missing
-          if [ ! -f "updates.xml" ]; then
-            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>" > updates.xml
-            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting -->" >> updates.xml
-            printf '%s\n' "<updates>" >> updates.xml
-            printf '%s\n' "</updates>" >> updates.xml
-          fi
-
-          # Update existing blocks or create missing ones
-          export PY_TARGETS="$TARGETS" PY_VERSION="$VERSION" PY_DATE="$(date +%Y-%m-%d)"
-          python3 << 'PYEOF'
-          import re, os
-
-          targets = os.environ["PY_TARGETS"].split(",")
-          version = os.environ["PY_VERSION"]
-          date = os.environ["PY_DATE"]
-
-          with open("updates.xml") as f:
-              content = f.read()
-          with open("/tmp/new_entry.xml") as f:
-              new_entry_template = f.read()
-
-          for tag in targets:
-              tag = tag.strip()
-              # Build entry with this tag's name
-              new_entry = re.sub(r"<tag>[^<]*</tag>", f"<tag>{tag}</tag>", new_entry_template)
-
-              # Try to find existing block (handles both single-line and multi-line <tags>)
-              block_pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(tag) + r"</tag>.*?</update>)"
-              match = re.search(block_pattern, content, re.DOTALL)
-
-              if match:
-                  # Update in place — replace entire block
-                  content = content.replace(match.group(1), new_entry.strip())
-                  print(f"  UPDATED: <tag>{tag}</tag> → {version}")
-              else:
-                  # Create — insert before </updates>
-                  content = content.replace("</updates>", "\n" + new_entry.strip() + "\n\n</updates>")
-                  print(f"  CREATED: <tag>{tag}</tag> → {version}")
-
-          # Clean up excessive blank lines
-          content = re.sub(r"\n{3,}", "\n\n", content)
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-
-          # Commit
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git add updates.xml
-          git diff --cached --quiet || {
-            git commit -m "chore: update updates.xml (${STABILITY}: ${DISPLAY_VERSION}) [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push
-          }
-
-      # -- Sync updates.xml to main (for non-main branches) ----------------------
-      - name: Sync updates.xml to main
-        if: github.ref_name != 'main'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
-
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
-            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-
-          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
-            CONTENT=$(base64 -w0 updates.xml)
-            curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${API_BASE}/contents/updates.xml" \
-              -d "$(python3 -c "import json; print(json.dumps({
-                'content': '${CONTENT}',
-                'sha': '${FILE_SHA}',
-                'message': 'chore: sync updates.xml from ${STABILITY} [skip ci]',
-                'branch': 'main'
-              }))")" > /dev/null 2>&1 \
-              && echo "updates.xml synced to main (${STABILITY})" >> $GITHUB_STEP_SUMMARY \
-              || echo "WARNING: failed to sync updates.xml to main" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "WARNING: could not get updates.xml SHA from main" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: SFTP deploy to dev server
-        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
-        env:
-          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
-          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
-          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
-          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
-          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
-          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-        run: |
-          # -- Permission check: admin or maintain role required --------
-          ACTOR="${{ github.actor }}"
-          REPO="${{ github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
-          case "$PERMISSION" in
-            admin|maintain|write) ;;
-            *)
-              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
-              exit 0
-              ;;
-          esac
-
-          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
-
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && exit 0
-
-          PORT="${DEV_PORT:-22}"
-          REMOTE="${DEV_PATH%/}"
-          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
-          if [ -n "$DEV_KEY" ]; then
-            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
-          fi
-
-          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
-            php /tmp/mokostandards-api/deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "/tmp/mokostandards-api/deploy/deploy-sftp.php" ]; then
-            php /tmp/mokostandards-api/deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          fi
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "## Joomla Update Server" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY_VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Element | \`${EXT_ELEMENT}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Download | [ZIP](${DOWNLOAD_URL}) |" >> $GITHUB_STEP_SUMMARY
@@ -1,85 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.mokogitea/workflows/auto-bump.yml
-# VERSION: 09.02.00
-# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
-
-name: "Universal: Auto Version Bump"
-
-on:
-  push:
-    branches:
-      - dev
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-permissions:
-  contents: write
-
-jobs:
-  bump:
-    name: Version Bump
-    runs-on: release
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip bump]') &&
-      !startsWith(github.event.head_commit.message, 'Merge pull request')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup moko-platform tools
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          if [ -d "/opt/moko-platform/cli" ]; then
-            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
-          else
-            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
-              /tmp/moko-platform-api
-            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-          fi
-
-      - name: Bump version
-        run: |
-          BUMP=$(php ${MOKO_CLI}/version_bump.php --path . 2>&1) || true
-          echo "$BUMP"
-
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null) || true
-          [ -z "$VERSION" ] && { echo "No version found — skipping"; exit 0; }
-
-          # Propagate to platform manifests with -dev suffix
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch dev --stability dev 2>/dev/null || true
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-          VERSION="${VERSION}-dev"
-
-          # Commit if anything changed
-          if git diff --quiet && git diff --cached --quiet; then
-            echo "No version changes to commit"
-            exit 0
-          fi
-
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
-            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-          git push origin dev
-          echo "Bumped to ${VERSION}" >> $GITHUB_STEP_SUMMARY
@@ -1,524 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/auto-release.yml.template
-# VERSION: 05.00.00
-# BRIEF: Universal build & release � detects platform from manifest.xml
-#
-# +========================================================================+
-# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
-# +========================================================================+
-# |                                                                        |
-# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
-# |                                                                        |
-# |  Platform-specific:                                                    |
-# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
-# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
-# |    generic:  README-only, no update stream                             |
-# |                                                                        |
-# +========================================================================+
-
-name: "Universal: Build & Release"
-
-on:
-  pull_request:
-    types: [opened, closed]
-    branches:
-      - main
-  workflow_dispatch:
-    inputs:
-      action:
-        description: 'Action to perform'
-        required: false
-        type: choice
-        default: release
-        options:
-          - release
-          - promote-rc
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  # ── Draft PR → Promote highest pre-release to RC ─────────────────────────────
-  promote-rc:
-    name: Promote Pre-Release to RC
-    runs-on: release
-    if: >-
-      (github.event.action == 'opened' && github.event.pull_request.draft == true) ||
-      (github.event_name == 'workflow_dispatch' && inputs.action == 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 1
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-      - name: Promote to release-candidate
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_promote.php \
-            --from auto --to release-candidate \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${API_BASE}" \
-            --branch "${{ github.event.pull_request.head.ref || 'dev' }}"
-
-      - name: Cascade lesser channels
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_cascade.php \
-            --stability release-candidate \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${API_BASE}"
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "## Promoted to Release Candidate" >> $GITHUB_STEP_SUMMARY
-          echo "Draft PR opened — promoted highest pre-release to RC" >> $GITHUB_STEP_SUMMARY
-
-  # ── Merged PR → Build & Release (or promote RC to stable) ────────────────────
-  release:
-    name: Build & Release Pipeline
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true ||
-      (github.event_name == 'workflow_dispatch' && inputs.action != 'promote-rc')
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Configure git for bot pushes
-        run: |
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GITHUB_TOKEN }}"}}'
-        run: |
-          # Ensure PHP + Composer are available
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api
-          composer install --no-dev --no-interaction --quiet
-
-
-      # -- PLATFORM DETECTION ---------------------------------------------------
-      - name: Detect platform
-        id: platform
-        run: |
-          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
-          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1 || true)
-          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
-          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
-
-      - name: "Step 1: Read version"
-        id: version
-        run: |
-          VERSION=$(php /tmp/moko-platform-api/cli/version_read.php --path .)
-          if [ -z "$VERSION" ]; then
-            echo "::error::No VERSION in README.md"
-            echo "skip=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          # Strip any pre-release suffix merged from dev (e.g. 01.02.20-dev → 01.02.20)
-          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
-          MAJOR=$(echo "$VERSION" | cut -d. -f1)
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "release_tag=stable" >> "$GITHUB_OUTPUT"
-          echo "skip=false" >> "$GITHUB_OUTPUT"
-          echo "branch=main" >> "$GITHUB_OUTPUT"
-
-      # -- CHECK FOR RC PROMOTION ------------------------------------------------
-      - name: "Check for RC release"
-        id: rc
-        if: steps.version.outputs.skip != 'true'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          RC_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API_BASE}/releases/tags/release-candidate" 2>/dev/null || echo "{}")
-          RC_ID=$(echo "$RC_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
-
-          if [ -n "$RC_ID" ] && [ "$RC_ID" != "None" ] && [ "$RC_ID" != "" ]; then
-            echo "promote=true" >> "$GITHUB_OUTPUT"
-            echo "release_id=${RC_ID}" >> "$GITHUB_OUTPUT"
-            echo "::notice::RC release found (id: ${RC_ID}) — will promote to stable"
-          else
-            echo "promote=false" >> "$GITHUB_OUTPUT"
-            echo "::notice::No RC release — full build pipeline"
-          fi
-
-      - name: "Step 1b: Minor bump version"
-        id: bump
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.rc.outputs.promote != 'true'
-        run: |
-          MOKO_API="/tmp/moko-platform-api/cli"
-          php ${MOKO_API}/version_bump.php --path . --minor 2>&1 || true
-          VERSION=$(php ${MOKO_API}/version_read.php --path .)
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "Bumped to: ${VERSION}"
-
-      - name: Check if already released
-        if: steps.version.outputs.skip != 'true'
-        id: check
-        run: |
-          TAG="${{ steps.version.outputs.release_tag }}"
-          BRANCH="${{ steps.version.outputs.branch }}"
-
-          TAG_EXISTS=false
-          BRANCH_EXISTS=false
-
-          git rev-parse "$TAG" >/dev/null 2>&1 && TAG_EXISTS=true
-          git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q "$BRANCH" && BRANCH_EXISTS=true
-
-          echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
-          echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
-
-          # Tag and branch may persist across patch releases — never skip
-          echo "already_released=false" >> "$GITHUB_OUTPUT"
-
-      # -- SANITY CHECKS -------------------------------------------------------
-      - name: "Sanity: Pre-release validation"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/moko-platform-api/cli/release_validate.php \
-            --path . --version "$VERSION" --output-summary --github-output || true
-
-      # -- STEP 2: Create or update version/XX.YY archive branch ---------------
-      # Always runs — every version change on main archives to version/XX.YY
-      - name: "Step 2: Version archive branch"
-        if: steps.check.outputs.already_released != 'true'
-        run: |
-          BRANCH="${{ steps.version.outputs.branch }}"
-          IS_MINOR="${{ steps.version.outputs.is_minor }}"
-          PATCH="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PATCH_NUM=$(echo "$PATCH" | awk -F. '{print $3}')
-
-          # Check if branch exists
-          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
-            git push origin HEAD:"$BRANCH" --force
-            echo "Updated archive branch: ${BRANCH} (patch ${PATCH_NUM})" >> $GITHUB_STEP_SUMMARY
-          else
-            git checkout -b "$BRANCH" 2>/dev/null || git checkout "$BRANCH"
-            git push origin "$BRANCH" --force
-            echo "Created archive branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      # -- STEP 3: Set platform version ----------------------------------------
-      - name: "Step 3: Set platform version"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/moko-platform-api/cli/version_set_platform.php \
-            --path . --version "$VERSION" --branch main
-
-      # -- STEP 4: Update version badges ----------------------------------------
-      - name: "Step 4: Update version badges"
-        if: steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
-          php /tmp/moko-platform-api/cli/version_check.php --path . --fix 2>/dev/null || true
-
-      # Step 5 (updates.xml) moved after Step 8 to include SHA-256 checksum
-
-      - name: "Step 4b: Promote and prune CHANGELOG"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          MOKO_API="/tmp/moko-platform-api/cli"
-          if [ -f "CHANGELOG.md" ]; then
-            php ${MOKO_API}/changelog_promote.php --path . --version "$VERSION" 2>&1 || true
-            php ${MOKO_API}/changelog_prune.php --path . --keep 5 2>&1 || true
-          fi
-
-      - name: Commit release changes
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.check.outputs.already_released != 'true'
-        run: |
-          if git diff --quiet && git diff --cached --quiet; then
-            echo "No changes to commit"
-            exit 0
-          fi
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          git add -A
-          git commit -m "chore(release): build ${VERSION} [skip ci]" \
-            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-          git push -u origin HEAD
-
-      # -- STEP 6: Create tag ---------------------------------------------------
-      - name: "Step 6: Create git tag"
-        if: >-
-          steps.version.outputs.skip != 'true'
-        run: |
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          # Only create the major release tag if it doesn't exist yet
-          if ! git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
-            git tag "$RELEASE_TAG"
-            git push origin "$RELEASE_TAG"
-            echo "Tag created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "Tag ${RELEASE_TAG} already exists" >> $GITHUB_STEP_SUMMARY
-          fi
-          echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 7a: Promote RC to stable (skip build) ----------------------------
-      - name: "Step 7a: Promote RC to stable"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.rc.outputs.promote == 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_promote.php \
-            --from release-candidate --to stable \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${API_BASE}" \
-            --path . --branch main
-          echo "Promoted RC → stable (${VERSION})" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 7b: Create or update Gitea Release (full build path) -------------
-      - name: "Step 7b: Gitea Release"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.rc.outputs.promote != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_create.php \
-            --path . --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch main
-          echo "Release created: ${VERSION}" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 8: Build packages and upload to release ----------------------------
-      - name: "Step 8: Build package and upload"
-        id: package
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          steps.rc.outputs.promote != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_package.php \
-            --path . --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      # -- STEP 5: Write update stream (after build so SHA-256 is available) -----
-      - name: "Step 5: Write update stream"
-        if: steps.version.outputs.skip != 'true'
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          # Fetch latest updates.xml from main so preserve logic has all channels
-          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API}/contents/updates.xml?ref=main" 2>/dev/null | \
-            python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin)['content']).decode())" \
-            > updates.xml 2>/dev/null || true
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php /tmp/moko-platform-api/cli/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability stable \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG} --github-output
-
-          # Commit updates.xml if changed
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git add updates.xml
-            git commit -m "chore: update stable channel ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push origin HEAD 2>&1 || true
-          fi
-
-      # -- STEP 8b: Update release description with changelog ----------------------
-      - name: "Step 8b: Update release body"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          php /tmp/moko-platform-api/cli/release_body_update.php \
-            --path . --version "${VERSION}" --tag "${RELEASE_TAG}" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            2>&1 || true
-          echo "Release body updated" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
-      - name: "Step 9: Mirror release to GitHub"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GITHUB_TOKEN != ''
-        continue-on-error: true
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_mirror.php \
-            --version "$VERSION" --tag "$RELEASE_TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --gh-token "${{ secrets.GITHUB_TOKEN }}" --gh-repo "$GH_REPO" \
-            --branch main 2>&1 || true
-          echo "GitHub mirror updated" >> $GITHUB_STEP_SUMMARY
-
-      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
-      - name: "Step 10: Push main to GitHub mirror"
-        if: >-
-          steps.version.outputs.skip != 'true' &&
-          secrets.GITHUB_TOKEN != ''
-        continue-on-error: true
-        run: |
-          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
-          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
-          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
-          git fetch origin main --depth=1
-          git push github origin/main:refs/heads/main --force 2>/dev/null \
-            && echo "main branch pushed to GitHub mirror" \
-            || echo "WARNING: GitHub mirror push failed"
-
-      # -- Clean up lesser pre-releases (cascade) ---------------------------------
-      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
-      - name: "Delete lesser pre-release channels"
-        continue-on-error: true
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/release_cascade.php \
-            --stability stable \
-            --version "${VERSION}" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
-            --api-base "${API_BASE}" 2>/dev/null || true
-
-      - name: "Step 11: Delete and recreate dev branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          # Delete dev branch
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
-            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
-
-          # Recreate dev from main (now includes version bump + changelog promotion)
-          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API_BASE}/branches" \
-            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
-
-          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
-
-      - name: "Step 12: Create version branch from main"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          BRANCH_NAME="version/${VERSION}"
-          MAIN_SHA=$(git rev-parse HEAD)
-
-          # Delete old version branch if it exists (same version re-release)
-          curl -sf -X DELETE -H "Authorization: token ${TOKEN}"             "${API_BASE}/branches/${BRANCH_NAME}" 2>/dev/null && echo "Deleted old ${BRANCH_NAME}"
-
-          # Create version/XX.YY.ZZ from main
-          curl -sf -X POST -H "Authorization: token ${TOKEN}"             -H "Content-Type: application/json"             "${API_BASE}/branches"             -d "{\"new_branch_name\":\"${BRANCH_NAME}\",\"old_branch_name\":\"main\"}" 2>/dev/null             && echo "Created ${BRANCH_NAME} from main (${MAIN_SHA})"             || echo "WARNING: ${BRANCH_NAME} creation failed"
-
-          echo "Version branch created: ${BRANCH_NAME} (${MAIN_SHA})" >> $GITHUB_STEP_SUMMARY
-
-
-
-      # -- Dolibarr post-release: Reset dev version -----------------------------
-      - name: "Post-release: Reset dev version"
-        if: steps.version.outputs.skip != 'true'
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php /tmp/moko-platform-api/cli/version_reset_dev.php \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "${API_BASE}" \
-            --branch dev --path . 2>&1 || true
-
-      # -- Summary --------------------------------------------------------------
-      - name: Pipeline Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
-            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
-            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
-          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
-            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
-            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
-            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
-            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
-          fi
@@ -1,48 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.mokogitea/workflows/branch-cleanup.yml
-# VERSION: 01.00.00
-# BRIEF: Delete feature branches after PR merge
-
-name: "Branch Cleanup"
-
-on:
-  pull_request:
-    types: [closed]
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  cleanup:
-    name: Delete merged branch
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.pull_request.merged == true &&
-      github.event.pull_request.head.ref != 'dev' &&
-      github.event.pull_request.head.ref != 'main'
-
-    steps:
-      - name: Delete source branch
-        run: |
-          BRANCH="${{ github.event.pull_request.head.ref }}"
-          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
-          ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${BRANCH}', safe=''))")
-
-          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
-            -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API}/${ENCODED}" 2>/dev/null || true)
-
-          if [ "$STATUS" = "204" ]; then
-            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
-          elif [ "$STATUS" = "404" ]; then
-            echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
-          fi
@@ -1,213 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Maintenance
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/cascade-dev.yml.template
-# VERSION: 02.00.00
-# BRIEF: Forward-merge main → all open branches after every push to main
-#
-# +========================================================================+
-# |                CASCADE MAIN → ALL BRANCHES                             |
-# +========================================================================+
-# |                                                                        |
-# |  Triggers on every push to main (PR merges, bot commits, etc.)         |
-# |                                                                        |
-# |  1. List all branches matching: dev, rc/*, beta/*, alpha/*             |
-# |  2. For each: create PR (main → branch), auto-merge if clean           |
-# |  3. On conflict: leave PR open for manual resolution                   |
-# |                                                                        |
-# +========================================================================+
-
-name: "Universal: Cascade Main → Dev"
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-  pull-requests: write
-
-jobs:
-  cascade:
-    name: Cascade main → branches
-    runs-on: ubuntu-latest
-    if: >-
-      !contains(github.event.head_commit.message, '[skip ci]') &&
-      !contains(github.event.head_commit.message, '[skip cascade]')
-
-    steps:
-      - name: Discover target branches
-        id: branches
-        env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Fetch all branches (paginated)
-          PAGE=1
-          ALL_BRANCHES=""
-          while true; do
-            BATCH=$(curl -sS \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "${API}/branches?page=${PAGE}&limit=50" \
-              | jq -r '.[].name // empty')
-            [ -z "$BATCH" ] && break
-            ALL_BRANCHES="$ALL_BRANCHES $BATCH"
-            PAGE=$((PAGE + 1))
-          done
-
-          # Filter to cascade targets: dev, dev/*, rc/*, beta/*, alpha/*
-          TARGETS=""
-          for BRANCH in $ALL_BRANCHES; do
-            case "$BRANCH" in
-              dev|dev/*|rc/*|beta/*|alpha/*)
-                TARGETS="$TARGETS $BRANCH"
-                ;;
-            esac
-          done
-
-          TARGETS=$(echo "$TARGETS" | xargs)  # trim whitespace
-
-          if [ -z "$TARGETS" ]; then
-            echo "targets=" >> "$GITHUB_OUTPUT"
-            echo "ℹ️  No cascade target branches found"
-          else
-            echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
-            COUNT=$(echo "$TARGETS" | wc -w)
-            echo "📋 Found ${COUNT} target branch(es): ${TARGETS}"
-          fi
-
-      - name: Cascade to all target branches
-        if: steps.branches.outputs.targets != ''
-        env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          SHORT_SHA="${GITHUB_SHA:0:7}"
-          TARGETS="${{ steps.branches.outputs.targets }}"
-
-          SUCCESS=0
-          CONFLICTS=0
-          SKIPPED=0
-          FAILED=0
-
-          for BRANCH in $TARGETS; do
-            echo ""
-            echo "═══ main → ${BRANCH} ═══"
-
-            # Check if branch is already up to date
-            ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
-            RESPONSE=$(curl -sS \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "${API}/compare/${ENCODED_BRANCH}...main")
-
-            AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
-
-            if [ "$AHEAD" -eq 0 ]; then
-              echo "  ✅ Already up to date"
-              SKIPPED=$((SKIPPED + 1))
-              continue
-            fi
-
-            echo "  ℹ️  main is ${AHEAD} commit(s) ahead"
-
-            # Check for existing cascade PR
-            EXISTING=$(curl -sS \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
-
-            EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
-            PR_NUMBER=""
-
-            if [ "$EXISTING_COUNT" -gt 0 ]; then
-              PR_NUMBER=$(echo "$EXISTING" | jq -r '.[0].number')
-              echo "  ℹ️  Reusing existing PR #${PR_NUMBER}"
-            else
-              # Create cascade PR
-              PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
-                -X POST \
-                -H "Authorization: token ${GITEA_TOKEN}" \
-                -H "Content-Type: application/json" \
-                -d "{
-                  \"title\": \"chore: cascade main → ${BRANCH} (${SHORT_SHA}) [skip ci]\",
-                  \"body\": \"## Automatic cascade\\n\\nForward-merging \`main\` (${SHORT_SHA}) into \`${BRANCH}\`.\\n\\nIf conflicts exist, resolve manually and merge.\\n\\n> Auto-created by **Cascade Main → Dev**.\",
-                  \"head\": \"main\",
-                  \"base\": \"${BRANCH}\"
-                }" \
-                "${API}/pulls")
-
-              HTTP_CODE=$(echo "$PR_RESPONSE" | tail -1)
-              BODY=$(echo "$PR_RESPONSE" | sed '$d')
-              PR_NUMBER=$(echo "$BODY" | jq -r '.number // empty')
-
-              if [ "$HTTP_CODE" != "201" ] || [ -z "$PR_NUMBER" ]; then
-                MSG=$(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)
-                echo "  ❌ Failed to create PR (HTTP ${HTTP_CODE}): ${MSG}"
-                FAILED=$((FAILED + 1))
-                continue
-              fi
-
-              echo "  ✅ Created PR #${PR_NUMBER}"
-            fi
-
-            # Try auto-merge
-            PR_DATA=$(curl -sS \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              "${API}/pulls/${PR_NUMBER}")
-
-            MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
-
-            if [ "$MERGEABLE" != "true" ]; then
-              echo "  ⚠️  Conflicts — PR #${PR_NUMBER} left open"
-              CONFLICTS=$((CONFLICTS + 1))
-              continue
-            fi
-
-            MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
-              -X POST \
-              -H "Authorization: token ${GITEA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              -d "{
-                \"Do\": \"merge\",
-                \"merge_message_field\": \"chore: cascade main → ${BRANCH} [skip ci]\",
-                \"delete_branch_after_merge\": false
-              }" \
-              "${API}/pulls/${PR_NUMBER}/merge")
-
-            MERGE_HTTP=$(echo "$MERGE_RESPONSE" | tail -1)
-
-            if [ "$MERGE_HTTP" = "200" ] || [ "$MERGE_HTTP" = "204" ]; then
-              echo "  ✅ Merged — ${BRANCH} is in sync"
-              SUCCESS=$((SUCCESS + 1))
-            else
-              MERGE_BODY=$(echo "$MERGE_RESPONSE" | sed '$d')
-              echo "  ⚠️  Merge failed (HTTP ${MERGE_HTTP}) — PR #${PR_NUMBER} left open"
-              CONFLICTS=$((CONFLICTS + 1))
-            fi
-          done
-
-          # Summary
-          echo ""
-          echo "════════════════════════════════════════"
-          echo "  ✅ Merged:    ${SUCCESS}"
-          echo "  ⚠️  Conflicts: ${CONFLICTS}"
-          echo "  ⏭️  Up to date: ${SKIPPED}"
-          echo "  ❌ Failed:    ${FAILED}"
-          echo "════════════════════════════════════════"
-
-          if [ "$FAILED" -gt 0 ]; then
-            exit 1
-          fi
@@ -1,467 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# This file is part of a Moko Consulting project.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow.Template
-# INGROUP: MokoStandards.CI
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/joomla/ci-joomla.yml.template
-# VERSION: 04.06.00
-# BRIEF: CI workflow for Joomla extensions — lint, validate, test
-
-name: "Joomla: Extension CI"
-
-on:
-  pull_request:
-    branches:
-      - main
-      - 'dev/**'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pull-requests: write
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  lint-and-validate:
-    name: Lint & Validate
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup PHP
-        run: |
-          php -v && composer --version
-
-      - name: Clone MokoStandards
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-        run: |
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api
-
-      - name: Install dependencies
-        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
-        run: |
-          if [ -f "composer.json" ]; then
-            composer install \
-              --no-interaction \
-              --prefer-dist \
-              --optimize-autoloader
-          else
-            echo "No composer.json found — skipping dependency install"
-          fi
-
-      - name: PHP syntax check
-        run: |
-          ERRORS=0
-          for DIR in src/ htdocs/; do
-            if [ -d "$DIR" ]; then
-              FOUND=1
-              while IFS= read -r -d '' FILE; do
-                OUTPUT=$(php -l "$FILE" 2>&1)
-                if echo "$OUTPUT" | grep -q "Parse error"; then
-                  echo "::error file=${FILE}::${OUTPUT}"
-                  ERRORS=$((ERRORS + 1))
-                fi
-              done < <(find "$DIR" -name "*.php" -print0)
-            fi
-          done
-          echo "### PHP Syntax Check" >> $GITHUB_STEP_SUMMARY
-          if [ "${ERRORS}" -gt 0 ]; then
-            echo "**${ERRORS} syntax error(s) found.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "All PHP files passed syntax check." >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: XML manifest validation
-        run: |
-          echo "### XML Manifest Validation" >> $GITHUB_STEP_SUMMARY
-          ERRORS=0
-
-          # Find the extension manifest (XML with <extension tag)
-          MANIFEST=""
-          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
-            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
-              MANIFEST="$XML_FILE"
-              break
-            fi
-          done
-
-          if [ -z "$MANIFEST" ]; then
-            echo "No Joomla extension manifest found (XML file with \`<extension\` tag)." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          else
-            echo "Manifest found: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
-
-            # Validate well-formed XML
-            php -r "
-              \$xml = @simplexml_load_file('$MANIFEST');
-              if (\$xml === false) {
-                echo 'INVALID';
-                exit(1);
-              }
-              echo 'VALID';
-            " > /tmp/xml_result 2>&1
-            XML_RESULT=$(cat /tmp/xml_result)
-            if [ "$XML_RESULT" != "VALID" ]; then
-              echo "Manifest is not well-formed XML." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            else
-              echo "Manifest is well-formed XML." >> $GITHUB_STEP_SUMMARY
-            fi
-
-            # Check required tags: name, version, author, namespace (Joomla 5+)
-            for TAG in name version author namespace; do
-              if ! grep -q "<${TAG}>" "$MANIFEST" 2>/dev/null; then
-                echo "Missing required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
-                ERRORS=$((ERRORS + 1))
-              else
-                echo "Found required tag: \`<${TAG}>\`" >> $GITHUB_STEP_SUMMARY
-              fi
-            done
-          fi
-
-          if [ "${ERRORS}" -gt 0 ]; then
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**${ERRORS} manifest issue(s) found.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**Manifest validation passed.**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: Check language files referenced in manifest
-        run: |
-          echo "### Language File Check" >> $GITHUB_STEP_SUMMARY
-          ERRORS=0
-
-          MANIFEST=""
-          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
-            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
-              MANIFEST="$XML_FILE"
-              break
-            fi
-          done
-
-          if [ -n "$MANIFEST" ]; then
-            # Extract language file references from manifest
-            LANG_FILES=$(grep -oP 'language\s+tag="[^"]*"[^>]*>\K[^<]+' "$MANIFEST" 2>/dev/null || true)
-            if [ -z "$LANG_FILES" ]; then
-              echo "No language file references found in manifest — skipping." >> $GITHUB_STEP_SUMMARY
-            else
-              while IFS= read -r LANG_FILE; do
-                LANG_FILE=$(echo "$LANG_FILE" | xargs)
-                if [ -z "$LANG_FILE" ]; then
-                  continue
-                fi
-                # Check in common locations
-                FOUND=0
-                for BASE in "." "src" "htdocs"; do
-                  if [ -f "${BASE}/${LANG_FILE}" ]; then
-                    FOUND=1
-                    break
-                  fi
-                done
-                if [ "$FOUND" -eq 0 ]; then
-                  echo "Missing language file: \`${LANG_FILE}\`" >> $GITHUB_STEP_SUMMARY
-                  ERRORS=$((ERRORS + 1))
-                else
-                  echo "Language file present: \`${LANG_FILE}\`" >> $GITHUB_STEP_SUMMARY
-                fi
-              done <<< "$LANG_FILES"
-            fi
-          else
-            echo "No manifest found — skipping language check." >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if [ "${ERRORS}" -gt 0 ]; then
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**${ERRORS} missing language file(s).**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**Language file check passed.**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: Check index.html files in directories
-        run: |
-          echo "### Index.html Check" >> $GITHUB_STEP_SUMMARY
-          MISSING=0
-          CHECKED=0
-
-          for DIR in src/ htdocs/; do
-            if [ -d "$DIR" ]; then
-              while IFS= read -r -d '' SUBDIR; do
-                CHECKED=$((CHECKED + 1))
-                if [ ! -f "${SUBDIR}/index.html" ]; then
-                  echo "Missing index.html in: \`${SUBDIR}\`" >> $GITHUB_STEP_SUMMARY
-                  MISSING=$((MISSING + 1))
-                fi
-              done < <(find "$DIR" -type d -print0)
-            fi
-          done
-
-          if [ "${CHECKED}" -eq 0 ]; then
-            echo "No src/ or htdocs/ directories found — skipping." >> $GITHUB_STEP_SUMMARY
-          elif [ "${MISSING}" -gt 0 ]; then
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "**${MISSING} director(ies) missing index.html out of ${CHECKED} checked.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "All ${CHECKED} directories contain index.html." >> $GITHUB_STEP_SUMMARY
-          fi
-
-  release-readiness:
-    name: Release Readiness Check
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request' && github.base_ref == 'main'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Validate release readiness
-        run: |
-          echo "## Release Readiness" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          ERRORS=0
-
-          # Extract version from README.md
-          README_VERSION=$(grep -oP '^\s*VERSION:\s*\K[0-9]{2}\.[0-9]{2}\.[0-9]{2}' README.md | head -1)
-          if [ -z "$README_VERSION" ]; then
-            echo "No VERSION found in README.md FILE INFORMATION block." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          else
-            echo "README version: \`${README_VERSION}\`" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          # Find the extension manifest
-          MANIFEST=""
-          for XML_FILE in $(find . -maxdepth 2 -name "*.xml" -not -path "./.git/*" -not -path "./vendor/*"); do
-            if grep -q "<extension" "$XML_FILE" 2>/dev/null; then
-              MANIFEST="$XML_FILE"
-              break
-            fi
-          done
-
-          if [ -z "$MANIFEST" ]; then
-            echo "No Joomla extension manifest found." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          else
-            echo "Manifest: \`${MANIFEST}\`" >> $GITHUB_STEP_SUMMARY
-
-            # Check <version> matches README VERSION
-            MANIFEST_VERSION=$(grep -oP '<version>\K[^<]+' "$MANIFEST" | head -1)
-            if [ -z "$MANIFEST_VERSION" ]; then
-              echo "No \`<version>\` tag in manifest." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            elif [ -n "$README_VERSION" ] && [ "$MANIFEST_VERSION" != "$README_VERSION" ]; then
-              echo "Manifest version \`${MANIFEST_VERSION}\` does not match README \`${README_VERSION}\`." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            else
-              echo "Manifest version: \`${MANIFEST_VERSION}\`" >> $GITHUB_STEP_SUMMARY
-            fi
-
-            # Check extension type, element, client attributes
-            EXT_TYPE=$(grep -oP '<extension[^>]*\btype="\K[^"]+' "$MANIFEST" | head -1)
-            if [ -z "$EXT_TYPE" ]; then
-              echo "Missing \`type\` attribute on \`<extension>\` tag." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            else
-              echo "Extension type: \`${EXT_TYPE}\`" >> $GITHUB_STEP_SUMMARY
-            fi
-
-            # Element check (component/module/plugin name)
-            HAS_ELEMENT=$(grep -cP '<(element|name)>' "$MANIFEST" 2>/dev/null || echo "0")
-            if [ "$HAS_ELEMENT" -eq 0 ]; then
-              echo "Missing \`<element>\` or \`<name>\` in manifest." >> $GITHUB_STEP_SUMMARY
-              ERRORS=$((ERRORS + 1))
-            fi
-
-            # Client attribute for site/admin modules and plugins
-            if echo "$EXT_TYPE" | grep -qP "^(module|plugin)$"; then
-              HAS_CLIENT=$(grep -cP '<extension[^>]*\bclient=' "$MANIFEST" 2>/dev/null || echo "0")
-              if [ "$HAS_CLIENT" -eq 0 ]; then
-                echo "Missing \`client\` attribute for ${EXT_TYPE} extension." >> $GITHUB_STEP_SUMMARY
-                ERRORS=$((ERRORS + 1))
-              fi
-            fi
-          fi
-
-          # Check updates.xml exists
-          if [ -f "updates.xml" ] || [ -f "updates.xml" ]; then
-            echo "Update XML present." >> $GITHUB_STEP_SUMMARY
-          else
-            echo "No updates.xml found." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          # Check CHANGELOG.md exists
-          if [ -f "CHANGELOG.md" ]; then
-            echo "CHANGELOG.md present." >> $GITHUB_STEP_SUMMARY
-          else
-            echo "No CHANGELOG.md found." >> $GITHUB_STEP_SUMMARY
-            ERRORS=$((ERRORS + 1))
-          fi
-
-          echo "" >> $GITHUB_STEP_SUMMARY
-          if [ $ERRORS -gt 0 ]; then
-            echo "**${ERRORS} issue(s) must be resolved before release.**" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          else
-            echo "**Extension is ready for release.**" >> $GITHUB_STEP_SUMMARY
-          fi
-
-  test:
-    name: Tests (PHP ${{ matrix.php }})
-    runs-on: ubuntu-latest
-    needs: lint-and-validate
-
-    strategy:
-      fail-fast: false
-      matrix:
-        php: ['8.2', '8.3']
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup PHP ${{ matrix.php }}
-        run: |
-          php -v && composer --version
-
-      - name: Install dependencies
-        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
-        run: |
-          if [ -f "composer.json" ]; then
-            composer install \
-              --no-interaction \
-              --prefer-dist \
-              --optimize-autoloader
-          else
-            echo "No composer.json found — skipping dependency install"
-          fi
-
-      - name: Run tests
-        run: |
-          echo "### Test Results (PHP ${{ matrix.php }})" >> $GITHUB_STEP_SUMMARY
-          if [ -f "phpunit.xml" ] || [ -f "phpunit.xml.dist" ]; then
-            vendor/bin/phpunit --testdox 2>&1 | tee /tmp/test-output.log
-            EXIT=${PIPESTATUS[0]}
-            if [ $EXIT -eq 0 ]; then
-              echo "All tests passed." >> $GITHUB_STEP_SUMMARY
-            else
-              echo "Test failures detected — see log." >> $GITHUB_STEP_SUMMARY
-              echo '```' >> $GITHUB_STEP_SUMMARY
-              cat /tmp/test-output.log >> $GITHUB_STEP_SUMMARY
-              echo '```' >> $GITHUB_STEP_SUMMARY
-            fi
-            exit $EXIT
-          else
-            echo "No phpunit.xml found — skipping tests." >> $GITHUB_STEP_SUMMARY
-          fi
-
-  static-analysis:
-    name: PHPStan Analysis
-    runs-on: ubuntu-latest
-    needs: lint-and-validate
-    continue-on-error: true
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-
-      - name: Setup PHP
-        run: php -v && composer --version
-
-      - name: Install dependencies
-        env:
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
-        run: |
-          if [ -f "composer.json" ]; then
-            composer install --no-interaction --prefer-dist --optimize-autoloader
-          fi
-
-      - name: Install PHPStan
-        run: |
-          if ! command -v vendor/bin/phpstan &> /dev/null; then
-            composer require --dev phpstan/phpstan --no-interaction 2>/dev/null || \
-              composer global require phpstan/phpstan --no-interaction
-          fi
-
-      - name: Run PHPStan
-        run: |
-          echo "### PHPStan Static Analysis" >> $GITHUB_STEP_SUMMARY
-          PHPSTAN="vendor/bin/phpstan"
-          if [ ! -f "$PHPSTAN" ]; then
-            PHPSTAN=$(composer global config bin-dir --absolute 2>/dev/null)/phpstan
-          fi
-
-          # Determine source directory
-          SRC_DIR=""
-          for DIR in src/ htdocs/ lib/; do
-            if [ -d "$DIR" ]; then
-              SRC_DIR="$DIR"
-              break
-            fi
-          done
-
-          if [ -z "$SRC_DIR" ]; then
-            echo "No source directory found (src/, htdocs/, lib/) — skipping." >> $GITHUB_STEP_SUMMARY
-            exit 0
-          fi
-
-          # Use repo phpstan.neon if present, otherwise use baseline config
-          ARGS="analyse ${SRC_DIR} --memory-limit=512M --no-progress --error-format=table"
-          if [ -f "phpstan.neon" ] || [ -f "phpstan.neon.dist" ]; then
-            echo "Using project PHPStan config." >> $GITHUB_STEP_SUMMARY
-          else
-            ARGS="$ARGS --level=3"
-            echo "No phpstan.neon found — using level 3 (type inference)." >> $GITHUB_STEP_SUMMARY
-          fi
-
-          $PHPSTAN $ARGS 2>&1 | tee /tmp/phpstan-output.txt
-          EXIT=${PIPESTATUS[0]}
-
-          if [ $EXIT -eq 0 ]; then
-            echo "**No errors found.**" >> $GITHUB_STEP_SUMMARY
-          else
-            ERRORS=$(grep -c "ERROR" /tmp/phpstan-output.txt 2>/dev/null || echo "some")
-            echo "**${ERRORS} error(s) found.** Review output above." >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-            tail -30 /tmp/phpstan-output.txt >> $GITHUB_STEP_SUMMARY
-            echo '```' >> $GITHUB_STEP_SUMMARY
-          fi
-          exit $EXIT
-
-  pre-release:
-    name: Build RC Pre-Release
-    runs-on: ubuntu-latest
-    needs: [lint-and-validate, test]
-    if: github.event_name == 'pull_request'
-
-    steps:
-      - name: Trigger pre-release build
-        env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-          REPO: ${{ github.repository }}
-          BRANCH: ${{ github.head_ref }}
-        run: |
-          curl -s -X POST             "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
-          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
-          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
@@ -1,87 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Maintenance
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.gitea/workflows/cleanup.yml
-# VERSION: 01.00.00
-# BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
-
-name: "Universal: Repository Cleanup"
-
-on:
-  schedule:
-    - cron: '0 3 * * 0'  # Weekly on Sunday at 03:00 UTC
-  workflow_dispatch:
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-jobs:
-  cleanup:
-    name: Clean Merged Branches
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-
-      - name: Delete merged branches
-        env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
-          echo "=== Merged Branch Cleanup ==="
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-
-          # List branches via API
-          BRANCHES=$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API}/branches?limit=50" | jq -r '.[].name')
-
-          DELETED=0
-          for BRANCH in $BRANCHES; do
-            # Skip protected branches
-            case "$BRANCH" in
-              main|master|develop|release/*|hotfix/*) continue ;;
-            esac
-
-            # Check if branch is merged into main
-            if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
-              echo "  Deleting merged branch: ${BRANCH}"
-              curl -sS -X DELETE -H "Authorization: token ${GITEA_TOKEN}" \
-                "${API}/branches/${BRANCH}" 2>/dev/null || true
-              DELETED=$((DELETED + 1))
-            fi
-          done
-
-          echo "Deleted ${DELETED} merged branch(es)"
-
-      - name: Clean old workflow runs
-        env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-        run: |
-          echo "=== Workflow Run Cleanup ==="
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
-
-          # Get old completed runs
-          RUNS=$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API}/actions/runs?status=completed&limit=50" | \
-            jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
-
-          DELETED=0
-          for RUN_ID in $RUNS; do
-            curl -sS -X DELETE -H "Authorization: token ${GITEA_TOKEN}" \
-              "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
-            DELETED=$((DELETED + 1))
-          done
-
-          echo "Deleted ${DELETED} old workflow run(s)"
@@ -1,96 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Security
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/gitleaks.yml.template
-# VERSION: 01.00.00
-# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
-#
-# +========================================================================+
-# |                        SECRET SCANNING                                 |
-# +========================================================================+
-# |                                                                        |
-# |  Scans commits for leaked secrets using Gitleaks.                      |
-# |                                                                        |
-# |  - PR scan: only new commits in the PR                                 |
-# |  - Scheduled: full repo scan weekly                                    |
-# |  - Alerts via ntfy on findings                                         |
-# |                                                                        |
-# +========================================================================+
-
-name: "Universal: Secret Scanning"
-
-on:
-  pull_request:
-    branches:
-      - main
-      - 'dev/**'
-  schedule:
-    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
-
-jobs:
-  gitleaks:
-    name: Gitleaks Secret Scan
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Install Gitleaks
-        run: |
-          GITLEAKS_VERSION="8.21.2"
-          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
-            | tar -xz -C /usr/local/bin gitleaks
-          gitleaks version
-
-      - name: Scan for secrets
-        id: scan
-        run: |
-          echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
-          ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
-
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            # Scan only PR commits
-            ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
-            echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
-          fi
-
-          if gitleaks detect $ARGS 2>&1; then
-            echo "result=clean" >> "$GITHUB_OUTPUT"
-            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "result=found" >> "$GITHUB_OUTPUT"
-            FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
-            echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-
-      - name: Notify on findings
-        if: failure() && steps.scan.outputs.result == 'found'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          curl -sS \
-            -H "Title: ${REPO} — secrets detected in code" \
-            -H "Tags: rotating_light,key" \
-            -H "Priority: urgent" \
-            -d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
-            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -1,73 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Automation
-# VERSION: 01.00.00
-# BRIEF: Auto-create feature branch when an issue is opened
-
-name: "Universal: Issue Branch"
-
-on:
-  issues:
-    types: [opened]
-
-permissions:
-  contents: write
-  issues: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-
-jobs:
-  create-branch:
-    name: Create feature branch
-    runs-on: ubuntu-latest
-    steps:
-      - name: Create branch and comment
-        run: |
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
-          ISSUE_NUM="${{ github.event.issue.number }}"
-          ISSUE_TITLE="${{ github.event.issue.title }}"
-
-          # Build slug from title: lowercase, replace non-alnum with dash, trim
-          SLUG=$(echo "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
-          BRANCH="feature/${ISSUE_NUM}-${SLUG}"
-
-          # Check dev branch exists
-          DEV_EXISTS=$(curl -sf -o /dev/null -w '%{http_code}' \
-            -H "Authorization: token ${TOKEN}" \
-            "${API}/branches/dev" 2>/dev/null || echo "000")
-
-          if [ "${DEV_EXISTS}" != "200" ]; then
-            echo "No dev branch -- skipping"
-            exit 0
-          fi
-
-          # Create branch from dev
-          HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
-            -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API}/branches" \
-            -d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"dev\"}" 2>/dev/null || echo "000")
-
-          if [ "${HTTP}" = "201" ]; then
-            echo "Created branch: ${BRANCH}"
-
-            # Comment on issue with branch link
-            REPO_URL="${GITEA_URL}/${{ github.repository }}"
-            BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
-
-            curl -sf -X POST \
-              -H "Authorization: token ${TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${API}/issues/${ISSUE_NUM}/comments" \
-              -d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
-
-            echo "Commented on issue #${ISSUE_NUM}"
-          else
-            echo "Failed to create branch (HTTP ${HTTP}) -- may already exist"
-          fi
@@ -1,70 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Notifications
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.gitea/workflows/notify.yml
-# VERSION: 01.00.00
-# BRIEF: Push notifications via ntfy on release success or workflow failure
-
-name: "Universal: Notifications"
-
-on:
-  workflow_run:
-    workflows:
-      - "Joomla Build & Release"
-      - "Joomla Extension CI"
-      - "Deploy"
-    types:
-      - completed
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-releases' }}
-
-jobs:
-  notify:
-    name: Send Notification
-    runs-on: ubuntu-latest
-    if: >-
-      github.event.workflow_run.conclusion == 'success' ||
-      github.event.workflow_run.conclusion == 'failure'
-
-    steps:
-      - name: Notify on success (releases only)
-        if: >-
-          github.event.workflow_run.conclusion == 'success' &&
-          contains(github.event.workflow_run.name, 'Release')
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          WORKFLOW="${{ github.event.workflow_run.name }}"
-          URL="${{ github.event.workflow_run.html_url }}"
-
-          curl -sS \
-            -H "Title: ${REPO} released" \
-            -H "Tags: white_check_mark,package" \
-            -H "Priority: default" \
-            -H "Click: ${URL}" \
-            -d "${WORKFLOW} completed successfully." \
-            "${NTFY_URL}/${NTFY_TOPIC}"
-
-      - name: Notify on failure
-        if: github.event.workflow_run.conclusion == 'failure'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          WORKFLOW="${{ github.event.workflow_run.name }}"
-          URL="${{ github.event.workflow_run.html_url }}"
-
-          curl -sS \
-            -H "Title: ${REPO} workflow failed" \
-            -H "Tags: x,warning" \
-            -H "Priority: high" \
-            -H "Click: ${URL}" \
-            -d "${WORKFLOW} failed. Check the run for details." \
-            "${NTFY_URL}/${NTFY_TOPIC}"
@@ -1,214 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.CI
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/universal/pr-check.yml.template
-# VERSION: 05.00.00
-# BRIEF: PR gate — branch policy + code validation before merge
-
-name: "Universal: PR Check"
-
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, edited]
-
-permissions:
-  contents: read
-  pull-requests: write
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  # ── Branch Policy ──────────────────────────────────────────────────────
-  branch-policy:
-    name: Branch Policy
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check branch merge target
-        run: |
-          HEAD="${{ github.head_ref }}"
-          BASE="${{ github.base_ref }}"
-
-          echo "PR: ${HEAD} → ${BASE}"
-
-          ALLOWED=true
-          REASON=""
-
-          case "$HEAD" in
-            feature/*|feat/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Feature branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            fix/*|bugfix/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Fix branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            hotfix/*)
-              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
-              fi
-              ;;
-            alpha/*|beta/*)
-              if [ "$BASE" != "dev" ]; then
-                ALLOWED=false
-                REASON="Pre-release branches must target 'dev', not '${BASE}'"
-              fi
-              ;;
-            rc/*)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Release candidate branches must target 'main', not '${BASE}'"
-              fi
-              ;;
-            dev)
-              if [ "$BASE" != "main" ]; then
-                ALLOWED=false
-                REASON="Dev branch can only merge into 'main', not '${BASE}'"
-              fi
-              ;;
-          esac
-
-          if [ "$ALLOWED" = false ]; then
-            echo "::error::${REASON}"
-            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
-            echo "" >> $GITHUB_STEP_SUMMARY
-            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
-            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
-            exit 1
-          fi
-
-          echo "Branch policy: OK (${HEAD} → ${BASE})"
-          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
-
-  # ── Code Validation ────────────────────────────────────────────────────
-  validate:
-    name: Validate PR
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Detect platform
-        id: platform
-        run: |
-          # Read platform from XML manifest (<platform> tag) or plain text fallback
-          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
-          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
-          [ -z "$PLATFORM" ] && PLATFORM="generic"
-          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
-
-      - name: Setup PHP
-        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
-          fi
-
-      - name: PHP syntax check
-        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
-        run: |
-          ERRORS=0
-          while IFS= read -r -d '' file; do
-            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
-              ERRORS=$((ERRORS + 1))
-            fi
-          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
-          echo "PHP lint: ${ERRORS} error(s)"
-          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
-
-      - name: Validate platform manifest
-        run: |
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          case "$PLATFORM" in
-            joomla)
-              MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-              if [ -z "$MANIFEST" ]; then
-                echo "::warning::No Joomla manifest found (WaaS site)"
-                exit 0
-              fi
-              echo "Manifest: ${MANIFEST}"
-              if command -v php &> /dev/null; then
-                php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
-              fi
-              for ELEMENT in name version description; do
-                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
-              done
-              echo "Joomla manifest valid"
-              ;;
-            dolibarr)
-              MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
-              if [ -z "$MOD_FILE" ]; then
-                echo "::error::No mod*.class.php found"
-                exit 1
-              fi
-              echo "Dolibarr module: ${MOD_FILE}"
-              ;;
-            *)
-              echo "Generic platform — no manifest validation"
-              ;;
-          esac
-
-      - name: Check update stream format
-        run: |
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          case "$PLATFORM" in
-            joomla)
-              if [ -f "updates.xml" ]; then
-                if command -v php &> /dev/null; then
-                  php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
-                fi
-                echo "updates.xml valid"
-              fi
-              ;;
-            dolibarr)
-              [ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
-              ;;
-          esac
-
-      - name: Verify package source
-        run: |
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ ! -d "$SOURCE_DIR" ]; then
-            echo "::warning::No src/ or htdocs/ directory"
-            exit 0
-          fi
-          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
-          echo "Source: ${FILE_COUNT} files"
-          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
-
-  # ── Pre-Release RC Build ─────────────────────────────────────────────────
-  pre-release:
-    name: Build RC Package
-    runs-on: ubuntu-latest
-    needs: [branch-policy, validate]
-
-    steps:
-      - name: Trigger RC pre-release
-        env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          REPO: ${{ github.repository }}
-          BRANCH: ${{ github.head_ref }}
-          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-        run: |
-          curl -s -X POST             "${GITEA_URL}/api/v1/repos/${REPO}/actions/workflows/pre-release.yml/dispatches"             -H "Authorization: token ${GITEA_TOKEN}"             -H "Content-Type: application/json"             -d "{\"ref\":\"${BRANCH}\",\"inputs\":{\"stability\":\"release-candidate\"}}"
-          echo "### Pre-Release" >> $GITHUB_STEP_SUMMARY
-          echo "Triggered RC build on branch \`${BRANCH}\`" >> $GITHUB_STEP_SUMMARY
@@ -1,231 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 05.01.00
-# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
-
-name: "Universal: Pre-Release"
-
-on:
-  pull_request:
-    types: [closed]
-    branches:
-      - dev
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Pre-release channel'
-        required: true
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - release-candidate
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-jobs:
-  build:
-    name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
-    runs-on: release
-    if: >-
-      github.event_name == 'workflow_dispatch' ||
-      (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev')
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-            /tmp/moko-platform-api
-          cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
-          echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: |
-          php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve metadata and bump version
-        id: meta
-        run: |
-          STABILITY="${{ inputs.stability || 'development' }}"
-
-          case "$STABILITY" in
-            development)        SUFFIX="-dev";   TAG="development" ;;
-            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)               SUFFIX="-beta";  TAG="beta" ;;
-            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
-          esac
-
-          # Read current version (bump already handled by push workflow)
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
-          [ -z "$VERSION" ] && VERSION="00.00.01"
-
-          # Strip any existing suffix from version before applying stability
-          VERSION=$(echo "$VERSION" | sed 's/-\(dev\|alpha\|beta\|rc\)$//')
-
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "${{ github.ref_name }}" --stability "$STABILITY" 2>/dev/null || true
-
-          # Verify version consistency across all files
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Update VERSION variable with suffix
-          if [ -n "$SUFFIX" ]; then
-            VERSION="${VERSION}${SUFFIX}"
-          fi
-
-          # Commit version bump
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1
-          }
-
-          # Auto-detect element via manifest_element.php
-          php ${MOKO_CLI}/manifest_element.php \
-            --path . --version "$VERSION" --stability "$STABILITY" \
-            --repo "${GITEA_REPO}" --github-output
-
-          # Read back element outputs
-          EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
-          ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
-          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}.zip"
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-
-          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
-
-      - name: Create release
-        id: release
-        run: |
-          TAG="${{ steps.meta.outputs.tag }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch dev --prerelease
-
-      - name: Build package and upload
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml -- skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          CURRENT_BRANCH="${{ github.ref_name }}"
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-
-          for BRANCH in main dev; do
-            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
-            echo "Syncing updates.xml -> ${BRANCH}"
-            git fetch origin "${BRANCH}" 2>/dev/null || continue
-            git checkout "origin/${BRANCH}" -- updates.xml 2>/dev/null || continue
-            git checkout "${CURRENT_BRANCH}" -- updates.xml
-            if ! git diff --quiet updates.xml 2>/dev/null; then
-              git add updates.xml
-              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
-              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
-            fi
-            git checkout "${CURRENT_BRANCH}" 2>/dev/null
-          done
-
-      - name: "Delete lesser pre-release channels (cascade)"
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          php ${MOKO_CLI}/release_cascade.php \
-            --stability "${{ steps.meta.outputs.stability }}" \
-            --token "${TOKEN}" \
-            --api-base "${API_BASE}"
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-          echo "## Pre-Release Complete" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Channel | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
-          echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| SHA-256 | \`${SHA256:-n/a}\` |" >> $GITHUB_STEP_SUMMARY
@@ -1,769 +0,0 @@
-# ============================================================================
-# Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
-#
-# This file is part of a Moko Consulting project.
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Validation
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
-# PATH: /templates/workflows/joomla/repo_health.yml.template
-# VERSION: 04.06.00
-# BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts.
-# ============================================================================
-
-name: "Generic: Repo Health"
-
-defaults:
-  run:
-    shell: bash
-
-on:
-  workflow_dispatch:
-    inputs:
-      profile:
-        description: 'Validation profile: all, release, scripts, or repo'
-        required: true
-        default: all
-        type: choice
-        options:
-          - all
-          - release
-          - scripts
-          - repo
-  pull_request:
-  push:
-
-permissions:
-  contents: read
-
-env:
-  # Release policy - Repository Variables Only
-  RELEASE_REQUIRED_REPO_VARS: RS_FTP_PATH_SUFFIX
-  RELEASE_OPTIONAL_REPO_VARS: DEV_FTP_SUFFIX
-
-  # Scripts governance policy
-  SCRIPTS_REQUIRED_DIRS:
-  SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate
-
-  # Repo health policy
-  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.mokogitea/workflows/
-  REPO_OPTIONAL_FILES: SECURITY.md,GOVERNANCE.md,.editorconfig,.gitattributes,.gitignore,README.md,docs/
-  REPO_DISALLOWED_DIRS:
-  REPO_DISALLOWED_FILES: TODO.md,todo.md
-
-  # Extended checks toggles
-  EXTENDED_CHECKS: "true"
-
-  # File / directory variables
-  DOCS_INDEX: docs/docs-index.md
-  SCRIPT_DIR: scripts
-  WORKFLOWS_DIR: .mokogitea/workflows
-  SHELLCHECK_PATTERN: '*.sh'
-  SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-
-jobs:
-  access_check:
-    name: Access control
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    permissions:
-      contents: read
-
-    outputs:
-      allowed: ${{ steps.perm.outputs.allowed }}
-      permission: ${{ steps.perm.outputs.permission }}
-
-    steps:
-      - name: Check actor permission (admin only)
-        id: perm
-        env:
-          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
-          REPO: ${{ github.repository }}
-          ACTOR: ${{ github.actor }}
-        run: |
-          set -euo pipefail
-          ALLOWED=false
-          PERMISSION=unknown
-          METHOD=""
-
-          # Hardcoded authorized users — always allowed
-          case "$ACTOR" in
-            jmiller|gitea-actions[bot])
-              ALLOWED=true
-              PERMISSION=admin
-              METHOD="hardcoded allowlist"
-              ;;
-            *)
-              # Detect platform and check permissions via API
-              API_BASE="${GITHUB_API_URL:-${GITEA_API_URL:-https://api.github.com}}"
-              RESP=$(curl -sf -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/repos/${REPO}/collaborators/${ACTOR}/permission" 2>/dev/null || echo '{}')
-              PERMISSION=$(echo "$RESP" | grep -oP '"permission"\s*:\s*"\K[^"]+' || echo "unknown")
-              if [ "$PERMISSION" = "admin" ] || [ "$PERMISSION" = "maintain" ] || [ "$PERMISSION" = "owner" ]; then
-                ALLOWED=true
-              fi
-              METHOD="collaborator API"
-              ;;
-          esac
-
-          echo "permission=${PERMISSION}" >> "$GITHUB_OUTPUT"
-          echo "allowed=${ALLOWED}" >> "$GITHUB_OUTPUT"
-
-          {
-            echo "## Access Authorization"
-            echo ""
-            echo "| Field | Value |"
-            echo "|-------|-------|"
-            echo "| **Actor** | \`${ACTOR}\` |"
-            echo "| **Repository** | \`${REPO}\` |"
-            echo "| **Permission** | \`${PERMISSION}\` |"
-            echo "| **Method** | ${METHOD} |"
-            echo "| **Authorized** | ${ALLOWED} |"
-            echo ""
-            if [ "$ALLOWED" = "true" ]; then
-              echo "${ACTOR} authorized (${METHOD})"
-            else
-              echo "${ACTOR} is NOT authorized. Requires admin or maintain role."
-            fi
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-      - name: Deny execution when not permitted
-        if: ${{ steps.perm.outputs.allowed != 'true' }}
-        run: |
-          set -euo pipefail
-          printf '%s\n' 'ERROR: Access denied. Admin permission required.' >> "${GITHUB_STEP_SUMMARY}"
-          exit 1
-
-  release_config:
-    name: Release configuration
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Guardrails release vars
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-          RS_FTP_PATH_SUFFIX: ${{ vars.RS_FTP_PATH_SUFFIX }}
-          DEV_FTP_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'scripts' ] || [ "${profile}" = 'repo' ]; then
-            {
-              printf '%s\n' '### Release configuration (Repository Variables)'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes release validation'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          IFS=',' read -r -a required <<< "${RELEASE_REQUIRED_REPO_VARS}"
-          IFS=',' read -r -a optional <<< "${RELEASE_OPTIONAL_REPO_VARS}"
-
-          missing=()
-          missing_optional=()
-
-          for k in "${required[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing+=("${k}")
-          done
-
-          for k in "${optional[@]}"; do
-            v="${!k:-}"
-            [ -z "${v}" ] && missing_optional+=("${k}")
-          done
-
-          {
-            printf '%s\n' '### Release configuration (Repository Variables)'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Variable | Status |'
-            printf '%s\n' '|---|---|'
-            printf '%s\n' "| RS_FTP_PATH_SUFFIX | ${RS_FTP_PATH_SUFFIX:-NOT SET} |"
-            printf '%s\n' "| DEV_FTP_SUFFIX | ${DEV_FTP_SUFFIX:-NOT SET} |"
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${#missing_optional[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing optional repository variables'
-              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          if [ "${#missing[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing required repository variables'
-              for m in "${missing[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository variables.'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 1
-          fi
-
-          {
-            printf '%s\n' '### Repository variables validation result'
-            printf '%s\n' 'Status: OK'
-            printf '%s\n' 'All required repository variables present.'
-            printf '%s\n' ''
-            printf '%s\n' '**Note**: Organization secrets (RS_FTP_HOST, RS_FTP_USER, etc.) are validated at deployment time, not in repository health checks.'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-  scripts_governance:
-    name: Scripts governance
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Scripts folder checks
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'repo' ]; then
-            {
-              printf '%s\n' '### Scripts governance'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes scripts governance'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          if [ ! -d "${SCRIPT_DIR}" ]; then
-            {
-              printf '%s\n' '### Scripts governance'
-              printf '%s\n' 'Status: OK (advisory)'
-              printf '%s\n' 'scripts/ directory not present. No scripts governance enforced.'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          if [ -n "${SCRIPTS_REQUIRED_DIRS:-}" ]; then IFS=',' read -r -a required_dirs <<< "${SCRIPTS_REQUIRED_DIRS}"; else required_dirs=(); fi
-          IFS=',' read -r -a allowed_dirs <<< "${SCRIPTS_ALLOWED_DIRS}"
-
-          missing_dirs=()
-          unapproved_dirs=()
-
-          for d in "${required_dirs[@]}"; do
-            req="${d%/}"
-            [ ! -d "${req}" ] && missing_dirs+=("${req}/")
-          done
-
-          while IFS= read -r d; do
-            allowed=false
-            for a in "${allowed_dirs[@]}"; do
-              a_norm="${a%/}"
-              [ "${d%/}" = "${a_norm}" ] && allowed=true
-            done
-            [ "${allowed}" = false ] && unapproved_dirs+=("${d%/}/")
-          done < <(find "${SCRIPT_DIR}" -maxdepth 1 -mindepth 1 -type d 2>/dev/null | sed 's#^\./##')
-
-          {
-            printf '%s\n' '### Scripts governance'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Area | Status | Notes |'
-            printf '%s\n' '|---|---|---|'
-
-            if [ "${#missing_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' '| Required directories | Warning | Missing required subfolders |'
-            else
-              printf '%s\n' '| Required directories | OK | All required subfolders present |'
-            fi
-
-            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' '| Directory policy | Warning | Unapproved directories detected |'
-            else
-              printf '%s\n' '| Directory policy | OK | No unapproved directories |'
-            fi
-
-            printf '%s\n' '| Enforcement mode | Advisory | scripts folder is optional |'
-            printf '\n'
-
-            if [ "${#missing_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' 'Missing required script directories:'
-              for m in "${missing_dirs[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            else
-              printf '%s\n' 'Missing required script directories: none.'
-              printf '\n'
-            fi
-
-            if [ "${#unapproved_dirs[@]}" -gt 0 ]; then
-              printf '%s\n' 'Unapproved script directories detected:'
-              for m in "${unapproved_dirs[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            else
-              printf '%s\n' 'Unapproved script directories detected: none.'
-              printf '\n'
-            fi
-
-            printf '%s\n' 'Scripts governance completed in advisory mode.'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-  repo_health:
-    name: Repository health
-    needs: access_check
-    if: ${{ needs.access_check.outputs.allowed == 'true' }}
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    permissions:
-      contents: read
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-
-      - name: Repository health checks
-        env:
-          PROFILE_RAW: ${{ github.event.inputs.profile }}
-        run: |
-          set -euo pipefail
-
-          profile="${PROFILE_RAW:-all}"
-          case "${profile}" in
-            all|release|scripts|repo) ;;
-            *)
-              printf '%s\n' "ERROR: Unknown profile: ${profile}" >> "${GITHUB_STEP_SUMMARY}"
-              exit 1
-              ;;
-          esac
-
-          if [ "${profile}" = 'release' ] || [ "${profile}" = 'scripts' ]; then
-            {
-              printf '%s\n' '### Repository health'
-              printf '%s\n' "Profile: ${profile}"
-              printf '%s\n' 'Status: SKIPPED'
-              printf '%s\n' 'Reason: profile excludes repository health'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 0
-          fi
-
-          IFS=',' read -r -a required_artifacts <<< "${REPO_REQUIRED_ARTIFACTS}"
-          IFS=',' read -r -a optional_files <<< "${REPO_OPTIONAL_FILES}"
-          if [ -n "${REPO_DISALLOWED_DIRS:-}" ]; then IFS=',' read -r -a disallowed_dirs <<< "${REPO_DISALLOWED_DIRS}"; else disallowed_dirs=(); fi
-          IFS=',' read -r -a disallowed_files <<< "${REPO_DISALLOWED_FILES:-}"
-
-          missing_required=()
-          missing_optional=()
-
-          # Source directory: src/ or htdocs/ (either is valid for extension repos)
-          SOURCE_DIR=""
-          if [ -d "src" ]; then
-            SOURCE_DIR="src"
-          elif [ -d "htdocs" ]; then
-            SOURCE_DIR="htdocs"
-          elif [ -d "deploy" ] || [ -d "cli" ] || [ -d "monitoring" ]; then
-            # Platform/tooling repos don't need src/
-            SOURCE_DIR=""
-          else
-            missing_required+=("src/ or htdocs/ (source directory required)")
-          fi
-
-          for item in "${required_artifacts[@]}"; do
-            if printf '%s' "${item}" | grep -q '/$'; then
-              d="${item%/}"
-              [ ! -d "${d}" ] && missing_required+=("${item}")
-            else
-              [ ! -f "${item}" ] && missing_required+=("${item}")
-            fi
-          done
-
-          for f in "${optional_files[@]}"; do
-            if printf '%s' "${f}" | grep -q '/$'; then
-              d="${f%/}"
-              [ ! -d "${d}" ] && missing_optional+=("${f}")
-            else
-              [ ! -f "${f}" ] && missing_optional+=("${f}")
-            fi
-          done
-
-          for d in "${disallowed_dirs[@]}"; do
-            d_norm="${d%/}"
-            [ -d "${d_norm}" ] && missing_required+=("${d_norm}/ (disallowed)")
-          done
-
-          for f in "${disallowed_files[@]}"; do
-            [ -f "${f}" ] && missing_required+=("${f} (disallowed)")
-          done
-
-          git fetch origin --prune
-
-          dev_paths=()
-          dev_branches=()
-
-          while IFS= read -r b; do
-            name="${b#origin/}"
-            if [ "${name}" = 'dev' ]; then
-              dev_branches+=("${name}")
-            else
-              dev_paths+=("${name}")
-            fi
-          done < <(git branch -r --list 'origin/dev*' | sed 's/^ *//')
-
-          if [ "${#dev_paths[@]}" -eq 0 ] && [ "${#dev_branches[@]}" -eq 0 ]; then
-            missing_required+=("dev or dev/* branch")
-          fi
-
-          content_warnings=()
-
-          if [ -f 'CHANGELOG.md' ] && ! grep -Eq '^# Changelog' CHANGELOG.md; then
-            content_warnings+=("CHANGELOG.md missing '# Changelog' header")
-          fi
-
-          if [ -f 'CHANGELOG.md' ] && grep -Eq '^[# ]*Unreleased' CHANGELOG.md; then
-            content_warnings+=("CHANGELOG.md contains Unreleased section (review release readiness)")
-          fi
-
-          if [ -f 'LICENSE' ] && ! grep -qiE 'GNU GENERAL PUBLIC LICENSE|GPL' LICENSE; then
-            content_warnings+=("LICENSE does not look like a GPL text")
-          fi
-
-          if [ -f 'README.md' ] && ! grep -qiE 'moko|Moko' README.md; then
-            content_warnings+=("README.md missing expected brand keyword")
-          fi
-
-          export PROFILE_RAW="${profile}"
-          export MISSING_REQUIRED="$(printf '%s\n' "${missing_required[@]:-}")"
-          export MISSING_OPTIONAL="$(printf '%s\n' "${missing_optional[@]:-}")"
-          export CONTENT_WARNINGS="$(printf '%s\n' "${content_warnings[@]:-}")"
-
-          report_json=$(printf '{"profile":"%s","missing_required":%d,"missing_optional":%d,"content_warnings":%d}'             "$profile" "${#missing_required[@]}" "${#missing_optional[@]}" "${#content_warnings[@]}")
-
-          {
-            printf '%s\n' '### Repository health'
-            printf '%s\n' "Profile: ${profile}"
-            printf '%s\n' '| Metric | Value |'
-            printf '%s\n' '|---|---|'
-            printf '%s\n' "| Missing required | ${#missing_required[@]} |"
-            printf '%s\n' "| Missing optional | ${#missing_optional[@]} |"
-            printf '%s\n' "| Content warnings | ${#content_warnings[@]} |"
-            printf '\n'
-
-            printf '%s\n' '### Guardrails report (JSON)'
-            printf '%s\n' '```json'
-            printf '%s\n' "${report_json}"
-            printf '%s\n' '```'
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${#missing_required[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing required repo artifacts'
-              for m in "${missing_required[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '%s\n' 'ERROR: Guardrails failed. Missing required repository artifacts.'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-            exit 1
-          fi
-
-          if [ "${#missing_optional[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Missing optional repo artifacts'
-              for m in "${missing_optional[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          if [ "${#content_warnings[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Repo content warnings'
-              for m in "${content_warnings[@]}"; do printf '%s\n' "- ${m}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          # -- Joomla-specific checks --
-          joomla_findings=()
-
-          MANIFEST="$(find . -maxdepth 2 -name '*.xml' -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)"
-          if [ -z "${MANIFEST}" ]; then
-            joomla_findings+=("Joomla XML manifest not found (no *.xml with <extension> tag)")
-          else
-            if ! grep -qP '<version>' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <version> tag missing")
-            fi
-            if ! grep -qP 'type="(component|module|plugin|library|package|template|language)"' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: type attribute missing or invalid")
-            fi
-            if ! grep -qP '<name>' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <name> tag missing")
-            fi
-            if ! grep -qP '<author>' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <author> tag missing")
-            fi
-            if ! grep -qP '<namespace' "${MANIFEST}"; then
-              joomla_findings+=("XML manifest: <namespace> missing (required for Joomla 5+)")
-            fi
-          fi
-
-          INI_COUNT="$(find . -name '*.ini' -type f 2>/dev/null | wc -l)"
-          if [ "${INI_COUNT}" -eq 0 ]; then
-            joomla_findings+=("No .ini language files found")
-          fi
-
-          if [ ! -f 'updates.xml' ]; then
-            joomla_findings+=("updates.xml missing in root (required for Joomla update server)")
-          fi
-
-          if [ -n "${SOURCE_DIR}" ]; then
-            INDEX_DIRS=("${SOURCE_DIR}" "${SOURCE_DIR}/admin" "${SOURCE_DIR}/site")
-            for dir in "${INDEX_DIRS[@]}"; do
-              if [ -d "${dir}" ] && [ ! -f "${dir}/index.html" ]; then
-                joomla_findings+=("${dir}/index.html missing (directory listing protection)")
-              fi
-            done
-          fi
-
-          if [ "${#joomla_findings[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Joomla extension checks'
-              printf '%s\n' '| Check | Status |'
-              printf '%s\n' '|---|---|'
-              for f in "${joomla_findings[@]}"; do
-                printf '%s\n' "| ${f} | Warning |"
-              done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          else
-            {
-              printf '%s\n' '### Joomla extension checks'
-              printf '%s\n' 'All Joomla-specific checks passed.'
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          extended_enabled="${EXTENDED_CHECKS:-true}"
-          extended_findings=()
-
-          if [ "${extended_enabled}" = 'true' ]; then
-            if [ -f '.github/CODEOWNERS' ] || [ -f 'CODEOWNERS' ] || [ -f 'docs/CODEOWNERS' ]; then
-              :
-            else
-              extended_findings+=("CODEOWNERS not found (.github/CODEOWNERS preferred)")
-            fi
-
-            if ls "${WORKFLOWS_DIR}"/*.yml >/dev/null 2>&1 || ls "${WORKFLOWS_DIR}"/*.yaml >/dev/null 2>&1; then
-              bad_refs="$(grep -RIn --include='*.yml' --include='*.yaml' -E '^[[:space:]]*uses:[[:space:]]*[^#]+@(main|master)\b' "${WORKFLOWS_DIR}" 2>/dev/null || true)"
-              if [ -n "${bad_refs}" ]; then
-                extended_findings+=("Workflows reference actions @main/@master (pin versions): see log excerpt")
-                {
-                  printf '%s\n' '### Workflow pinning advisory'
-                  printf '%s\n' 'Found uses: entries pinned to main/master:'
-                  printf '%s\n' '```'
-                  printf '%s\n' "${bad_refs}"
-                  printf '%s\n' '```'
-                  printf '\n'
-                } >> "${GITHUB_STEP_SUMMARY}"
-              fi
-            fi
-
-            if [ -f "${DOCS_INDEX}" ]; then
-              missing_links=""
-              while IFS= read -r docline; do
-                for link in $(echo "$docline" | grep -oE '\]\([^)]+\)' | sed 's/\](//' | sed 's/)$//' || true); do
-                  case "$link" in http://*|https://*|"#"*|mailto:*) continue ;; esac
-                  linkpath="${link%%#*}"
-                  linkpath="${linkpath%%\?*}"
-                  [ -z "$linkpath" ] && continue
-                  if [ "${linkpath:0:1}" = "/" ]; then
-                    testpath="${linkpath#/}"
-                  else
-                    testpath="$(dirname "${DOCS_INDEX}")/${linkpath}"
-                  fi
-                  [ ! -e "$testpath" ] && missing_links="${missing_links}${testpath} "
-                done
-              done < "${DOCS_INDEX}"
-              if [ -n "${missing_links}" ]; then
-                extended_findings+=("docs/docs-index.md contains broken relative links")
-                {
-                  printf '%s\n' '### Docs index link integrity'
-                  printf '%s\n' 'Broken relative links:'
-                  for bl in ${missing_links}; do
-                    printf '%s\n' "- ${bl}"
-                  done
-                  printf '\n'
-                } >> "${GITHUB_STEP_SUMMARY}"
-              fi
-            fi
-
-            if [ -d "${SCRIPT_DIR}" ]; then
-              if ! command -v shellcheck >/dev/null 2>&1; then
-                sudo apt-get update -qq
-                sudo apt-get install -y shellcheck >/dev/null
-              fi
-
-              sc_out=''
-              while IFS= read -r shf; do
-                [ -z "${shf}" ] && continue
-                out_one="$(shellcheck -S warning -x "${shf}" 2>/dev/null || true)"
-                if [ -n "${out_one}" ]; then
-                  sc_out="${sc_out}${out_one}\n"
-                fi
-              done < <(find "${SCRIPT_DIR}" -type f -name "${SHELLCHECK_PATTERN}" 2>/dev/null | sort)
-
-              if [ -n "${sc_out}" ]; then
-                extended_findings+=("ShellCheck warnings detected (advisory)")
-                sc_head="$(printf '%s' "${sc_out}" | head -n 200)"
-                {
-                  printf '%s\n' '### ShellCheck (advisory)'
-                  printf '%s\n' '```'
-                  printf '%s\n' "${sc_head}"
-                  printf '%s\n' '```'
-                  printf '\n'
-                } >> "${GITHUB_STEP_SUMMARY}"
-              fi
-            fi
-
-            spdx_missing=()
-            IFS=',' read -r -a spdx_globs <<< "${SPDX_FILE_GLOBS}"
-            spdx_args=()
-            for g in "${spdx_globs[@]}"; do spdx_args+=("${g}"); done
-
-            while IFS= read -r f; do
-              [ -z "${f}" ] && continue
-              if ! head -n 40 "${f}" | grep -q 'SPDX-License-Identifier:'; then
-                spdx_missing+=("${f}")
-              fi
-            done < <(git ls-files "${spdx_args[@]}" 2>/dev/null || true)
-
-            if [ "${#spdx_missing[@]}" -gt 0 ]; then
-              extended_findings+=("SPDX header missing in some tracked files (advisory)")
-              {
-                printf '%s\n' '### SPDX header advisory'
-                printf '%s\n' 'Files missing SPDX-License-Identifier (first 40 lines scan):'
-                for f in "${spdx_missing[@]}"; do printf '%s\n' "- ${f}"; done
-                printf '\n'
-              } >> "${GITHUB_STEP_SUMMARY}"
-            fi
-
-            stale_cutoff_days=180
-            stale_branches="$(git for-each-ref --format='%(refname:short) %(committerdate:unix)' refs/remotes/origin 2>/dev/null | awk -v now="$(date +%s)" -v days="${stale_cutoff_days}" '{if (now-$2 > days*86400) print $1}' | head -50)"
-            if [ -n "${stale_branches}" ]; then
-              extended_findings+=("Stale remote branches detected (advisory)")
-              {
-                printf '%s\n' '### Git hygiene advisory'
-                printf '%s\n' "Branches with last commit older than ${stale_cutoff_days} days (sample up to 50):"
-                while IFS= read -r b; do [ -n "${b}" ] && printf '%s\n' "- ${b}"; done <<< "${stale_branches}"
-                printf '\n'
-              } >> "${GITHUB_STEP_SUMMARY}"
-            fi
-          fi
-
-          {
-            printf '%s\n' '### Guardrails coverage matrix'
-            printf '%s\n' '| Domain | Status | Notes |'
-            printf '%s\n' '|---|---|---|'
-            printf '%s\n' '| Access control | OK | Admin-only execution gate |'
-            printf '%s\n' '| Release variables | OK | Repository variables validation |'
-            printf '%s\n' '| Scripts governance | OK | Directory policy and advisory reporting |'
-            printf '%s\n' '| Repo required artifacts | OK | Required, optional, disallowed enforcement |'
-            printf '%s\n' '| Repo content heuristics | OK | Brand, license, changelog structure |'
-            if [ "${extended_enabled}" = 'true' ]; then
-              if [ "${#extended_findings[@]}" -gt 0 ]; then
-                printf '%s\n' '| Extended checks | Warning | See extended findings below |'
-              else
-                printf '%s\n' '| Extended checks | OK | No findings |'
-              fi
-            else
-              printf '%s\n' '| Extended checks | SKIPPED | EXTENDED_CHECKS disabled |'
-            fi
-            printf '\n'
-          } >> "${GITHUB_STEP_SUMMARY}"
-
-          if [ "${extended_enabled}" = 'true' ] && [ "${#extended_findings[@]}" -gt 0 ]; then
-            {
-              printf '%s\n' '### Extended findings (advisory)'
-              for f in "${extended_findings[@]}"; do printf '%s\n' "- ${f}"; done
-              printf '\n'
-            } >> "${GITHUB_STEP_SUMMARY}"
-          fi
-
-          printf '%s\n' 'Repository health guardrails passed.' >> "${GITHUB_STEP_SUMMARY}"
-
-
-  site-health:
-    name: Site Health
-    runs-on: ubuntu-latest
-    if: github.event_name == 'workflow_dispatch'
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup PHP
-        uses: shivammathur/setup-php@v2
-        with:
-          php-version: '8.3'
-
-      - name: Uptime check
-        if: env.URLS != ''
-        run: |
-          echo "$URLS" > /tmp/urls.txt
-          php monitoring/uptime-probe.php --urls /tmp/urls.txt --timeout 15 || echo "::warning::Some sites are down"
-          rm -f /tmp/urls.txt
-        env:
-          URLS: ${{ vars.MONITORED_URLS }}
-
-      - name: SSL certificate check
-        if: env.DOMAINS != ''
-        run: |
-          echo "$DOMAINS" > /tmp/domains.txt
-          php monitoring/ssl-check.php --domains /tmp/domains.txt --warn-days 30 || echo "::warning::SSL certificates expiring soon"
-          rm -f /tmp/domains.txt
-        env:
-          DOMAINS: ${{ vars.MONITORED_DOMAINS }}
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "### Site Health" >> $GITHUB_STEP_SUMMARY
-          echo "Uptime and SSL checks completed." >> $GITHUB_STEP_SUMMARY
-
@@ -1,98 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Security
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /.gitea/workflows/security-audit.yml
-# VERSION: 01.00.00
-# BRIEF: Dependency vulnerability scanning for composer and npm packages
-
-name: "Universal: Security Audit"
-
-on:
-  schedule:
-    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
-  pull_request:
-    branches:
-      - main
-    paths:
-      - 'composer.json'
-      - 'composer.lock'
-      - 'package.json'
-      - 'package-lock.json'
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-env:
-  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
-  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
-
-jobs:
-  audit:
-    name: Dependency Audit
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Composer audit
-        if: hashFiles('composer.lock') != ''
-        run: |
-          echo "=== Composer Security Audit ==="
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
-          fi
-          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
-          RESULT=$?
-          if [ $RESULT -ne 0 ]; then
-            echo "::warning::Composer vulnerabilities found"
-            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
-          else
-            echo "No known vulnerabilities in composer dependencies"
-          fi
-
-      - name: NPM audit
-        if: hashFiles('package-lock.json') != ''
-        run: |
-          echo "=== NPM Security Audit ==="
-          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
-          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
-            echo "No known vulnerabilities in npm dependencies"
-          else
-            echo "::warning::NPM vulnerabilities found"
-            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
-          fi
-
-      - name: Notify on vulnerabilities
-        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
-        run: |
-          REPO="${{ github.event.repository.name }}"
-          curl -sS \
-            -H "Title: ${REPO} has vulnerable dependencies" \
-            -H "Tags: lock,warning" \
-            -H "Priority: high" \
-            -d "Security audit found vulnerabilities. Review dependency updates." \
-            "${NTFY_URL}/${NTFY_TOPIC}" || true
-
-
-      - name: Joomla version audit
-        if: always()
-        run: |
-          if [ -f "monitoring/joomla-version-audit.php" ] && [ -n "$JOOMLA_SITES" ]; then
-            echo "$JOOMLA_SITES" > /tmp/sites.json
-            php monitoring/joomla-version-audit.php --sites /tmp/sites.json || true
-            echo "### Joomla Version Audit" >> $GITHUB_STEP_SUMMARY
-            rm -f /tmp/sites.json
-          else
-            echo "Joomla audit skipped (no script or JOOMLA_SITES_JSON not configured)"
-          fi
-        env:
-          JOOMLA_SITES: ${{ vars.JOOMLA_SITES_JSON }}
-
@@ -1,311 +0,0 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/update-server.yml
-# VERSION: 05.00.00
-# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
-#
-# Thin wrapper around moko-platform CLI tools.
-# Builds packages, updates updates.xml, and optionally deploys via SFTP.
-#
-# Joomla filters update entries by the user's "Minimum Stability" setting.
-
-name: "Update Server"
-
-on:
-  push:
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  pull_request:
-    types: [closed]
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'development'
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - rc
-          - stable
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  update-xml:
-    name: Update Server
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.MOKOGITEA_TOKEN }}"}}}'
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          if [ -d "/tmp/moko-platform" ]; then
-            echo "moko-platform already available — skipping clone"
-          else
-            git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
-              /tmp/moko-platform 2>/dev/null || true
-          fi
-          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
-            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
-
-      - name: Detect platform
-        id: platform
-        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
-
-      - name: Resolve stability and bump version
-        id: meta
-        run: |
-          BRANCH="${{ github.ref_name }}"
-
-          # Configure git for bot pushes
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-          # Auto-bump patch version
-          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
-
-          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
-
-          # Determine stability from branch or manual input
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          elif [[ "$BRANCH" == rc/* ]]; then
-            STABILITY="rc"
-          elif [[ "$BRANCH" == beta/* ]]; then
-            STABILITY="beta"
-          elif [[ "$BRANCH" == alpha/* ]]; then
-            STABILITY="alpha"
-          else
-            STABILITY="development"
-          fi
-
-          # Version suffix per stability stream
-          case "$STABILITY" in
-            development) SUFFIX="-dev";  TAG="development" ;;
-            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)        SUFFIX="-beta";  TAG="beta" ;;
-            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
-            *)           SUFFIX="";       TAG="stable" ;;
-          esac
-
-          # Propagate version with stability suffix to all manifest files
-          php ${MOKO_CLI}/version_set_platform.php \
-            --path . --version "$VERSION" --branch "$BRANCH" --stability "$STABILITY" 2>/dev/null || true
-          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
-
-          # Re-read version (now includes suffix from version_set_platform)
-          if [ -n "$SUFFIX" ]; then
-            VERSION="${VERSION}${SUFFIX}"
-          fi
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "display_version=${VERSION}" >> "$GITHUB_OUTPUT"
-
-          # Commit version bump if changed
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push
-          }
-
-      - name: Create release and upload package
-        id: package
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          TAG="${{ steps.meta.outputs.tag }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          # Create or update Gitea release
-          php ${MOKO_CLI}/release_create.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
-
-          # Build package and upload
-          php ${MOKO_CLI}/release_package.php \
-            --path . --version "$VERSION" --tag "$TAG" \
-            --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --output /tmp || true
-
-      - name: Update updates.xml
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.package.outputs.sha256_zip }}"
-
-          if [ ! -f "updates.xml" ]; then
-            echo "No updates.xml — skipping"
-            exit 0
-          fi
-
-          SHA_FLAG=""
-          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
-
-          php ${MOKO_CLI}/updates_xml_build.php \
-            --path . --version "${VERSION}" --stability "${STABILITY}" \
-            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
-            ${SHA_FLAG}
-
-          # Commit and push updates.xml
-          git add updates.xml
-          git diff --cached --quiet || {
-            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
-            git push
-          }
-
-      - name: Sync updates.xml to main
-        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GITEA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
-
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GITEA_TOKEN}" \
-            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-
-          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
-            python3 -c "
-          import base64, json, urllib.request, sys
-          with open('updates.xml', 'rb') as f:
-              content = base64.b64encode(f.read()).decode()
-          payload = json.dumps({
-              'content': content,
-              'sha': '${FILE_SHA}',
-              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
-              'branch': 'main'
-          }).encode()
-          req = urllib.request.Request(
-              '${API_BASE}/contents/updates.xml',
-              data=payload, method='PUT',
-              headers={
-                  'Authorization': 'token ${GITEA_TOKEN}',
-                  'Content-Type': 'application/json'
-              })
-          try:
-              urllib.request.urlopen(req)
-              print('updates.xml synced to main')
-          except Exception as e:
-              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
-          "
-          fi
-
-      - name: SFTP deploy to dev server
-        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
-        env:
-          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
-          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
-          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
-          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
-          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
-          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-        run: |
-          # Permission check: admin or maintain role required
-          ACTOR="${{ github.actor }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
-          case "$PERMISSION" in
-            admin|maintain|write) ;;
-            *)
-              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
-              exit 0
-              ;;
-          esac
-
-          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
-
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && exit 0
-
-          PORT="${DEV_PORT:-22}"
-          REMOTE="${DEV_PATH%/}"
-          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
-          if [ -n "$DEV_KEY" ]; then
-            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
-          fi
-
-          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
-            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          fi
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
-
-      - name: Summary
-        if: always()
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          DISPLAY="${{ steps.meta.outputs.display_version }}"
-          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
@@ -14,418 +14,44 @@
 INGROUP: MokoWaaS.Documentation
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 PATH: ./CHANGELOG.md
- VERSION: 02.01.08
+ VERSION: 02.28.00
 BRIEF: Version history using `Keep a Changelog`
 -->

 # Changelog
+## [02.28.00] - 2026-05-31
+### Added
+- `plg_task_mokowaassync` — Joomla Scheduled Task plugin for automatic content sync to remote sites
+- Community Builder tables added to demo reset safe table list
+- API endpoint `POST /api/index.php/v1/mokowaas/install` — install extensions from a remote ZIP URL
+
+- Demo Mode with configurable warning banner on frontend when enabled
+
+### Fixed
+- Demo banner countdown now shows weeks/days/months for longer intervals instead of raw hours
+- `DemoResetService` — baseline snapshot and restore for DB tables + media files
+- API endpoints `POST /?mokowaas=reset` and `POST /?mokowaas=snapshot` (query-string)
+- REST endpoints `POST /api/v1/mokowaas/reset` and `GET/POST /api/v1/mokowaas/snapshot`
+- `plg_task_mokowaasdemo` — Joomla Scheduled Task plugin for automatic demo site reset
+- Admin toggles: Take Snapshot Now and Restore Baseline Now in plugin config
+- Content Sync: one-way push of articles, categories, menus, and modules to remote MokoWaaS sites
+- Content Sync: API endpoints `POST /?mokowaas=sync` (sender) and `POST /?mokowaas=sync-receive` (receiver)
+- Content Sync: REST endpoints `POST /api/v1/mokowaas/sync` and `POST /api/v1/mokowaas/sync-receive`
+- Content Sync: configurable sync targets with URL + API token in plugin settings
+- Package installer: protect all MokoWaaS extensions (not just system plugin) and ensure update server stays enabled
+- Package installer: clean up legacy `mokowaasbrand` extension entries and files on install/update
+- API endpoint `GET /?mokowaas=extensions` and `GET /api/v1/mokowaas/extensions` — list installed extensions with version, status, and update server info
+
+## [02.20.00] --- 2026-05-28
+
+## [02.20.00] --- 2026-05-28
+
+## [02.19.00] --- 2026-05-28
+
+## [02.18.00] --- 2026-05-28
+

 All notable changes to the MokoWaaS plugin will be documented in this file.

 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
-
-## [Unreleased]
-
-### Changed
- Migrated all workflow and template paths from `.github/` to `.mokogitea/`
- Template source paths updated: `templates/gitea/` to `templates/mokogitea/`
- HCL definition files removed -- Template repos are now the canonical source
-
-### Added
- `branch-cleanup.yml`: auto-delete merged feature branches after PR merge
- `plg_webservices_perfectpublisher`: REST API for Perfect Publisher (com_autotweet) — channels, posts, requests, rules, feeds, and stats
-
-### Planned
- License/subscription check
- System email template branding (DB approach)
-
-### Added
- Trusted IPs: configurable repeatable rows of IP addresses, CIDR ranges, and wildcards that bypass admin session timeout
- Supports exact IPs (192.168.1.100), CIDR (10.0.0.0/24), and wildcards (192.168.1.*)
- Each entry has a label and enabled toggle for easy management
- Current IP display above trusted IPs table so admins can easily add their own IP
-
-### Fixed
- Trusted IP session bypass: moved from `onAfterInitialise` to `boot()` so Joomla's session lifetime is extended before the session handler validates it (was too late, Joomla expired the session first)
- updates.xml: removed stale pre-release entries pointing to non-existent dev artifacts, legacy plugin update entry that caused stable sites to attempt dev downloads
- Removed duplicate `<updateservers>` from inner plugin manifest — only the package-level manifest should register the update server
- Auto-cleanup of stale plugin-level update site entries on install/update (cleans `#__update_sites` and `#__update_sites_extensions`)
-
-## [02.06.00] - 2026-05-25
-
-### Added
- Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down
- Block non-master users from viewing or editing MokoWaaS plugin settings
- Master user bypasses ALL tenant restrictions (install from URL, global config, sysinfo, installer, templates)
- Admin Help menu redirected to configured support URL (replaces help.joomla.org)
-
-### Fixed
- Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly)
- Clean up extracted temp directory on success or failure
- Update site disabled by Joomla when protected=1 — ensureProtectedFlag() now re-enables it
- CI: auto-release fetches updates.xml from main before building (preserves all channels)
- CI: version_check.php --fix runs after version bump in both workflows
- CI: checksums attached as `[filename].sha256` files instead of in release body
- CI: auto-release cleaned up — removed duplicate asset loops, inline Python updater, dead code
- CI: Step 8b uses `release_body_update.php` CLI instead of inline Python
- CI: Step 6 tag creation no longer gated by `is_minor` (was never set)
-
-### Changed
- CI: auto-release uses stream tag `stable` instead of version tag `vXX`
- CI: pre-release package build uses absolute paths (fixes relative path zip error)
-
-## [02.05.00] - 2026-05-24
-
-### Added
- Joomla `protected=1` flag on all MokoWaaS extensions (framework-level disable/uninstall prevention)
- Self-healing protected flag — restored each admin session if cleared
- Block non-master disable via plugin list toggle (`plugins.publish`)
- Package script sets `protected=1, locked=0` on every install/update
- Legacy plugin entry in updates.xml for sites upgrading from standalone plugin
-
-### Fixed
- CI: auto-release workflow `pkg_pkg_` duplication in release names, ZIP filenames, and SHA256 paths
- CI: auto-release now strips existing type prefix and uses `<packagename>` for packages
- CI: `updates_xml_build` was cascading entries for all lower channels on stable release — now writes only current channel
- CI: `targetplatform` regex `((5.[0-9])|(6.[0-9]))` caused Gitea 500 on XML render — simplified to `(5|6)\..*`
- updates.xml stable entry now has correct `<tag>stable</tag>` and download URL
- README slimmed to overview, detailed content moved to wiki
-
-## [02.03.10] - 2026-05-24
-
-### Added
- Canonical URL injection for alias domains (prevents SEO duplication)
- Primary Domain config field in Site Aliases tab
- Heartbeat registration for alias domains (each alias gets Grafana datasource)
- Plugin protection: hidden from non-master users, disable/uninstall blocked
- Dynamic plugin version read from manifest XML (no more hardcoded strings)
- Package structure: `pkg_mokowaas` with system plugin, webservices plugin, and component
-
-### Changed
- Alias offline mode uses Joomla's native template offline.php (not custom HTML)
- Alias detection simplified: direct lookup in aliases list (no primary host comparison)
- handleSiteAlias() moved to onAfterRoute (client type resolved at that point)
- Package script.php enables plugins on every install/update and sends heartbeat
-
-### Fixed
- Alias domain matching: strip trailing slashes, handle Joomla subform stdClass format
- Backend redirect: use primary_domain setting instead of Uri::root() (returned alias domain on mirrors)
- CI: version_bump reads manifest XML with priority over README.md VERSION header
- CI: version bump occurs after release build, not before
- CI: pipefail disabled during element detection (SIGPIPE on find|head)
- CI: pkg_pkg_ prefix duplication in zip names and updates.xml URLs
- CI: updates_xml_build preserves existing channel entries (stable not wiped by dev releases)
-
-### Removed
- deploy-manual.yml workflow — using Joomla update server for distribution
- Accidentally committed profile.ps1 and TODO.md
-
-## [02.01.43] - 2026-05-23
-
-### Added
- Site Aliases tab with Joomla subform repeatable-table UI
- Per-alias offline toggle with custom maintenance message (503 response)
- Per-alias robots meta directive (index/noindex/follow/nofollow/none)
- Per-alias backend redirect (admin panel redirects to primary domain)
- 6 MokoWaaS API endpoints: health, install, update, cache, backup, info
- Remote plugin install via `/?mokowaas=install` endpoint
- Remote update trigger via `/?mokowaas=update` endpoint
- Remote cache clear via `/?mokowaas=cache` endpoint (site + admin + opcache)
- Remote Akeeba Backup trigger via `/?mokowaas=backup` endpoint
- Compact site info via `/?mokowaas=info` endpoint
-
-### Changed
- Site aliases moved from comma-separated text field to structured subform
- Each alias now stores domain, offline, offline_message, robots, redirect_backend
- Heartbeat provisioning updated for subform alias format
- Grafana datasource names use domain-only (removed "MokoWaaS - " prefix)
-
-### Fixed
- Heartbeat receiver accepts any 200 status (registered/updated/ok)
- script.php uses heartbeat receiver instead of Grafana API (fixes 403 RBAC)
-
-## [02.01.37] - 2026-05-23
-
-### Added
- Health check endpoint at `/?mokowaas=health` with 16 diagnostic checks (#54)
- Core checks: database latency, filesystem writability/size, cache, extensions
- Backup checks: Akeeba Backup last backup date/status/size, days since, frequency
- Security checks: Admin Tools WAF status, blocked requests 24h/7d
- SSL certificate: expiry date, days left, issuer (degraded <30d, error <7d)
- Scheduled tasks: Joomla task scheduler status, failed tasks 24h
- Error log: PHP error log size, recent errors, last error message
- Database size: total MB, table count, top 5 largest tables
- Content stats: articles, categories, menu items, modules
- User activity: total users, active sessions, failed logins 24h, last login
- Mail system: mailer type, from address, SMTP host, queue count
- SEO health: robots.txt, sitemap, htaccess, SEF status
- Template info: site/admin template names, override count
- Configuration drift: debug mode, error reporting, force SSL, caching
- Human-readable `reason` field explaining degraded/error status
- Site size reporting (images, media, tmp, cache, logs directories)
- Heartbeat provisioning via receiver at bench.mokoconsulting.tech
- Grafana datasource auto-provisioning via YAML (no API token needed)
- ntfy notifications on heartbeat registration (mokowaas-heartbeat topic)
- Grafana dashboard with 9 rows covering all 16 health checks
- Auto-generated health API token (separate from Joomla user tokens)
-
-### Changed
- Health endpoint always enabled — no config toggle needed
- Grafana provisioning uses heartbeat receiver pattern (replaces direct API)
- Removed config fields: enable_health_endpoint, grafana_url, grafana_api_key
- Migrated .gitea/ to .mokogitea/ directory standard
- Updated all references from MokoStandards to moko-platform
- Renamed Gitea references to MokoGitea in docs
-
-### Fixed
- SSL verification disabled for Grafana cURL calls (shared hosting)
- cURL follow redirects enabled
- updates.xml download URL uses correct `development` tag
-
-### Security
- Plugin hidden from plugin list for non-master users
- Plugin settings restricted to master user only
- Self-healing lock (enforceLocked) runs every page load
- Uninstall blocked in preflight
- Health endpoint requires HTTPS + bearer token
- Heartbeat shared secret for receiver authentication
-
-## [02.01.08] - 2026-04-07
-
-### Added
- Template-based language overrides with `{{BRAND_NAME}}`, `{{COMPANY_NAME}}`, `{{SUPPORT_URL}}` placeholders
- Configurable brand name, company name, and support URL via plugin params
- Sentinel-block merge pattern that preserves existing site overrides
- Install respects user-defined overrides (non-overwrite)
- ~50 override keys across admin and frontend
- Powered by links with anchor tag to support URL
- Login support URL enforcement (mokoconsulting.tech/support, /kb, /news)
- Atum template branding via params (logoBrandLarge, logoBrandSmall, loginLogo)
- Shipped media assets: logo.png, favicon.ico, favicon.svg, favicon_256.png
- Favicon injection (SVG + ICO + Apple touch icon)
- Admin color scheme via Atum template style params (hue, link-color, special-color)
- Custom CSS textarea injection
- Master user enforcement (persistent super admin — "Webmaster")
- Emergency access (DB password + file verification two-factor)
- IP whitelist via configuration.php (empty blocks access)
- IP whitelist display in plugin config (shows current IPs + your IP)
- All emergency access attempts logged to Joomla Action Logs
- Email notification on successful emergency login
- Tenant restrictions: Extension Installer, System Info, Global Configuration, Template code editor
- Dynamic admin menu hiding via onPreprocessMenuItems
- Disable install-from-URL for all users
- Force HTTPS redirect (supports reverse proxy)
- Admin session idle timeout (default 60 min, master user exempt)
- Password policy (min length, uppercase, number, special character)
- Upload type and size restrictions (default 100MB)
- Maintenance actions: reset all hits, delete all versions
- Auto-enable plugin on first install
- Action log extension registration in #__action_logs_extensions and #__action_log_config
- Custom AllowedIpsField form field for IP whitelist display
- Joomla 5.x and 6.x compatibility
-
-### Fixed
- Column heading overrides removed (broke module/plugin list views)
- RegularLabs Position column workaround
- Nested `<a>` tags in login support overrides
- Emergency access moved from onUserAuthenticate to onAfterInitialise (Joomla uses isolated auth dispatcher)
- Session created directly for emergency login (bypasses auth dispatcher)
- Auto-complete emergency login after verify file deletion (no re-entering credentials)
-
-### Changed
- Version bumped to 02.01.08 across all files
- Configuration guide fully rewritten with all fieldsets documented
- Testing guide with 17 test suites
- README updated with Usage section, new features, Joomla 5/6 badges
-
-## [01.04.00] - 2026-02-22
-
-### Added
- Complete Joomla 5.x system plugin implementation with modern architecture
- Main plugin class (`src/mokowaas.php`) with event handlers:
-  - `onAfterInitialise` event hook for framework initialization
-  - `onAfterRoute` event hook for routing integration
- Plugin manifest (`src/mokowaas.xml`) with Joomla 5.x namespace support
-  - Namespace: `Moko\Plugin\System\MokoWaaS`
-  - Configuration parameter for enabling/disabling branding
- Dependency injection service provider (`src/services/provider.php`)
-  - DI container registration for Joomla 5.x compatibility
- Plugin language files in `src/language/en-GB/`:
-  - `plg_system_mokowaas.ini` - Plugin UI strings
-  - `plg_system_mokowaas.sys.ini` - System/installation strings
- Enhanced language overrides (57+ strings):
-  - Installation sample data branding
-  - Site name labels
-  - Admin-specific UI elements
-  - Version and About sections
- Security `index.html` files throughout directory structure
- Comprehensive README.md with:
-  - Badges for version, license, Joomla, and PHP compatibility
-  - Table of contents with 12+ major sections
-  - Detailed installation instructions (2 methods)
-  - Technical implementation documentation
-  - Repository structure overview
-  - Development and build instructions
-
-### Changed
- Updated all documentation to version 01.04.00
- Enhanced language overrides with more comprehensive coverage
- Improved plugin configuration options
-
-### Fixed
- Typo in language override: "ERROR OCCURED" → "ERROR OCCURRED"
- Repository references updated from placeholders to actual GitHub URLs
-
-### Technical
- Integrates with Joomla's native language override system
- No programmatic string loading (performance optimization)
- Event-driven architecture for minimal overhead
- PSR-4 autoloading through service provider
-
-## [01.03.00] - 2025-12-11
-
-### Changed
- General cleanup and code organization
- Documentation structure improvements
-
-## [01.02.01] - 2025-12-11
-
-### Changed
- Version bump for release alignment
-
-## [01.02.00] - 2025-12-11
-
-### Added
- Documentation directory (`/docs/`) with comprehensive guides:
-  - Installation guide
-  - Configuration guide
-  - Build guide
-  - Operations guide
-  - Troubleshooting guide
-  - Upgrade and versioning guide
-  - Rollback and recovery guide
- GitHub workflow for automated builds (`.github/workflows/build.yml`)
- Image and favicon replacement feature for complete branding
-
-### Changed
- Improved documentation structure and organization
-
-## [01.01.05] - 2025-12-11
-
-### Changed
- Version bump for release coordination
-
-## [01.01.04] - 2025-12-11
-
-### Fixed
- Plugin manifest corrections and validation fixes
-
-## [01.01.03] - 2025-12-11
-
-### Fixed
- Administrator language file location corrected
- Language override path alignment with Joomla standards
-
-## [01.01.02] - 2025-12-11
-
-### Changed
- Moved plugin code to `/src/` directory for better organization
- Aligned repository structure with release deployment pipeline
- Improved packaging workflow
-
-### Added
- Release deployment pipeline integration
- Automated build and validation scripts
-
-## [1.0.0] - 2025-12-11
-
-### Added
- Initial release of MokoWaaS plugin
- Basic language override system for Joomla rebranding
- Frontend language overrides (en-GB, en-US)
- Administrator language overrides (en-GB, en-US)
- Core branding replacements:
-  - Footer "Powered by" text
-  - Control panel welcome messages
-  - Help and documentation links
-  - Generic Joomla→MokoWaaS replacements
- Basic plugin structure and manifest
- License (GPL-3.0-or-later)
- Contributing guidelines
- Code of conduct
-
-### Technical Details
- Joomla 5.x compatible
- PHP 8.1+ requirement
- Language override mechanism using Joomla's native system
-
---
-
-## Version History Summary
-
-| Version    | Date       | Type      | Summary                                    |
-|------------|------------|-----------|-------------------------------------------|
-| 01.04.00   | 2026-02-22 | Major     | Complete plugin implementation & enhanced docs |
-| 01.03.00   | 2025-12-11 | Minor     | Cleanup and organization                  |
-| 01.02.01   | 2025-12-11 | Patch     | Version alignment                         |
-| 01.02.00   | 2025-12-11 | Minor     | Documentation and build system            |
-| 01.01.05   | 2025-12-11 | Patch     | Version coordination                      |
-| 01.01.04   | 2025-12-11 | Patch     | Manifest fixes                            |
-| 01.01.03   | 2025-12-11 | Patch     | Language location fix                     |
-| 01.01.02   | 2025-12-11 | Patch     | Repository restructuring                  |
-| 1.0.0      | 2025-12-11 | Major     | Initial release                           |
-
---
-
-## Upgrade Notes
-
-### Upgrading to 01.04.00
-
-**Breaking Changes:** None
-
-**New Features:**
- Complete Joomla 5.x plugin implementation
- Dependency injection support
- Enhanced language overrides (14+ new strings)
-
-**Installation:**
-1. Backup your current installation
-2. Download the latest release package
-3. Install via Joomla Extension Manager
-4. Clear Joomla cache
-5. Verify branding appears correctly
-
-### Upgrading to 01.02.00
-
-**New Features:**
- Comprehensive documentation in `/docs/`
- Automated build workflows
-
-**Notes:**
- Review new documentation for operational guidance
- Check GitHub workflows for automated builds
-
---
-
-## Contributing
-
-Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduct and the process for submitting pull requests.
-
-When adding entries to this changelog:
-1. Add new changes under `[Unreleased]` section
-2. Use categories: Added, Changed, Deprecated, Removed, Fixed, Security
-3. Include clear, concise descriptions
-4. Reference issue numbers where applicable
-5. Move items from Unreleased to versioned section upon release
-
-## Links
-
- [MokoStandards](https://github.com/mokoconsulting-tech/MokoStandards) - Coding and documentation standards
- [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) - Changelog format specification
- [Semantic Versioning](https://semver.org/spec/v2.0.0.html) - Version numbering specification
- [Repository](https://github.com/mokoconsulting-tech/mokowaas) - Project repository
-
---
-
-**Note:** For detailed technical documentation, see the `/docs/` directory and [README.md](README.md).
@@ -14,7 +14,7 @@
 	DEFGROUP: Joomla.Plugin
 	INGROUP: MokoWaaS.Documentation
 	REPO: https://github.com/mokoconsulting-tech/mokowaas
-	VERSION: 02.01.08
+	VERSION: 02.27.00
 	PATH: ./CODE_OF_CONDUCT.md
 	BRIEF: Reference + packaging repo for Moko Consulting Developer GPT Other Default
 -->
@@ -1,93 +1,161 @@
-<!--
- Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
- This file is part of a Moko Consulting project.
- SPDX-LICENSE-IDENTIFIER: GPL-3.0-or-later
- This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version.
- This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the IMPLIED WARRANTY of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- You should have received a copy of the GNU General Public License (./LICENSE.md).
-
- # FILE INFORMATION
- DEFGROUP: Joomla.Plugin
- INGROUP: MokoWaaS.Contributing
- REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
- PATH: /CONTRIBUTING.md
- BRIEF: Contribution guidelines for the MokoWaaS plugin
-->
-
-# Contributing to MokoWaaS (VERSION: 02.01.08)
-
-## Overview
-Contributions to the MokoWaaS plugin follow standardized development, governance, and quality control expectations defined by Moko Consulting. This document outlines contribution requirements, acceptable change types, branch management, testing expectations, and release readiness standards.
-
-## 1. Contribution Workflow
-All contributions must follow the established workflow:
-1. Fork the repository or create a feature branch (if internal).
-2. Ensure your environment matches the supported Joomla and PHP versions.
-3. Implement changes following coding, documentation, and metadata standards.
-4. Validate plugin functionality locally.
-5. Submit a Pull Request (PR) for review.
-
-## 2. Branching Model
- `main`: Production stable branch.
- `develop`: Aggregates work for the next minor release.
- `feature/*`: New enhancements or changes.
- `bugfix/*`: Hotfixes and corrections.
-
-Internal teams must coordinate with governance before creating major feature branches.
-
-## 3. Coding and Documentation Standards
-All code must:
- Follow [MokoStandards](https://github.com/mokoconsulting-tech/MokoStandards) coding standards
- Include the unified SPDX license header
- Include a FILE INFORMATION metadata block
- Avoid deprecated Joomla APIs
- Preserve load order compatibility with other system plugins
-
-Documentation must:
- Include metadata
- Maintain revision history
- Use consistent formatting as defined by Moko documentation standards
-
-## 4. Testing Requirements
-Before submitting a PR, contributors must verify:
- Plugin installs successfully in Joomla 5.x
- No load errors appear in logs
- Branding replacements appear as expected
- Terminology strings are correct
- No regressions in administrator UI
-
-Automated testing coverage will expand as part of future roadmap enhancements.
-
-## 5. Pull Request Requirements
-A PR must include:
- Description of change
- Screenshots for UI related updates
- Version updates when appropriate
- Notes for documentation changes
- Reference to related issues or tasks
-
-PRs lacking required information may be flagged or delayed.
-
-## 6. Release Versioning
-Changes must follow semantic versioning:
- MAJOR: Structural branding or architectural changes
- MINOR: Feature updates or terminology expansion
- PATCH: Bug fixes or language corrections
-
-Version updates must be reflected in:
- Manifest files
- PHP headers
- Documentation metadata
-
-## 7. Code Review Standards
-Reviewers validate:
- Code quality and clarity
- Compliance with [MokoStandards](https://github.com/mokoconsulting-tech/MokoStandards) coding standards
- Impact to templates and WaaS branding rules
- Backwards compatibility expectations
-
-## Revision History
-| Date | Author | Description |
-| ------ | -------- | ----------- |
-| 2025-12-11 | Jonathan Miller (@jmiller-moko) | Initial creation of contribution guidelines |
+# Contributing to Moko Consulting Projects
+
+Thank you for your interest in contributing. All Moko Consulting repositories follow this universal workflow and version policy.
+
+## Branching Workflow
+
+```
+feature/* ──PR──> dev ──draft PR──> (renamed to rc) ──merge──> main
+```
+
+### Step by step
+
+1. **Create a feature branch** from `dev`:
+   ```bash
+   git checkout dev && git pull
+   git checkout -b feature/my-change
+   ```
+
+2. **Work and commit** on your feature branch. Push to origin.
+
+3. **Open a PR**: `feature/my-change` → `dev`. After review and checks, merge it.
+
+4. **When ready for release**, open a **draft PR**: `dev` → `main`.
+   - This automatically renames the source branch to `rc` (release candidate)
+   - An RC pre-release is built and uploaded
+
+5. **Alpha and beta branches** are created by manually renaming the branch before the RC stage:
+   - Rename `dev` to `alpha` for early testing → alpha pre-release is built
+   - Rename `alpha` to `beta` for feature-complete testing → beta pre-release is built
+   - When the draft PR is created, the branch is renamed to `rc`
+
+6. **Once PR checks pass** on the `rc` branch, mark the PR as ready and merge to `main`.
+
+7. **Merging to main** triggers the stable release pipeline:
+   - Minor version bump (e.g., `02.09.xx` → `02.10.00`)
+   - Stability suffix stripped (clean version)
+   - Gitea release created with ZIP/tar.gz packages
+   - `updates.xml` updated (Joomla extensions)
+   - `dev` branch recreated from `main`
+
+### Branch summary
+
+| Branch | Purpose | Created by |
+|--------|---------|-----------|
+| `feature/*` | New features and fixes | Developer |
+| `dev` | Integration branch | Auto-recreated after release |
+| `alpha` | Alpha pre-release testing | Manual rename from `dev` |
+| `beta` | Beta pre-release testing | Manual rename from `alpha` |
+| `rc` | Release candidate | Auto-renamed on draft PR to main |
+| `main` | Stable releases | Protected, merge only |
+| `version/XX.YY.ZZ` | Archived release snapshots | Auto-created by CI |
+
+### Protected branches
+
+| Branch | Direct push | Merge via |
+|--------|------------|-----------|
+| `main` | Blocked (CI bot whitelisted) | PR merge only |
+| `dev` | Blocked (CI bot whitelisted) | PR merge from feature/* |
+| `rc` | Blocked (CI bot whitelisted) | Auto-created on draft PR |
+| `alpha` | Blocked (CI bot whitelisted) | Manual rename |
+| `beta` | Blocked (CI bot whitelisted) | Manual rename |
+| `feature/*` | Open | N/A (source branch) |
+
+## Version Policy
+
+### Format
+
+All versions use `XX.YY.ZZ` — three two-digit segments, zero-padded:
+
+- **XX** — Major version (breaking changes)
+- **YY** — Minor version (new features, bumped on release to main)
+- **ZZ** — Patch version (auto-incremented on every push to dev/feature branches)
+
+Rollover: patch `99` → `00` increments minor; minor `99` → `00` increments major.
+
+### Stability suffixes
+
+Each branch appends a suffix to indicate stability:
+
+| Branch | Suffix | Example |
+|--------|--------|---------|
+| `main` | (none) | `02.09.00` |
+| `dev` | `-dev` | `02.09.01-dev` |
+| `feature/*` | `-dev` | `02.09.01-dev` |
+| `alpha` | `-alpha` | `02.09.01-alpha` |
+| `beta` | `-beta` | `02.09.01-beta` |
+| `rc` | `-rc` | `02.09.01-rc` |
+
+### Auto version bump
+
+On every push to `dev`, `feature/*`, or `patch/*`:
+
+1. Patch version incremented
+2. Stability suffix `-dev` applied
+3. All version-bearing files updated (manifests, CHANGELOG, PHP headers, etc.)
+4. Commit created with `[skip ci]` to avoid loops
+
+### Release version flow
+
+Version bumps happen at specific release events:
+
+| Event | Bump | Example |
+|-------|------|---------|
+| Feature merged to dev | Patch bump after dev release | `02.09.01-dev` → release → `02.09.02-dev` |
+| Dev promoted to RC | Minor bump | `02.09.02-dev` → `02.10.00-rc` |
+| RC merged to main | Minor bump | `02.10.00-rc` → `02.11.00` (stable) |
+| Dev recreated from main | Patch bump | `02.11.00` → `02.11.01-dev` |
+
+### Release stream copies
+
+When a higher-stability release is published, copies are created for all lesser streams with the same base version:
+
+- **RC `02.10.00-rc`** also creates: `02.10.00-dev`, `02.10.00-alpha`, `02.10.00-beta`
+- **Stable `02.11.00`** also creates: `02.11.00-dev`, `02.11.00-alpha`, `02.11.00-beta`, `02.11.00-rc`
+
+This ensures Joomla sites on ANY stability channel see the update (Joomla only shows versions higher than what's installed).
+
+### Version files
+
+The version tools update all files containing version stamps:
+
+- `.mokogitea/manifest.xml` (canonical source)
+- Joomla XML manifests (`<version>` tag)
+- `README.md`, `CHANGELOG.md` (`VERSION:` pattern)
+- `package.json`, `pyproject.toml`
+- Any text file with a `VERSION: XX.YY.ZZ` label
+
+Files synced from other repos (with a `# REPO:` header) are not touched.
+
+## Code Standards
+
+- **PHP**: PSR-12, tabs for indentation
+- **Copyright**: all files must include the Moko Consulting copyright header
+- **License**: SPDX identifier `GPL-3.0-or-later` (or as specified per repo)
+- **Attribution**: use `Authored-by: Moko Consulting` in commits, not individual names
+
+## Commit Messages
+
+Use conventional commit format:
+
+```
+type(scope): short description
+
+Optional body with context.
+
+Authored-by: Moko Consulting
+```
+
+Types: `feat`, `fix`, `chore`, `docs`, `style`, `refactor`, `test`, `ci`
+
+Special flags in commit messages:
+- `[skip ci]` — skip all CI workflows
+- `[skip bump]` — skip auto version bump only
+
+## Reporting Issues
+
+Use the repository's issue tracker with the appropriate template.
+
+---
+
+*Moko Consulting <hello@mokoconsulting.tech>*
@@ -19,7 +19,7 @@
 DEFGROUP: mokoconsulting-tech.MokoWaaSBrand
 INGROUP: MokoStandards.Governance
 REPO: https://github.com/mokoconsulting-tech/MokoWaaSBrand
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /GOVERNANCE.md
 BRIEF: Project governance rules, roles, and decision process for MokoWaaSBrand
 -->
@@ -15,7 +15,7 @@
 	INGROUP: MokoWaaS.Documentation
  REPO: https://github.com/mokoconsulting-tech/mokowaas
 	PATH: ./LICENSE.md
-	VERSION: 02.01.08
+	VERSION: 02.27.00
 	BRIEF: Project license (GPL-3.0-or-later)
 -->
 										GNU GENERAL PUBLIC LICENSE
@@ -9,7 +9,7 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS
 REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.16.00-dev
+ VERSION: 02.27.00
 PATH: /README.md
 BRIEF: MokoWaaS platform plugin for Joomla
 -->
@@ -23,7 +23,7 @@ DEFGROUP: [PROJECT_NAME]
 INGROUP: [PROJECT_NAME].Documentation
 REPO: [REPOSITORY_URL]
 PATH: /SECURITY.md
-VERSION: 02.01.08
+VERSION: 02.27.00
 BRIEF: Security vulnerability reporting and handling policy
 -->

@@ -11,13 +11,13 @@
 INGROUP: MokoWaaS.Build
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 FILE: build-guide.md
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/
 BRIEF: Build and packaging guide for the MokoWaaS system plugin
 NOTE: Defines environment setup, repository layout, packaging rules, and release preparation
 -->

-# MokoWaaS Build Guide (VERSION: 02.01.08)
+# MokoWaaS Build Guide (VERSION: 02.27.00)

 ## 1. Purpose

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/configuration-guide.md
 BRIEF: Configuration guide for the MokoWaaS system plugin
 NOTE: Defines plugin parameters, expected behaviors, and recommended defaults
 -->

-# MokoWaaS Configuration Guide (VERSION: 02.01.08)
+# MokoWaaS Configuration Guide (VERSION: 02.27.00)

 ## 1. Objective

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/installation-guide.md
 BRIEF: Installation guide for the MokoWaaS system plugin
 NOTE: First document in the guide set
 -->

-# MokoWaaS Installation Guide (VERSION: 02.01.08)
+# MokoWaaS Installation Guide (VERSION: 02.27.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/operations-guide.md
 BRIEF: Operational guide for administering and managing the MokoWaaS system plugin
 NOTE: Defines lifecycle, responsibilities, and operational behaviors
 -->

-# MokoWaaS Operations Guide (VERSION: 02.01.08)
+# MokoWaaS Operations Guide (VERSION: 02.27.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/rollback-and-recovery-guide.md
 BRIEF: Rollback and recovery guide for restoring stable operation after plugin related incidents
 NOTE: Completes the core guide set for WaaS plugin governance
 -->

-# MokoWaaS Rollback and Recovery Guide (VERSION: 02.01.08)
+# MokoWaaS Rollback and Recovery Guide (VERSION: 02.27.00)

 ## Introduction

@@ -7,13 +7,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/testing-guide.md
 BRIEF: Testing guide for MokoWaaS v02.01.08
 NOTE: Covers manual test procedures for language overrides, install/uninstall, and configuration
 -->

-# MokoWaaS Testing Guide (VERSION: 02.01.08)
+# MokoWaaS Testing Guide (VERSION: 02.27.00)

 ## 1. Prerequisites

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/troubleshooting-guide.md
 BRIEF: Troubleshooting guide for diagnosing and resolving issues related to the MokoWaaS plugin
 NOTE: Designed for administrators and WaaS operations teams
 -->

-# MokoWaaS Troubleshooting Guide (VERSION: 02.01.08)
+# MokoWaaS Troubleshooting Guide (VERSION: 02.27.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/guides/upgrade-and-versioning-guide.md
 BRIEF: Guide for updating, versioning, and maintaining the MokoWaaS plugin
 NOTE: Defines release flow, version rules, and upgrade validation
 -->

-# MokoWaaS Upgrade and Versioning Guide (VERSION: 02.01.08)
+# MokoWaaS Upgrade and Versioning Guide (VERSION: 02.27.00)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Documentation
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.01.08
+ VERSION: 02.27.00
 PATH: /docs/index.md
 BRIEF: Master index of all documentation for the MokoWaaS plugin
 NOTE: Automatically maintained index for all guide canvases
 -->

-# MokoWaaS Documentation Index (VERSION: 02.01.08)
+# MokoWaaS Documentation Index (VERSION: 02.27.00)

 ## Introduction

@@ -11,12 +11,12 @@
 INGROUP: MokoWaaS
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 PATH: /docs/plugin-basic.md
- VERSION: 02.01.08
+ VERSION: 02.27.00
 BRIEF: Baseline documentation for the MokoWaaS system plugin
 NOTE: Foundational reference for internal and external stakeholders
 -->

-# MokoWaaS Plugin Overview (VERSION: 02.01.08)
+# MokoWaaS Plugin Overview (VERSION: 02.27.00)

 ## Introduction

@@ -10,7 +10,7 @@ DEFGROUP: MokoWaaS.Documentation
 INGROUP: MokoStandards.Templates
 REPO: https://github.com/mokoconsulting-tech/MokoWaaS
 PATH: /docs/update-server.md
-VERSION: 02.01.08
+VERSION: 02.27.00
 BRIEF: How this extension's Joomla update server file (update.xml) is managed
 -->

@@ -0,0 +1,187 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Api\Controller;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\MVC\Controller\BaseController;
+
+/**
+ * Extensions list API controller.
+ *
+ * GET /api/index.php/v1/mokowaas/extensions
+ *
+ * Returns all installed extensions with type, element, folder, version,
+ * enabled/protected/locked status, and update server info.
+ *
+ * Optional filters via query params:
+ *   ?type=plugin          — filter by extension type
+ *   ?search=moko          — search name or element
+ *   ?enabled=1            — only enabled/disabled
+ *
+ * @since  02.21.00
+ */
+class ExtensionsController extends BaseController
+{
+	/**
+	 * List installed extensions.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	public function displayList(): void
+	{
+		$app  = Factory::getApplication();
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.manage', 'com_installer'))
+		{
+			$this->sendJson(403, ['error' => 'Not authorized — requires core.manage on com_installer']);
+			return;
+		}
+
+		try
+		{
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select([
+					$db->quoteName('e.extension_id'),
+					$db->quoteName('e.name'),
+					$db->quoteName('e.type'),
+					$db->quoteName('e.element'),
+					$db->quoteName('e.folder'),
+					$db->quoteName('e.client_id'),
+					$db->quoteName('e.enabled'),
+					$db->quoteName('e.protected'),
+					$db->quoteName('e.locked'),
+					$db->quoteName('e.manifest_cache'),
+				])
+				->from($db->quoteName('#__extensions', 'e'))
+				->order($db->quoteName('e.type') . ' ASC, ' . $db->quoteName('e.name') . ' ASC');
+
+			// Filter by type
+			$typeFilter = $app->input->get('type', '', 'CMD');
+
+			if ($typeFilter !== '')
+			{
+				$query->where($db->quoteName('e.type') . ' = ' . $db->quote($typeFilter));
+			}
+
+			// Filter by enabled
+			$enabledFilter = $app->input->get('enabled', '', 'CMD');
+
+			if ($enabledFilter !== '')
+			{
+				$query->where($db->quoteName('e.enabled') . ' = ' . (int) $enabledFilter);
+			}
+
+			// Search name or element
+			$search = $app->input->get('search', '', 'STRING');
+
+			if ($search !== '')
+			{
+				$searchQuoted = $db->quote('%' . $db->escape($search, true) . '%');
+				$query->where(
+					'(' . $db->quoteName('e.name') . ' LIKE ' . $searchQuoted
+					. ' OR ' . $db->quoteName('e.element') . ' LIKE ' . $searchQuoted . ')'
+				);
+			}
+
+			$db->setQuery($query);
+			$rows = $db->loadAssocList();
+
+			// Get update sites for cross-reference
+			$usQuery = $db->getQuery(true)
+				->select([
+					$db->quoteName('us.update_site_id'),
+					$db->quoteName('us.name', 'site_name'),
+					$db->quoteName('us.location'),
+					$db->quoteName('us.enabled', 'site_enabled'),
+					$db->quoteName('usm.extension_id'),
+				])
+				->from($db->quoteName('#__update_sites', 'us'))
+				->innerJoin(
+					$db->quoteName('#__update_sites_extensions', 'usm')
+					. ' ON ' . $db->quoteName('us.update_site_id')
+					. ' = ' . $db->quoteName('usm.update_site_id')
+				);
+			$db->setQuery($usQuery);
+			$updateSites = [];
+
+			foreach ($db->loadAssocList() ?: [] as $us)
+			{
+				$updateSites[(int) $us['extension_id']] = [
+					'name'     => $us['site_name'],
+					'location' => $us['location'],
+					'enabled'  => (bool) $us['site_enabled'],
+				];
+			}
+
+			// Build response
+			$extensions = [];
+
+			foreach ($rows as $row)
+			{
+				$manifest = json_decode($row['manifest_cache'] ?: '{}', true);
+				$extId    = (int) $row['extension_id'];
+
+				$ext = [
+					'extension_id' => $extId,
+					'name'         => $row['name'],
+					'type'         => $row['type'],
+					'element'      => $row['element'],
+					'folder'       => $row['folder'] ?: null,
+					'client_id'    => (int) $row['client_id'],
+					'enabled'      => (bool) $row['enabled'],
+					'protected'    => (bool) $row['protected'],
+					'locked'       => (bool) $row['locked'],
+					'version'      => $manifest['version'] ?? null,
+					'author'       => $manifest['author'] ?? null,
+					'description'  => $manifest['description'] ?? null,
+				];
+
+				if (isset($updateSites[$extId]))
+				{
+					$ext['update_server'] = $updateSites[$extId];
+				}
+
+				$extensions[] = $ext;
+			}
+
+			$this->sendJson(200, [
+				'status' => 'ok',
+				'count'  => count($extensions),
+				'extensions' => $extensions,
+			]);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendJson(500, [
+				'error'   => 'Failed to list extensions',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * @param   int    $code     HTTP status code
+	 * @param   array  $payload  Response data
+	 * @return  void
+	 */
+	private function sendJson(int $code, array $payload): void
+	{
+		$app = Factory::getApplication();
+		$app->setHeader('Content-Type', 'application/json', true);
+		$app->setHeader('Status', (string) $code, true);
+		echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+		$app->close();
+	}
+}
@@ -0,0 +1,283 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Api\Controller;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Installer\Installer;
+use Joomla\CMS\MVC\Controller\BaseController;
+
+/**
+ * Extension install-from-URL API controller.
+ *
+ * POST /api/index.php/v1/mokowaas/install
+ * Body: {"url": "https://example.com/path/to/extension.zip"}
+ *
+ * Downloads a ZIP from the given URL and installs it via Joomla's Installer.
+ * Requires a Joomla API token with core.manage on com_installer.
+ *
+ * @since  02.21.00
+ */
+class InstallController extends BaseController
+{
+	/**
+	 * Maximum allowed download size in bytes (64 MB).
+	 *
+	 * @var    int
+	 * @since  02.21.00
+	 */
+	private const MAX_DOWNLOAD_BYTES = 67108864;
+
+	/**
+	 * Install an extension from a remote ZIP URL.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	public function execute(): void
+	{
+		$app = Factory::getApplication();
+
+		if ($app->input->getMethod() !== 'POST')
+		{
+			$this->sendJson(405, ['error' => 'POST required']);
+			return;
+		}
+
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.manage', 'com_installer'))
+		{
+			$this->sendJson(403, ['error' => 'Not authorized — requires core.manage on com_installer']);
+			return;
+		}
+
+		// Parse JSON body
+		$body = json_decode($app->input->json->getRaw(), true);
+		$url  = $body['url'] ?? '';
+
+		if ($url === '')
+		{
+			$this->sendJson(400, ['error' => 'Missing "url" in request body']);
+			return;
+		}
+
+		// Validate URL scheme
+		if (!preg_match('#^https?://#i', $url))
+		{
+			$this->sendJson(400, ['error' => 'URL must use http or https scheme']);
+			return;
+		}
+
+		// Must point to a .zip file
+		$path = parse_url($url, PHP_URL_PATH);
+
+		if (!$path || !str_ends_with(strtolower($path), '.zip'))
+		{
+			$this->sendJson(400, ['error' => 'URL must point to a .zip file']);
+			return;
+		}
+
+		try
+		{
+			$result = $this->downloadAndInstall($url);
+			$this->sendJson(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendJson(500, [
+				'error'   => 'Installation failed',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * Download ZIP from URL, extract, and install via Joomla Installer.
+	 *
+	 * @param   string  $url  The remote ZIP URL
+	 *
+	 * @return  array  Result payload
+	 *
+	 * @throws  \RuntimeException on failure
+	 *
+	 * @since   02.21.00
+	 */
+	private function downloadAndInstall(string $url): array
+	{
+		$config  = Factory::getConfig();
+		$tmpPath = $config->get('tmp_path', JPATH_ROOT . '/tmp');
+		$zipFile = $tmpPath . '/mokowaas_install_' . bin2hex(random_bytes(8)) . '.zip';
+
+		// Download
+		$this->downloadFile($url, $zipFile);
+
+		try
+		{
+			// Extract
+			$extractDir = $tmpPath . '/mokowaas_extract_' . bin2hex(random_bytes(8));
+
+			if (!mkdir($extractDir, 0755, true))
+			{
+				throw new \RuntimeException('Failed to create extraction directory');
+			}
+
+			$archive = new \Joomla\Archive\Archive;
+			$archive->extract($zipFile, $extractDir);
+
+			// Install
+			$installer = Installer::getInstance();
+			$result    = $installer->install($extractDir);
+
+			if (!$result)
+			{
+				throw new \RuntimeException('Joomla Installer returned failure — check server logs for details');
+			}
+
+			// Read installed extension info from the installer
+			$manifest = $installer->getManifest();
+			$name     = $manifest ? (string) $manifest->name : 'Unknown';
+			$version  = $manifest ? (string) $manifest->version : 'Unknown';
+			$type     = $installer->get('extension.type', 'Unknown');
+
+			return [
+				'status'  => 'ok',
+				'message' => 'Extension installed successfully',
+				'extension' => [
+					'name'    => $name,
+					'version' => $version,
+					'type'    => $type,
+				],
+				'source_url' => $url,
+			];
+		}
+		finally
+		{
+			// Clean up temp files
+			@unlink($zipFile);
+
+			if (isset($extractDir) && is_dir($extractDir))
+			{
+				$this->removeDirectory($extractDir);
+			}
+		}
+	}
+
+	/**
+	 * Download a file from a URL with size limit enforcement.
+	 *
+	 * @param   string  $url       Remote URL
+	 * @param   string  $destPath  Local destination path
+	 *
+	 * @return  void
+	 *
+	 * @throws  \RuntimeException on failure
+	 *
+	 * @since   02.21.00
+	 */
+	private function downloadFile(string $url, string $destPath): void
+	{
+		$ch = curl_init($url);
+
+		if ($ch === false)
+		{
+			throw new \RuntimeException('Failed to initialise cURL');
+		}
+
+		$fp = fopen($destPath, 'wb');
+
+		if ($fp === false)
+		{
+			curl_close($ch);
+			throw new \RuntimeException('Failed to open temp file for writing');
+		}
+
+		curl_setopt_array($ch, [
+			CURLOPT_FILE           => $fp,
+			CURLOPT_FOLLOWLOCATION => true,
+			CURLOPT_MAXREDIRS      => 5,
+			CURLOPT_TIMEOUT        => 120,
+			CURLOPT_CONNECTTIMEOUT => 15,
+			CURLOPT_FAILONERROR    => true,
+			CURLOPT_USERAGENT      => 'MokoWaaS-Installer/1.0',
+		]);
+
+		$success = curl_exec($ch);
+		$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+		$error    = curl_error($ch);
+		$fileSize = curl_getinfo($ch, CURLINFO_SIZE_DOWNLOAD);
+
+		curl_close($ch);
+		fclose($fp);
+
+		if (!$success)
+		{
+			@unlink($destPath);
+			throw new \RuntimeException('Download failed (HTTP ' . $httpCode . '): ' . $error);
+		}
+
+		if ($fileSize > self::MAX_DOWNLOAD_BYTES)
+		{
+			@unlink($destPath);
+			throw new \RuntimeException('Download exceeds maximum size of ' . (self::MAX_DOWNLOAD_BYTES / 1048576) . ' MB');
+		}
+	}
+
+	/**
+	 * Recursively remove a directory and its contents.
+	 *
+	 * @param   string  $dir  Directory path
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	private function removeDirectory(string $dir): void
+	{
+		$items = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($dir, \RecursiveDirectoryIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		foreach ($items as $item)
+		{
+			if ($item->isDir())
+			{
+				@rmdir($item->getPathname());
+			}
+			else
+			{
+				@unlink($item->getPathname());
+			}
+		}
+
+		@rmdir($dir);
+	}
+
+	/**
+	 * Send a JSON response and close.
+	 *
+	 * @param   int    $code     HTTP status code
+	 * @param   array  $payload  Response data
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	private function sendJson(int $code, array $payload): void
+	{
+		$app = Factory::getApplication();
+		$app->setHeader('Content-Type', 'application/json', true);
+		$app->setHeader('Status', (string) $code, true);
+		echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+		$app->close();
+	}
+}
@@ -0,0 +1,120 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Api\Controller;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\MVC\Controller\BaseController;
+use Joomla\CMS\Plugin\PluginHelper;
+use Joomla\Registry\Registry;
+
+/**
+ * Demo site reset API controller.
+ *
+ * POST /api/index.php/v1/mokowaas/reset
+ * Body: {"baseline": "default"}
+ *
+ * Restores the site to a named baseline snapshot.
+ * Requires a Joomla API token with core.manage on com_plugins.
+ *
+ * @since  02.21.00
+ */
+class ResetController extends BaseController
+{
+	/**
+	 * Restore site to a baseline snapshot.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	public function execute(): void
+	{
+		$app = Factory::getApplication();
+
+		if ($app->input->getMethod() !== 'POST')
+		{
+			$this->sendJson(405, ['error' => 'POST required']);
+			return;
+		}
+
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.manage', 'com_plugins'))
+		{
+			$this->sendJson(403, ['error' => 'Not authorized']);
+			return;
+		}
+
+		$plugin = PluginHelper::getPlugin('system', 'mokowaas');
+
+		if (!$plugin)
+		{
+			$this->sendJson(503, ['error' => 'MokoWaaS system plugin not enabled']);
+			return;
+		}
+
+		$params = new Registry($plugin->params);
+
+		try
+		{
+			$service = $this->createService($params);
+			$result  = $service->restoreSnapshot('default');
+
+			$this->sendJson(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendJson(500, [
+				'error'   => 'Reset failed',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * Create DemoResetService from plugin params.
+	 *
+	 * @param   Registry  $params  Plugin parameters
+	 *
+	 * @return  \Moko\Plugin\System\MokoWaaS\Service\DemoResetService
+	 *
+	 * @since   02.21.00
+	 */
+	private function createService(Registry $params)
+	{
+		$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/DemoResetService.php';
+
+		if (!file_exists($serviceFile))
+		{
+			throw new \RuntimeException('DemoResetService not found — is the MokoWaaS plugin installed?');
+		}
+
+		require_once $serviceFile;
+
+		$media = (bool) $params->get('demo_snapshot_include_media', 1);
+
+		return new \Moko\Plugin\System\MokoWaaS\Service\DemoResetService($media);
+	}
+
+	/**
+	 * @param   int    $code     HTTP status code
+	 * @param   array  $payload  Response data
+	 * @return  void
+	 */
+	private function sendJson(int $code, array $payload): void
+	{
+		$app = Factory::getApplication();
+		$app->setHeader('Content-Type', 'application/json', true);
+		$app->setHeader('Status', (string) $code, true);
+		echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+		$app->close();
+	}
+}
@@ -0,0 +1,151 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Api\Controller;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\MVC\Controller\BaseController;
+use Joomla\CMS\Plugin\PluginHelper;
+use Joomla\Registry\Registry;
+
+/**
+ * Snapshot management API controller.
+ *
+ * GET  /api/index.php/v1/mokowaas/snapshot  — list snapshots
+ * POST /api/index.php/v1/mokowaas/snapshot  — create snapshot
+ *
+ * @since  02.21.00
+ */
+class SnapshotController extends BaseController
+{
+	/**
+	 * List all available snapshots.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	public function displayList(): void
+	{
+		$app  = Factory::getApplication();
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.manage', 'com_plugins'))
+		{
+			$this->sendJson(403, ['error' => 'Not authorized']);
+			return;
+		}
+
+		try
+		{
+			$service = $this->createService();
+
+			$this->sendJson(200, [
+				'status'    => 'ok',
+				'snapshots' => $service->listSnapshots(),
+			]);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendJson(500, [
+				'error'   => 'Failed to list snapshots',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * Create a new snapshot.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	public function execute(): void
+	{
+		$app = Factory::getApplication();
+
+		if ($app->input->getMethod() !== 'POST')
+		{
+			$this->sendJson(405, ['error' => 'POST required']);
+			return;
+		}
+
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.manage', 'com_plugins'))
+		{
+			$this->sendJson(403, ['error' => 'Not authorized']);
+			return;
+		}
+
+		try
+		{
+			$plugin = PluginHelper::getPlugin('system', 'mokowaas');
+			$params = $plugin ? new Registry($plugin->params) : new Registry;
+
+			$body = json_decode($app->input->json->getRaw(), true);
+			$name = $body['name']
+				?? $params->get('demo_active_baseline', 'default');
+
+			$service = $this->createService();
+			$result  = $service->createSnapshot($name);
+
+			$this->sendJson(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendJson(500, [
+				'error'   => 'Snapshot failed',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * Create DemoResetService from plugin params.
+	 *
+	 * @return  \Moko\Plugin\System\MokoWaaS\Service\DemoResetService
+	 *
+	 * @since   02.21.00
+	 */
+	private function createService()
+	{
+		$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/DemoResetService.php';
+
+		if (!file_exists($serviceFile))
+		{
+			throw new \RuntimeException('DemoResetService not found');
+		}
+
+		require_once $serviceFile;
+
+		$plugin = PluginHelper::getPlugin('system', 'mokowaas');
+		$params = $plugin ? new Registry($plugin->params) : new Registry;
+
+		$media = (bool) $params->get('demo_snapshot_include_media', 1);
+
+		return new \Moko\Plugin\System\MokoWaaS\Service\DemoResetService($media);
+	}
+
+	/**
+	 * @param   int    $code     HTTP status code
+	 * @param   array  $payload  Response data
+	 * @return  void
+	 */
+	private function sendJson(int $code, array $payload): void
+	{
+		$app = Factory::getApplication();
+		$app->setHeader('Content-Type', 'application/json', true);
+		$app->setHeader('Status', (string) $code, true);
+		echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+		$app->close();
+	}
+}
@@ -0,0 +1,82 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Api\Controller;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\MVC\Controller\BaseController;
+use Joomla\CMS\Plugin\PluginHelper;
+use Joomla\Registry\Registry;
+
+/**
+ * Content sync trigger API controller (sender side).
+ *
+ * POST /api/index.php/v1/mokowaas/sync
+ *
+ * Pushes content to all configured sync targets.
+ *
+ * @since  02.21.00
+ */
+class SyncController extends BaseController
+{
+	public function execute(): void
+	{
+		$app = Factory::getApplication();
+
+		if ($app->input->getMethod() !== 'POST')
+		{
+			$this->sendJson(405, ['error' => 'POST required']);
+			return;
+		}
+
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.manage', 'com_plugins'))
+		{
+			$this->sendJson(403, ['error' => 'Not authorized']);
+			return;
+		}
+
+		$plugin = PluginHelper::getPlugin('system', 'mokowaas');
+
+		if (!$plugin)
+		{
+			$this->sendJson(503, ['error' => 'MokoWaaS system plugin not enabled']);
+			return;
+		}
+
+		try
+		{
+			$params = new Registry($plugin->params);
+			$targets = json_decode($params->get('sync_targets', '[]'), true) ?: [];
+
+			$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/ContentSyncService.php';
+			require_once $serviceFile;
+
+			$service = new \Moko\Plugin\System\MokoWaaS\Service\ContentSyncService();
+			$result  = $service->syncAllTargets($targets);
+
+			$this->sendJson(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendJson(500, ['error' => 'Sync failed', 'message' => $e->getMessage()]);
+		}
+	}
+
+	private function sendJson(int $code, array $payload): void
+	{
+		$app = Factory::getApplication();
+		$app->setHeader('Content-Type', 'application/json', true);
+		$app->setHeader('Status', (string) $code, true);
+		echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+		$app->close();
+	}
+}
@@ -0,0 +1,77 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  com_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Component\MokoWaaS\Api\Controller;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\MVC\Controller\BaseController;
+
+/**
+ * Content sync receiver API controller (target side).
+ *
+ * POST /api/index.php/v1/mokowaas/sync-receive
+ *
+ * Accepts a JSON payload from a source site and applies the content locally.
+ *
+ * @since  02.21.00
+ */
+class SyncReceiveController extends BaseController
+{
+	public function execute(): void
+	{
+		$app = Factory::getApplication();
+
+		if ($app->input->getMethod() !== 'POST')
+		{
+			$this->sendJson(405, ['error' => 'POST required']);
+			return;
+		}
+
+		$user = $app->getIdentity();
+
+		if (!$user->authorise('core.manage', 'com_plugins'))
+		{
+			$this->sendJson(403, ['error' => 'Not authorized']);
+			return;
+		}
+
+		try
+		{
+			$payload = json_decode($app->input->json->getRaw(), true);
+
+			if (empty($payload['mokowaas_sync']))
+			{
+				$this->sendJson(400, ['error' => 'Invalid payload — missing mokowaas_sync version']);
+				return;
+			}
+
+			$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/ContentSyncReceiver.php';
+			require_once $serviceFile;
+
+			$receiver = new \Moko\Plugin\System\MokoWaaS\Service\ContentSyncReceiver();
+			$result   = $receiver->receive($payload);
+
+			$this->sendJson(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendJson(500, ['error' => 'Sync receive failed', 'message' => $e->getMessage()]);
+		}
+	}
+
+	private function sendJson(int $code, array $payload): void
+	{
+		$app = Factory::getApplication();
+		$app->setHeader('Content-Type', 'application/json', true);
+		$app->setHeader('Status', (string) $code, true);
+		echo json_encode($payload, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES | JSON_PRETTY_PRINT);
+		$app->close();
+	}
+}
@@ -7,7 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.16.00-dev</version>
+	<version>02.28.00</version>
+	<version>02.28.00</version>
 	<description>Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups.</description>
 	<namespace path="api/src">Moko\Component\MokoWaaS\Api</namespace>
 	<administration>
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.01.08
+ * VERSION: 02.27.00
 * PATH: /src/Extension/MokoWaaS.php
 * NOTE: Handles Joomla system events for rebranding functionality
 */
@@ -862,6 +862,35 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			);
 		}

+		// Content Sync: Push Now
+		if ((int) $params->get('sync_push_now', 0) === 1)
+		{
+			$params->set('sync_push_now', '0');
+			$changed = true;
+
+			try
+			{
+				require_once __DIR__ . '/../Service/ContentSyncService.php';
+
+				$targets = json_decode($params->get('sync_targets', '[]'), true) ?: [];
+				$service = new \Moko\Plugin\System\MokoWaaS\Service\ContentSyncService();
+				$result  = $service->syncAllTargets($targets);
+
+				$targetCount = count($result['targets'] ?? []);
+				$app->enqueueMessage(
+					sprintf('Content sync pushed to %d target(s).', $targetCount),
+					'message'
+				);
+			}
+			catch (\Throwable $e)
+			{
+				$app->enqueueMessage(
+					'Content sync failed: ' . $e->getMessage(),
+					'error'
+				);
+			}
+		}
+
 		if ($changed)
 		{
 			$db = Factory::getDbo();
@@ -965,6 +994,17 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			$this->injectAliasRobots($doc);
 		}

+		// Demo mode banner (frontend only) — check if scheduled task is active
+		if ($this->app->isClient('site'))
+		{
+			$demoTask = $this->getDemoTaskParams();
+
+			if ($demoTask && (!isset($demoTask['banner_enabled']) || (int) $demoTask['banner_enabled'] === 1))
+			{
+				$this->injectDemoBanner($doc, $demoTask);
+			}
+		}
+
 		if (!$this->app->isClient('administrator'))
 		{
 			return;
@@ -980,6 +1020,138 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 		}
 	}

+	/**
+	 * Inject demo mode warning banner into the frontend site.
+	 *
+	 * Renders a fixed-position bar at the top of the page with a configurable
+	 * message, color, optional countdown, and session-dismissable behavior.
+	 *
+	 * @param   \Joomla\CMS\Document\HtmlDocument  $doc  Document object
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	protected function injectDemoBanner($doc, array $taskData)
+	{
+		$message       = htmlspecialchars($taskData['banner_message'] ?? 'This is a demo site. All changes will be reset periodically.', ENT_QUOTES, 'UTF-8');
+		$bgColor       = htmlspecialchars($taskData['banner_color'] ?? '#d9534f', ENT_QUOTES, 'UTF-8');
+		$showCountdown = isset($taskData['show_countdown']) ? (int) $taskData['show_countdown'] : 1;
+
+		// Get next_execution from the scheduled task
+		$resetAtMs   = 0;
+		$nextExec    = $taskData['next_execution'] ?? '';
+
+		if ($showCountdown && !empty($nextExec))
+		{
+			$ts = strtotime($nextExec . ' UTC');
+
+			if ($ts > time())
+			{
+				$resetAtMs = $ts * 1000;
+			}
+		}
+
+		$countdownJs = '';
+
+		if ($showCountdown && $resetAtMs > 0)
+		{
+			$countdownJs = "
+				var resetAt = {$resetAtMs};
+				var cdSpan = document.getElementById('mokowaas-demo-countdown');
+				if (cdSpan) {
+					var tick = function() {
+						var now = Date.now();
+						var diff = Math.max(0, Math.floor((resetAt - now) / 1000));
+						if (diff <= 0) { cdSpan.textContent = ' — Reset imminent'; return; }
+						var parts = [];
+						var d = Math.floor(diff / 86400);
+						if (d >= 30) {
+							var mo = Math.floor(d / 30);
+							parts.push(mo + (mo === 1 ? ' month' : ' months'));
+							d = d % 30;
+						}
+						if (d >= 7) {
+							var w = Math.floor(d / 7);
+							parts.push(w + (w === 1 ? ' week' : ' weeks'));
+							d = d % 7;
+						}
+						if (d > 0) { parts.push(d + (d === 1 ? ' day' : ' days')); }
+						var rem = diff % 86400;
+						if (parts.length === 0) {
+							var h = Math.floor(rem / 3600);
+							var m = Math.floor((rem % 3600) / 60);
+							var s = rem % 60;
+							parts.push(h + 'h ' + m + 'm ' + s + 's');
+						} else if (parts.length <= 2) {
+							var h = Math.floor(rem / 3600);
+							if (h > 0) { parts.push(h + 'h'); }
+						}
+						cdSpan.textContent = ' — Resets in ' + parts.join(' ');
+					};
+					tick();
+					setInterval(tick, 1000);
+				}
+			";
+		}
+
+		$doc->addScriptDeclaration("
+			document.addEventListener('DOMContentLoaded', function() {
+				var bar = document.createElement('div');
+				bar.id = 'mokowaas-demo-banner';
+				bar.style.cssText = 'background:{$bgColor};color:#fff;padding:10px 20px;font-family:-apple-system,BlinkMacSystemFont,sans-serif;font-size:14px;text-align:center;';
+				bar.innerHTML = '<span>{$message}</span>" . ($showCountdown ? "<span id=\"mokowaas-demo-countdown\"></span>" : "") . "';
+
+				document.body.insertBefore(bar, document.body.firstChild);
+
+				{$countdownJs}
+			});
+		");
+	}
+
+	/**
+	 * Get demo task params from #__scheduler_tasks if task is enabled.
+	 *
+	 * @return  array|null  Task params merged with task metadata, or null if no active task
+	 *
+	 * @since   02.29.00
+	 */
+	protected function getDemoTaskParams(): ?array
+	{
+		try
+		{
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select([
+					$db->quoteName('params'),
+					$db->quoteName('state'),
+					$db->quoteName('next_execution'),
+					$db->quoteName('last_execution'),
+				])
+				->from($db->quoteName('#__scheduler_tasks'))
+				->where($db->quoteName('type') . ' = ' . $db->quote('mokowaas.demo.reset'))
+				->where($db->quoteName('state') . ' = 1');
+
+			$db->setQuery($query);
+			$task = $db->loadAssoc();
+
+			if (!$task)
+			{
+				return null;
+			}
+
+			$params = json_decode($task['params'] ?? '{}', true) ?: [];
+			$params['next_execution'] = $task['next_execution'];
+			$params['last_execution'] = $task['last_execution'];
+
+			return $params;
+		}
+		catch (\Throwable $e)
+		{
+			return null;
+		}
+	}
+
 	/**
 	 * Hide MokoWaaS plugin and package from the extensions list via JS.
 	 *
@@ -1407,11 +1579,26 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			case 'info':
 				$this->handleInfoAction();
 				break;
+			case 'reset':
+				$this->handleDemoResetAction();
+				break;
+			case 'snapshot':
+				$this->handleSnapshotAction();
+				break;
+			case 'sync':
+				$this->handleSyncAction();
+				break;
+			case 'sync-receive':
+				$this->handleSyncReceiveAction();
+				break;
+			case 'extensions':
+				$this->handleExtensionsAction();
+				break;
 			default:
 				$this->sendHealthResponse(400, [
 					'error'    => 'Unknown action',
 					'action'   => $action,
-					'available' => ['health', 'install', 'update', 'cache', 'backup', 'info'],
+					'available' => ['health', 'install', 'update', 'cache', 'backup', 'info', 'reset', 'snapshot', 'sync', 'sync-receive', 'extensions'],
 				]);
 				break;
 		}
@@ -1421,6 +1608,534 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	// API Actions
 	// ------------------------------------------------------------------

+	/**
+	 * Handle demo site reset via API.
+	 *
+	 * POST /?mokowaas=reset
+	 * Body: {"baseline": "default"}  (optional, defaults to active baseline)
+	 *
+	 * @return  void
+	 * @since   02.21.00
+	 */
+	protected function handleDemoResetAction()
+	{
+		if ($this->app->input->getMethod() !== 'POST')
+		{
+			$this->sendHealthResponse(405, ['error' => 'POST required']);
+
+			return;
+		}
+
+		try
+		{
+			$body     = json_decode(file_get_contents('php://input'), true);
+			$baseline = $body['baseline']
+				?? 'default';
+
+			$service = $this->createDemoResetService();
+			$result  = $service->restoreSnapshot($baseline);
+
+			$this->sendHealthResponse(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendHealthResponse(500, [
+				'error'   => 'Reset failed',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * Handle snapshot create/list via API.
+	 *
+	 * GET  /?mokowaas=snapshot          — list snapshots
+	 * POST /?mokowaas=snapshot          — create snapshot
+	 * Body: {"name": "my-baseline"}     (optional, defaults to active baseline)
+	 *
+	 * @return  void
+	 * @since   02.21.00
+	 */
+	protected function handleSnapshotAction()
+	{
+		$service = $this->createDemoResetService();
+
+		if ($this->app->input->getMethod() === 'GET')
+		{
+			$this->sendHealthResponse(200, [
+				'status'    => 'ok',
+				'snapshots' => $service->listSnapshots(),
+			]);
+
+			return;
+		}
+
+		if ($this->app->input->getMethod() !== 'POST')
+		{
+			$this->sendHealthResponse(405, ['error' => 'GET or POST required']);
+
+			return;
+		}
+
+		try
+		{
+			$body = json_decode(file_get_contents('php://input'), true);
+			$name = $body['name']
+				?? 'default';
+
+			$result = $service->createSnapshot($name);
+
+			$this->sendHealthResponse(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendHealthResponse(500, [
+				'error'   => 'Snapshot failed',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * Create a DemoResetService instance from current plugin params.
+	 *
+	 * @return  \Moko\Plugin\System\MokoWaaS\Service\DemoResetService
+	 * @since   02.21.00
+	 */
+	protected function createDemoResetService()
+	{
+		require_once __DIR__ . '/../Service/DemoResetService.php';
+
+		$includeMedia = (bool) $this->params->get('demo_snapshot_include_media', 1);
+
+		return new \Moko\Plugin\System\MokoWaaS\Service\DemoResetService($includeMedia);
+	}
+
+	/**
+	 * Calculate the next run time from a crontab expression.
+	 *
+	 * Supports standard 5-field crontab: minute hour day month weekday.
+	 * Steps (e.g. every N), ranges, and wildcards are supported.
+	 *
+	 * @param   string  $cron  Crontab expression
+	 *
+	 * @return  string|null  ISO datetime of next run, or null on invalid input
+	 *
+	 * @since   02.21.00
+	 */
+	protected function ensureDemoResetTask(string $cron, string $baseline): void
+	{
+		try
+		{
+			$db = Factory::getDbo();
+
+			// Check if task already exists
+			$query = $db->getQuery(true)
+				->select([$db->quoteName('id'), $db->quoteName('params')])
+				->from($db->quoteName('#__scheduler_tasks'))
+				->where($db->quoteName('type') . ' = ' . $db->quote('mokowaas.demo.reset'));
+
+			$db->setQuery($query);
+			$existing = $db->loadAssoc();
+
+			// Convert cron to Joomla scheduler execution rule
+			$execRule = json_encode([
+				'rule-type'     => 'cron-expression',
+				'cron-expression' => $cron,
+			]);
+
+			$taskParams = json_encode(['baseline' => $baseline]);
+
+			if ($existing)
+			{
+				// Update existing task
+				$query = $db->getQuery(true)
+					->update($db->quoteName('#__scheduler_tasks'))
+					->set($db->quoteName('execution_rules') . ' = ' . $db->quote($execRule))
+					->set($db->quoteName('params') . ' = ' . $db->quote($taskParams))
+					->set($db->quoteName('state') . ' = 1')
+					->where($db->quoteName('id') . ' = ' . (int) $existing['id']);
+
+				$db->setQuery($query);
+				$db->execute();
+			}
+			else
+			{
+				// Create new task
+				$obj = (object) [
+					'title'           => 'MokoWaaS Demo Reset',
+					'type'            => 'mokowaas.demo.reset',
+					'execution_rules' => $execRule,
+					'params'          => $taskParams,
+					'state'           => 1,
+					'created'         => Factory::getDate()->toSql(),
+					'next_execution'  => Factory::getDate()->toSql(),
+				];
+
+				$db->insertObject('#__scheduler_tasks', $obj);
+			}
+		}
+		catch (\Throwable $e)
+		{
+			Log::add('Failed to create demo reset task: ' . $e->getMessage(), Log::WARNING, 'mokowaas');
+		}
+	}
+
+	/**
+	 * Remove the demo reset scheduled task.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.28.00
+	 */
+	protected function removeDemoResetTask(): void
+	{
+		try
+		{
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->delete($db->quoteName('#__scheduler_tasks'))
+				->where($db->quoteName('type') . ' = ' . $db->quote('mokowaas.demo.reset'));
+
+			$db->setQuery($query);
+			$db->execute();
+		}
+		catch (\Throwable $e)
+		{
+			// Silent — table may not exist
+		}
+	}
+
+	protected function calculateNextCronRun(string $cron): ?string
+	{
+		$parts = preg_split('/\s+/', trim($cron));
+
+		if (count($parts) !== 5)
+		{
+			return null;
+		}
+
+		[$cronMin, $cronHour, $cronDay, $cronMonth, $cronWeekday] = $parts;
+
+		// Start from next minute
+		$now = time();
+		$check = $now - ($now % 60) + 60;
+
+		// Check up to 366 days ahead
+		$maxChecks = 527040; // 366 * 24 * 60
+
+		for ($i = 0; $i < $maxChecks; $i++)
+		{
+			$min     = (int) date('i', $check);
+			$hour    = (int) date('G', $check);
+			$day     = (int) date('j', $check);
+			$month   = (int) date('n', $check);
+			$weekday = (int) date('w', $check);
+
+			if ($this->cronFieldMatches($cronMin, $min, 0, 59)
+				&& $this->cronFieldMatches($cronHour, $hour, 0, 23)
+				&& $this->cronFieldMatches($cronDay, $day, 1, 31)
+				&& $this->cronFieldMatches($cronMonth, $month, 1, 12)
+				&& $this->cronFieldMatches($cronWeekday, $weekday, 0, 6))
+			{
+				return gmdate('Y-m-d\TH:i:s\Z', $check);
+			}
+
+			$check += 60;
+		}
+
+		return null;
+	}
+
+	/**
+	 * Check if a value matches a crontab field expression.
+	 *
+	 * @param   string  $field  Cron field (e.g. every-5, 1-15 range, 0-23, wildcard)
+	 * @param   int     $value  Current value to check
+	 * @param   int     $min    Minimum allowed value
+	 * @param   int     $max    Maximum allowed value
+	 *
+	 * @return  bool
+	 *
+	 * @since   02.21.00
+	 */
+	private function cronFieldMatches(string $field, int $value, int $min, int $max): bool
+	{
+		foreach (explode(',', $field) as $part)
+		{
+			$part = trim($part);
+
+			// Step: every-N or range-with-step
+			if (str_contains($part, '/'))
+			{
+				[$range, $step] = explode('/', $part, 2);
+				$step = (int) $step;
+
+				if ($step <= 0)
+				{
+					continue;
+				}
+
+				if ($range === '*')
+				{
+					if (($value - $min) % $step === 0)
+					{
+						return true;
+					}
+				}
+				elseif (str_contains($range, '-'))
+				{
+					[$rangeMin, $rangeMax] = array_map('intval', explode('-', $range, 2));
+
+					if ($value >= $rangeMin && $value <= $rangeMax && ($value - $rangeMin) % $step === 0)
+					{
+						return true;
+					}
+				}
+
+				continue;
+			}
+
+			// Wildcard
+			if ($part === '*')
+			{
+				return true;
+			}
+
+			// Range: N-M
+			if (str_contains($part, '-'))
+			{
+				[$rangeMin, $rangeMax] = array_map('intval', explode('-', $part, 2));
+
+				if ($value >= $rangeMin && $value <= $rangeMax)
+				{
+					return true;
+				}
+
+				continue;
+			}
+
+			// Exact value
+			if ((int) $part === $value)
+			{
+				return true;
+			}
+		}
+
+		return false;
+	}
+
+	/**
+	 * Handle content sync push to configured targets.
+	 *
+	 * POST /?mokowaas=sync
+	 *
+	 * @return  void
+	 * @since   02.21.00
+	 */
+	protected function handleSyncAction()
+	{
+		if ($this->app->input->getMethod() !== 'POST')
+		{
+			$this->sendHealthResponse(405, ['error' => 'POST required']);
+
+			return;
+		}
+
+		try
+		{
+			require_once __DIR__ . '/../Service/ContentSyncService.php';
+
+			$targets = json_decode($this->params->get('sync_targets', '[]'), true) ?: [];
+
+			$service = new \Moko\Plugin\System\MokoWaaS\Service\ContentSyncService();
+			$result  = $service->syncAllTargets($targets);
+
+			$this->sendHealthResponse(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendHealthResponse(500, [
+				'error'   => 'Sync failed',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * Handle incoming content sync payload (receiver side).
+	 *
+	 * POST /?mokowaas=sync-receive
+	 *
+	 * @return  void
+	 * @since   02.21.00
+	 */
+	protected function handleSyncReceiveAction()
+	{
+		if ($this->app->input->getMethod() !== 'POST')
+		{
+			$this->sendHealthResponse(405, ['error' => 'POST required']);
+
+			return;
+		}
+
+		try
+		{
+			$payload = json_decode(file_get_contents('php://input'), true);
+
+			if (empty($payload['mokowaas_sync']))
+			{
+				$this->sendHealthResponse(400, ['error' => 'Invalid payload — missing mokowaas_sync version']);
+
+				return;
+			}
+
+			require_once __DIR__ . '/../Service/ContentSyncReceiver.php';
+
+			$receiver = new \Moko\Plugin\System\MokoWaaS\Service\ContentSyncReceiver();
+			$result   = $receiver->receive($payload);
+
+			$this->sendHealthResponse(200, $result);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendHealthResponse(500, [
+				'error'   => 'Sync receive failed',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
+	/**
+	 * List installed extensions with version, status, and update server info.
+	 *
+	 * GET /?mokowaas=extensions
+	 * Optional: ?type=plugin&search=moko&enabled=1
+	 *
+	 * @return  void
+	 * @since   02.21.00
+	 */
+	protected function handleExtensionsAction()
+	{
+		try
+		{
+			$db    = Factory::getDbo();
+			$input = $this->app->input;
+
+			$query = $db->getQuery(true)
+				->select([
+					$db->quoteName('e.extension_id'),
+					$db->quoteName('e.name'),
+					$db->quoteName('e.type'),
+					$db->quoteName('e.element'),
+					$db->quoteName('e.folder'),
+					$db->quoteName('e.client_id'),
+					$db->quoteName('e.enabled'),
+					$db->quoteName('e.protected'),
+					$db->quoteName('e.locked'),
+					$db->quoteName('e.manifest_cache'),
+				])
+				->from($db->quoteName('#__extensions', 'e'))
+				->order($db->quoteName('e.type') . ' ASC, ' . $db->quoteName('e.name') . ' ASC');
+
+			$typeFilter = $input->get('type', '', 'CMD');
+
+			if ($typeFilter !== '')
+			{
+				$query->where($db->quoteName('e.type') . ' = ' . $db->quote($typeFilter));
+			}
+
+			$enabledFilter = $input->get('enabled', '', 'CMD');
+
+			if ($enabledFilter !== '')
+			{
+				$query->where($db->quoteName('e.enabled') . ' = ' . (int) $enabledFilter);
+			}
+
+			$search = $input->get('search', '', 'STRING');
+
+			if ($search !== '')
+			{
+				$like = $db->quote('%' . $db->escape($search, true) . '%');
+				$query->where(
+					'(' . $db->quoteName('e.name') . ' LIKE ' . $like
+					. ' OR ' . $db->quoteName('e.element') . ' LIKE ' . $like . ')'
+				);
+			}
+
+			$db->setQuery($query);
+			$rows = $db->loadAssocList();
+
+			// Get update sites
+			$usQuery = $db->getQuery(true)
+				->select([
+					$db->quoteName('us.name', 'site_name'),
+					$db->quoteName('us.location'),
+					$db->quoteName('us.enabled', 'site_enabled'),
+					$db->quoteName('usm.extension_id'),
+				])
+				->from($db->quoteName('#__update_sites', 'us'))
+				->innerJoin(
+					$db->quoteName('#__update_sites_extensions', 'usm')
+					. ' ON ' . $db->quoteName('us.update_site_id')
+					. ' = ' . $db->quoteName('usm.update_site_id')
+				);
+			$db->setQuery($usQuery);
+			$updateSites = [];
+
+			foreach ($db->loadAssocList() ?: [] as $us)
+			{
+				$updateSites[(int) $us['extension_id']] = [
+					'name'     => $us['site_name'],
+					'location' => $us['location'],
+					'enabled'  => (bool) $us['site_enabled'],
+				];
+			}
+
+			$extensions = [];
+
+			foreach ($rows as $row)
+			{
+				$manifest = json_decode($row['manifest_cache'] ?: '{}', true);
+				$extId    = (int) $row['extension_id'];
+
+				$ext = [
+					'extension_id' => $extId,
+					'name'         => $row['name'],
+					'type'         => $row['type'],
+					'element'      => $row['element'],
+					'folder'       => $row['folder'] ?: null,
+					'client_id'    => (int) $row['client_id'],
+					'enabled'      => (bool) $row['enabled'],
+					'protected'    => (bool) $row['protected'],
+					'locked'       => (bool) $row['locked'],
+					'version'      => $manifest['version'] ?? null,
+					'author'       => $manifest['author'] ?? null,
+				];
+
+				if (isset($updateSites[$extId]))
+				{
+					$ext['update_server'] = $updateSites[$extId];
+				}
+
+				$extensions[] = $ext;
+			}
+
+			$this->sendHealthResponse(200, [
+				'status'     => 'ok',
+				'count'      => count($extensions),
+				'extensions' => $extensions,
+			]);
+		}
+		catch (\Throwable $e)
+		{
+			$this->sendHealthResponse(500, [
+				'error'   => 'Failed to list extensions',
+				'message' => $e->getMessage(),
+			]);
+		}
+	}
+
 	/**
 	 * Trigger Joomla update finder check.
 	 *
@@ -7,7 +7,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.01.08
+ * VERSION: 02.27.00
 * PATH: /src/Field/AllowedIpsField.php
 * BRIEF: Custom form field that displays the current IP whitelist
 */
@@ -0,0 +1,63 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_system_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * VERSION: 02.27.00
+ * PATH: /src/Field/CopyableTokenField.php
+ * BRIEF: Read-only token field with a copy-to-clipboard button
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Form\FormField;
+
+/**
+ * Renders a read-only text input with a "Copy" button, similar to
+ * Joomla's API token field in the user profile.
+ *
+ * @since  02.25.00
+ */
+class CopyableTokenField extends FormField
+{
+	protected $type = 'CopyableToken';
+
+	protected function getInput()
+	{
+		$value = htmlspecialchars($this->value ?? '', ENT_QUOTES, 'UTF-8');
+		$id    = $this->id;
+
+		if (empty($this->value))
+		{
+			return '<div class="alert alert-warning mb-0 py-2">Token will be generated automatically on first save.</div>';
+		}
+
+		return <<<HTML
+<div class="input-group">
+	<input type="text" id="{$id}" name="{$this->name}" value="{$value}"
+		class="form-control" readonly="readonly" style="font-family:monospace;font-size:0.85em" />
+	<button type="button" class="btn btn-outline-secondary" onclick="
+		var inp = document.getElementById('{$id}');
+		if (navigator.clipboard) {
+			navigator.clipboard.writeText(inp.value).then(function() {
+				var btn = inp.nextElementSibling;
+				var orig = btn.innerHTML;
+				btn.innerHTML = '<span class=&quot;icon-check&quot; aria-hidden=&quot;true&quot;></span> Copied';
+				btn.classList.replace('btn-outline-secondary','btn-success');
+				setTimeout(function(){ btn.innerHTML = orig; btn.classList.replace('btn-success','btn-outline-secondary'); }, 2000);
+			});
+		} else {
+			inp.select(); document.execCommand('copy');
+		}
+	"><span class="icon-copy" aria-hidden="true"></span> Copy</button>
+</div>
+HTML;
+	}
+}
@@ -7,7 +7,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.11.00
+ * VERSION: 02.27.00
 * PATH: /src/Field/CurrentIpField.php
 * BRIEF: Read-only field that displays the current user's IP address
 */
@@ -0,0 +1,237 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_system_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * VERSION: 02.27.00
+ * PATH: /src/Field/DemoTaskInfoField.php
+ * BRIEF: Read-only field showing scheduled task info with link to manage it
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Form\FormField;
+use Joomla\CMS\Router\Route;
+
+/**
+ * Displays the demo reset scheduled task status: schedule, next run,
+ * last run, and a direct link to edit the task in Joomla's Scheduler.
+ *
+ * @since  02.29.00
+ */
+class DemoTaskInfoField extends FormField
+{
+	protected $type = 'DemoTaskInfo';
+
+	protected function getInput()
+	{
+		// Query the scheduled task — if it exists and is enabled, demo mode is on
+		try
+		{
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName('#__scheduler_tasks'))
+				->where($db->quoteName('type') . ' = ' . $db->quote('mokowaas.demo.reset'));
+
+			$db->setQuery($query);
+			$task = $db->loadAssoc();
+		}
+		catch (\Throwable $e)
+		{
+			$task = null;
+		}
+
+		$newTaskLink = Route::_('index.php?option=com_scheduler&task=task.add');
+
+		if (!$task)
+		{
+			return '<div class="alert alert-info mb-0 py-2">'
+				. 'No demo reset task configured. '
+				. '<a href="' . $newTaskLink . '" class="alert-link">Create a Scheduled Task</a> '
+				. 'and select <strong>MokoWaaS Demo Reset</strong> to enable demo mode.</div>';
+		}
+
+		$taskId  = (int) $task['id'];
+		$state   = (int) $task['state'];
+		$siteTimezone = Factory::getApplication()->get('offset', 'UTC');
+
+		// Parse schedule from execution_rules
+		$rules    = json_decode($task['execution_rules'] ?? '{}', true);
+		$ruleType = $rules['rule-type'] ?? '';
+
+		switch ($ruleType)
+		{
+			case 'cron-expression':
+				$schedule = $rules['cron-expression'] ?? '';
+				$friendlySchedule = $this->friendlySchedule($schedule);
+				break;
+
+			case 'interval-minutes':
+				$mins = (int) ($rules['interval-minutes'] ?? 0);
+
+				if ($mins >= 1440 && $mins % 1440 === 0)
+				{
+					$days = $mins / 1440;
+					$schedule = 'Every ' . $days . ' day' . ($days > 1 ? 's' : '');
+				}
+				elseif ($mins >= 60 && $mins % 60 === 0)
+				{
+					$hours = $mins / 60;
+					$schedule = 'Every ' . $hours . ' hour' . ($hours > 1 ? 's' : '');
+				}
+				else
+				{
+					$schedule = 'Every ' . $mins . ' minute' . ($mins !== 1 ? 's' : '');
+				}
+
+				$friendlySchedule = $schedule;
+				break;
+
+			case 'interval-hours':
+				$hours = (int) ($rules['interval-hours'] ?? 0);
+				$schedule = 'Every ' . $hours . ' hour' . ($hours !== 1 ? 's' : '');
+				$friendlySchedule = $schedule;
+				break;
+
+			case 'interval-days':
+				$days = (int) ($rules['interval-days'] ?? 0);
+				$schedule = 'Every ' . $days . ' day' . ($days !== 1 ? 's' : '');
+				$friendlySchedule = $schedule;
+				break;
+
+			default:
+				$schedule = $ruleType ?: 'Not set';
+				$friendlySchedule = 'Custom';
+		}
+
+		// Next execution
+		$nextExec = $task['next_execution'] ?? '';
+		$nextFormatted = 'Not scheduled';
+		$nextBadge = '';
+
+		if (!empty($nextExec) && $nextExec !== '0000-00-00 00:00:00')
+		{
+			try
+			{
+				$dt = new \DateTime($nextExec, new \DateTimeZone('UTC'));
+				$dt->setTimezone(new \DateTimeZone($siteTimezone));
+				$nextFormatted = $dt->format('M j, Y g:i A T');
+			}
+			catch (\Throwable $e)
+			{
+				$nextFormatted = $nextExec;
+			}
+
+			$diff = strtotime($nextExec . ' UTC') - time();
+
+			if ($diff <= 0)
+			{
+				$nextBadge = '<span class="badge bg-warning text-dark">DUE</span>';
+			}
+			elseif ($diff < 3600)
+			{
+				$nextBadge = '<span class="badge bg-info">in ' . (int) ceil($diff / 60) . ' min</span>';
+			}
+			elseif ($diff < 86400)
+			{
+				$nextBadge = '<span class="badge bg-info">in ' . round($diff / 3600, 1) . 'h</span>';
+			}
+			else
+			{
+				$nextBadge = '<span class="badge bg-secondary">in ' . round($diff / 86400, 1) . 'd</span>';
+			}
+		}
+
+		// Last execution
+		$lastExec = $task['last_execution'] ?? '';
+		$lastFormatted = 'Never';
+
+		if (!empty($lastExec) && $lastExec !== '0000-00-00 00:00:00')
+		{
+			try
+			{
+				$dt = new \DateTime($lastExec, new \DateTimeZone('UTC'));
+				$dt->setTimezone(new \DateTimeZone($siteTimezone));
+				$lastFormatted = $dt->format('M j, Y g:i A T');
+			}
+			catch (\Throwable $e)
+			{
+				$lastFormatted = $lastExec;
+			}
+		}
+
+		// State badge
+		$stateBadge = $state === 1
+			? '<span class="badge bg-success">Enabled</span>'
+			: '<span class="badge bg-danger">Disabled</span>';
+
+		// Link to edit the task
+		$editLink = Route::_('index.php?option=com_scheduler&task=task.edit&id=' . $taskId);
+
+		// Task params — default to On when keys are missing (matches form defaults)
+		$taskParams  = json_decode($task['params'] ?? '{}', true) ?: [];
+		$bannerOn    = !isset($taskParams['banner_enabled']) || (int) $taskParams['banner_enabled'] === 1;
+		$mediaOn     = !isset($taskParams['include_media']) || (int) $taskParams['include_media'] === 1;
+		$countdownOn = !isset($taskParams['show_countdown']) || (int) $taskParams['show_countdown'] === 1;
+
+		// Check if snapshot exists
+		$snapshotExists = is_dir(JPATH_ROOT . '/mokowaas-snapshots/default');
+
+		// Build info card
+		return '<div class="card card-body bg-light py-2 px-3 mb-0">'
+			. '<table class="table table-sm table-borderless mb-1" style="max-width:550px">'
+			. '<tr><td class="text-muted" style="width:130px">Status</td><td>' . $stateBadge . '</td></tr>'
+			. '<tr><td class="text-muted">Schedule</td><td>' . htmlspecialchars($friendlySchedule) . '</td></tr>'
+			. '<tr><td class="text-muted">Next Reset</td><td>' . htmlspecialchars($nextFormatted) . ' ' . $nextBadge . '</td></tr>'
+			. '<tr><td class="text-muted">Last Reset</td><td>' . htmlspecialchars($lastFormatted) . '</td></tr>'
+			. '<tr><td class="text-muted">Runs</td><td>' . (int) ($task['times_executed'] ?? 0) . ' executed, ' . (int) ($task['times_failed'] ?? 0) . ' failed</td></tr>'
+			. '<tr><td class="text-muted">Baseline</td><td>' . ($snapshotExists ? '<span class="badge bg-success">Saved</span>' : '<span class="badge bg-warning text-dark">Not taken yet</span>') . '</td></tr>'
+			. '<tr><td class="text-muted">Banner</td><td>' . ($bannerOn ? 'On' : 'Off') . ($countdownOn ? ' + countdown' : '') . '</td></tr>'
+			. '<tr><td class="text-muted">Images</td><td>' . ($mediaOn ? 'Included' : 'Excluded') . '</td></tr>'
+			. '</table>'
+			. '<a href="' . $editLink . '" class="btn btn-sm btn-outline-primary">'
+			. '<span class="icon-cog" aria-hidden="true"></span> Manage Scheduled Task</a>'
+			. '</div>';
+	}
+
+	protected function getLabel()
+	{
+		return '<label class="form-label"><strong>Scheduled Reset</strong></label>';
+	}
+
+	/**
+	 * Convert a cron expression to a human-readable string.
+	 *
+	 * @param   string  $cron  Cron expression
+	 *
+	 * @return  string
+	 */
+	private function friendlySchedule(string $cron): string
+	{
+		$map = [
+			'* * * * *'       => 'Every minute',
+			'*/5 * * * *'     => 'Every 5 minutes',
+			'*/15 * * * *'    => 'Every 15 minutes',
+			'*/30 * * * *'    => 'Every 30 minutes',
+			'0 */1 * * *'     => 'Every hour',
+			'0 */4 * * *'     => 'Every 4 hours',
+			'0 */6 * * *'     => 'Every 6 hours',
+			'0 */12 * * *'    => 'Every 12 hours',
+			'0 0 * * *'       => 'Daily at midnight',
+			'0 6 * * *'       => 'Daily at 6:00 AM',
+			'0 0 * * 0'       => 'Weekly (Sunday)',
+			'0 0 1 * *'       => 'Monthly (1st)',
+		];
+
+		return $map[$cron] ?? 'Custom';
+	}
+}
@@ -0,0 +1,156 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_system_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * VERSION: 02.27.00
+ * PATH: /src/Field/NextResetField.php
+ * BRIEF: Read-only field showing next reset time from Joomla scheduled task
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Form\FormField;
+
+/**
+ * Pulls the next execution time directly from the Joomla scheduled task
+ * (#__scheduler_tasks) and displays it formatted in the site timezone.
+ *
+ * @since  02.29.00
+ */
+class NextResetField extends FormField
+{
+	protected $type = 'NextReset';
+
+	protected function getInput()
+	{
+		// Check if demo mode is enabled
+		$demoEnabled = false;
+
+		if ($this->form)
+		{
+			$demoEnabled = (int) $this->form->getValue('demo_mode_enabled', 'params', 0) === 1;
+		}
+
+		if (!$demoEnabled)
+		{
+			return '<span class="form-control-plaintext text-muted">Demo mode is off</span>'
+				. '<input type="hidden" name="' . $this->name . '" value="" />';
+		}
+
+		// Query the actual next_execution from the scheduled task
+		try
+		{
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select([
+					$db->quoteName('next_execution'),
+					$db->quoteName('last_execution'),
+					$db->quoteName('state'),
+				])
+				->from($db->quoteName('#__scheduler_tasks'))
+				->where($db->quoteName('type') . ' = ' . $db->quote('mokowaas.demo.reset'));
+
+			$db->setQuery($query);
+			$task = $db->loadAssoc();
+		}
+		catch (\Throwable $e)
+		{
+			$task = null;
+		}
+
+		if (!$task)
+		{
+			return '<div class="alert alert-secondary mb-0 py-2">No scheduled task found — save to create one automatically.</div>'
+				. '<input type="hidden" name="' . $this->name . '" value="" />';
+		}
+
+		if ((int) $task['state'] !== 1)
+		{
+			return '<div class="alert alert-warning mb-0 py-2">Scheduled task is disabled.</div>'
+				. '<input type="hidden" name="' . $this->name . '" value="" />';
+		}
+
+		$nextExec = $task['next_execution'];
+		$lastExec = $task['last_execution'];
+
+		if (empty($nextExec) || $nextExec === '0000-00-00 00:00:00')
+		{
+			return '<div class="alert alert-secondary mb-0 py-2">Waiting for first run...</div>'
+				. '<input type="hidden" name="' . $this->name . '" value="" />';
+		}
+
+		// Convert to site timezone
+		$utcTimestamp = strtotime($nextExec);
+		$siteTimezone = Factory::getApplication()->get('offset', 'UTC');
+
+		try
+		{
+			$dt = new \DateTime('@' . $utcTimestamp);
+			$dt->setTimezone(new \DateTimeZone($siteTimezone));
+			$formatted = $dt->format('l, F j, Y \a\t g:i A T');
+		}
+		catch (\Throwable $e)
+		{
+			$formatted = $nextExec . ' UTC';
+		}
+
+		// Relative time
+		$diff     = $utcTimestamp - time();
+		$relative = '';
+
+		if ($diff <= 0)
+		{
+			$relative = '<span class="badge bg-warning text-dark">overdue</span>';
+		}
+		elseif ($diff < 3600)
+		{
+			$mins = (int) ceil($diff / 60);
+			$relative = '<span class="badge bg-info">in ' . $mins . ' min</span>';
+		}
+		elseif ($diff < 86400)
+		{
+			$hours = round($diff / 3600, 1);
+			$relative = '<span class="badge bg-info">in ' . $hours . 'h</span>';
+		}
+		else
+		{
+			$days = round($diff / 86400, 1);
+			$relative = '<span class="badge bg-secondary">in ' . $days . 'd</span>';
+		}
+
+		// Last run info
+		$lastInfo = '';
+
+		if (!empty($lastExec) && $lastExec !== '0000-00-00 00:00:00')
+		{
+			try
+			{
+				$lastDt = new \DateTime($lastExec);
+				$lastDt->setTimezone(new \DateTimeZone($siteTimezone));
+				$lastInfo = '<small class="text-muted ms-2">Last run: ' . $lastDt->format('M j, g:i A') . '</small>';
+			}
+			catch (\Throwable $e)
+			{
+				// skip
+			}
+		}
+
+		return '<div class="d-flex align-items-center gap-2 flex-wrap">'
+			. '<span class="form-control-plaintext" style="font-weight:500">'
+			. '<span class="icon-calendar" aria-hidden="true"></span> '
+			. htmlspecialchars($formatted) . '</span> '
+			. $relative
+			. $lastInfo
+			. '<input type="hidden" name="' . $this->name . '" value="' . htmlspecialchars($nextExec) . '" />'
+			. '</div>';
+	}
+}
@@ -0,0 +1,175 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_system_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * VERSION: 02.27.00
+ * PATH: /src/Field/SnapshotTablesField.php
+ * BRIEF: Multi-select list field that loads DB tables with sensible defaults
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Form\FormField;
+
+/**
+ * Renders a multi-select list box of all Joomla database tables, with
+ * content-related tables pre-selected by default.
+ *
+ * @since  02.26.00
+ */
+class SnapshotTablesField extends FormField
+{
+	protected $type = 'SnapshotTables';
+
+	/**
+	 * Tables selected by default when no value is stored yet.
+	 *
+	 * @var    array
+	 * @since  02.25.00
+	 */
+	private const DEFAULT_TABLES = [
+		'#__content',
+		'#__categories',
+		'#__fields',
+		'#__fields_values',
+		'#__fields_groups',
+		'#__menu',
+		'#__menu_types',
+		'#__modules',
+		'#__modules_menu',
+		'#__users',
+		'#__user_usergroup_map',
+		'#__user_profiles',
+		'#__tags',
+		'#__contentitem_tag_map',
+		'#__assets',
+	];
+
+	/**
+	 * Table suffixes grouped by category.
+	 *
+	 * @var    array
+	 * @since  02.25.00
+	 */
+	private const TABLE_GROUPS = [
+		'Content'  => ['content', 'categories', 'fields', 'fields_values', 'fields_groups', 'tags', 'contentitem_tag_map', 'ucm_content', 'ucm_history'],
+		'Users'    => ['users', 'user_usergroup_map', 'user_profiles', 'usergroups', 'user_keys', 'user_mfa'],
+		'Menus'    => ['menu', 'menu_types'],
+		'Modules'  => ['modules', 'modules_menu'],
+		'Assets'   => ['assets'],
+	];
+
+	protected function getInput()
+	{
+		$db     = Factory::getDbo();
+		$prefix = $db->getPrefix();
+		$tables = $db->getTableList();
+
+		// Resolve selected values
+		$selected = $this->value;
+
+		if ($selected === null || $selected === '')
+		{
+			$selected = self::DEFAULT_TABLES;
+		}
+		elseif (is_string($selected))
+		{
+			$selected = array_filter(array_map('trim', explode("\n", $selected)));
+		}
+
+		$selected = (array) $selected;
+
+		// Flatten nested arrays from broken save format [["#__content"],["#__categories"]]
+		$selected = array_map(function ($v) {
+			return is_array($v) ? reset($v) : $v;
+		}, $selected);
+
+		// Group tables
+		$grouped = [];
+
+		foreach ($tables as $table)
+		{
+			if (strpos($table, $prefix) !== 0)
+			{
+				continue;
+			}
+
+			$suffix  = substr($table, strlen($prefix));
+			$logical = '#__' . $suffix;
+			$group   = 'Other';
+
+			foreach (self::TABLE_GROUPS as $groupName => $patterns)
+			{
+				if (in_array($suffix, $patterns, true))
+				{
+					$group = $groupName;
+					break;
+				}
+			}
+
+			$grouped[$group][] = $logical;
+		}
+
+		// Build HTML select with optgroups
+		$size = (int) ($this->element['size'] ?? 15);
+		$html = '<select name="' . $this->name . '" id="' . $this->id . '"'
+			. ' multiple="multiple" size="' . $size . '"'
+			. ' class="form-select">';
+
+		$priority = ['Content', 'Users', 'Menus', 'Modules', 'Assets'];
+
+		foreach ($priority as $g)
+		{
+			if (!empty($grouped[$g]))
+			{
+				$html .= '<optgroup label="' . $g . '">';
+
+				foreach ($grouped[$g] as $t)
+				{
+					$sel = in_array($t, $selected, true) ? ' selected="selected"' : '';
+					$html .= '<option value="' . htmlspecialchars($t) . '"' . $sel . '>' . htmlspecialchars($t) . '</option>';
+				}
+
+				$html .= '</optgroup>';
+				unset($grouped[$g]);
+			}
+		}
+
+		if (!empty($grouped['Other']))
+		{
+			$html .= '<optgroup label="Other">';
+
+			foreach ($grouped['Other'] as $t)
+			{
+				$sel = in_array($t, $selected, true) ? ' selected="selected"' : '';
+				$html .= '<option value="' . htmlspecialchars($t) . '"' . $sel . '>' . htmlspecialchars($t) . '</option>';
+			}
+
+			$html .= '</optgroup>';
+		}
+
+		$html .= '</select>';
+
+		// "Reset to defaults" link
+		$defaultsJson = htmlspecialchars(json_encode(self::DEFAULT_TABLES), ENT_QUOTES, 'UTF-8');
+		$html .= '<div class="mt-1">'
+			. '<a href="#" class="small" onclick="'
+			. 'var sel=document.getElementById(\'' . $this->id . '\');'
+			. 'var defs=' . $defaultsJson . ';'
+			. 'Array.from(sel.options).forEach(function(o){o.selected=defs.indexOf(o.value)!==-1;});'
+			. 'return false;'
+			. '"><span class="icon-refresh" aria-hidden="true"></span> Reset to defaults</a>'
+			. '</div>';
+
+		return $html;
+	}
+}
@@ -0,0 +1,819 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_system_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
+ * PATH: /src/packages/plg_system_mokowaas/Service/ContentSyncReceiver.php
+ * VERSION: 02.27.00
+ * BRIEF: Receiver-side content sync — applies incoming payload to local DB
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Service;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Log\Log;
+
+/**
+ * Content Sync Receiver — applies incoming sync payload to the local site.
+ *
+ * Processes categories, articles, menu types, menu items, and modules
+ * from a JSON payload sent by a source MokoWaaS site. Content is matched
+ * by alias (upsert pattern): existing content is updated, new content
+ * is inserted.
+ *
+ * @since  02.21.00
+ */
+class ContentSyncReceiver
+{
+	/**
+	 * @var    \Joomla\Database\DatabaseInterface
+	 * @since  02.21.00
+	 */
+	private $db;
+
+	/**
+	 * Warnings collected during sync.
+	 *
+	 * @var    array
+	 * @since  02.21.00
+	 */
+	private array $warnings = [];
+
+	/**
+	 * Cache of resolved category paths → local IDs.
+	 *
+	 * @var    array
+	 * @since  02.21.00
+	 */
+	private array $catPathCache = [];
+
+	/**
+	 * Constructor.
+	 *
+	 * @param   \Joomla\Database\DatabaseInterface|null  $db  Database driver
+	 *
+	 * @since   02.21.00
+	 */
+	public function __construct($db = null)
+	{
+		$this->db = $db ?: Factory::getDbo();
+	}
+
+	/**
+	 * Process an incoming sync payload.
+	 *
+	 * @param   array  $payload  Decoded JSON payload from the source site
+	 *
+	 * @return  array  Result summary with per-type counts and warnings
+	 *
+	 * @since   02.21.00
+	 */
+	public function receive(array $payload): array
+	{
+		if (empty($payload['mokowaas_sync']))
+		{
+			return ['status' => 'error', 'message' => 'Invalid payload — missing mokowaas_sync version'];
+		}
+
+		$this->warnings = [];
+		$results = [];
+
+		// Apply in dependency order
+		try
+		{
+			$results['categories'] = $this->applyCategories($payload['categories'] ?? []);
+		}
+		catch (\Throwable $e)
+		{
+			$results['categories'] = ['error' => $e->getMessage()];
+			$this->warnings[] = 'Categories failed: ' . $e->getMessage();
+		}
+
+		try
+		{
+			$results['articles'] = $this->applyArticles($payload['articles'] ?? []);
+		}
+		catch (\Throwable $e)
+		{
+			$results['articles'] = ['error' => $e->getMessage()];
+			$this->warnings[] = 'Articles failed: ' . $e->getMessage();
+		}
+
+		try
+		{
+			$results['menu_types'] = $this->applyMenuTypes($payload['menu_types'] ?? []);
+		}
+		catch (\Throwable $e)
+		{
+			$results['menu_types'] = ['error' => $e->getMessage()];
+			$this->warnings[] = 'Menu types failed: ' . $e->getMessage();
+		}
+
+		try
+		{
+			$results['menu_items'] = $this->applyMenuItems($payload['menu_items'] ?? []);
+		}
+		catch (\Throwable $e)
+		{
+			$results['menu_items'] = ['error' => $e->getMessage()];
+			$this->warnings[] = 'Menu items failed: ' . $e->getMessage();
+		}
+
+		try
+		{
+			$results['modules'] = $this->applyModules($payload['modules'] ?? []);
+		}
+		catch (\Throwable $e)
+		{
+			$results['modules'] = ['error' => $e->getMessage()];
+			$this->warnings[] = 'Modules failed: ' . $e->getMessage();
+		}
+
+		Log::add(
+			sprintf('Content sync received from %s', $payload['source_site'] ?? 'unknown'),
+			Log::INFO,
+			'mokowaas'
+		);
+
+		return [
+			'status'      => 'ok',
+			'message'     => 'Sync applied',
+			'source_site' => $payload['source_site'] ?? '',
+			'results'     => $results,
+			'warnings'    => $this->warnings,
+		];
+	}
+
+	/**
+	 * Apply categories — sorted by path depth (shallow first).
+	 *
+	 * @param   array  $categories  Category data from payload
+	 *
+	 * @return  array  ['inserted' => N, 'updated' => N]
+	 *
+	 * @since   02.21.00
+	 */
+	private function applyCategories(array $categories): array
+	{
+		$db = $this->db;
+		$inserted = 0;
+		$updated  = 0;
+
+		// Sort by path depth — parents before children
+		usort($categories, function ($a, $b) {
+			return substr_count($a['path'], '/') - substr_count($b['path'], '/');
+		});
+
+		foreach ($categories as $cat)
+		{
+			$alias = $cat['alias'] ?? '';
+			$path  = $cat['path'] ?? $alias;
+
+			if (empty($alias) || !preg_match('/^[a-z0-9\-\/]+$/i', $path))
+			{
+				$this->warnings[] = 'Skipped category with invalid alias/path: ' . $alias;
+				continue;
+			}
+
+			// Resolve parent ID from path
+			$parentId = 1; // Root
+			$pathParts = explode('/', $path);
+
+			if (count($pathParts) > 1)
+			{
+				$parentPath = implode('/', array_slice($pathParts, 0, -1));
+				$parentId   = $this->resolveCategoryPath($parentPath);
+
+				if ($parentId === 0)
+				{
+					$this->warnings[] = 'Parent category not found for: ' . $path;
+					$parentId = 1;
+				}
+			}
+
+			// Check if category exists
+			$query = $db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__categories'))
+				->where($db->quoteName('alias') . ' = ' . $db->quote($alias))
+				->where($db->quoteName('extension') . ' = ' . $db->quote('com_content'))
+				->where($db->quoteName('parent_id') . ' = ' . (int) $parentId);
+
+			$db->setQuery($query);
+			$existingId = (int) $db->loadResult();
+
+			$now = Factory::getDate()->toSql();
+
+			if ($existingId)
+			{
+				$query = $db->getQuery(true)
+					->update($db->quoteName('#__categories'))
+					->set($db->quoteName('title') . ' = ' . $db->quote($cat['title']))
+					->set($db->quoteName('description') . ' = ' . $db->quote($cat['description'] ?? ''))
+					->set($db->quoteName('published') . ' = ' . (int) ($cat['published'] ?? 1))
+					->set($db->quoteName('access') . ' = ' . (int) ($cat['access'] ?? 1))
+					->set($db->quoteName('language') . ' = ' . $db->quote($cat['language'] ?? '*'))
+					->set($db->quoteName('params') . ' = ' . $db->quote(json_encode($cat['params'] ?? new \stdClass)))
+					->set($db->quoteName('metadata') . ' = ' . $db->quote(json_encode($cat['metadata'] ?? new \stdClass)))
+					->set($db->quoteName('modified_time') . ' = ' . $db->quote($now))
+					->where($db->quoteName('id') . ' = ' . $existingId);
+
+				$db->setQuery($query);
+				$db->execute();
+				$updated++;
+
+				$this->catPathCache[$path] = $existingId;
+			}
+			else
+			{
+				$obj = (object) [
+					'title'         => $cat['title'],
+					'alias'         => $alias,
+					'path'          => $path,
+					'extension'     => 'com_content',
+					'description'   => $cat['description'] ?? '',
+					'published'     => (int) ($cat['published'] ?? 1),
+					'access'        => (int) ($cat['access'] ?? 1),
+					'language'      => $cat['language'] ?? '*',
+					'params'        => json_encode($cat['params'] ?? new \stdClass),
+					'metadata'      => json_encode($cat['metadata'] ?? new \stdClass),
+					'parent_id'     => $parentId,
+					'level'         => count($pathParts),
+					'lft'           => 0,
+					'rgt'           => 0,
+					'created_time'  => $now,
+					'modified_time' => $now,
+				];
+
+				$db->insertObject('#__categories', $obj, 'id');
+				$inserted++;
+
+				$this->catPathCache[$path] = (int) $obj->id;
+
+				// Rebuild category tree for this extension
+				$this->rebuildCategoryTree();
+			}
+		}
+
+		return ['inserted' => $inserted, 'updated' => $updated];
+	}
+
+	/**
+	 * Apply articles — resolve category by alias path, upsert by alias.
+	 *
+	 * @param   array  $articles  Article data from payload
+	 *
+	 * @return  array  ['inserted' => N, 'updated' => N]
+	 *
+	 * @since   02.21.00
+	 */
+	private function applyArticles(array $articles): array
+	{
+		$db = $this->db;
+		$inserted = 0;
+		$updated  = 0;
+
+		foreach ($articles as $article)
+		{
+			$alias = $article['alias'] ?? '';
+
+			if (empty($alias))
+			{
+				continue;
+			}
+
+			// Resolve category
+			$catPath = $article['catid_alias_path'] ?? 'uncategorised';
+			$catId   = $this->resolveCategoryPath($catPath);
+
+			if ($catId === 0)
+			{
+				$catId = 2; // Joomla's built-in Uncategorised
+				$this->warnings[] = 'Category "' . $catPath . '" not found for article "' . $alias . '" — assigned to Uncategorised';
+			}
+
+			// Check if article exists
+			$query = $db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__content'))
+				->where($db->quoteName('alias') . ' = ' . $db->quote($alias));
+
+			$db->setQuery($query);
+			$existingId = (int) $db->loadResult();
+
+			$now = Factory::getDate()->toSql();
+
+			if ($existingId)
+			{
+				$query = $db->getQuery(true)
+					->update($db->quoteName('#__content'))
+					->set($db->quoteName('title') . ' = ' . $db->quote($article['title']))
+					->set($db->quoteName('introtext') . ' = ' . $db->quote($article['introtext'] ?? ''))
+					->set($db->quoteName('fulltext') . ' = ' . $db->quote($article['fulltext'] ?? ''))
+					->set($db->quoteName('state') . ' = ' . (int) ($article['state'] ?? 1))
+					->set($db->quoteName('catid') . ' = ' . $catId)
+					->set($db->quoteName('access') . ' = ' . (int) ($article['access'] ?? 1))
+					->set($db->quoteName('language') . ' = ' . $db->quote($article['language'] ?? '*'))
+					->set($db->quoteName('featured') . ' = ' . (int) ($article['featured'] ?? 0))
+					->set($db->quoteName('metadata') . ' = ' . $db->quote(json_encode($article['metadata'] ?? new \stdClass)))
+					->set($db->quoteName('attribs') . ' = ' . $db->quote(json_encode($article['attribs'] ?? new \stdClass)))
+					->set($db->quoteName('images') . ' = ' . $db->quote(json_encode($article['images'] ?? new \stdClass)))
+					->set($db->quoteName('urls') . ' = ' . $db->quote(json_encode($article['urls'] ?? new \stdClass)))
+					->set($db->quoteName('modified') . ' = ' . $db->quote($now))
+					->where($db->quoteName('id') . ' = ' . $existingId);
+
+				$db->setQuery($query);
+				$db->execute();
+				$updated++;
+			}
+			else
+			{
+				$obj = (object) [
+					'title'        => $article['title'],
+					'alias'        => $alias,
+					'introtext'    => $article['introtext'] ?? '',
+					'fulltext'     => $article['fulltext'] ?? '',
+					'state'        => (int) ($article['state'] ?? 1),
+					'catid'        => $catId,
+					'access'       => (int) ($article['access'] ?? 1),
+					'language'     => $article['language'] ?? '*',
+					'featured'     => (int) ($article['featured'] ?? 0),
+					'publish_up'   => $article['publish_up'] ?? $now,
+					'publish_down' => $article['publish_down'],
+					'metadata'     => json_encode($article['metadata'] ?? new \stdClass),
+					'attribs'      => json_encode($article['attribs'] ?? new \stdClass),
+					'images'       => json_encode($article['images'] ?? new \stdClass),
+					'urls'         => json_encode($article['urls'] ?? new \stdClass),
+					'created'      => $now,
+					'modified'     => $now,
+				];
+
+				$db->insertObject('#__content', $obj, 'id');
+				$inserted++;
+			}
+		}
+
+		return ['inserted' => $inserted, 'updated' => $updated];
+	}
+
+	/**
+	 * Apply menu types — insert if not exists.
+	 *
+	 * @param   array  $menuTypes  Menu type data from payload
+	 *
+	 * @return  array  ['inserted' => N, 'updated' => N]
+	 *
+	 * @since   02.21.00
+	 */
+	private function applyMenuTypes(array $menuTypes): array
+	{
+		$db = $this->db;
+		$inserted = 0;
+		$updated  = 0;
+
+		foreach ($menuTypes as $mt)
+		{
+			$menutype = $mt['menutype'] ?? '';
+
+			if (empty($menutype))
+			{
+				continue;
+			}
+
+			$query = $db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__menu_types'))
+				->where($db->quoteName('menutype') . ' = ' . $db->quote($menutype));
+
+			$db->setQuery($query);
+
+			if ($db->loadResult())
+			{
+				$query = $db->getQuery(true)
+					->update($db->quoteName('#__menu_types'))
+					->set($db->quoteName('title') . ' = ' . $db->quote($mt['title'] ?? $menutype))
+					->set($db->quoteName('description') . ' = ' . $db->quote($mt['description'] ?? ''))
+					->where($db->quoteName('menutype') . ' = ' . $db->quote($menutype));
+
+				$db->setQuery($query);
+				$db->execute();
+				$updated++;
+			}
+			else
+			{
+				$obj = (object) [
+					'title'       => $mt['title'] ?? $menutype,
+					'menutype'    => $menutype,
+					'description' => $mt['description'] ?? '',
+				];
+
+				$db->insertObject('#__menu_types', $obj);
+				$inserted++;
+			}
+		}
+
+		return ['inserted' => $inserted, 'updated' => $updated];
+	}
+
+	/**
+	 * Apply menu items — resolve parent aliases and {catid:path} tokens.
+	 *
+	 * @param   array  $items  Menu item data from payload
+	 *
+	 * @return  array  ['inserted' => N, 'updated' => N]
+	 *
+	 * @since   02.21.00
+	 */
+	private function applyMenuItems(array $items): array
+	{
+		$db = $this->db;
+		$inserted = 0;
+		$updated  = 0;
+
+		// Sort: root items first, then children
+		usort($items, function ($a, $b) {
+			$aIsRoot = empty($a['parent_alias']);
+			$bIsRoot = empty($b['parent_alias']);
+
+			if ($aIsRoot && !$bIsRoot) return -1;
+			if (!$aIsRoot && $bIsRoot) return 1;
+
+			return 0;
+		});
+
+		// Resolve component IDs
+		$compQuery = $db->getQuery(true)
+			->select([$db->quoteName('extension_id'), $db->quoteName('element')])
+			->from($db->quoteName('#__extensions'))
+			->where($db->quoteName('type') . ' = ' . $db->quote('component'));
+		$db->setQuery($compQuery);
+		$compMap = [];
+
+		foreach ($db->loadAssocList() ?: [] as $c)
+		{
+			$compMap[$c['element']] = (int) $c['extension_id'];
+		}
+
+		foreach ($items as $item)
+		{
+			$alias    = $item['alias'] ?? '';
+			$menutype = $item['menutype'] ?? '';
+
+			if (empty($alias) || empty($menutype))
+			{
+				continue;
+			}
+
+			// Resolve parent
+			$parentId = 1; // Root menu item
+
+			if (!empty($item['parent_alias']))
+			{
+				$parentId = $this->resolveMenuAlias($menutype, $item['parent_alias']);
+
+				if ($parentId === 0)
+				{
+					$this->warnings[] = 'Parent menu item "' . $item['parent_alias'] . '" not found for "' . $alias . '"';
+					$parentId = 1;
+				}
+			}
+
+			// Resolve {catid:path} tokens in link
+			$link = $item['link'] ?? '';
+
+			if (preg_match_all('/\{catid:([^}]+)\}/', $link, $matches))
+			{
+				foreach ($matches[1] as $i => $catPath)
+				{
+					$localCatId = $this->resolveCategoryPath($catPath);
+
+					if ($localCatId > 0)
+					{
+						$link = str_replace($matches[0][$i], (string) $localCatId, $link);
+					}
+					else
+					{
+						$this->warnings[] = 'Could not resolve {catid:' . $catPath . '} in menu item "' . $alias . '"';
+						$link = str_replace($matches[0][$i], '0', $link);
+					}
+				}
+			}
+
+			$componentId = $compMap[$item['component_name'] ?? ''] ?? 0;
+
+			// Check if menu item exists
+			$query = $db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__menu'))
+				->where($db->quoteName('alias') . ' = ' . $db->quote($alias))
+				->where($db->quoteName('menutype') . ' = ' . $db->quote($menutype))
+				->where($db->quoteName('client_id') . ' = 0');
+
+			$db->setQuery($query);
+			$existingId = (int) $db->loadResult();
+
+			if ($existingId)
+			{
+				$query = $db->getQuery(true)
+					->update($db->quoteName('#__menu'))
+					->set($db->quoteName('title') . ' = ' . $db->quote($item['title']))
+					->set($db->quoteName('link') . ' = ' . $db->quote($link))
+					->set($db->quoteName('type') . ' = ' . $db->quote($item['type'] ?? 'component'))
+					->set($db->quoteName('published') . ' = ' . (int) ($item['published'] ?? 1))
+					->set($db->quoteName('access') . ' = ' . (int) ($item['access'] ?? 1))
+					->set($db->quoteName('language') . ' = ' . $db->quote($item['language'] ?? '*'))
+					->set($db->quoteName('params') . ' = ' . $db->quote(json_encode($item['params'] ?? new \stdClass)))
+					->set($db->quoteName('parent_id') . ' = ' . $parentId)
+					->set($db->quoteName('component_id') . ' = ' . $componentId)
+					->set($db->quoteName('home') . ' = ' . (int) ($item['home'] ?? 0))
+					->where($db->quoteName('id') . ' = ' . $existingId);
+
+				$db->setQuery($query);
+				$db->execute();
+				$updated++;
+			}
+			else
+			{
+				$obj = (object) [
+					'menutype'     => $menutype,
+					'title'        => $item['title'],
+					'alias'        => $alias,
+					'path'         => $alias,
+					'link'         => $link,
+					'type'         => $item['type'] ?? 'component',
+					'published'    => (int) ($item['published'] ?? 1),
+					'parent_id'    => $parentId,
+					'level'        => $parentId <= 1 ? 1 : 2,
+					'component_id' => $componentId,
+					'access'       => (int) ($item['access'] ?? 1),
+					'language'     => $item['language'] ?? '*',
+					'params'       => json_encode($item['params'] ?? new \stdClass),
+					'home'         => (int) ($item['home'] ?? 0),
+					'client_id'    => 0,
+					'lft'          => 0,
+					'rgt'          => 0,
+				];
+
+				$db->insertObject('#__menu', $obj, 'id');
+				$inserted++;
+			}
+		}
+
+		// Rebuild menu tree for each affected menutype
+		$affectedMenuTypes = array_unique(array_column($items, 'menutype'));
+
+		foreach ($affectedMenuTypes as $mt)
+		{
+			$this->rebuildMenuTree($mt);
+		}
+
+		return ['inserted' => $inserted, 'updated' => $updated];
+	}
+
+	/**
+	 * Apply modules — upsert by title+position+client_id, rebuild menu assignments.
+	 *
+	 * @param   array  $modules  Module data from payload
+	 *
+	 * @return  array  ['inserted' => N, 'updated' => N]
+	 *
+	 * @since   02.21.00
+	 */
+	private function applyModules(array $modules): array
+	{
+		$db = $this->db;
+		$inserted = 0;
+		$updated  = 0;
+
+		foreach ($modules as $mod)
+		{
+			$title    = $mod['title'] ?? '';
+			$position = $mod['position'] ?? '';
+			$clientId = (int) ($mod['client_id'] ?? 0);
+
+			if (empty($title))
+			{
+				continue;
+			}
+
+			// Check existence by title + position + client_id
+			$query = $db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__modules'))
+				->where($db->quoteName('title') . ' = ' . $db->quote($title))
+				->where($db->quoteName('position') . ' = ' . $db->quote($position))
+				->where($db->quoteName('client_id') . ' = ' . $clientId);
+
+			$db->setQuery($query);
+			$existingId = (int) $db->loadResult();
+
+			if ($existingId)
+			{
+				$query = $db->getQuery(true)
+					->update($db->quoteName('#__modules'))
+					->set($db->quoteName('module') . ' = ' . $db->quote($mod['module'] ?? ''))
+					->set($db->quoteName('content') . ' = ' . $db->quote($mod['content'] ?? ''))
+					->set($db->quoteName('published') . ' = ' . (int) ($mod['published'] ?? 1))
+					->set($db->quoteName('access') . ' = ' . (int) ($mod['access'] ?? 1))
+					->set($db->quoteName('language') . ' = ' . $db->quote($mod['language'] ?? '*'))
+					->set($db->quoteName('params') . ' = ' . $db->quote(json_encode($mod['params'] ?? new \stdClass)))
+					->where($db->quoteName('id') . ' = ' . $existingId);
+
+				$db->setQuery($query);
+				$db->execute();
+				$updated++;
+
+				$moduleId = $existingId;
+			}
+			else
+			{
+				$obj = (object) [
+					'title'     => $title,
+					'module'    => $mod['module'] ?? '',
+					'position'  => $position,
+					'content'   => $mod['content'] ?? '',
+					'published' => (int) ($mod['published'] ?? 1),
+					'access'    => (int) ($mod['access'] ?? 1),
+					'language'  => $mod['language'] ?? '*',
+					'params'    => json_encode($mod['params'] ?? new \stdClass),
+					'client_id' => $clientId,
+					'ordering'  => 0,
+				];
+
+				$db->insertObject('#__modules', $obj, 'id');
+				$inserted++;
+				$moduleId = (int) $obj->id;
+			}
+
+			// Rebuild menu assignments
+			$query = $db->getQuery(true)
+				->delete($db->quoteName('#__modules_menu'))
+				->where($db->quoteName('moduleid') . ' = ' . $moduleId);
+			$db->setQuery($query);
+			$db->execute();
+
+			$assignment = $mod['menu_assignment'] ?? [];
+			$assignType = (int) ($assignment['assignment'] ?? 0);
+			$aliases    = $assignment['menu_item_aliases'] ?? [];
+
+			if ($assignType === 0 || empty($aliases))
+			{
+				// All pages
+				$obj = (object) ['moduleid' => $moduleId, 'menuid' => 0];
+				$db->insertObject('#__modules_menu', $obj);
+			}
+			else
+			{
+				foreach ($aliases as $aliasRef)
+				{
+					// Format: "menutype:alias"
+					$parts = explode(':', $aliasRef, 2);
+
+					if (count($parts) !== 2)
+					{
+						continue;
+					}
+
+					$menuId = $this->resolveMenuAlias($parts[0], $parts[1]);
+
+					if ($menuId > 0)
+					{
+						$menuidValue = $assignType === -1 ? -$menuId : $menuId;
+						$obj = (object) ['moduleid' => $moduleId, 'menuid' => $menuidValue];
+						$db->insertObject('#__modules_menu', $obj);
+					}
+					else
+					{
+						$this->warnings[] = 'Module "' . $title . '": menu item "' . $aliasRef . '" not found';
+					}
+				}
+			}
+		}
+
+		return ['inserted' => $inserted, 'updated' => $updated];
+	}
+
+	/**
+	 * Resolve a category alias path to a local category ID.
+	 *
+	 * @param   string  $path  Slash-delimited alias path (e.g. "blog/news")
+	 *
+	 * @return  int  Category ID, or 0 if not found
+	 *
+	 * @since   02.21.00
+	 */
+	private function resolveCategoryPath(string $path): int
+	{
+		if (isset($this->catPathCache[$path]))
+		{
+			return $this->catPathCache[$path];
+		}
+
+		$db       = $this->db;
+		$segments = explode('/', $path);
+		$parentId = 1;
+
+		foreach ($segments as $segment)
+		{
+			$query = $db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__categories'))
+				->where($db->quoteName('alias') . ' = ' . $db->quote($segment))
+				->where($db->quoteName('parent_id') . ' = ' . $parentId)
+				->where($db->quoteName('extension') . ' = ' . $db->quote('com_content'));
+
+			$db->setQuery($query);
+			$id = (int) $db->loadResult();
+
+			if ($id === 0)
+			{
+				$this->catPathCache[$path] = 0;
+
+				return 0;
+			}
+
+			$parentId = $id;
+		}
+
+		$this->catPathCache[$path] = $parentId;
+
+		return $parentId;
+	}
+
+	/**
+	 * Resolve a menu item alias to a local menu ID.
+	 *
+	 * @param   string  $menutype  Menu type key
+	 * @param   string  $alias     Menu item alias
+	 *
+	 * @return  int  Menu item ID, or 0 if not found
+	 *
+	 * @since   02.21.00
+	 */
+	private function resolveMenuAlias(string $menutype, string $alias): int
+	{
+		$db    = $this->db;
+		$query = $db->getQuery(true)
+			->select($db->quoteName('id'))
+			->from($db->quoteName('#__menu'))
+			->where($db->quoteName('alias') . ' = ' . $db->quote($alias))
+			->where($db->quoteName('menutype') . ' = ' . $db->quote($menutype))
+			->where($db->quoteName('client_id') . ' = 0');
+
+		$db->setQuery($query);
+
+		return (int) $db->loadResult();
+	}
+
+	/**
+	 * Rebuild the nested set (lft/rgt) for the category tree.
+	 *
+	 * Uses Joomla's built-in Table rebuild method.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	private function rebuildCategoryTree(): void
+	{
+		try
+		{
+			$table = \Joomla\CMS\Table\Table::getInstance('Category');
+			$table->rebuild();
+		}
+		catch (\Throwable $e)
+		{
+			$this->warnings[] = 'Category tree rebuild failed: ' . $e->getMessage();
+		}
+	}
+
+	/**
+	 * Rebuild the nested set (lft/rgt) for a menu type.
+	 *
+	 * @param   string  $menutype  Menu type to rebuild
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	private function rebuildMenuTree(string $menutype): void
+	{
+		try
+		{
+			$table = \Joomla\CMS\Table\Table::getInstance('Menu');
+			$table->rebuild();
+		}
+		catch (\Throwable $e)
+		{
+			$this->warnings[] = 'Menu tree rebuild failed for "' . $menutype . '": ' . $e->getMessage();
+		}
+	}
+}
@@ -0,0 +1,634 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_system_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
+ * PATH: /src/packages/plg_system_mokowaas/Service/ContentSyncService.php
+ * VERSION: 02.27.00
+ * BRIEF: Sender-side content sync — builds payload and pushes to remote sites
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Service;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Log\Log;
+use Joomla\CMS\Uri\Uri;
+
+/**
+ * Content Sync Service — builds a JSON payload of site content and pushes
+ * it to one or more remote MokoWaaS sites.
+ *
+ * Content is matched by alias on the receiving end (upsert-by-alias).
+ * Category IDs in menu item links are encoded as {catid:alias/path} tokens
+ * so the receiver can resolve them to local IDs.
+ *
+ * @since  02.21.00
+ */
+class ContentSyncService
+{
+	/**
+	 * Maximum items per content type to prevent unbounded memory.
+	 *
+	 * @var    int
+	 * @since  02.21.00
+	 */
+	private const MAX_ITEMS = 2000;
+
+	/**
+	 * HTTP timeout for push requests in seconds.
+	 *
+	 * @var    int
+	 * @since  02.21.00
+	 */
+	private const HTTP_TIMEOUT = 60;
+
+	/**
+	 * @var    \Joomla\Database\DatabaseInterface
+	 * @since  02.21.00
+	 */
+	private $db;
+
+	/**
+	 * Category ID → alias path map cache.
+	 *
+	 * @var    array
+	 * @since  02.21.00
+	 */
+	private array $catPathMap = [];
+
+	/**
+	 * Constructor.
+	 *
+	 * @param   \Joomla\Database\DatabaseInterface|null  $db  Database driver
+	 *
+	 * @since   02.21.00
+	 */
+	public function __construct($db = null)
+	{
+		$this->db = $db ?: Factory::getDbo();
+	}
+
+	/**
+	 * Build the full sync payload from local content.
+	 *
+	 * @return  array  Structured payload ready for JSON encoding
+	 *
+	 * @since   02.21.00
+	 */
+	public function buildPayload(): array
+	{
+		$this->catPathMap = $this->buildCategoryPathMap();
+
+		return [
+			'mokowaas_sync' => '1.0',
+			'source_site'   => rtrim(Uri::root(), '/'),
+			'generated_at'  => gmdate('Y-m-d\TH:i:s\Z'),
+			'categories'    => $this->buildCategoryPayload(),
+			'articles'      => $this->buildArticlePayload(),
+			'menu_types'    => $this->buildMenuTypePayload(),
+			'menu_items'    => $this->buildMenuItemPayload(),
+			'modules'       => $this->buildModulePayload(),
+		];
+	}
+
+	/**
+	 * Push the sync payload to a single target site.
+	 *
+	 * @param   string  $targetUrl  Base URL of the target site
+	 * @param   string  $token      health_api_token for the target
+	 *
+	 * @return  array  Result with status, message, and per-type counts
+	 *
+	 * @since   02.21.00
+	 */
+	public function pushToTarget(string $targetUrl, string $token): array
+	{
+		$payload  = $this->buildPayload();
+		$jsonBody = json_encode($payload, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+		$endpoint = rtrim($targetUrl, '/') . '/?mokowaas=sync-receive';
+
+		$context = stream_context_create([
+			'http' => [
+				'method'        => 'POST',
+				'header'        => "Authorization: Bearer {$token}\r\nContent-Type: application/json\r\n",
+				'content'       => $jsonBody,
+				'timeout'       => self::HTTP_TIMEOUT,
+				'ignore_errors' => true,
+			],
+			'ssl' => [
+				'verify_peer'      => false,
+				'verify_peer_name' => false,
+			],
+		]);
+
+		$response = @file_get_contents($endpoint, false, $context);
+
+		if ($response === false)
+		{
+			return [
+				'status'  => 'error',
+				'target'  => $targetUrl,
+				'message' => 'Connection failed — target unreachable',
+			];
+		}
+
+		// Parse HTTP status from response headers
+		$httpCode = 0;
+
+		if (isset($http_response_header[0]))
+		{
+			preg_match('/\d{3}/', $http_response_header[0], $matches);
+			$httpCode = (int) ($matches[0] ?? 0);
+		}
+
+		$result = json_decode($response, true);
+
+		if ($httpCode >= 400 || !$result)
+		{
+			return [
+				'status'    => 'error',
+				'target'    => $targetUrl,
+				'http_code' => $httpCode,
+				'message'   => $result['error'] ?? $result['message'] ?? 'Unknown error from target',
+			];
+		}
+
+		$result['target'] = $targetUrl;
+
+		return $result;
+	}
+
+	/**
+	 * Push content to all configured sync targets.
+	 *
+	 * @param   array  $targets  Array of ['url' => ..., 'token' => ..., 'label' => ...]
+	 *
+	 * @return  array  Per-target results
+	 *
+	 * @since   02.21.00
+	 */
+	public function syncAllTargets(array $targets): array
+	{
+		$results = [];
+
+		foreach ($targets as $target)
+		{
+			$url   = $target['url'] ?? '';
+			$token = $target['token'] ?? '';
+			$label = $target['label'] ?? $url;
+
+			if (empty($url) || empty($token))
+			{
+				$results[] = [
+					'status'  => 'skipped',
+					'target'  => $label,
+					'message' => 'Missing URL or token',
+				];
+				continue;
+			}
+
+			try
+			{
+				$result = $this->pushToTarget($url, $token);
+				$result['label'] = $label;
+				$results[] = $result;
+			}
+			catch (\Throwable $e)
+			{
+				$results[] = [
+					'status'  => 'error',
+					'target'  => $label,
+					'message' => $e->getMessage(),
+				];
+			}
+		}
+
+		Log::add(
+			sprintf('Content sync pushed to %d target(s)', count($targets)),
+			Log::INFO,
+			'mokowaas'
+		);
+
+		return [
+			'status'  => 'ok',
+			'message' => sprintf('Sync completed for %d target(s)', count($results)),
+			'targets' => $results,
+		];
+	}
+
+	/**
+	 * Build category ID → alias path map.
+	 *
+	 * @return  array  [id => 'parent-alias/child-alias']
+	 *
+	 * @since   02.21.00
+	 */
+	private function buildCategoryPathMap(): array
+	{
+		$db    = $this->db;
+		$query = $db->getQuery(true)
+			->select([$db->quoteName('id'), $db->quoteName('alias'), $db->quoteName('parent_id')])
+			->from($db->quoteName('#__categories'))
+			->where($db->quoteName('extension') . ' = ' . $db->quote('com_content'))
+			->where($db->quoteName('published') . ' != -2')
+			->where($db->quoteName('id') . ' > 1');
+
+		$db->setQuery($query);
+		$rows = $db->loadAssocList('id');
+
+		$map = [];
+
+		foreach ($rows as $id => $row)
+		{
+			$map[$id] = $this->resolvePathFromRows($id, $rows);
+		}
+
+		return $map;
+	}
+
+	/**
+	 * Recursively build alias path for a category ID.
+	 *
+	 * @param   int    $id    Category ID
+	 * @param   array  $rows  All category rows keyed by ID
+	 *
+	 * @return  string  Slash-delimited alias path
+	 *
+	 * @since   02.21.00
+	 */
+	private function resolvePathFromRows(int $id, array $rows): string
+	{
+		if (!isset($rows[$id]))
+		{
+			return '';
+		}
+
+		$row = $rows[$id];
+		$parentId = (int) $row['parent_id'];
+
+		if ($parentId <= 1 || !isset($rows[$parentId]))
+		{
+			return $row['alias'];
+		}
+
+		return $this->resolvePathFromRows($parentId, $rows) . '/' . $row['alias'];
+	}
+
+	/**
+	 * Build category payload.
+	 *
+	 * @return  array
+	 *
+	 * @since   02.21.00
+	 */
+	private function buildCategoryPayload(): array
+	{
+		$db    = $this->db;
+		$query = $db->getQuery(true)
+			->select([
+				$db->quoteName('id'),
+				$db->quoteName('title'),
+				$db->quoteName('alias'),
+				$db->quoteName('description'),
+				$db->quoteName('published'),
+				$db->quoteName('access'),
+				$db->quoteName('language'),
+				$db->quoteName('params'),
+				$db->quoteName('metadata'),
+			])
+			->from($db->quoteName('#__categories'))
+			->where($db->quoteName('extension') . ' = ' . $db->quote('com_content'))
+			->where($db->quoteName('published') . ' != -2')
+			->where($db->quoteName('id') . ' > 1')
+			->order($db->quoteName('lft') . ' ASC')
+			->setLimit(self::MAX_ITEMS);
+
+		$db->setQuery($query);
+		$rows = $db->loadAssocList();
+
+		$categories = [];
+
+		foreach ($rows as $row)
+		{
+			$categories[] = [
+				'title'       => $row['title'],
+				'alias'       => $row['alias'],
+				'path'        => $this->catPathMap[(int) $row['id']] ?? $row['alias'],
+				'description' => $row['description'] ?? '',
+				'published'   => (int) $row['published'],
+				'access'      => (int) $row['access'],
+				'language'    => $row['language'],
+				'params'      => json_decode($row['params'] ?: '{}', true),
+				'metadata'    => json_decode($row['metadata'] ?: '{}', true),
+			];
+		}
+
+		return $categories;
+	}
+
+	/**
+	 * Build article payload.
+	 *
+	 * @return  array
+	 *
+	 * @since   02.21.00
+	 */
+	private function buildArticlePayload(): array
+	{
+		$db    = $this->db;
+		$query = $db->getQuery(true)
+			->select([
+				$db->quoteName('title'),
+				$db->quoteName('alias'),
+				$db->quoteName('introtext'),
+				$db->quoteName('fulltext'),
+				$db->quoteName('state'),
+				$db->quoteName('catid'),
+				$db->quoteName('access'),
+				$db->quoteName('language'),
+				$db->quoteName('featured'),
+				$db->quoteName('publish_up'),
+				$db->quoteName('publish_down'),
+				$db->quoteName('metadata'),
+				$db->quoteName('attribs'),
+				$db->quoteName('images'),
+				$db->quoteName('urls'),
+			])
+			->from($db->quoteName('#__content'))
+			->where($db->quoteName('state') . ' != -2')
+			->order($db->quoteName('id') . ' ASC')
+			->setLimit(self::MAX_ITEMS);
+
+		$db->setQuery($query);
+		$rows = $db->loadAssocList();
+
+		$articles = [];
+
+		foreach ($rows as $row)
+		{
+			$articles[] = [
+				'title'            => $row['title'],
+				'alias'            => $row['alias'],
+				'introtext'        => $row['introtext'],
+				'fulltext'         => $row['fulltext'],
+				'state'            => (int) $row['state'],
+				'catid_alias_path' => $this->catPathMap[(int) $row['catid']] ?? 'uncategorised',
+				'access'           => (int) $row['access'],
+				'language'         => $row['language'],
+				'featured'         => (int) $row['featured'],
+				'publish_up'       => $row['publish_up'],
+				'publish_down'     => $row['publish_down'],
+				'metadata'         => json_decode($row['metadata'] ?: '{}', true),
+				'attribs'          => json_decode($row['attribs'] ?: '{}', true),
+				'images'           => json_decode($row['images'] ?: '{}', true),
+				'urls'             => json_decode($row['urls'] ?: '{}', true),
+			];
+		}
+
+		return $articles;
+	}
+
+	/**
+	 * Build menu type payload.
+	 *
+	 * @return  array
+	 *
+	 * @since   02.21.00
+	 */
+	private function buildMenuTypePayload(): array
+	{
+		$db    = $this->db;
+		$query = $db->getQuery(true)
+			->select([
+				$db->quoteName('title'),
+				$db->quoteName('menutype'),
+				$db->quoteName('description'),
+			])
+			->from($db->quoteName('#__menu_types'));
+
+		$db->setQuery($query);
+
+		return $db->loadAssocList() ?: [];
+	}
+
+	/**
+	 * Build menu item payload with {catid:path} tokens in links.
+	 *
+	 * @return  array
+	 *
+	 * @since   02.21.00
+	 */
+	private function buildMenuItemPayload(): array
+	{
+		$db    = $this->db;
+		$query = $db->getQuery(true)
+			->select([
+				$db->quoteName('a.title'),
+				$db->quoteName('a.alias'),
+				$db->quoteName('a.menutype'),
+				$db->quoteName('a.parent_id'),
+				$db->quoteName('a.link'),
+				$db->quoteName('a.type'),
+				$db->quoteName('a.published'),
+				$db->quoteName('a.access'),
+				$db->quoteName('a.language'),
+				$db->quoteName('a.params'),
+				$db->quoteName('a.home'),
+				$db->quoteName('a.component_id'),
+				$db->quoteName('b.alias', 'parent_alias'),
+			])
+			->from($db->quoteName('#__menu', 'a'))
+			->leftJoin(
+				$db->quoteName('#__menu', 'b') . ' ON '
+				. $db->quoteName('a.parent_id') . ' = ' . $db->quoteName('b.id')
+			)
+			->where($db->quoteName('a.published') . ' != -2')
+			->where($db->quoteName('a.client_id') . ' = 0')
+			->where($db->quoteName('a.level') . ' >= 1')
+			->order($db->quoteName('a.lft') . ' ASC')
+			->setLimit(self::MAX_ITEMS);
+
+		$db->setQuery($query);
+		$rows = $db->loadAssocList();
+
+		// Get component name map
+		$compQuery = $db->getQuery(true)
+			->select([$db->quoteName('extension_id'), $db->quoteName('element')])
+			->from($db->quoteName('#__extensions'))
+			->where($db->quoteName('type') . ' = ' . $db->quote('component'));
+		$db->setQuery($compQuery);
+		$components = $db->loadAssocList('extension_id') ?: [];
+
+		$items = [];
+
+		foreach ($rows as $row)
+		{
+			$link = $row['link'];
+
+			// Encode category IDs in com_content links as {catid:path} tokens
+			if (preg_match('/option=com_content/', $link) && preg_match('/&id=(\d+)/', $link, $m))
+			{
+				$catId = (int) $m[1];
+
+				if (isset($this->catPathMap[$catId]))
+				{
+					$link = preg_replace('/&id=\d+/', '&id={catid:' . $this->catPathMap[$catId] . '}', $link);
+				}
+			}
+
+			$compName = '';
+
+			if (!empty($row['component_id']) && isset($components[$row['component_id']]))
+			{
+				$compName = $components[$row['component_id']]['element'];
+			}
+
+			// Root-level items have parent_id=1 (Joomla's root menu item)
+			$parentAlias = ((int) $row['parent_id'] <= 1) ? '' : ($row['parent_alias'] ?? '');
+
+			$items[] = [
+				'title'          => $row['title'],
+				'alias'          => $row['alias'],
+				'menutype'       => $row['menutype'],
+				'parent_alias'   => $parentAlias,
+				'link'           => $link,
+				'type'           => $row['type'],
+				'component_name' => $compName,
+				'published'      => (int) $row['published'],
+				'access'         => (int) $row['access'],
+				'language'       => $row['language'],
+				'params'         => json_decode($row['params'] ?: '{}', true),
+				'home'           => (int) $row['home'],
+			];
+		}
+
+		return $items;
+	}
+
+	/**
+	 * Build module payload with menu assignments.
+	 *
+	 * @return  array
+	 *
+	 * @since   02.21.00
+	 */
+	private function buildModulePayload(): array
+	{
+		$db    = $this->db;
+		$query = $db->getQuery(true)
+			->select([
+				$db->quoteName('id'),
+				$db->quoteName('title'),
+				$db->quoteName('module'),
+				$db->quoteName('position'),
+				$db->quoteName('content'),
+				$db->quoteName('published'),
+				$db->quoteName('access'),
+				$db->quoteName('language'),
+				$db->quoteName('params'),
+				$db->quoteName('client_id'),
+			])
+			->from($db->quoteName('#__modules'))
+			->where($db->quoteName('client_id') . ' = 0')
+			->where($db->quoteName('published') . ' != -2')
+			->order($db->quoteName('ordering') . ' ASC')
+			->setLimit(self::MAX_ITEMS);
+
+		$db->setQuery($query);
+		$rows = $db->loadAssocList();
+
+		// Get all module-menu assignments
+		$mmQuery = $db->getQuery(true)
+			->select([
+				$db->quoteName('mm.moduleid'),
+				$db->quoteName('mm.menuid'),
+				$db->quoteName('m.alias', 'menu_alias'),
+				$db->quoteName('m.menutype'),
+			])
+			->from($db->quoteName('#__modules_menu', 'mm'))
+			->leftJoin(
+				$db->quoteName('#__menu', 'm') . ' ON '
+				. $db->quoteName('mm.menuid') . ' = ' . $db->quoteName('m.id')
+			);
+		$db->setQuery($mmQuery);
+		$allAssignments = $db->loadAssocList();
+
+		// Group assignments by module ID
+		$assignmentsByModule = [];
+
+		foreach ($allAssignments as $a)
+		{
+			$assignmentsByModule[(int) $a['moduleid']][] = $a;
+		}
+
+		$modules = [];
+
+		foreach ($rows as $row)
+		{
+			$moduleId    = (int) $row['id'];
+			$assignments = $assignmentsByModule[$moduleId] ?? [];
+
+			// Determine assignment type: 0 = all pages, positive = selected, negative = excluded
+			$menuAliases  = [];
+			$assignType   = 0;
+
+			if (!empty($assignments))
+			{
+				$firstMenuId = (int) $assignments[0]['menuid'];
+
+				if ($firstMenuId === 0)
+				{
+					$assignType = 0; // All pages
+				}
+				elseif ($firstMenuId < 0)
+				{
+					$assignType = -1; // All except selected
+					foreach ($assignments as $a)
+					{
+						if (!empty($a['menu_alias']))
+						{
+							$menuAliases[] = $a['menutype'] . ':' . $a['menu_alias'];
+						}
+					}
+				}
+				else
+				{
+					$assignType = 1; // Selected only
+					foreach ($assignments as $a)
+					{
+						if (!empty($a['menu_alias']))
+						{
+							$menuAliases[] = $a['menutype'] . ':' . $a['menu_alias'];
+						}
+					}
+				}
+			}
+
+			$modules[] = [
+				'title'           => $row['title'],
+				'module'          => $row['module'],
+				'position'        => $row['position'],
+				'content'         => $row['content'],
+				'published'       => (int) $row['published'],
+				'access'          => (int) $row['access'],
+				'language'        => $row['language'],
+				'params'          => json_decode($row['params'] ?: '{}', true),
+				'client_id'       => (int) $row['client_id'],
+				'menu_assignment' => [
+					'assignment'        => $assignType,
+					'menu_item_aliases' => $menuAliases,
+				],
+			];
+		}
+
+		return $modules;
+	}
+}
@@ -0,0 +1,606 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_system_mokowaas
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
+ * PATH: /src/packages/plg_system_mokowaas/Service/DemoResetService.php
+ * VERSION: 02.27.00
+ * BRIEF: Content-only snapshot/restore for demo site reset
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Service;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Log\Log;
+
+/**
+ * Demo Reset Service — content-only snapshot and restore.
+ *
+ * Only touches safe content tables (articles, categories, menus, modules,
+ * users, tags, fields). Never touches extensions, assets, sessions,
+ * schemas, update sites, or any system tables.
+ *
+ * @since  02.30.00
+ */
+class DemoResetService
+{
+	private const MAX_NAME_LENGTH = 64;
+	private const BATCH_SIZE = 500;
+
+	/**
+	 * Safe content tables to snapshot/restore.
+	 * These can be wiped and restored without breaking the Joomla installation.
+	 */
+	private const SAFE_TABLES = [
+		// Content
+		'#__content',
+		'#__content_frontpage',
+		'#__categories',
+		'#__fields',
+		'#__fields_values',
+		'#__fields_groups',
+		'#__tags',
+		'#__contentitem_tag_map',
+		'#__ucm_content',
+
+		// Menus
+		'#__menu',
+		'#__menu_types',
+
+		// Modules
+		'#__modules',
+		'#__modules_menu',
+
+		// Users
+		'#__users',
+		'#__user_usergroup_map',
+		'#__user_profiles',
+
+		// Contact
+		'#__contact_details',
+
+		// Banners
+		'#__banners',
+		'#__banner_clients',
+		'#__banner_tracks',
+
+		// Community Builder
+		'#__comprofiler',
+		'#__comprofiler_fields',
+		'#__comprofiler_field_values',
+		'#__comprofiler_tabs',
+		'#__comprofiler_members',
+		'#__comprofiler_lists',
+		'#__comprofiler_plugin',
+		'#__comprofiler_userreports',
+	];
+
+	/**
+	 * @var string
+	 */
+	private string $snapshotDir;
+
+	/**
+	 * @var bool
+	 */
+	private bool $includeMedia;
+
+	/**
+	 * @param   bool    $includeMedia  Include /images/ directory
+	 * @param   string  $baseDir       Override snapshot root
+	 */
+	public function __construct(bool $includeMedia = true, string $baseDir = '')
+	{
+		$this->includeMedia = $includeMedia;
+		$this->snapshotDir  = $baseDir ?: JPATH_ROOT . '/mokowaas-snapshots';
+	}
+
+	/**
+	 * List all available snapshots.
+	 *
+	 * @return  array
+	 */
+	public function listSnapshots(): array
+	{
+		$snapshots = [];
+
+		if (!is_dir($this->snapshotDir))
+		{
+			return $snapshots;
+		}
+
+		foreach (glob($this->snapshotDir . '/*/manifest.json') as $path)
+		{
+			$data = json_decode(file_get_contents($path), true);
+
+			if ($data && isset($data['name']))
+			{
+				$snapshots[$data['name']] = $data;
+			}
+		}
+
+		return $snapshots;
+	}
+
+	/**
+	 * Create a content snapshot.
+	 *
+	 * @param   string  $name  Snapshot name
+	 *
+	 * @return  array  Result
+	 */
+	public function createSnapshot(string $name): array
+	{
+		$this->validateSnapshotName($name);
+		$this->ensureSnapshotDir();
+
+		$path = $this->getSnapshotPath($name);
+
+		if (is_dir($path))
+		{
+			$this->removeDirectory($path);
+		}
+
+		mkdir($path, 0755, true);
+
+		$db     = Factory::getDbo();
+		$prefix = $db->getPrefix();
+		$allTables = $db->getTableList();
+		$dumped = 0;
+
+		foreach (self::SAFE_TABLES as $logicalName)
+		{
+			$realName = str_replace('#__', $prefix, $logicalName);
+
+			if (!in_array($realName, $allTables))
+			{
+				continue;
+			}
+
+			$this->dumpTable($logicalName, $realName, $path, $db);
+			$dumped++;
+		}
+
+		// Media
+		$hasMedia = false;
+
+		if ($this->includeMedia && is_dir(JPATH_ROOT . '/images'))
+		{
+			$hasMedia = $this->zipDirectory(JPATH_ROOT . '/images', $path . '/media.zip');
+		}
+
+		$manifest = [
+			'name'           => $name,
+			'created_at'     => gmdate('Y-m-d\TH:i:s\Z'),
+			'type'           => 'content-only',
+			'tables'         => $dumped,
+			'has_media'      => $hasMedia,
+			'joomla_version' => JVERSION,
+		];
+
+		file_put_contents($path . '/manifest.json', json_encode($manifest, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
+
+		Log::add(sprintf('Demo snapshot "%s" created (%d tables, media=%s)', $name, $dumped, $hasMedia ? 'yes' : 'no'), Log::INFO, 'mokowaas');
+
+		return [
+			'status'    => 'ok',
+			'message'   => 'Snapshot created',
+			'name'      => $name,
+			'tables'    => $dumped,
+			'has_media' => $hasMedia,
+		];
+	}
+
+	/**
+	 * Restore from a snapshot.
+	 *
+	 * @param   string  $name  Snapshot name
+	 *
+	 * @return  array  Result
+	 */
+	public function restoreSnapshot(string $name): array
+	{
+		$this->validateSnapshotName($name);
+
+		$path     = $this->getSnapshotPath($name);
+		$manifest = $path . '/manifest.json';
+
+		if (!file_exists($manifest))
+		{
+			throw new \RuntimeException('Snapshot not found: ' . $name);
+		}
+
+		$manifestData = json_decode(file_get_contents($manifest), true);
+
+		// Clear cache
+		try { Factory::getCache('')->clean(''); } catch (\Throwable $e) {}
+
+		$db       = Factory::getDbo();
+		$prefix   = $db->getPrefix();
+		$restored = 0;
+		$sqlFiles = glob($path . '/*.sql');
+
+		foreach ($sqlFiles as $sqlFile)
+		{
+			try
+			{
+				$this->restoreTable($sqlFile, $db, $prefix);
+				$restored++;
+			}
+			catch (\Throwable $e)
+			{
+				Log::add('Demo reset: failed to restore ' . basename($sqlFile) . ': ' . $e->getMessage(), Log::ERROR, 'mokowaas');
+			}
+		}
+
+		// Restore /images/
+		$mediaRestored = false;
+
+		if (($manifestData['has_media'] ?? false) && file_exists($path . '/media.zip'))
+		{
+			$this->clearDirectory(JPATH_ROOT . '/images');
+			$zip = new \ZipArchive();
+
+			if ($zip->open($path . '/media.zip') === true)
+			{
+				$zip->extractTo(JPATH_ROOT . '/images');
+				$zip->close();
+				$mediaRestored = true;
+			}
+		}
+
+		// Rebuild assets table to fix ACL after content restore
+		$this->rebuildAssets();
+
+		Log::add(sprintf('Demo site reset (%d tables, media=%s)', $restored, $mediaRestored ? 'yes' : 'no'), Log::WARNING, 'mokowaas');
+
+		return [
+			'status'          => 'ok',
+			'message'         => 'Site content restored',
+			'baseline'        => $name,
+			'restored_tables' => $restored,
+			'media_restored'  => $mediaRestored,
+		];
+	}
+
+	/**
+	 * Delete a snapshot.
+	 */
+	public function deleteSnapshot(string $name): bool
+	{
+		$this->validateSnapshotName($name);
+		$path = $this->getSnapshotPath($name);
+
+		if (!is_dir($path))
+		{
+			return false;
+		}
+
+		$this->removeDirectory($path);
+
+		return true;
+	}
+
+	/**
+	 * Rebuild the assets table after content restore.
+	 *
+	 * Deletes content-related asset entries (which now have stale IDs)
+	 * and rebuilds them using Joomla's Table classes. Extension and
+	 * component-level assets are left untouched.
+	 *
+	 * @return  void
+	 */
+	private function rebuildAssets(): void
+	{
+		try
+		{
+			$db = Factory::getDbo();
+
+			// Delete content-level assets (articles, categories, modules, etc.)
+			// Keep component-level and root assets intact
+			$contentAssetPrefixes = [
+				'com_content.article.%',
+				'com_content.category.%',
+				'com_contact.contact.%',
+				'com_banners.banner.%',
+				'com_banners.category.%',
+				'com_modules.module.%',
+				'com_menus.menu.%',
+				'com_users.user.%',
+			];
+
+			foreach ($contentAssetPrefixes as $prefix)
+			{
+				$db->setQuery(
+					$db->getQuery(true)
+						->delete($db->quoteName('#__assets'))
+						->where($db->quoteName('name') . ' LIKE ' . $db->quote($prefix))
+				);
+				$db->execute();
+			}
+
+			// Rebuild category tree (also fixes category assets)
+			$catTable = \Joomla\CMS\Table\Table::getInstance('Category');
+
+			if ($catTable)
+			{
+				$catTable->rebuild();
+			}
+
+			// Rebuild menu tree
+			$menuTable = \Joomla\CMS\Table\Table::getInstance('Menu');
+
+			if ($menuTable)
+			{
+				$menuTable->rebuild();
+			}
+
+			// Rebuild asset tree
+			$assetTable = \Joomla\CMS\Table\Table::getInstance('Asset');
+
+			if ($assetTable)
+			{
+				$assetTable->rebuild();
+			}
+
+			// Re-create assets for content items that lost theirs
+			$this->fixContentAssets($db);
+		}
+		catch (\Throwable $e)
+		{
+			Log::add('Asset rebuild warning: ' . $e->getMessage(), Log::WARNING, 'mokowaas');
+		}
+	}
+
+	/**
+	 * Re-create missing asset entries for content items.
+	 *
+	 * After deleting stale assets and restoring content, some items
+	 * may reference asset_id=0. This creates new asset rows for them.
+	 *
+	 * @param   \Joomla\Database\DatabaseInterface  $db
+	 *
+	 * @return  void
+	 */
+	private function fixContentAssets($db): void
+	{
+		// Fix articles with missing assets
+		$query = $db->getQuery(true)
+			->select([$db->quoteName('id'), $db->quoteName('title'), $db->quoteName('alias')])
+			->from($db->quoteName('#__content'))
+			->where($db->quoteName('asset_id') . ' = 0');
+
+		$db->setQuery($query);
+		$articles = $db->loadAssocList() ?: [];
+
+		// Find the com_content component asset as parent
+		$db->setQuery(
+			$db->getQuery(true)
+				->select($db->quoteName('id'))
+				->from($db->quoteName('#__assets'))
+				->where($db->quoteName('name') . ' = ' . $db->quote('com_content'))
+		);
+		$contentAssetId = (int) $db->loadResult();
+
+		foreach ($articles as $article)
+		{
+			$assetName = 'com_content.article.' . (int) $article['id'];
+
+			$asset = (object) [
+				'parent_id' => $contentAssetId ?: 1,
+				'lft'       => 0,
+				'rgt'       => 0,
+				'level'     => 0,
+				'name'      => $assetName,
+				'title'     => $article['title'],
+				'rules'     => '{}',
+			];
+
+			$db->insertObject('#__assets', $asset, 'id');
+
+			// Update content row with new asset_id
+			$db->setQuery(
+				$db->getQuery(true)
+					->update($db->quoteName('#__content'))
+					->set($db->quoteName('asset_id') . ' = ' . (int) $asset->id)
+					->where($db->quoteName('id') . ' = ' . (int) $article['id'])
+			);
+			$db->execute();
+		}
+
+		// Rebuild asset tree again after inserts
+		try
+		{
+			$assetTable = \Joomla\CMS\Table\Table::getInstance('Asset');
+
+			if ($assetTable)
+			{
+				$assetTable->rebuild();
+			}
+		}
+		catch (\Throwable $e)
+		{
+			// Best effort
+		}
+	}
+
+	// ------------------------------------------------------------------
+	// Private helpers
+	// ------------------------------------------------------------------
+
+	private function dumpTable(string $logicalName, string $realName, string $dir, $db): void
+	{
+		$safeFileName = str_replace('#__', 'jml__', $logicalName);
+		$fp = fopen($dir . '/' . $safeFileName . '.sql', 'w');
+
+		$columns  = $db->getTableColumns($realName, false);
+		$colNames = array_keys($columns);
+		$quotedCols = array_map([$db, 'quoteName'], $colNames);
+		$colList  = implode(', ', $quotedCols);
+		$offset   = 0;
+
+		while (true)
+		{
+			$query = $db->getQuery(true)
+				->select('*')
+				->from($db->quoteName($realName))
+				->setLimit(self::BATCH_SIZE, $offset);
+
+			$db->setQuery($query);
+			$rows = $db->loadAssocList();
+
+			if (empty($rows))
+			{
+				break;
+			}
+
+			$values = [];
+
+			foreach ($rows as $row)
+			{
+				$vals = [];
+
+				foreach ($colNames as $col)
+				{
+					$vals[] = $row[$col] === null ? 'NULL' : $db->quote($row[$col]);
+				}
+
+				$values[] = '(' . implode(', ', $vals) . ')';
+			}
+
+			fwrite($fp, 'INSERT INTO ' . $db->quoteName($realName) . ' (' . $colList . ') VALUES ' . "\n" . implode(",\n", $values) . ";\n\n");
+
+			$offset += self::BATCH_SIZE;
+
+			if (count($rows) < self::BATCH_SIZE)
+			{
+				break;
+			}
+		}
+
+		fclose($fp);
+	}
+
+	private function restoreTable(string $sqlFile, $db, string $prefix): void
+	{
+		$baseName  = basename($sqlFile, '.sql');
+		$realTable = str_replace('jml__', $prefix, $baseName);
+
+		$db->setQuery('TRUNCATE TABLE ' . $db->quoteName($realTable));
+		$db->execute();
+
+		$sql = file_get_contents($sqlFile);
+
+		if (empty(trim($sql)))
+		{
+			return;
+		}
+
+		$statements = array_filter(
+			array_map('trim', explode(";\n", $sql)),
+			function ($s) { return !empty($s) && $s !== ';'; }
+		);
+
+		foreach ($statements as $statement)
+		{
+			$statement = rtrim($statement, ';');
+
+			if (empty($statement))
+			{
+				continue;
+			}
+
+			$db->setQuery($statement);
+			$db->execute();
+		}
+	}
+
+	private function zipDirectory(string $sourceDir, string $zipPath): bool
+	{
+		$zip = new \ZipArchive();
+
+		if ($zip->open($zipPath, \ZipArchive::CREATE | \ZipArchive::OVERWRITE) !== true)
+		{
+			return false;
+		}
+
+		$iterator = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($sourceDir, \RecursiveDirectoryIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::SELF_FIRST
+		);
+
+		foreach ($iterator as $item)
+		{
+			$rel = str_replace('\\', '/', substr($item->getPathname(), strlen($sourceDir) + 1));
+			$item->isDir() ? $zip->addEmptyDir($rel) : $zip->addFile($item->getPathname(), $rel);
+		}
+
+		$zip->close();
+
+		return true;
+	}
+
+	private function ensureSnapshotDir(): void
+	{
+		if (!is_dir($this->snapshotDir))
+		{
+			mkdir($this->snapshotDir, 0755, true);
+		}
+
+		if (!file_exists($this->snapshotDir . '/.htaccess'))
+		{
+			file_put_contents($this->snapshotDir . '/.htaccess', "Deny from all\n");
+		}
+	}
+
+	private function getSnapshotPath(string $name): string
+	{
+		return $this->snapshotDir . '/' . $name;
+	}
+
+	private function validateSnapshotName(string $name): void
+	{
+		if ($name === '' || strlen($name) > self::MAX_NAME_LENGTH || !preg_match('/^[a-zA-Z0-9_-]+$/', $name))
+		{
+			throw new \InvalidArgumentException('Invalid snapshot name');
+		}
+	}
+
+	private function removeDirectory(string $dir): void
+	{
+		$items = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($dir, \RecursiveDirectoryIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		foreach ($items as $item)
+		{
+			$item->isDir() ? @rmdir($item->getPathname()) : @unlink($item->getPathname());
+		}
+
+		@rmdir($dir);
+	}
+
+	private function clearDirectory(string $dir): void
+	{
+		if (!is_dir($dir)) return;
+
+		$items = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($dir, \RecursiveDirectoryIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		foreach ($items as $item)
+		{
+			$item->isDir() ? @rmdir($item->getPathname()) : @unlink($item->getPathname());
+		}
+	}
+}
@@ -0,0 +1 @@
+<!DOCTYPE html><title></title>
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<form>
+	<field name="url" type="url"
+		label="PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_URL_LABEL"
+		description="PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_URL_DESC"
+		required="true" hint="https://client.example.com" />
+	<field name="token" type="text"
+		label="PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_TOKEN_LABEL"
+		description="PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_TOKEN_DESC"
+		required="true" hint="health_api_token from target site" />
+	<field name="label" type="text"
+		label="PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_LABEL_LABEL"
+		description="PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_LABEL_DESC"
+		hint="e.g. Client A" />
+</form>
@@ -16,7 +16,7 @@
 ; Variables: (none)
 ; -----------------------------------------------------------------------------

-PLG_SYSTEM_MOKOWAAS="System - Moko WaaS"
+PLG_SYSTEM_MOKOWAAS="System - MokoWaaS"
 PLG_SYSTEM_MOKOWAAS_XML_DESCRIPTION="This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform."

 PLG_SYSTEM_MOKOWAAS_ENABLE_BRANDING_LABEL="Enable Branding"
@@ -99,6 +99,20 @@ PLG_SYSTEM_MOKOWAAS_DISABLE_INSTALL_URL_DESC="Block installing extensions from U
 PLG_SYSTEM_MOKOWAAS_HIDDEN_MENUS_LABEL="Hidden Menu Items"
 PLG_SYSTEM_MOKOWAAS_HIDDEN_MENUS_DESC="Components to hide from admin menu for non-master users. One per line (e.g., com_installer)."

+; ===== Content Sync fieldset =====
+PLG_SYSTEM_MOKOWAAS_FIELDSET_SYNC_LABEL="Content Sync"
+PLG_SYSTEM_MOKOWAAS_FIELDSET_SYNC_DESC="One-way content push to remote MokoWaaS sites. Syncs articles, categories, menus, and modules by alias."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGETS_LABEL="Sync Targets"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGETS_DESC="Remote sites to push content to. Each target requires the site URL and that site's health API token."
+PLG_SYSTEM_MOKOWAAS_SYNC_PUSH_NOW_LABEL="Push Content Now"
+PLG_SYSTEM_MOKOWAAS_SYNC_PUSH_NOW_DESC="Set to Yes and save to immediately push all content to all configured targets. Resets to No automatically."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_URL_LABEL="Site URL"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_URL_DESC="Full URL of the remote Joomla site (e.g. https://client.example.com)."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_TOKEN_LABEL="API Token"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_TOKEN_DESC="The health_api_token from the remote site's MokoWaaS plugin settings."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_LABEL_LABEL="Label"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_LABEL_DESC="Friendly name for this target (for identification only)."
+
 ; ===== Diagnostics fieldset =====
 PLG_SYSTEM_MOKOWAAS_FIELDSET_DIAGNOSTICS_LABEL="Diagnostics & Monitoring"
 PLG_SYSTEM_MOKOWAAS_FIELDSET_DIAGNOSTICS_DESC="Health check endpoint for external monitoring systems (e.g. Grafana). Exposes system status via a token-authenticated JSON API."
@@ -137,6 +151,35 @@ PLG_SYSTEM_MOKOWAAS_UPLOAD_TYPES_DESC="Comma-separated list of allowed file exte
 PLG_SYSTEM_MOKOWAAS_UPLOAD_SIZE_LABEL="Max Upload Size (MB)"
 PLG_SYSTEM_MOKOWAAS_UPLOAD_SIZE_DESC="Maximum file upload size in megabytes."

+; ===== Demo Mode fieldset =====
+PLG_SYSTEM_MOKOWAAS_FIELDSET_DEMO_LABEL="Demo Mode"
+PLG_SYSTEM_MOKOWAAS_FIELDSET_DEMO_DESC="Configure demo site behavior with baseline snapshots and automatic periodic reset. When enabled, a warning banner is shown on the frontend."
+
+PLG_SYSTEM_MOKOWAAS_DEMO_ENABLED_LABEL="Enable Demo Mode"
+PLG_SYSTEM_MOKOWAAS_DEMO_ENABLED_DESC="When enabled, shows a warning banner on the frontend and enables snapshot/restore functionality."
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_MSG_LABEL="Banner Message"
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_MSG_DESC="Message displayed in the demo warning banner on the frontend."
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_COLOR_LABEL="Banner Color"
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_COLOR_DESC="Background color for the demo warning banner."
+PLG_SYSTEM_MOKOWAAS_DEMO_COUNTDOWN_LABEL="Show Reset Countdown"
+PLG_SYSTEM_MOKOWAAS_DEMO_COUNTDOWN_DESC="Display a countdown timer in the banner showing time until the next scheduled reset."
+PLG_SYSTEM_MOKOWAAS_DEMO_SCHEDULE_LABEL="Reset Schedule"
+PLG_SYSTEM_MOKOWAAS_DEMO_SCHEDULE_DESC="How often the demo site resets. Select a preset or choose Custom to enter a crontab expression."
+PLG_SYSTEM_MOKOWAAS_DEMO_CRON_LABEL="Custom Crontab"
+PLG_SYSTEM_MOKOWAAS_DEMO_CRON_DESC="Crontab expression for the reset schedule. Format: minute hour day month weekday (e.g. 0 */6 * * * for every 6 hours)."
+PLG_SYSTEM_MOKOWAAS_DEMO_NEXT_RESET_LABEL="Next Scheduled Reset"
+PLG_SYSTEM_MOKOWAAS_DEMO_NEXT_RESET_DESC="Calculated automatically from the reset schedule. The banner countdown uses this timestamp."
+PLG_SYSTEM_MOKOWAAS_DEMO_TABLES_LABEL="Snapshot Tables"
+PLG_SYSTEM_MOKOWAAS_DEMO_TABLES_DESC="Database tables to include in snapshots. One per line, using #__ prefix. These tables will be truncated and restored during a reset."
+PLG_SYSTEM_MOKOWAAS_DEMO_MEDIA_LABEL="Include Directories"
+PLG_SYSTEM_MOKOWAAS_DEMO_MEDIA_DESC="Select which directories to include in the snapshot. Images contains uploaded media, Media contains extension assets."
+PLG_SYSTEM_MOKOWAAS_DEMO_ACTIVE_BASELINE_LABEL="Active Baseline Name"
+PLG_SYSTEM_MOKOWAAS_DEMO_ACTIVE_BASELINE_DESC="Name of the baseline snapshot used by admin toggles and scheduled tasks. Alphanumeric, hyphens, and underscores only."
+PLG_SYSTEM_MOKOWAAS_DEMO_TAKE_SNAPSHOT_LABEL="Take Snapshot Now"
+PLG_SYSTEM_MOKOWAAS_DEMO_TAKE_SNAPSHOT_DESC="Save the current site state as a baseline snapshot. Uses the Active Baseline Name above. Resets to No after execution."
+PLG_SYSTEM_MOKOWAAS_DEMO_RESTORE_NOW_LABEL="Restore Baseline Now"
+PLG_SYSTEM_MOKOWAAS_DEMO_RESTORE_NOW_DESC="Immediately restore the site to the active baseline snapshot. WARNING: This will overwrite current content. Resets to No after execution."
+
 ; ===== Site Aliases fieldset =====
 PLG_SYSTEM_MOKOWAAS_FIELDSET_ALIASES_LABEL="Site Aliases"
 PLG_SYSTEM_MOKOWAAS_FIELDSET_ALIASES_DESC="Configure additional domains that mirror this site. Each alias can have its own offline status, robots directive, and backend redirect behavior."
@@ -15,5 +15,5 @@
 ; Variables: (none)
 ; -----------------------------------------------------------------------------

-PLG_SYSTEM_MOKOWAAS="System - Moko WaaS"
+PLG_SYSTEM_MOKOWAAS="System - MokoWaaS"
 PLG_SYSTEM_MOKOWAAS_XML_DESCRIPTION="This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform."
@@ -99,6 +99,20 @@ PLG_SYSTEM_MOKOWAAS_DISABLE_INSTALL_URL_DESC="Block installing extensions from U
 PLG_SYSTEM_MOKOWAAS_HIDDEN_MENUS_LABEL="Hidden Menu Items"
 PLG_SYSTEM_MOKOWAAS_HIDDEN_MENUS_DESC="Components to hide from admin menu for non-master users. One per line (e.g., com_installer)."

+; ===== Content Sync fieldset =====
+PLG_SYSTEM_MOKOWAAS_FIELDSET_SYNC_LABEL="Content Sync"
+PLG_SYSTEM_MOKOWAAS_FIELDSET_SYNC_DESC="One-way content push to remote MokoWaaS sites. Syncs articles, categories, menus, and modules by alias."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGETS_LABEL="Sync Targets"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGETS_DESC="Remote sites to push content to. Each target requires the site URL and that site's health API token."
+PLG_SYSTEM_MOKOWAAS_SYNC_PUSH_NOW_LABEL="Push Content Now"
+PLG_SYSTEM_MOKOWAAS_SYNC_PUSH_NOW_DESC="Set to Yes and save to immediately push all content to all configured targets. Resets to No automatically."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_URL_LABEL="Site URL"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_URL_DESC="Full URL of the remote Joomla site (e.g. https://client.example.com)."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_TOKEN_LABEL="API Token"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_TOKEN_DESC="The health_api_token from the remote site's MokoWaaS plugin settings."
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_LABEL_LABEL="Label"
+PLG_SYSTEM_MOKOWAAS_SYNC_TARGET_LABEL_DESC="Friendly name for this target (for identification only)."
+
 ; ===== Diagnostics fieldset =====
 PLG_SYSTEM_MOKOWAAS_FIELDSET_DIAGNOSTICS_LABEL="Diagnostics & Monitoring"
 PLG_SYSTEM_MOKOWAAS_FIELDSET_DIAGNOSTICS_DESC="Health check endpoint for external monitoring systems (e.g. Grafana). Exposes system status via a token-authenticated JSON API."
@@ -137,6 +151,35 @@ PLG_SYSTEM_MOKOWAAS_UPLOAD_TYPES_DESC="Comma-separated list of allowed file exte
 PLG_SYSTEM_MOKOWAAS_UPLOAD_SIZE_LABEL="Max Upload Size (MB)"
 PLG_SYSTEM_MOKOWAAS_UPLOAD_SIZE_DESC="Maximum file upload size in megabytes."

+; ===== Demo Mode fieldset =====
+PLG_SYSTEM_MOKOWAAS_FIELDSET_DEMO_LABEL="Demo Mode"
+PLG_SYSTEM_MOKOWAAS_FIELDSET_DEMO_DESC="Configure demo site behavior with baseline snapshots and automatic periodic reset. When enabled, a warning banner is shown on the frontend."
+
+PLG_SYSTEM_MOKOWAAS_DEMO_ENABLED_LABEL="Enable Demo Mode"
+PLG_SYSTEM_MOKOWAAS_DEMO_ENABLED_DESC="When enabled, shows a warning banner on the frontend and enables snapshot/restore functionality."
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_MSG_LABEL="Banner Message"
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_MSG_DESC="Message displayed in the demo warning banner on the frontend."
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_COLOR_LABEL="Banner Color"
+PLG_SYSTEM_MOKOWAAS_DEMO_BANNER_COLOR_DESC="Background color for the demo warning banner."
+PLG_SYSTEM_MOKOWAAS_DEMO_COUNTDOWN_LABEL="Show Reset Countdown"
+PLG_SYSTEM_MOKOWAAS_DEMO_COUNTDOWN_DESC="Display a countdown timer in the banner showing time until the next scheduled reset."
+PLG_SYSTEM_MOKOWAAS_DEMO_SCHEDULE_LABEL="Reset Schedule"
+PLG_SYSTEM_MOKOWAAS_DEMO_SCHEDULE_DESC="How often the demo site resets. Select a preset or choose Custom to enter a crontab expression."
+PLG_SYSTEM_MOKOWAAS_DEMO_CRON_LABEL="Custom Crontab"
+PLG_SYSTEM_MOKOWAAS_DEMO_CRON_DESC="Crontab expression for the reset schedule. Format: minute hour day month weekday (e.g. 0 */6 * * * for every 6 hours)."
+PLG_SYSTEM_MOKOWAAS_DEMO_NEXT_RESET_LABEL="Next Scheduled Reset"
+PLG_SYSTEM_MOKOWAAS_DEMO_NEXT_RESET_DESC="Calculated automatically from the reset schedule. The banner countdown uses this timestamp."
+PLG_SYSTEM_MOKOWAAS_DEMO_TABLES_LABEL="Snapshot Tables"
+PLG_SYSTEM_MOKOWAAS_DEMO_TABLES_DESC="Database tables to include in snapshots. One per line, using #__ prefix. These tables will be truncated and restored during a reset."
+PLG_SYSTEM_MOKOWAAS_DEMO_MEDIA_LABEL="Include Directories"
+PLG_SYSTEM_MOKOWAAS_DEMO_MEDIA_DESC="Select which directories to include in the snapshot. Images contains uploaded media, Media contains extension assets."
+PLG_SYSTEM_MOKOWAAS_DEMO_ACTIVE_BASELINE_LABEL="Active Baseline Name"
+PLG_SYSTEM_MOKOWAAS_DEMO_ACTIVE_BASELINE_DESC="Name of the baseline snapshot used by admin toggles and scheduled tasks. Alphanumeric, hyphens, and underscores only."
+PLG_SYSTEM_MOKOWAAS_DEMO_TAKE_SNAPSHOT_LABEL="Take Snapshot Now"
+PLG_SYSTEM_MOKOWAAS_DEMO_TAKE_SNAPSHOT_DESC="Save the current site state as a baseline snapshot. Uses the Active Baseline Name above. Resets to No after execution."
+PLG_SYSTEM_MOKOWAAS_DEMO_RESTORE_NOW_LABEL="Restore Baseline Now"
+PLG_SYSTEM_MOKOWAAS_DEMO_RESTORE_NOW_DESC="Immediately restore the site to the active baseline snapshot. WARNING: This will overwrite current content. Resets to No after execution."
+
 ; ===== Site Aliases fieldset =====
 PLG_SYSTEM_MOKOWAAS_FIELDSET_ALIASES_LABEL="Site Aliases"
 PLG_SYSTEM_MOKOWAAS_FIELDSET_ALIASES_DESC="Configure additional domains that mirror this site. Each alias can have its own offline status, robots directive, and backend redirect behavior."
@@ -15,5 +15,5 @@
 ; Variables: (none)
 ; -----------------------------------------------------------------------------

-PLG_SYSTEM_MOKOWAAS="System - Moko WaaS"
+PLG_SYSTEM_MOKOWAAS="System - MokoWaaS"
 PLG_SYSTEM_MOKOWAAS_XML_DESCRIPTION="This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform."
@@ -30,7 +30,8 @@
 	<license>GNU General Public License version 3 or later; see LICENSE.md</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.16.00-dev</version>
+	<version>02.28.00</version>
+	<version>02.28.00</version>
 	<description>This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.</description>
 	<namespace path=".">Moko\Plugin\System\MokoWaaS</namespace>
 	<scriptfile>script.php</scriptfile>
@@ -39,6 +40,7 @@
 		<filename plugin="mokowaas">script.php</filename>
 		<folder>Extension</folder>
 		<folder>Field</folder>
+		<folder>Service</folder>
 		<folder>forms</folder>
 		<folder>payload</folder>
 		<folder>services</folder>
@@ -264,7 +266,16 @@
 					description="PLG_SYSTEM_MOKOWAAS_HIDDEN_MENUS_DESC"
 					rows="5" filter="raw" />
 			</fieldset>
-			<fieldset name="site_aliases"
+			<fieldset name="demo_mode"
+			label="PLG_SYSTEM_MOKOWAAS_FIELDSET_DEMO_LABEL"
+			description="PLG_SYSTEM_MOKOWAAS_FIELDSET_DEMO_DESC"
+			addfieldprefix="Moko\Plugin\System\MokoWaaS\Field"
+			>
+			<field name="demo_scheduled_task" type="DemoTaskInfo"
+				label="PLG_SYSTEM_MOKOWAAS_DEMO_TASK_INFO_LABEL"
+				/>
+		</fieldset>
+		<fieldset name="site_aliases"
 				label="PLG_SYSTEM_MOKOWAAS_FIELDSET_ALIASES_LABEL"
 				description="PLG_SYSTEM_MOKOWAAS_FIELDSET_ALIASES_DESC"
 				>
@@ -288,13 +299,37 @@
 					buttons="add,remove,move"
 					/>
 			</fieldset>
-			<fieldset name="diagnostics"
+			<fieldset name="content_sync"
+			label="PLG_SYSTEM_MOKOWAAS_FIELDSET_SYNC_LABEL"
+			description="PLG_SYSTEM_MOKOWAAS_FIELDSET_SYNC_DESC"
+			>
+			<field
+				name="sync_targets"
+				type="subform"
+				label="PLG_SYSTEM_MOKOWAAS_SYNC_TARGETS_LABEL"
+				description="PLG_SYSTEM_MOKOWAAS_SYNC_TARGETS_DESC"
+				formsource="plugins/system/mokowaas/forms/sync_target_entry.xml"
+				multiple="true"
+				layout="joomla.form.field.subform.repeatable-table"
+				groupByFieldset="false"
+				buttons="add,remove,move"
+				/>
+			<field name="sync_push_now" type="radio" default="0"
+				label="PLG_SYSTEM_MOKOWAAS_SYNC_PUSH_NOW_LABEL"
+				description="PLG_SYSTEM_MOKOWAAS_SYNC_PUSH_NOW_DESC"
+				class="btn-group btn-group-yesno">
+				<option value="1">JYES</option>
+				<option value="0">JNO</option>
+			</field>
+		</fieldset>
+		<fieldset name="diagnostics"
 				label="PLG_SYSTEM_MOKOWAAS_FIELDSET_DIAGNOSTICS_LABEL"
 				description="PLG_SYSTEM_MOKOWAAS_FIELDSET_DIAGNOSTICS_DESC"
+				addfieldprefix="Moko\Plugin\System\MokoWaaS\Field"
 				>
 				<field
 					name="health_api_token"
-					type="text"
+					type="CopyableToken"
 					label="PLG_SYSTEM_MOKOWAAS_HEALTH_TOKEN_LABEL"
 					description="PLG_SYSTEM_MOKOWAAS_HEALTH_TOKEN_DESC"
 					default=""
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.01.08
+ * VERSION: 02.27.00
 * PATH: /src/script.php
 * BRIEF: Installation script for MokoWaaS plugin
 * NOTE: Handles installation, update, and uninstallation tasks including language override deployment
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.01.08
+ * VERSION: 02.27.00
 * PATH: /src/services/provider.php
 * BRIEF: Service provider for dependency injection in Joomla 5.x
 * NOTE: Registers the plugin with Joomla's DI container
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<form>
+	<fieldset name="reset_params" label="Demo Reset Settings">
+		<field name="take_snapshot_on_save" type="radio" default="0"
+			label="Take Snapshot Now"
+			description="Set to Yes and save to capture the current site state as the baseline. Do this once before enabling the schedule."
+			class="btn-group btn-group-yesno">
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field name="include_media" type="radio" default="1"
+			label="Include Images"
+			description="Include the /images/ directory in snapshots and restores."
+			class="btn-group btn-group-yesno">
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field name="banner_enabled" type="radio" default="1"
+			label="Show Demo Banner"
+			description="Display a warning banner on the frontend telling visitors this is a demo site."
+			class="btn-group btn-group-yesno">
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+		<field name="banner_message" type="text"
+			label="Banner Message"
+			description="Message displayed in the demo warning banner."
+			default="This is a demo site. All changes will be reset periodically." />
+		<field name="banner_color" type="color"
+			label="Banner Color"
+			description="Background color for the demo warning banner."
+			default="#d9534f" />
+		<field name="show_countdown" type="radio" default="1"
+			label="Show Countdown"
+			description="Display a countdown timer in the banner showing time until the next reset."
+			class="btn-group btn-group-yesno">
+			<option value="1">JYES</option>
+			<option value="0">JNO</option>
+		</field>
+	</fieldset>
+</form>
@@ -0,0 +1,10 @@
+; MokoWaaS Demo Reset Task Plugin
+; Copyright (C) 2026 Moko Consulting
+; SPDX-License-Identifier: GPL-3.0-or-later
+
+PLG_TASK_MOKOWAASDEMO="Task - MokoWaaS Demo Reset"
+PLG_TASK_MOKOWAASDEMO_DESC="Scheduled task to periodically reset a demo site to a saved baseline snapshot."
+PLG_TASK_MOKOWAASDEMO_RESET_TITLE="MokoWaaS Demo Reset"
+PLG_TASK_MOKOWAASDEMO_RESET_DESC="Restore the site to a named baseline snapshot. Configure the baseline name and schedule interval."
+PLG_TASK_MOKOWAASDEMO_BASELINE_LABEL="Baseline Name"
+PLG_TASK_MOKOWAASDEMO_BASELINE_DESC="Name of the snapshot to restore. Must match a snapshot created via the MokoWaaS Demo Mode settings."
@@ -0,0 +1,6 @@
+; MokoWaaS Demo Reset Task Plugin (sys)
+; Copyright (C) 2026 Moko Consulting
+; SPDX-License-Identifier: GPL-3.0-or-later
+
+PLG_TASK_MOKOWAASDEMO="Task - MokoWaaS Demo Reset"
+PLG_TASK_MOKOWAASDEMO_DESC="Scheduled task to periodically reset a demo site to a saved baseline snapshot."
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ SPDX-License-Identifier: GPL-3.0-or-later
+-->
+<extension type="plugin" group="task" method="upgrade">
+	<name>Task - MokoWaaS Demo Reset</name>
+	<element>mokowaasdemo</element>
+	<author>Moko Consulting</author>
+	<creationDate>2026-05-30</creationDate>
+	<copyright>Copyright (C) 2026 Moko Consulting. All rights reserved.</copyright>
+	<license>GNU General Public License version 3 or later; see LICENSE</license>
+	<authorEmail>hello@mokoconsulting.tech</authorEmail>
+	<authorUrl>https://mokoconsulting.tech</authorUrl>
+	<version>02.28.00</version>
+	<version>02.28.00</version>
+	<description>PLG_TASK_MOKOWAASDEMO_DESC</description>
+	<namespace path="src">Moko\Plugin\Task\MokoWaaSDemo</namespace>
+
+	<files>
+		<filename plugin="mokowaasdemo">mokowaasdemo.xml</filename>
+		<folder>src</folder>
+		<folder>services</folder>
+		<folder>forms</folder>
+		<folder>language</folder>
+	</files>
+
+	<languages folder="language">
+		<language tag="en-GB">en-GB/plg_task_mokowaasdemo.ini</language>
+		<language tag="en-GB">en-GB/plg_task_mokowaasdemo.sys.ini</language>
+	</languages>
+</extension>
@@ -0,0 +1,37 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_task_mokowaasdemo
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Extension\PluginInterface;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Plugin\PluginHelper;
+use Joomla\DI\Container;
+use Joomla\DI\ServiceProviderInterface;
+use Joomla\Event\DispatcherInterface;
+use Moko\Plugin\Task\MokoWaaSDemo\Extension\DemoReset;
+
+return new class implements ServiceProviderInterface
+{
+	public function register(Container $container): void
+	{
+		$container->set(
+			PluginInterface::class,
+			function (Container $container) {
+				$dispatcher = $container->get(DispatcherInterface::class);
+				$plugin     = new DemoReset(
+					$dispatcher,
+					(array) PluginHelper::getPlugin('task', 'mokowaasdemo')
+				);
+				$plugin->setApplication(Factory::getApplication());
+
+				return $plugin;
+			}
+		);
+	}
+};
@@ -0,0 +1,224 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_task_mokowaasdemo
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Plugin\Task\MokoWaaSDemo\Extension;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Plugin\CMSPlugin;
+use Joomla\Component\Scheduler\Administrator\Event\ExecuteTaskEvent;
+use Joomla\Component\Scheduler\Administrator\Task\Status;
+use Joomla\Component\Scheduler\Administrator\Traits\TaskPluginTrait;
+use Joomla\Event\SubscriberInterface;
+
+/**
+ * MokoWaaS Demo Reset — Joomla Scheduled Task Plugin.
+ *
+ * All demo settings live here in the task form: snapshot, media,
+ * banner message, color, countdown. The system plugin reads these
+ * settings from the task to render the banner.
+ *
+ * @since  02.29.00
+ */
+final class DemoReset extends CMSPlugin implements SubscriberInterface
+{
+	use TaskPluginTrait;
+
+	protected const TASKS_MAP = [
+		'mokowaas.demo.reset' => [
+			'langConstPrefix' => 'PLG_TASK_MOKOWAASDEMO_RESET',
+			'method'          => 'resetDemoSite',
+			'form'            => 'reset_params',
+		],
+	];
+
+	public static function getSubscribedEvents(): array
+	{
+		return [
+			'onTaskOptionsList'    => 'advertiseRoutines',
+			'onExecuteTask'        => 'standardRoutineHandler',
+			'onContentPrepareForm' => 'enhanceTaskItemForm',
+			'onContentAfterSave'   => 'onContentAfterSave',
+		];
+	}
+
+	/**
+	 * Handle snapshot-on-save when the task is saved with take_snapshot_on_save=1.
+	 *
+	 * @param   string  $context  The save context
+	 * @param   object  $table    The table object
+	 * @param   bool    $isNew    Whether this is a new record
+	 *
+	 * @return  void
+	 *
+	 * @since   02.29.00
+	 */
+	public function onContentAfterSave($event): void
+	{
+		// Joomla 6 passes a single event object; Joomla 5 passes individual args
+		if (is_object($event) && method_exists($event, 'getArgument'))
+		{
+			$context = $event->getArgument('context', $event->getArgument(0, ''));
+			$table   = $event->getArgument('subject', $event->getArgument(1, null));
+		}
+		else
+		{
+			$context = $event;
+			$table   = func_get_arg(1);
+		}
+
+		if ($context !== 'com_scheduler.task')
+		{
+			return;
+		}
+
+		if (!is_object($table) || ($table->type ?? '') !== 'mokowaas.demo.reset')
+		{
+			return;
+		}
+
+		$params = json_decode($table->params ?? '{}', true) ?: [];
+
+		if (!empty($params['take_snapshot_on_save']) && (int) $params['take_snapshot_on_save'] === 1)
+		{
+			$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/DemoResetService.php';
+
+			if (file_exists($serviceFile))
+			{
+				require_once $serviceFile;
+
+				$media   = !empty($params['include_media']) && (int) $params['include_media'] === 1;
+				$service = new \Moko\Plugin\System\MokoWaaS\Service\DemoResetService($media);
+
+				try
+				{
+					$result = $service->createSnapshot('default');
+					Factory::getApplication()->enqueueMessage(
+						sprintf('Demo snapshot created (%.1f MB database, media=%s).', $result['dump_size_mb'] ?? 0, ($result['has_media'] ?? false) ? 'yes' : 'no'),
+						'message'
+					);
+				}
+				catch (\Throwable $e)
+				{
+					Factory::getApplication()->enqueueMessage('Snapshot failed: ' . $e->getMessage(), 'error');
+				}
+			}
+
+			// Reset the flag
+			$this->clearSnapshotFlag();
+		}
+	}
+
+	/**
+	 * Reset the demo site to the baseline snapshot.
+	 *
+	 * @param   ExecuteTaskEvent  $event  The task event
+	 *
+	 * @return  int  Status::OK or Status::KNOCKOUT
+	 *
+	 * @since   02.29.00
+	 */
+	private function resetDemoSite(ExecuteTaskEvent $event): int
+	{
+		$params = $event->getArgument('params');
+
+		$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/DemoResetService.php';
+
+		if (!file_exists($serviceFile))
+		{
+			$this->logTask('DemoResetService.php not found');
+
+			return Status::KNOCKOUT;
+		}
+
+		require_once $serviceFile;
+
+		$media   = !empty($params->include_media) && (int) $params->include_media === 1;
+		$service = new \Moko\Plugin\System\MokoWaaS\Service\DemoResetService($media);
+
+		try
+		{
+			$result = $service->restoreSnapshot('default');
+			$this->logTask('Demo site reset — media=' . ($result['media_restored'] ? 'yes' : 'no'));
+
+			return Status::OK;
+		}
+		catch (\Throwable $e)
+		{
+			$this->logTask('Demo reset failed: ' . $e->getMessage());
+
+			return Status::KNOCKOUT;
+		}
+	}
+
+	/**
+	 * Take a baseline snapshot.
+	 *
+	 * @param   object  $params  Task params
+	 *
+	 * @return  void
+	 *
+	 * @since   02.29.00
+	 */
+	private function takeSnapshot(object $params): void
+	{
+		$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/DemoResetService.php';
+
+		if (!file_exists($serviceFile))
+		{
+			return;
+		}
+
+		require_once $serviceFile;
+
+		$media   = !empty($params->include_media) && (int) $params->include_media === 1;
+		$service = new \Moko\Plugin\System\MokoWaaS\Service\DemoResetService($media);
+		$service->createSnapshot('default');
+	}
+
+	/**
+	 * Reset the take_snapshot_on_save flag back to 0 after snapshot.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.29.00
+	 */
+	private function clearSnapshotFlag(): void
+	{
+		try
+		{
+			$db = Factory::getDbo();
+			$db->setQuery(
+				$db->getQuery(true)
+					->select($db->quoteName(['id', 'params']))
+					->from($db->quoteName('#__scheduler_tasks'))
+					->where($db->quoteName('type') . ' = ' . $db->quote('mokowaas.demo.reset'))
+			);
+			$task = $db->loadAssoc();
+
+			if ($task)
+			{
+				$p = json_decode($task['params'], true) ?: [];
+				$p['take_snapshot_on_save'] = '0';
+
+				$db->setQuery(
+					$db->getQuery(true)
+						->update($db->quoteName('#__scheduler_tasks'))
+						->set($db->quoteName('params') . ' = ' . $db->quote(json_encode($p)))
+						->where($db->quoteName('id') . ' = ' . (int) $task['id'])
+				);
+				$db->execute();
+			}
+		}
+		catch (\Throwable $e)
+		{
+			// Best effort
+		}
+	}
+}
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<form>
+	<fieldset name="sync_params" label="Content Sync Settings">
+		<field name="sync_info" type="note"
+			label="Sync Targets"
+			description="Content sync targets are configured in the MokoWaaS system plugin settings (Content Sync tab). This task will push content to all configured targets on each execution." />
+	</fieldset>
+</form>
@@ -0,0 +1,8 @@
+; MokoWaaS Content Sync Task Plugin
+; Copyright (C) 2026 Moko Consulting
+; SPDX-License-Identifier: GPL-3.0-or-later
+
+PLG_TASK_MOKOWAASSYNC="Task - MokoWaaS Content Sync"
+PLG_TASK_MOKOWAASSYNC_DESC="Scheduled task to push content (articles, categories, menus, modules) to remote MokoWaaS sites."
+PLG_TASK_MOKOWAASSYNC_SYNC_TITLE="MokoWaaS Content Sync"
+PLG_TASK_MOKOWAASSYNC_SYNC_DESC="Push site content to all configured sync targets. Targets are configured in the MokoWaaS system plugin settings."
@@ -0,0 +1,6 @@
+; MokoWaaS Content Sync Task Plugin (sys)
+; Copyright (C) 2026 Moko Consulting
+; SPDX-License-Identifier: GPL-3.0-or-later
+
+PLG_TASK_MOKOWAASSYNC="Task - MokoWaaS Content Sync"
+PLG_TASK_MOKOWAASSYNC_DESC="Scheduled task to push content (articles, categories, menus, modules) to remote MokoWaaS sites."
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ SPDX-License-Identifier: GPL-3.0-or-later
+-->
+<extension type="plugin" group="task" method="upgrade">
+	<name>Task - MokoWaaS Content Sync</name>
+	<element>mokowaassync</element>
+	<author>Moko Consulting</author>
+	<creationDate>2026-05-30</creationDate>
+	<copyright>Copyright (C) 2026 Moko Consulting. All rights reserved.</copyright>
+	<license>GNU General Public License version 3 or later; see LICENSE</license>
+	<authorEmail>hello@mokoconsulting.tech</authorEmail>
+	<authorUrl>https://mokoconsulting.tech</authorUrl>
+	<version>02.28.00</version>
+	<description>PLG_TASK_MOKOWAASSYNC_DESC</description>
+	<namespace path="src">Moko\Plugin\Task\MokoWaaSSync</namespace>
+
+	<files>
+		<filename plugin="mokowaassync">mokowaassync.xml</filename>
+		<folder>src</folder>
+		<folder>services</folder>
+		<folder>forms</folder>
+		<folder>language</folder>
+	</files>
+
+	<languages folder="language">
+		<language tag="en-GB">en-GB/plg_task_mokowaassync.ini</language>
+		<language tag="en-GB">en-GB/plg_task_mokowaassync.sys.ini</language>
+	</languages>
+</extension>
@@ -0,0 +1,37 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_task_mokowaassync
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Extension\PluginInterface;
+use Joomla\CMS\Factory;
+use Joomla\CMS\Plugin\PluginHelper;
+use Joomla\DI\Container;
+use Joomla\DI\ServiceProviderInterface;
+use Joomla\Event\DispatcherInterface;
+use Moko\Plugin\Task\MokoWaaSSync\Extension\ContentSync;
+
+return new class implements ServiceProviderInterface
+{
+	public function register(Container $container): void
+	{
+		$container->set(
+			PluginInterface::class,
+			function (Container $container) {
+				$dispatcher = $container->get(DispatcherInterface::class);
+				$plugin     = new ContentSync(
+					$dispatcher,
+					(array) PluginHelper::getPlugin('task', 'mokowaassync')
+				);
+				$plugin->setApplication(Factory::getApplication());
+
+				return $plugin;
+			}
+		);
+	}
+};
@@ -0,0 +1,164 @@
+<?php
+/**
+ * @package     MokoWaaS
+ * @subpackage  plg_task_mokowaassync
+ * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
+ * @license     GNU General Public License version 3 or later; see LICENSE
+ */
+
+namespace Moko\Plugin\Task\MokoWaaSSync\Extension;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Factory;
+use Joomla\CMS\Plugin\CMSPlugin;
+use Joomla\Component\Scheduler\Administrator\Event\ExecuteTaskEvent;
+use Joomla\Component\Scheduler\Administrator\Task\Status;
+use Joomla\Component\Scheduler\Administrator\Traits\TaskPluginTrait;
+use Joomla\Event\SubscriberInterface;
+
+/**
+ * MokoWaaS Content Sync — Joomla Scheduled Task Plugin.
+ *
+ * Pushes site content (articles, categories, menus, modules) to
+ * configured remote MokoWaaS sites on a schedule. Sync targets are
+ * read from the system plugin params (content_sync fieldset).
+ *
+ * @since  02.27.00
+ */
+final class ContentSync extends CMSPlugin implements SubscriberInterface
+{
+	use TaskPluginTrait;
+
+	protected const TASKS_MAP = [
+		'mokowaas.content.sync' => [
+			'langConstPrefix' => 'PLG_TASK_MOKOWAASSYNC_SYNC',
+			'method'          => 'syncContent',
+			'form'            => 'sync_params',
+		],
+	];
+
+	public static function getSubscribedEvents(): array
+	{
+		return [
+			'onTaskOptionsList'    => 'advertiseRoutines',
+			'onExecuteTask'        => 'standardRoutineHandler',
+			'onContentPrepareForm' => 'enhanceTaskItemForm',
+		];
+	}
+
+	/**
+	 * Push content to all configured sync targets.
+	 *
+	 * Reads sync_targets from the MokoWaaS system plugin params, then
+	 * delegates to ContentSyncService. Task-level overrides (if any)
+	 * are merged on top.
+	 *
+	 * @param   ExecuteTaskEvent  $event  The task event
+	 *
+	 * @return  int  Status::OK or Status::KNOCKOUT
+	 *
+	 * @since   02.27.00
+	 */
+	private function syncContent(ExecuteTaskEvent $event): int
+	{
+		$serviceFile = JPATH_PLUGINS . '/system/mokowaas/Service/ContentSyncService.php';
+
+		if (!file_exists($serviceFile))
+		{
+			$this->logTask('ContentSyncService.php not found — is plg_system_mokowaas installed?');
+
+			return Status::KNOCKOUT;
+		}
+
+		require_once $serviceFile;
+
+		// Read sync targets from the system plugin params
+		$targets = $this->getSyncTargets();
+
+		if (empty($targets))
+		{
+			$this->logTask('No sync targets configured in MokoWaaS system plugin');
+
+			return Status::OK;
+		}
+
+		try
+		{
+			$service = new \Moko\Plugin\System\MokoWaaS\Service\ContentSyncService();
+			$result  = $service->syncAllTargets($targets);
+
+			$targetResults = $result['targets'] ?? [];
+			$okCount       = 0;
+			$errCount      = 0;
+
+			foreach ($targetResults as $tr)
+			{
+				if (($tr['status'] ?? '') === 'ok')
+				{
+					$okCount++;
+				}
+				else
+				{
+					$errCount++;
+					$this->logTask('Sync failed for ' . ($tr['target'] ?? 'unknown') . ': ' . ($tr['message'] ?? ''));
+				}
+			}
+
+			$this->logTask(sprintf('Content sync completed — %d ok, %d failed of %d target(s)', $okCount, $errCount, count($targetResults)));
+
+			return $errCount > 0 && $okCount === 0 ? Status::KNOCKOUT : Status::OK;
+		}
+		catch (\Throwable $e)
+		{
+			$this->logTask('Content sync failed: ' . $e->getMessage());
+
+			return Status::KNOCKOUT;
+		}
+	}
+
+	/**
+	 * Read sync targets from the MokoWaaS system plugin configuration.
+	 *
+	 * @return  array  Array of ['url' => ..., 'token' => ..., 'label' => ...]
+	 *
+	 * @since   02.27.00
+	 */
+	private function getSyncTargets(): array
+	{
+		try
+		{
+			$db    = Factory::getDbo();
+			$query = $db->getQuery(true)
+				->select($db->quoteName('params'))
+				->from($db->quoteName('#__extensions'))
+				->where($db->quoteName('type') . ' = ' . $db->quote('plugin'))
+				->where($db->quoteName('folder') . ' = ' . $db->quote('system'))
+				->where($db->quoteName('element') . ' = ' . $db->quote('mokowaas'));
+
+			$db->setQuery($query);
+			$raw = $db->loadResult();
+
+			if (empty($raw))
+			{
+				return [];
+			}
+
+			$params  = json_decode($raw, true) ?: [];
+			$targets = $params['sync_targets'] ?? [];
+
+			if (is_string($targets))
+			{
+				$targets = json_decode($targets, true) ?: [];
+			}
+
+			return is_array($targets) ? $targets : [];
+		}
+		catch (\Throwable $e)
+		{
+			$this->logTask('Failed to read sync targets: ' . $e->getMessage());
+
+			return [];
+		}
+	}
+}
@@ -7,7 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.16.00-dev</version>
+	<version>02.28.00</version>
+	<version>02.28.00</version>
 	<description>Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoWaaS</namespace>
 	<files>
@@ -64,5 +64,41 @@ final class MokoWaaSApi extends CMSPlugin implements SubscriberInterface
 			'update',
 			['component' => 'com_mokowaas']
 		);
+
+		$router->createCRUDRoutes(
+			'v1/mokowaas/install',
+			'install',
+			['component' => 'com_mokowaas']
+		);
+
+		$router->createCRUDRoutes(
+			'v1/mokowaas/reset',
+			'reset',
+			['component' => 'com_mokowaas']
+		);
+
+		$router->createCRUDRoutes(
+			'v1/mokowaas/snapshot',
+			'snapshot',
+			['component' => 'com_mokowaas']
+		);
+
+		$router->createCRUDRoutes(
+			'v1/mokowaas/sync',
+			'sync',
+			['component' => 'com_mokowaas']
+		);
+
+		$router->createCRUDRoutes(
+			'v1/mokowaas/sync-receive',
+			'syncreceive',
+			['component' => 'com_mokowaas']
+		);
+
+		$router->createCRUDRoutes(
+			'v1/mokowaas/extensions',
+			'extensions',
+			['component' => 'com_mokowaas']
+		);
 	}
 }
@@ -7,7 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.16.00-dev</version>
+	<version>02.28.00</version>
+	<version>02.28.00</version>
 	<description>Joomla Web Services API routes for Perfect Publisher (com_autotweet) — channels, posts, requests, rules, and feeds.</description>
 	<namespace path="src">Moko\Plugin\WebServices\PerfectPublisher</namespace>
 	<files>
@@ -8,7 +8,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_webservices_perfectpublisher/services/provider.php
- * VERSION: 02.13.01
+ * VERSION: 02.27.00
 * BRIEF: DI service provider for Perfect Publisher Web Services plugin
 */

@@ -8,7 +8,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_webservices_perfectpublisher/src/Extension/PerfectPublisherApi.php
- * VERSION: 02.13.01
+ * VERSION: 02.27.00
 * BRIEF: Web Services API plugin for Perfect Publisher (com_autotweet)
 */

@@ -1,8 +1,9 @@
 <?xml version="1.0" encoding="utf-8"?>
 <extension type="package" method="upgrade">
-	<name>MokoWaaS</name>
+	<name>Package - MokoWaaS</name>
 	<packagename>mokowaas</packagename>
-	<version>02.16.00-dev</version>
+	<version>02.28.00</version>
+	<version>02.28.00</version>
 	<creationDate>2026-05-23</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -12,11 +13,13 @@
 	<description>MokoWaaS site management suite — branding, health monitoring, tenant restrictions, and REST API.</description>
 	<scriptfile>script.php</scriptfile>

-	<files>
+	<files folder="packages">
 		<file type="plugin" id="plg_system_mokowaas" group="system">plg_system_mokowaas.zip</file>
 		<file type="component" id="com_mokowaas">com_mokowaas.zip</file>
 		<file type="plugin" id="plg_webservices_mokowaas" group="webservices">plg_webservices_mokowaas.zip</file>
 		<file type="plugin" id="plg_webservices_perfectpublisher" group="webservices">plg_webservices_perfectpublisher.zip</file>
+		<file type="plugin" id="plg_task_mokowaasdemo" group="task">plg_task_mokowaasdemo.zip</file>
+		<file type="plugin" id="plg_task_mokowaassync" group="task">plg_task_mokowaassync.zip</file>
 	</files>

 	<updateservers>
@@ -34,8 +34,13 @@ class Pkg_MokowaasInstallerScript
 	 */
 	public function postflight($type, $parent)
 	{
+		// Remove legacy extensions from before the package rewrite
+		$this->cleanupLegacyExtensions();
+
 		$this->enablePlugin('system', 'mokowaas');
 		$this->enablePlugin('webservices', 'mokowaas');
+		$this->enablePlugin('task', 'mokowaasdemo');
+		$this->enablePlugin('task', 'mokowaassync');

 		// Mark MokoWaaS extensions as protected (prevents disable/uninstall at framework level)
 		$this->protectExtensions();
@@ -44,6 +49,101 @@ class Pkg_MokowaasInstallerScript
 		$this->sendHeartbeat();
 	}

+	/**
+	 * Remove legacy/stale extension entries and filesystem remnants.
+	 *
+	 * The old standalone plugin was named "mokowaasbrand" (plg_system_mokowaasbrand).
+	 * After the rewrite into the pkg_mokowaas package, the old entries and files
+	 * may linger — especially on sites restored from old backups.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	private function cleanupLegacyExtensions(): void
+	{
+		try
+		{
+			$db = Factory::getDbo();
+
+			// Legacy element names to remove from #__extensions
+			$legacy = [
+				$db->quote('mokowaasbrand'),
+				$db->quote('plg_system_mokowaasbrand'),
+			];
+
+			// Delete from #__extensions
+			$query = $db->getQuery(true)
+				->delete($db->quoteName('#__extensions'))
+				->where($db->quoteName('element') . ' IN (' . implode(',', $legacy) . ')');
+			$db->setQuery($query);
+			$affected = $db->execute();
+			$count    = $db->getAffectedRows();
+
+			// Remove legacy plugin files from the filesystem
+			$legacyDirs = [
+				JPATH_PLUGINS . '/system/mokowaasbrand',
+			];
+
+			foreach ($legacyDirs as $dir)
+			{
+				if (is_dir($dir))
+				{
+					$this->rmdirRecursive($dir);
+				}
+			}
+
+			if ($count > 0)
+			{
+				Factory::getApplication()->enqueueMessage(
+					sprintf('Removed %d legacy MokoWaaS extension(s).', $count),
+					'message'
+				);
+
+				Log::add(
+					sprintf('Cleaned up %d legacy MokoWaaS extension entries', $count),
+					Log::INFO,
+					'mokowaas'
+				);
+			}
+		}
+		catch (\Throwable $e)
+		{
+			Log::add('Legacy cleanup error: ' . $e->getMessage(), Log::WARNING, 'jerror');
+		}
+	}
+
+	/**
+	 * Recursively remove a directory.
+	 *
+	 * @param   string  $dir  Directory path
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	private function rmdirRecursive(string $dir): void
+	{
+		$items = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($dir, \RecursiveDirectoryIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		foreach ($items as $item)
+		{
+			if ($item->isDir())
+			{
+				@rmdir($item->getPathname());
+			}
+			else
+			{
+				@unlink($item->getPathname());
+			}
+		}
+
+		@rmdir($dir);
+	}
+
 	/**
 	 * Enable a plugin by group and element.
 	 *
@@ -89,18 +189,64 @@ class Pkg_MokowaasInstallerScript
 		try
 		{
 			$db = Factory::getDbo();
+
+			// All MokoWaaS elements: package, system plugin, component,
+			// webservices plugins, task plugin
+			$elements = [
+				$db->quote('pkg_mokowaas'),
+				$db->quote('mokowaas'),
+				$db->quote('com_mokowaas'),
+				$db->quote('mokowaasdemo'),
+				$db->quote('mokowaassync'),
+				$db->quote('perfectpublisher'),
+			];
+
 			$query = $db->getQuery(true)
 				->update($db->quoteName('#__extensions'))
 				->set($db->quoteName('protected') . ' = 1')
 				->set($db->quoteName('locked') . ' = 0')
-				->where('(' . $db->quoteName('element') . ' = ' . $db->quote('mokowaas')
-					. ' OR ' . $db->quoteName('element') . ' = ' . $db->quote('pkg_mokowaas') . ')');
+				->where($db->quoteName('element') . ' IN (' . implode(',', $elements) . ')');
+			$db->setQuery($query);
+			$db->execute();
+
+			// Ensure update server stays enabled
+			$this->enableUpdateServer();
+		}
+		catch (\Throwable $e)
+		{
+			Log::add('Error protecting MokoWaaS extensions: ' . $e->getMessage(), Log::WARNING, 'jerror');
+		}
+	}
+
+	/**
+	 * Ensure the MokoWaaS update server entry stays enabled.
+	 *
+	 * Joomla stores update server records in #__update_sites. If a tenant
+	 * or automation disables it, the site stops receiving updates. This
+	 * re-enables it on every install/update.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.21.00
+	 */
+	private function enableUpdateServer(): void
+	{
+		try
+		{
+			$db = Factory::getDbo();
+
+			// Find update site by name or URL pattern
+			$query = $db->getQuery(true)
+				->update($db->quoteName('#__update_sites'))
+				->set($db->quoteName('enabled') . ' = 1')
+				->where('(' . $db->quoteName('name') . ' LIKE ' . $db->quote('%MokoWaaS%')
+					. ' OR ' . $db->quoteName('location') . ' LIKE ' . $db->quote('%MokoWaaS%') . ')');
 			$db->setQuery($query);
 			$db->execute();
 		}
 		catch (\Throwable $e)
 		{
-			Log::add('Error protecting MokoWaaS extensions: ' . $e->getMessage(), Log::WARNING, 'jerror');
+			Log::add('Error enabling update server: ' . $e->getMessage(), Log::WARNING, 'jerror');
 		}
 	}

@@ -1,96 +1,24 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 SPDX-License-Identifier: GPL-3.0-or-later
- VERSION: 02.16.00-dev
+ VERSION: 02.28.00
 -->

 <updates>
-  <update>
-    <name>Package - MokoWaaS</name>
-    <description>Package - MokoWaaS development build.</description>
-    <element>pkg_mokowaas</element>
-    <type>package</type>
-    <client>site</client>
-    <version>02.16.00-dev</version>
-    <creationDate>2026-05-28</creationDate>
-    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
-    <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.16.00-dev.zip</downloadurl>
-    </downloads>
-    <sha256>f233e73694b4e4ce0b4d71e828a158438257c1aec6fdb63d4b0482d23fd3d431</sha256>
-    <tags><tag>dev</tag></tags>
-    <maintainer>Moko Consulting</maintainer>
-    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
-    <targetplatform name="joomla" version="(5|6)\..*" />
-  </update>
-  <update>
-    <name>Package - MokoWaaS</name>
-    <description>Package - MokoWaaS alpha build.</description>
-    <element>pkg_mokowaas</element>
-    <type>package</type>
-    <client>site</client>
-    <version>02.16.00-dev</version>
-    <creationDate>2026-05-28</creationDate>
-    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
-    <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.16.00-dev.zip</downloadurl>
-    </downloads>
-    <sha256>f233e73694b4e4ce0b4d71e828a158438257c1aec6fdb63d4b0482d23fd3d431</sha256>
-    <tags><tag>alpha</tag></tags>
-    <maintainer>Moko Consulting</maintainer>
-    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
-    <targetplatform name="joomla" version="(5|6)\..*" />
-  </update>
-  <update>
-    <name>Package - MokoWaaS</name>
-    <description>Package - MokoWaaS beta build.</description>
-    <element>pkg_mokowaas</element>
-    <type>package</type>
-    <client>site</client>
-    <version>02.16.00-dev</version>
-    <creationDate>2026-05-28</creationDate>
-    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
-    <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.16.00-dev.zip</downloadurl>
-    </downloads>
-    <sha256>f233e73694b4e4ce0b4d71e828a158438257c1aec6fdb63d4b0482d23fd3d431</sha256>
-    <tags><tag>beta</tag></tags>
-    <maintainer>Moko Consulting</maintainer>
-    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
-    <targetplatform name="joomla" version="(5|6)\..*" />
-  </update>
-  <update>
-    <name>Package - MokoWaaS</name>
-    <description>Package - MokoWaaS rc build.</description>
-    <element>pkg_mokowaas</element>
-    <type>package</type>
-    <client>site</client>
-    <version>02.16.00-dev</version>
-    <creationDate>2026-05-28</creationDate>
-    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
-    <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.16.00-dev.zip</downloadurl>
-    </downloads>
-    <sha256>f233e73694b4e4ce0b4d71e828a158438257c1aec6fdb63d4b0482d23fd3d431</sha256>
-    <tags><tag>rc</tag></tags>
-    <maintainer>Moko Consulting</maintainer>
-    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
-    <targetplatform name="joomla" version="(5|6)\..*" />
-  </update>
  <update>
    <name>Package - MokoWaaS</name>
    <description>Package - MokoWaaS stable build.</description>
    <element>pkg_mokowaas</element>
    <type>package</type>
    <client>site</client>
-    <version>02.16.00-dev</version>
-    <creationDate>2026-05-28</creationDate>
+    <version>02.28.00</version>
+    <creationDate>2026-05-31</creationDate>
    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.16.00-dev.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.28.00.zip</downloadurl>
    </downloads>
-    <sha256>f233e73694b4e4ce0b4d71e828a158438257c1aec6fdb63d4b0482d23fd3d431</sha256>
    <tags><tag>stable</tag></tags>
+    <changelogurl>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/raw/branch/main/CHANGELOG.md</changelogurl>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
    <targetplatform name="joomla" version="(5|6)\..*" />
@@ -164,7 +164,7 @@ Requesting an unknown action returns HTTP 400 with the list of available actions
 {
  "error": "Unknown action",
  "action": "invalid",
-  "available": ["health", "install", "update", "cache", "backup", "info"]
+  "available": ["health", "install", "update", "cache", "backup", "info", "reset", "snapshot"]
 }
 ```

@@ -172,10 +172,166 @@ Requesting an unknown action returns HTTP 400 with the list of available actions

 In addition to the query-string endpoints above, MokoWaaS registers standard Joomla API routes via the `plg_webservices_mokowaas` plugin:

-| Route | Controller |
-|---|---|
-| `GET /api/v1/mokowaas/health` | HealthController |
-| `POST /api/v1/mokowaas/cache` | CacheController |
-| `POST /api/v1/mokowaas/update` | UpdateController |
+| Route | Controller | Description |
+|---|---|---|
+| `GET /api/v1/mokowaas/health` | HealthController | Full site health diagnostics |
+| `POST /api/v1/mokowaas/cache` | CacheController | Clear all caches |
+| `POST /api/v1/mokowaas/update` | UpdateController | Trigger update check |
+| `POST /api/v1/mokowaas/install` | InstallController | Install extension from ZIP URL |
+| `POST /api/v1/mokowaas/reset` | ResetController | Restore site to baseline snapshot |
+| `GET/POST /api/v1/mokowaas/snapshot` | SnapshotController | List or create snapshots |
+| `POST /api/v1/mokowaas/sync` | SyncController | Push content to all sync targets |
+| `POST /api/v1/mokowaas/sync-receive` | SyncReceiveController | Receive content from source site |
+| `GET /api/v1/mokowaas/extensions` | ExtensionsController | List installed extensions |

 These routes use Joomla's standard API authentication (API token in `X-Joomla-Token` header) and are useful for integrations that already use the Joomla API framework.
+
+### Install Endpoint (REST API)
+
+```
+POST /api/index.php/v1/mokowaas/install
+X-Joomla-Token: <api-token>
+Content-Type: application/json
+
+{"url": "https://git.mokoconsulting.tech/.../plg_system_mokowaas-02.20.00.zip"}
+```
+
+Downloads the ZIP from the given URL and installs it via Joomla's Installer. Requires a Joomla API token with `core.manage` permission on `com_installer`.
+
+**Constraints:**
+- URL must use `http` or `https` scheme
+- URL path must end in `.zip`
+- Maximum download size: 64 MB
+
+**Success Response** (HTTP 200):
+
+```json
+{
+    "status": "ok",
+    "message": "Extension installed successfully",
+    "extension": {
+        "name": "MokoWaaS",
+        "version": "02.20.00",
+        "type": "plugin"
+    },
+    "source_url": "https://git.mokoconsulting.tech/.../plg_system_mokowaas-02.20.00.zip"
+}
+```
+
+**Error Responses:**
+
+| HTTP Status | Condition |
+|---|---|
+| 400 | Missing `url` field, non-HTTPS URL, or URL not ending in `.zip` |
+| 403 | API token lacks `core.manage` on `com_installer` |
+| 405 | Request method is not POST |
+| 500 | Download or installation failed |
+
+### Reset Endpoint (REST API)
+
+```
+POST /api/index.php/v1/mokowaas/reset
+X-Joomla-Token: <api-token>
+Content-Type: application/json
+
+{"baseline": "default"}
+```
+
+Restores the site to a named baseline snapshot. The `baseline` field is optional and defaults to the active baseline configured in the plugin.
+
+Requires `core.manage` permission on `com_plugins`.
+
+**Success Response** (HTTP 200):
+
+```json
+{
+    "status": "ok",
+    "message": "Site restored to baseline: default",
+    "baseline": "default",
+    "restored_tables": 15,
+    "media_restored": true
+}
+```
+
+### Snapshot Endpoint (REST API)
+
+**List snapshots:**
+
+```
+GET /api/index.php/v1/mokowaas/snapshot
+X-Joomla-Token: <api-token>
+```
+
+**Create snapshot:**
+
+```
+POST /api/index.php/v1/mokowaas/snapshot
+X-Joomla-Token: <api-token>
+Content-Type: application/json
+
+{"name": "my-baseline"}
+```
+
+The `name` field is optional and defaults to the active baseline name.
+
+**Success Response** (HTTP 200):
+
+```json
+{
+    "status": "ok",
+    "message": "Snapshot created",
+    "name": "my-baseline",
+    "tables": 15,
+    "has_media": true
+}
+```
+
+### Extensions Endpoint (REST API)
+
+```
+GET /api/index.php/v1/mokowaas/extensions
+X-Joomla-Token: <api-token>
+```
+
+Lists all installed Joomla extensions with version, enabled/protected/locked status, and update server info.
+
+**Query filters:**
+
+| Parameter | Description | Example |
+|---|---|---|
+| `type` | Filter by extension type | `?type=plugin` |
+| `search` | Search name or element | `?search=moko` |
+| `enabled` | Filter by enabled status | `?enabled=1` |
+
+**Query-string equivalent:** `GET /?mokowaas=extensions&search=moko&type=plugin`
+
+Requires `core.manage` on `com_installer`.
+
+**Success Response** (HTTP 200):
+
+```json
+{
+    "status": "ok",
+    "count": 3,
+    "extensions": [
+        {
+            "extension_id": 456,
+            "name": "System - MokoWaaS",
+            "type": "plugin",
+            "element": "mokowaas",
+            "folder": "system",
+            "client_id": 0,
+            "enabled": true,
+            "protected": true,
+            "locked": false,
+            "version": "02.21.00",
+            "author": "Moko Consulting",
+            "update_server": {
+                "name": "MokoWaaS Update Server",
+                "location": "https://git.mokoconsulting.tech/.../updates.xml",
+                "enabled": true
+            }
+        }
+    ]
+}
+```