chore(release): build 02.13.00 [skip ci]

Merge pull request 'fix: rewrite release workflows and fix version propagation' (#64 ) from dev into main
chore(version): patch bump to 02.12.01 [skip ci]
2026-05-28 16:01:47 +00:00 · 2026-05-28 16:01:29 +00:00 · 2026-05-28 16:01:25 +00:00 · 2026-05-28 11:01:13 -05:00 · 2026-05-28 15:59:48 +00:00 · 2026-05-28 10:59:38 -05:00
21 changed files with 1830 additions and 1580 deletions
@@ -8,6 +8,7 @@
    <name>MokoWaaS</name>
    <org>MokoConsulting</org>
    <description>White-label identity, security hardening, and tenant restriction layer for WaaS-managed Joomla environments</description>
+    <version>02.13.00</version>
    <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
  </identity>
  <governance>
@@ -0,0 +1,84 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.mokogitea/workflows/auto-bump.yml
+# VERSION: 09.02.00
+# BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
+
+name: "Universal: Auto Version Bump"
+
+on:
+  push:
+    branches:
+      - dev
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+permissions:
+  contents: write
+
+jobs:
+  bump:
+    name: Version Bump
+    runs-on: release
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip bump]') &&
+      !startsWith(github.event.head_commit.message, 'Merge pull request')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.GA_TOKEN }}
+          fetch-depth: 1
+
+      - name: Setup moko-platform tools
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          if [ -d "/opt/moko-platform/cli" ]; then
+            echo "MOKO_CLI=/opt/moko-platform/cli" >> "$GITHUB_ENV"
+          else
+            git clone --depth 1 --branch main --quiet \
+              "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/moko-platform.git" \
+              /tmp/moko-platform-api
+            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
+            echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
+          fi
+
+      - name: Bump version
+        run: |
+          BUMP=$(php ${MOKO_CLI}/version_bump.php --path . 2>&1) || true
+          echo "$BUMP"
+
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null) || true
+          [ -z "$VERSION" ] && { echo "No version found — skipping"; exit 0; }
+
+          # Propagate to platform manifests
+          php ${MOKO_CLI}/version_set_platform.php \
+            --path . --version "$VERSION" --branch dev 2>/dev/null || true
+          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
+
+          # Commit if anything changed
+          if git diff --quiet && git diff --cached --quiet; then
+            echo "No version changes to commit"
+            exit 0
+          fi
+
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git add -A
+          git commit -m "chore(version): patch bump to ${VERSION} [skip ci]" \
+            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+          git push origin dev
+          echo "Bumped to ${VERSION}" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,48 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoStandards.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.mokogitea/workflows/branch-cleanup.yml
+# VERSION: 01.00.00
+# BRIEF: Delete feature branches after PR merge
+
+name: "Branch Cleanup"
+
+on:
+  pull_request:
+    types: [closed]
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  cleanup:
+    name: Delete merged branch
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      github.event.pull_request.head.ref != 'dev' &&
+      github.event.pull_request.head.ref != 'main'
+
+    steps:
+      - name: Delete source branch
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          API="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}/api/v1/repos/${{ github.repository }}/branches"
+          ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('${BRANCH}', safe=''))")
+
+          STATUS=$(curl -sf -o /dev/null -w "%{http_code}" -X DELETE \
+            -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API}/${ENCODED}" 2>/dev/null || true)
+
+          if [ "$STATUS" = "204" ]; then
+            echo "Deleted branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          elif [ "$STATUS" = "404" ]; then
+            echo "Branch already deleted: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "::warning::Failed to delete branch ${BRANCH} (HTTP ${STATUS})"
+          fi
@@ -0,0 +1,73 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Automation
+# VERSION: 01.00.00
+# BRIEF: Auto-create feature branch when an issue is opened
+
+name: "Universal: Issue Branch"
+
+on:
+  issues:
+    types: [opened]
+
+permissions:
+  contents: write
+  issues: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  create-branch:
+    name: Create feature branch
+    runs-on: ubuntu-latest
+    steps:
+      - name: Create branch and comment
+        run: |
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          ISSUE_NUM="${{ github.event.issue.number }}"
+          ISSUE_TITLE="${{ github.event.issue.title }}"
+
+          # Build slug from title: lowercase, replace non-alnum with dash, trim
+          SLUG=$(echo "${ISSUE_TITLE}" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//;s/-$//' | cut -c1-40)
+          BRANCH="feature/${ISSUE_NUM}-${SLUG}"
+
+          # Check dev branch exists
+          DEV_EXISTS=$(curl -sf -o /dev/null -w '%{http_code}' \
+            -H "Authorization: token ${TOKEN}" \
+            "${API}/branches/dev" 2>/dev/null || echo "000")
+
+          if [ "${DEV_EXISTS}" != "200" ]; then
+            echo "No dev branch -- skipping"
+            exit 0
+          fi
+
+          # Create branch from dev
+          HTTP=$(curl -sf -o /dev/null -w '%{http_code}' -X POST \
+            -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API}/branches" \
+            -d "{\"new_branch_name\":\"${BRANCH}\",\"old_branch_name\":\"dev\"}" 2>/dev/null || echo "000")
+
+          if [ "${HTTP}" = "201" ]; then
+            echo "Created branch: ${BRANCH}"
+
+            # Comment on issue with branch link
+            REPO_URL="${GITEA_URL}/${{ github.repository }}"
+            BODY="Branch created: [\`${BRANCH}\`](${REPO_URL}/src/branch/${BRANCH})\n\n\`\`\`bash\ngit fetch origin\ngit checkout ${BRANCH}\n\`\`\`"
+
+            curl -sf -X POST \
+              -H "Authorization: token ${TOKEN}" \
+              -H "Content-Type: application/json" \
+              "${API}/issues/${ISSUE_NUM}/comments" \
+              -d "{\"body\":\"${BODY}\"}" > /dev/null 2>&1
+
+            echo "Commented on issue #${ISSUE_NUM}"
+          else
+            echo "Failed to create branch (HTTP ${HTTP}) -- may already exist"
+          fi
@@ -1,260 +1,223 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: moko-platform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
-# PATH: /templates/workflows/universal/pre-release.yml.template
-# VERSION: 05.00.00
-# BRIEF: Manual pre-release — builds dev/alpha/beta/rc packages from any branch
-
-name: "Universal: Pre-Release"
-
-on:
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Pre-release channel'
-        required: true
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - release-candidate
-
-permissions:
-  contents: write
-
-env:
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-jobs:
-  build:
-    name: "Build Pre-Release (${{ inputs.stability }})"
-    runs-on: release
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
-
-      - name: Setup PHP
-        run: |
-          if ! command -v php &> /dev/null; then
-            sudo apt-get update -qq
-            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl >/dev/null 2>&1
-          fi
-
-      - name: Setup moko-platform tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-        run: |
-          git clone --depth 1 --branch main --quiet             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git"             /tmp/moko-platform-api
-
-      - name: Detect platform
-        id: platform
-        run: |
-          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
-
-      - name: Resolve metadata
-        id: meta
-        run: |
-          STABILITY="${{ inputs.stability }}"
-          MOKO_API="/tmp/moko-platform-api/cli"
-
-          case "$STABILITY" in
-            development)        SUFFIX="-dev";   TAG="development" ;;
-            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
-            beta)               SUFFIX="-beta";  TAG="beta" ;;
-            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
-          esac
-
-          # Read current version from manifest (priority) or README — no bump yet
-          VERSION=$(php ${MOKO_API}/version_read.php --path .)
-          echo "Version: ${VERSION}"
-
-          # Ensure platform-specific manifest matches
-          php ${MOKO_API}/version_set_platform.php --path . --version "${VERSION}"
-
-          # Git setup for later commits
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
-
-          # Detect element from Joomla/Dolibarr manifest
-          set +o pipefail
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-          EXT_ELEMENT=$(php ${MOKO_API}/manifest_read.php --path . --field name 2>/dev/null | tr -d ' ' | tr '[:upper:]' '[:lower:]' || true)
-          # For Joomla, prefer <element> tag
-          if [ "$PLATFORM" = "joomla" ]; then
-            MANIFEST=$(find . -maxdepth 4 -name "*.xml" ! -path "./.git/*" -print0 2>/dev/null | xargs -0 grep -l '<extension' 2>/dev/null | head -1 || true)
-            if [ -n "$MANIFEST" ]; then
-              ELEM=$(grep -oP "<element>\K[^<]+" "$MANIFEST" 2>/dev/null | head -1 || true)
-              [ -n "$ELEM" ] && EXT_ELEMENT="$ELEM"
-            fi
-          fi
-          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
-          set -o pipefail
-
-          ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
-
-          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
-          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
-          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
-
-          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
-
-      - name: Build package
-        id: zip
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          SUFFIX="${{ steps.meta.outputs.suffix }}"
-          PLATFORM="${{ steps.platform.outputs.platform }}"
-
-          if [ "$PLATFORM" = "joomla" ]; then
-            php /tmp/moko-platform-api/cli/joomla_build.php               --path . --version "${VERSION}" --suffix "${SUFFIX}"               --output build --github-output
-          else
-            # Generic build: zip src/ directory
-            SOURCE_DIR="src"
-            [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-            [ ! -d "$SOURCE_DIR" ] && { echo "::error::No src/ or htdocs/"; exit 1; }
-            EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-            ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
-            mkdir -p build
-            cd "$SOURCE_DIR" && zip -r "../build/${ZIP_NAME}" . && cd ..
-            SHA256=$(sha256sum "build/${ZIP_NAME}" | cut -d' ' -f1)
-            echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-            echo "zip_path=build/${ZIP_NAME}" >> "$GITHUB_OUTPUT"
-            echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Create or replace Gitea release
-        id: release
-        continue-on-error: true
-        run: |
-          TAG="${{ steps.meta.outputs.tag }}"
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          ZIP_NAME="${{ steps.zip.outputs.zip_name }}"
-          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          BRANCH=$(git branch --show-current)
-
-          BODY="## ${VERSION} ($(date +%Y-%m-%d))
-          **Channel:** ${STABILITY}
-          **SHA-256:** \`${SHA256}\`"
-
-          # Delete existing release
-          EXISTING_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
-            "${API}/releases/tags/${TAG}" | jq -r '.id // empty' 2>/dev/null)
-          if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-              "${API}/tags/${TAG}" 2>/dev/null || true
-          fi
-
-          # Create release
-          RELEASE_ID=$(curl -sS -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/json" \
-            "${API}/releases" \
-            -d "$(jq -n \
-              --arg tag "$TAG" \
-              --arg target "$BRANCH" \
-              --arg name "${EXT_ELEMENT} ${VERSION} (${STABILITY})" \
-              --arg body "$BODY" \
-              '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, prerelease: true}'
-            )" | jq -r '.id')
-
-          echo "release_id=${RELEASE_ID}" >> "$GITHUB_OUTPUT"
-
-          # Upload ZIP
-          curl -sS -X POST -H "Authorization: token ${TOKEN}" \
-            -H "Content-Type: application/octet-stream" \
-            "${API}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" \
-            --data-binary "@${{ steps.zip.outputs.zip_path }}"
-
-          echo "Released: ${EXT_ELEMENT} ${VERSION} (${STABILITY})"
-
-      - name: "Update updates.xml"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          VERSION="${{ steps.meta.outputs.version }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-          SHA256="${{ steps.zip.outputs.sha256 }}"
-          php /tmp/moko-platform-api/cli/updates_xml_build.php             --path . --version "$VERSION" --stability "$STABILITY"             --sha "$SHA256"             --gitea-url "$GITEA_URL" --org "$GITEA_ORG" --repo "$GITEA_REPO"
-          if ! git diff --quiet updates.xml 2>/dev/null; then
-            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-            git config --local user.name "gitea-actions[bot]"
-            git add updates.xml
-            git commit -m "chore: update $STABILITY channel $VERSION [skip ci]"
-            git push origin HEAD 2>&1 || echo "WARNING: push failed"
-          fi
-
-      - name: "Sync updates.xml to all branches"
-        if: steps.platform.outputs.platform == 'joomla'
-        run: |
-          php /tmp/moko-platform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.GA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
-
-      - name: "Delete lesser pre-release channels (cascade)"
-        continue-on-error: true
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
-          STABILITY="${{ steps.meta.outputs.stability }}"
-
-          # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing
-          case "$STABILITY" in
-            release-candidate) TAGS_TO_DELETE="beta alpha development" ;;
-            beta)              TAGS_TO_DELETE="alpha development" ;;
-            alpha)             TAGS_TO_DELETE="development" ;;
-            *)                 TAGS_TO_DELETE="" ;;
-          esac
-
-          [ -z "$TAGS_TO_DELETE" ] && exit 0
-
-          for TAG in $TAGS_TO_DELETE; do
-            RELEASE_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
-              "${API_BASE}/releases/tags/${TAG}" 2>/dev/null | \
-              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
-              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/releases/${RELEASE_ID}" 2>/dev/null || true
-              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
-                "${API_BASE}/tags/${TAG}" 2>/dev/null || true
-              echo "Deleted: ${TAG} (id: ${RELEASE_ID})"
-            fi
-          done
-
-      - name: "Post-release version bump"
-        run: |
-          MOKO_API="/tmp/moko-platform-api/cli"
-          VERSION="${{ steps.meta.outputs.version }}"
-
-          # Bump patch for next dev cycle
-          BUMP_OUTPUT=$(php ${MOKO_API}/version_bump.php --path .)
-          NEXT=$(echo "$BUMP_OUTPUT" | grep -oP '\d{2}\.\d{2}\.\d{2}$' || true)
-          [ -z "$NEXT" ] && exit 0
-
-          # Update platform-specific manifest to next version
-          php ${MOKO_API}/version_set_platform.php --path . --version "${NEXT}"
-
-          git add -A
-          git diff --cached --quiet || {
-            git commit -m "chore: update development channel ${VERSION} [skip ci]"
-            git push origin HEAD 2>&1
-          }
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /templates/workflows/universal/pre-release.yml.template
+# VERSION: 05.01.00
+# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
+
+name: "Universal: Pre-Release"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - dev
+  workflow_dispatch:
+    inputs:
+      stability:
+        description: 'Pre-release channel'
+        required: true
+        type: choice
+        options:
+          - development
+          - alpha
+          - beta
+          - release-candidate
+
+permissions:
+  contents: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+jobs:
+  build:
+    name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
+    runs-on: release
+    if: >-
+      github.event_name == 'workflow_dispatch' ||
+      (github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GA_TOKEN }}
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api
+          cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet
+          echo "MOKO_CLI=/tmp/moko-platform-api/cli" >> "$GITHUB_ENV"
+
+      - name: Detect platform
+        id: platform
+        run: |
+          php ${MOKO_CLI}/manifest_read.php --path . --github-output
+
+      - name: Resolve metadata and bump version
+        id: meta
+        run: |
+          STABILITY="${{ inputs.stability || 'development' }}"
+
+          case "$STABILITY" in
+            development)        SUFFIX="-dev";   TAG="development" ;;
+            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
+            beta)               SUFFIX="-beta";  TAG="beta" ;;
+            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
+          esac
+
+          # Read current version (bump already handled by push workflow)
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null)
+          [ -z "$VERSION" ] && VERSION="00.00.01"
+
+          php ${MOKO_CLI}/version_set_platform.php \
+            --path . --version "$VERSION" --branch "${{ github.ref_name }}" 2>/dev/null || true
+
+          # Verify version consistency across all files
+          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
+
+          # Commit version bump
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git add -A
+          git diff --cached --quiet || {
+            git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
+            git push origin HEAD 2>&1
+          }
+
+          # Auto-detect element via manifest_element.php
+          php ${MOKO_CLI}/manifest_element.php \
+            --path . --version "$VERSION" --stability "$STABILITY" \
+            --repo "${GITEA_REPO}" --github-output
+
+          # Read back element outputs
+          EXT_ELEMENT=$(grep '^ext_element=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
+          ZIP_NAME=$(grep '^zip_name=' "$GITHUB_OUTPUT" | tail -1 | cut -d= -f2)
+          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+          [ -z "$ZIP_NAME" ] && ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
+
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
+          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
+
+          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
+
+      - name: Create release
+        id: release
+        run: |
+          TAG="${{ steps.meta.outputs.tag }}"
+          VERSION="${{ steps.meta.outputs.version }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php ${MOKO_CLI}/release_create.php \
+            --path . --version "$VERSION" --tag "$TAG" \
+            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --repo "${GITEA_REPO}" --branch dev --prerelease
+
+      - name: Build package and upload
+        id: package
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          TAG="${{ steps.meta.outputs.tag }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          php ${MOKO_CLI}/release_package.php \
+            --path . --version "$VERSION" --tag "$TAG" \
+            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --repo "${GITEA_REPO}" --output /tmp || true
+
+      - name: Update updates.xml
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.package.outputs.sha256_zip }}"
+
+          if [ ! -f "updates.xml" ]; then
+            echo "No updates.xml -- skipping"
+            exit 0
+          fi
+
+          SHA_FLAG=""
+          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
+
+          php ${MOKO_CLI}/updates_xml_build.php \
+            --path . --version "${VERSION}" --stability "${STABILITY}" \
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            ${SHA_FLAG}
+
+          # Commit and push
+          if ! git diff --quiet updates.xml 2>/dev/null; then
+            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+            git config --local user.name "gitea-actions[bot]"
+            git add updates.xml
+            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
+            git push origin HEAD 2>&1 || echo "WARNING: push failed"
+          fi
+
+      - name: "Sync updates.xml to all branches"
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          CURRENT_BRANCH="${{ github.ref_name }}"
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+
+          for BRANCH in main dev; do
+            [ "$BRANCH" = "$CURRENT_BRANCH" ] && continue
+            echo "Syncing updates.xml -> ${BRANCH}"
+            git fetch origin "${BRANCH}" 2>/dev/null || continue
+            git checkout "origin/${BRANCH}" -- updates.xml 2>/dev/null || continue
+            git checkout "${CURRENT_BRANCH}" -- updates.xml
+            if ! git diff --quiet updates.xml 2>/dev/null; then
+              git add updates.xml
+              git commit -m "chore: sync updates.xml from ${CURRENT_BRANCH} [skip ci]"
+              git push origin HEAD:refs/heads/${BRANCH} 2>&1 || echo "WARNING: push to ${BRANCH} failed"
+            fi
+            git checkout "${CURRENT_BRANCH}" 2>/dev/null
+          done
+
+      - name: "Delete lesser pre-release channels (cascade)"
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+
+          php ${MOKO_CLI}/release_cascade.php \
+            --stability "${{ steps.meta.outputs.stability }}" \
+            --token "${TOKEN}" \
+            --api-base "${API_BASE}"
+
+      - name: Summary
+        if: always()
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
+          SHA256="${{ steps.package.outputs.sha256_zip }}"
+          echo "## Pre-Release Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Channel | ${STABILITY} |" >> $GITHUB_STEP_SUMMARY
+          echo "| Package | \`${ZIP_NAME}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| SHA-256 | \`${SHA256:-n/a}\` |" >> $GITHUB_STEP_SUMMARY
@@ -1,464 +1,304 @@
-# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
-#
-# SPDX-License-Identifier: GPL-3.0-or-later
-#
-# FILE INFORMATION
-# DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Joomla
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /templates/workflows/joomla/update-server.yml.template
-# VERSION: 04.06.00
-# BRIEF: Update Joomla update server XML feed with stable/rc/dev entries
-#
-# Writes updates.xml with multiple <update> entries:
-#   - <tag>stable</tag>     on push to main (from auto-release)
-#   - <tag>rc</tag>         on push to rc/**
-#   - <tag>development</tag> on push to dev or dev/**
-#
-# Joomla filters by user's "Minimum Stability" setting.
-
-name: "Joomla: Update Server"
-
-on:
-  push:
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  pull_request:
-    types: [closed]
-    branches:
-      - 'dev'
-      - 'dev/**'
-      - 'alpha/**'
-      - 'beta/**'
-      - 'rc/**'
-    paths:
-      - 'src/**'
-      - 'htdocs/**'
-  workflow_dispatch:
-    inputs:
-      stability:
-        description: 'Stability tag'
-        required: true
-        default: 'development'
-        type: choice
-        options:
-          - development
-          - alpha
-          - beta
-          - rc
-          - stable
-
-env:
-  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
-  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
-  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
-  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
-
-permissions:
-  contents: write
-
-jobs:
-  update-xml:
-    name: Update updates.xml
-    runs-on: release
-    if: >-
-      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          token: ${{ secrets.GA_TOKEN }}
-          fetch-depth: 0
-
-      - name: Setup MokoStandards tools
-        env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
-          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
-        run: |
-          if ! command -v composer &> /dev/null; then
-            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-          fi
-          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api 2>/dev/null || true
-          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
-            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
-          fi
-
-      - name: Generate updates.xml entry
-        id: update
-        run: |
-          BRANCH="${{ github.ref_name }}"
-          REPO="${{ github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null || echo "0.0.0")
-
-          # Auto-bump patch on all branches (dev, alpha, beta, rc)
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          BUMPED=$(php /tmp/mokostandards-api/cli/version_bump.php --path . 2>/dev/null || true)
-          if [ -n "$BUMPED" ]; then
-            VERSION=$(php /tmp/mokostandards-api/cli/version_read.php --path . 2>/dev/null || echo "$VERSION")
-            git add -A
-            git commit -m "chore(version): auto-bump patch ${VERSION} [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" 2>/dev/null || true
-            git push 2>/dev/null || true
-          fi
-
-          # Determine stability from branch or input
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            STABILITY="${{ inputs.stability }}"
-          elif [[ "$BRANCH" == rc/* ]]; then
-            STABILITY="rc"
-          elif [[ "$BRANCH" == beta/* ]]; then
-            STABILITY="beta"
-          elif [[ "$BRANCH" == alpha/* ]]; then
-            STABILITY="alpha"
-          elif [[ "$BRANCH" == dev/* ]] || [[ "$BRANCH" == "dev" ]]; then
-            STABILITY="development"
-          else
-            STABILITY="stable"
-          fi
-
-          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
-
-          # Parse manifest (portable — no grep -P)
-          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" ! -path "./build/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
-          if [ -z "$MANIFEST" ]; then
-            echo "No Joomla manifest found — skipping"
-            exit 0
-          fi
-
-          # Extract fields using sed (works on all runners)
-          EXT_NAME=$(sed -n 's/.*<name>\([^<]*\)<\/name>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" | head -1)
-          EXT_CLIENT=$(sed -n 's/.*<extension[^>]*client="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
-          EXT_VERSION=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" | head -1)
-          TARGET_PLATFORM=$(sed -n 's/.*\(<targetplatform[^/]*\/>\).*/\1/p' "$MANIFEST" | head -1)
-          PHP_MINIMUM=$(sed -n 's/.*<php_minimum>\([^<]*\)<\/php_minimum>.*/\1/p' "$MANIFEST" | head -1)
-
-          # Fallbacks
-          [ -z "$EXT_NAME" ] && EXT_NAME="${{ github.event.repository.name }}"
-          [ -z "$EXT_TYPE" ] && EXT_TYPE="component"
-
-          # Derive element if not in manifest: try XML filename, then repo name
-          if [ -z "$EXT_ELEMENT" ]; then
-            EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
-            case "$EXT_ELEMENT" in
-              templatedetails|manifest|*.xml) EXT_ELEMENT=$(echo "${{ github.event.repository.name }}" | tr '[:upper:]' '[:lower:]' | tr -d ' -') ;;
-            esac
-          fi
-
-          # Use manifest version if README version is empty
-          [ "$VERSION" = "0.0.0" ] && [ -n "$EXT_VERSION" ] && VERSION="$EXT_VERSION"
-
-          [ -z "$TARGET_PLATFORM" ] && TARGET_PLATFORM=$(printf '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" %s>' "/")
-
-          CLIENT_TAG=""
-          [ -n "$EXT_CLIENT" ] && CLIENT_TAG="<client>${EXT_CLIENT}</client>"
-          [ -z "$CLIENT_TAG" ] && ([ "$EXT_TYPE" = "module" ] || [ "$EXT_TYPE" = "plugin" ]) && CLIENT_TAG="<client>site</client>"
-
-          FOLDER_TAG=""
-          [ -n "$EXT_FOLDER" ] && [ "$EXT_TYPE" = "plugin" ] && FOLDER_TAG="<folder>${EXT_FOLDER}</folder>"
-
-          PHP_TAG=""
-          [ -n "$PHP_MINIMUM" ] && PHP_TAG="<php_minimum>${PHP_MINIMUM}</php_minimum>"
-
-          # Version suffix for non-stable
-          DISPLAY_VERSION="$VERSION"
-          case "$STABILITY" in
-            development) DISPLAY_VERSION="${VERSION}-dev" ;;
-            alpha)       DISPLAY_VERSION="${VERSION}-alpha" ;;
-            beta)        DISPLAY_VERSION="${VERSION}-beta" ;;
-            rc)          DISPLAY_VERSION="${VERSION}-rc" ;;
-          esac
-
-          MAJOR=$(echo "$VERSION" | awk -F. '{print $1}')
-
-          # Each stability level has its own release tag
-          case "$STABILITY" in
-            development) RELEASE_TAG="development" ;;
-            alpha)       RELEASE_TAG="alpha" ;;
-            beta)        RELEASE_TAG="beta" ;;
-            rc)          RELEASE_TAG="release-candidate" ;;
-            *)           RELEASE_TAG="v${MAJOR}" ;;
-          esac
-
-          PACKAGE_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.zip"
-          DOWNLOAD_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${PACKAGE_NAME}"
-          INFO_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}"
-
-          # -- Build install packages (ZIP + tar.gz) --------------------
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          if [ -d "$SOURCE_DIR" ]; then
-            EXCLUDES=".ftpignore sftp-config* *.ppk *.pem *.key .env*"
-            TAR_NAME="${EXT_ELEMENT}-${DISPLAY_VERSION}.tar.gz"
-
-            cd "$SOURCE_DIR"
-            zip -r "/tmp/${PACKAGE_NAME}" . -x $EXCLUDES
-            cd ..
-            tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR" \
-              --exclude='.ftpignore' --exclude='sftp-config*' \
-              --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
-
-            SHA256=$(sha256sum "/tmp/${PACKAGE_NAME}" | cut -d' ' -f1)
-
-            # Ensure release exists on Gitea
-            RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-              "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
-            RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
-            if [ -z "$RELEASE_ID" ]; then
-              # Create release
-              RELEASE_JSON=$(curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/json" \
-                "${API_BASE}/releases" \
-                -d "$(python3 -c "import json; print(json.dumps({
-                  'tag_name': '${RELEASE_TAG}',
-                  'name': '${RELEASE_TAG} (${DISPLAY_VERSION})',
-                  'body': '${STABILITY} release',
-                  'prerelease': True,
-                  'target_commitish': 'main'
-                }))")" 2>/dev/null || true)
-              RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-            fi
-
-            if [ -n "$RELEASE_ID" ]; then
-              # Delete existing assets with same name before uploading
-              ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
-              for ASSET_FILE in "$PACKAGE_NAME" "$TAR_NAME"; do
-                ASSET_ID=$(echo "$ASSETS" | python3 -c "
-          import sys,json
-          assets = json.load(sys.stdin)
-          for a in assets:
-              if a['name'] == '${ASSET_FILE}':
-                  print(a['id']); break
-          " 2>/dev/null || true)
-                if [ -n "$ASSET_ID" ]; then
-                  curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                    "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
-                fi
-              done
-
-              # Upload both formats
-              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/octet-stream" \
-                --data-binary @"/tmp/${PACKAGE_NAME}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${PACKAGE_NAME}" > /dev/null 2>&1 || true
-
-              curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-                -H "Content-Type: application/octet-stream" \
-                --data-binary @"/tmp/${TAR_NAME}" \
-                "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
-            fi
-
-            echo "Packages: ${PACKAGE_NAME} + ${TAR_NAME} (SHA: ${SHA256})" >> $GITHUB_STEP_SUMMARY
-          else
-            SHA256=""
-          fi
-
-          # -- Build the new entry (canonical format matching release.yml) --
-          NEW_ENTRY=""
-          NEW_ENTRY="${NEW_ENTRY}  <update>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <name>${EXT_NAME}</name>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <description>${EXT_NAME} ${STABILITY} build.</description>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <element>${EXT_ELEMENT}</element>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <type>${EXT_TYPE}</type>\n"
-          [ -n "$CLIENT_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${CLIENT_TAG}\n"
-          [ -n "$FOLDER_TAG" ] && NEW_ENTRY="${NEW_ENTRY}    ${FOLDER_TAG}\n"
-          NEW_ENTRY="${NEW_ENTRY}    <version>${VERSION}</version>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <creationDate>$(date +%Y-%m-%d)</creationDate>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <infourl title='${EXT_NAME}'>https://git.mokoconsulting.tech/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${RELEASE_TAG}</infourl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <downloads>\n"
-          NEW_ENTRY="${NEW_ENTRY}      <downloadurl type='full' format='zip'>${DOWNLOAD_URL}</downloadurl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    </downloads>\n"
-          [ -n "$SHA256" ] && NEW_ENTRY="${NEW_ENTRY}    <sha256>${SHA256}</sha256>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <tags><tag>${STABILITY}</tag></tags>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <maintainer>Moko Consulting</maintainer>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <maintainerurl>https://mokoconsulting.tech</maintainerurl>\n"
-          NEW_ENTRY="${NEW_ENTRY}    <targetplatform name='joomla' version='(5|6).*'/>\n"
-          [ -n "$PHP_MINIMUM" ] && NEW_ENTRY="${NEW_ENTRY}    <php_minimum>${PHP_MINIMUM}</php_minimum>\n"
-          NEW_ENTRY="${NEW_ENTRY}  </update>"
-
-          # -- Write new entry to temp file --------------------------------
-          printf '%b' "$NEW_ENTRY" > /tmp/new_entry.xml
-
-          # -- Merge into updates.xml ----------------------------------------
-          # Cascade: stable→all | rc→rc+lower | beta→beta+lower | alpha→alpha+dev | dev→dev
-          CASCADE_MAP="stable:development,alpha,beta,rc,stable rc:development,alpha,beta,rc beta:development,alpha,beta alpha:development,alpha development:development"
-          TARGETS=""
-          for entry in $CASCADE_MAP; do
-            key="${entry%%:*}"
-            vals="${entry#*:}"
-            if [ "$key" = "${STABILITY}" ]; then
-              TARGETS="$vals"
-              break
-            fi
-          done
-          [ -z "$TARGETS" ] && TARGETS="${STABILITY}"
-
-          echo "Cascade: ${STABILITY} → ${TARGETS}"
-
-          # Create updates.xml if missing
-          if [ ! -f "updates.xml" ]; then
-            printf '%s\n' "<?xml version='1.0' encoding='UTF-8'?>" > updates.xml
-            printf '%s\n' "<!-- Copyright (C) $(date +%Y) Moko Consulting -->" >> updates.xml
-            printf '%s\n' "<updates>" >> updates.xml
-            printf '%s\n' "</updates>" >> updates.xml
-          fi
-
-          # Update existing blocks or create missing ones
-          export PY_TARGETS="$TARGETS" PY_VERSION="$VERSION" PY_DATE="$(date +%Y-%m-%d)"
-          python3 << 'PYEOF'
-          import re, os
-
-          targets = os.environ["PY_TARGETS"].split(",")
-          version = os.environ["PY_VERSION"]
-          date = os.environ["PY_DATE"]
-
-          with open("updates.xml") as f:
-              content = f.read()
-          with open("/tmp/new_entry.xml") as f:
-              new_entry_template = f.read()
-
-          for tag in targets:
-              tag = tag.strip()
-              # Build entry with this tag's name
-              new_entry = re.sub(r"<tag>[^<]*</tag>", f"<tag>{tag}</tag>", new_entry_template)
-
-              # Try to find existing block (handles both single-line and multi-line <tags>)
-              block_pattern = r"(<update>(?:(?!</update>).)*?<tag>" + re.escape(tag) + r"</tag>.*?</update>)"
-              match = re.search(block_pattern, content, re.DOTALL)
-
-              if match:
-                  # Update in place — replace entire block
-                  content = content.replace(match.group(1), new_entry.strip())
-                  print(f"  UPDATED: <tag>{tag}</tag> → {version}")
-              else:
-                  # Create — insert before </updates>
-                  content = content.replace("</updates>", "\n" + new_entry.strip() + "\n\n</updates>")
-                  print(f"  CREATED: <tag>{tag}</tag> → {version}")
-
-          # Clean up excessive blank lines
-          content = re.sub(r"\n{3,}", "\n\n", content)
-
-          with open("updates.xml", "w") as f:
-              f.write(content)
-          PYEOF
-
-          # Commit
-          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
-          git config --local user.name "gitea-actions[bot]"
-          git add updates.xml
-          git diff --cached --quiet || {
-            git commit -m "chore: update updates.xml (${STABILITY}: ${DISPLAY_VERSION}) [skip ci]" \
-              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
-            git push
-          }
-
-      # -- Sync updates.xml to main (for non-main branches) ----------------------
-      - name: Sync updates.xml to main
-        if: github.ref_name != 'main'
-        run: |
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          GA_TOKEN="${{ secrets.GA_TOKEN }}"
-
-          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
-            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
-
-          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
-            CONTENT=$(base64 -w0 updates.xml)
-            curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
-              -H "Content-Type: application/json" \
-              "${API_BASE}/contents/updates.xml" \
-              -d "$(python3 -c "import json; print(json.dumps({
-                'content': '${CONTENT}',
-                'sha': '${FILE_SHA}',
-                'message': 'chore: sync updates.xml from ${STABILITY} [skip ci]',
-                'branch': 'main'
-              }))")" > /dev/null 2>&1 \
-              && echo "updates.xml synced to main (${STABILITY})" >> $GITHUB_STEP_SUMMARY \
-              || echo "WARNING: failed to sync updates.xml to main" >> $GITHUB_STEP_SUMMARY
-          else
-            echo "WARNING: could not get updates.xml SHA from main" >> $GITHUB_STEP_SUMMARY
-          fi
-
-      - name: SFTP deploy to dev server
-        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
-        env:
-          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
-          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
-          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
-          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
-          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
-          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
-          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
-        run: |
-          # -- Permission check: admin or maintain role required --------
-          ACTOR="${{ github.actor }}"
-          REPO="${{ github.repository }}"
-          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-
-          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
-            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
-            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
-          case "$PERMISSION" in
-            admin|maintain|write) ;;
-            *)
-              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
-              exit 0
-              ;;
-          esac
-
-          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
-
-          SOURCE_DIR="src"
-          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && exit 0
-
-          PORT="${DEV_PORT:-22}"
-          REMOTE="${DEV_PATH%/}"
-          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
-
-          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
-            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
-          if [ -n "$DEV_KEY" ]; then
-            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
-            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
-          else
-            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
-          fi
-
-          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
-            php /tmp/mokostandards-api/deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          elif [ -f "/tmp/mokostandards-api/deploy/deploy-sftp.php" ]; then
-            php /tmp/mokostandards-api/deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
-          fi
-          rm -f /tmp/deploy_key /tmp/sftp-config.json
-          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
-
-      - name: Summary
-        if: always()
-        run: |
-          echo "## Joomla Update Server" >> $GITHUB_STEP_SUMMARY
-          echo "" >> $GITHUB_STEP_SUMMARY
-          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
-          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Version | \`${DISPLAY_VERSION}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Element | \`${EXT_ELEMENT}\` |" >> $GITHUB_STEP_SUMMARY
-          echo "| Download | [ZIP](${DOWNLOAD_URL}) |" >> $GITHUB_STEP_SUMMARY
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /templates/workflows/update-server.yml
+# VERSION: 05.00.00
+# BRIEF: Pre-release build + update server XML for dev/alpha/beta/rc branches
+#
+# Thin wrapper around moko-platform CLI tools.
+# Builds packages, updates updates.xml, and optionally deploys via SFTP.
+#
+# Joomla filters update entries by the user's "Minimum Stability" setting.
+
+name: "Update Server"
+
+on:
+  push:
+    branches:
+      - 'dev'
+      - 'dev/**'
+      - 'alpha/**'
+      - 'beta/**'
+      - 'rc/**'
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  pull_request:
+    types: [closed]
+    branches:
+      - 'dev'
+      - 'dev/**'
+      - 'alpha/**'
+      - 'beta/**'
+      - 'rc/**'
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  workflow_dispatch:
+    inputs:
+      stability:
+        description: 'Stability tag'
+        required: true
+        default: 'development'
+        type: choice
+        options:
+          - development
+          - alpha
+          - beta
+          - rc
+          - stable
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+
+jobs:
+  update-xml:
+    name: Update Server
+    runs-on: release
+    if: >-
+      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch' || github.event_name == 'push'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GA_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"http-basic":{"git.mokoconsulting.tech":{"username":"token","password":"${{ secrets.GA_TOKEN }}"}}}'
+        run: |
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          if [ -d "/tmp/moko-platform" ]; then
+            echo "moko-platform already available — skipping clone"
+          else
+            git clone --depth 1 --branch main --quiet \
+              "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+              /tmp/moko-platform 2>/dev/null || true
+          fi
+          if [ -d "/tmp/moko-platform" ] && [ -f "/tmp/moko-platform/composer.json" ]; then
+            cd /tmp/moko-platform && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+          fi
+          echo "MOKO_CLI=/tmp/moko-platform/cli" >> "$GITHUB_ENV"
+
+      - name: Detect platform
+        id: platform
+        run: php ${MOKO_CLI}/manifest_read.php --path . --github-output
+
+      - name: Resolve stability and bump version
+        id: meta
+        run: |
+          BRANCH="${{ github.ref_name }}"
+
+          # Auto-bump patch version
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          php ${MOKO_CLI}/version_bump.php --path . 2>/dev/null || true
+
+          VERSION=$(php ${MOKO_CLI}/version_read.php --path . 2>/dev/null || echo "0.0.0")
+
+          # Propagate version to all manifest files
+          php ${MOKO_CLI}/version_set_platform.php --path . --version "$VERSION" --branch "$BRANCH" 2>/dev/null || true
+          php ${MOKO_CLI}/version_check.php --path . --fix 2>/dev/null || true
+
+          # Determine stability from branch or manual input
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            STABILITY="${{ inputs.stability }}"
+          elif [[ "$BRANCH" == rc/* ]]; then
+            STABILITY="rc"
+          elif [[ "$BRANCH" == beta/* ]]; then
+            STABILITY="beta"
+          elif [[ "$BRANCH" == alpha/* ]]; then
+            STABILITY="alpha"
+          else
+            STABILITY="development"
+          fi
+
+          # Version suffix
+          case "$STABILITY" in
+            development) SUFFIX="-dev";  TAG="development" ;;
+            alpha)       SUFFIX="-alpha"; TAG="alpha" ;;
+            beta)        SUFFIX="-beta";  TAG="beta" ;;
+            rc)          SUFFIX="-rc";    TAG="release-candidate" ;;
+            *)           SUFFIX="";       TAG="stable" ;;
+          esac
+
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "display_version=${VERSION}${SUFFIX}" >> "$GITHUB_OUTPUT"
+
+          # Commit version bump if changed
+          git add -A
+          git diff --cached --quiet || {
+            git commit -m "chore(version): auto-bump ${VERSION} [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+            git push
+          }
+
+      - name: Create release and upload package
+        id: package
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          TAG="${{ steps.meta.outputs.tag }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Create or update Gitea release
+          php ${MOKO_CLI}/release_create.php \
+            --path . --version "$VERSION" --tag "$TAG" \
+            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
+
+          # Build package and upload
+          php ${MOKO_CLI}/release_package.php \
+            --path . --version "$VERSION" --tag "$TAG" \
+            --token "${{ secrets.GA_TOKEN }}" --api-base "$API_BASE" \
+            --repo "${GITEA_REPO}" --output /tmp || true
+
+      - name: Update updates.xml
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.package.outputs.sha256_zip }}"
+
+          if [ ! -f "updates.xml" ]; then
+            echo "No updates.xml — skipping"
+            exit 0
+          fi
+
+          SHA_FLAG=""
+          [ -n "$SHA256" ] && SHA_FLAG="--sha ${SHA256}"
+
+          php ${MOKO_CLI}/updates_xml_build.php \
+            --path . --version "${VERSION}" --stability "${STABILITY}" \
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            ${SHA_FLAG}
+
+          # Commit and push updates.xml
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git add updates.xml
+          git diff --cached --quiet || {
+            git commit -m "chore: update ${STABILITY} channel ${VERSION} [skip ci]"
+            git push
+          }
+
+      - name: Sync updates.xml to main
+        if: github.ref_name != 'main' && steps.platform.outputs.platform == 'joomla'
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          GA_TOKEN="${{ secrets.GA_TOKEN }}"
+
+          FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+            "${API_BASE}/contents/updates.xml?ref=main" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+
+          if [ -n "$FILE_SHA" ] && [ -f "updates.xml" ]; then
+            python3 -c "
+          import base64, json, urllib.request, sys
+          with open('updates.xml', 'rb') as f:
+              content = base64.b64encode(f.read()).decode()
+          payload = json.dumps({
+              'content': content,
+              'sha': '${FILE_SHA}',
+              'message': 'chore: sync updates.xml from ${{ steps.meta.outputs.stability }} [skip ci]',
+              'branch': 'main'
+          }).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/contents/updates.xml',
+              data=payload, method='PUT',
+              headers={
+                  'Authorization': 'token ${GA_TOKEN}',
+                  'Content-Type': 'application/json'
+              })
+          try:
+              urllib.request.urlopen(req)
+              print('updates.xml synced to main')
+          except Exception as e:
+              print(f'WARNING: sync to main failed: {e}', file=sys.stderr)
+          "
+          fi
+
+      - name: SFTP deploy to dev server
+        if: contains(github.ref, 'dev/') || github.ref == 'refs/heads/dev'
+        env:
+          DEV_HOST: ${{ vars.DEV_FTP_HOST }}
+          DEV_PATH: ${{ vars.DEV_FTP_PATH }}
+          DEV_SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
+          DEV_USER: ${{ vars.DEV_FTP_USERNAME }}
+          DEV_PORT: ${{ vars.DEV_FTP_PORT }}
+          DEV_KEY: ${{ secrets.DEV_FTP_KEY }}
+          DEV_PASS: ${{ secrets.DEV_FTP_PASSWORD }}
+        run: |
+          # Permission check: admin or maintain role required
+          ACTOR="${{ github.actor }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          PERMISSION=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/collaborators/${ACTOR}/permission" 2>/dev/null | \
+            python3 -c "import sys,json; print(json.load(sys.stdin).get('permission','read'))" 2>/dev/null || echo "read")
+          case "$PERMISSION" in
+            admin|maintain|write) ;;
+            *)
+              echo "Deploy denied: ${ACTOR} has '${PERMISSION}' — requires admin, maintain, or write"
+              exit 0
+              ;;
+          esac
+
+          [ -z "$DEV_HOST" ] || [ -z "$DEV_PATH" ] && { echo "DEV FTP not configured — skipping SFTP"; exit 0; }
+
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && exit 0
+
+          PORT="${DEV_PORT:-22}"
+          REMOTE="${DEV_PATH%/}"
+          [ -n "$DEV_SUFFIX" ] && REMOTE="${REMOTE}/${DEV_SUFFIX#/}"
+
+          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
+            "$DEV_HOST" "$PORT" "$DEV_USER" "$REMOTE" > /tmp/sftp-config.json
+          if [ -n "$DEV_KEY" ]; then
+            echo "$DEV_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
+            printf ',"privateKeyPath":"/tmp/deploy_key"}' >> /tmp/sftp-config.json
+          else
+            printf ',"password":"%s"}' "$DEV_PASS" >> /tmp/sftp-config.json
+          fi
+
+          PLATFORM=$(php ${MOKO_CLI}/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "${MOKO_CLI}/../deploy/deploy-joomla.php" ]; then
+            php ${MOKO_CLI}/../deploy/deploy-joomla.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+          elif [ -f "${MOKO_CLI}/../deploy/deploy-sftp.php" ]; then
+            php ${MOKO_CLI}/../deploy/deploy-sftp.php --path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json
+          fi
+          rm -f /tmp/deploy_key /tmp/sftp-config.json
+          echo "SFTP deploy to dev complete" >> $GITHUB_STEP_SUMMARY
+
+      - name: Summary
+        if: always()
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          DISPLAY="${{ steps.meta.outputs.display_version }}"
+          echo "## Update Server" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Field | Value |" >> $GITHUB_STEP_SUMMARY
+          echo "|-------|-------|" >> $GITHUB_STEP_SUMMARY
+          echo "| Stability | \`${STABILITY}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Version | \`${DISPLAY}\` |" >> $GITHUB_STEP_SUMMARY
@@ -27,10 +27,70 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

+### Changed
+- Migrated all workflow and template paths from `.github/` to `.mokogitea/`
+- Template source paths updated: `templates/gitea/` to `templates/mokogitea/`
+- HCL definition files removed -- Template repos are now the canonical source
+
+### Added
+- `branch-cleanup.yml`: auto-delete merged feature branches after PR merge
+
 ### Planned
 - License/subscription check
 - System email template branding (DB approach)

+### Added
+- Trusted IPs: configurable repeatable rows of IP addresses, CIDR ranges, and wildcards that bypass admin session timeout
+- Supports exact IPs (192.168.1.100), CIDR (10.0.0.0/24), and wildcards (192.168.1.*)
+- Each entry has a label and enabled toggle for easy management
+- Current IP display above trusted IPs table so admins can easily add their own IP
+
+### Fixed
+- Trusted IP session bypass: moved from `onAfterInitialise` to `boot()` so Joomla's session lifetime is extended before the session handler validates it (was too late, Joomla expired the session first)
+- updates.xml: removed stale pre-release entries pointing to non-existent dev artifacts, legacy plugin update entry that caused stable sites to attempt dev downloads
+- Removed duplicate `<updateservers>` from inner plugin manifest — only the package-level manifest should register the update server
+- Auto-cleanup of stale plugin-level update site entries on install/update (cleans `#__update_sites` and `#__update_sites_extensions`)
+
+## [02.06.00] - 2026-05-25
+
+### Added
+- Alias offline bypass: aliases with offline=No override Joomla's global offline setting, allowing access via alias domain while main site is down
+- Block non-master users from viewing or editing MokoWaaS plugin settings
+- Master user bypasses ALL tenant restrictions (install from URL, global config, sysinfo, installer, templates)
+- Admin Help menu redirected to configured support URL (replaces help.joomla.org)
+
+### Fixed
+- Install API endpoint: extract ZIP to temp directory before passing to Joomla Installer (was passing ZIP path directly)
+- Clean up extracted temp directory on success or failure
+- Update site disabled by Joomla when protected=1 — ensureProtectedFlag() now re-enables it
+- CI: auto-release fetches updates.xml from main before building (preserves all channels)
+- CI: version_check.php --fix runs after version bump in both workflows
+- CI: checksums attached as `[filename].sha256` files instead of in release body
+- CI: auto-release cleaned up — removed duplicate asset loops, inline Python updater, dead code
+- CI: Step 8b uses `release_body_update.php` CLI instead of inline Python
+- CI: Step 6 tag creation no longer gated by `is_minor` (was never set)
+
+### Changed
+- CI: auto-release uses stream tag `stable` instead of version tag `vXX`
+- CI: pre-release package build uses absolute paths (fixes relative path zip error)
+
+## [02.05.00] - 2026-05-24
+
+### Added
+- Joomla `protected=1` flag on all MokoWaaS extensions (framework-level disable/uninstall prevention)
+- Self-healing protected flag — restored each admin session if cleared
+- Block non-master disable via plugin list toggle (`plugins.publish`)
+- Package script sets `protected=1, locked=0` on every install/update
+- Legacy plugin entry in updates.xml for sites upgrading from standalone plugin
+
+### Fixed
+- CI: auto-release workflow `pkg_pkg_` duplication in release names, ZIP filenames, and SHA256 paths
+- CI: auto-release now strips existing type prefix and uses `<packagename>` for packages
+- CI: `updates_xml_build` was cascading entries for all lower channels on stable release — now writes only current channel
+- CI: `targetplatform` regex `((5.[0-9])|(6.[0-9]))` caused Gitea 500 on XML render — simplified to `(5|6)\..*`
+- updates.xml stable entry now has correct `<tag>stable</tag>` and download URL
+- README slimmed to overview, detailed content moved to wiki
+
 ## [02.03.10] - 2026-05-24

 ### Added
@@ -9,7 +9,7 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS
 REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.04.00
+ VERSION: 02.13.00
 PATH: /README.md
 BRIEF: MokoWaaS platform plugin for Joomla
 -->
@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.04.00</version>
+	<version>02.13.00</version>
 	<description>Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups.</description>
 	<namespace path="api/src">Moko\Component\MokoWaaS\Api</namespace>
 	<administration>
@@ -31,6 +31,7 @@ namespace Moko\Plugin\System\MokoWaaS\Extension;

 defined('_JEXEC') or die;

+use Joomla\CMS\Extension\BootableExtensionInterface;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Log\Log;
 use Joomla\CMS\Plugin\CMSPlugin;
@@ -38,6 +39,7 @@ use Joomla\CMS\Router\Route;
 use Joomla\CMS\Language\Language;
 use Joomla\CMS\Uri\Uri;
 use Joomla\CMS\User\UserHelper;
+use Psr\Container\ContainerInterface;

 /**
 * MokoWaaS Brand System Plugin
@@ -47,7 +49,7 @@ use Joomla\CMS\User\UserHelper;
 *
 * @since  01.04.00
 */
-class MokoWaaS extends CMSPlugin
+class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 {
 	/**
 	 * Obfuscated Grafana URL (XOR + base64).
@@ -114,6 +116,37 @@ class MokoWaaS extends CMSPlugin
 	 */
 	protected $app;

+	/**
+	 * Boot the extension — runs BEFORE Joomla creates the session.
+	 *
+	 * Extends the Joomla session lifetime for trusted IPs so the
+	 * session handler does not destroy the session before
+	 * onAfterInitialise can run.
+	 *
+	 * @param   ContainerInterface  $container  The DI container.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.11.00
+	 */
+	public function boot(ContainerInterface $container): void
+	{
+		$timeout = (int) $this->params->get('admin_session_timeout', 0);
+
+		if ($timeout <= 0)
+		{
+			return;
+		}
+
+		if ($this->ipIsTrusted())
+		{
+			// Set both PHP and Joomla session lifetimes before the
+			// session handler runs its expiry check.
+			ini_set('session.gc_maxlifetime', 315360000);
+			Factory::getConfig()->set('lifetime', 525600);
+		}
+	}
+
 	/**
 	 * Event triggered after the framework has loaded and the application initialise method has been called.
 	 *
@@ -653,7 +686,7 @@ class MokoWaaS extends CMSPlugin
 		return [
 			'{{BRAND_NAME}}'   => $this->params->get('brand_name', 'MokoWaaS'),
 			'{{COMPANY_NAME}}' => $this->params->get('company_name', 'Moko Consulting'),
-			'{{SUPPORT_URL}}'  => $this->params->get('support_url', 'https://mokoconsulting.tech'),
+			'{{SUPPORT_URL}}'  => $this->params->get('support_url', 'https://mokoconsulting.tech/support'),
 		];
 	}

@@ -936,6 +969,7 @@ class MokoWaaS extends CMSPlugin
 		}

 		$this->injectFavicon($doc);
+		$this->redirectHelpMenu($doc);

 		// Hide MokoWaaS from plugin list for non-master users
 		if (!$this->isMasterUser())
@@ -975,6 +1009,32 @@ class MokoWaaS extends CMSPlugin
 		");
 	}

+	/**
+	 * Redirect the admin Help menu link to the configured support URL.
+	 *
+	 * Joomla's Atum template hardcodes the Help link to help.joomla.org.
+	 * This replaces it with the WaaS support URL via JS injection.
+	 *
+	 * @param   \Joomla\CMS\Document\HtmlDocument  $doc  Document object
+	 *
+	 * @return  void
+	 *
+	 * @since   02.10.00
+	 */
+	protected function redirectHelpMenu($doc)
+	{
+		$supportUrl = $this->params->get('support_url', 'https://mokoconsulting.tech/support');
+
+		$doc->addScriptDeclaration("
+			document.addEventListener('DOMContentLoaded', function() {
+				document.querySelectorAll('a[href*=\"help.joomla.org\"], a[href*=\"docs.joomla.org\"]').forEach(function(link) {
+					link.href = " . json_encode($supportUrl) . ";
+					link.target = '_blank';
+				});
+			});
+		");
+	}
+
 	/**
 	 * Protect the plugin from being disabled or uninstalled by non-master users.
 	 * Does NOT self-heal (no lock) — master users can still disable if needed.
@@ -1025,6 +1085,31 @@ class MokoWaaS extends CMSPlugin
 				$this->app->redirect('index.php?option=com_plugins');
 			}
 		}
+
+		// Block non-master from viewing or editing MokoWaaS plugin settings
+		if ($option === 'com_plugins')
+		{
+			$view       = $this->app->input->get('view', '');
+			$layout     = $this->app->input->get('layout', '');
+			$extensionId = (int) $this->app->input->get('extension_id', 0);
+
+			if (($view === 'plugin' || $layout === 'edit') && $extensionId > 0)
+			{
+				$db    = Factory::getDbo();
+				$query = $db->getQuery(true)
+					->select('COUNT(*)')
+					->from($db->quoteName('#__extensions'))
+					->where($db->quoteName('extension_id') . ' = ' . $extensionId)
+					->where($db->quoteName('element') . ' = ' . $db->quote('mokowaas'))
+					->where($db->quoteName('type') . ' = ' . $db->quote('plugin'));
+
+				if ((int) $db->setQuery($query)->loadResult() > 0)
+				{
+					$this->app->enqueueMessage('MokoWaaS settings are restricted to the master user.', 'warning');
+					$this->app->redirect('index.php?option=com_plugins');
+				}
+			}
+		}
 	}

 	/**
@@ -1042,6 +1127,8 @@ class MokoWaaS extends CMSPlugin
 		try
 		{
 			$db = Factory::getDbo();
+
+			// Set protected=1, locked=0 on MokoWaaS extensions
 			$query = $db->getQuery(true)
 				->update($db->quoteName('#__extensions'))
 				->set($db->quoteName('protected') . ' = 1')
@@ -1051,6 +1138,18 @@ class MokoWaaS extends CMSPlugin
 				->where($db->quoteName('protected') . ' = 0');
 			$db->setQuery($query);
 			$db->execute();
+
+			// Ensure update site stays enabled (protected extensions get their update site disabled by Joomla)
+			$query = $db->getQuery(true)
+				->update($db->quoteName('#__update_sites') . ' AS us')
+				->join('INNER', $db->quoteName('#__update_sites_extensions') . ' AS use2 ON us.update_site_id = use2.update_site_id')
+				->join('INNER', $db->quoteName('#__extensions') . ' AS e ON use2.extension_id = e.extension_id')
+				->set('us.enabled = 1')
+				->where('us.enabled = 0')
+				->where('(' . $db->quoteName('e.element') . ' = ' . $db->quote('mokowaas')
+					. ' OR ' . $db->quoteName('e.element') . ' = ' . $db->quote('pkg_mokowaas') . ')');
+			$db->setQuery($query);
+			$db->execute();
 		}
 		catch (\Throwable $e)
 		{
@@ -2747,11 +2846,36 @@ class MokoWaaS extends CMSPlugin

 			file_put_contents($tmpFile, $zipData);

+			// Extract ZIP to temp directory
+			$extractDir = $this->app->getConfig()->get('tmp_path', JPATH_ROOT . '/tmp')
+				. '/mokowaas_extract_' . md5($url);
+
+			if (is_dir($extractDir))
+			{
+				$this->rmdirRecursive($extractDir);
+			}
+
+			mkdir($extractDir, 0755, true);
+
+			$zip = new \ZipArchive();
+
+			if ($zip->open($tmpFile) !== true)
+			{
+				@unlink($tmpFile);
+				$this->sendHealthResponse(500, ['error' => 'Failed to open ZIP']);
+
+				return;
+			}
+
+			$zip->extractTo($extractDir);
+			$zip->close();
+			@unlink($tmpFile);
+
 			// Install using Joomla's installer
 			$installer = \Joomla\CMS\Installer\Installer::getInstance();
-			$result    = $installer->install($tmpFile);
+			$result    = $installer->install($extractDir);

-			@unlink($tmpFile);
+			$this->rmdirRecursive($extractDir);

 			if ($result)
 			{
@@ -2774,6 +2898,11 @@ class MokoWaaS extends CMSPlugin
 		{
 			@unlink($tmpFile ?? '');

+			if (!empty($extractDir) && is_dir($extractDir))
+			{
+				$this->rmdirRecursive($extractDir);
+			}
+
 			$this->sendHealthResponse(500, [
 				'error'   => 'Install exception',
 				'message' => $e->getMessage(),
@@ -2782,6 +2911,42 @@ class MokoWaaS extends CMSPlugin
 		}
 	}

+	/**
+	 * Recursively remove a directory.
+	 *
+	 * @param   string  $dir  Directory path
+	 *
+	 * @return  void
+	 *
+	 * @since   02.06.00
+	 */
+	protected function rmdirRecursive(string $dir): void
+	{
+		if (!is_dir($dir))
+		{
+			return;
+		}
+
+		$items = new \RecursiveIteratorIterator(
+			new \RecursiveDirectoryIterator($dir, \FilesystemIterator::SKIP_DOTS),
+			\RecursiveIteratorIterator::CHILD_FIRST
+		);
+
+		foreach ($items as $item)
+		{
+			if ($item->isDir())
+			{
+				rmdir($item->getPathname());
+			}
+			else
+			{
+				unlink($item->getPathname());
+			}
+		}
+
+		rmdir($dir);
+	}
+
 	// ------------------------------------------------------------------
 	// Site Alias handling
 	// ------------------------------------------------------------------
@@ -2944,25 +3109,33 @@ class MokoWaaS extends CMSPlugin
 		}

 		// Offline: use Joomla's native offline mode for frontend requests
-		if (!empty($alias->offline) && (string) $alias->offline === '1'
-			&& $this->app->isClient('site'))
+		if ($this->app->isClient('site'))
 		{
-			// Allow health API to still respond
-			if ($this->app->input->get('mokowaas', '') !== '')
+			if (!empty($alias->offline) && (string) $alias->offline === '1')
 			{
-				return;
+				// Allow health API to still respond
+				if ($this->app->input->get('mokowaas', '') !== '')
+				{
+					return;
+				}
+
+				// Set custom offline message if provided
+				$message = $alias->offline_message ?? '';
+
+				if (!empty($message))
+				{
+					$this->app->getConfig()->set('offline_message', $message);
+				}
+
+				// Enable Joomla's native offline mode
+				$this->app->getConfig()->set('offline', 1);
 			}
-
-			// Set custom offline message if provided
-			$message = $alias->offline_message ?? '';
-
-			if (!empty($message))
+			else
 			{
-				$this->app->getConfig()->set('offline_message', $message);
+				// Alias is NOT offline — override Joomla's global offline setting
+				// This allows access via the alias domain even when the main site is offline
+				$this->app->getConfig()->set('offline', 0);
 			}
-
-			// Enable Joomla's native offline mode — renders through the template's offline.php
-			$this->app->getConfig()->set('offline', 1);
 		}
 	}

@@ -3203,6 +3376,12 @@ class MokoWaaS extends CMSPlugin
 			return;
 		}

+		// Trusted IPs — session lifetime already extended in boot()
+		if ($this->ipIsTrusted())
+		{
+			return;
+		}
+
 		$session  = Factory::getSession();
 		$lastHit  = $session->get('mokowaas.last_activity', 0);
 		$now      = time();
@@ -3220,6 +3399,93 @@ class MokoWaaS extends CMSPlugin
 		$session->set('mokowaas.last_activity', $now);
 	}

+	/**
+	 * Check whether the current request IP matches any trusted IP entry.
+	 *
+	 * Supports exact IPs, CIDR notation (e.g. 10.0.0.0/8), and
+	 * wildcard patterns (e.g. 192.168.1.*).
+	 *
+	 * @return  bool  True if the current IP is in the trusted list.
+	 *
+	 * @since   02.11.00
+	 */
+	protected function ipIsTrusted(): bool
+	{
+		$entries = $this->params->get('trusted_ips', '');
+
+		if (empty($entries))
+		{
+			return false;
+		}
+
+		// Subform stores as JSON string or array
+		if (\is_string($entries))
+		{
+			$entries = json_decode($entries, true);
+		}
+
+		if (!\is_array($entries))
+		{
+			return false;
+		}
+
+		$ip     = $this->app
+			? $this->app->input->server->getString('REMOTE_ADDR', '')
+			: ($_SERVER['REMOTE_ADDR'] ?? '');
+		$ipLong = ip2long($ip);
+
+		if ($ipLong === false)
+		{
+			return false;
+		}
+
+		foreach ($entries as $entry)
+		{
+			if (empty($entry['enabled']) || empty($entry['ip']))
+			{
+				continue;
+			}
+
+			$range = trim($entry['ip']);
+
+			// Wildcard: 192.168.1.*
+			if (str_contains($range, '*'))
+			{
+				$pattern = '/^' . str_replace(['.', '*'], ['\\.', '\\d+'], $range) . '$/';
+
+				if (preg_match($pattern, $ip))
+				{
+					return true;
+				}
+
+				continue;
+			}
+
+			// CIDR: 10.0.0.0/8
+			if (str_contains($range, '/'))
+			{
+				[$subnet, $bits] = explode('/', $range, 2);
+				$subnetLong      = ip2long($subnet);
+				$mask            = -1 << (32 - (int) $bits);
+
+				if ($subnetLong !== false && ($ipLong & $mask) === ($subnetLong & $mask))
+				{
+					return true;
+				}
+
+				continue;
+			}
+
+			// Exact match
+			if ($ip === $range)
+			{
+				return true;
+			}
+		}
+
+		return false;
+	}
+

 	/**
 	 * Override Joomla upload restrictions at runtime.
@@ -3328,12 +3594,18 @@ class MokoWaaS extends CMSPlugin
 	 */
 	protected function enforceAdminRestrictions()
 	{
+		// Master user bypasses ALL restrictions
+		if ($this->isMasterUser())
+		{
+			return;
+		}
+
 		$input  = $this->app->input;
 		$option = $input->get('option', '');
 		$view   = $input->get('view', '');
 		$task   = $input->get('task', '');

-		// Disable install-from-URL for ALL users (safety net)
+		// Disable install-from-URL for non-master users
 		if ($this->params->get('disable_install_url', 1)
 			&& $option === 'com_installer'
 			&& stripos($task, 'install') !== false
@@ -3344,12 +3616,6 @@ class MokoWaaS extends CMSPlugin
 			return;
 		}

-		// Remaining restrictions only apply to non-master users
-		if ($this->isMasterUser())
-		{
-			return;
-		}
-
 		$blocked = [];

 		if ($this->params->get('restrict_installer', 1))
@@ -0,0 +1,40 @@
+<?php
+/**
+ * Copyright (C) 2025 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-LICENSE-IDENTIFIER: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: Joomla.Plugin
+ * INGROUP: MokoWaaS
+ * VERSION: 02.11.00
+ * PATH: /src/Field/CurrentIpField.php
+ * BRIEF: Read-only field that displays the current user's IP address
+ */
+
+namespace Moko\Plugin\System\MokoWaaS\Field;
+
+defined('_JEXEC') or die;
+
+use Joomla\CMS\Form\FormField;
+
+class CurrentIpField extends FormField
+{
+	protected $type = 'CurrentIp';
+
+	protected function getInput()
+	{
+		$currentIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+
+		return '<div class="alert alert-info mb-0 py-2">'
+			. '<strong>Your current IP:</strong> '
+			. '<code>' . htmlspecialchars($currentIp) . '</code> '
+			. '<small class="text-muted">&mdash; add this to the table below to keep your session alive.</small>'
+			. '</div>';
+	}
+
+	protected function getLabel()
+	{
+		return '';
+	}
+}
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<form>
+	<field
+		name="ip"
+		type="text"
+		label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_LABEL"
+		description="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_DESC"
+		required="true"
+		hint="e.g. 192.168.1.100 or 10.0.0.0/24"
+		/>
+	<field
+		name="label"
+		type="text"
+		label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_LABEL"
+		description="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_DESC"
+		hint="e.g. Office network"
+		/>
+	<field
+		name="enabled"
+		type="radio"
+		label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ENABLED_LABEL"
+		default="1"
+		class="btn-group btn-group-yesno"
+		>
+		<option value="1">JYES</option>
+		<option value="0">JNO</option>
+	</field>
+</form>
@@ -120,6 +120,13 @@ PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_LABEL="Force HTTPS"
 PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_DESC="Redirect all HTTP requests to HTTPS. Supports reverse proxy setups."
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_LABEL="Admin Session Timeout"
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_DESC="Minutes of idle time before admin sessions expire. 0 uses the Joomla default."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_LABEL="Trusted IPs (No Session Timeout)"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_DESC="Sessions from these IP addresses or ranges will never time out. Supports exact IPs, CIDR notation (e.g. 10.0.0.0/24), and wildcards (e.g. 192.168.1.*)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_LABEL="IP / CIDR"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_DESC="An IP address, CIDR range, or wildcard pattern."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_LABEL="Label"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_DESC="A descriptive label for this entry (e.g. Office, VPN)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ENABLED_LABEL="Enabled"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_LABEL="Minimum Password Length"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_DESC="Minimum number of characters required for user passwords."
 PLG_SYSTEM_MOKOWAAS_PASSWORD_UPPER_LABEL="Require Uppercase"
@@ -120,6 +120,13 @@ PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_LABEL="Force HTTPS"
 PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_DESC="Redirect all HTTP requests to HTTPS. Supports reverse proxy setups."
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_LABEL="Admin Session Timeout"
 PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_DESC="Minutes of idle time before admin sessions expire. 0 uses the Joomla default."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_LABEL="Trusted IPs (No Session Timeout)"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_DESC="Sessions from these IP addresses or ranges will never time out. Supports exact IPs, CIDR notation (e.g. 10.0.0.0/24), and wildcards (e.g. 192.168.1.*)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_LABEL="IP / CIDR"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ADDR_DESC="An IP address, CIDR range, or wildcard pattern."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_LABEL="Label"
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_LABEL_DESC="A descriptive label for this entry (e.g. Office, VPN)."
+PLG_SYSTEM_MOKOWAAS_TRUSTED_IP_ENABLED_LABEL="Enabled"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_LABEL="Minimum Password Length"
 PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_DESC="Minimum number of characters required for user passwords."
 PLG_SYSTEM_MOKOWAAS_PASSWORD_UPPER_LABEL="Require Uppercase"
@@ -30,16 +30,11 @@
 	<license>GNU General Public License version 3 or later; see LICENSE.md</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.04.00</version>
+	<version>02.13.00</version>
 	<description>This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.</description>
 	<namespace path=".">Moko\Plugin\System\MokoWaaS</namespace>
 	<scriptfile>script.php</scriptfile>

-	<!-- Update server configuration -->
-	<updateservers>
-		<server type="extension" priority="1" name="MokoWaaS Update Server (Gitea)">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/raw/branch/main/updates.xml</server>
-	</updateservers>
-
 	<files>
 		<filename plugin="mokowaas">script.php</filename>
 		<folder>Extension</folder>
@@ -108,7 +103,7 @@
 					type="url"
 					label="PLG_SYSTEM_MOKOWAAS_SUPPORT_URL_LABEL"
 					description="PLG_SYSTEM_MOKOWAAS_SUPPORT_URL_DESC"
-					default="https://mokoconsulting.tech"
+					default="https://mokoconsulting.tech/support"
 					/>
 			</fieldset>
 			<fieldset name="waas_access"
@@ -310,6 +305,7 @@
 			<fieldset name="security"
 				label="PLG_SYSTEM_MOKOWAAS_FIELDSET_SECURITY_LABEL"
 				description="PLG_SYSTEM_MOKOWAAS_FIELDSET_SECURITY_DESC"
+				addfieldprefix="Moko\Plugin\System\MokoWaaS\Field"
 				>
 				<field name="force_https" type="radio" default="1"
 					label="PLG_SYSTEM_MOKOWAAS_FORCE_HTTPS_LABEL"
@@ -322,6 +318,22 @@
 					label="PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_LABEL"
 					description="PLG_SYSTEM_MOKOWAAS_SESSION_TIMEOUT_DESC"
 					default="60" hint="Minutes (0 = Joomla default)" />
+				<field
+					name="current_ip_display"
+					type="CurrentIp"
+					label=""
+					/>
+				<field
+					name="trusted_ips"
+					type="subform"
+					label="PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_LABEL"
+					description="PLG_SYSTEM_MOKOWAAS_TRUSTED_IPS_DESC"
+					formsource="plugins/system/mokowaas/forms/trusted_ip_entry.xml"
+					multiple="true"
+					layout="joomla.form.field.subform.repeatable-table"
+					groupByFieldset="false"
+					buttons="add,remove,move"
+					/>
 				<field name="password_min_length" type="number" default="12"
 					label="PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_LABEL"
 					description="PLG_SYSTEM_MOKOWAAS_PASSWORD_LENGTH_DESC" />
@@ -123,6 +123,7 @@ class plgSystemMokoWaaSInstallerScript implements InstallerScriptInterface
 		if ($type === 'install' || $type === 'update')
 		{
 			$this->enableAndLockPlugin();
+			$this->cleanupPluginUpdateSite();
 			$this->ensureMokoCassiopeia();
 			$this->installLanguageOverrides();
 			$this->updateLoginSupportUrls();
@@ -210,6 +211,77 @@ class plgSystemMokoWaaSInstallerScript implements InstallerScriptInterface
 		$db->execute();
 	}

+	/**
+	 * Remove the plugin-level update site so only the package-level one remains.
+	 *
+	 * Earlier versions registered an update server in the plugin manifest
+	 * (plg_system_mokowaas) in addition to the package manifest (pkg_mokowaas).
+	 * This caused Joomla to check for plugin-level updates that don't exist,
+	 * leading to failed downloads. Only the package update site should exist.
+	 *
+	 * @return  void
+	 *
+	 * @since   02.11.02
+	 */
+	private function cleanupPluginUpdateSite()
+	{
+		$db = Factory::getDbo();
+
+		// Find the extension_id for the plugin
+		$query = $db->getQuery(true)
+			->select($db->quoteName('extension_id'))
+			->from($db->quoteName('#__extensions'))
+			->where($db->quoteName('element') . ' = ' . $db->quote('mokowaas'))
+			->where($db->quoteName('type') . ' = ' . $db->quote('plugin'))
+			->where($db->quoteName('folder') . ' = ' . $db->quote('system'));
+		$db->setQuery($query);
+		$pluginId = (int) $db->loadResult();
+
+		if (!$pluginId)
+		{
+			return;
+		}
+
+		// Find update_site_ids linked to the plugin (not the package)
+		$query = $db->getQuery(true)
+			->select($db->quoteName('update_site_id'))
+			->from($db->quoteName('#__update_sites_extensions'))
+			->where($db->quoteName('extension_id') . ' = ' . $pluginId);
+		$db->setQuery($query);
+		$siteIds = $db->loadColumn();
+
+		if (empty($siteIds))
+		{
+			return;
+		}
+
+		// Delete the link rows
+		$db->setQuery(
+			$db->getQuery(true)
+				->delete($db->quoteName('#__update_sites_extensions'))
+				->where($db->quoteName('extension_id') . ' = ' . $pluginId)
+		)->execute();
+
+		// Delete orphaned update_sites rows (only if no other extension uses them)
+		foreach ($siteIds as $siteId)
+		{
+			$query = $db->getQuery(true)
+				->select('COUNT(*)')
+				->from($db->quoteName('#__update_sites_extensions'))
+				->where($db->quoteName('update_site_id') . ' = ' . (int) $siteId);
+			$db->setQuery($query);
+
+			if ((int) $db->loadResult() === 0)
+			{
+				$db->setQuery(
+					$db->getQuery(true)
+						->delete($db->quoteName('#__update_sites'))
+						->where($db->quoteName('update_site_id') . ' = ' . (int) $siteId)
+				)->execute();
+			}
+		}
+	}
+
 	/**
 	 * Ensure MokoOnyx is installed, locked, and set as default.
 	 *
@@ -482,7 +554,7 @@ class plgSystemMokoWaaSInstallerScript implements InstallerScriptInterface
 		return [
 			'{{BRAND_NAME}}'   => $params->get('brand_name', 'MokoWaaS'),
 			'{{COMPANY_NAME}}' => $params->get('company_name', 'Moko Consulting'),
-			'{{SUPPORT_URL}}'  => $params->get('support_url', 'https://mokoconsulting.tech'),
+			'{{SUPPORT_URL}}'  => $params->get('support_url', 'https://mokoconsulting.tech/support'),
 		];
 	}

@@ -7,7 +7,7 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.04.00</version>
+	<version>02.13.00</version>
 	<description>Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoWaaS</namespace>
 	<files>
@@ -11,6 +11,7 @@ namespace Moko\Plugin\WebServices\MokoWaaS\Extension;
 defined('_JEXEC') or die;

 use Joomla\CMS\Plugin\CMSPlugin;
+use Joomla\CMS\Event\Application\BeforeApiRouteEvent;
 use Joomla\CMS\Router\ApiRouter;
 use Joomla\Event\SubscriberInterface;

@@ -36,14 +37,16 @@ final class MokoWaaSApi extends CMSPlugin implements SubscriberInterface
 	/**
 	 * Register API routes for MokoWaaS.
 	 *
-	 * @param   ApiRouter  $router  The API router
+	 * @param   BeforeApiRouteEvent  $event  The API route event (Joomla 6 typed event)
 	 *
 	 * @return  void
 	 *
 	 * @since   1.0.0
 	 */
-	public function onBeforeApiRoute(&$router): void
+	public function onBeforeApiRoute(BeforeApiRouteEvent $event): void
 	{
+		$router = $event->getRouter();
+
 		$router->createCRUDRoutes(
 			'v1/mokowaas/health',
 			'health',
@@ -2,7 +2,7 @@
 <extension type="package" method="upgrade">
 	<name>MokoWaaS</name>
 	<packagename>mokowaas</packagename>
-	<version>02.04.00</version>
+	<version>02.13.00</version>
 	<creationDate>2026-05-23</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -1,83 +1,98 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 SPDX-License-Identifier: GPL-3.0-or-later
- VERSION: 02.04.00
+ VERSION: 02.13.00
 -->

 <updates>
  <update>
-    <name>MokoWaaS</name>
-    <description>MokoWaaS update</description>
-    <element>mokowaas</element>
+    <name>Package - MokoWaaS</name>
+    <description>Package - MokoWaaS development build.</description>
+    <element>pkg_mokowaas</element>
    <type>package</type>
-    <version>02.04.00-dev</version>
-    <tags><tag>development</tag></tags>
-    <infourl title="MokoWaaS">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/development</infourl>
+    <client>site</client>
+    <version>02.13.00</version>
+    <creationDate>2026-05-28</creationDate>
+    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/development/pkg_mokowaas-02.04.00-dev.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.13.00.zip</downloadurl>
    </downloads>
-    <targetplatform name="joomla" version="(5|6)\..*" />
+    <sha256>55508a6bc63f9f72d5f8b7c728c8061a9b50a3fc1db9948fb61f985578dd5e65</sha256>
+    <tags><tag>dev</tag></tags>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
+    <targetplatform name="joomla" version="(5|6)\..*" />
  </update>
  <update>
-    <name>MokoWaaS</name>
-    <description>MokoWaaS update</description>
-    <element>mokowaas</element>
+    <name>Package - MokoWaaS</name>
+    <description>Package - MokoWaaS alpha build.</description>
+    <element>pkg_mokowaas</element>
    <type>package</type>
-    <version>02.04.00-alpha</version>
+    <client>site</client>
+    <version>02.13.00</version>
+    <creationDate>2026-05-28</creationDate>
+    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
+    <downloads>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.13.00.zip</downloadurl>
+    </downloads>
+    <sha256>55508a6bc63f9f72d5f8b7c728c8061a9b50a3fc1db9948fb61f985578dd5e65</sha256>
    <tags><tag>alpha</tag></tags>
-    <infourl title="MokoWaaS">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/alpha</infourl>
-    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/alpha/pkg_mokowaas-02.04.00-alpha.zip</downloadurl>
-    </downloads>
-    <targetplatform name="joomla" version="(5|6)\..*" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
+    <targetplatform name="joomla" version="(5|6)\..*" />
  </update>
  <update>
-    <name>MokoWaaS</name>
-    <description>MokoWaaS update</description>
-    <element>mokowaas</element>
+    <name>Package - MokoWaaS</name>
+    <description>Package - MokoWaaS beta build.</description>
+    <element>pkg_mokowaas</element>
    <type>package</type>
-    <version>02.04.00-beta</version>
+    <client>site</client>
+    <version>02.13.00</version>
+    <creationDate>2026-05-28</creationDate>
+    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
+    <downloads>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.13.00.zip</downloadurl>
+    </downloads>
+    <sha256>55508a6bc63f9f72d5f8b7c728c8061a9b50a3fc1db9948fb61f985578dd5e65</sha256>
    <tags><tag>beta</tag></tags>
-    <infourl title="MokoWaaS">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/beta</infourl>
-    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/beta/pkg_mokowaas-02.04.00-beta.zip</downloadurl>
-    </downloads>
-    <targetplatform name="joomla" version="(5|6)\..*" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
+    <targetplatform name="joomla" version="(5|6)\..*" />
  </update>
  <update>
-    <name>MokoWaaS</name>
-    <description>MokoWaaS update</description>
-    <element>mokowaas</element>
+    <name>Package - MokoWaaS</name>
+    <description>Package - MokoWaaS rc build.</description>
+    <element>pkg_mokowaas</element>
    <type>package</type>
-    <version>02.04.00-rc</version>
+    <client>site</client>
+    <version>02.13.00</version>
+    <creationDate>2026-05-28</creationDate>
+    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
+    <downloads>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.13.00.zip</downloadurl>
+    </downloads>
+    <sha256>55508a6bc63f9f72d5f8b7c728c8061a9b50a3fc1db9948fb61f985578dd5e65</sha256>
    <tags><tag>rc</tag></tags>
-    <infourl title="MokoWaaS">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/rc</infourl>
-    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/rc/pkg_mokowaas-02.04.00-rc.zip</downloadurl>
-    </downloads>
-    <targetplatform name="joomla" version="(5|6)\..*" />
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
+    <targetplatform name="joomla" version="(5|6)\..*" />
  </update>
  <update>
-    <name>MokoWaaS</name>
-    <description>MokoWaaS update</description>
-    <element>mokowaas</element>
+    <name>Package - MokoWaaS</name>
+    <description>Package - MokoWaaS stable build.</description>
+    <element>pkg_mokowaas</element>
    <type>package</type>
-    <version>02.04.00</version>
-    <tags><tag>stable</tag></tags>
-    <infourl title="MokoWaaS">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
+    <client>site</client>
+    <version>02.13.00</version>
+    <creationDate>2026-05-28</creationDate>
+    <infourl title='Package - MokoWaaS'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/tag/stable</infourl>
    <downloads>
-      <downloadurl type="full" format="zip">https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.04.00.zip</downloadurl>
+      <downloadurl type='full' format='zip'>https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS/releases/download/stable/pkg_mokowaas-02.13.00.zip</downloadurl>
    </downloads>
-    <targetplatform name="joomla" version="(5|6)\..*" />
+    <sha256>55508a6bc63f9f72d5f8b7c728c8061a9b50a3fc1db9948fb61f985578dd5e65</sha256>
+    <tags><tag>stable</tag></tags>
    <maintainer>Moko Consulting</maintainer>
    <maintainerurl>https://mokoconsulting.tech</maintainerurl>
+    <targetplatform name="joomla" version="(5|6)\..*" />
  </update>
 </updates>