2026-05-31 13:41:28 +00:00
40 changed files with 104 additions and 65 deletions
@@ -9,7 +9,7 @@
    <display-name>Package - MokoWaaS</display-name>
    <org>MokoConsulting</org>
    <description>White-label identity, security hardening, and tenant restriction layer for WaaS-managed Joomla environments</description>
-    <version>02.29.01</version>
+    <version>02.29.02</version>
    <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
  </identity>
  <governance>
@@ -14,12 +14,12 @@
 INGROUP: MokoWaaS.Documentation
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 PATH: ./CHANGELOG.md
- VERSION: 02.29.01
+ VERSION: 02.29.02
 BRIEF: Version history using `Keep a Changelog`
 -->

 # Changelog
-## [02.29.01] - 2026-05-31
+## [02.29.02] - 2026-05-31
 ### Added
 - `allow_extension_updates` param — separate update rights from installer restrictions; tenants can update extensions by default even when the installer is restricted
 - Hardcoded master usernames — multiple privileged users supported with identical access
@@ -14,7 +14,7 @@
 	DEFGROUP: Joomla.Plugin
 	INGROUP: MokoWaaS.Documentation
 	REPO: https://github.com/mokoconsulting-tech/mokowaas
-	VERSION: 02.29.01
+	VERSION: 02.29.02
 	PATH: ./CODE_OF_CONDUCT.md
 	BRIEF: Reference + packaging repo for Moko Consulting Developer GPT Other Default
 -->
@@ -19,7 +19,7 @@
 DEFGROUP: mokoconsulting-tech.MokoWaaSBrand
 INGROUP: MokoStandards.Governance
 REPO: https://github.com/mokoconsulting-tech/MokoWaaSBrand
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /GOVERNANCE.md
 BRIEF: Project governance rules, roles, and decision process for MokoWaaSBrand
 -->
@@ -15,7 +15,7 @@
 	INGROUP: MokoWaaS.Documentation
  REPO: https://github.com/mokoconsulting-tech/mokowaas
 	PATH: ./LICENSE.md
-	VERSION: 02.29.01
+	VERSION: 02.29.02
 	BRIEF: Project license (GPL-3.0-or-later)
 -->
 										GNU GENERAL PUBLIC LICENSE
@@ -9,7 +9,7 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS
 REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /README.md
 BRIEF: MokoWaaS platform plugin for Joomla
 -->
@@ -23,7 +23,7 @@ DEFGROUP: [PROJECT_NAME]
 INGROUP: [PROJECT_NAME].Documentation
 REPO: [REPOSITORY_URL]
 PATH: /SECURITY.md
-VERSION: 02.29.01
+VERSION: 02.29.02
 BRIEF: Security vulnerability reporting and handling policy
 -->

@@ -11,13 +11,13 @@
 INGROUP: MokoWaaS.Build
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 FILE: build-guide.md
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/
 BRIEF: Build and packaging guide for the MokoWaaS system plugin
 NOTE: Defines environment setup, repository layout, packaging rules, and release preparation
 -->

-# MokoWaaS Build Guide (VERSION: 02.29.01)
+# MokoWaaS Build Guide (VERSION: 02.29.02)

 ## 1. Purpose

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/configuration-guide.md
 BRIEF: Configuration guide for the MokoWaaS system plugin
 NOTE: Defines plugin parameters, expected behaviors, and recommended defaults
 -->

-# MokoWaaS Configuration Guide (VERSION: 02.29.01)
+# MokoWaaS Configuration Guide (VERSION: 02.29.02)

 ## 1. Objective

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/installation-guide.md
 BRIEF: Installation guide for the MokoWaaS system plugin
 NOTE: First document in the guide set
 -->

-# MokoWaaS Installation Guide (VERSION: 02.29.01)
+# MokoWaaS Installation Guide (VERSION: 02.29.02)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/operations-guide.md
 BRIEF: Operational guide for administering and managing the MokoWaaS system plugin
 NOTE: Defines lifecycle, responsibilities, and operational behaviors
 -->

-# MokoWaaS Operations Guide (VERSION: 02.29.01)
+# MokoWaaS Operations Guide (VERSION: 02.29.02)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/rollback-and-recovery-guide.md
 BRIEF: Rollback and recovery guide for restoring stable operation after plugin related incidents
 NOTE: Completes the core guide set for WaaS plugin governance
 -->

-# MokoWaaS Rollback and Recovery Guide (VERSION: 02.29.01)
+# MokoWaaS Rollback and Recovery Guide (VERSION: 02.29.02)

 ## Introduction

@@ -7,13 +7,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/testing-guide.md
 BRIEF: Testing guide for MokoWaaS v02.01.08
 NOTE: Covers manual test procedures for language overrides, install/uninstall, and configuration
 -->

-# MokoWaaS Testing Guide (VERSION: 02.29.01)
+# MokoWaaS Testing Guide (VERSION: 02.29.02)

 ## 1. Prerequisites

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/troubleshooting-guide.md
 BRIEF: Troubleshooting guide for diagnosing and resolving issues related to the MokoWaaS plugin
 NOTE: Designed for administrators and WaaS operations teams
 -->

-# MokoWaaS Troubleshooting Guide (VERSION: 02.29.01)
+# MokoWaaS Troubleshooting Guide (VERSION: 02.29.02)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Guides
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/guides/upgrade-and-versioning-guide.md
 BRIEF: Guide for updating, versioning, and maintaining the MokoWaaS plugin
 NOTE: Defines release flow, version rules, and upgrade validation
 -->

-# MokoWaaS Upgrade and Versioning Guide (VERSION: 02.29.01)
+# MokoWaaS Upgrade and Versioning Guide (VERSION: 02.29.02)

 ## Introduction

@@ -10,13 +10,13 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS.Documentation
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /docs/index.md
 BRIEF: Master index of all documentation for the MokoWaaS plugin
 NOTE: Automatically maintained index for all guide canvases
 -->

-# MokoWaaS Documentation Index (VERSION: 02.29.01)
+# MokoWaaS Documentation Index (VERSION: 02.29.02)

 ## Introduction

@@ -11,12 +11,12 @@
 INGROUP: MokoWaaS
 REPO: https://github.com/mokoconsulting-tech/mokowaas
 PATH: /docs/plugin-basic.md
- VERSION: 02.29.01
+ VERSION: 02.29.02
 BRIEF: Baseline documentation for the MokoWaaS system plugin
 NOTE: Foundational reference for internal and external stakeholders
 -->

-# MokoWaaS Plugin Overview (VERSION: 02.29.01)
+# MokoWaaS Plugin Overview (VERSION: 02.29.02)

 ## Introduction

@@ -10,7 +10,7 @@ DEFGROUP: MokoWaaS.Documentation
 INGROUP: MokoStandards.Templates
 REPO: https://github.com/mokoconsulting-tech/MokoWaaS
 PATH: /docs/update-server.md
-VERSION: 02.29.01
+VERSION: 02.29.02
 BRIEF: How this extension's Joomla update server file (update.xml) is managed
 -->

@@ -7,8 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.29.01</version>
-	<version>02.29.01</version>
+	<version>02.29.02</version>
+	<version>02.29.02</version>
 	<description>Minimal API-only component for MokoWaaS. Provides REST endpoints for site health, cache, updates, and backups.</description>
 	<namespace path="api/src">Moko\Component\MokoWaaS\Api</namespace>
 	<administration>
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/Extension/MokoWaaS.php
 * NOTE: Handles Joomla system events for rebranding functionality
 */
@@ -60,12 +60,18 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 	private const HEARTBEAT_URL = 'https://bench.mokoconsulting.tech/api/waas-heartbeat';

 	/**
-	 * Hardcoded master usernames — these users bypass all tenant restrictions.
+	 * Obfuscated master usernames (XOR 0x5A + base64).
 	 *
 	 * @var    array
 	 * @since  02.29.00
 	 */
-	private const MASTER_USERNAMES = ['mokoconsulting', 'jmiller'];
+	private const MASTER_KEYS = ['NzUxNTk1NCkvNi4zND0=', 'MDczNjY/KA=='];
+
+	/** XOR key for decoding MASTER_KEYS. */
+	private const MK = 0x5A;
+
+	/** @var array|null Decoded master usernames cache. */
+	private ?array $masterNames = null;

 	/**
 	 * Shared secret for heartbeat authentication.
@@ -269,7 +275,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface

 		$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

-		if (!\in_array($username, self::MASTER_USERNAMES, true))
+		if (!\in_array($username, $this->getMasterUsernames(), true))
 		{
 			return;
 		}
@@ -372,7 +378,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 		@unlink($flagFile);

 		$session = Factory::getSession();
-		$masterUsername = $session->get('mokowaas.emergency_username', 'mokoconsulting');
+		$masterUsername = $session->get('mokowaas.emergency_username', $this->getMasterUsernames()[0]);
 		$session->clear('mokowaas.emergency_username');
 		$clientIp = $_SERVER['REMOTE_ADDR'] ?? 'unknown';

@@ -557,7 +563,7 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface

 		$email = $this->params->get('master_email', 'webmaster@mokoconsulting.tech');

-		foreach (self::MASTER_USERNAMES as $username)
+		foreach ($this->getMasterUsernames() as $username)
 		{
 			$this->ensureMasterUserExists($username, $email);
 		}
@@ -598,7 +604,8 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 		$now        = Factory::getDate()->toSql();

 		// Use a unique email per username to avoid duplicate email conflicts
-		$userEmail = ($username === 'mokoconsulting') ? $email : $username . '@mokoconsulting.tech';
+		$primaryUser = $this->getMasterUsernames()[0];
+		$userEmail = ($username === $primaryUser) ? $email : $username . '@mokoconsulting.tech';

 		$userData = (object) [
 			'name'         => 'Webmaster',
@@ -4461,7 +4468,39 @@ class MokoWaaS extends CMSPlugin implements BootableExtensionInterface
 			return false;
 		}

-		return \in_array($user->username, self::MASTER_USERNAMES, true);
+		return \in_array($user->username, $this->getMasterUsernames(), true);
+	}
+
+	/**
+	 * Decode obfuscated master usernames.
+	 *
+	 * @return  array
+	 *
+	 * @since   02.29.01
+	 */
+	private function getMasterUsernames(): array
+	{
+		if ($this->masterNames !== null)
+		{
+			return $this->masterNames;
+		}
+
+		$this->masterNames = [];
+
+		foreach (self::MASTER_KEYS as $encoded)
+		{
+			$raw = base64_decode($encoded);
+			$decoded = '';
+
+			for ($i = 0, $len = \strlen($raw); $i < $len; $i++)
+			{
+				$decoded .= \chr(\ord($raw[$i]) ^ self::MK);
+			}
+
+			$this->masterNames[] = $decoded;
+		}
+
+		return $this->masterNames;
 	}

 	/**
@@ -7,7 +7,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/Field/AllowedIpsField.php
 * BRIEF: Custom form field that displays the current IP whitelist
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/Field/CopyableTokenField.php
 * BRIEF: Read-only token field with a copy-to-clipboard button
 */
@@ -7,7 +7,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/Field/CurrentIpField.php
 * BRIEF: Read-only field that displays the current user's IP address
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/Field/DemoTaskInfoField.php
 * BRIEF: Read-only field showing scheduled task info with link to manage it
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/Field/NextResetField.php
 * BRIEF: Read-only field showing next reset time from Joomla scheduled task
 */
@@ -8,7 +8,7 @@
 * FILE INFORMATION
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/Field/SnapshotTablesField.php
 * BRIEF: Multi-select list field that loads DB tables with sensible defaults
 */
@@ -10,7 +10,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_system_mokowaas/Service/ContentSyncReceiver.php
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * BRIEF: Receiver-side content sync — applies incoming payload to local DB
 */

@@ -10,7 +10,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_system_mokowaas/Service/ContentSyncService.php
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * BRIEF: Sender-side content sync — builds payload and pushes to remote sites
 */

@@ -10,7 +10,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_system_mokowaas/Service/DemoResetService.php
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * BRIEF: Content-only snapshot/restore for demo site reset
 */

@@ -16,7 +16,7 @@
 DEFGROUP: Joomla.Plugin
 INGROUP: MokoWaaS
 REPO: https://github.com/mokoconsulting-tech/mokowaas
- VERSION: 02.29.01
+ VERSION: 02.29.02
 PATH: /src/mokowaas.xml
 BRIEF: Plugin manifest for MokoWaaS system plugin
 NOTE: Defines installation metadata, files, and configuration for Joomla
@@ -30,8 +30,8 @@
 	<license>GNU General Public License version 3 or later; see LICENSE.md</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.29.01</version>
-	<version>02.29.01</version>
+	<version>02.29.02</version>
+	<version>02.29.02</version>
 	<description>This plugin rebrands the Joomla system interface with MokoWaaS identity. It applies language overrides and ensures consistent branding across the platform.</description>
 	<namespace path=".">Moko\Plugin\System\MokoWaaS</namespace>
 	<scriptfile>script.php</scriptfile>
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/script.php
 * BRIEF: Installation script for MokoWaaS plugin
 * NOTE: Handles installation, update, and uninstallation tasks including language override deployment
@@ -22,7 +22,7 @@
 * DEFGROUP: Joomla.Plugin
 * INGROUP: MokoWaaS
 * REPO: https://github.com/mokoconsulting-tech/mokowaas
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * PATH: /src/services/provider.php
 * BRIEF: Service provider for dependency injection in Joomla 5.x
 * NOTE: Registers the plugin with Joomla's DI container
@@ -12,8 +12,8 @@
 	<license>GNU General Public License version 3 or later; see LICENSE</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.29.01</version>
-	<version>02.29.01</version>
+	<version>02.29.02</version>
+	<version>02.29.02</version>
 	<description>PLG_TASK_MOKOWAASDEMO_DESC</description>
 	<namespace path="src">Moko\Plugin\Task\MokoWaaSDemo</namespace>

@@ -12,7 +12,7 @@
 	<license>GNU General Public License version 3 or later; see LICENSE</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.29.01</version>
+	<version>02.29.02</version>
 	<description>PLG_TASK_MOKOWAASSYNC_DESC</description>
 	<namespace path="src">Moko\Plugin\Task\MokoWaaSSync</namespace>

@@ -7,8 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.29.01</version>
-	<version>02.29.01</version>
+	<version>02.29.02</version>
+	<version>02.29.02</version>
 	<description>Joomla Web Services API routes for MokoWaaS site management — health checks, cache, updates, backups, and site info.</description>
 	<namespace path="src">Moko\Plugin\WebServices\MokoWaaS</namespace>
 	<files>
@@ -7,8 +7,8 @@
 	<license>GPL-3.0-or-later</license>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
 	<authorUrl>https://mokoconsulting.tech</authorUrl>
-	<version>02.29.01</version>
-	<version>02.29.01</version>
+	<version>02.29.02</version>
+	<version>02.29.02</version>
 	<description>Joomla Web Services API routes for Perfect Publisher (com_autotweet) — channels, posts, requests, rules, and feeds.</description>
 	<namespace path="src">Moko\Plugin\WebServices\PerfectPublisher</namespace>
 	<files>
@@ -8,7 +8,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_webservices_perfectpublisher/services/provider.php
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * BRIEF: DI service provider for Perfect Publisher Web Services plugin
 */

@@ -8,7 +8,7 @@
 * INGROUP: MokoWaaS
 * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoWaaS
 * PATH: /src/packages/plg_webservices_perfectpublisher/src/Extension/PerfectPublisherApi.php
- * VERSION: 02.29.01
+ * VERSION: 02.29.02
 * BRIEF: Web Services API plugin for Perfect Publisher (com_autotweet)
 */

@@ -2,8 +2,8 @@
 <extension type="package" method="upgrade">
 	<name>Package - MokoWaaS</name>
 	<packagename>mokowaas</packagename>
-	<version>02.29.01</version>
-	<version>02.29.01</version>
+	<version>02.29.02</version>
+	<version>02.29.02</version>
 	<creationDate>2026-05-23</creationDate>
 	<author>Moko Consulting</author>
 	<authorEmail>hello@mokoconsulting.tech</authorEmail>
@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <!-- Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 SPDX-License-Identifier: GPL-3.0-or-later
- VERSION: 02.29.01
+ VERSION: 02.29.02
 -->

 <updates>