feat(cli): add 4 release pipeline CLI tools

- release_verify.php: Post-release artifact verification (ZIP integrity, manifest version, SHA256 vs updates.xml, disallowed files check) - release_validate.php: Pre-release sanity checks (version consistency across README, CHANGELOG, manifest, updates.xml, composer.json) - release_body_update.php: Update Gitea release body with changelog extract and checksums table via API - dev_branch_reset.php: Delete and recreate dev branch from main via Gitea API Resolves: #56, #60, #62, #64 Authored-by: Moko Consulting Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
fix: version_set_platform.php reads manifest.xml + supports joomla platform
2026-05-23 22:37:37 -05:00 · 2026-05-23 15:43:42 -05:00 · 2026-05-23 14:44:44 -05:00 · 2026-05-22 03:33:45 +00:00 · 2026-05-21 22:33:40 -05:00 · 2026-05-22 03:28:34 +00:00
469 changed files with 16601 additions and 32642 deletions
@@ -265,6 +265,11 @@ venv/
 *.coverage
 hypothesis/

+# ============================================================
+# Local wiki clone (not version controlled)
+# ============================================================
+wiki/
+
 # ============================================================
 # Dolibarr (base + runtime)
 # ============================================================
@@ -682,6 +687,7 @@ modulebuilder.txt
 !/bin/moko
 /cache/*
 /cli/*
+!/cli/*.php
 /components/com_ajax/*
 /components/com_banners/*
 /components/com_config/*
@@ -1062,3 +1068,5 @@ terraform.rc
 # but can be ignored if you want flexibility across different platforms
 # !.terraform.lock.hcl
 logs/validation/*.md
+profile.ps1
+.mcp.json
@@ -7,8 +7,8 @@ contact_links:
  - name: 💬 Ask a Question
    url: https://mokoconsulting.tech/
    about: Get help or ask questions through our website
-  - name: 📚 MokoStandards Documentation
-    url: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards
+  - name: 📚 moko-platform Documentation
+    url: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
    about: View our coding standards and best practices
  - name: 🔒 Report a Security Vulnerability
    url: https://git.mokoconsulting.tech/mokoconsulting-tech/.github-private/security/advisories/new
@@ -37,7 +37,7 @@ If you have ideas about how this could be implemented, share them here:
 Add any other context, mockups, or screenshots about the feature request here.

 ## Relevant Standards
-Does this relate to any standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)?
+Does this relate to any standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform)?
 - [ ] Accessibility (WCAG 2.1 AA)
 - [ ] Localization (en_US/en_GB)
 - [ ] Security best practices
@@ -3,7 +3,7 @@ name: Question
 about: Ask a question about usage, features, or best practices
 title: '[QUESTION] '
 labels: ['question']
-assignees: ['jmiller-moko']
+assignees: ['jmiller']
 ---


@@ -35,7 +35,7 @@ Use this template only for:
 <!-- Describe how this could be addressed -->

 ## Standards Reference
-Does this relate to security standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/MokoStandards)?
+Does this relate to security standards in [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform)?
 - [ ] SPDX license identifiers
 - [ ] Secret management
 - [ ] Dependency security
@@ -3,7 +3,7 @@ name: Version Bump
 about: Request or track a version change
 title: '[VERSION] '
 labels: 'version, type: version'
-assignees: 'jmiller-moko'
+assignees: 'jmiller'
 ---

 ## Version Change
@@ -0,0 +1,246 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/branch-protection.yml
+# BRIEF: Apply standardised branch protection rules to all governed repositories
+#
+# +========================================================================+
+# |                   BRANCH PROTECTION SETUP                              |
+# +========================================================================+
+# |                                                                        |
+# |  Applies protection rules for: main, dev, rc/*, beta/*, alpha/*       |
+# |                                                                        |
+# |  main  — Require PR, block rejected reviews, no force push             |
+# |  dev   — Allow push, no force push, no delete                          |
+# |  rc/*  — Allow push, no force push, no delete                          |
+# |  beta/* — Allow push, no force push, no delete                         |
+# |  alpha/* — Allow push, no force push, no delete                        |
+# |                                                                        |
+# |  jmiller has override authority on all branches.                       |
+# |                                                                        |
+# +========================================================================+
+
+name: Branch Protection Setup
+
+on:
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly Monday 02:00 UTC
+  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: 'Preview mode (no changes)'
+        required: false
+        type: boolean
+        default: false
+      repos:
+        description: 'Comma-separated repo names (empty = all governed repos)'
+        required: false
+        type: string
+        default: ''
+
+env:
+  GITEA_URL: https://git.mokoconsulting.tech
+  GITEA_ORG: MokoConsulting
+
+permissions:
+  contents: read
+
+jobs:
+  protect:
+    name: Apply Branch Protection Rules
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Determine target repos
+        id: repos
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+
+          # Platform/standards/infra repos to exclude
+          EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
+          EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
+
+          if [ -n "${{ inputs.repos }}" ]; then
+            # User-specified repos
+            REPOS=$(echo "${{ inputs.repos }}" | tr ',' ' ')
+          else
+            # Fetch all org repos
+            PAGE=1
+            REPOS=""
+            while true; do
+              BATCH=$(curl -sS \
+                -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
+                | jq -r '.[].name // empty')
+              [ -z "$BATCH" ] && break
+              REPOS="$REPOS $BATCH"
+              PAGE=$((PAGE + 1))
+            done
+
+            # Filter out excluded repos
+            FILTERED=""
+            for REPO in $REPOS; do
+              SKIP=false
+              for EX in $EXCLUDE; do
+                if [ "$REPO" = "$EX" ]; then
+                  SKIP=true
+                  break
+                fi
+              done
+              if [ "$SKIP" = "false" ]; then
+                FILTERED="$FILTERED $REPO"
+              fi
+            done
+            REPOS="$FILTERED"
+          fi
+
+          echo "repos=$REPOS" >> "$GITHUB_OUTPUT"
+          COUNT=$(echo "$REPOS" | wc -w)
+          echo "📋 Target repos (${COUNT}): $REPOS"
+
+      - name: Apply protection rules
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          DRY_RUN: ${{ inputs.dry_run || 'false' }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+          REPOS="${{ steps.repos.outputs.repos }}"
+
+          SUCCESS=0
+          FAILED=0
+          SKIPPED=0
+
+          # ── Rule definitions ──────────────────────────────────────
+          # Each rule: NAME|JSON_BODY
+          # jmiller has override (force push + push whitelist) on all branches
+
+          RULE_MAIN='{
+            "rule_name": "main",
+            "enable_push": true,
+            "enable_push_whitelist": true,
+            "push_whitelist_usernames": ["jmiller"],
+            "enable_force_push": true,
+            "enable_force_push_allowlist": true,
+            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "dismiss_stale_approvals": true,
+            "block_on_rejected_reviews": true,
+            "block_on_outdated_branch": false,
+            "priority": 1
+          }'
+
+          RULE_DEV='{
+            "rule_name": "dev",
+            "enable_push": true,
+            "enable_push_whitelist": false,
+            "enable_force_push": true,
+            "enable_force_push_allowlist": true,
+            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 2
+          }'
+
+          RULE_RC='{
+            "rule_name": "rc/*",
+            "enable_push": true,
+            "enable_push_whitelist": false,
+            "enable_force_push": true,
+            "enable_force_push_allowlist": true,
+            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 3
+          }'
+
+          RULE_BETA='{
+            "rule_name": "beta/*",
+            "enable_push": true,
+            "enable_push_whitelist": false,
+            "enable_force_push": true,
+            "enable_force_push_allowlist": true,
+            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 4
+          }'
+
+          RULE_ALPHA='{
+            "rule_name": "alpha/*",
+            "enable_push": true,
+            "enable_push_whitelist": false,
+            "enable_force_push": true,
+            "enable_force_push_allowlist": true,
+            "force_push_allowlist_usernames": ["jmiller"],
+            "enable_merge_whitelist": false,
+            "required_approvals": 0,
+            "block_on_rejected_reviews": false,
+            "priority": 5
+          }'
+
+          RULES=("$RULE_MAIN" "$RULE_DEV" "$RULE_RC" "$RULE_BETA" "$RULE_ALPHA")
+          RULE_NAMES=("main" "dev" "rc/*" "beta/*" "alpha/*")
+
+          # ── Apply rules to each repo ──────────────────────────────
+          for REPO in $REPOS; do
+            echo ""
+            echo "═══ ${REPO} ═══"
+
+            for i in "${!RULES[@]}"; do
+              RULE="${RULES[$i]}"
+              NAME="${RULE_NAMES[$i]}"
+
+              if [ "$DRY_RUN" = "true" ]; then
+                echo "  [DRY RUN] Would apply rule: ${NAME}"
+                SKIPPED=$((SKIPPED + 1))
+                continue
+              fi
+
+              # Delete existing rule if present (idempotent recreate)
+              ENCODED_NAME=$(echo "$NAME" | sed 's|/|%2F|g')
+              curl -sS -o /dev/null -w "" \
+                -X DELETE \
+                -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections/${ENCODED_NAME}" 2>/dev/null || true
+
+              # Create rule
+              RESPONSE=$(curl -sS -w "\n%{http_code}" \
+                -X POST \
+                -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                -d "$RULE" \
+                "${API}/repos/${GITEA_ORG}/${REPO}/branch_protections")
+
+              HTTP=$(echo "$RESPONSE" | tail -1)
+              BODY=$(echo "$RESPONSE" | sed '$d')
+
+              if [ "$HTTP" = "201" ]; then
+                echo "  ✅ ${NAME}"
+                SUCCESS=$((SUCCESS + 1))
+              else
+                echo "  ❌ ${NAME} (HTTP ${HTTP}): $(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)"
+                FAILED=$((FAILED + 1))
+              fi
+            done
+          done
+
+          # ── Summary ───────────────────────────────────────────────
+          echo ""
+          echo "════════════════════════════════════════"
+          echo "  ✅ Success: ${SUCCESS}"
+          echo "  ❌ Failed:  ${FAILED}"
+          echo "  ⏭️  Skipped: ${SKIPPED}"
+          echo "════════════════════════════════════════"
+
+          if [ "$FAILED" -gt 0 ]; then
+            echo "::warning::${FAILED} rule(s) failed to apply"
+          fi
@@ -2,10 +2,9 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards-API.Automation
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /.gitea/workflows/bulk-repo-sync.yml
-# VERSION: 04.06.12
 # BRIEF: Bulk repo sync — runs from API repo, syncs standards to all governed repos

 name: Bulk Repository Sync
@@ -45,7 +44,6 @@ jobs:
  bulk-sync:
    name: Sync Standards to Repositories
    runs-on: ubuntu-latest
-    timeout-minutes: 120

    steps:
      - name: Checkout
@@ -103,10 +101,35 @@ jobs:
            git push || true
          fi

+      - name: Enforce Release Channel Tags
+        if: success()
+        continue-on-error: true
+        run: |
+          echo "Enforcing standard tags on all repos..."
+          if [ "${{ inputs.dry_run }}" = "true" ]; then
+            bash automation/enforce_tags.sh --dry-run || echo "Tag enforcement skipped (non-fatal)"
+          else
+            bash automation/enforce_tags.sh || echo "Tag enforcement had errors (non-fatal)"
+          fi
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GITEA_URL: https://git.mokoconsulting.tech
+          GITEA_ORG: MokoConsulting
+
      - name: Upload Sync Log
-        if: always()
+        if: always() && github.server_url == 'https://github.com'
        uses: actions/upload-artifact@v4
        with:
-          name: bulk-sync-log-${{ gitea.run_number }}
+          name: bulk-sync-log-${{ github.run_number }}
          path: /tmp/bulk_sync.log
          retention-days: 30
+
+      - name: Log Summary (Gitea)
+        if: always() && github.server_url != 'https://github.com'
+        run: |
+          if [ -f /tmp/bulk_sync.log ]; then
+            echo "## Sync Log (last 20 lines)" >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+            tail -20 /tmp/bulk_sync.log >> $GITHUB_STEP_SUMMARY
+            echo '```' >> $GITHUB_STEP_SUMMARY
+          fi
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  moko-platform Repository Manifest
+  Auto-generated by cleanup script.
+  See: https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home
+-->
+<moko-platform xmlns="https://standards.mokoconsulting.tech/moko-platform/1.0" schema-version="1.0">
+  <identity>
+    <name>moko-platform</name>
+    <org>MokoConsulting</org>
+    <description>Enterprise automation, validation, sync, and governance engine for all Moko Consulting repositories</description>
+    <license spdx="GPL-3.0-or-later">GNU General Public License v3</license>
+  </identity>
+  <governance>
+    <platform>generic</platform>
+    <standards-version>05.00.00</standards-version>
+    <standards-source>https://git.mokoconsulting.tech/MokoConsulting/moko-platform</standards-source>
+    <last-synced>2026-05-10T19:51:08+00:00</last-synced>
+  </governance>
+  <build>
+    <language>HCL</language>
+    <package-type>generic</package-type>
+    <entry-point>src/</entry-point>
+  </build>
+</moko-platform>
@@ -0,0 +1,97 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: moko-platform.CI
+# INGROUP: moko-platform
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/pr-branch-check.yml
+# BRIEF: PR branch merge policy enforcement
+#
+# Enforces branch merge policy:
+#   feature/* → dev only
+#   fix/*     → dev only
+#   hotfix/*  → dev or main (emergency)
+#   dev       → main only
+#   alpha/*   → dev only
+#   beta/*    → dev only
+#   rc/*      → main only
+
+name: Branch Policy Check
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+jobs:
+  check-target:
+    name: Verify merge target
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch policy
+        run: |
+          HEAD="${{ github.head_ref }}"
+          BASE="${{ github.base_ref }}"
+
+          echo "PR: ${HEAD} → ${BASE}"
+
+          ALLOWED=true
+          REASON=""
+
+          case "$HEAD" in
+            feature/*|feat/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Feature branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            fix/*|bugfix/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Fix branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            hotfix/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
+              fi
+              ;;
+            alpha/*|beta/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Pre-release branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            rc/*)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Release candidate branches must target 'main', not '${BASE}'"
+              fi
+              ;;
+            dev)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Dev branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+          esac
+
+          if [ "$ALLOWED" = false ]; then
+            echo "::error::${REASON}"
+            echo ""
+            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
+            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "Branch policy: OK (${HEAD} → ${BASE})"
+          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,128 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Automation
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/renovate.yml
+# BRIEF: Run Renovate Bot across all governed repos for dependency updates
+#
+# +========================================================================+
+# |                    RENOVATE DEPENDENCY UPDATES                         |
+# +========================================================================+
+# |                                                                        |
+# |  Runs Renovate CLI against all governed repos to create PRs for        |
+# |  outdated dependencies (composer, npm).                                |
+# |                                                                        |
+# |  - Scheduled: weekly Wednesday 04:00 UTC                               |
+# |  - Manual: dispatch with optional repo filter                          |
+# |  - Patch updates auto-merge, minor/major require review                |
+# |                                                                        |
+# +========================================================================+
+
+name: Renovate Dependency Updates
+
+on:
+  schedule:
+    - cron: '0 4 * * 3'  # Weekly Wednesday 04:00 UTC
+  workflow_dispatch:
+    inputs:
+      repos:
+        description: 'Comma-separated repo names (empty = all governed)'
+        required: false
+        type: string
+        default: ''
+      dry_run:
+        description: 'Preview mode (log only, no PRs)'
+        required: false
+        type: boolean
+        default: false
+
+env:
+  GITEA_URL: https://git.mokoconsulting.tech
+  GITEA_ORG: MokoConsulting
+  RENOVATE_VERSION: '39'
+
+permissions:
+  contents: read
+
+jobs:
+  renovate:
+    name: Run Renovate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Determine target repos
+        id: repos
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1"
+
+          EXCLUDE="gitea-org-config org-profile gitea-private .mokogitea-private MokoStandards moko-platform MokoTesting"
+          EXCLUDE="$EXCLUDE MokoStandards-Template-Client MokoStandards-Template-Dolibarr MokoStandards-Template-Generic MokoStandards-Template-Joomla MokoDoliProjTemplate"
+
+          if [ -n "${{ inputs.repos }}" ]; then
+            REPOS=$(echo "${{ inputs.repos }}" | tr ',' ' ')
+          else
+            PAGE=1
+            REPOS=""
+            while true; do
+              BATCH=$(curl -sS \
+                -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/orgs/${GITEA_ORG}/repos?page=${PAGE}&limit=50" \
+                | jq -r '.[].name // empty')
+              [ -z "$BATCH" ] && break
+              REPOS="$REPOS $BATCH"
+              PAGE=$((PAGE + 1))
+            done
+
+            FILTERED=""
+            for REPO in $REPOS; do
+              SKIP=false
+              for EX in $EXCLUDE; do
+                [ "$REPO" = "$EX" ] && SKIP=true && break
+              done
+              [ "$SKIP" = "false" ] && FILTERED="$FILTERED $REPO"
+            done
+            REPOS="$FILTERED"
+          fi
+
+          # Build comma-separated list for Renovate
+          REPO_LIST=""
+          for REPO in $REPOS; do
+            if [ -n "$REPO_LIST" ]; then
+              REPO_LIST="${REPO_LIST},${GITEA_ORG}/${REPO}"
+            else
+              REPO_LIST="${GITEA_ORG}/${REPO}"
+            fi
+          done
+
+          echo "repo_list=$REPO_LIST" >> "$GITHUB_OUTPUT"
+          COUNT=$(echo "$REPOS" | wc -w)
+          echo "📋 Target repos (${COUNT})"
+
+      - name: Run Renovate
+        if: steps.repos.outputs.repo_list != ''
+        env:
+          RENOVATE_TOKEN: ${{ secrets.GA_TOKEN }}
+          RENOVATE_PLATFORM: gitea
+          RENOVATE_ENDPOINT: ${{ env.GITEA_URL }}/api/v1
+          RENOVATE_GIT_AUTHOR: 'Renovate Bot <renovate@mokoconsulting.tech>'
+          RENOVATE_REPOSITORIES: ${{ steps.repos.outputs.repo_list }}
+          RENOVATE_DRY_RUN: ${{ inputs.dry_run == 'true' && 'full' || 'null' }}
+          LOG_LEVEL: info
+        run: |
+          npx --yes renovate@${RENOVATE_VERSION} \
+            --platform=gitea \
+            --endpoint="${GITEA_URL}/api/v1" \
+            --token="${RENOVATE_TOKEN}" \
+            --git-author="Renovate Bot <renovate@mokoconsulting.tech>" \
+            --autodiscover=false \
+            ${{ inputs.dry_run == 'true' && '--dry-run=full' || '' }} \
+            2>&1 | tee /tmp/renovate.log
+
+          echo "### Renovate Summary" >> $GITHUB_STEP_SUMMARY
+          grep -E "(INFO|WARN|ERROR)" /tmp/renovate.log | tail -30 >> $GITHUB_STEP_SUMMARY || true
@@ -0,0 +1,41 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Maintenance
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/sync-wikis.yml
+# BRIEF: Daily sync of all Gitea wikis to consolidated GitHub wiki repo
+
+name: Sync Wikis to GitHub
+
+on:
+  schedule:
+    - cron: '0 5 * * *'  # Daily at 5am UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  sync-wikis:
+    name: Export wikis to GitHub
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Sync all wikis
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+        run: |
+          if [ -z "$GH_TOKEN" ]; then
+            echo "::error::GH_TOKEN secret not set"
+            exit 1
+          fi
+          bash scripts/sync-wikis-to-github.sh
@@ -0,0 +1,763 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Release
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/universal/auto-release.yml.template
+# VERSION: 05.00.00
+# BRIEF: Universal build & release � detects platform from manifest.xml
+#
+# +========================================================================+
+# |              UNIVERSAL BUILD & RELEASE PIPELINE                        |
+# +========================================================================+
+# |                                                                        |
+# |  Reads manifest.xml (joomla|dolibarr|generic) to branch logic.       |
+# |                                                                        |
+# |  Platform-specific:                                                    |
+# |    joomla:   XML manifest, updates.xml, type-prefixed packages         |
+# |    dolibarr: mod*.class.php, update.txt, dev version reset             |
+# |    generic:  README-only, no update stream                             |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Build & Release"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+    paths:
+      - 'src/**'
+      - 'htdocs/**'
+  workflow_dispatch:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+
+jobs:
+  release:
+    name: Build & Release Pipeline
+    runs-on: release
+    if: >-
+      github.event.pull_request.merged == true || github.event_name == 'workflow_dispatch'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          token: ${{ secrets.GA_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+        run: |
+          # Ensure PHP + Composer are available
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          git clone --depth 1 --branch main --quiet \
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api
+          cd /tmp/moko-platform-api
+          composer install --no-dev --no-interaction --quiet
+
+
+      # -- PLATFORM DETECTION ---------------------------------------------------
+      - name: Detect platform
+        id: platform
+        run: |
+          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
+          MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
+          MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1 || true)
+          echo "manifest=${MANIFEST}" >> "$GITHUB_OUTPUT"
+          echo "mod_file=${MOD_FILE}" >> "$GITHUB_OUTPUT"
+
+      - name: "Step 1: Read version"
+        id: version
+        run: |
+          VERSION=$(php /tmp/moko-platform-api/cli/version_read.php --path .)
+          if [ -z "$VERSION" ]; then
+            echo "::error::No VERSION in README.md"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+          MAJOR=$(echo "$VERSION" | cut -d. -f1)
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "release_tag=v${MAJOR}" >> "$GITHUB_OUTPUT"
+          echo "skip=false" >> "$GITHUB_OUTPUT"
+          echo "branch=version/${MAJOR}" >> "$GITHUB_OUTPUT"
+
+      - name: "Step 1b: Bump version"
+        id: bump
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          MOKO_API="/tmp/moko-platform-api/cli"
+          BUMP=$(php ${MOKO_API}/version_bump.php --path . --minor)
+          VERSION=$(echo "$BUMP" | grep -oP '\d{2}\.\d{2}\.\d{2}$' || true)
+          [ -z "$VERSION" ] && VERSION=$(php ${MOKO_API}/version_read.php --path .)
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "Bumped to: ${VERSION}"
+
+      - name: Check if already released
+        if: steps.version.outputs.skip != 'true'
+        id: check
+        run: |
+          TAG="${{ steps.version.outputs.release_tag }}"
+          BRANCH="${{ steps.version.outputs.branch }}"
+
+          TAG_EXISTS=false
+          BRANCH_EXISTS=false
+
+          git rev-parse "$TAG" >/dev/null 2>&1 && TAG_EXISTS=true
+          git ls-remote --heads origin "$BRANCH" 2>/dev/null | grep -q "$BRANCH" && BRANCH_EXISTS=true
+
+          echo "tag_exists=$TAG_EXISTS" >> "$GITHUB_OUTPUT"
+          echo "branch_exists=$BRANCH_EXISTS" >> "$GITHUB_OUTPUT"
+
+          # Tag and branch may persist across patch releases — never skip
+          echo "already_released=false" >> "$GITHUB_OUTPUT"
+
+      # -- SANITY CHECKS -------------------------------------------------------
+      - name: "Sanity: Pre-release validation"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          ERRORS=0
+
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          MANIFEST="${{ steps.platform.outputs.manifest }}"
+          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
+          echo "## Pre-Release Sanity Checks (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+
+          # -- Version drift check (must pass before release) --------
+          README_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
+          if [ "$README_VER" != "$VERSION" ]; then
+            echo "- Version drift: README says \`${README_VER}\` but releasing \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS+1))
+          else
+            echo "- Version consistent: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # Check CHANGELOG version matches
+          CL_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' CHANGELOG.md 2>/dev/null | head -1)
+          if [ -n "$CL_VER" ] && [ "$CL_VER" != "$VERSION" ]; then
+            echo "- CHANGELOG drift: \`${CL_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS+1))
+          fi
+
+          # Check composer.json version if present
+          if [ -f "composer.json" ]; then
+            COMP_VER=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' composer.json 2>/dev/null | head -1)
+            if [ -n "$COMP_VER" ] && [ "$COMP_VER" != "$VERSION" ]; then
+              echo "- composer.json drift: \`${COMP_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+              ERRORS=$((ERRORS+1))
+            fi
+          fi
+
+          # Common checks
+          if [ ! -f "LICENSE" ]; then
+            echo "- Missing LICENSE file" >> $GITHUB_STEP_SUMMARY
+            ERRORS=$((ERRORS+1))
+          else
+            echo "- LICENSE present" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if [ ! -d "src" ] && [ ! -d "htdocs" ]; then
+            echo "- Warning: No src/ or htdocs/ directory" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- Source directory present" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          # -- Platform-specific checks --------
+          case "$PLATFORM" in
+            joomla)
+              if [ -n "$MANIFEST" ]; then
+                XML_VER=$(sed -n 's/.*<version>\([^<]*\)<\/version>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+                if [ -n "$XML_VER" ] && [ "$XML_VER" != "$VERSION" ]; then
+                  echo "- Manifest drift: \`${XML_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS+1))
+                else
+                  echo "- Manifest version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                fi
+                TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null)
+                echo "- Extension type: ${TYPE:-unknown}" >> $GITHUB_STEP_SUMMARY
+              else
+                echo "- No Joomla XML manifest (WaaS site)" >> $GITHUB_STEP_SUMMARY
+              fi ;;
+            dolibarr)
+              if [ -n "$MOD_FILE" ]; then
+                MOD_VER=$(sed -n "s/.*\\\$this->version = '\([^']*\)'.*/\1/p" "$MOD_FILE" 2>/dev/null | head -1)
+                if [ -n "$MOD_VER" ] && [ "$MOD_VER" != "$VERSION" ]; then
+                  echo "- Module drift: \`${MOD_VER}\` != \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                  ERRORS=$((ERRORS+1))
+                else
+                  echo "- Module version: \`${VERSION}\`" >> $GITHUB_STEP_SUMMARY
+                fi
+              else
+                echo "- No mod*.class.php found" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS+1))
+              fi
+              if [ ! -f "update.txt" ]; then
+                echo "- Missing update.txt" >> $GITHUB_STEP_SUMMARY
+                ERRORS=$((ERRORS+1))
+              fi ;;
+            *) echo "- Generic platform � no manifest checks" >> $GITHUB_STEP_SUMMARY ;;
+          esac
+
+          echo "" >> $GITHUB_STEP_SUMMARY
+          if [ "$ERRORS" -gt 0 ]; then
+            echo "**${ERRORS} error(s) — release may be incomplete**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "**All sanity checks passed**" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # -- STEP 2: Create or update version/XX.YY archive branch ---------------
+      # Always runs — every version change on main archives to version/XX.YY
+      - name: "Step 2: Version archive branch"
+        if: steps.check.outputs.already_released != 'true'
+        run: |
+          BRANCH="${{ steps.version.outputs.branch }}"
+          IS_MINOR="${{ steps.version.outputs.is_minor }}"
+          PATCH="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          PATCH_NUM=$(echo "$PATCH" | awk -F. '{print $3}')
+
+          # Check if branch exists
+          if git ls-remote --heads origin "$BRANCH" | grep -q "$BRANCH"; then
+            git push origin HEAD:"$BRANCH" --force
+            echo "Updated archive branch: ${BRANCH} (patch ${PATCH_NUM})" >> $GITHUB_STEP_SUMMARY
+          else
+            git checkout -b "$BRANCH" 2>/dev/null || git checkout "$BRANCH"
+            git push origin "$BRANCH" --force
+            echo "Created archive branch: ${BRANCH}" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # -- STEP 3: Set platform version ----------------------------------------
+      - name: "Step 3: Set platform version"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          php /tmp/moko-platform-api/cli/version_set_platform.php \
+            --path . --version "$VERSION" --branch main
+
+      # -- STEP 4: Update version badges ----------------------------------------
+      - name: "Step 4: Update version badges"
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          php /tmp/moko-platform-api/cli/badge_update.php --path . --version "${VERSION}" 2>/dev/null || true
+
+      - name: "Step 5: Write update stream"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.platform.outputs.platform == 'joomla'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          php /tmp/moko-platform-api/cli/updates_xml_build.php \
+            --path . --version "${VERSION}" --stability stable \
+            --gitea-url "${GITEA_URL}" --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            --github-output
+
+      - name: Commit release changes
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.already_released != 'true'
+        run: |
+          if git diff --quiet && git diff --cached --quiet; then
+            echo "No changes to commit"
+            exit 0
+          fi
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          # Set push URL with token for branch-protected repos
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git add -A
+          git commit -m "chore(release): build ${VERSION} [skip ci]" \
+            --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
+          git push -u origin HEAD
+
+      # -- STEP 6: Create tag ---------------------------------------------------
+      - name: "Step 6: Create git tag"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.check.outputs.tag_exists != 'true' &&
+          steps.version.outputs.is_minor == 'true'
+        run: |
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          # Only create the major release tag if it doesn't exist yet
+          if ! git rev-parse "$RELEASE_TAG" >/dev/null 2>&1; then
+            git tag "$RELEASE_TAG"
+            git push origin "$RELEASE_TAG"
+            echo "Tag created: ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Tag ${RELEASE_TAG} already exists" >> $GITHUB_STEP_SUMMARY
+          fi
+          echo "Tag: ${TAG}" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 7: Create or update Gitea Release --------------------------------
+      - name: "Step 7: Gitea Release"
+        if: >-
+          steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          BRANCH="${{ steps.version.outputs.branch }}"
+          MAJOR="${{ steps.version.outputs.major }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Reuse metadata from Step 5 (single source of truth)
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          EXT_NAME="${{ steps.updates.outputs.ext_name }}"
+          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
+          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
+
+          # Fallbacks if Step 5 was skipped
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+          fi
+          [ -z "$EXT_NAME" ] && EXT_NAME="${GITEA_REPO}"
+
+          NOTES=$(php /tmp/moko-platform-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null)
+          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+
+          # Build release name: "Pretty Name VERSION (type_element-VERSION)"
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+          esac
+          RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
+
+          # Delete existing release if present (overwrite, not append)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
+          EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$EXISTING_ID" ]; then
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
+            echo "Deleted previous stable release (id: ${EXISTING_ID})"
+          fi
+
+          # Create fresh release
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/releases" \
+            -d "$(python3 -c "import json; print(json.dumps({
+              'tag_name': '${RELEASE_TAG}',
+              'name': '${RELEASE_NAME}',
+              'body': '''## ${VERSION} ($(date +%Y-%m-%d))\n${NOTES}''',
+              'target_commitish': '${BRANCH}'
+            }))")"
+          echo "Release created: ${RELEASE_NAME}" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 8: Build Joomla install ZIP + SHA-256 checksum ------------------
+      - name: "Step 8: Build package and update checksum"
+        if: >-
+          steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          REPO="${{ github.repository }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # All ZIPs upload to the major release tag (vXX)
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
+          RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+          if [ -z "$RELEASE_ID" ]; then
+            echo "No release ${RELEASE_TAG} found — skipping ZIP upload"
+            exit 0
+          fi
+
+          # Find extension element name from manifest
+          MANIFEST=$(find . -maxdepth 2 -name "*.xml" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
+          [ -z "$MANIFEST" ] && exit 0
+
+          # Reuse element from Step 5, with same fallback chain
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          if [ -z "$EXT_ELEMENT" ]; then
+            EXT_ELEMENT=$(sed -n 's/.*<element>\([^<]*\)<\/element>.*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(sed -n 's/.*plugin="\([^"]*\)".*/\1/p' "$MANIFEST" 2>/dev/null | head -1)
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(basename "$MANIFEST" .xml | tr '[:upper:]' '[:lower:]')
+            [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+          fi
+          # ZIP name: type_folder_element-VERSION (e.g. plg_system_mokojgdpc-01.01.00.zip)
+          EXT_TYPE=$(sed -n 's/.*<extension[^>]*type="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          EXT_FOLDER=$(sed -n 's/.*<extension[^>]*group="\([^"]*\)".*/\1/p' "$MANIFEST" | head -1)
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+          esac
+          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
+
+          # -- Build install packages from src/ ----------------------------
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/"; exit 0; }
+
+          # ZIP package (type-aware via moko-platform PHP API)
+          php /tmp/moko-platform-api/cli/joomla_build.php             --path . --version "${VERSION}" --output /tmp
+          # Match the expected ZIP_NAME for upload
+          BUILT_ZIP=$(ls /tmp/${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip 2>/dev/null | head -1 || true)
+          if [ -n "$BUILT_ZIP" ] && [ "$BUILT_ZIP" != "/tmp/${ZIP_NAME}" ]; then
+            mv "$BUILT_ZIP" "/tmp/${ZIP_NAME}"
+          fi
+
+          # tar.gz package (flat source archive)
+          tar -czf "/tmp/${TAR_NAME}" -C "$SOURCE_DIR"             --exclude='.ftpignore' --exclude='sftp-config*'             --exclude='*.ppk' --exclude='*.pem' --exclude='*.key' --exclude='.env*' .
+
+          ZIP_SIZE=$(stat -c%s "/tmp/${ZIP_NAME}" 2>/dev/null || stat -f%z "/tmp/${ZIP_NAME}" 2>/dev/null || echo "unknown")
+          TAR_SIZE=$(stat -c%s "/tmp/${TAR_NAME}" 2>/dev/null || stat -f%z "/tmp/${TAR_NAME}" 2>/dev/null || echo "unknown")
+
+          # -- Calculate SHA-256 for both ----------------------------------
+          SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
+          SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
+
+          # -- Delete existing assets with same name before uploading ------
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
+          for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
+            ASSET_ID=$(echo "$ASSETS" | python3 -c "
+          import sys,json
+          assets = json.load(sys.stdin)
+          for a in assets:
+              if a['name'] == '${ASSET_NAME}':
+                  print(a['id']); break
+          " 2>/dev/null || true)
+            if [ -n "$ASSET_ID" ]; then
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+                "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
+            fi
+          done
+
+          # -- Upload both to release tag ----------------------------------
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @"/tmp/${ZIP_NAME}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
+
+          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @"/tmp/${TAR_NAME}" \
+            "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
+
+          # -- Update updates.xml with both download formats ---------------
+          if [ -f "updates.xml" ]; then
+            ZIP_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}"
+            TAR_URL="${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${TAR_NAME}"
+
+            # Use Python to update only the stable entry's downloads + sha256
+            export PY_ZIP_URL="$ZIP_URL" PY_TAR_URL="$TAR_URL" PY_SHA="$SHA256_ZIP"
+            python3 << 'PYEOF'
+          import re, os
+
+          with open("updates.xml") as f:
+              content = f.read()
+
+          zip_url = os.environ["PY_ZIP_URL"]
+          tar_url = os.environ["PY_TAR_URL"]
+          sha = os.environ["PY_SHA"]
+
+          # Find the stable update block and replace its downloads + sha256
+          def replace_stable(m):
+              block = m.group(0)
+              # Replace downloads block
+              new_downloads = (
+                  "    <downloads>\n"
+                  f"      <downloadurl type=\"full\" format=\"zip\">{zip_url}</downloadurl>\n"
+                  "    </downloads>"
+              )
+              block = re.sub(r'    <downloads>.*?</downloads>', new_downloads, block, flags=re.DOTALL)
+              # Add or replace sha256
+              if '<sha256>' in block:
+                  block = re.sub(r'    <sha256>.*?</sha256>', f'    <sha256>{sha}</sha256>', block)
+              else:
+                  block = block.replace('</downloads>', f'</downloads>\n    <sha256>{sha}</sha256>')
+              return block
+
+          content = re.sub(
+              r'  <update>.*?<tag>stable</tag>.*?</update>',
+              replace_stable,
+              content,
+              flags=re.DOTALL
+          )
+
+          with open("updates.xml", "w") as f:
+              f.write(content)
+          PYEOF
+
+            CURRENT_BRANCH="${{ github.ref_name }}"
+            git add updates.xml
+            git commit -m "chore(release): ZIP + tar.gz for ${VERSION} [skip ci]" \
+              --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>" || true
+            git push || true
+
+            # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
+            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
+
+            FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/contents/updates.xml?ref=main" | jq -r '.sha // empty')
+
+            if [ -n "$FILE_SHA" ]; then
+              CONTENT=$(base64 -w0 updates.xml)
+              curl -sf -X PUT -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                "${API}/contents/updates.xml" \
+                -d "$(jq -n \
+                  --arg content "$CONTENT" \
+                  --arg sha "$FILE_SHA" \
+                  --arg msg "chore: sync updates.xml ${VERSION} [skip ci]" \
+                  --arg branch "main" \
+                  '{content: $content, sha: $sha, message: $msg, branch: $branch}'
+                )" > /dev/null 2>&1 \
+                && echo "updates.xml synced to main via API" \
+                || echo "WARNING: failed to sync updates.xml to main"
+            else
+              echo "WARNING: could not get updates.xml SHA from main"
+            fi
+          fi
+
+          echo "### Packages" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Package | Size | SHA-256 |" >> $GITHUB_STEP_SUMMARY
+          echo "|---------|------|---------|" >> $GITHUB_STEP_SUMMARY
+          echo "| \`${ZIP_NAME}\` | ${ZIP_SIZE} | \`${SHA256_ZIP}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| \`${TAR_NAME}\` | ${TAR_SIZE} | \`${SHA256_TAR}\` |" >> $GITHUB_STEP_SUMMARY
+          echo "| Release | \`${RELEASE_TAG}\` | |" >> $GITHUB_STEP_SUMMARY
+          echo "| Download | [${ZIP_NAME}](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/download/${RELEASE_TAG}/${ZIP_NAME}) |" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 8b: Update release description with changelog + SHA ----------------
+      - name: "Step 8b: Update release body with changelog and SHA"
+        if: steps.version.outputs.skip != 'true'
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          EXT_ELEMENT="${{ steps.updates.outputs.ext_element }}"
+          EXT_TYPE="${{ steps.updates.outputs.ext_type }}"
+          EXT_FOLDER="${{ steps.updates.outputs.ext_folder }}"
+
+          # Build TYPE_PREFIX to match Step 8's ZIP naming
+          TYPE_PREFIX=""
+          case "${EXT_TYPE}" in
+            plugin)    TYPE_PREFIX="plg_${EXT_FOLDER}_" ;;
+            module)    TYPE_PREFIX="mod_" ;;
+            component) TYPE_PREFIX="com_" ;;
+            template)  TYPE_PREFIX="tpl_" ;;
+            library)   TYPE_PREFIX="lib_" ;;
+            package)   TYPE_PREFIX="pkg_" ;;
+          esac
+          ZIP_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.zip"
+          TAR_NAME="${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION}.tar.gz"
+
+          # Get SHA from the built files
+          SHA256_ZIP=""
+          [ -f "/tmp/${ZIP_NAME}" ] && SHA256_ZIP=$(sha256sum "/tmp/${ZIP_NAME}" | cut -d' ' -f1)
+          SHA256_TAR=""
+          [ -f "/tmp/${TAR_NAME}" ] && SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
+
+          # Extract latest changelog entry (strip the ## header to avoid duplicate)
+          CHANGELOG=""
+          if [ -f "CHANGELOG.md" ]; then
+            CHANGELOG=$(sed -n "/^## \[*${VERSION}/,/^## \[*[0-9]/p" CHANGELOG.md | sed '$d' | sed '1d')
+            [ -z "$CHANGELOG" ] && CHANGELOG=$(sed -n '/^## /,/^## /p' CHANGELOG.md | sed '$d' | sed '1d' | head -30)
+          fi
+
+          # Build release body (single header, no duplicate from changelog)
+          BODY="## ${VERSION} ($(date +%Y-%m-%d))\n\n"
+          if [ -n "$CHANGELOG" ]; then
+            BODY="${BODY}${CHANGELOG}\n\n"
+          fi
+          BODY="${BODY}---\n\n### Checksums\n\n"
+          BODY="${BODY}| File | SHA-256 |\n|------|--------|\n"
+          [ -n "$SHA256_ZIP" ] && BODY="${BODY}| \`${ZIP_NAME}\` | \`${SHA256_ZIP}\` |\n"
+          [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
+
+          # Get release ID and update body
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
+            python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
+            python3 -c "
+          import json, urllib.request
+          body = '''$(printf '%b' "$BODY")'''
+          data = json.dumps({'body': body}).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=data,
+              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              method='PATCH'
+          )
+          urllib.request.urlopen(req)
+          " 2>/dev/null && echo "Release body updated with changelog + SHA" >> $GITHUB_STEP_SUMMARY
+          fi
+
+      # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
+      - name: "Step 9: Mirror release to GitHub"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.version.outputs.stability == 'stable' &&
+          secrets.GH_TOKEN != ''
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
+          MAJOR="${{ steps.version.outputs.major }}"
+          BRANCH="${{ steps.version.outputs.branch }}"
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+
+          NOTES=$(php /tmp/moko-platform-api/cli/release_notes.php --path . --version "$VERSION" 2>/dev/null || true)
+          [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
+          echo "$NOTES" > /tmp/release_notes.md
+
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+
+          if [ -z "$EXISTING" ]; then
+            gh release create "$RELEASE_TAG" \
+              --repo "$GH_REPO" \
+              --title "v${MAJOR} (latest: ${VERSION})" \
+              --notes-file /tmp/release_notes.md \
+              --target "$BRANCH" || true
+          else
+            gh release edit "$RELEASE_TAG" \
+              --repo "$GH_REPO" \
+              --title "v${MAJOR} (latest: ${VERSION})" || true
+          fi
+
+          # Upload assets to GitHub mirror
+          for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
+            if [ -f "$PKG" ]; then
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+            fi
+          done
+          echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
+
+      # -- STEP 10: Sync main branch to GitHub mirror ----------------------------
+      - name: "Step 10: Push main to GitHub mirror"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          secrets.GH_TOKEN != ''
+        continue-on-error: true
+        run: |
+          GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
+          GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
+          GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
+          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git fetch origin main --depth=1
+          git push github origin/main:refs/heads/main --force 2>/dev/null \
+            && echo "main branch pushed to GitHub mirror" \
+            || echo "WARNING: GitHub mirror push failed"
+
+      # -- Clean up lesser pre-releases (cascade) ---------------------------------
+      # stable → deletes all | rc → beta,alpha,dev | beta → alpha,dev | alpha → dev
+      - name: "Delete lesser pre-release channels"
+        continue-on-error: true
+        run: |
+          php /tmp/moko-platform-api/cli/release_cascade.php \
+            --stability stable \
+            --token "${{ secrets.GA_TOKEN }}" \
+            --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
+            --gitea-url "${GITEA_URL}" 2>/dev/null || true
+
+      - name: "Step 11: Delete and recreate dev branch from main"
+        if: steps.version.outputs.skip != 'true'
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+
+          # Delete dev branch
+          curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/branches/dev" 2>/dev/null && echo "Deleted dev branch"
+
+          # Recreate dev from main (now includes version bump + changelog promotion)
+          curl -sf -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API_BASE}/branches" \
+            -d '{"new_branch_name":"dev","old_branch_name":"main"}' 2>/dev/null && echo "Recreated dev from main"
+
+          echo "Dev branch reset from main (keeps dev ahead after release)" >> $GITHUB_STEP_SUMMARY
+
+
+      # -- Dolibarr post-release: Reset dev version -----------------------------
+      - name: "Dolibarr: Reset dev version"
+        if: >-
+          steps.version.outputs.skip != 'true' &&
+          steps.platform.outputs.platform == 'dolibarr' &&
+          steps.platform.outputs.mod_file != ''
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          MOD_FILE="${{ steps.platform.outputs.mod_file }}"
+          ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
+          FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)
+          FILE_SHA=$(echo "$FILE_RESP" | python3 -c "import sys,json; print(json.load(sys.stdin).get('sha',''))" 2>/dev/null || true)
+          FILE_CONTENT=$(echo "$FILE_RESP" | python3 -c "import sys,json,base64; print(base64.b64decode(json.load(sys.stdin).get('content','')).decode())" 2>/dev/null || true)
+          if [ -n "$FILE_SHA" ] && [ -n "$FILE_CONTENT" ]; then
+            UPDATED=$(echo "$FILE_CONTENT" | sed "s/\$this->version = '[^']*'/\$this->version = 'development'/")
+            ENCODED=$(echo "$UPDATED" | base64 -w0)
+            curl -sf -X PUT -H "Authorization: token ${TOKEN}" -H "Content-Type: application/json" "${API_BASE}/contents/${ENCODED_PATH}" \
+              -d "$(jq -n --arg content \"$ENCODED\" --arg sha \"$FILE_SHA\" --arg msg \"chore(version): reset dev version [skip ci]\" --arg branch \"dev\" '{content:$content,sha:$sha,message:$msg,branch:$branch}')" > /dev/null 2>&1 || true
+          fi
+
+      # -- Summary --------------------------------------------------------------
+      - name: Pipeline Summary
+        if: always()
+        run: |
+          VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ "${{ steps.version.outputs.skip }}" = "true" ]; then
+            echo "## Release Skipped" >> $GITHUB_STEP_SUMMARY
+            echo "No VERSION in README.md" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ steps.check.outputs.already_released }}" = "true" ]; then
+            echo "## Already Released — ${VERSION}" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "## Build & Release Complete (${PLATFORM})" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "| Step | Result |" >> $GITHUB_STEP_SUMMARY
+            echo "|------|--------|" >> $GITHUB_STEP_SUMMARY
+            echo "| Platform | \`${PLATFORM}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Version | \`${VERSION}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Branch | \`${{ steps.version.outputs.branch }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Tag | \`${{ steps.version.outputs.tag }}\` |" >> $GITHUB_STEP_SUMMARY
+            echo "| Release | [View](${GITEA_URL}/${GITEA_ORG}/${GITEA_REPO}/releases/tag/${{ steps.version.outputs.tag }}) |" >> $GITHUB_STEP_SUMMARY
+          fi
@@ -0,0 +1,213 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Maintenance
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/cascade-dev.yml.template
+# VERSION: 02.00.00
+# BRIEF: Forward-merge main → all open branches after every push to main
+#
+# +========================================================================+
+# |                CASCADE MAIN → ALL BRANCHES                             |
+# +========================================================================+
+# |                                                                        |
+# |  Triggers on every push to main (PR merges, bot commits, etc.)         |
+# |                                                                        |
+# |  1. List all branches matching: dev, rc/*, beta/*, alpha/*             |
+# |  2. For each: create PR (main → branch), auto-merge if clean           |
+# |  3. On conflict: leave PR open for manual resolution                   |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Cascade Main → Dev"
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  cascade:
+    name: Cascade main → branches
+    runs-on: ubuntu-latest
+    if: >-
+      !contains(github.event.head_commit.message, '[skip ci]') &&
+      !contains(github.event.head_commit.message, '[skip cascade]')
+
+    steps:
+      - name: Discover target branches
+        id: branches
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+
+          # Fetch all branches (paginated)
+          PAGE=1
+          ALL_BRANCHES=""
+          while true; do
+            BATCH=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/branches?page=${PAGE}&limit=50" \
+              | jq -r '.[].name // empty')
+            [ -z "$BATCH" ] && break
+            ALL_BRANCHES="$ALL_BRANCHES $BATCH"
+            PAGE=$((PAGE + 1))
+          done
+
+          # Filter to cascade targets: dev, dev/*, rc/*, beta/*, alpha/*
+          TARGETS=""
+          for BRANCH in $ALL_BRANCHES; do
+            case "$BRANCH" in
+              dev|dev/*|rc/*|beta/*|alpha/*)
+                TARGETS="$TARGETS $BRANCH"
+                ;;
+            esac
+          done
+
+          TARGETS=$(echo "$TARGETS" | xargs)  # trim whitespace
+
+          if [ -z "$TARGETS" ]; then
+            echo "targets=" >> "$GITHUB_OUTPUT"
+            echo "ℹ️  No cascade target branches found"
+          else
+            echo "targets=$TARGETS" >> "$GITHUB_OUTPUT"
+            COUNT=$(echo "$TARGETS" | wc -w)
+            echo "📋 Found ${COUNT} target branch(es): ${TARGETS}"
+          fi
+
+      - name: Cascade to all target branches
+        if: steps.branches.outputs.targets != ''
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          SHORT_SHA="${GITHUB_SHA:0:7}"
+          TARGETS="${{ steps.branches.outputs.targets }}"
+
+          SUCCESS=0
+          CONFLICTS=0
+          SKIPPED=0
+          FAILED=0
+
+          for BRANCH in $TARGETS; do
+            echo ""
+            echo "═══ main → ${BRANCH} ═══"
+
+            # Check if branch is already up to date
+            ENCODED_BRANCH=$(echo "$BRANCH" | sed 's|/|%2F|g')
+            RESPONSE=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/compare/${ENCODED_BRANCH}...main")
+
+            AHEAD=$(echo "$RESPONSE" | jq '.total_commits // 0')
+
+            if [ "$AHEAD" -eq 0 ]; then
+              echo "  ✅ Already up to date"
+              SKIPPED=$((SKIPPED + 1))
+              continue
+            fi
+
+            echo "  ℹ️  main is ${AHEAD} commit(s) ahead"
+
+            # Check for existing cascade PR
+            EXISTING=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/pulls?state=open&head=${GITEA_ORG}:main&base=${ENCODED_BRANCH}&limit=1")
+
+            EXISTING_COUNT=$(echo "$EXISTING" | jq 'length')
+            PR_NUMBER=""
+
+            if [ "$EXISTING_COUNT" -gt 0 ]; then
+              PR_NUMBER=$(echo "$EXISTING" | jq -r '.[0].number')
+              echo "  ℹ️  Reusing existing PR #${PR_NUMBER}"
+            else
+              # Create cascade PR
+              PR_RESPONSE=$(curl -sS -w "\n%{http_code}" \
+                -X POST \
+                -H "Authorization: token ${GA_TOKEN}" \
+                -H "Content-Type: application/json" \
+                -d "{
+                  \"title\": \"chore: cascade main → ${BRANCH} (${SHORT_SHA}) [skip ci]\",
+                  \"body\": \"## Automatic cascade\\n\\nForward-merging \`main\` (${SHORT_SHA}) into \`${BRANCH}\`.\\n\\nIf conflicts exist, resolve manually and merge.\\n\\n> Auto-created by **Cascade Main → Dev**.\",
+                  \"head\": \"main\",
+                  \"base\": \"${BRANCH}\"
+                }" \
+                "${API}/pulls")
+
+              HTTP_CODE=$(echo "$PR_RESPONSE" | tail -1)
+              BODY=$(echo "$PR_RESPONSE" | sed '$d')
+              PR_NUMBER=$(echo "$BODY" | jq -r '.number // empty')
+
+              if [ "$HTTP_CODE" != "201" ] || [ -z "$PR_NUMBER" ]; then
+                MSG=$(echo "$BODY" | jq -r '.message // .' 2>/dev/null | head -1)
+                echo "  ❌ Failed to create PR (HTTP ${HTTP_CODE}): ${MSG}"
+                FAILED=$((FAILED + 1))
+                continue
+              fi
+
+              echo "  ✅ Created PR #${PR_NUMBER}"
+            fi
+
+            # Try auto-merge
+            PR_DATA=$(curl -sS \
+              -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/pulls/${PR_NUMBER}")
+
+            MERGEABLE=$(echo "$PR_DATA" | jq -r '.mergeable // false')
+
+            if [ "$MERGEABLE" != "true" ]; then
+              echo "  ⚠️  Conflicts — PR #${PR_NUMBER} left open"
+              CONFLICTS=$((CONFLICTS + 1))
+              continue
+            fi
+
+            MERGE_RESPONSE=$(curl -sS -w "\n%{http_code}" \
+              -X POST \
+              -H "Authorization: token ${GA_TOKEN}" \
+              -H "Content-Type: application/json" \
+              -d "{
+                \"Do\": \"merge\",
+                \"merge_message_field\": \"chore: cascade main → ${BRANCH} [skip ci]\",
+                \"delete_branch_after_merge\": false
+              }" \
+              "${API}/pulls/${PR_NUMBER}/merge")
+
+            MERGE_HTTP=$(echo "$MERGE_RESPONSE" | tail -1)
+
+            if [ "$MERGE_HTTP" = "200" ] || [ "$MERGE_HTTP" = "204" ]; then
+              echo "  ✅ Merged — ${BRANCH} is in sync"
+              SUCCESS=$((SUCCESS + 1))
+            else
+              MERGE_BODY=$(echo "$MERGE_RESPONSE" | sed '$d')
+              echo "  ⚠️  Merge failed (HTTP ${MERGE_HTTP}) — PR #${PR_NUMBER} left open"
+              CONFLICTS=$((CONFLICTS + 1))
+            fi
+          done
+
+          # Summary
+          echo ""
+          echo "════════════════════════════════════════"
+          echo "  ✅ Merged:    ${SUCCESS}"
+          echo "  ⚠️  Conflicts: ${CONFLICTS}"
+          echo "  ⏭️  Up to date: ${SKIPPED}"
+          echo "  ❌ Failed:    ${FAILED}"
+          echo "════════════════════════════════════════"
+
+          if [ "$FAILED" -gt 0 ]; then
+            exit 1
+          fi
@@ -0,0 +1,431 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.CI
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/ci-platform.yml
+# VERSION: 01.00.00
+# BRIEF: moko-platform CI — the standards engine validates itself
+#
+# +========================================================================+
+# |                  MOKOSTANDARDS PLATFORM CI                             |
+# +========================================================================+
+# |                                                                        |
+# |  This is NOT a generic CI workflow. This is the self-validation        |
+# |  pipeline for the central moko-platform enterprise engine.           |
+# |                                                                        |
+# |  It dogfoods every tool the platform ships to governed repos:          |
+# |                                                                        |
+# |  Gate 1 — Code Quality       phpcs (PSR-12), phpstan (L5), psalm      |
+# |  Gate 2 — Unit Tests         phpunit with coverage threshold           |
+# |  Gate 3 — Self-Health        bin/moko health against its own repo     |
+# |  Gate 4 — Governance Checks  headers, secrets, structure, versions    |
+# |  Gate 5 — Template Lint      validate workflow templates parse clean   |
+# |                                                                        |
+# |  If it doesn't pass its own checks, it can't enforce them.            |
+# |                                                                        |
+# +========================================================================+
+
+name: "Platform: moko-platform CI"
+
+on:
+  push:
+    branches:
+      - main
+      - dev
+      - dev/**
+      - rc/**
+    paths-ignore:
+      - '**.md'
+      - 'wiki/**'
+      - '.gitea/ISSUE_TEMPLATE/**'
+  pull_request:
+    branches:
+      - main
+      - dev
+      - dev/**
+      - rc/**
+  workflow_dispatch:
+    inputs:
+      full_suite:
+        description: 'Run full validation suite (including slow checks)'
+        required: false
+        default: 'true'
+        type: boolean
+
+concurrency:
+  group: ci-platform-${{ github.repository }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+  PHP_VERSION: '8.2'
+
+jobs:
+  # ═══════════════════════════════════════════════════════════════════════
+  # Gate 1 — Code Quality
+  # ═══════════════════════════════════════════════════════════════════════
+  code-quality:
+    name: "Gate 1: Code Quality"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP ${{ env.PHP_VERSION }}
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq php${{ env.PHP_VERSION }}-cli php${{ env.PHP_VERSION }}-mbstring \
+            php${{ env.PHP_VERSION }}-xml php${{ env.PHP_VERSION }}-curl php${{ env.PHP_VERSION }}-zip \
+            php${{ env.PHP_VERSION }}-intl >/dev/null 2>&1
+          php -v
+
+      - name: Install Composer dependencies
+        run: |
+          composer install --no-interaction --prefer-dist
+          echo "Dependencies installed: $(composer show | wc -l) packages"
+
+      - name: "PHP Syntax Check"
+        run: |
+          ERRORS=0
+          CHECKED=0
+          while IFS= read -r -d '' file; do
+            CHECKED=$((CHECKED + 1))
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              echo "::error file=${file}::PHP syntax error"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find lib/ validate/ automation/ cli/ src/ deploy/ -name "*.php" -print0 2>/dev/null)
+
+          {
+            echo "### PHP Syntax"
+            echo "Checked ${CHECKED} files — ${ERRORS} error(s)"
+          } >> $GITHUB_STEP_SUMMARY
+
+          [ "$ERRORS" -eq 0 ] || exit 1
+
+      - name: "PHPCS (PSR-12)"
+        run: |
+          vendor/bin/phpcs --standard=phpcs.xml --report=summary lib/ validate/ automation/ 2>&1 || {
+            echo "::error::PHPCS found coding standard violations"
+            echo "### PHPCS" >> $GITHUB_STEP_SUMMARY
+            echo "Coding standard violations detected. Run \`composer phpcs\` locally." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          }
+          echo "### PHPCS" >> $GITHUB_STEP_SUMMARY
+          echo "PSR-12 compliance: passed" >> $GITHUB_STEP_SUMMARY
+
+      - name: "PHPStan (Level 5)"
+        run: |
+          vendor/bin/phpstan analyse -c phpstan.neon --no-progress --error-format=github 2>&1 || {
+            echo "::error::PHPStan found type errors"
+            echo "### PHPStan" >> $GITHUB_STEP_SUMMARY
+            echo "Static analysis errors detected. Run \`composer phpstan\` locally." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          }
+          echo "### PHPStan" >> $GITHUB_STEP_SUMMARY
+          echo "Static analysis (level 5): passed" >> $GITHUB_STEP_SUMMARY
+
+      - name: "Psalm"
+        continue-on-error: true
+        run: |
+          if [ -f "psalm.xml" ]; then
+            vendor/bin/psalm --config=psalm.xml --no-progress --output-format=github 2>&1 || {
+              echo "### Psalm" >> $GITHUB_STEP_SUMMARY
+              echo "Psalm found issues (advisory — not blocking)." >> $GITHUB_STEP_SUMMARY
+            }
+          fi
+
+  # ═══════════════════════════════════════════════════════════════════════
+  # Gate 2 — Unit Tests
+  # ═══════════════════════════════════════════════════════════════════════
+  tests:
+    name: "Gate 2: Unit Tests"
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    needs: code-quality
+
+    strategy:
+      matrix:
+        php: ['8.1', '8.2', '8.3']
+      fail-fast: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP ${{ matrix.php }}
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq php${{ matrix.php }}-cli php${{ matrix.php }}-mbstring \
+            php${{ matrix.php }}-xml php${{ matrix.php }}-curl php${{ matrix.php }}-zip \
+            php${{ matrix.php }}-intl >/dev/null 2>&1
+          php -v
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: "PHPUnit (PHP ${{ matrix.php }})"
+        run: |
+          vendor/bin/phpunit --testdox 2>&1
+          {
+            echo "### PHPUnit (PHP ${{ matrix.php }})"
+            echo "All tests passed."
+          } >> $GITHUB_STEP_SUMMARY
+
+  # ═══════════════════════════════════════════════════════════════════════
+  # Gate 3 — Self-Health (Dogfood)
+  # ═══════════════════════════════════════════════════════════════════════
+  self-health:
+    name: "Gate 3: Self-Health Check"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: code-quality
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup PHP
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq php${{ env.PHP_VERSION }}-cli php${{ env.PHP_VERSION }}-mbstring \
+            php${{ env.PHP_VERSION }}-xml php${{ env.PHP_VERSION }}-curl php${{ env.PHP_VERSION }}-zip >/dev/null 2>&1
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: "Run bin/moko health against self"
+        run: |
+          php bin/moko health -- --path . --json > /tmp/health-report.json 2>&1 || true
+          SCORE=$(cat /tmp/health-report.json | python3 -c "import sys,json; print(json.load(sys.stdin).get('percentage', 0))" 2>/dev/null || echo "0")
+          LEVEL=$(cat /tmp/health-report.json | python3 -c "import sys,json; print(json.load(sys.stdin).get('level', 'unknown'))" 2>/dev/null || echo "unknown")
+
+          {
+            echo "### Self-Health Report"
+            echo ""
+            echo "| Metric | Value |"
+            echo "|---|---|"
+            echo "| Score | ${SCORE}% |"
+            echo "| Level | ${LEVEL} |"
+            echo ""
+            echo "The platform must pass its own health check to enforce it on others."
+          } >> $GITHUB_STEP_SUMMARY
+
+          # Platform must score at least 80%
+          python3 -c "exit(0 if float('${SCORE}') >= 80.0 else 1)" || {
+            echo "::error::Self-health score ${SCORE}% is below 80% threshold"
+            exit 1
+          }
+
+  # ═══════════════════════════════════════════════════════════════════════
+  # Gate 4 — Governance Checks
+  # ═══════════════════════════════════════════════════════════════════════
+  governance:
+    name: "Gate 4: Governance"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: code-quality
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Setup PHP
+        run: |
+          sudo apt-get update -qq
+          sudo apt-get install -y -qq php${{ env.PHP_VERSION }}-cli php${{ env.PHP_VERSION }}-mbstring \
+            php${{ env.PHP_VERSION }}-xml php${{ env.PHP_VERSION }}-curl >/dev/null 2>&1
+
+      - name: Install dependencies
+        run: composer install --no-interaction --prefer-dist
+
+      - name: "License headers (SPDX)"
+        run: |
+          MISSING=0
+          CHECKED=0
+          while IFS= read -r -d '' file; do
+            CHECKED=$((CHECKED + 1))
+            if ! head -n 20 "$file" | grep -q "SPDX-License-Identifier:"; then
+              echo "::warning file=${file}::Missing SPDX header"
+              MISSING=$((MISSING + 1))
+            fi
+          done < <(find lib/ validate/ cli/ src/ automation/ deploy/ -name "*.php" -print0 2>/dev/null)
+
+          {
+            echo "### License Headers"
+            echo "Checked ${CHECKED} files — ${MISSING} missing SPDX headers"
+          } >> $GITHUB_STEP_SUMMARY
+
+          # Advisory — warn but don't fail (yet)
+          [ "$MISSING" -eq 0 ] || echo "::warning::${MISSING} files missing SPDX license headers"
+
+      - name: "Secret detection"
+        run: |
+          FOUND=0
+          # Check for common secret patterns in source files
+          while IFS= read -r -d '' file; do
+            if grep -qEi '(password|secret|token|apikey|api_key)\s*[:=]\s*["\x27][^\s]{8,}' "$file" 2>/dev/null; then
+              echo "::error file=${file}::Potential hardcoded secret detected"
+              FOUND=$((FOUND + 1))
+            fi
+          done < <(find lib/ validate/ cli/ src/ automation/ deploy/ -name "*.php" -print0 2>/dev/null)
+
+          {
+            echo "### Secret Detection"
+            if [ "$FOUND" -eq 0 ]; then
+              echo "No hardcoded secrets detected."
+            else
+              echo "${FOUND} potential secrets found."
+            fi
+          } >> $GITHUB_STEP_SUMMARY
+
+          [ "$FOUND" -eq 0 ] || exit 1
+
+      - name: "Version consistency"
+        run: |
+          # Extract version from composer.json
+          COMPOSER_VER=$(python3 -c "import json; print(json.load(open('composer.json'))['version'])")
+          # Extract version from README.md
+          README_VER=$(sed -n 's/.*VERSION:[[:space:]]*\([0-9][0-9]\.[0-9][0-9]\.[0-9][0-9]\).*/\1/p' README.md 2>/dev/null | head -1)
+
+          {
+            echo "### Version Consistency"
+            echo "| Source | Version |"
+            echo "|---|---|"
+            echo "| composer.json | ${COMPOSER_VER} |"
+            echo "| README.md | ${README_VER:-not found} |"
+          } >> $GITHUB_STEP_SUMMARY
+
+          if [ -n "$README_VER" ] && [ "$COMPOSER_VER" != "$README_VER" ]; then
+            echo "::warning::Version mismatch: composer.json=${COMPOSER_VER} vs README.md=${README_VER}"
+          fi
+
+  # ═══════════════════════════════════════════════════════════════════════
+  # Gate 5 — Template Integrity
+  # ═══════════════════════════════════════════════════════════════════════
+  templates:
+    name: "Gate 5: Template Integrity"
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    needs: code-quality
+    if: github.event_name != 'push' || github.event.inputs.full_suite != 'false'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: "Validate workflow templates"
+        run: |
+          ERRORS=0
+          CHECKED=0
+
+          # Check all YAML workflow templates parse cleanly
+          while IFS= read -r -d '' file; do
+            CHECKED=$((CHECKED + 1))
+            if ! python3 -c "import yaml; yaml.safe_load(open('${file}'))" 2>/dev/null; then
+              echo "::error file=${file}::Invalid YAML"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find templates/workflows/ -name "*.yml" -o -name "*.yaml" 2>/dev/null | tr '\n' '\0')
+
+          # Also check the live workflows
+          while IFS= read -r -d '' file; do
+            CHECKED=$((CHECKED + 1))
+            if ! python3 -c "import yaml; yaml.safe_load(open('${file}'))" 2>/dev/null; then
+              echo "::error file=${file}::Invalid YAML"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find .mokogitea/workflows/ -name "*.yml" -o -name "*.yaml" 2>/dev/null | tr '\n' '\0')
+
+          {
+            echo "### Template Integrity"
+            echo "Validated ${CHECKED} YAML files — ${ERRORS} parse errors"
+          } >> $GITHUB_STEP_SUMMARY
+
+          [ "$ERRORS" -eq 0 ] || exit 1
+
+      - name: "Validate gitignore templates"
+        run: |
+          TEMPLATES=0
+          for GI in templates/configs/gitignore templates/configs/gitignore.dolibarr templates/configs/.gitignore.joomla; do
+            if [ -f "$GI" ]; then
+              TEMPLATES=$((TEMPLATES + 1))
+              # Verify required entries
+              for REQUIRED in ".claude/" "TODO.md" "*.min.css" "*.min.js" "wiki/"; do
+                if ! grep -q "$REQUIRED" "$GI"; then
+                  echo "::error file=${GI}::Missing required entry: ${REQUIRED}"
+                fi
+              done
+            fi
+          done
+
+          echo "### Gitignore Templates" >> $GITHUB_STEP_SUMMARY
+          echo "Validated ${TEMPLATES} gitignore templates." >> $GITHUB_STEP_SUMMARY
+
+      - name: "Validate PHP validation scripts"
+        run: |
+          ERRORS=0
+          CHECKED=0
+          while IFS= read -r -d '' file; do
+            CHECKED=$((CHECKED + 1))
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              echo "::error file=${file}::Validation script has syntax error"
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find validate/ -name "*.php" -print0 2>/dev/null)
+
+          {
+            echo "### Validation Scripts"
+            echo "Checked ${CHECKED} scripts — ${ERRORS} syntax errors"
+          } >> $GITHUB_STEP_SUMMARY
+
+          [ "$ERRORS" -eq 0 ] || { echo "::error::Validation scripts must be error-free"; exit 1; }
+
+  # ═══════════════════════════════════════════════════════════════════════
+  # Summary
+  # ═══════════════════════════════════════════════════════════════════════
+  summary:
+    name: "CI Summary"
+    runs-on: ubuntu-latest
+    needs: [code-quality, tests, self-health, governance, templates]
+    if: always()
+
+    steps:
+      - name: Check gate results
+        run: |
+          {
+            echo "# moko-platform CI"
+            echo ""
+            echo "| Gate | Job | Status |"
+            echo "|---|---|---|"
+            echo "| 1 | Code Quality | ${{ needs.code-quality.result }} |"
+            echo "| 2 | Unit Tests | ${{ needs.tests.result }} |"
+            echo "| 3 | Self-Health | ${{ needs.self-health.result }} |"
+            echo "| 4 | Governance | ${{ needs.governance.result }} |"
+            echo "| 5 | Templates | ${{ needs.templates.result }} |"
+            echo ""
+            echo "> *The standards engine must pass its own standards.*"
+          } >> $GITHUB_STEP_SUMMARY
+
+          # Fail if any required gate failed
+          if [ "${{ needs.code-quality.result }}" = "failure" ] || \
+             [ "${{ needs.tests.result }}" = "failure" ] || \
+             [ "${{ needs.self-health.result }}" = "failure" ] || \
+             [ "${{ needs.governance.result }}" = "failure" ] || \
+             [ "${{ needs.templates.result }}" = "failure" ]; then
+            echo "::error::One or more CI gates failed"
+            exit 1
+          fi
@@ -0,0 +1,87 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Maintenance
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/cleanup.yml
+# VERSION: 01.00.00
+# BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
+
+name: "Universal: Repository Cleanup"
+
+on:
+  schedule:
+    - cron: '0 3 * * 0'  # Weekly on Sunday at 03:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+
+jobs:
+  cleanup:
+    name: Clean Merged Branches
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GA_TOKEN }}
+
+      - name: Delete merged branches
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          echo "=== Merged Branch Cleanup ==="
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+
+          # List branches via API
+          BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/branches?limit=50" | jq -r '.[].name')
+
+          DELETED=0
+          for BRANCH in $BRANCHES; do
+            # Skip protected branches
+            case "$BRANCH" in
+              main|master|develop|release/*|hotfix/*) continue ;;
+            esac
+
+            # Check if branch is merged into main
+            if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
+              echo "  Deleting merged branch: ${BRANCH}"
+              curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+                "${API}/branches/${BRANCH}" 2>/dev/null || true
+              DELETED=$((DELETED + 1))
+            fi
+          done
+
+          echo "Deleted ${DELETED} merged branch(es)"
+
+      - name: Clean old workflow runs
+        env:
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+        run: |
+          echo "=== Workflow Run Cleanup ==="
+          API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
+          CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
+
+          # Get old completed runs
+          RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
+            "${API}/actions/runs?status=completed&limit=50" | \
+            jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
+
+          DELETED=0
+          for RUN_ID in $RUNS; do
+            curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
+              "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
+            DELETED=$((DELETED + 1))
+          done
+
+          echo "Deleted ${DELETED} old workflow run(s)"
@@ -4,15 +4,13 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Deploy
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
+# INGROUP: moko-platform.Deploy
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 # PATH: /templates/workflows/joomla/deploy-manual.yml.template
-# VERSION: 04.06.00
+# VERSION: 04.07.00
 # BRIEF: Manual SFTP deploy to dev server for Joomla repos
-# NOTE: Joomla repos use updates.xml for distribution. This is for manual
-#       dev server testing only — triggered via workflow_dispatch.

-name: Deploy to Dev (Manual)
+name: "Universal: Deploy to Dev (Manual)"

 on:
  workflow_dispatch:
@@ -42,7 +40,7 @@ jobs:
        run: |
          php -v && composer --version

-      - name: Setup MokoStandards tools
+      - name: Setup moko-platform tools
        env:
          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
@@ -50,10 +48,10 @@ jobs:
          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
        run: |
          git clone --depth 1 --branch main --quiet \
-            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \
-            /tmp/mokostandards-api 2>/dev/null || true
-          if [ -d "/tmp/mokostandards-api" ] && [ -f "/tmp/mokostandards-api/composer.json" ]; then
-            cd /tmp/mokostandards-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+            "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git" \
+            /tmp/moko-platform-api 2>/dev/null || true
+          if [ -d "/tmp/moko-platform-api" ] && [ -f "/tmp/moko-platform-api/composer.json" ]; then
+            cd /tmp/moko-platform-api && composer install --no-dev --no-interaction --quiet 2>/dev/null || true
          fi

      - name: Check FTP configuration
@@ -61,11 +59,10 @@ jobs:
        env:
          HOST: ${{ vars.DEV_FTP_HOST }}
          PATH_VAR: ${{ vars.DEV_FTP_PATH }}
-          SUFFIX: ${{ vars.DEV_FTP_SUFFIX }}
          PORT: ${{ vars.DEV_FTP_PORT }}
        run: |
          if [ -z "$HOST" ] || [ -z "$PATH_VAR" ]; then
-            echo "DEV_FTP_HOST or DEV_FTP_PATH not configured — cannot deploy"
+            echo "DEV_FTP_HOST or DEV_FTP_PATH not configured -- cannot deploy"
            echo "skip=true" >> "$GITHUB_OUTPUT"
            exit 0
          fi
@@ -73,7 +70,6 @@ jobs:
          echo "host=$HOST" >> "$GITHUB_OUTPUT"

          REMOTE="${PATH_VAR%/}"
-          [ -n "$SUFFIX" ] && REMOTE="${REMOTE}/${SUFFIX#/}"
          echo "remote=$REMOTE" >> "$GITHUB_OUTPUT"

          [ -z "$PORT" ] && PORT="22"
@@ -88,7 +84,7 @@ jobs:
        run: |
          SOURCE_DIR="src"
          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
-          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ — nothing to deploy"; exit 0; }
+          [ ! -d "$SOURCE_DIR" ] && { echo "No src/ or htdocs/ -- nothing to deploy"; exit 0; }

          printf '{"host":"%s","port":%s,"username":"%s","remotePath":"%s"' \
            "${{ steps.check.outputs.host }}" "${{ steps.check.outputs.port }}" "$SFTP_USER" "${{ steps.check.outputs.remote }}" \
@@ -105,20 +101,33 @@ jobs:
          DEPLOY_ARGS=(--path . --src-dir "$SOURCE_DIR" --config /tmp/sftp-config.json)
          [ "${{ inputs.clear_remote }}" = "true" ] && DEPLOY_ARGS+=(--clear-remote)

-          PLATFORM=$(php /tmp/mokostandards-api/cli/platform_detect.php --path . 2>/dev/null || true)
-          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/mokostandards-api/deploy/deploy-joomla.php" ]; then
-            php /tmp/mokostandards-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
+          PLATFORM=$(php /tmp/moko-platform-api/cli/platform_detect.php --path . 2>/dev/null || true)
+          if [ "$PLATFORM" = "waas-component" ] && [ -f "/tmp/moko-platform-api/deploy/deploy-joomla.php" ]; then
+            php /tmp/moko-platform-api/deploy/deploy-joomla.php "${DEPLOY_ARGS[@]}"
          else
-            php /tmp/mokostandards-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
+            php /tmp/moko-platform-api/deploy/deploy-sftp.php "${DEPLOY_ARGS[@]}"
          fi

          rm -f /tmp/deploy_key /tmp/sftp-config.json

+
+      - name: Post-deploy health check
+        if: success() && steps.check.outputs.skip != 'true'
+        run: |
+          if [ -f "deploy/health-check.php" ]; then
+            SITE_URL="${{ vars.DEV_SITE_URL }}"
+            if [ -n "$SITE_URL" ]; then
+              php deploy/health-check.php --url "$SITE_URL" --checks http --timeout 30 || echo "::warning::Health check failed after deploy"
+            else
+              echo "DEV_SITE_URL not configured, skipping health check"
+            fi
+          fi
+
      - name: Summary
        if: always()
        run: |
          if [ "${{ steps.check.outputs.skip }}" = "true" ]; then
-            echo "### Deploy Skipped — FTP not configured" >> $GITHUB_STEP_SUMMARY
+            echo "### Deploy Skipped -- FTP not configured" >> $GITHUB_STEP_SUMMARY
          else
            echo "### Manual Dev Deploy Complete" >> $GITHUB_STEP_SUMMARY
            echo "" >> $GITHUB_STEP_SUMMARY
@@ -0,0 +1,96 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Security
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/gitleaks.yml.template
+# VERSION: 01.00.00
+# BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
+#
+# +========================================================================+
+# |                        SECRET SCANNING                                 |
+# +========================================================================+
+# |                                                                        |
+# |  Scans commits for leaked secrets using Gitleaks.                      |
+# |                                                                        |
+# |  - PR scan: only new commits in the PR                                 |
+# |  - Scheduled: full repo scan weekly                                    |
+# |  - Alerts via ntfy on findings                                         |
+# |                                                                        |
+# +========================================================================+
+
+name: "Universal: Secret Scanning"
+
+on:
+  pull_request:
+    branches:
+      - main
+      - 'dev/**'
+  schedule:
+    - cron: '0 5 * * 1'  # Weekly Monday 05:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  gitleaks:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Install Gitleaks
+        run: |
+          GITLEAKS_VERSION="8.21.2"
+          curl -sSL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
+            | tar -xz -C /usr/local/bin gitleaks
+          gitleaks version
+
+      - name: Scan for secrets
+        id: scan
+        run: |
+          echo "### Secret Scanning" >> $GITHUB_STEP_SUMMARY
+          ARGS="--source . --verbose --report-format json --report-path /tmp/gitleaks-report.json"
+
+          if [ "${{ github.event_name }}" = "pull_request" ]; then
+            # Scan only PR commits
+            ARGS="$ARGS --log-opts=${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}"
+            echo "Scanning PR commits only" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "Full repository scan" >> $GITHUB_STEP_SUMMARY
+          fi
+
+          if gitleaks detect $ARGS 2>&1; then
+            echo "result=clean" >> "$GITHUB_OUTPUT"
+            echo "**No secrets detected.**" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "result=found" >> "$GITHUB_OUTPUT"
+            FINDINGS=$(jq length /tmp/gitleaks-report.json 2>/dev/null || echo "unknown")
+            echo "**${FINDINGS} potential secret(s) detected.**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Review the findings and rotate any exposed credentials immediately." >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+      - name: Notify on findings
+        if: failure() && steps.scan.outputs.result == 'found'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} — secrets detected in code" \
+            -H "Tags: rotating_light,key" \
+            -H "Priority: urgent" \
+            -d "Gitleaks found potential secrets. Review and rotate credentials immediately." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true
@@ -0,0 +1,70 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Notifications
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/notify.yml
+# VERSION: 01.00.00
+# BRIEF: Push notifications via ntfy on release success or workflow failure
+
+name: "Universal: Notifications"
+
+on:
+  workflow_run:
+    workflows:
+      - "Joomla Build & Release"
+      - "Joomla Extension CI"
+      - "Deploy"
+    types:
+      - completed
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-releases' }}
+
+jobs:
+  notify:
+    name: Send Notification
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.workflow_run.conclusion == 'success' ||
+      github.event.workflow_run.conclusion == 'failure'
+
+    steps:
+      - name: Notify on success (releases only)
+        if: >-
+          github.event.workflow_run.conclusion == 'success' &&
+          contains(github.event.workflow_run.name, 'Release')
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} released" \
+            -H "Tags: white_check_mark,package" \
+            -H "Priority: default" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} completed successfully." \
+            "${NTFY_URL}/${NTFY_TOPIC}"
+
+      - name: Notify on failure
+        if: github.event.workflow_run.conclusion == 'failure'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          WORKFLOW="${{ github.event.workflow_run.name }}"
+          URL="${{ github.event.workflow_run.html_url }}"
+
+          curl -sS \
+            -H "Title: ${REPO} workflow failed" \
+            -H "Tags: x,warning" \
+            -H "Priority: high" \
+            -H "Click: ${URL}" \
+            -d "${WORKFLOW} failed. Check the run for details." \
+            "${NTFY_URL}/${NTFY_TOPIC}"
@@ -0,0 +1,196 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/universal/pr-check.yml.template
+# VERSION: 05.00.00
+# BRIEF: PR gate — branch policy + code validation before merge
+
+name: "Universal: PR Check"
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, edited]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  # ── Branch Policy ──────────────────────────────────────────────────────
+  branch-policy:
+    name: Branch Policy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check branch merge target
+        run: |
+          HEAD="${{ github.head_ref }}"
+          BASE="${{ github.base_ref }}"
+
+          echo "PR: ${HEAD} → ${BASE}"
+
+          ALLOWED=true
+          REASON=""
+
+          case "$HEAD" in
+            feature/*|feat/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Feature branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            fix/*|bugfix/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Fix branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            hotfix/*)
+              if [ "$BASE" != "dev" ] && [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Hotfix branches can only target 'dev' or 'main', not '${BASE}'"
+              fi
+              ;;
+            alpha/*|beta/*)
+              if [ "$BASE" != "dev" ]; then
+                ALLOWED=false
+                REASON="Pre-release branches must target 'dev', not '${BASE}'"
+              fi
+              ;;
+            rc/*)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Release candidate branches must target 'main', not '${BASE}'"
+              fi
+              ;;
+            dev)
+              if [ "$BASE" != "main" ]; then
+                ALLOWED=false
+                REASON="Dev branch can only merge into 'main', not '${BASE}'"
+              fi
+              ;;
+          esac
+
+          if [ "$ALLOWED" = false ]; then
+            echo "::error::${REASON}"
+            echo "## Branch Policy Violation" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "${REASON}" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### Allowed merge paths:" >> $GITHUB_STEP_SUMMARY
+            echo "- \`feature/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`fix/*\` → \`dev\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`hotfix/*\` → \`dev\` or \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`dev\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            echo "- \`rc/*\` → \`main\`" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+
+          echo "Branch policy: OK (${HEAD} → ${BASE})"
+          echo "## Branch Policy: Passed" >> $GITHUB_STEP_SUMMARY
+
+  # ── Code Validation ────────────────────────────────────────────────────
+  validate:
+    name: Validate PR
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Detect platform
+        id: platform
+        run: |
+          # Read platform from XML manifest (<platform> tag) or plain text fallback
+          PLATFORM=$(sed -n 's/.*<platform>\([^<]*\)<\/platform>.*/\1/p' .mokogitea/manifest.xml 2>/dev/null | head -1)
+          [ -z "$PLATFORM" ] && PLATFORM=$(cat .mokogitea/manifest.xml 2>/dev/null | tr -d '[:space:]')
+          [ -z "$PLATFORM" ] && PLATFORM="generic"
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+
+      - name: Setup PHP
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml >/dev/null 2>&1
+          fi
+
+      - name: PHP syntax check
+        if: steps.platform.outputs.platform == 'joomla' || steps.platform.outputs.platform == 'dolibarr'
+        run: |
+          ERRORS=0
+          while IFS= read -r -d '' file; do
+            if ! php -l "$file" 2>&1 | grep -q "No syntax errors"; then
+              ERRORS=$((ERRORS + 1))
+            fi
+          done < <(find . -name "*.php" -not -path "./.git/*" -not -path "./vendor/*" -print0)
+          echo "PHP lint: ${ERRORS} error(s)"
+          [ "$ERRORS" -eq 0 ] || { echo "::error::PHP syntax errors found"; exit 1; }
+
+      - name: Validate platform manifest
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1)
+              if [ -z "$MANIFEST" ]; then
+                echo "::warning::No Joomla manifest found (WaaS site)"
+                exit 0
+              fi
+              echo "Manifest: ${MANIFEST}"
+              if command -v php &> /dev/null; then
+                php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('$MANIFEST'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::Manifest XML is malformed"; exit 1; }
+              fi
+              for ELEMENT in name version description; do
+                grep -q "<${ELEMENT}>" "$MANIFEST" || { echo "::error::Missing <${ELEMENT}> in manifest"; exit 1; }
+              done
+              echo "Joomla manifest valid"
+              ;;
+            dolibarr)
+              MOD_FILE=$(find . -maxdepth 4 -name "mod*.class.php" ! -path "./.git/*" -exec grep -l 'extends DolibarrModules' {} \; 2>/dev/null | head -1)
+              if [ -z "$MOD_FILE" ]; then
+                echo "::error::No mod*.class.php found"
+                exit 1
+              fi
+              echo "Dolibarr module: ${MOD_FILE}"
+              ;;
+            *)
+              echo "Generic platform — no manifest validation"
+              ;;
+          esac
+
+      - name: Check update stream format
+        run: |
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          case "$PLATFORM" in
+            joomla)
+              if [ -f "updates.xml" ]; then
+                if command -v php &> /dev/null; then
+                  php -r "libxml_use_internal_errors(true); \$x = simplexml_load_file('updates.xml'); if(!\$x){foreach(libxml_get_errors() as \$e) echo \$e->message; exit(1);}" || { echo "::error::updates.xml is malformed"; exit 1; }
+                fi
+                echo "updates.xml valid"
+              fi
+              ;;
+            dolibarr)
+              [ -f "update.txt" ] && echo "update.txt present" || echo "::warning::No update.txt"
+              ;;
+          esac
+
+      - name: Verify package source
+        run: |
+          SOURCE_DIR="src"
+          [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+          if [ ! -d "$SOURCE_DIR" ]; then
+            echo "::warning::No src/ or htdocs/ directory"
+            exit 0
+          fi
+          FILE_COUNT=$(find "$SOURCE_DIR" -type f | wc -l)
+          echo "Source: ${FILE_COUNT} files"
+          [ "$FILE_COUNT" -gt 0 ] || { echo "::error::Source directory is empty"; exit 1; }
@@ -0,0 +1,246 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /templates/workflows/universal/pre-release.yml.template
+# VERSION: 05.00.00
+# BRIEF: Manual pre-release — builds dev/alpha/beta/rc packages from any branch
+
+name: "Universal: Pre-Release"
+
+on:
+  workflow_dispatch:
+    inputs:
+      stability:
+        description: 'Pre-release channel'
+        required: true
+        type: choice
+        options:
+          - development
+          - alpha
+          - beta
+          - release-candidate
+
+permissions:
+  contents: write
+
+env:
+  GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
+  GITEA_ORG: ${{ vars.GITEA_ORG || github.repository_owner }}
+  GITEA_REPO: ${{ vars.GITEA_REPO || github.event.repository.name }}
+
+jobs:
+  build:
+    name: "Build Pre-Release (${{ inputs.stability }})"
+    runs-on: release
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GA_TOKEN }}
+
+      - name: Setup PHP
+        run: |
+          if ! command -v php &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl >/dev/null 2>&1
+          fi
+
+      - name: Setup moko-platform tools
+        env:
+          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
+        run: |
+          git clone --depth 1 --branch main --quiet             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/moko-platform.git"             /tmp/moko-platform-api
+
+      - name: Detect platform
+        id: platform
+        run: |
+          php /tmp/moko-platform-api/cli/manifest_read.php --path . --github-output
+
+      - name: Resolve metadata
+        id: meta
+        run: |
+          STABILITY="${{ inputs.stability }}"
+          MOKO_API="/tmp/moko-platform-api/cli"
+
+          case "$STABILITY" in
+            development)        SUFFIX="-dev";   TAG="development" ;;
+            alpha)              SUFFIX="-alpha"; TAG="alpha" ;;
+            beta)               SUFFIX="-beta";  TAG="beta" ;;
+            release-candidate)  SUFFIX="-rc";    TAG="release-candidate" ;;
+          esac
+
+          # Bump patch version
+          BUMP_OUTPUT=$(php ${MOKO_API}/version_bump.php --path .)
+          VERSION=$(echo "$BUMP_OUTPUT" | grep -oP '\d{2}\.\d{2}\.\d{2}$' || true)
+          [ -z "$VERSION" ] && VERSION=$(php ${MOKO_API}/version_read.php --path .)
+          echo "Version: ${VERSION}"
+
+          # Update platform-specific manifest
+          php ${MOKO_API}/version_set_platform.php --path . --version "${VERSION}"
+
+          # Commit version bump
+          git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+          git config --local user.name "gitea-actions[bot]"
+          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git add -A
+          git diff --cached --quiet || {
+            git commit -m "chore(version): bump to ${VERSION} [skip ci]"
+            git push origin HEAD 2>&1
+          }
+
+          # Detect element from Joomla/Dolibarr manifest
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          EXT_ELEMENT=$(php ${MOKO_API}/manifest_read.php --path . --field name 2>/dev/null | tr -d ' ' | tr '[:upper:]' '[:lower:]' || true)
+          # For Joomla, prefer <element> tag
+          if [ "$PLATFORM" = "joomla" ]; then
+            MANIFEST=$(find . -maxdepth 3 -name "*.xml" ! -path "./.git/*" -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)
+            if [ -n "$MANIFEST" ]; then
+              ELEM=$(grep -oP "<element>\K[^<]+" "$MANIFEST" 2>/dev/null | head -1)
+              [ -n "$ELEM" ] && EXT_ELEMENT="$ELEM"
+            fi
+          fi
+          [ -z "$EXT_ELEMENT" ] && EXT_ELEMENT=$(echo "${GITEA_REPO}" | tr '[:upper:]' '[:lower:]' | tr -d ' -')
+
+          ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
+
+          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
+          echo "stability=${STABILITY}" >> "$GITHUB_OUTPUT"
+          echo "suffix=${SUFFIX}" >> "$GITHUB_OUTPUT"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
+          echo "ext_element=${EXT_ELEMENT}" >> "$GITHUB_OUTPUT"
+
+          echo "=== Pre-Release: ${EXT_ELEMENT} ${VERSION}${SUFFIX} ==="
+
+      - name: Build package
+        id: zip
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          SUFFIX="${{ steps.meta.outputs.suffix }}"
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+
+          if [ "$PLATFORM" = "joomla" ]; then
+            php /tmp/moko-platform-api/cli/joomla_build.php               --path . --version "${VERSION}" --suffix "${SUFFIX}"               --output build --github-output
+          else
+            # Generic build: zip src/ directory
+            SOURCE_DIR="src"
+            [ ! -d "$SOURCE_DIR" ] && SOURCE_DIR="htdocs"
+            [ ! -d "$SOURCE_DIR" ] && { echo "::error::No src/ or htdocs/"; exit 1; }
+            EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
+            ZIP_NAME="${EXT_ELEMENT}-${VERSION}${SUFFIX}.zip"
+            mkdir -p build
+            cd "$SOURCE_DIR" && zip -r "../build/${ZIP_NAME}" . && cd ..
+            SHA256=$(sha256sum "build/${ZIP_NAME}" | cut -d' ' -f1)
+            echo "zip_name=${ZIP_NAME}" >> "$GITHUB_OUTPUT"
+            echo "zip_path=build/${ZIP_NAME}" >> "$GITHUB_OUTPUT"
+            echo "sha256=${SHA256}" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create or replace Gitea release
+        id: release
+        continue-on-error: true
+        run: |
+          TAG="${{ steps.meta.outputs.tag }}"
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.zip.outputs.sha256 }}"
+          ZIP_NAME="${{ steps.zip.outputs.zip_name }}"
+          EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          BRANCH=$(git branch --show-current)
+
+          BODY="## ${VERSION} ($(date +%Y-%m-%d))
+          **Channel:** ${STABILITY}
+          **SHA-256:** \`${SHA256}\`"
+
+          # Delete existing release
+          EXISTING_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
+            "${API}/releases/tags/${TAG}" | jq -r '.id // empty' 2>/dev/null)
+          if [ -n "$EXISTING_ID" ]; then
+            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+              "${API}/releases/${EXISTING_ID}" 2>/dev/null || true
+            curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+              "${API}/tags/${TAG}" 2>/dev/null || true
+          fi
+
+          # Create release
+          RELEASE_ID=$(curl -sS -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/json" \
+            "${API}/releases" \
+            -d "$(jq -n \
+              --arg tag "$TAG" \
+              --arg target "$BRANCH" \
+              --arg name "${EXT_ELEMENT} ${VERSION} (${STABILITY})" \
+              --arg body "$BODY" \
+              '{tag_name: $tag, target_commitish: $target, name: $name, body: $body, prerelease: true}'
+            )" | jq -r '.id')
+
+          echo "release_id=${RELEASE_ID}" >> "$GITHUB_OUTPUT"
+
+          # Upload ZIP
+          curl -sS -X POST -H "Authorization: token ${TOKEN}" \
+            -H "Content-Type: application/octet-stream" \
+            "${API}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" \
+            --data-binary "@${{ steps.zip.outputs.zip_path }}"
+
+          echo "Released: ${EXT_ELEMENT} ${VERSION} (${STABILITY})"
+
+      - name: "Update updates.xml"
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          VERSION="${{ steps.meta.outputs.version }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+          SHA256="${{ steps.zip.outputs.sha256 }}"
+          php /tmp/moko-platform-api/cli/updates_xml_build.php             --path . --version "$VERSION" --stability "$STABILITY"             --sha "$SHA256"             --gitea-url "$GITEA_URL" --org "$GITEA_ORG" --repo "$GITEA_REPO"
+          if ! git diff --quiet updates.xml 2>/dev/null; then
+            git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
+            git config --local user.name "gitea-actions[bot]"
+            git add updates.xml
+            git commit -m "chore: update $STABILITY channel $VERSION [skip ci]"
+            git push origin HEAD 2>&1 || echo "WARNING: push failed"
+          fi
+
+      - name: "Sync updates.xml to all branches"
+        if: steps.platform.outputs.platform == 'joomla'
+        run: |
+          php /tmp/moko-platform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.GA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
+
+      - name: "Delete lesser pre-release channels (cascade)"
+        continue-on-error: true
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
+          STABILITY="${{ steps.meta.outputs.stability }}"
+
+          # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing
+          case "$STABILITY" in
+            release-candidate) TAGS_TO_DELETE="beta alpha development" ;;
+            beta)              TAGS_TO_DELETE="alpha development" ;;
+            alpha)             TAGS_TO_DELETE="development" ;;
+            *)                 TAGS_TO_DELETE="" ;;
+          esac
+
+          [ -z "$TAGS_TO_DELETE" ] && exit 0
+
+          for TAG in $TAGS_TO_DELETE; do
+            RELEASE_ID=$(curl -sS -H "Authorization: token ${TOKEN}" \
+              "${API_BASE}/releases/tags/${TAG}" 2>/dev/null | \
+              python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+            if [ -n "$RELEASE_ID" ] && [ "$RELEASE_ID" != "None" ]; then
+              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+                "${API_BASE}/releases/${RELEASE_ID}" 2>/dev/null || true
+              curl -sS -X DELETE -H "Authorization: token ${TOKEN}" \
+                "${API_BASE}/tags/${TAG}" 2>/dev/null || true
+              echo "Deleted: ${TAG} (id: ${RELEASE_ID})"
+            fi
+          done
@@ -7,19 +7,14 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoStandards.Validation
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
-# PATH: /.github/workflows/repo_health.yml
+# INGROUP: moko-platform.Validation
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/moko-platform
+# PATH: /templates/workflows/joomla/repo_health.yml.template
 # VERSION: 04.06.00
 # BRIEF: Enforces repository guardrails by validating release configuration, scripts governance, tooling availability, and core repository health artifacts.
-# NOTE: Field is user-managed.
 # ============================================================================

-name: Repo Health
-
-concurrency:
-  group: repo-health-${{ github.repository }}-${{ github.ref }}
-  cancel-in-progress: true
+name: "Generic: Repo Health"

 defaults:
  run:
@@ -50,13 +45,11 @@ env:
  RELEASE_OPTIONAL_REPO_VARS: DEV_FTP_SUFFIX

  # Scripts governance policy
-  # Note: directories listed without a trailing slash.
  SCRIPTS_REQUIRED_DIRS:
  SCRIPTS_ALLOWED_DIRS: scripts,scripts/fix,scripts/lib,scripts/release,scripts/run,scripts/validate

  # Repo health policy
-  # Files are listed as-is; directories must end with a trailing slash.
-  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.github/workflows/
+  REPO_REQUIRED_ARTIFACTS: README.md,LICENSE,CHANGELOG.md,CONTRIBUTING.md,CODE_OF_CONDUCT.md,.gitea/workflows/
  REPO_OPTIONAL_FILES: SECURITY.md,GOVERNANCE.md,.editorconfig,.gitattributes,.gitignore,README.md,docs/
  REPO_DISALLOWED_DIRS:
  REPO_DISALLOWED_FILES: TODO.md,todo.md
@@ -64,10 +57,10 @@ env:
  # Extended checks toggles
  EXTENDED_CHECKS: "true"

-  # File / directory variables (moved to top-level env)
+  # File / directory variables
  DOCS_INDEX: docs/docs-index.md
  SCRIPT_DIR: scripts
-  WORKFLOWS_DIR: .github/workflows
+  WORKFLOWS_DIR: .gitea/workflows
  SHELLCHECK_PATTERN: '*.sh'
  SPDX_FILE_GLOBS: '*.sh,*.php,*.js,*.ts,*.css,*.xml,*.yml,*.yaml'
  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
@@ -121,7 +114,7 @@ jobs:
          echo "allowed=${ALLOWED}" >> "$GITHUB_OUTPUT"

          {
-            echo "## 🔐 Access Authorization"
+            echo "## Access Authorization"
            echo ""
            echo "| Field | Value |"
            echo "|-------|-------|"
@@ -132,9 +125,9 @@ jobs:
            echo "| **Authorized** | ${ALLOWED} |"
            echo ""
            if [ "$ALLOWED" = "true" ]; then
-              echo "✅ ${ACTOR} authorized (${METHOD})"
+              echo "${ACTOR} authorized (${METHOD})"
            else
-              echo "❌ ${ACTOR} is NOT authorized. Requires admin or maintain role."
+              echo "${ACTOR} is NOT authorized. Requires admin or maintain role."
            fi
          } >> "${GITHUB_STEP_SUMMARY}"

@@ -291,7 +284,7 @@ jobs:
            exit 0
          fi

-          IFS=',' read -r -a required_dirs <<< "${SCRIPTS_REQUIRED_DIRS}"
+          if [ -n "${SCRIPTS_REQUIRED_DIRS:-}" ]; then IFS=',' read -r -a required_dirs <<< "${SCRIPTS_REQUIRED_DIRS}"; else required_dirs=(); fi
          IFS=',' read -r -a allowed_dirs <<< "${SCRIPTS_ALLOWED_DIRS}"

          missing_dirs=()
@@ -395,23 +388,27 @@ jobs:
            exit 0
          fi

-          # Source directory: src/ or htdocs/ (either is valid)
+          IFS=',' read -r -a required_artifacts <<< "${REPO_REQUIRED_ARTIFACTS}"
+          IFS=',' read -r -a optional_files <<< "${REPO_OPTIONAL_FILES}"
+          if [ -n "${REPO_DISALLOWED_DIRS:-}" ]; then IFS=',' read -r -a disallowed_dirs <<< "${REPO_DISALLOWED_DIRS}"; else disallowed_dirs=(); fi
+          IFS=',' read -r -a disallowed_files <<< "${REPO_DISALLOWED_FILES:-}"
+
+          missing_required=()
+          missing_optional=()
+
+          # Source directory: src/ or htdocs/ (either is valid for extension repos)
+          SOURCE_DIR=""
          if [ -d "src" ]; then
            SOURCE_DIR="src"
          elif [ -d "htdocs" ]; then
            SOURCE_DIR="htdocs"
+          elif [ -d "deploy" ] || [ -d "cli" ] || [ -d "monitoring" ]; then
+            # Platform/tooling repos don't need src/
+            SOURCE_DIR=""
          else
            missing_required+=("src/ or htdocs/ (source directory required)")
          fi

-          IFS=',' read -r -a required_artifacts <<< "${REPO_REQUIRED_ARTIFACTS}"
-          IFS=',' read -r -a optional_files <<< "${REPO_OPTIONAL_FILES}"
-          IFS=',' read -r -a disallowed_dirs <<< "${REPO_DISALLOWED_DIRS}"
-          IFS=',' read -r -a disallowed_files <<< "${REPO_DISALLOWED_FILES}"
-
-          missing_required=()
-          missing_optional=()
-
          for item in "${required_artifacts[@]}"; do
            if printf '%s' "${item}" | grep -q '/$'; then
              d="${item%/}"
@@ -421,7 +418,6 @@ jobs:
            fi
          done

-          # Optional entries: handle files and directories (trailing slash indicates dir)
          for f in "${optional_files[@]}"; do
            if printf '%s' "${f}" | grep -q '/$'; then
              d="${f%/}"
@@ -445,8 +441,6 @@ jobs:
          dev_paths=()
          dev_branches=()

-          # Look for remote branches matching origin/dev*.
-          # A plain origin/dev is considered invalid; we require dev/<something> branches.
          while IFS= read -r b; do
            name="${b#origin/}"
            if [ "${name}" = 'dev' ]; then
@@ -456,14 +450,8 @@ jobs:
            fi
          done < <(git branch -r --list 'origin/dev*' | sed 's/^ *//')

-          # If there are no dev/* branches, fail the guardrail.
-          if [ "${#dev_paths[@]}" -eq 0 ]; then
-            missing_required+=("dev/* branch (e.g. dev/01.00.00)")
-          fi
-
-          # If a plain dev branch exists (origin/dev), flag it as invalid.
-          if [ "${#dev_branches[@]}" -gt 0 ]; then
-            missing_required+=("invalid branch dev (must be dev/<version>)")
+          if [ "${#dev_paths[@]}" -eq 0 ] && [ "${#dev_branches[@]}" -eq 0 ]; then
+            missing_required+=("dev or dev/* branch")
          fi

          content_warnings=()
@@ -489,26 +477,7 @@ jobs:
          export MISSING_OPTIONAL="$(printf '%s\n' "${missing_optional[@]:-}")"
          export CONTENT_WARNINGS="$(printf '%s\n' "${content_warnings[@]:-}")"

-          report_json="$(python3 - <<'PY'
-          import json
-          import os
-
-          profile = os.environ.get('PROFILE_RAW') or 'all'
-
-          missing_required = os.environ.get('MISSING_REQUIRED', '').splitlines() if os.environ.get('MISSING_REQUIRED') else []
-          missing_optional = os.environ.get('MISSING_OPTIONAL', '').splitlines() if os.environ.get('MISSING_OPTIONAL') else []
-          content_warnings = os.environ.get('CONTENT_WARNINGS', '').splitlines() if os.environ.get('CONTENT_WARNINGS') else []
-
-          out = {
-            'profile': profile,
-            'missing_required': [x for x in missing_required if x],
-            'missing_optional': [x for x in missing_optional if x],
-            'content_warnings': [x for x in content_warnings if x],
-          }
-
-          print(json.dumps(out, indent=2))
-          PY
-          )"
+          report_json=$(printf '{"profile":"%s","missing_required":%d,"missing_optional":%d,"content_warnings":%d}'             "$profile" "${#missing_required[@]}" "${#missing_optional[@]}" "${#content_warnings[@]}")

          {
            printf '%s\n' '### Repository health'
@@ -553,54 +522,47 @@ jobs:
            } >> "${GITHUB_STEP_SUMMARY}"
          fi

-          # ── Joomla-specific checks ───────────────────────────────────────
+          # -- Joomla-specific checks --
          joomla_findings=()

-          # XML manifest: find any XML file containing <extension
          MANIFEST="$(find . -maxdepth 2 -name '*.xml' -exec grep -l '<extension' {} \; 2>/dev/null | head -1 || true)"
          if [ -z "${MANIFEST}" ]; then
            joomla_findings+=("Joomla XML manifest not found (no *.xml with <extension> tag)")
          else
-            # Check <version> tag exists
            if ! grep -qP '<version>' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <version> tag missing")
            fi
-            # Check extension type attribute
            if ! grep -qP 'type="(component|module|plugin|library|package|template|language)"' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: type attribute missing or invalid")
            fi
-            # Check <name> tag
            if ! grep -qP '<name>' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <name> tag missing")
            fi
-            # Check <author> tag
            if ! grep -qP '<author>' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <author> tag missing")
            fi
-            # Check <namespace> for Joomla 5+
            if ! grep -qP '<namespace' "${MANIFEST}"; then
              joomla_findings+=("XML manifest: <namespace> missing (required for Joomla 5+)")
            fi
          fi

-          # Language files: check for at least one .ini file
          INI_COUNT="$(find . -name '*.ini' -type f 2>/dev/null | wc -l)"
          if [ "${INI_COUNT}" -eq 0 ]; then
            joomla_findings+=("No .ini language files found")
          fi

-          # updates.xml must exist in root (Joomla update server)
          if [ ! -f 'updates.xml' ]; then
            joomla_findings+=("updates.xml missing in root (required for Joomla update server)")
          fi

-          # index.html files for directory listing protection
-          INDEX_DIRS=("${SOURCE_DIR}" "${SOURCE_DIR}/admin" "${SOURCE_DIR}/site")
-          for dir in "${INDEX_DIRS[@]}"; do
-            if [ -d "${dir}" ] && [ ! -f "${dir}/index.html" ]; then
-              joomla_findings+=("${dir}/index.html missing (directory listing protection)")
-            fi
-          done
+          if [ -n "${SOURCE_DIR}" ]; then
+            INDEX_DIRS=("${SOURCE_DIR}" "${SOURCE_DIR}/admin" "${SOURCE_DIR}/site")
+            for dir in "${INDEX_DIRS[@]}"; do
+              if [ -d "${dir}" ] && [ ! -f "${dir}/index.html" ]; then
+                joomla_findings+=("${dir}/index.html missing (directory listing protection)")
+              fi
+            done
+          fi

          if [ "${#joomla_findings[@]}" -gt 0 ]; then
            {
@@ -624,14 +586,12 @@ jobs:
          extended_findings=()

          if [ "${extended_enabled}" = 'true' ]; then
-            # CODEOWNERS presence
            if [ -f '.github/CODEOWNERS' ] || [ -f 'CODEOWNERS' ] || [ -f 'docs/CODEOWNERS' ]; then
              :
            else
              extended_findings+=("CODEOWNERS not found (.github/CODEOWNERS preferred)")
            fi

-            # Workflow pinning advisory: flag uses @main/@master
            if ls "${WORKFLOWS_DIR}"/*.yml >/dev/null 2>&1 || ls "${WORKFLOWS_DIR}"/*.yaml >/dev/null 2>&1; then
              bad_refs="$(grep -RIn --include='*.yml' --include='*.yaml' -E '^[[:space:]]*uses:[[:space:]]*[^#]+@(main|master)\b' "${WORKFLOWS_DIR}" 2>/dev/null || true)"
              if [ -n "${bad_refs}" ]; then
@@ -647,51 +607,35 @@ jobs:
              fi
            fi

-            # Docs index link integrity (docs/docs-index.md)
            if [ -f "${DOCS_INDEX}" ]; then
-              missing_links="$(python3 - <<'PY'
-              import os
-              import re
-
-              idx = os.environ.get('DOCS_INDEX', 'docs/docs-index.md')
-              base = os.getcwd()
-
-              bad = []
-              pat = re.compile(r'\[[^\]]+\]\(([^)]+)\)')
-
-              with open(idx, 'r', encoding='utf-8') as f:
-                for line in f:
-                  for m in pat.findall(line):
-                    link = m.strip()
-                    if link.startswith('http://') or link.startswith('https://') or link.startswith('#') or link.startswith('mailto:'):
-                      continue
-                    if link.startswith('/'):
-                      rel = link.lstrip('/')
-                    else:
-                      rel = os.path.normpath(os.path.join(os.path.dirname(idx), link))
-                    rel = rel.split('#', 1)[0]
-                    rel = rel.split('?', 1)[0]
-                    if not rel:
-                      continue
-                    p = os.path.join(base, rel)
-                    if not os.path.exists(p):
-                      bad.append(rel)
-
-              print('\n'.join(sorted(set(bad))))
-              PY
-              )"
+              missing_links=""
+              while IFS= read -r docline; do
+                for link in $(echo "$docline" | grep -oE '\]\([^)]+\)' | sed 's/\](//' | sed 's/)$//' || true); do
+                  case "$link" in http://*|https://*|"#"*|mailto:*) continue ;; esac
+                  linkpath="${link%%#*}"
+                  linkpath="${linkpath%%\?*}"
+                  [ -z "$linkpath" ] && continue
+                  if [ "${linkpath:0:1}" = "/" ]; then
+                    testpath="${linkpath#/}"
+                  else
+                    testpath="$(dirname "${DOCS_INDEX}")/${linkpath}"
+                  fi
+                  [ ! -e "$testpath" ] && missing_links="${missing_links}${testpath} "
+                done
+              done < "${DOCS_INDEX}"
              if [ -n "${missing_links}" ]; then
                extended_findings+=("docs/docs-index.md contains broken relative links")
                {
                  printf '%s\n' '### Docs index link integrity'
                  printf '%s\n' 'Broken relative links:'
-                  while IFS= read -r l; do [ -n "${l}" ] && printf '%s\n' "- ${l}"; done <<< "${missing_links}"
+                  for bl in ${missing_links}; do
+                    printf '%s\n' "- ${bl}"
+                  done
                  printf '\n'
                } >> "${GITHUB_STEP_SUMMARY}"
              fi
            fi

-            # ShellCheck advisory
            if [ -d "${SCRIPT_DIR}" ]; then
              if ! command -v shellcheck >/dev/null 2>&1; then
                sudo apt-get update -qq
@@ -720,7 +664,6 @@ jobs:
              fi
            fi

-            # SPDX header advisory for common source types
            spdx_missing=()
            IFS=',' read -r -a spdx_globs <<< "${SPDX_FILE_GLOBS}"
            spdx_args=()
@@ -743,9 +686,8 @@ jobs:
              } >> "${GITHUB_STEP_SUMMARY}"
            fi

-            # Git hygiene advisory: branches older than 180 days (remote)
            stale_cutoff_days=180
-            stale_branches="$(git for-each-ref --format='%(refname:short) %(committerdate:unix)' refs/remotes/origin 2>/dev/null | awk -v now="$(date +%s)" -v days="${stale_cutoff_days}" '{if (now-$2 [...]
+            stale_branches="$(git for-each-ref --format='%(refname:short) %(committerdate:unix)' refs/remotes/origin 2>/dev/null | awk -v now="$(date +%s)" -v days="${stale_cutoff_days}" '{if (now-$2 > days*86400) print $1}' | head -50)"
            if [ -n "${stale_branches}" ]; then
              extended_findings+=("Stale remote branches detected (advisory)")
              {
@@ -787,3 +729,41 @@ jobs:
          fi

          printf '%s\n' 'Repository health guardrails passed.' >> "${GITHUB_STEP_SUMMARY}"
+
+
+  site-health:
+    name: Site Health
+    runs-on: ubuntu-latest
+    if: github.event_name == 'workflow_dispatch'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.3'
+
+      - name: Uptime check
+        if: env.URLS != ''
+        run: |
+          echo "$URLS" > /tmp/urls.txt
+          php monitoring/uptime-probe.php --urls /tmp/urls.txt --timeout 15 || echo "::warning::Some sites are down"
+          rm -f /tmp/urls.txt
+        env:
+          URLS: ${{ vars.MONITORED_URLS }}
+
+      - name: SSL certificate check
+        if: env.DOMAINS != ''
+        run: |
+          echo "$DOMAINS" > /tmp/domains.txt
+          php monitoring/ssl-check.php --domains /tmp/domains.txt --warn-days 30 || echo "::warning::SSL certificates expiring soon"
+          rm -f /tmp/domains.txt
+        env:
+          DOMAINS: ${{ vars.MONITORED_DOMAINS }}
+
+      - name: Summary
+        if: always()
+        run: |
+          echo "### Site Health" >> $GITHUB_STEP_SUMMARY
+          echo "Uptime and SSL checks completed." >> $GITHUB_STEP_SUMMARY
+
@@ -0,0 +1,98 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: moko-platform.Security
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH: /.gitea/workflows/security-audit.yml
+# VERSION: 01.00.00
+# BRIEF: Dependency vulnerability scanning for composer and npm packages
+
+name: "Universal: Security Audit"
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly on Monday at 06:00 UTC
+  pull_request:
+    branches:
+      - main
+    paths:
+      - 'composer.json'
+      - 'composer.lock'
+      - 'package.json'
+      - 'package-lock.json'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  NTFY_URL: ${{ vars.NTFY_URL || 'https://ntfy.mokoconsulting.tech' }}
+  NTFY_TOPIC: ${{ vars.NTFY_TOPIC || 'gitea-security' }}
+
+jobs:
+  audit:
+    name: Dependency Audit
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Composer audit
+        if: hashFiles('composer.lock') != ''
+        run: |
+          echo "=== Composer Security Audit ==="
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq
+            sudo apt-get install -y -qq php-cli composer >/dev/null 2>&1
+          fi
+          composer audit --format=plain 2>&1 | tee /tmp/composer-audit.txt
+          RESULT=$?
+          if [ $RESULT -ne 0 ]; then
+            echo "::warning::Composer vulnerabilities found"
+            echo "composer_vulnerable=true" >> "$GITHUB_ENV"
+          else
+            echo "No known vulnerabilities in composer dependencies"
+          fi
+
+      - name: NPM audit
+        if: hashFiles('package-lock.json') != ''
+        run: |
+          echo "=== NPM Security Audit ==="
+          npm audit --production 2>&1 | tee /tmp/npm-audit.txt || true
+          if npm audit --production 2>&1 | grep -q "found 0 vulnerabilities"; then
+            echo "No known vulnerabilities in npm dependencies"
+          else
+            echo "::warning::NPM vulnerabilities found"
+            echo "npm_vulnerable=true" >> "$GITHUB_ENV"
+          fi
+
+      - name: Notify on vulnerabilities
+        if: env.composer_vulnerable == 'true' || env.npm_vulnerable == 'true'
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          curl -sS \
+            -H "Title: ${REPO} has vulnerable dependencies" \
+            -H "Tags: lock,warning" \
+            -H "Priority: high" \
+            -d "Security audit found vulnerabilities. Review dependency updates." \
+            "${NTFY_URL}/${NTFY_TOPIC}" || true
+
+
+      - name: Joomla version audit
+        if: always()
+        run: |
+          if [ -f "monitoring/joomla-version-audit.php" ] && [ -n "$JOOMLA_SITES" ]; then
+            echo "$JOOMLA_SITES" > /tmp/sites.json
+            php monitoring/joomla-version-audit.php --sites /tmp/sites.json || true
+            echo "### Joomla Version Audit" >> $GITHUB_STEP_SUMMARY
+            rm -f /tmp/sites.json
+          else
+            echo "Joomla audit skipped (no script or JOOMLA_SITES_JSON not configured)"
+          fi
+        env:
+          JOOMLA_SITES: ${{ vars.JOOMLA_SITES_JSON }}
+
@@ -0,0 +1,126 @@
+<!--
+Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+SPDX-License-Identifier: GPL-3.0-or-later
+FILE INFORMATION
+DEFGROUP: MokoStandards.Root
+INGROUP: MokoStandards
+REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+PATH: /CHANGELOG.md
+BRIEF: Release changelog
+-->
+
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+Version format: `XX.YY.ZZ` (zero-padded semver).
+
+## [Unreleased]
+
+## [05.00.00] - 2026-05-16
+
+### Added
+- `server-autoheal.sh` — boot-check, split system/content backups, self-installing with cron + systemd hook
+- Grafana library panels: legend (list, right) and multi-tooltip options on all 14 panels
+- Prometheus targets volume mount in monitoring Docker Compose
+
+### Fixed
+- MokoWaaS dashboard: remove `v_hidden` column — use explicit `filterFieldsByName` regex instead of broken `excludeByName`
+- MokoWaaS dashboard: simplify probe queries (remove redundant `and on(site_name)` joins)
+
+### Changed
+- Rename `gitea-server-setup` → `.mokogitea-private` in workflow EXCLUDE lists
+- Dolibarr Module ID Registry moved to MokoDolibarr wiki (moko-platform page is now a redirect)
+
+## [04.09.00] - 2026-05-12
+
+### Added
+- `<deploy>` section support in `.manifest.xml` schema: `source-dir`, `remote-subdir`, `excludes`, `dev-host`, `demo-host`
+- `manifest_read.php` now parses all deploy fields for CI consumption
+
+### Changed
+- Deploy workflows can now read deploy paths from manifest instead of guessing from directory structure
+
+## [04.08.00] - 2026-05-12
+
+### Added
+- `cli/manifest_read.php` -- full `.manifest.xml` parser for CI consumption
+  - Supports `--field`, `--all`, `--json`, and `--github-output` modes
+  - Backward-compatible with `.moko-platform` (XML) and `.mokostandards` (YAML) formats
+  - Replaces inline `sed` detection blocks in workflows
+
+### Changed
+- Workflows (`auto-release`, `pre-release`, `pr-check`) now use `manifest_read.php` for platform detection
+- `entry-point` field from manifest replaces `find` tree scan for mod file discovery
+- Platform detection outputs all manifest fields to `GITHUB_OUTPUT` (name, org, language, package-type, etc.)
+
+
+
+## [05.00.00] - 2026-05-11
+
+### Added
+- Centralized MokoWaaS Grafana dashboard for all Joomla sites (2-column layout)
+- MokoStandards MCP server with 24 governance tools
+- Wiki health check and GitHub wiki mirror sync
+- Daily wiki sync workflow — mirrors all Gitea wikis to GitHub
+- CHANGELOG `[Unreleased]` section check in repo health (5 pts)
+- Client platform type with detection and structure definition
+- PHPStan, Gitleaks, and Renovate — templates, workflows, and docs
+- Cascade and branch protection workflow documentation
+- Branch protection setup workflow
+- Client-site definition
+- Pre-release workflow for manual dev/alpha/beta/rc builds
+- PR-check, security-audit, notify, cleanup workflow definitions
+- Expanded workflow suite (10 workflows from MokoOnyx)
+- `.gitea/workflows` definitions to Joomla structure defs
+- Joomla workflow templates from MokoOnyx
+- Cleanup script to remove `.claude/` and `.mcp.json` from repos
+- Auto-discover all repos with wikis across all orgs
+- CLAUDE.md to repo health check, flag unwanted files
+- `.moko-platform` manifest (replaces `.mokostandards`)
+- PR branch policy check workflow
+
+### Changed
+- Major version bump: `04.05.00` → `05.00.00` across all definitions, templates, and wiki
+- Grafana endpoint dashboards: 2 columns per row (reduced congestion)
+- Sync engine clones template repos at runtime for workflows
+- Simplified platform types across definitions and sync engine
+- Removed `templates/github` — all CI/templates now in `.gitea/`
+- Removed `templates/workflows` — canonical source is now template repos
+- Updated mokostandards xmlns to point to MokoStandards-API repo
+- Comprehensive repo health check updates
+
+### Fixed
+- Remove gitea-actions[bot] from push whitelist (not a real user)
+- Delete-then-create branch protection rules to avoid 422
+- Patch version bump in pre-release workflow
+- Always emit `<client>` tag in UpdateXmlGenerator
+- Rewrite `updates.xml.template` with 5 stability channels
+- Migrate `.mokostandards` from `.github/` to `.gitea/` on Gitea
+
+## [04.05.00] - 2026-03-15
+
+### Added
+- Dual-platform support (Gitea + GitHub) and Joomla template tooling
+- Templates, CLI dirs, docs, and Gitea-first platform config
+- Sync to all branches, listBranches, ext-zip
+- All templates from MokoStandards
+
+### Changed
+- Migrated to Gitea-only workflows and API
+- Converted all gh CLI calls to Gitea API curl across workflow templates
+- Gitea-primary tokens: GA_TOKEN for Gitea API, GH_TOKEN for GitHub mirror
+- Updated all references to MokoConsulting org and Gitea URLs
+
+### Fixed
+- Guzzle base_uri resolution for Gitea API paths
+- Replace all hardcoded GitHub API URLs with platform adapter pattern
+- Split repoRoot into apiRoot + standardsRoot
+- Auto-release template: use Gitea API for main sync, auth push URL
+- Bulk_sync: resolve label names to IDs, fix username
+- Remove sha256: prefix from update XML templates
+
+## [04.00.00] - 2026-01-01
+
+- Initial release: MokoStandards Enterprise API extracted from MokoStandards
@@ -0,0 +1,37 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code when working with this repository.
+
+## Project Overview
+
+**moko-platform** -- Enterprise automation, validation, sync, and governance engine for all Moko Consulting repositories
+
+| Field | Value |
+|---|---|
+| **Platform** | generic |
+| **Language** | HCL |
+| **Default branch** | main |
+| **License** | GPL-3.0-or-later |
+| **Wiki** | [moko-platform Wiki](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki) |
+| **Standards** | [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home) |
+
+## Common Commands
+
+```bash
+composer install  # Install PHP dependencies
+```
+
+## Architecture
+
+See the [wiki](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki) for architecture details.
+
+## Rules
+
+- **Workflow directory**: `.mokogitea/` (not `.gitea/` or `.github/`)
+
+- **Never commit** `.claude/`, `.mcp.json`, `TODO.md`, or `*.min.css`/`*.min.js`
+- **Attribution**: use `Authored-by: Moko Consulting` in commits
+- **Branch strategy**: develop on `dev`, merge to `main` for release
+- **Minification**: handled at build time (CI) and runtime (MokoMinifyHelper for Joomla templates)
+- **Wiki**: documentation lives in the Gitea wiki, not in `docs/` files
+- **Standards**: this repo follows [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home)
@@ -0,0 +1,40 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+
+Examples of unacceptable behavior:
+
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Other conduct which could reasonably be considered inappropriate
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the project team at hello@mokoconsulting.tech.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/),
+version 2.1.
+
+---
+
+*Moko Consulting <hello@mokoconsulting.tech>*
@@ -0,0 +1,30 @@
+# Contributing to moko-platform
+
+Thank you for your interest in contributing to the Moko Consulting platform.
+
+## How to Contribute
+
+1. **Fork** the repository
+2. Create a **feature branch** from `dev` (e.g., `feature/my-feature`)
+3. Make your changes following [MokoStandards](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/wiki/Home)
+4. Submit a **Pull Request** targeting `dev`
+
+## Branch Policy
+
+- `feature/*`, `fix/*` branches target `dev`
+- `hotfix/*` branches may target `dev` or `main`
+- `dev` merges to `main` for releases
+
+## Code Standards
+
+- PHP: follow PSR-12, use tabs for indentation
+- All files must include the Moko copyright header and SPDX identifier
+- Scripts must be self-contained (no external dependencies unless via composer)
+
+## Reporting Issues
+
+Use the [issue tracker](https://git.mokoconsulting.tech/MokoConsulting/moko-platform/issues) with the appropriate template.
+
+---
+
+*Moko Consulting <hello@mokoconsulting.tech>*
@@ -0,0 +1,35 @@
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  For the full license text, see <https://www.gnu.org/licenses/gpl-3.0.txt>
+
+  This program is free software: you can redistribute it and/or modify
+  it under the terms of the GNU General Public License as published by
+  the Free Software Foundation, either version 3 of the License, or
+  (at your option) any later version.
+
+  This program is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+  GNU General Public License for more details.
+
+  You should have received a copy of the GNU General Public License
+  along with this program.  If not, see <https://www.gnu.org/licenses/>.
@@ -1,3 +1,14 @@
+<!--
+Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+SPDX-License-Identifier: GPL-3.0-or-later
+FILE INFORMATION
+DEFGROUP: MokoStandards.Root
+INGROUP: MokoStandards
+REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+PATH: /PLUGIN_SCRIPTS.md
+BRIEF: Plugin system CLI documentation
+-->
+
 # Plugin System CLI Scripts

 Command-line scripts for validating, health checking, and managing projects using the MokoStandards plugin system.
@@ -1,3 +1,14 @@
+<!--
+Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+SPDX-License-Identifier: GPL-3.0-or-later
+FILE INFORMATION
+DEFGROUP: MokoStandards.Root
+INGROUP: MokoStandards
+REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+PATH: /README.md
+BRIEF: Project overview and documentation
+-->
+
 # MokoStandards Enterprise API

 PHP implementation of MokoStandards — enterprise standards, automation framework, workflow templates, and bulk sync tooling.
@@ -17,7 +28,7 @@ PHP implementation of MokoStandards — enterprise standards, automation framewo
 | `definitions/` | Repository structure definitions (`.tf` format) |
 | `deploy/` | Deployment scripts (SFTP, Joomla) |
 | `maintenance/` | Labels, inventory, SHA pinning, version sync |
-| `docs/` | API documentation, workflow guides, automation docs |
+| `tools/` | Standalone tools (legal doc generator) |
 | `tests/` | PHPUnit test suite |

 ## Installation
@@ -1,3 +1,14 @@
+<!--
+Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+SPDX-License-Identifier: GPL-3.0-or-later
+FILE INFORMATION
+DEFGROUP: MokoStandards.Index
+INGROUP: MokoStandards.Analysis
+REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+PATH: /analysis/index.md
+BRIEF: Analysis directory index
+-->
+
 # Docs Index: /api/analysis

 ## Purpose
@@ -10,8 +10,8 @@
 * FILE INFORMATION
 * DEFGROUP: MokoStandards.Automation
 * INGROUP: MokoStandards.Scripts
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /automation/bulk_joomla_template.php
- * VERSION: 04.06.10
 * BRIEF: Bulk scaffold and sync Joomla template repositories
 *
 * USAGE
@@ -10,9 +10,8 @@
 * FILE INFORMATION
 * DEFGROUP: MokoStandards.Automation
 * INGROUP: MokoStandards.Scripts
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /automation/bulk_sync.php
- * VERSION: 04.06.00
 * BRIEF: Enterprise-grade bulk repository synchronization
 */

@@ -0,0 +1,123 @@
+#!/usr/bin/env bash
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+# BRIEF: Trigger a workflow across all client-waas repos in a Gitea org
+
+set -euo pipefail
+
+# ---------------------------------------------------------------------------
+# Usage
+# ---------------------------------------------------------------------------
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") GITEA_URL TOKEN ORG WORKFLOW [REF] [INPUTS]
+
+Arguments:
+  GITEA_URL   Base URL of the Gitea instance (e.g. https://git.mokoconsulting.tech)
+  TOKEN       Gitea API token with repo/action permissions
+  ORG         Organisation or user that owns the repos
+  WORKFLOW    Workflow filename to trigger (e.g. dependency-audit.yml)
+  REF         Branch ref to run against (default: main)
+  INPUTS      Optional JSON object of workflow inputs (e.g. '{"dry_run":"true"}')
+
+Example:
+  $(basename "$0") https://git.mokoconsulting.tech abc123 MokoConsulting dependency-audit.yml main '{"notify":"true"}'
+EOF
+  exit 1
+}
+
+# ---------------------------------------------------------------------------
+# Argument parsing
+# ---------------------------------------------------------------------------
+if [ $# -lt 4 ]; then
+  usage
+fi
+
+GITEA_URL="${1%/}"
+TOKEN="$2"
+ORG="$3"
+WORKFLOW="$4"
+REF="${5:-main}"
+INPUTS="${6:-{\}}"
+
+# ---------------------------------------------------------------------------
+# Fetch all repos in the org, paginated
+# ---------------------------------------------------------------------------
+echo "Fetching repos for org '${ORG}' on ${GITEA_URL} ..."
+
+PAGE=1
+LIMIT=50
+ALL_REPOS=""
+
+while true; do
+  RESPONSE=$(curl -s \
+    -H "Authorization: token ${TOKEN}" \
+    -H "Accept: application/json" \
+    "${GITEA_URL}/api/v1/orgs/${ORG}/repos?page=${PAGE}&limit=${LIMIT}")
+
+  # Break if empty array
+  COUNT=$(echo "$RESPONSE" | jq -r 'length')
+  if [ "$COUNT" -eq 0 ]; then
+    break
+  fi
+
+  NAMES=$(echo "$RESPONSE" | jq -r '.[].name')
+  ALL_REPOS="${ALL_REPOS}${NAMES}"$'\n'
+
+  if [ "$COUNT" -lt "$LIMIT" ]; then
+    break
+  fi
+
+  PAGE=$((PAGE + 1))
+done
+
+# ---------------------------------------------------------------------------
+# Filter for client-waas repos
+# ---------------------------------------------------------------------------
+CLIENT_REPOS=$(echo "$ALL_REPOS" | grep 'client-waas' | sort || true)
+
+if [ -z "$CLIENT_REPOS" ]; then
+  echo "No client-waas repos found in org '${ORG}'."
+  exit 0
+fi
+
+TOTAL=$(echo "$CLIENT_REPOS" | wc -l | tr -d ' ')
+echo "Found ${TOTAL} client-waas repo(s). Triggering workflow '${WORKFLOW}' (ref: ${REF}) ..."
+echo ""
+
+# ---------------------------------------------------------------------------
+# Trigger workflow for each repo
+# ---------------------------------------------------------------------------
+SUCCESS=0
+FAIL=0
+
+while IFS= read -r REPO; do
+  [ -z "$REPO" ] && continue
+
+  PAYLOAD=$(jq -n --arg ref "$REF" --argjson inputs "$INPUTS" '{ref: $ref, inputs: $inputs}')
+
+  HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' \
+    -X POST \
+    -H "Authorization: token ${TOKEN}" \
+    -H "Content-Type: application/json" \
+    -d "$PAYLOAD" \
+    "${GITEA_URL}/api/v1/repos/${ORG}/${REPO}/actions/workflows/${WORKFLOW}/dispatches")
+
+  if [ "$HTTP_CODE" -eq 204 ] || [ "$HTTP_CODE" -eq 201 ]; then
+    echo "  [OK]   ${ORG}/${REPO} (HTTP ${HTTP_CODE})"
+    SUCCESS=$((SUCCESS + 1))
+  else
+    echo "  [FAIL] ${ORG}/${REPO} (HTTP ${HTTP_CODE})"
+    FAIL=$((FAIL + 1))
+  fi
+done <<< "$CLIENT_REPOS"
+
+# ---------------------------------------------------------------------------
+# Summary
+# ---------------------------------------------------------------------------
+echo ""
+echo "Done. Success: ${SUCCESS} | Failed: ${FAIL} | Total: ${TOTAL}"
+
+if [ "$FAIL" -gt 0 ]; then
+  exit 1
+fi
@@ -0,0 +1,108 @@
+#!/usr/bin/env bash
+# =============================================================================
+# enforce_tags.sh — Ensure all repos have the 5 standard release channel tags
+#
+# Standard tags: development, alpha, beta, release-candidate, stable
+# Also removes non-standard tags (keeps vXX production tags)
+#
+# Usage:
+#   GA_TOKEN=xxx ./enforce_tags.sh [--dry-run] [--repos repo1,repo2]
+#
+# Called by: bulk-repo-sync.yml, infrastructure-tests/mirror-check.yml
+# =============================================================================
+set -euo pipefail
+
+GITEA_URL="${GITEA_URL:-https://git.mokoconsulting.tech}"
+ORG="${GITEA_ORG:-MokoConsulting}"
+TOKEN="${GA_TOKEN:?GA_TOKEN required}"
+DRY_RUN=false
+FILTER_REPOS=""
+
+STANDARD_TAGS=("development" "alpha" "beta" "release-candidate" "stable")
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --dry-run) DRY_RUN=true; shift ;;
+    --repos) FILTER_REPOS="$2"; shift 2 ;;
+    *) shift ;;
+  esac
+done
+
+api() {
+  local method="$1" path="$2" data="${3:-}"
+  local args=(-sf -H "Authorization: token $TOKEN" -H "Content-Type: application/json" -X "$method")
+  [[ -n "$data" ]] && args+=(-d "$data")
+  curl "${args[@]}" "$GITEA_URL/api/v1$path" 2>/dev/null
+}
+
+# Get repos
+REPOS=""
+for page in 1 2 3; do
+  BATCH=$(api GET "/orgs/$ORG/repos?limit=50&page=$page" | python3 -c "
+import sys,json
+for r in json.load(sys.stdin):
+    if not r.get(empty) and not r.get(archived):
+        print(r[name])
+" 2>/dev/null)
+  [[ -z "$BATCH" ]] && break
+  REPOS="$REPOS $BATCH"
+done
+
+# Filter if specified
+if [[ -n "$FILTER_REPOS" ]]; then
+  FILTERED=""
+  IFS=, read -ra FILTER_ARR <<< "$FILTER_REPOS"
+  for repo in $REPOS; do
+    for f in "${FILTER_ARR[@]}"; do
+      [[ "$repo" == "$f" ]] && FILTERED="$FILTERED $repo"
+    done
+  done
+  REPOS="$FILTERED"
+fi
+
+TOTAL=$(echo $REPOS | wc -w)
+ADDED=0
+DELETED=0
+ERRORS=0
+
+echo "Enforcing tags on $TOTAL repos (dry_run=$DRY_RUN)"
+
+for repo in $REPOS; do
+  TAGS=$(api GET "/repos/$ORG/$repo/tags?limit=50" | python3 -c "import sys,json; print( .join(t[name] for t in json.load(sys.stdin)))" 2>/dev/null)
+  MAIN_SHA=$(api GET "/repos/$ORG/$repo/branches/main" | python3 -c "import sys,json; print(json.load(sys.stdin)[commit][id])" 2>/dev/null)
+  [[ -z "$MAIN_SHA" ]] && continue
+
+  # Add missing standard tags
+  for st in "${STANDARD_TAGS[@]}"; do
+    if ! echo " $TAGS " | grep -q " $st "; then
+      if [[ "$DRY_RUN" == "true" ]]; then
+        echo "  [DRY] ADD $repo: $st"
+      else
+        STATUS=$(api POST "/repos/$ORG/$repo/tags" "{\"tag_name\":\"$st\",\"target\":\"$MAIN_SHA\"}" | python3 -c "import sys,json; print(ok)" 2>/dev/null || echo "err")
+        [[ "$STATUS" == "ok" ]] && ADDED=$((ADDED + 1)) || ERRORS=$((ERRORS + 1))
+      fi
+    fi
+  done
+
+  # Remove non-standard tags
+  for t in $TAGS; do
+    IS_STD=false
+    for st in "${STANDARD_TAGS[@]}"; do [[ "$t" == "$st" ]] && IS_STD=true; done
+    # Keep vXX production tags
+    if [[ "$t" =~ ^v[0-9]{1,3}$ ]]; then IS_STD=true; fi
+    
+    if [[ "$IS_STD" == "false" ]]; then
+      if [[ "$DRY_RUN" == "true" ]]; then
+        echo "  [DRY] DEL $repo: $t"
+      else
+        # Delete release first if exists
+        api DELETE "/repos/$ORG/$repo/releases/tags/$t" > /dev/null 2>&1 || true
+        api DELETE "/repos/$ORG/$repo/tags/$t" > /dev/null 2>&1
+        DELETED=$((DELETED + 1))
+        echo "  DEL $repo: $t"
+      fi
+    fi
+  done
+done
+
+echo "Done: $ADDED added, $DELETED deleted, $ERRORS errors (dry_run=$DRY_RUN)"
@@ -0,0 +1,315 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: MokoStandards.Automation
+ * INGROUP: MokoStandards
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /automation/enrich_mokostandards_xml.php
+ * BRIEF: Enrich XML manifests with repo-specific build and deploy details
+ *
+ * Enrich XML .mokostandards manifests with repo-specific build, deploy, and script details.
+ *
+ * Runs AFTER push_mokostandards_xml.php. Clones each repo, inspects its contents,
+ * and updates the manifest with discovered build/deploy/scripts config.
+ *
+ * Usage:
+ *   php automation/enrich_mokostandards_xml.php [--dry-run] [--repo NAME] [--skip NAME,NAME]
+ *
+ * Note: This script uses proc_open for shell commands. All arguments are escaped
+ * via escapeshellarg(). No user-supplied input reaches the shell unescaped.
+ */
+
+declare(strict_types=1);
+
+require_once __DIR__ . '/../vendor/autoload.php';
+
+use MokoEnterprise\MokoStandardsParser;
+
+$giteaUrl  = rtrim(getenv('GITEA_URL') ?: 'https://git.mokoconsulting.tech', '/');
+$giteaOrg  = getenv('GITEA_ORG') ?: 'MokoConsulting';
+$token     = getenv('GA_TOKEN') ?: getenv('GH_TOKEN') ?: '';
+
+$dryRun    = in_array('--dry-run', $argv, true);
+$repoFilter = null;
+$skipRepos = [];
+foreach ($argv as $i => $arg) {
+    if ($arg === '--repo' && isset($argv[$i + 1])) $repoFilter = $argv[$i + 1];
+    if ($arg === '--skip' && isset($argv[$i + 1])) $skipRepos = array_map('trim', explode(',', $argv[$i + 1]));
+}
+
+$parser = new MokoStandardsParser();
+$tmpBase = sys_get_temp_dir() . '/moko-enrich-' . getmypid();
+
+function safeExec(string $command, string $cwd = '.'): array {
+    $proc = proc_open($command, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes, $cwd);
+    if (!is_resource($proc)) return [1, "proc_open failed"];
+    $stdout = stream_get_contents($pipes[1]);
+    $stderr = stream_get_contents($pipes[2]);
+    fclose($pipes[1]); fclose($pipes[2]);
+    return [proc_close($proc), trim($stdout . "\n" . $stderr)];
+}
+
+function rmTree(string $dir): void {
+    if (!is_dir($dir)) return;
+    $it = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
+    $files = new RecursiveIteratorIterator($it, RecursiveIteratorIterator::CHILD_FIRST);
+    foreach ($files as $file) {
+        if ($file->isDir()) @rmdir($file->getPathname());
+        else { @chmod($file->getPathname(), 0777); @unlink($file->getPathname()); }
+    }
+    @rmdir($dir);
+}
+
+function gitCmd(string $workDir, string ...$args): array {
+    $cmd = 'git';
+    foreach ($args as $a) $cmd .= ' ' . escapeshellarg($a);
+    return safeExec($cmd, $workDir);
+}
+
+function fetchRepos(string $url, string $org, string $token): array {
+    $repos = []; $page = 1;
+    do {
+        $ch = curl_init("{$url}/api/v1/orgs/{$org}/repos?page={$page}&limit=50");
+        curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_HTTPHEADER => ["Authorization: token {$token}"], CURLOPT_TIMEOUT => 30]);
+        $body = curl_exec($ch); $code = curl_getinfo($ch, CURLINFO_HTTP_CODE); curl_close($ch);
+        if ($code !== 200) break;
+        $batch = json_decode($body, true); if (empty($batch)) break;
+        $repos = array_merge($repos, $batch); $page++;
+    } while (count($batch) >= 50);
+    return $repos;
+}
+
+function inspectRepo(string $workDir, string $platform): array {
+    $enrichment = [];
+    $build = [];
+
+    // Detect entry point
+    if (is_dir("{$workDir}/src")) {
+        foreach (glob("{$workDir}/src/*.xml") ?: [] as $xf) {
+            $c = file_get_contents($xf);
+            if (str_contains($c, '<extension') || str_contains($c, '<install')) {
+                $build['entry_point'] = 'src/' . basename($xf); break;
+            }
+        }
+        foreach (glob("{$workDir}/src/core/modules/mod*.class.php") ?: [] as $mf) {
+            $build['entry_point'] = str_replace("{$workDir}/", '', $mf); break;
+        }
+    }
+
+    // composer.json
+    if (file_exists("{$workDir}/composer.json")) {
+        $composer = json_decode(file_get_contents("{$workDir}/composer.json"), true) ?: [];
+        $phpReq = $composer['require']['php'] ?? null;
+        if ($phpReq) $build['runtime'] = "php:{$phpReq}";
+
+        $deps = [];
+        foreach (['joomla/cms', 'joomla/framework', 'dolibarr/dolibarr'] as $pd) {
+            if (isset($composer['require'][$pd])) $deps[] = ['name' => $pd, 'version' => $composer['require'][$pd], 'type' => 'platform'];
+        }
+        if (isset($composer['require']['mokoconsulting-tech/enterprise']))
+            $deps[] = ['name' => 'mokoconsulting-tech/enterprise', 'version' => $composer['require']['mokoconsulting-tech/enterprise'], 'type' => 'composer'];
+        if (!empty($deps)) $build['dependencies'] = $deps;
+    }
+
+    // Artifact from Makefile
+    if (file_exists("{$workDir}/Makefile")) {
+        $mk = file_get_contents("{$workDir}/Makefile");
+        if (preg_match('/\bdist\/(\S+\.zip)\b/', $mk, $m)) $build['artifact'] = ['format' => 'zip', 'path' => 'dist/', 'filename' => $m[1]];
+    }
+
+    if (!empty($build)) $enrichment['build'] = $build;
+
+    // Deploy targets from workflows
+    $targets = [];
+    $wfDir = is_dir("{$workDir}/.gitea/workflows") ? "{$workDir}/.gitea/workflows" : "{$workDir}/.github/workflows";
+    if (is_dir($wfDir)) {
+        foreach (['deploy-dev', 'deploy-demo', 'deploy-rs'] as $dn) {
+            $wf = "{$wfDir}/{$dn}.yml";
+            if (!file_exists($wf)) continue;
+            $wc = file_get_contents($wf);
+            $t = ['name' => str_replace('deploy-', '', $dn)];
+            if (str_contains($wc, 'sftp') || str_contains($wc, 'SFTP')) $t['method'] = 'sftp';
+            elseif (str_contains($wc, 'rsync')) $t['method'] = 'rsync';
+            if (str_contains($wc, 'src/')) $t['src_dir'] = 'src/';
+            if (preg_match('/branches:\s*\n\s*-\s*["\']?([^"\'}\s]+)/', $wc, $m)) $t['branch'] = $m[1];
+            $targets[] = $t;
+        }
+    }
+    if (!empty($targets)) $enrichment['deploy'] = $targets;
+
+    // Scripts from Makefile + composer
+    $scripts = [];
+    if (file_exists("{$workDir}/Makefile")) {
+        $mk = file_get_contents("{$workDir}/Makefile");
+        $known = ['build'=>'build','test'=>'test','lint'=>'lint','clean'=>'build','package'=>'build','validate'=>'validate','release'=>'release'];
+        if (preg_match_all('/^([a-zA-Z_-]+)\s*:/m', $mk, $matches)) {
+            foreach ($matches[1] as $tgt) {
+                $tl = strtolower($tgt);
+                if (isset($known[$tl])) $scripts[] = ['name'=>$tl, 'phase'=>$known[$tl], 'command'=>"make {$tgt}", 'desc'=>ucfirst($tl).' via make', 'runner'=>'make'];
+            }
+        }
+    }
+    if (file_exists("{$workDir}/composer.json")) {
+        $composer = json_decode(file_get_contents("{$workDir}/composer.json"), true) ?: [];
+        $km = ['test'=>'test','lint'=>'lint','cs'=>'lint','phpcs'=>'lint','phpstan'=>'lint','validate'=>'validate'];
+        foreach ($composer['scripts'] ?? [] as $sn => $cmd) {
+            $sl = strtolower($sn);
+            foreach ($km as $match => $phase) {
+                if (str_contains($sl, $match)) {
+                    $exists = false;
+                    foreach ($scripts as $s) { if ($s['name'] === $sl) { $exists = true; break; } }
+                    if (!$exists) $scripts[] = ['name'=>$sn, 'phase'=>$phase, 'command'=>"composer run {$sn}", 'desc'=>is_string($cmd)?$cmd:"Run {$sn}", 'runner'=>'composer'];
+                    break;
+                }
+            }
+        }
+    }
+    if (!empty($scripts)) $enrichment['scripts'] = $scripts;
+
+    return $enrichment;
+}
+
+function enrichManifestXml(string $xml, array $enrichment): string {
+    $dom = new DOMDocument('1.0', 'UTF-8');
+    $dom->preserveWhiteSpace = false;
+    $dom->formatOutput = true;
+    if (!$dom->loadXML($xml)) return $xml;
+
+    $ns = MokoStandardsParser::NAMESPACE_URI;
+    $root = $dom->documentElement;
+
+    foreach (['build', 'deploy', 'scripts'] as $tag) {
+        $toRemove = [];
+        $existing = $root->getElementsByTagNameNS($ns, $tag);
+        for ($i = 0; $i < $existing->length; $i++) $toRemove[] = $existing->item($i);
+        foreach ($toRemove as $node) $root->removeChild($node);
+    }
+
+    if (!empty($enrichment['build'])) {
+        $build = $dom->createElementNS($ns, 'build');
+        $b = $enrichment['build'];
+        foreach (['language', 'runtime'] as $f) { if (isset($b[$f])) $build->appendChild($dom->createElementNS($ns, $f, htmlspecialchars($b[$f], ENT_XML1))); }
+        if (isset($b['package_type'])) $build->appendChild($dom->createElementNS($ns, 'package-type', htmlspecialchars($b['package_type'], ENT_XML1)));
+        if (isset($b['entry_point'])) $build->appendChild($dom->createElementNS($ns, 'entry-point', htmlspecialchars($b['entry_point'], ENT_XML1)));
+        if (isset($b['artifact'])) {
+            $art = $dom->createElementNS($ns, 'artifact');
+            foreach (['format','path','filename'] as $af) { if (isset($b['artifact'][$af])) $art->appendChild($dom->createElementNS($ns, $af, htmlspecialchars($b['artifact'][$af], ENT_XML1))); }
+            $build->appendChild($art);
+        }
+        if (isset($b['dependencies'])) {
+            $deps = $dom->createElementNS($ns, 'dependencies');
+            foreach ($b['dependencies'] as $d) {
+                $req = $dom->createElementNS($ns, 'requires', '');
+                $req->setAttribute('name', $d['name']);
+                if (isset($d['version'])) $req->setAttribute('version', $d['version']);
+                if (isset($d['type'])) $req->setAttribute('type', $d['type']);
+                $deps->appendChild($req);
+            }
+            $build->appendChild($deps);
+        }
+        $root->appendChild($build);
+    }
+
+    if (!empty($enrichment['deploy'])) {
+        $deploy = $dom->createElementNS($ns, 'deploy');
+        foreach ($enrichment['deploy'] as $t) {
+            $target = $dom->createElementNS($ns, 'target');
+            $target->setAttribute('name', $t['name']);
+            $target->appendChild($dom->createElementNS($ns, 'host', '${{ secrets.' . strtoupper($t['name']) . '_HOST }}'));
+            $target->appendChild($dom->createElementNS($ns, 'path', '${{ secrets.' . strtoupper($t['name']) . '_PATH }}'));
+            if (isset($t['method'])) $target->appendChild($dom->createElementNS($ns, 'method', $t['method']));
+            if (isset($t['branch'])) $target->appendChild($dom->createElementNS($ns, 'branch', htmlspecialchars($t['branch'], ENT_XML1)));
+            if (isset($t['src_dir'])) $target->appendChild($dom->createElementNS($ns, 'src-dir', htmlspecialchars($t['src_dir'], ENT_XML1)));
+            $deploy->appendChild($target);
+        }
+        $root->appendChild($deploy);
+    }
+
+    if (!empty($enrichment['scripts'])) {
+        $scriptsEl = $dom->createElementNS($ns, 'scripts');
+        foreach ($enrichment['scripts'] as $s) {
+            $script = $dom->createElementNS($ns, 'script');
+            $script->setAttribute('name', $s['name']);
+            if (isset($s['phase'])) $script->setAttribute('phase', $s['phase']);
+            $script->appendChild($dom->createElementNS($ns, 'command', htmlspecialchars($s['command'], ENT_XML1)));
+            if (isset($s['desc'])) $script->appendChild($dom->createElementNS($ns, 'description', htmlspecialchars($s['desc'], ENT_XML1)));
+            if (isset($s['runner'])) $script->appendChild($dom->createElementNS($ns, 'runner', htmlspecialchars($s['runner'], ENT_XML1)));
+            $scriptsEl->appendChild($script);
+        }
+        $root->appendChild($scriptsEl);
+    }
+
+    return $dom->saveXML();
+}
+
+// ── Main ─────────────────────────────────────────────────────────────────
+echo "=== MokoStandards XML Manifest Enrichment ===\n";
+echo "Mode: " . ($dryRun ? "DRY RUN" : "LIVE") . "\n";
+if (!empty($skipRepos)) echo "Skipping: " . implode(', ', $skipRepos) . "\n";
+echo "\n";
+
+if (empty($token)) { fprintf(STDERR, "ERROR: GA_TOKEN required\n"); exit(1); }
+
+$repos = fetchRepos($giteaUrl, $giteaOrg, $token);
+echo "Found " . count($repos) . " repositories\n\n";
+
+$stats = ['enriched' => 0, 'skipped' => 0, 'failed' => 0];
+
+foreach ($repos as $repo) {
+    $name = $repo['name'];
+    if ($repoFilter && $name !== $repoFilter) continue;
+    if (in_array($name, $skipRepos, true)) { echo "  {$name} ... SKIP (excluded)\n"; $stats['skipped']++; continue; }
+    if ($repo['archived'] ?? false) { $stats['skipped']++; continue; }
+
+    $defaultBranch = $repo['default_branch'] ?? 'main';
+    $httpsUrl = $repo['clone_url'] ?? "{$giteaUrl}/{$giteaOrg}/{$name}.git";
+    $authedUrl = preg_replace('#^https://#', "https://gitea-actions:{$token}@", $httpsUrl);
+
+    echo "  {$name} ... ";
+
+    $workDir = "{$tmpBase}/{$name}";
+    @mkdir($workDir, 0755, true);
+    [$ret] = safeExec('git clone --depth 1 --branch ' . escapeshellarg($defaultBranch) . ' ' . escapeshellarg($authedUrl) . ' ' . escapeshellarg($workDir));
+    if ($ret !== 0) { echo "FAIL (clone)\n"; $stats['failed']++; continue; }
+
+    $manifestPath = "{$workDir}/.mokogitea/.mokostandards";
+    if (!file_exists($manifestPath) || !str_contains(file_get_contents($manifestPath), '<mokostandards')) {
+        echo "SKIP (no XML manifest)\n"; $stats['skipped']++; rmTree($workDir); continue;
+    }
+
+    $existingXml = file_get_contents($manifestPath);
+    $platform = $parser->extractPlatform($existingXml) ?? 'default-repository';
+    $enrichment = inspectRepo($workDir, $platform);
+
+    if (!isset($enrichment['build'])) $enrichment['build'] = [];
+    $enrichment['build']['language'] = $enrichment['build']['language'] ?? $repo['language'] ?? MokoStandardsParser::platformLanguage($platform);
+    $enrichment['build']['package_type'] = $enrichment['build']['package_type'] ?? MokoStandardsParser::platformPackageType($platform);
+
+    $enrichedXml = enrichManifestXml($existingXml, $enrichment);
+    $dc = count($enrichment['deploy'] ?? []);
+    $sc = count($enrichment['scripts'] ?? []);
+    $details = "deploy={$dc} scripts={$sc}";
+
+    if ($dryRun) { echo "WOULD ENRICH [{$details}]\n"; $stats['enriched']++; rmTree($workDir); continue; }
+
+    file_put_contents($manifestPath, $enrichedXml);
+    gitCmd($workDir, 'config', 'user.name', 'gitea-actions[bot]');
+    gitCmd($workDir, 'config', 'user.email', 'gitea-actions[bot]@git.mokoconsulting.tech');
+    gitCmd($workDir, 'add', '.mokogitea/.mokostandards');
+
+    [$cr, $co] = gitCmd($workDir, 'commit', '-m', "chore: enrich .mokostandards with build/deploy/scripts\n\nAuto-detected: {$details}");
+    if ($cr !== 0) { echo "SKIP (no diff)\n"; $stats['skipped']++; rmTree($workDir); continue; }
+
+    [$pr] = gitCmd($workDir, 'push', 'origin', $defaultBranch);
+    if ($pr !== 0) { echo "FAIL (push)\n"; $stats['failed']++; }
+    else { echo "ENRICHED [{$details}]\n"; $stats['enriched']++; }
+
+    rmTree($workDir);
+}
+
+@rmdir($tmpBase);
+echo "\n=== Summary ===\nEnriched: {$stats['enriched']}\nSkipped:  {$stats['skipped']}\nFailed:   {$stats['failed']}\n";
@@ -1,3 +1,14 @@
+<!--
+Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+SPDX-License-Identifier: GPL-3.0-or-later
+FILE INFORMATION
+DEFGROUP: MokoStandards.Index
+INGROUP: MokoStandards.Automation
+REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+PATH: /automation/index.md
+BRIEF: Automation directory index
+-->
+
 # Docs Index: /api/automation

 ## Purpose
@@ -9,9 +9,8 @@
 * FILE INFORMATION
 * DEFGROUP: MokoStandards.Automation
 * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /automation/migrate_to_gitea.php
- * VERSION: 04.06.10
 * BRIEF: Migrate repositories from GitHub to self-hosted Gitea instance
 *
 * USAGE
@@ -30,7 +29,7 @@ use MokoEnterprise\CliFramework;
 use MokoEnterprise\Config;
 use MokoEnterprise\PlatformAdapterFactory;
 use MokoEnterprise\GitHubAdapter;
-use MokoEnterprise\GiteaAdapter;
+use MokoEnterprise\MokoGiteaAdapter;

 /**
 * Gitea Migration Script
@@ -43,7 +42,7 @@ use MokoEnterprise\GiteaAdapter;
 class MigrateToGitea extends CliFramework
 {
 	private ?GitHubAdapter $github = null;
-	private ?GiteaAdapter  $gitea  = null;
+	private ?MokoGiteaAdapter  $gitea  = null;
 	private ?CheckpointManager $checkpoints = null;

 	protected function configure(): void
@@ -10,9 +10,8 @@
 * FILE INFORMATION
 * DEFGROUP: MokoStandards.Automation
 * INGROUP: MokoStandards.Scripts
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /automation/push_files.php
- * VERSION: 04.06.00
 * BRIEF: Push one or more specific files to one or more remote repositories
 */

@@ -0,0 +1,315 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: MokoStandards.Automation
+ * INGROUP: MokoStandards
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /automation/push_mokostandards_xml.php
+ * BRIEF: Push XML manifests to all governed repositories
+ *
+ * Push XML .mokostandards manifest to all governed repositories.
+ *
+ * Uses git SSH to bypass the Gitea reverse-proxy WAF that blocks
+ * API requests to paths containing ".mokogitea".
+ *
+ * Usage:
+ *   php automation/push_mokostandards_xml.php [--dry-run] [--repo NAME] [--force]
+ */
+
+declare(strict_types=1);
+
+require_once __DIR__ . '/../vendor/autoload.php';
+
+use MokoEnterprise\MokoStandardsParser;
+
+// ── Configuration ────────────────────────────────────────────────────────
+$giteaUrl  = rtrim(getenv('GITEA_URL') ?: 'https://git.mokoconsulting.tech', '/');
+$giteaOrg  = getenv('GITEA_ORG') ?: 'MokoConsulting';
+$token     = getenv('GA_TOKEN') ?: getenv('GH_TOKEN') ?: '';
+$sshBase   = 'ssh://gitea@git.mokoconsulting.tech:2222';
+
+// ── CLI args ─────────────────────────────────────────────────────────────
+$dryRun    = in_array('--dry-run', $argv, true);
+$force     = in_array('--force', $argv, true);
+$repoFilter = null;
+$skipRepos = [];
+foreach ($argv as $i => $arg) {
+    if ($arg === '--repo' && isset($argv[$i + 1])) {
+        $repoFilter = $argv[$i + 1];
+    }
+    if ($arg === '--skip' && isset($argv[$i + 1])) {
+        $skipRepos = array_map('trim', explode(',', $argv[$i + 1]));
+    }
+}
+
+$parser = new MokoStandardsParser();
+$tmpBase = sys_get_temp_dir() . '/moko-manifest-push-' . getmypid();
+
+// ── Platform detection heuristics (mirrors RepositorySynchronizer) ───────
+$CRM_PLATFORM_REPOS = ['MokoDolibarr', 'MokoDoliMods'];
+
+function detectPlatform(array $repo): string {
+    global $CRM_PLATFORM_REPOS;
+    $name = $repo['name'] ?? '';
+    $nameLower = strtolower($name);
+    $description = strtolower($repo['description'] ?? '');
+    $topics = $repo['topics'] ?? [];
+
+    if (in_array($name, $CRM_PLATFORM_REPOS, true)) return 'crm-platform';
+    if (in_array('dolibarr-platform', $topics)) return 'crm-platform';
+    if (in_array('joomla-template', $topics)) return 'joomla-template';
+    if (in_array('joomla', $topics) || in_array('joomla-extension', $topics)) return 'waas-component';
+    if (in_array('dolibarr', $topics) || in_array('dolibarr-module', $topics)) return 'crm-module';
+
+    if (str_contains($nameLower, 'template') && (str_contains($nameLower, 'joomla') || str_contains($nameLower, 'tpl'))) return 'joomla-template';
+    if (str_contains($nameLower, 'joomla') || str_contains($nameLower, 'waas')) return 'waas-component';
+    if (str_contains($nameLower, 'doli') || str_contains($nameLower, 'crm')) return 'crm-module';
+
+    if (str_contains($description, 'joomla template')) return 'joomla-template';
+    if (str_contains($description, 'joomla') || str_contains($description, 'component')) return 'waas-component';
+    if (str_contains($description, 'dolibarr') || str_contains($description, 'module')) return 'crm-module';
+
+    if (str_contains($nameLower, 'standard')) return 'standards-repository';
+    return 'default-repository';
+}
+
+/**
+ * Safe shell execution — uses proc_open with explicit arguments to avoid injection.
+ * @return array{int, string}
+ */
+function safeExec(string $command, string $cwd = '.'): array {
+    $proc = proc_open(
+        $command,
+        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
+        $pipes,
+        $cwd
+    );
+    if (!is_resource($proc)) {
+        return [1, "proc_open failed for: {$command}"];
+    }
+    $stdout = stream_get_contents($pipes[1]);
+    $stderr = stream_get_contents($pipes[2]);
+    fclose($pipes[1]);
+    fclose($pipes[2]);
+    $code = proc_close($proc);
+    return [$code, trim($stdout . "\n" . $stderr)];
+}
+
+/** Recursively remove a directory (cross-platform). */
+function rmTree(string $dir): void {
+    if (!is_dir($dir)) return;
+    $it = new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS);
+    $files = new RecursiveIteratorIterator($it, RecursiveIteratorIterator::CHILD_FIRST);
+    foreach ($files as $file) {
+        if ($file->isDir()) {
+            @rmdir($file->getPathname());
+        } else {
+            // Clear read-only flag (git objects on Windows)
+            @chmod($file->getPathname(), 0777);
+            @unlink($file->getPathname());
+        }
+    }
+    @rmdir($dir);
+}
+
+/**
+ * Run a git command safely in a given working directory.
+ * @return array{int, string}
+ */
+function gitCmd(string $workDir, string ...$args): array {
+    $cmd = 'git';
+    foreach ($args as $a) {
+        $cmd .= ' ' . escapeshellarg($a);
+    }
+    return safeExec($cmd, $workDir);
+}
+
+// ── Fetch all repos via API ──────────────────────────────────────────────
+function fetchRepos(string $url, string $org, string $token): array {
+    $repos = [];
+    $page = 1;
+    do {
+        $ch = curl_init("{$url}/api/v1/orgs/{$org}/repos?page={$page}&limit=50");
+        curl_setopt_array($ch, [
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_HTTPHEADER => ["Authorization: token {$token}"],
+            CURLOPT_TIMEOUT => 30,
+        ]);
+        $body = curl_exec($ch);
+        $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+
+        if ($code !== 200) {
+            fprintf(STDERR, "API error (HTTP %d) fetching repos page %d\n", $code, $page);
+            break;
+        }
+
+        $batch = json_decode($body, true);
+        if (empty($batch)) break;
+        $repos = array_merge($repos, $batch);
+        $page++;
+    } while (count($batch) >= 50);
+
+    return $repos;
+}
+
+// ── Main ─────────────────────────────────────────────────────────────────
+echo "=== MokoStandards XML Manifest Push ===\n";
+echo "Org: {$giteaOrg}\n";
+echo "Mode: " . ($dryRun ? "DRY RUN" : "LIVE") . "\n";
+if ($repoFilter) echo "Filter: {$repoFilter}\n";
+echo "\n";
+
+if (empty($token)) {
+    fprintf(STDERR, "ERROR: GA_TOKEN or GH_TOKEN environment variable required\n");
+    exit(1);
+}
+
+$repos = fetchRepos($giteaUrl, $giteaOrg, $token);
+echo "Found " . count($repos) . " repositories\n\n";
+
+$stats = ['created' => 0, 'updated' => 0, 'skipped' => 0, 'failed' => 0];
+
+foreach ($repos as $repo) {
+    $name = $repo['name'];
+    if ($repoFilter && $name !== $repoFilter) continue;
+    if (in_array($name, $skipRepos, true)) {
+        echo "  SKIP {$name} (excluded)\n";
+        $stats['skipped']++;
+        continue;
+    }
+    if ($repo['archived'] ?? false) {
+        echo "  SKIP {$name} (archived)\n";
+        $stats['skipped']++;
+        continue;
+    }
+
+    $platform      = detectPlatform($repo);
+    $defaultBranch = $repo['default_branch'] ?? 'main';
+    // Prefer HTTPS with token (SSH port 2222 may be blocked); fall back to SSH
+    $httpsUrl = $repo['clone_url'] ?? "{$giteaUrl}/{$giteaOrg}/{$name}.git";
+    // Embed token in HTTPS URL for push auth
+    $authedUrl = preg_replace('#^https://#', "https://gitea-actions:{$token}@", $httpsUrl);
+
+    echo "  {$name} [{$platform}] ... ";
+
+    // Generate XML manifest
+    $xmlContent = $parser->generate([
+        'name'              => $name,
+        'org'               => $giteaOrg,
+        'platform'          => $platform,
+        'standards_version' => '04.07.00',
+        'description'       => $repo['description'] ?? '',
+        'license'           => 'GPL-3.0-or-later',
+        'topics'            => $repo['topics'] ?? [],
+        'language'          => $repo['language'] ?? MokoStandardsParser::platformLanguage($platform),
+        'package_type'      => MokoStandardsParser::platformPackageType($platform),
+        'last_synced'       => date('c'),
+    ]);
+
+    if ($dryRun) {
+        echo "WOULD WRITE ({$platform})\n";
+        $stats['created']++;
+        continue;
+    }
+
+    // Clone shallow via HTTPS (token-authed)
+    $workDir = "{$tmpBase}/{$name}";
+    @mkdir($workDir, 0755, true);
+
+    [$ret, $out] = safeExec(
+        'git clone --depth 1 --branch ' . escapeshellarg($defaultBranch) . ' '
+        . escapeshellarg($authedUrl) . ' ' . escapeshellarg($workDir)
+    );
+    if ($ret !== 0) {
+        echo "FAIL (clone)\n";
+        fprintf(STDERR, "    %s\n", $out);
+        $stats['failed']++;
+        continue;
+    }
+
+    // Check if already XML and up-to-date
+    $manifestPath = "{$workDir}/.mokogitea/.mokostandards";
+    $existingIsXml = file_exists($manifestPath) && str_contains(file_get_contents($manifestPath), '<mokostandards');
+    if ($existingIsXml && !$force) {
+        $existingPlatform = $parser->extractPlatform(file_get_contents($manifestPath));
+        if ($existingPlatform === $platform) {
+            echo "SKIP (already XML)\n";
+            $stats['skipped']++;
+            rmTree($workDir);
+            continue;
+        }
+    }
+
+    // Write manifest
+    @mkdir("{$workDir}/.gitea", 0755, true);
+    file_put_contents($manifestPath, $xmlContent);
+
+    // Delete legacy files if present
+    $legacyDeleted = [];
+    foreach (['.mokostandards', '.github/.mokostandards'] as $legacy) {
+        $legacyPath = "{$workDir}/{$legacy}";
+        if (file_exists($legacyPath)) {
+            unlink($legacyPath);
+            $legacyDeleted[] = $legacy;
+        }
+    }
+
+    // Commit
+    $isNew = !$existingIsXml;
+    $commitMsg = $isNew
+        ? 'chore: add XML .mokostandards manifest'
+        : 'chore: update .mokostandards to XML format';
+    if (!empty($legacyDeleted)) {
+        $commitMsg .= "\n\nRemoved legacy: " . implode(', ', $legacyDeleted);
+    }
+
+    gitCmd($workDir, 'config', 'user.name', 'gitea-actions[bot]');
+    gitCmd($workDir, 'config', 'user.email', 'gitea-actions[bot]@git.mokoconsulting.tech');
+    gitCmd($workDir, 'add', '.mokogitea/.mokostandards');
+    foreach ($legacyDeleted as $lf) {
+        gitCmd($workDir, 'add', $lf);
+    }
+
+    [$commitRet, $commitOut] = gitCmd($workDir, 'commit', '-m', $commitMsg);
+    if ($commitRet !== 0 && str_contains($commitOut, 'nothing to commit')) {
+        echo "SKIP (no changes)\n";
+        $stats['skipped']++;
+        rmTree($workDir);
+        continue;
+    }
+    if ($commitRet !== 0) {
+        echo "FAIL (commit)\n";
+        fprintf(STDERR, "    %s\n", $commitOut);
+        $stats['failed']++;
+        rmTree($workDir);
+        continue;
+    }
+
+    [$pushRet, $pushOut] = gitCmd($workDir, 'push', 'origin', $defaultBranch);
+    if ($pushRet !== 0) {
+        echo "FAIL (push)\n";
+        fprintf(STDERR, "    %s\n", $pushOut);
+        $stats['failed']++;
+    } else {
+        $action = $isNew ? 'CREATED' : 'UPDATED';
+        echo "{$action}\n";
+        $stats[$isNew ? 'created' : 'updated']++;
+    }
+
+    // Cleanup
+    rmTree($workDir);
+}
+
+// Cleanup tmp base
+@rmdir($tmpBase);
+
+echo "\n=== Summary ===\n";
+echo "Created: {$stats['created']}\n";
+echo "Updated: {$stats['updated']}\n";
+echo "Skipped: {$stats['skipped']}\n";
+echo "Failed:  {$stats['failed']}\n";
@@ -10,9 +10,8 @@
 * FILE INFORMATION
 * DEFGROUP: MokoStandards.Automation
 * INGROUP: MokoStandards.Scripts
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /automation/repo_cleanup.php
- * VERSION: 04.06.00
 * BRIEF: Enterprise repository cleanup — branches, PRs, issues, workflows, labels, logs
 */

@@ -362,7 +361,7 @@ class RepoCleanup extends CLIApp
        } catch (\Exception $e) { /* fallback to main */ }

        // Check both workflow directories for retired workflows (supports dual-platform repos)
-        $wfDirs = array_unique(['.github/workflows', '.gitea/workflows', $this->adapter->getWorkflowDir()]);
+        $wfDirs = array_unique(['.github/workflows', '.mokogitea/workflows', $this->adapter->getWorkflowDir()]);
        foreach (self::RETIRED_WORKFLOWS as $wf) {
            foreach ($wfDirs as $wfDir) {
                $path = "{$wfDir}/{$wf}";
@@ -0,0 +1,678 @@
+#!/usr/bin/env bash
+# server-autoheal.sh - Auto-heal on restart + split backup management
+#
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# DEFGROUP: MokoStandards.Automation.ServerAutoheal
+# INGROUP:  MokoStandards.Automation
+# REPO:     https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+# PATH:     /automation/server-autoheal.sh
+# BRIEF:    Server auto-heal on unclean restart + split system/content backups
+#
+# Usage:
+#   server-autoheal.sh <command> [options]
+#
+# Commands:
+#   boot-check       Run at boot — auto-heals if no safe point exists
+#   set-safepoint    Mark current state as safe (call before planned shutdown)
+#   backup-system    Run a system backup (configs, packages, services)
+#   backup-content   Run a content backup (site files, databases, uploads)
+#   cleanup          Prune expired backups per retention policy
+#   status           Show safe point and backup status
+#
+# Scheduling (cron):
+#   @reboot          server-autoheal.sh boot-check
+#   0 3 * * *        server-autoheal.sh backup-system    (daily at 3am)
+#   0 */2 * * *      server-autoheal.sh backup-content   (every 2 hours)
+#   30 */2 * * *     server-autoheal.sh cleanup           (30 min after content backup)
+
+set -euo pipefail
+
+# ──────────────────────────────────────────────
+# Configuration — override via /etc/moko/autoheal.conf
+# ──────────────────────────────────────────────
+CONF_FILE="/etc/moko/autoheal.conf"
+[[ -f "$CONF_FILE" ]] && source "$CONF_FILE"
+
+BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/moko}"
+SAFEPOINT_FILE="${SAFEPOINT_FILE:-/var/run/moko/safepoint}"
+LOG_FILE="${LOG_FILE:-/var/log/moko/autoheal.log}"
+LOCK_DIR="${LOCK_DIR:-/var/run/moko}"
+
+# System backup: configs, package lists, service state, cron
+SYSTEM_BACKUP_DIR="${BACKUP_ROOT}/system"
+SYSTEM_BACKUP_RETAIN="${SYSTEM_BACKUP_RETAIN:-7}"  # keep 7 daily system backups
+
+# Content backup: web roots, databases, uploads
+CONTENT_BACKUP_DIR="${BACKUP_ROOT}/content"
+CONTENT_BACKUP_RETAIN_HOURS="${CONTENT_BACKUP_RETAIN_HOURS:-24}"  # 1 day of content backups
+
+# Paths to back up — override these in /etc/moko/autoheal.conf
+SYSTEM_PATHS="${SYSTEM_PATHS:-/etc/nginx /etc/php /etc/mysql /etc/cron.d /etc/systemd/system}"
+CONTENT_PATHS="${CONTENT_PATHS:-/var/www}"
+DB_NAMES="${DB_NAMES:-}"  # space-separated list, empty = auto-detect all
+
+# ──────────────────────────────────────────────
+# Helpers
+# ──────────────────────────────────────────────
+log() {
+    local level="$1"; shift
+    local ts
+    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
+    local msg="[$ts] [$level] $*"
+    echo "$msg" | tee -a "$LOG_FILE" >&2
+}
+
+ensure_dirs() {
+    mkdir -p "$SYSTEM_BACKUP_DIR" "$CONTENT_BACKUP_DIR" \
+             "$LOCK_DIR" "$(dirname "$LOG_FILE")"
+}
+
+acquire_lock() {
+    local lockfile="${LOCK_DIR}/autoheal-${1}.lock"
+    if [[ -f "$lockfile" ]]; then
+        local pid
+        pid=$(<"$lockfile")
+        if kill -0 "$pid" 2>/dev/null; then
+            log WARN "Another $1 operation is running (PID $pid), skipping"
+            exit 0
+        fi
+        rm -f "$lockfile"
+    fi
+    echo $$ > "$lockfile"
+    trap "rm -f '$lockfile'" EXIT
+}
+
+timestamp() {
+    date -u '+%Y%m%d_%H%M%S'
+}
+
+# ──────────────────────────────────────────────
+# Safe-point management
+# ──────────────────────────────────────────────
+cmd_set_safepoint() {
+    ensure_dirs
+    local ts
+    ts=$(timestamp)
+    cat > "$SAFEPOINT_FILE" <<EOF
+timestamp=$ts
+hostname=$(hostname)
+kernel=$(uname -r)
+uptime=$(uptime -s 2>/dev/null || echo "unknown")
+set_by=${SUDO_USER:-$(whoami)}
+EOF
+    log INFO "Safe point set at $ts by ${SUDO_USER:-$(whoami)}"
+}
+
+cmd_clear_safepoint() {
+    rm -f "$SAFEPOINT_FILE"
+    log INFO "Safe point cleared"
+}
+
+has_safepoint() {
+    [[ -f "$SAFEPOINT_FILE" ]]
+}
+
+# ──────────────────────────────────────────────
+# System backup (daily)
+# ──────────────────────────────────────────────
+cmd_backup_system() {
+    ensure_dirs
+    acquire_lock "system-backup"
+
+    local ts
+    ts=$(timestamp)
+    local archive="${SYSTEM_BACKUP_DIR}/system_${ts}.tar.gz"
+    local manifest="${SYSTEM_BACKUP_DIR}/system_${ts}.manifest"
+
+    log INFO "Starting system backup → $archive"
+
+    # Collect existing paths only
+    local existing_paths=()
+    for p in $SYSTEM_PATHS; do
+        [[ -e "$p" ]] && existing_paths+=("$p")
+    done
+
+    if [[ ${#existing_paths[@]} -eq 0 ]]; then
+        log WARN "No system paths found to back up"
+        return 1
+    fi
+
+    # Archive configs and system files
+    tar -czf "$archive" "${existing_paths[@]}" 2>/dev/null || true
+
+    # Capture package list and service state as manifest
+    {
+        echo "=== PACKAGES ==="
+        if command -v dpkg &>/dev/null; then
+            dpkg --get-selections
+        elif command -v rpm &>/dev/null; then
+            rpm -qa --qf '%{NAME}\t%{VERSION}\n'
+        fi
+        echo ""
+        echo "=== ENABLED SERVICES ==="
+        if command -v systemctl &>/dev/null; then
+            systemctl list-unit-files --state=enabled --no-pager 2>/dev/null || true
+        fi
+        echo ""
+        echo "=== CRONTABS ==="
+        for user_home in /var/spool/cron/crontabs/*; do
+            [[ -f "$user_home" ]] && echo "--- $(basename "$user_home") ---" && cat "$user_home"
+        done 2>/dev/null || true
+    } > "$manifest"
+
+    local size
+    size=$(du -sh "$archive" 2>/dev/null | cut -f1)
+    log INFO "System backup complete: $archive ($size)"
+
+    # Prune old system backups (keep $SYSTEM_BACKUP_RETAIN)
+    local count
+    count=$(find "$SYSTEM_BACKUP_DIR" -name 'system_*.tar.gz' | wc -l)
+    if [[ "$count" -gt "$SYSTEM_BACKUP_RETAIN" ]]; then
+        local to_remove=$((count - SYSTEM_BACKUP_RETAIN))
+        find "$SYSTEM_BACKUP_DIR" -name 'system_*.tar.gz' -printf '%T+ %p\n' \
+            | sort | head -n "$to_remove" | awk '{print $2}' \
+            | while read -r f; do
+                rm -f "$f" "${f%.tar.gz}.manifest"
+                log INFO "Pruned old system backup: $f"
+            done
+    fi
+}
+
+# ──────────────────────────────────────────────
+# Content backup (every 2 hours)
+# ──────────────────────────────────────────────
+cmd_backup_content() {
+    ensure_dirs
+    acquire_lock "content-backup"
+
+    local ts
+    ts=$(timestamp)
+    local archive="${CONTENT_BACKUP_DIR}/content_${ts}.tar.gz"
+    local db_dump="${CONTENT_BACKUP_DIR}/content_${ts}.sql.gz"
+
+    log INFO "Starting content backup → $archive"
+
+    # Back up web content / uploads
+    local existing_paths=()
+    for p in $CONTENT_PATHS; do
+        [[ -e "$p" ]] && existing_paths+=("$p")
+    done
+
+    if [[ ${#existing_paths[@]} -gt 0 ]]; then
+        tar -czf "$archive" "${existing_paths[@]}" 2>/dev/null || true
+        local size
+        size=$(du -sh "$archive" 2>/dev/null | cut -f1)
+        log INFO "Content files archived: $archive ($size)"
+    else
+        log WARN "No content paths found to back up"
+    fi
+
+    # Database dump
+    if command -v mysqldump &>/dev/null || command -v mariadb-dump &>/dev/null; then
+        local dump_cmd="mysqldump"
+        command -v mariadb-dump &>/dev/null && dump_cmd="mariadb-dump"
+
+        local databases=()
+        if [[ -n "$DB_NAMES" ]]; then
+            read -ra databases <<< "$DB_NAMES"
+        else
+            # Auto-detect: dump all databases except system ones
+            databases=($(${dump_cmd%dump} -N -e \
+                "SELECT schema_name FROM information_schema.schemata
+                 WHERE schema_name NOT IN ('information_schema','performance_schema','mysql','sys')" \
+                2>/dev/null | tr '\n' ' ')) || true
+        fi
+
+        if [[ ${#databases[@]} -gt 0 ]]; then
+            $dump_cmd --single-transaction --routines --triggers \
+                --databases "${databases[@]}" 2>/dev/null \
+                | gzip > "$db_dump"
+            local db_size
+            db_size=$(du -sh "$db_dump" 2>/dev/null | cut -f1)
+            log INFO "Database dump complete: $db_dump ($db_size)"
+        else
+            log WARN "No databases found to dump"
+        fi
+    fi
+}
+
+# ──────────────────────────────────────────────
+# Cleanup — prune content backups older than retention
+# ──────────────────────────────────────────────
+cmd_cleanup() {
+    ensure_dirs
+    local before_count after_count
+
+    # Content: keep only last 24 hours (1 day)
+    before_count=$(find "$CONTENT_BACKUP_DIR" -name 'content_*' -type f | wc -l)
+    find "$CONTENT_BACKUP_DIR" -name 'content_*' -type f \
+        -mmin +$((CONTENT_BACKUP_RETAIN_HOURS * 60)) -delete 2>/dev/null || true
+    after_count=$(find "$CONTENT_BACKUP_DIR" -name 'content_*' -type f | wc -l)
+    local removed=$((before_count - after_count))
+    [[ "$removed" -gt 0 ]] && log INFO "Pruned $removed content backup(s) older than ${CONTENT_BACKUP_RETAIN_HOURS}h"
+
+    # System: keep N most recent (handled in backup-system, but double-check here)
+    before_count=$(find "$SYSTEM_BACKUP_DIR" -name 'system_*' -type f | wc -l)
+    local max_system_files=$((SYSTEM_BACKUP_RETAIN * 2))  # .tar.gz + .manifest
+    if [[ "$before_count" -gt "$max_system_files" ]]; then
+        local excess=$((before_count - max_system_files))
+        find "$SYSTEM_BACKUP_DIR" -name 'system_*' -type f -printf '%T+ %p\n' \
+            | sort | head -n "$excess" | awk '{print $2}' \
+            | xargs -r rm -f
+        log INFO "Pruned excess system backups"
+    fi
+
+    log INFO "Cleanup complete"
+}
+
+# ──────────────────────────────────────────────
+# Boot check — the auto-heal entry point
+# ──────────────────────────────────────────────
+cmd_boot_check() {
+    ensure_dirs
+    acquire_lock "boot-check"
+
+    log INFO "=== Boot check started ==="
+    log INFO "Hostname: $(hostname), Kernel: $(uname -r)"
+
+    if has_safepoint; then
+        log INFO "Safe point found — server was shut down cleanly"
+        log INFO "Clearing safe point for next cycle"
+        cmd_clear_safepoint
+        log INFO "=== Boot check passed (clean restart) ==="
+        return 0
+    fi
+
+    log WARN "NO safe point found — server restarted without clean shutdown"
+    log WARN "Initiating auto-heal sequence..."
+
+    auto_heal
+    local rc=$?
+
+    # Set safe point after successful heal
+    if [[ $rc -eq 0 ]]; then
+        cmd_set_safepoint
+        log INFO "=== Boot check complete (healed successfully) ==="
+    else
+        log ERROR "=== Boot check FAILED — manual intervention required ==="
+    fi
+
+    return $rc
+}
+
+# ──────────────────────────────────────────────
+# Auto-heal strategy
+#
+# TODO: This is the core decision point. Implement the recovery
+# steps that match your server's architecture. See guidance below.
+#
+# Trade-offs to consider:
+#   - Restore-from-backup: safest, but content may be up to 2h stale
+#   - Service-restart-only: faster, keeps current data, but won't fix
+#     corrupted configs or broken filesystem state
+#   - Hybrid: restart services first, verify health, only restore if
+#     health checks fail — best of both worlds but more complex
+#
+# The function receives no arguments. Use the latest system + content
+# backups to restore if needed. Return 0 on success, 1 on failure.
+# ──────────────────────────────────────────────
+auto_heal() {
+    log INFO "Phase 1: Verify and repair filesystem"
+    # Check for common post-crash issues
+    repair_filesystem
+
+    log INFO "Phase 2: Restore system configuration if corrupted"
+    restore_system_if_needed
+
+    log INFO "Phase 3: Restart core services"
+    restart_services
+
+    log INFO "Phase 4: Verify health"
+    if ! verify_health; then
+        log WARN "Health check failed after service restart — restoring from backup"
+        restore_from_backup
+        restart_services
+
+        if ! verify_health; then
+            log ERROR "Health check still failing after restore — giving up"
+            return 1
+        fi
+    fi
+
+    log INFO "Auto-heal completed successfully"
+    return 0
+}
+
+# ──────────────────────────────────────────────
+# Heal sub-steps
+# ──────────────────────────────────────────────
+repair_filesystem() {
+    # Fix common post-crash filesystem issues
+    # Clear stale PID/lock/socket files that prevent services from starting
+    local stale_files=(
+        /var/run/nginx.pid
+        /var/run/mysqld/mysqld.pid
+        /var/run/php-fpm.pid
+        /var/lib/mysql/*.pid
+    )
+    for f in "${stale_files[@]}"; do
+        for expanded in $f; do
+            if [[ -f "$expanded" ]]; then
+                local pid
+                pid=$(<"$expanded") 2>/dev/null || true
+                if [[ -n "$pid" ]] && ! kill -0 "$pid" 2>/dev/null; then
+                    rm -f "$expanded"
+                    log INFO "Removed stale PID file: $expanded"
+                fi
+            fi
+        done
+    done
+
+    # Fix permissions on critical dirs that may get mangled
+    [[ -d /var/run/mysqld ]] && chown mysql:mysql /var/run/mysqld 2>/dev/null || true
+    [[ -d /var/lib/php/sessions ]] && chmod 1733 /var/lib/php/sessions 2>/dev/null || true
+
+    # Repair tmp/cache dirs
+    for d in /tmp /var/tmp; do
+        [[ -d "$d" ]] && chmod 1777 "$d" 2>/dev/null || true
+    done
+}
+
+restore_system_if_needed() {
+    # Find latest system backup
+    local latest_system
+    latest_system=$(find "$SYSTEM_BACKUP_DIR" -name 'system_*.tar.gz' -printf '%T+ %p\n' \
+        2>/dev/null | sort -r | head -1 | awk '{print $2}')
+
+    if [[ -z "$latest_system" ]]; then
+        log WARN "No system backup available to verify against"
+        return 0
+    fi
+
+    # Check if critical configs exist and are non-empty
+    local needs_restore=false
+    local critical_configs=("/etc/nginx/nginx.conf" "/etc/php" "/etc/mysql")
+
+    for cfg in "${critical_configs[@]}"; do
+        if [[ -e "$cfg" ]]; then
+            # Config exists — check if it's a file and non-empty, or a directory
+            if [[ -f "$cfg" && ! -s "$cfg" ]]; then
+                log WARN "Critical config is empty: $cfg"
+                needs_restore=true
+                break
+            fi
+        fi
+    done
+
+    if $needs_restore; then
+        log WARN "Restoring system config from $latest_system"
+        tar -xzf "$latest_system" -C / 2>/dev/null || {
+            log ERROR "System restore failed from $latest_system"
+            return 1
+        }
+        log INFO "System config restored"
+    else
+        log INFO "System configs look intact — skipping restore"
+    fi
+}
+
+restart_services() {
+    if ! command -v systemctl &>/dev/null; then
+        log WARN "systemctl not available — skipping service restart"
+        return 0
+    fi
+
+    local services=("mysql" "mariadb" "nginx" "apache2" "php-fpm" "php8.1-fpm" "php8.2-fpm" "php8.3-fpm")
+
+    for svc in "${services[@]}"; do
+        if systemctl is-enabled "$svc" &>/dev/null; then
+            log INFO "Restarting $svc..."
+            systemctl restart "$svc" 2>/dev/null && \
+                log INFO "$svc restarted OK" || \
+                log WARN "$svc restart failed"
+        fi
+    done
+}
+
+verify_health() {
+    local failures=0
+
+    # Check critical services are running
+    local services=("mysql" "mariadb" "nginx" "apache2")
+    for svc in "${services[@]}"; do
+        if systemctl is-enabled "$svc" &>/dev/null; then
+            if ! systemctl is-active "$svc" &>/dev/null; then
+                log WARN "Service not running: $svc"
+                ((failures++))
+            fi
+        fi
+    done
+
+    # Check if web server responds
+    if command -v curl &>/dev/null; then
+        if ! curl -sf -o /dev/null --max-time 10 "http://localhost/" 2>/dev/null; then
+            log WARN "Local web server not responding"
+            ((failures++))
+        fi
+    fi
+
+    # Check if database accepts connections
+    if command -v mysqladmin &>/dev/null; then
+        if ! mysqladmin ping --silent 2>/dev/null; then
+            log WARN "Database not responding to ping"
+            ((failures++))
+        fi
+    fi
+
+    [[ $failures -eq 0 ]]
+}
+
+restore_from_backup() {
+    log WARN "=== Full restore from backup ==="
+
+    # Restore system config
+    local latest_system
+    latest_system=$(find "$SYSTEM_BACKUP_DIR" -name 'system_*.tar.gz' -printf '%T+ %p\n' \
+        2>/dev/null | sort -r | head -1 | awk '{print $2}')
+
+    if [[ -n "$latest_system" ]]; then
+        log INFO "Restoring system from $latest_system"
+        tar -xzf "$latest_system" -C / 2>/dev/null || \
+            log ERROR "System restore failed"
+    fi
+
+    # Restore content
+    local latest_content
+    latest_content=$(find "$CONTENT_BACKUP_DIR" -name 'content_*.tar.gz' -printf '%T+ %p\n' \
+        2>/dev/null | sort -r | head -1 | awk '{print $2}')
+
+    if [[ -n "$latest_content" ]]; then
+        log INFO "Restoring content from $latest_content"
+        tar -xzf "$latest_content" -C / 2>/dev/null || \
+            log ERROR "Content restore failed"
+    fi
+
+    # Restore database
+    local latest_db
+    latest_db=$(find "$CONTENT_BACKUP_DIR" -name 'content_*.sql.gz' -printf '%T+ %p\n' \
+        2>/dev/null | sort -r | head -1 | awk '{print $2}')
+
+    if [[ -n "$latest_db" ]]; then
+        log INFO "Restoring database from $latest_db"
+        local mysql_cmd="mysql"
+        command -v mariadb &>/dev/null && mysql_cmd="mariadb"
+        zcat "$latest_db" | $mysql_cmd 2>/dev/null || \
+            log ERROR "Database restore failed"
+    fi
+}
+
+# ──────────────────────────────────────────────
+# Status
+# ──────────────────────────────────────────────
+cmd_status() {
+    echo "=== Moko Server Auto-Heal Status ==="
+    echo ""
+
+    # Safe point
+    if has_safepoint; then
+        echo "Safe point:  SET"
+        cat "$SAFEPOINT_FILE" | sed 's/^/  /'
+    else
+        echo "Safe point:  NOT SET (will auto-heal on next boot)"
+    fi
+    echo ""
+
+    # System backups
+    echo "System backups (${SYSTEM_BACKUP_DIR}):"
+    local sys_count
+    sys_count=$(find "$SYSTEM_BACKUP_DIR" -name 'system_*.tar.gz' 2>/dev/null | wc -l)
+    echo "  Count:     $sys_count (retain $SYSTEM_BACKUP_RETAIN)"
+    local latest_sys
+    latest_sys=$(find "$SYSTEM_BACKUP_DIR" -name 'system_*.tar.gz' -printf '%T+ %p\n' \
+        2>/dev/null | sort -r | head -1)
+    if [[ -n "$latest_sys" ]]; then
+        echo "  Latest:    $(echo "$latest_sys" | awk '{print $2}')"
+        echo "  Timestamp: $(echo "$latest_sys" | awk '{print $1}')"
+    else
+        echo "  Latest:    (none)"
+    fi
+    echo ""
+
+    # Content backups
+    echo "Content backups (${CONTENT_BACKUP_DIR}):"
+    local cnt_count
+    cnt_count=$(find "$CONTENT_BACKUP_DIR" -name 'content_*.tar.gz' 2>/dev/null | wc -l)
+    echo "  Count:     $cnt_count (retain ${CONTENT_BACKUP_RETAIN_HOURS}h)"
+    local latest_cnt
+    latest_cnt=$(find "$CONTENT_BACKUP_DIR" -name 'content_*.tar.gz' -printf '%T+ %p\n' \
+        2>/dev/null | sort -r | head -1)
+    if [[ -n "$latest_cnt" ]]; then
+        echo "  Latest:    $(echo "$latest_cnt" | awk '{print $2}')"
+        echo "  Timestamp: $(echo "$latest_cnt" | awk '{print $1}')"
+    else
+        echo "  Latest:    (none)"
+    fi
+    echo ""
+
+    # Disk usage
+    echo "Backup disk usage:"
+    du -sh "$SYSTEM_BACKUP_DIR" "$CONTENT_BACKUP_DIR" 2>/dev/null | sed 's/^/  /'
+}
+
+# ──────────────────────────────────────────────
+# Install helper — sets up cron + systemd
+# ──────────────────────────────────────────────
+cmd_install() {
+    local script_path
+    script_path=$(readlink -f "$0")
+
+    echo "Installing Moko Auto-Heal..."
+
+    # Create config directory
+    mkdir -p /etc/moko "$(dirname "$LOG_FILE")" "$LOCK_DIR"
+
+    # Write example config if none exists
+    if [[ ! -f "$CONF_FILE" ]]; then
+        cat > "$CONF_FILE" <<'CONF'
+# /etc/moko/autoheal.conf — Server auto-heal configuration
+# Uncomment and modify as needed
+
+# BACKUP_ROOT="/var/backups/moko"
+# SAFEPOINT_FILE="/var/run/moko/safepoint"
+# LOG_FILE="/var/log/moko/autoheal.log"
+
+# System backup paths (space-separated)
+# SYSTEM_PATHS="/etc/nginx /etc/php /etc/mysql /etc/cron.d /etc/systemd/system"
+
+# Content backup paths (space-separated)
+# CONTENT_PATHS="/var/www"
+
+# Database names (space-separated, empty = auto-detect all)
+# DB_NAMES=""
+
+# Retention
+# SYSTEM_BACKUP_RETAIN=7        # daily backups to keep
+# CONTENT_BACKUP_RETAIN_HOURS=24  # hours of content backups to keep
+CONF
+        echo "  Created config: $CONF_FILE"
+    fi
+
+    # Install cron jobs
+    local cron_file="/etc/cron.d/moko-autoheal"
+    cat > "$cron_file" <<CRON
+# Moko Server Auto-Heal — managed by server-autoheal.sh install
+SHELL=/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Boot check — auto-heal if no safe point
+@reboot root ${script_path} boot-check
+
+# System backup — daily at 3:00 AM
+0 3 * * * root ${script_path} backup-system
+
+# Content backup — every 2 hours
+0 */2 * * * root ${script_path} backup-content
+
+# Cleanup expired backups — 30 min after each content backup
+30 */2 * * * root ${script_path} cleanup
+CRON
+    echo "  Installed cron: $cron_file"
+
+    # Install shutdown hook to set safe point on clean shutdown
+    local shutdown_hook="/etc/systemd/system/moko-safepoint.service"
+    cat > "$shutdown_hook" <<UNIT
+[Unit]
+Description=Moko Safe Point — mark clean shutdown
+DefaultDependencies=no
+Before=shutdown.target reboot.target halt.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/true
+ExecStop=${script_path} set-safepoint
+
+[Install]
+WantedBy=multi-user.target
+UNIT
+    systemctl daemon-reload
+    systemctl enable moko-safepoint.service
+    echo "  Installed systemd hook: $shutdown_hook"
+
+    echo ""
+    echo "Done! Edit $CONF_FILE to configure paths for your server."
+    echo "Run '${script_path} status' to verify."
+}
+
+# ──────────────────────────────────────────────
+# Main dispatcher
+# ──────────────────────────────────────────────
+main() {
+    local cmd="${1:-help}"
+
+    case "$cmd" in
+        boot-check)       cmd_boot_check ;;
+        set-safepoint)    cmd_set_safepoint ;;
+        clear-safepoint)  cmd_clear_safepoint ;;
+        backup-system)    cmd_backup_system ;;
+        backup-content)   cmd_backup_content ;;
+        cleanup)          cmd_cleanup ;;
+        status)           cmd_status ;;
+        install)          cmd_install ;;
+        help|--help|-h)
+            sed -n '2,/^$/s/^# //p' "$0"
+            echo ""
+            echo "Commands: boot-check, set-safepoint, clear-safepoint,"
+            echo "          backup-system, backup-content, cleanup, status, install"
+            ;;
+        *)
+            echo "Unknown command: $cmd" >&2
+            echo "Run '$0 help' for usage" >&2
+            exit 1
+            ;;
+    esac
+}
+
+main "$@"
@@ -10,9 +10,8 @@
 * FILE INFORMATION
 * DEFGROUP: MokoStandards.CLI
 * INGROUP: MokoStandards
- * REPO: https://github.com/mokoconsulting-tech/MokoStandards
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /bin/moko
- * VERSION: 04.00.15
 * BRIEF: Unified CLI dispatcher — run any MokoStandards script without needing GitHub Actions
 *
 * USAGE
@@ -69,6 +68,11 @@ declare(strict_types=1);
 $repoRoot   = dirname(__DIR__);
 $autoloader = $repoRoot . '/vendor/autoload.php';

+// Support global Composer installs (e.g. composer global require)
+if (isset($GLOBALS['_composer_autoload_path'])) {
+    $autoloader = $GLOBALS['_composer_autoload_path'];
+}
+
 if (!is_file($autoloader)) {
    fwrite(STDERR, "Error: vendor/autoload.php not found.\nRun: composer install\n");
    exit(2);
@@ -7,11 +7,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/archive_repo.php
- * VERSION: 04.06.10
 * BRIEF: Gracefully retire a governed repository — archive, close issues/PRs, remove sync def
 *
 * USAGE
@@ -0,0 +1,68 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/badge_update.php
+ * BRIEF: Update [VERSION: XX.XX.XX] badges in all markdown files
+ *
+ * Usage:
+ *   php badge_update.php --path /repo --version 04.01.00
+ */
+
+declare(strict_types=1);
+
+$path = '.';
+$version = null;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path' && isset($argv[$i + 1])) $path = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
+}
+
+if ($version === null) {
+	fwrite(STDERR, "Usage: badge_update.php --path . --version XX.YY.ZZ\n");
+	exit(1);
+}
+
+$root = realpath($path) ?: $path;
+$pattern = '/\[VERSION:\s*\d{2}\.\d{2}\.\d{2}\]/';
+$replacement = "[VERSION: {$version}]";
+$updated = 0;
+
+$iterator = new RecursiveIteratorIterator(
+	new RecursiveDirectoryIterator($root, RecursiveDirectoryIterator::SKIP_DOTS)
+);
+
+foreach ($iterator as $file) {
+	$filePath = $file->getPathname();
+
+	// Skip .git and vendor directories
+	if (preg_match('#[/\\\\](\.git|vendor)[/\\\\]#', $filePath)) {
+		continue;
+	}
+
+	// Only process markdown files
+	if (!preg_match('/\.md$/i', $filePath)) {
+		continue;
+	}
+
+	$content = file_get_contents($filePath);
+	if (preg_match($pattern, $content)) {
+		$newContent = preg_replace($pattern, $replacement, $content);
+		if ($newContent !== $content) {
+			file_put_contents($filePath, $newContent);
+			$relative = str_replace($root . DIRECTORY_SEPARATOR, '', $filePath);
+			echo "Updated: {$relative}\n";
+			$updated++;
+		}
+	}
+}
+
+echo "Updated {$updated} file(s) to {$replacement}\n";
+exit(0);
@@ -0,0 +1,319 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * This file is part of a Moko Consulting project.
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/bulk_workflow_trigger.php
+ * VERSION: 01.00.00
+ * BRIEF: Trigger a workflow across multiple repos at once
+ */
+
+declare(strict_types=1);
+
+final class BulkWorkflowTrigger
+{
+	private string $giteaUrl = 'https://git.mokoconsulting.tech';
+	private string $token = '';
+	private string $reposFile = '';
+	private string $org = '';
+	private string $workflow = '';
+	private string $ref = 'main';
+	private string $inputs = '';
+	private bool $dryRun = false;
+
+	public function run(): int
+	{
+		$this->parseArgs();
+
+		if ($this->token === '')
+		{
+			$this->log('ERROR: --token is required.');
+			$this->printUsage();
+			return 1;
+		}
+
+		if ($this->workflow === '')
+		{
+			$this->log('ERROR: --workflow is required.');
+			$this->printUsage();
+			return 1;
+		}
+
+		if ($this->reposFile === '' && $this->org === '')
+		{
+			$this->log('ERROR: Either --repos <file> or --org <org> is required.');
+			$this->printUsage();
+			return 1;
+		}
+
+		// Build repo list
+		$repos = $this->buildRepoList();
+
+		if ($repos === null || count($repos) === 0)
+		{
+			$this->log('ERROR: No repos found to process.');
+			return 1;
+		}
+
+		$this->log("Triggering workflow \"{$this->workflow}\" on ref \"{$this->ref}\" across " . count($repos) . " repo(s).");
+		$this->log("Gitea URL: {$this->giteaUrl}");
+
+		if ($this->dryRun)
+		{
+			$this->log('[DRY RUN] No requests will be sent.');
+		}
+
+		$this->log('');
+
+		// Parse inputs
+		$inputsDecoded = null;
+
+		if ($this->inputs !== '')
+		{
+			$inputsDecoded = json_decode($this->inputs, true);
+
+			if (!is_array($inputsDecoded))
+			{
+				$this->log('ERROR: --inputs must be valid JSON.');
+				return 1;
+			}
+		}
+
+		// Print header
+		$this->log(sprintf('%-40s | %s', 'Repo', 'Status'));
+		$this->log(str_repeat('-', 60));
+
+		$failCount = 0;
+
+		foreach ($repos as $repo)
+		{
+			$repo = trim($repo);
+
+			if ($repo === '' || strpos($repo, '/') === false)
+			{
+				continue;
+			}
+
+			[$owner, $repoName] = explode('/', $repo, 2);
+
+			if ($this->dryRun)
+			{
+				$this->log(sprintf('%-40s | %s', $repo, 'DRY RUN (skipped)'));
+				continue;
+			}
+
+			$payload = ['ref' => $this->ref];
+
+			if ($inputsDecoded !== null)
+			{
+				$payload['inputs'] = $inputsDecoded;
+			}
+
+			$response = $this->apiRequest(
+				'POST',
+				"/api/v1/repos/{$owner}/{$repoName}/actions/workflows/{$this->workflow}/dispatches",
+				json_encode($payload)
+			);
+
+			if ($response['code'] >= 200 && $response['code'] < 300)
+			{
+				$status = 'TRIGGERED';
+			}
+			elseif ($response['code'] === 404)
+			{
+				$status = 'FAILED (not found)';
+				$failCount++;
+			}
+			elseif ($response['code'] === 422)
+			{
+				$status = 'SKIPPED (unprocessable)';
+			}
+			else
+			{
+				$status = "FAILED (HTTP {$response['code']})";
+				$failCount++;
+			}
+
+			$this->log(sprintf('%-40s | %s', $repo, $status));
+		}
+
+		$this->log('');
+		$this->log('Done. ' . ($failCount > 0 ? "{$failCount} failure(s)." : 'All succeeded.'));
+
+		return $failCount > 0 ? 1 : 0;
+	}
+
+	private function parseArgs(): void
+	{
+		$args = $_SERVER['argv'] ?? [];
+		$count = count($args);
+
+		for ($i = 1; $i < $count; $i++)
+		{
+			switch ($args[$i])
+			{
+				case '--gitea-url':
+					$this->giteaUrl = rtrim($args[++$i] ?? '', '/');
+					break;
+				case '--token':
+					$this->token = $args[++$i] ?? '';
+					break;
+				case '--repos':
+					$this->reposFile = $args[++$i] ?? '';
+					break;
+				case '--org':
+					$this->org = $args[++$i] ?? '';
+					break;
+				case '--workflow':
+					$this->workflow = $args[++$i] ?? '';
+					break;
+				case '--ref':
+					$this->ref = $args[++$i] ?? 'main';
+					break;
+				case '--inputs':
+					$this->inputs = $args[++$i] ?? '';
+					break;
+				case '--dry-run':
+					$this->dryRun = true;
+					break;
+				case '--help':
+				case '-h':
+					$this->printUsage();
+					exit(0);
+				default:
+					$this->log("WARNING: Unknown argument: {$args[$i]}");
+					break;
+			}
+		}
+	}
+
+	private function printUsage(): void
+	{
+		$this->log('Usage: bulk_workflow_trigger.php --token <token> --workflow <file> [options]');
+		$this->log('');
+		$this->log('Options:');
+		$this->log('  --gitea-url <url>      Gitea URL (default: https://git.mokoconsulting.tech)');
+		$this->log('  --token <token>        Gitea API token');
+		$this->log('  --repos <file>         File with newline-separated owner/repo list');
+		$this->log('  --org <org>            Trigger on all repos in an org');
+		$this->log('  --workflow <filename>  Workflow file (e.g., "sync-servers.yml")');
+		$this->log('  --ref <branch>         Branch ref (default: "main")');
+		$this->log('  --inputs <json>        Workflow inputs as JSON string');
+		$this->log('  --dry-run              Show what would be done without triggering');
+		$this->log('  --help, -h             Show this help');
+	}
+
+	private function buildRepoList(): ?array
+	{
+		if ($this->reposFile !== '')
+		{
+			if (!file_exists($this->reposFile))
+			{
+				$this->log("ERROR: Repos file not found: {$this->reposFile}");
+				return null;
+			}
+
+			$content = file_get_contents($this->reposFile);
+			$lines = array_filter(array_map('trim', explode("\n", $content)), function (string $line): bool {
+				return $line !== '' && $line[0] !== '#';
+			});
+
+			return array_values($lines);
+		}
+
+		// Fetch all repos from org
+		$this->log("Fetching repos from org: {$this->org}");
+
+		$page = 1;
+		$repos = [];
+
+		while (true)
+		{
+			$response = $this->apiRequest('GET', "/api/v1/orgs/{$this->org}/repos?limit=50&page={$page}");
+
+			if ($response['code'] < 200 || $response['code'] >= 300)
+			{
+				if ($page === 1)
+				{
+					$this->log("ERROR: Could not fetch repos for org (HTTP {$response['code']}).");
+					return null;
+				}
+
+				break;
+			}
+
+			$data = json_decode($response['body'], true);
+
+			if (!is_array($data) || count($data) === 0)
+			{
+				break;
+			}
+
+			foreach ($data as $repo)
+			{
+				$fullName = $repo['full_name'] ?? '';
+
+				if ($fullName !== '')
+				{
+					$repos[] = $fullName;
+				}
+			}
+
+			$page++;
+		}
+
+		$this->log('Found ' . count($repos) . " repo(s) in org \"{$this->org}\".");
+
+		return $repos;
+	}
+
+	private function apiRequest(string $method, string $endpoint, ?string $body = null): array
+	{
+		$url = $this->giteaUrl . $endpoint;
+
+		$ch = curl_init();
+		curl_setopt($ch, CURLOPT_URL, $url);
+		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
+		curl_setopt($ch, CURLOPT_HTTPHEADER, [
+			'Content-Type: application/json',
+			'Accept: application/json',
+			"Authorization: token {$this->token}",
+		]);
+
+		if ($body !== null)
+		{
+			curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
+		}
+
+		$responseBody = curl_exec($ch);
+		$httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+
+		if (curl_errno($ch))
+		{
+			$error = curl_error($ch);
+			curl_close($ch);
+
+			return ['code' => 0, 'body' => "cURL error: {$error}"];
+		}
+
+		curl_close($ch);
+
+		return ['code' => $httpCode, 'body' => $responseBody];
+	}
+
+	private function log(string $message): void
+	{
+		fwrite(STDERR, $message . PHP_EOL);
+	}
+}
+
+$app = new BulkWorkflowTrigger();
+exit($app->run());
@@ -0,0 +1,82 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/changelog_promote.php
+ * BRIEF: Promote [Unreleased] section in CHANGELOG.md to a versioned entry
+ *
+ * Usage:
+ *   php changelog_promote.php --path /repo --version 04.01.00
+ *   php changelog_promote.php --path /repo --version 04.01.00 --date 2026-05-21
+ */
+
+declare(strict_types=1);
+
+$path = '.';
+$version = null;
+$date = date('Y-m-d');
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path' && isset($argv[$i + 1])) $path = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
+	if ($arg === '--date' && isset($argv[$i + 1])) $date = $argv[$i + 1];
+}
+
+if ($version === null) {
+	fwrite(STDERR, "Usage: changelog_promote.php --path . --version XX.YY.ZZ [--date YYYY-MM-DD]\n");
+	exit(1);
+}
+
+$changelog = realpath($path) . '/CHANGELOG.md';
+if (!file_exists($changelog)) {
+	fwrite(STDERR, "No CHANGELOG.md found at {$path}\n");
+	exit(1);
+}
+
+$content = file_get_contents($changelog);
+
+// Check if [Unreleased] section exists
+if (!preg_match('/## \[?Unreleased\]?/i', $content)) {
+	fwrite(STDERR, "No [Unreleased] section found in CHANGELOG.md\n");
+	exit(1);
+}
+
+// Replace [Unreleased] with versioned entry
+$content = preg_replace(
+	'/## \[Unreleased\]/i',
+	"## [{$version}] --- {$date}",
+	$content,
+	1
+);
+$content = preg_replace(
+	'/## Unreleased/i',
+	"## [{$version}] --- {$date}",
+	$content,
+	1
+);
+
+// Insert new [Unreleased] section after the first heading line (# Changelog)
+$lines = explode("\n", $content);
+$inserted = false;
+$result = [];
+
+foreach ($lines as $line) {
+	$result[] = $line;
+	if (!$inserted && preg_match('/^# /', $line)) {
+		$result[] = '';
+		$result[] = '## [Unreleased]';
+		$result[] = '';
+		$inserted = true;
+	}
+}
+
+$content = implode("\n", $result);
+file_put_contents($changelog, $content);
+echo "CHANGELOG promoted: [Unreleased] -> [{$version}] --- {$date}\n";
+exit(0);
@@ -0,0 +1,334 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * This file is part of a Moko Consulting project.
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/client_inventory.php
+ * VERSION: 01.00.00
+ * BRIEF: Discover and list all client-waas repos with their server configuration status
+ */
+
+declare(strict_types=1);
+
+final class ClientInventory
+{
+	private string $giteaUrl = 'https://git.mokoconsulting.tech';
+	private string $token = '';
+	private bool $jsonOutput = false;
+
+	public function run(): int
+	{
+		$this->parseArgs();
+
+		if ($this->token === '')
+		{
+			$this->log('ERROR: --token is required.');
+			$this->printUsage();
+			return 1;
+		}
+
+		$this->log("Scanning Gitea instance: {$this->giteaUrl}");
+
+		// Step 1: List all orgs
+		$orgs = $this->fetchOrgs();
+
+		if ($orgs === null)
+		{
+			$this->log('ERROR: Failed to fetch organizations.');
+			return 1;
+		}
+
+		$this->log('Found ' . count($orgs) . ' organization(s).');
+
+		// Step 2 & 3: For each org, find client-waas repos
+		$inventory = [];
+
+		foreach ($orgs as $org)
+		{
+			$orgName = $org['username'] ?? $org['name'] ?? '';
+
+			if ($orgName === '')
+			{
+				continue;
+			}
+
+			$repos = $this->fetchOrgRepos($orgName);
+
+			if ($repos === null)
+			{
+				$this->log("WARNING: Could not fetch repos for org: {$orgName}");
+				continue;
+			}
+
+			foreach ($repos as $repo)
+			{
+				$repoName = $repo['name'] ?? '';
+
+				if (strpos($repoName, 'client-waas') === false)
+				{
+					continue;
+				}
+
+				$hasDevConfig = $this->checkVariables($orgName, $repoName, ['DEV_SYNC_HOST', 'DEV_SYNC_PATH']);
+				$hasLiveConfig = $this->checkVariables($orgName, $repoName, ['LIVE_SSH_HOST', 'LIVE_SYNC_PATH']);
+
+				$lastPush = $repo['updated_at'] ?? 'unknown';
+
+				if ($lastPush !== 'unknown')
+				{
+					$lastPush = substr($lastPush, 0, 19);
+				}
+
+				$status = 'OK';
+
+				if (!$hasDevConfig && !$hasLiveConfig)
+				{
+					$status = 'UNCONFIGURED';
+				}
+				elseif (!$hasDevConfig)
+				{
+					$status = 'NO DEV';
+				}
+				elseif (!$hasLiveConfig)
+				{
+					$status = 'NO LIVE';
+				}
+
+				$inventory[] = [
+					'org'            => $orgName,
+					'repo'           => $repoName,
+					'has_dev_config' => $hasDevConfig,
+					'has_live_config' => $hasLiveConfig,
+					'last_push'      => $lastPush,
+					'status'         => $status,
+				];
+			}
+		}
+
+		// Output results
+		if ($this->jsonOutput)
+		{
+			fwrite(STDOUT, json_encode($inventory, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . PHP_EOL);
+			return 0;
+		}
+
+		if (count($inventory) === 0)
+		{
+			$this->log('No client-waas repos found.');
+			return 0;
+		}
+
+		// Print table
+		$this->log('');
+		$this->log(sprintf(
+			'%-20s | %-35s | %-10s | %-11s | %-19s | %s',
+			'Org', 'Repo', 'Dev Config', 'Live Config', 'Last Push', 'Status'
+		));
+		$this->log(str_repeat('-', 120));
+
+		foreach ($inventory as $entry)
+		{
+			$this->log(sprintf(
+				'%-20s | %-35s | %-10s | %-11s | %-19s | %s',
+				$entry['org'],
+				$entry['repo'],
+				$entry['has_dev_config'] ? 'Yes' : 'No',
+				$entry['has_live_config'] ? 'Yes' : 'No',
+				$entry['last_push'],
+				$entry['status']
+			));
+		}
+
+		$this->log('');
+		$this->log('Total: ' . count($inventory) . ' client-waas repo(s).');
+
+		return 0;
+	}
+
+	private function parseArgs(): void
+	{
+		$args = $_SERVER['argv'] ?? [];
+		$count = count($args);
+
+		for ($i = 1; $i < $count; $i++)
+		{
+			switch ($args[$i])
+			{
+				case '--gitea-url':
+					$this->giteaUrl = rtrim($args[++$i] ?? '', '/');
+					break;
+				case '--token':
+					$this->token = $args[++$i] ?? '';
+					break;
+				case '--json':
+					$this->jsonOutput = true;
+					break;
+				case '--help':
+				case '-h':
+					$this->printUsage();
+					exit(0);
+				default:
+					$this->log("WARNING: Unknown argument: {$args[$i]}");
+					break;
+			}
+		}
+	}
+
+	private function printUsage(): void
+	{
+		$this->log('Usage: client_inventory.php --token <token> [options]');
+		$this->log('');
+		$this->log('Options:');
+		$this->log('  --gitea-url <url>    Gitea URL (default: https://git.mokoconsulting.tech)');
+		$this->log('  --token <token>      Gitea API token');
+		$this->log('  --json               Output results as JSON');
+		$this->log('  --help, -h           Show this help');
+	}
+
+	private function fetchOrgs(): ?array
+	{
+		// Try admin endpoint first, fall back to user-visible orgs
+		$response = $this->apiRequest('GET', '/api/v1/admin/orgs?limit=50');
+
+		if ($response['code'] >= 200 && $response['code'] < 300)
+		{
+			$data = json_decode($response['body'], true);
+
+			if (is_array($data))
+			{
+				return $data;
+			}
+		}
+
+		$this->log('Admin orgs endpoint unavailable, falling back to user orgs...');
+
+		$response = $this->apiRequest('GET', '/api/v1/user/orgs?limit=50');
+
+		if ($response['code'] >= 200 && $response['code'] < 300)
+		{
+			$data = json_decode($response['body'], true);
+
+			if (is_array($data))
+			{
+				return $data;
+			}
+		}
+
+		return null;
+	}
+
+	private function fetchOrgRepos(string $org): ?array
+	{
+		$page = 1;
+		$allRepos = [];
+
+		while (true)
+		{
+			$response = $this->apiRequest('GET', "/api/v1/orgs/{$org}/repos?limit=50&page={$page}");
+
+			if ($response['code'] < 200 || $response['code'] >= 300)
+			{
+				return $page === 1 ? null : $allRepos;
+			}
+
+			$data = json_decode($response['body'], true);
+
+			if (!is_array($data) || count($data) === 0)
+			{
+				break;
+			}
+
+			$allRepos = array_merge($allRepos, $data);
+			$page++;
+		}
+
+		return $allRepos;
+	}
+
+	private function checkVariables(string $org, string $repo, array $requiredVars): bool
+	{
+		$response = $this->apiRequest('GET', "/api/v1/repos/{$org}/{$repo}/actions/variables");
+
+		if ($response['code'] < 200 || $response['code'] >= 300)
+		{
+			return false;
+		}
+
+		$data = json_decode($response['body'], true);
+
+		if (!is_array($data))
+		{
+			return false;
+		}
+
+		$existingVars = [];
+
+		foreach ($data as $variable)
+		{
+			if (isset($variable['name']))
+			{
+				$existingVars[] = $variable['name'];
+			}
+		}
+
+		foreach ($requiredVars as $var)
+		{
+			if (!in_array($var, $existingVars, true))
+			{
+				return false;
+			}
+		}
+
+		return true;
+	}
+
+	private function apiRequest(string $method, string $endpoint, ?string $body = null): array
+	{
+		$url = $this->giteaUrl . $endpoint;
+
+		$ch = curl_init();
+		curl_setopt($ch, CURLOPT_URL, $url);
+		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
+		curl_setopt($ch, CURLOPT_HTTPHEADER, [
+			'Content-Type: application/json',
+			'Accept: application/json',
+			"Authorization: token {$this->token}",
+		]);
+
+		if ($body !== null)
+		{
+			curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
+		}
+
+		$responseBody = curl_exec($ch);
+		$httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+
+		if (curl_errno($ch))
+		{
+			$error = curl_error($ch);
+			curl_close($ch);
+
+			return ['code' => 0, 'body' => "cURL error: {$error}"];
+		}
+
+		curl_close($ch);
+
+		return ['code' => $httpCode, 'body' => $responseBody];
+	}
+
+	private function log(string $message): void
+	{
+		fwrite(STDERR, $message . PHP_EOL);
+	}
+}
+
+$app = new ClientInventory();
+exit($app->run());
@@ -7,11 +7,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/create_project.php
- * VERSION: 04.06.00
 * BRIEF: Create baseline GitHub Projects for repositories with standard fields and views
 *
 * USAGE
@@ -163,7 +162,7 @@ function restGet(string $path, string $token, ?\MokoEnterprise\ApiClient $apiCli
 function detectPlatform(string $org, string $repo, string $token, ?\MokoEnterprise\ApiClient $apiClient = null): string
 {
 	// Try platform metadata dir first, then root
-	foreach (['.github/.mokostandards', '.gitea/.mokostandards', '.mokostandards'] as $path) {
+	foreach (['.github/.mokostandards', '.mokogitea/.mokostandards', '.mokostandards'] as $path) {
 		$data = restGet("repos/{$org}/{$repo}/contents/{$path}", $token, $apiClient);
 		if (!empty($data['content'])) {
 			$content = base64_decode($data['content']);
@@ -7,11 +7,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/create_repo.php
- * VERSION: 04.06.10
 * BRIEF: Scaffold a new governed repository with full MokoStandards baseline
 *
 * USAGE
@@ -159,10 +158,9 @@ SPDX-License-Identifier: GPL-3.0-or-later

 # FILE INFORMATION
 DEFGROUP: {$name}
-INGROUP: MokoStandards
+INGROUP: moko-platform
 REPO: {$repoUrl}
 PATH: /README.md
-VERSION: 01.00.00
 BRIEF: {$description}
 -->

@@ -0,0 +1,97 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/dev_branch_reset.php
+ * BRIEF: Delete and recreate dev branch from main via Gitea API
+ *
+ * Usage:
+ *   php dev_branch_reset.php --token TOKEN --api-base URL
+ *   php dev_branch_reset.php --token TOKEN --api-base URL --branch dev --from main
+ *
+ * Options:
+ *   --token          Gitea API token (required)
+ *   --api-base       Gitea API base URL (required)
+ *   --branch         Branch to reset (default: dev)
+ *   --from           Source branch (default: main)
+ *   --output-summary Write to $GITHUB_STEP_SUMMARY
+ */
+
+declare(strict_types=1);
+
+$token = null;
+$apiBase = null;
+$branch = 'dev';
+$from = 'main';
+$outputSummary = false;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--token' && isset($argv[$i + 1])) $token = $argv[$i + 1];
+	if ($arg === '--api-base' && isset($argv[$i + 1])) $apiBase = $argv[$i + 1];
+	if ($arg === '--branch' && isset($argv[$i + 1])) $branch = $argv[$i + 1];
+	if ($arg === '--from' && isset($argv[$i + 1])) $from = $argv[$i + 1];
+	if ($arg === '--output-summary') $outputSummary = true;
+}
+
+if ($token === null) $token = getenv('GA_TOKEN') ?: getenv('GITEA_TOKEN') ?: null;
+
+if ($token === null || $apiBase === null) {
+	fwrite(STDERR, "Usage: dev_branch_reset.php --token TOKEN --api-base URL [--branch dev] [--from main]\n");
+	exit(1);
+}
+
+// Delete branch (tolerate 404)
+$ch = curl_init("{$apiBase}/branches/{$branch}");
+curl_setopt_array($ch, [
+	CURLOPT_CUSTOMREQUEST => 'DELETE',
+	CURLOPT_RETURNTRANSFER => true,
+	CURLOPT_HTTPHEADER => ["Authorization: token {$token}"],
+	CURLOPT_TIMEOUT => 30,
+]);
+curl_exec($ch);
+$delCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+if ($delCode === 204 || $delCode === 200) {
+	echo "Deleted branch '{$branch}'\n";
+} elseif ($delCode === 404) {
+	echo "Branch '{$branch}' did not exist (skipped delete)\n";
+} else {
+	fwrite(STDERR, "WARNING: Delete branch returned HTTP {$delCode}\n");
+}
+
+// Create branch from source
+$payload = json_encode(['new_branch_name' => $branch, 'old_branch_name' => $from]);
+$ch = curl_init("{$apiBase}/branches");
+curl_setopt_array($ch, [
+	CURLOPT_POST => true,
+	CURLOPT_RETURNTRANSFER => true,
+	CURLOPT_HTTPHEADER => ["Authorization: token {$token}", "Content-Type: application/json"],
+	CURLOPT_POSTFIELDS => $payload,
+	CURLOPT_TIMEOUT => 30,
+]);
+$response = curl_exec($ch);
+$createCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+if ($createCode === 201) {
+	echo "Recreated '{$branch}' from '{$from}'\n";
+} else {
+	fwrite(STDERR, "Failed to create branch '{$branch}' from '{$from}' (HTTP {$createCode})\n");
+	exit(1);
+}
+
+if ($outputSummary) {
+	$summaryFile = getenv('GITHUB_STEP_SUMMARY');
+	if ($summaryFile) {
+		file_put_contents($summaryFile, "Dev branch reset: '{$branch}' recreated from '{$from}'\n", FILE_APPEND);
+	}
+}
+
+exit(0);
@@ -0,0 +1,295 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/joomla_build.php
+ * VERSION: 05.00.01
+ * BRIEF: Build a Joomla extension ZIP from manifest — all types supported
+ * NOTE: Called by pre-release and auto-release workflows.
+ *
+ * USAGE
+ *   php joomla_build.php --path . --version 02.01.24
+ *   php joomla_build.php --path . --version 02.01.24 --suffix -dev
+ *   php joomla_build.php --path . --version 02.01.24 --output build --github-output
+ *
+ * Supports: plugin, module, component, template, package, library, file
+ */
+
+declare(strict_types=1);
+
+// ── Argument parsing ────────────────────────────────────────────────────
+$path      = '.';
+$version   = '';
+$suffix    = '';
+$outputDir = 'build';
+$ghOutput  = false;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path'    && isset($argv[$i + 1])) $path      = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version   = $argv[$i + 1];
+	if ($arg === '--suffix'  && isset($argv[$i + 1])) $suffix    = $argv[$i + 1];
+	if ($arg === '--output'  && isset($argv[$i + 1])) $outputDir = $argv[$i + 1];
+	if ($arg === '--github-output')                    $ghOutput  = true;
+}
+
+if ($version === '') {
+	fwrite(STDERR, "::error::--version is required\n");
+	exit(1);
+}
+
+$path = realpath($path) ?: $path;
+
+// ── Find source directory ──────────────────────────────────────────────
+$srcDir = null;
+foreach (['src', 'htdocs'] as $d) {
+	if (is_dir("{$path}/{$d}")) { $srcDir = "{$path}/{$d}"; break; }
+}
+if ($srcDir === null) {
+	fwrite(STDERR, "::error::No src/ or htdocs/ directory in {$path}\n");
+	exit(1);
+}
+
+// ── Find manifest ──────────────────────────────────────────────────────
+$manifest = findManifest($srcDir);
+if ($manifest === null) {
+	fwrite(STDERR, "::error::No Joomla manifest found in {$srcDir}\n");
+	exit(1);
+}
+
+fwrite(STDERR, "Manifest: {$manifest}\n");
+
+// ── Parse manifest ─────────────────────────────────────────────────────
+$meta = parseManifest($manifest);
+
+// Resolve language-key names (e.g. PLG_SYSTEM_MOKOWAAS -> "System - Moko WaaS")
+if (preg_match('/^[A-Z_]+$/', $meta['name'])) {
+	$resolved = resolveLanguageKey($srcDir, $meta['name']);
+	if ($resolved !== null) { $meta['name'] = $resolved; }
+}
+
+$prefix  = typePrefix($meta);
+$zipName = "{$prefix}{$meta['element']}-{$version}{$suffix}.zip";
+$zipPath = "{$outputDir}/{$zipName}";
+
+fwrite(STDERR, "=== Joomla Build: {$meta['type']} — {$meta['element']} {$version}{$suffix} ===\n");
+fwrite(STDERR, "  Type:    {$meta['type']}\n");
+fwrite(STDERR, "  Element: {$meta['element']}\n");
+fwrite(STDERR, "  Group:   " . ($meta['group'] ?: 'n/a') . "\n");
+fwrite(STDERR, "  Name:    {$meta['name']}\n");
+fwrite(STDERR, "  Output:  {$zipName}\n");
+
+// ── Build ──────────────────────────────────────────────────────────────
+if (!is_dir($outputDir)) { mkdir($outputDir, 0755, true); }
+
+if ($meta['type'] === 'package') {
+	buildPackageZip($srcDir, $zipPath);
+} else {
+	buildZip($srcDir, $zipPath);
+}
+
+$sha256 = hash_file('sha256', $zipPath);
+$size   = filesize($zipPath);
+
+fwrite(STDERR, "Package: {$zipPath} ({$size} bytes, SHA: " . substr($sha256, 0, 16) . "...)\n");
+
+// ── Output variables ───────────────────────────────────────────────────
+$vars = [
+	'zip_name'    => $zipName,
+	'zip_path'    => $zipPath,
+	'sha256'      => $sha256,
+	'ext_type'    => $meta['type'],
+	'ext_element' => $meta['element'],
+	'ext_name'    => $meta['name'],
+	'ext_group'   => $meta['group'],
+	'type_prefix' => $prefix,
+];
+
+if ($ghOutput && ($ghFile = getenv('GITHUB_OUTPUT')) !== false && $ghFile !== '') {
+	$fh = fopen($ghFile, 'a');
+	foreach ($vars as $k => $v) { fwrite($fh, "{$k}={$v}\n"); }
+	fclose($fh);
+	fwrite(STDERR, "Wrote " . count($vars) . " outputs to GITHUB_OUTPUT\n");
+} else {
+	foreach ($vars as $k => $v) { echo "{$k}={$v}\n"; }
+}
+
+exit(0);
+
+// ═══════════════════════════════════════════════════════════════════════
+// Functions
+// ═══════════════════════════════════════════════════════════════════════
+
+function findManifest(string $dir): ?string
+{
+	// Priority: pkg_*.xml (packages), then any *.xml with <extension>
+	foreach (glob("{$dir}/pkg_*.xml") ?: [] as $f) { return $f; }
+	foreach (glob("{$dir}/*.xml") ?: [] as $f) {
+		if (str_contains((string) file_get_contents($f), '<extension')) { return $f; }
+	}
+	// Broader nested search
+	$iter = new RecursiveIteratorIterator(
+		new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
+		RecursiveIteratorIterator::SELF_FIRST
+	);
+	foreach ($iter as $item) {
+		if ($item->isFile() && $item->getExtension() === 'xml') {
+			if (str_contains((string) file_get_contents($item->getPathname()), '<extension')) {
+				return $item->getPathname();
+			}
+		}
+	}
+	return null;
+}
+
+function parseManifest(string $file): array
+{
+	$xml     = simplexml_load_file($file);
+	$name    = (string) ($xml->name ?? '');
+	$type    = (string) ($xml->attributes()->type ?? 'component');
+	$element = (string) ($xml->element ?? '');
+	$group   = (string) ($xml->attributes()->group ?? '');
+
+	// Fallback element detection
+	if ($element === '') { $element = (string) ($xml->attributes()->plugin ?? ''); }
+	if ($element === '') { $element = (string) ($xml->attributes()->module ?? ''); }
+	if ($element === '') {
+		$element = strtolower(basename($file, '.xml'));
+		if (in_array($element, ['templatedetails', 'manifest'], true)) {
+			$element = strtolower(basename(dirname($file)));
+		}
+	}
+	if ($name === '') { $name = $element; }
+
+	return compact('name', 'type', 'element', 'group');
+}
+
+function typePrefix(array $meta): string
+{
+	return match ($meta['type']) {
+		'plugin'    => "plg_{$meta['group']}_",
+		'module'    => 'mod_',
+		'component' => 'com_',
+		'template'  => 'tpl_',
+		'package'   => 'pkg_',
+		'library'   => 'lib_',
+		default     => '',
+	};
+}
+
+function resolveLanguageKey(string $srcDir, string $key): ?string
+{
+	$iter = new RecursiveIteratorIterator(
+		new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS)
+	);
+	foreach ($iter as $item) {
+		if ($item->isFile() && str_ends_with($item->getFilename(), '.sys.ini')) {
+			foreach (file($item->getPathname()) as $line) {
+				if (preg_match('/^' . preg_quote($key, '/') . '="(.+)"/', trim($line), $m)) {
+					return $m[1];
+				}
+			}
+		}
+	}
+	return null;
+}
+
+function isExcluded(string $name): bool
+{
+	if ($name === '.ftpignore') return true;
+	if (str_starts_with($name, 'sftp-config')) return true;
+	if (str_starts_with($name, '.env')) return true;
+	if (str_starts_with($name, '.build-trigger')) return true;
+	$ext = pathinfo($name, PATHINFO_EXTENSION);
+	return in_array($ext, ['ppk', 'pem', 'key', 'local'], true);
+}
+
+function buildZip(string $srcDir, string $outPath): void
+{
+	$zip = new ZipArchive();
+	if ($zip->open($outPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
+		fwrite(STDERR, "::error::Cannot create ZIP: {$outPath}\n");
+		exit(1);
+	}
+	$iter = new RecursiveIteratorIterator(
+		new RecursiveDirectoryIterator($srcDir, FilesystemIterator::SKIP_DOTS),
+		RecursiveIteratorIterator::SELF_FIRST
+	);
+	foreach ($iter as $file) {
+		$local = str_replace('\\', '/', substr($file->getPathname(), strlen($srcDir) + 1));
+		if (isExcluded(basename($local))) continue;
+		$file->isDir() ? $zip->addEmptyDir($local) : $zip->addFile($file->getPathname(), $local);
+	}
+	$zip->close();
+}
+
+function buildPackageZip(string $srcDir, string $outPath): void
+{
+	fwrite(STDERR, "Building Joomla package (multi-extension)...\n");
+	$staging = sys_get_temp_dir() . '/moko_pkg_' . uniqid();
+	mkdir($staging, 0755, true);
+
+	// 1. Zip each sub-extension in packages/
+	$packagesDir = "{$srcDir}/packages";
+	if (is_dir($packagesDir)) {
+		foreach (glob("{$packagesDir}/*", GLOB_ONLYDIR) as $extDir) {
+			$subManifest = findManifest($extDir);
+			if ($subManifest) {
+				$sub = parseManifest($subManifest);
+				$subPrefix = typePrefix($sub);
+				$subZipName = "{$subPrefix}{$sub['element']}.zip";
+			} else {
+				$subZipName = basename($extDir) . '.zip';
+			}
+
+			fwrite(STDERR, "  Sub-extension: {$subZipName}\n");
+			buildZip($extDir, "{$staging}/{$subZipName}");
+		}
+	}
+
+	// 2. Copy package-level files (manifest, script, language)
+	foreach (glob("{$srcDir}/*.xml") ?: [] as $f) copy($f, "{$staging}/" . basename($f));
+	foreach (glob("{$srcDir}/*.php") ?: [] as $f) copy($f, "{$staging}/" . basename($f));
+	foreach (['language', 'administrator'] as $d) {
+		if (is_dir("{$srcDir}/{$d}")) {
+			copyTree("{$srcDir}/{$d}", "{$staging}/{$d}");
+		}
+	}
+
+	// 3. Create outer zip
+	buildZip($staging, $outPath);
+
+	// Cleanup
+	rmTree($staging);
+}
+
+function copyTree(string $src, string $dst): void
+{
+	if (!is_dir($dst)) mkdir($dst, 0755, true);
+	$iter = new RecursiveIteratorIterator(
+		new RecursiveDirectoryIterator($src, FilesystemIterator::SKIP_DOTS),
+		RecursiveIteratorIterator::SELF_FIRST
+	);
+	foreach ($iter as $item) {
+		$target = "{$dst}/" . $iter->getSubPathname();
+		$item->isDir() ? (is_dir($target) || mkdir($target, 0755, true)) : copy($item->getPathname(), $target);
+	}
+}
+
+function rmTree(string $dir): void
+{
+	if (!is_dir($dir)) return;
+	$iter = new RecursiveIteratorIterator(
+		new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
+		RecursiveIteratorIterator::CHILD_FIRST
+	);
+	foreach ($iter as $item) {
+		$item->isDir() ? rmdir($item->getPathname()) : unlink($item->getPathname());
+	}
+	rmdir($dir);
+}
@@ -7,11 +7,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/joomla_release.php
- * VERSION: 04.06.00
 * BRIEF: Joomla release pipeline — build ZIP+tar.gz, upload to GitHub Release, update updates.xml
 *
 * USAGE
@@ -118,14 +117,21 @@ class JoomlaRelease extends CLIApp
            return 1;
        }

-        $zipName = "{$meta['element']}-{$displayVersion}.zip";
-        $tarName = "{$meta['element']}-{$displayVersion}.tar.gz";
+        $prefix  = $this->typePrefix($meta);
+        $zipName = "{$prefix}{$meta['element']}-{$displayVersion}.zip";
+        $tarName = "{$prefix}{$meta['element']}-{$displayVersion}.tar.gz";
        $zipPath = sys_get_temp_dir() . "/{$zipName}";
        $tarPath = sys_get_temp_dir() . "/{$tarName}";

+        $this->log('INFO', "Type: {$meta['type']}  |  Element: {$meta['element']}  |  Group: {$meta['group']}");
+
        $sha256 = 'dry-run';
        if (!$dryRun) {
-            $this->buildZip($srcDir, $zipPath);
+            if ($meta['type'] === 'package') {
+                $this->buildPackageZip($srcDir, $zipPath);
+            } else {
+                $this->buildZip($srcDir, $zipPath);
+            }
            $this->buildTarGz($srcDir, $tarPath);
            $sha256 = hash_file('sha256', $zipPath);
            $this->log('SUCCESS', "ZIP: {$zipName} (" . filesize($zipPath) . " bytes)");
@@ -228,6 +234,94 @@ class JoomlaRelease extends CLIApp

    // ── Package building ─────────────────────────────────────────────

+
+    /**
+     * Get the Joomla type prefix for ZIP naming.
+     *
+     * @param  array $meta  Parsed manifest metadata
+     * @return string  Prefix like "plg_system_", "mod_", "com_", etc.
+     */
+    private function typePrefix(array $meta): string
+    {
+        return match ($meta['type']) {
+            'plugin'    => "plg_{$meta['group']}_",
+            'module'    => 'mod_',
+            'component' => 'com_',
+            'template'  => 'tpl_',
+            'package'   => 'pkg_',
+            'library'   => 'lib_',
+            default     => '',
+        };
+    }
+
+    /**
+     * Build a Joomla package ZIP (type="package") with nested sub-extension zips.
+     *
+     * @param  string $srcDir   Source directory containing pkg_*.xml and packages/
+     * @param  string $outPath  Output ZIP path
+     */
+    private function buildPackageZip(string $srcDir, string $outPath): void
+    {
+        $staging = sys_get_temp_dir() . '/moko_pkg_' . uniqid();
+        mkdir($staging, 0755, true);
+
+        // 1. Zip each sub-extension in packages/
+        $packagesDir = $srcDir . '/packages';
+        if (is_dir($packagesDir)) {
+            foreach (glob("{$packagesDir}/*", GLOB_ONLYDIR) as $extDir) {
+                $subManifest = null;
+                foreach (glob("{$extDir}/*.xml") as $xml) {
+                    if (str_contains(file_get_contents($xml), '<extension')) {
+                        $subManifest = $xml;
+                        break;
+                    }
+                }
+
+                if ($subManifest) {
+                    $sub = $this->parseManifest($subManifest);
+                    $prefix = $this->typePrefix($sub);
+                    $subZipName = "{$prefix}{$sub['element']}.zip";
+                } else {
+                    $subZipName = basename($extDir) . '.zip';
+                }
+
+                $this->log('INFO', "  Sub-extension: {$subZipName}");
+                $this->buildZip($extDir, "{$staging}/{$subZipName}");
+            }
+        }
+
+        // 2. Copy package-level files (manifest, script, language)
+        foreach (glob("{$srcDir}/*.xml") as $f) { copy($f, "{$staging}/" . basename($f)); }
+        foreach (glob("{$srcDir}/*.php") as $f) { copy($f, "{$staging}/" . basename($f)); }
+        foreach (['language', 'administrator'] as $d) {
+            if (is_dir("{$srcDir}/{$d}")) {
+                $this->copyDir("{$srcDir}/{$d}", "{$staging}/{$d}");
+            }
+        }
+
+        // 3. Create the outer zip
+        $this->buildZip($staging, $outPath);
+
+        // Cleanup
+        $this->rmdir($staging);
+    }
+
+    /**
+     * Recursively copy a directory.
+     */
+    private function copyDir(string $src, string $dst): void
+    {
+        if (!is_dir($dst)) { mkdir($dst, 0755, true); }
+        $iter = new \RecursiveIteratorIterator(
+            new \RecursiveDirectoryIterator($src, \FilesystemIterator::SKIP_DOTS),
+            \RecursiveIteratorIterator::SELF_FIRST
+        );
+        foreach ($iter as $item) {
+            $target = $dst . '/' . $iter->getSubPathname();
+            $item->isDir() ? (is_dir($target) || mkdir($target, 0755, true)) : copy($item->getPathname(), $target);
+        }
+    }
+
    private function buildZip(string $srcDir, string $outPath): void
    {
        $zip = new \ZipArchive();
@@ -0,0 +1,173 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/manifest_read.php
+ * VERSION: 04.09.00
+ * BRIEF: Parse .manifest.xml and output requested field(s) for CI consumption
+ *
+ * Usage:
+ *   php manifest_read.php --path /repo --field platform
+ *   php manifest_read.php --path /repo --field entry-point
+ *   php manifest_read.php --path /repo --all
+ *   php manifest_read.php --path /repo --github-output
+ *
+ * Fields: name, org, description, license, license-spdx, platform,
+ *         standards-version, standards-source, language, package-type, entry-point,
+ *         source-dir, remote-subdir, excludes, dev-host, demo-host
+ *
+ * --all             Print all fields as KEY=VALUE lines
+ * --github-output   Append all fields to $GITHUB_OUTPUT (for Gitea/GitHub Actions)
+ * --json            Output all fields as JSON
+ * --field <name>    Print a single field value (no key, just value)
+ */
+
+declare(strict_types=1);
+
+// -- Argument parsing ---------------------------------------------------------
+$path  = '.';
+$field = null;
+$mode  = 'field';  // field | all | github-output | json
+
+foreach ($argv as $i => $arg) {
+    if ($arg === '--path'  && isset($argv[$i + 1])) $path  = $argv[$i + 1];
+    if ($arg === '--field' && isset($argv[$i + 1])) $field = $argv[$i + 1];
+    if ($arg === '--all')           $mode = 'all';
+    if ($arg === '--github-output') $mode = 'github-output';
+    if ($arg === '--json')          $mode = 'json';
+}
+
+// -- Locate manifest ----------------------------------------------------------
+$root = realpath($path) ?: $path;
+$manifestFile = null;
+
+// Priority: manifest.xml (current standard)
+$candidates = [
+    "{$root}/.mokogitea/manifest.xml",
+    "{$root}/.mokogitea/.manifest.xml",    // legacy (dot-prefixed)
+    "{$root}/.mokogitea/.moko-platform",  // legacy v4
+];
+
+foreach ($candidates as $candidate) {
+    if (file_exists($candidate)) {
+        $manifestFile = $candidate;
+        break;
+    }
+}
+
+if ($manifestFile === null) {
+    fwrite(STDERR, "No manifest found in {$root}
+");
+    exit(1);
+}
+
+// -- Parse XML ----------------------------------------------------------------
+$xml = @simplexml_load_file($manifestFile);
+
+if ($xml === false) {
+    // Fallback: try YAML format (.mokostandards legacy)
+    $content = file_get_contents($manifestFile);
+    $fields = [];
+    if (preg_match('/^platform:\s*(.+)/m', $content, $m)) {
+        $fields['platform'] = trim($m[1], " 	
+
+\"'");
+    }
+    if (preg_match('/^standards_version:\s*(.+)/m', $content, $m)) {
+        $fields['standards-version'] = trim($m[1], " 	
+
+\"'");
+    }
+    if (preg_match('/^governed_repo:\s*(.+)/m', $content, $m)) {
+        $fields['name'] = trim($m[1], " 	
+
+\"'");
+    }
+} else {
+    // Register namespace for XPath (optional, simple path works without)
+    $fields = [
+        'name'              => (string)($xml->identity->name ?? ''),
+        'org'               => (string)($xml->identity->org ?? ''),
+        'description'       => (string)($xml->identity->description ?? ''),
+        'license'           => (string)($xml->identity->license ?? ''),
+        'license-spdx'      => (string)($xml->identity->license['spdx'] ?? ''),
+        'platform'          => (string)($xml->governance->platform ?? ''),
+        'standards-version' => (string)($xml->governance->{"standards-version"} ?? ''),
+        'standards-source'  => (string)($xml->governance->{"standards-source"} ?? ''),
+        'language'          => (string)($xml->build->language ?? ''),
+        'package-type'      => (string)($xml->build->{"package-type"} ?? ''),
+        'entry-point'       => (string)($xml->build->{"entry-point"} ?? ''),
+        'source-dir'        => (string)($xml->deploy->{"source-dir"} ?? ''),
+        'remote-subdir'     => (string)($xml->deploy->{"remote-subdir"} ?? ''),
+        'excludes'          => (string)($xml->deploy->excludes ?? ''),
+        'dev-host'          => (string)($xml->deploy->{"dev-host"} ?? ''),
+        'demo-host'         => (string)($xml->deploy->{"demo-host"} ?? ''),
+        'manifest-file'     => $manifestFile,
+    ];
+}
+
+// Strip empty values for cleaner output
+$fields = array_filter($fields, fn($v) => $v !== '');
+
+// -- Output -------------------------------------------------------------------
+switch ($mode) {
+    case 'field':
+        if ($field === null) {
+            fwrite(STDERR, "Usage: manifest_read.php --path <dir> --field <name>
+");
+            fwrite(STDERR, "       manifest_read.php --path <dir> --all
+");
+            fwrite(STDERR, "       manifest_read.php --path <dir> --json
+");
+            fwrite(STDERR, "       manifest_read.php --path <dir> --github-output
+");
+            exit(2);
+        }
+        echo ($fields[$field] ?? '') . "
+";
+        break;
+
+    case 'all':
+        foreach ($fields as $k => $v) {
+            echo "{$k}={$v}
+";
+        }
+        break;
+
+    case 'json':
+        echo json_encode($fields, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "
+";
+        break;
+
+    case 'github-output':
+        $outputFile = getenv('GITHUB_OUTPUT');
+        if ($outputFile === false || $outputFile === '') {
+            fwrite(STDERR, "GITHUB_OUTPUT not set — printing to stdout instead
+");
+            foreach ($fields as $k => $v) {
+                // Convert field-name to FIELD_NAME for env var style
+                $envKey = str_replace('-', '_', $k);
+                echo "{$envKey}={$v}
+";
+            }
+        } else {
+            $fh = fopen($outputFile, 'a');
+            foreach ($fields as $k => $v) {
+                $envKey = str_replace('-', '_', $k);
+                fwrite($fh, "{$envKey}={$v}
+");
+            }
+            fclose($fh);
+            fwrite(STDERR, "Wrote " . count($fields) . " fields to GITHUB_OUTPUT
+");
+        }
+        break;
+}
+
+exit(0);
@@ -0,0 +1,288 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/package_build.php
+ * BRIEF: Build ZIP and tar.gz install packages for Joomla/Dolibarr/generic projects
+ *
+ * Usage:
+ *   php package_build.php --path /repo --version 04.01.00
+ *   php package_build.php --path /repo --version 04.01.00 --output-dir /tmp
+ *   php package_build.php --path /repo --version 04.01.00 --github-output
+ *
+ * Options:
+ *   --path          Repository root (default: .)
+ *   --version       Version string (required)
+ *   --output-dir    Directory for built packages (default: /tmp)
+ *   --type-prefix   Override type prefix (e.g. plg_system_)
+ *   --element       Override element name
+ *   --github-output Export zip_name, tar_name, sha256_zip, sha256_tar to $GITHUB_OUTPUT
+ *
+ * NOTE: Uses PHP exec() with escapeshellarg() for tar — all arguments are escaped.
+ */
+
+declare(strict_types=1);
+
+$path = '.';
+$version = null;
+$outputDir = '/tmp';
+$typePrefixOverride = null;
+$elementOverride = null;
+$githubOutput = false;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path' && isset($argv[$i + 1])) $path = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
+	if ($arg === '--output-dir' && isset($argv[$i + 1])) $outputDir = $argv[$i + 1];
+	if ($arg === '--type-prefix' && isset($argv[$i + 1])) $typePrefixOverride = $argv[$i + 1];
+	if ($arg === '--element' && isset($argv[$i + 1])) $elementOverride = $argv[$i + 1];
+	if ($arg === '--github-output') $githubOutput = true;
+}
+
+if ($version === null) {
+	fwrite(STDERR, "Usage: package_build.php --path . --version XX.YY.ZZ [--output-dir /tmp]\n");
+	exit(1);
+}
+
+$root = realpath($path) ?: $path;
+
+// -- Determine source directory -----------------------------------------------
+$sourceDir = null;
+foreach (['src', 'htdocs'] as $candidate) {
+	if (is_dir("{$root}/{$candidate}")) {
+		$sourceDir = "{$root}/{$candidate}";
+		break;
+	}
+}
+
+if ($sourceDir === null) {
+	fwrite(STDERR, "No src/ or htdocs/ directory found in {$root}\n");
+	exit(1);
+}
+
+// -- Determine element and type prefix from manifest --------------------------
+$extElement = $elementOverride;
+$typePrefix = $typePrefixOverride ?? '';
+$extType = '';
+$isPackage = false;
+
+if ($extElement === null || $typePrefixOverride === null) {
+	// Find manifest
+	$manifest = null;
+	foreach (glob("{$sourceDir}/pkg_*.xml") ?: [] as $f) {
+		if (strpos(file_get_contents($f), '<extension') !== false) {
+			$manifest = $f;
+			break;
+		}
+	}
+	if ($manifest === null) {
+		foreach (glob("{$sourceDir}/*.xml") ?: [] as $f) {
+			if (strpos(file_get_contents($f), '<extension') !== false) {
+				$manifest = $f;
+				break;
+			}
+		}
+	}
+
+	if ($manifest !== null) {
+		$xml = file_get_contents($manifest);
+
+		if ($extElement === null) {
+			if (preg_match('/<element>([^<]+)<\/element>/', $xml, $m)) $extElement = $m[1];
+			elseif (preg_match('/plugin="([^"]+)"/', $xml, $m)) $extElement = $m[1];
+			elseif (preg_match('/module="([^"]+)"/', $xml, $m)) $extElement = $m[1];
+			else $extElement = strtolower(pathinfo($manifest, PATHINFO_FILENAME));
+		}
+
+		if (preg_match('/<extension[^>]*type="([^"]+)"/', $xml, $m)) $extType = $m[1];
+		$extFolder = '';
+		if (preg_match('/<extension[^>]*group="([^"]+)"/', $xml, $m)) $extFolder = $m[1];
+
+		if ($typePrefixOverride === null) {
+			switch ($extType) {
+				case 'plugin':    $typePrefix = "plg_{$extFolder}_"; break;
+				case 'module':    $typePrefix = 'mod_'; break;
+				case 'component': $typePrefix = 'com_'; break;
+				case 'template':  $typePrefix = 'tpl_'; break;
+				case 'library':   $typePrefix = 'lib_'; break;
+				case 'package':   $typePrefix = 'pkg_'; break;
+			}
+		}
+
+		$isPackage = ($extType === 'package' && is_dir("{$sourceDir}/packages"));
+	}
+}
+
+if ($extElement === null) {
+	$extElement = strtolower(basename($root));
+}
+
+$zipName = "{$typePrefix}{$extElement}-{$version}.zip";
+$tarName = "{$typePrefix}{$extElement}-{$version}.tar.gz";
+$zipPath = "{$outputDir}/{$zipName}";
+$tarPath = "{$outputDir}/{$tarName}";
+
+// -- Exclude patterns ---------------------------------------------------------
+$excludePatterns = [
+	'.ftpignore',
+	'sftp-config*',
+	'*.ppk',
+	'*.pem',
+	'*.key',
+	'.env*',
+];
+
+// -- Build packages -----------------------------------------------------------
+if ($isPackage) {
+	echo "=== Building Joomla PACKAGE (multi-extension) ===\n";
+
+	$stagingDir = sys_get_temp_dir() . '/moko-pkg-' . uniqid();
+	mkdir($stagingDir, 0755, true);
+
+	// ZIP each sub-extension
+	foreach (glob("{$sourceDir}/packages/*/") ?: [] as $extDir) {
+		$subName = basename($extDir);
+		echo "  Packaging sub-extension: {$subName}\n";
+
+		$subZip = new ZipArchive();
+		$subZipPath = "{$stagingDir}/{$subName}.zip";
+		if ($subZip->open($subZipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
+			fwrite(STDERR, "Failed to create ZIP for {$subName}\n");
+			continue;
+		}
+
+		addDirectoryToZip($subZip, $extDir, '', $excludePatterns);
+		$subZip->close();
+	}
+
+	// Copy package-level files
+	foreach (array_merge(glob("{$sourceDir}/*.xml") ?: [], glob("{$sourceDir}/*.php") ?: []) as $f) {
+		copy($f, "{$stagingDir}/" . basename($f));
+	}
+
+	// Create ZIP from staging
+	$zip = new ZipArchive();
+	if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
+		fwrite(STDERR, "Failed to create ZIP: {$zipPath}\n");
+		exit(1);
+	}
+	addDirectoryToZip($zip, $stagingDir, '', []);
+	$zip->close();
+
+	// Create tar.gz — all arguments are escaped via escapeshellarg()
+	$tarCmd = sprintf(
+		'tar -czf %s -C %s .',
+		escapeshellarg($tarPath),
+		escapeshellarg($stagingDir)
+	);
+	passthru($tarCmd, $tarReturn);
+
+	// Cleanup staging
+	$cleanCmd = sprintf('rm -rf %s', escapeshellarg($stagingDir));
+	passthru($cleanCmd);
+
+} else {
+	echo "=== Building standard extension package ===\n";
+
+	// ZIP
+	$zip = new ZipArchive();
+	if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
+		fwrite(STDERR, "Failed to create ZIP: {$zipPath}\n");
+		exit(1);
+	}
+	addDirectoryToZip($zip, $sourceDir, '', $excludePatterns);
+	$zip->close();
+
+	// tar.gz — all arguments are escaped via escapeshellarg()
+	$excludeArgs = '';
+	foreach ($excludePatterns as $pattern) {
+		$excludeArgs .= ' --exclude=' . escapeshellarg($pattern);
+	}
+	$tarCmd = sprintf(
+		'tar -czf %s -C %s%s .',
+		escapeshellarg($tarPath),
+		escapeshellarg($sourceDir),
+		$excludeArgs
+	);
+	passthru($tarCmd, $tarReturn);
+}
+
+// -- Calculate SHA-256 --------------------------------------------------------
+$sha256Zip = hash_file('sha256', $zipPath);
+$sha256Tar = file_exists($tarPath) ? hash_file('sha256', $tarPath) : '';
+
+$zipSize = filesize($zipPath);
+$tarSize = file_exists($tarPath) ? filesize($tarPath) : 0;
+
+echo "\n";
+echo "ZIP: {$zipName} ({$zipSize} bytes)\n";
+echo "  SHA-256: {$sha256Zip}\n";
+if ($tarSize > 0) {
+	echo "TAR: {$tarName} ({$tarSize} bytes)\n";
+	echo "  SHA-256: {$sha256Tar}\n";
+}
+
+// -- Export to GITHUB_OUTPUT --------------------------------------------------
+if ($githubOutput) {
+	$ghOutput = getenv('GITHUB_OUTPUT');
+	$lines = [
+		"zip_name={$zipName}",
+		"tar_name={$tarName}",
+		"zip_path={$zipPath}",
+		"tar_path={$tarPath}",
+		"sha256_zip={$sha256Zip}",
+		"sha256_tar={$sha256Tar}",
+		"type_prefix={$typePrefix}",
+		"ext_element={$extElement}",
+	];
+	if ($ghOutput) {
+		file_put_contents($ghOutput, implode("\n", $lines) . "\n", FILE_APPEND);
+		fwrite(STDERR, "Exported " . count($lines) . " fields to GITHUB_OUTPUT\n");
+	} else {
+		foreach ($lines as $line) echo "{$line}\n";
+	}
+}
+
+exit(0);
+
+// =============================================================================
+// Helper: recursively add directory contents to a ZipArchive
+// =============================================================================
+function addDirectoryToZip(ZipArchive $zip, string $dir, string $prefix, array $excludes): void
+{
+	$iterator = new RecursiveIteratorIterator(
+		new RecursiveDirectoryIterator($dir, RecursiveDirectoryIterator::SKIP_DOTS),
+		RecursiveIteratorIterator::SELF_FIRST
+	);
+
+	foreach ($iterator as $file) {
+		$filePath = $file->getPathname();
+		$relativePath = $prefix . substr($filePath, strlen($dir) + 1);
+
+		// Check excludes
+		$basename = basename($filePath);
+		$skip = false;
+		foreach ($excludes as $pattern) {
+			if (fnmatch($pattern, $basename)) {
+				$skip = true;
+				break;
+			}
+		}
+		if ($skip) continue;
+
+		// Normalize path separators for ZIP
+		$relativePath = str_replace('\\', '/', $relativePath);
+
+		if ($file->isDir()) {
+			$zip->addEmptyDir($relativePath);
+		} else {
+			$zip->addFile($filePath, $relativePath);
+		}
+	}
+}
@@ -5,11 +5,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/platform_detect.php
- * VERSION: 04.06.00
 * BRIEF: Detect platform from .mokostandards file — outputs platform string
 */

@@ -5,11 +5,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/release.php
- * VERSION: 04.06.00
 * BRIEF: Automate the MokoStandards version branch release flow
 *
 * USAGE
@@ -32,8 +31,8 @@ foreach ($argv as $i => $arg) {
 $repoRoot = dirname(__DIR__, 2);
 $syncFile = "{$repoRoot}/lib/Enterprise/RepositorySynchronizer.php";
 // Check both workflow directories for the bulk-repo-sync workflow
-$bulkSyncFile = file_exists("{$repoRoot}/.gitea/workflows/bulk-repo-sync.yml")
-    ? "{$repoRoot}/.gitea/workflows/bulk-repo-sync.yml"
+$bulkSyncFile = file_exists("{$repoRoot}/.mokogitea/workflows/bulk-repo-sync.yml")
+    ? "{$repoRoot}/.mokogitea/workflows/bulk-repo-sync.yml"
    : "{$repoRoot}/.github/workflows/bulk-repo-sync.yml";
 $cleanupFile = "{$repoRoot}/templates/workflows/shared/repository-cleanup.yml.template";

@@ -0,0 +1,152 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/release_body_update.php
+ * BRIEF: Update Gitea release body with changelog extract and checksums
+ *
+ * Usage:
+ *   php release_body_update.php --version 04.01.00 --release-tag stable --token TOKEN --api-base URL
+ *   php release_body_update.php --version 04.01.00 --release-tag stable --token TOKEN --api-base URL --zip-name pkg.zip --zip-sha abc123
+ *
+ * Options:
+ *   --path           Repo root for CHANGELOG.md (default: .)
+ *   --version        Version string (required)
+ *   --release-tag    Gitea release tag (required)
+ *   --token          Gitea API token (required)
+ *   --api-base       Gitea API base URL (required)
+ *   --zip-name       ZIP filename for checksum table
+ *   --tar-name       tar.gz filename for checksum table
+ *   --zip-sha        SHA256 of ZIP
+ *   --tar-sha        SHA256 of tar.gz
+ *   --output-summary Write to $GITHUB_STEP_SUMMARY
+ */
+
+declare(strict_types=1);
+
+$path = '.';
+$version = null;
+$releaseTag = null;
+$token = null;
+$apiBase = null;
+$zipName = null;
+$tarName = null;
+$zipSha = null;
+$tarSha = null;
+$outputSummary = false;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path' && isset($argv[$i + 1])) $path = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
+	if ($arg === '--release-tag' && isset($argv[$i + 1])) $releaseTag = $argv[$i + 1];
+	if ($arg === '--token' && isset($argv[$i + 1])) $token = $argv[$i + 1];
+	if ($arg === '--api-base' && isset($argv[$i + 1])) $apiBase = $argv[$i + 1];
+	if ($arg === '--zip-name' && isset($argv[$i + 1])) $zipName = $argv[$i + 1];
+	if ($arg === '--tar-name' && isset($argv[$i + 1])) $tarName = $argv[$i + 1];
+	if ($arg === '--zip-sha' && isset($argv[$i + 1])) $zipSha = $argv[$i + 1];
+	if ($arg === '--tar-sha' && isset($argv[$i + 1])) $tarSha = $argv[$i + 1];
+	if ($arg === '--output-summary') $outputSummary = true;
+}
+
+if ($token === null) $token = getenv('GA_TOKEN') ?: getenv('GITEA_TOKEN') ?: null;
+
+if ($version === null || $releaseTag === null || $token === null || $apiBase === null) {
+	fwrite(STDERR, "Usage: release_body_update.php --version VER --release-tag TAG --token TOKEN --api-base URL\n");
+	exit(1);
+}
+
+$root = realpath($path) ?: $path;
+
+// Extract changelog section for this version
+$changelog = '';
+$clFile = "{$root}/CHANGELOG.md";
+if (file_exists($clFile)) {
+	$lines = file($clFile, FILE_IGNORE_NEW_LINES);
+	$capturing = false;
+	$clLines = [];
+	foreach ($lines as $line) {
+		if (preg_match('/^##\s.*' . preg_quote($version, '/') . '/', $line)) {
+			$capturing = true;
+			continue;
+		}
+		if ($capturing && preg_match('/^## /', $line)) break;
+		if ($capturing) $clLines[] = $line;
+	}
+	$changelog = trim(implode("\n", $clLines));
+}
+
+// Build release body
+$body = "## {$version} (" . date('Y-m-d') . ")\n\n";
+if (!empty($changelog)) {
+	$body .= "{$changelog}\n\n";
+}
+
+if ($zipSha !== null || $tarSha !== null) {
+	$body .= "---\n\n### Checksums\n\n| File | SHA-256 |\n|------|--------|\n";
+	if ($zipName !== null && $zipSha !== null) {
+		$body .= "| `{$zipName}` | `{$zipSha}` |\n";
+	}
+	if ($tarName !== null && $tarSha !== null) {
+		$body .= "| `{$tarName}` | `{$tarSha}` |\n";
+	}
+}
+
+// Get release ID by tag
+$ch = curl_init("{$apiBase}/releases/tags/{$releaseTag}");
+curl_setopt_array($ch, [
+	CURLOPT_RETURNTRANSFER => true,
+	CURLOPT_HTTPHEADER => ["Authorization: token {$token}"],
+	CURLOPT_TIMEOUT => 30,
+]);
+$response = curl_exec($ch);
+$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+if ($httpCode !== 200 || empty($response)) {
+	fwrite(STDERR, "Failed to get release for tag '{$releaseTag}' (HTTP {$httpCode})\n");
+	exit(1);
+}
+
+$release = json_decode($response, true);
+$releaseId = $release['id'] ?? null;
+
+if ($releaseId === null) {
+	fwrite(STDERR, "No release ID found for tag '{$releaseTag}'\n");
+	exit(1);
+}
+
+// PATCH release body
+$payload = json_encode(['body' => $body]);
+$ch = curl_init("{$apiBase}/releases/{$releaseId}");
+curl_setopt_array($ch, [
+	CURLOPT_CUSTOMREQUEST => 'PATCH',
+	CURLOPT_RETURNTRANSFER => true,
+	CURLOPT_HTTPHEADER => ["Authorization: token {$token}", "Content-Type: application/json"],
+	CURLOPT_POSTFIELDS => $payload,
+	CURLOPT_TIMEOUT => 30,
+]);
+$response = curl_exec($ch);
+$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+if ($httpCode !== 200) {
+	fwrite(STDERR, "Failed to update release body (HTTP {$httpCode})\n");
+	exit(1);
+}
+
+echo "Release body updated for {$releaseTag} (release #{$releaseId})\n";
+
+if ($outputSummary) {
+	$summaryFile = getenv('GITHUB_STEP_SUMMARY');
+	if ($summaryFile) {
+		file_put_contents($summaryFile, "Release body updated with changelog + checksums\n", FILE_APPEND);
+	}
+}
+
+exit(0);
@@ -0,0 +1,116 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/release_cascade.php
+ * BRIEF: Delete lesser pre-release channels from Gitea when promoting stability
+ *
+ * Usage:
+ *   php release_cascade.php --stability stable --token TOKEN --api-base URL
+ *   php release_cascade.php --stability rc --token TOKEN --api-base URL
+ *
+ * Cascade rules:
+ *   stable -> deletes development, alpha, beta, release-candidate
+ *   rc     -> deletes development, alpha, beta
+ *   beta   -> deletes development, alpha
+ *   alpha  -> deletes development
+ */
+
+declare(strict_types=1);
+
+$stability = null;
+$token = null;
+$apiBase = null;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--stability' && isset($argv[$i + 1])) $stability = $argv[$i + 1];
+	if ($arg === '--token' && isset($argv[$i + 1])) $token = $argv[$i + 1];
+	if ($arg === '--api-base' && isset($argv[$i + 1])) $apiBase = $argv[$i + 1];
+}
+
+// Allow token from environment
+if ($token === null) {
+	$token = getenv('GA_TOKEN') ?: getenv('GITEA_TOKEN') ?: null;
+}
+
+if ($stability === null || $token === null || $apiBase === null) {
+	fwrite(STDERR, "Usage: release_cascade.php --stability [stable|rc|beta|alpha] --token TOKEN --api-base URL\n");
+	fwrite(STDERR, "  --api-base: e.g. https://git.mokoconsulting.tech/api/v1/repos/Org/Repo\n");
+	fwrite(STDERR, "  Token can also be set via GA_TOKEN or GITEA_TOKEN env var\n");
+	exit(1);
+}
+
+// Define cascade hierarchy
+$cascadeMap = [
+	'stable' => ['development', 'alpha', 'beta', 'release-candidate'],
+	'rc'     => ['development', 'alpha', 'beta'],
+	'beta'   => ['development', 'alpha'],
+	'alpha'  => ['development'],
+];
+
+if (!isset($cascadeMap[$stability])) {
+	fwrite(STDERR, "Unknown stability level: {$stability}\n");
+	fwrite(STDERR, "Valid options: stable, rc, beta, alpha\n");
+	exit(1);
+}
+
+$tagsToDelete = $cascadeMap[$stability];
+$deleted = 0;
+
+foreach ($tagsToDelete as $tag) {
+	// Get release by tag
+	$ch = curl_init("{$apiBase}/releases/tags/{$tag}");
+	curl_setopt_array($ch, [
+		CURLOPT_RETURNTRANSFER => true,
+		CURLOPT_HTTPHEADER => ["Authorization: token {$token}"],
+		CURLOPT_TIMEOUT => 30,
+	]);
+	$response = curl_exec($ch);
+	$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+	curl_close($ch);
+
+	if ($httpCode !== 200 || empty($response)) {
+		continue;
+	}
+
+	$data = json_decode($response, true);
+	$releaseId = $data['id'] ?? null;
+
+	if ($releaseId === null) {
+		continue;
+	}
+
+	// Delete release
+	$ch = curl_init("{$apiBase}/releases/{$releaseId}");
+	curl_setopt_array($ch, [
+		CURLOPT_CUSTOMREQUEST => 'DELETE',
+		CURLOPT_RETURNTRANSFER => true,
+		CURLOPT_HTTPHEADER => ["Authorization: token {$token}"],
+		CURLOPT_TIMEOUT => 30,
+	]);
+	curl_exec($ch);
+	curl_close($ch);
+
+	// Delete tag
+	$ch = curl_init("{$apiBase}/tags/{$tag}");
+	curl_setopt_array($ch, [
+		CURLOPT_CUSTOMREQUEST => 'DELETE',
+		CURLOPT_RETURNTRANSFER => true,
+		CURLOPT_HTTPHEADER => ["Authorization: token {$token}"],
+		CURLOPT_TIMEOUT => 30,
+	]);
+	curl_exec($ch);
+	curl_close($ch);
+
+	echo "Deleted: {$tag} (release id: {$releaseId})\n";
+	$deleted++;
+}
+
+echo "Cleaned up {$deleted} pre-release channel(s)\n";
+exit(0);
@@ -0,0 +1,239 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/release_manage.php
+ * BRIEF: Create/update Gitea releases, upload assets, update release body
+ *
+ * Usage:
+ *   # Create a release
+ *   php release_manage.php --action create --tag stable --name "My Plugin 04.01.00" \
+ *     --body "Release notes" --target main --token TOKEN --api-base URL
+ *
+ *   # Upload assets to a release
+ *   php release_manage.php --action upload --tag stable --files "/tmp/pkg.zip,/tmp/pkg.tar.gz" \
+ *     --token TOKEN --api-base URL
+ *
+ *   # Update release body (e.g. add SHA checksums)
+ *   php release_manage.php --action update-body --tag stable --body "New body" \
+ *     --token TOKEN --api-base URL
+ *
+ *   # Delete a release and its tag
+ *   php release_manage.php --action delete --tag stable --token TOKEN --api-base URL
+ *
+ * Options:
+ *   --action     create | upload | update-body | delete (required)
+ *   --tag        Release tag name (required)
+ *   --name       Release name/title (for create)
+ *   --body       Release body/description (for create, update-body)
+ *   --body-file  Read body from file instead of --body
+ *   --target     Target branch/commitish (for create, default: main)
+ *   --files      Comma-separated file paths to upload (for upload)
+ *   --token      Gitea API token (or GA_TOKEN/GITEA_TOKEN env var)
+ *   --api-base   Gitea API base URL (e.g. https://git.mokoconsulting.tech/api/v1/repos/Org/Repo)
+ *
+ * NOTE: This script uses PHP curl for all HTTP operations (no shell calls).
+ */
+
+declare(strict_types=1);
+
+$action = null;
+$tag = null;
+$name = null;
+$body = null;
+$bodyFile = null;
+$target = 'main';
+$files = [];
+$token = null;
+$apiBase = null;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--action' && isset($argv[$i + 1])) $action = $argv[$i + 1];
+	if ($arg === '--tag' && isset($argv[$i + 1])) $tag = $argv[$i + 1];
+	if ($arg === '--name' && isset($argv[$i + 1])) $name = $argv[$i + 1];
+	if ($arg === '--body' && isset($argv[$i + 1])) $body = $argv[$i + 1];
+	if ($arg === '--body-file' && isset($argv[$i + 1])) $bodyFile = $argv[$i + 1];
+	if ($arg === '--target' && isset($argv[$i + 1])) $target = $argv[$i + 1];
+	if ($arg === '--files' && isset($argv[$i + 1])) $files = array_filter(explode(',', $argv[$i + 1]));
+	if ($arg === '--token' && isset($argv[$i + 1])) $token = $argv[$i + 1];
+	if ($arg === '--api-base' && isset($argv[$i + 1])) $apiBase = $argv[$i + 1];
+}
+
+// Allow token from environment
+if ($token === null) {
+	$token = getenv('GA_TOKEN') ?: getenv('GITEA_TOKEN') ?: null;
+}
+
+// Read body from file if specified
+if ($bodyFile !== null && file_exists($bodyFile)) {
+	$body = file_get_contents($bodyFile);
+}
+
+if ($action === null || $tag === null || $token === null || $apiBase === null) {
+	fwrite(STDERR, "Usage: release_manage.php --action [create|upload|update-body|delete] --tag TAG --token TOKEN --api-base URL\n");
+	exit(1);
+}
+
+/**
+ * Make a Gitea API request using curl
+ */
+function giteaApi(string $url, string $method, string $token, ?string $jsonBody = null, ?string $filePath = null): array
+{
+	$ch = curl_init($url);
+	$headers = ["Authorization: token {$token}"];
+
+	$opts = [
+		CURLOPT_RETURNTRANSFER => true,
+		CURLOPT_TIMEOUT => 60,
+		CURLOPT_CUSTOMREQUEST => $method,
+	];
+
+	if ($jsonBody !== null) {
+		$headers[] = 'Content-Type: application/json';
+		$opts[CURLOPT_POSTFIELDS] = $jsonBody;
+	} elseif ($filePath !== null) {
+		$headers[] = 'Content-Type: application/octet-stream';
+		$opts[CURLOPT_POSTFIELDS] = file_get_contents($filePath);
+	}
+
+	$opts[CURLOPT_HTTPHEADER] = $headers;
+	curl_setopt_array($ch, $opts);
+
+	$response = curl_exec($ch);
+	$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+	curl_close($ch);
+
+	$data = json_decode($response ?: '{}', true) ?: [];
+	return ['code' => $httpCode, 'data' => $data];
+}
+
+/**
+ * Get release by tag
+ */
+function getReleaseByTag(string $apiBase, string $tag, string $token): ?array
+{
+	$result = giteaApi("{$apiBase}/releases/tags/{$tag}", 'GET', $token);
+	if ($result['code'] === 200 && isset($result['data']['id'])) {
+		return $result['data'];
+	}
+	return null;
+}
+
+// -- Action dispatch ----------------------------------------------------------
+switch ($action) {
+	case 'create':
+		// Delete existing release if present
+		$existing = getReleaseByTag($apiBase, $tag, $token);
+		if ($existing !== null) {
+			$existingId = $existing['id'];
+			giteaApi("{$apiBase}/releases/{$existingId}", 'DELETE', $token);
+			giteaApi("{$apiBase}/tags/{$tag}", 'DELETE', $token);
+			echo "Deleted previous release: {$tag} (id: {$existingId})\n";
+		}
+
+		$payload = json_encode([
+			'tag_name' => $tag,
+			'name' => $name ?? $tag,
+			'body' => $body ?? '',
+			'target_commitish' => $target,
+		]);
+
+		$result = giteaApi("{$apiBase}/releases", 'POST', $token, $payload);
+		if ($result['code'] >= 200 && $result['code'] < 300) {
+			$releaseId = $result['data']['id'] ?? 'unknown';
+			echo "Release created: {$name} (tag: {$tag}, id: {$releaseId})\n";
+		} else {
+			fwrite(STDERR, "Failed to create release: HTTP {$result['code']}\n");
+			fwrite(STDERR, json_encode($result['data']) . "\n");
+			exit(1);
+		}
+		break;
+
+	case 'upload':
+		if (empty($files)) {
+			fwrite(STDERR, "No files specified. Use --files /path/to/file1,/path/to/file2\n");
+			exit(1);
+		}
+
+		$release = getReleaseByTag($apiBase, $tag, $token);
+		if ($release === null) {
+			fwrite(STDERR, "No release found for tag: {$tag}\n");
+			exit(1);
+		}
+		$releaseId = $release['id'];
+
+		// Get existing assets to avoid duplicates
+		$assetsResult = giteaApi("{$apiBase}/releases/{$releaseId}/assets", 'GET', $token);
+		$existingAssets = $assetsResult['data'] ?? [];
+
+		foreach ($files as $filePath) {
+			$filePath = trim($filePath);
+			if (!file_exists($filePath)) {
+				fwrite(STDERR, "File not found: {$filePath}\n");
+				continue;
+			}
+
+			$fileName = basename($filePath);
+
+			// Delete existing asset with same name
+			foreach ($existingAssets as $asset) {
+				if (($asset['name'] ?? '') === $fileName) {
+					giteaApi("{$apiBase}/releases/{$releaseId}/assets/{$asset['id']}", 'DELETE', $token);
+					echo "Deleted existing asset: {$fileName}\n";
+					break;
+				}
+			}
+
+			// Upload
+			$uploadUrl = "{$apiBase}/releases/{$releaseId}/assets?name=" . urlencode($fileName);
+			$result = giteaApi($uploadUrl, 'POST', $token, null, $filePath);
+			if ($result['code'] >= 200 && $result['code'] < 300) {
+				echo "Uploaded: {$fileName}\n";
+			} else {
+				fwrite(STDERR, "Failed to upload {$fileName}: HTTP {$result['code']}\n");
+			}
+		}
+		break;
+
+	case 'update-body':
+		$release = getReleaseByTag($apiBase, $tag, $token);
+		if ($release === null) {
+			fwrite(STDERR, "No release found for tag: {$tag}\n");
+			exit(1);
+		}
+		$releaseId = $release['id'];
+
+		$payload = json_encode(['body' => $body ?? '']);
+		$result = giteaApi("{$apiBase}/releases/{$releaseId}", 'PATCH', $token, $payload);
+		if ($result['code'] >= 200 && $result['code'] < 300) {
+			echo "Release body updated for tag: {$tag}\n";
+		} else {
+			fwrite(STDERR, "Failed to update body: HTTP {$result['code']}\n");
+			exit(1);
+		}
+		break;
+
+	case 'delete':
+		$existing = getReleaseByTag($apiBase, $tag, $token);
+		if ($existing !== null) {
+			giteaApi("{$apiBase}/releases/{$existing['id']}", 'DELETE', $token);
+			giteaApi("{$apiBase}/tags/{$tag}", 'DELETE', $token);
+			echo "Deleted: {$tag} (id: {$existing['id']})\n";
+		} else {
+			echo "No release found for tag: {$tag}\n";
+		}
+		break;
+
+	default:
+		fwrite(STDERR, "Unknown action: {$action}\n");
+		fwrite(STDERR, "Valid actions: create, upload, update-body, delete\n");
+		exit(1);
+}
+
+exit(0);
@@ -5,11 +5,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/release_notes.php
- * VERSION: 04.06.00
 * BRIEF: Extract release notes from CHANGELOG.md for a given version
 */

@@ -0,0 +1,178 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/release_validate.php
+ * BRIEF: Pre-release validation — version consistency, required files, manifest checks
+ *
+ * Usage:
+ *   php release_validate.php --path /repo --version 04.01.00
+ *   php release_validate.php --path /repo --version 04.01.00 --platform joomla --output-summary
+ *
+ * Options:
+ *   --path           Repository root (default: .)
+ *   --version        Expected version string (required)
+ *   --platform       joomla|dolibarr|generic (default: joomla)
+ *   --output-summary Write markdown table to $GITHUB_STEP_SUMMARY
+ */
+
+declare(strict_types=1);
+
+$path = '.';
+$version = null;
+$platform = 'joomla';
+$outputSummary = false;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path' && isset($argv[$i + 1])) $path = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
+	if ($arg === '--platform' && isset($argv[$i + 1])) $platform = $argv[$i + 1];
+	if ($arg === '--output-summary') $outputSummary = true;
+}
+
+if ($version === null) {
+	fwrite(STDERR, "Usage: release_validate.php --path . --version XX.YY.ZZ [--platform joomla]\n");
+	exit(1);
+}
+
+$root = realpath($path) ?: $path;
+$pass = 0;
+$fail = 0;
+$warn = 0;
+$results = [];
+
+function addResult(string $check, string $status, string $details): void {
+	global $pass, $fail, $warn, $results;
+	$results[] = ['check' => $check, 'status' => $status, 'details' => $details];
+	if ($status === 'PASS') $pass++;
+	elseif ($status === 'FAIL') $fail++;
+	elseif ($status === 'WARN') $warn++;
+}
+
+// 1. README.md exists and contains VERSION
+if (!file_exists("{$root}/README.md")) {
+	addResult('README.md', 'FAIL', 'Not found');
+} else {
+	$readme = file_get_contents("{$root}/README.md");
+	if (preg_match('/VERSION:\s*' . preg_quote($version, '/') . '/', $readme) ||
+		strpos($readme, $version) !== false) {
+		addResult('README.md version', 'PASS', "`{$version}` found");
+	} else {
+		addResult('README.md version', 'FAIL', "`{$version}` not found in README.md");
+	}
+}
+
+// 2. CHANGELOG.md exists with matching section
+if (!file_exists("{$root}/CHANGELOG.md")) {
+	addResult('CHANGELOG.md', 'WARN', 'Not found');
+} else {
+	$cl = file_get_contents("{$root}/CHANGELOG.md");
+	if (preg_match('/^##\s.*' . preg_quote($version, '/') . '/m', $cl)) {
+		addResult('CHANGELOG.md version', 'PASS', "Section for `{$version}` found");
+	} else {
+		addResult('CHANGELOG.md version', 'WARN', "No section header for `{$version}`");
+	}
+}
+
+// 3. LICENSE file exists
+$licenseFound = false;
+foreach (['LICENSE', 'LICENSE.md', 'LICENSE.txt', 'COPYING'] as $lf) {
+	if (file_exists("{$root}/{$lf}")) { $licenseFound = true; break; }
+}
+addResult('LICENSE', $licenseFound ? 'PASS' : 'FAIL', $licenseFound ? 'Found' : 'Not found');
+
+// 4. Platform-specific checks
+if ($platform === 'joomla') {
+	// Find XML manifest
+	$manifest = null;
+	$searchDirs = ["{$root}/src", $root];
+	foreach ($searchDirs as $dir) {
+		if (!is_dir($dir)) continue;
+		foreach (glob("{$dir}/*.xml") as $xmlFile) {
+			$content = file_get_contents($xmlFile);
+			if (strpos($content, '<extension') !== false) {
+				$manifest = $xmlFile;
+				break 2;
+			}
+		}
+	}
+	if ($manifest === null) {
+		addResult('XML manifest', 'FAIL', 'No Joomla manifest found');
+	} else {
+		if (preg_match('/<version>([^<]+)<\/version>/', file_get_contents($manifest), $m)) {
+			$mVer = trim($m[1]);
+			if ($mVer === $version) {
+				addResult('Manifest version', 'PASS', "`{$mVer}` matches");
+			} else {
+				addResult('Manifest version', 'FAIL', "`{$mVer}` != `{$version}`");
+			}
+		} else {
+			addResult('Manifest version', 'FAIL', 'No <version> tag in manifest');
+		}
+	}
+
+	// updates.xml
+	if (!file_exists("{$root}/updates.xml")) {
+		addResult('updates.xml', 'WARN', 'Not found');
+	} else {
+		$ux = file_get_contents("{$root}/updates.xml");
+		if (preg_match('/<version>' . preg_quote($version, '/') . '<\/version>/', $ux)) {
+			addResult('updates.xml version', 'PASS', "`{$version}` found");
+		} else {
+			addResult('updates.xml version', 'FAIL', "`{$version}` not in updates.xml");
+		}
+	}
+} elseif ($platform === 'dolibarr') {
+	$modFile = null;
+	foreach (['src', 'htdocs'] as $sd) {
+		$pattern = "{$root}/{$sd}/mod*.class.php";
+		$matches = glob($pattern);
+		if (!empty($matches)) { $modFile = $matches[0]; break; }
+	}
+	if ($modFile === null) {
+		addResult('Dolibarr mod file', 'FAIL', 'No mod*.class.php found');
+	} else {
+		$mc = file_get_contents($modFile);
+		if (preg_match("/\\\$this->version\s*=\s*'" . preg_quote($version, '/') . "'/", $mc)) {
+			addResult('Dolibarr version', 'PASS', "`{$version}` matches");
+		} else {
+			addResult('Dolibarr version', 'FAIL', "`{$version}` not found in " . basename($modFile));
+		}
+	}
+}
+
+// 5. composer.json version (if present)
+if (file_exists("{$root}/composer.json")) {
+	$composer = json_decode(file_get_contents("{$root}/composer.json"), true);
+	if (isset($composer['version'])) {
+		if ($composer['version'] === $version) {
+			addResult('composer.json version', 'PASS', "`{$version}` matches");
+		} else {
+			addResult('composer.json version', 'WARN', "`{$composer['version']}` != `{$version}`");
+		}
+	}
+}
+
+// Output
+$table = "| Check | Result | Details |\n|-------|--------|--------|\n";
+foreach ($results as $r) {
+	$table .= "| {$r['check']} | {$r['status']} | {$r['details']} |\n";
+}
+$table .= "\n**Validation: {$pass} passed, {$fail} failed, {$warn} warnings**\n";
+
+echo $table;
+
+if ($outputSummary) {
+	$summaryFile = getenv('GITHUB_STEP_SUMMARY');
+	if ($summaryFile) {
+		file_put_contents($summaryFile, "### Pre-Release Validation\n\n{$table}\n", FILE_APPEND);
+	}
+}
+
+exit($fail > 0 ? 1 : 0);
@@ -0,0 +1,188 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/release_verify.php
+ * BRIEF: Verify a built release artifact — version, SHA256, disallowed files
+ *
+ * Usage:
+ *   php release_verify.php --zip-path /tmp/pkg.zip --version 04.01.00
+ *   php release_verify.php --zip-path /tmp/pkg.zip --version 04.01.00 --updates-xml updates.xml
+ *   php release_verify.php --zip-path /tmp/pkg.zip --version 04.01.00 --output-summary
+ *
+ * Options:
+ *   --zip-path       Path to ZIP file (required)
+ *   --version        Expected version string (required)
+ *   --platform       joomla|dolibarr|generic (default: joomla)
+ *   --updates-xml    Path to updates.xml for SHA256 comparison
+ *   --github-output  Export verify_pass, verify_fail to $GITHUB_OUTPUT
+ *   --output-summary Write markdown table to $GITHUB_STEP_SUMMARY
+ */
+
+declare(strict_types=1);
+
+$zipPath = null;
+$version = null;
+$platform = 'joomla';
+$updatesXml = null;
+$githubOutput = false;
+$outputSummary = false;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--zip-path' && isset($argv[$i + 1])) $zipPath = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
+	if ($arg === '--platform' && isset($argv[$i + 1])) $platform = $argv[$i + 1];
+	if ($arg === '--updates-xml' && isset($argv[$i + 1])) $updatesXml = $argv[$i + 1];
+	if ($arg === '--github-output') $githubOutput = true;
+	if ($arg === '--output-summary') $outputSummary = true;
+}
+
+if ($zipPath === null || $version === null) {
+	fwrite(STDERR, "Usage: release_verify.php --zip-path FILE --version XX.YY.ZZ [--platform joomla] [--updates-xml FILE]\n");
+	exit(1);
+}
+
+$pass = 0;
+$fail = 0;
+$warn = 0;
+$results = [];
+
+function addResult(string $check, string $status, string $details): void {
+	global $pass, $fail, $warn, $results;
+	$results[] = ['check' => $check, 'status' => $status, 'details' => $details];
+	if ($status === 'PASS') $pass++;
+	elseif ($status === 'FAIL') $fail++;
+	elseif ($status === 'WARN') $warn++;
+}
+
+// 1. ZIP exists and is readable
+if (!file_exists($zipPath) || !is_readable($zipPath)) {
+	addResult('ZIP exists', 'FAIL', "Not found or not readable: {$zipPath}");
+} else {
+	addResult('ZIP exists', 'PASS', basename($zipPath));
+
+	// 2. Extract ZIP
+	$tmpDir = sys_get_temp_dir() . '/release-verify-' . uniqid();
+	mkdir($tmpDir, 0755, true);
+
+	$zip = new ZipArchive();
+	if ($zip->open($zipPath) !== true) {
+		addResult('ZIP extract', 'FAIL', 'ZipArchive could not open file');
+	} else {
+		$zip->extractTo($tmpDir);
+		$zip->close();
+		addResult('ZIP extract', 'PASS', 'Extracted successfully');
+
+		// 3. Manifest version check (Joomla)
+		if ($platform === 'joomla') {
+			$manifest = null;
+			foreach (glob("{$tmpDir}/*.xml") as $xmlFile) {
+				$content = file_get_contents($xmlFile);
+				if (strpos($content, '<extension') !== false) {
+					$manifest = $xmlFile;
+					break;
+				}
+			}
+			if ($manifest !== null) {
+				if (preg_match('/<version>([^<]+)<\/version>/', file_get_contents($manifest), $m)) {
+					$manifestVer = trim($m[1]);
+					if ($manifestVer === $version) {
+						addResult('Manifest version', 'PASS', "`{$manifestVer}` matches release");
+					} else {
+						addResult('Manifest version', 'FAIL', "`{$manifestVer}` != `{$version}`");
+					}
+				} else {
+					addResult('Manifest version', 'WARN', 'No <version> tag in manifest');
+				}
+			} else {
+				addResult('Manifest version', 'WARN', 'No XML manifest found in ZIP');
+			}
+		}
+
+		// 4. SHA256 vs updates.xml
+		$zipSha = hash_file('sha256', $zipPath);
+		if ($updatesXml !== null && file_exists($updatesXml)) {
+			$uxContent = file_get_contents($updatesXml);
+			if (preg_match('/<sha256>([^<]+)<\/sha256>/', $uxContent, $m)) {
+				$expectedSha = trim($m[1]);
+				if ($zipSha === $expectedSha) {
+					addResult('SHA256 vs updates.xml', 'PASS', '`' . substr($zipSha, 0, 16) . '...`');
+				} else {
+					addResult('SHA256 vs updates.xml', 'FAIL', "ZIP=`" . substr($zipSha, 0, 16) . "...` updates.xml=`" . substr($expectedSha, 0, 16) . "...`");
+				}
+			} else {
+				addResult('SHA256 vs updates.xml', 'WARN', 'No <sha256> in updates.xml');
+			}
+		}
+
+		// 5. Disallowed files
+		$disallowed = ['.claude', '.mcp.json', 'TODO.md', 'todo.md', '.git', 'node_modules', '.env'];
+		$found = [];
+		$rit = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($tmpDir, RecursiveDirectoryIterator::SKIP_DOTS));
+		foreach ($rit as $file) {
+			$name = $file->getFilename();
+			if (in_array($name, $disallowed, true)) {
+				$found[] = $name;
+			}
+		}
+		if (count($found) > 0) {
+			addResult('Disallowed files', 'FAIL', 'Found: ' . implode(', ', array_unique($found)));
+		} else {
+			addResult('Disallowed files', 'PASS', 'None found');
+		}
+
+		// 6. Non-vendor .min files
+		$minCount = 0;
+		$rit = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($tmpDir, RecursiveDirectoryIterator::SKIP_DOTS));
+		foreach ($rit as $file) {
+			$rel = str_replace($tmpDir . '/', '', $file->getPathname());
+			if (strpos($rel, 'vendor/') !== false) continue;
+			if (preg_match('/\.(min\.css|min\.js)$/', $file->getFilename())) {
+				$minCount++;
+			}
+		}
+		if ($minCount > 0) {
+			addResult('Non-vendor .min files', 'WARN', "{$minCount} file(s) — should be generated at runtime");
+		} else {
+			addResult('Non-vendor .min files', 'PASS', 'None shipped');
+		}
+
+		// Clean up
+		$rit = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($tmpDir, RecursiveDirectoryIterator::SKIP_DOTS), RecursiveIteratorIterator::CHILD_FIRST);
+		foreach ($rit as $file) {
+			$file->isDir() ? rmdir($file->getPathname()) : unlink($file->getPathname());
+		}
+		rmdir($tmpDir);
+	}
+}
+
+// Output
+$table = "| Check | Result | Details |\n|-------|--------|--------|\n";
+foreach ($results as $r) {
+	$table .= "| {$r['check']} | {$r['status']} | {$r['details']} |\n";
+}
+$table .= "\n**Verification: {$pass} passed, {$fail} failed, {$warn} warnings**\n";
+
+echo $table;
+
+if ($outputSummary) {
+	$summaryFile = getenv('GITHUB_STEP_SUMMARY');
+	if ($summaryFile) {
+		file_put_contents($summaryFile, "### Release Verification\n\n{$table}\n", FILE_APPEND);
+	}
+}
+
+if ($githubOutput) {
+	$outputFile = getenv('GITHUB_OUTPUT');
+	if ($outputFile) {
+		file_put_contents($outputFile, "verify_pass={$pass}\nverify_fail={$fail}\nverify_warn={$warn}\n", FILE_APPEND);
+	}
+}
+
+exit($fail > 0 ? 1 : 0);
@@ -0,0 +1,250 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * This file is part of a Moko Consulting project.
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/scaffold_client.php
+ * VERSION: 01.00.00
+ * BRIEF: Scaffold a new client-waas repo from Template-Client-WaaS with pre-configured settings
+ */
+
+declare(strict_types=1);
+
+final class ScaffoldClient
+{
+	private string $name = '';
+	private string $org = '';
+	private string $giteaUrl = 'https://git.mokoconsulting.tech';
+	private string $token = '';
+	private bool $dryRun = false;
+
+	public function run(): int
+	{
+		$this->parseArgs();
+
+		if ($this->name === '' || $this->org === '' || $this->token === '')
+		{
+			$this->log('ERROR: --name, --org, and --token are required.');
+			$this->printUsage();
+			return 1;
+		}
+
+		$repoName = 'client-waas-' . $this->name;
+
+		$this->log("Scaffolding client repo: {$this->org}/{$repoName}");
+		$this->log("Gitea URL: {$this->giteaUrl}");
+
+		if ($this->dryRun)
+		{
+			$this->log('[DRY RUN] Would create repo from template MokoConsulting/Template-Client-WaaS');
+			$this->log("[DRY RUN] Repo: {$this->org}/{$repoName}");
+			$this->log("[DRY RUN] Description: \"{$this->name} WaaS site\"");
+			$this->log('[DRY RUN] Would create dev branch from main');
+			$this->printPostSetupInstructions($repoName);
+			return 0;
+		}
+
+		// Step 1: Create repo from template
+		$this->log('Step 1: Creating repo from template...');
+
+		$createPayload = json_encode([
+			'owner'       => $this->org,
+			'name'        => $repoName,
+			'description' => "{$this->name} WaaS site",
+			'private'     => true,
+			'git_content' => true,
+			'topics'      => true,
+			'labels'      => true,
+		]);
+
+		$response = $this->apiRequest(
+			'POST',
+			"/api/v1/repos/MokoConsulting/Template-Client-WaaS/generate",
+			$createPayload
+		);
+
+		if ($response['code'] < 200 || $response['code'] >= 300)
+		{
+			$this->log("ERROR: Failed to create repo (HTTP {$response['code']}).");
+			$this->log("Response: {$response['body']}");
+			return 1;
+		}
+
+		$this->log("Repo created: {$this->org}/{$repoName}");
+
+		// Step 2: Set repo description (already set via generate, but confirm)
+		$this->log('Step 2: Updating repo description...');
+
+		$updatePayload = json_encode([
+			'description' => "{$this->name} WaaS site",
+		]);
+
+		$response = $this->apiRequest(
+			'PATCH',
+			"/api/v1/repos/{$this->org}/{$repoName}",
+			$updatePayload
+		);
+
+		if ($response['code'] >= 200 && $response['code'] < 300)
+		{
+			$this->log('Description updated.');
+		}
+		else
+		{
+			$this->log("WARNING: Could not update description (HTTP {$response['code']}).");
+		}
+
+		// Step 3: Create dev branch from main
+		$this->log('Step 3: Creating dev branch from main...');
+
+		$branchPayload = json_encode([
+			'new_branch_name' => 'dev',
+			'old_branch_name' => 'main',
+		]);
+
+		$response = $this->apiRequest(
+			'POST',
+			"/api/v1/repos/{$this->org}/{$repoName}/branches",
+			$branchPayload
+		);
+
+		if ($response['code'] >= 200 && $response['code'] < 300)
+		{
+			$this->log('Branch "dev" created from "main".');
+		}
+		else
+		{
+			$this->log("WARNING: Could not create dev branch (HTTP {$response['code']}).");
+			$this->log("Response: {$response['body']}");
+		}
+
+		// Step 4: Print post-setup instructions
+		$this->printPostSetupInstructions($repoName);
+
+		$this->log('Scaffold complete.');
+
+		return 0;
+	}
+
+	private function parseArgs(): void
+	{
+		$args = $_SERVER['argv'] ?? [];
+		$count = count($args);
+
+		for ($i = 1; $i < $count; $i++)
+		{
+			switch ($args[$i])
+			{
+				case '--name':
+					$this->name = $args[++$i] ?? '';
+					break;
+				case '--org':
+					$this->org = $args[++$i] ?? '';
+					break;
+				case '--gitea-url':
+					$this->giteaUrl = rtrim($args[++$i] ?? '', '/');
+					break;
+				case '--token':
+					$this->token = $args[++$i] ?? '';
+					break;
+				case '--dry-run':
+					$this->dryRun = true;
+					break;
+				case '--help':
+				case '-h':
+					$this->printUsage();
+					exit(0);
+				default:
+					$this->log("WARNING: Unknown argument: {$args[$i]}");
+					break;
+			}
+		}
+	}
+
+	private function printUsage(): void
+	{
+		$this->log('Usage: scaffold_client.php --name <client-name> --org <gitea-org> --token <token> [options]');
+		$this->log('');
+		$this->log('Options:');
+		$this->log('  --name <name>        Client name (e.g., "clarksvillefurs")');
+		$this->log('  --org <org>          Gitea organization (e.g., "ClarksvilleFurs")');
+		$this->log('  --gitea-url <url>    Gitea URL (default: https://git.mokoconsulting.tech)');
+		$this->log('  --token <token>      Gitea API token');
+		$this->log('  --dry-run            Show what would be done without making changes');
+		$this->log('  --help, -h           Show this help');
+	}
+
+	private function printPostSetupInstructions(string $repoName): void
+	{
+		$this->log('');
+		$this->log('=== POST-SETUP INSTRUCTIONS ===');
+		$this->log('');
+		$this->log("Navigate to: {$this->giteaUrl}/{$this->org}/{$repoName}/settings");
+		$this->log('');
+		$this->log('Set the following REPO VARIABLES (Settings > Actions > Variables):');
+		$this->log('  DEV_SYNC_HOST     - Dev server hostname or IP');
+		$this->log('  DEV_SYNC_PORT     - Dev server SSH port (default: 22)');
+		$this->log('  DEV_SYNC_USER     - Dev server SSH username');
+		$this->log('  DEV_SYNC_PATH     - Dev server deploy path');
+		$this->log('  LIVE_SSH_HOST     - Live server hostname or IP');
+		$this->log('  LIVE_SSH_PORT     - Live server SSH port (default: 22)');
+		$this->log('  LIVE_SSH_USER     - Live server SSH username');
+		$this->log('  LIVE_SYNC_PATH    - Live server deploy path');
+		$this->log('');
+		$this->log('Set the following REPO SECRETS (Settings > Actions > Secrets):');
+		$this->log('  DEV_SYNC_KEY      - Private SSH key for dev server');
+		$this->log('  LIVE_SSH_KEY      - Private SSH key for live server');
+		$this->log('');
+		$this->log('================================');
+	}
+
+	private function apiRequest(string $method, string $endpoint, ?string $body = null): array
+	{
+		$url = $this->giteaUrl . $endpoint;
+
+		$ch = curl_init();
+		curl_setopt($ch, CURLOPT_URL, $url);
+		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
+		curl_setopt($ch, CURLOPT_HTTPHEADER, [
+			'Content-Type: application/json',
+			'Accept: application/json',
+			"Authorization: token {$this->token}",
+		]);
+
+		if ($body !== null)
+		{
+			curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
+		}
+
+		$responseBody = curl_exec($ch);
+		$httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+
+		if (curl_errno($ch))
+		{
+			$error = curl_error($ch);
+			curl_close($ch);
+
+			return ['code' => 0, 'body' => "cURL error: {$error}"];
+		}
+
+		curl_close($ch);
+
+		return ['code' => $httpCode, 'body' => $responseBody];
+	}
+
+	private function log(string $message): void
+	{
+		fwrite(STDERR, $message . PHP_EOL);
+	}
+}
+
+$app = new ScaffoldClient();
+exit($app->run());
@@ -7,11 +7,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/sync_rulesets.php
- * VERSION: 04.06.10
 * BRIEF: Apply branch protection rules to all repos via platform adapter
 *
 * USAGE
@@ -0,0 +1,334 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/updates_xml_build.php
+ * BRIEF: Generate Joomla updates.xml from extension manifest metadata
+ *
+ * Usage:
+ *   php updates_xml_build.php --path /repo --version 04.01.00 --stability stable
+ *   php updates_xml_build.php --path /repo --version 04.01.00 --stability stable --sha SHA256
+ *   php updates_xml_build.php --path /repo --version 04.01.00 --stability stable --github-output
+ *
+ * Options:
+ *   --path         Repository root (default: .)
+ *   --version      Version string (required)
+ *   --stability    One of: stable, rc, beta, alpha, development (default: stable)
+ *   --sha          SHA-256 hash of the ZIP package (optional)
+ *   --gitea-url    Gitea instance URL (default: env GITEA_URL or https://git.mokoconsulting.tech)
+ *   --org          Organization (default: env GITEA_ORG)
+ *   --repo         Repository name (default: env GITEA_REPO)
+ *   --output       Output file path (default: updates.xml in --path)
+ *   --github-output  Export ext_element, ext_name, ext_type, ext_folder to $GITHUB_OUTPUT
+ */
+
+declare(strict_types=1);
+
+// -- Argument parsing ---------------------------------------------------------
+$path = '.';
+$version = null;
+$stability = 'stable';
+$sha = null;
+$giteaUrl = getenv('GITEA_URL') ?: 'https://git.mokoconsulting.tech';
+$org = getenv('GITEA_ORG') ?: '';
+$repo = getenv('GITEA_REPO') ?: '';
+$outputFile = null;
+$githubOutput = false;
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path' && isset($argv[$i + 1])) $path = $argv[$i + 1];
+	if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
+	if ($arg === '--stability' && isset($argv[$i + 1])) $stability = $argv[$i + 1];
+	if ($arg === '--sha' && isset($argv[$i + 1])) $sha = $argv[$i + 1];
+	if ($arg === '--gitea-url' && isset($argv[$i + 1])) $giteaUrl = $argv[$i + 1];
+	if ($arg === '--org' && isset($argv[$i + 1])) $org = $argv[$i + 1];
+	if ($arg === '--repo' && isset($argv[$i + 1])) $repo = $argv[$i + 1];
+	if ($arg === '--output' && isset($argv[$i + 1])) $outputFile = $argv[$i + 1];
+	if ($arg === '--github-output') $githubOutput = true;
+}
+
+if ($version === null) {
+	fwrite(STDERR, "Usage: updates_xml_build.php --path . --version XX.YY.ZZ [--stability stable] [--sha SHA]\n");
+	exit(1);
+}
+
+$root = realpath($path) ?: $path;
+
+// -- Locate Joomla manifest ---------------------------------------------------
+$manifest = null;
+
+// Priority: pkg_*.xml in src/ > any extension XML in src/ > any in root
+$candidates = glob("{$root}/src/pkg_*.xml") ?: [];
+foreach ($candidates as $f) {
+	if (strpos(file_get_contents($f), '<extension') !== false) {
+		$manifest = $f;
+		break;
+	}
+}
+
+if ($manifest === null) {
+	$searchDirs = ["{$root}/src", "{$root}"];
+	foreach ($searchDirs as $dir) {
+		if (!is_dir($dir)) continue;
+		foreach (glob("{$dir}/*.xml") ?: [] as $f) {
+			if (strpos(file_get_contents($f), '<extension') !== false) {
+				$manifest = $f;
+				break 2;
+			}
+		}
+	}
+}
+
+if ($manifest === null) {
+	fwrite(STDERR, "No Joomla XML manifest found in {$root}\n");
+	exit(1);
+}
+
+// -- Parse extension metadata -------------------------------------------------
+$xml = file_get_contents($manifest);
+
+// Extract fields via regex (more portable than SimpleXML for malformed manifests)
+$extName = '';
+if (preg_match('/<name>([^<]+)<\/name>/', $xml, $m)) $extName = $m[1];
+
+$extType = '';
+if (preg_match('/<extension[^>]*type="([^"]+)"/', $xml, $m)) $extType = $m[1];
+
+$extElement = '';
+if (preg_match('/<element>([^<]+)<\/element>/', $xml, $m)) $extElement = $m[1];
+if (empty($extElement) && preg_match('/plugin="([^"]+)"/', $xml, $m)) $extElement = $m[1];
+if (empty($extElement) && preg_match('/module="([^"]+)"/', $xml, $m)) $extElement = $m[1];
+if (empty($extElement)) {
+	$fname = strtolower(pathinfo($manifest, PATHINFO_FILENAME));
+	if (in_array($fname, ['templatedetails', 'manifest'])) {
+		$extElement = strtolower(str_replace([' ', '-'], '', $repo ?: basename($root)));
+	} else {
+		$extElement = $fname;
+	}
+}
+
+$extClient = '';
+if (preg_match('/<extension[^>]*client="([^"]+)"/', $xml, $m)) $extClient = $m[1];
+
+$extFolder = '';
+if (preg_match('/<extension[^>]*group="([^"]+)"/', $xml, $m)) $extFolder = $m[1];
+
+$targetPlatform = '';
+if (preg_match('/(<targetplatform[^\/]*\/>)/', $xml, $m)) $targetPlatform = $m[1];
+if (empty($targetPlatform)) {
+	$targetPlatform = '<targetplatform name="joomla" version="((5.[0-9])|(6.[0-9]))" />';
+}
+
+$phpMinimum = '';
+if (preg_match('/<php_minimum>([^<]+)<\/php_minimum>/', $xml, $m)) $phpMinimum = $m[1];
+
+// Resolve language key names (e.g. PLG_SYSTEM_MOKOJOOMTOS)
+if (preg_match('/^[A-Z_]+$/', $extName)) {
+	$iniFiles = [];
+	$iterator = new RecursiveIteratorIterator(
+		new RecursiveDirectoryIterator($root, RecursiveDirectoryIterator::SKIP_DOTS)
+	);
+	foreach ($iterator as $file) {
+		if (preg_match('/\.sys\.ini$/i', $file->getFilename())) {
+			$iniFiles[] = $file->getPathname();
+		}
+	}
+	foreach ($iniFiles as $ini) {
+		$content = file_get_contents($ini);
+		if (preg_match('/^' . preg_quote($extName, '/') . '="([^"]+)"/m', $content, $m)) {
+			$extName = $m[1];
+			break;
+		}
+	}
+}
+
+// Fallbacks
+if (empty($extName)) $extName = $repo ?: basename($root);
+if (empty($extType)) $extType = 'component';
+
+// -- Build type prefix --------------------------------------------------------
+$typePrefix = '';
+switch ($extType) {
+	case 'plugin':    $typePrefix = "plg_{$extFolder}_"; break;
+	case 'module':    $typePrefix = 'mod_'; break;
+	case 'component': $typePrefix = 'com_'; break;
+	case 'template':  $typePrefix = 'tpl_'; break;
+	case 'library':   $typePrefix = 'lib_'; break;
+	case 'package':   $typePrefix = 'pkg_'; break;
+}
+
+// -- Export to GITHUB_OUTPUT if requested -------------------------------------
+if ($githubOutput) {
+	$ghOutput = getenv('GITHUB_OUTPUT');
+	$lines = [
+		"ext_element={$extElement}",
+		"ext_name={$extName}",
+		"ext_type={$extType}",
+		"ext_folder={$extFolder}",
+		"type_prefix={$typePrefix}",
+	];
+	if ($ghOutput) {
+		file_put_contents($ghOutput, implode("\n", $lines) . "\n", FILE_APPEND);
+		fwrite(STDERR, "Exported " . count($lines) . " fields to GITHUB_OUTPUT\n");
+	} else {
+		foreach ($lines as $line) echo "{$line}\n";
+	}
+}
+
+// -- Stability suffix map -----------------------------------------------------
+$stabilitySuffixMap = [
+	'stable'      => '',
+	'rc'          => '-rc',
+	'beta'        => '-beta',
+	'alpha'       => '-alpha',
+	'development' => '-dev',
+];
+
+$stabilityTagMap = [
+	'stable'      => 'stable',
+	'rc'          => 'rc',
+	'beta'        => 'beta',
+	'alpha'       => 'alpha',
+	'development' => 'development',
+];
+
+// -- Build update entries -----------------------------------------------------
+$releaseTag = $stabilityTagMap[$stability] ?? $stability;
+
+// For the primary entry: apply suffix if not stable
+$primarySuffix = $stabilitySuffixMap[$stability] ?? '';
+$primaryVersion = $version . $primarySuffix;
+
+$downloadUrl = "{$giteaUrl}/{$org}/{$repo}/releases/download/{$releaseTag}/{$typePrefix}{$extElement}-{$primaryVersion}.zip";
+$infoUrl = "{$giteaUrl}/{$org}/{$repo}/releases/tag/{$releaseTag}";
+
+// Build client tag
+$clientTag = '';
+if (!empty($extClient)) {
+	$clientTag = "    <client>{$extClient}</client>";
+} elseif ($extType === 'module' || $extType === 'plugin') {
+	$clientTag = '    <client>site</client>';
+}
+
+// Build folder tag
+$folderTag = '';
+if (!empty($extFolder) && $extType === 'plugin') {
+	$folderTag = "    <folder>{$extFolder}</folder>";
+}
+
+// PHP minimum tag
+$phpTag = '';
+if (!empty($phpMinimum)) {
+	$phpTag = "    <php_minimum>{$phpMinimum}</php_minimum>";
+}
+
+// SHA tag
+$shaTag = '';
+if (!empty($sha)) {
+	$shaTag = "    <sha256>{$sha}</sha256>";
+}
+
+/**
+ * Build a single <update> entry for a given stability tag
+ */
+function buildEntry(
+	string $tagName,
+	string $entryVersion,
+	string $entryDownloadUrl,
+	string $extName,
+	string $extElement,
+	string $extType,
+	string $clientTag,
+	string $folderTag,
+	string $infoUrl,
+	string $targetPlatform,
+	string $phpTag,
+	string $shaTag
+): string {
+	$lines = [];
+	$lines[] = '  <update>';
+	$lines[] = "    <name>{$extName}</name>";
+	$lines[] = "    <description>{$extName} update</description>";
+	$lines[] = "    <element>{$extElement}</element>";
+	$lines[] = "    <type>{$extType}</type>";
+	$lines[] = "    <version>{$entryVersion}</version>";
+	if (!empty($clientTag)) $lines[] = $clientTag;
+	if (!empty($folderTag)) $lines[] = $folderTag;
+	$lines[] = "    <tags><tag>{$tagName}</tag></tags>";
+	$lines[] = "    <infourl title=\"{$extName}\">{$infoUrl}</infourl>";
+	$lines[] = '    <downloads>';
+	$lines[] = "      <downloadurl type=\"full\" format=\"zip\">{$entryDownloadUrl}</downloadurl>";
+	$lines[] = '    </downloads>';
+	if (!empty($shaTag)) $lines[] = $shaTag;
+	$lines[] = "    {$targetPlatform}";
+	if (!empty($phpTag)) $lines[] = $phpTag;
+	$lines[] = '    <maintainer>Moko Consulting</maintainer>';
+	$lines[] = '    <maintainerurl>https://mokoconsulting.tech</maintainerurl>';
+	$lines[] = '  </update>';
+	return implode("\n", $lines);
+}
+
+// -- Determine which channels to write ----------------------------------------
+// Stable cascades to all channels; pre-releases only write their level and below
+// Each channel gets its own suffixed version:
+//   development -> 04.01.00-dev
+//   alpha       -> 04.01.00-alpha
+//   beta        -> 04.01.00-beta
+//   rc          -> 04.01.00-rc
+//   stable      -> 04.01.00
+$allChannels = ['development', 'alpha', 'beta', 'rc', 'stable'];
+$stabilityIndex = array_search($stability === 'development' ? 'development' : $stability, $allChannels);
+if ($stabilityIndex === false) $stabilityIndex = 4; // default to stable
+
+// Write entries for this stability and all below it
+$entries = [];
+for ($i = 0; $i <= $stabilityIndex; $i++) {
+	$channelName = $allChannels[$i];
+	$channelSuffix = $stabilitySuffixMap[$channelName] ?? '';
+	$channelVersion = $version . $channelSuffix;
+	$channelTag = $stabilityTagMap[$channelName] ?? $channelName;
+	$channelDownloadUrl = "{$giteaUrl}/{$org}/{$repo}/releases/download/{$channelTag}/{$typePrefix}{$extElement}-{$channelVersion}.zip";
+	$channelInfoUrl = "{$giteaUrl}/{$org}/{$repo}/releases/tag/{$channelTag}";
+
+	$entries[] = buildEntry(
+		$channelName,
+		$channelVersion,
+		$channelDownloadUrl,
+		$extName,
+		$extElement,
+		$extType,
+		$clientTag,
+		$folderTag,
+		$channelInfoUrl,
+		$targetPlatform,
+		$phpTag,
+		$shaTag
+	);
+}
+
+// -- Write updates.xml --------------------------------------------------------
+$year = date('Y');
+$output = <<<XML
+<?xml version='1.0' encoding='UTF-8'?>
+<!-- Copyright (C) {$year} Moko Consulting <hello@mokoconsulting.tech>
+ SPDX-License-Identifier: GPL-3.0-or-later
+ VERSION: {$primaryVersion}
+ -->
+
+<updates>
+XML;
+$output .= "\n" . implode("\n", $entries) . "\n</updates>\n";
+
+$dest = $outputFile ?? "{$root}/updates.xml";
+file_put_contents($dest, $output);
+
+$channelCount = count($entries);
+echo "updates.xml: {$primaryVersion} ({$channelCount} channel(s), stability={$stability})\n";
+echo "Output: {$dest}\n";
+exit(0);
@@ -0,0 +1,169 @@
+#!/usr/bin/env php
+<?php
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+ * PATH: /cli/updates_xml_sync.php
+ * VERSION: 05.00.01
+ * BRIEF: Sync updates.xml to target branches via Gitea API
+ * NOTE: Called by pre-release and auto-release workflows after updates.xml
+ *       is modified on the current branch. Pushes the file to other branches
+ *       without requiring a git checkout (avoids merge conflicts).
+ *
+ * Usage:
+ *   php updates_xml_sync.php --path /repo --branches main,dev --current dev
+ *   php updates_xml_sync.php --path /repo --branches main --current dev --version 02.01.27
+ *
+ * Options:
+ *   --path         Repository root containing updates.xml (default: .)
+ *   --branches     Comma-separated target branches to sync to (default: main,dev)
+ *   --current      Current branch to skip (required)
+ *   --version      Version string for commit message (optional)
+ *   --token        Gitea API token (default: env GA_TOKEN)
+ *   --gitea-url    Gitea instance URL (default: env GITEA_URL or https://git.mokoconsulting.tech)
+ *   --org          Organization (default: env GITEA_ORG)
+ *   --repo         Repository name (default: env GITEA_REPO)
+ */
+
+declare(strict_types=1);
+
+// ── Argument parsing ────────────────────────────────────────────────────
+$path      = '.';
+$branches  = 'main,dev';
+$current   = '';
+$version   = '';
+$token     = getenv('GA_TOKEN') ?: '';
+$giteaUrl  = getenv('GITEA_URL') ?: 'https://git.mokoconsulting.tech';
+$org       = getenv('GITEA_ORG') ?: '';
+$repo      = getenv('GITEA_REPO') ?: '';
+
+foreach ($argv as $i => $arg) {
+	if ($arg === '--path'      && isset($argv[$i + 1])) $path     = $argv[$i + 1];
+	if ($arg === '--branches'  && isset($argv[$i + 1])) $branches = $argv[$i + 1];
+	if ($arg === '--current'   && isset($argv[$i + 1])) $current  = $argv[$i + 1];
+	if ($arg === '--version'   && isset($argv[$i + 1])) $version  = $argv[$i + 1];
+	if ($arg === '--token'     && isset($argv[$i + 1])) $token    = $argv[$i + 1];
+	if ($arg === '--gitea-url' && isset($argv[$i + 1])) $giteaUrl = $argv[$i + 1];
+	if ($arg === '--org'       && isset($argv[$i + 1])) $org      = $argv[$i + 1];
+	if ($arg === '--repo'      && isset($argv[$i + 1])) $repo     = $argv[$i + 1];
+}
+
+if ($current === '') {
+	fwrite(STDERR, "Error: --current is required\n");
+	exit(1);
+}
+
+if ($token === '') {
+	fwrite(STDERR, "Error: --token or GA_TOKEN env is required\n");
+	exit(1);
+}
+
+if ($org === '' || $repo === '') {
+	fwrite(STDERR, "Error: --org and --repo (or GITEA_ORG/GITEA_REPO env) are required\n");
+	exit(1);
+}
+
+$updatesFile = rtrim($path, '/') . '/updates.xml';
+if (!file_exists($updatesFile)) {
+	fwrite(STDERR, "No updates.xml found at {$updatesFile}\n");
+	exit(0);
+}
+
+$content  = file_get_contents($updatesFile);
+$encoded  = base64_encode($content);
+$giteaUrl = rtrim($giteaUrl, '/');
+$apiBase  = "{$giteaUrl}/api/v1/repos/{$org}/{$repo}";
+$vLabel   = $version !== '' ? " {$version}" : '';
+
+$targets = array_filter(
+	array_map('trim', explode(',', $branches)),
+	fn($b) => $b !== '' && $b !== $current
+);
+
+if (empty($targets)) {
+	fwrite(STDERR, "No target branches to sync to (current: {$current})\n");
+	exit(0);
+}
+
+$synced = 0;
+$failed = 0;
+
+foreach ($targets as $branch) {
+	fwrite(STDERR, "Syncing updates.xml -> {$branch}...\n");
+
+	$sha = getFileSha($apiBase, $token, $branch);
+
+	if ($sha === null) {
+		fwrite(STDERR, "  WARNING: could not get SHA from {$branch}\n");
+		$failed++;
+		continue;
+	}
+
+	$ok = putFile($apiBase, $token, $branch, $encoded, $sha,
+		"chore: sync updates.xml{$vLabel} from {$current} [skip ci]");
+
+	if ($ok) {
+		fwrite(STDERR, "  Synced to {$branch}\n");
+		$synced++;
+	} else {
+		fwrite(STDERR, "  WARNING: push to {$branch} failed\n");
+		$failed++;
+	}
+}
+
+fwrite(STDERR, "Done: {$synced} synced, {$failed} failed\n");
+exit($failed > 0 ? 1 : 0);
+
+// ═══════════════════════════════════════════════════════════════════════
+
+function getFileSha(string $apiBase, string $token, string $branch): ?string
+{
+	$resp = apiCall('GET', "{$apiBase}/contents/updates.xml?ref={$branch}", $token);
+	return $resp['sha'] ?? null;
+}
+
+function putFile(string $apiBase, string $token, string $branch,
+	string $encoded, string $sha, string $msg): bool
+{
+	$resp = apiCall('PUT', "{$apiBase}/contents/updates.xml", $token, [
+		'content' => $encoded,
+		'sha'     => $sha,
+		'message' => $msg,
+		'branch'  => $branch,
+	]);
+	return $resp !== null;
+}
+
+function apiCall(string $method, string $url, string $token, ?array $data = null): ?array
+{
+	$headers = [
+		"Authorization: token {$token}",
+		'Content-Type: application/json',
+		'Accept: application/json',
+	];
+
+	$ch = curl_init($url);
+	curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
+	curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+	curl_setopt($ch, CURLOPT_TIMEOUT, 30);
+	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+
+	if ($data !== null) {
+		curl_setopt($ch, CURLOPT_POSTFIELDS,
+			json_encode($data, JSON_UNESCAPED_SLASHES));
+	}
+
+	$body = curl_exec($ch);
+	$code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+	curl_close($ch);
+
+	return ($code >= 200 && $code < 300)
+		? (json_decode($body, true) ?: [])
+		: null;
+}
@@ -5,11 +5,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/version_bump.php
- * VERSION: 04.06.00
 * BRIEF: Auto-increment patch version in README.md — outputs old → new
 */

@@ -5,11 +5,10 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/version_read.php
- * VERSION: 04.06.00
 * BRIEF: Read VERSION from README.md — outputs just the version string
 */

@@ -5,12 +5,18 @@
 * SPDX-License-Identifier: GPL-3.0-or-later
 *
 * FILE INFORMATION
- * DEFGROUP: MokoStandards.CLI
- * INGROUP: MokoStandards
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-API
+ * DEFGROUP: moko-platform.CLI
+ * INGROUP: moko-platform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
 * PATH: /cli/version_set_platform.php
- * VERSION: 04.06.00
 * BRIEF: Set version in platform-specific files (Dolibarr $this->version, Joomla <version>)
+ *
+ * Usage:
+ *   php version_set_platform.php --path . --version 04.01.00
+ *   php version_set_platform.php --path . --version 04.01.00 --stability alpha
+ *
+ * When --stability is set to anything other than "stable", the suffix is
+ * appended to the version (e.g. 04.01.00-dev, 04.01.00-alpha, 04.01.00-rc).
 */

 declare(strict_types=1);
@@ -18,10 +24,13 @@ declare(strict_types=1);
 $path = '.';
 $version = null;
 $branch = null;
+$stability = 'stable';
+
 foreach ($argv as $i => $arg) {
    if ($arg === '--path' && isset($argv[$i + 1])) $path = $argv[$i + 1];
    if ($arg === '--version' && isset($argv[$i + 1])) $version = $argv[$i + 1];
    if ($arg === '--branch' && isset($argv[$i + 1])) $branch = $argv[$i + 1];
+    if ($arg === '--stability' && isset($argv[$i + 1])) $stability = $argv[$i + 1];
 }

 // Auto-detect branch from git or GitHub env
@@ -33,22 +42,54 @@ if ($branch === null) {
 }

 if ($version === null) {
-    fwrite(STDERR, "Usage: version_set_platform.php --path . --version development\n");
+    fwrite(STDERR, "Usage: version_set_platform.php --path . --version 04.01.00 [--stability dev]\n");
    exit(1);
 }

+// Append stability suffix for non-stable releases
+$stabilitySuffixMap = [
+    'stable'            => '',
+    'development'       => '-dev',
+    'dev'               => '-dev',
+    'alpha'             => '-alpha',
+    'beta'              => '-beta',
+    'rc'                => '-rc',
+    'release-candidate' => '-rc',
+];
+$suffix = $stabilitySuffixMap[$stability] ?? '';
+if ($suffix !== '' && !str_ends_with($version, $suffix)) {
+    $version .= $suffix;
+    echo "Version with stability suffix: {$version}\n";
+}
+
 $root = realpath($path) ?: $path;

-// Detect platform
+// Detect platform — check manifest.xml first, then legacy .mokostandards
 $platform = '';
-$mokoStandards = "{$root}/.github/.mokostandards";
-if (!file_exists($mokoStandards)) {
-    $mokoStandards = "{$root}/.mokostandards";
+
+// New format: .mokogitea/manifest.xml (XML with <platform> tag)
+$manifestXml = "{$root}/.mokogitea/manifest.xml";
+if (file_exists($manifestXml)) {
+    $xml = @simplexml_load_file($manifestXml);
+    if ($xml && isset($xml->governance->platform)) {
+        $platform = (string) $xml->governance->platform;
+    }
 }
-if (file_exists($mokoStandards)) {
-    $content = file_get_contents($mokoStandards);
-    if (preg_match('/^platform:\s*(.+)/m', $content, $m)) {
-        $platform = trim($m[1], " \t\n\r\"'");
+
+// Legacy: .mokostandards YAML file
+if (empty($platform)) {
+    $mokoStandards = "{$root}/.github/.mokostandards";
+    if (!file_exists($mokoStandards)) {
+        $mokoStandards = "{$root}/.mokogitea/.mokostandards";
+    }
+    if (!file_exists($mokoStandards)) {
+        $mokoStandards = "{$root}/.mokostandards";
+    }
+    if (file_exists($mokoStandards)) {
+        $content = file_get_contents($mokoStandards);
+        if (preg_match('/^platform:\s*(.+)/m', $content, $m)) {
+            $platform = trim($m[1], " \t\n\r\"'");
+        }
    }
 }

@@ -91,7 +132,7 @@ if ($platform === 'crm-module') {
 }

 // Joomla: <version> in XML manifests
-if ($platform === 'waas-component') {
+if (in_array($platform, ['waas-component', 'joomla'], true)) {
    foreach (glob("{$root}/src/*.xml") ?: glob("{$root}/*.xml") ?: [] as $file) {
        $content = file_get_contents($file);
        if (!str_contains($content, '<extension')) continue;
@@ -2,7 +2,7 @@
    "name": "mokoconsulting-tech/enterprise",
    "description": "MokoStandards Enterprise API \u2014 PHP implementation",
    "type": "library",
-    "version": "04.05.00",
+    "version": "05.00.01",
    "license": "GPL-3.0-or-later",
    "authors": [
        {
@@ -0,0 +1,206 @@
+/**
+ * Client Repository Structure Definition
+ * Standard repository structure for managed Joomla client sites (WaaS)
+ *
+ * This is NOT a Joomla extension — it's a full managed client site with
+ * deployment configs, monitoring, SFTP settings, and sync workflows.
+ * The src/ directory mirrors the Joomla site's public_html.
+ *
+ * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ * Schema Version: 1.0
+ */
+
+locals {
+  repository_structure = {
+    metadata = {
+      name             = "Client Site"
+      description      = "Managed Joomla client site — full site structure, not an extension"
+      repository_type  = "client"
+      platform         = "client"
+      last_updated     = "2026-05-09T00:00:00Z"
+      maintainer       = "Moko Consulting"
+      version          = "01.00.00"
+      schema_version   = "1.0"
+    }
+
+    detection_hints = [
+      "scripts/sftp-config/",
+      "scripts/sync-dev-to-live.sh",
+      "monitoring/grafana/",
+      "src/administrator/",
+      "src/components/",
+      "src/plugins/",
+      "src/templates/",
+      "src/media/templates/site/mokoonyx/"
+    ]
+
+    root_files = [
+      {
+        name              = "README.md"
+        extension         = "md"
+        description       = "Client site overview and deployment info"
+        required          = true
+        always_overwrite  = false
+        protected         = true
+      },
+      {
+        name              = "CHANGELOG.md"
+        extension         = "md"
+        description       = "Release history"
+        required          = true
+        always_overwrite  = false
+      },
+      {
+        name              = "LICENSE"
+        extension         = ""
+        description       = "GPL-3.0-or-later license file"
+        required          = true
+        always_overwrite  = true
+        template          = "templates/docs/required/LICENSE"
+      },
+      {
+        name              = "Makefile"
+        extension         = ""
+        description       = "Build and deployment targets (includes minify)"
+        required          = true
+        always_overwrite  = false
+      },
+      {
+        name              = "composer.json"
+        extension         = "json"
+        description       = "PHP dependencies"
+        required          = true
+        always_overwrite  = false
+      },
+      {
+        name              = ".gitignore"
+        extension         = ""
+        description       = "Git ignore rules (must include *.min.css, *.min.js, TODO.md)"
+        required          = true
+        always_overwrite  = false
+      }
+    ]
+
+    directories = [
+      {
+        name                = "src"
+        path                = "src"
+        description         = "Joomla site public_html mirror — deployed via SFTP"
+        required            = true
+        purpose             = "Contains the full Joomla site directory structure"
+        subdirectories = [
+          { name = "administrator", path = "src/administrator", description = "Joomla admin", required = true },
+          { name = "components",    path = "src/components",    description = "Frontend components", required = true },
+          { name = "plugins",       path = "src/plugins",       description = "Plugins", required = true },
+          { name = "modules",       path = "src/modules",       description = "Modules", required = true },
+          { name = "templates",     path = "src/templates",     description = "Templates", required = true },
+          { name = "media",         path = "src/media",         description = "Media assets", required = true },
+          { name = "images",        path = "src/images",        description = "Site images", required = false },
+          { name = "language",      path = "src/language",      description = "Language files", required = false },
+          { name = "libraries",     path = "src/libraries",     description = "Libraries", required = false },
+          { name = "layouts",       path = "src/layouts",       description = "Layouts", required = false }
+        ]
+      },
+      {
+        name                = "scripts"
+        path                = "scripts"
+        description         = "Deployment, sync, and monitoring scripts"
+        required            = true
+        purpose             = "Contains SFTP configs, sync scripts, and monitoring"
+        subdirectories = [
+          {
+            name                = "sftp-config"
+            path                = "scripts/sftp-config"
+            description         = "SFTP connection configs (dev + live)"
+            required            = true
+            files = [
+              {
+                name              = "sftp-config.dev.json"
+                extension         = "json"
+                description       = "Dev server SFTP connection"
+                required          = true
+                always_overwrite  = false
+              },
+              {
+                name              = "sftp-config.rs.json"
+                extension         = "json"
+                description       = "Live/release server SFTP connection"
+                required          = true
+                always_overwrite  = false
+              }
+            ]
+          }
+        ]
+      },
+      {
+        name                = "monitoring"
+        path                = "monitoring"
+        description         = "Grafana dashboard templates"
+        required            = true
+        purpose             = "Contains Panopticon-style Grafana dashboard JSON"
+        subdirectories = [
+          {
+            name                = "grafana"
+            path                = "monitoring/grafana"
+            description         = "Grafana dashboard JSON templates"
+            required            = true
+            files = [
+              {
+                name              = "client-joomla-dashboard.json"
+                extension         = "json"
+                description       = "Panopticon-style Grafana dashboard template"
+                required          = true
+                always_overwrite  = true
+                template          = "templates/monitoring/client-joomla-dashboard.json"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        name                = ".gitea"
+        path                = ".gitea"
+        description         = "Gitea configuration"
+        required            = true
+        purpose             = "Contains Gitea Actions workflows"
+        subdirectories = [
+          {
+            name                = "workflows"
+            path                = ".gitea/workflows"
+            description         = "Gitea Actions CI/CD workflows"
+            required            = true
+            files = [
+              {
+                name              = "auto-release.yml"
+                extension         = "yml"
+                description       = "Auto-release on merge to main"
+                required          = true
+                always_overwrite  = true
+              },
+              {
+                name              = "deploy.yml"
+                extension         = "yml"
+                description       = "Deploy src/ to servers via SFTP"
+                required          = true
+                always_overwrite  = true
+              },
+              {
+                name              = "add-endpoint.yml"
+                extension         = "yml"
+                description       = "Add monitoring endpoint to sites.json"
+                required          = true
+                always_overwrite  = true
+              }
+            ]
+          }
+        ]
+      }
+    ]
+  }
+}
+
+output "client_structure" {
+  description = "Client site repository structure definition"
+  value       = local.repository_structure
+}
@@ -86,6 +86,15 @@
        "description": "Build automation",
        "requirementStatus": "suggested",
        "audience": "developer"
+      },
+      {
+        "name": "renovate.json",
+        "extension": "json",
+        "description": "Renovate dependency management configuration",
+        "requirementStatus": "required",
+        "alwaysOverwrite": false,
+        "audience": "developer",
+        "template": "templates/configs/renovate.json"
      }
    ],
    "directories": [
@@ -158,7 +167,9 @@
              "branch-freeze.yml",
              "changelog-validation.yml",
              "repository-cleanup.yml",
-              "sync-version-on-merge.yml"
+              "sync-version-on-merge.yml",
+              "cascade-dev.yml",
+              "gitleaks.yml"
            ]
          }
        ]
@@ -4,7 +4,6 @@
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -13,11 +12,11 @@ locals {
    metadata = {
      name             = "MokoCRM Module"
      description      = "Standard repository structure for MokoCRM (Dolibarr) modules"
-      repository_type  = "crm-module"
+      repository_type  = "dolibarr"
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -167,13 +166,14 @@ EOT
        audience          = "developer"
      },
      {
-        name              = ".mokostandards"
-        extension         = "yml"
-        description       = "MokoStandards governance attachment — links this repo back to the standards source"
+        name              = ".gitea/.mokostandards"
+        extension         = "xml"
+        description       = "MokoStandards XML manifest — generated programmatically by RepositorySynchronizer::migrateMokoStandards()"
        required          = true
-        always_overwrite  = true
+        always_overwrite  = false
        audience          = "developer"
-        template          = "templates/configs/mokostandards.yml.template"
+        template          = "managed-by-sync"
+        source_type       = "programmatic"
      },
      {
        name              = "GOVERNANCE.md"
@@ -184,6 +184,15 @@ EOT
        protected         = true
        audience          = "all"
        template          = "templates/docs/required/GOVERNANCE.md"
+      },
+      {
+        name              = "renovate.json"
+        extension         = "json"
+        description       = "Renovate dependency management configuration"
+        required          = true
+        always_overwrite  = false
+        audience          = "developer"
+        template          = "templates/configs/renovate.json"
      }
    ]

@@ -1092,6 +1101,22 @@ EOT
                requirement_status  = "required"
                always_overwrite    = true
                template            = "templates/workflows/dolibarr/repo_health.yml.template"
+              },
+              {
+                name                = "cascade-dev.yml"
+                extension           = "yml"
+                description         = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/cascade-dev.yml"
+              },
+              {
+                name                = "gitleaks.yml"
+                extension           = "yml"
+                description         = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/gitleaks.yml"
              }
            ]
          },
@@ -4,7 +4,6 @@
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -17,7 +16,7 @@ locals {
      platform         = "multi-platform"
      last_updated     = "2026-01-15T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -119,13 +118,14 @@ locals {
        template            = "templates/configs/composer.generic.json"
      },
      {
-        name              = ".mokostandards"
-        extension         = "yml"
-        description       = "MokoStandards governance attachment — links this repo back to the standards source"
+        name              = ".gitea/.mokostandards"
+        extension         = "xml"
+        description       = "MokoStandards XML manifest — generated programmatically by RepositorySynchronizer::migrateMokoStandards()"
        required          = true
-        always_overwrite  = true
+        always_overwrite  = false
        audience          = "developer"
-        template          = "templates/configs/mokostandards.yml.template"
+        template          = "managed-by-sync"
+        source_type       = "programmatic"
      },
      {
        name              = "GOVERNANCE.md"
@@ -4,7 +4,6 @@
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -17,7 +16,7 @@ locals {
      platform         = "multi-platform"
      last_updated     = "2026-01-16T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -193,6 +192,15 @@ locals {
        always_overwrite    = false
        audience            = "developer"
        template            = "templates/configs/composer.generic.json"
+      },
+      {
+        name                = "renovate.json"
+        extension           = "json"
+        description         = "Renovate dependency management configuration"
+        requirement_status  = "required"
+        always_overwrite    = false
+        audience            = "developer"
+        template            = "templates/configs/renovate.json"
      }
    ]

@@ -443,6 +451,22 @@ locals {
                requirement_status  = "required"
                always_overwrite    = true
                template            = "templates/workflows/shared/auto-dev-issue.yml.template"
+              },
+              {
+                name                = "cascade-dev.yml"
+                extension           = "yml"
+                description         = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/cascade-dev.yml"
+              },
+              {
+                name                = "gitleaks.yml"
+                extension           = "yml"
+                description         = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/gitleaks.yml"
              }
            ]
          },
@@ -580,24 +604,46 @@ locals {
        {
          branch_pattern          = "main"
          require_pull_request    = true
-          required_approvals      = 1
-          require_code_owner_review = false
+          required_approvals      = 0
          dismiss_stale_reviews   = true
-          require_status_checks   = true
-          required_status_checks  = ["ci", "code-quality"]
-          enforce_admins          = false
+          block_on_rejected_reviews = true
          restrict_pushes         = true
+          push_whitelist          = ["jmiller"]
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+          enforce_admins          = false
        },
        {
-          branch_pattern          = "master"
-          require_pull_request    = true
-          required_approvals      = 1
-          require_code_owner_review = false
-          dismiss_stale_reviews   = true
-          require_status_checks   = true
-          required_status_checks  = ["ci"]
-          enforce_admins          = false
-          restrict_pushes         = true
+          branch_pattern          = "dev"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+        },
+        {
+          branch_pattern          = "rc/*"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+        },
+        {
+          branch_pattern          = "beta/*"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+        },
+        {
+          branch_pattern          = "alpha/*"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
        }
      ]

@@ -5,7 +5,6 @@
 *
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 *
 * NOTES
@@ -28,7 +27,7 @@ locals {
      platform         = "github-private"
      last_updated     = "2026-03-12T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
      visibility       = "private"
      sync_priority    = -1
@@ -116,12 +115,13 @@ locals {
        audience          = "developer"
      },
      {
-        name              = ".mokostandards.yml"
-        extension         = "yml"
-        description       = "MokoStandards governance marker — identifies this repo as platform=github-private"
+        name              = ".gitea/.mokostandards"
+        extension         = "xml"
+        description       = "MokoStandards XML manifest — generated programmatically by RepositorySynchronizer::migrateMokoStandards()"
        required          = true
-        always_overwrite  = true
-        template          = "templates/configs/mokostandards.yml.template"
+        always_overwrite  = false
+        template          = "managed-by-sync"
+        source_type       = "programmatic"
      }
    ]

@@ -1,422 +0,0 @@
-/**
- * MokoWaaS Joomla Template Structure Definition
- * Standard repository structure for Joomla template projects
- *
- * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
- * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.06.10
- * Schema Version: 1.0
- */
-
-locals {
-  repository_structure = {
-    metadata = {
-      name             = "Joomla Template"
-      description      = "Standard repository structure for Joomla templates (site or administrator)"
-      repository_type  = "joomla-template"
-      platform         = "mokowaas"
-      last_updated     = "2026-04-14T00:00:00Z"
-      maintainer       = "Moko Consulting"
-      version          = "04.06.10"
-      schema_version   = "1.0"
-    }
-
-    root_files = [
-      {
-        name              = "README.md"
-        extension         = "md"
-        description       = "Developer-focused documentation for contributors and maintainers"
-        required          = true
-        always_overwrite  = false
-        protected         = true
-        audience          = "developer"
-      },
-      {
-        name              = "LICENSE"
-        extension         = ""
-        description       = "License file (GPL-3.0-or-later) - Default for Joomla templates"
-        required          = true
-        audience          = "general"
-        template          = "templates/licenses/GPL-3.0"
-        license_type      = "GPL-3.0-or-later"
-      },
-      {
-        name              = "CHANGELOG.md"
-        extension         = "md"
-        description       = "Version history and changes"
-        required          = true
-        audience          = "general"
-      },
-      {
-        name              = "SECURITY.md"
-        extension         = "md"
-        description       = "Security policy and vulnerability reporting"
-        required          = true
-        always_overwrite  = true
-        template          = "templates/docs/required/template-SECURITY.md"
-        audience          = "general"
-      },
-      {
-        name              = "CODE_OF_CONDUCT.md"
-        extension         = "md"
-        description       = "Community code of conduct"
-        required          = true
-        always_overwrite  = true
-        template          = "templates/docs/extra/template-CODE_OF_CONDUCT.md"
-        audience          = "contributor"
-      },
-      {
-        name              = "CONTRIBUTING.md"
-        extension         = "md"
-        description       = "Contribution guidelines"
-        required          = true
-        always_overwrite  = true
-        template          = "templates/docs/required/template-CONTRIBUTING.md"
-        audience          = "contributor"
-      },
-      {
-        name              = "templateDetails.xml"
-        extension         = "xml"
-        description       = "Joomla template manifest — declares template metadata, positions, styles, and dependencies"
-        required          = true
-        always_overwrite  = false
-        audience          = "developer"
-        stub_content      = <<-MOKO_END
-        <?xml version="1.0" encoding="utf-8"?>
-        <extension type="template" client="site" method="upgrade">
-        	<name>{{TEMPLATE_NAME}}</name>
-        	<creationDate>{{CREATION_DATE}}</creationDate>
-        	<author>Moko Consulting</author>
-        	<authorEmail>hello@mokoconsulting.tech</authorEmail>
-        	<authorUrl>https://mokoconsulting.tech</authorUrl>
-        	<copyright>Copyright (C) 2026 Moko Consulting. All rights reserved.</copyright>
-        	<license>GPL-3.0-or-later</license>
-        	<version>{{VERSION}}</version>
-        	<description>{{REPO_DESCRIPTION}}</description>
-
-        	<files>
-        		<filename>index.php</filename>
-        		<filename>component.php</filename>
-        		<filename>error.php</filename>
-        		<filename>offline.php</filename>
-        		<filename>templateDetails.xml</filename>
-        		<folder>html</folder>
-        		<folder>css</folder>
-        		<folder>js</folder>
-        		<folder>images</folder>
-        		<folder>language</folder>
-        	</files>
-
-        	<media destination="templates/site/{{TEMPLATE_SHORT_NAME}}" folder="media">
-        		<folder>css</folder>
-        		<folder>js</folder>
-        		<folder>images</folder>
-        		<folder>scss</folder>
-        	</media>
-
-        	<positions>
-        		<position>topbar</position>
-        		<position>navbar</position>
-        		<position>hero</position>
-        		<position>breadcrumbs</position>
-        		<position>sidebar-left</position>
-        		<position>sidebar-right</position>
-        		<position>main-top</position>
-        		<position>main-bottom</position>
-        		<position>footer</position>
-        		<position>debug</position>
-        	</positions>
-
-        	<updateservers>
-        		<server type="extension" priority="1" name="{{TEMPLATE_NAME}} Update Server">
-        			https://git.mokoconsulting.tech/MokoConsulting/{{REPO_NAME}}/raw/branch/main/updates.xml
-        		</server>
-        		<server type="extension" priority="2" name="{{TEMPLATE_NAME}} Update Server">
-        			https://git.mokoconsulting.tech/MokoConsulting/{{REPO_NAME}}/main/updates.xml
-        		</server>
-        	</updateservers>
-
-        	<config>
-        		<fields name="params">
-        			<fieldset name="basic">
-        				<field name="logoFile" type="media" label="Logo" />
-        				<field name="siteTitle" type="text" label="Site Title" default="" />
-        				<field name="siteDescription" type="text" label="Site Description" default="" />
-        				<field name="colorScheme" type="list" label="Color Scheme" default="light">
-        					<option value="light">Light</option>
-        					<option value="dark">Dark</option>
-        					<option value="auto">Auto (system preference)</option>
-        				</field>
-        			</fieldset>
-        			<fieldset name="advanced">
-        				<field name="fluidContainer" type="radio" label="Fluid Container" default="0">
-        					<option value="0">No</option>
-        					<option value="1">Yes</option>
-        				</field>
-        			</fieldset>
-        		</fields>
-        	</config>
-        </extension>
-        MOKO_END
-      },
-      {
-        name              = "updates.xml"
-        extension         = "xml"
-        description       = "Joomla template update server manifest — polled by Joomla for new versions (dual-platform: Gitea priority 1, GitHub priority 2)"
-        required          = true
-        always_overwrite  = false
-        audience          = "developer"
-        stub_content      = <<-MOKO_END
-        <updates>
-        	<update>
-        		<name>{{TEMPLATE_NAME}}</name>
-        		<description>{{REPO_DESCRIPTION}}</description>
-        		<element>tpl_{{TEMPLATE_SHORT_NAME}}</element>
-        		<type>template</type>
-        		<version>{{VERSION}}</version>
-        		<downloads>
-        			<downloadurl type="full" format="zip">
-        				https://git.mokoconsulting.tech/mokoconsulting-tech/{{REPO_NAME}}/releases/download/v{{VERSION}}/{{TEMPLATE_SHORT_NAME}}.zip
-        			</downloadurl>
-        			<downloadurl type="full" format="zip">
-        				https://git.mokoconsulting.tech/MokoConsulting/{{REPO_NAME}}/releases/download/v{{VERSION}}/{{TEMPLATE_SHORT_NAME}}.zip
-        			</downloadurl>
-        		</downloads>
-        		<targetplatform name="joomla" version="[56].*"/>
-        		<php_minimum>8.1</php_minimum>
-        	</update>
-        </updates>
-        MOKO_END
-      },
-      {
-        name                = "phpstan.neon"
-        extension           = "neon"
-        description         = "PHPStan static analysis config with Joomla framework class stubs"
-        required            = true
-        always_overwrite    = true
-        audience            = "developer"
-        template            = "templates/configs/phpstan.joomla.neon"
-      },
-      {
-        name                = "Makefile"
-        description         = "Build automation for Joomla template packaging"
-        required            = true
-        always_overwrite    = true
-        audience            = "developer"
-        template            = "templates/makefiles/Makefile.joomla.template"
-      },
-      {
-        name              = ".gitignore"
-        extension         = "gitignore"
-        description       = "Git ignore patterns for Joomla template development"
-        required          = true
-        always_overwrite  = false
-        audience          = "developer"
-        template          = "templates/configs/.gitignore.joomla"
-      },
-      {
-        name              = ".editorconfig"
-        extension         = "editorconfig"
-        description       = "Editor configuration for consistent coding style"
-        required          = true
-        always_overwrite  = true
-        template          = "templates/configs/.editorconfig"
-        audience          = "developer"
-      },
-      {
-        name              = ".ftpignore"
-        extension         = "ftpignore"
-        description       = "FTP/SFTP ignore patterns for deploy-joomla.php"
-        required          = false
-        always_overwrite  = false
-        audience          = "developer"
-      },
-    ]
-
-    subdirectories = [
-      {
-        name        = "src"
-        description = "Template source files — maps to templates/{name}/ on the Joomla server"
-        required    = true
-        files = [
-          {
-            name              = "index.php"
-            description       = "Main template entry point"
-            required          = true
-            always_overwrite  = false
-            stub_content      = <<-MOKO_END
-            <?php
-            /**
-             * @package     Joomla.Site
-             * @subpackage  Templates.{{TEMPLATE_SHORT_NAME}}
-             * @copyright   Copyright (C) 2026 Moko Consulting. All rights reserved.
-             * @license     GPL-3.0-or-later
-             */
-
-            defined('_JEXEC') or die;
-
-            use Joomla\CMS\Document\HtmlDocument;
-            use Joomla\CMS\Factory;
-            use Joomla\CMS\HTML\HTMLHelper;
-
-            /** @var HtmlDocument $this */
-
-            $app   = Factory::getApplication();
-            $wa    = $this->getWebAssetManager();
-            $doc   = $app->getDocument();
-            $lang  = $app->getLanguage();
-
-            // Load template CSS/JS via Web Asset Manager
-            $wa->useStyle('template.{{TEMPLATE_SHORT_NAME}}.css');
-            $wa->useScript('template.{{TEMPLATE_SHORT_NAME}}.js');
-
-            ?>
-            <!DOCTYPE html>
-            <html lang="<?php echo $this->language; ?>" dir="<?php echo $this->direction; ?>">
-            <head>
-            	<jdoc:include type="metas" />
-            	<jdoc:include type="styles" />
-            	<jdoc:include type="scripts" />
-            </head>
-            <body class="site <?php echo $this->direction === 'rtl' ? 'rtl' : 'ltr'; ?>">
-            	<header>
-            		<jdoc:include type="modules" name="topbar" style="none" />
-            		<jdoc:include type="modules" name="navbar" style="none" />
-            	</header>
-
-            	<jdoc:include type="modules" name="hero" style="none" />
-            	<jdoc:include type="modules" name="breadcrumbs" style="none" />
-
-            	<main>
-            		<jdoc:include type="modules" name="main-top" style="html5" />
-            		<jdoc:include type="message" />
-            		<jdoc:include type="component" />
-            		<jdoc:include type="modules" name="main-bottom" style="html5" />
-            	</main>
-
-            	<footer>
-            		<jdoc:include type="modules" name="footer" style="none" />
-            	</footer>
-
-            	<jdoc:include type="modules" name="debug" style="none" />
-            </body>
-            </html>
-            MOKO_END
-          },
-          {
-            name              = "error.php"
-            description       = "Error page template (404, 500, etc.)"
-            required          = true
-            always_overwrite  = false
-          },
-          {
-            name              = "offline.php"
-            description       = "Offline page template shown when site is in maintenance mode"
-            required          = true
-            always_overwrite  = false
-          },
-          {
-            name              = "component.php"
-            description       = "Component-only template (print view / raw output)"
-            required          = false
-            always_overwrite  = false
-          },
-        ]
-      },
-      {
-        name        = "src/html"
-        description = "Template overrides for Joomla component/module views"
-        required    = true
-        files = [
-          {
-            name              = "index.html"
-            description       = "Prevents directory listing"
-            required          = true
-            always_overwrite  = true
-            stub_content      = "<!DOCTYPE html><title></title>"
-          },
-        ]
-      },
-      {
-        name        = "src/css"
-        description = "Compiled CSS files"
-        required    = true
-        files       = []
-      },
-      {
-        name        = "src/js"
-        description = "JavaScript files"
-        required    = true
-        files       = []
-      },
-      {
-        name        = "src/images"
-        description = "Template images and icons"
-        required    = true
-        files = [
-          {
-            name              = "template_preview.png"
-            description       = "Template preview screenshot shown in Joomla admin"
-            required          = false
-            always_overwrite  = false
-          },
-          {
-            name              = "template_thumbnail.png"
-            description       = "Template thumbnail shown in template list"
-            required          = false
-            always_overwrite  = false
-          },
-        ]
-      },
-      {
-        name        = "src/language/en-GB"
-        description = "English language files for the template"
-        required    = true
-        files = [
-          {
-            name              = "tpl_{{TEMPLATE_SHORT_NAME}}.ini"
-            description       = "Main language strings"
-            required          = true
-            always_overwrite  = false
-          },
-          {
-            name              = "tpl_{{TEMPLATE_SHORT_NAME}}.sys.ini"
-            description       = "System language strings (used in admin template manager)"
-            required          = true
-            always_overwrite  = false
-          },
-        ]
-      },
-      {
-        name        = "media"
-        description = "Template media files — maps to media/templates/site/{name}/ on the Joomla server"
-        required    = true
-        files       = []
-      },
-      {
-        name        = "media/css"
-        description = "Compiled CSS assets served from /media/"
-        required    = true
-        files       = []
-      },
-      {
-        name        = "media/js"
-        description = "JavaScript assets served from /media/"
-        required    = true
-        files       = []
-      },
-      {
-        name        = "media/images"
-        description = "Image assets served from /media/"
-        required    = true
-        files       = []
-      },
-      {
-        name        = "media/scss"
-        description = "SCSS source files (compiled to media/css/)"
-        required    = false
-        files       = []
-      },
-    ]
-  }
-}
@@ -4,7 +4,6 @@
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -13,11 +12,11 @@ locals {
    metadata = {
      name             = "MokoWaaS Component"
      description      = "Standard repository structure for MokoWaaS (Joomla) components"
-      repository_type  = "waas-component"
+      repository_type  = "joomla"
      platform         = "mokowaas"
      last_updated     = "2026-01-15T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -221,13 +220,14 @@ locals {
        template            = "templates/configs/composer.joomla.json"
      },
      {
-        name              = ".mokostandards"
-        extension         = "yml"
-        description       = "MokoStandards governance attachment — links this repo back to the standards source"
+        name              = ".gitea/.mokostandards"
+        extension         = "xml"
+        description       = "MokoStandards XML manifest — generated programmatically by RepositorySynchronizer::migrateMokoStandards()"
        required          = true
-        always_overwrite  = true
+        always_overwrite  = false
        audience          = "developer"
-        template          = "templates/configs/mokostandards.yml.template"
+        template          = "managed-by-sync"
+        source_type       = "programmatic"
      },
      {
        name              = "GOVERNANCE.md"
@@ -238,6 +238,15 @@ locals {
        protected         = true
        audience          = "all"
        template          = "templates/docs/required/GOVERNANCE.md"
+      },
+      {
+        name              = "renovate.json"
+        extension         = "json"
+        description       = "Renovate dependency management configuration"
+        required          = true
+        always_overwrite  = false
+        audience          = "developer"
+        template          = "templates/configs/renovate.json"
      }
    ]

@@ -1022,105 +1031,113 @@ locals {
        subdirectories = [
          {
            name                = "workflows"
-            path                = ".github/workflows"
-            description         = "GitHub Actions workflows"
+            path                = ".gitea/workflows"
+            description         = "Gitea Actions CI/CD workflows"
            requirement_status  = "required"
            files = [
-              {
-                name                = "ci-joomla.yml"
-                extension           = "yml"
-                description         = "Joomla-specific CI workflow"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = "templates/workflows/joomla/ci-joomla.yml.template"
-              },
-              {
-                name                = "codeql-analysis.yml"
-                extension           = "yml"
-                description         = "CodeQL security analysis workflow"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = "templates/workflows/generic/codeql-analysis.yml.template"
-              },
-              {
-                name                = "standards-compliance.yml"
-                extension           = "yml"
-                description         = "MokoStandards compliance validation"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = ".github/workflows/standards-compliance.yml"
-              },
-              {
-                name                = "enterprise-firewall-setup.yml"
-                extension           = "yml"
-                description         = "Enterprise firewall configuration for trusted domain access"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = "templates/workflows/shared/enterprise-firewall-setup.yml.template"
-              },
-              {
-                name                = "deploy-dev.yml"
-                extension           = "yml"
-                description         = "SFTP deployment of src/ to the development server"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = "templates/workflows/shared/deploy-dev.yml.template"
-              },
-              {
-                name                = "deploy-demo.yml"
-                extension           = "yml"
-                description         = "SFTP deployment of src/ to the demo server on merge to main"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = "templates/workflows/shared/deploy-demo.yml.template"
-              },
-              {
-                name                = "deploy-rs.yml"
-                extension           = "yml"
-                description         = "SFTP deployment of src/ to the release staging server on merge to main"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = "templates/workflows/shared/deploy-rs.yml.template"
-              },
-              {
-                name                = "sync-version-on-merge.yml"
-                extension           = "yml"
-                description         = "Auto-bump patch version on merge and propagate to all file headers"
-                requirement_status  = "required"
-                always_overwrite    = true
-                template            = "templates/workflows/shared/sync-version-on-merge.yml.template"
-              },
              {
                name                = "auto-release.yml"
                extension           = "yml"
-                description         = "Auto-create GitHub Release on push to main with version from README.md"
+                description         = "Automated release — builds zip, creates Gitea release, updates SHA in updates.xml. Triggered by push to main (stable) or pre-release tags"
                requirement_status  = "required"
                always_overwrite    = true
-                template            = "templates/workflows/shared/auto-release.yml.template"
+                template            = "workflows/auto-release.yml"
              },
              {
-                name                = "repository-cleanup.yml"
+                name                = "ci-dolibarr.yml"
                extension           = "yml"
-                description         = "Scheduled cleanup: delete retired workflows, stale branches, old workflow runs"
+                description         = "Continuous integration — PHP linting, PHPStan static analysis, Dolibarr module validation"
                requirement_status  = "required"
                always_overwrite    = true
-                template            = "templates/workflows/shared/repository-cleanup.yml.template"
+                template            = "workflows/ci-dolibarr.yml"
              },
              {
-                name                = "auto-dev-issue.yml"
+                name                = "publish-to-mokodolimods.yml"
                extension           = "yml"
-                description         = "Auto-create tracking issue when a dev/** branch is pushed"
+                description         = "On release, copies src/ into htdocs/custom/ in mokodolimods repo and opens a PR"
                requirement_status  = "required"
                always_overwrite    = true
-                template            = "templates/workflows/shared/auto-dev-issue.yml.template"
+                template            = "workflows/publish-to-mokodolimods.yml"
              },
              {
-                name                = "repo_health.yml"
+                name                = "pre-release.yml"
                extension           = "yml"
-                description         = "Joomla-specific repository health check workflow"
+                description         = "Manual pre-release — builds dev/alpha/beta/rc packages with patch version bump"
                requirement_status  = "required"
                always_overwrite    = true
-                template            = "templates/workflows/joomla/repo_health.yml.template"
+                template            = "workflows/pre-release.yml"
+              },
+              {
+                name                = "deploy-manual.yml"
+                extension           = "yml"
+                description         = "Manual deployment — allows selecting target environment and branch for on-demand deploys"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/deploy-manual.yml"
+              },
+              {
+                name                = "repo-health.yml"
+                extension           = "yml"
+                description         = "Repository health checks — validates required files, structure compliance, and standards alignment"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/repo-health.yml"
+              },
+              {
+                name                = "update-server.yml"
+                extension           = "yml"
+                description         = "Update server maintenance — validates updates.xml format and ensures download URLs are reachable"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/update-server.yml"
+              },
+              {
+                name                = "pr-check.yml"
+                extension           = "yml"
+                description         = "PR gate — validates PHP syntax, manifest XML, and package build before merge to main"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/pr-check.yml"
+              },
+              {
+                name                = "security-audit.yml"
+                extension           = "yml"
+                description         = "Dependency vulnerability scanning — weekly schedule and on PR when lock files change"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/security-audit.yml"
+              },
+              {
+                name                = "notify.yml"
+                extension           = "yml"
+                description         = "Push notifications via ntfy on release success or workflow failure"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/notify.yml"
+              },
+              {
+                name                = "cleanup.yml"
+                extension           = "yml"
+                description         = "Scheduled cleanup — delete merged branches and old workflow runs weekly"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/cleanup.yml"
+              },
+              {
+                name                = "cascade-dev.yml"
+                extension           = "yml"
+                description         = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/cascade-dev.yml"
+              },
+              {
+                name                = "gitleaks.yml"
+                extension           = "yml"
+                description         = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/gitleaks.yml"
              }
            ]
          },
@@ -0,0 +1,484 @@
+/**
+ * MCP Server Repository Structure Definition
+ * Standard repository structure for Model Context Protocol (MCP) server projects
+ *
+ * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ * Schema Version: 1.0
+ */
+
+locals {
+  repository_structure = {
+    metadata = {
+      name             = "MCP Server"
+      description      = "Standard repository structure for Model Context Protocol (MCP) server projects — TypeScript/Node.js MCP servers that expose external APIs as AI assistant tools"
+      repository_type  = "mcp-server"
+      platform         = "mcp-server"
+      last_updated     = "2026-05-07T00:00:00Z"
+      maintainer       = "Moko Consulting"
+      version          = "04.06.00"
+      schema_version   = "1.0"
+    }
+
+    root_files = [
+      {
+        name                  = "README.md"
+        extension             = "md"
+        description           = "Project overview with tool reference table, install, and configuration"
+        requirement_status    = "required"
+        always_overwrite      = false
+        protected             = true
+        audience              = "general"
+        source_path           = "templates/docs/required"
+        source_filename       = "template-README.md"
+        source_type           = "template"
+        destination_path      = "."
+        destination_filename  = "README.md"
+        create_path           = false
+        template              = "templates/docs/required/template-README.md"
+      },
+      {
+        name                  = "LICENSE"
+        extension             = ""
+        description           = "License file (GPL-3.0-or-later)"
+        requirement_status    = "required"
+        audience              = "general"
+        source_path           = "templates/licenses"
+        source_filename       = "GPL-3.0"
+        source_type           = "template"
+        destination_path      = "."
+        destination_filename  = "LICENSE"
+        create_path           = false
+        template              = "templates/licenses/GPL-3.0"
+      },
+      {
+        name                  = "CHANGELOG.md"
+        extension             = "md"
+        description           = "Version history and changes"
+        requirement_status    = "required"
+        always_overwrite      = false
+        protected             = true
+        audience              = "general"
+        source_path           = "templates/docs/required"
+        source_filename       = "template-CHANGELOG.md"
+        source_type           = "template"
+        destination_path      = "."
+        destination_filename  = "CHANGELOG.md"
+        create_path           = false
+        template              = "templates/docs/required/template-CHANGELOG.md"
+      },
+      {
+        name                  = "CONTRIBUTING.md"
+        extension             = "md"
+        description           = "Contribution guidelines"
+        requirement_status    = "required"
+        always_overwrite      = false
+        protected             = true
+        audience              = "contributor"
+        source_path           = "templates/docs/required"
+        source_filename       = "template-CONTRIBUTING.md"
+        source_type           = "template"
+        destination_path      = "."
+        destination_filename  = "CONTRIBUTING.md"
+        create_path           = false
+        template              = "templates/docs/required/template-CONTRIBUTING.md"
+      },
+      {
+        name                  = "SECURITY.md"
+        extension             = "md"
+        description           = "Security policy and vulnerability reporting"
+        requirement_status    = "required"
+        always_overwrite      = false
+        protected             = true
+        audience              = "general"
+        source_path           = "templates/docs/required"
+        source_filename       = "template-SECURITY.md"
+        source_type           = "template"
+        destination_path      = "."
+        destination_filename  = "SECURITY.md"
+        create_path           = false
+        template              = "templates/docs/required/template-SECURITY.md"
+      },
+      {
+        name                  = "CODE_OF_CONDUCT.md"
+        extension             = "md"
+        description           = "Community code of conduct"
+        requirement_status    = "required"
+        always_overwrite      = false
+        protected             = true
+        audience              = "contributor"
+        source_path           = "templates/docs/extra"
+        source_filename       = "template-CODE_OF_CONDUCT.md"
+        source_type           = "template"
+        destination_path      = "."
+        destination_filename  = "CODE_OF_CONDUCT.md"
+        create_path           = false
+        template              = "templates/docs/extra/template-CODE_OF_CONDUCT.md"
+      },
+      {
+        name                  = "package.json"
+        extension             = "json"
+        description           = "Node.js project manifest — @mokoconsulting scoped, MCP SDK + Zod dependencies"
+        requirement_status    = "required"
+        always_overwrite      = false
+        protected             = true
+        audience              = "developer"
+      },
+      {
+        name                  = "tsconfig.json"
+        extension             = "json"
+        description           = "TypeScript configuration — ES2022 target, Node16 module, strict mode"
+        requirement_status    = "required"
+        always_overwrite      = false
+        audience              = "developer"
+      },
+      {
+        name                  = "config.example.json"
+        extension             = "json"
+        description           = "Example multi-connection configuration file"
+        requirement_status    = "required"
+        always_overwrite      = false
+        protected             = true
+        audience              = "general"
+      },
+      {
+        name                  = ".gitignore"
+        extension             = "gitignore"
+        description           = "Git ignore patterns"
+        requirement_status    = "required"
+        always_overwrite      = false
+        audience              = "developer"
+      },
+      {
+        name                  = ".gitattributes"
+        extension             = "gitattributes"
+        description           = "Git attributes configuration"
+        requirement_status    = "required"
+        audience              = "developer"
+      },
+      {
+        name                  = ".gitmessage"
+        extension             = "gitmessage"
+        description           = "Conventional commit message template"
+        requirement_status    = "required"
+        always_overwrite      = true
+        audience              = "developer"
+      },
+      {
+        name                  = "Makefile"
+        description           = "Build automation — install, build, dev, clean, setup, start targets"
+        requirement_status    = "required"
+        always_overwrite      = false
+        audience              = "developer"
+      }
+    ]
+
+    directories = [
+      {
+        name                = "src"
+        path                = "src"
+        description         = "TypeScript source code"
+        requirement_status  = "required"
+        purpose             = "Contains MCP server entry point, API client, config loader, and type definitions"
+        files = [
+          {
+            name                = "index.ts"
+            extension           = "ts"
+            description         = "MCP server entry point — registers all API tools with McpServer"
+            requirement_status  = "required"
+          },
+          {
+            name                = "client.ts"
+            extension           = "ts"
+            description         = "HTTP client wrapper for the target API (GET/POST/PUT/DELETE)"
+            requirement_status  = "required"
+          },
+          {
+            name                = "config.ts"
+            extension           = "ts"
+            description         = "Configuration loader — reads ~/.{project}.json with multi-connection support"
+            requirement_status  = "required"
+          },
+          {
+            name                = "types.ts"
+            extension           = "ts"
+            description         = "TypeScript interfaces for connection, config, and API response types"
+            requirement_status  = "required"
+          }
+        ]
+      },
+      {
+        name                = "scripts"
+        path                = "scripts"
+        description         = "Setup and utility scripts"
+        requirement_status  = "required"
+        purpose             = "Contains interactive setup wizard and repo-specific helpers"
+        files = [
+          {
+            name                = "setup.mjs"
+            extension           = "mjs"
+            description         = "Interactive setup wizard — prompts for API connection details and writes config"
+            requirement_status  = "required"
+            always_overwrite    = false
+            protected           = true
+          }
+        ]
+      },
+      {
+        name                = "docs"
+        path                = "docs"
+        description         = "Documentation directory"
+        requirement_status  = "required"
+        purpose             = "Contains project documentation"
+        files = [
+          {
+            name                = "index.md"
+            extension           = "md"
+            description         = "Documentation index"
+            requirement_status  = "suggested"
+          }
+        ]
+      },
+      {
+        name                = ".gitea"
+        path                = ".gitea"
+        description         = "Gitea-specific configuration"
+        requirement_status  = "required"
+        purpose             = "Contains Gitea Actions workflows and platform configuration"
+        files = [
+          {
+            name                = ".mokostandards"
+            description         = "MokoStandards platform declaration — must contain 'platform: mcp-server'"
+            requirement_status  = "required"
+            always_overwrite    = false
+          }
+        ]
+        subdirectories = [
+          {
+            name                = "workflows"
+            path                = ".gitea/workflows"
+            description         = "Gitea Actions workflows"
+            requirement_status  = "required"
+            files = [
+              {
+                name                = "auto-release.yml"
+                extension           = "yml"
+                description         = "Auto-create release on push to main"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/auto-release.yml.template"
+              },
+              {
+                name                = "auto-dev-issue.yml"
+                extension           = "yml"
+                description         = "Auto-create tracking issue when a dev/** branch is pushed"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/auto-dev-issue.yml.template"
+              },
+              {
+                name                = "auto-assign.yml"
+                extension           = "yml"
+                description         = "Auto-assign issues and PRs"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/auto-assign.yml.template"
+              },
+              {
+                name                = "standards-compliance.yml"
+                extension           = "yml"
+                description         = "MokoStandards compliance validation"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/standards-compliance.yml.template"
+              },
+              {
+                name                = "codeql-analysis.yml"
+                extension           = "yml"
+                description         = "CodeQL security analysis"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/codeql-analysis.yml.template"
+              },
+              {
+                name                = "changelog-validation.yml"
+                extension           = "yml"
+                description         = "CHANGELOG validation on PR"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/changelog-validation.yml.template"
+              },
+              {
+                name                = "sync-version-on-merge.yml"
+                extension           = "yml"
+                description         = "Auto-bump patch version on merge"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/sync-version-on-merge.yml.template"
+              },
+              {
+                name                = "repository-cleanup.yml"
+                extension           = "yml"
+                description         = "Scheduled cleanup of stale branches and workflow runs"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/repository-cleanup.yml.template"
+              },
+              {
+                name                = "enterprise-firewall-setup.yml"
+                extension           = "yml"
+                description         = "Enterprise firewall configuration for trusted domain access"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/enterprise-firewall-setup.yml.template"
+              },
+              {
+                name                = "deploy-dev.yml"
+                extension           = "yml"
+                description         = "Deployment to development server"
+                requirement_status  = "suggested"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/deploy-dev.yml.template"
+              },
+              {
+                name                = "deploy-demo.yml"
+                extension           = "yml"
+                description         = "Deployment to demo server on merge to main"
+                requirement_status  = "suggested"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/deploy-demo.yml.template"
+              },
+              {
+                name                = "copilot-agent.yml"
+                extension           = "yml"
+                description         = "Copilot agent workflow for automated code review"
+                requirement_status  = "optional"
+                always_overwrite    = true
+                template            = "templates/workflows/shared/copilot-agent.yml.template"
+              },
+              {
+                name                = "mcp-build-test.yml"
+                extension           = "yml"
+                description         = "MCP server build validation — TypeScript compile, dist verification, tool count"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/mcp/mcp-build-test.yml.template"
+              },
+              {
+                name                = "mcp-sdk-check.yml"
+                extension           = "yml"
+                description         = "Weekly check for MCP SDK and Zod updates — creates issue when new version available"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "templates/workflows/mcp/mcp-sdk-check.yml.template"
+              },
+              {
+                name                = "mcp-tool-inventory.yml"
+                extension           = "yml"
+                description         = "Generate tool inventory report on push to main"
+                requirement_status  = "suggested"
+                always_overwrite    = true
+                template            = "templates/workflows/mcp/mcp-tool-inventory.yml.template"
+              }
+            ]
+          }
+        ]
+      },
+      {
+        name                = "dist"
+        path                = "dist"
+        description         = "Compiled JavaScript output (generated)"
+        requirement_status  = "not-allowed"
+        purpose             = "Generated directory that should not be committed"
+      },
+      {
+        name                = "node_modules"
+        path                = "node_modules"
+        description         = "Node.js dependencies (generated)"
+        requirement_status  = "not-allowed"
+        purpose             = "Generated directory that should not be committed"
+      }
+    ]
+
+    repository_requirements = {
+      secrets = [
+        {
+          name        = "GH_TOKEN"
+          description = "Org-level Gitea PAT — configure in org Actions secrets"
+          required    = true
+          scope       = "organisation"
+          used_in     = "Gitea Actions workflows"
+        }
+      ]
+
+      variables = [
+        {
+          name          = "NODE_VERSION"
+          description   = "Node.js version for CI/CD"
+          default_value = "20"
+          required      = false
+          scope         = "repository"
+        }
+      ]
+
+      branch_protections = [
+        {
+          branch_pattern          = "main"
+          require_pull_request    = true
+          required_approvals      = 1
+          require_code_owner_review = false
+          dismiss_stale_reviews   = true
+          require_status_checks   = true
+          required_status_checks  = ["ci"]
+          enforce_admins          = false
+          restrict_pushes         = true
+        }
+      ]
+
+      repository_settings = {
+        has_issues            = true
+        has_projects          = true
+        has_wiki              = false
+        has_discussions       = false
+        allow_merge_commit    = true
+        allow_squash_merge    = true
+        allow_rebase_merge    = false
+        delete_branch_on_merge = true
+        allow_auto_merge      = false
+      }
+
+      labels = [
+        {
+          name        = "bug"
+          color       = "d73a4a"
+          description = "Something isn't working"
+        },
+        {
+          name        = "enhancement"
+          color       = "a2eeef"
+          description = "New feature or request"
+        },
+        {
+          name        = "documentation"
+          color       = "0075ca"
+          description = "Improvements or additions to documentation"
+        },
+        {
+          name        = "security"
+          color       = "ee0701"
+          description = "Security vulnerability or concern"
+        },
+        {
+          name        = "new-tool"
+          color       = "5319e7"
+          description = "New MCP tool/endpoint to add"
+        },
+        {
+          name        = "api-change"
+          color       = "fbca04"
+          description = "Upstream API changed — tool needs update"
+        }
+      ]
+    }
+  }
+}
@@ -2,13 +2,12 @@
 * Dolibarr Platform Structure Definition
 * Standard repository structure for the full Dolibarr ERP/CRM installation
 *
- * This is distinct from crm-module — it defines the ENTIRE Dolibarr platform
+ * This is distinct from dolibarr — it defines the ENTIRE Dolibarr platform
 * (htdocs/, not src/). It does NOT have a module descriptor, numero, or
 * publish-to-mokodolimods workflow.
 *
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -17,11 +16,11 @@ locals {
    metadata = {
      name             = "Dolibarr Platform"
      description      = "Full Dolibarr ERP/CRM installation — htdocs/ root, not a module"
-      repository_type  = "crm-platform"
+      repository_type  = "platform"
      platform         = "dolibarr"
      last_updated     = "2026-03-31T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -84,12 +83,22 @@ locals {
        template          = "templates/configs/ftp_ignore"
      },
      {
-        name              = ".mokostandards"
-        extension         = ""
-        description       = "MokoStandards platform identifier"
+        name              = ".gitea/.mokostandards"
+        extension         = "xml"
+        description       = "MokoStandards XML manifest — generated programmatically by RepositorySynchronizer::migrateMokoStandards()"
        required          = true
-        always_overwrite  = true
-        template          = "templates/configs/mokostandards.yml.template"
+        always_overwrite  = false
+        template          = "managed-by-sync"
+        source_type       = "programmatic"
+      },
+      {
+        name              = "renovate.json"
+        extension         = "json"
+        description       = "Renovate dependency management configuration"
+        required          = true
+        always_overwrite  = false
+        audience          = "developer"
+        template          = "templates/configs/renovate.json"
      }
    ]

@@ -218,6 +227,22 @@ locals {
                requirement_status  = "required"
                always_overwrite    = true
                template            = "templates/workflows/dolibarr/repo_health.yml.template"
+              },
+              {
+                name                = "cascade-dev.yml"
+                extension           = "yml"
+                description         = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/cascade-dev.yml"
+              },
+              {
+                name                = "gitleaks.yml"
+                extension           = "yml"
+                description         = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/gitleaks.yml"
              }
            ]
          },
@@ -4,7 +4,6 @@
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -17,7 +16,7 @@ locals {
      platform         = "standards"
      last_updated     = "2026-03-03T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -199,12 +198,23 @@ locals {
        audience          = "developer"
      },
      {
-        name              = ".mokostandards"
-        extension         = ""
-        description       = "MokoStandards sync tracking file — records last sync date, version, and compliance status"
+        name              = ".gitea/.mokostandards"
+        extension         = "xml"
+        description       = "MokoStandards XML manifest — generated programmatically by RepositorySynchronizer::migrateMokoStandards()"
        requirement_status = "required"
-        always_overwrite  = true
+        always_overwrite  = false
        audience          = "developer"
+        template          = "managed-by-sync"
+        source_type       = "programmatic"
+      },
+      {
+        name              = "renovate.json"
+        extension         = "json"
+        description       = "Renovate dependency management configuration"
+        required          = true
+        always_overwrite  = false
+        audience          = "developer"
+        template          = "templates/configs/renovate.json"
      }
    ]

@@ -495,6 +505,22 @@ locals {
                requirement_status  = "required"
                always_overwrite    = true
                template            = "templates/workflows/shared/auto-dev-issue.yml.template"
+              },
+              {
+                name                = "cascade-dev.yml"
+                extension           = "yml"
+                description         = "Forward-merge main to all open branches (dev, rc/*, beta/*, alpha/*) on push to main"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/cascade-dev.yml"
+              },
+              {
+                name                = "gitleaks.yml"
+                extension           = "yml"
+                description         = "Secret scanning — detect leaked credentials, API keys, and tokens using Gitleaks"
+                requirement_status  = "required"
+                always_overwrite    = true
+                template            = "workflows/gitleaks.yml"
              }
            ]
          },
@@ -666,20 +692,52 @@ locals {
        }
      ]

-      branch_protections = {
-        main = {
-          required_status_checks = {
-            strict   = true
-            contexts = ["standards-compliance", "code-quality"]
-          }
-          enforce_admins                = false
-          required_pull_request_reviews = {
-            dismiss_stale_reviews           = true
-            require_code_owner_reviews      = true
-            required_approving_review_count = 1
-          }
+      branch_protections = [
+        {
+          branch_pattern          = "main"
+          require_pull_request    = true
+          required_approvals      = 0
+          dismiss_stale_reviews   = true
+          block_on_rejected_reviews = true
+          restrict_pushes         = true
+          push_whitelist          = ["jmiller"]
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+          enforce_admins          = false
+        },
+        {
+          branch_pattern          = "dev"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+        },
+        {
+          branch_pattern          = "rc/*"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+        },
+        {
+          branch_pattern          = "beta/*"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
+        },
+        {
+          branch_pattern          = "alpha/*"
+          require_pull_request    = false
+          required_approvals      = 0
+          restrict_pushes         = false
+          enable_force_push       = true
+          force_push_whitelist    = ["jmiller"]
        }
-      }
+      ]

      repository_settings = {
        has_issues      = true
@@ -1,3 +1,14 @@
+<!--
+Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+SPDX-License-Identifier: GPL-3.0-or-later
+FILE INFORMATION
+DEFGROUP: MokoStandards.Index
+INGROUP: MokoStandards.Definitions
+REPO: https://git.mokoconsulting.tech/MokoConsulting/moko-platform
+PATH: /definitions/index.md
+BRIEF: Definitions directory index
+-->
+
 # Docs Index: /api/definitions

 ## Purpose
@@ -83,7 +83,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -96,7 +95,7 @@ locals {
      platform         = "multi-platform"
      last_updated     = "2026-01-16T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -98,7 +98,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -111,7 +110,7 @@ locals {
      platform         = "multi-platform"
      last_updated     = "2026-01-16T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -99,7 +99,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -112,7 +111,7 @@ locals {
      platform         = "multi-platform"
      last_updated     = "2026-01-16T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -89,7 +89,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -102,7 +101,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -91,7 +91,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -104,7 +103,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -86,7 +86,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -99,7 +98,7 @@ locals {
      platform         = "mokowaas"
      last_updated     = "2026-01-15T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -90,7 +90,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -103,7 +102,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -90,7 +90,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -103,7 +102,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -90,7 +90,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -103,7 +102,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -90,7 +90,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -103,7 +102,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -90,7 +90,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -103,7 +102,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -90,7 +90,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -103,7 +102,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

@@ -90,7 +90,6 @@ locals {
 * 
 * Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
 * SPDX-License-Identifier: GPL-3.0-or-later
- * Version: 04.05.00
 * Schema Version: 1.0
 */

@@ -103,7 +102,7 @@ locals {
      platform         = "dolibarr"
      last_updated     = "2026-01-07T00:00:00Z"
      maintainer       = "Moko Consulting"
-      version          = "04.05.00"
+      version          = "05.00.00"
      schema_version   = "1.0"
    }

--- a/Show More
+++ b/Show More