chore: sync workflow-sync-trigger.yml from Template-Generic [skip ci]

- Surface HTTP errors instead of suppressing with @file_get_contents
- Add specific messages for 401/403/404 and missing token
- Fall back to package_type if extension_type not in API response
- Log warnings for malformed XML candidates
- Fix platform_detect.php endpoint from /manifest to /metadata

.gitmodules

@@ -0,0 +1,12 @@
+[submodule "templates/repos/Template-Client"]
+	path = templates/repos/Template-Client
+	url = https://git.mokoconsulting.tech/MokoConsulting/Template-Client.git
+[submodule "templates/repos/Template-Generic"]
+	path = templates/repos/Template-Generic
+	url = https://git.mokoconsulting.tech/MokoConsulting/Template-Generic.git
+[submodule "templates/repos/Template-Joomla"]
+	path = templates/repos/Template-Joomla
+	url = https://git.mokoconsulting.tech/MokoConsulting/Template-Joomla.git
+[submodule "templates/repos/Template-MCP"]
+	path = templates/repos/Template-MCP
+	url = https://git.mokoconsulting.tech/MokoConsulting/Template-MCP.git

.mokogitea/branch-protection.yml

@@ -57,7 +57,7 @@ jobs:
       - name: Determine target repos
         id: repos
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1"
 
@@ -105,7 +105,7 @@ jobs:
 
       - name: Apply protection rules
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           DRY_RUN: ${{ inputs.dry_run || 'false' }}
         run: |
           API="${GITEA_URL}/api/v1"

.mokogitea/bulk-repo-sync.yml

@@ -84,8 +84,8 @@ jobs:
           echo "Running: php automation/bulk_sync.php ${{ steps.args.outputs.args }}"
           php automation/bulk_sync.php ${{ steps.args.outputs.args }} 2>&1 | tee /tmp/bulk_sync.log
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
           GIT_PLATFORM: gitea
           GITEA_URL: https://git.mokoconsulting.tech
           GITEA_ORG: MokoConsulting
@@ -112,7 +112,7 @@ jobs:
             bash automation/enforce_tags.sh || echo "Tag enforcement had errors (non-fatal)"
           fi
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           GITEA_URL: https://git.mokoconsulting.tech
           GITEA_ORG: MokoConsulting
 

.mokogitea/renovate.yml

@@ -57,7 +57,7 @@ jobs:
       - name: Determine target repos
         id: repos
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1"
 
@@ -107,7 +107,7 @@ jobs:
       - name: Run Renovate
         if: steps.repos.outputs.repo_list != ''
         env:
-          RENOVATE_TOKEN: ${{ secrets.GA_TOKEN }}
+          RENOVATE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           RENOVATE_PLATFORM: gitea
           RENOVATE_ENDPOINT: ${{ env.GITEA_URL }}/api/v1
           RENOVATE_GIT_AUTHOR: 'Renovate Bot <renovate@mokoconsulting.tech>'

.mokogitea/sync-wikis.yml

@@ -31,7 +31,7 @@ jobs:
 
       - name: Sync all wikis
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
           GITEA_URL: ${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}
         run: |
           if [ -z "$GH_TOKEN" ]; then

.mokogitea/workflows/auto-bump.yml

@@ -4,10 +4,10 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+# INGROUP: mokocli.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 # PATH: /.mokogitea/workflows/auto-bump.yml
-# VERSION: 09.23.00
+# VERSION: 09.02.00
 # BRIEF: Auto patch-bump version on every push to dev (skips merge commits)
 
 name: "Universal: Auto Version Bump"
@@ -43,21 +43,19 @@ jobs:
           token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 1
 
-      - name: Setup mokoplatform tools
+      - name: Setup mokocli tools
         run: |
-          if [ -f "/opt/mokoplatform/cli/version_bump.php" ] && [ -f "/opt/mokoplatform/vendor/autoload.php" ]; then
-            echo "Using pre-installed /opt/mokoplatform"
-            echo "MOKO_CLI=/opt/mokoplatform/cli" >> "$GITHUB_ENV"
+          if ! command -v composer &> /dev/null; then
+            sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
+          fi
+          if [ -d "/opt/mokocli/cli" ]; then
+            echo "MOKO_CLI=/opt/mokocli/cli" >> "$GITHUB_ENV"
           else
-            if ! command -v composer &> /dev/null; then
-              sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer >/dev/null 2>&1
-            fi
-            rm -rf /tmp/mokoplatform-api
             git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
-              /tmp/mokoplatform-api
-            cd /tmp/mokoplatform-api && composer install --no-dev --no-interaction --quiet
-            echo "MOKO_CLI=/tmp/mokoplatform-api/cli" >> "$GITHUB_ENV"
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokocli.git" \
+              /tmp/mokocli
+            cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
+            echo "MOKO_CLI=/tmp/mokocli/cli" >> "$GITHUB_ENV"
           fi
 
       - name: Bump version

.mokogitea/workflows/auto-release.yml

@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Release
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokoplatform
+# INGROUP: mokocli.Release
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
 # PATH: /templates/workflows/universal/auto-release.yml.template
 # VERSION: 05.00.00
 # BRIEF: Universal build & release � detects platform from manifest.xml
@@ -66,25 +66,25 @@ jobs:
           token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 1
 
-      - name: Setup mokoplatform tools
+      - name: Setup mokocli tools
         env:
           MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
-          if [ -f /opt/mokoplatform/cli/version_bump.php ] && [ -f /opt/mokoplatform/vendor/autoload.php ]; then
-            echo Using pre-installed /opt/mokoplatform
-            echo MOKO_CLI=/opt/mokoplatform/cli >> $GITHUB_ENV
+          if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokocli
+            echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
           else
             echo Falling back to fresh clone
             if ! command -v composer > /dev/null 2>&1; then
               sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
             fi
-            rm -rf /tmp/mokoplatform-api
-            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git
-            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokoplatform-api
-            cd /tmp/mokoplatform-api
+            rm -rf /tmp/mokocli
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
+            cd /tmp/mokocli
             composer install --no-dev --no-interaction --quiet
-            echo MOKO_CLI=/tmp/mokoplatform-api/cli >> $GITHUB_ENV
+            echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
           fi
 
       - name: Rename branch to rc
@@ -109,6 +109,40 @@ jobs:
             --path . --stability rc --bump minor --branch rc \
             --token "${{ secrets.MOKOGITEA_TOKEN }}"
 
+      - name: Update RC release notes from CHANGELOG.md
+        run: |
+          API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Extract [Unreleased] section from changelog
+          NOTES=""
+          if [ -f "CHANGELOG.md" ]; then
+            NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
+          fi
+          [ -z "$NOTES" ] && NOTES="Release candidate"
+
+          # Find the RC release and update its body
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/releases/tags/release-candidate" \
+            | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
+
+          if [ -n "$RELEASE_ID" ]; then
+            python3 -c "
+          import json, urllib.request
+          body = open('/dev/stdin').read()
+          payload = json.dumps({'body': body}).encode()
+          req = urllib.request.Request(
+              '${API_BASE}/releases/${RELEASE_ID}',
+              data=payload, method='PATCH',
+              headers={
+                  'Authorization': 'token ${TOKEN}',
+                  'Content-Type': 'application/json'
+              })
+          urllib.request.urlopen(req)
+          " <<< "$NOTES"
+            echo "RC release notes updated from CHANGELOG.md"
+          fi
+
       - name: Summary
         if: always()
         run: |
@@ -149,50 +183,77 @@ jobs:
           fi
           echo "No conflict markers found"
 
-      - name: Setup mokoplatform tools
+      - name: Setup mokocli tools
         env:
           MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
           COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_MIRROR_TOKEN }}"}}'
         run: |
-          if [ -f /opt/mokoplatform/cli/version_bump.php ] && [ -f /opt/mokoplatform/vendor/autoload.php ]; then
-            echo Using pre-installed /opt/mokoplatform
-            echo MOKO_CLI=/opt/mokoplatform/cli >> $GITHUB_ENV
+          if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokocli
+            echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
           else
             echo Falling back to fresh clone
             if ! command -v composer > /dev/null 2>&1; then
               sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
             fi
-            rm -rf /tmp/mokoplatform-api
-            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git
-            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokoplatform-api
-            cd /tmp/mokoplatform-api
+            rm -rf /tmp/mokocli
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
+            cd /tmp/mokocli
             composer install --no-dev --no-interaction --quiet
-            echo MOKO_CLI=/tmp/mokoplatform-api/cli >> $GITHUB_ENV
+            echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
           fi
 
+      - name: "Determine version bump level"
+        id: bump
+        run: |
+          # Fix/patch branches: version was already bumped by pre-release, just strip suffix
+          # Feature/dev branches: bump minor for the new stable release
+          HEAD_REF="${{ github.event.pull_request.head.ref || 'dev' }}"
+          case "$HEAD_REF" in
+            fix/*|patch/*|hotfix/*|bugfix/*) BUMP="none" ;;
+            *)                               BUMP="minor" ;;
+          esac
+          echo "level=${BUMP}" >> "$GITHUB_OUTPUT"
+          echo "Bump level: ${BUMP} (from branch: ${HEAD_REF})"
+
       - name: "Publish stable release"
         run: |
+          BUMP_FLAG=""
+          if [ "${{ steps.bump.outputs.level }}" != "none" ]; then
+            BUMP_FLAG="--bump ${{ steps.bump.outputs.level }}"
+          fi
           php ${MOKO_CLI}/release_publish.php \
-            --path . --stability stable --bump minor --branch main \
+            --path . --stability stable ${BUMP_FLAG} --branch main \
             --token "${{ secrets.MOKOGITEA_TOKEN }}"
 
-      - name: Update release notes from CHANGELOG.md
+      - name: Update release notes and promote changelog
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+
+          # Get the stable release info (version and ID)
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${TOKEN}" \
+            "${API_BASE}/releases/tags/stable" 2>/dev/null || echo '{}')
+          RELEASE_ID=$(python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" <<< "$RELEASE_JSON" 2>/dev/null || true)
+          # Extract version from release name (e.g. "06.17.00" or "v06.17.00")
+          VERSION=$(python3 -c "
+          import json, sys, re
+          r = json.load(sys.stdin)
+          name = r.get('name', '')
+          m = re.search(r'(\d+\.\d+\.\d+)', name)
+          print(m.group(1) if m else '')
+          " <<< "$RELEASE_JSON" 2>/dev/null || true)
 
           # Extract [Unreleased] section from changelog
+          NOTES=""
           if [ -f "CHANGELOG.md" ]; then
             NOTES=$(awk '/^## \[Unreleased\]/{found=1; next} /^## \[/{if(found) exit} found{print}' CHANGELOG.md)
-            [ -z "$NOTES" ] && NOTES="Stable release"
-          else
-            NOTES="Stable release"
           fi
+          [ -z "$NOTES" ] && NOTES="Stable release"
 
           # Update release body via API
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
-            "${API_BASE}/releases/tags/stable" | python3 -c "import json,sys; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
-
           if [ -n "$RELEASE_ID" ]; then
             python3 -c "
           import json, urllib.request
@@ -202,7 +263,7 @@ jobs:
               '${API_BASE}/releases/${RELEASE_ID}',
               data=payload, method='PATCH',
               headers={
-                  'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}',
+                  'Authorization': 'token ${TOKEN}',
                   'Content-Type': 'application/json'
               })
           urllib.request.urlopen(req)
@@ -210,6 +271,24 @@ jobs:
             echo "Release notes updated from CHANGELOG.md"
           fi
 
+          # Promote [Unreleased] → [version] in CHANGELOG.md and reset
+          if [ -n "$VERSION" ] && [ -f "CHANGELOG.md" ]; then
+            DATE=$(date +%Y-%m-%d)
+            python3 -c "
+          import sys
+          version, date = sys.argv[1], sys.argv[2]
+          content = open('CHANGELOG.md').read()
+          old = '## [Unreleased]'
+          new = f'## [Unreleased]\n\n## [{version}] --- {date}'
+          content = content.replace(old, new, 1)
+          open('CHANGELOG.md', 'w').write(content)
+          " "$VERSION" "$DATE"
+            git add CHANGELOG.md
+            git commit -m "chore: promote changelog [Unreleased] → [${VERSION}]" || true
+            git push origin main || true
+            echo "Changelog promoted: [Unreleased] → [${VERSION}]"
+          fi
+
       # -- STEP 9: Mirror to GitHub (stable only) --------------------------------
       - name: "Step 9: Mirror release to GitHub"
         if: >-

.mokogitea/workflows/branch-cleanup.yml

@@ -4,10 +4,10 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: MokoPlatform.Universal
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+# INGROUP: MokoStandards.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 # PATH: /.mokogitea/workflows/branch-cleanup.yml
-# VERSION: 09.23.00
+# VERSION: 01.00.00
 # BRIEF: Delete feature branches after PR merge
 
 name: "Branch Cleanup"

.mokogitea/workflows/ci-generic.yml

@@ -13,13 +13,6 @@
 name: "Generic: Project CI"
 
 on:
-  push:
-    branches:
-      - main
-      - dev
-      - dev/**
-      - rc/**
-      - version/**
   pull_request:
     branches:
       - main

.mokogitea/workflows/cleanup.yml

@@ -4,10 +4,10 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Maintenance
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
-# PATH: /.mokogitea/workflows/cleanup.yml
-# VERSION: 09.23.00
+# INGROUP: MokoStandards.Maintenance
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/cleanup.yml
+# VERSION: 01.00.00
 # BRIEF: Scheduled cleanup — delete merged branches and old workflow runs
 
 name: "Universal: Repository Cleanup"
@@ -33,17 +33,17 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.MOKOGITEA_TOKEN }}
+          token: ${{ secrets.GA_TOKEN }}
 
       - name: Delete merged branches
         env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
         run: |
           echo "=== Merged Branch Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
 
           # List branches via API
-          BRANCHES=$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
+          BRANCHES=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
             "${API}/branches?limit=50" | jq -r '.[].name')
 
           DELETED=0
@@ -56,7 +56,7 @@ jobs:
             # Check if branch is merged into main
             if git merge-base --is-ancestor "origin/${BRANCH}" origin/main 2>/dev/null; then
               echo "  Deleting merged branch: ${BRANCH}"
-              curl -sS -X DELETE -H "Authorization: token ${GITEA_TOKEN}" \
+              curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
                 "${API}/branches/${BRANCH}" 2>/dev/null || true
               DELETED=$((DELETED + 1))
             fi
@@ -66,20 +66,20 @@ jobs:
 
       - name: Clean old workflow runs
         env:
-          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+          GA_TOKEN: ${{ secrets.GA_TOKEN }}
         run: |
           echo "=== Workflow Run Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
           CUTOFF=$(date -d "30 days ago" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -v-30d +%Y-%m-%dT%H:%M:%SZ)
 
           # Get old completed runs
-          RUNS=$(curl -sS -H "Authorization: token ${GITEA_TOKEN}" \
+          RUNS=$(curl -sS -H "Authorization: token ${GA_TOKEN}" \
             "${API}/actions/runs?status=completed&limit=50" | \
             jq -r ".workflow_runs[] | select(.created_at < \"${CUTOFF}\") | .id" 2>/dev/null)
 
           DELETED=0
           for RUN_ID in $RUNS; do
-            curl -sS -X DELETE -H "Authorization: token ${GITEA_TOKEN}" \
+            curl -sS -X DELETE -H "Authorization: token ${GA_TOKEN}" \
               "${API}/actions/runs/${RUN_ID}" 2>/dev/null || true
             DELETED=$((DELETED + 1))
           done

.mokogitea/workflows/gitleaks.yml

@@ -4,10 +4,10 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Security
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokoplatform
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/MokoStandards-API
 # PATH: /templates/workflows/gitleaks.yml.template
-# VERSION: 09.23.00
+# VERSION: 01.00.00
 # BRIEF: Secret scanning — detect leaked credentials, API keys, and tokens
 #
 # +========================================================================+

.mokogitea/workflows/issue-branch.yml

@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Automation
-# VERSION: 09.26.00
+# INGROUP: moko-platform.Automation
+# VERSION: 01.00.00
 # BRIEF: Auto-create feature branch when an issue is opened
 
 name: "Universal: Issue Branch"
@@ -28,7 +28,7 @@ jobs:
     steps:
       - name: Create branch and comment
         run: |
-          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
+          TOKEN="${{ secrets.GA_TOKEN }}"
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
           ISSUE_NUM="${{ github.event.issue.number }}"
           ISSUE_TITLE="${{ github.event.issue.title }}"

.mokogitea/workflows/notify.yml

@@ -4,10 +4,10 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Notifications
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
-# PATH: /.mokogitea/workflows/notify.yml
-# VERSION: 09.23.00
+# INGROUP: MokoStandards.Notifications
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/notify.yml
+# VERSION: 01.00.00
 # BRIEF: Push notifications via ntfy on release success or workflow failure
 
 name: "Universal: Notifications"

.mokogitea/workflows/pr-check.yml

@@ -4,8 +4,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.CI
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokoplatform
+# INGROUP: mokocli.CI
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
 # PATH: /templates/workflows/universal/pr-check.yml.template
 # VERSION: 09.23.00
 # BRIEF: PR gate — branch policy + code validation before merge

.mokogitea/workflows/pre-release.yml

@@ -4,23 +4,26 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Release
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+# INGROUP: mokocli.Release
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
 # PATH: /templates/workflows/universal/pre-release.yml.template
 # VERSION: 05.01.00
-# BRIEF: Manual pre-release -- builds dev/alpha/beta/rc packages from any branch
+# BRIEF: Auto pre-release on push to dev/alpha/beta/rc branches
 
 name: "Universal: Pre-Release"
 
 on:
-  pull_request:
-    types: [closed]
+  push:
     branches:
       - dev
-  pull_request_target:
-    types: [synchronize, opened, reopened]
-    branches:
-      - main
+      - 'fix/**'
+      - 'patch/**'
+      - 'hotfix/**'
+      - 'bugfix/**'
+      - 'chore/**'
+      - alpha
+      - beta
+      - rc
   workflow_dispatch:
     inputs:
       stability:
@@ -43,12 +46,11 @@ env:
 
 jobs:
   build:
-    name: "Build Pre-Release (${{ inputs.stability || 'development' }})"
+    name: "Build Pre-Release (${{ inputs.stability || github.ref_name }})"
     runs-on: release
     if: >-
       github.event_name == 'workflow_dispatch' ||
-      (github.event_name == 'pull_request' && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'dev') ||
-      (github.event_name == 'pull_request_target' && github.event.pull_request.base.ref == 'main')
+      github.event_name == 'push'
 
     steps:
       - name: Checkout
@@ -56,40 +58,47 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ secrets.MOKOGITEA_TOKEN }}
-          ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
+          ref: ${{ github.ref_name }}
 
-      - name: Setup mokoplatform tools
+      - name: Setup mokocli tools
         env:
           MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
-          # Use pre-installed /opt/mokoplatform if available (updated by cron every 6h)
-          if [ -f /opt/mokoplatform/cli/version_bump.php ] && [ -f /opt/mokoplatform/cli/manifest_element.php ] && [ -f /opt/mokoplatform/vendor/autoload.php ]; then
-            echo Using pre-installed /opt/mokoplatform
-            echo MOKO_CLI=/opt/mokoplatform/cli >> $GITHUB_ENV
+          # Use pre-installed /opt/mokocli if available (updated by cron every 6h)
+          if [ -f /opt/mokocli/cli/version_bump.php ] && [ -f /opt/mokocli/cli/manifest_element.php ] && [ -f /opt/mokocli/vendor/autoload.php ]; then
+            echo Using pre-installed /opt/mokocli
+            echo MOKO_CLI=/opt/mokocli/cli >> $GITHUB_ENV
           else
             echo Falling back to fresh clone
             if ! command -v composer > /dev/null 2>&1; then
               sudo apt-get update -qq && sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl composer > /dev/null 2>&1
             fi
-            rm -rf /tmp/mokoplatform-api
-            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git
-            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokoplatform-api
-            cd /tmp/mokoplatform-api && composer install --no-dev --no-interaction --quiet
-            echo MOKO_CLI=/tmp/mokoplatform-api/cli >> $GITHUB_ENV
+            rm -rf /tmp/mokocli
+            CLONE_URL=https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokocli.git
+            git clone --depth 1 --branch main --quiet $CLONE_URL /tmp/mokocli
+            cd /tmp/mokocli && composer install --no-dev --no-interaction --quiet
+            echo MOKO_CLI=/tmp/mokocli/cli >> $GITHUB_ENV
           fi
 
       - name: Detect platform
         id: platform
         run: |
+          # Auto-detect and update platform if not set in manifest
+          php ${MOKO_CLI}/platform_detect.php --path . --github-output 2>/dev/null || true
           php ${MOKO_CLI}/manifest_read.php --path . --github-output
 
       - name: Resolve metadata and bump version
         id: meta
         run: |
-          # Auto-detect stability: RC for PRs targeting main, else use input or default to development
-          if [ "${{ github.event_name }}" = "pull_request_target" ] && [ "${{ github.event.pull_request.base.ref }}" = "main" ]; then
-            STABILITY="release-candidate"
+          # Auto-detect stability from branch name on push, or use input on dispatch
+          if [ "${{ github.event_name }}" = "push" ]; then
+            case "${{ github.ref_name }}" in
+              rc)    STABILITY="release-candidate" ;;
+              alpha) STABILITY="alpha" ;;
+              beta)  STABILITY="beta" ;;
+              *)     STABILITY="development" ;;
+            esac
           else
             STABILITY="${{ inputs.stability || 'development' }}"
           fi
@@ -164,7 +173,7 @@ jobs:
           php ${MOKO_CLI}/release_create.php \
             --path . --version "$VERSION" --tag "$TAG" \
             --token "${{ secrets.MOKOGITEA_TOKEN }}" --api-base "$API_BASE" \
-            --repo "${GITEA_REPO}" --branch dev --prerelease
+            --repo "${GITEA_REPO}" --branch "${{ github.ref_name }}" --prerelease
 
       - name: Update release notes from CHANGELOG.md
         run: |

.mokogitea/workflows/repo-health.yml

@@ -7,8 +7,8 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Validation
-# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokoplatform
+# INGROUP: mokocli.Validation
+# REPO: https://git.mokoconsulting.tech/mokoconsulting-tech/mokocli
 # PATH: /templates/workflows/joomla/repo_health.yml.template
 # VERSION: 09.23.00
 # BRIEF: Enforces repository guardrails by validating scripts governance, tooling availability, and core repository health artifacts.
@@ -33,7 +33,8 @@ on:
           - scripts
           - repo
   pull_request:
-  push:
+    branches:
+      - main
 
 permissions:
   contents: read

.mokogitea/workflows/security-audit.yml

@@ -4,10 +4,10 @@
 #
 # FILE INFORMATION
 # DEFGROUP: Gitea.Workflow
-# INGROUP: mokoplatform.Security
-# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
-# PATH: /.mokogitea/workflows/security-audit.yml
-# VERSION: 09.23.00
+# INGROUP: MokoStandards.Security
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards
+# PATH: /.gitea/workflows/security-audit.yml
+# VERSION: 01.00.00
 # BRIEF: Dependency vulnerability scanning for composer and npm packages
 
 name: "Universal: Security Audit"
@@ -80,19 +80,3 @@ jobs:
             -H "Priority: high" \
             -d "Security audit found vulnerabilities. Review dependency updates." \
             "${NTFY_URL}/${NTFY_TOPIC}" || true
-
-
-      - name: Joomla version audit
-        if: always()
-        run: |
-          if [ -f "monitoring/joomla-version-audit.php" ] && [ -n "$JOOMLA_SITES" ]; then
-            echo "$JOOMLA_SITES" > /tmp/sites.json
-            php monitoring/joomla-version-audit.php --sites /tmp/sites.json || true
-            echo "### Joomla Version Audit" >> $GITHUB_STEP_SUMMARY
-            rm -f /tmp/sites.json
-          else
-            echo "Joomla audit skipped (no script or JOOMLA_SITES_JSON not configured)"
-          fi
-        env:
-          JOOMLA_SITES: ${{ vars.JOOMLA_SITES_JSON }}
-

.mokogitea/workflows/workflow-sync-trigger.yml

@@ -0,0 +1,73 @@
+# Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+# FILE INFORMATION
+# DEFGROUP: Gitea.Workflow
+# INGROUP: MokoPlatform.Universal
+# REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+# PATH: /.mokogitea/workflows/workflow-sync-trigger.yml
+# VERSION: 01.01.00
+# BRIEF: Trigger workflow sync to live repos when a PR is merged to main
+
+name: "Universal: Workflow Sync Trigger"
+
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - main
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
+
+jobs:
+  sync:
+    name: Sync workflows to live repos
+    runs-on: ubuntu-latest
+    if: >-
+      github.event.pull_request.merged == true &&
+      !contains(github.event.pull_request.title, '[skip sync]')
+
+    steps:
+      - name: Determine platform from repo name
+        id: platform
+        run: |
+          REPO="${{ github.event.repository.name }}"
+          case "$REPO" in
+            Template-Joomla)   PLATFORM="joomla" ;;
+            Template-Dolibarr) PLATFORM="dolibarr" ;;
+            Template-Go)       PLATFORM="go" ;;
+            Template-MCP)      PLATFORM="mcp" ;;
+            Template-Generic)  PLATFORM="" ;;
+            *)                 PLATFORM="" ;;
+          esac
+          echo "platform=$PLATFORM" >> "$GITHUB_OUTPUT"
+          echo "Platform: ${PLATFORM:-all}"
+
+      - name: Clone mokoplatform
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          GITEA_URL="${{ vars.GITEA_URL || 'https://git.mokoconsulting.tech' }}"
+          git clone --depth 1 "${GITEA_URL}/MokoConsulting/mokoplatform.git" /tmp/mokoplatform
+
+      - name: Install dependencies
+        run: |
+          cd /tmp/mokoplatform
+          composer install --no-dev --no-interaction --quiet 2>/dev/null || true
+
+      - name: Run workflow sync
+        env:
+          MOKOGITEA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
+        run: |
+          ARGS="--token ${MOKOGITEA_TOKEN}"
+          ARGS="${ARGS} --org ${{ vars.GITEA_ORG || github.repository_owner }}"
+          ARGS="${ARGS} --phase repos"
+
+          PLATFORM="${{ steps.platform.outputs.platform }}"
+          if [ -n "$PLATFORM" ]; then
+            ARGS="${ARGS} --platform-filter ${PLATFORM}"
+          fi
+
+          php /tmp/mokoplatform/cli/workflow_sync.php ${ARGS}

CHANGELOG.md

@@ -12,6 +12,12 @@ BRIEF: Release changelog
 # Changelog
 ## [Unreleased]
 
+## [09.29.00] --- 2026-06-09
+
+## [09.28.00] --- 2026-06-07
+
+## [09.27.00] --- 2026-06-07
+
 ## [09.26.00] --- 2026-06-07
 
 ### Added
@@ -35,19 +41,3 @@ BRIEF: Release changelog
 
 ### Removed
 - `mcp/servers/mokowaas_api/` — consolidated into mcp-mokowaas-api repo
-
-## [09.25.00] --- 2026-06-04
-
-## [09.23] --- 2026-05-31
-
-## [09.22] --- 2026-05-31
-
-### Changed
-- **refactor(cli):** migrate 64 legacy scripts to CliFramework (#235) — all tools in cli/, automation/, maintenance/, deploy/, release/ now extend CliFramework with free --help, --verbose, --quiet, --dry-run, --json, banners, and coloured logging
-
-### Fixed
-- fix: auto-detect org/repo in updates_xml_build from manifest and git remote
-- fix: restore hyphen in version suffixes
-- fix: release names use standardized format
-- fix: remove lesser stream copies, each stream updates independently
-- fix: sort updates.xml entries dev first, stable last

README.md

@@ -6,7 +6,7 @@ DEFGROUP: MokoPlatform.Root
 INGROUP: MokoPlatform
 REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
 PATH: /README.md
-VERSION: 09.26.00
+VERSION: 09.29.01
 BRIEF: Project overview and documentation
 -->
 

cli/branch_rename.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/branch_rename.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Rename a git branch via Gitea API (create new, update PR, delete old)
  */
 

cli/bulk_workflow_push.php

@@ -1,309 +1,407 @@
-#!/usr/bin/env php
-<?php
-
-/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
- *
- * This file is part of a Moko Consulting project.
- *
- * SPDX-License-Identifier: GPL-3.0-or-later
- *
- * FILE INFORMATION
- * DEFGROUP: mokoplatform.CLI
- * INGROUP: mokoplatform
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
- * PATH: /cli/bulk_workflow_push.php
- * VERSION: 09.26.00
- * BRIEF: Push a workflow file to all governed repos via the Gitea Contents API
- */
-
-declare(strict_types=1);
-
-require_once __DIR__ . '/../lib/Enterprise/CliFramework.php';
-
-use MokoEnterprise\CliFramework;
-
-class BulkWorkflowPushCli extends CliFramework
-{
-    private int $updated = 0;
-    private int $created = 0;
-    private int $skipped = 0;
-    private int $errors = 0;
-
-    protected function configure(): void
-    {
-        $this->setDescription('Push a workflow file to all governed repos via the Gitea Contents API');
-        $this->addArgument('--gitea-url', 'Gitea URL (default: https://git.mokoconsulting.tech)', 'https://git.mokoconsulting.tech');
-        $this->addArgument('--token', 'Gitea API token', '');
-        $this->addArgument('--org', 'Target organization', '');
-        $this->addArgument('--file', 'Local workflow file to push', '');
-        $this->addArgument('--dest', 'Destination path in repos (default: .mokogitea/workflows/<filename>)', '');
-        $this->addArgument('--branch', 'Target branch (default: main)', 'main');
-    }
-
-    protected function run(): int
-    {
-        $giteaUrl = rtrim($this->getArgument('--gitea-url'), '/');
-        $token = $this->getArgument('--token');
-        $org = $this->getArgument('--org');
-        $workflowFile = $this->getArgument('--file');
-        $destPath = $this->getArgument('--dest');
-        $branch = $this->getArgument('--branch');
-
-        if ($token === '') {
-            $this->log('ERROR', '--token is required.');
-            return 1;
-        }
-
-        if ($workflowFile === '') {
-            $this->log('ERROR', '--file is required.');
-            return 1;
-        }
-
-        if (!file_exists($workflowFile)) {
-            $this->log('ERROR', "File not found: {$workflowFile}");
-            return 1;
-        }
-
-        if ($org === '') {
-            $this->log('ERROR', '--org is required.');
-            return 1;
-        }
-
-        if ($destPath === '') {
-            $destPath = '.mokogitea/workflows/' . basename($workflowFile);
-        }
-
-        $localContent = file_get_contents($workflowFile);
-
-        if ($localContent === false) {
-            $this->log('ERROR', "Could not read file: {$workflowFile}");
-            return 1;
-        }
-
-        $this->log('INFO', "Pushing: {$workflowFile}");
-        $this->log('INFO', "  -> {$destPath} (branch: {$branch})");
-        $this->log('INFO', "  -> Org: {$org} @ {$giteaUrl}");
-
-        if ($this->dryRun) {
-            $this->log('INFO', '[DRY RUN] No changes will be made.');
-        }
-
-        echo "\n";
-
-        $repos = $this->fetchOrgRepos($giteaUrl, $token, $org);
-
-        if ($repos === null) {
-            return 1;
-        }
-
-        $this->log('INFO', "Found " . count($repos) . " repo(s) in \"{$org}\".");
-        echo "\n";
-        fprintf(STDERR, "%-45s | %s\n", 'Repo', 'Status');
-        fprintf(STDERR, "%s\n", str_repeat('-', 70));
-
-        $encodedContent = base64_encode($localContent);
-
-        foreach ($repos as $repo) {
-            $this->pushToRepo($giteaUrl, $token, $repo, $encodedContent, $localContent, $destPath, $branch);
-        }
-
-        echo "\n";
-        $this->log('INFO', "Done: {$this->created} created, {$this->updated} updated, "
-            . "{$this->skipped} skipped, {$this->errors} error(s).");
-
-        return $this->errors > 0 ? 1 : 0;
-    }
-
-    private function pushToRepo(
-        string $giteaUrl,
-        string $token,
-        string $repoFullName,
-        string $encodedContent,
-        string $localContent,
-        string $destPath,
-        string $branch
-    ): void {
-        [$owner, $repoName] = explode('/', $repoFullName, 2);
-
-        $existing = $this->apiRequest(
-            $giteaUrl,
-            $token,
-            'GET',
-            "/api/v1/repos/{$owner}/{$repoName}/contents/"
-                . "{$destPath}?ref={$branch}"
-        );
-
-        if ($existing['code'] === 200) {
-            $data = json_decode($existing['body'], true);
-            $remoteSha = $data['sha'] ?? '';
-            $remoteContent = base64_decode($data['content'] ?? '');
-
-            if ($remoteContent === $localContent) {
-                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'IDENTICAL (skipped)');
-                $this->skipped++;
-                return;
-            }
-
-            if ($this->dryRun) {
-                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'WOULD UPDATE');
-                $this->updated++;
-                return;
-            }
-
-            $payload = json_encode([
-                'content' => $encodedContent,
-                'sha' => $remoteSha,
-                'message' => "chore: sync {$destPath} "
-                    . "from mokoplatform [skip ci]",
-                'branch' => $branch,
-            ]);
-
-            $response = $this->apiRequest(
-                $giteaUrl,
-                $token,
-                'PUT',
-                "/api/v1/repos/{$owner}/{$repoName}/contents/"
-                    . $destPath,
-                $payload
-            );
-
-            if ($response['code'] === 200) {
-                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'UPDATED');
-                $this->updated++;
-            } else {
-                fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (HTTP {$response['code']})");
-                $this->errors++;
-            }
-        } elseif ($existing['code'] === 404) {
-            if ($this->dryRun) {
-                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'WOULD CREATE');
-                $this->created++;
-                return;
-            }
-
-            $payload = json_encode([
-                'content' => $encodedContent,
-                'message' => "chore: add {$destPath} "
-                    . "from mokoplatform [skip ci]",
-                'branch' => $branch,
-            ]);
-
-            $response = $this->apiRequest(
-                $giteaUrl,
-                $token,
-                'POST',
-                "/api/v1/repos/{$owner}/{$repoName}/contents/"
-                    . $destPath,
-                $payload
-            );
-
-            if ($response['code'] === 201) {
-                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'CREATED');
-                $this->created++;
-            } else {
-                fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (HTTP {$response['code']})");
-                $this->errors++;
-            }
-        } else {
-            fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (HTTP {$existing['code']})");
-            $this->errors++;
-        }
-    }
-
-    private function fetchOrgRepos(string $giteaUrl, string $token, string $org): ?array
-    {
-        $this->log('INFO', "Fetching repos from org: {$org}");
-
-        $page = 1;
-        $repos = [];
-
-        while (true) {
-            $response = $this->apiRequest(
-                $giteaUrl,
-                $token,
-                'GET',
-                "/api/v1/orgs/{$org}/repos?"
-                    . "limit=50&page={$page}"
-            );
-
-            if ($response['code'] < 200 || $response['code'] >= 300) {
-                if ($page === 1) {
-                    $this->log('ERROR', "Could not fetch repos "
-                        . "(HTTP {$response['code']}).");
-                    return null;
-                }
-
-                break;
-            }
-
-            $data = json_decode($response['body'], true);
-
-            if (!is_array($data) || count($data) === 0) {
-                break;
-            }
-
-            foreach ($data as $repo) {
-                if (!empty($repo['archived'])) {
-                    continue;
-                }
-
-                $fullName = $repo['full_name'] ?? '';
-
-                if ($fullName !== '') {
-                    $repos[] = $fullName;
-                }
-            }
-
-            $page++;
-        }
-
-        return $repos;
-    }
-
-    private function apiRequest(
-        string $giteaUrl,
-        string $token,
-        string $method,
-        string $endpoint,
-        ?string $body = null
-    ): array {
-        $url = $giteaUrl . $endpoint;
-
-        $ch = curl_init();
-        curl_setopt($ch, CURLOPT_URL, $url);
-        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
-        curl_setopt($ch, CURLOPT_HTTPHEADER, [
-            'Content-Type: application/json',
-            'Accept: application/json',
-            "Authorization: token {$token}",
-        ]);
-
-        if ($body !== null) {
-            curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
-        }
-
-        $responseBody = curl_exec($ch);
-        $httpCode = (int) curl_getinfo(
-            $ch,
-            CURLINFO_HTTP_CODE
-        );
-
-        if (curl_errno($ch)) {
-            $error = curl_error($ch);
-            curl_close($ch);
-
-            return [
-                'code' => 0,
-                'body' => "cURL error: {$error}",
-            ];
-        }
-
-        curl_close($ch);
-
-        return ['code' => $httpCode, 'body' => $responseBody];
-    }
-}
-
-$app = new BulkWorkflowPushCli();
-exit($app->execute());
+#!/usr/bin/env php
+<?php
+
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * This file is part of a Moko Consulting project.
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: mokocli.CLI
+ * INGROUP: mokocli
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
+ * PATH: /cli/bulk_workflow_push.php
+ * VERSION: 09.29.01
+ * BRIEF: Push a workflow file to all governed repos via the Gitea Contents API
+ */
+
+declare(strict_types=1);
+
+require_once __DIR__ . '/../lib/Enterprise/CliFramework.php';
+
+use MokoEnterprise\CliFramework;
+
+class BulkWorkflowPushCli extends CliFramework
+{
+    private int $updated = 0;
+    private int $created = 0;
+    private int $skipped = 0;
+    private int $errors = 0;
+
+    protected function configure(): void
+    {
+        $this->setDescription('Push a workflow file to all governed repos via the Gitea Contents API');
+        $this->addArgument('--gitea-url', 'Gitea URL (default: https://git.mokoconsulting.tech)', 'https://git.mokoconsulting.tech');
+        $this->addArgument('--token', 'Gitea API token', '');
+        $this->addArgument('--org', 'Target organization', '');
+        $this->addArgument('--file', 'Local workflow file to push', '');
+        $this->addArgument('--dest', 'Destination path in repos (default: .mokogitea/workflows/<filename>)', '');
+        $this->addArgument('--branch', 'Target branch (default: main)', 'main');
+    }
+
+    protected function run(): int
+    {
+        $giteaUrl = rtrim($this->getArgument('--gitea-url'), '/');
+        $token = $this->getArgument('--token');
+        $org = $this->getArgument('--org');
+        $workflowFile = $this->getArgument('--file');
+        $destPath = $this->getArgument('--dest');
+        $branch = $this->getArgument('--branch');
+
+        if ($token === '') {
+            $this->log('ERROR', '--token is required.');
+            return 1;
+        }
+
+        if ($workflowFile === '') {
+            $this->log('ERROR', '--file is required.');
+            return 1;
+        }
+
+        if (!file_exists($workflowFile)) {
+            $this->log('ERROR', "File not found: {$workflowFile}");
+            return 1;
+        }
+
+        if ($org === '') {
+            $this->log('ERROR', '--org is required.');
+            return 1;
+        }
+
+        if ($destPath === '') {
+            $destPath = '.mokogitea/workflows/' . basename($workflowFile);
+        }
+
+        $localContent = file_get_contents($workflowFile);
+
+        if ($localContent === false) {
+            $this->log('ERROR', "Could not read file: {$workflowFile}");
+            return 1;
+        }
+
+        $this->log('INFO', "Pushing: {$workflowFile}");
+        $this->log('INFO', "  -> {$destPath} (branch: {$branch})");
+        $this->log('INFO', "  -> Org: {$org} @ {$giteaUrl}");
+
+        if ($this->dryRun) {
+            $this->log('INFO', '[DRY RUN] No changes will be made.');
+        }
+
+        echo "\n";
+
+        $repos = $this->fetchOrgRepos($giteaUrl, $token, $org);
+
+        if ($repos === null) {
+            return 1;
+        }
+
+        $this->log('INFO', "Found " . count($repos) . " repo(s) in \"{$org}\".");
+        echo "\n";
+        fprintf(STDERR, "%-45s | %s\n", 'Repo', 'Status');
+        fprintf(STDERR, "%s\n", str_repeat('-', 70));
+
+        $encodedContent = base64_encode($localContent);
+
+        foreach ($repos as $repo) {
+            $this->pushToRepo($giteaUrl, $token, $repo, $encodedContent, $localContent, $destPath, $branch);
+        }
+
+        echo "\n";
+        $this->log('INFO', "Done: {$this->created} created, {$this->updated} updated, "
+            . "{$this->skipped} skipped, {$this->errors} error(s).");
+
+        return $this->errors > 0 ? 1 : 0;
+    }
+
+    private function pushToRepo(
+        string $giteaUrl,
+        string $token,
+        string $repoFullName,
+        string $encodedContent,
+        string $localContent,
+        string $destPath,
+        string $branch
+    ): void {
+        [$owner, $repoName] = explode('/', $repoFullName, 2);
+
+        $existing = $this->apiRequest(
+            $giteaUrl,
+            $token,
+            'GET',
+            "/api/v1/repos/{$owner}/{$repoName}/contents/"
+                . "{$destPath}?ref={$branch}"
+        );
+
+        if ($existing['code'] === 200) {
+            $data = json_decode($existing['body'], true);
+            $remoteSha = $data['sha'] ?? '';
+            $remoteContent = base64_decode($data['content'] ?? '');
+
+            if ($remoteContent === $localContent) {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'IDENTICAL (skipped)');
+                $this->skipped++;
+                return;
+            }
+
+            if ($this->dryRun) {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'WOULD UPDATE');
+                $this->updated++;
+                return;
+            }
+
+            $payload = json_encode([
+                'content' => $encodedContent,
+                'sha' => $remoteSha,
+                'message' => "chore: sync {$destPath} "
+                    . "from mokocli [skip ci]",
+                'branch' => $branch,
+            ]);
+
+            $response = $this->apiRequest(
+                $giteaUrl,
+                $token,
+                'PUT',
+                "/api/v1/repos/{$owner}/{$repoName}/contents/"
+                    . $destPath,
+                $payload
+            );
+
+            if ($response['code'] === 200) {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'UPDATED');
+                $this->updated++;
+            } elseif ($response['code'] === 403) {
+                // Branch protection — fall back to chore branch + PR
+                $this->pushViaPR($giteaUrl, $token, $owner, $repoName, $encodedContent, $remoteSha, $destPath, $branch);
+            } else {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (HTTP {$response['code']})");
+                $this->errors++;
+            }
+        } elseif ($existing['code'] === 404) {
+            if ($this->dryRun) {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'WOULD CREATE');
+                $this->created++;
+                return;
+            }
+
+            $payload = json_encode([
+                'content' => $encodedContent,
+                'message' => "chore: add {$destPath} "
+                    . "from mokocli [skip ci]",
+                'branch' => $branch,
+            ]);
+
+            $response = $this->apiRequest(
+                $giteaUrl,
+                $token,
+                'POST',
+                "/api/v1/repos/{$owner}/{$repoName}/contents/"
+                    . $destPath,
+                $payload
+            );
+
+            if ($response['code'] === 201) {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'CREATED');
+                $this->created++;
+            } elseif ($response['code'] === 403) {
+                $this->pushViaPR($giteaUrl, $token, $owner, $repoName, $encodedContent, '', $destPath, $branch);
+            } else {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (HTTP {$response['code']})");
+                $this->errors++;
+            }
+        } else {
+            fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (HTTP {$existing['code']})");
+            $this->errors++;
+        }
+    }
+
+    /**
+     * Fallback: push via chore branch + PR when direct push is blocked (403).
+     */
+    private function pushViaPR(
+        string $giteaUrl,
+        string $token,
+        string $owner,
+        string $repoName,
+        string $encodedContent,
+        string $remoteSha,
+        string $destPath,
+        string $targetBranch
+    ): void {
+        $repoFullName = "{$owner}/{$repoName}";
+        $choreBranch = 'chore/workflow-sync';
+        $commitMsg = "chore: sync {$destPath} from mokocli [skip ci]";
+        $apiBase = "/api/v1/repos/{$owner}/{$repoName}";
+
+        // 1. Create chore branch from target
+        $branchPayload = json_encode([
+            'new_branch_name' => $choreBranch,
+            'old_branch_name' => $targetBranch,
+        ]);
+        $branchResp = $this->apiRequest($giteaUrl, $token, 'POST', "{$apiBase}/branches", $branchPayload);
+        if ($branchResp['code'] !== 201 && $branchResp['code'] !== 409) {
+            fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (branch create HTTP {$branchResp['code']})");
+            $this->errors++;
+            return;
+        }
+
+        // If branch already exists (409), get the current SHA of the file on that branch
+        if ($branchResp['code'] === 409 || $remoteSha === '') {
+            $existing = $this->apiRequest($giteaUrl, $token, 'GET',
+                "{$apiBase}/contents/{$destPath}?ref={$choreBranch}");
+            if ($existing['code'] === 200) {
+                $data = json_decode($existing['body'], true);
+                $remoteSha = $data['sha'] ?? '';
+            }
+        }
+
+        // 2. Push file to chore branch
+        $filePayload = ['content' => $encodedContent, 'message' => $commitMsg, 'branch' => $choreBranch];
+        if ($remoteSha !== '') {
+            $filePayload['sha'] = $remoteSha;
+            $method = 'PUT';
+        } else {
+            $method = 'POST';
+        }
+        $fileResp = $this->apiRequest($giteaUrl, $token, $method,
+            "{$apiBase}/contents/{$destPath}", json_encode($filePayload));
+        if ($fileResp['code'] !== 200 && $fileResp['code'] !== 201) {
+            // 422 = file unchanged, still create PR if branch is new
+            if ($fileResp['code'] !== 422) {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (file push HTTP {$fileResp['code']})");
+                $this->errors++;
+                return;
+            }
+        }
+
+        // 3. Create PR
+        $prPayload = json_encode([
+            'title' => "chore: sync workflows from mokocli",
+            'body' => "Automated workflow sync via bulk_workflow_push.",
+            'head' => $choreBranch,
+            'base' => $targetBranch,
+        ]);
+        $prResp = $this->apiRequest($giteaUrl, $token, 'POST', "{$apiBase}/pulls", $prPayload);
+
+        if ($prResp['code'] === 201) {
+            $prData = json_decode($prResp['body'], true);
+            $prNumber = $prData['number'] ?? '?';
+
+            // 4. Auto-merge the PR
+            $mergePayload = json_encode(['Do' => 'merge', 'merge_message_field' => $commitMsg]);
+            $mergeResp = $this->apiRequest($giteaUrl, $token, 'POST',
+                "{$apiBase}/pulls/{$prNumber}/merge", $mergePayload);
+
+            if ($mergeResp['code'] === 200 || $mergeResp['code'] === 204) {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, "UPDATED (via PR #{$prNumber}, merged)");
+                $this->updated++;
+            } else {
+                fprintf(STDERR, "%-45s | %s\n", $repoFullName, "PR #{$prNumber} created (merge HTTP {$mergeResp['code']})");
+                $this->updated++;
+            }
+        } elseif ($prResp['code'] === 409 || $prResp['code'] === 422) {
+            fprintf(STDERR, "%-45s | %s\n", $repoFullName, 'PR already exists');
+            $this->skipped++;
+        } else {
+            fprintf(STDERR, "%-45s | %s\n", $repoFullName, "ERROR (PR create HTTP {$prResp['code']})");
+            $this->errors++;
+        }
+    }
+
+    private function fetchOrgRepos(string $giteaUrl, string $token, string $org): ?array
+    {
+        $this->log('INFO', "Fetching repos from org: {$org}");
+
+        $page = 1;
+        $repos = [];
+
+        while (true) {
+            $response = $this->apiRequest(
+                $giteaUrl,
+                $token,
+                'GET',
+                "/api/v1/orgs/{$org}/repos?"
+                    . "limit=50&page={$page}"
+            );
+
+            if ($response['code'] < 200 || $response['code'] >= 300) {
+                if ($page === 1) {
+                    $this->log('ERROR', "Could not fetch repos "
+                        . "(HTTP {$response['code']}).");
+                    return null;
+                }
+
+                break;
+            }
+
+            $data = json_decode($response['body'], true);
+
+            if (!is_array($data) || count($data) === 0) {
+                break;
+            }
+
+            foreach ($data as $repo) {
+                if (!empty($repo['archived'])) {
+                    continue;
+                }
+
+                $fullName = $repo['full_name'] ?? '';
+
+                if ($fullName !== '') {
+                    $repos[] = $fullName;
+                }
+            }
+
+            $page++;
+        }
+
+        return $repos;
+    }
+
+    private function apiRequest(
+        string $giteaUrl,
+        string $token,
+        string $method,
+        string $endpoint,
+        ?string $body = null
+    ): array {
+        $url = $giteaUrl . $endpoint;
+
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, $url);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
+        curl_setopt($ch, CURLOPT_HTTPHEADER, [
+            'Content-Type: application/json',
+            'Accept: application/json',
+            "Authorization: token {$token}",
+        ]);
+
+        if ($body !== null) {
+            curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
+        }
+
+        $responseBody = curl_exec($ch);
+        $httpCode = (int) curl_getinfo(
+            $ch,
+            CURLINFO_HTTP_CODE
+        );
+
+        if (curl_errno($ch)) {
+            $error = curl_error($ch);
+            curl_close($ch);
+
+            return [
+                'code' => 0,
+                'body' => "cURL error: {$error}",
+            ];
+        }
+
+        curl_close($ch);
+
+        return ['code' => $httpCode, 'body' => $responseBody];
+    }
+}
+
+$app = new BulkWorkflowPushCli();
+exit($app->execute());

cli/bulk_workflow_trigger.php

@@ -12,7 +12,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/bulk_workflow_trigger.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Trigger a workflow across multiple repos at once
  */
 

cli/client_dashboard.php

@@ -12,7 +12,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/client_dashboard.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Generate unified client dashboard HTML
  */
 

cli/client_inventory.php

@@ -12,7 +12,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/client_inventory.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Discover and list all client-waas repos with their server configuration status
  */
 

cli/client_provision.php

@@ -12,7 +12,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/client_provision.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Provision a new client environment end-to-end
  */
 

cli/grafana_dashboard.php

@@ -12,7 +12,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/grafana_dashboard.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Manage Grafana dashboards via API
  */
 

cli/joomla_build.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/joomla_build.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Build a Joomla extension ZIP from manifest — all types supported
  * NOTE: Called by pre-release and auto-release workflows.
  */

cli/joomla_metadata_validate.php

@@ -0,0 +1,507 @@
+#!/usr/bin/env php
+<?php
+
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: mokoplatform.CLI
+ * INGROUP: mokoplatform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+ * PATH: /cli/joomla_metadata_validate.php
+ * VERSION: 09.29.01
+ * BRIEF: Validate MokoGitea repo metadata against Joomla extension manifest XML
+ */
+
+declare(strict_types=1);
+
+require_once __DIR__ . '/../lib/Enterprise/CliFramework.php';
+
+use MokoEnterprise\CliFramework;
+
+class JoomlaMetadataValidateCli extends CliFramework
+{
+    /** Joomla element prefix map — must match MokoGitea's cleanJoomlaElement() */
+    private const JOOMLA_PREFIX = [
+        'package'   => 'pkg_',
+        'component' => 'com_',
+        'module'    => 'mod_',
+        'template'  => 'tpl_',
+        'library'   => 'lib_',
+        'file'      => 'file_',
+    ];
+
+    protected function configure(): void
+    {
+        $this->setDescription('Validate MokoGitea repo metadata against Joomla extension manifest XML');
+        $this->addArgument('--path', 'Repo root path (default: current directory)', '.');
+        $this->addArgument('--token', 'Gitea API token (or GITEA_TOKEN env)', '');
+        $this->addArgument('--org', 'Gitea org', 'MokoConsulting');
+        $this->addArgument('--repo', 'Repo name (auto-detected from git if empty)', '');
+        $this->addArgument('--api-base', 'Gitea API base URL', 'https://git.mokoconsulting.tech/api/v1');
+        $this->addArgument('--ci', 'CI mode: exit 1 on any error', false);
+        $this->addArgument('--json', 'Output as JSON', false);
+    }
+
+    protected function run(): int
+    {
+        $path     = realpath($this->getArgument('--path')) ?: $this->getArgument('--path');
+        $token    = $this->getArgument('--token') ?: getenv('GITEA_TOKEN') ?: '';
+        $org      = $this->getArgument('--org');
+        $repoName = $this->getArgument('--repo');
+        $apiBase  = rtrim($this->getArgument('--api-base'), '/');
+        $ciMode   = (bool) $this->getArgument('--ci');
+        $jsonMode = (bool) $this->getArgument('--json');
+
+        if (!is_dir($path)) {
+            $this->log('ERROR', "Path does not exist: {$path}");
+            return 1;
+        }
+
+        if ($repoName === '') {
+            $repoName = $this->detectRepoName($path);
+        }
+
+        // ── Step 1: Find the Joomla extension manifest XML ──────────
+        $joomlaXml = $this->findJoomlaManifest($path);
+
+        if ($joomlaXml === null) {
+            $this->log('ERROR', 'No Joomla extension manifest XML found');
+            return 1;
+        }
+
+        $this->log('INFO', "Joomla manifest: {$joomlaXml['path']}");
+
+        // ── Step 2: Load MokoGitea metadata ─────────────────────────
+        $metadata = $this->loadMetadata($path, $org, $repoName, $token, $apiBase);
+
+        if ($metadata === null) {
+            $this->log('ERROR', 'Could not load MokoGitea metadata');
+            return 1;
+        }
+
+        // ── Step 3: Compare ─────────────────────────────────────────
+        $results = $this->compare($metadata, $joomlaXml, $path);
+
+        // ── Step 4: Output ──────────────────────────────────────────
+        if ($jsonMode) {
+            echo json_encode([
+                'repo'    => $repoName,
+                'results' => $results,
+            ], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
+        } else {
+            $this->printResults($repoName, $results);
+        }
+
+        $errors = count(array_filter($results, fn($r) => $r['status'] === 'error'));
+
+        return ($ciMode && $errors > 0) ? 1 : 0;
+    }
+
+    // =================================================================
+    // Find Joomla manifest XML
+    // =================================================================
+
+    private function findJoomlaManifest(string $root): ?array
+    {
+        // Search common locations for a Joomla extension manifest
+        $candidates = [];
+
+        // Package manifest: source/pkg_*.xml
+        foreach (glob("{$root}/source/pkg_*.xml") as $file) {
+            $candidates[] = $file;
+        }
+
+        // Component manifest: source/packages/com_*/[name].xml
+        foreach (glob("{$root}/source/packages/com_*/*.xml") as $file) {
+            $basename = basename($file);
+            // Skip access.xml, config.xml, etc.
+            if (in_array($basename, ['access.xml', 'config.xml'], true)) {
+                continue;
+            }
+            $candidates[] = $file;
+        }
+
+        // Direct source/*.xml
+        foreach (glob("{$root}/source/*.xml") as $file) {
+            if (basename($file) !== 'pkg_mokosuitebackup.xml') {
+                // Already caught above
+            }
+            $candidates[] = $file;
+        }
+
+        // src/ fallback
+        foreach (glob("{$root}/src/pkg_*.xml") as $file) {
+            $candidates[] = $file;
+        }
+
+        // Find the first one that has <extension type="...">
+        foreach (array_unique($candidates) as $file) {
+            $content = file_get_contents($file);
+            if ($content === false) {
+                continue;
+            }
+
+            if (preg_match('/<extension\s[^>]*type=["\']([^"\']+)["\']/', $content, $typeMatch)) {
+                $xml = @simplexml_load_string($content);
+                if ($xml === false) {
+                    $relPath = str_replace($root . '/', '', $file);
+                    $relPath = str_replace($root . '\\', '', $relPath);
+                    $this->log('WARN', "Skipping {$relPath}: malformed XML");
+                    continue;
+                }
+
+                $type = strtolower($typeMatch[1]);
+                $relPath = str_replace($root . '/', '', $file);
+                $relPath = str_replace($root . '\\', '', $relPath);
+
+                return [
+                    'path' => $relPath,
+                    'type' => $type,
+                    'xml'  => $xml,
+                ];
+            }
+        }
+
+        return null;
+    }
+
+    // =================================================================
+    // Load metadata (from API)
+    // =================================================================
+
+    private function loadMetadata(string $root, string $org, string $repoName, string $token, string $apiBase): ?array
+    {
+        if ($token === '') {
+            $this->log('ERROR', 'No API token provided (use --token or set GITEA_TOKEN env var)');
+            return null;
+        }
+
+        $url = "{$apiBase}/repos/{$org}/{$repoName}/metadata";
+        $ctx = stream_context_create([
+            'http' => [
+                'header'        => "Authorization: token {$token}\r\nAccept: application/json\r\n",
+                'timeout'       => 10,
+                'ignore_errors' => true,
+            ],
+        ]);
+
+        $body = file_get_contents($url, false, $ctx);
+
+        // Extract HTTP status from response headers
+        $httpCode = 0;
+        if (isset($http_response_header[0]) && preg_match('/\d{3}/', $http_response_header[0], $m)) {
+            $httpCode = (int) $m[0];
+        }
+
+        if ($body === false) {
+            $this->log('ERROR', "Failed to connect to {$url} — check network or TLS configuration");
+            return null;
+        }
+
+        if ($httpCode === 404) {
+            $this->log('ERROR', "API endpoint not found: {$url}");
+            $this->log('ERROR', 'Server may need MokoGitea-Fork >= #650 (metadata endpoint rename)');
+            return null;
+        }
+
+        if ($httpCode === 401 || $httpCode === 403) {
+            $this->log('ERROR', "Authentication failed (HTTP {$httpCode}) — check your API token");
+            return null;
+        }
+
+        if ($httpCode >= 400) {
+            $this->log('ERROR', "API returned HTTP {$httpCode}: " . substr($body, 0, 200));
+            return null;
+        }
+
+        $data = json_decode($body, true);
+        if (!is_array($data)) {
+            $this->log('ERROR', "API returned invalid JSON from {$url}");
+            return null;
+        }
+
+        $data['source'] = 'api';
+        return $data;
+    }
+
+    // =================================================================
+    // Compare metadata against Joomla manifest
+    // =================================================================
+
+    private function compare(array $metadata, array $joomlaXml, string $root): array
+    {
+        $results = [];
+        $xml     = $joomlaXml['xml'];
+        $type    = $joomlaXml['type'];
+
+        // 1. Extension type
+        $metaType = $this->normalizeExtensionType(
+            $metadata['extension_type'] ?? $metadata['package_type'] ?? ''
+        );
+        $results[] = [
+            'field'    => 'extension_type',
+            'metadata' => $metaType,
+            'joomla'   => $type,
+            'status'   => ($metaType === $type) ? 'ok' : 'error',
+            'message'  => ($metaType === $type)
+                ? "matches <extension type=\"{$type}\">"
+                : "metadata has \"{$metaType}\" but Joomla manifest has \"{$type}\"",
+        ];
+
+        // 2. Element name
+        $metaName    = strtolower($metadata['name'] ?? '');
+        $metaElement = $this->deriveElement($metaType, $metaName);
+        $joomlaElement = $this->extractJoomlaElement($xml, $type);
+
+        $elementMatch = ($metaElement === $joomlaElement);
+        $results[] = [
+            'field'    => 'element',
+            'metadata' => $metaElement,
+            'joomla'   => $joomlaElement,
+            'status'   => $elementMatch ? 'ok' : 'error',
+            'message'  => $elementMatch
+                ? "derived correctly"
+                : "metadata derives \"{$metaElement}\" but Joomla uses \"{$joomlaElement}\"",
+        ];
+
+        // 3. Version
+        $metaVersion  = $metadata['version'] ?? '';
+        $joomlaVersion = (string) ($xml->version ?? '');
+
+        if ($metaVersion !== '' && $joomlaVersion !== '') {
+            // Strip dev/rc suffixes for comparison (CI bumps these)
+            $metaBase   = preg_replace('/-(dev|rc|alpha|beta)\d*$/', '', $metaVersion);
+            $joomlaBase = preg_replace('/-(dev|rc|alpha|beta)\d*$/', '', $joomlaVersion);
+            $versionMatch = ($metaBase === $joomlaBase);
+
+            $results[] = [
+                'field'    => 'version',
+                'metadata' => $metaVersion,
+                'joomla'   => $joomlaVersion,
+                'status'   => $versionMatch ? 'ok' : 'warn',
+                'message'  => $versionMatch
+                    ? 'matches (base version)'
+                    : "metadata has \"{$metaVersion}\" but Joomla has \"{$joomlaVersion}\"",
+            ];
+        }
+
+        // 4. PHP minimum (from composer.json)
+        $composerPhp = $this->readComposerPhpRequirement($root);
+        $metaPhp     = $metadata['php_minimum'] ?? '';
+
+        if ($composerPhp !== '' && $metaPhp !== '') {
+            $phpMatch = ($metaPhp === $composerPhp);
+            $results[] = [
+                'field'    => 'php_minimum',
+                'metadata' => $metaPhp,
+                'joomla'   => $composerPhp . ' (composer.json)',
+                'status'   => $phpMatch ? 'ok' : 'warn',
+                'message'  => $phpMatch
+                    ? 'matches composer.json'
+                    : "metadata has \"{$metaPhp}\" but composer.json requires \"{$composerPhp}\"",
+            ];
+        }
+
+        // 5. Description
+        $metaDesc   = $metadata['description'] ?? '';
+        $joomlaDesc = (string) ($xml->description ?? '');
+
+        // Joomla descriptions are often language keys, skip those
+        if ($metaDesc !== '' && $joomlaDesc !== '' && !str_starts_with($joomlaDesc, 'COM_') && !str_starts_with($joomlaDesc, 'PKG_')) {
+            $descMatch = ($metaDesc === $joomlaDesc);
+            $results[] = [
+                'field'    => 'description',
+                'metadata' => substr($metaDesc, 0, 60) . (strlen($metaDesc) > 60 ? '...' : ''),
+                'joomla'   => substr($joomlaDesc, 0, 60) . (strlen($joomlaDesc) > 60 ? '...' : ''),
+                'status'   => $descMatch ? 'ok' : 'info',
+                'message'  => $descMatch ? 'matches' : 'descriptions differ (informational)',
+            ];
+        }
+
+        return $results;
+    }
+
+    // =================================================================
+    // Helpers
+    // =================================================================
+
+    /**
+     * Normalize extension_type — map MokoGitea types to Joomla types.
+     */
+    private function normalizeExtensionType(string $type): string
+    {
+        return match (strtolower($type)) {
+            'joomla-extension' => 'package', // legacy mapping
+            default => strtolower($type),
+        };
+    }
+
+    /**
+     * Derive the Joomla element name from type + name.
+     * Replicates MokoGitea's cleanJoomlaElement() + prefix logic.
+     */
+    private function deriveElement(string $type, string $name): string
+    {
+        // Clean: lowercase, strip non-alphanumeric except . _ -
+        $clean = strtolower($name);
+        $clean = preg_replace('/[^a-z0-9._-]/', '', $clean);
+
+        $prefix = self::JOOMLA_PREFIX[$type] ?? '';
+
+        return $prefix . $clean;
+    }
+
+    /**
+     * Extract the element name from a Joomla manifest XML.
+     * Follows the same logic as Joomla's InstallerAdapter::getElement().
+     */
+    private function extractJoomlaElement(\SimpleXMLElement $xml, string $type): string
+    {
+        switch ($type) {
+            case 'package':
+                $packagename = (string) ($xml->packagename ?? '');
+                if ($packagename !== '') {
+                    return 'pkg_' . strtolower(preg_replace('/[^a-zA-Z0-9._-]/', '', $packagename));
+                }
+                break;
+
+            case 'component':
+                $element = (string) ($xml->element ?? '');
+                if ($element !== '') {
+                    $element = strtolower($element);
+                    return str_starts_with($element, 'com_') ? $element : 'com_' . $element;
+                }
+                $name = (string) ($xml->name ?? '');
+                $name = strtolower(preg_replace('/[^a-zA-Z0-9._-]/', '', $name));
+                return str_starts_with($name, 'com_') ? $name : 'com_' . $name;
+
+            case 'module':
+                $element = (string) ($xml->element ?? '');
+                if ($element !== '') {
+                    return strtolower($element);
+                }
+                break;
+
+            case 'plugin':
+                // Plugins derive element from the file attribute
+                if (isset($xml->files)) {
+                    foreach ($xml->files->children() as $file) {
+                        $plugin = (string) ($file->attributes()->plugin ?? '');
+                        if ($plugin !== '') {
+                            return strtolower($plugin);
+                        }
+                    }
+                }
+                break;
+
+            case 'library':
+                $libname = (string) ($xml->libraryname ?? '');
+                if ($libname !== '') {
+                    return strtolower($libname);
+                }
+                break;
+        }
+
+        // Fallback: use <name> tag
+        $name = (string) ($xml->name ?? '');
+        return strtolower(preg_replace('/[^a-zA-Z0-9._-]/', '', $name));
+    }
+
+    /**
+     * Read PHP version requirement from composer.json.
+     */
+    private function readComposerPhpRequirement(string $root): string
+    {
+        $composerFile = "{$root}/composer.json";
+
+        if (!is_file($composerFile)) {
+            return '';
+        }
+
+        $data = json_decode(file_get_contents($composerFile), true);
+
+        if (!is_array($data)) {
+            return '';
+        }
+
+        $phpReq = $data['require']['php'] ?? '';
+
+        // Extract version number from constraint like ">=8.1"
+        if (preg_match('/(\d+\.\d+)/', $phpReq, $m)) {
+            return $m[1];
+        }
+
+        return '';
+    }
+
+    private function detectRepoName(string $root): string
+    {
+        $gitConfig = "{$root}/.git/config";
+
+        if (!file_exists($gitConfig)) {
+            return basename($root);
+        }
+
+        $content = file_get_contents($gitConfig);
+
+        if (preg_match('/url\s*=\s*.*\/([^\/\s]+?)(?:\.git)?\s*$/m', $content, $m)) {
+            return $m[1];
+        }
+
+        return basename($root);
+    }
+
+    // =================================================================
+    // Output
+    // =================================================================
+
+    private function printResults(string $repoName, array $results): void
+    {
+        $errors = count(array_filter($results, fn($r) => $r['status'] === 'error'));
+        $warns  = count(array_filter($results, fn($r) => $r['status'] === 'warn'));
+        $oks    = count(array_filter($results, fn($r) => $r['status'] === 'ok'));
+
+        $this->log('INFO', "Validating {$repoName} Joomla metadata...\n");
+
+        foreach ($results as $r) {
+            $icon = match ($r['status']) {
+                'ok'    => "\xE2\x9C\x93", // ✓
+                'error' => "\xE2\x9C\x97", // ✗
+                'warn'  => "\xE2\x9A\xA0", // ⚠
+                default => "\xE2\x84\xB9", // ℹ
+            };
+
+            $line = sprintf(
+                "  %s %-16s %s",
+                $icon,
+                $r['field'],
+                $r['message']
+            );
+
+            $this->log(
+                match ($r['status']) {
+                    'error' => 'ERROR',
+                    'warn'  => 'WARN',
+                    'ok'    => 'OK',
+                    default => 'INFO',
+                },
+                $line
+            );
+        }
+
+        echo "\n";
+
+        if ($errors > 0) {
+            $this->log('ERROR', "{$errors} error(s) — update delivery will fail");
+        } elseif ($warns > 0) {
+            $this->log('WARN', "All critical checks passed, {$warns} warning(s)");
+        } else {
+            $this->log('OK', "All {$oks} checks passed");
+        }
+    }
+}
+
+$app = new JoomlaMetadataValidateCli();
+exit($app->execute());

cli/manifest_detect.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/manifest_detect.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Auto-detect manifest fields from source files and optionally push to API
  */
 
@@ -161,15 +161,18 @@ class ManifestDetectCli extends CliFramework
         $platform = $this->detectPlatform($root);
 
         $fields = [
-            'platform'     => $platform,
-            'name'         => '',
-            'description'  => '',
-            'version'      => '',
-            'element_name' => '',
-            'package_type' => '',
-            'language'     => '',
-            'entry_point'  => '',
-            'license_spdx' => '',
+            'platform'       => $platform,
+            'name'           => '',
+            'description'    => '',
+            'version'        => '',
+            'element_name'   => '',
+            'package_type'   => '',
+            'language'       => '',
+            'entry_point'    => '',
+            'license_spdx'   => '',
+            'display_name'   => '',
+            'target_version' => '',
+            'php_minimum'    => '',
         ];
 
         switch ($platform) {
@@ -316,7 +319,13 @@ class ManifestDetectCli extends CliFramework
         ];
         if (isset($prefixMap[$extType])) {
             $prefix = $prefixMap[$extType];
-            if (strpos($element, $prefix) !== 0 && strpos($element, '_') === false) {
+            // Only add prefix if not already present (check all known prefixes)
+            $hasPrefix = false;
+            foreach ($prefixMap as $p) {
+                if (strpos($element, $p) === 0) { $hasPrefix = true; break; }
+            }
+            if (strpos($element, 'plg_') === 0) { $hasPrefix = true; }
+            if (!$hasPrefix) {
                 $element = $prefix . $element;
             }
         } elseif ($extType === 'plugin') {
@@ -349,6 +358,30 @@ class ManifestDetectCli extends CliFramework
             }
         }
 
+        // Display name for update feeds
+        if (!empty($fields['name'])) {
+            $name = $fields['name'];
+            // If name already has "Type - " prefix, use as-is
+            if (preg_match('/^(Package|Component|Module|Plugin|Template|Library)\s*-\s*/i', $name)) {
+                $fields['display_name'] = $name;
+            } elseif (!empty($extType)) {
+                $fields['display_name'] = ucfirst($extType) . ' - ' . $name;
+            }
+        }
+
+        // Target Joomla version
+        if (preg_match('/<targetplatform\s[^>]*version="([^"]+)"/', $xml, $m)) {
+            $fields['target_version'] = trim($m[1]);
+        } else {
+            // Default for Joomla 5/6
+            $fields['target_version'] = '(5|6)\..*';
+        }
+
+        // PHP minimum
+        if (preg_match('/<php_minimum>([^<]+)<\/php_minimum>/', $xml, $m)) {
+            $fields['php_minimum'] = trim($m[1]);
+        }
+
         // License
         if (preg_match('/<license>([^<]+)<\/license>/', $xml, $m)) {
             $fields['license_spdx'] = $this->normalizeLicense(trim($m[1]));

cli/manifest_integrity.php

@@ -0,0 +1,564 @@
+#!/usr/bin/env php
+<?php
+
+/* Copyright (C) 2026 Moko Consulting <hello@mokoconsulting.tech>
+ *
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ *
+ * FILE INFORMATION
+ * DEFGROUP: mokoplatform.CLI
+ * INGROUP: mokoplatform
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+ * PATH: /cli/manifest_integrity.php
+ * VERSION: 09.29.01
+ * BRIEF: Cross-check manifest API fields against repo contents across the org
+ */
+
+declare(strict_types=1);
+
+require_once __DIR__ . '/../lib/Enterprise/CliFramework.php';
+
+use MokoEnterprise\CliFramework;
+
+class ManifestIntegrityCli extends CliFramework
+{
+    protected function configure(): void
+    {
+        $this->setDescription('Cross-check manifest fields against repo contents across the org');
+        $this->addArgument('--path', 'Single repo path (local mode)', '');
+        $this->addArgument('--org', 'Gitea org (bulk mode)', 'MokoConsulting');
+        $this->addArgument('--repo', 'Single repo name (remote mode)', '');
+        $this->addArgument('--token', 'Gitea API token (or GITEA_TOKEN env)', '');
+        $this->addArgument('--api-base', 'Gitea API base URL', 'https://git.mokoconsulting.tech/api/v1');
+        $this->addArgument('--fix', 'Push fixes for detected drift', false);
+        $this->addArgument('--json', 'Output as JSON', false);
+        $this->addArgument('--quiet', 'Only show repos with issues', false);
+    }
+
+    protected function run(): int
+    {
+        $path     = $this->getArgument('--path');
+        $org      = $this->getArgument('--org');
+        $repoName = $this->getArgument('--repo');
+        $token    = $this->getArgument('--token') ?: getenv('GITEA_TOKEN') ?: '';
+        $apiBase  = rtrim($this->getArgument('--api-base'), '/');
+        $fixMode  = (bool) $this->getArgument('--fix');
+        $jsonMode = (bool) $this->getArgument('--json');
+        $quiet    = (bool) $this->getArgument('--quiet');
+
+        if ($token === '') {
+            $this->log('ERROR', 'API token required (use --token or GITEA_TOKEN env)');
+            return 1;
+        }
+
+        // ── Mode selection ──────────────────────────────────────────
+        if ($path !== '') {
+            // Local mode: detect from source + compare to API
+            return $this->checkLocal($path, $org, $repoName, $token, $apiBase, $fixMode, $jsonMode);
+        }
+
+        if ($repoName !== '') {
+            // Single remote repo
+            return $this->checkRemoteRepo($org, $repoName, $token, $apiBase, $fixMode, $jsonMode);
+        }
+
+        // Bulk mode: all repos in org
+        return $this->checkOrg($org, $token, $apiBase, $fixMode, $jsonMode, $quiet);
+    }
+
+    // =====================================================================
+    // Local mode — detect from source, compare to API
+    // =====================================================================
+
+    private function checkLocal(string $path, string $org, string $repoName, string $token, string $apiBase, bool $fix, bool $json): int
+    {
+        $root = realpath($path) ?: $path;
+        if (!is_dir($root)) {
+            $this->log('ERROR', "Path does not exist: {$path}");
+            return 1;
+        }
+
+        if ($repoName === '') {
+            $repoName = $this->detectRepoName($root);
+        }
+
+        // Run manifest_detect logic
+        $detected = $this->runDetect($root, $repoName);
+        $current = $this->fetchManifest($apiBase, $org, $repoName, $token);
+
+        if ($current === null) {
+            $this->log('ERROR', "Failed to fetch manifest for {$org}/{$repoName}");
+            return 1;
+        }
+
+        $issues = $this->validate($current, $detected, $repoName);
+
+        if ($json) {
+            echo json_encode(['repo' => $repoName, 'issues' => $issues], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
+        } else {
+            $this->printIssues($repoName, $issues);
+        }
+
+        if ($fix && !empty($issues)) {
+            return $this->applyFixes($apiBase, $org, $repoName, $token, $current, $issues);
+        }
+
+        return empty($issues) ? 0 : 1;
+    }
+
+    // =====================================================================
+    // Remote single repo mode — fetch source files via API
+    // =====================================================================
+
+    private function checkRemoteRepo(string $org, string $repoName, string $token, string $apiBase, bool $fix, bool $json): int
+    {
+        $current = $this->fetchManifest($apiBase, $org, $repoName, $token);
+        if ($current === null) {
+            $this->log('ERROR', "Failed to fetch manifest for {$org}/{$repoName}");
+            return 1;
+        }
+
+        $issues = $this->validateManifestOnly($current, $repoName);
+
+        if ($json) {
+            echo json_encode(['repo' => $repoName, 'issues' => $issues], JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
+        } else {
+            $this->printIssues($repoName, $issues);
+        }
+
+        if ($fix && !empty($issues)) {
+            return $this->applyFixes($apiBase, $org, $repoName, $token, $current, $issues);
+        }
+
+        return empty($issues) ? 0 : 1;
+    }
+
+    // =====================================================================
+    // Bulk org mode — check all repos
+    // =====================================================================
+
+    private function checkOrg(string $org, string $token, string $apiBase, bool $fix, bool $json, bool $quiet): int
+    {
+        $repos = $this->fetchOrgRepos($apiBase, $org, $token);
+        if ($repos === null) {
+            $this->log('ERROR', "Failed to fetch repos for org {$org}");
+            return 1;
+        }
+
+        $this->log('INFO', "Manifest Integrity Check — {$org} (" . count($repos) . " repos)");
+
+        $allResults = [];
+        $totalIssues = 0;
+        $reposWithIssues = 0;
+
+        foreach ($repos as $repo) {
+            $name = $repo['name'];
+            $manifest = $this->fetchManifest($apiBase, $org, $name, $token);
+
+            if ($manifest === null) {
+                if (!$quiet) {
+                    $this->log('WARN', "{$name}: no manifest");
+                }
+                continue;
+            }
+
+            $issues = $this->validateManifestOnly($manifest, $name);
+
+            if (!empty($issues)) {
+                $reposWithIssues++;
+                $totalIssues += count($issues);
+
+                if ($json) {
+                    $allResults[] = ['repo' => $name, 'issues' => $issues];
+                } else {
+                    $this->printIssues($name, $issues);
+                }
+
+                if ($fix) {
+                    $this->applyFixes($apiBase, $org, $name, $token, $manifest, $issues);
+                }
+            } elseif (!$quiet && !$json) {
+                $this->log('OK', "{$name}: clean");
+            }
+        }
+
+        if ($json) {
+            echo json_encode($allResults, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES) . "\n";
+        } else {
+            echo "\n";
+            $level = $reposWithIssues > 0 ? 'WARN' : 'OK';
+            $this->log($level, sprintf(
+                'Summary: %d repos checked, %d with issues (%d total issues)',
+                count($repos),
+                $reposWithIssues,
+                $totalIssues
+            ));
+        }
+
+        return $reposWithIssues > 0 ? 1 : 0;
+    }
+
+    // =====================================================================
+    // Validation rules
+    // =====================================================================
+
+    /**
+     * Full validation: compare API manifest against locally-detected fields.
+     */
+    private function validate(array $current, array $detected, string $repoName): array
+    {
+        $issues = [];
+
+        // Required fields that should never be empty
+        $required = ['platform', 'name', 'version', 'package_type', 'language', 'entry_point'];
+        foreach ($required as $field) {
+            if (empty($current[$field])) {
+                $fix = $detected[$field] ?? null;
+                $issues[] = [
+                    'field'    => $field,
+                    'severity' => 'error',
+                    'message'  => 'Missing required field',
+                    'current'  => '',
+                    'fix'      => $fix,
+                ];
+            }
+        }
+
+        // Drift detection: detected value differs from API
+        foreach ($detected as $field => $detectedValue) {
+            $currentValue = $current[$field] ?? '';
+            if ($detectedValue !== '' && $currentValue !== '' && $detectedValue !== $currentValue) {
+                // Version drift is expected on dev branches (suffix)
+                if ($field === 'version' && strpos($detectedValue, $currentValue) === 0) {
+                    continue; // e.g., detected "02.34.50-dev" vs API "02.34.50"
+                }
+                if ($field === 'version' && strpos($currentValue, $detectedValue) === 0) {
+                    continue;
+                }
+
+                $issues[] = [
+                    'field'    => $field,
+                    'severity' => 'warn',
+                    'message'  => 'Drift: source differs from manifest',
+                    'current'  => $currentValue,
+                    'fix'      => $detectedValue,
+                ];
+            }
+        }
+
+        // Platform-specific structure validation
+        $platform = $current['platform'] ?? '';
+        $issues = array_merge($issues, $this->validatePlatformStructure($platform, $current, $repoName));
+
+        return $issues;
+    }
+
+    /**
+     * API-only validation: check manifest fields for completeness and consistency
+     * without access to source files.
+     */
+    private function validateManifestOnly(array $manifest, string $repoName): array
+    {
+        $issues = [];
+
+        // Required fields
+        $required = ['platform', 'name', 'version', 'language'];
+        foreach ($required as $field) {
+            if (empty($manifest[$field])) {
+                $issues[] = [
+                    'field'    => $field,
+                    'severity' => 'error',
+                    'message'  => 'Missing required field',
+                    'current'  => '',
+                    'fix'      => null,
+                ];
+            }
+        }
+
+        // Recommended fields
+        $recommended = ['package_type', 'entry_point', 'license_spdx', 'description'];
+        foreach ($recommended as $field) {
+            if (empty($manifest[$field])) {
+                $issues[] = [
+                    'field'    => $field,
+                    'severity' => 'info',
+                    'message'  => 'Recommended field is empty',
+                    'current'  => '',
+                    'fix'      => null,
+                ];
+            }
+        }
+
+        // Platform-specific checks
+        $platform = $manifest['platform'] ?? '';
+        $issues = array_merge($issues, $this->validatePlatformStructure($platform, $manifest, $repoName));
+
+        return $issues;
+    }
+
+    /**
+     * Platform-specific validation rules.
+     */
+    private function validatePlatformStructure(string $platform, array $manifest, string $repoName): array
+    {
+        $issues = [];
+
+        switch ($platform) {
+            case 'joomla':
+            case 'waas-component':
+                // Joomla repos must have element_name
+                if (empty($manifest['element_name'])) {
+                    $issues[] = [
+                        'field'    => 'element_name',
+                        'severity' => 'error',
+                        'message'  => 'Joomla repos require element_name',
+                        'current'  => '',
+                        'fix'      => null,
+                    ];
+                }
+                // Language should be PHP
+                if (!empty($manifest['language']) && $manifest['language'] !== 'PHP') {
+                    $issues[] = [
+                        'field'    => 'language',
+                        'severity' => 'warn',
+                        'message'  => 'Joomla repos should have language=PHP',
+                        'current'  => $manifest['language'],
+                        'fix'      => 'PHP',
+                    ];
+                }
+                break;
+
+            case 'dolibarr':
+            case 'crm-module':
+                if (!empty($manifest['language']) && $manifest['language'] !== 'PHP') {
+                    $issues[] = [
+                        'field'    => 'language',
+                        'severity' => 'warn',
+                        'message'  => 'Dolibarr repos should have language=PHP',
+                        'current'  => $manifest['language'],
+                        'fix'      => 'PHP',
+                    ];
+                }
+                break;
+
+            case 'go':
+                if (!empty($manifest['language']) && $manifest['language'] !== 'Go') {
+                    $issues[] = [
+                        'field'    => 'language',
+                        'severity' => 'warn',
+                        'message'  => 'Go repos should have language=Go',
+                        'current'  => $manifest['language'],
+                        'fix'      => 'Go',
+                    ];
+                }
+                break;
+
+            case 'mcp':
+                if (!empty($manifest['language']) && !in_array($manifest['language'], ['TypeScript', 'JavaScript'], true)) {
+                    $issues[] = [
+                        'field'    => 'language',
+                        'severity' => 'warn',
+                        'message'  => 'MCP repos should have language=TypeScript or JavaScript',
+                        'current'  => $manifest['language'],
+                        'fix'      => null,
+                    ];
+                }
+                break;
+        }
+
+        // Version format check: should be XX.YY.ZZ
+        $version = $manifest['version'] ?? '';
+        if ($version !== '' && !preg_match('/^\d{2}\.\d{2}\.\d{2}/', $version)) {
+            // Allow semver for node/go repos
+            if (!in_array($platform, ['mcp', 'node', 'go'], true)) {
+                $issues[] = [
+                    'field'    => 'version',
+                    'severity' => 'info',
+                    'message'  => 'Version does not match XX.YY.ZZ format',
+                    'current'  => $version,
+                    'fix'      => null,
+                ];
+            }
+        }
+
+        return $issues;
+    }
+
+    // =====================================================================
+    // Output
+    // =====================================================================
+
+    private function printIssues(string $repoName, array $issues): void
+    {
+        if (empty($issues)) {
+            return;
+        }
+
+        $errors = count(array_filter($issues, fn($i) => $i['severity'] === 'error'));
+        $warns  = count(array_filter($issues, fn($i) => $i['severity'] === 'warn'));
+        $infos  = count($issues) - $errors - $warns;
+
+        echo "\n";
+        $summary = [];
+        if ($errors > 0) $summary[] = "{$errors} error(s)";
+        if ($warns > 0) $summary[] = "{$warns} warning(s)";
+        if ($infos > 0) $summary[] = "{$infos} info";
+        $this->log($errors > 0 ? 'ERROR' : 'WARN', "{$repoName} — " . implode(', ', $summary));
+
+        foreach ($issues as $issue) {
+            $icon = match ($issue['severity']) {
+                'error' => 'ERROR',
+                'warn'  => 'WARN',
+                default => 'INFO',
+            };
+            $msg = sprintf('  %-18s %s', $issue['field'], $issue['message']);
+            if ($issue['current'] !== '') {
+                $msg .= " (current: {$issue['current']})";
+            }
+            if ($issue['fix'] !== null) {
+                $msg .= " → fix: {$issue['fix']}";
+            }
+            $this->log($icon, $msg);
+        }
+    }
+
+    // =====================================================================
+    // Fix application
+    // =====================================================================
+
+    private function applyFixes(string $apiBase, string $org, string $repo, string $token, array $current, array $issues): int
+    {
+        $fixes = [];
+        foreach ($issues as $issue) {
+            if ($issue['fix'] !== null && $issue['fix'] !== '') {
+                $fixes[$issue['field']] = $issue['fix'];
+            }
+        }
+
+        if (empty($fixes)) {
+            $this->log('INFO', "{$repo}: no auto-fixable issues");
+            return 0;
+        }
+
+        $merged = array_merge($current, $fixes);
+        $url = "{$apiBase}/repos/{$org}/{$repo}/manifest";
+        $payload = json_encode($merged);
+
+        $ctx = stream_context_create([
+            'http' => [
+                'method'  => 'PUT',
+                'header'  => "Authorization: token {$token}\r\nContent-Type: application/json\r\nAccept: application/json\r\n",
+                'content' => $payload,
+                'timeout' => 10,
+            ],
+        ]);
+
+        $body = @file_get_contents($url, false, $ctx);
+        if ($body === false) {
+            $this->log('ERROR', "{$repo}: failed to push fixes");
+            return 1;
+        }
+
+        $this->log('OK', "{$repo}: fixed " . implode(', ', array_keys($fixes)));
+        return 0;
+    }
+
+    // =====================================================================
+    // API helpers
+    // =====================================================================
+
+    private function fetchManifest(string $apiBase, string $org, string $repo, string $token): ?array
+    {
+        $url = "{$apiBase}/repos/{$org}/{$repo}/manifest";
+        $ctx = stream_context_create([
+            'http' => [
+                'header'  => "Authorization: token {$token}\r\nAccept: application/json\r\n",
+                'timeout' => 10,
+            ],
+        ]);
+
+        $body = @file_get_contents($url, false, $ctx);
+        if ($body === false) return null;
+
+        $data = json_decode($body, true);
+        return is_array($data) ? $data : null;
+    }
+
+    private function fetchOrgRepos(string $apiBase, string $org, string $token): ?array
+    {
+        $allRepos = [];
+        $page = 1;
+        $limit = 50;
+
+        while (true) {
+            $url = "{$apiBase}/orgs/{$org}/repos?page={$page}&limit={$limit}";
+            $ctx = stream_context_create([
+                'http' => [
+                    'header'  => "Authorization: token {$token}\r\nAccept: application/json\r\n",
+                    'timeout' => 15,
+                ],
+            ]);
+
+            $body = @file_get_contents($url, false, $ctx);
+            if ($body === false) return null;
+
+            $repos = json_decode($body, true);
+            if (!is_array($repos) || empty($repos)) break;
+
+            $allRepos = array_merge($allRepos, $repos);
+
+            if (count($repos) < $limit) break;
+            $page++;
+        }
+
+        // Filter out archived and empty repos
+        return array_filter($allRepos, fn($r) => !($r['archived'] ?? false) && !($r['empty'] ?? false));
+    }
+
+    // =====================================================================
+    // Detection (delegates to manifest_detect logic)
+    // =====================================================================
+
+    private function runDetect(string $root, string $repoName): array
+    {
+        $script = __DIR__ . '/manifest_detect.php';
+        $redirect = PHP_OS_FAMILY === 'Windows' ? '2>NUL' : '2>/dev/null';
+        $cmd = sprintf(
+            'php %s --path %s --repo %s --json --quiet %s',
+            escapeshellarg($script),
+            escapeshellarg($root),
+            escapeshellarg($repoName),
+            $redirect
+        );
+
+        $output = shell_exec($cmd) ?? '';
+
+        // Extract JSON object from output (skip banner/log lines)
+        if (preg_match('/\{[^{}]*(?:\{[^{}]*\}[^{}]*)*\}/s', $output, $m)) {
+            $data = json_decode($m[0], true);
+            if (is_array($data)) {
+                return $data;
+            }
+        }
+
+        return [];
+    }
+
+    private function detectRepoName(string $root): string
+    {
+        $gitConfig = "{$root}/.git/config";
+        if (!file_exists($gitConfig)) {
+            return basename($root);
+        }
+
+        $content = file_get_contents($gitConfig);
+        if (preg_match('/url\s*=\s*.*\/([^\/\s]+?)(?:\.git)?\s*$/m', $content, $m)) {
+            return $m[1];
+        }
+
+        return basename($root);
+    }
+}
+
+$app = new ManifestIntegrityCli();
+exit($app->execute());

cli/manifest_licensing.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/manifest_licensing.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Ensure licensing tags (updateservers, dlid) in Joomla extension manifests
  */
 

cli/manifest_read.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/manifest_read.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Parse .manifest.xml and output requested field(s) for CI consumption
  */
 

cli/platform_detect.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/platform_detect.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Auto-detect repository platform type and optionally update manifest
  */
 
@@ -82,7 +82,7 @@ class PlatformDetectCli extends CliFramework
                 $giteaUrl,
                 $token,
                 'PATCH',
-                "/api/v1/repos/{$owner}/{$repo}/manifest",
+                "/api/v1/repos/{$owner}/{$repo}/metadata",
                 json_encode(['platform' => $platform])
             );
 

cli/release_cascade.php

@@ -6,12 +6,12 @@
  * SPDX-License-Identifier: GPL-3.0-or-later
  *
  * FILE INFORMATION
- * DEFGROUP: mokoplatform.CLI
- * INGROUP: mokoplatform
- * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
+ * DEFGROUP: mokocli.CLI
+ * INGROUP: mokocli
+ * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokocli
  * PATH: /cli/release_cascade.php
- * VERSION: 09.26.00
- * BRIEF: DEPRECATED — cascade behavior removed. Each release stream is independent.
+ * VERSION: 10.00.00
+ * BRIEF: Cascade release zip to all lower stability channels
  */
 
 declare(strict_types=1);
@@ -22,15 +22,320 @@ use MokoEnterprise\CliFramework;
 
 class ReleaseCascadeCli extends CliFramework
 {
+    /** Channel hierarchy: highest stability first. */
+    private const CHANNELS = ['stable', 'release-candidate', 'beta', 'alpha', 'development'];
+
+    /** Map stability input names to canonical tag names. */
+    private const TAG_MAP = [
+        'stable'            => 'stable',
+        'release-candidate' => 'release-candidate',
+        'rc'                => 'release-candidate',
+        'beta'              => 'beta',
+        'alpha'             => 'alpha',
+        'development'       => 'development',
+        'dev'               => 'development',
+    ];
+
     protected function configure(): void
     {
-        $this->setDescription('DEPRECATED — cascade behavior removed');
+        $this->setDescription('Cascade release zip to all lower stability channels');
+        $this->addArgument('--stability', 'Source stability channel (required)', '');
+        $this->addArgument('--token', 'Gitea API token (required)', '');
+        $this->addArgument('--api-base', 'Gitea API base URL for the repo (required)', '');
     }
 
     protected function run(): int
     {
-        $this->log('INFO', 'No-op (cascade behavior removed — each stream is independent)');
-        return 0;
+        $stability = strtolower($this->getArgument('--stability'));
+        $token     = $this->getArgument('--token');
+        $apiBase   = rtrim($this->getArgument('--api-base'), '/');
+
+        if ($token === '') {
+            $envToken = getenv('MOKOGITEA_TOKEN');
+            if ($envToken === false || $envToken === '') {
+                $envToken = getenv('GITEA_TOKEN');
+            }
+            if ($envToken !== false && $envToken !== '') {
+                $token = $envToken;
+            }
+        }
+
+        if ($stability === '' || $token === '' || $apiBase === '') {
+            $this->log('ERROR', 'Usage: release_cascade.php --stability CHANNEL --token TOKEN --api-base URL');
+            return 1;
+        }
+
+        $sourceTag = self::TAG_MAP[$stability] ?? null;
+        if ($sourceTag === null) {
+            $this->log('ERROR', "Unknown stability: {$stability}");
+            return 1;
+        }
+
+        // Find lower channels to cascade to
+        $lowerChannels = $this->getLowerChannels($sourceTag);
+        if (count($lowerChannels) === 0) {
+            $this->log('INFO', "No lower channels for '{$stability}' — nothing to cascade.");
+            return 0;
+        }
+
+        $this->log('INFO', "Cascading from '{$sourceTag}' to: " . implode(', ', $lowerChannels));
+
+        if ($this->dryRun) {
+            $this->log('INFO', '[DRY RUN] No changes will be made.');
+        }
+
+        // 1. Get source release
+        $sourceRelease = $this->giteaApi("{$apiBase}/releases/tags/{$sourceTag}", $token);
+        if ($sourceRelease === null) {
+            $this->log('WARN', "No release found at tag '{$sourceTag}' — nothing to cascade.");
+            return 0;
+        }
+
+        $sourceVersion = $sourceRelease['name'] ?? $sourceTag;
+        $sourceBody    = $sourceRelease['body'] ?? '';
+        $sourceAssets  = $sourceRelease['assets'] ?? [];
+
+        // Find zip assets (exclude .sha256 sidecars)
+        $zipAssets = array_filter($sourceAssets, function (array $asset): bool {
+            $name = strtolower($asset['name'] ?? '');
+            return str_ends_with($name, '.zip') && !str_ends_with($name, '.sha256');
+        });
+
+        // Also grab sha256 sidecars
+        $sha256Assets = array_filter($sourceAssets, function (array $asset): bool {
+            return str_ends_with(strtolower($asset['name'] ?? ''), '.zip.sha256');
+        });
+
+        if (count($zipAssets) === 0) {
+            $this->log('WARN', "Source release '{$sourceTag}' has no zip assets — nothing to cascade.");
+            return 0;
+        }
+
+        $this->log('INFO', "Source: {$sourceVersion} — " . count($zipAssets) . " zip(s)");
+        echo "\n";
+
+        // 2. Download source assets to temp files
+        $downloads = [];
+        foreach (array_merge($zipAssets, $sha256Assets) as $asset) {
+            $url = $asset['browser_download_url'] ?? '';
+            if ($url === '') {
+                continue;
+            }
+            $tmpFile = tempnam(sys_get_temp_dir(), 'cascade_');
+            if ($this->downloadFile($url, $token, $tmpFile)) {
+                $downloads[] = ['name' => $asset['name'], 'path' => $tmpFile];
+                $this->log('INFO', "Downloaded: {$asset['name']}");
+            } else {
+                $this->log('ERROR', "Failed to download: {$asset['name']}");
+            }
+        }
+
+        if (count($downloads) === 0) {
+            $this->log('ERROR', 'Could not download any source assets.');
+            return 1;
+        }
+
+        // 3. Cascade to each lower channel
+        $errors = 0;
+        foreach ($lowerChannels as $targetTag) {
+            echo "\n";
+            $result = $this->cascadeToChannel(
+                $apiBase, $token, $targetTag,
+                $sourceVersion, $sourceBody, $downloads
+            );
+            if (!$result) {
+                $errors++;
+            }
+        }
+
+        // 4. Cleanup temp files
+        foreach ($downloads as $dl) {
+            @unlink($dl['path']);
+        }
+
+        echo "\n";
+        $this->log('INFO', "Cascade complete. " . (count($lowerChannels) - $errors)
+            . "/" . count($lowerChannels) . " channels updated.");
+
+        return $errors > 0 ? 1 : 0;
+    }
+
+    /**
+     * Cascade assets to a single target channel.
+     */
+    private function cascadeToChannel(
+        string $apiBase,
+        string $token,
+        string $targetTag,
+        string $sourceVersion,
+        string $sourceBody,
+        array $downloads
+    ): bool {
+        $this->log('INFO', "→ {$targetTag}");
+
+        if ($this->dryRun) {
+            $this->log('INFO', "  [DRY RUN] Would cascade to {$targetTag}");
+            return true;
+        }
+
+        // Find existing release at target tag
+        $existing = $this->giteaApi("{$apiBase}/releases/tags/{$targetTag}", $token);
+
+        if ($existing !== null && !empty($existing['id'])) {
+            $releaseId = (int) $existing['id'];
+
+            // Delete existing assets
+            $existingAssets = $existing['assets'] ?? [];
+            foreach ($existingAssets as $asset) {
+                $assetId = $asset['id'] ?? 0;
+                if ($assetId > 0) {
+                    $this->giteaApi(
+                        "{$apiBase}/releases/{$releaseId}/assets/{$assetId}",
+                        $token, 'DELETE'
+                    );
+                }
+            }
+
+            // Update release metadata
+            $updatePayload = json_encode([
+                'name' => $sourceVersion,
+                'body' => $sourceBody,
+            ]);
+            $this->giteaApi(
+                "{$apiBase}/releases/{$releaseId}",
+                $token, 'PATCH', $updatePayload
+            );
+
+            $this->log('INFO', "  Updated release metadata (id: {$releaseId})");
+        } else {
+            // Create new release at target tag
+            // Use the source release's target commitish so the tag points to the same commit
+            $createPayload = json_encode([
+                'tag_name'          => $targetTag,
+                'target_commitish'  => 'main',
+                'name'              => $sourceVersion,
+                'body'              => $sourceBody,
+                'prerelease'        => ($targetTag !== 'stable'),
+            ]);
+            $newRelease = $this->giteaApi("{$apiBase}/releases", $token, 'POST', $createPayload);
+            if ($newRelease === null || empty($newRelease['id'])) {
+                $this->log('ERROR', "  Failed to create release at tag '{$targetTag}'");
+                return false;
+            }
+            $releaseId = (int) $newRelease['id'];
+            $this->log('INFO', "  Created release (id: {$releaseId})");
+        }
+
+        // Upload assets
+        foreach ($downloads as $dl) {
+            $uploadUrl = "{$apiBase}/releases/{$releaseId}/assets?name=" . rawurlencode($dl['name']);
+            $success = $this->uploadAsset($uploadUrl, $token, $dl['path'], $dl['name']);
+            if ($success) {
+                $this->log('INFO', "  Uploaded: {$dl['name']}");
+            } else {
+                $this->log('ERROR', "  Failed to upload: {$dl['name']}");
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Get all channels below the given source channel.
+     */
+    private function getLowerChannels(string $sourceTag): array
+    {
+        $idx = array_search($sourceTag, self::CHANNELS, true);
+        if ($idx === false) {
+            return [];
+        }
+        return array_slice(self::CHANNELS, $idx + 1);
+    }
+
+    /**
+     * Download a file via HTTP.
+     */
+    private function downloadFile(string $url, string $token, string $destPath): bool
+    {
+        $ch = curl_init($url);
+        if ($ch === false) {
+            return false;
+        }
+        $fp = fopen($destPath, 'wb');
+        if ($fp === false) {
+            return false;
+        }
+        curl_setopt_array($ch, [
+            CURLOPT_FOLLOWLOCATION => true,
+            CURLOPT_FILE           => $fp,
+            CURLOPT_HTTPHEADER     => ["Authorization: token {$token}"],
+            CURLOPT_TIMEOUT        => 120,
+        ]);
+        curl_exec($ch);
+        $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+        fclose($fp);
+        return $code >= 200 && $code < 300;
+    }
+
+    /**
+     * Upload a file as a release asset via multipart form.
+     */
+    private function uploadAsset(string $url, string $token, string $filePath, string $fileName): bool
+    {
+        $ch = curl_init($url);
+        if ($ch === false) {
+            return false;
+        }
+        $cfile = new CURLFile($filePath, 'application/octet-stream', $fileName);
+        curl_setopt_array($ch, [
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_POST           => true,
+            CURLOPT_POSTFIELDS     => ['attachment' => $cfile],
+            CURLOPT_HTTPHEADER     => ["Authorization: token {$token}"],
+            CURLOPT_TIMEOUT        => 120,
+        ]);
+        $response = curl_exec($ch);
+        $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+        return $code >= 200 && $code < 300;
+    }
+
+    /**
+     * Make an HTTP request to the Gitea API.
+     */
+    private function giteaApi(
+        string $url,
+        string $token,
+        string $method = 'GET',
+        ?string $body = null
+    ): ?array {
+        $ch = curl_init($url);
+        if ($ch === false) {
+            return null;
+        }
+        curl_setopt_array($ch, [
+            CURLOPT_RETURNTRANSFER => true,
+            CURLOPT_HTTPHEADER     => [
+                "Authorization: token {$token}",
+                'Content-Type: application/json',
+            ],
+            CURLOPT_TIMEOUT        => 30,
+            CURLOPT_CUSTOMREQUEST  => $method,
+        ]);
+        if ($body !== null) {
+            curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
+        }
+        $response = curl_exec($ch);
+        $httpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+
+        if ($httpCode < 200 || $httpCode >= 300 || empty($response) || !is_string($response)) {
+            return null;
+        }
+
+        $decoded = json_decode($response, true);
+        return is_array($decoded) ? $decoded : null;
     }
 }
 

cli/release_publish.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/release_publish.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Publish a release and create copies for all lesser stability streams.
  */
 

cli/scaffold_client.php

@@ -12,7 +12,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/scaffold_client.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Scaffold a new client-waas repo from Template-Client-WaaS with pre-configured settings
  */
 

cli/updates_xml_sync.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/updates_xml_sync.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Sync updates.xml to target branches via Gitea API
  * NOTE: Called by pre-release and auto-release workflows after updates.xml
  *       is modified on the current branch. Pushes the file to other branches

cli/version_auto_bump.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/version_auto_bump.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Auto patch-bump, set stability suffix, and commit — single CLI replacing inline workflow bash
  */
 

cli/version_bump.php

@@ -232,9 +232,25 @@ class VersionBumpCli extends CliFramework
                     $pkgContent
                 );
             }
-            if ($updatedPkg !== $pkgContent) {
+            if ($updatedPkg !== $pkgContent && $updatedPkg !== null) {
                 file_put_contents($packageJsonFile, $updatedPkg);
                 fwrite(STDERR, "Updated package.json\n");
+            } elseif (preg_match('/("version"\s*:\s*")(\d+)\.(\d+)\.(\d+)(")/m', $pkgContent, $semM)) {
+                // Semver fallback: bump standard x.y.z version when XX.YY.ZZ pattern didn't match
+                $sMajor = (int)$semM[2];
+                $sMinor = (int)$semM[3];
+                $sPatch = (int)$semM[4];
+                switch ($type) {
+                    case 'major': $sMajor++; $sMinor = 0; $sPatch = 0; break;
+                    case 'minor': $sMinor++; $sPatch = 0; break;
+                    default: $sPatch++; break;
+                }
+                $semNew = "{$sMajor}.{$sMinor}.{$sPatch}";
+                $semUpdated = preg_replace('/("version"\s*:\s*")\d+\.\d+\.\d+(")/m', '${1}' . $semNew . '${2}', $pkgContent);
+                if ($semUpdated !== $pkgContent) {
+                    file_put_contents($packageJsonFile, $semUpdated);
+                    fwrite(STDERR, "Updated package.json (semver: {$semM[2]}.{$semM[3]}.{$semM[4]} -> $semNew)\n");
+                }
             }
         }
         $pyprojectFile = "{$root}/pyproject.toml";

cli/version_check.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/version_check.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Validate version consistency across README, manifests, and sub-packages
  */
 

cli/wiki_sync.php

@@ -10,7 +10,7 @@
  * INGROUP: mokoplatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /cli/wiki_sync.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Sync select wiki pages from mokoplatform to all template repos
  */
 

deploy/backup-before-deploy.php

@@ -12,7 +12,7 @@
  * INGROUP: MokoPlatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /deploy/backup-before-deploy.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Snapshot Joomla directories before deployment for rollback capability
  */
 

deploy/deploy-dolibarr.php

@@ -12,7 +12,7 @@
  * INGROUP: MokoPlatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /deploy/deploy-dolibarr.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Deploy Dolibarr module files to a remote server via SFTP/rsync
  */
 

deploy/health-check.php

@@ -12,7 +12,7 @@
  * INGROUP: MokoPlatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /deploy/health-check.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Post-deploy health check — verify a Joomla site is responding correctly
  */
 

deploy/rollback-joomla.php

@@ -12,7 +12,7 @@
  * INGROUP: MokoPlatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /deploy/rollback-joomla.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Rollback a Joomla deployment by restoring from a pre-deploy snapshot
  */
 

deploy/sync-joomla.php

@@ -12,7 +12,7 @@
  * INGROUP: MokoPlatform
  * REPO: https://git.mokoconsulting.tech/MokoConsulting/mokoplatform
  * PATH: /deploy/sync-joomla.php
- * VERSION: 09.26.00
+ * VERSION: 09.29.01
  * BRIEF: Sync Joomla site directories between two servers via rsync over SSH
  */
 

mcp/servers/mokobackup/.mokogitea/CLAUDE.md

@@ -28,7 +28,7 @@ src/
 ├── config.ts        # Loads ~/.mcp_mokobackup.json, resolves targets
 ├── client.ts        # Backup execution logic
 ├── akeeba.ts        # Akeeba Backup API integration (Joomla sites)
-├── mokobackup.ts    # MokoJoomBackup REST API integration
+├── mokobackup.ts    # MokoSuite Backup REST API integration
 └── types.ts         # BackupConfig, BackupTarget types
 ```
 

mcp/servers/mokobackup/src/mokobackup.ts

@@ -7,7 +7,7 @@ import type { BackupTarget, BackupResult, AkeebaBackupRecord } from './types.js'
 const TIMEOUT_MS = 300_000; // 5 min for backup operations
 
 /**
- * MokoJoomBackup client using Joomla Web Services API
+ * MokoSuite Backup client using Joomla Web Services API
  * Endpoint: /api/index.php/v1/mokobackup/*
  * Auth: Bearer token (Joomla API token)
  *

mcp/servers/mokocrm_api/CONTRIBUTING.md

@@ -14,7 +14,7 @@
 	DEFGROUP: dolibarr-api-mcp.Documentation
 	INGROUP: dolibarr-api-mcp
 	REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
-	VERSION: 09.26.00
+	VERSION: 09.29.01
 	PATH: ./CONTRIBUTING.md
 	BRIEF: Contribution guidelines for the project
 -->

mcp/servers/mokocrm_api/SECURITY.md

@@ -10,7 +10,7 @@ DEFGROUP: dolibarr-api-mcp.Documentation
 INGROUP: dolibarr-api-mcp
 REPO: https://git.mokoconsulting.tech/MokoConsulting/dolibarr-api-mcp
 PATH: /SECURITY.md
-VERSION: 09.26.00
+VERSION: 09.29.01
 BRIEF: Security vulnerability reporting and handling policy
 -->
 

mcp/servers/mokomonitor/.mokogitea/workflows/repo-health.yml

@@ -85,7 +85,7 @@ jobs:
       - name: Check actor permission (admin only)
         id: perm
         env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
           REPO: ${{ github.repository }}
           ACTOR: ${{ github.actor }}
         run: |

mcp/servers/mokomonitor/mcp_mokomonitor/.mokogitea/workflows/repo-health.yml

@@ -85,7 +85,7 @@ jobs:
       - name: Check actor permission (admin only)
         id: perm
         env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
           REPO: ${{ github.repository }}
           ACTOR: ${{ github.actor }}
         run: |

mcp/servers/mokossh/.mokogitea/workflows/auto-assign.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: Assign unassigned issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           ASSIGNEE="jmiller"

mcp/servers/mokossh/.mokogitea/workflows/auto-dev-issue.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: Create tracking issue and sub-issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           # For manual dispatch, use input; for auto, use event ref
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then

mcp/servers/mokossh/.mokogitea/workflows/auto-release.yml

@@ -55,14 +55,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 0
 
       - name: Setup mokoplatform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT }}"}}'
         run: |
           # Ensure PHP + Composer are available
           if ! command -v composer &> /dev/null; then
@@ -287,7 +287,7 @@ jobs:
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
           # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git commit -m "chore(release): build ${VERSION} [skip ci]" \
             --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -350,20 +350,20 @@ jobs:
           RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
 
           # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
           EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
 
           if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
               "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
               "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
             echo "Deleted previous stable release (id: ${EXISTING_ID})"
           fi
 
           # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/json" \
             "${API_BASE}/releases" \
             -d "$(python3 -c "import json; print(json.dumps({
@@ -385,7 +385,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
           # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
           RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
           if [ -z "$RELEASE_ID" ]; then
@@ -444,7 +444,7 @@ jobs:
           SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
 
           # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
           for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
             ASSET_ID=$(echo "$ASSETS" | python3 -c "
@@ -455,18 +455,18 @@ jobs:
                   print(a['id']); break
           " 2>/dev/null || true)
             if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
                 "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
             fi
           done
 
           # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @"/tmp/${ZIP_NAME}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
 
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @"/tmp/${TAR_NAME}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
@@ -523,7 +523,7 @@ jobs:
             git push || true
 
             # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            GA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
             API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
 
             FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
@@ -605,7 +605,7 @@ jobs:
           [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
 
           # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
             python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
 
@@ -617,7 +617,7 @@ jobs:
           req = urllib.request.Request(
               '${API_BASE}/releases/${RELEASE_ID}',
               data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              headers={'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}', 'Content-Type': 'application/json'},
               method='PATCH'
           )
           urllib.request.urlopen(req)
@@ -629,10 +629,10 @@ jobs:
         if: >-
           steps.version.outputs.skip != 'true' &&
           steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
         continue-on-error: true
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -644,7 +644,7 @@ jobs:
           [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
           echo "$NOTES" > /tmp/release_notes.md
 
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
 
           if [ -z "$EXISTING" ]; then
             gh release create "$RELEASE_TAG" \
@@ -661,8 +661,8 @@ jobs:
           # Upload assets to GitHub mirror
           for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
             if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
             fi
           done
           echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
@@ -671,14 +671,14 @@ jobs:
       - name: "Step 10: Push main to GitHub mirror"
         if: >-
           steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
         continue-on-error: true
         run: |
           GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
           GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
           GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git remote add github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git"
           git fetch origin main --depth=1
           git push github origin/main:refs/heads/main --force 2>/dev/null \
             && echo "main branch pushed to GitHub mirror" \
@@ -691,7 +691,7 @@ jobs:
         run: |
           php /tmp/mokoplatform-api/cli/release_cascade.php \
             --stability stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
             --gitea-url "${GITEA_URL}" 2>/dev/null || true
 
@@ -700,7 +700,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           # Delete dev branch
           curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -724,7 +724,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           MOD_FILE="${{ steps.platform.outputs.mod_file }}"
           ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
           FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)

mcp/servers/mokossh/.mokogitea/workflows/cascade-dev.yml

@@ -52,7 +52,7 @@ jobs:
       - name: Discover target branches
         id: branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
@@ -93,7 +93,7 @@ jobs:
       - name: Cascade to all target branches
         if: steps.branches.outputs.targets != ''
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           SHORT_SHA="${GITHUB_SHA:0:7}"

mcp/servers/mokossh/.mokogitea/workflows/cleanup.yml

@@ -33,11 +33,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Delete merged branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Merged Branch Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:
 
       - name: Clean old workflow runs
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Workflow Run Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"

mcp/servers/mokossh/.mokogitea/workflows/deploy-manual.yml

@@ -42,10 +42,10 @@ jobs:
 
       - name: Setup mokoplatform tools
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
         run: |
           git clone --depth 1 --branch main --quiet \
             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git" \

mcp/servers/mokossh/.mokogitea/workflows/mcp-auto-release.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
       # ── Version ──────────────────────────────────────────────────────
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -212,7 +212,7 @@ jobs:
           steps.version.outputs.skip != 'true' &&
           steps.check.outputs.tag_exists != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"

mcp/servers/mokossh/.mokogitea/workflows/pre-release.yml

@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Setup PHP
         run: |
@@ -54,7 +54,7 @@ jobs:
 
       - name: Setup mokoplatform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
           git clone --depth 1 --branch main --quiet             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git"             /tmp/mokoplatform-api
@@ -89,7 +89,7 @@ jobs:
           # Commit version bump
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git diff --cached --quiet || {
             git commit -m "chore(version): bump to ${VERSION} [skip ci]"
@@ -154,7 +154,7 @@ jobs:
           SHA256="${{ steps.zip.outputs.sha256 }}"
           ZIP_NAME="${{ steps.zip.outputs.zip_name }}"
           EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           BRANCH=$(git branch --show-current)
 
@@ -212,13 +212,13 @@ jobs:
       - name: "Sync updates.xml to all branches"
         if: steps.platform.outputs.platform == 'joomla'
         run: |
-          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.GA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
+          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.MOKOGITEA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
 
       - name: "Delete lesser pre-release channels (cascade)"
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           STABILITY="${{ steps.meta.outputs.stability }}"
 
           # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing

mcp/servers/mokossh/.mokogitea/workflows/repo-health.yml

@@ -81,7 +81,7 @@ jobs:
       - name: Check actor permission (admin only)
         id: perm
         env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
           REPO: ${{ github.repository }}
           ACTOR: ${{ github.actor }}
         run: |

mcp/servers/mokossh/.mokogitea/workflows/repository-cleanup.yml

@@ -67,12 +67,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Check actor permission
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           ACTOR="${{ github.actor }}"
           # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
       - name: Reset labels to standard set
         if: steps.tasks.outputs.reset_labels == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
       - name: Delete old sync branches
         if: steps.tasks.outputs.clean_branches == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
       - name: Clean up workflow runs
         if: steps.tasks.outputs.clean_workflows == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
       - name: Delete old workflow run logs
         if: steps.tasks.outputs.clean_logs == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
       - name: Delete old closed issues
         if: steps.tasks.outputs.delete_closed_issues == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)

mcp/servers/mokossh/.mokogitea/workflows/standards-compliance.yml

@@ -506,8 +506,8 @@ jobs:
 
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:
 
       - name: Install API Package
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           if [ -f "composer.json" ]; then
             composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:
 
       - name: Install API Package
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           if [ -f "composer.json" ]; then
             composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
       - name: Create or reopen tracking issue for standards violations
         if: failure()
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"

mcp/servers/mokossh/.mokogitea/workflows/sync-version-on-merge.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:
 
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
             --create-issue \
             --repo "${{ github.repository }}"
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
 
       - name: Commit updated files
         if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}

mcp/servers/mokosuite_api/.mokogitea/auto-assign.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: Assign unassigned issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           ASSIGNEE="jmiller"

mcp/servers/mokosuite_api/.mokogitea/auto-dev-issue.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: Create tracking issue and sub-issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           # For manual dispatch, use input; for auto, use event ref
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then

mcp/servers/mokosuite_api/.mokogitea/auto-release.yml

@@ -59,13 +59,13 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -275,7 +275,7 @@ jobs:
           steps.version.outputs.skip != 'true' &&
           steps.check.outputs.tag_exists != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"

mcp/servers/mokosuite_api/.mokogitea/cascade-dev.yml

@@ -52,7 +52,7 @@ jobs:
       - name: Discover target branches
         id: branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
@@ -93,7 +93,7 @@ jobs:
       - name: Cascade to all target branches
         if: steps.branches.outputs.targets != ''
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           SHORT_SHA="${GITHUB_SHA:0:7}"

mcp/servers/mokosuite_api/.mokogitea/deploy-demo.yml

@@ -84,7 +84,7 @@ jobs:
           # Prefer the org-scoped GH_TOKEN secret (needed for the org membership
           # fallback). Falls back to the built-in github.token so the collaborator
           # endpoint still works even if GH_TOKEN is not configured.
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           ACTOR="${{ github.actor }}"
           REPO="${{ github.repository }}"
@@ -421,8 +421,8 @@ jobs:
       - name: Setup MokoStandards deploy tools
         if: steps.source.outputs.skip == 'false' && steps.remote.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -647,7 +647,7 @@ jobs:
       - name: Create or update failure issue
         if: failure() && steps.remote.outputs.skip != 'true' && steps.conn.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"

mcp/servers/mokosuite_api/.mokogitea/deploy-dev.yml

@@ -89,7 +89,7 @@ jobs:
           # Prefer the org-scoped GH_TOKEN secret (needed for the org membership
           # fallback). Falls back to the built-in github.token so the collaborator
           # endpoint still works even if GH_TOKEN is not configured.
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           ACTOR="${{ github.actor }}"
           REPO="${{ github.repository }}"
@@ -421,8 +421,8 @@ jobs:
       - name: Setup MokoStandards deploy tools
         if: steps.source.outputs.skip == 'false' && steps.remote.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \

mcp/servers/mokosuite_api/.mokogitea/mcp-auto-release.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
       # ── Version ──────────────────────────────────────────────────────
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -212,7 +212,7 @@ jobs:
           steps.version.outputs.skip != 'true' &&
           steps.check.outputs.tag_exists != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"

mcp/servers/mokosuite_api/.mokogitea/repository-cleanup.yml

@@ -67,12 +67,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Check actor permission
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           ACTOR="${{ github.actor }}"
           # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
       - name: Reset labels to standard set
         if: steps.tasks.outputs.reset_labels == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
       - name: Delete old sync branches
         if: steps.tasks.outputs.clean_branches == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
       - name: Clean up workflow runs
         if: steps.tasks.outputs.clean_workflows == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
       - name: Delete old workflow run logs
         if: steps.tasks.outputs.clean_logs == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
       - name: Delete old closed issues
         if: steps.tasks.outputs.delete_closed_issues == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)

mcp/servers/mokosuite_api/.mokogitea/standards-compliance.yml

@@ -506,8 +506,8 @@ jobs:
 
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:
 
       - name: Install API Package
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           if [ -f "composer.json" ]; then
             composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:
 
       - name: Install API Package
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           if [ -f "composer.json" ]; then
             composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
       - name: Create or reopen tracking issue for standards violations
         if: failure()
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"

mcp/servers/mokosuite_api/.mokogitea/sync-version-on-merge.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:
 
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
             --create-issue \
             --repo "${{ github.repository }}"
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
 
       - name: Commit updated files
         if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}

mcp/servers/mokosuite_api/.mokogitea/workflows/auto-assign.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: Assign unassigned issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           ASSIGNEE="jmiller"

mcp/servers/mokosuite_api/.mokogitea/workflows/auto-dev-issue.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: Create tracking issue and sub-issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           # For manual dispatch, use input; for auto, use event ref
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then

mcp/servers/mokosuite_api/.mokogitea/workflows/auto-release.yml

@@ -55,14 +55,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 0
 
       - name: Setup mokoplatform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT }}"}}'
         run: |
           # Ensure PHP + Composer are available
           if ! command -v composer &> /dev/null; then
@@ -287,7 +287,7 @@ jobs:
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
           # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git commit -m "chore(release): build ${VERSION} [skip ci]" \
             --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -350,20 +350,20 @@ jobs:
           RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
 
           # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
           EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
 
           if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
               "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
               "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
             echo "Deleted previous stable release (id: ${EXISTING_ID})"
           fi
 
           # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/json" \
             "${API_BASE}/releases" \
             -d "$(python3 -c "import json; print(json.dumps({
@@ -385,7 +385,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
           # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
           RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
           if [ -z "$RELEASE_ID" ]; then
@@ -444,7 +444,7 @@ jobs:
           SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
 
           # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
           for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
             ASSET_ID=$(echo "$ASSETS" | python3 -c "
@@ -455,18 +455,18 @@ jobs:
                   print(a['id']); break
           " 2>/dev/null || true)
             if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
                 "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
             fi
           done
 
           # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @"/tmp/${ZIP_NAME}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
 
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @"/tmp/${TAR_NAME}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
@@ -523,7 +523,7 @@ jobs:
             git push || true
 
             # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            GA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
             API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
 
             FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
@@ -605,7 +605,7 @@ jobs:
           [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
 
           # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
             python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
 
@@ -617,7 +617,7 @@ jobs:
           req = urllib.request.Request(
               '${API_BASE}/releases/${RELEASE_ID}',
               data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              headers={'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}', 'Content-Type': 'application/json'},
               method='PATCH'
           )
           urllib.request.urlopen(req)
@@ -629,10 +629,10 @@ jobs:
         if: >-
           steps.version.outputs.skip != 'true' &&
           steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
         continue-on-error: true
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -644,7 +644,7 @@ jobs:
           [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
           echo "$NOTES" > /tmp/release_notes.md
 
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
 
           if [ -z "$EXISTING" ]; then
             gh release create "$RELEASE_TAG" \
@@ -661,8 +661,8 @@ jobs:
           # Upload assets to GitHub mirror
           for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
             if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
             fi
           done
           echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
@@ -671,14 +671,14 @@ jobs:
       - name: "Step 10: Push main to GitHub mirror"
         if: >-
           steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
         continue-on-error: true
         run: |
           GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
           GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
           GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git remote add github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git"
           git fetch origin main --depth=1
           git push github origin/main:refs/heads/main --force 2>/dev/null \
             && echo "main branch pushed to GitHub mirror" \
@@ -691,7 +691,7 @@ jobs:
         run: |
           php /tmp/mokoplatform-api/cli/release_cascade.php \
             --stability stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
             --gitea-url "${GITEA_URL}" 2>/dev/null || true
 
@@ -700,7 +700,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           # Delete dev branch
           curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -724,7 +724,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           MOD_FILE="${{ steps.platform.outputs.mod_file }}"
           ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
           FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)

mcp/servers/mokosuite_api/.mokogitea/workflows/cascade-dev.yml

@@ -52,7 +52,7 @@ jobs:
       - name: Discover target branches
         id: branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
@@ -93,7 +93,7 @@ jobs:
       - name: Cascade to all target branches
         if: steps.branches.outputs.targets != ''
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           SHORT_SHA="${GITHUB_SHA:0:7}"

mcp/servers/mokosuite_api/.mokogitea/workflows/cleanup.yml

@@ -33,11 +33,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Delete merged branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Merged Branch Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:
 
       - name: Clean old workflow runs
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Workflow Run Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"

mcp/servers/mokosuite_api/.mokogitea/workflows/deploy-manual.yml

@@ -42,10 +42,10 @@ jobs:
 
       - name: Setup mokoplatform tools
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
         run: |
           git clone --depth 1 --branch main --quiet \
             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git" \

mcp/servers/mokosuite_api/.mokogitea/workflows/mcp-auto-release.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
       # ── Version ──────────────────────────────────────────────────────
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -212,7 +212,7 @@ jobs:
           steps.version.outputs.skip != 'true' &&
           steps.check.outputs.tag_exists != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"

mcp/servers/mokosuite_api/.mokogitea/workflows/pre-release.yml

@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Setup PHP
         run: |
@@ -54,7 +54,7 @@ jobs:
 
       - name: Setup mokoplatform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
         run: |
           git clone --depth 1 --branch main --quiet             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/mokoplatform.git"             /tmp/mokoplatform-api
@@ -89,7 +89,7 @@ jobs:
           # Commit version bump
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git diff --cached --quiet || {
             git commit -m "chore(version): bump to ${VERSION} [skip ci]"
@@ -154,7 +154,7 @@ jobs:
           SHA256="${{ steps.zip.outputs.sha256 }}"
           ZIP_NAME="${{ steps.zip.outputs.zip_name }}"
           EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           BRANCH=$(git branch --show-current)
 
@@ -212,13 +212,13 @@ jobs:
       - name: "Sync updates.xml to all branches"
         if: steps.platform.outputs.platform == 'joomla'
         run: |
-          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.GA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
+          php /tmp/mokoplatform-api/cli/updates_xml_sync.php             --path .             --current "${{ github.ref_name }}"             --branches main,dev             --version "${{ steps.meta.outputs.version }}"             --token "${{ secrets.MOKOGITEA_TOKEN }}"             --org "${GITEA_ORG}"             --repo "${GITEA_REPO}"             --gitea-url "${GITEA_URL}"
 
       - name: "Delete lesser pre-release channels (cascade)"
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           STABILITY="${{ steps.meta.outputs.stability }}"
 
           # Cascade: rc → beta,alpha,dev | beta → alpha,dev | alpha → dev | dev → nothing

mcp/servers/mokosuite_api/.mokogitea/workflows/repo-health.yml

@@ -81,7 +81,7 @@ jobs:
       - name: Check actor permission (admin only)
         id: perm
         env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
           REPO: ${{ github.repository }}
           ACTOR: ${{ github.actor }}
         run: |

mcp/servers/mokosuite_api/.mokogitea/workflows/repository-cleanup.yml

@@ -67,12 +67,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Check actor permission
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           ACTOR="${{ github.actor }}"
           # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
       - name: Reset labels to standard set
         if: steps.tasks.outputs.reset_labels == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
       - name: Delete old sync branches
         if: steps.tasks.outputs.clean_branches == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
       - name: Clean up workflow runs
         if: steps.tasks.outputs.clean_workflows == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
       - name: Delete old workflow run logs
         if: steps.tasks.outputs.clean_logs == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
       - name: Delete old closed issues
         if: steps.tasks.outputs.delete_closed_issues == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)

mcp/servers/mokosuite_api/.mokogitea/workflows/standards-compliance.yml

@@ -506,8 +506,8 @@ jobs:
 
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -1970,8 +1970,8 @@ jobs:
 
       - name: Install API Package
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           if [ -f "composer.json" ]; then
             composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2042,8 +2042,8 @@ jobs:
 
       - name: Install API Package
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           if [ -f "composer.json" ]; then
             composer install --no-dev --no-interaction --prefer-dist --optimize-autoloader
@@ -2537,7 +2537,7 @@ jobs:
       - name: Create or reopen tracking issue for standards violations
         if: failure()
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           RUN_URL="${{ github.server_url }}/${REPO}/actions/runs/${{ github.run_id }}"

mcp/servers/mokosuite_api/.mokogitea/workflows/sync-version-on-merge.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Set up PHP
@@ -55,8 +55,8 @@ jobs:
 
       - name: Setup MokoStandards tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/mokoconsulting-tech/MokoStandards.git" \
@@ -106,7 +106,7 @@ jobs:
             --create-issue \
             --repo "${{ github.repository }}"
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
 
       - name: Commit updated files
         if: ${{ steps.readme_version.outputs.skip != 'true' && inputs.dry_run != true }}

mcp/servers/mokosuite_api/CONTRIBUTING.md

@@ -14,7 +14,7 @@
 	DEFGROUP: 
 	INGROUP: Project.Documentation
 	REPO: https://git.mokoconsulting.tech/MokoConsulting/MokoStandards-Template-Generic
-	VERSION: 09.26.00
+	VERSION: 09.29.01
 	PATH: ./CONTRIBUTING.md
 	BRIEF: Contribution guidelines for the project
 -->

mcp/servers/mokosuite_api/SECURITY.md

@@ -23,7 +23,7 @@ DEFGROUP: [PROJECT_NAME]
 INGROUP: [PROJECT_NAME].Documentation
 REPO: [REPOSITORY_URL]
 PATH: /SECURITY.md
-VERSION: 09.26.00
+VERSION: 09.29.01
 BRIEF: Security vulnerability reporting and handling policy
 -->
 

mcp/servers/windows/.mokogitea/workflows/auto-assign.yml

@@ -32,7 +32,7 @@ jobs:
     steps:
       - name: Assign unassigned issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           ASSIGNEE="jmiller"

mcp/servers/windows/.mokogitea/workflows/auto-dev-issue.yml

@@ -47,7 +47,7 @@ jobs:
     steps:
       - name: Create tracking issue and sub-issues
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           # For manual dispatch, use input; for auto, use event ref
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then

mcp/servers/windows/.mokogitea/workflows/auto-release.yml

@@ -53,14 +53,14 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
           fetch-depth: 0
 
       - name: Setup mokoplatform tools
         env:
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
           MOKO_CLONE_HOST: git.mokoconsulting.tech/MokoConsulting
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN }}"}}'
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT }}"}}'
         run: |
           # Ensure PHP + Composer are available
           if ! command -v composer &> /dev/null; then
@@ -286,7 +286,7 @@ jobs:
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
           # Set push URL with token for branch-protected repos
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git commit -m "chore(release): build ${VERSION} [skip ci]" \
             --author="gitea-actions[bot] <gitea-actions[bot]@mokoconsulting.tech>"
@@ -349,20 +349,20 @@ jobs:
           RELEASE_NAME="${EXT_NAME} ${VERSION} (${TYPE_PREFIX}${EXT_ELEMENT}-${VERSION})"
 
           # Delete existing release if present (overwrite, not append)
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
           EXISTING_ID=$(echo "$EXISTING" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('id',''))" 2>/dev/null || true)
 
           if [ -n "$EXISTING_ID" ]; then
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
               "${API_BASE}/releases/${EXISTING_ID}" 2>/dev/null || true
-            curl -sS -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+            curl -sS -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
               "${API_BASE}/tags/${RELEASE_TAG}" 2>/dev/null || true
             echo "Deleted previous stable release (id: ${EXISTING_ID})"
           fi
 
           # Create fresh release
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/json" \
             "${API_BASE}/releases" \
             -d "$(python3 -c "import json; print(json.dumps({
@@ -384,7 +384,7 @@ jobs:
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
           # All ZIPs upload to the major release tag (vXX)
-          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_JSON=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null || true)
           RELEASE_ID=$(echo "$RELEASE_JSON" | python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
           if [ -z "$RELEASE_ID" ]; then
@@ -443,7 +443,7 @@ jobs:
           SHA256_TAR=$(sha256sum "/tmp/${TAR_NAME}" | cut -d' ' -f1)
 
           # -- Delete existing assets with same name before uploading ------
-          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          ASSETS=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets" 2>/dev/null || echo "[]")
           for ASSET_NAME in "$ZIP_NAME" "$TAR_NAME"; do
             ASSET_ID=$(echo "$ASSETS" | python3 -c "
@@ -454,18 +454,18 @@ jobs:
                   print(a['id']); break
           " 2>/dev/null || true)
             if [ -n "$ASSET_ID" ]; then
-              curl -sf -X DELETE -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+              curl -sf -X DELETE -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
                 "${API_BASE}/releases/${RELEASE_ID}/assets/${ASSET_ID}" 2>/dev/null || true
             fi
           done
 
           # -- Upload both to release tag ----------------------------------
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @"/tmp/${ZIP_NAME}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets?name=${ZIP_NAME}" > /dev/null 2>&1 || true
 
-          curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             -H "Content-Type: application/octet-stream" \
             --data-binary @"/tmp/${TAR_NAME}" \
             "${API_BASE}/releases/${RELEASE_ID}/assets?name=${TAR_NAME}" > /dev/null 2>&1 || true
@@ -522,7 +522,7 @@ jobs:
             git push || true
 
             # Sync updates.xml to main via direct API (always runs — may be on version/XX branch)
-            GA_TOKEN="${{ secrets.GA_TOKEN }}"
+            GA_TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
             API="${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}"
 
             FILE_SHA=$(curl -sf -H "Authorization: token ${GA_TOKEN}" \
@@ -604,7 +604,7 @@ jobs:
           [ -n "$SHA256_TAR" ] && BODY="${BODY}| \`${TAR_NAME}\` | \`${SHA256_TAR}\` |\n"
 
           # Get release ID and update body
-          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" \
+          RELEASE_ID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" \
             "${API_BASE}/releases/tags/${RELEASE_TAG}" 2>/dev/null | \
             python3 -c "import sys,json; print(json.load(sys.stdin).get('id',''))" 2>/dev/null || true)
 
@@ -616,7 +616,7 @@ jobs:
           req = urllib.request.Request(
               '${API_BASE}/releases/${RELEASE_ID}',
               data=data,
-              headers={'Authorization': 'token ${{ secrets.GA_TOKEN }}', 'Content-Type': 'application/json'},
+              headers={'Authorization': 'token ${{ secrets.MOKOGITEA_TOKEN }}', 'Content-Type': 'application/json'},
               method='PATCH'
           )
           urllib.request.urlopen(req)
@@ -628,10 +628,10 @@ jobs:
         if: >-
           steps.version.outputs.skip != 'true' &&
           steps.version.outputs.stability == 'stable' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
         continue-on-error: true
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GH_TOKEN: ${{ secrets.GH_PAT }}
         run: |
           VERSION="${{ steps.bump.outputs.version || steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"
@@ -643,7 +643,7 @@ jobs:
           [ -z "$NOTES" ] && NOTES="Release ${VERSION}"
           echo "$NOTES" > /tmp/release_notes.md
 
-          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
+          EXISTING=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".tag_name // empty" || true)
 
           if [ -z "$EXISTING" ]; then
             gh release create "$RELEASE_TAG" \
@@ -660,8 +660,8 @@ jobs:
           # Upload assets to GitHub mirror
           for PKG in /tmp/${EXT_ELEMENT:-pkg}-${VERSION}.*; do
             if [ -f "$PKG" ]; then
-              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.GA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
-              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.GA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
+              _RELID=$(curl -sf -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/tags/$RELEASE_TAG" 2>/dev/null | jq -r ".id // empty")
+              [ -n "$_RELID" ] && curl -sf -X POST -H "Authorization: token ${{ secrets.MOKOGITEA_TOKEN }}" -H "Content-Type: application/octet-stream" "${GITEA_URL:-https://git.mokoconsulting.tech}/api/v1/repos/${{ github.repository }}/releases/${_RELID}/assets?name=$(basename $PKG)" --data-binary "@$PKG" > /dev/null 2>&1 || true
             fi
           done
           echo "GitHub mirror updated: ${GH_REPO} ${RELEASE_TAG}" >> $GITHUB_STEP_SUMMARY
@@ -670,14 +670,14 @@ jobs:
       - name: "Step 10: Push main to GitHub mirror"
         if: >-
           steps.version.outputs.skip != 'true' &&
-          secrets.GH_TOKEN != ''
+          secrets.GH_PAT != ''
         continue-on-error: true
         run: |
           GH_REPO="${{ vars.GH_MIRROR_REPO || github.repository }}"
           GH_ORG=$(echo "$GH_REPO" | cut -d/ -f1)
           GH_NAME=$(echo "$GH_REPO" | cut -d/ -f2)
-          git remote add github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
-            git remote set-url github "https://x-access-token:${{ secrets.GH_TOKEN }}@github.com/${GH_ORG}/${GH_NAME}.git"
+          git remote add github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git" 2>/dev/null || \
+            git remote set-url github "https://x-access-token:${{ secrets.GH_PAT }}@github.com/${GH_ORG}/${GH_NAME}.git"
           git fetch origin main --depth=1
           git push github origin/main:refs/heads/main --force 2>/dev/null \
             && echo "main branch pushed to GitHub mirror" \
@@ -690,7 +690,7 @@ jobs:
         run: |
           php /tmp/mokoplatform-api/cli/release_cascade.php \
             --stability stable \
-            --token "${{ secrets.GA_TOKEN }}" \
+            --token "${{ secrets.MOKOGITEA_TOKEN }}" \
             --org "${GITEA_ORG}" --repo "${GITEA_REPO}" \
             --gitea-url "${GITEA_URL}" 2>/dev/null || true
 
@@ -699,7 +699,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           # Delete dev branch
           curl -sf -X DELETE -H "Authorization: token ${TOKEN}" \
@@ -723,7 +723,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           MOD_FILE="${{ steps.platform.outputs.mod_file }}"
           ENCODED_PATH=$(echo "$MOD_FILE" | sed 's|^\./||' | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))")
           FILE_RESP=$(curl -sf -H "Authorization: token ${TOKEN}" "${API_BASE}/contents/${ENCODED_PATH}?ref=dev" 2>/dev/null || true)

mcp/servers/windows/.mokogitea/workflows/cascade-dev.yml

@@ -52,7 +52,7 @@ jobs:
       - name: Discover target branches
         id: branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
 
@@ -93,7 +93,7 @@ jobs:
       - name: Cascade to all target branches
         if: steps.branches.outputs.targets != ''
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           SHORT_SHA="${GITHUB_SHA:0:7}"

mcp/servers/windows/.mokogitea/workflows/cleanup.yml

@@ -33,11 +33,11 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Delete merged branches
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Merged Branch Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"
@@ -66,7 +66,7 @@ jobs:
 
       - name: Clean old workflow runs
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN }}
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN }}
         run: |
           echo "=== Workflow Run Cleanup ==="
           API="${GITEA_URL}/api/v1/repos/${{ github.repository }}"

mcp/servers/windows/.mokogitea/workflows/deploy-manual.yml

@@ -42,10 +42,10 @@ jobs:
 
       - name: Setup MokoStandards tools
         env:
-          GA_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
-          MOKO_CLONE_HOST: ${{ secrets.GA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GA_TOKEN || github.token }}"}}'
+          GA_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
+          MOKO_CLONE_HOST: ${{ secrets.MOKOGITEA_TOKEN && 'git.mokoconsulting.tech/MokoConsulting' || 'github.com/mokoconsulting-tech' }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.MOKOGITEA_TOKEN || github.token }}"}}'
         run: |
           git clone --depth 1 --branch main --quiet \
             "https://x-access-token:${MOKO_CLONE_TOKEN}@${MOKO_CLONE_HOST}/MokoStandards-API.git" \

mcp/servers/windows/.mokogitea/workflows/mcp-auto-release.yml

@@ -38,7 +38,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       # ── Build ────────────────────────────────────────────────────────
@@ -89,8 +89,8 @@ jobs:
       # ── Version ──────────────────────────────────────────────────────
       - name: Setup mokoplatform tools
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
-          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_TOKEN || github.token }}"}}'
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GH_PAT || github.token }}"}}'
         run: |
           git clone --depth 1 --branch version/04 --quiet \
             "https://x-access-token:${GH_TOKEN}@github.com/MokoConsulting/mokoplatform.git" \
@@ -212,7 +212,7 @@ jobs:
           steps.version.outputs.skip != 'true' &&
           steps.check.outputs.tag_exists != 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
           RELEASE_TAG="${{ steps.version.outputs.release_tag }}"

mcp/servers/windows/.mokogitea/workflows/pre-release.yml

@@ -43,7 +43,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.GA_TOKEN }}
+          token: ${{ secrets.MOKOGITEA_TOKEN }}
 
       - name: Setup tools
         run: |
@@ -58,7 +58,7 @@ jobs:
               sudo apt-get install -y -qq php-cli php-mbstring php-xml php-zip php-curl >/dev/null 2>&1
             fi
             git clone --depth 1 --branch main --quiet \
-              "https://x-access-token:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
+              "https://x-access-token:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/MokoConsulting/mokoplatform.git" \
               /tmp/mokoplatform-api
           fi
           # Set MOKO_CLI to whichever path exists
@@ -110,7 +110,7 @@ jobs:
           # Commit version bump
           git config --local user.email "gitea-actions[bot]@mokoconsulting.tech"
           git config --local user.name "gitea-actions[bot]"
-          git remote set-url origin "https://jmiller:${{ secrets.GA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
+          git remote set-url origin "https://jmiller:${{ secrets.MOKOGITEA_TOKEN }}@git.mokoconsulting.tech/${{ github.repository }}.git"
           git add -A
           git diff --cached --quiet || {
             git commit -m "chore(version): pre-release bump to ${VERSION} [skip ci]"
@@ -225,7 +225,7 @@ jobs:
           SHA256="${{ steps.zip.outputs.sha256 }}"
           ZIP_NAME="${{ steps.meta.outputs.zip_name }}"
           EXT_ELEMENT="${{ steps.meta.outputs.ext_element }}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
           API="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
           BRANCH=$(git branch --show-current)
 
@@ -351,7 +351,7 @@ jobs:
         continue-on-error: true
         run: |
           API_BASE="${GITEA_URL}/api/v1/repos/${GITEA_ORG}/${GITEA_REPO}"
-          TOKEN="${{ secrets.GA_TOKEN }}"
+          TOKEN="${{ secrets.MOKOGITEA_TOKEN }}"
 
           php ${MOKO_CLI}/release_cascade.php \
             --stability "${{ steps.meta.outputs.stability }}" \

mcp/servers/windows/.mokogitea/workflows/repo-health.yml

@@ -85,7 +85,7 @@ jobs:
       - name: Check actor permission (admin only)
         id: perm
         env:
-          TOKEN: ${{ secrets.GA_TOKEN || secrets.GA_TOKEN || github.token }}
+          TOKEN: ${{ secrets.MOKOGITEA_TOKEN || secrets.MOKOGITEA_TOKEN || github.token }}
           REPO: ${{ github.repository }}
           ACTOR: ${{ github.actor }}
         run: |

mcp/servers/windows/.mokogitea/workflows/repository-cleanup.yml

@@ -67,12 +67,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GH_TOKEN || github.token }}
+          token: ${{ secrets.GH_PAT || github.token }}
           fetch-depth: 0
 
       - name: Check actor permission
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           ACTOR="${{ github.actor }}"
           # Schedule triggers use github-actions[bot]
@@ -185,7 +185,7 @@ jobs:
       - name: Reset labels to standard set
         if: steps.tasks.outputs.reset_labels == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🏷️ Label Reset" >> $GITHUB_STEP_SUMMARY
@@ -267,7 +267,7 @@ jobs:
       - name: Delete old sync branches
         if: steps.tasks.outputs.clean_branches == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CURRENT="chore/sync-mokostandards-v04.05"
@@ -295,7 +295,7 @@ jobs:
       - name: Clean up workflow runs
         if: steps.tasks.outputs.clean_workflows == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           echo "## 🔄 Workflow Run Cleanup" >> $GITHUB_STEP_SUMMARY
@@ -317,7 +317,7 @@ jobs:
       - name: Delete old workflow run logs
         if: steps.tasks.outputs.clean_logs == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)
@@ -494,7 +494,7 @@ jobs:
       - name: Delete old closed issues
         if: steps.tasks.outputs.delete_closed_issues == 'true'
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN || github.token }}
+          GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
         run: |
           REPO="${{ github.repository }}"
           CUTOFF=$(date -u -d '30 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-30d +%Y-%m-%dT%H:%M:%SZ)