Skip to content

Releases: dknauss/Sudo

v4.7.0

Choose a tag to compare

@github-actions github-actions released this 16 Jul 19:29
3cf7ee7

What's Changed

  • docs(release): post-tag housekeeping β€” record v4.6.0 as latest tag by @dknauss in #176
  • test(e2e): harden multisite stack smoke, re-scope lane into release gate by @dknauss in #177
  • feat(editor): in-editor reauth β€” Milestone A (password path) by @dknauss in #178
  • docs: pre-release demo fix, canonical editor-scope doc, and lockdown research by @dknauss in #179
  • fix(demo): make in-editor reauth demo self-guiding (open inserter + notice) by @dknauss in #180
  • docs(readme): describe the self-guiding in-editor reauth demo by @dknauss in #181
  • docs(planning): in-editor sudo session-indicator research todo by @dknauss in #182
  • chore: ignore .codex/ and .playwright-mcp/ agent artifacts by @dknauss in #183
  • docs: reconcile planning/roadmap state to post-v4.5 editor-reauth reality by @dknauss in #184
  • feat(editor): in-editor 2FA β€” Milestone B (server-rendered provider partial) by @dknauss in #185
  • fix(challenge): strip provider _ajax_nonce before the full-page 2FA submit by @dknauss in #186
  • docs(demo): add in-editor 2FA Playground blueprint (Milestone B) by @dknauss in #187
  • fix(demo): let the in-editor 2FA blueprint reach the editor by @dknauss in #189
  • docs(state): close out the In-Editor Reauth track by @dknauss in #190
  • Enhance README with demo and reauth details by @dknauss in #191
  • fix(demo): list several rolling TOTP codes in the in-editor 2FA notice (supersedes #188) by @dknauss in #192
  • docs(readme): add in-editor two-factor modal screenshot by @dknauss in #193
  • Clarify reauth demo link in README by @dknauss in #194
  • feat(demo): multisite/network-admin scenario blueprint (#72) by @dknauss in #196
  • docs(readme): feature multisite demo as a 5th Playground badge by @dknauss in #197
  • docs(state): handoff β€” record demo/docs arc, leave #67 unclaimed by @dknauss in #198
  • release: v4.7.0 β€” in-editor reauth modal (Milestones A + B) by @dknauss in #199

Full Changelog: v4.6.0...v4.7.0

v4.6.0 β€” In-editor reauthentication & critical-event alerting

Choose a tag to compare

@dknauss dknauss released this 06 Jul 18:35
9ef1880

Feature release. Adds block-editor in-editor reauthentication (link-out increment) and an optional push-notification bridge for high-severity audit events, plus the admin user-identity harmonization that had been staged as 4.5.1. Backward-compatible β€” no migration required.

Highlights

  • In-editor reauthentication for the block editor. When a block-editor request is soft-blocked with sudo_required, the editor now shows an in-editor snackbar with a "Reauthenticate" action that opens the challenge page, instead of dead-ending on an opaque 403. Editor state is preserved; you grant a sudo session and retry. An apiFetch middleware detects the block (including inside a /batch/v1 envelope) and uses the server-emitted challenge_url verbatim, degrading to a plain message if that URL is absent or not same-origin. This is the link-out increment: the shipped client only opens the challenge page. Server-side plumbing for the forthcoming in-editor modal (grant-config localization + a logged-in-only nonce-refresh endpoint) also lands but is not yet consumed by the client; the in-editor password/2FA modal and automatic request re-dispatch come in a later release.

  • Optional critical-event alert bridge. New optional mu-plugin (bridges/wp-sudo-critical-alert-bridge.php) that pushes a notification when a high-severity audit hook fires β€” capability tamper, blocked escalation, reauth lockout, and dropped built-in rules (plus opt-in, throttled recovery-mode) β€” where the Stream/WSAL bridges only log. Emails the scope-appropriate admin out of the box, with a wp_sudo_critical_alert_dispatch filter to send Slack/Teams/webhook instead. Alerts are dispatched on shutdown (never delaying the gate), deduped per identity, and capped per recipient, with an overflow digest. A demo companion renders alerts inline for sandboxes without outbound network (e.g. WordPress Playground). Inert unless installed.

  • Harmonized user identity across admin surfaces. The Session Activity dashboard widget and the Settings β†’ Sudo Access tab now present users identically: full real name primary, username secondary (linked to user-edit when permitted), with an avatar and translated role chips. Also fixes a widget avatar that failed to render when the site's "Show Avatars" setting was off.

Notes

  • No migration required. The alert bridge is opt-in β€” drop it into wp-content/mu-plugins/.
  • Requires WordPress 6.4+ and PHP 8.2+.
  • Versioning: minor. The new documented public extension filters shipped with the alert bridge are a backward-compatible API addition (see VERSIONING.md).

Full changelog: see CHANGELOG.md β†’ 4.6.0, or git log v4.5.0..v4.6.0 --oneline.

What's Changed

  • chore(release): bump blueprint.json stable-demo target to v4.5.0 [MERGE AT TAG TIME] by @dknauss in #150
  • feat(admin): harmonize user identity on the dashboard widget + Access tab by @dknauss in #154
  • docs(packaging): exclude blueprint.json from the plugin ZIP + add a blueprint index by @dknauss in #153
  • docs(release): record v4.5.0 as the latest tagged release by @dknauss in #152
  • chore(release): 4.5.1 by @dknauss in #156
  • Add release confidence and Sudo Lite baselines by @dknauss in #155
  • docs(planning): block-editor reauth design phase β€” inventory, reviews, scope, Phase 2 plan by @dknauss in #157
  • docs: close missed review findings (5 merged PRs) + enable conversation-resolution gate by @dknauss in #159
  • docs(planning): re-land reauth PR #157 review fixes (merged before they landed) by @dknauss in #158
  • docs: footprint & performance stats for READMEs by @dknauss in #160
  • docs(readme): add Footprint and performance section (missed in #160) by @dknauss in #161
  • docs(readme): drop "hand-written PHP" phrasing (re-land, missed by #161 merge race) by @dknauss in #162
  • docs(lies-log): record #31 β€” false '#161 verified clean' confabulation by @dknauss in #163
  • feat(bridges): optional critical-event alert bridge + Playground inline demo by @dknauss in #166
  • feat(editor): surface sudo_required as link-out snackbar in block editor by @dknauss in #165
  • fix: worktree/tooling robustness (merge-aware size gate + verify-metrics .claude exclusion) by @dknauss in #167
  • feat(editor): Gutenberg reauth Increment 2, Task 2 β€” grant plumbing + nonce-refresh endpoint by @dknauss in #168
  • docs: critical-hook alerting snippet + roadmap a critical-event alert bridge by @dknauss in #164
  • chore(deps-dev): bump phpstan/phpstan from 2.2.2 to 2.2.5 by @dependabot[bot] in #169
  • chore(deps): bump actions/checkout from 4 to 7 by @dependabot[bot] in #171
  • chore(deps): bump softprops/action-gh-release from 2 to 3 by @dependabot[bot] in #170
  • chore(deps-dev): bump @wordpress/env from 11.9.0 to 11.10.0 by @dependabot[bot] in #172
  • chore(i18n): refresh translation template by @dknauss in #173
  • chore(release): re-scope staged release 4.5.1 β†’ 4.6.0 (minor) by @dknauss in #174
  • ci(release-confidence): de-scope the nginx-multisite smoke lane (tracked, non-regression) by @dknauss in #175

Full Changelog: v4.5.0...v4.6.0

Sudo 4.5.0 β€” Session Governance, Admin UX & Security Hardening

Choose a tag to compare

@dknauss dknauss released this 05 Jul 15:42
70cddfe

This is a recommended security update: WP Sudo 4.5.0 hardens the admin-escalation guard and session revocation, adds native bulk session revocation with dashboard visibility, and refines the Access-tab capability UI for readability and accessibility β€” WordPress 6.4+ / PHP 8.2+, no migration.

πŸ”’ Security hardening

  • Escalation-guard authority. The opt-in admin-escalation guard now requires the acting user to actually hold the promoting authority β€” promote_users for administrator grants (checked on the target blog) or existing super-admin for grant_super_admin β€” in addition to an active sudo session. Sudo is reauthentication, not authorization: a low-privilege account can hold a sudo session, so requiring the session alone could wave through an escalation reached via a broken-access-control route. Blocked grants still fire wp_sudo_escalation_blocked.
  • Session-revocation token binding. Users-list session revocation (row action and the new bulk action) now requires the operator's token-bound sudo session, not just a live expiry timestamp. A stolen auth cookie β€” or a second session without its own sudo β€” can no longer revoke other users' sessions. Revoking several sessions in a row no longer forces a re-challenge between them.

✨ Session governance & admin UX

  • Bulk session revocation. Revoking sessions is now a native "Revoke sudo sessions" entry in the Users-list Bulk actions dropdown (filter to the Sudo Active view, select, apply) β€” replacing the old toolbar button and its confirmation interstitial, mirroring core's password-reset bulk action. It enforces operator token-bound sudo, consumes one rate-limit slot per batch, skips your own row, and β€” hardening from external review β€” runs from a nonce-verified interceptor with a current-site membership guard, so forged user IDs can't revoke or probe other sites' sessions on multisite. Site-wide revoke remains available via wp sudo revoke --all.
  • Dashboard revocation visibility. The Session Activity widget now records and shows session_revoked events with the reason tag and operator, and gives escalation_blocked a readable "Escalation" label with distinct pill styling.
  • Access-tab readability, accessibility & i18n. The capability-holder table lists each capability on its own line with a human-readable label and a paired Revoke control β€” developer-centric slugs move to a hover tooltip and a screen-reader span instead of prominent run-on text. Each Revoke button gets a capability-specific accessible name, labels are translatable, and the revoke JS removes the whole item on success (no stale lingering entry).
  • Governance coverage panel fixes (multisite). The coverage panel now names the capability it actually scans (manage_network_options on multisite) and no longer false-flags super admins as unable to access Sudo settings.

πŸ”— Two Factor lifecycle bridge

  • The optional Two Factor bridge now also gates meaningful classic profile.php / user-edit.php provider lifecycle changes β€” enabling/disabling a provider, changing the primary provider, and TOTP enrollment/removal β€” behind an active sudo session. Unrelated profile saves and normalized no-op resubmissions are not gated.

🌐 Localization packaging

  • WP-CLI-backed Composer commands to regenerate and verify languages/wp-sudo.pot, the committed release-grade POT template, and documented workflow.

Compatibility

Requires WordPress 6.4+ and PHP 8.2+. No migration required.

Full Changelog: v4.2.2...v4.5.0

WP Sudo 4.2.1

Choose a tag to compare

@dknauss dknauss released this 28 Jun 05:11

4.2.1 - 2026-06-28

  • WordPress.org package readiness: cleaned Pressship/Plugin Check input-handling findings by unslashing request values at the flagged sites and shortening the 4.0.0 upgrade notice to fit directory limits.
  • Submission warning triage: reduced package validation to one documented slug warning (wp-sudo contains wp), added targeted notes/suppressions for intentional bridge, core-hook, and prepared-SQL false positives, and documented the slug decision in the WordPress.org submission checklist.
  • Release hygiene: refreshed package metrics and Psalm baseline entries after the cleanup.

WP Sudo 4.2.0

Choose a tag to compare

@dknauss dknauss released this 27 Jun 16:32

4.2.0 - 2026-06-27

  • Two Factor bridge hardening: the optional Two Factor bridge now gates REST
    factor-management operations behind WP Sudo, extending sudo coverage to a
    sensitive 2FA account-control surface.
  • Observability (WSAL bridge expansion): the optional WP Activity Log sensor
    bridge maps the additional security/governance audit hooks added in the 4.1.x
    line into WSAL events for escalation blocks, session revocation, recovery-mode
    use, governance-capability changes, missing built-in rules, and regex-rule
    failures.
  • Gutenberg REST UX groundwork: cookie-authenticated REST sudo_required
    responses now include a challenge_url so block-editor clients can direct the
    user to reauthenticate without using server-side Request_Stash replay.
    Headless REST policy responses (sudo_disabled / sudo_blocked) are
    unchanged.
  • Test hardening: added integration coverage for activation/deactivation
    lifecycle behavior, WP_Session_Tokens::destroy_all() login-session-binding
    invariants, and live admin-escalation guard hooks.
  • Planning and reference docs: documented the Gutenberg route inventory, the
    build-free vanilla-JS decision for Phase 2 editor UX work, API-only
    configuration surfaces, and the accepted blog-invariant Connectors matcher
    cache behavior.

WP Sudo 4.1.0 β€” security hardening

Choose a tag to compare

@dknauss dknauss released this 24 Jun 15:33
1a899fc

Security-hardening release. Requires WordPress 6.4+, PHP 8.2+.

  • Gate-completeness fixes (coordinated disclosure; affected versions ≀ 4.0.0): interactive effect-level backstop on admin_init + login-session binding of the sudo proof (#102); REST effect-level backstop for custom routes (#104).
  • Admin-escalation guard (opt-in, default OFF): refuses to grant a new administrator/super-admin without an active sudo session β€” hooks the capabilities-meta write + grant_super_admin, so it covers REST/AJAX/unauthenticated paths. Filters wp_sudo_guard_escalation / wp_sudo_allow_escalation, constant WP_SUDO_ALLOW_ESCALATION, high-severity wp_sudo_escalation_blocked event. Known limits: runtime user_has_cap/map_meta_cap grants and direct $wpdb writes are not caught (#111).
  • Docs aligned with shipped code (#113); Playground demo link bumped (#114).

Full notes: see CHANGELOG.md (## 4.1.0).

v4.0.0 β€” Pre-Public Hardening Baseline

Choose a tag to compare

@dknauss dknauss released this 22 Jun 01:53
661a72e

First WordPress.org-ready release. WP Sudo is action-gated reauthentication for WordPress: dangerous admin actions (plugin/theme/user/settings/network changes) require reauthentication before they proceed β€” regardless of role.

⚠️ Breaking changes

  • Removed the deprecated sudo_can() function β€” switch any calls to wp_sudo_can().
  • Removed the compatibility governance mode; governance is now always strict. The leftover wp_sudo_governance_mode option is removed automatically on upgrade (one-time dismissible notice, no manual cleanup).
  • Minimum requirements raised: WordPress 6.4, PHP 8.2.
  • WP_SUDO_RECOVERY_MODE remains the only break-glass lockout-recovery path.

Features

  • Connectors registry-aware matcher β€” gates connector credential writes (including core's wordpress_api_key) to POST /wp/v2/settings, including on WordPress 7.0.
  • WordPress.org readiness β€” listing name "Sudo – Admin Action Gating", SECURITY.md, submission checklist, and 9 listing screenshots.
  • Manual release environment matrix plus Connectors-credential manual verification in tests/MANUAL-TESTING.md.

Reliability / CI

  • Fixed a WordPress 7.0 upgrade-path fatal (prime wp_roles() before the capability query in the upgrader).
  • Added the Plugin Check (PCP) CI lane; rebalanced the E2E test groups.

Upgrade notes

If you used compatibility mode, no action is needed β€” the option is removed automatically. Confirm your host meets WP 6.4 / PHP 8.2 before upgrading.

Requirements: WordPress 6.4+, PHP 8.2+

v3.4.0

Choose a tag to compare

@dknauss dknauss released this 13 Jun 21:04
ccd632b

Maintenance/hardening release.

Highlights

  • Break-glass recovery mode hardened: WP_SUDO_RECOVERY_MODE is now role-gated to administrators (manage_options / manage_network_options) β€” non-admins gain nothing. A permanent, non-dismissible notice renders on the Sudo settings screen while active, and a new wp_sudo_recovery_mode_active audit hook fires (stored as a sampled recovery_mode event, ≀1 per user/hour). Break-glass usage is now explicit, bounded, and auditable.
  • Psalm gate repaired: the type-coverage gate had been silently passing without analyzing anything (a top-level exit in uninstall.php aborted the run). Fixed, with a guard that fails the gate loudly if no coverage figure is emitted; the shepherd.dev type-coverage badge reports again (~96%).
  • CI hardening: least-privilege permissions on all workflows; documentation-only PRs skip the heavy jobs without deadlocking required checks.
  • Docs audit: corrected confabulated AJAX handler names and the OTP-resend mechanism description, and replaced drift-prone hardcoded counts with links to docs/current-metrics.md.
  • Playground: recovery-mode and user-switching scenario blueprints for manual review.
  • Fixes: removed an obsolete Editor role-error notice workaround; fixed a random-order unit-test flake in SSL detection.

New public hook: wp_sudo_recovery_mode_active. Full notes in CHANGELOG.md.

πŸ€– Generated with Claude Code

WP Sudo 3.3.0

Choose a tag to compare

@dknauss dknauss released this 13 Jun 03:14

What's new

  • Governance backfill re-keyed to 3.3.0 (fixes strict-mode lockout): the migration that grants manage_wp_sudo and the other governance capabilities to existing single-site administrators was keyed at 3.1.0 β€” a version that never had a public release (tags went v3.1.1 β†’ v3.1.3 β†’ v3.2.0). Sites upgrading from any public 3.1.x release skipped the backfill, leaving no manage_wp_sudo holders and locking administrators out of Settings β†’ Sudo in the default strict governance mode (recovery only via WP_SUDO_RECOVERY_MODE). The routine is now keyed at 3.3.0 so it also runs once for sites already stamped 3.2.0, and it skips when any user already holds manage_wp_sudo, preserving deliberate Access-tab grant/revoke configurations.
  • Audit column clamping: Event_Store now clamps event, rule_id, surface, and ip values to their schema column widths before insert, so over-length values from third-party rules truncate predictably in PHP instead of erroring (strict MySQL, dropping the audit row) or truncating silently in the database.
  • wp_sudo_grant_session_on_login filter: the automatic sudo session granted on browser login can now be suppressed (return false) for shared-terminal/kiosk hardening or SSO integrations. Default behavior is unchanged. Note for SSO integrators: suppressing the grant for users without a usable WordPress password makes gated actions unreachable for them β€” see the developer reference. Closes audit register item F17.

Full history: CHANGELOG.md

WP Sudo 3.2.0

Choose a tag to compare

@dknauss dknauss released this 08 Jun 22:01

WP Sudo 3.2.0

Security hardening and release-readiness release for WordPress 7.0.

Playground

Stable release demo:

https://playground.wordpress.net/?blueprint-url=https%3A%2F%2Fraw.githubusercontent.com%2Fdknauss%2FSudo%2Fv3.2.0%2Fblueprint.json

Demo credentials are admin / password; use password again for the WP Sudo reauthentication challenge.

Current main development demo:

https://playground.wordpress.net/?blueprint-url=https%3A%2F%2Fraw.githubusercontent.com%2Fdknauss%2FSudo%2Fmain%2Fblueprint-main.json

Governance and capabilities

  • Adds the sudo_can() helper and fine-grained governance capabilities for WP Sudo administration.
  • Adds the Settings > Sudo Access tab for role/user grants and revocations, with gated grant/revoke actions and audit hooks.
  • Maps WP Sudo capability checks into WordPress capability checks for external tools and WP-CLI visibility.
  • Clarifies admin Help and public docs language around authentication vs authorization: Sudo verifies the account holder is still present; WordPress and target handlers still decide whether the user is allowed to perform the action.

Security hardening

  • Hardens 2FA lockout behavior so password success cannot clear counters before second-factor success.
  • Adds WPGraphQL request classification for JSON, GET/form, multipart operations, batches, tokenizer edge cases, and persisted-query fail-safe behavior.
  • Extends REST plugin gating to folder-style plugin slugs.
  • Fails closed on PCRE errors in built-in rules.
  • Gates WP Sudo settings writes on non-interactive surfaces.
  • Gates admin_email / new_admin_email writes on interactive and REST surfaces.
  • Changes IP lockout to ip + user_id to avoid shared-IP administrator DoS.
  • Honors FORCE_SSL_ADMIN for sudo/2FA cookie Secure flags.
  • Hardens REST cookie-vs-App-Password branch selection.
  • Minimizes request stash replay data, including suffix-based secret redaction and rule allowlists.
  • Validates App Password policy UUID ownership and cleans entries on App Password deletion.
  • Adds Site Health visibility when built-in gated actions are accidentally removed by filters.
  • Adds uninstall defense-in-depth while preserving WP-CLI uninstall behavior.

WordPress 7.0 and CI/release hygiene

  • Moves forward CI/local preview lanes from WordPress 7.0-RC1 to 7.0 GA.
  • Refreshes release-status, roadmap, current metrics, and SBOM metadata.
  • Stabilizes E2E challenge fixtures and wp-env helper behavior.
  • Shards the default Chromium Playwright E2E suite across four GitHub Actions runners while preserving the aggregate E2E Tests required check.
  • Includes final dependency and CI-maintenance merges: phpstan/phpstan 2.2.2, vimeo/psalm 6.16.1, codecov/codecov-action 7, actions/checkout 6, actions/github-script 9, and CI MySQL service pull routing through ECR Public.

Validation

Release tag v3.2.0 points to commit a06197f, after all latest Dependabot, CI maintenance, E2E sharding, and auth-boundary Help/docs copy updates were merged.

Original release validation included: composer validate --strict, composer verify:metrics, composer test:unit, composer test:integration, composer analyse, composer analyse:psalm, composer lint, composer audit, composer sbom, git diff --check, and Playwright test listing (61 tests).

Final retag validation included: targeted Admin Help unit coverage, composer test (777 tests, 2220 assertions), composer analyse, composer lint, and git diff --check.