Releases: dknauss/Sudo
Release list
v4.7.0
What's Changed
- docs(release): post-tag housekeeping β record v4.6.0 as latest tag by @dknauss in #176
- test(e2e): harden multisite stack smoke, re-scope lane into release gate by @dknauss in #177
- feat(editor): in-editor reauth β Milestone A (password path) by @dknauss in #178
- docs: pre-release demo fix, canonical editor-scope doc, and lockdown research by @dknauss in #179
- fix(demo): make in-editor reauth demo self-guiding (open inserter + notice) by @dknauss in #180
- docs(readme): describe the self-guiding in-editor reauth demo by @dknauss in #181
- docs(planning): in-editor sudo session-indicator research todo by @dknauss in #182
- chore: ignore .codex/ and .playwright-mcp/ agent artifacts by @dknauss in #183
- docs: reconcile planning/roadmap state to post-v4.5 editor-reauth reality by @dknauss in #184
- feat(editor): in-editor 2FA β Milestone B (server-rendered provider partial) by @dknauss in #185
- fix(challenge): strip provider _ajax_nonce before the full-page 2FA submit by @dknauss in #186
- docs(demo): add in-editor 2FA Playground blueprint (Milestone B) by @dknauss in #187
- fix(demo): let the in-editor 2FA blueprint reach the editor by @dknauss in #189
- docs(state): close out the In-Editor Reauth track by @dknauss in #190
- Enhance README with demo and reauth details by @dknauss in #191
- fix(demo): list several rolling TOTP codes in the in-editor 2FA notice (supersedes #188) by @dknauss in #192
- docs(readme): add in-editor two-factor modal screenshot by @dknauss in #193
- Clarify reauth demo link in README by @dknauss in #194
- feat(demo): multisite/network-admin scenario blueprint (#72) by @dknauss in #196
- docs(readme): feature multisite demo as a 5th Playground badge by @dknauss in #197
- docs(state): handoff β record demo/docs arc, leave #67 unclaimed by @dknauss in #198
- release: v4.7.0 β in-editor reauth modal (Milestones A + B) by @dknauss in #199
Full Changelog: v4.6.0...v4.7.0
v4.6.0 β In-editor reauthentication & critical-event alerting
Feature release. Adds block-editor in-editor reauthentication (link-out increment) and an optional push-notification bridge for high-severity audit events, plus the admin user-identity harmonization that had been staged as 4.5.1. Backward-compatible β no migration required.
Highlights
-
In-editor reauthentication for the block editor. When a block-editor request is soft-blocked with
sudo_required, the editor now shows an in-editor snackbar with a "Reauthenticate" action that opens the challenge page, instead of dead-ending on an opaque 403. Editor state is preserved; you grant a sudo session and retry. AnapiFetchmiddleware detects the block (including inside a/batch/v1envelope) and uses the server-emittedchallenge_urlverbatim, degrading to a plain message if that URL is absent or not same-origin. This is the link-out increment: the shipped client only opens the challenge page. Server-side plumbing for the forthcoming in-editor modal (grant-config localization + a logged-in-only nonce-refresh endpoint) also lands but is not yet consumed by the client; the in-editor password/2FA modal and automatic request re-dispatch come in a later release. -
Optional critical-event alert bridge. New optional mu-plugin (
bridges/wp-sudo-critical-alert-bridge.php) that pushes a notification when a high-severity audit hook fires β capability tamper, blocked escalation, reauth lockout, and dropped built-in rules (plus opt-in, throttled recovery-mode) β where the Stream/WSAL bridges only log. Emails the scope-appropriate admin out of the box, with awp_sudo_critical_alert_dispatchfilter to send Slack/Teams/webhook instead. Alerts are dispatched onshutdown(never delaying the gate), deduped per identity, and capped per recipient, with an overflow digest. A demo companion renders alerts inline for sandboxes without outbound network (e.g. WordPress Playground). Inert unless installed. -
Harmonized user identity across admin surfaces. The Session Activity dashboard widget and the Settings β Sudo Access tab now present users identically: full real name primary, username secondary (linked to user-edit when permitted), with an avatar and translated role chips. Also fixes a widget avatar that failed to render when the site's "Show Avatars" setting was off.
Notes
- No migration required. The alert bridge is opt-in β drop it into
wp-content/mu-plugins/. - Requires WordPress 6.4+ and PHP 8.2+.
- Versioning: minor. The new documented public extension filters shipped with the alert bridge are a backward-compatible API addition (see
VERSIONING.md).
Full changelog: see CHANGELOG.md β 4.6.0, or git log v4.5.0..v4.6.0 --oneline.
What's Changed
- chore(release): bump blueprint.json stable-demo target to v4.5.0 [MERGE AT TAG TIME] by @dknauss in #150
- feat(admin): harmonize user identity on the dashboard widget + Access tab by @dknauss in #154
- docs(packaging): exclude blueprint.json from the plugin ZIP + add a blueprint index by @dknauss in #153
- docs(release): record v4.5.0 as the latest tagged release by @dknauss in #152
- chore(release): 4.5.1 by @dknauss in #156
- Add release confidence and Sudo Lite baselines by @dknauss in #155
- docs(planning): block-editor reauth design phase β inventory, reviews, scope, Phase 2 plan by @dknauss in #157
- docs: close missed review findings (5 merged PRs) + enable conversation-resolution gate by @dknauss in #159
- docs(planning): re-land reauth PR #157 review fixes (merged before they landed) by @dknauss in #158
- docs: footprint & performance stats for READMEs by @dknauss in #160
- docs(readme): add Footprint and performance section (missed in #160) by @dknauss in #161
- docs(readme): drop "hand-written PHP" phrasing (re-land, missed by #161 merge race) by @dknauss in #162
- docs(lies-log): record #31 β false '#161 verified clean' confabulation by @dknauss in #163
- feat(bridges): optional critical-event alert bridge + Playground inline demo by @dknauss in #166
- feat(editor): surface sudo_required as link-out snackbar in block editor by @dknauss in #165
- fix: worktree/tooling robustness (merge-aware size gate + verify-metrics .claude exclusion) by @dknauss in #167
- feat(editor): Gutenberg reauth Increment 2, Task 2 β grant plumbing + nonce-refresh endpoint by @dknauss in #168
- docs: critical-hook alerting snippet + roadmap a critical-event alert bridge by @dknauss in #164
- chore(deps-dev): bump phpstan/phpstan from 2.2.2 to 2.2.5 by @dependabot[bot] in #169
- chore(deps): bump actions/checkout from 4 to 7 by @dependabot[bot] in #171
- chore(deps): bump softprops/action-gh-release from 2 to 3 by @dependabot[bot] in #170
- chore(deps-dev): bump @wordpress/env from 11.9.0 to 11.10.0 by @dependabot[bot] in #172
- chore(i18n): refresh translation template by @dknauss in #173
- chore(release): re-scope staged release 4.5.1 β 4.6.0 (minor) by @dknauss in #174
- ci(release-confidence): de-scope the nginx-multisite smoke lane (tracked, non-regression) by @dknauss in #175
Full Changelog: v4.5.0...v4.6.0
Sudo 4.5.0 β Session Governance, Admin UX & Security Hardening
This is a recommended security update: WP Sudo 4.5.0 hardens the admin-escalation guard and session revocation, adds native bulk session revocation with dashboard visibility, and refines the Access-tab capability UI for readability and accessibility β WordPress 6.4+ / PHP 8.2+, no migration.
π Security hardening
- Escalation-guard authority. The opt-in admin-escalation guard now requires the acting user to actually hold the promoting authority β
promote_usersfor administrator grants (checked on the target blog) or existing super-admin forgrant_super_adminβ in addition to an active sudo session. Sudo is reauthentication, not authorization: a low-privilege account can hold a sudo session, so requiring the session alone could wave through an escalation reached via a broken-access-control route. Blocked grants still firewp_sudo_escalation_blocked. - Session-revocation token binding. Users-list session revocation (row action and the new bulk action) now requires the operator's token-bound sudo session, not just a live expiry timestamp. A stolen auth cookie β or a second session without its own sudo β can no longer revoke other users' sessions. Revoking several sessions in a row no longer forces a re-challenge between them.
β¨ Session governance & admin UX
- Bulk session revocation. Revoking sessions is now a native "Revoke sudo sessions" entry in the Users-list Bulk actions dropdown (filter to the Sudo Active view, select, apply) β replacing the old toolbar button and its confirmation interstitial, mirroring core's password-reset bulk action. It enforces operator token-bound sudo, consumes one rate-limit slot per batch, skips your own row, and β hardening from external review β runs from a nonce-verified interceptor with a current-site membership guard, so forged user IDs can't revoke or probe other sites' sessions on multisite. Site-wide revoke remains available via
wp sudo revoke --all. - Dashboard revocation visibility. The Session Activity widget now records and shows
session_revokedevents with the reason tag and operator, and givesescalation_blockeda readable "Escalation" label with distinct pill styling. - Access-tab readability, accessibility & i18n. The capability-holder table lists each capability on its own line with a human-readable label and a paired Revoke control β developer-centric slugs move to a hover tooltip and a screen-reader span instead of prominent run-on text. Each Revoke button gets a capability-specific accessible name, labels are translatable, and the revoke JS removes the whole item on success (no stale lingering entry).
- Governance coverage panel fixes (multisite). The coverage panel now names the capability it actually scans (
manage_network_optionson multisite) and no longer false-flags super admins as unable to access Sudo settings.
π Two Factor lifecycle bridge
- The optional Two Factor bridge now also gates meaningful classic
profile.php/user-edit.phpprovider lifecycle changes β enabling/disabling a provider, changing the primary provider, and TOTP enrollment/removal β behind an active sudo session. Unrelated profile saves and normalized no-op resubmissions are not gated.
π Localization packaging
- WP-CLI-backed Composer commands to regenerate and verify
languages/wp-sudo.pot, the committed release-grade POT template, and documented workflow.
Compatibility
Requires WordPress 6.4+ and PHP 8.2+. No migration required.
Full Changelog: v4.2.2...v4.5.0
WP Sudo 4.2.1
4.2.1 - 2026-06-28
- WordPress.org package readiness: cleaned Pressship/Plugin Check input-handling findings by unslashing request values at the flagged sites and shortening the 4.0.0 upgrade notice to fit directory limits.
- Submission warning triage: reduced package validation to one documented slug warning (
wp-sudocontainswp), added targeted notes/suppressions for intentional bridge, core-hook, and prepared-SQL false positives, and documented the slug decision in the WordPress.org submission checklist. - Release hygiene: refreshed package metrics and Psalm baseline entries after the cleanup.
WP Sudo 4.2.0
4.2.0 - 2026-06-27
- Two Factor bridge hardening: the optional Two Factor bridge now gates REST
factor-management operations behind WP Sudo, extending sudo coverage to a
sensitive 2FA account-control surface. - Observability (WSAL bridge expansion): the optional WP Activity Log sensor
bridge maps the additional security/governance audit hooks added in the 4.1.x
line into WSAL events for escalation blocks, session revocation, recovery-mode
use, governance-capability changes, missing built-in rules, and regex-rule
failures. - Gutenberg REST UX groundwork: cookie-authenticated REST
sudo_required
responses now include achallenge_urlso block-editor clients can direct the
user to reauthenticate without using server-side Request_Stash replay.
Headless REST policy responses (sudo_disabled/sudo_blocked) are
unchanged. - Test hardening: added integration coverage for activation/deactivation
lifecycle behavior,WP_Session_Tokens::destroy_all()login-session-binding
invariants, and live admin-escalation guard hooks. - Planning and reference docs: documented the Gutenberg route inventory, the
build-free vanilla-JS decision for Phase 2 editor UX work, API-only
configuration surfaces, and the accepted blog-invariant Connectors matcher
cache behavior.
WP Sudo 4.1.0 β security hardening
Security-hardening release. Requires WordPress 6.4+, PHP 8.2+.
- Gate-completeness fixes (coordinated disclosure; affected versions β€ 4.0.0): interactive effect-level backstop on
admin_init+ login-session binding of the sudo proof (#102); REST effect-level backstop for custom routes (#104). - Admin-escalation guard (opt-in, default OFF): refuses to grant a new administrator/super-admin without an active sudo session β hooks the capabilities-meta write +
grant_super_admin, so it covers REST/AJAX/unauthenticated paths. Filterswp_sudo_guard_escalation/wp_sudo_allow_escalation, constantWP_SUDO_ALLOW_ESCALATION, high-severitywp_sudo_escalation_blockedevent. Known limits: runtimeuser_has_cap/map_meta_capgrants and direct$wpdbwrites are not caught (#111). - Docs aligned with shipped code (#113); Playground demo link bumped (#114).
Full notes: see CHANGELOG.md (## 4.1.0).
v4.0.0 β Pre-Public Hardening Baseline
First WordPress.org-ready release. WP Sudo is action-gated reauthentication for WordPress: dangerous admin actions (plugin/theme/user/settings/network changes) require reauthentication before they proceed β regardless of role.
β οΈ Breaking changes
- Removed the deprecated
sudo_can()function β switch any calls towp_sudo_can(). - Removed the
compatibilitygovernance mode; governance is now always strict. The leftoverwp_sudo_governance_modeoption is removed automatically on upgrade (one-time dismissible notice, no manual cleanup). - Minimum requirements raised: WordPress 6.4, PHP 8.2.
WP_SUDO_RECOVERY_MODEremains the only break-glass lockout-recovery path.
Features
- Connectors registry-aware matcher β gates connector credential writes (including core's
wordpress_api_key) toPOST /wp/v2/settings, including on WordPress 7.0. - WordPress.org readiness β listing name "Sudo β Admin Action Gating",
SECURITY.md, submission checklist, and 9 listing screenshots. - Manual release environment matrix plus Connectors-credential manual verification in
tests/MANUAL-TESTING.md.
Reliability / CI
- Fixed a WordPress 7.0 upgrade-path fatal (prime
wp_roles()before the capability query in the upgrader). - Added the Plugin Check (PCP) CI lane; rebalanced the E2E test groups.
Upgrade notes
If you used compatibility mode, no action is needed β the option is removed automatically. Confirm your host meets WP 6.4 / PHP 8.2 before upgrading.
Requirements: WordPress 6.4+, PHP 8.2+
v3.4.0
Maintenance/hardening release.
Highlights
- Break-glass recovery mode hardened:
WP_SUDO_RECOVERY_MODEis now role-gated to administrators (manage_options/manage_network_options) β non-admins gain nothing. A permanent, non-dismissible notice renders on the Sudo settings screen while active, and a newwp_sudo_recovery_mode_activeaudit hook fires (stored as a sampledrecovery_modeevent, β€1 per user/hour). Break-glass usage is now explicit, bounded, and auditable. - Psalm gate repaired: the type-coverage gate had been silently passing without analyzing anything (a top-level
exitinuninstall.phpaborted the run). Fixed, with a guard that fails the gate loudly if no coverage figure is emitted; the shepherd.dev type-coverage badge reports again (~96%). - CI hardening: least-privilege
permissionson all workflows; documentation-only PRs skip the heavy jobs without deadlocking required checks. - Docs audit: corrected confabulated AJAX handler names and the OTP-resend mechanism description, and replaced drift-prone hardcoded counts with links to
docs/current-metrics.md. - Playground: recovery-mode and user-switching scenario blueprints for manual review.
- Fixes: removed an obsolete Editor role-error notice workaround; fixed a random-order unit-test flake in SSL detection.
New public hook: wp_sudo_recovery_mode_active. Full notes in CHANGELOG.md.
π€ Generated with Claude Code
WP Sudo 3.3.0
What's new
- Governance backfill re-keyed to 3.3.0 (fixes strict-mode lockout): the migration that grants
manage_wp_sudoand the other governance capabilities to existing single-site administrators was keyed at3.1.0β a version that never had a public release (tags went v3.1.1 β v3.1.3 β v3.2.0). Sites upgrading from any public 3.1.x release skipped the backfill, leaving nomanage_wp_sudoholders and locking administrators out of Settings β Sudo in the default strict governance mode (recovery only viaWP_SUDO_RECOVERY_MODE). The routine is now keyed at3.3.0so it also runs once for sites already stamped3.2.0, and it skips when any user already holdsmanage_wp_sudo, preserving deliberate Access-tab grant/revoke configurations. - Audit column clamping:
Event_Storenow clampsevent,rule_id,surface, andipvalues to their schema column widths before insert, so over-length values from third-party rules truncate predictably in PHP instead of erroring (strict MySQL, dropping the audit row) or truncating silently in the database. wp_sudo_grant_session_on_loginfilter: the automatic sudo session granted on browser login can now be suppressed (returnfalse) for shared-terminal/kiosk hardening or SSO integrations. Default behavior is unchanged. Note for SSO integrators: suppressing the grant for users without a usable WordPress password makes gated actions unreachable for them β see the developer reference. Closes audit register item F17.
Full history: CHANGELOG.md
WP Sudo 3.2.0
WP Sudo 3.2.0
Security hardening and release-readiness release for WordPress 7.0.
Playground
Stable release demo:
Demo credentials are admin / password; use password again for the WP Sudo reauthentication challenge.
Current main development demo:
Governance and capabilities
- Adds the
sudo_can()helper and fine-grained governance capabilities for WP Sudo administration. - Adds the Settings > Sudo Access tab for role/user grants and revocations, with gated grant/revoke actions and audit hooks.
- Maps WP Sudo capability checks into WordPress capability checks for external tools and WP-CLI visibility.
- Clarifies admin Help and public docs language around authentication vs authorization: Sudo verifies the account holder is still present; WordPress and target handlers still decide whether the user is allowed to perform the action.
Security hardening
- Hardens 2FA lockout behavior so password success cannot clear counters before second-factor success.
- Adds WPGraphQL request classification for JSON, GET/form, multipart operations, batches, tokenizer edge cases, and persisted-query fail-safe behavior.
- Extends REST plugin gating to folder-style plugin slugs.
- Fails closed on PCRE errors in built-in rules.
- Gates WP Sudo settings writes on non-interactive surfaces.
- Gates
admin_email/new_admin_emailwrites on interactive and REST surfaces. - Changes IP lockout to
ip + user_idto avoid shared-IP administrator DoS. - Honors
FORCE_SSL_ADMINfor sudo/2FA cookie Secure flags. - Hardens REST cookie-vs-App-Password branch selection.
- Minimizes request stash replay data, including suffix-based secret redaction and rule allowlists.
- Validates App Password policy UUID ownership and cleans entries on App Password deletion.
- Adds Site Health visibility when built-in gated actions are accidentally removed by filters.
- Adds uninstall defense-in-depth while preserving WP-CLI uninstall behavior.
WordPress 7.0 and CI/release hygiene
- Moves forward CI/local preview lanes from WordPress
7.0-RC1to7.0GA. - Refreshes release-status, roadmap, current metrics, and SBOM metadata.
- Stabilizes E2E challenge fixtures and wp-env helper behavior.
- Shards the default Chromium Playwright E2E suite across four GitHub Actions runners while preserving the aggregate
E2E Testsrequired check. - Includes final dependency and CI-maintenance merges: phpstan/phpstan 2.2.2, vimeo/psalm 6.16.1, codecov/codecov-action 7, actions/checkout 6, actions/github-script 9, and CI MySQL service pull routing through ECR Public.
Validation
Release tag v3.2.0 points to commit a06197f, after all latest Dependabot, CI maintenance, E2E sharding, and auth-boundary Help/docs copy updates were merged.
Original release validation included: composer validate --strict, composer verify:metrics, composer test:unit, composer test:integration, composer analyse, composer analyse:psalm, composer lint, composer audit, composer sbom, git diff --check, and Playwright test listing (61 tests).
Final retag validation included: targeted Admin Help unit coverage, composer test (777 tests, 2220 assertions), composer analyse, composer lint, and git diff --check.