
Releases: dknauss/Sudo

v3.0.0 — Operator tooling, policy control, event persistence

21 Apr 00:49


3.0.0

Headline changes

  • Major milestone: operator tooling and visibility — WP Sudo now includes a Request / Rule Tester for representative admin, AJAX, and REST request shapes plus a Session Activity Dashboard Widget for active sessions, recent events, and current policy posture.
  • Major milestone: policy control — Settings → Sudo now includes one-click Normal, Incident Lockdown, and Headless Friendly presets for the non-interactive surfaces, with confirmation, audit logging, and summary notices.
  • Major milestone: ecosystem hardening — Connectors API credential writes saved through /wp/v2/settings now require sudo when they include connectors_*_api_key fields, protecting database-backed connector credentials without over-gating unrelated settings writes.
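An added illustration of that selective gate (example code, not WP Sudo's own implementation): an MU-plugin that lets every /wp/v2/settings write through unless the payload carries a connectors_*_api_key field, in which case it requires an active sudo session. It assumes wp_sudo_check() returns true for an active session (the public helper introduced in v2.12.0); the example_ function names are hypothetical.

```php
<?php
/**
 * Added example (not WP Sudo's own code): refuse /wp/v2/settings writes that
 * carry connectors_*_api_key fields unless the caller holds an active sudo
 * session. Unrelated settings writes pass through untouched.
 *
 * Assumes wp_sudo_check() (WP Sudo public API) returns true when the current
 * user has an active sudo session. Drop into wp-content/mu-plugins/.
 */

/** Return the connectors_*_api_key field names present in a settings payload. */
function example_connector_credential_fields( array $params ): array {
	$hits = array();
	foreach ( array_keys( $params ) as $key ) {
		if ( preg_match( '/^connectors_[a-z0-9_]+_api_key$/i', (string) $key ) ) {
			$hits[] = (string) $key;
		}
	}
	return $hits;
}

add_filter(
	'rest_request_before_callbacks',
	function ( $response, $handler, $request ) {
		// Only settings writes are of interest; reads and other routes pass through.
		if ( '/wp/v2/settings' !== $request->get_route()
			|| ! in_array( $request->get_method(), array( 'POST', 'PUT', 'PATCH' ), true ) ) {
			return $response;
		}

		// get_params() merges JSON and form-encoded bodies, so both encodings are covered.
		$fields = example_connector_credential_fields( (array) $request->get_params() );
		if ( empty( $fields ) ) {
			return $response; // No credential fields: do not over-gate this write.
		}

		// Fail closed: if WP Sudo is not loaded, a credential write is refused.
		$has_sudo = function_exists( 'wp_sudo_check' ) && wp_sudo_check();
		if ( ! $has_sudo ) {
			return new WP_Error(
				'example_sudo_required',
				sprintf( 'Re-authentication required to change: %s', implode( ', ', $fields ) ),
				array( 'status' => 403 )
			);
		}
		return $response;
	},
	10,
	3
);
```

Returning a WP_Error from rest_request_before_callbacks short-circuits the route callback, so the settings controller never sees the gated write.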

New platform capabilities

  • Event persistence layer — audit events are now recorded through Event_Store and Event_Recorder, enabling the dashboard widget and future reporting. The shared wpsudo_events table includes 14-day retention, daily cron pruning, graceful degradation when the table is unavailable, and SQLite compatibility for Playground-style environments.

Security and recovery hardening

  • Challenge lockout expiry recovery — corrected an edge case where the visible countdown could reach zero while the server still treated the lockout as active for that exact second, blocking an immediate retry. Password and IP lockouts now expire in sync with the countdown.
  • Stale challenge and 2FA recovery flows — hardened recovery when a sudo session is already active or a user is returning from 2FA throttle/lockout flows, with expanded browser coverage for replay, resend, cancel, and recovery behavior.

Dashboard widget UX

  • Active sessions: identity context — sessions panel now shows gravatars, username, role badge, display name, and time remaining for each active session. Responsive layout hides gravatars and names on small screens.
  • Recent events: client-side filtering — dropdown filters for Time (1h / 24h / 7d), Event type, and Surface, applied client-side against 50 stored events. Filters laid out horizontally in a single row.
  • Passed-event audit visibility defaults — wp_sudo_action_passed events (admin, REST, WPGraphQL) are now recorded by default so active-session actions stay visible in the audit timeline. Disabling passed-event logging now requires an explicit code override (constant/filter), and WP Sudo shows a warning notice when that override is active.
  • Widget placement and layout — widget renders in the side column at high priority, active session cards use CSS Grid (repeat(auto-fit, minmax(180px, 1fr))) with scrollable container, usernames link to user-edit.php, and the empty-state panel now uses a clearer Site Health–style status layout.
  • Users list "Sudo Active" filter — the Users → All Users screen gains a "Sudo Active (N)" view link that filters the list to users with an active sudo session via _wp_sudo_expires meta query.

Accessibility

  • Dashboard widget table semantics — added scope="col" to table headers and screen-reader-only <caption> elements for the Recent Events and Policy Summary tables.

Compatibility and testing

  • WordPress 7.0 readiness — forward test and preview lanes are now pinned to 7.0-RC1, with RC1 visual signoff recorded and the remaining RC/GA checklist documented for final release-day verification.
  • Testing and compatibility breadth — added scheduled WordPress 6.3–6.6 compatibility coverage, explicit nginx + php-fpm + MariaDB and Playground SQLite browser smoke workflows, and a dedicated nginx + MariaDB multisite smoke lane.
  • Testing workflow: local integration fallback — composer test:integration now falls back to the running wp-env tests-cli container when a local rebuild leaves the generated host-side MySQL endpoint stale, while CI continues to use the normal direct PHPUnit path.
  • Testing posture: expanded CI and browser coverage shipped with this release; live suite counts are tracked in docs/current-metrics.md.

v2.14.0

22 Mar 02:54


  • Feature: Playwright end-to-end coverage — added browser-verified challenge, cookie, gate UI, admin bar timer, keyboard shortcut, MU-plugin AJAX, multisite network-admin, and visual-regression coverage to exercise the real user flows around reauthentication.
  • Fix: multisite symlink and network-admin flow hardening — preserved network-admin return URLs and supported symlinked local multisite installs used in Local and Studio-style development.
  • Fix: bootstrap plugin URL handling — plugin asset URLs now preserve normal plugins_url filtering and custom plugin roots instead of assuming a fixed /wp-content/plugins/ path.
  • Testing workflow: Local socket support — bin/install-wp-tests.sh can now auto-detect a single Local by Flywheel MySQL socket when TCP MySQL is unavailable, with updated contributor guidance for local integration setup.
  • Repo hygiene — added GPL license and repository health files, and centralized live test/size counts in docs/current-metrics.md.
  • 504 unit tests, 1311 assertions. 140 integration tests in CI.

v2.12.0

08 Mar 04:31


  • Feature: WP-CLI operator commands — added wp sudo status, wp sudo revoke --user=<id>, and wp sudo revoke --all for session inspection and revocation workflows.
  • Feature: Stream audit bridge — added optional bridges/wp-sudo-stream-bridge.php, mapping all 9 WP Sudo audit hooks into Stream records. Bridge remains inert when Stream APIs are unavailable and supports late plugin load order.
  • Feature: public integration API (wp_sudo_check() / wp_sudo_require()) — added first-party helpers for third-party plugins/themes to require an active sudo session without registering full action rules. wp_sudo_require() can redirect to the challenge page in session-only mode (or return false when redirecting is disabled/unavailable) and emits wp_sudo_action_gated with surface public_api.
  • Docs: release alignment — updated developer reference and manual testing docs for Stream bridge and public API helpers; refreshed roadmap and contributing guidance for current development priorities and repo-local integration test paths.
  • Pre-release hygiene — regenerated bom.json.
  • 494 unit tests, 1286 assertions. 135 integration tests in CI.
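An added example (not WP Sudo's or any real plugin's code) of a third-party plugin using the public integration API above: an admin form handler that calls wp_sudo_require() before rotating a stored credential, refuses the request when WP Sudo is unavailable, and stops cleanly when the helper has redirected to the challenge page or returned false. It assumes an argument-less wp_sudo_require() that returns true only for an active sudo session; the example_ action, option and nonce names are hypothetical.

```php
<?php
/**
 * Added example (not WP Sudo's own code): a third-party plugin guards a
 * credential rotation behind WP Sudo's public integration API instead of
 * registering a full wp_sudo_gated_actions rule.
 *
 * Assumption: wp_sudo_require() (no arguments) returns true when a sudo
 * session is active; otherwise it redirects to the challenge page in
 * session-only mode, or returns false when redirecting is disabled or
 * unavailable. Action, option and nonce names below are hypothetical.
 */

/**
 * Returns true only when the request may rotate the stored token.
 * Fails closed: a missing WP Sudo helper refuses the operation rather than
 * silently skipping re-authentication.
 */
function example_may_rotate_token(): bool {
	if ( ! current_user_can( 'manage_options' ) ) {
		return false;
	}
	if ( ! function_exists( 'wp_sudo_require' ) ) {
		return false;
	}
	// May redirect and exit; if it returns, only true means "sudo session active".
	return true === wp_sudo_require();
}

add_action( 'admin_post_example_rotate_token', function () {
	check_admin_referer( 'example_rotate_token' );

	if ( ! example_may_rotate_token() ) {
		wp_die(
			esc_html__( 'Re-authentication is required to rotate this token.', 'example' ),
			'',
			array( 'response' => 403 )
		);
	}

	// The sensitive write happens only inside an active sudo session.
	update_option( 'example_api_token', wp_generate_password( 40, false ), false );

	wp_safe_redirect( add_query_arg( 'example_rotated', '1', admin_url( 'options-general.php' ) ) );
	exit;
} );
```

Because the gate fires through the public_api surface, the attempt still lands in the audit trail via wp_sudo_action_gated even though no action rule was registered.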

v2.11.1

08 Mar 03:22


  • Docs release + metadata alignment — corrected post-v2.11.0 documentation drift: roadmap completion markers, RC re-test guidance, and release notes alignment across CHANGELOG.md, readme.md, and readme.txt.
  • Version annotation fixes — corrected @since annotations introduced in the v2.11.0 development cycle so Phase 3/4 additions no longer reference the nonexistent 2.10.3 version.
  • Pre-release hygiene — regenerated bom.json and updated ignore rules to keep .planning/private-reference/, .composer_cache/, and vendor_test/ out of commits.
  • 478 unit tests, 1228 assertions. 130 integration tests in CI.

v2.11.0

05 Mar 21:28


  • Phase 3 complete: Action Registry schema validation hardening — filtered wp_sudo_gated_actions rules are now normalized and validated before caching, preventing malformed third-party payloads from reaching gate matchers.
  • Phase 3 complete: MU-loader resilience — loader basename/path resolution now follows an explicit fallback chain and correctly respects active plugin state in single-site and multisite environments.
  • Phase 4 complete: WPGraphQL persisted-query strategy — GraphQL policy behavior was tightened and documented for persisted-query/headless setups, with expanded integration coverage of mutation classification and bypass behavior.
  • Phase 4 complete: WSAL sensor bridge — added bridges/wp-sudo-wsal-sensor.php, mapping all 9 WP Sudo audit hooks to WP Activity Log events for security telemetry integration.
  • Docs and planning closure — phase summaries and roadmap/planning artifacts updated to reflect completion across Phases 1–4 of the security hardening sprint.
  • 478 unit tests, 1228 assertions. 130 integration tests in CI.

v2.10.0

01 Mar 04:01


What's New

WebAuthn Gating Bridge

New bridge plugin (bridges/wp-sudo-webauthn-bridge.php) gates WebAuthn security key registration and deletion behind WP Sudo's reauthentication. Without this bridge, an attacker with a hijacked session could silently register their own security key for persistent access — the same risk class as ungated Application Password creation.

  • Gates webauthn_preregister, webauthn_register, and webauthn_delete_key AJAX actions
  • Class-existence guard: rules only injected when Two Factor Provider for WebAuthn is active
  • Drop into wp-content/mu-plugins/ to activate
  • 6 unit tests, 29 assertions

WP 7.0 Notice CSS Fix

REST error notices in the Application Passwords section (profile.php) now have a visible light red background in WordPress 7.0+, where core removed .notice-error backgrounds. Scoped to #application-passwords-section β€” doesn't affect other admin notices.

CI Integration Test Fixes

Fixed 4 failing integration tests in ExitPathTest.php:

  • Challenge constructor was called with wrong argument order
  • simulate_admin_request() now calls set_current_screen() so is_admin() returns true in CI
  • Grace window pass test was passing vacuously; now tests real gate logic

Documentation

  • Developer reference: new "Gating Third-Party Plugin Actions" section with worked AJAX example
  • Two Factor integration: WebAuthn bridge reference
  • Manual testing: §20 WebAuthn bridge tests (5 steps)
  • Contributing: bridge plugin table and creation guide, Playground limitations for WebAuthn
  • ROADMAP: notice CSS marked fixed, WebAuthn challenge UX documented

Stats

  • 411 unit tests, 1,008 assertions
  • PHPStan level 6 — zero errors
  • 14 files changed, +496 −7

Full Changelog: v2.9.2...v2.10.0

v2.9.2 — 2FA help text fix + readme expansion

28 Feb 04:54


What's changed

Bug fixes

  • 2FA help text corrected — Settings → Sudo help tab said "The default 2FA window is 10 minutes". The code default (unchanged since v2.4.0) is 5 * MINUTE_IN_SECONDS — 5 minutes. Help text now reads "5 minutes". Note: the sudo session countdown visible in the admin bar is a completely separate timer; it remains at 15 minutes by default.
  • Version constant drift resolved — phpstan-bootstrap.php and tests/bootstrap.php both defined WP_SUDO_VERSION = '2.8.0' two release cycles after the fact. Both now track the runtime version. Added a Version sync checklist to CLAUDE.md so this can't slip again.

Documentation

  • readme.txt gains a "Why Sudo?" subsection in the Description with Patchstack 2026 exploitation statistics: 57% of all attacks target Broken Access Control, sudo-mitigated classes account for 80% of real-world WordPress exploitation, traditional WAFs block only 12–26%.
  • Eight new FAQ entries added to readme.txt: what problem Sudo solves, how it differs from security plugins, limitations, brute-force protection, implicit login grant, password-change session expiry, grace period, and the 2FA verification window.
  • Integration and unit test counts corrected in readme.txt.

No production logic changes. No database migrations. Safe to update.

397 unit tests, 944 assertions.

Full history: CHANGELOG.md

v2.9.1

27 Feb 21:07


  • Docs: threat model kill chain — verified risk reduction data from Patchstack, Sucuri, Verizon DBIR, Wordfence, and OWASP Top 10:2025 added to security model and FAQ.
  • Docs: project size table — readme.md gains a Project Size subsection (6,688 production lines, 11,555 test lines, 1.7:1 ratio); stale test counts corrected (375→397 unit, 73→92 integration); missing v2.8.0/v2.9.0 changelog entries added. CLAUDE.md gains size verification commands and pre-release checklist note.

Full Changelog: v2.9.0...v2.9.1

v2.9.0

27 Feb 20:53


  • wp_sudo_action_allowed audit hook — fires when a gated action is permitted by an Unrestricted policy. Covers all five non-interactive surfaces: REST App Passwords, WP-CLI, Cron, XML-RPC, and WPGraphQL (mutations only). This is the ninth audit hook.
  • Docs: CLAUDE.md accuracy audit — corrected six inaccuracies; logged one confabulation in llm_lies_log.txt.
  • Docs: manual testing — MANUAL-TESTING.md adds §19 (Unrestricted audit hook verification) with forward references from existing Unrestricted subsections.

397 unit tests, 944 assertions. 92 integration tests in CI.

Full Changelog: v2.8.0...v2.9.0

v2.8.0

27 Feb 20:51


  • Expire sudo session on password change — hooks after_password_reset and profile_update to invalidate any active sudo session when a user's password changes. Closes the gap where a compromised session persisted after a password reset.
  • WPGraphQL conditional display — the WPGraphQL policy dropdown, help tab paragraph, and Site Health review all adapt based on whether WPGraphQL is installed.

391 unit tests, 929 assertions. 92 integration tests in CI.

Full Changelog: v2.7.0...v2.8.0