
Releases: dknauss/wp-sudo

v2.14.0

22 Mar 02:54


  • Feature: Playwright end-to-end coverage — added browser-verified challenge, cookie, gate UI, admin bar timer, keyboard shortcut, MU-plugin AJAX, multisite network-admin, and visual-regression coverage to exercise the real user flows around reauthentication.
  • Fix: multisite symlink and network-admin flow hardening — preserved network-admin return URLs and supported symlinked local multisite installs used in Local and Studio-style development.
  • Fix: bootstrap plugin URL handling — plugin asset URLs now preserve normal plugins_url filtering and custom plugin roots instead of assuming a fixed /wp-content/plugins/ path.
  • Testing workflow: Local socket support — bin/install-wp-tests.sh can now auto-detect a single Local by Flywheel MySQL socket when TCP MySQL is unavailable, with updated contributor guidance for local integration setup.
  • Repo hygiene — added GPL license and repository health files, and centralized live test/size counts in docs/current-metrics.md.
  • 504 unit tests, 1311 assertions. 140 integration tests in CI.

v2.12.0

08 Mar 04:31


  • Feature: WP-CLI operator commands — added wp sudo status, wp sudo revoke --user=<id>, and wp sudo revoke --all for session inspection and revocation workflows.
  • Feature: Stream audit bridge — added optional bridges/wp-sudo-stream-bridge.php, mapping all 9 WP Sudo audit hooks into Stream records. Bridge remains inert when Stream APIs are unavailable and supports late plugin load order.
  • Feature: public integration API (wp_sudo_check() / wp_sudo_require()) — added first-party helpers for third-party plugins/themes to require an active sudo session without registering full action rules. wp_sudo_require() can redirect to the challenge page in session-only mode (or return false when redirecting is disabled/unavailable) and emits wp_sudo_action_gated with surface public_api.
  • Docs: release alignment — updated developer reference and manual testing docs for Stream bridge and public API helpers; refreshed roadmap and contributing guidance for current development priorities and repo-local integration test paths.
  • Pre-release hygiene — regenerated bom.json.
  • 494 unit tests, 1286 assertions. 135 integration tests in CI.
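An added example (not WP Sudo's own code, and not the worked example from its developer reference) of how a third-party plugin would consume the v2.12.0 public API. The helper names wp_sudo_check() and wp_sudo_require() come from the notes above; their exact signatures are not shown on this page, so the example assumes both take no arguments and return a bool, and that wp_sudo_require() exits after it redirects. The plugin, AJAX action, admin-post action and nonce names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Export Gate (illustrative, not part of WP Sudo)
 *
 * Requires an active sudo session before two sensitive operations run.
 * Assumptions (not confirmed by the release notes): wp_sudo_check() and
 * wp_sudo_require() take no arguments and return bool; wp_sudo_require()
 * exits after redirecting to the challenge page.
 */

// Stay inert when WP Sudo is not active so the host plugin still loads.
function example_export_sudo_available(): bool {
    return function_exists( 'wp_sudo_check' ) && function_exists( 'wp_sudo_require' );
}

// Case 1: an AJAX handler. The browser cannot follow a redirect to the
// challenge page from XHR, so only *check* and tell the client what to do.
add_action( 'wp_ajax_example_export_users', 'example_export_users_ajax' );

function example_export_users_ajax(): void {
    // Capability and nonce checks come first; sudo is an extra layer, not a
    // replacement for them.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    check_ajax_referer( 'example_export_users', 'nonce' );

    // Fail closed: if the reauthentication layer is missing, refuse rather
    // than silently run ungated.
    if ( ! example_export_sudo_available() ) {
        wp_send_json_error( array( 'message' => 'Reauthentication plugin unavailable.' ), 503 );
    }

    if ( ! wp_sudo_check() ) {
        wp_send_json_error(
            array(
                'code'    => 'sudo_required',
                'message' => 'Confirm your password before exporting user data.',
            ),
            403
        );
    }

    // Sensitive work happens only past this point.
    $users = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );
    wp_send_json_success( array( 'users' => $users ) );
}

// Case 2: a full-page admin-post handler, where a redirect to the challenge
// page is usable, so wp_sudo_require() is the right call.
add_action( 'admin_post_example_rotate_keys', 'example_rotate_keys' );

function example_rotate_keys(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_rotate_keys' );

    if ( ! example_export_sudo_available() ) {
        wp_die( 'Reauthentication plugin unavailable.', 503 );
    }

    // Per the notes: in session-only mode this redirects to the challenge
    // page; when redirecting is disabled or unavailable it returns false.
    if ( ! wp_sudo_require() ) {
        wp_die( 'Reauthentication required.', 403 );
    }

    // Key rotation (hypothetical) runs only with an active sudo session.
    update_option( 'example_api_key', wp_generate_password( 64, false ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example&rotated=1' ) );
    exit;
}
```

The two handlers differ on purpose: an XHR caller cannot act on a redirect, so the AJAX path reports sudo_required and lets the front end send the user to the challenge page, while the admin-post path can let wp_sudo_require() redirect. Both paths refuse to run when WP Sudo is absent instead of degrading to an ungated action.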

v2.11.1

08 Mar 03:22


  • Docs release + metadata alignment — corrected post-v2.11.0 documentation drift: roadmap completion markers, RC re-test guidance, and release notes alignment across CHANGELOG.md, readme.md, and readme.txt.
  • Version annotation fixes — corrected @since annotations introduced in the v2.11.0 development cycle so Phase 3/4 additions no longer reference the nonexistent 2.10.3 version.
  • Pre-release hygiene — regenerated bom.json and updated ignore rules to keep .planning/private-reference/, .composer_cache/, and vendor_test/ out of commits.
  • 478 unit tests, 1228 assertions. 130 integration tests in CI.

v2.11.0

05 Mar 21:28


  • Phase 3 complete: Action Registry schema validation hardening — filtered wp_sudo_gated_actions rules are now normalized and validated before caching, preventing malformed third-party payloads from reaching gate matchers.
  • Phase 3 complete: MU-loader resilience — loader basename/path resolution now follows an explicit fallback chain and correctly respects active plugin state in single-site and multisite environments.
  • Phase 4 complete: WPGraphQL persisted-query strategy — GraphQL policy behavior was tightened and documented for persisted-query/headless setups, with expanded integration coverage of mutation classification and bypass behavior.
  • Phase 4 complete: WSAL sensor bridge — added bridges/wp-sudo-wsal-sensor.php, mapping all 9 WP Sudo audit hooks to WP Activity Log events for security telemetry integration.
  • Docs and planning closure — phase summaries and roadmap/planning artifacts updated to reflect completion across Phases 1–4 of the security hardening sprint.
  • 478 unit tests, 1228 assertions. 130 integration tests in CI.

v2.10.0

01 Mar 04:01


What's New

WebAuthn Gating Bridge

New bridge plugin (bridges/wp-sudo-webauthn-bridge.php) gates WebAuthn security key registration and deletion behind WP Sudo's reauthentication. Without this bridge, an attacker with a hijacked session could silently register their own security key for persistent access — the same risk class as ungated Application Password creation.

  • Gates webauthn_preregister, webauthn_register, and webauthn_delete_key AJAX actions
  • Class-existence guard: rules only injected when Two Factor Provider for WebAuthn is active
  • Drop into wp-content/mu-plugins/ to activate
  • 6 unit tests, 29 assertions
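An added example of the bridge mu-plugin pattern the WebAuthn bridge follows: a class-existence guard so the bridge stays inert when the target plugin is inactive, and rules injected through the wp_sudo_gated_actions filter named in the v2.11.0 notes. This is not the repository's bridge code. The target plugin, its class name and its AJAX action names are hypothetical, and the rule array keys are an assumption, since the rule schema itself is not shown on this page (v2.11.0 validates and normalizes filtered rules, so malformed entries are rejected rather than reaching the matchers).

```php
<?php
/**
 * Plugin Name: Example Token Manager sudo bridge (illustrative mu-plugin)
 *
 * Drop into wp-content/mu-plugins/. Gates token creation and deletion of a
 * hypothetical "Example Token Manager" plugin behind WP Sudo reauthentication.
 * The rule keys below ('type', 'action', 'label') are assumed; consult the
 * WP Sudo developer reference for the real schema.
 */

// mu-plugins load before regular plugins, so class_exists() evaluated at file
// load time would always be false. Defer the guard until plugins_loaded.
add_action( 'plugins_loaded', 'example_token_bridge_boot', 20 );

function example_token_bridge_boot(): void {
    if ( ! class_exists( 'Example_Token_Manager' ) ) {
        return; // target plugin inactive: bridge stays inert, no rules injected
    }
    add_filter( 'wp_sudo_gated_actions', 'example_token_bridge_rules' );
}

function example_token_bridge_rules( $rules ) {
    if ( ! is_array( $rules ) ) {
        return $rules; // never clobber an unexpected payload
    }

    // Gate both creation and deletion: a hijacked session benefits from either
    // (persistence via a new token, lockout of the real owner via deletion).
    $actions = array( 'example_token_create', 'example_token_delete' );

    foreach ( $actions as $action ) {
        $rules[ 'example-token:' . $action ] = array(
            'type'   => 'ajax',                                     // assumed key
            'action' => $action,                                    // assumed key: the wp_ajax_{action} name
            'label'  => sprintf( 'Example Token Manager: %s', $action ), // assumed key
        );
    }
    return $rules;
}
```

The plugins_loaded deferral is the detail most easily missed when writing a bridge: because must-use plugins are loaded first, a guard evaluated at the top of the file would never see the target plugin's classes and the bridge would silently never gate anything.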

WP 7.0 Notice CSS Fix

REST error notices in the Application Passwords section (profile.php) now have a visible light red background in WordPress 7.0+, where core removed .notice-error backgrounds. Scoped to #application-passwords-section — doesn't affect other admin notices.

CI Integration Test Fixes

Fixed 4 failing integration tests in ExitPathTest.php:

  • Challenge constructor was called with wrong argument order
  • simulate_admin_request() now calls set_current_screen() so is_admin() returns true in CI
  • Grace window pass test was passing vacuously; now tests real gate logic

Documentation

  • Developer reference: new "Gating Third-Party Plugin Actions" section with worked AJAX example
  • Two Factor integration: WebAuthn bridge reference
  • Manual testing: §20 WebAuthn bridge tests (5 steps)
  • Contributing: bridge plugin table and creation guide, Playground limitations for WebAuthn
  • ROADMAP: notice CSS marked fixed, WebAuthn challenge UX documented

Stats

  • 411 unit tests, 1,008 assertions
  • PHPStan level 6 — zero errors
  • 14 files changed, +496 −7

Full Changelog: v2.9.2...v2.10.0

v2.9.2 — 2FA help text fix + readme expansion

28 Feb 04:54


What's changed

Bug fixes

  • 2FA help text corrected — Settings → Sudo help tab said "The default 2FA window is 10 minutes". The code default (unchanged since v2.4.0) is 5 * MINUTE_IN_SECONDS — 5 minutes. Help text now reads "5 minutes". Note: the sudo session countdown visible in the admin bar is a completely separate timer; it remains at 15 minutes by default.
  • Version constant drift resolved — phpstan-bootstrap.php and tests/bootstrap.php both defined WP_SUDO_VERSION = '2.8.0' two release cycles after the fact. Both now track the runtime version. Added a Version sync checklist to CLAUDE.md so this can't slip again.

Documentation

  • readme.txt gains a "Why Sudo?" subsection in the Description with Patchstack 2026 exploitation statistics: 57% of all attacks target Broken Access Control, sudo-mitigated classes account for 80% of real-world WordPress exploitation, traditional WAFs block only 12–26%.
  • Eight new FAQ entries added to readme.txt: what problem Sudo solves, how it differs from security plugins, limitations, brute-force protection, implicit login grant, password-change session expiry, grace period, and the 2FA verification window.
  • Integration and unit test counts corrected in readme.txt.

No production logic changes. No database migrations. Safe to update.


397 unit tests, 944 assertions.

Full history: CHANGELOG.md

v2.9.1

27 Feb 21:07


  • Docs: threat model kill chain — verified risk reduction data from Patchstack, Sucuri, Verizon DBIR, Wordfence, and OWASP Top 10:2025 added to security model and FAQ.
  • Docs: project size table — readme.md gains a Project Size subsection (6,688 production lines, 11,555 test lines, 1.7:1 ratio); stale test counts corrected (375→397 unit, 73→92 integration); missing v2.8.0/v2.9.0 changelog entries added. CLAUDE.md gains size verification commands and pre-release checklist note.

Full Changelog: v2.9.0...v2.9.1

v2.9.0

27 Feb 20:53


  • wp_sudo_action_allowed audit hook — fires when a gated action is permitted by an Unrestricted policy. Covers all five non-interactive surfaces: REST App Passwords, WP-CLI, Cron, XML-RPC, and WPGraphQL (mutations only). This is the ninth audit hook.
  • Docs: CLAUDE.md accuracy audit — corrected six inaccuracies; logged one confabulation in llm_lies_log.txt.
  • Docs: manual testing — MANUAL-TESTING.md adds §19 (Unrestricted audit hook verification) with forward references from existing Unrestricted subsections.
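An added example of consuming the audit hooks directly, for sites that run neither Stream nor WP Activity Log (the v2.12.0 Stream bridge and v2.11.0 WSAL sensor map all nine hooks; this is a minimal file-based sink, not either of those bridges). Only the two hook names visible on this page are subscribed, wp_sudo_action_gated and wp_sudo_action_allowed; the other seven names and each hook's argument list are not shown here, so arguments are captured generically with func_get_args() and the constant is left for the reader to complete from the developer reference. The log path and record shape are the example's own choices.

```php
<?php
/**
 * Plugin Name: Example WP Sudo audit sink (illustrative mu-plugin)
 *
 * Appends one JSON line per WP Sudo audit event to a log file so an external
 * collector (SIEM agent, journald, etc.) can tail it.
 */

const EXAMPLE_SUDO_AUDIT_HOOKS = array(
    'wp_sudo_action_gated',   // fires when an action is blocked pending reauthentication
    'wp_sudo_action_allowed', // fires when an Unrestricted policy permits a gated action
    // Add the remaining WP Sudo audit hook names from the developer reference here.
);

function example_sudo_audit_log_path(): string {
    // Keep this outside the web root in production; WP_CONTENT_DIR is used
    // here only so the example runs on any install.
    return WP_CONTENT_DIR . '/wp-sudo-audit.log';
}

// Collapse objects so a WP_User in a hook payload never lands in the log
// (its JSON form would include the password hash).
function example_sudo_audit_scalarize( $value ) {
    if ( $value instanceof WP_User ) {
        return array( 'user_id' => $value->ID, 'user_login' => $value->user_login );
    }
    if ( is_object( $value ) ) {
        return get_class( $value );
    }
    if ( is_array( $value ) ) {
        return array_map( 'example_sudo_audit_scalarize', $value );
    }
    return $value;
}

function example_sudo_audit_record( string $hook, array $args ): array {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    return array(
        'ts'      => gmdate( 'c' ),
        'hook'    => $hook,
        'user_id' => get_current_user_id(),
        'ip'      => $ip,
        'args'    => array_map( 'example_sudo_audit_scalarize', $args ),
    );
}

function example_sudo_audit_write( array $record ): void {
    $line = wp_json_encode( $record, JSON_UNESCAPED_SLASHES ) . "\n";
    // LOCK_EX prevents concurrent requests from interleaving half-written lines.
    file_put_contents( example_sudo_audit_log_path(), $line, FILE_APPEND | LOCK_EX );
}

foreach ( EXAMPLE_SUDO_AUDIT_HOOKS as $hook ) {
    add_action(
        $hook,
        function () use ( $hook ) {
            example_sudo_audit_write( example_sudo_audit_record( $hook, func_get_args() ) );
        },
        10,
        10 // accept up to 10 arguments without knowing each hook's exact arity
    );
}
```

For wp_sudo_action_allowed in particular, every record is an action that ran on a non-interactive surface without a challenge, so a spike in those lines is the signal that an Unrestricted policy is being exercised more than expected.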

397 unit tests, 944 assertions. 92 integration tests in CI.

Full Changelog: v2.8.0...v2.9.0

v2.8.0

27 Feb 20:51


  • Expire sudo session on password change — hooks after_password_reset and profile_update to invalidate any active sudo session when a user's password changes. Closes the gap where a compromised session persisted after a password reset.
  • WPGraphQL conditional display — the WPGraphQL policy dropdown, help tab paragraph, and Site Health review all adapt based on whether WPGraphQL is installed.
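An added illustration of the hook pattern behind the password-change expiry, not WP Sudo's implementation. WP Sudo's own session storage is not shown on this page, so the example keeps a hypothetical per-user expiry timestamp in user meta; the two hook names, after_password_reset and profile_update, and their core argument lists are real WordPress hooks. The profile_update branch compares the stored hash with the previous one so that only an actual password change, not every profile save, revokes the session.

```php
<?php
/**
 * Plugin Name: Example sudo expiry on password change (illustrative mu-plugin)
 *
 * Hypothetical sudo session store: a Unix timestamp in user meta. The point is
 * the two hooks and the hash comparison, not the storage.
 */

const EXAMPLE_SUDO_META_KEY = '_example_sudo_expires_at';

function example_sudo_grant( int $user_id, int $ttl = 15 * MINUTE_IN_SECONDS ): void {
    update_user_meta( $user_id, EXAMPLE_SUDO_META_KEY, time() + $ttl );
}

function example_sudo_is_active( int $user_id ): bool {
    $expires = (int) get_user_meta( $user_id, EXAMPLE_SUDO_META_KEY, true );
    return $expires > time();
}

function example_sudo_revoke( int $user_id ): void {
    delete_user_meta( $user_id, EXAMPLE_SUDO_META_KEY );
}

// Case 1: the lost-password reset flow. Core calls wp_set_password() directly
// (no profile_update fires) and then after_password_reset with the WP_User and
// the new plaintext password; only the user is needed here.
add_action(
    'after_password_reset',
    function ( WP_User $user ): void {
        example_sudo_revoke( $user->ID );
    },
    10,
    1
);

// Case 2: a password changed from the profile screen, by an administrator
// editing the user, or via wp_update_user(). profile_update fires on every
// profile save, so compare hashes to detect a real password change.
add_action(
    'profile_update',
    function ( $user_id, $old_user_data ): void {
        $user = get_userdata( (int) $user_id );
        if ( ! $user || ! $old_user_data instanceof WP_User ) {
            return;
        }
        if ( hash_equals( (string) $old_user_data->user_pass, (string) $user->user_pass ) ) {
            return; // hash unchanged: not a password change
        }
        example_sudo_revoke( (int) $user_id );
    },
    10,
    2
);
```

Covering both hooks matters because they are reached by different code paths: a reset from the login screen never fires profile_update, and a profile edit never fires after_password_reset, so hooking only one of them would leave the other path with a still-valid sudo session.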

391 unit tests, 929 assertions. 92 integration tests in CI.

Full Changelog: v2.7.0...v2.8.0

v2.7.0

26 Feb 22:52


WPGraphQL JWT Authentication Compatibility

  • wp_sudo_wpgraphql_bypass filter — fires in Limited mode before mutation detection. Return true to allow a request through without sudo session checks. Solves compatibility with wp-graphql-jwt-authentication: the JWT login mutation was blocked by the default Limited policy, breaking the entire JWT authentication flow. A documented bridge mu-plugin exempts login and refreshJwtAuthToken mutations while keeping all other mutations gated. The filter does not fire in Disabled or Unrestricted mode.
  • Fix: WPGraphQL listed in non-interactive entry points — the "How Sudo Works" help tab now includes WPGraphQL.

See developer reference for the filter signature and JWT bridge mu-plugin example.
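An added example of a bridge for the wp_sudo_wpgraphql_bypass filter, written independently of the documented bridge mu-plugin (the developer reference holds the project's own version and the real filter signature). It assumes the filter's first argument is the bool bypass decision and that the callback may read the raw request body itself. The design point it adds: exempt a request only when every top-level mutation field is on the allowlist, so a document that places login beside another mutation, uses a fragment spread, or arrives batched stays gated.

```php
<?php
/**
 * Plugin Name: Example WP Sudo / WPGraphQL JWT bridge (illustrative mu-plugin)
 *
 * Exempts only the JWT login and refreshJwtAuthToken mutations from the
 * Limited policy. Anything this bridge cannot classify with certainty is
 * left gated (return false), never exempted.
 */

const EXAMPLE_JWT_EXEMPT_MUTATIONS = array( 'login', 'refreshJwtAuthToken' );

/**
 * Return the top-level field names of a mutation document, or null when the
 * document is not a mutation or uses a fragment spread at the top level
 * (a spread could smuggle in a field defined elsewhere in the document).
 */
function example_graphql_top_level_fields( string $query ): ?array {
    // Blank string literals and comments so braces inside them are not counted.
    $query = preg_replace( '/"(?:\\\\.|[^"\\\\])*"/s', '""', $query );
    $query = preg_replace( '/#[^\n]*/', '', $query );

    if ( ! preg_match( '/^\s*mutation\b/', $query ) ) {
        return null;
    }

    $fields  = array();
    $depth   = 0;     // brace nesting; 1 = the operation's selection set
    $paren   = 0;     // argument-list nesting
    $token   = '';
    $discard = false; // set after '@' so directive names are not taken as fields
    $len     = strlen( $query );

    for ( $i = 0; $i < $len; $i++ ) {
        $c = $query[ $i ];
        if ( '{' === $c ) { $depth++; $token = ''; continue; }
        if ( '}' === $c ) { $depth--; $token = ''; continue; }
        if ( $paren > 0 || 1 !== $depth ) {
            // Inside arguments or at another depth: only track parentheses.
            if ( '(' === $c ) { $paren++; }
            if ( ')' === $c ) { $paren--; }
            continue;
        }
        if ( ctype_alnum( $c ) || '_' === $c ) { $token .= $c; continue; }

        // Token boundary at depth 1. A ':' means the token was an alias, so
        // the real field name follows it.
        if ( '' !== $token && ! $discard && ':' !== $c ) { $fields[] = $token; }
        $token   = '';
        $discard = false;
        if ( '(' === $c ) { $paren++; }
        if ( '@' === $c ) { $discard = true; }
        if ( '.' === $c ) { return null; } // fragment spread: fail closed
    }
    return array_values( array_unique( $fields ) );
}

function example_jwt_bypass( $bypass ) {
    if ( $bypass ) {
        return $bypass; // another bridge already exempted this request
    }
    $body = json_decode( (string) file_get_contents( 'php://input' ), true );
    if ( ! is_array( $body ) || ! isset( $body['query'] ) || ! is_string( $body['query'] ) ) {
        return false; // batched array body, GET request, or malformed JSON: keep the gate
    }
    $fields = example_graphql_top_level_fields( $body['query'] );
    if ( null === $fields || array() === $fields ) {
        return false;
    }
    // Every top-level mutation field must be on the allowlist.
    return array() === array_diff( $fields, EXAMPLE_JWT_EXEMPT_MUTATIONS );
}

add_filter( 'wp_sudo_wpgraphql_bypass', 'example_jwt_bypass', 10, 1 );
```

A substring match on "login" would be the obvious shortcut and is exactly what this avoids: `mutation { login(input: {...}) { authToken } deleteUser(input: {...}) { deletedId } }` contains the allowed name but yields two top-level fields, so array_diff is non-empty and the request remains subject to the Limited policy.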