chore(release): bump version to 2.12.0

dknauss · dknauss · commit e9bcba40afe2 · 2026-03-07T21:31:29.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,10 +1,13 @@
 # Changelog
 
-## Unreleased
-
-- **Feature: public integration API (`wp_sudo_check()` / `wp_sudo_require()`)** — added first-party helpers for third-party plugins/themes to require an active sudo session without registering full action rules. `wp_sudo_require()` can redirect to the challenge page in session-only mode (or return `false` when redirecting is disabled/unavailable) and emits `wp_sudo_action_gated` with surface `public_api` for audit visibility.
-- **Docs: developer reference update** — documented the new public helper API, args, usage example, and added `public_api` to the documented `wp_sudo_action_gated` surface list.
-- **494 unit tests, 1286 assertions.**
+## 2.12.0
+
+- **Feature: WP-CLI operator commands** — added `wp sudo status`, `wp sudo revoke --user=<id>`, and `wp sudo revoke --all` for session inspection and revocation workflows.
+- **Feature: Stream audit bridge** — added optional `bridges/wp-sudo-stream-bridge.php`, mapping all 9 WP Sudo audit hooks into Stream records. Bridge remains inert when Stream APIs are unavailable and supports late plugin load order.
+- **Feature: public integration API (`wp_sudo_check()` / `wp_sudo_require()`)** — added first-party helpers for third-party plugins/themes to require an active sudo session without registering full action rules. `wp_sudo_require()` can redirect to the challenge page in session-only mode (or return `false` when redirecting is disabled/unavailable) and emits `wp_sudo_action_gated` with surface `public_api`.
+- **Docs: release alignment** — updated developer reference and manual testing docs for Stream bridge and public API helpers; refreshed roadmap and contributing guidance for current development priorities and repo-local integration test paths.
+- **Pre-release hygiene** — regenerated `bom.json`.
+- **494 unit tests, 1286 assertions. 135 integration tests in CI.**
 
 ## 2.11.1
 
diff --git a/bom.json b/bom.json
@@ -98,11 +98,11 @@
             "properties": [
                 {
                     "name": "cdx:composer:package:distReference",
-                    "value": "2dd36d20d82aee32baadb4adb2b208a70dcf718e"
+                    "value": "7da09738076e763760c467b1d05bfe70bf5583f4"
                 },
                 {
                     "name": "cdx:composer:package:sourceReference",
-                    "value": "2dd36d20d82aee32baadb4adb2b208a70dcf718e"
+                    "value": "7da09738076e763760c467b1d05bfe70bf5583f4"
                 },
                 {
                     "name": "cdx:composer:package:type",
diff --git a/phpstan-bootstrap.php b/phpstan-bootstrap.php
@@ -10,7 +10,7 @@
  */
 
 // Plugin constants (defined in wp-sudo.php at runtime).
-define( 'WP_SUDO_VERSION', '2.11.1' );
+define( 'WP_SUDO_VERSION', '2.12.0' );
 define( 'WP_SUDO_PLUGIN_DIR', __DIR__ . '/' );
 define( 'WP_SUDO_PLUGIN_URL', 'https://example.com/wp-content/plugins/wp-sudo/' );
 define( 'WP_SUDO_PLUGIN_BASENAME', 'wp-sudo/wp-sudo.php' );
diff --git a/readme.md b/readme.md
@@ -184,8 +184,8 @@ WP Sudo is built for correctness and contributor legibility, not just functional
 
 **Test-driven development.** New code requires a failing test before production code is written. The suite is split into two deliberate tiers:
 
-- **Unit tests** (478 tests, 1228 assertions) — use [Brain\Monkey](https://brain-wp.github.io/BrainMonkey/) to mock all WordPress functions. Run in ~0.5s with no database. Cover request matching, session state machine, policy enforcement, and hook registration.
-- **Integration tests** (130 tests) — run against real WordPress + MySQL via `WP_UnitTestCase`. Cover full reauth flows, bcrypt verification, transient TTL, REST and AJAX gating, Two Factor interaction, multisite session isolation, upgrader migrations, and all 9 audit hooks.
+- **Unit tests** (494 tests, 1286 assertions) — use [Brain\Monkey](https://brain-wp.github.io/BrainMonkey/) to mock all WordPress functions. Run in ~0.5s with no database. Cover request matching, session state machine, policy enforcement, and hook registration.
+- **Integration tests** (135 tests) — run against real WordPress + MySQL via `WP_UnitTestCase`. Cover full reauth flows, bcrypt verification, transient TTL, REST and AJAX gating, Two Factor interaction, multisite session isolation, upgrader migrations, and all 9 audit hooks.
 
 **Static analysis and code style.** PHPStan, Psalm (with WordPress stubs/plugin), and PHPCS (WordPress-Extra + WordPress-Docs + WordPressVIPMinimum) run on every push and pull request via GitHub Actions, alongside the full test matrix (PHP 8.1–8.4, WordPress latest + trunk). A nightly scheduled run catches WordPress trunk regressions early. Type coverage is published to Shepherd on default-branch pushes (`main`/`master`).
 
@@ -197,16 +197,16 @@ WP Sudo is built for correctness and contributor legibility, not just functional
 
 | Component | Size |
 |---|---|
-| **Production PHP** (`includes/`, `wp-sudo.php`, `uninstall.php`, `mu-plugin/`, `bridges/`) | 288 KB · 7,823 lines |
+| **Production PHP** (`includes/`, `wp-sudo.php`, `uninstall.php`, `mu-plugin/`, `bridges/`) | 312 KB · 8,438 lines |
 | **Assets** (screenshots, banner images) | 5.0 MB |
-| **Tests** (`tests/`) | 648 KB · 15,539 lines |
+| **Tests** (`tests/`) | 672 KB · 16,058 lines |
 | **Docs** (`docs/` + root-level md/txt) | 348 KB |
-| **Total PHP** (production + tests, excl. vendor) | 23,402 lines |
-| **Test-to-production ratio** | 2.0:1 |
+| **Total PHP** (production + tests, excl. vendor) | 24,496 lines |
+| **Test-to-production ratio** | 1.9:1 |
 
 No production dependencies. Dev dependencies (PHPUnit, PHPStan, Psalm, PHPCS, Brain\Monkey, Mockery) live in `vendor/` and are not shipped.
 
-*Last updated: 2026-03-05. See CLAUDE.md for the update command.*
+*Last updated: 2026-03-08. See CLAUDE.md for the update command.*
 
 ## Screenshots
 
@@ -240,6 +240,14 @@ No production dependencies. Dev dependencies (PHPUnit, PHPStan, Psalm, PHPCS, Br
 
 ## Changelog
 
+### 2.12.0
+
+- **Feature: WP-CLI operator commands** — added `wp sudo status`, `wp sudo revoke --user=<id>`, and `wp sudo revoke --all` for session inspection and revocation workflows.
+- **Feature: Stream audit bridge** — added optional `bridges/wp-sudo-stream-bridge.php`, mapping all 9 WP Sudo audit hooks into Stream records with inert behavior when Stream APIs are unavailable.
+- **Feature: public integration API (`wp_sudo_check()` / `wp_sudo_require()`)** — added first-party helpers for third-party plugins/themes to require active sudo sessions without full Gate-rule registration.
+- **Docs and release hygiene** — updated developer reference/manual testing for Stream + public API, refreshed roadmap priorities, and regenerated `bom.json`.
+- **494 unit tests, 1286 assertions. 135 integration tests in CI.**
+
 ### 2.11.1
 
 - **Docs release + metadata alignment** — corrected post-v2.11.0 documentation drift: roadmap completion markers, RC re-test guidance, and release notes alignment across `CHANGELOG.md`, `readme.md`, and `readme.txt`.
diff --git a/readme.txt b/readme.txt
@@ -9,7 +9,7 @@ Tags:              sudo, security, reauthentication, access control, admin prote
 Requires at least: 6.2
 Tested up to:      7.0
 Requires PHP:      8.0
-Stable tag:        2.11.1
+Stable tag:        2.12.0
 License:           GPL-2.0-or-later
 License URI:       https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -150,7 +150,7 @@ WP Sudo is built for correctness and contributor legibility, not just functional
 
 Architecture: a single SPL autoloader maps the WP_Sudo\* namespace to includes/class-*.php. The Gate class detects the entry surface (admin UI, AJAX, REST, WP-CLI, Cron, XML-RPC, Application Passwords, WPGraphQL), matches the incoming request against a registry of 29+ rules, and challenges, soft-blocks, or hard-blocks based on surface and policy. All gating decisions happen server-side in PHP hooks — JavaScript is used only for UX.
 
-Testing: the suite is split into two tiers. Unit tests (478 tests, 1228 assertions) use Brain\Monkey to mock WordPress functions and run in ~0.4s. Integration tests (130 tests) run against real WordPress + MySQL and cover full reauth flows, AJAX and REST gating, Two Factor interaction, multisite isolation, uninstall cleanup, and all 9 audit hooks.
+Testing: the suite is split into two tiers. Unit tests (494 tests, 1286 assertions) use Brain\Monkey to mock WordPress functions and run in ~0.4s. Integration tests (135 tests) run against real WordPress + MySQL and cover full reauth flows, AJAX and REST gating, Two Factor interaction, multisite isolation, uninstall cleanup, and all 9 audit hooks.
 
 CI: GitHub Actions runs PHPStan level 6 and PHPCS on every push and PR, the full test matrix across PHP 8.1-8.4 and WordPress latest + trunk, and a nightly scheduled run against WordPress trunk.
 
@@ -168,6 +168,13 @@ Extensibility: the action registry is filterable via wp_sudo_gated_actions. Nine
 
 == Changelog ==
 
+= 2.12.0 =
+* **Feature: WP-CLI operator commands** — added `wp sudo status`, `wp sudo revoke --user=<id>`, and `wp sudo revoke --all` for session inspection and revocation workflows.
+* **Feature: Stream audit bridge** — added optional `bridges/wp-sudo-stream-bridge.php`, mapping all 9 WP Sudo audit hooks into Stream records with inert behavior when Stream APIs are unavailable.
+* **Feature: public integration API (`wp_sudo_check()` / `wp_sudo_require()`)** — added first-party helpers for third-party plugins/themes to require active sudo sessions without full Gate-rule registration.
+* **Docs and release hygiene** — updated developer reference/manual testing for Stream + public API, refreshed roadmap priorities, and regenerated `bom.json`.
+* **494 unit tests, 1286 assertions. 135 integration tests in CI.**
+
 = 2.11.1 =
 * **Docs release + metadata alignment** — corrected post-v2.11.0 documentation drift: roadmap completion markers, RC re-test guidance, and release notes alignment across `CHANGELOG.md`, `readme.md`, and `readme.txt`.
 * **Version annotation fixes** — corrected `@since` annotations introduced in the v2.11.0 development cycle so Phase 3/4 additions no longer reference the nonexistent `2.10.3` version.
diff --git a/tests/bootstrap.php b/tests/bootstrap.php
@@ -15,7 +15,7 @@
 define( 'WP_CONTENT_DIR', '/tmp/fake-wordpress/wp-content' );
 
 // ── Plugin constants (normally defined in wp-sudo.php) ───────────────
-define( 'WP_SUDO_VERSION', '2.11.1' );
+define( 'WP_SUDO_VERSION', '2.12.0' );
 define( 'WP_SUDO_PLUGIN_DIR', dirname( __DIR__ ) . '/' );
 define( 'WP_SUDO_PLUGIN_URL', 'https://example.com/wp-content/plugins/wp-sudo/' );
 define( 'WP_SUDO_PLUGIN_BASENAME', 'wp-sudo/wp-sudo.php' );
diff --git a/wp-sudo.php b/wp-sudo.php
@@ -3,7 +3,7 @@
  * Plugin Name:       Sudo
  * Plugin URI:        https://github.com/dknauss/wp-sudo
  * Description:       Action-gated reauthentication for WordPress. Dangerous operations require password confirmation before they proceed — regardless of user role.
- * Version:           2.11.1
+ * Version:           2.12.0
  * Requires at least: 6.2
  * Requires PHP:      8.0
  * Author:            Dan Knauss
@@ -22,7 +22,7 @@
 }
 
 // Plugin version.
-define( 'WP_SUDO_VERSION', '2.11.1' );
+define( 'WP_SUDO_VERSION', '2.12.0' );
 
 // Plugin directory path.
 define( 'WP_SUDO_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );

Original file line number	Diff line number	Diff line change
`@@ -98,11 +98,11 @@`
`98`	`98`	`"properties": [`
`99`	`99`	`{`
`100`	`100`	`"name": "cdx:composer:package:distReference",`
`101`		`- "value": "2dd36d20d82aee32baadb4adb2b208a70dcf718e"`
	`101`	`+ "value": "7da09738076e763760c467b1d05bfe70bf5583f4"`
`102`	`102`	`},`
`103`	`103`	`{`
`104`	`104`	`"name": "cdx:composer:package:sourceReference",`
`105`		`- "value": "2dd36d20d82aee32baadb4adb2b208a70dcf718e"`
	`105`	`+ "value": "7da09738076e763760c467b1d05bfe70bf5583f4"`
`106`	`106`	`},`
`107`	`107`	`{`
`108`	`108`	`"name": "cdx:composer:package:type",`