|
| 1 | +# Copilot Instructions |
| 2 | + |
| 3 | +## Project Overview |
| 4 | + |
| 5 | +WP Sudo is a WordPress plugin that provides action-gated reauthentication. Dangerous operations (plugin activation, user deletion, critical settings changes, etc.) require password confirmation before they proceed — regardless of user role. |
| 6 | + |
| 7 | +**Requirements:** WordPress 6.2+, PHP 8.0+ |
| 8 | + |
| 9 | +## Commands |
| 10 | + |
| 11 | +```bash |
| 12 | +composer install # Install dev dependencies |
| 13 | +composer test # Run all unit tests (PHPUnit 9.6) |
| 14 | +composer lint # Run PHPCS (WordPress-Extra + WordPress-Docs + WordPressVIPMinimum) |
| 15 | +composer lint:fix # Auto-fix PHPCS violations |
| 16 | +composer analyse # Run PHPStan level 6 (use --memory-limit=1G if needed) |
| 17 | +composer sbom # Regenerate CycloneDX SBOM (bom.json) |
| 18 | +``` |
| 19 | + |
| 20 | +No build step. No npm. No production dependencies — only dev dependencies. |
| 21 | + |
| 22 | +Always run `composer test` and `composer analyse` before committing. |
| 23 | + |
| 24 | +## Repository Structure |
| 25 | + |
| 26 | +- `wp-sudo.php` — Plugin entry point, autoloader, lifecycle hooks. |
| 27 | +- `includes/` — Core PHP classes (namespace `WP_Sudo`). Key classes: Plugin, Gate, Action_Registry, Challenge, Sudo_Session, Request_Stash, Admin, Admin_Bar, Site_Health, Upgrader. |
| 28 | +- `admin/js/` — Vanilla JS for challenge page and admin bar timer. No build step. |
| 29 | +- `admin/css/` — Stylesheets for challenge page and admin bar. |
| 30 | +- `tests/Unit/` — PHPUnit tests using Brain\Monkey (no WordPress loaded). |
| 31 | +- `bridges/` — Drop-in 2FA bridge files for third-party plugins. |
| 32 | +- `docs/` — Integration guides, AI guidance, testing prompts. |
| 33 | +- `bom.json` — CycloneDX SBOM (regenerate with `composer sbom`). |
| 34 | + |
| 35 | +## Architecture |
| 36 | + |
| 37 | +**Bootstrap:** `plugins_loaded` → `Plugin::init()` → loads translations, runs upgrader, registers gate, sets up challenge page, initializes admin UI. |
| 38 | + |
| 39 | +**Gate pattern:** Multi-surface interceptor matches incoming requests against the Action Registry (28 rules across 7 categories). Admin requests get the stash-challenge-replay flow. AJAX/REST get error responses. CLI/Cron/XML-RPC follow per-surface policies (Disabled, Limited, Unrestricted). |
| 40 | + |
| 41 | +**Sessions:** Cryptographic token stored in user meta + httponly cookie. Progressive rate limiting (5 attempts → 5-min lockout). |
| 42 | + |
| 43 | +## Coding Standards |
| 44 | + |
| 45 | +- WordPress Coding Standards (WPCS) enforced via PHPCS. |
| 46 | +- PHPStan level 6 with `szepeviktor/phpstan-wordpress`. |
| 47 | +- Conventional commit messages. |
| 48 | +- WCAG 2.1 AA accessibility throughout (ARIA labels, focus management, screen reader announcements). |
| 49 | +- No inline `<script>` blocks — all JS is enqueued as external files (CSP-compatible). |
| 50 | + |
| 51 | +## Testing |
| 52 | + |
| 53 | +Tests use Brain\Monkey to mock WordPress functions/hooks without loading WordPress, plus Mockery for object mocking and Patchwork for redefining `setcookie` and `header`. |
| 54 | + |
| 55 | +PHPUnit strict mode: tests must assert something, produce no output, and not trigger warnings. |
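Review bot: the `**Sessions:**` line should spell out the security invariants that generated code must preserve, not only where the token lives: whether the token stored in user meta is a hash of the cookie value or the plaintext value, and which cookie attributes (`Secure`, `SameSite`, cookie path) are set alongside `httponly`. As written, Copilot-generated code that creates, rotates or compares the session token has to guess at these, and this file exists precisely to remove that guesswork. Two smaller points: the `28 rules across 7 categories` count in the Gate paragraph is a hard-coded number that will drift as rules are added; point at `Action_Registry` as the source of truth instead. And the "Always run `composer test` and `composer analyse` before committing" line omits `composer lint`, even though the Coding Standards section says WPCS is enforced via PHPCS; add it, and consider folding `--memory-limit=1G` into the `analyse` script so the "if needed" hint in the Commands block is unnecessary.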