{"id":51525094,"url":"https://github.com/visiongaiatechnology/vgtdesk","last_synced_at":"2026-07-08T20:30:55.600Z","repository":{"id":359395853,"uuid":"1245778806","full_name":"visiongaiatechnology/vgtdesk","owner":"visiongaiatechnology","description":"VGT WP-Desk is a modular, zero-dependency WordPress Operator Workspace that transforms the classic WordPress admin interface into a high-performance, OS-style desktop environment. It combines a hook-preserving iframe workspace, per-user desktop state, multi-window productivity features, and an integrated defense-in-depth security","archived":false,"fork":false,"pushed_at":"2026-07-02T09:32:47.000Z","size":3938,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-07-02T10:28:22.678Z","etag":null,"topics":["dashboard","dashboard-design","os-theme","security","visiongaiatechnology","wordpress","wordpress-development","wordpresssecurity"],"latest_commit_sha":null,"homepage":"https://visiongaiatechnology.de","language":"PHP","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/visiongaiatechnology.png","metadata":{"files":{"readme":"README.md","changelog":"Changelog","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY_POSTURE.md","support":null,"governance":null,"roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-21T14:46:33.000Z","updated_at":"2026-07-02T09:32:51.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/visiongaiatechnology/vgtdesk","commit_stats":null,"previous_names":["visiongaiatechnology/vgtdesk"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/visiongaiatechnology/vgtdesk","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visiongaiatechnology%2Fvgtdesk","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visiongaiatechnology%2Fvgtdesk/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visiongaiatechnology%2Fvgtdesk/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visiongaiatechnology%2Fvgtdesk/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/visiongaiatechnology","download_url":"https://codeload.github.com/visiongaiatechnology/vgtdesk/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/visiongaiatechnology%2Fvgtdesk/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35278166,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-08T02:00:06.796Z","response_time":61,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dashboard","dashboard-design","os-theme","security","visiongaiatechnology","wordpress","wordpress-development","wordpresssecurity"],"created_at":"2026-07-08T20:30:55.515Z","updated_at":"2026-07-08T20:30:55.586Z","avatar_url":"https://github.com/visiongaiatechnology.png","language":"PHP","funding_links":["https://www.paypal.com/paypalme/dergoldenelotus"],"categories":[],"sub_categories":[],"readme":"# 🖥️ VGT WP-Desk — Hardened WordPress Operator Workspace\n\n\u003e *\"WordPress stays WordPress. The operator gets a hardened desktop above it.\"*\n\u003e *AGPLv3 — Local-first, framework-free and built for operators, not SaaS dashboards.*\n\n---\n\n[![License](https://img.shields.io/badge/License-AGPLv3-green?style=for-the-badge)](LICENSE)\n[![Version](https://img.shields.io/badge/Version-1.0.0--Beta__v4.1-brightgreen?style=for-the-badge)](#)\n[![Platform](https://img.shields.io/badge/Platform-WordPress-21759B?style=for-the-badge\u0026logo=wordpress)](#)\n[![PHP](https://img.shields.io/badge/PHP-8.1%2B-777BB4?style=for-the-badge\u0026logo=php)](#)\n[![Architecture](https://img.shields.io/badge/Architecture-Zero--Overheat_OS--Layer-blue?style=for-the-badge)](#)\n[![Engine](https://img.shields.io/badge/Engine-Vanilla_JS_%2F_CSS3-orange?style=for-the-badge)](#)\n[![Status](https://img.shields.io/badge/Status-BETA__V4.1-yellow?style=for-the-badge)](#)\n[![VGT](https://img.shields.io/badge/VGT-VisionGaiaTechnology-red?style=for-the-badge)](https://visiongaiatechnology.de)\n[![Security Review](https://img.shields.io/badge/Security_Posture-v4_Internal_Review-brightgreen?style=for-the-badge)](#security-posture--vgt-wp-desk-v4-stable)\n\n---\n\n## ⚠️ DISCLAIMER: BETA SOFTWARE\n\nThis project is currently in **Beta v4** and part of ongoing development at VisionGaia Technology. It is **not** yet a finalized production release.\n\n**Use at your own risk.** Test thoroughly in a staging environment before deploying to live sites.\n\nFound a bug or have an improvement? **Open an issue or contact us.**\n\n---\n\n## 🔐 Security Posture\n\nVGT WP-Desk v4 Stable has undergone an internal security posture review covering the desktop runtime, Security Center integrations, AJAX control layer, local telemetry, upload workflow and same-origin iframe workspace.\n\nWithin the reviewed scope, no exploitable vulnerabilities were identified.\n\nSee: [SECURITY_POSTURE.md](SECURITY_POSTURE.md)\n\n---\n\n\u003cimg width=\"2560\" height=\"1232\" alt=\"image\" src=\"https://github.com/user-attachments/assets/336383e1-653c-4353-aaea-7414d909b3bf\" /\u003e\n\n---\n\n## 🔍 What is VGT WP-Desk?\n\nVGT WP-Desk is a **modular, zero-dependency WordPress Operator Workspace** that transforms the classic WordPress admin interface into a high-performance, OS-style desktop environment with integrated security, diagnostics and local telemetry controls.\n\nIt is not a traditional admin theme and not a standalone security plugin. WP-Desk acts as a **hardened backend operating layer**: WordPress Core and third-party plugin interfaces remain intact, while WP-Desk provides a modern multi-window workspace, persistent per-user desktop state, same-origin iframe isolation and a unified Security Center.\n\nEngineered under the **Zero-Overheat Doctrine**, WP-Desk avoids heavy frameworks, external runtimes and build pipelines. The system is built with vanilla JavaScript, PHP and CSS, served locally from the WordPress installation, and designed to preserve compatibility with native WordPress hooks, admin screens and plugin workflows.\n\nInstalled plugins are automatically detected, mapped as desktop applications and opened inside a chromeless same-origin iframe workspace. This replaces fragmented sidebar navigation with a consistent operator cockpit while keeping the underlying WordPress admin screens functional and recognizable.\n\nStarting with **Beta v4**, WP-Desk evolves into a full **local-first operations and security environment**. The integrated Security Center combines **Sentinel**, **Throne Guard** and **Dattrack** into a single control layer for request protection, privilege hardening, diagnostics, local telemetry and recovery workflows.\n\n```text\nClassic WordPress Admin:\n→ Fragmented sidebar navigation\n→ Context-switching overhead\n→ No persistent workspace state\n→ Limited operational visibility\n→ No unified security control layer\n\nVGT WP-Desk Operator Workspace:\n→ OS-style multi-window desktop for WordPress\n→ Per-user opt-in with classic admin fallback\n→ Hook-preserving iframe workspace\n→ Automatic plugin-to-app mapping\n→ Folder Mode, layouts, widgets and persistent state\n→ Command Center for diagnostics and runtime operations\n→ Security Center integrating Sentinel, Throne Guard and Dattrack\n→ VGT Build Center unifying Form Builder, Chronos and Book Reader\n→ Sentinel Hardening Auditor with Cyberpunk scoring UI\n→ Local telemetry without third-party tracking\n→ Same-origin deep-link protection\n→ CSP-aware asset loading and DOM XSS hardening\n→ Zero-CDN, zero-build, zero-framework runtime\n```\n\n### Security Center\n\nThe WP-Desk Security Center brings the core VGT security components into one operator interface:\n\n```text\nVGT WP-Desk Security Center\n├── Sentinel\n│   ├── WAF status\n│   ├── threat logs\n│   ├── ban / unban controls\n│   └── request and payload protection\n│\n├── Throne Guard\n│   ├── privilege hardening\n│   ├── Master role protection\n│   ├── Superkey session gate\n│   └── toxic capability stripping\n│\n└── Dattrack\n    ├── local telemetry\n    ├── privacy-focused analytics\n    ├── visitor event insight\n    └── sovereign data storage\n```\n\n### VGT Build Center\n\nBeta v4 consolidates the builder toolchain under a single unified app icon (`dashicons-hammer`), replacing three separate menu entries:\n\n```text\nVGT Build Center\n├── Form Builder (Omega Vault)   ← AES-256-GCM encrypted form submissions\n├── Chronos Builder              ← WYSIWYG countdown and automation timer editor\n└── VGT Book Reader              ← Interactive PDF and media presentation system\n```\n\nSubmenus and AJAX routing load each builder interface directly into the iframe workspace — no context switching required.\n\nWP-Desk is designed for administrators, publishers, developers and security-conscious operators who want WordPress to remain self-hosted, extensible and familiar — while gaining a faster workspace, stronger operational control and a hardened local security layer.\n\n---\n\n## 🏛️ Architecture\n\n```\nWordPress Admin Request\n↓\nHeuristic Session Detection (PHP Engine)\n→ URL indicator: vgt_iframe=true\n→ Sec-Fetch-Dest: iframe header\n→ HTTP Referer analysis on form submissions\n↓\nSENTINEL CE BOOT SEQUENCE\n→ AEGIS WAF: anomaly scoring on all HTTP methods\n→ Input: 5-layer normalization pipeline\n→ Admin/editor exemption: SQLi/XSS weights zeroed; RCE/LFI active\n→ WAF exception: edit_posts + post.php / edit.php / wp-json REST endpoints\n→ CERBERUS: perimeter ban before WordPress user logic\n→ AIRLOCK: multipart/form-data binary inspection\n→ HADES: path masking + iframe continuity enforcement\n→ GHOST TRAP: honeypot access = instant hard-ban\n→ CHRONOS: async integrity scan (time-sliced cron)\n↓\nThrone Guard Capability Hardening \u0026 Session Gate\n→ 14 toxic Administrator permissions stripped → Master role exclusive\n→ SHA256 HMAC session fingerprinting (IP + User-Agent)\n→ Superkey verification (Argon2/Bcrypt) to unlock Master enclave\n→ Hardware Deactivation Lock\n→ CSP Admin Exception: nonce removed from admin CSP — preserves WP Core inline scripts\n↓\nModular PHP Kernel (Beta v4)\n→ desktop.php             ← lightweight bootstrapper / loader only\n→ WPDeskSettings          ← DB schema, settings tables, defaults\n→ WPDeskAppBuilder        ← dynamic WordPress menu parser → app matrix\n→ WPDeskPlugin            ← central controller: hooks, assets, AJAX dispatch, iframe rules\n↓\nPer-User Opt-in Check\n→ Desktop mode off by default\n→ Admin notice in classic backend → explicit per-user activation\n→ vgt_bypass=1 cookie → classic view for session\n↓\nIframeTransformer + CSP Nonce Bridge\n→ CSS-Grid injection into native WordPress list tables\n→ All injected styles/scripts receive Throne Guard request nonce\n↓\nDesktop Engine (9 Modules, Zero-Overheat)\n→ core → windows → draggable → icons → menus → widgets → spotlight → modals → folders\n→ VGTDeskEngine singleton — modules extend via Object.assign\n→ WordPress dependency chain guarantees load order\n↓\nRAM Hibernation Layer\n→ Minimized windows: iframe suspended to about:blank (memory freed)\n→ Restore: last URL rehydrated seamlessly from data-suspendedUrl\n↓\nPersistent Settings (Relational DB)\n→ {prefix}vgt_desk_settings — UNIQUE(user_id, setting_key)\n→ Delta-merge via array_replace_recursive\n→ Migration: wp_usermeta data imported on first load\n```\n\n\u003cimg width=\"1870\" height=\"1142\" alt=\"image\" src=\"https://github.com/user-attachments/assets/fbbb1b7f-cfce-45b7-86f3-28878a32cc09\" /\u003e\n\n---\n\n## 🧩 Feature Matrix\n\n### ⚡ 2.1 IframeTransformer — Hook-Preserving Tile Engine\n\n| Parameter | Value |\n|---|---|\n| **Method** | CSS-Grid injection into native WordPress admin list table DOM |\n| **Hook Preservation** | 100% — SEO columns, custom fields, all third-party hooks intact |\n| **Transformed Views** | Posts, Pages, Comments, Plugins |\n| **Layout Engine** | `display: grid !important` on native `tbody` element |\n| **CSP Compliance** | Full — Throne Guard nonce propagated to all injected assets |\n| **Dark Theme Injection** | Media, Themes, Menus pages receive consistent dark-mode overrides |\n| **SVG Branding** | Native SVG colors preserved — `filter: invert()` removed |\n\n\u003cimg width=\"1914\" height=\"914\" alt=\"Tile Engine Layout\" src=\"https://github.com/user-attachments/assets/3f3df87a-45ef-4666-a879-8831f791a0e2\" /\u003e\n\n---\n\n### 🖱️ 2.2 Multi-Window Workspace\n\n| Feature | Detail |\n|---|---|\n| **8-Edge Resizing** | Eight invisible edge/corner zones on every window |\n| **Drag Threshold (4px)** | Micro-jitter filtered — double-click isolation preserved |\n| **Double-Click Maximize** | Header double-click toggles maximize; drag-to-restore on dragging maximized window |\n| **Aero Snap** | Drag to top: maximize preview → drop to maximize. Drag to left/right edge: half-screen snap with preview outline |\n| **Window Bounds Guard** | Drag capped at `top: 0` — windows cannot slide under top bar |\n| **Resize Bounds Guard** | Top-edge resize stops at `top: 0` with correct height compensation |\n| **Iframe Isolation** | Chromeless iframe per window — full WordPress functionality, no navigation bleed |\n| **Hades Continuity** | Plugin redirect breakouts from iframe workspace structurally prevented |\n| **Custom Scrollbars** | Global slim translucent scrollbars matching glassmorphic style |\n\n\u003cimg width=\"1917\" height=\"908\" alt=\"Multi-Window Workspace\" src=\"https://github.com/user-attachments/assets/1b9b8656-5866-4443-a9a8-ed2c7f7a724b\" /\u003e\n\n---\n\n### 📁 2.3 Desktop Folder Mode\n\nApp grouping directly on the desktop workspace — no page reload required.\n\n**Creating \u0026 Managing Folders:**\n- Right-click empty desktop area → context menu → **📁 New Folder** → glassmorphic name prompt\n- Folders snap to the desktop icon grid with collision-avoidance\n- Right-click a folder icon → rename ✏️ or delete 🗑️ directly\n\n**Drag-and-Drop Grouping:**\n- Drag any app icon onto a folder icon — bounding box overlap detection triggers grouping\n- App icon disappears from desktop; coordinates cleared; settings saved automatically\n- Folder icon updates app count\n\n**Folder Window:**\n- Click folder → dedicated folder window with grouped app grid\n- Launch any grouped app directly from the folder window\n- Hover an app → × button restores it to the desktop workspace\n- Rename or delete folder — all contained apps are restored to default grid positions on deletion\n\n**Persistence:**\n- Full folder structure (names, contents, positions) persisted in `vgt_desk_settings` via delta-merge AJAX\n- Survives page reload — state rehydrated from DB on load\n\n---\n\n### 🔤 2.4 WordPress Submenus\n\nNative WordPress submenus surfaced as glassmorphic dropdown popups — no navigation away from the desktop required.\n\n**Backend (PHP):**\n- `build_dynamic_plugin_apps()` in `desktop.php` parses the global `$submenu` array\n- Capability check via `current_user_can` — users only see submenus they have access to\n- Submenu structure injected into the JS config under each app's `submenus` array\n\n**Frontend (XSS-Safe):**\n- Click an app icon or start menu item with submenus → `openSubmenuPopup()` renders at cursor position\n- All submenu items built via `document.createElement` + `textContent` — zero innerHTML injection\n- Clicking a submenu item loads the child page in the parent window's iframe (`vgt_iframe=true`)\n- Window title bar updates: `Parent Title › Submenu Title`\n\n---\n\n### 🖼️ 2.5 Multi-Layout Workspace\n\nThree complete OS aesthetic styles, switchable at runtime via Control Center or Spotlight CLI.\n\n| Layout | Style | Dock Position | Maximize Behavior |\n|---|---|---|---|\n| **macOS Cupertino** | Menu bar top, floating centered dock | Bottom | Full workspace bounds |\n| **Windows Redmond** | Bottom taskbar (full width), Windows 11 dock inside | Bottom bar | `height: calc(100% - 48px)` — taskbar stays visible |\n| **Linux Tux** | Vertical sidebar dock (left) | Left side | `left: 80px; width: calc(100% - 80px)` |\n\n**Windows 10 Start Menu:**\nThree-column layout: left sidebar strip (user profile, settings, power), center scrollable A–Z app list, right 3-column pinned tiles grid. Sections auto-hide when search filters empty them.\n\n**Spotlight CLI:** `/layout [macos|windows|linux]` — switches layout with sound feedback and icon recalculation.\n\n**Aero Snap Layout-Awareness:** Snap preview zones and half-screen drop targets shift to clear the active layout's taskbar/sidebar boundaries.\n\n**SVG Protocol Fix:** `esc_attr` instead of `esc_url` for `data:image/svg+xml;base64` URIs — WordPress no longer strips the `data:` protocol from custom SVGs.\n\n---\n\n### ⚙️ 2.6 Command Center\n\nUnified administration panel replacing the previous settings window — split glassmorphic layout with left navigation tabs and scrollable right content.\n\n**Real-Time Diagnostics:**\n- CPU load + RAM usage with live progress bars (red highlight above 80%)\n- Active Sentinel WAF / Throne Guard state\n- Database footprint across all 6 VGT metadata/log tables\n- Embedded terminal console with real-time system event log stream\n- 5-second polling loop — active only when Command Center is open\n\n**Enclave Security Center:**\n- Active IP Ban Manager — queries both Sentinel CE and Sentinel V7 tables\n- Unban IP: `ajax_unban_ip()` deletes blacklist record live\n- Superkey update: `ajax_update_superkey()` — verifies current key via `password_verify`, enforces 12-character minimum\n\n**Display \u0026 Personalization:**\n- Resolution scaling slider (10px–24px) — updates `--vgt-font-size` on `:root` + DB sync\n- Layout switcher (macOS / Windows / Linux)\n- Wallpaper selector + custom URL input (same-origin enforced — Beta v4)\n- HSL accent color theme matrix\n\n**Keyboard Shortcuts Mapper:**\n- Click \"Record\" → captures modifier key (Ctrl/Alt/Shift/Meta) + `e.code`\n- Saved to user settings — persisted in `vgt_desk_settings`\n- Global `initShortcuts()` listener matches recorded keys to desktop window actions\n\n---\n\n### 🛡️ 2.7 Sentinel Hardening Auditor *(New in Beta v4)*\n\nThe WordPress security audit system is now deeply integrated into the VGT Security Center, replacing the previous standalone view.\n\n**Sentinel Auto-Awareness:**\nAutomatically detects whether Sentinel CE or Enterprise V7 is active, checks which defense modules are running (Airlock, Cerberus, Titan) and reflects their state positively in the security index — no manual configuration.\n\n**Cyberpunk Scoring UI:**\n- **Cyber-corner brackets** — cards render with glowing cyan corner markers\n- **Animated scan line** — neon-blue vertical scanner animates during audit execution\n- **Angled cyber button** — start button rendered with futuristic `clip-path` bevel\n- **Cockpit-style score display** — large luminous digital index readout\n- **Interactive tier grid** — four tier boxes (DIAMANT / PLATIN GOLD / VGT SECURED / CRITICAL RISK) remain greyed out at idle; illuminate in their respective neon color on scan completion based on achieved score\n- **Red warning row highlighting** — all unresolved audit items receive a left-edge red indicator bar, a red-tinted row background and bright red status text — directing the administrator immediately to open vulnerabilities\n\n**Score Index Fix:**\n`ScoreMax` is no longer hardcoded to 33 but dynamically counts the actual number of test vectors executed (29). 27 passed tests now correctly report 93% instead of the previously distorted 82%.\n\n---\n\n### 🔒 2.8 Security Architecture — Defense in Depth\n\n**Integrated Sentinel CE (v1.7.1):**\n\nAEGIS, CERBERUS, AIRLOCK, HADES, CHRONOS, and GHOST TRAP integrated into boot sequence. See [Sentinel CE README](https://github.com/visiongaiatechnology/sentinelcom) for full module documentation.\n\n**AEGIS WAF Exceptions:**\n- `edit_posts` / `manage_options` users: all pattern weights zeroed on `post.php`, `edit.php`, `/wp-json/wp/v2/` — administrators can save posts containing technical terms without 403 blocks\n- WooCommerce checkout fields cleared before scan\n- Gutenberg REST API thresholds raised to 50\n\n**Integrity Scanner Hardening:**\n- `integrity_matrix.php` no longer stores executable PHP and is never loaded via `include`\n- Refactored to PHP/JSON hybrid: `\u003c?php defined('ABSPATH') || exit; ?\u003e` header prevents direct-access leak; data loaded via `file_get_contents` + `json_decode` — execution pathway eliminated\n\n**Path Jail (Plugin Scanner):**\n- Trailing slash boundary enforced on both base directory and target directory\n- Prevents directory shadowing (`plugins-backup/` matching against `plugins/`)\n\n**DOM XSS (Mock Console):**\n- Terminal input HTML-entity-escaped via strict regex before `innerHTML` render — self-XSS vector closed\n\n**Login Settings CSS Injection:**\n- `preg_replace('/[()\\'\\\"\\\\\\\\]/', '', ...)` applied to background image and logo URL values at save and render time\n- Prevents quote/parenthesis characters from breaking `url('...')` CSS context\n\n**Wallpaper Same-Origin Enforcement (Beta v4):**\n- On save, wallpaper URLs are restricted to same-origin connections, the WordPress media library (including CDNs) or local base64 presets\n- Eliminates cross-site image tracking vectors via external wallpaper servers\n\n**CSP Admin Fix:**\n- Nonce removed from `Content-Security-Policy` header during `is_admin()` — WordPress Core inline scripts (Heartbeat, inline-edit) no longer blocked by overly strict CSP\n\n**SAMEORIGIN Iframe Fix (Beta v4):**\n- `vault.php` previously sent `X-Frame-Options: DENY` — this blocked the Form Builder from loading inside the desktop workspace\n- Replaced with `SAMEORIGIN` combined with CSP `frame-ancestors 'self'`\n\n**Scope-Limited Error Handlers (Beta v4):**\n- Globally registered error handlers in the Security Center are now strictly scoped to `VGT_WPDESK_PATH`\n- Warnings from WordPress Core or third-party plugins can no longer trigger a \"Critical Kernel Failure\" in the audit system\n\n**SQL Identifier Hardening (Beta v4):**\n- SQL identifiers in the database optimization routine are backtick-escaped via `str_replace('`','``',$table)` — injection pattern closed\n\n**AJAX Exception Hardening (Beta v4 — DIAMANT VGT SUPREME):**\n- Five major AJAX actions (`ajax_ban_ip`, `ajax_get_task_manager_stats`, `ajax_unschedule_cron`, `ajax_kill_transient`, `ajax_optimize_database`) now catch typed exception hierarchies: `SecurityException`, `ValidationException`, `StorageException`, and a final `\\Throwable` fallback\n- Opaque generic responses returned to client on failure — full tracebacks written to server `error_log` only\n\n**Throne Guard Integration (v2.6.0):**\n- 14 toxic capabilities stripped from `administrator` → `master` role exclusive\n- SHA256 HMAC session fingerprinting — session hijacking neutralized\n- Superkey vault (Argon2/Bcrypt) with `password_verify` verification\n- Hardware Deactivation Lock\n- Jailed Upload Vault (`/mcp_vault/`) — GD/Imagick CDR re-encoding, EXIF strip, `umask(0077)`\n\n**WP-Desk Layer:**\n- AJAX Capability Guard on all persistence endpoints\n- Deep-Link Origin Guard: `URL.origin` validated — external origins blocked\n- CSRF Nonce Hardening on all state-changing AJAX actions\n- `escapeHTML()` + `cleanUrl()` (`javascript:` → `about:blank`) on all DOM injection\n\n---\n\n### 💡 2.9 Desktop Engine Modularization\n\n`desktop.js` (3,250+ lines) decomposed into 9 isolated modules under `assets/js/modules/`. Each module extends the global `window.VGTDeskEngine` singleton via `Object.assign` — no build pipeline, no transpiler.\n\n| Module | Responsibility |\n|---|---|\n| `desktop-core.js` | Config, XSS escaping, URL safety, AJAX sync, clock, Web Audio |\n| `desktop-windows.js` | Create, close, minimize, maximize, focus, iframe navigation, Command Center |\n| `desktop-draggable.js` | Window drag, resize, Aero Snap layout grids |\n| `desktop-icons.js` | Icon grid arrangement, drag-and-drop, collision detection |\n| `desktop-menus.js` | Dock, start menu, context menus, keyboard shortcuts, submenu popups, layout switcher |\n| `desktop-widgets.js` | Clock, Notes, Sentinel widget, CPU latency graph animation |\n| `desktop-spotlight.js` | Spotlight search (Alt+Space), CLI command parser (`/layout`) |\n| `desktop-modals.js` | Glassmorphic modal dialogs replacing native `prompt()` / `confirm()` |\n| `desktop-folders.js` | Folder create/rename/delete, drag-and-drop grouping, folder window management |\n\n**Main Orchestrator (`desktop.js`):** Reduced to 61 lines. Triggers module init routines in dependency order after `DOMContentLoaded`.\n\n**WordPress Dependency Chain:** `vgt-desktop-core` is the foundation (carries `wp_localize_script` config). All modules declare it as dependency. `vgt-desktop-js` declares all 9 modules as dependencies — WordPress guarantees load order automatically.\n\n---\n\n### 💾 2.10 Performance \u0026 Persistence\n\n**RAM Hibernation (Iframe Suspend):**\n- Minimizing a window: after CSS animation completes, `suspendIframe(id)` saves current `location.href` to `data-suspendedUrl` → iframe replaced with `about:blank` → client RAM freed\n- Restoring (dock/start menu): `data-suspendedUrl` rehydrated into iframe seamlessly\n- Closing: same suspension before removal\n\n**Custom Relational DB Layer:**\n- `{prefix}vgt_desk_settings` — `UNIQUE(user_id, setting_key)` index\n- Delta-merge: `array_replace_recursive` for JSON objects (folders, window positions, icon coordinates)\n- Migration: existing `wp_usermeta` data imported automatically on first desktop load\n- Single-query reads per settings fetch — no N+1 on startup\n\n**Per-User Opt-in:**\n- Desktop mode **off by default** for all users\n- Admin notice in classic backend → explicit per-user activation button\n- `Settings → Desktop as Default View` toggle for persistent preference\n- `?vgt_bypass=1` → classic view for session; `auto_redirect` set to `false` in DB — redirect loops permanently prevented\n\n**Viewport Dimension Auto-Fit (Beta v4):**\n- `#vgt-shell-root` width/height boundaries dynamically recalculated on resize (`innerWidth / zoom`, `innerHeight / zoom`) — eliminates blank borders and scrollbars under any zoom factor\n- Parent WordPress layout containers (`html`, `body`, `#wpwrap`, `#wpcontent`) forced to strictly clipped boundaries (`overflow: hidden !important`)\n- Widgets positioned on the right half of the workspace are saved as relative `right` properties — correct edge-relative spacing maintained across zoom changes\n\n**Cookie Hardening:**\n- `setcookie()` corrected to PHP 7.3+ `$cookie_options` array signature — fatal error on classic view toggle eliminated\n\n---\n\n### 🎨 2.11 Glassmorphic UI \u0026 Custom Modals\n\n**Wallpaper Engine:** Local WebP assets, preset collection + custom URL (same-origin enforced), zero third-party CDN requests.\n\n**Accent Colors:** Indigo / Emerald / Cyan / Amber / Rose — dynamically applied to badges, buttons, dock LEDs, Sentinel widget, snap preview borders.\n\n**Custom Modal Dialogues (`showModal`):**\n- Replaces all native `prompt()` and `confirm()` calls: folder create, folder rename, folder delete, settings reset\n- Glassmorphic overlay, styled to match desktop theme\n- Used in: `createNewFolder()`, `renameFolder()`, `deleteFolder()`, `resetAllSettings()`\n\n**Widget Visibility Manager:** Individual toggle grid in Control Center — Clock, System Metrics, Notes, Sentinel each independently togglable with immediate visual feedback.\n\n---\n\n## 📜 Changelog\n\n### v1.0.0-Beta v4.1 — Patch Release *(Current)*\n\n#### Sentinel CE → v1.7.1\n\nSentinel CE updated to v1.7.1 to ensure schema and activation updates re-run cleanly on existing installations.\n\n#### Stability \u0026 Rendering Fixes\n\n- **Black screen after Quarantine/Genesis accept** — resolved; workspace now renders correctly after operator actions\n- **Dashboard/DOM rendering hardened** — broken partial renders no longer block the entire admin UI\n- **Security Center / Build Center rendering stabilized** — edge-case load failures caught and recovered gracefully\n- **Widget positioning corrected** — widgets no longer drift off-screen to the right; positioning adapts cleanly to resolution and viewport changes\n- **Throne Guard detection after reinstall stabilized** — role and capability state correctly re-evaluated on fresh activations\n\n#### Sentinel Fallback Logic\n\n- Sentinel V7 and Sentinel CE now detect each other more reliably\n- CE automatically stands down when V7 is present and active\n- Encoding damage in UI text and symbols handled without triggering global re-encoding passes\n\n#### Sentinel CE Ban System\n\n- Temporary bans now support `expires_at` timestamps\n- Expired bans are automatically purged on evaluation\n- Database index added for ban expiry dates — performant at scale\n\n#### Vault \u0026 Scanner Hardening\n\n- **Vault protection hardened:** directories set to `0700`, protection files and manifest set to `0600`, all writes use `LOCK_EX`\n- **Scanner manifest hardening:** both temporary and final manifest files written with restrictive permissions\n\n#### Airlock Upload Protection\n\nAirlock's file upload inspection significantly expanded:\n\n- Real file size validation via `filesize()` — client-supplied size claims no longer trusted\n- MIME type detection via `finfo` — extension-based detection replaced\n- Image type cross-check via `IMAGETYPE_*` constants\n- SVG files blocked at upload stage\n- Archive path validation: ZIP and Office files inspected for traversal paths and executable content\n- SVG vector scan: files checked against script tags, event handlers, `javascript:` URIs, `foreignObject`, iframe/object/embed elements and external/data href vectors\n\n#### Network \u0026 IP Hardening\n\n- Cloudflare IPv4/IPv6 CIDR ranges added to IP resolution\n- Configurable trusted proxy CIDRs supported\n- `X-Forwarded-For`, `X-Real-IP` and `CF-Connecting-IP` evaluated only in trusted proxy context — no header spoofing surface in default mode\n\n#### Titan Security Headers\n\n- Deprecated `X-XSS-Protection` header removed\n- Optional CSP baseline added to Titan configuration\n\n#### Styx Lite\n\n- Optional outbound allowlist and denylist for external requests added\n- Dashboard configuration extended for CSP baseline, Styx outbound policy and trusted proxy CIDRs\n\n#### Compatibility\n\n- **PHP 7.4 compatibility restored:** PHP 8-only constructs (`match`, `str_contains`, `str_starts_with`, `str_ends_with`) removed — codebase now runs cleanly on PHP 7.4+\n- **Fatal in `class-vis-network.php` fixed:** invisible UTF-8 BOM before `\u003c?php` removed — `declare(strict_types=1)` now parses correctly\n\n---\n\n### v1.0.0-Beta v4 — Stability, Scaling \u0026 Security Update\n\n#### Modular PHP Kernel Architecture\n\nThe monolithic `desktop.php` has been fully decoupled into a clean object-oriented service structure:\n\n- `desktop.php` — reduced to a lightweight bootstrapper that declares the license and delegates startup\n- `class-vgt-wpdesk-settings.php` — encapsulates all DB schema creation, settings tables and defaults\n- `class-vgt-wpdesk-app-builder.php` — dynamically parses the WordPress menu and builds the app matrix for the desktop dock\n- `class-vgt-wpdesk-plugin.php` — central controller for hooks, assets, AJAX dispatching and iframe rules\n\n#### VGT Build Center Consolidation\n\nForm Builder, Chronos Builder and Book Reader consolidated under a single **VGT Build Center** app icon (`dashicons-hammer`). The main menu is decluttered; submenus and AJAX routing navigate each builder interface inside the iframe workspace seamlessly.\n\n#### Sentinel Hardening Auditor Integration\n\n- **Sentinel Auto-Awareness:** Detects active Sentinel CE or V7, checks running defense modules (Airlock, Cerberus, Titan) and reflects their status in the security index automatically\n- Raw JSON export boxes and export buttons removed — interface integrated cleanly into the admin view\n- **Cyberpunk UI:** Cyan corner brackets, animated neon scan line, angled clip-path start button, cockpit-style score display, interactive tier grid (DIAMANT / PLATIN GOLD / VGT SECURED / CRITICAL RISK) illuminating on scan completion\n- **Red warning row highlighting** on all unresolved audit items\n- **Score index fix:** `ScoreMax` now dynamically counts actual test vectors (29) — 27 passed tests correctly report 93% instead of 82%\n\n#### Dattrack Telemetry Integration \u0026 V7 Conflict Resolution\n\n- Dattrack integrated as an opt-in telemetry module within the desktop settings ecosystem\n- **Sentinel V7 class collision fix:** `class_exists('VGT_Crypto')` guards prevent PHP fatal `Cannot declare class` errors when premium suites are present\n- **Dynamic module activation:** `class_exists` + `method_exists` defensive wrappers on `VGT_Dashboard::get_vault_metrics()` — no critical failure on telemetry view navigation\n- **Premium isolation guard:** Engine boot deferred to `plugins_loaded` — if Sentinel V7 is active, Dattrack dashboard, app icons, widgets and wizard steps are hidden automatically (wizard shortens from 7 to 6 steps)\n\n#### UI Resolution Scaling \u0026 Window Snapping Fixes\n\n- **JS compiler restoration:** Fixed `SyntaxError: Identifier 'zoom' has already been declared` in `desktop-draggable.js` — this blocked all desktop JS module execution when scaling was adjusted\n- **Viewport auto-fit:** Dynamic `#vgt-shell-root` boundary recalculation on resize prevents blank borders and scrollbars at any zoom level\n- **Canvas overflow overrides:** Parent WordPress layout containers forced to `overflow: hidden !important`\n- **Drift-free widget docking:** Right-half widgets saved as relative `right` coordinates — correct spacing maintained across zoom changes\n- **Invisible wall fix:** Drag-and-drop boundaries recalculated relative to scaled zoom grids — free movement across all screen edges restored\n\n#### Security Hardening (DIAMANT VGT SUPREME)\n\n- **AJAX exception hardening:** Five major admin AJAX actions now catch typed exception hierarchies (`SecurityException`, `ValidationException`, `StorageException`, `\\Throwable`) — opaque generic responses to client, full tracebacks to `error_log` only\n- **Wallpaper same-origin enforcement:** External wallpaper URLs blocked — same-origin, WordPress media library or local base64 presets only\n- **SAMEORIGIN iframe fix:** `vault.php` `X-Frame-Options: DENY` replaced with `SAMEORIGIN` + CSP `frame-ancestors 'self'` — Form Builder loads correctly inside the workspace\n- **Scope-limited error handlers:** Security Center error handlers scoped to `VGT_WPDESK_PATH` — third-party plugin warnings can no longer trigger audit system failures\n- **SQL identifier hardening:** Backtick-escaping applied to table names in the DB optimization routine\n- **Recovery Center bugfix:** PHP fatal error resolved — deprecated `$this-\u003eget_user_settings()` replaced with static `WPDeskSettings` service call\n- **Sandbox test transparency:** Auditor now displays a clear notice that a temporary isolated test file is created in the uploads directory during scan and deleted immediately after\n\n#### File Headers\n\nAll files standardized with `// STATUS: 💠 DIAMANT VGT SUPREME` verification headers.\n\n---\n\n## ⚙️ Technical Specifications\n\n| Metric | Specification |\n|---|---|\n| **Required WordPress** | 6.0+ |\n| **Required PHP** | 8.1+ (Strict Types enforced) |\n| **Frontend Frameworks** | None — 100% Vanilla JS (ES6+) / CSS Custom Variables |\n| **Compilation Overhead** | Zero — no Node.js, no Vite, no TypeScript at runtime |\n| **JS Architecture** | 9 isolated modules + 61-line orchestrator |\n| **PHP Architecture** | Modular service classes (Settings / AppBuilder / Plugin) + lightweight bootstrapper |\n| **Database Footprint** | `{prefix}vgt_desk_settings` (relational, delta-merge) + `{prefix}mcp_user_roles` |\n| **Runtime External Calls** | Zero |\n| **WAF Engine** | AEGIS Anomaly Scoring — Sentinel CE v1.7.1 / Sentinel V7 |\n| **Session Hardening** | Throne Guard v2.6.0 |\n| **Bypass Mechanism** | `?vgt_bypass=1` — classic view for session |\n| **Default Mode** | Off — explicit per-user opt-in required |\n\n---\n\n## 🚀 Installation\n\n```bash\n# 1. Clone into WordPress plugins directory\ncd /var/www/html/wp-content/plugins/\ngit clone https://github.com/visiongaiatechnology/vgtdesk\n\n# 2. Activate in WordPress Admin\n# Plugins → VGT WP-Desk → Activate\n\n# 3. Opt-in to Desktop Mode\n# Admin notice appears in classic backend → click to activate for your user\n# Or: WP-Desk menu → Settings → Desktop as Default View\n\n# 4. Initialize Throne Guard (Critical — do this first)\n# Desktop → Master User Control app → set Superkey (12+ chars) + configure role hardening\n\n# 5. Configure Sentinel CE / V7\n# Desktop → Sentinel widget → verify AEGIS, CERBERUS, AIRLOCK, HADES, CHRONOS, GHOST TRAP active\n\n# 6. Select Layout (Optional)\n# Command Center → Display → Layout\n# Or: Alt+Space → /layout [macos|windows|linux]\n\n# 7. Emergency bypass (if locked out)\n# Append ?vgt_bypass=1 to any admin URL\n```\n\n---\n\n## 🔗 VGT Ecosystem\n\n| Tool | Type | Purpose |\n|---|---|---|\n| 🖥️ **VGT WP-Desk** | **OS-Layer / UX** | Premium desktop interface for WordPress backend — you are here |\n| 🏰 **VGT Throne Guard** | **Hardening** | Toxic capability stripping + Superkey vault — integrated |\n| ⚔️ **[VGT Sentinel](https://github.com/visiongaiatechnology/sentinelcom)** | **WAF / IDS** | Zero-Trust WordPress WAF — integrated |\n| 🛡️ **[VGT Myrmidon](https://github.com/visiongaiatechnology/vgtmyrmidon)** | **ZTNA** | Zero Trust device registry and cryptographic integrity verification |\n| ⚡ **[VGT Auto-Punisher](https://github.com/visiongaiatechnology/vgt-auto-punisher)** | **IDS** | L4+L7 Hybrid IDS — attackers terminated before they even knock |\n| 📊 **[VGT Dattrack](https://github.com/visiongaiatechnology/dattrack)** | **Analytics** | Sovereign analytics engine — your data, your server, no third parties |\n| 🔐 **[VGT Omega Vault](https://github.com/visiongaiatechnology/vgt-omega-vault)** | **Encrypted Forms** | AES-256-GCM form vault with drag-and-drop builder — integrated via Build Center |\n| 🌐 **[VGT Global Threat Sync](https://github.com/visiongaiatechnology/vgt-global-threat-sync)** | **Preventive** | Daily threat feed — block known attackers before arrival |\n\n---\n\n## 💰 Support the Project\n\n[![Donate via PayPal](https://img.shields.io/badge/Donate-PayPal-00457C?style=for-the-badge\u0026logo=paypal)](https://www.paypal.com/paypalme/dergoldenelotus)\n\n| Method | Address |\n|---|---|\n| **PayPal** | [paypal.me/dergoldenelotus](https://www.paypal.com/paypalme/dergoldenelotus) |\n| **Bitcoin** | `bc1q3ue5gq822tddmkdrek79adlkm36fatat3lz0dm` |\n| **ETH** | `0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85` |\n| **USDT (ERC-20)** | `0xD37DEfb09e07bD775EaaE9ccDaFE3a5b2348Fe85` |\n\n---\n\n## 🤝 Contributing\n\nPull requests are welcome. For major changes, open an issue first.\n\nLicensed under **AGPLv3** — *\"For Humans, not for SaaS Corporations.\"*\n\n---\n\n## 🏢 Built by VisionGaia Technology\n\n[![VGT](https://img.shields.io/badge/VGT-VisionGaia_Technology-red?style=for-the-badge)](https://visiongaiatechnology.de)\n\nVisionGaia Technology builds enterprise-grade infrastructure — engineered to the DIAMANT VGT SUPREME standard.\n\n\u003e *\"WP-Desk was built because WordPress administrators deserved a workspace that doesn't fragment their attention, doesn't phone home, and doesn't ask them to accept a degraded UX as the price of using the world's most popular CMS. Beta v4 raises the bar further: a modular PHP kernel, a consolidated Build Center, a Cyberpunk-grade security auditor and a full scaling overhaul — all still running on zero dependencies, zero build pipeline and zero external calls.\"*\n\n---\n\n*Version 1.0.0-Beta v4.1 — VGT WP-Desk // Modular PHP Kernel // 9-Engine Desktop // Multi-Layout (macOS/Windows/Linux) // Command Center // VGT Build Center // Sentinel Hardening Auditor // Folder Mode // Submenus // Aero Snap // RAM Hibernation // Dattrack Telemetry // Relational DB // Sentinel CE v1.7.1 // Throne Guard v2.6.0 // Airlock Upload Hardening // PHP 7.4 Compatible // Zero-Overheat Architecture // AGPLv3*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvisiongaiatechnology%2Fvgtdesk","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvisiongaiatechnology%2Fvgtdesk","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvisiongaiatechnology%2Fvgtdesk/lists"}