Peace Protocol

Peace Protocol enables WordPress site administrators to authenticate as their website and send cryptographically signed 「peace」 messages to other WordPress sites running the same protocol. This creates a decentralized network where admins can establish trust relationships, share peace, and enable cross-site interactions.

🔒 **Security-First Design**

Admin-Only Authentication

• WordPress Administrators Only: This plugin is designed exclusively for WordPress site administrators
• Site-Level Authentication: Admins authenticate as their website, not as individual users
• No Public Registration: No public user registration system – only federated users created after secure handshakes
• Cryptographic Tokens: Each site uses cryptographically secure tokens for authentication

Federated User System

• Limited Permissions: Federated users can only comment on posts, no admin access
• Automatic Cleanup: Federated users are removed when the plugin is uninstalled
• Role-Based Security: Federated users have the federated_peer role with minimal capabilities
• No Dashboard Access: Federated users cannot access WordPress admin areas

Token Security

• Cryptographically Secure: Tokens are generated using WordPress』s secure password generator
• Token Rotation: Support for multiple tokens with automatic rotation
• Secure Storage: Tokens are stored securely in WordPress options
• Expiring Authorization Codes: Authorization codes expire after 5 minutes

🌟 **Key Features**

Core Functionality

• Send Peace: Send cryptographically signed peace messages to other WordPress sites
• Peace Log Wall: Display received peace messages using the [peaceprotocol_log_wall] shortcode
• Automatic Feed Subscription: Automatically subscribe to peace feeds from sites you connect with
• Token Management: Generate, rotate, and manage authentication tokens
• User Banning System: Ban problematic users with reason tracking
• IndieAuth Support: Alternative authentication using the IndieAuth standard with PKCE

Federated Login System

• Cross-Site Authentication: Users from remote sites can comment as their site identity
• Seamless Integration: Works with existing WordPress comment systems
• Secure Handshake: Only sites completing the cryptographic handshake can create federated logins
• Automatic User Creation: Creates federated users automatically after successful handshake
• Dual Authentication: Support for both Peace Protocol tokens and IndieAuth standard

Admin Interface

• Token Management: Generate, view, and delete authentication tokens
• Feed Management: View and manage subscribed peace feeds
• Peace Log: View all received peace messages in the admin area
• User Banning: Ban users with reason tracking and management
• Settings Configuration: Configure button position and auto-insertion

Frontend Features

• Peace Button: Floating peace hand button (✌️) that can be positioned anywhere
• Auto-Insertion: Automatically insert the peace button on your site
• Shortcode Support: Use [peaceprotocol_hand_button] to manually place the button
• Responsive Design: Works on all devices and screen sizes
• Dark Mode Support: Automatically adapts to user』s color scheme preference
• Choice Modal: User-friendly modal to choose between Peace Protocol and IndieAuth authentication

Technical Features

• REST API: Modern REST API endpoints for all functionality
• AJAX Fallback: AJAX endpoints for sites with REST API disabled
• CORS Support: Proper CORS headers for cross-site communication
• Translation Ready: Full internationalization support with multiple languages
• Custom Post Types: Uses custom post types for peace logs
• IndieAuth Endpoints: Full IndieAuth specification compliance with authorization and token endpoints
• PKCE Support: Proof Key for Code Exchange for enhanced security

🚀 **How It Works**

For WordPress Administrators

1. Install & Activate: Install the plugin and activate it on your WordPress site
2. Generate Tokens: Go to Settings > Peace Protocol and generate authentication tokens
3. Send Peace: Use the peace button to send cryptographically signed peace to other sites
4. Build Network: Connect with other WordPress sites and build a network of trust

Federated Login Process

Peace Protocol Authentication

1. User from Site A visits Site B and wants to comment
2. User clicks 「Peace」 button on Site B
3. User chooses 「Login with Peace Protocol」 from the choice modal
4. Site B redirects to Site A for authentication
5. Site A validates the user and generates an authorization code
6. User is redirected back to Site B with the authorization code
7. Site B automatically logs in the user as a federated user from Site A
8. User can comment on Site B as 「siteacom」

IndieAuth Authentication

1. User from Site A visits Site B and wants to comment
2. User clicks 「Peace」 button on Site B
3. User chooses 「Login with IndieAuth」 from the choice modal
4. Site B discovers IndieAuth endpoints on Site A
5. Site B redirects to Site A』s IndieAuth authorization endpoint
6. Site A validates the user and generates an authorization code
7. User is redirected back to Site B with the authorization code
8. Site B exchanges the code for an access token using PKCE
9. Site B automatically logs in the user as a federated user from Site A
10. User can comment on Site B as 「Logged in as siteacom」

Security Flow

1. Cryptographic Handshake: Sites exchange cryptographically signed tokens
2. Token Validation: Each peace message is validated using secure tokens
3. Federated User Creation: Only after successful handshake are federated users created
4. Limited Permissions: Federated users have minimal permissions and no admin access
5. Automatic Cleanup: All federated data is removed on plugin uninstall

🛡️ **Security Considerations**

What This Plugin Does NOT Do

• ❌ No Public User Registration: Only WordPress administrators can use this plugin (federated users are created automatically after secure handshakes)
• ❌ No Admin Access for Federated Users: Federated users cannot access WordPress admin
• ❌ No Database Access: Federated users cannot access sensitive site data
• ❌ No File System Access: Federated users cannot upload or modify files
• ❌ No Plugin/Theme Management: Federated users cannot install or modify plugins/themes

What This Plugin DOES Do

• ✅ Site-to-Site Authentication: WordPress admins authenticate as their website
• ✅ Cryptographic Verification: All peace messages are cryptographically signed
• ✅ Limited Federated Access: Federated users can only comment on posts
• ✅ Automatic Cleanup: All federated data is removed on uninstall
• ✅ Secure Token Management: Tokens are cryptographically secure and can be rotated

🌍 **Internationalization**

Peace Protocol is fully translation-ready and includes translations for:
– English (default)
– Spanish (es_ES)
– French (fr_FR)
– Japanese (ja)
– Chinese Simplified (zh_CN)