Add support for application passwords via env vars and wp-cli.yml config #151

Open
Copilot wants to merge 7 commits into main from copilot/add-support-for-application-passwords

Copilot AI commented Mar 19, 2026

WordPress 5.6+ application passwords could only be supplied by embedding credentials in the --http URL, exposing secrets in shell history and process listings.

Changes

  • inc/Runner.php: Extracts credential resolution into a new Runner::resolve_auth() public static helper and supports three sources with explicit priority ordering:
    | Priority | Source |
    | --- | --- |
    | Highest | URL embedding — --http=admin:pass@example.com (existing, unchanged) |
    | Medium | WP_REST_CLI_AUTH_USER / WP_REST_CLI_AUTH_PASSWORD environment variables |
    | Lowest | http_user / http_password keys in wp-cli.yml |
  • Bug fix: URL-embedded credentials now work correctly even when --http has no scheme (e.g. --http=admin:pass@example.com). The URL is normalised before parse_url(), consistent with the existing auto_discover_api() behaviour.

  • tests/Runner_Resolve_Auth_Test.php: New PHPUnit test file with 10 tests covering all priority cases and edge cases (config-only, env overrides config, URL overrides env, URL without scheme, empty env username skipped, password-less variants).

Usage

Environment variables (CI/CD, avoids secrets in config):

WP_REST_CLI_AUTH_USER=admin \
WP_REST_CLI_AUTH_PASSWORD="X9yS 9YYn pbaU 5H8A kJNO DEfe" \
wp --http=https://example.com rest post create --title=wibble

wp-cli.yml (persistent per-project defaults):

http_user: admin
http_password: "X9yS 9YYn pbaU 5H8A kJNO DEfe"

Application passwords with spaces work cleanly with both approaches without requiring URL encoding.

Original prompt

This section details the original issue you should resolve

<issue_title>Add support for application passwords</issue_title>
<issue_description>## Feature Request

Describe your use case and the problem you are facing

Application passwords as a REST API authentication method were added back in WordPress 5.6. This allows for authenticated requests by passing a username and application password. It would be great if the RESTful command fully supported this.

Currently it is possible to use an application password by passing the username and password in the command like this.

wp rest --http=http://admin:"X9yS 9YYn pbaU 5H8A kJNO DEfe"@www.example.com post create --content=wibble --title=wibble

However, this is not especially secure, as the password is written in plain text in the command.

Describe the solution you'd like

There are a number of ways this could be implemented:

  • New parameters.
    wp rest --http=https://www.example.com --application_user=admin --application_password=password

  • Use environment variables
    Username and password could be read in via environment variables.

  • Via wp-cli.yml
    Username and password could be read in via wp-cli.yml

It would also be nice if this command supported application registration as well, but this is a nice-to-have.
</issue_description>

Comments on the Issue (you are @copilot in this section)

@danielbachhuber I'm open to a PR on this, and I don't have a strong opinion on the implementation at this point. I'd look at authentication for other CLI tools for inspiration.

Feel free to submit a pull request, if you'd like. Here is some guidance on our pull request best practices.


Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
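
The priority order in the PR description (URL, then environment variables, then wp-cli.yml) can be sketched as below. This is an added example, not the code in inc/Runner.php: the function name, its arguments, the returned array shape, the `http://` prefix used for normalisation, and the decoding of URL-embedded values are all assumptions, and the inputs are constructed.

```php
<?php
/**
 * Hypothetical sketch of credential resolution: URL > env > wp-cli.yml.
 *
 * @param string $http   Value of --http, with or without a scheme.
 * @param array  $env    Environment variables as name => value.
 * @param array  $config Parsed wp-cli.yml as an associative array.
 * @return array|null    Source label, user and password, or null if none set.
 */
function sketch_resolve_auth( string $http, array $env, array $config ): ?array {
	// The PR normalises a scheme-less --http value before parse_url();
	// prefixing http:// is this sketch's assumption of how.
	if ( ! preg_match( '#^[a-z][a-z0-9+.-]*://#i', $http ) ) {
		$http = 'http://' . $http;
	}
	$parts = parse_url( $http );
	if ( is_array( $parts ) && isset( $parts['user'] ) && '' !== $parts['user'] ) {
		// Assumption: URL-embedded values may be percent-encoded.
		return [
			'source'   => 'url',
			'user'     => rawurldecode( $parts['user'] ),
			'password' => rawurldecode( $parts['pass'] ?? '' ),
		];
	}
	// An empty username means the source is skipped, not matched.
	$user = $env['WP_REST_CLI_AUTH_USER'] ?? '';
	if ( '' !== $user ) {
		return [ 'source' => 'env', 'user' => $user, 'password' => $env['WP_REST_CLI_AUTH_PASSWORD'] ?? '' ];
	}
	$user = $config['http_user'] ?? '';
	if ( '' !== $user ) {
		return [ 'source' => 'config', 'user' => $user, 'password' => $config['http_password'] ?? '' ];
	}
	return null;
}

// Constructed inputs; no value here is a real credential.
$env    = [ 'WP_REST_CLI_AUTH_USER' => 'ci-bot', 'WP_REST_CLI_AUTH_PASSWORD' => 'env placeholder' ];
$config = [ 'http_user' => 'admin', 'http_password' => 'yml placeholder' ];
$cases  = [
	[ 'admin:url-placeholder@example.com', $env, $config ],    // scheme-less URL with credentials
	[ 'https://example.com', $env, $config ],                  // no URL credentials
	[ 'https://example.com', [ 'WP_REST_CLI_AUTH_USER' => '' ], $config ], // empty env user
	[ 'https://example.com', [], [] ],                         // nothing configured
];
foreach ( $cases as [ $http, $e, $c ] ) {
	$auth = sketch_resolve_auth( $http, $e, $c );
	// Report which source won and for which user; never print the password.
	echo $auth ? "{$auth['source']}: {$auth['user']}\n" : "no credentials\n";
}
```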
Copilot AI changed the title from "[WIP] Add support for application passwords in REST API" to "Add support for application passwords via env vars and wp-cli.yml config" Mar 19, 2026
Copilot AI requested a review from swissspidy March 19, 2026 23:02

codecov bot commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 95.83333% with 1 line in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| inc/Runner.php | 95.83% | 1 Missing ⚠️ |


This comment was marked as resolved.

@swissspidy

This comment was marked as resolved.

… tests

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

This comment was marked as resolved.

@swissspidy

This comment was marked as resolved.

gemini-code-assist[bot]

This comment was marked as resolved.

swissspidy and others added 4 commits March 20, 2026 09:03
@swissspidy swissspidy marked this pull request as ready for review March 20, 2026 09:48
@swissspidy swissspidy requested a review from a team as a code owner March 20, 2026 09:48