
✨ Added Danger Zone action to reset all authentication #28027

Merged: rob-ghost merged 1 commit into main from chore/promote-danger-zone-reset-auth-to-ga on May 21, 2026

Conversation

@rob-ghost (Contributor) commented May 21, 2026

Ghost now includes a one-click "Reset all authentication" action in Settings → Advanced → Danger Zone. After a suspected credential compromise (a leaked API key, a former staff member who shouldn't retain access, a stolen admin session) owners can rotate every API key, lock every staff user, and destroy every active staff session at once.

Active staff users hit the standard password-reset flow on their next sign-in. Suspended staff users stay suspended but still have their password rotated, so a leaked credential can't be reused if they're ever unsuspended. Members aren't affected.

The action records the operator who triggered it in the audit log.

@rob-ghost rob-ghost requested a review from 9larsons as a code owner May 21, 2026 10:21
@github-actions github-actions Bot added the migration [pull request] Includes migration for review label May 21, 2026
@github-actions (Bot) commented:
It looks like this PR contains a migration 👀
Here's the checklist for reviewing migrations:

General requirements

  • ⚠️ Tested performance on staging database servers, as performance on local machines is not comparable to a production environment
  • Satisfies idempotency requirement (both up() and down())
  • Does not reference models
  • Filename is in the correct format (and correctly ordered)
  • Targets the next minor version
  • All code paths have appropriate log messages
  • Uses the correct utils
  • Contains a minimal changeset
  • Does not mix DDL/DML operations
  • Tested in MySQL and SQLite

Schema changes

  • Both schema change and related migration have been implemented
  • For index changes: has been performance tested for large tables
  • For new tables/columns: fields use the appropriate predefined field lengths
  • For new tables/columns: field names follow the appropriate conventions
  • Does not drop a non-alpha table outside of a major version

Data changes

  • Mass updates/inserts are batched appropriately
  • Does not loop over large tables/datasets
  • Defends against missing or invalid data
  • For settings updates: follows the appropriate guidelines

@coderabbitai (Bot) commented May 21, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: a91bdf7f-c74e-4675-a53e-0a7386b840ae

📥 Commits

Reviewing files that changed from the base of the PR and between 3b3aa38 and dd89eba.

⛔ Files ignored due to path filters (1)
  • ghost/core/test/e2e-api/admin/__snapshots__/settings.test.js.snap is excluded by !**/*.snap
📒 Files selected for processing (2)
  • apps/admin-x-settings/src/components/settings/advanced/labs/private-features.tsx
  • ghost/core/core/shared/labs.js
💤 Files with no reviewable changes (1)
  • apps/admin-x-settings/src/components/settings/advanced/labs/private-features.tsx

Walkthrough

This PR promotes the dangerZoneResetAuth feature flag from a private, user-editable setting to a globally always-enabled GA flag. The backend configuration is updated by adding dangerZoneResetAuth to the GA_FEATURES array and removing it from PRIVATE_FEATURES in labs.js. The corresponding user interface toggle is removed from the admin-x-settings private features component, eliminating the now-obsolete user control.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Title check (⚠️ Warning): The title claims features were 'Added' but the changeset actually promotes an existing feature from private/beta to general availability (GA), moving it from PRIVATE_FEATURES to GA_FEATURES and removing it from the UI. Resolution: Update title to reflect the actual change: 'Promote Danger Zone reset auth feature to general availability' or 'Enable Danger Zone reset auth for all users by default'.
✅ Passed checks (4 passed)
Description check (✅ Passed): The description comprehensively explains the feature's functionality, user impact, and security implications, which aligns with the changeset that promotes the feature to general availability.
Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@rob-ghost rob-ghost changed the base branch from main to feat/danger-zone-reset-actions May 21, 2026 10:25
@codecov (Bot) commented May 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.77%. Comparing base (83adc5c) to head (106663a).

Additional details and impacted files
@@                       Coverage Diff                       @@
##           feat/danger-zone-reset-actions   #28027   +/-   ##
===============================================================
  Coverage                           73.76%   73.77%           
===============================================================
  Files                                1526     1528    +2     
  Lines                              129268   129338   +70     
  Branches                            15484    15489    +5     
===============================================================
+ Hits                                95355    95417   +62     
- Misses                              32975    32983    +8     
  Partials                              938      938           
Flag Coverage Δ
admin-tests 53.57% <ø> (ø)
e2e-tests 73.77% <100.00%> (+<0.01%) ⬆️


@rob-ghost rob-ghost force-pushed the feat/danger-zone-reset-actions branch from 83adc5c to 4633495 Compare May 21, 2026 11:22
@rob-ghost rob-ghost force-pushed the chore/promote-danger-zone-reset-auth-to-ga branch from 106663a to ef57ccb Compare May 21, 2026 11:23
Base automatically changed from feat/danger-zone-reset-actions to main May 21, 2026 11:44
A new button under Settings → Advanced → Danger Zone that lets an
owner rotate every API key, lock every staff user, and destroy every
active staff session in a single click. Active staff hit the standard
reset-on-signin flow on their next sign-in. Suspended staff have
their password rotated but stay suspended. Members aren't affected.

For recovery after a suspected credential compromise: instead of
editing the database directly to invalidate keys and force password
resets, an owner can run the full rotation from the admin UI. The
action writes an audit row recording who triggered it.
@rob-ghost rob-ghost force-pushed the chore/promote-danger-zone-reset-auth-to-ga branch from ef57ccb to dd89eba Compare May 21, 2026 13:03
@rob-ghost rob-ghost enabled auto-merge (rebase) May 21, 2026 13:07
@rob-ghost rob-ghost merged commit e52163e into main May 21, 2026
42 checks passed
@rob-ghost rob-ghost deleted the chore/promote-danger-zone-reset-auth-to-ga branch May 21, 2026 13:27