The more I think about it the more I think sudo is the answer because it solves the real problem which is you don't want to run as root all the time. If I'm paranoid I could authenticate on every admin action without changing code. If I want to run as root all the time on my dev box that's ok too.
I looked at the code a bit and I think all you would need to do call sudo::checkauth in the request processor just before the other permission checks. If it's been too long since you authenticated redirect to reauthenticate and set a cookie that's a database key to the time.
You would also need a tcl interface so on package installs you could set defaults
If each entry in the sudo table is an object you could have even more control. For example I could create a /manage directory under a package and control access just like /admin