fix: stabilize playground sudo demo

Fix front-end admin bar sudo deactivation, stabilize Playground authentication, seed realistic demo activity, and update docs/link metadata.

Author: dknauss

admin/js/wp-sudo-challenge.js

@@ -19,8 +19,26 @@
 	// The challenge page must render at the top level so the full admin
 	// chrome is visible and the redirect/replay targets the correct frame.
 	if (window.top !== window.self) {
-		window.top.location.href = window.location.href;
-		return;
+		var canNavigateTop = true;
+		try {
+			var frame = window.frameElement;
+			if (frame && frame.hasAttribute('sandbox')) {
+				var sandboxTokens = (frame.getAttribute('sandbox') || '').split(/\s+/);
+				canNavigateTop = sandboxTokens.indexOf('allow-top-navigation') !== -1;
+			}
+		} catch (e) {
+			canNavigateTop = false;
+		}
+
+		if (canNavigateTop) {
+			try {
+				window.top.location.href = window.location.href;
+				return;
+			} catch (e) {
+				// Cross-origin/sandboxed hosts such as WordPress Playground must
+				// keep the challenge functional inside the embedded frame.
+			}
+		}
 	}
 
 	var config = window.wpSudoChallenge || {};

blueprint.json

@@ -1,30 +1,41 @@
 {
   "$schema": "https://playground.wordpress.net/blueprint-schema.json",
   "preferredVersions": {
+    "php": "8.2",
     "wp": "7.0-RC1"
   },
   "landingPage": "/wp-admin/",
   "steps": [
-    { "step": "login", "username": "admin", "password": "password" },
+    {
+      "step": "runPHP",
+      "code": "<?php require_once '/wordpress/wp-load.php'; global $wpdb; $user = get_user_by('login', 'admin'); if ($user) { $wpdb->update($wpdb->users, array('user_pass' => wp_hash_password('password')), array('ID' => $user->ID)); clean_user_cache($user); }"
+    },
+    {
+      "step": "login",
+      "username": "admin",
+      "password": "password"
+    },
     {
       "step": "installPlugin",
-      "pluginZipFile": {
-        "resource": "url",
-        "url": "https://github.com/dknauss/Sudo/archive/refs/tags/v3.1.1.zip"
+      "pluginData": {
+        "resource": "git:directory",
+        "url": "https://github.com/dknauss/Sudo",
+        "ref": "main",
+        "refType": "branch"
       },
       "options": { "activate": true }
     },
     {
       "step": "installPlugin",
-      "pluginZipFile": {
+      "pluginData": {
         "resource": "wordpress.org/plugins",
         "slug": "two-factor"
       },
       "options": { "activate": true }
     },
     {
       "step": "runPHP",
-      "code": "<?php require_once 'wordpress/wp-load.php'; $expires = time() + 900; update_user_meta(1, '_wp_sudo_expires', $expires); update_user_meta(1, '_wp_sudo_token', wp_hash(wp_generate_password(32, true, true))); $users = array( array('janesmith', 'jane@example.com', 'Jane', 'Smith', 'editor'), array('bobdev', 'bob@example.com', 'Bob', 'Developer', 'author'), array('carlosadmin', 'carlos@example.com', 'Carlos', 'García', 'administrator'), array('sarahops', 'sarah@example.com', 'Sarah', 'Nakamura', 'editor'), array('liwei', 'li@example.com', 'Li', 'Wei', 'contributor'), array('mariadev', 'maria@example.com', 'Maria', 'Santos', 'administrator'), array('alexkim', 'alex@example.com', 'Alex', 'Kim', 'editor'), array('priyapatel', 'priya@example.com', 'Priya', 'Patel', 'author'), array('tomjones', 'tom@example.com', 'Tom', 'Jones', 'subscriber'), array('ninafrost', 'nina@example.com', 'Nina', 'Frost', 'editor') ); foreach ($users as $u) { $uid = wp_insert_user(array('user_login' => $u[0], 'user_email' => $u[1], 'user_pass' => 'password', 'first_name' => $u[2], 'last_name' => $u[3], 'role' => $u[4])); if (!is_wp_error($uid)) { update_user_meta($uid, '_wp_sudo_expires', $expires); update_user_meta($uid, '_wp_sudo_token', wp_hash(wp_generate_password(32, true, true))); } } update_user_meta(1, 'meta-box-order_dashboard', array('side' => 'wp_sudo_activity,dashboard_quick_press,dashboard_primary', 'normal' => 'dashboard_site_health,dashboard_right_now,dashboard_activity')); update_user_meta(1, 'screen_layout_dashboard', 2); echo 'Created 10 test users with active sudo sessions';"
+      "code": "<?php require_once '/wordpress/wp-load.php'; $admin = get_user_by('login', 'admin'); $admin_id = $admin ? (int) $admin->ID : 1; if ($admin) { foreach (array('_wp_sudo_expires', '_wp_sudo_token', '_wp_sudo_failed_attempts', '_wp_sudo_lockout_until', '_wp_sudo_failure_event', '_wp_sudo_throttle_until', '_two_factor_enabled_providers', '_two_factor_provider', '_two_factor_totp_key', '_two_factor_backup_codes') as $key) { delete_user_meta($admin_id, $key); } } $session_lengths = array('janesmith' => 5, 'bobdev' => 7, 'carlosadmin' => 10, 'sarahops' => 12, 'mariadev' => 15); $demo_users = array(array('janesmith', 'jane@example.com', 'Jane', 'Smith', 'editor', true), array('bobdev', 'bob@example.com', 'Bob', 'Developer', 'author', true), array('carlosadmin', 'carlos@example.com', 'Carlos', 'García', 'administrator', true), array('sarahops', 'sarah@example.com', 'Sarah', 'Nakamura', 'editor', true), array('liwei', 'li@example.com', 'Li', 'Wei', 'contributor', false), array('mariadev', 'maria@example.com', 'Maria', 'Santos', 'administrator', true), array('alexkim', 'alex@example.com', 'Alex', 'Kim', 'editor', false), array('priyapatel', 'priya@example.com', 'Priya', 'Patel', 'author', false)); $user_ids = array(); foreach ($demo_users as $u) { $existing = get_user_by('login', $u[0]); $uid = $existing ? (int) $existing->ID : wp_insert_user(array('user_login' => $u[0], 'user_email' => $u[1], 'user_pass' => 'password', 'first_name' => $u[2], 'last_name' => $u[3], 'display_name' => trim($u[2] . ' ' . $u[3]), 'role' => $u[4])); if (!is_wp_error($uid)) { $uid = (int) $uid; $user_ids[$u[0]] = $uid; wp_update_user(array('ID' => $uid, 'user_email' => $u[1], 'first_name' => $u[2], 'last_name' => $u[3], 'display_name' => trim($u[2] . ' ' . $u[3]), 'role' => $u[4])); if ($u[5]) { $minutes = $session_lengths[$u[0]] ?? 15; update_user_meta($uid, '_wp_sudo_expires', time() + ($minutes * MINUTE_IN_SECONDS)); update_user_meta($uid, '_wp_sudo_token', wp_hash(wp_generate_password(32, true, true))); } else { delete_user_meta($uid, '_wp_sudo_expires'); delete_user_meta($uid, '_wp_sudo_token'); } } } if (class_exists('\\WP_Sudo\\Event_Store')) { \\WP_Sudo\\Event_Store::maybe_create_table(); \\WP_Sudo\\Event_Store::bulk_insert(array(array('user_id' => $admin_id, 'event' => 'action_gated', 'rule_id' => 'options.wp_sudo', 'surface' => 'admin', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 90)), array('user_id' => $admin_id, 'event' => 'action_replayed', 'rule_id' => 'options.wp_sudo', 'surface' => '', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 70)), array('user_id' => $user_ids['mariadev'] ?? $admin_id, 'event' => 'action_passed', 'rule_id' => 'plugin.activate', 'surface' => 'admin', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 240)), array('user_id' => $user_ids['carlosadmin'] ?? $admin_id, 'event' => 'action_gated', 'rule_id' => 'user.delete', 'surface' => 'admin', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 520)), array('user_id' => $user_ids['sarahops'] ?? $admin_id, 'event' => 'action_blocked', 'rule_id' => 'auth.app_password', 'surface' => 'rest_app_password', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 960)), array('user_id' => $user_ids['bobdev'] ?? $admin_id, 'event' => 'action_allowed', 'rule_id' => 'tools.export', 'surface' => 'cli', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 1500)), array('user_id' => $user_ids['janesmith'] ?? $admin_id, 'event' => 'action_blocked', 'rule_id' => 'options.critical', 'surface' => 'xmlrpc', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 2300)), array('user_id' => $user_ids['liwei'] ?? $admin_id, 'event' => 'lockout', 'rule_id' => '', 'surface' => '', 'ip' => '127.0.0.1', 'context' => array('demo' => true, 'attempts' => 5), 'created_at' => gmdate('Y-m-d H:i:s', time() - 3600)))); } delete_transient('wp_sudo_active_sessions_' . (function_exists('get_current_blog_id') ? (int) get_current_blog_id() : 0)); update_user_meta($admin_id, 'meta-box-order_dashboard', array('side' => 'wp_sudo_activity,dashboard_quick_press,dashboard_primary', 'normal' => 'dashboard_site_health,dashboard_right_now,dashboard_activity')); update_user_meta($admin_id, 'screen_layout_dashboard', 2); echo 'Prepared WP Sudo demo data. Admin password: password. Sudo challenge password: password. Demo sessions: 5-15 minutes.';"
     }
   ]
 }

docs/current-metrics.md

@@ -2,15 +2,15 @@
 
 This file is the single source of truth for current repository counts.
 
-Last verified: 2026-05-10
-Verification environment: primary local repo checkout at `/Users/dan-knauss/Code/Sudo` using ephemeral pkgx PHP/Composer runtime
+Last verified: 2026-05-11
+Verification environment: GitHub Actions checkout for PR #38 using `composer verify:metrics`
 
 ## Test Metrics
 
 | Metric | Value | Verification |
 |---|---:|---|
-| Unit tests | 662 tests | `composer test:unit` |
-| Unit assertions | 1938 assertions | `composer test:unit` |
+| Unit tests | 664 tests | `composer test:unit` |
+| Unit assertions | 1954 assertions | `composer test:unit` |
 | Integration tests in suite | 160 test methods | `rg -c "function test" tests/Integration/*.php | awk -F: '{sum+=$2} END{print sum}'` |
 | Unit test files | 23 | `ls tests/Unit/*.php | wc -l` |
 | Integration test files | 22 | `ls tests/Integration/*.php | wc -l` |
@@ -19,11 +19,11 @@ Verification environment: primary local repo checkout at `/Users/dan-knauss/Code
 
 | Metric | Value | Verification |
 |---|---:|---|
-| Production PHP lines (`includes/`, `wp-sudo.php`, `uninstall.php`, `mu-plugin/`, `bridges/`) | 13,060 | `find ./includes ./wp-sudo.php ./uninstall.php ./mu-plugin ./bridges -type f -name "*.php" -print0 | xargs -0 wc -l | tail -1 | awk '{print $1}'` |
-| Tests PHP lines (`tests/`) | 23,477 | `find ./tests -type f -name "*.php" -print0 | xargs -0 wc -l | tail -1 | awk '{print $1}'` |
-| Production + tests PHP lines | 36,537 | sum of the two rows above |
-| Test-to-production ratio | 1.80:1 | `23477 / 13060` |
-| Total repo PHP lines (excluding `vendor/`, `vendor_test/`, `.tmp/`, `.git/`) | 36,800 | `find . -type f -name "*.php" ! -path "*/vendor/*" ! -path "*/vendor_test/*" ! -path "*/.tmp/*" ! -path "*/.git/*" -print0 | xargs -0 wc -l | tail -1 | awk '{print $1}'` |
+| Production PHP lines (`includes/`, `wp-sudo.php`, `uninstall.php`, `mu-plugin/`, `bridges/`) | 13,126 | `find ./includes ./wp-sudo.php ./uninstall.php ./mu-plugin ./bridges -type f -name "*.php" -print0 | xargs -0 wc -l | tail -1 | awk '{print $1}'` |
+| Tests PHP lines (`tests/`) | 23,559 | `find ./tests -type f -name "*.php" -print0 | xargs -0 wc -l | tail -1 | awk '{print $1}'` |
+| Production + tests PHP lines | 36,685 | sum of the two rows above |
+| Test-to-production ratio | 1.79:1 | `23559 / 13126` |
+| Total repo PHP lines (excluding `vendor/`, `vendor_test/`, `.tmp/`, `.git/`) | 36,948 | `find . -type f -name "*.php" ! -path "*/vendor/*" ! -path "*/vendor_test/*" ! -path "*/.tmp/*" ! -path "*/.git/*" -print0 | xargs -0 wc -l | tail -1 | awk '{print $1}'` |
 
 ## Architectural Facts
 
@@ -66,7 +66,7 @@ Source: `.github/workflows/phpunit.yml`, `.github/workflows/e2e.yml`, `.github/w
 
 ## Verification Notes
 
-- `composer test:unit` passed on 2026-05-10 (`662 tests`, `1938 assertions`).
+- `composer test:unit` passed on 2026-05-11 (`664 tests`, `1954 assertions`).
 - `composer test:integration` passed on 2026-04-20 (`165 tests`, `538 assertions`, `9 skipped`) using the repo wrapper's `wp-env` `tests-cli` fallback against the containerized `wordpress_test` database.
 - `WP_MULTISITE=1 composer test:integration` passed on 2026-04-20 (`165 tests`, `552 assertions`, `2 skipped`) using the same `wp-env` `tests-cli` fallback and database.
 - `composer analyse:phpstan` and `composer lint` passed on 2026-05-10.

includes/class-admin-bar.php

@@ -35,14 +35,21 @@ class Admin_Bar {
 	 */
 	public const DEACTIVATE_PARAM = 'wp_sudo_deactivate';
 
+	/**
+	 * Query parameter for the post-deactivation redirect target.
+	 *
+	 * @var string
+	 */
+	public const REDIRECT_PARAM = 'wp_sudo_redirect_to';
+
 	/**
 	 * Register hooks.
 	 *
 	 * @return void
 	 */
 	public function register(): void {
 		add_action( 'admin_bar_menu', array( $this, 'admin_bar_node' ), 100 );
-		add_action( 'admin_init', array( $this, 'handle_deactivate' ), 5, 0 );
+		add_action( 'init', array( $this, 'handle_deactivate' ), 5, 0 );
 		add_action( 'admin_enqueue_scripts', array( $this, 'enqueue_assets' ), 10, 0 );
 	}
 
@@ -72,13 +79,16 @@ public function admin_bar_node( $wp_admin_bar ): void {
 		$minutes = floor( $remaining / 60 );
 		$seconds = $remaining % 60;
 
-		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotValidated -- Fallback handles missing key.
-		$current_url = isset( $_SERVER['REQUEST_URI'] )
-			? set_url_scheme( home_url( sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) ) )
-			: admin_url();
+		$current_url = self::current_url();
 
 		$deactivate_url = wp_nonce_url(
-			add_query_arg( self::DEACTIVATE_PARAM, '1', $current_url ),
+			add_query_arg(
+				array(
+					self::DEACTIVATE_PARAM => '1',
+					self::REDIRECT_PARAM   => $current_url,
+				),
+				admin_url()
+			),
 			self::DEACTIVATE_NONCE,
 			'_wpnonce'
 		);
@@ -138,10 +148,53 @@ public function handle_deactivate(): void {
 
 		Sudo_Session::deactivate( $user_id );
 
-		wp_safe_redirect( remove_query_arg( array( self::DEACTIVATE_PARAM, '_wpnonce' ) ) );
+		wp_safe_redirect( self::deactivation_redirect_url() );
 		exit;
 	}
 
+	/**
+	 * Resolve the current URL used as the return target after deactivation.
+	 *
+	 * @return string
+	 */
+	private static function current_url(): string {
+		if ( ! isset( $_SERVER['REQUEST_URI'] ) ) {
+			return admin_url();
+		}
+
+		$scheme = is_ssl() ? 'https' : 'http';
+		$host   = sanitize_text_field( wp_unslash( $_SERVER['HTTP_HOST'] ?? '' ) );
+		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- esc_url_raw() sanitizes the full URL; sanitize_text_field() would corrupt encoded path/query segments.
+		$uri = wp_unslash( $_SERVER['REQUEST_URI'] );
+
+		if ( '' === $host ) {
+			return admin_url();
+		}
+
+		return esc_url_raw( $scheme . '://' . $host . $uri );
+	}
+
+	/**
+	 * Resolve and clean the post-deactivation redirect URL.
+	 *
+	 * @return string
+	 */
+	private static function deactivation_redirect_url(): string {
+		$redirect_url = admin_url();
+
+		// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce is verified before this helper is called.
+		if ( isset( $_GET[ self::REDIRECT_PARAM ] ) && is_string( $_GET[ self::REDIRECT_PARAM ] ) ) {
+			// phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified; esc_url_raw() sanitizes the full URL.
+			$candidate = esc_url_raw( wp_unslash( $_GET[ self::REDIRECT_PARAM ] ) );
+
+			if ( '' !== $candidate ) {
+				$redirect_url = $candidate;
+			}
+		}
+
+		return remove_query_arg( array( self::DEACTIVATE_PARAM, self::REDIRECT_PARAM, '_wpnonce' ), $redirect_url );
+	}
+
 	/**
 	 * Enqueue admin bar assets when session is active.
 	 *

includes/class-dashboard-widget.php

@@ -38,6 +38,8 @@ class Dashboard_Widget {
 	 */
 	public static function init(): void {
 		add_action( 'wp_dashboard_setup', array( self::class, 'register' ) );
+		add_action( 'wp_sudo_activated', array( self::class, 'flush_active_sessions_cache' ), 10, 0 );
+		add_action( 'wp_sudo_deactivated', array( self::class, 'flush_active_sessions_cache' ), 10, 0 );
 	}
 
 	/**
@@ -167,9 +169,6 @@ private static function render_active_sessions(): void {
 			return;
 		}
 
-		// phpcs:ignore WordPress.WP.I18n.MissingTranslatorsComment -- Simple count.
-		echo '<p class="wp-sudo-active-count"><strong>' . esc_html( sprintf( _n( '%d active session', '%d active sessions', $count, 'wp-sudo' ), $count ) ) . '</strong></p>';
-
 		echo '<ul class="wp-sudo-user-list">';
 		foreach ( $users as $user ) {
 			if ( ! is_object( $user ) || ! isset( $user->ID ) ) {
@@ -236,6 +235,20 @@ private static function render_active_sessions(): void {
 		}
 	}
 
+	/**
+	 * Clear the active-sessions payload cache for the current site.
+	 *
+	 * @return void
+	 */
+	public static function flush_active_sessions_cache(): void {
+		if ( ! function_exists( 'delete_transient' ) ) {
+			return;
+		}
+
+		$blog_id = function_exists( 'get_current_blog_id' ) ? (int) get_current_blog_id() : 0;
+		delete_transient( self::ACTIVE_SESSIONS_CACHE_KEY . $blog_id );
+	}
+
 	/**
 	 * Return the active-sessions payload, using a short-TTL transient cache.
 	 *

readme.md

@@ -2,7 +2,7 @@
 
 WP Sudo adds **action-gated reauthentication** to WordPress so high-risk operations require fresh confirmation before they proceed.
 
-[![License: GPL v2+](https://img.shields.io/badge/License-GPL%20v2%2B-blue.svg)](https://www.gnu.org/licenses/gpl-2.0.html)
+[![License: GPL v2+](https://img.shields.io/badge/License-GPL%20v2%2B-blue.svg)](https://spdx.org/licenses/GPL-2.0-or-later.html)
 [![WordPress: 6.2+](https://img.shields.io/badge/WordPress-6.2%2B-0073aa.svg)](https://wordpress.org/)
 [![PHP: 8.0+](https://img.shields.io/badge/PHP-8.0%2B-777bb4.svg)](https://www.php.net/)
 [![PHPUnit](https://github.com/dknauss/Sudo/actions/workflows/phpunit.yml/badge.svg)](https://github.com/dknauss/Sudo/actions/workflows/phpunit.yml)
@@ -13,6 +13,8 @@ WP Sudo adds **action-gated reauthentication** to WordPress so high-risk operati
 [![Type Coverage](https://shepherd.dev/github/dknauss/Sudo/coverage.svg)](https://shepherd.dev/github/dknauss/Sudo)
 [![Try in Playground](https://img.shields.io/badge/Try%20it-Playground-3858e9?logo=wordpress&logoColor=white)](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/dknauss/Sudo/main/blueprint.json)
 
+Playground demo credentials are `admin` / `password`. When WP Sudo asks for reauthentication, enter the same password: `password`.
+
 > **3.1.1 hardening release:** WP Sudo tightens role-change interception, sensitive request replay, MU-plugin loading, audit bridge parity, and development dependency security. See [docs/release-status.md](docs/release-status.md) for current release posture.
 
 ## What’s new in 3.1.1

readme.txt

@@ -2,6 +2,8 @@ _WP Sudo 3.1.1 is a hardening release for action-gated reauthentication, tighten
 
 [Try it in WordPress Playground](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/dknauss/Sudo/main/blueprint.json)
 
+Playground demo credentials are `admin` / `password`. When WP Sudo asks for reauthentication, enter the same password: `password`.
+
 === Sudo ===
 Contributors:      dpknauss
 Donate link:       https://dan.knauss.ca
@@ -11,7 +13,7 @@ Tested up to:      6.9
 Requires PHP:      8.0
 Stable tag:        3.1.1
 License:           GPL-2.0-or-later
-License URI:       https://www.gnu.org/licenses/gpl-2.0.html
+License URI:       https://spdx.org/licenses/GPL-2.0-or-later.html
 
 WordPress security plugins guard the door. Sudo governs what can happen inside the house.