chore: release 3.1.3

Author: dknauss

.github/workflows/playground-preview.yml

@@ -27,18 +27,24 @@ jobs:
             const repoUrl = `https://github.com/${context.repo.owner}/${context.repo.repo}`;
 
             const blueprint = JSON.parse(fs.readFileSync('blueprint.json', 'utf8'));
-            const pluginStep = blueprint.steps.find(
-              step =>
-                step.step === 'installPlugin' &&
-                step.pluginData &&
-                step.pluginData.resource === 'git:directory',
-            );
+            const pluginStep = blueprint.steps.find(step => {
+              if (step.step !== 'installPlugin') {
+                return false;
+              }
+
+              const resource = step.pluginData || step.pluginZipFile || {};
+              return (
+                resource.resource === 'git:directory' ||
+                (resource.resource === 'url' && resource.url && resource.url.includes(`${context.repo.owner}/${context.repo.repo}`))
+              );
+            });
 
             if (!pluginStep) {
-              core.setFailed('blueprint.json does not contain a git:directory plugin install step.');
+              core.setFailed('blueprint.json does not contain a first-party plugin install step.');
               return;
             }
 
+            delete pluginStep.pluginZipFile;
             pluginStep.pluginData = {
               resource: 'git:directory',
               url: repoUrl,

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 3.1.3 - 2026-05-11
+
+- **Release Playground link:** the stable release Blueprint installs the tag ZIP through `pluginData` instead of using Playground's currently brittle `git:directory` tag fetch path.
+- **Playground link posture:** README Playground links now distinguish the immutable latest-release demo from the current `main` demo.
+- **Blueprint password seeding:** the demo Blueprint now uses WordPress core's `wp_set_password()` API instead of writing the password hash directly through `$wpdb`.
+
 ## 3.1.2 - 2026-05-11
 
 ### Playground and preview fixes

blueprint-main.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://playground.wordpress.net/blueprint-schema.json",
+  "preferredVersions": {
+    "php": "8.2",
+    "wp": "7.0-RC1"
+  },
+  "landingPage": "/wp-admin/",
+  "steps": [
+    {
+      "step": "runPHP",
+      "code": "<?php require_once '/wordpress/wp-load.php'; $user = get_user_by('login', 'admin'); if ($user) { wp_set_password('password', $user->ID); wp_set_current_user($user->ID); }"
+    },
+    {
+      "step": "login",
+      "username": "admin",
+      "password": "password"
+    },
+    {
+      "step": "installPlugin",
+      "pluginData": {
+        "resource": "url",
+        "url": "https://github.com/dknauss/Sudo/archive/refs/heads/main.zip"
+      },
+      "options": { "activate": true }
+    },
+    {
+      "step": "installPlugin",
+      "pluginData": {
+        "resource": "wordpress.org/plugins",
+        "slug": "two-factor"
+      },
+      "options": { "activate": true }
+    },
+    {
+      "step": "runPHP",
+      "code": "<?php require_once '/wordpress/wp-load.php'; $admin = get_user_by('login', 'admin'); $admin_id = $admin ? (int) $admin->ID : 1; if ($admin) { foreach (array('_wp_sudo_expires', '_wp_sudo_token', '_wp_sudo_failed_attempts', '_wp_sudo_lockout_until', '_wp_sudo_failure_event', '_wp_sudo_throttle_until', '_two_factor_enabled_providers', '_two_factor_provider', '_two_factor_totp_key', '_two_factor_backup_codes') as $key) { delete_user_meta($admin_id, $key); } } $session_lengths = array('janesmith' => 5, 'bobdev' => 7, 'carlosadmin' => 10, 'sarahops' => 12, 'mariadev' => 15); $demo_users = array(array('janesmith', 'jane@example.com', 'Jane', 'Smith', 'editor', true), array('bobdev', 'bob@example.com', 'Bob', 'Developer', 'author', true), array('carlosadmin', 'carlos@example.com', 'Carlos', 'García', 'administrator', true), array('sarahops', 'sarah@example.com', 'Sarah', 'Nakamura', 'editor', true), array('liwei', 'li@example.com', 'Li', 'Wei', 'contributor', false), array('mariadev', 'maria@example.com', 'Maria', 'Santos', 'administrator', true), array('alexkim', 'alex@example.com', 'Alex', 'Kim', 'editor', false), array('priyapatel', 'priya@example.com', 'Priya', 'Patel', 'author', false)); $user_ids = array(); foreach ($demo_users as $u) { $existing = get_user_by('login', $u[0]); $uid = $existing ? (int) $existing->ID : wp_insert_user(array('user_login' => $u[0], 'user_email' => $u[1], 'user_pass' => 'password', 'first_name' => $u[2], 'last_name' => $u[3], 'display_name' => trim($u[2] . ' ' . $u[3]), 'role' => $u[4])); if (!is_wp_error($uid)) { $uid = (int) $uid; $user_ids[$u[0]] = $uid; wp_update_user(array('ID' => $uid, 'user_email' => $u[1], 'first_name' => $u[2], 'last_name' => $u[3], 'display_name' => trim($u[2] . ' ' . $u[3]), 'role' => $u[4])); if ($u[5]) { $minutes = $session_lengths[$u[0]] ?? 15; update_user_meta($uid, '_wp_sudo_expires', time() + ($minutes * MINUTE_IN_SECONDS)); update_user_meta($uid, '_wp_sudo_token', wp_hash(wp_generate_password(32, true, true))); } else { delete_user_meta($uid, '_wp_sudo_expires'); delete_user_meta($uid, '_wp_sudo_token'); } } } if (class_exists('\\WP_Sudo\\Event_Store')) { \\WP_Sudo\\Event_Store::maybe_create_table(); \\WP_Sudo\\Event_Store::bulk_insert(array(array('user_id' => $admin_id, 'event' => 'action_gated', 'rule_id' => 'options.wp_sudo', 'surface' => 'admin', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 90)), array('user_id' => $admin_id, 'event' => 'action_replayed', 'rule_id' => 'options.wp_sudo', 'surface' => '', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 70)), array('user_id' => $user_ids['mariadev'] ?? $admin_id, 'event' => 'action_passed', 'rule_id' => 'plugin.activate', 'surface' => 'admin', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 240)), array('user_id' => $user_ids['carlosadmin'] ?? $admin_id, 'event' => 'action_gated', 'rule_id' => 'user.delete', 'surface' => 'admin', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 520)), array('user_id' => $user_ids['sarahops'] ?? $admin_id, 'event' => 'action_blocked', 'rule_id' => 'auth.app_password', 'surface' => 'rest_app_password', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 960)), array('user_id' => $user_ids['bobdev'] ?? $admin_id, 'event' => 'action_allowed', 'rule_id' => 'tools.export', 'surface' => 'cli', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 1500)), array('user_id' => $user_ids['janesmith'] ?? $admin_id, 'event' => 'action_blocked', 'rule_id' => 'options.critical', 'surface' => 'xmlrpc', 'ip' => '127.0.0.1', 'context' => array('demo' => true), 'created_at' => gmdate('Y-m-d H:i:s', time() - 2300)), array('user_id' => $user_ids['liwei'] ?? $admin_id, 'event' => 'lockout', 'rule_id' => '', 'surface' => '', 'ip' => '127.0.0.1', 'context' => array('demo' => true, 'attempts' => 5), 'created_at' => gmdate('Y-m-d H:i:s', time() - 3600)))); } delete_transient('wp_sudo_active_sessions_' . (function_exists('get_current_blog_id') ? (int) get_current_blog_id() : 0)); update_user_meta($admin_id, 'meta-box-order_dashboard', array('side' => 'wp_sudo_activity,dashboard_quick_press,dashboard_primary', 'normal' => 'dashboard_site_health,dashboard_right_now,dashboard_activity')); update_user_meta($admin_id, 'screen_layout_dashboard', 2); echo 'Prepared WP Sudo demo data. Admin password: password. Sudo challenge password: password. Demo sessions: 5-15 minutes.';"
+    }
+  ]
+}

blueprint.json

@@ -8,7 +8,7 @@
   "steps": [
     {
       "step": "runPHP",
-      "code": "<?php require_once '/wordpress/wp-load.php'; global $wpdb; $user = get_user_by('login', 'admin'); if ($user) { $wpdb->update($wpdb->users, array('user_pass' => wp_hash_password('password')), array('ID' => $user->ID)); clean_user_cache($user); }"
+      "code": "<?php require_once '/wordpress/wp-load.php'; $user = get_user_by('login', 'admin'); if ($user) { wp_set_password('password', $user->ID); wp_set_current_user($user->ID); }"
     },
     {
       "step": "login",
@@ -18,10 +18,8 @@
     {
       "step": "installPlugin",
       "pluginData": {
-        "resource": "git:directory",
-        "url": "https://github.com/dknauss/Sudo",
-        "ref": "v3.1.2",
-        "refType": "tag"
+        "resource": "url",
+        "url": "https://github.com/dknauss/Sudo/archive/refs/tags/v3.1.3.zip"
       },
       "options": { "activate": true }
     },

docs/release-status.md

@@ -12,28 +12,27 @@ This file is the canonical source for **current release state** in this reposito
 
 ## Latest public/tagged release
 
-- **Latest tagged release:** `3.1.2`
-- **Latest git tag observed:** `v3.1.2`
+- **Latest tagged release:** `3.1.3`
+- **Latest git tag observed:** `v3.1.3`
 
 ## Current `main` release target
 
 - **Next planned release:** `3.2.0` (planning lane; post-release development bump pending)
-- **Current `main` runtime version constant:** `3.1.2`
+- **Current `main` runtime version constant:** `3.1.3`
 - **Current metadata should match:** `readme.txt` stable tag, `wp-sudo.php`, `tests/bootstrap.php`, `phpstan-bootstrap.php`
-- **Current public stable metadata:** `readme.txt` stable tag `3.1.2`
+- **Current public stable metadata:** `readme.txt` stable tag `3.1.3`
 - **Last completed release checklist:** `docs/release-3.0.0-checklist.md`
 
 ## Latest release contents
 
-`3.1.2` includes the post-`v3.1.1` Playground and preview fixes that landed on `main`:
+`3.1.3` includes the post-`v3.1.2` Playground release-link fixes that landed on `main`:
 
-- Playground login and sudo challenge reauthentication now use the documented `admin` / `password` credential.
-- The Sudo toolbar item cancels active sessions correctly from front-end admin-bar contexts.
-- Dashboard widget active-session counts refresh after cancellation.
-- Playground demo data now includes recent privilege-action samples and staggered 5-15 minute demo sudo sessions.
-- Pull request Playground preview links now use the checked-in Blueprint and Playground's CORS-safe `git:directory` resource.
+- Stable release Playground links use the tagged raw Blueprint and install the tag ZIP through `pluginData`.
+- Current `main` Playground links use `blueprint-main.json` and install the main branch ZIP.
+- Pull request Playground previews continue to use the checked-in Blueprint but pin the plugin install to the PR commit.
+- Demo admin password seeding uses WordPress core's `wp_set_password()` API instead of a direct `$wpdb->users` update.
 
-Canonical source for post-tag drift after this release: `git log v3.1.2..main --oneline`
+Canonical source for post-tag drift after `3.1.3`: `git log v3.1.3..main --oneline`
 
 ## WordPress release posture
 

phpstan-bootstrap.php

@@ -10,7 +10,7 @@
  */
 
 // Plugin constants (defined in wp-sudo.php at runtime).
-define( 'WP_SUDO_VERSION', '3.1.2' );
+define( 'WP_SUDO_VERSION', '3.1.3' );
 define( 'WP_SUDO_PLUGIN_DIR', __DIR__ . '/' );
 define( 'WP_SUDO_PLUGIN_URL', 'https://example.com/wp-content/plugins/wp-sudo/' );
 define( 'WP_SUDO_PLUGIN_BASENAME', 'wp-sudo/wp-sudo.php' );

readme.md

@@ -11,19 +11,20 @@ WP Sudo adds **action-gated reauthentication** to WordPress so high-risk operati
 [![CodeQL](https://github.com/dknauss/Sudo/actions/workflows/codeql.yml/badge.svg)](https://github.com/dknauss/Sudo/actions/workflows/codeql.yml)
 [![Codecov](https://codecov.io/gh/dknauss/Sudo/graph/badge.svg?branch=main)](https://codecov.io/gh/dknauss/Sudo)
 [![Type Coverage](https://shepherd.dev/github/dknauss/Sudo/coverage.svg)](https://shepherd.dev/github/dknauss/Sudo)
-[![Try in Playground](https://img.shields.io/badge/Try%20it-Playground-3858e9?logo=wordpress&logoColor=white)](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/dknauss/Sudo/main/blueprint.json)
+[![Try latest release in Playground](https://img.shields.io/badge/Try%20release-Playground-3858e9?logo=wordpress&logoColor=white)](https://playground.wordpress.net/?blueprint-url=https%3A%2F%2Fraw.githubusercontent.com%2Fdknauss%2FSudo%2Fv3.1.3%2Fblueprint.json)
+[![Try main in Playground](https://img.shields.io/badge/Try%20main-Playground-23282d?logo=wordpress&logoColor=white)](https://playground.wordpress.net/?blueprint-url=https%3A%2F%2Fraw.githubusercontent.com%2Fdknauss%2FSudo%2Fmain%2Fblueprint-main.json)
 
 Playground demo credentials are `admin` / `password`. When WP Sudo asks for reauthentication, enter the same password: `password`.
 
-> **3.1.2 Playground patch:** WP Sudo fixes Playground reauthentication, front-end toolbar session cancellation, dashboard demo data, and PR preview links. See [docs/release-status.md](docs/release-status.md) for current release posture.
+> **3.1.3 Playground patch:** WP Sudo fixes Playground reauthentication, front-end toolbar session cancellation, dashboard demo data, and stable/main preview links. See [docs/release-status.md](docs/release-status.md) for current release posture.
 
-## What’s new in 3.1.2
+## What’s new in 3.1.3
 
 - **Playground authentication:** the demo explicitly resets `admin` to `password`, so login and sudo reauthentication use the same documented credential
 - **Toolbar cancellation:** clicking the Sudo toolbar item cancels an active session from wp-admin or the front end without navigating away unexpectedly
 - **Dashboard widget freshness:** active-session counts refresh immediately after session cancellation
 - **Demo activity:** Playground seeds recent privilege-action events and active demo users with varied 5-15 minute sudo windows
-- **Preview links:** pull request Playground previews now use the checked-in Blueprint with a CORS-safe `git:directory` plugin install
+- **Preview links:** release and main Playground demos are separate; pull request previews still pin to the PR commit
 
 ## Why WP Sudo exists
 

readme.txt

@@ -1,6 +1,7 @@
-_WP Sudo 3.1.2 is a Playground compatibility patch for action-gated reauthentication, fixing demo login, sudo challenge auth, toolbar cancellation, dashboard demo data, and PR preview links._
+_WP Sudo 3.1.3 is a Playground compatibility patch for action-gated reauthentication, fixing demo login, sudo challenge auth, toolbar cancellation, dashboard demo data, and stable/main preview links._
 
-[Try it in WordPress Playground](https://playground.wordpress.net/?blueprint-url=https://raw.githubusercontent.com/dknauss/Sudo/main/blueprint.json)
+[Try the latest release in WordPress Playground](https://playground.wordpress.net/?blueprint-url=https%3A%2F%2Fraw.githubusercontent.com%2Fdknauss%2FSudo%2Fv3.1.3%2Fblueprint.json)
+[Try current main in WordPress Playground](https://playground.wordpress.net/?blueprint-url=https%3A%2F%2Fraw.githubusercontent.com%2Fdknauss%2FSudo%2Fmain%2Fblueprint-main.json)
 
 Playground demo credentials are `admin` / `password`. When WP Sudo asks for reauthentication, enter the same password: `password`.
 
@@ -11,7 +12,7 @@ Tags:              sudo, security, reauthentication, access control, admin prote
 Requires at least: 6.2
 Tested up to:      6.9
 Requires PHP:      8.0
-Stable tag:        3.1.2
+Stable tag:        3.1.3
 License:           GPL-2.0-or-later
 License URI:       https://spdx.org/licenses/GPL-2.0-or-later.html
 
@@ -23,13 +24,13 @@ WordPress has rich access control — roles, capabilities, policies on who can d
 
 This is not role-based escalation. Every logged-in user is treated the same: attempt a gated action without an active sudo session, get challenged. Sessions are time-bounded and non-extendable, enforcing the zero-trust principle that trust must be continuously earned, never assumed. WordPress capability checks still run after the gate, so Sudo adds a security layer without changing the permission model.
 
-= What’s new in 3.1.2? =
+= What’s new in 3.1.3? =
 
 * **Playground authentication** — the demo explicitly resets `admin` to `password`, so login and sudo reauthentication use the same documented credential
 * **Toolbar cancellation** — clicking the Sudo toolbar item cancels an active session from wp-admin or the front end without navigating away unexpectedly
 * **Dashboard widget freshness** — active-session counts refresh immediately after session cancellation
 * **Demo activity** — Playground seeds recent privilege-action events and active demo users with varied 5-15 minute sudo windows
-* **Preview links** — pull request Playground previews now use the checked-in Blueprint with a CORS-safe `git:directory` plugin install
+* **Preview links** — release and main Playground demos are separate; pull request previews still pin to the PR commit
 
 = Why Sudo? =
 
@@ -185,6 +186,11 @@ Extensibility: the action registry is filterable via wp_sudo_gated_actions. Ten
 
 == Changelog ==
 
+= 3.1.3 =
+* **Fix: release Playground link** — the stable release Blueprint installs the tag ZIP through `pluginData` instead of using Playground's currently brittle `git:directory` tag fetch path.
+* **Playground link posture** — README Playground links now distinguish the immutable latest-release demo from the current `main` demo.
+* **Blueprint password seeding** — the demo Blueprint now uses WordPress core's `wp_set_password()` API instead of writing the password hash directly through `$wpdb`.
+
 = 3.1.2 =
 * **Fix: Playground authentication** — the demo resets the `admin` user password before login so `admin` / `password` works for both WordPress login and WP Sudo reauthentication.
 * **Fix: toolbar session cancellation** — the Sudo admin bar item now cancels active sessions reliably from wp-admin and front-end contexts.

tests/bootstrap.php

@@ -19,7 +19,7 @@
 define( 'WPMU_PLUGIN_URL', 'https://example.com/wp-content/mu-plugins' );
 
 // ── Plugin constants (normally defined in wp-sudo.php) ───────────────
-define( 'WP_SUDO_VERSION', '3.1.2' );
+define( 'WP_SUDO_VERSION', '3.1.3' );
 define( 'WP_SUDO_PLUGIN_DIR', dirname( __DIR__ ) . '/' );
 define( 'WP_SUDO_PLUGIN_URL', 'https://example.com/wp-content/plugins/wp-sudo/' );
 define( 'WP_SUDO_PLUGIN_BASENAME', 'wp-sudo/wp-sudo.php' );

wp-sudo.php

@@ -3,7 +3,7 @@
  * Plugin Name:       Sudo
  * Plugin URI:        https://github.com/dknauss/Sudo
  * Description:       Action-gated reauthentication for WordPress. Dangerous operations require password confirmation before they proceed — regardless of user role.
- * Version:           3.1.2
+ * Version:           3.1.3
  * Requires at least: 6.2
  * Requires PHP:      8.0
  * Author:            Dan Knauss
@@ -24,7 +24,7 @@
 require_once __DIR__ . '/includes/class-bootstrap.php';
 
 // Plugin version.
-define( 'WP_SUDO_VERSION', '3.1.2' );
+define( 'WP_SUDO_VERSION', '3.1.3' );
 
 // Plugin directory path.
 define( 'WP_SUDO_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );