From b0d1a0ecbdad2544d629522528a1b879524cf686 Mon Sep 17 00:00:00 2001
From: Nol de Roos <108540791+nolderoos@users.noreply.github.com>
Date: Tue, 12 May 2026 00:42:26 +0200
Subject: [PATCH 1/7] =?UTF-8?q?feat:=20v1.1=20beta=20=E2=80=94=20login=20s?=
 =?UTF-8?q?tyling=20settings=20+=20iframe=20defenses?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 includes/Admin/Settings.php                  | 110 ++++++++++++++++
 includes/Frontend/LoginScreen.php            |   5 +
 includes/Installer.php                       |   4 +
 includes/helpers.php                         |   4 +
 readme.txt                                   |   4 +
 templates/login-shell.php                    |  28 ++++-
 tests/phpunit/Model/SettingsSanitizeTest.php | 124 +++++++++++++++++++
 tests/phpunit/stubs/wp-functions.php         |  27 ++++
 8 files changed, 305 insertions(+), 1 deletion(-)
 create mode 100644 tests/phpunit/Model/SettingsSanitizeTest.php

diff --git a/includes/Admin/Settings.php b/includes/Admin/Settings.php
index 8a8d95a..9c4b19e 100644
--- a/includes/Admin/Settings.php
+++ b/includes/Admin/Settings.php
@@ -28,6 +28,8 @@ final class Settings {
 
 	private const MAX_LINK_USES_PRESETS = [ 1, 2, 3, 5, 10 ];
 
+	private const FONT_STACK_KEYS = [ 'system', 'sans-modern', 'serif', 'mono', 'rounded' ];
+
 	// Keyed by extension regex (wp_check_filetype_and_ext format); membership checks hit values.
 	private const LOGO_MIMES = [
 		'png'      => 'image/png',
@@ -199,6 +201,10 @@ private static function render_section_branding( bool $weak_salts ): void {
 				<?php self::field_company_name(); ?>
 				<?php self::field_logo(); ?>
 				<?php self::field_brand_color(); ?>
+				<?php self::field_page_color(); ?>
+				<?php self::field_card_radius(); ?>
+				<?php self::field_card_width(); ?>
+				<?php self::field_font_stack(); ?>
 			</div>
 		</section>
 		<?php
@@ -368,6 +374,26 @@ public static function sanitize( $input ): array {
 			$out['brand_color']   = $sanitized ? $sanitized : '#2271b1';
 		}
 
+		// is_scalar guards prevent (string) cast on array/object from emitting
+		// "Array" notices on probe traffic. Mirrors throttle's is_array guard.
+		if ( isset( $input['page_color'] ) && is_scalar( $input['page_color'] ) ) {
+			$sanitized         = sanitize_hex_color( (string) $input['page_color'] );
+			$out['page_color'] = $sanitized ? $sanitized : '#eeeeee';
+		}
+
+		if ( isset( $input['card_radius'] ) && is_scalar( $input['card_radius'] ) ) {
+			$out['card_radius'] = max( 0, min( 32, absint( $input['card_radius'] ) ) );
+		}
+
+		if ( isset( $input['card_width'] ) && is_scalar( $input['card_width'] ) ) {
+			$out['card_width'] = max( 360, min( 640, absint( $input['card_width'] ) ) );
+		}
+
+		if ( isset( $input['font_stack'] ) && is_scalar( $input['font_stack'] ) ) {
+			$candidate         = sanitize_key( (string) $input['font_stack'] );
+			$out['font_stack'] = in_array( $candidate, self::FONT_STACK_KEYS, true ) ? $candidate : 'system';
+		}
+
 		if ( isset( $input['redirect_to_default'] ) ) {
 			$candidate                  = (string) $input['redirect_to_default'];
 			$out['redirect_to_default'] = in_array( $candidate, self::REDIRECT_OPTIONS, true ) ? $candidate : 'auto';
@@ -596,6 +622,90 @@ public static function field_brand_color(): void {
 		<?php
 	}
 
+	public static function field_page_color(): void {
+		$value = (string) magicauth_get_setting( 'page_color', '#eeeeee' );
+		$name  = sprintf( '%s[page_color]', self::OPTION_NAME );
+		?>
+		<div class="magicauth-row">
+			<div class="magicauth-row__main">
+				<span class="magicauth-row__label"><?php esc_html_e( 'Page background', 'magicauth' ); ?></span>
+				<p class="magicauth-row__help"><?php esc_html_e( 'Color behind the sign-in card. Choose a value distinct from white so the card stays visible.', 'magicauth' ); ?></p>
+			</div>
+			<div class="magicauth-row__control magicauth-row__control--stack">
+				<div class="magicauth-color">
+					<input type="color" value="<?php echo esc_attr( $value ); ?>" aria-label="<?php esc_attr_e( 'Color picker', 'magicauth' ); ?>">
+					<input type="text" class="magicauth-input magicauth-input--mono" name="<?php echo esc_attr( $name ); ?>" value="<?php echo esc_attr( $value ); ?>" maxlength="7" data-validate-hex>
+				</div>
+			</div>
+		</div>
+		<?php
+	}
+
+	public static function field_card_radius(): void {
+		$value = (int) magicauth_get_setting( 'card_radius', 6 );
+		$name  = sprintf( '%s[card_radius]', self::OPTION_NAME );
+		?>
+		<div class="magicauth-row">
+			<div class="magicauth-row__main">
+				<span class="magicauth-row__label"><?php esc_html_e( 'Card corner radius', 'magicauth' ); ?></span>
+				<p class="magicauth-row__help"><?php esc_html_e( 'Sign-in card corner softness, in pixels. 0 is sharp; 32 is heavily rounded.', 'magicauth' ); ?></p>
+			</div>
+			<div class="magicauth-row__control">
+				<input type="number" class="magicauth-input magicauth-input--num" name="<?php echo esc_attr( $name ); ?>" value="<?php echo esc_attr( (string) $value ); ?>" min="0" max="32" step="1">
+				<span style="font-size:13px;color:var(--tx-muted);"><?php esc_html_e( 'px', 'magicauth' ); ?></span>
+			</div>
+		</div>
+		<?php
+	}
+
+	public static function field_card_width(): void {
+		$value = (int) magicauth_get_setting( 'card_width', 480 );
+		$name  = sprintf( '%s[card_width]', self::OPTION_NAME );
+		?>
+		<div class="magicauth-row">
+			<div class="magicauth-row__main">
+				<span class="magicauth-row__label"><?php esc_html_e( 'Card max width', 'magicauth' ); ?></span>
+				<p class="magicauth-row__help"><?php esc_html_e( 'Card max width on desktop, in pixels. Shrinks below this on narrow viewports.', 'magicauth' ); ?></p>
+			</div>
+			<div class="magicauth-row__control">
+				<input type="number" class="magicauth-input magicauth-input--num" name="<?php echo esc_attr( $name ); ?>" value="<?php echo esc_attr( (string) $value ); ?>" min="360" max="640" step="20">
+				<span style="font-size:13px;color:var(--tx-muted);"><?php esc_html_e( 'px', 'magicauth' ); ?></span>
+			</div>
+		</div>
+		<?php
+	}
+
+	public static function field_font_stack(): void {
+		$value   = (string) magicauth_get_setting( 'font_stack', 'system' );
+		$name    = sprintf( '%s[font_stack]', self::OPTION_NAME );
+		$options = [
+			'system'      => __( 'System default', 'magicauth' ),
+			'sans-modern' => __( 'Modern sans (Inter)', 'magicauth' ),
+			'serif'       => __( 'Serif (Georgia)', 'magicauth' ),
+			'mono'        => __( 'Monospace', 'magicauth' ),
+			'rounded'     => __( 'Rounded', 'magicauth' ),
+		];
+		?>
+		<div class="magicauth-row">
+			<div class="magicauth-row__main">
+				<span class="magicauth-row__label"><?php esc_html_e( 'Font family', 'magicauth' ); ?></span>
+				<p class="magicauth-row__help"><?php esc_html_e( 'Font used on the sign-in card. Each option is a stack of system-installed fonts — nothing is loaded from the network.', 'magicauth' ); ?></p>
+			</div>
+			<div class="magicauth-row__control">
+				<div class="magicauth-select">
+					<select name="<?php echo esc_attr( $name ); ?>">
+						<?php foreach ( $options as $opt_value => $label ) : ?>
+							<option value="<?php echo esc_attr( $opt_value ); ?>" <?php selected( $value, $opt_value ); ?>>
+								<?php echo esc_html( $label ); ?>
+							</option>
+						<?php endforeach; ?>
+					</select>
+				</div>
+			</div>
+		</div>
+		<?php
+	}
+
 	public static function field_agency_credit_name(): void {
 		$value = (string) magicauth_get_setting( 'agency_credit_name', '' );
 		$name  = sprintf( '%s[agency_credit_name]', self::OPTION_NAME );
diff --git a/includes/Frontend/LoginScreen.php b/includes/Frontend/LoginScreen.php
index be16f8a..fa64a4a 100644
--- a/includes/Frontend/LoginScreen.php
+++ b/includes/Frontend/LoginScreen.php
@@ -51,6 +51,11 @@ public static function setup(): void {
 	public static function login_init(): void {
 		// nosniff defense-in-depth (pentest H-1).
 		header( 'X-Content-Type-Options: nosniff' );
+		// wp-login.php is never legitimately framed. DENY is stricter than core's SAMEORIGIN.
+		header( 'X-Frame-Options: DENY' );
+		// replace=false so we don't silently strip a security plugin's earlier CSP;
+		// the browser intersects multiple CSPs (strictest wins on frame-ancestors).
+		header( "Content-Security-Policy: frame-ancestors 'none'", false );
 
 		if ( isset( $_GET['magicauth'] ) && 'off' === $_GET['magicauth'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended
 			$nonce = isset( $_GET['_wpnonce'] ) ? sanitize_key( wp_unslash( (string) $_GET['_wpnonce'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended
diff --git a/includes/Installer.php b/includes/Installer.php
index b1231d8..f703ea4 100644
--- a/includes/Installer.php
+++ b/includes/Installer.php
@@ -115,6 +115,10 @@ public static function default_settings(): array {
 			'company_name'          => '',
 			'logo_attachment_id'    => 0,
 			'brand_color'           => '#2271b1',
+			'page_color'            => '#eeeeee',
+			'card_radius'           => 6,
+			'card_width'            => 480,
+			'font_stack'            => 'system',
 			'agency_credit_name'    => '',
 			'agency_credit_url'     => '',
 			'agency_credit_icon_id' => 0,
diff --git a/includes/helpers.php b/includes/helpers.php
index e328bbc..4d2983d 100644
--- a/includes/helpers.php
+++ b/includes/helpers.php
@@ -30,6 +30,10 @@ function magicauth_get_settings(): array {
 			'company_name'          => '',
 			'logo_attachment_id'    => 0,
 			'brand_color'           => '#2271b1',
+			'page_color'            => '#eeeeee',
+			'card_radius'           => 6,
+			'card_width'            => 480,
+			'font_stack'            => 'system',
 			'agency_credit_name'    => '',
 			'agency_credit_url'     => '',
 			'agency_credit_icon_id' => 0,
diff --git a/readme.txt b/readme.txt
index 9914330..0a15db5 100644
--- a/readme.txt
+++ b/readme.txt
@@ -74,5 +74,9 @@ MagicAuth registers a WordPress privacy exporter and eraser. Personal data store
 
 == Changelog ==
 
+= 1.1.0 =
+* Branding: page background color, card corner radius, card max width, and font family are now admin-controllable from Settings > MagicAuth.
+* Security: `wp-login.php` now sends `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'` to refuse framing entirely.
+
 = 1.0.0 =
 * Initial public release.
diff --git a/templates/login-shell.php b/templates/login-shell.php
index a1f118d..fa6ff76 100644
--- a/templates/login-shell.php
+++ b/templates/login-shell.php
@@ -19,17 +19,43 @@
 defined( 'ABSPATH' ) || exit;
 ?>
 <?php
-// Re-validate at output — esc_attr is HTML-context, not CSS.
+// Re-validate at output — esc_attr is HTML-context padding, not CSS sanitization.
+// Actual safety comes from: sanitize_hex_color() narrowing to [#0-9A-Fa-f],
+// (int) casts on numerics, and a hardcoded PHP allowlist map for font stacks
+// (the user-supplied value is a short key; the emitted CSS string is hardcoded).
 $shell_brand = function_exists( 'sanitize_hex_color' ) ? (string) sanitize_hex_color( (string) $brand_color ) : '';
 if ( '' === $shell_brand ) {
 	$shell_brand = '#2271b1';
 }
 $shell_brand_txt = magicauth_yiq_text_color( $shell_brand );
+
+$shell_page = function_exists( 'sanitize_hex_color' ) ? (string) sanitize_hex_color( (string) magicauth_get_setting( 'page_color', '#eeeeee' ) ) : '';
+if ( '' === $shell_page ) {
+	$shell_page = '#eeeeee';
+}
+$shell_radius = max( 0, min( 32, (int) magicauth_get_setting( 'card_radius', 6 ) ) );
+$shell_width  = max( 360, min( 640, (int) magicauth_get_setting( 'card_width', 480 ) ) );
+
+// Stored value is the KEY only; emitted CSS string is the hardcoded map value.
+// Every value must avoid '<' / '>' or a future maintainer can break the <style> block.
+$shell_font_stacks = [
+	'system'      => '-apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Oxygen-Sans, Ubuntu, Cantarell, "Helvetica Neue", sans-serif',
+	'sans-modern' => 'Inter, -apple-system, "Segoe UI", Roboto, "Helvetica Neue", sans-serif',
+	'serif'       => 'Georgia, "Times New Roman", Times, serif',
+	'mono'        => 'ui-monospace, SFMono-Regular, "SF Mono", Menlo, Consolas, "Liberation Mono", monospace',
+	'rounded'     => 'ui-rounded, "SF Pro Rounded", "Hiragino Maru Gothic ProN", Quicksand, Comfortaa, system-ui, sans-serif',
+];
+$shell_font_key   = (string) magicauth_get_setting( 'font_stack', 'system' );
+$shell_font_stack = $shell_font_stacks[ $shell_font_key ] ?? $shell_font_stacks['system'];
 ?>
 <style id="magicauth-shell-vars">
 :root {
 	--magicauth-color-primary: <?php echo esc_attr( $shell_brand ); ?>;
 	--magicauth-color-primary-text: <?php echo esc_attr( $shell_brand_txt ); ?>;
+	--magicauth-color-page: <?php echo esc_attr( $shell_page ); ?>;
+	--magicauth-radius-card: <?php echo (int) $shell_radius; ?>px;
+	--magicauth-card-max-width: <?php echo (int) $shell_width; ?>px;
+	--magicauth-font-family: <?php echo esc_attr( $shell_font_stack ); ?>;
 }
 /* Vertical-center the card; flex avoids fighting WP's default top-padding. */
 html, body.login {
diff --git a/tests/phpunit/Model/SettingsSanitizeTest.php b/tests/phpunit/Model/SettingsSanitizeTest.php
new file mode 100644
index 0000000..539861c
--- /dev/null
+++ b/tests/phpunit/Model/SettingsSanitizeTest.php
@@ -0,0 +1,124 @@
+<?php
+/**
+ * Admin\Settings::sanitize() — bounds and allowlist for v1.1 branding tokens.
+ *
+ * @package MagicAuth\Tests
+ */
+
+declare( strict_types=1 );
+
+namespace MagicAuth\Tests\Model;
+
+use MagicAuth\Admin\Settings;
+use MagicAuth\Installer;
+use PHPUnit\Framework\TestCase;
+
+final class SettingsSanitizeTest extends TestCase {
+
+	protected function setUp(): void {
+		magicauth_test_reset_state();
+		update_option( 'magicauth_settings', Installer::default_settings() );
+	}
+
+	private function sanitize( array $input ): array {
+		return Settings::sanitize( $input );
+	}
+
+	public function test_page_color_accepts_valid_hex(): void {
+		$out = $this->sanitize( [ 'page_color' => '#abcdef' ] );
+		$this->assertSame( '#abcdef', $out['page_color'] );
+	}
+
+	public function test_page_color_falls_back_on_garbage(): void {
+		$out = $this->sanitize( [ 'page_color' => 'not a color' ] );
+		$this->assertSame( '#eeeeee', $out['page_color'] );
+	}
+
+	public function test_page_color_array_input_is_ignored(): void {
+		$out = $this->sanitize( [ 'page_color' => [ '#ff0000' ] ] );
+		// is_scalar guard short-circuits; current default survives.
+		$this->assertSame( '#eeeeee', $out['page_color'] );
+	}
+
+	public function test_card_radius_clamps_above_max(): void {
+		$out = $this->sanitize( [ 'card_radius' => 9999 ] );
+		$this->assertSame( 32, $out['card_radius'] );
+	}
+
+	public function test_card_radius_accepts_bounds(): void {
+		$lo = $this->sanitize( [ 'card_radius' => 0 ] );
+		$hi = $this->sanitize( [ 'card_radius' => 32 ] );
+		$this->assertSame( 0, $lo['card_radius'] );
+		$this->assertSame( 32, $hi['card_radius'] );
+	}
+
+	public function test_card_radius_garbage_yields_zero(): void {
+		$out = $this->sanitize( [ 'card_radius' => 'foo' ] );
+		$this->assertSame( 0, $out['card_radius'] );
+	}
+
+	public function test_card_width_clamps_below_min(): void {
+		$out = $this->sanitize( [ 'card_width' => 100 ] );
+		$this->assertSame( 360, $out['card_width'] );
+	}
+
+	public function test_card_width_clamps_above_max(): void {
+		$out = $this->sanitize( [ 'card_width' => 9999 ] );
+		$this->assertSame( 640, $out['card_width'] );
+	}
+
+	public function test_card_width_accepts_bounds(): void {
+		$lo = $this->sanitize( [ 'card_width' => 360 ] );
+		$hi = $this->sanitize( [ 'card_width' => 640 ] );
+		$this->assertSame( 360, $lo['card_width'] );
+		$this->assertSame( 640, $hi['card_width'] );
+	}
+
+	public function test_font_stack_round_trips_allowlist(): void {
+		foreach ( [ 'system', 'sans-modern', 'serif', 'mono', 'rounded' ] as $key ) {
+			$out = $this->sanitize( [ 'font_stack' => $key ] );
+			$this->assertSame( $key, $out['font_stack'], "key '{$key}' should round-trip" );
+		}
+	}
+
+	public function test_font_stack_rejects_unknown_key(): void {
+		$out = $this->sanitize( [ 'font_stack' => 'pirate' ] );
+		$this->assertSame( 'system', $out['font_stack'] );
+	}
+
+	public function test_font_stack_rejects_array_input(): void {
+		// is_scalar guard rejects array entirely; default survives.
+		$out = $this->sanitize( [ 'font_stack' => [ 'rounded' ] ] );
+		$this->assertSame( 'system', $out['font_stack'] );
+	}
+
+	public function test_defaults_returned_for_missing_keys(): void {
+		// Simulates v1.0 -> v1.1 upgrade: stored option has no new keys.
+		update_option( 'magicauth_settings', [ 'ttl_minutes' => 10 ] );
+		$settings = magicauth_get_settings();
+		$this->assertSame( '#eeeeee', $settings['page_color'] );
+		$this->assertSame( 6, $settings['card_radius'] );
+		$this->assertSame( 480, $settings['card_width'] );
+		$this->assertSame( 'system', $settings['font_stack'] );
+	}
+
+	public function test_font_stacks_in_shell_template_contain_no_html_meta_chars(): void {
+		// HTML parsers treat '</style>' as a block-terminator regardless of CSS
+		// quoting. Pin a static assertion so a future maintainer adding e.g.
+		// 'fancy' => 'Helvetica<Neue>' cannot silently break the <style> emit.
+		$shell = file_get_contents( MAGICAUTH_DIR . 'templates/login-shell.php' );
+		$this->assertNotFalse( $shell, 'login-shell.php should be readable' );
+
+		// Extract the $shell_font_stacks array literal.
+		$ok = preg_match( '/\$shell_font_stacks\s*=\s*\[(.*?)\];/s', $shell, $m );
+		$this->assertSame( 1, $ok, '$shell_font_stacks map should be defined in login-shell.php' );
+
+		// Each quoted CSS value (the right-hand side of `=>`) must be free of `<` and `>`.
+		$matched = preg_match_all( "/=>\s*'([^']+)'/", $m[1], $values );
+		$this->assertGreaterThan( 0, $matched, 'expected at least one font-stack value' );
+		foreach ( $values[1] as $value ) {
+			$this->assertStringNotContainsString( '<', $value, "font stack value '{$value}' must not contain '<'" );
+			$this->assertStringNotContainsString( '>', $value, "font stack value '{$value}' must not contain '>'" );
+		}
+	}
+}
diff --git a/tests/phpunit/stubs/wp-functions.php b/tests/phpunit/stubs/wp-functions.php
index d7b74bb..ace9f1a 100644
--- a/tests/phpunit/stubs/wp-functions.php
+++ b/tests/phpunit/stubs/wp-functions.php
@@ -695,6 +695,33 @@ function retrieve_password( $user_login = '' ) {
 	}
 }
 
+if ( ! function_exists( 'absint' ) ) {
+	function absint( $maybeint ): int {
+		return abs( (int) $maybeint );
+	}
+}
+
+if ( ! function_exists( 'sanitize_hex_color' ) ) {
+	// Mirrors core: accepts #rgb / #rrggbb only; returns null otherwise.
+	function sanitize_hex_color( string $color ) {
+		if ( '' === $color ) {
+			return '';
+		}
+		if ( preg_match( '|^#([A-Fa-f0-9]{3}){1,2}$|', $color ) ) {
+			return $color;
+		}
+		return null;
+	}
+}
+
+if ( ! function_exists( 'add_settings_error' ) ) {
+	// Test-time recorder; lets tests assert that an error WAS raised when expected.
+	function add_settings_error( string $setting, string $code, string $message, string $type = 'error' ): void {
+		global $magicauth_test_state;
+		$magicauth_test_state['settings_errors'][] = compact( 'setting', 'code', 'message', 'type' );
+	}
+}
+
 if ( ! function_exists( 'magicauth_test_reset_state' ) ) {
 	/**
 	 * Test helper: wipe in-memory state between tests.

From 3b701954825454c89af56ec0e2d4a657031c61f5 Mon Sep 17 00:00:00 2001
From: Nol de Roos <108540791+nolderoos@users.noreply.github.com>
Date: Tue, 12 May 2026 09:22:01 +0200
Subject: [PATCH 2/7] further additions of dark mode and extra variables

---
 assets/css/magicauth-admin.css               |  52 +++
 assets/css/magicauth.css                     |  35 +-
 includes/Admin/Settings.php                  | 359 +++++++++++++++----
 includes/Frontend/LoginScreen.php            |   4 +
 includes/Installer.php                       |   3 +
 includes/helpers.php                         | 122 ++++++-
 readme.txt                                   |   5 +
 templates/login-shell.php                    |  40 +++
 tests/phpunit/Model/ContrastRatioTest.php    |  60 ++++
 tests/phpunit/Model/SettingsSanitizeTest.php | 145 ++++++++
 tests/phpunit/stubs/wp-functions.php         |  72 +++-
 11 files changed, 813 insertions(+), 84 deletions(-)
 create mode 100644 tests/phpunit/Model/ContrastRatioTest.php

diff --git a/assets/css/magicauth-admin.css b/assets/css/magicauth-admin.css
index 62df64f..36db28f 100644
--- a/assets/css/magicauth-admin.css
+++ b/assets/css/magicauth-admin.css
@@ -375,6 +375,58 @@ body.admin-bar .magicauth-admin .magicauth-topbar__bar { top: 32px; }
 	line-height: 1.55;
 }
 
+/* <details>/<summary> disclosure widget. <summary> is keyboard-focusable
+   natively; no JS. Native marker hidden so we can render our own chevron. */
+.magicauth-admin details.magicauth-block > summary {
+	list-style: none;
+	cursor: pointer;
+	user-select: none;
+	position: relative;
+	padding-right: 32px;
+}
+
+.magicauth-admin details.magicauth-block > summary::-webkit-details-marker { display: none; }
+
+.magicauth-admin details.magicauth-block > summary::after {
+	content: "";
+	position: absolute;
+	top: 0;
+	bottom: 0;
+	right: 8px;
+	margin: auto 0;
+	width: 9px;
+	height: 9px;
+	border-right: 2px solid var(--tx-muted);
+	border-bottom: 2px solid var(--tx-muted);
+	transform: rotate(45deg);
+	transform-origin: center;
+	transition: transform 0.15s ease;
+}
+
+.magicauth-admin details.magicauth-block[open] > summary::after {
+	transform: rotate(-135deg);
+}
+
+.magicauth-admin details.magicauth-block > summary:focus-visible {
+	outline: 2px solid var(--ettic-accent, #2271b1);
+	outline-offset: 4px;
+	border-radius: 4px;
+}
+
+/* Sub-card subheading inside .magicauth-card */
+.magicauth-admin .magicauth-card__subhead {
+	margin: 0 0 16px;
+	font-size: 13px;
+	font-weight: 600;
+	color: var(--tx-muted);
+	text-transform: uppercase;
+	letter-spacing: 0.04em;
+}
+
+.magicauth-admin .magicauth-card + .magicauth-card {
+	margin-top: 16px;
+}
+
 /* Cards. Namespaced to avoid colliding with WP core `.card` (caps at 520px). */
 .magicauth-admin .magicauth-card {
 	background: var(--ettic-surface);
diff --git a/assets/css/magicauth.css b/assets/css/magicauth.css
index d3f208c..dd22b26 100644
--- a/assets/css/magicauth.css
+++ b/assets/css/magicauth.css
@@ -13,6 +13,7 @@
 	--magicauth-color-divider: #e9ecef;
 	--magicauth-color-error: #b32d2e;
 	--magicauth-color-focus-ring: var(--magicauth-color-primary);
+	--magicauth-color-link: var(--magicauth-color-primary);
 	--magicauth-card-max-width: 480px;
 	--magicauth-card-padding: 56px 48px;
 	--magicauth-card-padding-mobile: 32px 24px;
@@ -325,7 +326,7 @@
 }
 
 .magicauth-link {
-	color: var(--magicauth-color-primary);
+	color: var(--magicauth-color-link, var(--magicauth-color-primary));
 	text-decoration: underline;
 	text-underline-offset: 2px;
 }
@@ -446,3 +447,35 @@
 		outline: 2px solid CanvasText;
 	}
 }
+
+/* Dark mode — explicit. Body-class specificity (0,1,1) beats :root (0,0,1),
+   so the shell-vars block can still set per-instance brand_color / link_color /
+   font_stack without being overridden. Curated values, not exposed to admin
+   pickers. The surface hex must match Admin\Settings::DARK_SURFACE_HEX. */
+body.magicauth-mode-dark {
+	--magicauth-color-page: #0e1116;
+	--magicauth-color-surface: #181c22;
+	--magicauth-color-code-bg: #202832;
+	--magicauth-color-text: #eef0f3;
+	--magicauth-color-text-muted: #9aa3ad;
+	--magicauth-color-border: #2a313a;
+	--magicauth-color-border-strong: #3a424c;
+	--magicauth-color-divider: #262d36;
+	--magicauth-color-error: #ff6b6b;
+}
+
+/* Dark mode — auto. Only kicks in when admin chose color_mode = auto AND
+   the visitor's browser reports a dark preference. */
+@media (prefers-color-scheme: dark) {
+	body.magicauth-mode-auto {
+		--magicauth-color-page: #0e1116;
+		--magicauth-color-surface: #181c22;
+		--magicauth-color-code-bg: #202832;
+		--magicauth-color-text: #eef0f3;
+		--magicauth-color-text-muted: #9aa3ad;
+		--magicauth-color-border: #2a313a;
+		--magicauth-color-border-strong: #3a424c;
+		--magicauth-color-divider: #262d36;
+		--magicauth-color-error: #ff6b6b;
+	}
+}
diff --git a/includes/Admin/Settings.php b/includes/Admin/Settings.php
index 9c4b19e..47691fa 100644
--- a/includes/Admin/Settings.php
+++ b/includes/Admin/Settings.php
@@ -30,6 +30,13 @@ final class Settings {
 
 	private const FONT_STACK_KEYS = [ 'system', 'sans-modern', 'serif', 'mono', 'rounded' ];
 
+	private const COLOR_MODE_KEYS = [ 'light', 'dark', 'auto' ];
+
+	// Curated dark-mode surface — must match the value emitted by magicauth.css
+	// for body.magicauth-mode-dark / .magicauth-mode-auto. Used by the
+	// brand-color contrast check below.
+	private const DARK_SURFACE_HEX = '#181c22';
+
 	// Keyed by extension regex (wp_check_filetype_and_ext format); membership checks hit values.
 	private const LOGO_MIMES = [
 		'png'      => 'image/png',
@@ -38,6 +45,14 @@ final class Settings {
 		'svg'      => 'image/svg+xml',
 	];
 
+	// Background images: raster only. SVG explicitly excluded — larger attack
+	// surface than logos and no rendering benefit at full-page scale.
+	private const BACKGROUND_MIMES = [
+		'png'      => 'image/png',
+		'jpg|jpeg' => 'image/jpeg',
+		'webp'     => 'image/webp',
+	];
+
 	public static function setup(): void {
 		add_action( 'admin_init', [ self::class, 'register' ] );
 		add_action( 'admin_menu', [ self::class, 'menu' ] );
@@ -175,70 +190,79 @@ public static function render_page(): void {
 
 	private static function render_section_general(): void {
 		?>
-		<section class="magicauth-block">
-			<header class="magicauth-block__head">
+		<details class="magicauth-block" open>
+			<summary class="magicauth-block__head">
 				<h2><?php esc_html_e( 'General', 'magicauth' ); ?></h2>
 				<p><?php esc_html_e( 'How long links live and where users land afterwards.', 'magicauth' ); ?></p>
-			</header>
+			</summary>
 			<div class="magicauth-card">
 				<?php self::field_ttl_minutes(); ?>
 				<?php self::field_max_link_uses(); ?>
 				<?php self::field_redirect_to_default(); ?>
 			</div>
-		</section>
+		</details>
 		<?php
 	}
 
 	private static function render_section_branding( bool $weak_salts ): void {
 		?>
-		<section class="magicauth-block">
-			<header class="magicauth-block__head">
+		<details class="magicauth-block" open>
+			<summary class="magicauth-block__head">
 				<h2><?php esc_html_e( 'Branding', 'magicauth' ); ?></h2>
 				<p><?php esc_html_e( 'How the sign-in card looks. Settings render on the branded login screen and in transactional emails.', 'magicauth' ); ?></p>
-			</header>
+			</summary>
+
 			<div class="magicauth-card">
+				<h3 class="magicauth-card__subhead"><?php esc_html_e( 'Identity', 'magicauth' ); ?></h3>
 				<?php self::field_replace_default( $weak_salts ); ?>
 				<?php self::field_company_name(); ?>
 				<?php self::field_logo(); ?>
 				<?php self::field_brand_color(); ?>
+				<?php self::field_link_color(); ?>
+			</div>
+
+			<div class="magicauth-card">
+				<h3 class="magicauth-card__subhead"><?php esc_html_e( 'Appearance', 'magicauth' ); ?></h3>
+				<?php self::field_color_mode(); ?>
 				<?php self::field_page_color(); ?>
+				<?php self::field_background_image(); ?>
 				<?php self::field_card_radius(); ?>
 				<?php self::field_card_width(); ?>
 				<?php self::field_font_stack(); ?>
 			</div>
-		</section>
+		</details>
 		<?php
 	}
 
 	private static function render_section_agency_credit(): void {
 		?>
-		<section class="magicauth-block">
-			<header class="magicauth-block__head">
+		<details class="magicauth-block" open>
+			<summary class="magicauth-block__head">
 				<h2><?php esc_html_e( 'Agency credit', 'magicauth' ); ?></h2>
 				<p><?php esc_html_e( 'Optional "Built by [Brand]" line below the sign-in card. Renders only when name, URL, and favicon are all filled.', 'magicauth' ); ?></p>
-			</header>
+			</summary>
 			<div class="magicauth-card">
 				<?php self::field_agency_credit_name(); ?>
 				<?php self::field_agency_credit_url(); ?>
 				<?php self::field_agency_credit_icon(); ?>
 				<?php self::field_agency_credit_label(); ?>
 			</div>
-		</section>
+		</details>
 		<?php
 	}
 
 	private static function render_section_security(): void {
 		?>
-		<section class="magicauth-block">
-			<header class="magicauth-block__head">
+		<details class="magicauth-block" open>
+			<summary class="magicauth-block__head">
 				<h2><?php esc_html_e( 'Security &amp; throttling', 'magicauth' ); ?></h2>
 				<p><?php esc_html_e( 'Recovery layers and rate-limit caps. The "Sign in with password" link is the unconditional safety net. Disable it only after site-wide password auth is already off.', 'magicauth' ); ?></p>
-			</header>
+			</summary>
 			<div class="magicauth-card">
 				<?php self::field_allow_password_login(); ?>
 				<?php self::field_throttle(); ?>
 			</div>
-		</section>
+		</details>
 		<?php
 	}
 
@@ -248,11 +272,11 @@ private static function render_section_diagnostics(): void {
 		$recovery_nonce = wp_create_nonce( 'magicauth-admin-recovery' );
 		$ajaxurl        = admin_url( 'admin-ajax.php' );
 		?>
-		<section class="magicauth-block">
-			<header class="magicauth-block__head">
+		<details class="magicauth-block" open>
+			<summary class="magicauth-block__head">
 				<h2><?php esc_html_e( 'Diagnostics &amp; recovery', 'magicauth' ); ?></h2>
 				<p><?php esc_html_e( 'One-shot tools for debugging and unsticking the plugin. Destructive actions ask for confirmation.', 'magicauth' ); ?></p>
-			</header>
+			</summary>
 			<div class="magicauth-card magicauth-recovery"
 				data-ajaxurl="<?php echo esc_url( $ajaxurl ); ?>"
 				data-nonce="<?php echo esc_attr( $recovery_nonce ); ?>">
@@ -287,7 +311,7 @@ private static function render_section_diagnostics(): void {
 					</button>
 				</div>
 			</div>
-		</section>
+		</details>
 		<?php
 	}
 
@@ -394,6 +418,45 @@ public static function sanitize( $input ): array {
 			$out['font_stack'] = in_array( $candidate, self::FONT_STACK_KEYS, true ) ? $candidate : 'system';
 		}
 
+		if ( isset( $input['background_attachment_id'] ) ) {
+			$out['background_attachment_id'] = self::sanitize_background( absint( $input['background_attachment_id'] ) );
+		}
+
+		if ( isset( $input['link_color'] ) && is_scalar( $input['link_color'] ) ) {
+			$out['link_color'] = self::sanitize_link_color(
+				(string) $input['link_color'],
+				(string) ( $current['link_color'] ?? '' )
+			);
+		}
+
+		if ( isset( $input['color_mode'] ) && is_scalar( $input['color_mode'] ) ) {
+			$candidate         = sanitize_key( (string) $input['color_mode'] );
+			$out['color_mode'] = in_array( $candidate, self::COLOR_MODE_KEYS, true ) ? $candidate : 'light';
+		}
+
+		// Brand color × dark surface. Runs AFTER brand_color and color_mode
+		// are settled. SC 1.4.11 wants ≥3:1 for non-text UI; the focus ring
+		// on a dark surface is the at-risk element. Warn only — admins keep
+		// brand color sovereignty.
+		if ( in_array( ( $out['color_mode'] ?? 'light' ), [ 'dark', 'auto' ], true ) ) {
+			$brand_for_check = (string) ( $out['brand_color'] ?? '' );
+			if ( '' !== $brand_for_check ) {
+				$ratio = magicauth_contrast_ratio( $brand_for_check, self::DARK_SURFACE_HEX );
+				if ( $ratio < 3.0 ) {
+					add_settings_error(
+						self::OPTION_NAME,
+						'magicauth_brand_dark_contrast',
+						sprintf(
+							/* translators: %s: contrast ratio */
+							__( 'Brand color note: contrast against the dark-mode surface is %s — below the 3:1 minimum for UI elements. Focus indicators may be hard to see for visitors using dark mode.', 'magicauth' ),
+							number_format( $ratio, 2 )
+						),
+						'warning'
+					);
+				}
+			}
+		}
+
 		if ( isset( $input['redirect_to_default'] ) ) {
 			$candidate                  = (string) $input['redirect_to_default'];
 			$out['redirect_to_default'] = in_array( $candidate, self::REDIRECT_OPTIONS, true ) ? $candidate : 'auto';
@@ -421,6 +484,58 @@ private static function sanitize_credit_label( string $value ): string {
 		return substr( $clean, 0, 40 );
 	}
 
+	// Empty = inherit from brand. Graded against the fixed #ffffff card surface:
+	// <2.5:1 rejects (restore previous), 2.5–4.5 saves with warning, AA+ silent.
+	private static function sanitize_link_color( string $raw, string $current ): string {
+		$raw = trim( $raw );
+		if ( '' === $raw ) {
+			return '';
+		}
+
+		$sanitized = sanitize_hex_color( $raw );
+		if ( ! $sanitized ) {
+			add_settings_error(
+				self::OPTION_NAME,
+				'magicauth_link_color_invalid',
+				__( 'Link color: invalid hex value, change ignored.', 'magicauth' ),
+				'error'
+			);
+			return $current;
+		}
+
+		$ratio   = magicauth_contrast_ratio( $sanitized, '#ffffff' );
+		$verdict = magicauth_contrast_evaluate( $ratio, 'normal' );
+
+		if ( 'fail' === $verdict ) {
+			add_settings_error(
+				self::OPTION_NAME,
+				'magicauth_link_color_unreadable',
+				sprintf(
+					/* translators: %s: contrast ratio */
+					__( 'Link color: contrast ratio %s against the card surface is below the 2.5:1 readability floor. Change ignored.', 'magicauth' ),
+					number_format( $ratio, 2 )
+				),
+				'error'
+			);
+			return $current;
+		}
+
+		if ( 'warn' === $verdict ) {
+			add_settings_error(
+				self::OPTION_NAME,
+				'magicauth_link_color_low_contrast',
+				sprintf(
+					/* translators: %s: contrast ratio */
+					__( 'Link color saved. Contrast against the card surface is %s — below the WCAG AA target of 4.5:1 for body text. Visitors may struggle to read the link.', 'magicauth' ),
+					number_format( $ratio, 2 )
+				),
+				'warning'
+			);
+		}
+
+		return $sanitized;
+	}
+
 	// Allowlist http(s) only — esc_url_raw alone permits mailto:/javascript:/etc.
 	private static function sanitize_agency_url( string $value ): string {
 		$value = trim( $value );
@@ -468,8 +583,9 @@ private static function sanitize_logo( int $attachment_id ): int {
 		if ( function_exists( 'finfo_open' ) ) {
 			$finfo = finfo_open( FILEINFO_MIME_TYPE );
 			if ( $finfo ) {
+				// finfo_close() is deprecated as of PHP 8.5 (objects auto-free)
+				// and a no-op on earlier versions once $finfo falls out of scope.
 				$mime = finfo_file( $finfo, $path );
-				finfo_close( $finfo );
 				if ( ! is_string( $mime ) || ! in_array( $mime, self::LOGO_MIMES, true ) ) {
 					add_settings_error( self::OPTION_NAME, 'magicauth_logo_bad_mime', __( 'Logo: file content does not match a supported image format.', 'magicauth' ), 'error' );
 					return 0;
@@ -480,6 +596,72 @@ private static function sanitize_logo( int $attachment_id ): int {
 		return $attachment_id;
 	}
 
+	// Validate background attachment. Raster only; SVG forbidden. Soft-warns
+	// above 1 MB but never blocks — admin knows their hosting better than we do.
+	private static function sanitize_background( int $attachment_id ): int {
+		if ( $attachment_id <= 0 ) {
+			return 0;
+		}
+		if ( ! wp_attachment_is_image( $attachment_id ) ) {
+			add_settings_error(
+				self::OPTION_NAME,
+				'magicauth_bg_not_image',
+				__( 'Background: selected attachment is not an image.', 'magicauth' ),
+				'error'
+			);
+			return 0;
+		}
+		$path = get_attached_file( $attachment_id );
+		if ( ! is_string( $path ) || ! is_readable( $path ) ) {
+			return 0;
+		}
+
+		$check = wp_check_filetype_and_ext( $path, basename( $path ), self::BACKGROUND_MIMES );
+		if ( empty( $check['type'] ) || ! in_array( $check['type'], self::BACKGROUND_MIMES, true ) ) {
+			add_settings_error(
+				self::OPTION_NAME,
+				'magicauth_bg_bad_ext',
+				__( 'Background: only PNG, JPG, or WebP are allowed.', 'magicauth' ),
+				'error'
+			);
+			return 0;
+		}
+
+		if ( function_exists( 'finfo_open' ) ) {
+			$finfo = finfo_open( FILEINFO_MIME_TYPE );
+			if ( $finfo ) {
+				// finfo_close() is deprecated as of PHP 8.5 (objects auto-free)
+				// and a no-op on earlier versions once $finfo falls out of scope.
+				$mime = finfo_file( $finfo, $path );
+				if ( ! is_string( $mime ) || ! in_array( $mime, self::BACKGROUND_MIMES, true ) ) {
+					add_settings_error(
+						self::OPTION_NAME,
+						'magicauth_bg_bad_mime',
+						__( 'Background: file content does not match a supported image format.', 'magicauth' ),
+						'error'
+					);
+					return 0;
+				}
+			}
+		}
+
+		$size = (int) @filesize( $path ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
+		if ( $size > 1024 * 1024 ) {
+			add_settings_error(
+				self::OPTION_NAME,
+				'magicauth_bg_large',
+				sprintf(
+					/* translators: %s: file size in MB */
+					__( 'Background image saved. File is %s MB — consider compressing for faster page load.', 'magicauth' ),
+					number_format( $size / ( 1024 * 1024 ), 1 )
+				),
+				'warning'
+			);
+		}
+
+		return $attachment_id;
+	}
+
 	public static function field_ttl_minutes(): void {
 		$value = (int) magicauth_get_setting( 'ttl_minutes', 10 );
 		$name  = sprintf( '%s[ttl_minutes]', self::OPTION_NAME );
@@ -521,32 +703,17 @@ public static function field_max_link_uses(): void {
 	}
 
 	public static function field_redirect_to_default(): void {
-		$value   = (string) magicauth_get_setting( 'redirect_to_default', 'auto' );
-		$name    = sprintf( '%s[redirect_to_default]', self::OPTION_NAME );
-		$options = [
-			'auto'  => __( 'Auto (admin or home, by capability)', 'magicauth' ),
-			'home'  => __( 'Site home', 'magicauth' ),
-			'admin' => __( 'Admin dashboard', 'magicauth' ),
-		];
-		?>
-		<div class="magicauth-row">
-			<div class="magicauth-row__main">
-				<span class="magicauth-row__label"><?php esc_html_e( 'Default redirect after sign-in', 'magicauth' ); ?></span>
-				<p class="magicauth-row__help"><?php esc_html_e( 'Where users land when no specific destination was requested.', 'magicauth' ); ?></p>
-			</div>
-			<div class="magicauth-row__control">
-				<div class="magicauth-select">
-					<select name="<?php echo esc_attr( $name ); ?>">
-						<?php foreach ( $options as $opt_value => $label ) : ?>
-							<option value="<?php echo esc_attr( $opt_value ); ?>" <?php selected( $value, $opt_value ); ?>>
-								<?php echo esc_html( $label ); ?>
-							</option>
-						<?php endforeach; ?>
-					</select>
-				</div>
-			</div>
-		</div>
-		<?php
+		self::render_select_field(
+			'redirect_to_default',
+			(string) magicauth_get_setting( 'redirect_to_default', 'auto' ),
+			__( 'Default redirect after sign-in', 'magicauth' ),
+			__( 'Where users land when no specific destination was requested.', 'magicauth' ),
+			[
+				'auto'  => __( 'Auto (admin or home, by capability)', 'magicauth' ),
+				'home'  => __( 'Site home', 'magicauth' ),
+				'admin' => __( 'Admin dashboard', 'magicauth' ),
+			]
+		);
 	}
 
 	public static function field_replace_default( bool $weak_salts = false ): void {
@@ -676,36 +843,65 @@ public static function field_card_width(): void {
 	}
 
 	public static function field_font_stack(): void {
-		$value   = (string) magicauth_get_setting( 'font_stack', 'system' );
-		$name    = sprintf( '%s[font_stack]', self::OPTION_NAME );
-		$options = [
-			'system'      => __( 'System default', 'magicauth' ),
-			'sans-modern' => __( 'Modern sans (Inter)', 'magicauth' ),
-			'serif'       => __( 'Serif (Georgia)', 'magicauth' ),
-			'mono'        => __( 'Monospace', 'magicauth' ),
-			'rounded'     => __( 'Rounded', 'magicauth' ),
-		];
+		self::render_select_field(
+			'font_stack',
+			(string) magicauth_get_setting( 'font_stack', 'system' ),
+			__( 'Font family', 'magicauth' ),
+			__( 'Font used on the sign-in card. Each option is a stack of system-installed fonts — nothing is loaded from the network.', 'magicauth' ),
+			[
+				'system'      => __( 'System default', 'magicauth' ),
+				'sans-modern' => __( 'Modern sans (Inter)', 'magicauth' ),
+				'serif'       => __( 'Serif (Georgia)', 'magicauth' ),
+				'mono'        => __( 'Monospace', 'magicauth' ),
+				'rounded'     => __( 'Rounded', 'magicauth' ),
+			]
+		);
+	}
+
+	public static function field_link_color(): void {
+		$value         = (string) magicauth_get_setting( 'link_color', '' );
+		$brand_raw     = (string) magicauth_get_setting( 'brand_color', '#2271b1' );
+		$brand_default = (string) ( sanitize_hex_color( $brand_raw ) ?: '#2271b1' );
+		$name          = sprintf( '%s[link_color]', self::OPTION_NAME );
 		?>
 		<div class="magicauth-row">
 			<div class="magicauth-row__main">
-				<span class="magicauth-row__label"><?php esc_html_e( 'Font family', 'magicauth' ); ?></span>
-				<p class="magicauth-row__help"><?php esc_html_e( 'Font used on the sign-in card. Each option is a stack of system-installed fonts — nothing is loaded from the network.', 'magicauth' ); ?></p>
+				<span class="magicauth-row__label"><?php esc_html_e( 'Link color', 'magicauth' ); ?></span>
+				<p class="magicauth-row__help"><?php esc_html_e( 'Color of text links on the sign-in card. Leave blank to follow brand color. Validated against the card surface for readability.', 'magicauth' ); ?></p>
 			</div>
-			<div class="magicauth-row__control">
-				<div class="magicauth-select">
-					<select name="<?php echo esc_attr( $name ); ?>">
-						<?php foreach ( $options as $opt_value => $label ) : ?>
-							<option value="<?php echo esc_attr( $opt_value ); ?>" <?php selected( $value, $opt_value ); ?>>
-								<?php echo esc_html( $label ); ?>
-							</option>
-						<?php endforeach; ?>
-					</select>
+			<div class="magicauth-row__control magicauth-row__control--stack">
+				<div class="magicauth-color">
+					<input type="color" value="<?php echo esc_attr( '' !== $value ? $value : $brand_default ); ?>" aria-label="<?php esc_attr_e( 'Color picker', 'magicauth' ); ?>">
+					<input type="text" class="magicauth-input magicauth-input--mono" name="<?php echo esc_attr( $name ); ?>" value="<?php echo esc_attr( $value ); ?>" maxlength="7" placeholder="<?php esc_attr_e( '(brand color)', 'magicauth' ); ?>" data-validate-hex>
 				</div>
 			</div>
 		</div>
 		<?php
 	}
 
+	public static function field_color_mode(): void {
+		self::render_select_field(
+			'color_mode',
+			(string) magicauth_get_setting( 'color_mode', 'light' ),
+			__( 'Color mode', 'magicauth' ),
+			__( "Light, dark, or follow the visitor's system preference. Page background color applies in light mode; dark mode uses a curated dark palette.", 'magicauth' ),
+			[
+				'light' => __( 'Light', 'magicauth' ),
+				'dark'  => __( 'Dark', 'magicauth' ),
+				'auto'  => __( "Auto (follow visitor's browser preference)", 'magicauth' ),
+			]
+		);
+	}
+
+	public static function field_background_image(): void {
+		self::render_media_picker_field(
+			'background_attachment_id',
+			(int) magicauth_get_setting( 'background_attachment_id', 0 ),
+			__( 'Page background image', 'magicauth' ),
+			__( 'Optional. PNG, JPG, or WebP. Rendered as a cover-fitted, centered background behind the sign-in card. Page background color shows through transparent areas or if the image fails to load.', 'magicauth' )
+		);
+	}
+
 	public static function field_agency_credit_name(): void {
 		$value = (string) magicauth_get_setting( 'agency_credit_name', '' );
 		$name  = sprintf( '%s[agency_credit_name]', self::OPTION_NAME );
@@ -817,6 +1013,35 @@ public static function field_throttle(): void {
 		<?php endforeach;
 	}
 
+	/**
+	 * Shared <select> field markup. Same row scaffold as the v1.0 select fields;
+	 * keeps three field_* methods at ~4 LOC each instead of 25.
+	 *
+	 * @param array<string,string> $options Map of stored value => translated label.
+	 */
+	private static function render_select_field( string $option_key, string $value, string $label, string $help, array $options ): void {
+		$name = sprintf( '%s[%s]', self::OPTION_NAME, $option_key );
+		?>
+		<div class="magicauth-row">
+			<div class="magicauth-row__main">
+				<span class="magicauth-row__label"><?php echo esc_html( $label ); ?></span>
+				<p class="magicauth-row__help"><?php echo esc_html( $help ); ?></p>
+			</div>
+			<div class="magicauth-row__control">
+				<div class="magicauth-select">
+					<select name="<?php echo esc_attr( $name ); ?>">
+						<?php foreach ( $options as $opt_value => $opt_label ) : ?>
+							<option value="<?php echo esc_attr( (string) $opt_value ); ?>" <?php selected( $value, (string) $opt_value ); ?>>
+								<?php echo esc_html( $opt_label ); ?>
+							</option>
+						<?php endforeach; ?>
+					</select>
+				</div>
+			</div>
+		</div>
+		<?php
+	}
+
 	// Shared media-picker markup. JS binds wp.media to any [data-magicauth-media-picker].
 	private static function render_media_picker_field( string $option_key, int $attachment_id, string $label, string $description ): void {
 		$src  = $attachment_id ? wp_get_attachment_image_src( $attachment_id, 'medium' ) : false;
diff --git a/includes/Frontend/LoginScreen.php b/includes/Frontend/LoginScreen.php
index fa64a4a..5299245 100644
--- a/includes/Frontend/LoginScreen.php
+++ b/includes/Frontend/LoginScreen.php
@@ -364,6 +364,10 @@ public static function filter_header_text( string $text ): string {
 
 	public static function filter_body_class( array $classes ): array {
 		$classes[] = 'magicauth-page';
+		$mode      = (string) magicauth_get_setting( 'color_mode', 'light' );
+		if ( in_array( $mode, [ 'light', 'dark', 'auto' ], true ) ) {
+			$classes[] = 'magicauth-mode-' . $mode;
+		}
 		return $classes;
 	}
 
diff --git a/includes/Installer.php b/includes/Installer.php
index f703ea4..d1216e8 100644
--- a/includes/Installer.php
+++ b/includes/Installer.php
@@ -115,10 +115,13 @@ public static function default_settings(): array {
 			'company_name'          => '',
 			'logo_attachment_id'    => 0,
 			'brand_color'           => '#2271b1',
+			'link_color'            => '',
 			'page_color'            => '#eeeeee',
+			'background_attachment_id' => 0,
 			'card_radius'           => 6,
 			'card_width'            => 480,
 			'font_stack'            => 'system',
+			'color_mode'            => 'light',
 			'agency_credit_name'    => '',
 			'agency_credit_url'     => '',
 			'agency_credit_icon_id' => 0,
diff --git a/includes/helpers.php b/includes/helpers.php
index 4d2983d..cf9d57f 100644
--- a/includes/helpers.php
+++ b/includes/helpers.php
@@ -10,8 +10,17 @@
 defined( 'ABSPATH' ) || exit;
 
 if ( ! function_exists( 'magicauth_get_settings' ) ) {
-	/** Settings merged onto defaults. */
+	/**
+	 * Settings merged onto defaults. Memoized per-request via $GLOBALS so the
+	 * 7 calls on the login render path don't each rebuild the defaults array
+	 * and run array_replace_recursive. Invalidated by the option-update hooks
+	 * registered at the bottom of this file (and by the test stubs).
+	 */
 	function magicauth_get_settings(): array {
+		if ( isset( $GLOBALS['magicauth_settings_cache'] ) && is_array( $GLOBALS['magicauth_settings_cache'] ) ) {
+			return $GLOBALS['magicauth_settings_cache'];
+		}
+
 		$defaults = [
 			'ttl_minutes'           => 10,
 			'max_link_uses'         => 2,
@@ -30,10 +39,13 @@ function magicauth_get_settings(): array {
 			'company_name'          => '',
 			'logo_attachment_id'    => 0,
 			'brand_color'           => '#2271b1',
+			'link_color'            => '',
 			'page_color'            => '#eeeeee',
+			'background_attachment_id' => 0,
 			'card_radius'           => 6,
 			'card_width'            => 480,
 			'font_stack'            => 'system',
+			'color_mode'            => 'light',
 			'agency_credit_name'    => '',
 			'agency_credit_url'     => '',
 			'agency_credit_icon_id' => 0,
@@ -48,8 +60,23 @@ function magicauth_get_settings(): array {
 			$saved = [];
 		}
 
-		return array_replace_recursive( $defaults, $saved );
+		$GLOBALS['magicauth_settings_cache'] = array_replace_recursive( $defaults, $saved );
+		return $GLOBALS['magicauth_settings_cache'];
+	}
+}
+
+if ( ! function_exists( 'magicauth_invalidate_settings_cache' ) ) {
+	/** Drop the per-request settings memo. Tests reset state; admin saves fire this. */
+	function magicauth_invalidate_settings_cache(): void {
+		unset( $GLOBALS['magicauth_settings_cache'] );
+	}
+}
+
+if ( function_exists( 'add_action' ) ) {
+	foreach ( [ 'update_option_magicauth_settings', 'add_option_magicauth_settings', 'delete_option_magicauth_settings' ] as $magicauth_cache_hook ) {
+		add_action( $magicauth_cache_hook, 'magicauth_invalidate_settings_cache' );
 	}
+	unset( $magicauth_cache_hook );
 }
 
 if ( ! function_exists( 'magicauth_get_setting' ) ) {
@@ -150,24 +177,101 @@ function magicauth_hash_email( string $email ): string {
 	}
 }
 
-if ( ! function_exists( 'magicauth_yiq_text_color' ) ) {
-	/** Black or white text for a hex bg via YIQ luminance. */
-	function magicauth_yiq_text_color( string $hex ): string {
+if ( ! function_exists( 'magicauth_hex_to_rgb' ) ) {
+	/**
+	 * Parse a 3- or 6-digit hex color (leading `#` optional) into [r, g, b]
+	 * ints (0–255). Returns null on malformed input.
+	 *
+	 * @return array{0:int,1:int,2:int}|null
+	 */
+	function magicauth_hex_to_rgb( string $hex ): ?array {
 		$hex = ltrim( $hex, '#' );
 		if ( 3 === strlen( $hex ) ) {
 			$hex = $hex[0] . $hex[0] . $hex[1] . $hex[1] . $hex[2] . $hex[2];
 		}
 		if ( 6 !== strlen( $hex ) || ! ctype_xdigit( $hex ) ) {
+			return null;
+		}
+		return [
+			(int) hexdec( substr( $hex, 0, 2 ) ),
+			(int) hexdec( substr( $hex, 2, 2 ) ),
+			(int) hexdec( substr( $hex, 4, 2 ) ),
+		];
+	}
+}
+
+if ( ! function_exists( 'magicauth_yiq_text_color' ) ) {
+	/** Black or white text for a hex bg via YIQ luminance. */
+	function magicauth_yiq_text_color( string $hex ): string {
+		$rgb = magicauth_hex_to_rgb( $hex );
+		if ( null === $rgb ) {
 			return '#ffffff';
 		}
-		$r   = hexdec( substr( $hex, 0, 2 ) );
-		$g   = hexdec( substr( $hex, 2, 2 ) );
-		$b   = hexdec( substr( $hex, 4, 2 ) );
-		$yiq = ( ( $r * 299 ) + ( $g * 587 ) + ( $b * 114 ) ) / 1000;
+		$yiq = ( ( $rgb[0] * 299 ) + ( $rgb[1] * 587 ) + ( $rgb[2] * 114 ) ) / 1000;
 		return $yiq >= 128 ? '#000000' : '#ffffff';
 	}
 }
 
+if ( ! function_exists( 'magicauth_contrast_ratio' ) ) {
+	/**
+	 * WCAG 2.1 relative-luminance contrast ratio between two hex colors.
+	 *
+	 * Range: 1.0 (identical) to 21.0 (pure black on pure white). Uses ITU-R
+	 * BT.709 coefficients and the sRGB gamma curve per the WCAG 2.1 spec.
+	 * Accepts 3- or 6-digit hex with optional leading `#`. Returns 1.0 (the
+	 * worst valid ratio) on malformed input — callers should pre-validate.
+	 */
+	function magicauth_contrast_ratio( string $hex_a, string $hex_b ): float {
+		$lum = static function ( string $hex ): ?float {
+			$rgb = magicauth_hex_to_rgb( $hex );
+			if ( null === $rgb ) {
+				return null;
+			}
+			$channels = [ $rgb[0] / 255.0, $rgb[1] / 255.0, $rgb[2] / 255.0 ];
+			foreach ( $channels as &$c ) {
+				$c = ( $c <= 0.03928 )
+					? $c / 12.92
+					: pow( ( $c + 0.055 ) / 1.055, 2.4 );
+			}
+			unset( $c );
+			return ( 0.2126 * $channels[0] ) + ( 0.7152 * $channels[1] ) + ( 0.0722 * $channels[2] );
+		};
+
+		$l1 = $lum( $hex_a );
+		$l2 = $lum( $hex_b );
+		if ( null === $l1 || null === $l2 ) {
+			return 1.0;
+		}
+		if ( $l2 > $l1 ) {
+			[ $l1, $l2 ] = [ $l2, $l1 ];
+		}
+		return ( $l1 + 0.05 ) / ( $l2 + 0.05 );
+	}
+}
+
+if ( ! function_exists( 'magicauth_contrast_evaluate' ) ) {
+	/**
+	 * Three-tier WCAG verdict on a contrast ratio.
+	 *
+	 * - 'fail' below 2.5:1 (unreadable territory; reject at sanitize).
+	 * - 'warn' from 2.5:1 to context floor (AA 4.5:1 normal, 3:1 large/UI).
+	 * - 'pass' at or above context floor.
+	 *
+	 * @param float  $ratio   Output of magicauth_contrast_ratio().
+	 * @param string $context 'normal'|'large'|'ui' — defaults to 'normal' (strictest).
+	 */
+	function magicauth_contrast_evaluate( float $ratio, string $context = 'normal' ): string {
+		$floor = 'normal' === $context ? 4.5 : 3.0;
+		if ( $ratio < 2.5 ) {
+			return 'fail';
+		}
+		if ( $ratio < $floor ) {
+			return 'warn';
+		}
+		return 'pass';
+	}
+}
+
 if ( ! function_exists( 'magicauth_current_user_can_control_user' ) ) {
 	/** Cap gate: edit_user + same-or-higher role. Filterable for custom hierarchies. */
 	function magicauth_current_user_can_control_user( int $target_user_id ): bool {
diff --git a/readme.txt b/readme.txt
index 0a15db5..6183e97 100644
--- a/readme.txt
+++ b/readme.txt
@@ -74,6 +74,11 @@ MagicAuth registers a WordPress privacy exporter and eraser. Personal data store
 
 == Changelog ==
 
+= 1.2.0 =
+* Branding: link color, color mode (light / dark / auto), and page background image are now admin-controllable from Settings > MagicAuth.
+* Branding: new color knobs are validated against WCAG 2.1 AA contrast at save time — accidents below the readability floor are rejected, low-contrast values save with a notice, AA+ values save silently.
+* UX: Branding section now splits into "Identity" and "Appearance" sub-cards; all settings sections are collapsible via native `<details>`/`<summary>`.
+
 = 1.1.0 =
 * Branding: page background color, card corner radius, card max width, and font family are now admin-controllable from Settings > MagicAuth.
 * Security: `wp-login.php` now sends `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'` to refuse framing entirely.
diff --git a/templates/login-shell.php b/templates/login-shell.php
index fa6ff76..673eb21 100644
--- a/templates/login-shell.php
+++ b/templates/login-shell.php
@@ -47,6 +47,30 @@
 ];
 $shell_font_key   = (string) magicauth_get_setting( 'font_stack', 'system' );
 $shell_font_stack = $shell_font_stacks[ $shell_font_key ] ?? $shell_font_stacks['system'];
+
+// link_color: empty stored value means "inherit from brand" — emit nothing
+// and let consumers fall back via `var(--magicauth-color-link, var(--primary))`.
+$shell_link = '';
+$link_raw   = (string) magicauth_get_setting( 'link_color', '' );
+if ( '' !== $link_raw && function_exists( 'sanitize_hex_color' ) ) {
+	$candidate = (string) sanitize_hex_color( $link_raw );
+	if ( '' !== $candidate ) {
+		$shell_link = $candidate;
+	}
+}
+
+// Background image — resolve attachment to a URL. Falls back to page_color
+// when the attachment is missing or `wp_get_attachment_image_src()` is unavailable.
+$shell_bg_url = '';
+$shell_bg_id  = (int) magicauth_get_setting( 'background_attachment_id', 0 );
+if ( $shell_bg_id > 0 && function_exists( 'wp_get_attachment_image_src' ) ) {
+	// 'large' (≤1024w) avoids serving a 5 MB original to every login render
+	// when CSS will background-size: cover it anyway.
+	$src = wp_get_attachment_image_src( $shell_bg_id, 'large' );
+	if ( is_array( $src ) && ! empty( $src[0] ) ) {
+		$shell_bg_url = (string) $src[0];
+	}
+}
 ?>
 <style id="magicauth-shell-vars">
 :root {
@@ -56,6 +80,9 @@
 	--magicauth-radius-card: <?php echo (int) $shell_radius; ?>px;
 	--magicauth-card-max-width: <?php echo (int) $shell_width; ?>px;
 	--magicauth-font-family: <?php echo esc_attr( $shell_font_stack ); ?>;
+<?php if ( '' !== $shell_link ) : ?>
+	--magicauth-color-link: <?php echo esc_attr( $shell_link ); ?>;
+<?php endif; ?>
 }
 /* Vertical-center the card; flex avoids fighting WP's default top-padding. */
 html, body.login {
@@ -101,6 +128,19 @@
 body.login.magicauth-page .magicauth-card {
 	display: block;
 }
+<?php if ( '' !== $shell_bg_url ) : ?>
+/* Background image — comes AFTER the body.login shorthand `background:`
+   so this longhand doesn't get clobbered by the shorthand's reset. */
+body.login {
+	background-image: url('<?php echo esc_url( $shell_bg_url ); ?>');
+	background-position: center;
+	background-size: cover;
+	background-repeat: no-repeat;
+}
+@media (prefers-reduced-data: reduce) {
+	body.login { background-image: none; }
+}
+<?php endif; ?>
 </style>
 
 <?php
diff --git a/tests/phpunit/Model/ContrastRatioTest.php b/tests/phpunit/Model/ContrastRatioTest.php
new file mode 100644
index 0000000..4e7de1d
--- /dev/null
+++ b/tests/phpunit/Model/ContrastRatioTest.php
@@ -0,0 +1,60 @@
+<?php
+/**
+ * magicauth_contrast_ratio() / magicauth_contrast_evaluate() — WCAG 2.1 math.
+ *
+ * @package MagicAuth\Tests
+ */
+
+declare( strict_types=1 );
+
+namespace MagicAuth\Tests\Model;
+
+use PHPUnit\Framework\TestCase;
+
+final class ContrastRatioTest extends TestCase {
+
+	public function test_black_on_white_is_21(): void {
+		$this->assertEqualsWithDelta( 21.0, magicauth_contrast_ratio( '#000', '#ffffff' ), 0.01 );
+	}
+
+	public function test_identical_colors_yield_1(): void {
+		$this->assertEqualsWithDelta( 1.0, magicauth_contrast_ratio( '#abcdef', '#abcdef' ), 0.001 );
+	}
+
+	public function test_wp_blue_on_white_is_aa_normal(): void {
+		$r = magicauth_contrast_ratio( '#2271b1', '#ffffff' );
+		$this->assertGreaterThanOrEqual( 4.5, $r );
+		$this->assertLessThan( 7.0, $r );
+	}
+
+	public function test_three_digit_hex_normalizes_like_six(): void {
+		$this->assertEqualsWithDelta(
+			magicauth_contrast_ratio( '#abc', '#ffffff' ),
+			magicauth_contrast_ratio( '#aabbcc', '#ffffff' ),
+			0.01
+		);
+	}
+
+	public function test_symmetric(): void {
+		$a = magicauth_contrast_ratio( '#123456', '#abcdef' );
+		$b = magicauth_contrast_ratio( '#abcdef', '#123456' );
+		$this->assertEqualsWithDelta( $a, $b, 0.001 );
+	}
+
+	public function test_garbage_input_returns_1(): void {
+		$this->assertSame( 1.0, magicauth_contrast_ratio( 'pirate', '#ffffff' ) );
+	}
+
+	public function test_alpha_hex_rejected(): void {
+		// 8-char form is not a valid 3/6-digit hex → 1.0 sentinel.
+		$this->assertSame( 1.0, magicauth_contrast_ratio( '#ff000080', '#ffffff' ) );
+	}
+
+	public function test_evaluate_thresholds(): void {
+		$this->assertSame( 'fail', magicauth_contrast_evaluate( 2.0, 'normal' ) );
+		$this->assertSame( 'warn', magicauth_contrast_evaluate( 4.0, 'normal' ) );
+		$this->assertSame( 'pass', magicauth_contrast_evaluate( 5.0, 'normal' ) );
+		$this->assertSame( 'pass', magicauth_contrast_evaluate( 3.5, 'ui' ) );
+		$this->assertSame( 'pass', magicauth_contrast_evaluate( 3.5, 'large' ) );
+	}
+}
diff --git a/tests/phpunit/Model/SettingsSanitizeTest.php b/tests/phpunit/Model/SettingsSanitizeTest.php
index 539861c..1a399bd 100644
--- a/tests/phpunit/Model/SettingsSanitizeTest.php
+++ b/tests/phpunit/Model/SettingsSanitizeTest.php
@@ -102,6 +102,151 @@ public function test_defaults_returned_for_missing_keys(): void {
 		$this->assertSame( 'system', $settings['font_stack'] );
 	}
 
+	public function test_link_color_accepts_empty(): void {
+		$out = $this->sanitize( [ 'link_color' => '' ] );
+		$this->assertSame( '', $out['link_color'] );
+		$this->assertEmpty( $this->settings_error_codes(), 'empty link_color should produce no notice' );
+	}
+
+	public function test_link_color_accepts_high_contrast_hex(): void {
+		$out = $this->sanitize( [ 'link_color' => '#0044aa' ] );
+		$this->assertSame( '#0044aa', $out['link_color'] );
+		$this->assertEmpty( $this->settings_error_codes(), 'AA+ link_color should be silent' );
+	}
+
+	public function test_link_color_rejects_invalid_hex(): void {
+		$out = $this->sanitize( [ 'link_color' => 'pirate' ] );
+		// Default link_color is empty; invalid input restores previous value.
+		$this->assertSame( '', $out['link_color'] );
+		$this->assertContains( 'magicauth_link_color_invalid', $this->settings_error_codes() );
+	}
+
+	public function test_link_color_rejects_unreadable_below_floor(): void {
+		// #bbbbbb on #ffffff ≈ 1.9:1 — well under the 2.5 hard floor.
+		$out = $this->sanitize( [ 'link_color' => '#bbbbbb' ] );
+		$this->assertSame( '', $out['link_color'], 'fail verdict must restore previous (empty default)' );
+		$this->assertContains( 'magicauth_link_color_unreadable', $this->settings_error_codes() );
+	}
+
+	public function test_link_color_saves_with_warning_in_warn_band(): void {
+		// #888888 on #ffffff ≈ 3.5:1 — between the 2.5 floor and AA 4.5.
+		$out = $this->sanitize( [ 'link_color' => '#888888' ] );
+		$this->assertSame( '#888888', $out['link_color'], 'warn verdict must still save' );
+		$this->assertContains( 'magicauth_link_color_low_contrast', $this->settings_error_codes() );
+	}
+
+	public function test_link_color_array_input_is_ignored(): void {
+		$out = $this->sanitize( [ 'link_color' => [ '#ff0000' ] ] );
+		$this->assertSame( '', $out['link_color'] );
+	}
+
+	public function test_color_mode_round_trips_allowlist(): void {
+		foreach ( [ 'light', 'dark', 'auto' ] as $mode ) {
+			$out = $this->sanitize( [ 'color_mode' => $mode ] );
+			$this->assertSame( $mode, $out['color_mode'], "mode '{$mode}' should round-trip" );
+		}
+	}
+
+	public function test_color_mode_rejects_unknown(): void {
+		$out = $this->sanitize( [ 'color_mode' => 'midnight' ] );
+		$this->assertSame( 'light', $out['color_mode'] );
+	}
+
+	public function test_color_mode_rejects_array_input(): void {
+		$out = $this->sanitize( [ 'color_mode' => [ 'dark' ] ] );
+		// Default survives via is_scalar guard.
+		$this->assertSame( 'light', $out['color_mode'] );
+	}
+
+	public function test_brand_dark_contrast_warning_fires_for_low_contrast(): void {
+		$out = $this->sanitize( [
+			'brand_color' => '#444444',
+			'color_mode'  => 'dark',
+		] );
+		$this->assertSame( '#444444', $out['brand_color'] );
+		$this->assertSame( 'dark', $out['color_mode'] );
+		$this->assertContains( 'magicauth_brand_dark_contrast', $this->settings_error_codes() );
+	}
+
+	public function test_brand_dark_contrast_silent_in_light_mode(): void {
+		// Same low-contrast brand, but light mode — no dark-surface check applies.
+		$out = $this->sanitize( [
+			'brand_color' => '#444444',
+			'color_mode'  => 'light',
+		] );
+		$this->assertNotContains( 'magicauth_brand_dark_contrast', $this->settings_error_codes() );
+	}
+
+	public function test_background_id_zero_clears(): void {
+		$out = $this->sanitize( [ 'background_attachment_id' => 0 ] );
+		$this->assertSame( 0, $out['background_attachment_id'] );
+		$this->assertEmpty( $this->settings_error_codes(), 'zero should be silent' );
+	}
+
+	public function test_background_id_rejects_non_image_attachment(): void {
+		$path = $this->make_temp_file( '.png', $this->one_pixel_png_bytes() );
+		try {
+			magicauth_test_register_attachment_file( 42, $path, false /* is_image = false */ );
+			$out = $this->sanitize( [ 'background_attachment_id' => 42 ] );
+			$this->assertSame( 0, $out['background_attachment_id'] );
+			$this->assertContains( 'magicauth_bg_not_image', $this->settings_error_codes() );
+		} finally {
+			@unlink( $path );
+		}
+	}
+
+	public function test_background_id_accepts_valid_png(): void {
+		$path = $this->make_temp_file( '.png', $this->one_pixel_png_bytes() );
+		try {
+			magicauth_test_register_attachment_file( 7, $path, true );
+			$out = $this->sanitize( [ 'background_attachment_id' => 7 ] );
+			$this->assertSame( 7, $out['background_attachment_id'] );
+			$this->assertEmpty( $this->settings_error_codes(), 'valid PNG should be silent' );
+		} finally {
+			@unlink( $path );
+		}
+	}
+
+	public function test_background_id_rejects_svg(): void {
+		$path = $this->make_temp_file( '.svg', '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"/>' );
+		try {
+			magicauth_test_register_attachment_file( 11, $path, true );
+			$out = $this->sanitize( [ 'background_attachment_id' => 11 ] );
+			$this->assertSame( 0, $out['background_attachment_id'] );
+			$this->assertContains( 'magicauth_bg_bad_ext', $this->settings_error_codes() );
+		} finally {
+			@unlink( $path );
+		}
+	}
+
+	public function test_background_id_returns_zero_when_path_missing(): void {
+		// Image flag set but no path registered → get_attached_file() returns false.
+		global $magicauth_test_state;
+		$magicauth_test_state['attachment_is_image'][ 99 ] = true;
+		$out = $this->sanitize( [ 'background_attachment_id' => 99 ] );
+		$this->assertSame( 0, $out['background_attachment_id'] );
+	}
+
+	private function make_temp_file( string $extension, string $bytes ): string {
+		$path = sys_get_temp_dir() . '/magicauth-bg-test-' . uniqid( '', true ) . $extension;
+		file_put_contents( $path, $bytes );
+		return $path;
+	}
+
+	private function one_pixel_png_bytes(): string {
+		// Minimal 1×1 transparent PNG — finfo identifies as image/png.
+		return base64_decode(
+			'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==',
+			true
+		) ?: '';
+	}
+
+	/** @return list<string> */
+	private function settings_error_codes(): array {
+		$errors = $GLOBALS['magicauth_test_state']['settings_errors'] ?? [];
+		return array_map( static fn ( $e ) => (string) ( $e['code'] ?? '' ), $errors );
+	}
+
 	public function test_font_stacks_in_shell_template_contain_no_html_meta_chars(): void {
 		// HTML parsers treat '</style>' as a block-terminator regardless of CSS
 		// quoting. Pin a static assertion so a future maintainer adding e.g.
diff --git a/tests/phpunit/stubs/wp-functions.php b/tests/phpunit/stubs/wp-functions.php
index ace9f1a..94208cd 100644
--- a/tests/phpunit/stubs/wp-functions.php
+++ b/tests/phpunit/stubs/wp-functions.php
@@ -48,6 +48,9 @@ function update_option( string $option, $value, $autoload = null ): bool {
 		unset( $autoload );
 		global $magicauth_test_state;
 		$magicauth_test_state['options'][ $option ] = $value;
+		if ( 'magicauth_settings' === $option && function_exists( 'magicauth_invalidate_settings_cache' ) ) {
+			magicauth_invalidate_settings_cache();
+		}
 		return true;
 	}
 }
@@ -59,6 +62,9 @@ function add_option( string $option, $value ): bool {
 			return false;
 		}
 		$magicauth_test_state['options'][ $option ] = $value;
+		if ( 'magicauth_settings' === $option && function_exists( 'magicauth_invalidate_settings_cache' ) ) {
+			magicauth_invalidate_settings_cache();
+		}
 		return true;
 	}
 }
@@ -67,6 +73,9 @@ function add_option( string $option, $value ): bool {
 	function delete_option( string $option ): bool {
 		global $magicauth_test_state;
 		unset( $magicauth_test_state['options'][ $option ] );
+		if ( 'magicauth_settings' === $option && function_exists( 'magicauth_invalidate_settings_cache' ) ) {
+			magicauth_invalidate_settings_cache();
+		}
 		return true;
 	}
 }
@@ -656,6 +665,37 @@ function wp_get_attachment_image_src( int $id, string $size = 'thumbnail' ) {
 	}
 }
 
+if ( ! function_exists( 'wp_attachment_is_image' ) ) {
+	function wp_attachment_is_image( int $id ): bool {
+		global $magicauth_test_state;
+		return ! empty( $magicauth_test_state['attachment_is_image'][ $id ] );
+	}
+}
+
+if ( ! function_exists( 'get_attached_file' ) ) {
+	function get_attached_file( int $id ) {
+		global $magicauth_test_state;
+		return $magicauth_test_state['attachment_paths'][ $id ] ?? false;
+	}
+}
+
+if ( ! function_exists( 'wp_check_filetype_and_ext' ) ) {
+	// Simplified: match by file extension against the allowlist regex keys.
+	// Real WP also peeks at content via finfo; we leave that to the caller's
+	// own finfo block, since duplicating WP's logic here adds little value.
+	function wp_check_filetype_and_ext( string $file, string $filename, array $mimes = [] ): array {
+		unset( $file );
+		$ext = strtolower( (string) pathinfo( $filename, PATHINFO_EXTENSION ) );
+		foreach ( $mimes as $regex => $mime ) {
+			$alternatives = explode( '|', $regex );
+			if ( in_array( $ext, $alternatives, true ) ) {
+				return [ 'ext' => $ext, 'type' => $mime, 'proper_filename' => false ];
+			}
+		}
+		return [ 'ext' => false, 'type' => false, 'proper_filename' => false ];
+	}
+}
+
 if ( ! function_exists( 'magicauth_test_register_attachment' ) ) {
 	function magicauth_test_register_attachment( int $id, string $url ): void {
 		global $magicauth_test_state;
@@ -663,6 +703,19 @@ function magicauth_test_register_attachment( int $id, string $url ): void {
 	}
 }
 
+if ( ! function_exists( 'magicauth_test_register_attachment_file' ) ) {
+	/**
+	 * Test helper: bind an attachment ID to an on-disk path so sanitize_background()
+	 * sees a real file (finfo needs bytes). Marks the attachment as an image by
+	 * default; pass $is_image=false to simulate a non-image attachment.
+	 */
+	function magicauth_test_register_attachment_file( int $id, string $path, bool $is_image = true ): void {
+		global $magicauth_test_state;
+		$magicauth_test_state['attachment_paths'][ $id ]    = $path;
+		$magicauth_test_state['attachment_is_image'][ $id ] = $is_image;
+	}
+}
+
 if ( ! function_exists( 'magicauth_test_register_user' ) ) {
 	/**
 	 * Test helper: register a stub WP_User in the in-memory user table.
@@ -729,14 +782,19 @@ function add_settings_error( string $setting, string $code, string $message, str
 	function magicauth_test_reset_state(): void {
 		global $magicauth_test_state, $wpdb;
 		$magicauth_test_state = [
-			'options'     => [],
-			'usermeta'    => [],
-			'transients'  => [],
-			'users'       => [],
-			'actions'     => [],
-			'filters'     => [],
-			'attachments' => [],
+			'options'             => [],
+			'usermeta'            => [],
+			'transients'          => [],
+			'users'               => [],
+			'actions'             => [],
+			'filters'             => [],
+			'attachments'         => [],
+			'attachment_paths'    => [],
+			'attachment_is_image' => [],
 		];
+		if ( function_exists( 'magicauth_invalidate_settings_cache' ) ) {
+			magicauth_invalidate_settings_cache();
+		}
 		if ( isset( $wpdb ) && method_exists( $wpdb, 'truncate_magicauth_table' ) ) {
 			$wpdb->truncate_magicauth_table();
 		}

From f21d9ed19f787600764dac6788a63da140d226b8 Mon Sep 17 00:00:00 2001
From: r00bbert <280805750+r00bbert@users.noreply.github.com>
Date: Tue, 12 May 2026 14:11:45 +0200
Subject: [PATCH 3/7] fix: split branding and appearance

---
 assets/css/magicauth-admin.css | 14 --------------
 includes/Admin/Settings.php    | 14 +++++++++++---
 2 files changed, 11 insertions(+), 17 deletions(-)

diff --git a/assets/css/magicauth-admin.css b/assets/css/magicauth-admin.css
index 36db28f..242fc93 100644
--- a/assets/css/magicauth-admin.css
+++ b/assets/css/magicauth-admin.css
@@ -413,20 +413,6 @@ body.admin-bar .magicauth-admin .magicauth-topbar__bar { top: 32px; }
 	border-radius: 4px;
 }
 
-/* Sub-card subheading inside .magicauth-card */
-.magicauth-admin .magicauth-card__subhead {
-	margin: 0 0 16px;
-	font-size: 13px;
-	font-weight: 600;
-	color: var(--tx-muted);
-	text-transform: uppercase;
-	letter-spacing: 0.04em;
-}
-
-.magicauth-admin .magicauth-card + .magicauth-card {
-	margin-top: 16px;
-}
-
 /* Cards. Namespaced to avoid colliding with WP core `.card` (caps at 520px). */
 .magicauth-admin .magicauth-card {
 	background: var(--ettic-surface);
diff --git a/includes/Admin/Settings.php b/includes/Admin/Settings.php
index 47691fa..b1bbd08 100644
--- a/includes/Admin/Settings.php
+++ b/includes/Admin/Settings.php
@@ -178,6 +178,7 @@ public static function render_page(): void {
 				<div class="magicauth-stack">
 					<?php self::render_section_general(); ?>
 					<?php self::render_section_branding( $weak_salts ); ?>
+					<?php self::render_section_appearance(); ?>
 					<?php self::render_section_agency_credit(); ?>
 					<?php self::render_section_security(); ?>
 					<?php self::render_section_diagnostics(); ?>
@@ -211,18 +212,25 @@ private static function render_section_branding( bool $weak_salts ): void {
 				<h2><?php esc_html_e( 'Branding', 'magicauth' ); ?></h2>
 				<p><?php esc_html_e( 'How the sign-in card looks. Settings render on the branded login screen and in transactional emails.', 'magicauth' ); ?></p>
 			</summary>
-
 			<div class="magicauth-card">
-				<h3 class="magicauth-card__subhead"><?php esc_html_e( 'Identity', 'magicauth' ); ?></h3>
 				<?php self::field_replace_default( $weak_salts ); ?>
 				<?php self::field_company_name(); ?>
 				<?php self::field_logo(); ?>
 				<?php self::field_brand_color(); ?>
 				<?php self::field_link_color(); ?>
 			</div>
+		</details>
+		<?php
+	}
 
+	private static function render_section_appearance(): void {
+		?>
+		<details class="magicauth-block" open>
+			<summary class="magicauth-block__head">
+				<h2><?php esc_html_e( 'Appearance', 'magicauth' ); ?></h2>
+				<p><?php esc_html_e( 'Layout and theme of the sign-in card. Color mode, page background, sizing, and typography.', 'magicauth' ); ?></p>
+			</summary>
 			<div class="magicauth-card">
-				<h3 class="magicauth-card__subhead"><?php esc_html_e( 'Appearance', 'magicauth' ); ?></h3>
 				<?php self::field_color_mode(); ?>
 				<?php self::field_page_color(); ?>
 				<?php self::field_background_image(); ?>

From 5ec6e8fe8c2f1254c97c4989d5c5e0bb6aee266a Mon Sep 17 00:00:00 2001
From: r00bbert <280805750+r00bbert@users.noreply.github.com>
Date: Tue, 12 May 2026 14:12:38 +0200
Subject: [PATCH 4/7] fix: link color follows brand when blank

---
 assets/js/magicauth-admin.js | 44 ++++++++++++++++++++++++++++++++++++
 includes/Admin/Settings.php  |  2 +-
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/assets/js/magicauth-admin.js b/assets/js/magicauth-admin.js
index 6424c47..67b59ce 100644
--- a/assets/js/magicauth-admin.js
+++ b/assets/js/magicauth-admin.js
@@ -12,6 +12,7 @@
 	function init() {
 		initMediaPickers();
 		initColorPickers();
+		initColorFollowers();
 		initRowDirtyMarks();
 		initDirtyTracking();
 		initCharCounters();
@@ -107,6 +108,49 @@
 		} );
 	}
 
+	// Follower color pickers: when the text input is blank, the swatch mirrors
+	// a source picker (e.g. link_color follows brand_color). Typing a hex or
+	// picking a swatch color writes to the text input, which disconnects.
+	function initColorFollowers() {
+		var HEX_RE = /^#?[0-9a-fA-F]{6}$/;
+		var normalize = function ( v ) { return v.charAt( 0 ) === '#' ? v : '#' + v; };
+
+		document.querySelectorAll( '.magicauth-admin .magicauth-color[data-magicauth-color-follows]' ).forEach( function ( follower ) {
+			var sourceKey = follower.getAttribute( 'data-magicauth-color-follows' );
+			if ( ! sourceKey ) {
+				return;
+			}
+			var sourceText = document.querySelector( 'input[name="magicauth_settings[' + sourceKey + ']"]' );
+			var swatch     = follower.querySelector( 'input[type="color"]' );
+			var text       = follower.querySelector( 'input[type="text"]' );
+			if ( ! sourceText || ! swatch || ! text ) {
+				return;
+			}
+
+			function isConnected() { return '' === text.value.trim(); }
+			function mirrorFromSource() {
+				var v = sourceText.value.trim();
+				if ( HEX_RE.test( v ) ) {
+					swatch.value = normalize( v );
+				}
+			}
+
+			// Cleared text → snap swatch back to source.
+			text.addEventListener( 'input', function () {
+				if ( isConnected() ) {
+					mirrorFromSource();
+				}
+			} );
+
+			// Source moved → mirror only while connected.
+			sourceText.addEventListener( 'input', function () {
+				if ( isConnected() ) {
+					mirrorFromSource();
+				}
+			} );
+		} );
+	}
+
 	// Per-row dirty mark — auto-injected, opacity toggled via .is-dirty
 	function initRowDirtyMarks() {
 		document.querySelectorAll( '.magicauth-admin .magicauth-row' ).forEach( function ( row ) {
diff --git a/includes/Admin/Settings.php b/includes/Admin/Settings.php
index 47691fa..f29015d 100644
--- a/includes/Admin/Settings.php
+++ b/includes/Admin/Settings.php
@@ -870,7 +870,7 @@ public static function field_link_color(): void {
 				<p class="magicauth-row__help"><?php esc_html_e( 'Color of text links on the sign-in card. Leave blank to follow brand color. Validated against the card surface for readability.', 'magicauth' ); ?></p>
 			</div>
 			<div class="magicauth-row__control magicauth-row__control--stack">
-				<div class="magicauth-color">
+				<div class="magicauth-color" data-magicauth-color-follows="brand_color">
 					<input type="color" value="<?php echo esc_attr( '' !== $value ? $value : $brand_default ); ?>" aria-label="<?php esc_attr_e( 'Color picker', 'magicauth' ); ?>">
 					<input type="text" class="magicauth-input magicauth-input--mono" name="<?php echo esc_attr( $name ); ?>" value="<?php echo esc_attr( $value ); ?>" maxlength="7" placeholder="<?php esc_attr_e( '(brand color)', 'magicauth' ); ?>" data-validate-hex>
 				</div>

From ad87fbc62d52f571274a466cbc09c3727f86ba80 Mon Sep 17 00:00:00 2001
From: r00bbert <280805750+r00bbert@users.noreply.github.com>
Date: Tue, 12 May 2026 14:13:11 +0200
Subject: [PATCH 5/7] fix: match diagnostics row padding

---
 assets/css/magicauth-admin.css | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/assets/css/magicauth-admin.css b/assets/css/magicauth-admin.css
index 36db28f..c5b676f 100644
--- a/assets/css/magicauth-admin.css
+++ b/assets/css/magicauth-admin.css
@@ -885,7 +885,7 @@ body.admin-bar .magicauth-admin .magicauth-topbar__bar { top: 32px; }
 	align-items: center;
 	justify-content: space-between;
 	gap: 16px;
-	padding: 14px 8px;
+	padding: 14px;
 	position: relative;
 }
 

From 124fdc189e86c0a317ddcd4b1a85daa31d53ae97 Mon Sep 17 00:00:00 2001
From: Nol de Roos <108540791+nolderoos@users.noreply.github.com>
Date: Tue, 12 May 2026 14:59:33 +0200
Subject: [PATCH 6/7] fix: point Plugin URI to plugins.ettic.nl/magicauth

Updates the Plugin URI header so the "Visit plugin site" link on the
WordPress Plugins screen resolves to the canonical product page instead
of the GitHub source repo.
---
 magicauth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/magicauth.php b/magicauth.php
index 21db5cb..401a33f 100644
--- a/magicauth.php
+++ b/magicauth.php
@@ -1,7 +1,7 @@
 <?php
 /**
  * Plugin Name:       MagicAuth
- * Plugin URI:        https://github.com/EtticDevelopment/magicauth
+ * Plugin URI:        https://plugins.ettic.nl/magicauth
  * Description:       Passwordless WordPress sign-in via email magic link or 6-character code.
  * Version:           1.0.0
  * Requires at least: 6.4

From ab13245f4f65a2a4d14d1b70937bd5923ccb7159 Mon Sep 17 00:00:00 2001
From: Nol de Roos <108540791+nolderoos@users.noreply.github.com>
Date: Wed, 13 May 2026 11:56:15 +0200
Subject: [PATCH 7/7] fix: address CodeRabbit feedback on login styling PR
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Item 4 (Minor): initialize follower swatch on first render so the
  preview matches the source picker before any user input.
  https://github.com/EtticDevelopment/magicauth/pull/4#discussion_r3226398090
- Item 5 (Nitpick): add prominent bidirectional SYNC-LOCK comments
  cross-referencing the duplicated dark-surface hex in both
  assets/css/magicauth.css and includes/Admin/Settings.php. Chose
  option (c) — option (a) would require injecting only one of nine
  dark-mode tokens via PHP, creating asymmetry vs the eight others
  that legitimately live in CSS.
- Item 6 (Nitpick): same SYNC-LOCK comment on the PHP constant side
  names both CSS line numbers and the cascade direction.
- Item 7 (Nitpick): extract magic number into
  private const BACKGROUND_SIZE_SOFT_LIMIT_BYTES = 1024 * 1024 and
  replace both call sites.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 assets/css/magicauth.css     | 18 ++++++++++++++----
 assets/js/magicauth-admin.js |  5 +++++
 includes/Admin/Settings.php  | 18 +++++++++++++-----
 3 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/assets/css/magicauth.css b/assets/css/magicauth.css
index dd22b26..a93abd0 100644
--- a/assets/css/magicauth.css
+++ b/assets/css/magicauth.css
@@ -451,10 +451,16 @@
 /* Dark mode — explicit. Body-class specificity (0,1,1) beats :root (0,0,1),
    so the shell-vars block can still set per-instance brand_color / link_color /
    font_stack without being overridden. Curated values, not exposed to admin
-   pickers. The surface hex must match Admin\Settings::DARK_SURFACE_HEX. */
+   pickers.
+   !!! SYNC-LOCK !!! --magicauth-color-surface (#181c22) MUST equal the PHP
+   constant MagicAuth\Admin\Settings::DARK_SURFACE_HEX
+   (includes/Admin/Settings.php:~42). The PHP constant feeds the brand-color
+   contrast check; the CSS variable paints the card. If either changes without
+   the other, dark-mode contrast warnings will lie. Value also duplicated at
+   line ~482 below (auto-mode @media block) — update all three together. */
 body.magicauth-mode-dark {
 	--magicauth-color-page: #0e1116;
-	--magicauth-color-surface: #181c22;
+	--magicauth-color-surface: #181c22; /* SYNC with Settings::DARK_SURFACE_HEX */
 	--magicauth-color-code-bg: #202832;
 	--magicauth-color-text: #eef0f3;
 	--magicauth-color-text-muted: #9aa3ad;
@@ -465,11 +471,15 @@ body.magicauth-mode-dark {
 }
 
 /* Dark mode — auto. Only kicks in when admin chose color_mode = auto AND
-   the visitor's browser reports a dark preference. */
+   the visitor's browser reports a dark preference.
+   !!! SYNC-LOCK !!! --magicauth-color-surface (#181c22) MUST equal the PHP
+   constant MagicAuth\Admin\Settings::DARK_SURFACE_HEX
+   (includes/Admin/Settings.php:~42). See full note above the explicit-dark
+   block (~line 451). Three locations to update in lockstep. */
 @media (prefers-color-scheme: dark) {
 	body.magicauth-mode-auto {
 		--magicauth-color-page: #0e1116;
-		--magicauth-color-surface: #181c22;
+		--magicauth-color-surface: #181c22; /* SYNC with Settings::DARK_SURFACE_HEX */
 		--magicauth-color-code-bg: #202832;
 		--magicauth-color-text: #eef0f3;
 		--magicauth-color-text-muted: #9aa3ad;
diff --git a/assets/js/magicauth-admin.js b/assets/js/magicauth-admin.js
index 67b59ce..497b670 100644
--- a/assets/js/magicauth-admin.js
+++ b/assets/js/magicauth-admin.js
@@ -148,6 +148,11 @@
 					mirrorFromSource();
 				}
 			} );
+
+			// Initial render: if follower is blank, mirror immediately.
+			if ( isConnected() ) {
+				mirrorFromSource();
+			}
 		} );
 	}
 
diff --git a/includes/Admin/Settings.php b/includes/Admin/Settings.php
index b33921d..b81960a 100644
--- a/includes/Admin/Settings.php
+++ b/includes/Admin/Settings.php
@@ -32,9 +32,13 @@ final class Settings {
 
 	private const COLOR_MODE_KEYS = [ 'light', 'dark', 'auto' ];
 
-	// Curated dark-mode surface — must match the value emitted by magicauth.css
-	// for body.magicauth-mode-dark / .magicauth-mode-auto. Used by the
-	// brand-color contrast check below.
+	// Curated dark-mode surface — used by the brand-color contrast check below.
+	// !!! SYNC-LOCK !!! This value MUST equal the --magicauth-color-surface
+	// declarations in assets/css/magicauth.css at:
+	//   - line ~463 (body.magicauth-mode-dark block)
+	//   - line ~482 (@media (prefers-color-scheme: dark) > body.magicauth-mode-auto)
+	// Three locations, one truth. If you change one, change all three or the
+	// contrast warning shown to admins will disagree with the rendered card.
 	private const DARK_SURFACE_HEX = '#181c22';
 
 	// Keyed by extension regex (wp_check_filetype_and_ext format); membership checks hit values.
@@ -53,6 +57,10 @@ final class Settings {
 		'webp'     => 'image/webp',
 	];
 
+	// Background image soft-limit. Files larger than this trigger a non-blocking
+	// "consider compressing" admin notice but still save successfully.
+	private const BACKGROUND_SIZE_SOFT_LIMIT_BYTES = 1024 * 1024; // 1 MB.
+
 	public static function setup(): void {
 		add_action( 'admin_init', [ self::class, 'register' ] );
 		add_action( 'admin_menu', [ self::class, 'menu' ] );
@@ -654,14 +662,14 @@ private static function sanitize_background( int $attachment_id ): int {
 		}
 
 		$size = (int) @filesize( $path ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged
-		if ( $size > 1024 * 1024 ) {
+		if ( $size > self::BACKGROUND_SIZE_SOFT_LIMIT_BYTES ) {
 			add_settings_error(
 				self::OPTION_NAME,
 				'magicauth_bg_large',
 				sprintf(
 					/* translators: %s: file size in MB */
 					__( 'Background image saved. File is %s MB — consider compressing for faster page load.', 'magicauth' ),
-					number_format( $size / ( 1024 * 1024 ), 1 )
+					number_format( $size / self::BACKGROUND_SIZE_SOFT_LIMIT_BYTES, 1 )
 				),
 				'warning'
 			);