Restore Django 6 runtime target and align docs/metadata

Smartappli · Smartappli · commit 79ab9889b5e2 · 2026-03-17T00:50:37.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,26 @@
 # Changelog
 
+## 0.9.4
+
+- Restored Django runtime target to 6.0.3.
+- Audited and stabilized review queue/export behavior and batch segment assignment paths.
+- Hardened production security defaults (non-default `DJANGO_SECRET_KEY`, required `ALLOWED_HOSTS`, optional TLS/HSTS controls).
+- Updated dependency constraints to newer maintained versions (Django, Granian, Argon2, psycopg, redis, Ruff).
+- Kept Granian as the default ASGI runtime across docs and metadata.
+
+## 0.9.3
+
+- Refined review queue filtering logic into a shared helper for maintainability.
+- Aligned review-segment CSV export with active queue filters used in the UI.
+- Bumped release metadata and docs to 0.9.3.
+- Documented Granian as the default ASGI command for local startup parity.
+
+## 0.9.2
+
+- Added batch assignment for review segments directly from the session player.
+- Added finer review queue filters (project, status, assignee, reviewer, and text search).
+- Added CSV analytics export for review segments from the review queue.
+
 ## 0.9.1
 
 - Added segment-level review queues and session review segments.
diff --git a/README.md b/README.md
@@ -1,8 +1,8 @@
-# PyBehaviorLog 0.9.1
+# PyBehaviorLog 0.9.4
 
 PyBehaviorLog is an ASGI-first behavioral observation platform built with Django 6.0.3. It is designed for research teams who need video-assisted coding, live observations, structured ethograms, review workflows, and exportable analytics without being locked into a desktop-only workflow.
 
-## What is in this 0.9.1 archive
+## What is in this 0.9.4 archive
 
 This version extends the earlier CowLog/BORIS-inspired foundations with:
 
@@ -23,7 +23,7 @@ This version extends the earlier CowLog/BORIS-inspired foundations with:
 - PostgreSQL 18 + Redis 8 container stack
 - Argon2 password hashing
 - database-backed sessions
-- Django 6 built-in CSP middleware support
+- Django CSP middleware support
 - unit tests, coverage gate, pre-commit, and GitHub Actions CI
 - built-in BORIS/CowLog round-trip certification fixtures and comparison helpers
 - BORIS-style CSV/TSV/XLSX session imports
@@ -57,9 +57,11 @@ source .venv/bin/activate
 pip install -r requirements.txt
 python manage.py migrate
 python manage.py createsuperuser
-python manage.py runserver
+granian --interface asgi --host 127.0.0.1 --port 8000 config.asgi:application
 ```
 
+For ASGI-parity in local development, use Granian (instead of the Django dev server) as shown above.
+
 ## Quick start with Docker
 
 ```bash
@@ -120,8 +122,25 @@ This repository is marked as **AGPL-3.0-only**.
 - Management commands: `export_project_bundle` and `release_report`.
 
 
-## New in 0.9.1
+## New in 0.9.2
 
 - Added segment-level review queues and assignee/reviewer workflow.
 - Added session review segments with CRUD screens and queue dashboard.
 - Included review segments in JSON and BORIS-like session exports/imports.
+- Added batch assignment of review segments from the session player.
+- Added finer review queue filtering by project, status, assignee/reviewer, and search text.
+- Added CSV export for review-segment analytics from the review queue.
+
+## New in 0.9.3
+
+- Refined review queue filtering internals for consistency between UI and CSV export.
+- Export now honors the same active queue and filter parameters as the dashboard.
+- Minor release polish and metadata/documentation update to 0.9.3.
+
+
+## New in 0.9.4
+
+- Full pass on review-queue/batch-assignment code paths with consistency fixes for filtered exports.
+- Hardened security defaults for production (`DJANGO_SECRET_KEY`, `ALLOWED_HOSTS`, TLS/HSTS flags).
+- Refreshed runtime/development dependencies to newer maintained versions.
+- Confirmed Granian remains the default ASGI server for local and deployment workflows.
diff --git a/config/settings.py b/config/settings.py
@@ -12,6 +12,7 @@
 from pathlib import Path
 from urllib.parse import urlparse
 
+from django.core.exceptions import ImproperlyConfigured
 from django.utils.csp import CSP
 from django.utils.translation import gettext_lazy as _
 
@@ -103,11 +104,22 @@ def build_database_config() -> dict[str, object]:
     }
 
 
-SECRET_KEY = env('DJANGO_SECRET_KEY', 'django-insecure-pybehaviorlog-0-8-change-me')
+DEFAULT_SECRET_KEY = 'django-insecure-pybehaviorlog-0-8-change-me'
+SECRET_KEY = env('DJANGO_SECRET_KEY', DEFAULT_SECRET_KEY)
 DEBUG = env_bool('DJANGO_DEBUG', True)
 ALLOWED_HOSTS = env_list('DJANGO_ALLOWED_HOSTS', '127.0.0.1,localhost')
 CSRF_TRUSTED_ORIGINS = env_list('DJANGO_CSRF_TRUSTED_ORIGINS')
 
+if not DEBUG and SECRET_KEY == DEFAULT_SECRET_KEY:
+    raise ImproperlyConfigured(
+        'DJANGO_SECRET_KEY must be set to a unique non-default value when DJANGO_DEBUG=0.'
+    )
+
+if not DEBUG and not ALLOWED_HOSTS:
+    raise ImproperlyConfigured(
+        'DJANGO_ALLOWED_HOSTS must define at least one host when DJANGO_DEBUG=0.'
+    )
+
 INSTALLED_APPS = [
     'django.contrib.admin',
     'django.contrib.auth',
@@ -233,6 +245,10 @@ def build_database_config() -> dict[str, object]:
 SECURE_REFERRER_POLICY = 'same-origin'
 SECURE_CONTENT_TYPE_NOSNIFF = True
 SECURE_CROSS_ORIGIN_OPENER_POLICY = 'same-origin'
+SECURE_SSL_REDIRECT = env_bool('SECURE_SSL_REDIRECT', not DEBUG)
+SECURE_HSTS_SECONDS = env_int('SECURE_HSTS_SECONDS', 0 if DEBUG else 60 * 60 * 24 * 30)
+SECURE_HSTS_INCLUDE_SUBDOMAINS = env_bool('SECURE_HSTS_INCLUDE_SUBDOMAINS', not DEBUG)
+SECURE_HSTS_PRELOAD = env_bool('SECURE_HSTS_PRELOAD', False)
 
 SECURE_CSP = {
     'default-src': [CSP.SELF],
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -41,7 +41,7 @@ Authentication sessions are stored in the database (`django.contrib.sessions.bac
 ## Security defaults
 
 - Argon2 is the first password hasher.
-- Django 6 CSP middleware is enabled.
+- Django CSP middleware is enabled.
 - CSRF cookies and session cookies are hardened.
 - `X-Frame-Options` is set to `DENY`.
 - `SECURE_PROXY_SSL_HEADER` is configured for reverse proxy deployments.
diff --git a/docs/deployment.md b/docs/deployment.md
@@ -56,3 +56,12 @@ coverage run manage.py test
 coverage report --fail-under=80
 pre-commit run --all-files
 ```
+
+
+## Local ASGI run
+
+Use Granian directly to mirror production ASGI behavior:
+
+```bash
+granian --interface asgi --host 127.0.0.1 --port 8000 config.asgi:application
+```
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -1,4 +1,4 @@
 -r requirements.txt
 coverage[toml]>=7.6,<8
 pre-commit>=4.2,<5
-ruff>=0.11,<1
+ruff>=0.12,<1
diff --git a/requirements.txt b/requirements.txt
@@ -1,6 +1,6 @@
 Django==6.0.3
-argon2-cffi>=23.1,<26
-granian>=2.2,<3
-openpyxl==3.1.5
-psycopg[binary,pool]>=3.2,<4
-redis[hiredis]>=5.2,<7
+argon2-cffi>=25.1,<26
+granian>=2.5,<3
+openpyxl>=3.1.5,<3.2
+psycopg[binary,pool]>=3.2.6,<3.3
+redis[hiredis]>=5.2.1,<7
diff --git a/templates/tracker/review_queue.html b/templates/tracker/review_queue.html
@@ -9,6 +9,11 @@
         <h1>{% trans 'Review queue' %}</h1>
         <p>{% trans 'Segment-level assignments for coding, checking, and reviewer handoff across projects.' %}</p>
     </div>
+    <div class="header-actions">
+        <a href="{% url 'tracker:review_queue_export_segment_analytics_csv' %}?filter={{ active_filter }}&project={{ project_filter|urlencode }}&status={{ status_filter|urlencode }}&assignee={{ assignee_filter|urlencode }}&reviewer={{ reviewer_filter|urlencode }}&q={{ query_filter|urlencode }}" role="button" class="secondary">
+            {% trans 'Export segment analytics (CSV)' %}
+        </a>
+    </div>
 </header>
 
 <section class="card-grid">
@@ -34,6 +39,57 @@ <h3>{% trans 'Outstanding overall' %}</h3>
         <h3>{% trans 'Segments' %}</h3>
         <span class="pill">{{ active_filter }}</span>
     </div>
+    <form method="get" class="timeline-toolbar wrap-controls" style="margin-bottom: 1rem;">
+        <div>
+            <label for="filter-select">{% trans 'Queue filter' %}</label>
+            <select id="filter-select" name="filter">
+                <option value="assigned" {% if active_filter == 'assigned' %}selected{% endif %}>{% trans 'Assigned to me' %}</option>
+                <option value="review" {% if active_filter == 'review' %}selected{% endif %}>{% trans 'Waiting for my review' %}</option>
+                <option value="outstanding" {% if active_filter == 'outstanding' %}selected{% endif %}>{% trans 'Outstanding overall' %}</option>
+                <option value="all" {% if active_filter == 'all' %}selected{% endif %}>{% trans 'All segments' %}</option>
+            </select>
+        </div>
+        <div>
+            <label for="project-select">{% trans 'Project' %}</label>
+            <select id="project-select" name="project">
+                <option value="">{% trans 'All projects' %}</option>
+                {% for project in projects %}
+                    <option value="{{ project.id }}" {% if project_filter == project.id|stringformat:'s' %}selected{% endif %}>{{ project.name }}</option>
+                {% endfor %}
+            </select>
+        </div>
+        <div>
+            <label for="status-select">{% trans 'Status' %}</label>
+            <select id="status-select" name="status">
+                <option value="">{% trans 'All statuses' %}</option>
+                <option value="open" {% if status_filter == 'open' %}selected{% endif %}>{% trans 'Open only' %}</option>
+                <option value="todo" {% if status_filter == 'todo' %}selected{% endif %}>{% trans 'To do' %}</option>
+                <option value="in_progress" {% if status_filter == 'in_progress' %}selected{% endif %}>{% trans 'In progress' %}</option>
+                <option value="done" {% if status_filter == 'done' %}selected{% endif %}>{% trans 'Done' %}</option>
+            </select>
+        </div>
+        <div>
+            <label for="assignee-select">{% trans 'Assignee' %}</label>
+            <select id="assignee-select" name="assignee">
+                <option value="">{% trans 'Any' %}</option>
+                <option value="me" {% if assignee_filter == 'me' %}selected{% endif %}>{% trans 'Assigned to me' %}</option>
+                <option value="unassigned" {% if assignee_filter == 'unassigned' %}selected{% endif %}>{% trans 'Unassigned' %}</option>
+            </select>
+        </div>
+        <div>
+            <label for="reviewer-select">{% trans 'Reviewer' %}</label>
+            <select id="reviewer-select" name="reviewer">
+                <option value="">{% trans 'Any' %}</option>
+                <option value="me" {% if reviewer_filter == 'me' %}selected{% endif %}>{% trans 'Me' %}</option>
+                <option value="unassigned" {% if reviewer_filter == 'unassigned' %}selected{% endif %}>{% trans 'Unassigned' %}</option>
+            </select>
+        </div>
+        <div>
+            <label for="search-input">{% trans 'Search' %}</label>
+            <input id="search-input" type="text" name="q" value="{{ query_filter }}" placeholder="{% trans 'Project, session, segment' %}">
+        </div>
+        <div class="align-end"><button type="submit" class="secondary">{% trans 'Apply filters' %}</button></div>
+    </form>
     <div class="table-wrapper">
         <table>
             <thead><tr><th>{% trans 'Project' %}</th><th>{% trans 'Session' %}</th><th>{% trans 'Segment' %}</th><th>{% trans 'Range' %}</th><th>{% trans 'Status' %}</th><th>{% trans 'Assignee' %}</th><th>{% trans 'Reviewer' %}</th></tr></thead>
diff --git a/templates/tracker/session_player.html b/templates/tracker/session_player.html
@@ -235,12 +235,48 @@ <h3>{% trans 'Annotations' %}</h3>
                 <h3>{% trans 'Review segments' %}</h3>
                 {% if can_review_session %}<a href="{% url 'tracker:segment_create' session.pk %}" class="secondary" role="button">{% trans 'New segment' %}</a>{% endif %}
             </div>
+            {% if can_review_session %}
+            <form method="post" action="{% url 'tracker:segment_batch_assign' session.pk %}" class="integrity-box compact-box" style="margin-bottom: 1rem;">
+                {% csrf_token %}
+                <div class="timeline-toolbar wrap-controls">
+                    <div>
+                        <label for="batch-assignee">{% trans 'Assignee' %}</label>
+                        <select id="batch-assignee" name="assignee">
+                            <option value="">{% trans 'Unassigned' %}</option>
+                            {% for user in segment_form.fields.assignee.queryset %}
+                                <option value="{{ user.pk }}">{{ user.username }}</option>
+                            {% endfor %}
+                        </select>
+                        <label><input type="checkbox" name="set_assignee" value="1"> {% trans 'Apply assignee' %}</label>
+                    </div>
+                    <div>
+                        <label for="batch-reviewer">{% trans 'Reviewer' %}</label>
+                        <select id="batch-reviewer" name="reviewer">
+                            <option value="">{% trans 'Unassigned' %}</option>
+                            {% for user in segment_form.fields.reviewer.queryset %}
+                                <option value="{{ user.pk }}">{{ user.username }}</option>
+                            {% endfor %}
+                        </select>
+                        <label><input type="checkbox" name="set_reviewer" value="1"> {% trans 'Apply reviewer' %}</label>
+                    </div>
+                    <div>
+                        <label for="batch-status">{% trans 'Status' %}</label>
+                        <select id="batch-status" name="status">
+                            {% for value, label in segment_form.fields.status.choices %}
+                                <option value="{{ value }}">{{ label }}</option>
+                            {% endfor %}
+                        </select>
+                        <label><input type="checkbox" name="set_status" value="1"> {% trans 'Apply status' %}</label>
+                    </div>
+                    <div class="align-end"><button type="submit" class="secondary">{% trans 'Batch assign selected segments' %}</button></div>
+                </div>
             <div class="table-wrapper compact-table-wrapper">
                 <table>
-                    <thead><tr><th>{% trans 'Title' %}</th><th>{% trans 'Range' %}</th><th>{% trans 'Status' %}</th><th>{% trans 'Assignee' %}</th><th>{% trans 'Reviewer' %}</th><th>{% trans 'Actions' %}</th></tr></thead>
+                    <thead><tr>{% if can_review_session %}<th>{% trans 'Select' %}</th>{% endif %}<th>{% trans 'Title' %}</th><th>{% trans 'Range' %}</th><th>{% trans 'Status' %}</th><th>{% trans 'Assignee' %}</th><th>{% trans 'Reviewer' %}</th><th>{% trans 'Actions' %}</th></tr></thead>
                     <tbody>
                     {% for segment in segments %}
                         <tr>
+                            {% if can_review_session %}<td><input type="checkbox" name="segment_ids" value="{{ segment.pk }}"></td>{% endif %}
                             <td>{{ segment.title }}</td>
                             <td>{{ segment.start_seconds }}s → {{ segment.end_seconds }}s</td>
                             <td>{{ segment.get_status_display }}</td>
@@ -253,12 +289,34 @@ <h3>{% trans 'Review segments' %}</h3>
                                 {% else %}—{% endif %}
                             </td>
                         </tr>
+                    {% empty %}
+                        <tr><td colspan="{% if can_review_session %}7{% else %}6{% endif %}">{% trans 'No review segments defined yet.' %}</td></tr>
+                    {% endfor %}
+                    </tbody>
+                </table>
+            </div>
+            </form>
+            {% else %}
+            <div class="table-wrapper compact-table-wrapper">
+                <table>
+                    <thead><tr><th>{% trans 'Title' %}</th><th>{% trans 'Range' %}</th><th>{% trans 'Status' %}</th><th>{% trans 'Assignee' %}</th><th>{% trans 'Reviewer' %}</th><th>{% trans 'Actions' %}</th></tr></thead>
+                    <tbody>
+                    {% for segment in segments %}
+                        <tr>
+                            <td>{{ segment.title }}</td>
+                            <td>{{ segment.start_seconds }}s → {{ segment.end_seconds }}s</td>
+                            <td>{{ segment.get_status_display }}</td>
+                            <td>{{ segment.assignee.username|default:'—' }}</td>
+                            <td>{{ segment.reviewer.username|default:'—' }}</td>
+                            <td>—</td>
+                        </tr>
                     {% empty %}
                         <tr><td colspan="6">{% trans 'No review segments defined yet.' %}</td></tr>
                     {% endfor %}
                     </tbody>
                 </table>
             </div>
+            {% endif %}
         </article>
 
         <article>
diff --git a/tracker/tests/test_views.py b/tracker/tests/test_views.py
@@ -399,6 +399,70 @@ def test_review_queue_and_segment_crud(self):
         segment.refresh_from_db()
         self.assertEqual(segment.status, ObservationSegment.STATUS_DONE)
 
+    def test_segment_batch_assign_and_review_queue_filters_and_export(self):
+        session = self.project.sessions.create(title='Batch session', observer=self.user, session_kind='live')
+        first = ObservationSegment.objects.create(
+            session=session,
+            title='Intro segment',
+            start_seconds='0',
+            end_seconds='5',
+            status=ObservationSegment.STATUS_TODO,
+            assignee=self.user,
+            reviewer=self.reviewer,
+        )
+        second = ObservationSegment.objects.create(
+            session=session,
+            title='Core segment',
+            start_seconds='5',
+            end_seconds='15',
+            status=ObservationSegment.STATUS_IN_PROGRESS,
+            assignee=None,
+            reviewer=self.reviewer,
+        )
+
+        reviewer_client = Client()
+        reviewer_client.login(username='reviewer', password='pass12345')
+        batch_response = reviewer_client.post(
+            reverse('tracker:segment_batch_assign', args=[session.pk]),
+            data={
+                'segment_ids': [first.pk, second.pk],
+                'set_assignee': '1',
+                'assignee': self.reviewer.pk,
+                'set_status': '1',
+                'status': ObservationSegment.STATUS_DONE,
+            },
+        )
+        self.assertEqual(batch_response.status_code, 302)
+        first.refresh_from_db()
+        second.refresh_from_db()
+        self.assertEqual(first.assignee_id, self.reviewer.pk)
+        self.assertEqual(second.assignee_id, self.reviewer.pk)
+        self.assertEqual(first.status, ObservationSegment.STATUS_DONE)
+        self.assertEqual(second.status, ObservationSegment.STATUS_DONE)
+
+        queue_response = reviewer_client.get(
+            reverse('tracker:review_queue'),
+            {
+                'filter': 'all',
+                'status': 'done',
+                'assignee': 'me',
+                'q': 'Core',
+            },
+        )
+        self.assertEqual(queue_response.status_code, 200)
+        self.assertContains(queue_response, 'Core segment')
+        self.assertNotContains(queue_response, 'Intro segment')
+
+        export_response = reviewer_client.get(
+            reverse('tracker:review_queue_export_segment_analytics_csv'),
+            {'filter': 'all', 'status': 'done', 'assignee': 'me', 'q': 'Core'},
+        )
+        self.assertEqual(export_response.status_code, 200)
+        self.assertEqual(export_response['Content-Type'], 'text/csv; charset=utf-8')
+        csv_payload = export_response.content.decode('utf-8')
+        self.assertIn('Core segment', csv_payload)
+        self.assertNotIn('Intro segment', csv_payload)
+
     def test_session_export_json_contains_segments(self):
         session = self.project.sessions.create(title='Segment export', observer=self.user, session_kind='live')
         ObservationSegment.objects.create(
diff --git a/tracker/urls.py b/tracker/urls.py
diff --git a/tracker/views.py b/tracker/views.py
