arthexis 0.1.8__py3-none-any.whl → 0.1.10__py3-none-any.whl

core/views.py

@@ -1,23 +1,74 @@
 import json
 import shutil
-from datetime import date, timedelta
+from datetime import timedelta
 
 import requests
+from django.conf import settings
 from django.contrib.admin.views.decorators import staff_member_required
 from django.contrib.auth import authenticate, login
+from django.contrib import messages
+from django.contrib.sites.models import Site
 from django.http import Http404, JsonResponse
-from django.shortcuts import get_object_or_404, render, redirect
+from django.shortcuts import get_object_or_404, redirect, render, resolve_url
+from django.utils import timezone
+from django.utils.translation import gettext as _
+from django.urls import NoReverseMatch, reverse
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.http import require_GET, require_POST
+from django.utils.http import url_has_allowed_host_and_scheme
 from pathlib import Path
+from urllib.parse import urlsplit, urlunsplit
 import subprocess
 
+from utils import revision
 from utils.api import api_login_required
 
-from .models import Product, Subscription, EnergyAccount, PackageRelease
+from .models import Product, EnergyAccount, PackageRelease, Todo
 from .models import RFID
+
+
+@staff_member_required
+def odoo_products(request):
+    """Return available products from the user's Odoo instance."""
+
+    profile = getattr(request.user, "odoo_profile", None)
+    if not profile or not profile.is_verified:
+        raise Http404
+    try:
+        products = profile.execute(
+            "product.product",
+            "search_read",
+            [],
+            {"fields": ["name"], "limit": 50},
+        )
+    except Exception:
+        return JsonResponse({"detail": "Unable to fetch products"}, status=502)
+    items = [{"id": p.get("id"), "name": p.get("name", "")} for p in products]
+    return JsonResponse(items, safe=False)
+
+
+@require_GET
+def version_info(request):
+    """Return the running application version and Git revision."""
+
+    version = ""
+    version_path = Path(settings.BASE_DIR) / "VERSION"
+    if version_path.exists():
+        version = version_path.read_text(encoding="utf-8").strip()
+    return JsonResponse(
+        {
+            "version": version,
+            "revision": revision.get_revision(),
+        }
+    )
+
+
 from . import release as release_utils
 
 
+TODO_FIXTURE_DIR = Path(__file__).resolve().parent / "fixtures"
+
+
 def _append_log(path: Path, message: str) -> None:
     path.parent.mkdir(parents=True, exist_ok=True)
     with path.open("a", encoding="utf-8") as fh:
@@ -30,6 +81,53 @@ def _clean_repo() -> None:
     subprocess.run(["git", "clean", "-fd"], check=False)
 
 
+def _sync_release_with_revision(release: PackageRelease) -> tuple[bool, str]:
+    """Ensure ``release`` matches the repository revision and version.
+
+    Returns a tuple ``(updated, previous_version)`` where ``updated`` is
+    ``True`` when any field changed and ``previous_version`` is the version
+    before synchronization.
+    """
+
+    from packaging.version import InvalidVersion, Version
+
+    previous_version = release.version
+    updated_fields: set[str] = set()
+
+    repo_version: Version | None = None
+    version_path = Path("VERSION")
+    if version_path.exists():
+        try:
+            repo_version = Version(version_path.read_text(encoding="utf-8").strip())
+        except InvalidVersion:
+            repo_version = None
+
+    try:
+        release_version = Version(release.version)
+    except InvalidVersion:
+        release_version = None
+
+    if repo_version is not None:
+        bumped_repo_version = Version(
+            f"{repo_version.major}.{repo_version.minor}.{repo_version.micro + 1}"
+        )
+        if release_version is None or release_version < bumped_repo_version:
+            release.version = str(bumped_repo_version)
+            release_version = bumped_repo_version
+            updated_fields.add("version")
+
+    current_revision = revision.get_revision()
+    if current_revision and current_revision != release.revision:
+        release.revision = current_revision
+        updated_fields.add("revision")
+
+    if updated_fields:
+        release.save(update_fields=list(updated_fields))
+        PackageRelease.dump_fixture()
+
+    return bool(updated_fields), previous_version
+
+
 def _changelog_notes(version: str) -> str:
     path = Path("CHANGELOG.rst")
     if not path.exists():
@@ -47,7 +145,80 @@ def _changelog_notes(version: str) -> str:
     return ""
 
 
-def _step_check_pypi(release, ctx, log_path: Path) -> None:
+class PendingTodos(Exception):
+    """Raised when TODO items require acknowledgment before proceeding."""
+
+
+class ApprovalRequired(Exception):
+    """Raised when release manager approval is required before continuing."""
+
+
+def _format_condition_failure(todo: Todo, result) -> str:
+    """Return a localized error message for a failed TODO condition."""
+
+    if result.error and result.resolved:
+        detail = _("%(condition)s (error: %(error)s)") % {
+            "condition": result.resolved,
+            "error": result.error,
+        }
+    elif result.error:
+        detail = _("Error: %(error)s") % {"error": result.error}
+    elif result.resolved:
+        detail = result.resolved
+    else:
+        detail = _("Condition evaluated to False")
+    return _("Condition failed for %(todo)s: %(detail)s") % {
+        "todo": todo.request,
+        "detail": detail,
+    }
+
+
+def _get_return_url(request) -> str:
+    """Return a safe URL to redirect back to after completing a TODO."""
+
+    candidates = [request.GET.get("next"), request.POST.get("next")]
+    referer = request.META.get("HTTP_REFERER")
+    if referer:
+        candidates.append(referer)
+
+    for candidate in candidates:
+        if not candidate:
+            continue
+        if url_has_allowed_host_and_scheme(
+            candidate,
+            allowed_hosts={request.get_host()},
+            require_https=request.is_secure(),
+        ):
+            return candidate
+    return resolve_url("admin:index")
+
+
+def _step_check_todos(release, ctx, log_path: Path) -> None:
+    pending_qs = Todo.objects.filter(is_deleted=False, done_on__isnull=True)
+    if pending_qs.exists():
+        ctx["todos"] = list(
+            pending_qs.values("id", "request", "url", "request_details")
+        )
+        if not ctx.get("todos_ack"):
+            raise PendingTodos()
+    todos = list(Todo.objects.filter(is_deleted=False))
+    for todo in todos:
+        todo.delete()
+    removed = []
+    for path in TODO_FIXTURE_DIR.glob("todos__*.json"):
+        removed.append(str(path))
+        path.unlink()
+    if removed:
+        subprocess.run(["git", "add", *removed], check=False)
+        subprocess.run(
+            ["git", "commit", "-m", "chore: remove TODO fixtures"],
+            check=False,
+        )
+    ctx.pop("todos", None)
+    ctx.pop("todos_ack", None)
+
+
+def _step_check_version(release, ctx, log_path: Path) -> None:
     from . import release as release_utils
     from packaging.version import Version
 
@@ -107,13 +278,9 @@ def _step_check_pypi(release, ctx, log_path: Path) -> None:
     _append_log(log_path, f"Checking if version {release.version} exists on PyPI")
     if release_utils.network_available():
         try:
-            resp = requests.get(
-                f"https://pypi.org/pypi/{release.package.name}/json"
-            )
+            resp = requests.get(f"https://pypi.org/pypi/{release.package.name}/json")
             if resp.ok and release.version in resp.json().get("releases", {}):
-                raise Exception(
-                    f"Version {release.version} already on PyPI"
-                )
+                raise Exception(f"Version {release.version} already on PyPI")
         except Exception as exc:
             # network errors should be logged but not crash
             if "already on PyPI" in str(exc):
@@ -123,8 +290,40 @@ def _step_check_pypi(release, ctx, log_path: Path) -> None:
         _append_log(log_path, "Network unavailable, skipping PyPI check")
 
 
+def _step_handle_migrations(release, ctx, log_path: Path) -> None:
+    _append_log(log_path, "Freeze, squash and approve migrations")
+
+
+def _step_changelog_docs(release, ctx, log_path: Path) -> None:
+    _append_log(log_path, "Compose CHANGELOG and documentation")
+
+
+def _step_pre_release_actions(release, ctx, log_path: Path) -> None:
+    _append_log(log_path, "Execute pre-release actions")
+    version_path = Path("VERSION")
+    version_path.write_text(f"{release.version}\n", encoding="utf-8")
+    subprocess.run(["git", "add", "VERSION"], check=True)
+    diff = subprocess.run(
+        ["git", "diff", "--cached", "--quiet", "--", "VERSION"],
+        check=False,
+    )
+    if diff.returncode != 0:
+        subprocess.run(
+            ["git", "commit", "-m", f"pre-release commit {release.version}"],
+            check=True,
+        )
+    else:
+        _append_log(log_path, "No changes detected for VERSION; skipping commit")
+        subprocess.run(["git", "reset", "HEAD", "VERSION"], check=False)
+
+
+def _step_run_tests(release, ctx, log_path: Path) -> None:
+    _append_log(log_path, "Complete test suite with --all flag")
+
+
 def _step_promote_build(release, ctx, log_path: Path) -> None:
     from . import release as release_utils
+
     _append_log(log_path, "Generating build files")
     try:
         try:
@@ -138,22 +337,16 @@ def _step_promote_build(release, ctx, log_path: Path) -> None:
             version=release.version,
             creds=release.to_credentials(),
         )
+        from glob import glob
+
+        paths = ["VERSION", *glob("core/fixtures/releases__*.json")]
         diff = subprocess.run(
-            [
-                "git",
-                "status",
-                "--porcelain",
-                "VERSION",
-                "core/fixtures/releases.json",
-            ],
+            ["git", "status", "--porcelain", *paths],
             capture_output=True,
             text=True,
         )
         if diff.stdout.strip():
-            subprocess.run(
-                ["git", "add", "VERSION", "core/fixtures/releases.json"],
-                check=True,
-            )
+            subprocess.run(["git", "add", *paths], check=True)
             subprocess.run(
                 [
                     "git",
@@ -175,6 +368,41 @@ def _step_promote_build(release, ctx, log_path: Path) -> None:
     _append_log(new_log, "Build complete")
 
 
+def _step_release_manager_approval(release, ctx, log_path: Path) -> None:
+    if release.to_credentials() is None:
+        ctx.pop("release_approval", None)
+        if not ctx.get("approval_credentials_missing"):
+            _append_log(log_path, "Release manager publishing credentials missing")
+        ctx["approval_credentials_missing"] = True
+        ctx["awaiting_approval"] = True
+        raise ApprovalRequired()
+
+    missing_before = ctx.pop("approval_credentials_missing", None)
+    if missing_before:
+        ctx.pop("awaiting_approval", None)
+    decision = ctx.get("release_approval")
+    if decision == "approved":
+        ctx.pop("release_approval", None)
+        ctx.pop("awaiting_approval", None)
+        ctx.pop("approval_credentials_missing", None)
+        _append_log(log_path, "Release manager approved release")
+        return
+    if decision == "rejected":
+        ctx.pop("release_approval", None)
+        ctx.pop("awaiting_approval", None)
+        ctx.pop("approval_credentials_missing", None)
+        _append_log(log_path, "Release manager rejected release")
+        raise RuntimeError(
+            _("Release manager rejected the release. Restart required."),
+        )
+    if not ctx.get("awaiting_approval"):
+        ctx["awaiting_approval"] = True
+        _append_log(log_path, "Awaiting release manager approval")
+    else:
+        ctx["awaiting_approval"] = True
+    raise ApprovalRequired()
+
+
 def _step_publish(release, ctx, log_path: Path) -> None:
     from . import release as release_utils
 
@@ -184,16 +412,27 @@ def _step_publish(release, ctx, log_path: Path) -> None:
         version=release.version,
         creds=release.to_credentials(),
     )
-    release.pypi_url = f"https://pypi.org/project/{release.package.name}/{release.version}/"
+    release.pypi_url = (
+        f"https://pypi.org/project/{release.package.name}/{release.version}/"
+    )
     release.save(update_fields=["pypi_url"])
     PackageRelease.dump_fixture()
     _append_log(log_path, "Upload complete")
 
 
+FIXTURE_REVIEW_STEP_NAME = "Freeze, squash and approve migrations"
+
+
 PUBLISH_STEPS = [
-    ("Check version availability", _step_check_pypi),
-    ("Generate build", _step_promote_build),
-    ("Publish", _step_publish),
+    ("Check version number availability", _step_check_version),
+    ("Confirm release TODO completion", _step_check_todos),
+    (FIXTURE_REVIEW_STEP_NAME, _step_handle_migrations),
+    ("Compose CHANGELOG and documentation", _step_changelog_docs),
+    ("Execute pre-release actions", _step_pre_release_actions),
+    ("Build release artifacts", _step_promote_build),
+    ("Complete test suite with --all flag", _step_run_tests),
+    ("Get Release Manager Approval", _step_release_manager_approval),
+    ("Upload final build to PyPI", _step_publish),
 ]
 
 
@@ -233,8 +472,8 @@ def product_list(request):
 
 @csrf_exempt
 @api_login_required
-def add_subscription(request):
-    """Create a subscription for an energy account from POSTed JSON."""
+def add_live_subscription(request):
+    """Create a live subscription for an energy account from POSTed JSON."""
 
     if request.method != "POST":
         return JsonResponse({"detail": "POST required"}, status=400)
@@ -257,32 +496,55 @@ def add_subscription(request):
     except Product.DoesNotExist:
         return JsonResponse({"detail": "invalid product"}, status=404)
 
-    sub = Subscription.objects.create(
-        account_id=account_id,
-        product=product,
-        next_renewal=date.today() + timedelta(days=product.renewal_period),
+    try:
+        account = EnergyAccount.objects.get(id=account_id)
+    except EnergyAccount.DoesNotExist:
+        return JsonResponse({"detail": "invalid account"}, status=404)
+
+    start_date = timezone.now().date()
+    account.live_subscription_product = product
+    account.live_subscription_start_date = start_date
+    account.live_subscription_next_renewal = start_date + timedelta(
+        days=product.renewal_period
     )
-    return JsonResponse({"id": sub.id})
+    account.save()
+
+    return JsonResponse({"id": account.id})
 
 
 @api_login_required
-def subscription_list(request):
-    """Return subscriptions for the given account_id."""
+def live_subscription_list(request):
+    """Return live subscriptions for the given account_id."""
 
     account_id = request.GET.get("account_id")
     if not account_id:
         return JsonResponse({"detail": "account_id required"}, status=400)
 
-    subs = list(
-        Subscription.objects.filter(account_id=account_id)
-        .select_related("product")
-        .values(
-            "id",
-            "product__name",
-            "next_renewal",
+    try:
+        account = EnergyAccount.objects.select_related("live_subscription_product").get(
+            id=account_id
         )
-    )
-    return JsonResponse({"subscriptions": subs})
+    except EnergyAccount.DoesNotExist:
+        return JsonResponse({"detail": "invalid account"}, status=404)
+
+    subs = []
+    product = account.live_subscription_product
+    if product:
+        next_renewal = account.live_subscription_next_renewal
+        if not next_renewal and account.live_subscription_start_date:
+            next_renewal = account.live_subscription_start_date + timedelta(
+                days=product.renewal_period
+            )
+
+        subs.append(
+            {
+                "id": account.id,
+                "product__name": product.name,
+                "next_renewal": next_renewal,
+            }
+        )
+
+    return JsonResponse({"live_subscriptions": subs})
 
 
 @csrf_exempt
@@ -303,6 +565,7 @@ def rfid_batch(request):
         tags = [
             {
                 "rfid": t.rfid,
+                "custom_label": t.custom_label,
                 "energy_accounts": list(t.energy_accounts.values_list("id", flat=True)),
                 "allowed": t.allowed,
                 "color": t.color,
@@ -329,12 +592,11 @@ def rfid_batch(request):
                 continue
             allowed = row.get("allowed", True)
             energy_accounts = row.get("energy_accounts") or []
-            color = (
-                (row.get("color") or RFID.BLACK).strip().upper() or RFID.BLACK
-            )
+            color = (row.get("color") or RFID.BLACK).strip().upper() or RFID.BLACK
             released = row.get("released", False)
             if isinstance(released, str):
                 released = released.lower() == "true"
+            custom_label = (row.get("custom_label") or "").strip()
 
             tag, _ = RFID.objects.update_or_create(
                 rfid=rfid.upper(),
@@ -342,10 +604,13 @@ def rfid_batch(request):
                     "allowed": allowed,
                     "color": color,
                     "released": released,
+                    "custom_label": custom_label,
                 },
             )
             if energy_accounts:
-                tag.energy_accounts.set(EnergyAccount.objects.filter(id__in=energy_accounts))
+                tag.energy_accounts.set(
+                    EnergyAccount.objects.filter(id__in=energy_accounts)
+                )
             else:
                 tag.energy_accounts.clear()
             count += 1
@@ -364,6 +629,22 @@ def release_progress(request, pk: int, action: str):
     lock_path = Path("locks") / f"release_publish_{pk}.json"
     restart_path = Path("locks") / f"release_publish_{pk}.restarts"
 
+    if not release.is_current:
+        if release.is_published:
+            raise Http404("Release is not current")
+        updated, previous_version = _sync_release_with_revision(release)
+        if updated:
+            request.session.pop(session_key, None)
+            if lock_path.exists():
+                lock_path.unlink()
+            if restart_path.exists():
+                restart_path.unlink()
+            log_dir = Path("logs")
+            for log_file in log_dir.glob(
+                f"{release.package.name}-{previous_version}*.log"
+            ):
+                log_file.unlink()
+
     if request.GET.get("restart"):
         count = 0
         if restart_path.exists():
@@ -393,6 +674,28 @@ def release_progress(request, pk: int, action: str):
         ctx = {"step": 0}
         if restart_path.exists():
             restart_path.unlink()
+
+    manager = release.release_manager or release.package.release_manager
+    credentials_ready = bool(release.to_credentials())
+    if credentials_ready and ctx.get("approval_credentials_missing"):
+        ctx.pop("approval_credentials_missing", None)
+
+    ack_todos_requested = bool(request.GET.get("ack_todos"))
+
+    if request.GET.get("start"):
+        ctx["started"] = True
+        ctx["paused"] = False
+    if (
+        ctx.get("awaiting_approval")
+        and not ctx.get("approval_credentials_missing")
+        and credentials_ready
+    ):
+        if request.GET.get("approve"):
+            ctx["release_approval"] = "approved"
+        if request.GET.get("reject"):
+            ctx["release_approval"] = "rejected"
+    if request.GET.get("pause") and ctx.get("started"):
+        ctx["paused"] = True
     restart_count = 0
     if restart_path.exists():
         try:
@@ -402,47 +705,213 @@ def release_progress(request, pk: int, action: str):
     step_count = ctx.get("step", 0)
     step_param = request.GET.get("step")
 
+    pending_qs = Todo.objects.filter(is_deleted=False, done_on__isnull=True)
+    pending_items = list(pending_qs)
+    if ack_todos_requested:
+        if pending_items:
+            failures = []
+            for todo in pending_items:
+                result = todo.check_on_done_condition()
+                if not result.passed:
+                    failures.append((todo, result))
+            if failures:
+                ctx.pop("todos_ack", None)
+                for todo, result in failures:
+                    messages.error(request, _format_condition_failure(todo, result))
+            else:
+                ctx["todos_ack"] = True
+        else:
+            ctx["todos_ack"] = True
+
+    if pending_items and not ctx.get("todos_ack"):
+        ctx["todos"] = [
+            {
+                "id": todo.pk,
+                "request": todo.request,
+                "url": todo.url,
+                "request_details": todo.request_details,
+            }
+            for todo in pending_items
+        ]
+    else:
+        ctx.pop("todos", None)
+
     identifier = f"{release.package.name}-{release.version}"
     log_name = f"{identifier}.log"
     if ctx.get("log") != log_name:
-        ctx = {"step": 0, "log": log_name}
+        ctx = {
+            "step": 0,
+            "log": log_name,
+            "started": ctx.get("started", False),
+        }
         step_count = 0
     log_path = Path("logs") / log_name
     ctx.setdefault("log", log_name)
+    ctx.setdefault("paused", False)
 
-    if step_count == 0 and (step_param is None or step_param == "0"):
+    if (
+        ctx.get("started")
+        and step_count == 0
+        and (step_param is None or step_param == "0")
+    ):
         if log_path.exists():
             log_path.unlink()
 
     steps = PUBLISH_STEPS
+    fixtures_step_index = next(
+        (
+            index
+            for index, (name, _) in enumerate(steps)
+            if name == FIXTURE_REVIEW_STEP_NAME
+        ),
+        None,
+    )
     error = ctx.get("error")
 
-    if step_param is not None and not error and step_count < len(steps):
+    if (
+        ctx.get("started")
+        and not ctx.get("paused")
+        and step_param is not None
+        and not error
+        and step_count < len(steps)
+    ):
         to_run = int(step_param)
         if to_run == step_count:
             name, func = steps[to_run]
             try:
                 func(release, ctx, log_path)
-                step_count += 1
-                ctx["step"] = step_count
-                request.session[session_key] = ctx
-                lock_path.parent.mkdir(parents=True, exist_ok=True)
-                lock_path.write_text(json.dumps(ctx), encoding="utf-8")
+            except PendingTodos:
+                pass
+            except ApprovalRequired:
+                pass
             except Exception as exc:  # pragma: no cover - best effort logging
                 _append_log(log_path, f"{name} failed: {exc}")
                 ctx["error"] = str(exc)
                 request.session[session_key] = ctx
                 lock_path.parent.mkdir(parents=True, exist_ok=True)
                 lock_path.write_text(json.dumps(ctx), encoding="utf-8")
+            else:
+                step_count += 1
+                ctx["step"] = step_count
+                request.session[session_key] = ctx
+                lock_path.parent.mkdir(parents=True, exist_ok=True)
+                lock_path.write_text(json.dumps(ctx), encoding="utf-8")
 
     done = step_count >= len(steps) and not ctx.get("error")
 
-    log_content = log_path.read_text(encoding="utf-8") if log_path.exists() else ""
-    next_step = step_count if not done and not ctx.get("error") else None
+    show_log = ctx.get("started") or step_count > 0 or done or ctx.get("error")
+    if show_log and log_path.exists():
+        log_content = log_path.read_text(encoding="utf-8")
+    else:
+        log_content = ""
+    next_step = (
+        step_count
+        if ctx.get("started")
+        and not ctx.get("paused")
+        and not done
+        and not ctx.get("error")
+        else None
+    )
+    has_pending_todos = bool(ctx.get("todos") and not ctx.get("todos_ack"))
+    if has_pending_todos:
+        next_step = None
+    awaiting_approval = bool(ctx.get("awaiting_approval"))
+    approval_credentials_missing = bool(ctx.get("approval_credentials_missing"))
+    if awaiting_approval:
+        next_step = None
+    if approval_credentials_missing:
+        next_step = None
+    paused = ctx.get("paused", False)
+
+    step_names = [s[0] for s in steps]
+    approval_credentials_ready = credentials_ready
+    credentials_blocking = approval_credentials_missing or (
+        awaiting_approval and not approval_credentials_ready
+    )
+    step_states = []
+    for index, name in enumerate(step_names):
+        if index < step_count:
+            status = "complete"
+            icon = "✅"
+            label = _("Completed")
+        elif error and index == step_count:
+            status = "error"
+            icon = "❌"
+            label = _("Failed")
+        elif paused and ctx.get("started") and index == step_count and not done:
+            status = "paused"
+            icon = "⏸️"
+            label = _("Paused")
+        elif (
+            has_pending_todos
+            and ctx.get("started")
+            and index == step_count
+            and not done
+        ):
+            status = "blocked"
+            icon = "📝"
+            label = _("Awaiting checklist")
+        elif (
+            credentials_blocking
+            and ctx.get("started")
+            and index == step_count
+            and not done
+        ):
+            status = "missing-credentials"
+            icon = "🔐"
+            label = _("Credentials required")
+        elif (
+            awaiting_approval
+            and approval_credentials_ready
+            and ctx.get("started")
+            and index == step_count
+            and not done
+        ):
+            status = "awaiting-approval"
+            icon = "🤝"
+            label = _("Awaiting approval")
+        elif ctx.get("started") and index == step_count and not done:
+            status = "active"
+            icon = "⏳"
+            label = _("In progress")
+        else:
+            status = "pending"
+            icon = "⬜"
+            label = _("Pending")
+        step_states.append(
+            {
+                "index": index + 1,
+                "name": name,
+                "status": status,
+                "icon": icon,
+                "label": label,
+            }
+        )
+
+    is_running = ctx.get("started") and not paused and not done and not ctx.get("error")
+    can_resume = ctx.get("started") and paused and not done and not ctx.get("error")
+    release_manager_owner = manager.owner_display() if manager else ""
+    try:
+        current_user_admin_url = reverse(
+            "admin:teams_user_change", args=[request.user.pk]
+        )
+    except NoReverseMatch:
+        current_user_admin_url = reverse(
+            "admin:core_user_change", args=[request.user.pk]
+        )
+
+    fixtures_summary = ctx.get("fixtures")
+    if (
+        fixtures_summary
+        and fixtures_step_index is not None
+        and step_count > fixtures_step_index
+    ):
+        fixtures_summary = None
+
     context = {
         "release": release,
         "action": "publish",
-        "steps": [s[0] for s in steps],
+        "steps": step_names,
         "current_step": step_count,
         "next_step": next_step,
         "done": done,
@@ -450,8 +919,22 @@ def release_progress(request, pk: int, action: str):
         "log_content": log_content,
         "log_path": str(log_path),
         "cert_log": ctx.get("cert_log"),
-        "fixtures": ctx.get("fixtures"),
+        "fixtures": fixtures_summary,
+        "todos": ctx.get("todos"),
         "restart_count": restart_count,
+        "started": ctx.get("started", False),
+        "paused": paused,
+        "show_log": show_log,
+        "step_states": step_states,
+        "has_pending_todos": has_pending_todos,
+        "awaiting_approval": awaiting_approval,
+        "approval_credentials_missing": approval_credentials_missing,
+        "approval_credentials_ready": approval_credentials_ready,
+        "release_manager_owner": release_manager_owner,
+        "has_release_manager": bool(manager),
+        "current_user_admin_url": current_user_admin_url,
+        "is_running": is_running,
+        "can_resume": can_resume,
     }
     request.session[session_key] = ctx
     if done or ctx.get("error"):
@@ -461,3 +944,88 @@ def release_progress(request, pk: int, action: str):
         lock_path.parent.mkdir(parents=True, exist_ok=True)
         lock_path.write_text(json.dumps(ctx), encoding="utf-8")
     return render(request, "core/release_progress.html", context)
+
+
+def _todo_iframe_url(request, todo: Todo) -> str:
+    """Return a safe iframe URL for ``todo`` scoped to the current host."""
+
+    fallback = reverse("admin:core_todo_change", args=[todo.pk])
+    raw_url = (todo.url or "").strip()
+    if not raw_url:
+        return fallback
+
+    parsed = urlsplit(raw_url)
+    if not parsed.scheme and not parsed.netloc:
+        return raw_url
+
+    if parsed.scheme and parsed.scheme.lower() not in {"http", "https"}:
+        return fallback
+
+    request_host = request.get_host().strip().lower()
+    host_without_port = request_host.split(":", 1)[0]
+    allowed_hosts = {
+        request_host,
+        host_without_port,
+        "localhost",
+        "127.0.0.1",
+        "0.0.0.0",
+        "::1",
+    }
+
+    site_domain = ""
+    try:
+        site_domain = Site.objects.get_current().domain.strip().lower()
+    except Site.DoesNotExist:
+        site_domain = ""
+    if site_domain:
+        allowed_hosts.add(site_domain)
+        allowed_hosts.add(site_domain.split(":", 1)[0])
+
+    for host in getattr(settings, "ALLOWED_HOSTS", []):
+        if not isinstance(host, str):
+            continue
+        normalized = host.strip().lower()
+        if not normalized or normalized.startswith("*"):
+            continue
+        allowed_hosts.add(normalized)
+        allowed_hosts.add(normalized.split(":", 1)[0])
+
+    hostname = (parsed.hostname or "").strip().lower()
+    netloc = parsed.netloc.strip().lower()
+    if hostname in allowed_hosts or netloc in allowed_hosts:
+        path = parsed.path or "/"
+        if not path.startswith("/"):
+            path = f"/{path}"
+        return urlunsplit(("", "", path, parsed.query, parsed.fragment)) or fallback
+
+    return fallback
+
+
+@staff_member_required
+def todo_focus(request, pk: int):
+    todo = get_object_or_404(Todo, pk=pk, is_deleted=False)
+    if todo.done_on:
+        return redirect(_get_return_url(request))
+
+    iframe_url = _todo_iframe_url(request, todo)
+    context = {
+        "todo": todo,
+        "iframe_url": iframe_url,
+        "next_url": _get_return_url(request),
+        "done_url": reverse("todo-done", args=[todo.pk]),
+    }
+    return render(request, "core/todo_focus.html", context)
+
+
+@staff_member_required
+@require_POST
+def todo_done(request, pk: int):
+    todo = get_object_or_404(Todo, pk=pk, is_deleted=False, done_on__isnull=True)
+    redirect_to = _get_return_url(request)
+    result = todo.check_on_done_condition()
+    if not result.passed:
+        messages.error(request, _format_condition_failure(todo, result))
+        return redirect(redirect_to)
+    todo.done_on = timezone.now()
+    todo.save(update_fields=["done_on"])
+    return redirect(redirect_to)