arthexis 0.1.9__py3-none-any.whl → 0.1.11__py3-none-any.whl

{arthexis-0.1.9.dist-info → arthexis-0.1.11.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: arthexis
-Version: 0.1.9
+Version: 0.1.11
 Summary: Django-based MESH system
 Author-email: "Rafael J. Guillén-Osorio" <tecnologia@gelectriic.com>
 License-Expression: GPL-3.0-only
@@ -43,6 +43,7 @@ Requires-Dist: django-celery-beat==2.8.1
 Requires-Dist: django-debug-toolbar==6.0.0
 Requires-Dist: django-import-export==4.3.9
 Requires-Dist: django-object-actions==5.0.0
+Requires-Dist: django-otp==1.5.4
 Requires-Dist: django-timezone-field==7.1
 Requires-Dist: dnspython==2.7.0
 Requires-Dist: docutils==0.22
@@ -57,12 +58,14 @@ Requires-Dist: incremental==24.7.2
 Requires-Dist: kombu==5.5.4
 Requires-Dist: libipld==3.1.1
 Requires-Dist: Markdown==3.8.2
+Requires-Dist: mdx_truly_sane_lists==1.3
 Requires-Dist: mcp==1.14.0
 Requires-Dist: mfrc522==0.0.7; sys_platform == "linux"
 Requires-Dist: outcome==1.3.0.post0
 Requires-Dist: packaging==25.0
 Requires-Dist: pillow==11.3.0
 Requires-Dist: prompt_toolkit==3.0.51
+Requires-Dist: psutil==5.9.8
 Requires-Dist: psycopg==3.2.9
 Requires-Dist: psycopg-binary==3.2.9
 Requires-Dist: pyasn1==0.6.1
@@ -112,50 +115,100 @@ Dynamic: license-file
 
 # Arthexis Constellation
 
+[![Coverage](https://raw.githubusercontent.com/arthexis/arthexis/main/coverage.svg)](https://github.com/arthexis/arthexis/actions/workflows/coverage.yml) [![OCPP 1.6 Coverage](https://raw.githubusercontent.com/arthexis/arthexis/main/ocpp_coverage.svg)](https://raw.githubusercontent.com/arthexis/arthexis/main/ocpp_coverage.svg)
+
 ## Purpose
 
 Arthexis Constellation is a [narrative-driven](https://en.wikipedia.org/wiki/Narrative) [Django](https://www.djangoproject.com/)-based [software suite](https://en.wikipedia.org/wiki/Software_suite) that centralizes tools for managing [electric vehicle charging infrastructure](https://en.wikipedia.org/wiki/Charging_station) and orchestrating [energy](https://en.wikipedia.org/wiki/Energy)-related [products](https://en.wikipedia.org/wiki/Product_(business)) and [services](https://en.wikipedia.org/wiki/Service_(economics)).
 
-## Features
-
-- Compatible with the [Open Charge Point Protocol (OCPP) 1.6](https://www.openchargealliance.org/protocols/ocpp-16/)
-- [API](https://en.wikipedia.org/wiki/API) integration with [Odoo](https://www.odoo.com/) 1.6
+## Current Features
+
+- Compatible with the [Open Charge Point Protocol (OCPP) 1.6](https://www.openchargealliance.org/protocols/ocpp-16/) central system, handling:
+  - Lifecycle & sessions
+    - `BootNotification`
+    - `Heartbeat`
+    - `StatusNotification`
+    - `StartTransaction`
+    - `StopTransaction`
+  - Access & metering
+    - `Authorize`
+    - `MeterValues`
+  - Maintenance & firmware
+    - `DiagnosticsStatusNotification`
+    - `FirmwareStatusNotification`
+- [API](https://en.wikipedia.org/wiki/API) integration with [Odoo](https://www.odoo.com/), syncing:
+  - Employee credentials via `res.users`
+  - Product catalog lookups via `product.product`
 - Runs on [Windows 11](https://www.microsoft.com/windows/windows-11) and [Ubuntu 22.04 LTS](https://releases.ubuntu.com/22.04/)
 - Tested for the [Raspberry Pi 4 Model B](https://www.raspberrypi.com/products/raspberry-pi-4-model-b/)
 
-Project under active development.
+Project under rapid active and open development.
 
-## Four Role Architecture
+## Role Architecture
 
 Arthexis Constellation ships in four node roles tailored to different deployment scenarios.
 
-| Role | Description & Common Features |
-| --- | --- |
-| Terminal | Single-User Research & Development<br>Features: GUI Toast |
-| Control | Single-Device Testing & Special Task Appliances<br>Features: AP Public Wi-Fi, Celery Queue, GUI Toast, LCD Screen, NGINX Server, RFID Scanner |
-| Satellite | Multi-Device Edge, Network & Data Acquisition<br>Features: AP Router, Celery Queue, NGINX Server, RFID Scanner |
-| Constellation | Multi-User Cloud & Orchestration<br>Features: Celery Queue, NGINX Server |
+<table border="1" cellpadding="8" cellspacing="0">
+  <thead>
+    <tr>
+      <th align="left">Role</th>
+      <th align="left">Description &amp; Common Features</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td valign="top"><strong>Terminal</strong></td>
+      <td valign="top"><strong>Single-User Research &amp; Development</strong><br />Features: GUI Toast</td>
+    </tr>
+    <tr>
+      <td valign="top"><strong>Control</strong></td>
+      <td valign="top"><strong>Single-Device Testing &amp; Special Task Appliances</strong><br />Features: AP Public Wi-Fi, Celery Queue, GUI Toast, LCD Screen, NGINX Server, RFID Scanner</td>
+    </tr>
+    <tr>
+      <td valign="top"><strong>Satellite</strong></td>
+      <td valign="top"><strong>Multi-Device Edge, Network &amp; Data Acquisition</strong><br />Features: AP Router, Celery Queue, NGINX Server, RFID Scanner</td>
+    </tr>
+    <tr>
+      <td valign="top"><strong>Constellation</strong></td>
+      <td valign="top"><strong>Multi-User Cloud &amp; Orchestration</strong><br />Features: Celery Queue, NGINX Server</td>
+    </tr>
+  </tbody>
+</table>
 
 ## Quick Guide
 
 ### 1. Clone
-- **[Linux](https://en.wikipedia.org/wiki/Linux)**: open a [terminal](https://en.wikipedia.org/wiki/Command-line_interface) and run  
-  `git clone https://github.com/arthexis/arthexis.git`
+- **[Linux](https://en.wikipedia.org/wiki/Linux)**: open a [terminal](https://en.wikipedia.org/wiki/Command-line_interface) and run `git clone https://github.com/arthexis/arthexis.git`.
 - **[Windows](https://en.wikipedia.org/wiki/Microsoft_Windows)**: open [PowerShell](https://learn.microsoft.com/powershell/) or [Git Bash](https://gitforwindows.org/) and run the same command.
 
 ### 2. Start and stop
-- **[VS Code](https://code.visualstudio.com/)**: open the folder, go to the
-  **Run and Debug** panel (`Ctrl+Shift+D`), select the **Run Server** (or
-  **Debug Server**) configuration, and press the green start button. Stop the
-  server with the red square button (`Shift+F5`).
-- **[Shell](https://en.wikipedia.org/wiki/Shell_(computing))**: on Linux run [`./start.sh`](start.sh) and stop with [`./stop.sh`](stop.sh); on Windows run [`start.bat`](start.bat) and stop with `Ctrl+C`.
+Terminal nodes can start directly with the scripts below without installing; Control, Satellite, and Constellation roles require installation first. Both approaches listen on [`http://localhost:8000/`](http://localhost:8000/) by default.
+
+- **[VS Code](https://code.visualstudio.com/)**
+   - Open the folder and go to the **Run and Debug** panel (`Ctrl+Shift+D`).
+   - Select the **Run Server** (or **Debug Server**) configuration.
+   - Press the green start button. Stop the server with the red square button (`Shift+F5`).
+
+- **[Shell](https://en.wikipedia.org/wiki/Shell_(computing))**
+   - Linux: run [`./start.sh`](start.sh) and stop with [`./stop.sh`](stop.sh).
+   - Windows: run [`start.bat`](start.bat) and stop with `Ctrl+C`.
 
 ### 3. Install and upgrade
-- **Linux**: use [`./install.sh`](install.sh) with options like `--service NAME`, `--public` or `--internal`, `--port PORT`, `--upgrade`, `--auto-upgrade`, `--latest`, `--celery`, `--lcd-screen`, `--no-lcd-screen`, `--clean`, `--datasette`. Upgrade with [`./upgrade.sh`](upgrade.sh) using flags such as `--latest`, `--clean`, or `--no-restart`.
-- **Windows**: run [`install.bat`](install.bat) to install and [`upgrade.bat`](upgrade.bat) to upgrade.
+- **Linux:**
+   - Run [`./install.sh`](install.sh) with a node role flag:
+     - `--terminal` – default when unspecified and recommended if you're unsure. Terminal nodes can also use the start/stop scripts above without installing.
+     - `--control` – prepares the single-device testing appliance.
+     - `--satellite` – configures the edge data acquisition node.
+     - `--constellation` – enables the multi-user orchestration stack.
+   - Use `./install.sh --help` to list every available flag if you need to customize the node beyond the role defaults.
+   - Upgrade with [`./upgrade.sh`](upgrade.sh).
+
+- **Windows:**
+   - Run [`install.bat`](install.bat) to install (Terminal role) and [`upgrade.bat`](upgrade.bat) to upgrade.
+   - Installation is not required to start in Terminal mode (the default).
 
 ### 4. Administration
-Visit [`http://localhost:8888/admin/`](http://localhost:8888/admin/) for the [Django admin](https://docs.djangoproject.com/en/stable/ref/contrib/admin/) and [`http://localhost:8888/admindocs/`](http://localhost:8888/admindocs/) for the [admindocs](https://docs.djangoproject.com/en/stable/ref/contrib/admin/admindocs/). Use port `8000` if you started with [`start.bat`](start.bat) or the `--public` option.
+Visit [`http://localhost:8000/admin/`](http://localhost:8000/admin/) for the [Django admin](https://docs.djangoproject.com/en/stable/ref/contrib/admin/) and [`http://localhost:8000/admindocs/`](http://localhost:8000/admindocs/) for the [admindocs](https://docs.djangoproject.com/en/stable/ref/contrib/admin/admindocs/). Use `--port` with the start scripts or installer when you need to expose a different port.
 
 ## Support
 

arthexis-0.1.11.dist-info/RECORD

@@ -0,0 +1,99 @@
+arthexis-0.1.11.dist-info/licenses/LICENSE,sha256=IwGE9guuL-ryRPEKi6wFPI_zOhg7zDZbTYuHbSt_SAk,35823
+config/__init__.py,sha256=8_b7rx_-Xcuzu3Z7mSR94q3PAhjyYqLFQi3IOEz6hcI,108
+config/active_app.py,sha256=MET_G7oHL7GkoSo3VkkMzymM-PwsSZazMLZxpgjFLTo,388
+config/asgi.py,sha256=n09URedOmQ_59II3UCl3iodGSDWOuN_A8DFyfLjuylA,803
+config/auth_app.py,sha256=2NkC_iYQxnpbv0gYxW4xp5DgQtdkVLpa-JzAF-638ZE,205
+config/celery.py,sha256=qRTHgNYfT2OyIz4cW49YiiKgVgzLs2mSfAEQBgso0M4,743
+config/context_processors.py,sha256=bjLSqbz7Qw6knPosIc4KNFEl5HsJHOe23htoNsul40E,2404
+config/horologia_app.py,sha256=u1hTYcEmIqh82Gt5YNPvR5ta2MnVatELvD9ByFrCH1A,194
+config/loadenv.py,sha256=bhFbHTbRJSkSwrFk3UInKEKQ8ZY-poatOGi7rC57YAI,298
+config/logging.py,sha256=334jADN4dM5GNHaCWlYPOKYa5BhfxbsuejH_QDALG6g,1793
+config/middleware.py,sha256=EvraDumepnKwCDswHGXb1mK7vud_dEEoZ4eh0IQ7fhQ,744
+config/offline.py,sha256=mhQjCUzdOwSzZ6oLgPDJR48xaPIDzOi34ARUEz43seE,1431
+config/settings.py,sha256=pJzArbxvM6Imyn4gs1YRn1WP3GaZThXFJM8ZxAAmNzg,22548
+config/urls.py,sha256=MmbES50lTHyMZ6risgXAGfevncN7j4HC74jR4PX_5xY,5228
+config/wsgi.py,sha256=Fu-ONO2SgYeU6rhmy909P-uLX-n8ALJQObdm9MHPS-k,450
+core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/admin.py,sha256=MKubxItiTTtEOo2Lh8CqUvQ3KLBa80e5C5Y0gsMqhe4,93074
+core/admin_history.py,sha256=NIDWkosJoHMaucBvUjq8VmmL-0e8ngJ4l4XA89d4jwQ,1833
+core/admindocs.py,sha256=GufdugiNEG87xGSDYVq4CBMhGRubsQCzgz-FqDIqzpM,5367
+core/apps.py,sha256=qOKq5hB4FSRb85I3Sv3OjZzhVkn7xONix65r1qMg3HM,10312
+core/auto_upgrade.py,sha256=BkoE7rJuYAmwoMux22NqujWZYjYXtN40GBloC0sNMY4,1799
+core/backends.py,sha256=VsZZwskII6QLnxP6Ff593V7o9lqXXfN2_bIfZXrvjyI,8222
+core/entity.py,sha256=dkPywTVk981fV8bOEoZw-1SMrdh8T0jVAUZnRxg3dDg,4505
+core/environment.py,sha256=egNX3vP9xRJt0dqxNZFXi25ZMhe3IZH3Vjne1_k7hxo,1645
+core/fields.py,sha256=4nJ_tngso8NHs6HBl8nn5PWvbcOiuAgkoM6hixrFm64,5580
+core/github_helper.py,sha256=k9LmxL0Ec5MzFwZsbMpWMMJ-5tGMe-5yRoI8V0sbFsw,682
+core/github_issues.py,sha256=LKqt-Ilx5TRYnx2LXttc54Nvuh3_1VRP0u_M3whe09c,4963
+core/lcd_screen.py,sha256=mkKtIJjHGDLaV4t80L-JScsZXbLhlYUDknAcvV9Ijr0,2651
+core/liveupdate.py,sha256=kTgbE2gnU3PPIV-88Bw2swSl1aGp6stSdBYqBFbLvx0,716
+core/log_paths.py,sha256=6UXYk6QIUmRO3ecFaFH3dgJ_pf4C_wUN6b0JqUhLVBY,3045
+core/mailer.py,sha256=OF3UgrTVs2St60tQG3ORV7_N6AWK6EtuB04KQXDop_Q,2829
+core/middleware.py,sha256=a4XL0pld4YiG-vanHrzYbJNHv64s75lvmG9inoG1ln0,3479
+core/models.py,sha256=ZpovGr3Tnyayu0f9Id2F0uYtnVhHo90flMFH9ixjubQ,90459
+core/notifications.py,sha256=YtNDGxNveZ6t3tlMXJ7wIaZZTWIZfOKy6vN9mXkeYnA,4021
+core/public_wifi.py,sha256=A08IPJqcdgUKSWbktyqsV4ol8C0uxDxZy1s1ECuPdBE,6526
+core/reference_utils.py,sha256=sRkwL68c16neg8EBMeZTVGjXQvVhB1zQqrd3EIsb4nA,3735
+core/release.py,sha256=thtgbfAnxHlOODM8xUVETgY5aAIbddWan0wW9lKmtQI,11064
+core/sigil_builder.py,sha256=63KSTh7AohG0szr_amBov0zoZuTE8bWqmgsEfPsZHCg,4992
+core/sigil_context.py,sha256=8xrGiB2L1dFfSTrVLsFPLKfkhRwCXXZ0-EXvZdPeTMU,459
+core/sigil_resolver.py,sha256=PAGwF3ugsqN85tKyIvT0YCDCM2MU_Mct2mCJz8XY1s4,11413
+core/system.py,sha256=i-35lmzW6JxfwDZSUuDRT0cwPjqbIkWEYR0WVvqfADM,15080
+core/tasks.py,sha256=hwowcVsbwME-75KN90D2r0kX_YPMZEVevOrrxIxpM34,10595
+core/temp_passwords.py,sha256=Kp4C-y1Hh4GeV1vSOCw3ZyIjcRMts186lUgtEkd3rxY,5452
+core/test_system_info.py,sha256=sHCuo-qyw0BKacbGXFhTWxkuPgywdMGiQ_6YK022n-E,4803
+core/tests.py,sha256=A_85lR9Qf5TE9xuCHGuM3l0_0SrH8F1qsi6sf-ip8q4,58690
+core/tests_liveupdate.py,sha256=D1o2gPopnK7wDCeDQlJ-tfitWh4umZQFRxSTCFY-puc,527
+core/urls.py,sha256=x-LNCxCgrLINdBsJTUUcAuMS5EK5Sh1ybvsVuUnJfLw,436
+core/user_data.py,sha256=kOzcWJcR-d05E7QYoNzKqQSm9bnKJvtG6zq0zRf-tDI,21371
+core/views.py,sha256=xnwgWVv3q6SnpYZ4ItIrILmjtD5bKWAsjtUYQ-5vnd0,44773
+core/widgets.py,sha256=ihah_-NtFJ3oRCS3TdcT6iHCUTlg1tUULJsVCu05C0o,1379
+core/workgroup_urls.py,sha256=2bC8mOMkxIj04WsNis0Td6AmmJFr6z27Ol5epIvhO28,424
+core/workgroup_views.py,sha256=pFJ4PIRN3WWpRyombpWDKKteYQYoI7lu7ddSEKojD7I,2983
+nodes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+nodes/actions.py,sha256=HHnwByTBc3guOORvrKOuvUFID-_BpBq6OENE_PDgk9s,2335
+nodes/admin.py,sha256=40YXBolvHjhzZRJM1o4svnIyghMI9KWUDlS-PtKheTc,21483
+nodes/apps.py,sha256=KijGydsQBS-8Q8uBc0ahDZXSSCMzP3tQcYIEigJxdCE,2077
+nodes/backends.py,sha256=-g7PIbGtIn_3kGoi2w_mJ6zVjvUKTRRWhHABPnnf29g,6081
+nodes/dns.py,sha256=X8PML9rPR7i6NwCSqqxnlO1qpHHRo8uA-XePDTQZYrY,7251
+nodes/lcd.py,sha256=7MqS3jV_De2ysSmTtXQfYTWaxdfbmm6YfNdb_7qIVZc,5923
+nodes/models.py,sha256=D-MPUe672JaF5NUU-ASAes860hJmiHeU5VHUD03Pe-c,46986
+nodes/tasks.py,sha256=jorbN4h0PqWMBRMFdkGgJtvG8GPFwGr5Hxlm5In3EeY,1568
+nodes/tests.py,sha256=4lKlM_uHYKirtLgOne4ygwEDowi2PPl2ZvEtwJzUfhI,86073
+nodes/urls.py,sha256=20yZDZf4DNgIZ9hQWsUzjp8k5Fryg9ukk761_KGQt9k,548
+nodes/utils.py,sha256=B9BD3bKBkwDjIqyp0pyjnKQQlRbGRVQndfoaMEJoNDc,2815
+nodes/views.py,sha256=lrT90AsOXeqpvkZnlCPv78mXILGJ8FwJzgsjU-wAZ4Y,15611
+ocpp/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+ocpp/admin.py,sha256=Rw0PinweVSaBjIQIcgj_cgfalNRBHcrAh3JInx8Hn7A,17129
+ocpp/apps.py,sha256=mCZ5Z0ei7z7c62luIcIhbEuwL1N4czQFSToOkGvRmms,867
+ocpp/consumers.py,sha256=0kLqiDAt0rsC62s8lmS6mW2Oj-LZuzjs0Pz4ci6L4oQ,36577
+ocpp/evcs.py,sha256=O53rCHdxKcgPsj7o57rDiNHTVvEii3DTtQ3djWFTohw,34065
+ocpp/models.py,sha256=46BYGGX4AhbBigXLV3PWLKP043JF96Wolho1q-ZPoa8,23929
+ocpp/reference_utils.py,sha256=sTgbXfmz00f23LBBkpO-sBGoJf1qaEshHeSofLReYCc,1114
+ocpp/routing.py,sha256=g9vPnLw-D1N8L_mW0_oCe-nTDibjC0Et-SFxe8NFAOI,308
+ocpp/simulator.py,sha256=es6SJNzKUwLwrLy-zDdRu__n34V2RZSQRb8SeZHh4Fw,15636
+ocpp/store.py,sha256=FyyZW2YKTWleuNdHTo_RsUO2InZZJhvMYyuZmLgQZe4,14051
+ocpp/tasks.py,sha256=cOcJBshckFKs8GnACvmYZUBG116amtLRAzEP-JNqlZ0,905
+ocpp/test_export_import.py,sha256=TK1__E4K5WrLYPIx-1iJWoIhuRCnOtXc2cYEpGigd3U,4660
+ocpp/test_rfid.py,sha256=hX8VZ2HRyBGjtQLClZ1gy28dOj25RT2r9eK3l9XkmJg,25877
+ocpp/tests.py,sha256=CcTn-bRDsb78NbK2hbH66TnlUwOno8y7ug0u8bgIz9k,107230
+ocpp/transactions_io.py,sha256=OvRynP3DeC9ZpHD3Ez-0YPNPJXFcdSOSKg0nRrwzBJ0,6507
+ocpp/urls.py,sha256=jl6AQLtmLMvrNXP3dQKgPe9Kvaul4oaYd80DskpzVBc,1750
+ocpp/views.py,sha256=3E6hJ0Tqr-_KRjvB7cunEsjtNI8Y9XzktPDhaAlIM7o,37166
+pages/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+pages/admin.py,sha256=JcwBwtQD8E2XKhPpt6bfznW3cU18XZyWvp5B8Zlr0eQ,12772
+pages/apps.py,sha256=mfCxegmnRqKcszyEwpQhZpW9JWOuEYdVereU_w49BXg,298
+pages/checks.py,sha256=an-MlMCIG-FSKmdgOhYV0VOoB_wDQD7dxKD03Hjrzts,1567
+pages/context_processors.py,sha256=iNSTFYFJsrhj0DjsB3ixVNDZw7nrowlnZAcCDyR4NS4,3697
+pages/defaults.py,sha256=rF_V5oD5JQX1tMxdMs_rCsS21Vn_NZpTESahzLNTPws,595
+pages/forms.py,sha256=NuG7ONP1HYY6O5gRoQaRSwSRchcSonRm3rulsqGSqvY,5081
+pages/middleware.py,sha256=fUdAscLa6h2EqJTFUjhVijfSf82gBfm6XUZTVygWAnk,5227
+pages/models.py,sha256=mSlw5JTgh2s_SsFzrNgq48BOhX8uc6mjZFy-kYXUjMo,9955
+pages/tests.py,sha256=6WXtb2p301tqXPT_327Y8Zw5uAsqp5hREh6nF8wWa-o,74552
+pages/urls.py,sha256=hvbdrMDc735CFwCbCU96t80IY9jDpMTpI0zQhoaxL0M,981
+pages/utils.py,sha256=7kik1W0Gk6SFxYGhg6shfI2W9Xdcv1sCpkRCQ883a88,311
+pages/views.py,sha256=X_ZoJH2DEQp8xUZMtZotTxnslABwsmFKQzYfWopktZM,41135
+arthexis-0.1.11.dist-info/METADATA,sha256=uA-HTbP7vjQzwm9FtJjxgl28g8MszSr7ntnxH9MyVlM,10175
+arthexis-0.1.11.dist-info/WHEEL,sha256=_zCd3N1l69ArxyTb8rzEoP9TpbYXkqRFSNOD5OuxnTs,91
+arthexis-0.1.11.dist-info/top_level.txt,sha256=J2a2q8_BWrCZ8H2WFUNMBfO2jz8j2gax6zZh-_1QDac,29
+arthexis-0.1.11.dist-info/RECORD,,

config/context_processors.py

@@ -64,5 +64,6 @@ def site_and_node(request: HttpRequest):
         "badge_admin_site_name": site_name or (site.domain if site else ""),
         "badge_site_color": site_color,
         "badge_node_color": node_color,
+        "current_site_domain": site.domain if site else host,
         "TIME_ZONE": settings.TIME_ZONE,
     }

config/settings.py

@@ -20,6 +20,7 @@ from core.log_paths import select_log_dir
 from django.utils.translation import gettext_lazy as _
 from celery.schedules import crontab
 from django.http import request as http_request
+from django.http.request import split_domain_port
 from django.middleware.csrf import CsrfViewMiddleware
 from django.core.exceptions import DisallowedHost
 from django.contrib.sites import shortcuts as sites_shortcuts
@@ -34,13 +35,36 @@ if not hasattr(encoding, "force_text"):  # pragma: no cover - Django>=5 compatib
     encoding.force_text = force_str
 
 
+
 _original_validate_host = http_request.validate_host
 
 
-def _validate_host_with_subnets(host, allowed_hosts):
+def _strip_ipv6_brackets(host: str) -> str:
+    if host.startswith("[") and host.endswith("]"):
+        return host[1:-1]
+    return host
+
+
+def _extract_ip_from_host(host: str):
+    """Return an :mod:`ipaddress` object for ``host`` when possible."""
+
+    candidate = _strip_ipv6_brackets(host)
     try:
-        ip = ipaddress.ip_address(host)
+        return ipaddress.ip_address(candidate)
     except ValueError:
+        domain, _port = split_domain_port(host)
+        if domain and domain != host:
+            candidate = _strip_ipv6_brackets(domain)
+            try:
+                return ipaddress.ip_address(candidate)
+            except ValueError:
+                return None
+    return None
+
+
+def _validate_host_with_subnets(host, allowed_hosts):
+    ip = _extract_ip_from_host(host)
+    if ip is None:
         return _original_validate_host(host, allowed_hosts)
     for pattern in allowed_hosts:
         try:
@@ -98,13 +122,27 @@ SECRET_KEY = _load_secret_key()
 
 # SECURITY WARNING: don't run with debug turned on in production!
 
-# Enable DEBUG and related tooling when running in Terminal mode.
+# Determine the current node role for role-specific settings while leaving
+# DEBUG control to the environment.
 NODE_ROLE = os.environ.get("NODE_ROLE")
 if NODE_ROLE is None:
     role_lock = BASE_DIR / "locks" / "role.lck"
     NODE_ROLE = role_lock.read_text().strip() if role_lock.exists() else "Terminal"
 
-DEBUG = NODE_ROLE == "Terminal"
+def _env_bool(name: str, default: bool) -> bool:
+    value = os.environ.get(name)
+    if value is None:
+        return default
+
+    normalized = value.strip().lower()
+    if normalized in {"1", "true", "yes", "on"}:
+        return True
+    if normalized in {"0", "false", "no", "off"}:
+        return False
+    return default
+
+
+DEBUG = _env_bool("DEBUG", False)
 
 ALLOWED_HOSTS = [
     "localhost",
@@ -117,6 +155,18 @@ ALLOWED_HOSTS = [
 ]
 
 
+_DEFAULT_PORTS = {"http": "80", "https": "443"}
+
+
+def _get_allowed_hosts() -> list[str]:
+    from django.conf import settings as django_settings
+
+    configured = getattr(django_settings, "ALLOWED_HOSTS", None)
+    if configured is None:
+        return ALLOWED_HOSTS
+    return list(configured)
+
+
 def _iter_local_hostnames(hostname: str, fqdn: str | None = None) -> list[str]:
     """Return unique hostname variants for the current machine."""
 
@@ -152,34 +202,143 @@ for host in _iter_local_hostnames(_local_hostname, _local_fqdn):
 
 # Allow CSRF origin verification for hosts within allowed subnets.
 _original_origin_verified = CsrfViewMiddleware._origin_verified
+_original_check_referer = CsrfViewMiddleware._check_referer
+
+
+def _host_is_allowed(host: str, allowed_hosts: list[str]) -> bool:
+    if http_request.validate_host(host, allowed_hosts):
+        return True
+    domain, _port = split_domain_port(host)
+    if domain and domain != host:
+        return http_request.validate_host(domain, allowed_hosts)
+    return False
+
+
+def _parse_forwarded_header(header_value: str) -> list[dict[str, str]]:
+    entries: list[dict[str, str]] = []
+    if not header_value:
+        return entries
+    for forwarded_part in header_value.split(","):
+        entry: dict[str, str] = {}
+        for element in forwarded_part.split(";"):
+            if "=" not in element:
+                continue
+            key, value = element.split("=", 1)
+            entry[key.strip().lower()] = value.strip().strip('"')
+        if entry:
+            entries.append(entry)
+    return entries
+
+
+def _get_request_scheme(request, forwarded_entry: dict[str, str] | None = None) -> str:
+    """Return the scheme used by the client, honoring proxy headers."""
+
+    if forwarded_entry and forwarded_entry.get("proto", "").lower() in {"http", "https"}:
+        return forwarded_entry["proto"].lower()
+
+    if request.is_secure():
+        return "https"
+
+    forwarded_proto = request.META.get("HTTP_X_FORWARDED_PROTO", "")
+    if forwarded_proto:
+        candidate = forwarded_proto.split(",")[0].strip().lower()
+        if candidate in {"http", "https"}:
+            return candidate
+
+    forwarded_header = request.META.get("HTTP_FORWARDED", "")
+    for forwarded_entry in _parse_forwarded_header(forwarded_header):
+        candidate = forwarded_entry.get("proto", "").lower()
+        if candidate in {"http", "https"}:
+            return candidate
+
+    return "http"
+
+
+def _normalize_origin_tuple(scheme: str | None, host: str) -> tuple[str, str, str | None] | None:
+    if not scheme or scheme.lower() not in {"http", "https"}:
+        return None
+    domain, port = split_domain_port(host)
+    normalized_host = _strip_ipv6_brackets(domain.strip().lower())
+    if not normalized_host:
+        return None
+    normalized_port = port.strip() if isinstance(port, str) else port
+    if not normalized_port:
+        normalized_port = _DEFAULT_PORTS.get(scheme.lower())
+    if normalized_port is not None:
+        normalized_port = str(normalized_port)
+    return scheme.lower(), normalized_host, normalized_port
+
+
+def _normalized_request_origin(origin: str) -> tuple[str, str, str | None] | None:
+    parsed = urlsplit(origin)
+    if not parsed.scheme or not parsed.hostname:
+        return None
+    scheme = parsed.scheme.lower()
+    host = parsed.hostname.lower()
+    port = str(parsed.port) if parsed.port is not None else _DEFAULT_PORTS.get(scheme)
+    return scheme, host, port
+
+
+def _candidate_origin_tuples(request, allowed_hosts: list[str]) -> list[tuple[str, str, str | None]]:
+    default_scheme = _get_request_scheme(request)
+    candidates: list[tuple[str, str, str | None]] = []
+    seen: set[tuple[str, str, str | None]] = set()
+
+    def _append_candidate(scheme: str | None, host: str) -> None:
+        if not scheme or not host:
+            return
+        normalized = _normalize_origin_tuple(scheme, host)
+        if normalized is None:
+            return
+        if not _host_is_allowed(host, allowed_hosts):
+            return
+        if normalized in seen:
+            return
+        candidates.append(normalized)
+        seen.add(normalized)
 
+    forwarded_header = request.META.get("HTTP_FORWARDED", "")
+    for forwarded_entry in _parse_forwarded_header(forwarded_header):
+        host = forwarded_entry.get("host", "").strip()
+        scheme = _get_request_scheme(request, forwarded_entry)
+        _append_candidate(scheme, host)
+
+    forwarded_host = request.META.get("HTTP_X_FORWARDED_HOST", "")
+    if forwarded_host:
+        host = forwarded_host.split(",")[0].strip()
+        _append_candidate(default_scheme, host)
 
-def _origin_verified_with_subnets(self, request):
-    request_origin = request.META["HTTP_ORIGIN"]
     try:
         good_host = request.get_host()
     except DisallowedHost:
-        pass
-    else:
-        good_origin = "%s://%s" % (
-            "https" if request.is_secure() else "http",
-            good_host,
-        )
-        if request_origin == good_origin:
+        good_host = ""
+    if good_host:
+        _append_candidate(default_scheme, good_host)
+
+    return candidates
+
+
+def _origin_verified_with_subnets(self, request):
+    request_origin = request.META["HTTP_ORIGIN"]
+    allowed_hosts = _get_allowed_hosts()
+    normalized_origin = _normalized_request_origin(request_origin)
+    if normalized_origin is None:
+        return _original_origin_verified(self, request)
+
+    origin_ip = _extract_ip_from_host(normalized_origin[1])
+
+    for candidate in _candidate_origin_tuples(request, allowed_hosts):
+        if candidate == normalized_origin:
             return True
-        try:
-            origin_host = urlsplit(request_origin).hostname
-            origin_ip = ipaddress.ip_address(origin_host)
-            request_ip = ipaddress.ip_address(good_host.split(":")[0])
-        except ValueError:
-            pass
-        else:
-            for pattern in ALLOWED_HOSTS:
+
+        candidate_ip = _extract_ip_from_host(candidate[1])
+        if origin_ip and candidate_ip:
+            for pattern in allowed_hosts:
                 try:
                     network = ipaddress.ip_network(pattern)
                 except ValueError:
                     continue
-                if origin_ip in network and request_ip in network:
+                if origin_ip in network and candidate_ip in network:
                     return True
     return _original_origin_verified(self, request)
 
@@ -187,6 +346,49 @@ def _origin_verified_with_subnets(self, request):
 CsrfViewMiddleware._origin_verified = _origin_verified_with_subnets
 
 
+def _check_referer_with_forwarded(self, request):
+    referer = request.META.get("HTTP_REFERER")
+    if referer is None:
+        return _original_check_referer(self, request)
+
+    try:
+        parsed = urlsplit(referer)
+    except ValueError:
+        return _original_check_referer(self, request)
+
+    if "" in (parsed.scheme, parsed.netloc):
+        return _original_check_referer(self, request)
+
+    if parsed.scheme.lower() != "https":
+        return _original_check_referer(self, request)
+
+    normalized_referer = _normalize_origin_tuple(parsed.scheme.lower(), parsed.netloc)
+    if normalized_referer is None:
+        return _original_check_referer(self, request)
+
+    allowed_hosts = _get_allowed_hosts()
+    referer_ip = _extract_ip_from_host(normalized_referer[1])
+
+    for candidate in _candidate_origin_tuples(request, allowed_hosts):
+        if candidate == normalized_referer:
+            return
+
+        candidate_ip = _extract_ip_from_host(candidate[1])
+        if referer_ip and candidate_ip:
+            for pattern in allowed_hosts:
+                try:
+                    network = ipaddress.ip_network(pattern)
+                except ValueError:
+                    continue
+                if referer_ip in network and candidate_ip in network:
+                    return
+
+    return _original_check_referer(self, request)
+
+
+CsrfViewMiddleware._check_referer = _check_referer_with_forwarded
+
+
 # Application definition
 
 LOCAL_APPS = [
@@ -195,7 +397,6 @@ LOCAL_APPS = [
     "ocpp",
     "awg",
     "pages",
-    "man",
     "teams",
 ]
 
@@ -203,6 +404,8 @@ INSTALLED_APPS = [
     "whitenoise.runserver_nostatic",
     "django.contrib.admin",
     "django.contrib.admindocs",
+    "django_otp",
+    "django_otp.plugins.otp_totp",
     "config.auth_app.AuthConfig",
     "django.contrib.contenttypes",
     "django.contrib.sessions",
@@ -250,6 +453,7 @@ MIDDLEWARE = [
     "django.middleware.common.CommonMiddleware",
     "django.middleware.csrf.CsrfViewMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
+    "django_otp.middleware.OTPMiddleware",
     "core.middleware.AdminHistoryMiddleware",
     "core.middleware.SigilContextMiddleware",
     "pages.middleware.ViewHistoryMiddleware",
@@ -268,6 +472,9 @@ if DEBUG:
 
 CSRF_FAILURE_VIEW = "pages.views.csrf_failure"
 
+# Allow staff TODO pages to embed internal admin views inside iframes.
+X_FRAME_OPTIONS = "SAMEORIGIN"
+
 ROOT_URLCONF = "config.urls"
 
 TEMPLATES = [
@@ -325,10 +532,15 @@ AUTH_USER_MODEL = "core.User"
 
 # Enable RFID authentication backend and restrict default admin login to localhost
 AUTHENTICATION_BACKENDS = [
+    "core.backends.TempPasswordBackend",
     "core.backends.LocalhostAdminBackend",
+    "core.backends.TOTPBackend",
     "core.backends.RFIDBackend",
 ]
 
+# Issuer name used when generating otpauth URLs for authenticator apps.
+OTP_TOTP_ISSUER = os.environ.get("OTP_TOTP_ISSUER", "Arthexis")
+
 # Database
 # https://docs.djangoproject.com/en/5.2/ref/settings/#databases
 
@@ -405,10 +617,10 @@ AUTH_PASSWORD_VALIDATORS = [
 LANGUAGE_CODE = "en-us"
 
 LANGUAGES = [
-    ("en", _("English")),
     ("es", _("Spanish")),
-    ("fr", _("French")),
-    ("ru", _("Russian")),
+    ("en", _("English")),
+    ("it", _("Italian")),
+    ("de", _("German")),
 ]
 
 LOCALE_PATHS = [BASE_DIR / "locale"]
@@ -426,6 +638,13 @@ USE_TZ = True
 STATIC_URL = "/static/"
 STATIC_ROOT = BASE_DIR / "static"
 STATICFILES_STORAGE = "whitenoise.storage.CompressedManifestStaticFilesStorage"
+
+# Allow development and freshly-updated environments to serve assets which have
+# not yet been collected into ``STATIC_ROOT``. Without this setting WhiteNoise
+# only looks for files inside ``STATIC_ROOT`` and dashboards like the public
+# traffic chart fail to load their JavaScript dependencies.
+WHITENOISE_USE_FINDERS = True
+WHITENOISE_AUTOREFRESH = DEBUG
 MEDIA_URL = "/media/"
 MEDIA_ROOT = BASE_DIR / "media"