django-admin-react 0.1.0a1__py3-none-any.whl

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Martín Castro Álvarez and django-admin-react contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

django_admin_react/README.md

@@ -0,0 +1,57 @@
+# django_admin_react/ — the Python package
+
+This directory **is** the artifact published to PyPI. Everything else
+in the repository supports it.
+
+## Layout
+
+```
+django_admin_react/
+├── __init__.py          # __version__ and AppConfig entry point
+├── apps.py              # Django AppConfig
+├── conf.py              # settings.DJANGO_ADMIN_REACT lazy loader
+├── urls.py              # mountable URL patterns (api/v1/ + SPA fallback)
+├── views.py             # SPA index view
+├── api/
+│   ├── __init__.py
+│   ├── urls.py          # API URL patterns
+│   ├── permissions.py   # IsStaffUser + ModelAdmin gates
+│   ├── registry.py      # AdminSite introspection helpers
+│   ├── serializers.py   # conservative field serialization
+│   └── views/           # one file per endpoint (registry/list/detail/...)
+├── templates/admin_react/
+│   └── index.html       # SPA shell template
+└── static/admin_react/  # built React bundle drops here
+```
+
+## Rules
+
+- This package may **not** import from `frontend/`, `examples/`, or
+  `tests/`. It is self-contained.
+- It may **not** import a consumer's models. All access goes through
+  `admin.site._registry` and `ModelAdmin` methods.
+- It may **not** hardcode example model names (`Account`, `Book`,
+  `Transaction`, …). If you see one, fix it.
+- Settings live under a single dict `settings.DJANGO_ADMIN_REACT`. Read
+  them through `django_admin_react.conf`, never via
+  `django.conf.settings.DJANGO_ADMIN_REACT` directly.
+
+## Implementation status
+
+| File                          | Status             | Lands in PR |
+| ----------------------------- | ------------------ | ----------- |
+| `__init__.py`, `apps.py`      | Stub               | #1          |
+| `conf.py`                     | Stub w/ defaults   | #1 → flesh out in #2 |
+| `urls.py`                     | Routes wired, views stubbed | #1 → #6 |
+| `views.py`                    | SpaIndexView stub  | #6          |
+| `api/permissions.py`          | Empty              | #3          |
+| `api/registry.py`             | Empty              | #3          |
+| `api/serializers.py`          | Empty              | #4          |
+| `api/views/registry.py`       | Empty              | #3          |
+| `api/views/list.py`           | Empty              | #4          |
+| `api/views/detail.py`         | Empty              | #4          |
+| `api/views/create.py`         | Empty              | #5          |
+| `api/views/update.py`         | Empty              | #5          |
+| `api/views/delete.py`         | Empty              | #5          |
+| `templates/admin_react/index.html` | Placeholder  | #6          |
+| `static/admin_react/`         | `.gitkeep`         | populated at build time |

django_admin_react/__init__.py

@@ -0,0 +1,10 @@
+"""django-admin-react — a React single-page admin for Django.
+
+The actual implementation lands across PRs #2-#7. This package is
+currently a skeleton that defines the layout and the Django AppConfig
+entry point only. See `ARCHITECTURE.md` for the design contract.
+"""
+
+__version__ = "0.0.0"
+
+default_app_config = "django_admin_react.apps.DjangoAdminReactConfig"

django_admin_react/api/README.md

@@ -0,0 +1,31 @@
+# django_admin_react/api/
+
+JSON API package. See [`/docs/api-contract.md`](../../docs/api-contract.md)
+for the wire format and [`/ARCHITECTURE.md`](../../ARCHITECTURE.md) §4 for
+the design.
+
+## Rules
+
+- Every view consults `ModelAdmin` for permissions, queryset, form,
+  serialization. No exceptions.
+- No direct `Model.objects.all()` — start from
+  `ModelAdmin.get_queryset(request)`.
+- Client-provided `app_label`/`model_name` are resolved through
+  `admin.site._registry` only.
+- CSRF on unsafe methods. Never exempt yourself.
+- Conservative serializer with `str()` fallback (see
+  `serializers.py`).
+- A denylist of sensitive-shaped field names is applied on top of the
+  admin form's own exclusion (defense in depth).
+
+## Layout
+
+| File              | Purpose                                                      |
+| ----------------- | ------------------------------------------------------------ |
+| `urls.py`         | URL patterns for all API endpoints.                          |
+| `permissions.py`  | Staff + AdminSite.has_permission gate; per-op delegation.    |
+| `registry.py`     | AdminSite introspection helpers.                             |
+| `serializers.py`  | Conservative field serialization + denylist.                 |
+| `views/`          | One module per endpoint.                                     |
+
+Implementation status is tracked in `../README.md`.

django_admin_react/api/__init__.py

@@ -0,0 +1,5 @@
+"""JSON API for django_admin_react.
+
+See `docs/api-contract.md` for the wire contract. All endpoints live
+here; nothing in this subpackage may bypass ModelAdmin.
+"""

django_admin_react/api/permissions.py

@@ -0,0 +1,80 @@
+"""Permission helpers.
+
+The package's default permission gate is:
+
+    user.is_authenticated and user.is_active and user.is_staff
+    and admin_site.has_permission(request)
+
+Per-operation gates always go through the relevant
+``ModelAdmin.has_*_permission(request, obj=None)`` method.
+
+See ``SECURITY.md`` §3 (rules 1 and 12) for the contract this enforces.
+"""
+
+from __future__ import annotations
+
+from typing import Final
+
+from django.contrib.admin.sites import AdminSite
+from django.http import HttpRequest
+from django.http import HttpResponse
+from django.http import JsonResponse
+
+from django_admin_react.api.registry import get_admin_site
+
+
+def _user_is_active_staff(request: HttpRequest) -> bool:
+    """Return True iff the request user is authenticated, active, and staff.
+
+    The triple check is intentional and each part is load-bearing.
+
+    - ``is_authenticated`` rejects ``AnonymousUser``.
+    - ``is_active`` ensures a deactivated account loses access immediately;
+      relying on ``is_staff`` alone would still let a disabled superuser
+      through.
+    - ``is_staff`` is the standard Django admin gate.
+
+    ``getattr(user, "is_active", False)`` (rather than ``user.is_active``)
+    is defensive: a custom user model might omit the attribute, and the
+    safe default is "no".
+    """
+    user = getattr(request, "user", None)
+    return bool(
+        user is not None
+        and user.is_authenticated
+        and getattr(user, "is_active", False)
+        and getattr(user, "is_staff", False)
+    )
+
+
+def is_admin_user(request: HttpRequest, admin_site: AdminSite | None = None) -> bool:
+    """Return True iff the request may access the package's API.
+
+    The package's default policy is staff-only (rule 1 in ``SECURITY.md``
+    §3). ``AdminSite.has_permission`` is the consumer's escape hatch: if
+    a consumer's custom site allows non-staff users to access the admin,
+    this package follows that decision (`ARCHITECTURE.md` §4.2).
+    """
+    if not _user_is_active_staff(request):
+        return False
+    site = admin_site if admin_site is not None else get_admin_site()
+    return bool(site.has_permission(request))
+
+
+_FORBIDDEN_BODY: Final[dict[str, dict[str, str]]] = {
+    "error": {"code": "forbidden", "message": "You do not have permission."}
+}
+
+
+def forbidden_response() -> HttpResponse:
+    """Return the package's canonical 403 envelope.
+
+    The body never includes data identifying the resource (per ``SECURITY.md``
+    §3 rule 12). For unauthenticated requests, callers may also want to
+    redirect to ``settings.LOGIN_URL`` — that's a caller-level choice and
+    not encoded here.
+    """
+    response = JsonResponse(_FORBIDDEN_BODY, status=403)
+    # Discourage caching of a permission decision.
+    response["Cache-Control"] = "no-store"
+    return response

django_admin_react/api/registry.py

@@ -0,0 +1,200 @@
+"""AdminSite introspection helpers.
+
+The package looks up ``ModelAdmin`` instances **only** through the
+configured admin site's ``_registry`` (rule 3 in ``SECURITY.md`` §3).
+Client-provided ``app_label`` / ``model_name`` strings are never used
+to ``import_string`` a model directly.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Iterable
+
+from django.apps import apps
+from django.contrib.admin.options import ModelAdmin
+from django.contrib.admin.sites import AdminSite
+from django.db.models import Model
+from django.http import HttpRequest
+from django.utils.module_loading import import_string
+
+
+def get_admin_site() -> AdminSite:
+    """Resolve the configured admin site instance.
+
+    Configured via ``settings.DJANGO_ADMIN_REACT["ADMIN_SITE"]``;
+    defaults to ``django.contrib.admin.site``. Resolution is lazy: we
+    look up the dotted path each call so tests can override settings via
+    Django's standard ``override_settings`` decorator without having to
+    reload this module.
+    """
+    from django_admin_react import conf
+
+    dotted_path: str = conf.ADMIN_SITE
+    site = import_string(dotted_path)
+    if not isinstance(site, AdminSite):
+        raise TypeError(
+            "DJANGO_ADMIN_REACT['ADMIN_SITE'] must point to an AdminSite "
+            f"instance; got {type(site).__name__} at {dotted_path!r}."
+        )
+    return site
+
+
+def iter_visible_models(
+    admin_site: AdminSite, request: HttpRequest
+) -> Iterable[tuple[type[Model], ModelAdmin]]:
+    """Yield (model, model_admin) pairs the request may view.
+
+    Filters by:
+
+    - ``ModelAdmin.has_module_permission(request)`` — gate per app.
+    - ``ModelAdmin.has_view_permission(request)`` — gate per model.
+
+    Both must return truthy. Order is the registration order in
+    ``_registry`` (Django preserves dict insertion order).
+    """
+    for model, model_admin in admin_site._registry.items():
+        if not model_admin.has_module_permission(request):
+            continue
+        if not model_admin.has_view_permission(request):
+            continue
+        yield model, model_admin
+
+
+def _model_permissions(model_admin: ModelAdmin, request: HttpRequest) -> dict[str, bool]:
+    """The four ``has_*_permission`` answers, as plain booleans."""
+    return {
+        "view": bool(model_admin.has_view_permission(request)),
+        "add": bool(model_admin.has_add_permission(request)),
+        "change": bool(model_admin.has_change_permission(request)),
+        "delete": bool(model_admin.has_delete_permission(request)),
+    }
+
+
+def _model_entry(model: type[Model], model_admin: ModelAdmin, request: HttpRequest) -> dict:
+    """Single ``models[]`` element for the registry response.
+
+    Wire shape is documented in ``docs/api-contract.md`` §2. Only
+    metadata + the four ``has_*_permission`` booleans go on the wire;
+    no model field schemas, no row counts — those are detail/list
+    endpoint responsibilities.
+    """
+    meta = model._meta
+    return {
+        "app_label": meta.app_label,
+        "model_name": meta.model_name,
+        "object_name": meta.object_name,
+        "verbose_name": str(meta.verbose_name),
+        "verbose_name_plural": str(meta.verbose_name_plural),
+        "permissions": _model_permissions(model_admin, request),
+    }
+
+
+def _user_payload(request: HttpRequest) -> dict:
+    """``user`` block on the registry response (contract §2).
+
+    Exposes only data the user already knows about themselves: pk,
+    username, display name, ``is_staff``, ``is_superuser``. No email,
+    no group memberships, no permission codenames, no last-login
+    timestamp — the SPA does not need them and the registry endpoint
+    must stay deny-by-default (``SECURITY.md`` §3 rule 12).
+
+    ``getattr(user, "is_active", False)`` style defaults are used so
+    a custom user model missing an attribute degrades to "no" rather
+    than raising.
+    """
+    user = request.user
+    full_name = (user.get_full_name() or "").strip() if hasattr(user, "get_full_name") else ""
+    display_name = full_name or user.get_username()
+    return {
+        "id": user.pk,
+        "username": user.get_username(),
+        "is_staff": bool(getattr(user, "is_staff", False)),
+        "is_superuser": bool(getattr(user, "is_superuser", False)),
+        "display_name": display_name,
+    }
+
+
+def _mount_from_request(request: HttpRequest) -> str:
+    """Best-effort recovery of the consumer-chosen mount prefix.
+
+    The view's URL pattern is fixed inside this package (``api/v1/registry/``),
+    so anything in front of that on ``request.path`` is the mount the
+    consumer configured (`ARCHITECTURE.md` §4.5).
+    """
+    suffix = "api/v1/registry/"
+    path = request.path
+    idx = path.rfind(suffix)
+    if idx == -1:
+        # Should not happen — the URL config routed us here. Fall back to '/'.
+        return "/"
+    return path[:idx] or "/"
+
+
+def build_registry_payload(admin_site: AdminSite, request: HttpRequest) -> dict:
+    """Build the ``GET /api/v1/registry/`` response body.
+
+    The shape is documented in ``docs/api-contract.md`` §2.
+    """
+    apps_payload: dict[str, dict] = {}
+    for model, model_admin in iter_visible_models(admin_site, request):
+        app_label = model._meta.app_label
+        bucket = apps_payload.setdefault(
+            app_label,
+            {
+                "app_label": app_label,
+                "verbose_name": _app_verbose_name(app_label),
+                "models": [],
+            },
+        )
+        bucket["models"].append(_model_entry(model, model_admin, request))
+
+    return {
+        "mount": _mount_from_request(request),
+        "user": _user_payload(request),
+        "apps": list(apps_payload.values()),
+    }
+
+
+def _app_verbose_name(app_label: str) -> str:
+    """Return the human-readable app name, falling back to the label."""
+    try:
+        return str(apps.get_app_config(app_label).verbose_name)
+    except LookupError:
+        return app_label
+
+
+def resolve_model(
+    admin_site: AdminSite,
+    request: HttpRequest,
+    app_label: str,
+    model_name: str,
+) -> tuple[type[Model], ModelAdmin] | None:
+    """Look up a registered ``(model, model_admin)`` by client-given strings.
+
+    Client-provided ``app_label`` and ``model_name`` are **never** trusted.
+    They are resolved through ``AdminSite._registry`` (rule 3 in
+    ``SECURITY.md`` §3) and the resolution is gated by
+    ``has_module_permission`` and ``has_view_permission``.
+
+    Returns ``None`` if the model is not registered or the request is not
+    permitted to view it. The caller must convert that to a 404, per
+    ``ACCEPTANCE.md`` §3.1 B-7 and §4.3 S-11/S-12.
+    """
+    if not isinstance(app_label, str) or not isinstance(model_name, str):
+        return None
+    target = (app_label.lower(), model_name.lower())
+    for model, model_admin in admin_site._registry.items():
+        meta = model._meta
+        if (meta.app_label, meta.model_name) != target:
+            continue
+        if not model_admin.has_module_permission(request):
+            return None
+        if not model_admin.has_view_permission(request):
+            return None
+        return model, model_admin
+    return None
+
+
+def model_permissions(model_admin: ModelAdmin, request: HttpRequest) -> dict[str, bool]:
+    """Public alias for the four ``has_*_permission`` booleans."""
+    return _model_permissions(model_admin, request)

django_admin_react/api/serializers.py

@@ -0,0 +1,183 @@
+"""Conservative field serialization.
+
+The wire format is described in ``docs/api-contract.md`` §4. This module
+converts Python / Django values into the JSON payload, after the admin
+form's exclusion rules have been applied. The sensitive-name denylist
+below is defense-in-depth on top of those rules.
+
+Rules (binding; see ``ACCEPTANCE.md`` §3.5 and §4.7):
+
+- Pass-through: ``str``, ``int``, ``float``, ``bool``, ``None``.
+- ``Decimal``, ``UUID``, ``date``, ``datetime``, ``time`` → string forms.
+- ``ForeignKey`` → ``{"id": pk, "label": str(related)}``.
+- ``ManyToMany`` → ``"unsupported"`` v1.
+- Anything else → ``str(value)`` (never raises).
+- Field names matching the denylist are never emitted.
+"""
+
+from __future__ import annotations
+
+import datetime as _dt
+import decimal
+import uuid
+from collections.abc import Iterable
+from typing import Any
+from typing import Final
+
+from django.db.models import Field
+from django.db.models import ForeignKey
+from django.db.models import ManyToManyField
+from django.db.models import Model
+
+SENSITIVE_NAME_SUBSTRINGS: Final[tuple[str, ...]] = (
+    "password",
+    "secret",
+    "token",
+    "api_key",
+    "apikey",
+    "hash",
+    "private_key",
+    "session",
+    "nonce",
+    "salt",
+)
+
+
+def is_sensitive_field_name(name: str) -> bool:
+    """Return True iff ``name`` matches any entry in the denylist."""
+    if not isinstance(name, str):
+        return True
+    lowered = name.lower()
+    return any(s in lowered for s in SENSITIVE_NAME_SUBSTRINGS)
+
+
+def filter_sensitive(names: Iterable[str]) -> list[str]:
+    """Drop any field name that matches the denylist."""
+    return [n for n in names if not is_sensitive_field_name(n)]
+
+
+def serialize_value(value: Any) -> Any:
+    """Convert a Python value to its JSON-compatible wire form."""
+    if value is None or isinstance(value, bool | int | float | str):
+        return value
+    if isinstance(value, decimal.Decimal):
+        return str(value)
+    if isinstance(value, uuid.UUID):
+        return str(value)
+    if isinstance(value, _dt.datetime):
+        return value.isoformat()
+    if isinstance(value, _dt.date):
+        return value.isoformat()
+    if isinstance(value, _dt.time):
+        return value.isoformat()
+    if isinstance(value, Model):
+        return {"id": value.pk, "label": label_for(value)}
+    return str(value)
+
+
+def serialize_fk_value(value: Model | None) -> dict[str, Any] | None:
+    """Serialize an FK as ``{"id": pk, "label": str(obj)}`` or ``None``."""
+    if value is None:
+        return None
+    return {"id": value.pk, "label": label_for(value)}
+
+
+def label_for(obj: Model) -> str:
+    """Return a human-readable label for ``obj`` (``str(obj)`` with fallback).
+
+    Django models that raise on ``__str__`` (e.g. missing related rows
+    during a half-migrated state) would otherwise crash a list page.
+    The fallback ``<ClassName: pk>`` keeps the UI responsive and never
+    raises.
+
+    Centralized here so the views, the registry payload, and the
+    serializer label objects identically — a UX win and a single
+    point of defense for ``__str__`` exceptions.
+    """
+    try:
+        return str(obj)
+    except Exception:
+        return f"<{obj.__class__.__name__}: {obj.pk}>"
+
+
+_TYPE_BY_INTERNAL: Final[dict[str, str]] = {
+    "AutoField": "integer",
+    "BigAutoField": "integer",
+    "BigIntegerField": "integer",
+    "BooleanField": "boolean",
+    "CharField": "string",
+    "DateField": "date",
+    "DateTimeField": "datetime",
+    "DecimalField": "decimal",
+    "EmailField": "email",
+    "FloatField": "float",
+    "ForeignKey": "foreignkey",
+    "IntegerField": "integer",
+    "OneToOneField": "foreignkey",
+    "PositiveBigIntegerField": "integer",
+    "PositiveIntegerField": "integer",
+    "PositiveSmallIntegerField": "integer",
+    "SlugField": "slug",
+    "SmallIntegerField": "integer",
+    "TextField": "text",
+    "TimeField": "time",
+    "URLField": "url",
+    "UUIDField": "uuid",
+}
+
+
+def field_type_for(field: Field) -> str:
+    """Closed v1-vocabulary type for a Django model field."""
+    if isinstance(field, ManyToManyField):
+        return "unsupported"
+    internal = field.get_internal_type()
+    return _TYPE_BY_INTERNAL.get(internal, "unsupported")
+
+
+def field_choices(field: Field) -> list[dict[str, Any]] | None:
+    """Serialize a Django field's ``choices`` as a list of ``{value, label}``.
+
+    Returns ``None`` when the field has no choices (so the wire payload
+    omits the key entirely rather than emitting a misleading empty
+    list). Labels are coerced via ``str(...)`` so lazy translation
+    proxies resolve to the request locale before serialization.
+    """
+    choices = getattr(field, "choices", None)
+    if not choices:
+        return None
+    return [{"value": v, "label": str(lbl)} for v, lbl in choices]
+
+
+def field_metadata(
+    field: Field,
+    *,
+    label: str,
+    required: bool,
+    readonly: bool,
+    help_text: str,
+    value: Any,
+) -> dict[str, Any]:
+    """Per-field metadata block for the detail endpoint."""
+    type_ = field_type_for(field)
+    metadata: dict[str, Any] = {
+        "type": type_,
+        "label": label,
+        "required": required,
+        "readonly": readonly,
+        "help_text": help_text,
+        "value": value,
+    }
+    if isinstance(field, ForeignKey):
+        related = field.related_model
+        if related is not None:
+            meta = related._meta
+            metadata["to"] = {"app_label": meta.app_label, "model_name": meta.model_name}
+    if getattr(field, "max_length", None):
+        metadata["max_length"] = field.max_length
+    if type_ == "decimal":
+        metadata["decimal_places"] = getattr(field, "decimal_places", None)
+    choices = field_choices(field)
+    if choices is not None:
+        metadata["type"] = "choice"
+        metadata["choices"] = choices
+    return metadata

django_admin_react/api/urls.py

@@ -0,0 +1,84 @@
+"""URL patterns for the JSON API.
+
+Mounted under the consumer's chosen prefix at ``api/v1/``. See
+``django_admin_react/urls.py`` and ``docs/api-contract.md`` for the
+overall path layout.
+
+Each path serves multiple HTTP methods via a thin dispatch class so the
+per-method implementation files stay focused. CSRF protection is the
+consumer's middleware (`SECURITY.md` §3 rule 4); no view here is
+``@csrf_exempt``.
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from django.http import HttpRequest
+from django.http import HttpResponse
+from django.urls import path
+from django.views.generic import View
+
+from django_admin_react.api.views.create import CreateView
+from django_admin_react.api.views.destroy import DestroyView
+from django_admin_react.api.views.detail import DetailView
+from django_admin_react.api.views.list import ListView
+from django_admin_react.api.views.registry import RegistryView
+from django_admin_react.api.views.update import UpdateView
+
+
+class CollectionView(View):
+    """Dispatch GET → list, POST → create for ``/<app>/<model>/``.
+
+    The collection URL serves two HTTP verbs; rather than overloading
+    a single view module, we dispatch to dedicated per-verb views so
+    each verb's security gates and tests stay self-contained.
+    """
+
+    http_method_names = ["get", "post"]
+
+    def get(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        """Forward GET to ``ListView`` (contract §3)."""
+        return ListView.as_view()(request, *args, **kwargs)
+
+    def post(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        """Forward POST to ``CreateView`` (contract §5.1)."""
+        return CreateView.as_view()(request, *args, **kwargs)
+
+
+class InstanceView(View):
+    """Dispatch GET / PATCH / DELETE for ``/<app>/<model>/<pk>/``.
+
+    Same pattern as :class:`CollectionView` — per-verb dispatch keeps
+    the security gates and tests for read / change / delete cleanly
+    separated.
+    """
+
+    http_method_names = ["get", "patch", "delete"]
+
+    def get(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        """Forward GET to ``DetailView`` (contract §4)."""
+        return DetailView.as_view()(request, *args, **kwargs)
+
+    def patch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        """Forward PATCH to ``UpdateView`` (contract §5.2)."""
+        return UpdateView.as_view()(request, *args, **kwargs)
+
+    def delete(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        """Forward DELETE to ``DestroyView`` (contract §5.3)."""
+        return DestroyView.as_view()(request, *args, **kwargs)
+
+
+urlpatterns: list = [
+    path("registry/", RegistryView.as_view(), name="registry"),
+    path(
+        "<str:app_label>/<str:model_name>/",
+        CollectionView.as_view(),
+        name="collection",
+    ),
+    path(
+        "<str:app_label>/<str:model_name>/<str:pk>/",
+        InstanceView.as_view(),
+        name="instance",
+    ),
+]