django-admin-react 0.2.0a2__tar.gz → 0.2.0a4__tar.gz

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: django-admin-react
-Version: 0.2.0a2
+Version: 0.2.0a4
 Summary: A drop-in React single-page admin for Django, driven entirely by ModelAdmin.
 License: MIT
 Keywords: django,admin,react,spa,tailwind

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/dates.py

@@ -143,11 +143,7 @@ def build_buckets(
         .annotate(_count=Count("pk"))
         .order_by("_bucket")
     )
-    return [
-        {"value": r["_bucket"], "count": r["_count"]}
-        for r in rows
-        if r["_bucket"] is not None
-    ]
+    return [{"value": r["_bucket"], "count": r["_count"]} for r in rows if r["_bucket"] is not None]
 
 
 def date_hierarchy_payload(

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/filters.py

@@ -34,6 +34,7 @@ Hard rules (`SECURITY.md` §3):
 
 from __future__ import annotations
 
+import logging
 from typing import Any
 
 from django.contrib.admin import SimpleListFilter
@@ -49,6 +50,8 @@ from django.http import HttpRequest
 
 from django_admin_react.api.serializers import is_sensitive_field_name
 
+logger = logging.getLogger(__name__)
+
 # PM ruling (Q-PM-03): FK filters in v1 surface up to ≤ 25 options
 # inline; larger target tables defer to a follow-up that combines
 # list_filter with autocomplete (#59). Keep the cap explicit so a
@@ -273,7 +276,8 @@ def apply_filters(queryset: QuerySet, model_admin: ModelAdmin, request: HttpRequ
         if filter_cls is not None and issubclass(filter_cls, SimpleListFilter):
             try:
                 instance = filter_cls(request, request.GET.copy(), model_admin.model, model_admin)
-            except Exception:  # pragma: no cover
+            except Exception:  # pragma: no cover - skip a misbehaving consumer filter
+                logger.debug("Skipping list_filter %r: instantiation failed", entry, exc_info=True)
                 continue
             try:
                 narrowed = instance.queryset(request, queryset)

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/inlines.py

@@ -32,9 +32,11 @@ from django.db.models import ManyToManyField
 from django.db.models import Model
 from django.http import HttpRequest
 
+from django_admin_react.api.serializers import field_type_for
 from django_admin_react.api.serializers import filter_sensitive
 from django_admin_react.api.serializers import is_sensitive_field_name
 from django_admin_react.api.serializers import label_for
+from django_admin_react.api.serializers import safe_get_field
 from django_admin_react.api.serializers import serialize_fk_value
 from django_admin_react.api.serializers import serialize_value
 
@@ -124,9 +126,7 @@ def _spec_for_inline(
 
     rows: list[dict[str, Any]] = []
     if can_view:
-        rows = _rows_for_inline(
-            inline, parent, fk_name, visible_fields, request
-        )
+        rows = _rows_for_inline(inline, parent, fk_name, visible_fields, request)
 
     return {
         "name": fk_name + "_set" if not hasattr(child_model, fk_name + "_set") else fk_name,
@@ -183,9 +183,7 @@ def _visible_inline_fields(
     visible = [
         name
         for name in declared
-        if name not in excluded
-        and name != fk_back
-        and not is_sensitive_field_name(name)
+        if name not in excluded and name != fk_back and not is_sensitive_field_name(name)
     ]
     return filter_sensitive(visible)
 
@@ -196,7 +194,17 @@ def _fields_meta(
     visible_fields: list[str],
     request: HttpRequest,
 ) -> list[dict[str, Any]]:
-    """Per-field metadata for the inline header — minimal shape."""
+    """Per-field metadata for the inline header.
+
+    Carries ``type`` + ``required`` (in addition to ``name`` / ``label``
+    / ``readonly``) so the SPA can render a *typed* input per inline
+    field in edit mode — the prerequisite for inline editing (#54
+    write-half UI). ``type`` reuses the same closed vocabulary
+    (``field_type_for``) the top-level detail descriptor uses, so the
+    frontend can route inline fields through the same ``FieldInput``
+    component. Additive — existing read-only consumers ignore the new
+    keys.
+    """
     readonly = set(inline.get_readonly_fields(request, None) or ())
     out: list[dict[str, Any]] = []
     for name in visible_fields:
@@ -204,11 +212,19 @@ def _fields_meta(
             label = label_for_field(name, child_model, inline)
         except Exception:  # pragma: no cover
             label = name
+        model_field = safe_get_field(child_model, name)
+        field_type = field_type_for(model_field) if model_field is not None else "unsupported"
+        # ``required`` mirrors the form layer: a field is required when
+        # it is not ``blank``. ``safe_get_field`` returning ``None`` (a
+        # method-only ``list_display`` entry) → not required / unsupported.
+        required = bool(model_field is not None and not getattr(model_field, "blank", True))
         out.append(
             {
                 "name": name,
                 "label": str(label),
                 "readonly": name in readonly,
+                "type": field_type,
+                "required": required,
             }
         )
     return out
@@ -246,7 +262,5 @@ def _rows_for_inline(
                 fields_payload[name] = [serialize_fk_value(r) for r in related]
             else:
                 fields_payload[name] = serialize_value(value, field=model_field)
-        rows.append(
-            {"pk": obj.pk, "label": label_for(obj), "fields": fields_payload}
-        )
+        rows.append({"pk": obj.pk, "label": label_for(obj), "fields": fields_payload})
     return rows

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/serializers.py

@@ -153,8 +153,7 @@ def _looks_like_range(value: Any) -> bool:
     dependency.
     """
     return all(
-        hasattr(value, attr)
-        for attr in ("lower", "upper", "lower_inc", "upper_inc", "isempty")
+        hasattr(value, attr) for attr in ("lower", "upper", "lower_inc", "upper_inc", "isempty")
     )
 
 
@@ -197,11 +196,26 @@ def _serialize_range_value(value: Any, field: Field | None) -> dict[str, Any]:
     }
 
 
-def serialize_fk_value(value: Model | None) -> dict[str, Any] | None:
-    """Serialize an FK as ``{"id": pk, "label": str(obj)}`` or ``None``."""
+def serialize_fk_value(value: Model | None, *, admin_site: Any = None) -> dict[str, Any] | None:
+    """Serialize an FK as ``{"id": pk, "label": str(obj)}`` or ``None``.
+
+    When ``admin_site`` is provided **and** the related model is
+    registered on it, the envelope also carries
+    ``to: {"app_label": <real>, "model_name": ...}`` so the SPA can
+    render the cell as a navigable link to the related object's detail
+    page (#184). The target is **omitted** when the related model isn't
+    registered — surfacing a link the detail endpoint would 404 on (and
+    leaking adjacency to an unregistered model) is the exact posture
+    #89 removed from filter descriptors. ``app_label`` is the real
+    ``_meta.app_label`` the detail URL resolves against.
+    """
     if value is None:
         return None
-    return {"id": value.pk, "label": label_for(value)}
+    out: dict[str, Any] = {"id": value.pk, "label": label_for(value)}
+    if admin_site is not None and type(value) in getattr(admin_site, "_registry", {}):
+        meta = value._meta
+        out["to"] = {"app_label": meta.app_label, "model_name": meta.model_name}
+    return out
 
 
 def label_for(obj: Model) -> str:

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/urls.py

@@ -26,6 +26,7 @@ from django_admin_react.api.views.auth import LogoutView
 from django_admin_react.api.views.autocomplete import AutocompleteView
 from django_admin_react.api.views.bulk import BulkUpdateView
 from django_admin_react.api.views.create import CreateView
+from django_admin_react.api.views.create_form import AddFormView
 from django_admin_react.api.views.delete_preview import DeletePreviewView
 from django_admin_react.api.views.destroy import DestroyView
 from django_admin_react.api.views.detail import DetailView
@@ -110,6 +111,14 @@ urlpatterns: list = [
         BulkUpdateView.as_view(),
         name="bulk_update",
     ),
+    # Add-form schema — the create page's field descriptors for a NEW
+    # object. Literal ``add`` must precede the ``<pk>`` instance route
+    # below so it isn't swallowed as a pk.
+    path(
+        "<str:app_label>/<str:model_name>/add/",
+        AddFormView.as_view(),
+        name="add_form",
+    ),
     path(
         "<str:app_label>/<str:model_name>/",
         CollectionView.as_view(),

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/views/actions.py

@@ -31,6 +31,7 @@ from __future__ import annotations
 
 from typing import Any
 
+from django.contrib.admin.utils import model_format_dict
 from django.db import transaction
 from django.http import HttpRequest
 from django.http import HttpResponse
@@ -138,9 +139,22 @@ def actions_payload(model_admin: Any, request: HttpRequest) -> list[dict[str, An
     confirmation step regardless — this hint is a UX optimisation.
     """
     raw = model_admin.get_actions(request) or {}
+    # Django's built-in `delete_selected` (and any action whose
+    # `short_description` uses the admin's `%(verbose_name)s` /
+    # `%(verbose_name_plural)s` placeholders) ships a *format string*,
+    # not a finished label — Django interpolates it at render time via
+    # `model_format_dict(opts)`. Do the same here so the SPA shows
+    # "Delete selected files", never the raw "%(verbose_name_plural)s".
+    fmt = model_format_dict(model_admin.model._meta)
     out: list[dict[str, Any]] = []
     for name, (_callable, _resolved_name, description) in raw.items():
-        label = str(description) if description else name
+        raw_label = str(description) if description else name
+        try:
+            label = raw_label % fmt
+        except (KeyError, ValueError, TypeError):
+            # Not a %-format string, or references a key we don't
+            # provide — surface the label verbatim rather than crashing.
+            label = raw_label
         requires_conf = "delete" in (label.lower() + " " + name.lower())
         out.append(
             {

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/views/autocomplete.py

@@ -91,8 +91,7 @@ class AutocompleteView(View):
 
         if not model_admin.search_fields:
             return bad_request(
-                "The target admin does not declare search_fields; "
-                "autocomplete is not available."
+                "The target admin does not declare search_fields; " "autocomplete is not available."
             )
 
         q = (request.GET.get("q") or "").strip()
@@ -101,9 +100,7 @@ class AutocompleteView(View):
 
         queryset = model_admin.get_queryset(request)
         if q:
-            queryset, may_have_duplicates = model_admin.get_search_results(
-                request, queryset, q
-            )
+            queryset, may_have_duplicates = model_admin.get_search_results(request, queryset, q)
             if may_have_duplicates:
                 queryset = queryset.distinct()
 

django_admin_react-0.2.0a4/django_admin_react/api/views/create_form.py

@@ -0,0 +1,96 @@
+"""``GET /api/v1/<app>/<model>/add/`` — the create-form schema.
+
+The detail view (``/<pk>/``) needs an existing object; the SPA's
+create page needs the same field descriptors + fieldsets for a *new*
+object. This view builds that payload from an unsaved instance, the
+add form (``get_form(request, obj=None, change=False)`` — exactly how
+Django's add view builds it), and the read-visible field set.
+
+It deliberately reuses the detail view's descriptor builders so the
+field shape is byte-for-byte identical to what edit renders — the SPA
+uses one ``FieldInput`` component for both.
+
+Hard rules: staff gate (rule 1), model resolved through the registry
+(rule 3), ``has_add_permission`` gate (rule 6 — create is gated on
+add, not view), sensitive-name denylist applied (S-31).
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from django.http import HttpRequest
+from django.http import HttpResponse
+from django.http import JsonResponse
+from django.views.generic import View
+
+from django_admin_react.api.permissions import forbidden_response
+from django_admin_react.api.permissions import is_admin_user
+from django_admin_react.api.registry import get_admin_site
+from django_admin_react.api.registry import model_permissions
+from django_admin_react.api.registry import resolve_model
+from django_admin_react.api.views.detail import _descriptor_for
+from django_admin_react.api.views.detail import _fieldsets_payload
+from django_admin_react.api.views.detail import _visible_field_names
+from django_admin_react.api.writes import not_found_response
+
+
+class AddFormView(View):
+    """``GET /api/v1/<app_label>/<model_name>/add/`` — empty create form."""
+
+    http_method_names = ["get"]
+
+    def get(
+        self,
+        request: HttpRequest,
+        app_label: str,
+        model_name: str,
+        *args: Any,
+        **kwargs: Any,
+    ) -> HttpResponse:
+        admin_site = get_admin_site()
+        if not is_admin_user(request, admin_site=admin_site):
+            return forbidden_response(request)
+
+        resolved = resolve_model(admin_site, request, app_label, model_name)
+        if resolved is None:
+            return not_found_response()
+        model, model_admin = resolved
+
+        # Create is gated on add — not view. A user who can view but
+        # not add must not be handed an add form.
+        if not model_admin.has_add_permission(request):
+            return forbidden_response(request)
+
+        # Unsaved instance so descriptor builders have field defaults to
+        # read (FK → None, M2M → [] via the guards in _descriptor_for).
+        obj = model()
+
+        visible_names = _visible_field_names(model_admin, request, None)
+        readonly = set(model_admin.get_readonly_fields(request, None) or ())
+        # The ADD form — change=False, obj=None — exactly how Django's
+        # add view constructs it (``ModelAdmin._changeform_view`` with
+        # add=True passes change=False).
+        form = model_admin.get_form(request, obj=None, change=False)()
+
+        fields: dict[str, dict[str, Any]] = {}
+        for name in visible_names:
+            fields[name] = _descriptor_for(
+                model=model,
+                model_admin=model_admin,
+                obj=obj,
+                name=name,
+                form=form,
+                is_readonly=name in readonly,
+            )
+
+        payload = {
+            "app_label": model._meta.app_label,
+            "model_name": model._meta.model_name,
+            "permissions": model_permissions(model_admin, request),
+            "fieldsets": _fieldsets_payload(model_admin, request, None, visible_names),
+            "fields": fields,
+        }
+        response = JsonResponse(payload, status=200)
+        response["Cache-Control"] = "no-store"
+        return response

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/views/list.py

@@ -112,7 +112,10 @@ class ListView(View):
         list_display = list(model_admin.get_list_display(request))
         columns = _columns_payload(model_admin, list_display, request)
 
-        results = [_row_for(obj, model_admin, list_display, request) for obj in queryset[start:end]]
+        results = [
+            _row_for(obj, model_admin, list_display, request, admin_site)
+            for obj in queryset[start:end]
+        ]
 
         body: dict[str, Any] = {
             "app_label": model._meta.app_label,
@@ -267,6 +270,7 @@ def _row_for(
     model_admin: ModelAdmin,
     list_display: list[str],
     request: HttpRequest,
+    admin_site: Any = None,
 ) -> dict[str, Any]:
     """Build one ``results[]`` entry for the list response.
 
@@ -283,11 +287,11 @@ def _row_for(
             _f, _attr, value = lookup_field(name, obj, model_admin)
         except Exception:  # pragma: no cover — defensive
             value = ""
-        fields[name] = _serialize_list_value(obj, name, value)
+        fields[name] = _serialize_list_value(obj, name, value, admin_site)
     return {"pk": obj.pk, "label": label_for(obj), "fields": fields}
 
 
-def _serialize_list_value(obj: Model, name: str, value: Any) -> Any:
+def _serialize_list_value(obj: Model, name: str, value: Any, admin_site: Any = None) -> Any:
     """Serialize a single ``list_display`` cell.
 
     FK fields go through the FK envelope (``{"id", "label"}``);
@@ -300,5 +304,5 @@ def _serialize_list_value(obj: Model, name: str, value: Any) -> Any:
     """
     model_field = safe_get_field(obj, name)
     if isinstance(model_field, ForeignKey):
-        return serialize_fk_value(value)
+        return serialize_fk_value(value, admin_site=admin_site)
     return serialize_value(value, field=model_field)

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/api/views/schema.py

@@ -254,9 +254,7 @@ def _components() -> dict[str, Any]:
                         "type": "array",
                         "items": {"$ref": "#/components/schemas/ActionSpec"},
                     },
-                    "date_hierarchy": {
-                        "$ref": "#/components/schemas/DateHierarchy"
-                    },
+                    "date_hierarchy": {"$ref": "#/components/schemas/DateHierarchy"},
                     "page": {"type": "integer"},
                     "page_size": {"type": "integer"},
                     "total": {"type": "integer"},
@@ -337,9 +335,7 @@ def _components() -> dict[str, Any]:
                     },
                     "fields": {
                         "type": "object",
-                        "additionalProperties": {
-                            "$ref": "#/components/schemas/FieldDescriptor"
-                        },
+                        "additionalProperties": {"$ref": "#/components/schemas/FieldDescriptor"},
                     },
                 },
             },
@@ -365,11 +361,7 @@ def _components() -> dict[str, Any]:
         "responses": {
             "Error": {
                 "description": "Error envelope.",
-                "content": {
-                    "application/json": {
-                        "schema": {"$ref": "#/components/schemas/Error"}
-                    }
-                },
+                "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Error"}}},
             }
         },
     }
@@ -462,9 +454,7 @@ def _ok_response(schema_ref: str) -> dict[str, Any]:
         "200": {
             "description": "OK.",
             "content": {
-                "application/json": {
-                    "schema": {"$ref": f"#/components/schemas/{schema_ref}"}
-                }
+                "application/json": {"schema": {"$ref": f"#/components/schemas/{schema_ref}"}}
             },
         },
         "403": {"$ref": "#/components/responses/Error"},

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/conf.py

@@ -41,6 +41,34 @@ DEFAULTS: dict[str, Any] = {
     #                        URL or a path under your ``STATIC_URL``.
     "BRAND_TITLE": None,
     "BRAND_LOGO_URL": None,
+    # ``REACT_LOGIN`` — opt-in React-rendered login (Issue #167).
+    # Default ``False`` keeps today's behavior: ``SpaIndexView``
+    # redirects anonymous / unauthorized users to Django's HTML login
+    # (or the package's own ``<mount>/login/`` page). When ``True``,
+    # the SPA shell is served to anonymous users (with the CSRF cookie
+    # set) so the React app can render its own login form, which POSTs
+    # to ``/api/v1/login/``. The auth *mechanism* is unchanged — still
+    # Django's ``authenticate``/``login`` behind the JSON endpoint
+    # (`api/views/auth.py`); only the UI surface differs. The shell
+    # carries no user data, so serving it to anonymous users discloses
+    # nothing the static bundle wouldn't, and every data API call still
+    # returns 403 until the user authenticates.
+    "REACT_LOGIN": False,
+    # PWA (Issue #86) — all optional; sane defaults make the manifest
+    # work with zero config. See ``django_admin_react/pwa.py`` +
+    # ``docs/ux/pwa.md``.
+    #
+    # ``PWA_NAME``       — installed-app name. ``None`` (default) falls
+    #                      back to the AdminSite ``site_header``, then
+    #                      ``"Django admin"``.
+    # ``PWA_SHORT_NAME`` — home-screen label. Defaults to ``"Admin"``.
+    # ``PWA_ICONS``      — list of ``{src, sizes, type[, purpose]}``
+    #                      dicts. ``None`` (default) uses the shipped
+    #                      192/512/maskable set under
+    #                      ``static/dar/icons/``.
+    "PWA_NAME": None,
+    "PWA_SHORT_NAME": None,
+    "PWA_ICONS": None,
 }
 
 
@@ -58,6 +86,10 @@ class _PackageSettings:
     ENABLE_PROFILING: bool = DEFAULTS["ENABLE_PROFILING"]
     BRAND_TITLE: str | None = DEFAULTS["BRAND_TITLE"]
     BRAND_LOGO_URL: str | None = DEFAULTS["BRAND_LOGO_URL"]
+    REACT_LOGIN: bool = DEFAULTS["REACT_LOGIN"]
+    PWA_NAME: str | None = DEFAULTS["PWA_NAME"]
+    PWA_SHORT_NAME: str | None = DEFAULTS["PWA_SHORT_NAME"]
+    PWA_ICONS: list[dict[str, str]] | None = DEFAULTS["PWA_ICONS"]
 
 
 def _load() -> _PackageSettings:

django_admin_react-0.2.0a4/django_admin_react/pwa.py

@@ -0,0 +1,152 @@
+"""PWA surface: web app manifest + service worker (Issue #86).
+
+Wire/UX contract: ``docs/ux/pwa.md``. The Security lane owns this
+surface because its load-bearing properties are security ones:
+
+- The **manifest** (``<mount>/web.manifest``) is served unauthenticated
+  (the install prompt fires before login) and is computed at request
+  time, but it carries **no per-user data** — only static/global values
+  (mount-derived ``start_url``/``scope``, the AdminSite header, icons,
+  theme colours from the client hint). An anonymous reader learns
+  nothing they couldn't get from the static bundle.
+- The **service worker** (``<mount>/sw.js``) is served with
+  ``Service-Worker-Allowed: <mount>`` so its scope is exactly the mount
+  and **never** sibling Django views. It honours ``Cache-Control:
+  no-store`` (so the package's no-store API reads are never cached),
+  never caches non-GET requests (mutation safety), and exposes a
+  cache-purge message used on logout so read-cached payloads can't
+  outlive the session (``pwa.md`` §5 — defense-in-depth atop session
+  expiry).
+
+Both views live **outside** ``api/`` because they're served at the
+mount root, not under ``api/v1/``, and the manifest is intentionally
+anonymous (unlike every API endpoint, which is staff-gated).
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from django.http import HttpRequest
+from django.http import HttpResponse
+from django.http import JsonResponse
+from django.shortcuts import render
+from django.views.generic import View
+
+from django_admin_react import conf as dar_conf
+from django_admin_react.api.registry import get_admin_site
+
+# Theme colours keyed by the resolved colour scheme. Kept here (not in
+# the SPA's CSS-var system) because the manifest is rendered server-side
+# before any CSS loads; these are the install-banner / splash colours
+# Android uses, and they only need to *approximate* the SPA theme.
+_THEME_COLOURS = {
+    "light": {"background": "#ffffff", "theme": "#2563eb"},
+    "dark": {"background": "#0b0f19", "theme": "#3b82f6"},
+}
+
+_DEFAULT_ICONS: list[dict[str, str]] = [
+    {"src": "static/dar/icons/icon-192.png", "sizes": "192x192", "type": "image/png"},
+    {"src": "static/dar/icons/icon-512.png", "sizes": "512x512", "type": "image/png"},
+    {
+        "src": "static/dar/icons/icon-512-maskable.png",
+        "sizes": "512x512",
+        "type": "image/png",
+        "purpose": "maskable",
+    },
+]
+
+
+def _mount(request: HttpRequest, suffix: str) -> str:
+    """Reconstruct the consumer's mount prefix from ``request.path``.
+
+    The view is routed at ``<mount>/<suffix>`` (e.g. ``web.manifest``),
+    so stripping the known suffix off ``request.path`` yields the mount.
+    Mirrors ``views._mount_from_request`` but is local so this module
+    has no import dependency on the SPA index view.
+    """
+    path = request.path
+    idx = path.rfind(suffix)
+    if idx == -1:
+        return "/"
+    return path[:idx] or "/"
+
+
+def _resolved_scheme(request: HttpRequest) -> str:
+    """Resolve light/dark from the ``Sec-CH-Prefers-Color-Scheme`` hint.
+
+    Pairs with the theming client-hint path (``theming.md`` §2). Any
+    value other than a case-insensitive ``"dark"`` resolves to light —
+    the safe, neutral default when the hint is absent or unexpected.
+    """
+    hint = (request.headers.get("Sec-CH-Prefers-Color-Scheme") or "").strip().lower()
+    return "dark" if hint == "dark" else "light"
+
+
+class ManifestView(View):
+    """``GET <mount>/web.manifest`` — the PWA web app manifest.
+
+    Unauthenticated by design (the install prompt needs it pre-login).
+    Carries no per-user data; every field is static or mount-/header-
+    derived. ``Cache-Control: no-store`` is **not** set — the manifest
+    is deliberately cacheable/network-first (``pwa.md`` §2.1).
+    """
+
+    http_method_names = ["get"]
+
+    def get(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        mount = _mount(request, "web.manifest")
+        scheme = _resolved_scheme(request)
+        colours = _THEME_COLOURS[scheme]
+
+        admin_site = get_admin_site()
+        site_header = getattr(admin_site, "site_header", None)
+        name = dar_conf.PWA_NAME or (str(site_header) if site_header else "Django admin")
+        short_name = dar_conf.PWA_SHORT_NAME or "Admin"
+        icons = dar_conf.PWA_ICONS or _DEFAULT_ICONS
+
+        manifest = {
+            "name": name,
+            "short_name": short_name,
+            "start_url": mount,
+            "scope": mount,
+            "display": "standalone",
+            "orientation": "any",
+            "background_color": colours["background"],
+            "theme_color": colours["theme"],
+            "icons": icons,
+        }
+        response = JsonResponse(manifest, content_type="application/manifest+json")
+        # Vary on the client hint so a light/dark cache entry doesn't
+        # serve the wrong splash colours to the other scheme.
+        response["Vary"] = "Sec-CH-Prefers-Color-Scheme"
+        return response
+
+
+class ServiceWorkerView(View):
+    """``GET <mount>/sw.js`` — the hand-rolled service worker.
+
+    Served with ``Service-Worker-Allowed: <mount>`` so the SW can claim
+    the whole mount as its scope (a SW's default scope is its own path;
+    the header widens it to the mount root). The JS is rendered from a
+    template with the mount injected so the SW's fetch interception is
+    bounded to the mount and never touches sibling Django views.
+    """
+
+    http_method_names = ["get"]
+
+    def get(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
+        mount = _mount(request, "sw.js")
+        response = render(
+            request,
+            "admin_react/sw.js",
+            {"mount": mount},
+            content_type="application/javascript",
+        )
+        # Allow the SW to control the entire mount, not just ``<mount>/sw.js``.
+        response["Service-Worker-Allowed"] = mount
+        # The SW script itself should not be cached aggressively — a new
+        # deploy must be able to ship a new SW. ``no-cache`` (revalidate)
+        # not ``no-store`` so the browser's SW update check still works.
+        response["Cache-Control"] = "no-cache"
+        return response

{django_admin_react-0.2.0a2 → django_admin_react-0.2.0a4}/django_admin_react/static/admin_react/.vite/manifest.json

@@ -1,11 +1,11 @@
 {
   "index.html": {
-    "file": "assets/index-BE3CZdBI.js",
+    "file": "assets/index-Ch1wOBLJ.js",
     "name": "index",
     "src": "index.html",
     "isEntry": true,
     "css": [
-      "assets/index-xZLX3uph.css"
+      "assets/index-Cf63Q57m.css"
     ]
   }
 }