plain 0.62.1__tar.gz → 0.64.0__tar.gz

{plain-0.62.1 → plain-0.64.0}/.gitignore

@@ -11,8 +11,6 @@ plain*/tests/.plain
 # Ottobot
 .aider*
 
-/llms-full.txt
-
 # Plain temp dirs
 .plain
 

{plain-0.62.1 → plain-0.64.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: plain
-Version: 0.62.1
+Version: 0.64.0
 Summary: A web framework for building products with Python.
 Author-email: Dave Gaeddert <dave.gaeddert@dropseed.dev>
 License-File: LICENSE

{plain-0.62.1 → plain-0.64.0}/plain/CHANGELOG.md

@@ -1,5 +1,29 @@
 # plain changelog
 
+## [0.64.0](https://github.com/dropseed/plain/releases/plain@0.64.0) (2025-09-19)
+
+### What's changed
+
+- Added `plain-build` command as a standalone executable ([4b39ca4](https://github.com/dropseed/plain/commit/4b39ca4599))
+- Removed `constant_time_compare` utility function in favor of `hmac.compare_digest` ([55f3f55](https://github.com/dropseed/plain/commit/55f3f5596d))
+- CLI now forces colors in CI environments (GitHub Actions, GitLab CI, etc.) for better output visibility ([56f7d2b](https://github.com/dropseed/plain/commit/56f7d2b312))
+
+### Upgrade instructions
+
+- Replace any usage of `plain.utils.crypto.constant_time_compare` with `hmac.compare_digest` or `secrets.compare_digest`
+
+## [0.63.0](https://github.com/dropseed/plain/releases/plain@0.63.0) (2025-09-12)
+
+### What's changed
+
+- Model manager attribute renamed from `objects` to `query` throughout codebase ([037a239](https://github.com/dropseed/plain/commit/037a239ef4))
+- Simplified HTTPS redirect middleware by removing `HTTPS_REDIRECT_EXEMPT_PATHS` and `HTTPS_REDIRECT_HOST` settings ([d264cd3](https://github.com/dropseed/plain/commit/d264cd306b))
+- Database backups are now created automatically during migrations when `DEBUG=True` unless explicitly disabled ([c802307](https://github.com/dropseed/plain/commit/c8023074e9))
+
+### Upgrade instructions
+
+- Remove any `HTTPS_REDIRECT_EXEMPT_PATHS` and `HTTPS_REDIRECT_HOST` settings from your configuration - the HTTPS redirect middleware now performs a blanket redirect. For advanced redirect logic, write custom middleware.
+
 ## [0.62.1](https://github.com/dropseed/plain/releases/plain@0.62.1) (2025-09-09)
 
 ### What's changed
@@ -126,7 +150,7 @@
 
 - Update your URL patterns from `<int:pk>` to `<int:id>` in your URLconf
 - Update view code that accesses `self.url_kwargs["pk"]` to use `self.url_kwargs["id"]` instead
-- Replace any QuerySet filters using `pk` with `id` (e.g., `Model.objects.get(pk=1)` becomes `Model.objects.get(id=1)`)
+- Replace any QuerySet filters using `pk` with `id` (e.g., `Model.query.get(pk=1)` becomes `Model.query.get(id=1)`)
 
 ## [0.54.1](https://github.com/dropseed/plain/releases/plain@0.54.1) (2025-07-20)
 

{plain-0.62.1 → plain-0.64.0}/plain/chores/README.md

@@ -27,7 +27,7 @@ def clear_expired():
     """
     Delete sessions that have expired.
     """
-    result = Session.objects.filter(expires_at__lt=timezone.now()).delete()
+    result = Session.query.filter(expires_at__lt=timezone.now()).delete()
     return f"{result[0]} expired sessions deleted"
 ```
 

{plain-0.62.1 → plain-0.64.0}/plain/cli/agent/request.py

@@ -64,7 +64,7 @@ def request(path, method, data, user_id, follow, content_type, headers):
 
                     # Get the user
                     try:
-                        user = User.objects.get(id=user_id)
+                        user = User.query.get(id=user_id)
                         client.force_login(user)
                         click.secho(
                             f"Authenticated as user {user_id}", fg="green", dim=True

{plain-0.62.1 → plain-0.64.0}/plain/cli/formatting.py

@@ -1,3 +1,5 @@
+import os
+
 import click
 from click.formatting import iter_rows, measure_table, term_len, wrap_text
 
@@ -59,3 +61,13 @@ class PlainHelpFormatter(click.HelpFormatter):
 
 class PlainContext(click.Context):
     formatter_class = PlainHelpFormatter
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        # Force colors in CI environments
+        if any(
+            os.getenv(var)
+            for var in ["CI", "FORCE_COLOR", "GITHUB_ACTIONS", "GITLAB_CI"]
+        ) and not any(os.getenv(var) for var in ["NO_COLOR", "PYTEST_CURRENT_TEST"]):
+            self.color = True

{plain-0.62.1 → plain-0.64.0}/plain/cli/upgrade.py

@@ -153,7 +153,6 @@ def build_prompt(before_after: dict[str, tuple[str | None, str | None]]) -> str:
             "   - Process ALL packages before testing or validation",
             "   - After all packages are updated, run `uv run plain fix --unsafe-fixes` and `uv run plain pre-commit` to check results",
             "   - DO NOT commit any changes",
-            "   - DO NOT run `plain migrate` with the `--no-backup` option",
             "   - Keep code changes minimal and focused - avoid unnecessary comments",
             "",
             "3. **Available tools:**",

{plain-0.62.1 → plain-0.64.0}/plain/internal/middleware/https.py

@@ -1,5 +1,3 @@
-import re
-
 from plain.http import ResponseRedirect
 from plain.runtime import settings
 
@@ -8,16 +6,12 @@ class HttpsRedirectMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
-        # Settings for https (compile regexes once)
+        # Settings for HTTPS
         self.https_redirect_enabled = settings.HTTPS_REDIRECT_ENABLED
-        self.https_redirect_host = settings.HTTPS_REDIRECT_HOST
-        self.https_redirect_exempt = [
-            re.compile(r) for r in settings.HTTPS_REDIRECT_EXEMPT_PATHS
-        ]
 
     def __call__(self, request):
         """
-        Rewrite the URL based on settings.APPEND_SLASH
+        Perform a blanket HTTP→HTTPS redirect when enabled.
         """
 
         if redirect_response := self.maybe_https_redirect(request):
@@ -26,15 +20,8 @@ class HttpsRedirectMiddleware:
         return self.get_response(request)
 
     def maybe_https_redirect(self, request):
-        if (
-            self.https_redirect_enabled
-            and not request.is_https()
-            and not any(
-                pattern.search(request.path_info)
-                for pattern in self.https_redirect_exempt
-            )
-        ):
-            host = self.https_redirect_host or request.get_host()
+        if self.https_redirect_enabled and not request.is_https():
+            host = request.get_host()
             return ResponseRedirect(
                 f"https://{host}{request.get_full_path()}", status_code=301
             )

{plain-0.62.1 → plain-0.64.0}/plain/runtime/global_settings.py

@@ -37,17 +37,11 @@ DEFAULT_RESPONSE_HEADERS = {
     "X-Frame-Options": "DENY",
 }
 
-# Whether to redirect all non-HTTPS requests to HTTPS.
+# Whether to redirect all non-HTTPS requests to HTTPS (blanket redirect).
+# For anything more advanced (custom host, path exemptions, etc.), write
+# your own middleware.
 HTTPS_REDIRECT_ENABLED = True
 
-# Regex patterns for paths that should be exempt from HTTPS redirect
-# Examples: [r"^/health$", r"/api/internal/.*", r"/dev/.*"]
-HTTPS_REDIRECT_EXEMPT_PATHS: list[str] = []
-
-# Custom host to redirect to for HTTPS. If None, uses the same host as the request.
-# Useful for redirecting to a different domain (e.g., "secure.example.com")
-HTTPS_REDIRECT_HOST = None
-
 # If your Plain app is behind a proxy that sets a header to specify secure
 # connections, AND that proxy ensures that user-submitted headers with the
 # same name are ignored (so that people can't spoof it), set this value to

{plain-0.62.1 → plain-0.64.0}/plain/signing.py

@@ -35,12 +35,14 @@ These functions make use of all of them.
 
 import base64
 import datetime
+import hmac
 import json
 import time
 import zlib
 
 from plain.runtime import settings
-from plain.utils.crypto import constant_time_compare, salted_hmac
+from plain.utils.crypto import salted_hmac
+from plain.utils.encoding import force_bytes
 from plain.utils.regex_helper import _lazy_re_compile
 
 _SEP_UNSAFE = _lazy_re_compile(r"^[A-z0-9-_=]*$")
@@ -196,7 +198,9 @@ class Signer:
             raise BadSignature(f'No "{self.sep}" found in value')
         value, sig = signed_value.rsplit(self.sep, 1)
         for key in [self.key, *self.fallback_keys]:
-            if constant_time_compare(sig, self.signature(value, key)):
+            if hmac.compare_digest(
+                force_bytes(sig), force_bytes(self.signature(value, key))
+            ):
                 return value
         raise BadSignature(f'Signature "{sig}" does not match')
 

{plain-0.62.1 → plain-0.64.0}/plain/test/README.md

@@ -24,7 +24,7 @@ def test_client_example():
     assert client.session["example"] == "value"
 
     # Logging in
-    user = User.objects.first()
+    user = User.query.first()
     client.force_login(user)
     response = client.get("/protected/")
     assert response.status_code == 200

{plain-0.62.1 → plain-0.64.0}/plain/utils/crypto.py

@@ -62,11 +62,6 @@ def get_random_string(length, allowed_chars=RANDOM_STRING_CHARS):
     return "".join(secrets.choice(allowed_chars) for i in range(length))
 
 
-def constant_time_compare(val1, val2):
-    """Return True if the two strings are equal, False otherwise."""
-    return secrets.compare_digest(force_bytes(val1), force_bytes(val2))
-
-
 def pbkdf2(password, salt, iterations, dklen=0, digest=None):
     """Return the hash of password using pbkdf2."""
     if digest is None:

{plain-0.62.1 → plain-0.64.0}/plain/views/README.md

@@ -179,7 +179,7 @@ class ExampleDetailView(DetailView):
     template_name = "detail.html"
 
     def get_object(self):
-        return MyObjectClass.objects.get(
+        return MyObjectClass.query.get(
             id=self.url_kwargs["id"],
             user=self.request.user,  # Limit access
         )
@@ -197,7 +197,7 @@ class ExampleUpdateView(UpdateView):
     success_url = "."
 
     def get_object(self):
-        return MyObjectClass.objects.get(
+        return MyObjectClass.query.get(
             id=self.url_kwargs["id"],
             user=self.request.user,  # Limit access
         )
@@ -211,7 +211,7 @@ class ExampleDeleteView(DeleteView):
     # Just POST to this view to delete the object.
 
     def get_object(self):
-        return MyObjectClass.objects.get(
+        return MyObjectClass.query.get(
             id=self.url_kwargs["id"],
             user=self.request.user,  # Limit access
         )
@@ -221,7 +221,7 @@ class ExampleListView(ListView):
     template_name = "list.html"
 
     def get_objects(self):
-        return MyObjectClass.objects.filter(
+        return MyObjectClass.query.filter(
             user=self.request.user,  # Limit access
         )
 ```

{plain-0.62.1 → plain-0.64.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "plain"
-version = "0.62.1"
+version = "0.64.0"
 description = "A web framework for building products with Python."
 authors = [{name = "Dave Gaeddert", email = "dave.gaeddert@dropseed.dev"}]
 readme = "README.md"
@@ -18,6 +18,7 @@ plain = "plain.cli.core:cli"
 # Make this directly available without loading Plain,
 # for use in upgrade scripts.
 plain-changelog = "plain.cli.changelog:changelog"
+plain-build = "plain.cli.build:build"
 
 [tool.uv]
 dev-dependencies = [