feat(spa): create — Add form completes CRUD

The SPA could read/edit/delete but not create. This adds the create
path so a new object can be added entirely from /admin2/, completing
core CRUD parity with the Django admin.

Backend:
- views/create_form.py — GET <app>/<model>/add/ returns the
  create-form schema (fieldsets + field descriptors) for a NEW object.
  Builds an unsaved instance + the ADD form (get_form(request,
  obj=None, change=False) — exactly how Django's add view constructs
  it) and reuses the detail view's descriptor builders so the field
  shape is byte-identical to edit (one FieldInput renders both).
  Gated on has_add_permission (create is gated on add, not view).
  Sensitive-name denylist applied. No pk/label/inlines (it's a new
  object). urls.py: `add/` route before the `<pk>` instance route.

Frontend:
- AddFormResponse contract type + ApiClient.addForm().
- CreatePage.tsx — fetches the add-form schema, renders the shared
  FieldInput form, POSTs via createObject, surfaces field-level
  validation errors, navigates to the new object's detail on success.
- App.tsx — `:app/:model/add` route (literal `add` ranks above the
  `:pk` route in React Router, so it can't be mistaken for a detail).
- ListPage — "+ Add <Model>" button in the header, shown only when
  permissions.add.

Create goes through ModelAdmin.get_form() → is_valid() → save_model()
on the backend (the existing POST path); the SPA only builds the
payload + renders errors.

Tests (tests/test_create_form.py): anon→redirect/403, non-staff→403,
staff+add→200 with field descriptors, staff without add perm→403,
unregistered→404, and the add form is built with change=False/obj=None
(Django add-view contract). 22/22 create-form + detail tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: martin-castro-laminr-ai

django_admin_react/api/urls.py

@@ -26,6 +26,7 @@
 from django_admin_react.api.views.autocomplete import AutocompleteView
 from django_admin_react.api.views.bulk import BulkUpdateView
 from django_admin_react.api.views.create import CreateView
+from django_admin_react.api.views.create_form import AddFormView
 from django_admin_react.api.views.delete_preview import DeletePreviewView
 from django_admin_react.api.views.destroy import DestroyView
 from django_admin_react.api.views.detail import DetailView
@@ -110,6 +111,14 @@ def delete(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpRespons
         BulkUpdateView.as_view(),
         name="bulk_update",
     ),
+    # Add-form schema — the create page's field descriptors for a NEW
+    # object. Literal ``add`` must precede the ``<pk>`` instance route
+    # below so it isn't swallowed as a pk.
+    path(
+        "<str:app_label>/<str:model_name>/add/",
+        AddFormView.as_view(),
+        name="add_form",
+    ),
     path(
         "<str:app_label>/<str:model_name>/",
         CollectionView.as_view(),

django_admin_react/api/views/create_form.py

@@ -0,0 +1,96 @@
+"""``GET /api/v1/<app>/<model>/add/`` — the create-form schema.
+
+The detail view (``/<pk>/``) needs an existing object; the SPA's
+create page needs the same field descriptors + fieldsets for a *new*
+object. This view builds that payload from an unsaved instance, the
+add form (``get_form(request, obj=None, change=False)`` — exactly how
+Django's add view builds it), and the read-visible field set.
+
+It deliberately reuses the detail view's descriptor builders so the
+field shape is byte-for-byte identical to what edit renders — the SPA
+uses one ``FieldInput`` component for both.
+
+Hard rules: staff gate (rule 1), model resolved through the registry
+(rule 3), ``has_add_permission`` gate (rule 6 — create is gated on
+add, not view), sensitive-name denylist applied (S-31).
+"""
+
+from __future__ import annotations
+
+from typing import Any
+
+from django.http import HttpRequest
+from django.http import HttpResponse
+from django.http import JsonResponse
+from django.views.generic import View
+
+from django_admin_react.api.permissions import forbidden_response
+from django_admin_react.api.permissions import is_admin_user
+from django_admin_react.api.registry import get_admin_site
+from django_admin_react.api.registry import model_permissions
+from django_admin_react.api.registry import resolve_model
+from django_admin_react.api.views.detail import _descriptor_for
+from django_admin_react.api.views.detail import _fieldsets_payload
+from django_admin_react.api.views.detail import _visible_field_names
+from django_admin_react.api.writes import not_found_response
+
+
+class AddFormView(View):
+    """``GET /api/v1/<app_label>/<model_name>/add/`` — empty create form."""
+
+    http_method_names = ["get"]
+
+    def get(
+        self,
+        request: HttpRequest,
+        app_label: str,
+        model_name: str,
+        *args: Any,
+        **kwargs: Any,
+    ) -> HttpResponse:
+        admin_site = get_admin_site()
+        if not is_admin_user(request, admin_site=admin_site):
+            return forbidden_response(request)
+
+        resolved = resolve_model(admin_site, request, app_label, model_name)
+        if resolved is None:
+            return not_found_response()
+        model, model_admin = resolved
+
+        # Create is gated on add — not view. A user who can view but
+        # not add must not be handed an add form.
+        if not model_admin.has_add_permission(request):
+            return forbidden_response(request)
+
+        # Unsaved instance so descriptor builders have field defaults to
+        # read (FK → None, M2M → [] via the guards in _descriptor_for).
+        obj = model()
+
+        visible_names = _visible_field_names(model_admin, request, None)
+        readonly = set(model_admin.get_readonly_fields(request, None) or ())
+        # The ADD form — change=False, obj=None — exactly how Django's
+        # add view constructs it (``ModelAdmin._changeform_view`` with
+        # add=True passes change=False).
+        form = model_admin.get_form(request, obj=None, change=False)()
+
+        fields: dict[str, dict[str, Any]] = {}
+        for name in visible_names:
+            fields[name] = _descriptor_for(
+                model=model,
+                model_admin=model_admin,
+                obj=obj,
+                name=name,
+                form=form,
+                is_readonly=name in readonly,
+            )
+
+        payload = {
+            "app_label": model._meta.app_label,
+            "model_name": model._meta.model_name,
+            "permissions": model_permissions(model_admin, request),
+            "fieldsets": _fieldsets_payload(model_admin, request, None, visible_names),
+            "fields": fields,
+        }
+        response = JsonResponse(payload, status=200)
+        response["Cache-Control"] = "no-store"
+        return response

frontend/apps/web/src/App.tsx

@@ -7,6 +7,7 @@ import { HomePage } from './pages/HomePage';
 import { ListPage } from './pages/ListPage';
 import { DetailPage } from './pages/DetailPage';
 import { LoginPage } from './pages/LoginPage';
+import { CreatePage } from './pages/CreatePage';
 
 export function App() {
   const registry = useRegistry();
@@ -30,6 +31,10 @@ export function App() {
       <Routes>
         <Route path="/" element={<HomePage />} />
         <Route path=":appLabel/:modelName" element={<ListPage />} />
+        {/* Literal `add` is ranked above the `:pk` route by React
+            Router, so /app/model/add opens the create form, not a
+            detail with pk="add". */}
+        <Route path=":appLabel/:modelName/add" element={<CreatePage />} />
         <Route path=":appLabel/:modelName/:pk" element={<DetailPage />} />
         <Route
           path="*"

frontend/apps/web/src/pages/CreatePage.tsx

@@ -0,0 +1,159 @@
+// CreatePage — add a new object.
+//
+// Fetches the create-form schema from GET <app>/<model>/add/ (same
+// field/fieldset shape as detail, for an unsaved object), renders the
+// shared FieldInput form, and POSTs via createObject. Field-level
+// validation errors come back in the envelope and render next to each
+// input. On success, navigates to the new object's detail page.
+
+import { useEffect, useState } from 'react';
+import { Link, useNavigate, useParams } from 'react-router-dom';
+
+import {
+  ApiError,
+  createObject,
+  useApiClient,
+  type AddFormResponse,
+  type WriteValue,
+} from '@dar/data';
+import { Button, Card, EmptyState, Spinner } from '@dar/ui';
+
+import { FieldInput } from '../components/FieldInput';
+
+export function CreatePage() {
+  const params = useParams<{ appLabel: string; modelName: string }>();
+  const appLabel = params.appLabel ?? '';
+  const modelName = params.modelName ?? '';
+  const client = useApiClient();
+  const navigate = useNavigate();
+
+  const [schema, setSchema] = useState<AddFormResponse | null>(null);
+  const [loadError, setLoadError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let alive = true;
+    setSchema(null);
+    setLoadError(null);
+    client
+      .addForm(appLabel, modelName)
+      .then((s) => {
+        if (alive) setSchema(s);
+      })
+      .catch((e: unknown) => {
+        if (alive) setLoadError(e instanceof Error ? e.message : 'Could not load the add form.');
+      });
+    return () => {
+      alive = false;
+    };
+  }, [client, appLabel, modelName]);
+
+  if (loadError) {
+    return <EmptyState title="Couldn't open the add form" description={loadError} />;
+  }
+  if (!schema) return <Spinner label="Loading…" />;
+
+  return (
+    <div className="space-y-4">
+      <header>
+        <Link to={`/${appLabel}/${modelName}`} className="text-sm text-blue-600 hover:underline">
+          ← Back to list
+        </Link>
+        <h1 className="mt-1 text-2xl font-semibold">Add {appLabel} · {modelName}</h1>
+      </header>
+      <CreateForm
+        schema={schema}
+        onCreate={async (payload) => {
+          const created = await createObject({ client, appLabel, modelName, payload });
+          navigate(`/${appLabel}/${modelName}/${created.pk}`);
+        }}
+        onCancel={() => navigate(`/${appLabel}/${modelName}`)}
+      />
+    </div>
+  );
+}
+
+interface CreateFormProps {
+  schema: AddFormResponse;
+  onCreate: (payload: Record<string, WriteValue>) => Promise<void>;
+  onCancel: () => void;
+}
+
+function CreateForm({ schema, onCreate, onCancel }: CreateFormProps) {
+  const [values, setValues] = useState<Record<string, WriteValue>>(() => {
+    const init: Record<string, WriteValue> = {};
+    for (const [name, field] of Object.entries(schema.fields)) {
+      if (field.readonly) continue;
+      const v = field.value;
+      // Seed with the model default where the wire carries a scalar;
+      // FK envelopes / arrays / html start empty for a new object.
+      init[name] = v !== null && typeof v !== 'object' ? v : null;
+    }
+    return init;
+  });
+  const [errors, setErrors] = useState<Record<string, string[]>>({});
+  const [nonFieldError, setNonFieldError] = useState<string | null>(null);
+  const [saving, setSaving] = useState(false);
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    setSaving(true);
+    setErrors({});
+    setNonFieldError(null);
+    try {
+      await onCreate(values);
+    } catch (err) {
+      if (err instanceof ApiError && err.envelope?.error) {
+        const fieldErrors = err.envelope.error.fields ?? {};
+        setErrors(fieldErrors);
+        if (Object.keys(fieldErrors).length === 0) {
+          setNonFieldError(err.envelope.error.message || 'Create failed.');
+        }
+      } else {
+        setNonFieldError(err instanceof Error ? err.message : 'Create failed.');
+      }
+    } finally {
+      setSaving(false);
+    }
+  }
+
+  return (
+    <form onSubmit={handleSubmit} className="space-y-4">
+      {nonFieldError && (
+        <div className="rounded border border-red-300 bg-red-50 px-3 py-2 text-sm text-red-700">
+          {nonFieldError}
+        </div>
+      )}
+      {schema.fieldsets.map((fieldset, idx) => (
+        <Card
+          key={`cfs-${idx}-${fieldset.title ?? 'default'}`}
+          title={fieldset.title ?? undefined}
+        >
+          <div className="divide-y divide-gray-100">
+            {fieldset.fields.map((name) => {
+              const field = schema.fields[name];
+              if (!field) return null;
+              return (
+                <FieldInput
+                  key={name}
+                  name={name}
+                  field={field}
+                  value={values[name] ?? null}
+                  error={errors[name]}
+                  onChange={(v) => setValues((prev) => ({ ...prev, [name]: v }))}
+                />
+              );
+            })}
+          </div>
+        </Card>
+      ))}
+      <div className="flex gap-2">
+        <Button type="submit" variant="primary" disabled={saving}>
+          {saving ? 'Saving…' : 'Add'}
+        </Button>
+        <Button type="button" variant="secondary" onClick={onCancel} disabled={saving}>
+          Cancel
+        </Button>
+      </div>
+    </form>
+  );
+}

frontend/apps/web/src/pages/ListPage.tsx

@@ -7,7 +7,7 @@
 
 import { useEffect, useMemo, useState } from 'react';
 import { ListFilter } from 'lucide-react';
-import { useNavigate, useParams, useSearchParams } from 'react-router-dom';
+import { Link, useNavigate, useParams, useSearchParams } from 'react-router-dom';
 
 import {
   useApiClient,
@@ -173,16 +173,27 @@ export function ListPage() {
 
   return (
     <div className="space-y-4">
-      <header>
-        <h1 className="text-2xl font-semibold">
-          <span className="capitalize">{appLabel}</span> ·{' '}
-          {data.verbose_name_plural
-            ? capitalize(data.verbose_name_plural)
-            : data.object_name || modelName}
-        </h1>
-        <p className="text-sm text-gray-500">
-          {data.total.toLocaleString()} object{data.total === 1 ? '' : 's'}
-        </p>
+      <header className="flex items-start justify-between gap-4">
+        <div>
+          <h1 className="text-2xl font-semibold">
+            <span className="capitalize">{appLabel}</span> ·{' '}
+            {data.verbose_name_plural
+              ? capitalize(data.verbose_name_plural)
+              : data.object_name || modelName}
+          </h1>
+          <p className="text-sm text-gray-500">
+            {data.total.toLocaleString()} object{data.total === 1 ? '' : 's'}
+          </p>
+        </div>
+        {data.permissions.add && (
+          <Link
+            to={`/${appLabel}/${modelName}/add`}
+            className="shrink-0 rounded-md border border-blue-600 bg-blue-600 px-3 py-2 text-sm font-medium text-white hover:bg-blue-700"
+          >
+            + Add{' '}
+            {data.verbose_name ? capitalize(data.verbose_name) : modelName}
+          </Link>
+        )}
       </header>
 
       {/* Toolbar row (#177 / #182): Actions dropdown (only when rows are

frontend/packages/api/src/client.ts

@@ -6,6 +6,7 @@
 
 import type {
   ActionRunResponse,
+  AddFormResponse,
   CreatePayload,
   CreateResponse,
   DetailResponse,
@@ -173,6 +174,11 @@ export class ApiClient {
     return this.request<LoginResponse>('POST', 'login/', { username, password });
   }
 
+  /** The create-form schema for a NEW object (GET <app>/<model>/add/). */
+  addForm(appLabel: string, modelName: string): Promise<AddFormResponse> {
+    return this.request<AddFormResponse>('GET', `${appLabel}/${modelName}/add/`);
+  }
+
   create(appLabel: string, modelName: string, payload: CreatePayload): Promise<CreateResponse> {
     return this.request<CreateResponse>('POST', `${appLabel}/${modelName}/`, payload);
   }

frontend/packages/api/src/contract.ts

@@ -246,6 +246,20 @@ export interface DetailResponse {
   inlines: InlineDescriptor[];
 }
 
+/**
+ * Response of `GET /api/v1/<app>/<model>/add/` — the create-form schema
+ * for a NEW object. Same field/fieldset shape as the detail response
+ * (so one FieldInput renders both), minus the per-object bits (pk,
+ * label, inlines). Field values carry the model defaults.
+ */
+export interface AddFormResponse {
+  app_label: string;
+  model_name: string;
+  permissions: Permissions;
+  fieldsets: FieldsetDescriptor[];
+  fields: Record<string, FieldDescriptor>;
+}
+
 export interface CreateResponse {
   pk: number | string;
   label: string;

frontend/packages/data/src/index.ts

@@ -10,6 +10,7 @@ export type { ApiProviderProps } from './api-context';
 export { ApiClient, ApiError } from '@dar/api';
 export type {
   ActionDescriptor,
+  AddFormResponse,
   ActionRunResponse,
   ApiClientConfig,
   ColumnDescriptor,