docs(readme)+chore(deps): PyPI page polish + Django 6 support (#75)

README rework, scoped to the PyPI consumer's needs:

- Drop "Option B — install from source" (contributor-only, confused
  the install path).
- Drop "Documentation map" (those links are on GitHub once the user
  is in the repo; they're not what a `pip install` consumer needs).
- Drop "Developer scripts" (lint.sh / build.sh / deploy.sh —
  contributor-only).
- Convert relative `docs/screenshots/*.png` image refs to absolute
  `https://raw.githubusercontent.com/.../main/...` URLs so PyPI's
  renderer can resolve them.
- Expand "Extend without writing React" from 5 ModelAdmin knobs to
  ~10 with concrete examples: list_display, sortable_by,
  search_fields, ordering, exclude/readonly_fields, fieldsets,
  has_*_permission (with row-level), get_queryset, save_model,
  custom AdminSite + DJANGO_ADMIN_REACT['ADMIN_SITE'] pointer.
- New "What's not yet supported (tracked)" table mapping each
  unsupported feature to its tracker Issue (#54..#65) with a
  practical workaround per row.
- Convert internal doc links (CONTRIBUTING.md, SECURITY.md, LICENSE)
  to absolute github.com URLs so they survive on the PyPI page.
- Update the Security section to point at GitHub's Private
  Vulnerability Reporting (drops the `security@<TO-BE-CONFIGURED>`
  placeholder for end-users).

pyproject.toml:

- Bump Django range from `>=5.0,<6.0` to `>=5.0,<7.0` so 6.x
  releases install cleanly. Comment documents the bump policy.
- Add `Framework :: Django :: 6.0` classifier.
- Add `Programming Language :: Python :: 3.13` classifier.

PyPI rendering caveat: the image URLs only resolve once the repo is
public; the new PyPI release page only updates when a new version
(0.1.0a2) is published. README + classifier changes are the
prerequisite; the public flip + new release are the trigger.

Co-authored-by: Martin Castro Laminrs <mcastro@laminr.ai>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

README.md

@@ -4,16 +4,14 @@ A drop-in **React single-page admin** for any Django 5+ project. Same
 `pip install`, same `INSTALLED_APPS`, same `urls.py include()` — and
 your `ModelAdmin` classes drive everything. No React code on your side.
 
-> **Pre-alpha (`0.1.0a1`).** Available on PyPI as an alpha; install
-> from source for the latest. Track progress on the
+> **Pre-alpha.** Available on PyPI as an alpha. Pin tightly; expect
+> breaking changes between alpha releases. Track progress on the
 > [Project board](https://github.com/users/MartinCastroAlvarez/projects/3)
 > and the [Issues list](https://github.com/MartinCastroAlvarez/django-admin-react/issues).
 
 ---
 
-## Install in your Django project
-
-### Option A — once on PyPI (planned)
+## Install
 
 ```bash
 pip install django-admin-react
@@ -51,57 +49,28 @@ Tailwind-styled SPA driven by your existing `ModelAdmin` classes.
 The wheel ships the **pre-built React bundle**. You do **not** need
 Node, pnpm, or any frontend toolchain to install or run.
 
-### Option B — install from source (today)
-
-```bash
-git clone https://github.com/MartinCastroAlvarez/django-admin-react.git
-cd django-admin-react
-./scripts/build.sh              # builds the SPA + Python wheel
-pip install dist/*.whl          # install into your venv
-```
-
-Then wire it into your project as in Option A.
-
 ### Optional configuration
 
 All settings are optional. Defaults shown:
 
 ```python
 DJANGO_ADMIN_REACT = {
-    "ADMIN_SITE": "django.contrib.admin.site",   # dotted path
+    "ADMIN_SITE": "django.contrib.admin.site",   # dotted path to AdminSite instance
     "DEFAULT_PAGE_SIZE": 25,
     "MAX_PAGE_SIZE": 200,
     "ENABLE_PROFILING": False,
 }
 ```
 
----
-
-## Extend without writing React
-
-Just edit your `ModelAdmin` — the UI follows. No JS required.
-
-```python
-# yourapp/admin.py
-from django.contrib import admin
-from .models import Invoice
-
-@admin.register(Invoice)
-class InvoiceAdmin(admin.ModelAdmin):
-    list_display = ("number", "customer", "total", "issued_at")
-    search_fields = ("number", "customer__name")
-    readonly_fields = ("total",)            # ← UI hides the input
-    list_filter = ("status",)               # ← UI surfaces the filter
+### Requirements
 
-    def has_add_permission(self, request):
-        return request.user.has_perm("billing.create_invoice")
-        #                                                     ↑
-        # UI hides the Add button automatically when this returns False.
-```
-
-Permissions, querysets, search, validation — all your `ModelAdmin`'s
-answers, surfaced verbatim in the React UI. The package never invents
-its own permission model.
+- **Python**: 3.10+
+- **Django**: 5.0, 5.1, 5.2, 6.0 (and any later 6.x)
+- **Database**: anything Django supports — the package is ORM-only, no
+  direct SQL.
+- **Auth**: Django's built-in session + CSRF. Works with custom
+  `AUTH_USER_MODEL`, custom `AUTHENTICATION_BACKENDS`, and custom
+  `AdminSite.has_permission`.
 
 ---
 
@@ -112,30 +81,196 @@ its own permission model.
 > shell is in flight; until then, the images below show the
 > **legacy HTML admin** running against the example apps — i.e.,
 > the experience `django-admin-react` modernises. Once the SPA
-> renders, this section regenerates from the same script. Tracked
-> on the [Project board](https://github.com/users/MartinCastroAlvarez/projects/3).
+> renders, this section regenerates from the same script.
 
 | Login (the entry door)                            | Admin index (legacy)                                    |
 | ------------------------------------------------- | ------------------------------------------------------- |
-| ![Login](docs/screenshots/01-admin-login.png)     | ![Admin index](docs/screenshots/02-admin-index.png)     |
+| ![Login](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/01-admin-login.png)     | ![Admin index](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/02-admin-index.png)     |
 
 | Library / Authors — list view                                  | Library / Author — detail view                                  |
 | -------------------------------------------------------------- | --------------------------------------------------------------- |
-| ![Author list](docs/screenshots/03-admin-library-list.png)     | ![Author detail](docs/screenshots/05-admin-library-detail.png)  |
+| ![Author list](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/03-admin-library-list.png)     | ![Author detail](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/05-admin-library-detail.png)  |
 
 | Mobile (375 px)                                                       | API: `GET /api/v1/registry/` JSON                       |
 | --------------------------------------------------------------------- | ------------------------------------------------------- |
-| ![Mobile list](docs/screenshots/04-admin-library-list-mobile.png)     | ![Registry JSON](docs/screenshots/06-registry-api-json.png) |
+| ![Mobile list](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/04-admin-library-list-mobile.png)     | ![Registry JSON](https://raw.githubusercontent.com/MartinCastroAlvarez/django-admin-react/main/docs/screenshots/06-registry-api-json.png) |
 
 Every screenshot uses a deterministic synthetic seed (no real
-people, accounts, or PII). Regenerate with:
+people, accounts, or PII).
 
-```bash
-bash scripts/screenshots.sh
+---
+
+## Extend without writing React
+
+Everything below is **just `ModelAdmin`**. No JavaScript. No new
+classes. The UI follows whatever your admin declares.
+
+### Pick what columns appear on the list view
+
+```python
+@admin.register(Invoice)
+class InvoiceAdmin(admin.ModelAdmin):
+    list_display = ("number", "customer", "status", "total", "issued_at")
+```
+
+### Make columns sortable
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    list_display   = ("number", "customer", "status", "total", "issued_at")
+    sortable_by    = ("issued_at", "total")        # everything else is fixed
+```
+
+### Add free-text search
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    search_fields  = ("number", "customer__name", "notes__icontains")
+    # The SPA wires `?q=<term>` to `ModelAdmin.get_search_results` verbatim.
 ```
 
-The script boots a one-off SQLite DB, seeds fixtures, captures via
-Playwright (Chromium), and writes the six PNGs above.
+### Default ordering
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    ordering = ("-issued_at",)
+```
+
+### Hide a field from the form
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    exclude         = ("internal_audit_hash",)   # never reaches the SPA
+    readonly_fields = ("total",)                 # rendered as read-only
+```
+
+The SPA respects `exclude` and `readonly_fields` exactly the way the
+legacy admin does. Sensitive-named fields (`password`, `secret`,
+`token`, `api_key`, `hash`, `private_key`, `session`, `nonce`, `salt`)
+are filtered on top of those rules as defense-in-depth.
+
+### Group fields into sections
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    fieldsets = (
+        ("Identity",     {"fields": ("number", "customer")}),
+        ("Money",        {"fields": ("subtotal", "tax", "total")}),
+        ("Lifecycle",    {"fields": ("status", "issued_at", "paid_at")}),
+        ("Internal",     {"fields": ("notes",), "classes": ("collapse",)}),
+    )
+```
+
+### Per-row permission gating
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    def has_add_permission(self, request):
+        return request.user.has_perm("billing.create_invoice")
+
+    def has_change_permission(self, request, obj=None):
+        if obj is None:
+            return request.user.has_perm("billing.change_invoice")
+        return obj.owner_id == request.user.id   # row-level rule
+
+    def has_delete_permission(self, request, obj=None):
+        return False    # nobody deletes invoices
+
+    def has_view_permission(self, request, obj=None):
+        return request.user.has_perm("billing.view_invoice")
+```
+
+The SPA hides the **Add** / **Save** / **Delete** buttons automatically
+based on these. UI never invents a permission; it asks `ModelAdmin`.
+
+### Restrict the queryset
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    def get_queryset(self, request):
+        qs = super().get_queryset(request)
+        if request.user.is_superuser:
+            return qs
+        return qs.filter(owner=request.user)
+```
+
+The list view never sees rows the queryset excludes. **No
+`Model.objects.all()` in the package** — every list, search, and
+detail lookup starts at `ModelAdmin.get_queryset(request)`.
+
+### Custom save hook
+
+```python
+class InvoiceAdmin(admin.ModelAdmin):
+    def save_model(self, request, obj, form, change):
+        obj.last_edited_by = request.user
+        super().save_model(request, obj, form, change)
+```
+
+Writes always go through `ModelAdmin.get_form()` → `form.is_valid()`
+→ `save_model()`. Signals, audit logs, and post-save hooks all fire
+exactly like they do in `/admin/`.
+
+### Use a custom `AdminSite`
+
+```python
+# myproject/admin.py
+from django.contrib.admin import AdminSite
+
+class StaffAdminSite(AdminSite):
+    site_header = "Operations Console"
+    site_title  = "Ops"
+    index_title = "Welcome"
+
+    def has_permission(self, request):
+        return request.user.is_active and request.user.is_staff and \
+               request.user.groups.filter(name="ops").exists()
+
+staff_admin = StaffAdminSite(name="staff")
+
+# myproject/settings.py
+DJANGO_ADMIN_REACT = {
+    "ADMIN_SITE": "myproject.admin.staff_admin",
+}
+```
+
+The SPA inherits the custom site's permission gate and the
+`ModelAdmin` registrations on that site — no parallel registry.
+
+### Pre-built form / queryset overrides still work
+
+`get_form`, `get_fieldsets`, `get_fields`, `get_exclude`,
+`get_readonly_fields`, `get_search_results`, `get_list_display`,
+`get_sortable_by` — all of them are called by the SPA the same way the
+HTML admin calls them. If you customised them for `/admin/`, the SPA
+already honours those customisations.
+
+---
+
+## What's not yet supported (tracked)
+
+The pre-alpha intentionally ships a small backend. The following
+`ModelAdmin` features are on the roadmap but not in the alpha — open
+issues with acceptance signals:
+
+| Feature | Issue | Workaround for now |
+|---|---|---|
+| `inlines` (`TabularInline` / `StackedInline`) | [#54](https://github.com/MartinCastroAlvarez/django-admin-react/issues/54) | Edit the child model directly under its own admin URL |
+| `ManyToManyField` read + write | [#55](https://github.com/MartinCastroAlvarez/django-admin-react/issues/55) | Exclude the field; manage relation through a dedicated admin |
+| `list_filter` (the left sidebar) | [#56](https://github.com/MartinCastroAlvarez/django-admin-react/issues/56) | Use `search_fields` for the same intent |
+| `FileField` / `ImageField` upload | [#57](https://github.com/MartinCastroAlvarez/django-admin-react/issues/57) | Use the legacy admin for these models |
+| `ModelAdmin.actions` + bulk select | [#58](https://github.com/MartinCastroAlvarez/django-admin-react/issues/58) | One-off DRF endpoint or management command |
+| `autocomplete_fields` / `raw_id_fields` | [#59](https://github.com/MartinCastroAlvarez/django-admin-react/issues/59) | Keep FK target tables small for now |
+| `JSONField` / `ArrayField` / range types (and `register_field_type` hook) | [#60](https://github.com/MartinCastroAlvarez/django-admin-react/issues/60) | Mark as `readonly`; edit via shell |
+| `list_editable` + bulk PATCH | [#61](https://github.com/MartinCastroAlvarez/django-admin-react/issues/61) | Edit row-by-row |
+| `date_hierarchy` drill-down | [#62](https://github.com/MartinCastroAlvarez/django-admin-react/issues/62) | `?ordering=-date_field` and scroll |
+| Session-expiry / re-login modal | [#63](https://github.com/MartinCastroAlvarez/django-admin-react/issues/63) | Browser refresh on 403 |
+| OpenAPI / JSON Schema endpoint | [#64](https://github.com/MartinCastroAlvarez/django-admin-react/issues/64) | Hand-maintain types from `docs/api-contract.md` |
+| Per-model React extension points | [#65](https://github.com/MartinCastroAlvarez/django-admin-react/issues/65) | Use the legacy admin for model-specific UIs |
+
+Mount the SPA at a **second path** (`path("admin2/", include("django_admin_react.urls"))`)
+alongside `/admin/` while the gaps close. Both run off the same
+`ModelAdmin` registrations.
 
 ---
 
@@ -150,59 +285,27 @@ Playwright (Chromium), and writes the six PNGs above.
 - **Configurable URL prefix** — `/admin/`, `/admin-react/`, anywhere.
 - **Conservative & secure-by-default** — never exposes models the
   admin doesn't already expose; never writes fields the admin form
-  excludes; CSRF on every unsafe method.
+  excludes; CSRF on every unsafe method; `Cache-Control: no-store`
+  on every API response; sensitive-name denylist on top of the
+  admin's own `exclude` rules.
 - **Boring + auditable** — no parallel permission system, no
   client-side workarounds for backend permissions, conservative
   serializer with `str()` fallback.
 
 ---
 
-## Documentation map
-
-| Doc                                                             | Topic                                       |
-| ---------------------------------------------------------------- | -------------------------------------------- |
-| [Project board](https://github.com/users/MartinCastroAlvarez/projects/3) | Live status of in-flight / planned work — priority, area, phase |
-| [Issues](https://github.com/MartinCastroAlvarez/django-admin-react/issues) | Backlog with acceptance criteria             |
-| [Discussions](https://github.com/MartinCastroAlvarez/django-admin-react/discussions) | Announcements, Q&A, ideas, show-and-tell     |
-| [`ARCHITECTURE.md`](ARCHITECTURE.md)                             | Design contract                              |
-| [`SECURITY.md`](SECURITY.md)                                     | Threat model, guarantees, required tests     |
-| [`CONTRIBUTING.md`](CONTRIBUTING.md)                             | Dev workflow                                 |
-| [`CLAUDE.md`](CLAUDE.md)                                         | Rules for AI contributors                    |
-| [`docs/api-contract.md`](docs/api-contract.md)                   | Full API spec                                |
-| [`docs/data-layer.md`](docs/data-layer.md)                       | `@dar/data` design (SWR + debounce)          |
-| [`docs/agents/pr-workflow.md`](docs/agents/pr-workflow.md)       | How agents send / review / merge PRs         |
-| [`docs/agents/autonomy-policy.md`](docs/agents/autonomy-policy.md) | What's auto-mergeable vs human-only        |
-| [`docs/agents/decisions.md`](docs/agents/decisions.md)           | Decisions log                                |
-| [`scripts/README.md`](scripts/README.md)                         | `lint.sh` / `build.sh` / `deploy.sh`         |
-| [`examples/README.md`](examples/README.md)                       | Demo Django apps                             |
-
----
-
-## Developer scripts
-
-```bash
-./scripts/lint.sh        # ruff + black + isort + flake8 + pylint + mypy + bandit + prettier + tsc
-./scripts/build.sh       # pnpm install + vite build + poetry build (wheel ships pre-built SPA)
-./scripts/deploy.sh      # poetry publish to PyPI (requires POETRY_PYPI_TOKEN_PYPI)
-```
-
-The Merger runs `./scripts/lint.sh` before every merge — there is
-no CI in this repo by design.
-
----
-
 ## License
 
-MIT — see [`LICENSE`](LICENSE).
+MIT — see [`LICENSE`](https://github.com/MartinCastroAlvarez/django-admin-react/blob/main/LICENSE).
 
 ## Security
 
-Please report security issues privately. See
-[`SECURITY.md`](SECURITY.md) §4. Do **not** open a public issue.
+Please report security issues privately through GitHub's Private
+Vulnerability Reporting on the repository (Security → Advisories).
+See [`SECURITY.md`](https://github.com/MartinCastroAlvarez/django-admin-react/blob/main/SECURITY.md).
+Do **not** open a public issue.
 
 ## Contributing
 
 Humans and AI agents both welcome. Start with
-[`CONTRIBUTING.md`](CONTRIBUTING.md). AI agents must also read
-[`CLAUDE.md`](CLAUDE.md), [`docs/agents/pr-workflow.md`](docs/agents/pr-workflow.md),
-and [`docs/agents/autonomy-policy.md`](docs/agents/autonomy-policy.md).
+[`CONTRIBUTING.md`](https://github.com/MartinCastroAlvarez/django-admin-react/blob/main/CONTRIBUTING.md).

pyproject.toml

@@ -16,13 +16,15 @@ classifiers = [
     "Framework :: Django :: 5.0",
     "Framework :: Django :: 5.1",
     "Framework :: Django :: 5.2",
+    "Framework :: Django :: 6.0",
     "Intended Audience :: Developers",
     "License :: OSI Approved :: MIT License",
     "Operating System :: OS Independent",
     "Programming Language :: Python :: 3",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
     "Topic :: Internet :: WWW/HTTP :: Site Management",
     "Topic :: Software Development :: Libraries :: Python Modules",
 ]
@@ -37,7 +39,9 @@ include = [
 
 [tool.poetry.dependencies]
 python = "^3.10"
-django = ">=5.0,<6.0"
+# Django 5.0 → 5.2 LTS → 6.x. Bump the upper bound when 7.0 ships and
+# we've verified the package still passes its test matrix on it.
+django = ">=5.0,<7.0"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^8.0"