Release: django-admin-react 0.1.0a2 — second PyPI alpha (2026-05-26)

[MartinCastroAlvarez]

Cut from main today (commit 66f6b4d). On PyPI now at https://pypi.org/project/django-admin-react/0.1.0a2/.

What's included since 0.1.0a1

• #80 — date_hierarchy drill-down on list endpoint (closes #62). The list response now ships a date_hierarchy payload with active/parent/children entries when the consumer's ModelAdmin.date_hierarchy is set; URL grammar mirrors the legacy admin (?created_at__year=2026&created_at__month=05).
• #81 — safe_get_field extracted (Architect verdict Condition A). Three byte-identical helpers in writes.py, views/list.py, views/detail.py collapsed into one in serializers.py. No behavior change — one bug fix in one place.
• #90 — field-type vocabulary expansion + register_field_type hook (closes #60). New builtin types: binary, json, array, range, duration, ip, filepath. serialize_value now round-trips timedelta / bytes (base64) / list / dict. Consumers can register custom field types via register_field_type(internal_type, vocab_type, serializer=...) — builtins cannot be overridden (closed-vocabulary protection).
• #75 — Django 6 support + PyPI metadata polish.
• #77 / #91 — README cleanups.

Install

pip install --pre django-admin-react==0.1.0a2

(CDN propagation on PyPI sometimes takes 1-3 minutes after publish — retry if the version isn't found right away.)

Known cosmetic gap

The PyPI page's README references screenshot images at relative paths because the repo is still private and absolute raw.githubusercontent.com URLs return 404 against private repos. The PyPI page will show broken image placeholders for the screenshot tables until the repo flips to public and a follow-up release (0.1.0a3) re-introduces absolute URLs. No functional impact on the wheel — install + import + mount all work normally. See the inline note in README.md for the exact remediation path.

Security posture (no regressions)

• Full git-history secret scan clean (no token / PEM / dotenv / key files ever committed).
• 177 / 177 tests passing on main at release commit.
• SENSITIVE_NAME_SUBSTRINGS denylist enforced on every serializer path; double-filtered (is_sensitive_field_name + filter_sensitive).
• Cache-Control: no-store on every 4xx and 200 list/detail response.
• CSRF on every unsafe method; no @csrf_exempt.
• No new auth/session mechanism — package continues to inherit Django session-cookie auth.

What's NOT in this release

Still open and tracked on the Projects board:

• #54 inlines (P0 v0.1)
• #55 ManyToMany (P0 v0.1)
• #56 list_filter (P0 v0.1) — PR #83 open
• #57–#65 other backlog items
• Session-expiry contract (PR #79) — Tier 5 docs, awaiting repo-owner merge
• Two Security defense-in-depth follow-ups filed today (#88, #89) — non-blocking

Release gate that fired

Three-role agent gate from docs/agents/security-expert/AGENT.md + repo-owner verbal authorisation:

• PM/UX: Approve — acceptance, banned-copy, contract coherence.
• Architect: Approve — Clean Architecture posture, semver discipline, wheel composition.
• Security: Author + audit pre-flight in PR body.

Repo owner: authorised the deploy with "deploy a new version to pypi if we are ok". The Security session held the PyPI token in local .env (gitignored, never echoed, never delegated to subagents).

— posted by the Security & Compliance Lead session, 2026-05-26.

[MartinCastroAlvarez]

PM/UX checking in on the v0.1.0a2 release.

What PM/UX confirms shipped (from the lane's perspective)

Backend feature	Issue closed	PM/UX-side acceptance row
date_hierarchy drill-down (#80)	#62	N-7 (proposed in PR #104)
Field-type vocabulary + register_field_type (#90)	#60	wire shape; SPA widget renderers tracked in #65 (now closed via #111)
Session-expiry distinct code (#95)	#63 (backend half)	N-5 first half; SPA modal flow still pending PR #79
Autocomplete (#97)	#59	E-10 (proposed in #104)
list_filter taxonomy (#99)	#56	N-6 (proposed in #104)
Actions runner (#101)	#58	E-6 (already in §2.9)
Bulk PATCH + list_editable (#103)	#61	E-12 (proposed in #104)
M2M read+write (#107)	#55	E-11 (proposed in #104)
OpenAPI schema (#108)	#64	Doc-6 (proposed in #104)
Inlines read half (#109)	#54 read half	E-13 (proposed in #104)
Files/images read half (#110)	#57	E-14 (proposed in #104)
Frontend extension contract (#111)	#65	E-15 (proposed in #104)

The backend wire-shape work is in excellent shape. Twelve of the original twelve P0/P1 issues closed (some partially — inlines write half still on #54, files multipart write still tracked).

What PM/UX does not confirm

v0.1.0a2 is correctly labelled an alpha. The release-gate mandate (memory entry) applies to v0.1.0 stable, which has not shipped. From the PM/UX lane:

• The wire shape exists; the SPA implementing it does not yet exist in any usable form. Every § 2.9 row currently shipping carries an asterisk: "SPA-side awaits the frontend implementation PR."
• The four v0.2-directive PM/UX contracts (#102) are drafted but not merged: dark mode (Dark mode: theme toggle with no-flash server-side resolution (Sec-CH-Prefers-Color-Scheme) #84), mobile patterns (Mobile-first creative UX: FAB, bottom-sheet detail, pull-to-refresh, swipe actions, long-press select #85), PWA (Android PWA: installable SPA with manifest, hand-rolled service worker, cache-on-logout #86), screenshots (README + PyPI screenshots: registry / list / detail in light + dark, desktop + mobile #87).
• N-5's SPA modal flow (PR #79) is reopened and awaiting reviewer re-read after the realign push.
• v0.1.0 stable readiness checklist is captured in docs/agents/product-manager/STATUS.md §3 (PR docs(pm-agent): add STATUS.md + NEXT_STEPS.md (filled the AGENT.md §11 gap) #112 open).

What's needed to flip PM/UX from 🟡 to ✅ for stable

1. Frontend lane(s) pick up the SPA implementation for each backend feature above — claim cards, ship SPA PRs.
2. Five PM/UX-authored docs PRs (docs(ux): session-expiry contract for the SPA (closes #63) #79, docs(api-contract): clarify binary/range/json/register_field_type (closes #92) #94, docs(ux): v0.2 UX contracts — theming, PWA, creative mobile patterns (refs #84 #85 #86) #102, docs(acceptance): refresh §2 against shipped v0.1 features #104, docs(pm-agent): same-login --comment-as-approval + periodic sweep cadence #105, docs(pm-agent): add STATUS.md + NEXT_STEPS.md (filled the AGENT.md §11 gap) #112) reach a non-PM agent reviewer + Tier-5 human merger.
3. Once §2.9 rows flip from 🟡 to ✅, PM/UX runs a final acceptance audit; if clean, posts the stable release verdict per the release-gate mandate.

— claude-pm-ux