fix(spa): smart-route action redirect URLs (#620) + release 1.4.13

[MartinCastroAlvarez]

Closes #620. Also tags v1.4.13 to ship every change accumulated on main since v1.4.12.

#620 — what actually broke

A ModelAdmin action that returns HttpResponseRedirect(some_url) was silently no-op'd from the operator's POV. The issue blamed the API for swallowing the response, but the API correctly extracts response["Location"] into the JSON envelope's redirect field (api/views/actions.py:256). The real bug was SPA-side: DetailPage piped redirect straight into React Router's navigate — scoped to the SPA's BrowserRouter basename, so any URL outside the SPA mount silently failed:

• Legacy admin paths (/admin/<app>/<model>/<pk>/change/)
• Hijack / impersonate URLs (/hijack/release-user/?next=…)
• Cross-origin downloads (signed S3 URLs)

Fix

New followActionRedirect helper picks the right primitive per URL:

• Same origin AND under the SPA mount → navigate (no full reload, basename-relative path)
• Anything else → window.location.assign (full browser navigation)

Helper is dependency-injected (currentOrigin, assignLocation) so tests can lock the routing logic without touching jsdom's non-configurable window.location.

What else lands in 1.4.13

All already merged on main since 1.4.12:

• [audit] DJANGO_ADMIN_REACT settings dict is alien to stock Django admin — read consumer's AdminSite first, fall back to the dict #631 (PR feat(spa): read --dar-primary from AdminSite.site_primary_color (#631) #641) — PRIMARY_COLOR reads site_primary_color off the configured AdminSite first.
• [audit] raw_id_fields & radio_fields widget hints declared in the wire contract are not rendered by the SPA #626 (PR feat(spa): render raw_id_fields and radio_fields hints (#626) #642) — raw_id_fields + radio_fields widget hints now render their intended controls.
• [audit] ModelAdmin.get_urls() custom views open as a same-window popout, not a SPA route #623 / [audit] change_form_template / change_list_template / change_password_template overrides are silently ignored #624 / [security] XSS via mark_safe / format_html in list_display callables — document the transitive risk + recommend safe pattern #633 / [security] No login throttling on /api/v1/login/ — document recommended brute-force defense + verify django-axes integration #634 / [security] Cross-origin API_URL_PREFIX needs explicit CORS + cookie config — undocumented adoption pitfall #635 (PR docs(readme): honest hooks-carry-through + hardening + cross-origin sections (#623 #624 #633 #634 #635) #640) — README sections for stock-Django hooks that don't carry through, safe list_display callables, hardening (django-axes), cross-origin (CORS + cookies).
• PR chore(ci): rename release.yml → publish.yml to match PyPI Trusted Publisher #638 — release.yml → publish.yml rename for PyPI Trusted Publisher config alignment.

Verification

• 6 new vitests in action-redirect.test.ts cover SPA-internal path, search + hash preservation, legacy-admin path, cross-origin URL, hijack pattern, malformed URL.
• pnpm test — 187 / 187 ✓ (up from 181 / 181)
• pnpm -r typecheck ✓
• pnpm lint ✓
• pnpm -w build ✓

🤖 Generated with Claude Code