Commit 7aba21f

[FIX] Revert djangorestframework 3.15.2 → 3.14.0 to avoid UniqueTogetherValidator errors (#2098)
[FIX] Revert djangorestframework 3.15.2 -> 3.14.0 to unblock staging

The DRF 3.15.2 bump (#2087) regressed rc.343. DRF 3.15 auto-derives multi-field UniqueTogetherValidators from model UniqueConstraints, which 3.14 only did for legacy unique_together. Two breakages followed for every ModelSerializer(fields="__all__") over a model using Meta.constraints:

1. Server-set constraint fields (e.g. organization) -> "<field>: required" on create. Partially patched by #2092 for the 5 org-attached models.
2. Client-supplied constraint fields (TableSettings, ProfileManager, agentic table settings, lookups) -> "...must make a unique set" raised at is_valid(), short-circuiting the views' intended `except IntegrityError: raise DuplicateData(<friendly>)` path. This both replaced the friendly message and moved the error from a top-level `detail` string into nested `non_field_errors`, which the frontend does not surface -> silent failures (e.g. duplicate LLM profile name, table settings no longer editable after first save).

Pin back to 3.14.0 to restore the known-good behaviour across the whole unique-constraint class at once. The CVE-2024-21520 XSS patch carried by 3.15.2 is intentionally deprioritized; the 3.15 upgrade will be reattempted later with a serializer-level fix (drop auto-derived uniqueness validators).

Reverts only the DRF entry from #2087; other batched bumps untouched. The org `editable=False` changes (#2092) remain correct no-ops under 3.14 (org is set server-side in save() from UserContext), so no rollback is needed there.

Claude-Session: https://claude.ai/code/session_01G8hAHc4HUo42zY1g9LAjKu
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent de49f06 commit 7aba21f

4 files changed

Lines changed: 12 additions & 10 deletions

backend/pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -19,7 +19,7 @@ dependencies = [
1919
"cron-descriptor==1.4.0", # For cron string description
2020
"cryptography>=48.0.1",
2121
"django==4.2.30",
22-
"djangorestframework==3.15.2",
22+
"djangorestframework==3.14.0",
2323
"django-cors-headers==4.3.1",
2424
# Pinning django-celery-beat to avoid build issues
2525
"django-celery-beat==2.5.0",
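
Review bot: The downgraded pin at line 22 carries no inline comment, while its neighbours do (`# For cron string description`, `# Pinning django-celery-beat to avoid build issues`). The commit message says this pin deliberately gives up the CVE-2024-21520 XSS patch carried by 3.15.2, so record that next to the line, for example `# Held at 3.14.0: 3.15 auto-derives UniqueTogetherValidators; lacks CVE-2024-21520 fix, see #2098`. Without it, the next batched bump can silently move the version forward again before the serializer-level fix exists, and a dependency audit that flags the CVE has no pointer to why the exposure was accepted or where the reattempt is tracked.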

backend/uv.lock

Lines changed: 5 additions & 4 deletions
Some generated files are not rendered by default.

pyproject.toml

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ hook-check-django-migrations = [
4545
"celery>=5.3.4",
4646
"cron-descriptor==1.4.0",
4747
"django==4.2.30",
48-
"djangorestframework==3.15.2",
48+
"djangorestframework==3.14.0",
4949
# Pinning django-celery-beat to avoid build issues
5050
"django-celery-beat==2.5.0",
5151
"django-cors-headers>=4.3.1",
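
Review bot: Line 48 repeats the exact pin that backend/pyproject.toml holds at line 22, so the two files have to be moved in lockstep by hand; if only one is changed when 3.15 is reattempted, the hook-check-django-migrations environment will resolve a different DRF than the backend. Add a comment here naming backend/pyproject.toml as the source of the version. Separately, all four changed files are dependency manifests and lock files: a regression test for the duplicate-create path (the views' `except IntegrityError: raise DuplicateData(...)` returning a top-level `detail`) would make the reattempt fail in CI rather than on staging.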

uv.lock

Lines changed: 5 additions & 4 deletions
Some generated files are not rendered by default.
