
Review queue filtering, CSV export and batch segment assignment; production security hardening and dependency/docs update#7

Merged
Smartappli merged 2 commits into main from codex/update-to-version-0.9.2-t7tekg on Mar 16, 2026

Conversation

@Smartappli (Owner) commented Mar 16, 2026

Motivation

  • Improve review workflows by exposing finer queue filters, enabling CSV exports that match UI filters, and allowing batch assignment of review segments from the session player.
  • Harden production runtime defaults to avoid accidental insecure deployments by requiring a non-default DJANGO_SECRET_KEY and at least one ALLOWED_HOSTS when DJANGO_DEBUG=0 and by adding optional TLS/HSTS toggles.
  • Refresh runtime/development dependency constraints and align documentation and release metadata with the updated behavior and runtime guidance.

Description

  • Implemented server-side review queue filtering via a shared helper _filter_review_segments and exposed project choices via _review_queue_project_choices, then wired these into review_queue view and template filters.
  • Added CSV export endpoint review_queue_export_segment_analytics_csv and corresponding URL, template export button, and CSV payload generation that honor the same filters as the UI.
  • Added session-level batch assignment with segment_batch_assign view, URL, form UI in session_player.html, audit logging, validation of assignee/reviewer/status, and checkbox-driven apply flags.
  • Hardened config/settings.py by requiring a non-default DJANGO_SECRET_KEY and non-empty ALLOWED_HOSTS when DJANGO_DEBUG is false, and added SECURE_SSL_REDIRECT and HSTS settings; added ImproperlyConfigured import.
  • Bumped release metadata version to 0.9.4, refreshed README.md, CHANGELOG.md, docs/ and updated dependency pins in requirements.txt and requirements-dev.txt (Granian, argon2, psycopg, redis, Ruff).

Testing

  • Added test_segment_batch_assign_and_review_queue_filters_and_export to tracker/tests/test_views.py which exercises batch assignment, filtered queue results, and the CSV export, and it passed under the repository test suite.
  • Ran the test suite with python manage.py test and coverage run manage.py test as part of development validation, and the tests completed successfully.
  • Verified template-level behaviors via the new integration test assertions for presence/absence of filtered segments in both the HTML queue and CSV payload.

Codex Task

Summary by CodeRabbit

Release Notes: Version 0.9.4

  • Security

    • Hardened production security defaults, including required configuration for secret key and allowed hosts.
    • Added optional TLS/HSTS controls for production environments.
  • Enhancements

    • Improved review queue export to preserve applied filters in exported analytics.
    • Stabilized review queue and batch segment assignment behavior.
  • Chores

    • Updated dependencies to newer maintained versions (Django, Granian, Argon2, psycopg, redis, Ruff).
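The production guard the PR body describes (a non-default DJANGO_SECRET_KEY and a non-empty ALLOWED_HOSTS required when DJANGO_DEBUG=0, plus optional TLS/HSTS toggles), written out as an added example rather than PyBehaviorLog's actual config/settings.py. It is a pure function over an environment mapping so it runs without a Django project: the DEFAULT_SECRET_KEY placeholder value and the DJANGO_SECURE_* environment variable names are assumptions, the sample environments are constructed, and the ImproperlyConfigured fallback class only stands in when Django is not installed.

```python
"""Production-settings guard, added example (not PyBehaviorLog's config/settings.py)."""
from typing import Mapping

try:
    from django.core.exceptions import ImproperlyConfigured
except ImportError:  # stand-in so the example also runs without Django installed
    class ImproperlyConfigured(Exception):
        pass

# Assumed placeholder: the insecure value a fresh checkout falls back to.
# In production any SECRET_KEY equal to it counts as "not configured".
DEFAULT_SECRET_KEY = "django-insecure-change-me"
TRUE_VALUES = {"1", "true", "yes", "on"}
ONE_YEAR = 31_536_000  # minimum max-age the HSTS preload list accepts


def env_bool(env: Mapping[str, str], name: str, default: bool) -> bool:
    raw = env.get(name)
    return default if raw is None else raw.strip().lower() in TRUE_VALUES


def env_int(env: Mapping[str, str], name: str, default: int) -> int:
    raw = env.get(name)
    if raw is None:
        return default
    try:
        return int(raw)
    except ValueError:
        raise ImproperlyConfigured(f"{name} must be an integer, got {raw!r}") from None


def build_security_settings(env: Mapping[str, str]) -> dict:
    """Derive DEBUG/SECRET_KEY/ALLOWED_HOSTS and the SECURE_* settings from env,
    refusing to start when DJANGO_DEBUG is off and the deployment is not configured."""
    debug = env_bool(env, "DJANGO_DEBUG", False)  # absent -> production mode, not debug
    secret_key = env.get("DJANGO_SECRET_KEY", DEFAULT_SECRET_KEY)
    allowed_hosts = [h.strip() for h in env.get("ALLOWED_HOSTS", "").split(",") if h.strip()]

    if not debug:
        if not secret_key.strip() or secret_key == DEFAULT_SECRET_KEY:
            raise ImproperlyConfigured(
                "DJANGO_SECRET_KEY must be set to a non-default value when DJANGO_DEBUG=0")
        if not allowed_hosts:
            raise ImproperlyConfigured(
                "ALLOWED_HOSTS must contain at least one host when DJANGO_DEBUG=0")

    hsts_seconds = env_int(env, "DJANGO_SECURE_HSTS_SECONDS", 0)
    if hsts_seconds < 0:
        raise ImproperlyConfigured("DJANGO_SECURE_HSTS_SECONDS must be >= 0")
    include_subdomains = env_bool(env, "DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS", False)
    preload = env_bool(env, "DJANGO_SECURE_HSTS_PRELOAD", False)
    # Preload submission requires includeSubDomains and max-age >= 1 year; refusing
    # the flag without them avoids publishing a header the preload list rejects.
    if preload and not (include_subdomains and hsts_seconds >= ONE_YEAR):
        raise ImproperlyConfigured(
            "DJANGO_SECURE_HSTS_PRELOAD requires DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS=1 "
            f"and DJANGO_SECURE_HSTS_SECONDS >= {ONE_YEAR}")

    return {
        "DEBUG": debug,
        "SECRET_KEY": secret_key,
        "ALLOWED_HOSTS": allowed_hosts,
        "SECURE_SSL_REDIRECT": env_bool(env, "DJANGO_SECURE_SSL_REDIRECT", False),
        "SECURE_HSTS_SECONDS": hsts_seconds,
        "SECURE_HSTS_INCLUDE_SUBDOMAINS": include_subdomains,
        "SECURE_HSTS_PRELOAD": preload,
    }


if __name__ == "__main__":
    # Constructed environments: one valid production config, one that must be refused.
    good = {"DJANGO_DEBUG": "0", "DJANGO_SECRET_KEY": "k" * 50,
            "ALLOWED_HOSTS": "app.example.org, www.example.org"}
    print(build_security_settings(good))
    try:
        build_security_settings({"DJANGO_DEBUG": "0", "ALLOWED_HOSTS": "app.example.org"})
    except ImproperlyConfigured as exc:
        print("refused:", exc)
```

Two caveats a deployer will hit with these toggles: Django's SecurityMiddleware only emits the Strict-Transport-Security header on requests it considers secure, so behind a TLS-terminating proxy SECURE_PROXY_SSL_HEADER must also be set or HSTS is never sent; and because browsers cache the policy for the full max-age, start with a short SECURE_HSTS_SECONDS and only raise it to a year (and enable preload) once every subdomain serves TLS.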

@coderabbitai bot commented Mar 16, 2026

Caution: Review failed. The pull request is closed.

📥 Commits

Reviewing files that changed from the base of the PR and between e3e5067 and ae671bd.

📒 Files selected for processing (9)
  • CHANGELOG.md
  • README.md
  • config/settings.py
  • docs/architecture.md
  • requirements-dev.txt
  • requirements.txt
  • templates/tracker/review_queue.html
  • tracker/tests/test_views.py
  • tracker/views.py

Walkthrough

Release 0.9.4 update includes security hardening of Django settings (enforcing non-default secret key and ALLOWED_HOSTS in production), updated dependency constraints for Django, Granian, Argon2, psycopg, and redis, refactored review queue filtering logic to consolidate multi-criterion filtering, and updated documentation version references.

Changes

  • Documentation & Version Bumps (CHANGELOG.md, README.md, docs/architecture.md): Version updated to 0.9.4 with changelog entries documenting security hardening, dependency updates, and review queue auditing. Minor wording adjustment from "Django 6 CSP" to "Django CSP middleware support."
  • Security Configuration (config/settings.py): Added runtime validation for SECRET_KEY and ALLOWED_HOSTS when DEBUG is disabled; introduced DEFAULT_SECRET_KEY fallback and new HSTS/SSL redirect security settings (SECURE_SSL_REDIRECT, SECURE_HSTS_SECONDS, SECURE_HSTS_INCLUDE_SUBDOMAINS, SECURE_HSTS_PRELOAD).
  • Dependency Constraints (requirements.txt, requirements-dev.txt): Updated minimum versions: argon2-cffi (≥25.1), granian (≥2.5), psycopg (≥3.2.6), redis (≥5.2.1), openpyxl (tightened to <3.2), ruff (≥0.12).
  • Review Queue Refactoring (tracker/views.py, tracker/tests/test_views.py, templates/tracker/review_queue.html): Consolidated review queue and CSV export filtering logic by centralizing calls to the _filter_review_segments helper; added query parameters (filter, project, status, assignee, reviewer, q) to the export URL to preserve filters; updated tests to parse and validate the CSV payload.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Secrets locked up, tight and secure,
Dependencies refreshed, versions pure,
Queue filters consolidated with care,
From 0.9.3 to .4, a version to share!
Django stands firmer, production-grade strong.


@Smartappli Smartappli merged commit 796968e into main Mar 16, 2026
0 of 19 checks passed
@chatgpt-codex-connector

💡 Codex Review

PyBehaviorLog/tracker/views.py

Lines 4925 to 4929 in 79ab988

if status_value and status_value not in {
ObservationSegment.STATUS_TODO,
ObservationSegment.STATUS_IN_PROGRESS,
ObservationSegment.STATUS_DONE,
}:

P2: Reject empty status when batch status updates are enabled

The status validation only runs when status_value is truthy, so a POST with set_status=1 and an empty status bypasses the guard and then writes '' into ObservationSegment.status. Because CharField(choices=...) is not enforced on save(), this can persist an out-of-choice status and break downstream queue filters/reports that assume todo|in_progress|done values; this is reachable from any authenticated reviewer sending a crafted request.


rows = list(queue.get(filter_name, queue['all']))

P2: Align invalid queue-filter fallback with the review page

The review page falls back to queue['assigned'] for unknown filter values, but the CSV export falls back to queue['all'], so the same query string can show one dataset in HTML and export a broader one in CSV. This silently changes analytics scope for stale/bookmarked invalid filters (or tampered URLs), which undermines the stated behavior that CSV should match the active queue filters.


@Smartappli Smartappli deleted the codex/update-to-version-0.9.2-t7tekg branch March 28, 2026 09:13