feat: Implement initial schema and add various API, service, and management command enhancements across the application.

pacnpal
2026-01-01 15:13:01 -05:00
parent c95f99ca10
commit b243b17af7
413 changed files with 11164 additions and 17433 deletions


@@ -35,15 +35,11 @@ TURNSTILE_VERIFY_URL = config(
# X-XSS-Protection: Enables browser's built-in XSS filter
# Note: Modern browsers are deprecating this in favor of CSP, but it's still
# useful for older browsers
SECURE_BROWSER_XSS_FILTER = config(
"SECURE_BROWSER_XSS_FILTER", default=True, cast=bool
)
SECURE_BROWSER_XSS_FILTER = config("SECURE_BROWSER_XSS_FILTER", default=True, cast=bool)
# X-Content-Type-Options: Prevents MIME type sniffing attacks
# When True, adds "X-Content-Type-Options: nosniff" header
SECURE_CONTENT_TYPE_NOSNIFF = config(
"SECURE_CONTENT_TYPE_NOSNIFF", default=True, cast=bool
)
SECURE_CONTENT_TYPE_NOSNIFF = config("SECURE_CONTENT_TYPE_NOSNIFF", default=True, cast=bool)
# X-Frame-Options: Protects against clickjacking attacks
# DENY = Never allow framing (most secure)
@@ -53,24 +49,18 @@ X_FRAME_OPTIONS = config("X_FRAME_OPTIONS", default="DENY")
# Referrer-Policy: Controls how much referrer information is sent
# strict-origin-when-cross-origin = Send full URL for same-origin,
# only origin for cross-origin, nothing for downgrade
SECURE_REFERRER_POLICY = config(
"SECURE_REFERRER_POLICY", default="strict-origin-when-cross-origin"
)
SECURE_REFERRER_POLICY = config("SECURE_REFERRER_POLICY", default="strict-origin-when-cross-origin")
# Cross-Origin-Opener-Policy: Prevents cross-origin attacks via window references
# same-origin = Document can only be accessed by windows from same origin
SECURE_CROSS_ORIGIN_OPENER_POLICY = config(
"SECURE_CROSS_ORIGIN_OPENER_POLICY", default="same-origin"
)
SECURE_CROSS_ORIGIN_OPENER_POLICY = config("SECURE_CROSS_ORIGIN_OPENER_POLICY", default="same-origin")
# =============================================================================
# HSTS (HTTP Strict Transport Security) Configuration
# =============================================================================
# Include subdomains in HSTS policy
SECURE_HSTS_INCLUDE_SUBDOMAINS = config(
"SECURE_HSTS_INCLUDE_SUBDOMAINS", default=True, cast=bool
)
SECURE_HSTS_INCLUDE_SUBDOMAINS = config("SECURE_HSTS_INCLUDE_SUBDOMAINS", default=True, cast=bool)
# HSTS max-age in seconds (31536000 = 1 year, recommended minimum)
SECURE_HSTS_SECONDS = config("SECURE_HSTS_SECONDS", default=31536000, cast=int)
@@ -82,9 +72,7 @@ SECURE_HSTS_PRELOAD = config("SECURE_HSTS_PRELOAD", default=False, cast=bool)
# URLs exempt from SSL redirect (e.g., health checks)
# Format: comma-separated list of URL patterns
SECURE_REDIRECT_EXEMPT = config(
"SECURE_REDIRECT_EXEMPT",
default="",
cast=lambda v: [s.strip() for s in v.split(",") if s.strip()]
"SECURE_REDIRECT_EXEMPT", default="", cast=lambda v: [s.strip() for s in v.split(",") if s.strip()]
)
# Redirect all HTTP requests to HTTPS
@@ -93,9 +81,7 @@ SECURE_SSL_REDIRECT = config("SECURE_SSL_REDIRECT", default=False, cast=bool)
# Header used by proxy to indicate HTTPS
# Common values: ('HTTP_X_FORWARDED_PROTO', 'https')
_proxy_ssl_header = config("SECURE_PROXY_SSL_HEADER", default="")
SECURE_PROXY_SSL_HEADER = (
tuple(_proxy_ssl_header.split(",")) if _proxy_ssl_header else None
)
SECURE_PROXY_SSL_HEADER = tuple(_proxy_ssl_header.split(",")) if _proxy_ssl_header else None
# =============================================================================
# Session Cookie Security
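Review bot: The reflowed `SECURE_PROXY_SSL_HEADER` line still builds the tuple from a bare `split(",")`, so the parts are neither trimmed nor checked to be exactly two. A value written as `HTTP_X_FORWARDED_PROTO, https` produces the secure value `' https'`, which will not match what the proxy sends, so requests would be treated as plain HTTP (a redirect loop once `SECURE_SSL_REDIRECT` is on), and a value with one or three parts gives a malformed tuple that is only rejected later. I would parse it as `_parts = [p.strip() for p in _proxy_ssl_header.split(",")]` and raise `ImproperlyConfigured` unless `len(_parts) == 2`, then assign `SECURE_PROXY_SSL_HEADER = tuple(_parts)`. The comment above it should also say the setting is only safe when the proxy strips or overwrites that header on every incoming request, for example `# Only set this if the proxy always overwrites the header; otherwise a client can claim HTTPS itself`.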
@@ -143,9 +129,7 @@ AUTHENTICATION_BACKENDS = [
AUTH_PASSWORD_VALIDATORS = [
{
"NAME": (
"django.contrib.auth.password_validation.UserAttributeSimilarityValidator"
),
"NAME": ("django.contrib.auth.password_validation.UserAttributeSimilarityValidator"),
},
{
"NAME": "django.contrib.auth.password_validation.MinimumLengthValidator",