snapshot: preserve session hardening and account surface

backend/workflows/checks.py

@@ -0,0 +1,57 @@
+import sys
+
+from django.conf import settings
+from django.core.checks import Error, Warning, register
+
+
+@register()
+def security_settings_check(app_configs, **kwargs):
+    # Keep production checks strict in normal runtime, but avoid blocking the
+    # entire Django test runner before per-test overrides can take effect.
+    if 'test' in sys.argv and not settings.RUN_SECURITY_CHECKS_DURING_TESTS:
+        return []
+
+    issues = []
+
+    if not settings.DEBUG and settings.SECRET_KEY == 'unsafe-dev-key':
+        issues.append(
+            Error(
+                'DJANGO_SECRET_KEY is using the development fallback while DEBUG is disabled.',
+                id='workdock.E001',
+            )
+        )
+
+    if not settings.DEBUG and not settings.ALLOWED_HOSTS:
+        issues.append(
+            Error(
+                'ALLOWED_HOSTS must be configured when DEBUG is disabled.',
+                id='workdock.E002',
+            )
+        )
+
+    if not settings.DEBUG and not settings.SESSION_COOKIE_SECURE:
+        issues.append(
+            Error(
+                'Secure session cookies must be enabled when DEBUG is disabled.',
+                id='workdock.E003',
+            )
+        )
+
+    if not settings.DEBUG and not settings.CSRF_COOKIE_SECURE:
+        issues.append(
+            Error(
+                'Secure CSRF cookies must be enabled when DEBUG is disabled.',
+                id='workdock.E004',
+            )
+        )
+
+    if not settings.DEBUG and not settings.SECURE_SSL_REDIRECT:
+        issues.append(
+            Warning(
+                'SECURE_SSL_REDIRECT is disabled while DEBUG is off.',
+                hint='Enable DJANGO_SECURE_SSL_REDIRECT=1 behind HTTPS-aware proxying.',
+                id='workdock.W001',
+            )
+        )
+
+    return issues