Enhance accessibility and security with ARIA labels and rate limiting

.jules/palette.md

@@ -5,3 +5,7 @@
 ## 2025-03-10 - Add ARIA Labels to Copy Buttons
 **Learning:** Many "Copy" buttons in the app use the `copy-btn` class but lack `aria-label`s. Screen readers might just read "Copy" out of context, which can be confusing (e.g., "Copy what?").
 **Action:** Add descriptive `aria-label` attributes to these buttons (e.g., `aria-label="{% trans 'Copy calendar link' %}"`) to improve accessibility.
+
+## 2025-03-10 - Add Contextual ARIA Labels to Action Buttons in Lists
+**Learning:** Action buttons like "Approve" and "Dismiss" in dynamically generated lists (like survey assignments) lack context for screen readers when they don't explicitly reference the target item. A user tabbing through the page would hear "Approve, button", "Dismiss, button", etc., multiple times without knowing *what* is being approved.
+**Action:** Always add descriptive `aria-label` attributes to generic action buttons inside iterative loops, using `{% blocktrans %}` to include the item's name dynamically (e.g., `aria-label="{% blocktrans with name=a.survey.name %}Approve {{ name }}{% endblocktrans %}"`).

.jules/sentinel.md

@@ -7,3 +7,8 @@
 **Vulnerability:** The `demo_portal_login` view was missing rate limiting, making it vulnerable to brute-force or DoS attacks.
 **Learning:** Even endpoints designed for demo purposes need to be protected. The `django-ratelimit` decorator with `block=True` should be applied uniformly to all authentication-related endpoints.
 **Prevention:** Always ensure the `@ratelimit(key="ip", rate="...", method="POST", block=True)` decorator is present on any view that processes login or authentication requests. Also make sure the import is present: `from django_ratelimit.decorators import ratelimit`.
+
+## 2024-03-05 - [Missing Rate Limiting on Invite Endpoints]
+**Vulnerability:** The `invite_accept` endpoint in `apps/auth_app/invite_views.py` allowed unauthenticated users to accept invites and register without rate limits.
+**Learning:** This made it vulnerable to brute force and DoS attacks by making it easy to test combinations of `code` or flood the endpoint with POST requests.
+**Prevention:** As with all public/authentication-related endpoints, ensure the `@ratelimit(key="ip", rate="...", method=["GET", "POST"], block=True)` decorator is applied. When using `key="ip"`, note that it assumes correct proxy settings are present (e.g. `X-Forwarded-For`) so it doesn't just block the proxy IP.

CLAUDE.md

@@ -258,6 +258,7 @@ Current DRRs (all in `tasks/design-rationale/` — see `README.md` there for the
 - `data-access-residency-policy.md` — Canadian residency by data access level
 - `document-integration.md` — SharePoint + Google Drive integration
 - `encryption-key-rotation.md` — Key rotation procedures and custody
+- `evaluation-microdata-export.md` — De-identified microdata export for external evaluators, k-anonymity pipeline
 - `executive-dashboard-redesign.md` — Dashboard UX with accessibility focus
 - `fhir-informed-modelling.md` — FHIR concepts without FHIR compliance
 - `funder-reporting-profiles.md` — Template-based funder reporting (Parking Lot)

REVIEW.md

@@ -0,0 +1,46 @@
+# Code Review Rules for KoNote
+
+## Privacy & Consent
+
+- Any view that queries `ProgressNote` and displays note content to staff **must** apply PHIPA consent filtering. List views: `apply_consent_filter()`. Single-note views: `check_note_consent_or_403()`. See `tasks/design-rationale/phipa-consent-enforcement.md`.
+- PII fields use encrypted property accessors (`client.first_name`, not `_first_name_encrypted`). Never query encrypted fields in SQL — filter in Python.
+- Audit log writes must use the audit database: `AuditLog.objects.using("audit")`.
+
+## Forms & Validation
+
+- Always use Django `ModelForm` in `forms.py` for validation. Never use raw `request.POST.get()` directly in views.
+
+## Templates & Frontend
+
+- Use `{{ term.client }}` for terminology — never hardcode "client", "participant", etc.
+- Use `{{ features.programs }}` for feature toggles.
+- No React, Vue, webpack, or npm. Server-rendered Django templates + HTMX + Pico CSS only.
+- HTMX responses must have global `htmx:responseError` handling so errors don't fail silently.
+- Checkboxes must be **inside** the `<label>` tag (Pico CSS requirement). Use `{% include "includes/_form_field.html" %}` in form loops.
+
+## Accessibility
+
+- WCAG 2.2 AA: semantic HTML, colour contrast, alt text, keyboard navigation.
+
+## Translations
+
+- New or modified templates with user-visible text must use `{% trans %}` or `{% blocktrans %}` tags.
+- Check that corresponding French translations exist in `locale/fr/LC_MESSAGES/django.po`.
+
+## Spelling
+
+- Canadian English: colour, centre, behaviour, organisation, but **-ize** not -ise (organize, optimize, analyze). Use "program" not "programme" in English.
+
+## Design Rationale
+
+- Before approving changes to features covered by a Design Rationale Record (`tasks/design-rationale/`), check that the PR does not re-introduce a rejected anti-pattern.
+
+## Testing & QA
+
+- New or changed views should have corresponding tests (permissions, form validation, happy path).
+- New URL routes should have a matching entry in `konote-qa-scenarios/pages/page-inventory.yaml`.
+- Migrations must be included when models change.
+
+## Admin Routes
+
+- All `/admin/*` routes are admin-only, enforced by RBAC middleware. New admin routes must follow this pattern.

TODO.md

@@ -102,6 +102,23 @@ Step-by-step commands for each task are in [tasks/recurring-tasks.md](tasks/recu
 - [ ] Push Circle/CircleMember Entity lists — depends on above (FIELD-ODK-CIRCLES1)
 - [ ] Agency-facing documentation — ODK Collect setup, device loss protocol (FIELD-ODK-DOC1)
 
+### Phase: Evaluation Export Governance & Documentation (see tasks/eval-export-governance.md)
+
+**Code & UI:**
+- [ ] Add reason field to evaluation export permission grant — free-text logged when `report.evaluation_export` is granted. Detailed implementation prompt in [tasks/phase-eval-gov1-prompt.md](tasks/phase-eval-gov1-prompt.md) — a new session can pick this up cold (EVAL-GOV1)
+- [ ] Admin dashboard card for evaluation export — shows N authorised users, last export date, click-through to permission list (EVAL-GOV2)
+- [ ] Permission audit list page — who has the permission, granted by whom, when, why, last used, revoke button (EVAL-GOV3)
+- [ ] Export history view — past evaluation exports with program, evaluator, counts, status (EVAL-GOV4)
+- [ ] Agreement expiry warning — banner on export history when evaluator agreement has passed (EVAL-GOV5)
+- [ ] Wire up `is_evaluation_exportable` custom field groups — form dynamically shows exportable groups as QI columns (EVAL-GOV6)
+- [ ] Pipeline test suite — consent filtering, k-anonymity, blocking, pseudonymous IDs, CSV output (EVAL-GOV7)
+
+**Documentation:**
+- [ ] Update admin reporting guide with evaluation export section — `docs/admin/reporting.md` (EVAL-DOC1)
+- [ ] Update deployment protocol — add evaluation export to permissions interview — `tasks/agency-permissions-interview.md` Section 7 (EVAL-DOC2)
+- [ ] Add evaluation export section to user guide — `docs/help.md` (EVAL-DOC3)
+- [ ] ED-facing one-page evaluation export reference — `docs/evaluation-export-guide.md` (EVAL-DOC4)
+
 ### Phase: Documentation & Website Updates
 
 _All documentation tasks completed — see Recently Done._
@@ -129,6 +146,9 @@ Not yet clear we should build these, or the design isn't settled. May be too com
 
 ## Recently Done
 
+- [x] Close Evaluator Export admin bypass — removed `is_admin` bypass in `can_create_evaluation_export` + nav check, added missing Team Members link to admin menu, wired `seed_eval_export_demo` into container-startup orchestrator with Casey/Morgan/Eva granted, added fast-path short-circuit, hoisted `EVAL_EXPORT_GRANTEES` constant, added regression tests (`EvaluatorExportPermissionTest` in `tests/test_export_permissions.py`), wrote EVAL-GOV1 implementation prompt — PRs #617, #622, #623, #624 — 2026-04-09 (EVAL-GOV-BYPASS1)
+- [x] De-identified evaluation microdata export — 10-step de-identification pipeline with k-anonymity (k=5), pseudonymous IDs, generalised demographics, population thresholds, enhanced audit trail, preview/confirm flow, permission-gated nav — 2026-04-07 (EVAL-EXPORT1)
+- [x] Insights quality & language features — DQ1: practice signal contextual sentence + month count in summary bar; CONF1: raised theme auto-link threshold from 2→3 words; LANG1: EN/FR language detection on quotes, AI prompt language awareness, FR pills on mixed-language Insights pages — PR #595 — 2026-04-03 (INSIGHTS-DQ1, INSIGHTS-CONF1, INSIGHTS-LANG1)
 - [x] Dashboard & Insights enrichment — FHIR metadata features: program summary sentences, practice indicators, goal source distribution on Insights; stale episodes attention signal on Dashboard; batch query optimization; simplified both pages (removed funder stats, cohort comparison, cross-tab, dashboard bloat — 8 sections → 5 on Insights, ~20 rows → ~8 per program card) — PRs #529-#533 — 2026-03-16 (ENRICH1)
 - [x] Expand accessibility tests to cover portal flow (dashboard, journal, goals) and report/chart flow (outcome insights) — axe-core tests in test_a11y_ci.py — 2026-03-12 (REV26-A11Y1)
 - [x] AI provider configuration guide for operators — docs/ai-provider-guide.md covering cloud vs self-hosted, data residency, configuration, costs — 2026-03-12 (REV26-AI4)

apps/admin_settings/checks.py

@@ -184,7 +184,7 @@ def check_demo_data_health(app_configs, **kwargs):
     if not ClientFile.objects.filter(is_demo=True).exists():
         return warnings
 
-    programs = Program.objects.filter(is_active=True)
+    programs = Program.objects.filter(status="active")
     low_programs = []
 
     for prog in programs:

apps/admin_settings/management/commands/apply_setup.py

@@ -223,17 +223,31 @@ def _apply_metrics(enabled_names, disabled_names, stdout):
 
     enabled_count = 0
     disabled_count = 0
-
-    for name in enabled_names:
-        updated = MetricDefinition.objects.filter(name=name).update(is_enabled=True)
+    configured_count = 0
+
+    for entry in enabled_names:
+        # Support both plain names and dicts with properties
+        if isinstance(entry, dict):
+            name = entry["name"]
+            updates = {"is_enabled": True}
+            if "cadence_sessions" in entry:
+                updates["cadence_sessions"] = entry["cadence_sessions"]
+            updated = MetricDefinition.objects.filter(name=name).update(**updates)
+            if updated:
+                configured_count += 1
+        else:
+            updated = MetricDefinition.objects.filter(name=entry).update(is_enabled=True)
         enabled_count += updated
 
     for name in disabled_names:
         updated = MetricDefinition.objects.filter(name=name).update(is_enabled=False)
         disabled_count += updated
 
-    _log(stdout, f"  Metrics: {enabled_count} enabled, {disabled_count} disabled.")
-    return {"Metrics": f"{enabled_count} enabled, {disabled_count} disabled"}
+    msg = f"  Metrics: {enabled_count} enabled, {disabled_count} disabled"
+    if configured_count:
+        msg += f", {configured_count} configured"
+    _log(stdout, msg + ".")
+    return {"Metrics": f"{enabled_count} enabled, {disabled_count} disabled, {configured_count} configured"}
 
 
 
@@ -284,32 +298,77 @@ def _apply_custom_fields(groups_data, stdout):
 
     group_count = 0
     field_count = 0
+    updated_count = 0
 
     for i, grp in enumerate(groups_data):
+        grp_defaults = {
+            "sort_order": grp.get("sort_order", i),
+            "admin_only": grp.get("admin_only", False),
+            "collapsed_by_default": grp.get("collapsed_by_default", False),
+        }
+        if "status" in grp:
+            grp_defaults["status"] = grp["status"]
+
         group, grp_created = CustomFieldGroup.objects.get_or_create(
             title=grp["title"],
-            defaults={
-                "sort_order": i,
-                "admin_only": grp.get("admin_only", False),
-            },
+            defaults=grp_defaults,
         )
         if grp_created:
             group_count += 1
+        else:
+            # Update group properties that are explicitly set in the config
+            changed = False
+            for attr in ("admin_only", "collapsed_by_default", "sort_order", "status"):
+                if attr in grp and getattr(group, attr) != grp[attr]:
+                    setattr(group, attr, grp[attr])
+                    changed = True
+            if changed:
+                group.save()
+                updated_count += 1
 
         for j, fld in enumerate(grp.get("fields", [])):
-            _, fld_created = CustomFieldDefinition.objects.get_or_create(
+            fld_defaults = {
+                "input_type": fld.get("input_type", "text"),
+                "is_required": fld.get("is_required", False),
+                "is_sensitive": fld.get("is_sensitive", False),
+                "options_json": fld.get("options", []),
+                "sort_order": fld.get("sort_order", j),
+                "front_desk_access": fld.get("front_desk_access", "none"),
+                "show_on_create": fld.get("show_on_create", False),
+                "is_dv_sensitive": fld.get("is_dv_sensitive", False),
+            }
+            if fld.get("placeholder"):
+                fld_defaults["placeholder"] = fld["placeholder"]
+            if "status" in fld:
+                fld_defaults["status"] = fld["status"]
+
+            field, fld_created = CustomFieldDefinition.objects.get_or_create(
                 group=group,
                 name=fld["name"],
-                defaults={
-                    "input_type": fld.get("input_type", "text"),
-                    "is_required": fld.get("is_required", False),
-                    "is_sensitive": fld.get("is_sensitive", False),
-                    "options_json": fld.get("options", []),
-                    "sort_order": j,
-                },
+                defaults=fld_defaults,
             )
             if fld_created:
                 field_count += 1
-
-    _log(stdout, f"  Custom fields: {group_count} groups, {field_count} fields.")
-    return {"Custom fields": f"{group_count} group(s), {field_count} field(s)"}
+            else:
+                # Update field properties that are explicitly set in the config
+                changed = False
+                for attr, config_key in (
+                    ("front_desk_access", "front_desk_access"),
+                    ("show_on_create", "show_on_create"),
+                    ("is_dv_sensitive", "is_dv_sensitive"),
+                    ("status", "status"),
+                    ("sort_order", "sort_order"),
+                    ("is_required", "is_required"),
+                    ("options_json", "options"),
+                ):
+                    if config_key in fld:
+                        val = fld[config_key]
+                        if getattr(field, attr) != val:
+                            setattr(field, attr, val)
+                            changed = True
+                if changed:
+                    field.save()
+                    updated_count += 1
+
+    _log(stdout, f"  Custom fields: {group_count} groups, {field_count} fields created, {updated_count} updated.")
+    return {"Custom fields": f"{group_count} group(s), {field_count} field(s) created, {updated_count} updated"}