admin/WerkoutAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Codebase hardening: 102 fixes across 35+ files

Browse Source 
Deep audit identified 106 findings; 102 fixed, 4 deferred. Covers 8 areas:

- Settings & deploy: env-gated DEBUG/SECRET_KEY, HTTPS headers, gunicorn, celery worker
- Auth (registered_user): password write_only, request.data fixes, transaction safety, proper HTTP status codes
- Workout app: IDOR protection, get_object_or_404, prefetch_related N+1 fixes, transaction.atomic
- Video/scripts: path traversal sanitization, HLS trigger guard, auth on cache wipe
- Models (exercise/equipment/muscle/superset): null-safe __str__, stable IDs, prefetch support
- Generator views: helper for registered_user lookup, logger.exception, bulk_update, transaction wrapping
- Generator core (rules/selector/generator): push-pull ratio, type affinity normalization, modality checks, side-pair exact match, word-boundary regex, equipment cache clearing
- Generator services (plan_builder/analyzer/normalizer): transaction.atomic, muscle cache, bulk_update, glutes classification fix

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-02-27 22:29:14 -06:00
parent 63b57a83ab
commit c80c66c2e5
58 changed files with 3363 additions and 1049 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
.env.example Normal file
View File

@@ -0,0 +1,25 @@
# Django core
DEBUG=false
SECRET_KEY=your-secret-key-here
# Allowed hosts (comma-separated)
ALLOWED_HOSTS=yourdomain.com
# CORS (comma-separated origins)
CORS_ALLOWED_ORIGINS=https://yourdomain.com
# Database (used when DATABASE_URL is not set)
DB_NAME=werkout
DB_USER=werkout
DB_PASSWORD=your-db-password
DB_HOST=db
DB_PORT=5432
# Database URL (overrides individual DB_* vars when set)
DATABASE_URL=postgres://user:password@db:5432/werkout
# Redis
REDIS_URL=redis://redis:6379
# HTTPS redirect (set to false if behind a reverse proxy that handles SSL)
SECURE_SSL_REDIRECT=true

6
docker-compose.yml
View File

@@ -25,6 +25,10 @@ services:
environment:
- DATABASE_URL=postgres://postgres:postgres@db:5432/werkout
- REDIS_URL=redis://redis:6379
- SECRET_KEY=${SECRET_KEY:-insecure-dev-secret-key-change-in-production}
- DEBUG=${DEBUG:-true}
- ALLOWED_HOSTS=${ALLOWED_HOSTS:-*}
- CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-}
depends_on:
db:
condition: service_healthy
@@ -43,6 +47,8 @@ services:
environment:
- DATABASE_URL=postgres://postgres:postgres@db:5432/werkout
- REDIS_URL=redis://redis:6379
- SECRET_KEY=${SECRET_KEY:-insecure-dev-secret-key-change-in-production}
- DEBUG=${DEBUG:-true}
depends_on:
- db
- redis

2
equipment/models.py
View File

@@ -10,7 +10,7 @@ class Equipment(models.Model):
name = models.CharField(null=True, blank=True, max_length=64)
def __str__(self):
return self.category + " : " + self.name
return f"{self.category or ''} : {self.name or ''}"
class WorkoutEquipment(models.Model):
created_at = models.DateTimeField(auto_now_add=True)

9
equipment/views.py
View File

@@ -2,7 +2,6 @@ from django.shortcuts import render
from .models import *
from .serializers import *
from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework import status
@@ -20,9 +19,9 @@ def all_equipment(request):
if 'all_equipment' in cache:
data = cache.get('all_equipment')
return Response(data=data, status=status.HTTP_200_OK)
users = Equipment.objects.all()
serializer = EquipmentSerializer(users, many=True)
equipment = Equipment.objects.all().select_related()
serializer = EquipmentSerializer(equipment, many=True)
data = serializer.data
cache.set('all_equipment', data, timeout=None)
return Response(data=data, status=status.HTTP_200_OK)
return Response(data=data, status=status.HTTP_200_OK)

3
exercise/models.py
View File

@@ -1,7 +1,6 @@
from django.db import models
from django.conf import settings
from django.core.validators import MinValueValidator, MaxValueValidator
from random import randrange
DIFFICULTY_CHOICES = [
@@ -49,7 +48,7 @@ class Exercise(models.Model):
equipment_required = models.CharField(null=True, blank=True, max_length=255)
muscle_groups = models.CharField(null=True, blank=True, max_length=255)
synonyms = models.CharField(null=True, blank=True, max_length=255)
estimated_rep_duration = models.FloatField(null=True, blank=True, max_length=255)
estimated_rep_duration = models.FloatField(null=True, blank=True)
video_override = models.CharField(null=True, blank=True, max_length=255)
# New fields for workout generation quality

23
exercise/serializers.py
View File

@@ -2,7 +2,6 @@ from rest_framework import serializers
from .models import *
from muscle.models import ExerciseMuscle
from equipment.models import WorkoutEquipment
from muscle.serializers import ExerciseMuscleSerializer
from equipment.serializers import WorkoutEquipmentSerializer
class ExerciseMuscleSerializer(serializers.ModelSerializer):
@@ -11,7 +10,7 @@ class ExerciseMuscleSerializer(serializers.ModelSerializer):
class Meta:
model = ExerciseMuscle
fields = '__all__'
def get_name(self, obj):
return obj.muscle.name
@@ -26,12 +25,14 @@ class ExerciseSerializer(serializers.ModelSerializer):
model = Exercise
fields = '__all__'
def get_muscles(self, obj):
objs = ExerciseMuscle.objects.filter(exercise=obj)
data = ExerciseMuscleSerializer(objs, many=True).data
return data
def get_equipment(self, obj):
objs = WorkoutEquipment.objects.filter(exercise=obj)
data = WorkoutEquipmentSerializer(objs, many=True).data
return data
def get_muscles(self, obj):
# Use prefetched data if available, avoiding N+1 queries
if hasattr(obj, '_prefetched_objects_cache') and 'exercise_muscle_exercise' in obj._prefetched_objects_cache:
return [{'muscle': em.muscle_id, 'name': em.muscle.name} for em in obj.exercise_muscle_exercise.all()]
return list(obj.exercise_muscle_exercise.values('muscle', name=models.F('muscle__name')))
def get_equipment(self, obj):
# Use prefetched data if available, avoiding N+1 queries
if hasattr(obj, '_prefetched_objects_cache') and 'workout_exercise_workout' in obj._prefetched_objects_cache:
return [{'equipment': we.equipment_id, 'name': we.equipment.name} for we in obj.workout_exercise_workout.all()]
return list(obj.workout_exercise_workout.values('equipment', name=models.F('equipment__name')))

12
exercise/views.py
View File

@@ -2,7 +2,6 @@ from django.shortcuts import render
from .models import *
from .serializers import *
from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework import status
@@ -20,9 +19,12 @@ def all_exercises(request):
if 'all_exercises' in cache:
data = cache.get('all_exercises')
return Response(data=data, status=status.HTTP_200_OK)
users = Exercise.objects.all()
serializer = ExerciseSerializer(users, many=True)
exercises = Exercise.objects.all().prefetch_related(
'exercise_muscle_exercise__muscle',
'workout_exercise_workout__equipment',
)
serializer = ExerciseSerializer(exercises, many=True)
data = serializer.data
cache.set('all_exercises', data, timeout=None)
return Response(data=data, status=status.HTTP_200_OK)
return Response(data=data, status=status.HTTP_200_OK)

18
generator/management/commands/populate_exercise_fields.py
View File

@@ -919,8 +919,8 @@ class Command(BaseCommand):
verbose = options['verbose']
strategy = options.get('classification_strategy', 'rules')
exercises = Exercise.objects.all()
total = exercises.count()
exercises = list(Exercise.objects.all())
total = len(exercises)
updated = 0
stats = {
'is_compound': {'True': 0, 'False': 0},
@@ -938,6 +938,10 @@ class Command(BaseCommand):
if ex.name:
name_to_exercise[ex.name] = ex
# Collect exercises to bulk_update instead of saving one at a time
exercises_to_update = []
fields_to_update = set()
for ex in exercises:
if strategy == 'regex':
from generator.management.commands.classify_exercises import classify_exercise
@@ -1003,7 +1007,9 @@ class Command(BaseCommand):
ex.stretch_position = stretch
if progression_target:
ex.progression_of = progression_target
ex.save()
exercises_to_update.append(ex)
for field, _, _ in changes:
fields_to_update.add(field)
updated += 1
if verbose:
prefix = '[DRY RUN] ' if dry_run else ''
@@ -1011,6 +1017,12 @@ class Command(BaseCommand):
for field, old, new in changes:
self.stdout.write(f' {field}: {old} -> {new}')
# Bulk update all modified exercises in batches
if exercises_to_update and not dry_run:
Exercise.objects.bulk_update(
exercises_to_update, list(fields_to_update), batch_size=500
)
# Fix #11: Correct is_weight=True on known non-weight exercises
NON_WEIGHT_OVERRIDES = ['wall sit', 'agility ladder', 'plank', 'dead hang', 'l sit']
weight_fixed = 0

8
generator/management/commands/recalculate_workout_times.py
View File

@@ -46,16 +46,18 @@ class Command(BaseCommand):
dry_run = options['dry_run']
rest_between_rounds = options['rest']
workouts = Workout.objects.all()
workouts = Workout.objects.prefetch_related(
'superset_workout__superset_exercises__exercise'
).all()
total = workouts.count()
updated = 0
for workout in workouts:
supersets = Superset.objects.filter(workout=workout).order_by('order')
supersets = workout.superset_workout.all().order_by('order')
workout_total_time = 0
for ss in supersets:
exercises = SupersetExercise.objects.filter(superset=ss)
exercises = ss.superset_exercises.all()
active_time = 0.0
for se in exercises:

126
generator/rules_engine.py
View File

@@ -6,6 +6,7 @@ workout_research.md. Used by the quality gates in WorkoutGenerator
and the check_rules_drift management command.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Dict, Any, Tuple
@@ -428,6 +429,9 @@ def _get_working_supersets(supersets: list) -> list:
def _count_push_pull(supersets: list) -> Tuple[int, int]:
"""Count push and pull exercises across working supersets.
Exercises with BOTH push AND pull patterns are counted as neutral
(neither push nor pull) to avoid double-counting.
Returns (push_count, pull_count).
"""
push_count = 0
@@ -439,9 +443,14 @@ def _count_push_pull(supersets: list) -> Tuple[int, int]:
continue
patterns = getattr(ex, 'movement_patterns', '') or ''
patterns_lower = patterns.lower()
if 'push' in patterns_lower:
is_push = 'push' in patterns_lower
is_pull = 'pull' in patterns_lower
if is_push and is_pull:
# Dual pattern — count as neutral to avoid double-counting
pass
elif is_push:
push_count += 1
if 'pull' in patterns_lower:
elif is_pull:
pull_count += 1
return push_count, pull_count
@@ -485,6 +494,31 @@ def _focus_key_for_entry(entry: dict) -> Optional[str]:
return None
def _is_recovery_entry(entry: dict) -> bool:
"""Return True when an entry is a recovery/stretch movement."""
ex = entry.get('exercise')
if ex is None:
return False
name = (getattr(ex, 'name', '') or '').lower()
# Use word boundary check to avoid over-matching (e.g. "Stretch Band Row"
# should not be flagged as recovery).
if re.search(r'\bstretch(ing|es|ed)?\b', name):
return True
patterns = (getattr(ex, 'movement_patterns', '') or '').lower()
recovery_tokens = (
'mobility - static',
'static stretch',
'cool down',
'cooldown',
'yoga',
'breathing',
'massage',
)
return any(token in patterns for token in recovery_tokens)
# ======================================================================
# Main validation function
# ======================================================================
@@ -608,7 +642,7 @@ def validate_workout(
for ss in working:
ex_count = len(ss.get('exercises', []))
# Allow 1 extra for sided pairs
if ex_count > high + 2:
if ex_count > high + 1:
violations.append(RuleViolation(
rule_id='superset_size',
severity='warning',
@@ -638,7 +672,7 @@ def validate_workout(
actual_value=ratio,
expected_range=(min_ratio, None),
))
elif push_count > 2 and pull_count == 0:
elif pull_count == 0 and push_count > 0:
violations.append(RuleViolation(
rule_id='push_pull_ratio',
severity='warning',
@@ -651,7 +685,41 @@ def validate_workout(
))
# ------------------------------------------------------------------
# 5. Focus spread across working supersets
# 5. Working-set guardrails (no recovery movements, non-zero rest)
# ------------------------------------------------------------------
for ss in working:
ss_name = ss.get('name') or 'Working set'
rest_between_rounds = ss.get('rest_between_rounds')
if rest_between_rounds is None or rest_between_rounds <= 0:
violations.append(RuleViolation(
rule_id='working_rest_missing',
severity='warning',
message=(
f"{ss_name} is missing rest_between_rounds "
"(expected a positive value)."
),
actual_value=rest_between_rounds,
expected_range=(15, None),
))
recovery_names = []
for entry in ss.get('exercises', []):
if _is_recovery_entry(entry):
ex = entry.get('exercise')
recovery_names.append(getattr(ex, 'name', 'Unknown Exercise'))
if recovery_names:
violations.append(RuleViolation(
rule_id='working_contains_recovery',
severity='error',
message=(
f"{ss_name} contains recovery/stretch movement(s): "
f"{', '.join(sorted(set(recovery_names)))}."
),
actual_value=sorted(set(recovery_names)),
))
# ------------------------------------------------------------------
# 6. Focus spread across working supersets
# ------------------------------------------------------------------
if working:
for ss in working:
@@ -697,7 +765,7 @@ def validate_workout(
previous_focus = focus_keys
# ------------------------------------------------------------------
# 6. Compound before isolation ordering
# 7. Compound before isolation ordering
# ------------------------------------------------------------------
if UNIVERSAL_RULES['compound_before_isolation']:
if not _check_compound_before_isolation(supersets):
@@ -708,7 +776,7 @@ def validate_workout(
))
# ------------------------------------------------------------------
# 7. Warmup check
# 8. Warmup check
# ------------------------------------------------------------------
if UNIVERSAL_RULES['warmup_mandatory']:
if not _has_warmup(supersets):
@@ -719,7 +787,7 @@ def validate_workout(
))
# ------------------------------------------------------------------
# 8. Cooldown check
# 9. Cooldown check
# ------------------------------------------------------------------
if not _has_cooldown(supersets):
violations.append(RuleViolation(
@@ -729,7 +797,7 @@ def validate_workout(
))
# ------------------------------------------------------------------
# 9. HIIT duration cap
# 10. HIIT duration cap
# ------------------------------------------------------------------
if wt_key == 'high_intensity_interval_training':
max_hiit_min = UNIVERSAL_RULES.get('max_hiit_duration_min', 30)
@@ -757,7 +825,7 @@ def validate_workout(
))
# ------------------------------------------------------------------
# 10. Total exercise count cap
# 11. Total exercise count cap
# ------------------------------------------------------------------
max_exercises = wt_rules.get(
'max_exercises_per_session',
@@ -780,13 +848,23 @@ def validate_workout(
))
# ------------------------------------------------------------------
# 11. Workout type match percentage (refactored from _validate_workout_type_match)
# 12. Workout type match percentage (refactored from _validate_workout_type_match)
# ------------------------------------------------------------------
_STRENGTH_TYPES = {
'traditional_strength_training', 'functional_strength_training',
'hypertrophy',
}
_HIIT_TYPES = {'high_intensity_interval_training'}
_CARDIO_TYPES = {'cardio'}
_CORE_TYPES = {'core_training'}
_FLEXIBILITY_TYPES = {'flexibility'}
is_strength = wt_key in _STRENGTH_TYPES
is_hiit = wt_key in _HIIT_TYPES
is_cardio = wt_key in _CARDIO_TYPES
is_core = wt_key in _CORE_TYPES
is_flexibility = wt_key in _FLEXIBILITY_TYPES
if working:
total_ex = 0
matching_ex = 0
@@ -799,7 +877,33 @@ def validate_workout(
if is_strength:
if getattr(ex, 'is_weight', False) or getattr(ex, 'is_compound', False):
matching_ex += 1
elif is_hiit:
# HIIT: favor high HR, compound, or duration-capable exercises
hr = getattr(ex, 'hr_elevation_rating', None) or 0
if hr >= 5 or getattr(ex, 'is_compound', False) or getattr(ex, 'is_duration', False):
matching_ex += 1
elif is_cardio:
# Cardio: favor duration-capable or high-HR exercises
hr = getattr(ex, 'hr_elevation_rating', None) or 0
if getattr(ex, 'is_duration', False) or hr >= 5:
matching_ex += 1
elif is_core:
# Core: check if exercise targets core muscles
muscles = (getattr(ex, 'muscle_groups', '') or '').lower()
patterns = (getattr(ex, 'movement_patterns', '') or '').lower()
if any(tok in muscles for tok in ('core', 'abs', 'oblique')):
matching_ex += 1
elif 'core' in patterns or 'anti' in patterns:
matching_ex += 1
elif is_flexibility:
# Flexibility: favor duration-based, stretch/mobility exercises
patterns = (getattr(ex, 'movement_patterns', '') or '').lower()
if getattr(ex, 'is_duration', False) or any(
tok in patterns for tok in ('stretch', 'mobility', 'yoga', 'flexibility')
):
matching_ex += 1
else:
# Unknown type — count all as matching (no false negatives)
matching_ex += 1
if total_ex > 0:
match_pct = matching_ex / total_ex

6
generator/serializers.py
View File

@@ -335,7 +335,11 @@ class GeneratedWorkoutDetailSerializer(serializers.ModelSerializer):
def get_supersets(self, obj):
if obj.workout:
superset_qs = Superset.objects.filter(workout=obj.workout).order_by('order')
superset_qs = Superset.objects.filter(
workout=obj.workout
).prefetch_related(
'supersetexercise_set__exercise',
).order_by('order')
return SupersetSerializer(superset_qs, many=True).data
return []

253
generator/services/exercise_selector.py
View File

@@ -160,13 +160,16 @@ class ExerciseSelector:
self._exercise_profile_cache = {}
self.warnings = [] # Phase 13: generation warnings
self.progression_boost_ids = set() # IDs of exercises that are progressions of recently done ones
# Week-scoped state for cross-day dedup (NOT cleared by reset())
self.week_used_exercise_ids = set()
self.week_used_movement_families = Counter()
# ------------------------------------------------------------------
# Public API
# ------------------------------------------------------------------
def reset(self):
"""Reset used exercises for a new workout."""
"""Reset used exercises for a new workout (preserves week-scoped state)."""
self.used_exercise_ids = set()
self.used_exercise_names = set()
self.used_movement_patterns = Counter()
@@ -175,6 +178,49 @@ class ExerciseSelector:
self.last_working_similarity_profiles = []
self._exercise_profile_cache = {}
self.warnings = []
# Clear per-queryset caches so equipment/exclusion changes take effect
if hasattr(self, '_equipment_map_cache'):
del self._equipment_map_cache
if hasattr(self, '_bodyweight_ids_cache'):
del self._bodyweight_ids_cache
if hasattr(self, '_warned_small_pool'):
del self._warned_small_pool
if hasattr(self, '_warned_no_equipment'):
del self._warned_no_equipment
if hasattr(self, '_relaxed_hard_exclude_ids'):
del self._relaxed_hard_exclude_ids
if hasattr(self, '_injury_warnings_emitted'):
del self._injury_warnings_emitted
def reset_week(self):
"""Reset all state including week-scoped tracking. Call at start of a new week."""
self.reset()
self.week_used_exercise_ids = set()
self.week_used_movement_families = Counter()
def accumulate_week_state(self, exercise_ids, exercise_names):
"""Record a completed day's exercises into week-scoped tracking.
Parameters
----------
exercise_ids : set[int]
Primary keys of exercises used in the day's workout.
exercise_names : set[str]
Exercise names (used for family extraction).
"""
self.week_used_exercise_ids.update(exercise_ids)
for name in exercise_names:
for fam in extract_movement_families(name):
self.week_used_movement_families[fam] += 1
def _get_week_family_limit(self, family):
"""Max allowed uses of a movement family across the whole week.
Wider than per-workout limits: narrow families = 2/week, broad = 4/week.
"""
if family in NARROW_FAMILIES:
return 2
return 4
def select_exercises(
self,
@@ -184,6 +230,7 @@ class ExerciseSelector:
movement_pattern_preference=None,
prefer_weighted=False,
superset_position=None,
allow_cross_modality=False,
):
"""
Select *count* exercises matching the given criteria.
@@ -200,6 +247,10 @@ class ExerciseSelector:
Optional list of preferred movement patterns to favour.
prefer_weighted : bool
When True (R6), boost is_weight=True exercises in selection.
allow_cross_modality : bool
When True, don't hard-filter by modality — instead use soft
preference so duration-only exercises (carries, planks) can
land in rep-based supersets and vice versa.
Returns
-------
@@ -209,13 +260,19 @@ class ExerciseSelector:
return []
fitness_level = getattr(self.user_preference, 'fitness_level', None)
# When cross-modality is allowed, skip the hard modality filter
# so duration-only exercises can appear in rep supersets and vice versa.
modality_for_filter = None if allow_cross_modality else is_duration_based
preferred_modality = 'duration' if is_duration_based else 'reps'
qs = self._get_filtered_queryset(
muscle_groups=muscle_groups,
is_duration_based=is_duration_based,
is_duration_based=modality_for_filter,
fitness_level=fitness_level,
)
# Working supersets should not contain stretch/recovery exercises.
excluded_q = Q(name__icontains='stretch')
# Use regex word boundary to avoid over-matching (e.g. "Stretch Band Row"
# should NOT be excluded, but "Hamstring Stretch" should).
excluded_q = Q(name__iregex=r'\bstretch(ing|es|ed)?\b')
for pat in self.WORKING_EXCLUDED_PATTERNS:
excluded_q |= Q(movement_patterns__icontains=pat)
qs = qs.exclude(excluded_q)
@@ -258,6 +315,7 @@ class ExerciseSelector:
count,
superset_position=superset_position,
similarity_scope='working',
preferred_modality=preferred_modality if allow_cross_modality else None,
)
# Sort selected exercises by tier: primary first, then secondary, then accessory
@@ -288,14 +346,16 @@ class ExerciseSelector:
for missing_muscle in uncovered:
replacement_qs = self._get_filtered_queryset(
muscle_groups=[missing_muscle],
is_duration_based=is_duration_based,
is_duration_based=modality_for_filter,
fitness_level=fitness_level,
).exclude(pk__in={e.pk for e in selected})
# Validate modality: ensure replacement matches expected modality
if is_duration_based:
replacement_qs = replacement_qs.filter(is_duration=True)
elif is_duration_based is False:
replacement_qs = replacement_qs.filter(is_reps=True)
# (skip when cross-modality is allowed)
if not allow_cross_modality:
if is_duration_based:
replacement_qs = replacement_qs.filter(is_duration=True)
elif is_duration_based is False:
replacement_qs = replacement_qs.filter(is_reps=True)
replacement = list(replacement_qs[:1])
if replacement:
# Find last unswapped accessory
@@ -382,8 +442,6 @@ class ExerciseSelector:
is_duration_based=True,
fitness_level=fitness_level,
)
# Avoid duplicate-looking left/right variants in recovery sections.
qs = qs.filter(Q(side__isnull=True) | Q(side=''))
# Prefer exercises whose movement_patterns overlap with warmup keywords
warmup_q = Q()
@@ -420,7 +478,6 @@ class ExerciseSelector:
is_duration_based=True,
fitness_level=fitness_level,
).exclude(pk__in={e.pk for e in selected})
wide_qs = wide_qs.filter(Q(side__isnull=True) | Q(side=''))
# Apply same warmup safety exclusions
wide_qs = wide_qs.exclude(is_weight=True)
wide_qs = wide_qs.exclude(is_compound=True)
@@ -440,7 +497,8 @@ class ExerciseSelector:
self._track_families(selected)
selected = self._ensure_side_pair_integrity(selected, qs, count=count)
return self._trim_preserving_pairs(selected, count)
selected = self._trim_preserving_pairs(selected, count)
return self._order_side_pairs_adjacent(selected)
def select_cooldown_exercises(self, target_muscles, count=4):
"""
@@ -456,8 +514,6 @@ class ExerciseSelector:
is_duration_based=True,
fitness_level=fitness_level,
)
# Avoid duplicate-looking left/right variants in recovery sections.
qs = qs.filter(Q(side__isnull=True) | Q(side=''))
cooldown_q = Q()
for kw in self.COOLDOWN_PATTERNS:
@@ -489,7 +545,6 @@ class ExerciseSelector:
is_duration_based=True,
fitness_level=fitness_level,
).exclude(pk__in={e.pk for e in selected})
wide_qs = wide_qs.filter(Q(side__isnull=True) | Q(side=''))
# Apply same exclusions
wide_qs = wide_qs.exclude(exclude_q)
# R11: also apply weight filter on wide fallback
@@ -509,7 +564,8 @@ class ExerciseSelector:
self._track_families(selected)
selected = self._ensure_side_pair_integrity(selected, qs, count=count)
return self._trim_preserving_pairs(selected, count)
selected = self._trim_preserving_pairs(selected, count)
return self._order_side_pairs_adjacent(selected)
# ------------------------------------------------------------------
# Internal helpers
@@ -568,37 +624,31 @@ class ExerciseSelector:
qs = qs.exclude(name_exclude_q)
# ---- Hard exclude exercises from recent workouts (Phase 6) ----
# Adaptive: if pool would be too small, relax hard exclude to soft penalty
# Adaptive: if pool would be too small, relax hard exclude to soft penalty.
# Use a local merged set to avoid permanently polluting recently_used_ids.
if self.hard_exclude_ids:
test_qs = qs.exclude(pk__in=self.hard_exclude_ids)
if test_qs.count() >= 10:
qs = test_qs
else:
# Pool too small — convert hard exclude to soft penalty instead
self.recently_used_ids = self.recently_used_ids | self.hard_exclude_ids
if not hasattr(self, '_warned_small_pool'):
self.warnings.append(
'Exercise pool too small for full variety rotation — '
'relaxed recent exclusion to soft penalty.'
)
self._warned_small_pool = True
# Pool too small — treat hard excludes as soft penalty for this
# queryset only (don't mutate the original recently_used_ids).
if not hasattr(self, '_relaxed_hard_exclude_ids'):
self._relaxed_hard_exclude_ids = set(self.hard_exclude_ids)
if not hasattr(self, '_warned_small_pool'):
self.warnings.append(
'Exercise pool too small for full variety rotation — '
'relaxed recent exclusion to soft penalty.'
)
self._warned_small_pool = True
# ---- Filter by user's available equipment ----
available_equipment_ids = set(
self.user_preference.available_equipment.values_list('pk', flat=True)
)
if not available_equipment_ids:
# No equipment set: only allow bodyweight exercises (no WorkoutEquipment entries)
exercises_with_equipment = set(
WorkoutEquipment.objects.values_list('exercise_id', flat=True).distinct()
)
qs = qs.exclude(pk__in=exercises_with_equipment)
if not hasattr(self, '_warned_no_equipment'):
self.warnings.append(
'No equipment set — using bodyweight exercises only. '
'Update your equipment preferences for more variety.'
)
self._warned_no_equipment = True
# No equipment set in preferences — all exercises are available (no filtering).
pass
elif available_equipment_ids:
# Cache equipment map on instance to avoid rebuilding per call
if not hasattr(self, '_equipment_map_cache'):
@@ -895,6 +945,7 @@ class ExerciseSelector:
count,
superset_position=None,
similarity_scope=None,
preferred_modality=None,
):
"""
Pick up to *count* exercises using weighted random selection.
@@ -909,6 +960,10 @@ class ExerciseSelector:
superset_position: 'early', 'late', or None. When set, boosts
exercises based on their exercise_tier (primary for early,
accessory for late).
preferred_modality: 'reps' or 'duration' or None. When set,
exercises that don't match the preferred modality get 0.3x weight
(cross-modality penalty). Dual-modality exercises always get full weight.
"""
if count <= 0:
return []
@@ -932,12 +987,49 @@ class ExerciseSelector:
return base_w * 2
return base_w
def _apply_week_penalty(ex, base_w):
"""Soft-penalize exercises already used earlier in the week."""
w = base_w
if self.week_used_exercise_ids and ex.pk in self.week_used_exercise_ids:
w = max(1, w // 2)
if self.week_used_movement_families:
for fam in extract_movement_families(ex.name):
if self.week_used_movement_families.get(fam, 0) >= self._get_week_family_limit(fam):
w = max(1, w // 2)
break
return w
def _apply_modality_penalty(ex, base_w):
"""Soft-penalize exercises that don't match the preferred modality.
Dual-modality exercises (is_reps AND is_duration) get full weight.
Cross-modality exercises get 0.3x weight (minimum 1).
"""
if not preferred_modality:
return base_w
is_reps = getattr(ex, 'is_reps', False)
is_dur = getattr(ex, 'is_duration', False)
# Dual-modality: always full weight
if is_reps and is_dur:
return base_w
if preferred_modality == 'reps' and is_reps:
return base_w
if preferred_modality == 'duration' and is_dur:
return base_w
# Cross-modality: reduce to ~30% of base weight
return max(1, int(base_w * 0.3))
# Build effective soft-penalty set: recently_used + any relaxed hard excludes
_effective_recently_used = self.recently_used_ids
if hasattr(self, '_relaxed_hard_exclude_ids') and self._relaxed_hard_exclude_ids:
_effective_recently_used = self.recently_used_ids | self._relaxed_hard_exclude_ids
for ex in preferred_list:
w = weight_preferred
# Boost exercises that are progressions of recently completed exercises
if ex.pk in self.progression_boost_ids:
w = w * 2
if ex.pk in self.recently_used_ids:
if ex.pk in _effective_recently_used:
w = 1 # Reduce weight for recently used
# Penalize overused movement patterns for variety (Phase 11)
# Fixed: check ALL comma-separated patterns, use max count
@@ -953,12 +1045,16 @@ class ExerciseSelector:
w = 1
elif max_pat_count >= 2:
w = max(1, w - 1)
w = _apply_week_penalty(ex, w)
w = _apply_modality_penalty(ex, w)
w = _tier_boost(ex, w)
pool.extend([ex] * w)
for ex in other_list:
w = weight_other
if ex.pk in self.recently_used_ids:
if ex.pk in _effective_recently_used:
w = 1 # Already 1 but keep explicit
w = _apply_week_penalty(ex, w)
w = _apply_modality_penalty(ex, w)
w = _tier_boost(ex, w)
pool.extend([ex] * w)
@@ -1153,23 +1249,26 @@ class ExerciseSelector:
if not opposite_norm:
continue
# Find the matching partner by name similarity and opposite side
# Find the matching partner by exact base-name match and opposite side.
# Typically the name is identical except for side, e.g.
# "Single Arm Row Left" / "Single Arm Row Right"
base_name = ex.name
for side_word in ['Left', 'Right', 'left', 'right']:
base_name = base_name.replace(side_word, '').strip()
base_name = self._strip_side_tokens(ex.name)
partner = (
# Use strict matching: find candidates with opposite side,
# then filter in Python by exact base-name match to avoid
# substring false positives (e.g. "L Sit" matching "Wall Sit").
partner_candidates = (
Exercise.objects
.filter(
name__icontains=base_name,
)
.filter(self._side_values_q(opposite_norm))
.exclude(pk__in=self.used_exercise_ids)
.exclude(pk__in=paired_ids)
.first()
)
partner = None
for candidate in partner_candidates:
candidate_base = self._strip_side_tokens(candidate.name)
if base_name.lower() == candidate_base.lower():
partner = candidate
break
if partner and partner.pk not in paired_ids:
exercises_to_add.append(partner)
@@ -1184,12 +1283,11 @@ class ExerciseSelector:
# Check if any partner should follow this exercise
for partner in exercises_to_add:
if partner.pk not in added_ids:
# Check if partner is the pair for this exercise
# Check if partner is the pair for this exercise using exact base-name match
if ex.side and ex.side.strip():
base_name = ex.name
for side_word in ['Left', 'Right', 'left', 'right']:
base_name = base_name.replace(side_word, '').strip()
if base_name.lower() in partner.name.lower():
ex_base = self._strip_side_tokens(ex.name)
partner_base = self._strip_side_tokens(partner.name)
if ex_base.lower() == partner_base.lower():
final.append(partner)
added_ids.add(partner.pk)
@@ -1265,6 +1363,57 @@ class ExerciseSelector:
return result
def _order_side_pairs_adjacent(self, selected):
"""
Keep left/right variants adjacent in list order.
This is primarily for warm-up/cool-down UX so side-specific movements
render one after another instead of grouped by side.
"""
if len(selected) < 2:
return selected
side_map = {}
for ex in selected:
side_val = self._normalize_side_value(getattr(ex, 'side', ''))
if side_val not in ('left', 'right'):
continue
key = self._strip_side_tokens(getattr(ex, 'name', ''))
side_map.setdefault(key, {'left': [], 'right': []})
side_map[key][side_val].append(ex)
ordered = []
used_ids = set()
for ex in selected:
if ex.pk in used_ids:
continue
side_val = self._normalize_side_value(getattr(ex, 'side', ''))
if side_val in ('left', 'right'):
key = self._strip_side_tokens(getattr(ex, 'name', ''))
opposite = self._opposite_side(side_val)
opposite_ex = None
for candidate in side_map.get(key, {}).get(opposite, []):
if candidate.pk not in used_ids:
opposite_ex = candidate
break
if opposite_ex:
ordered.append(ex)
ordered.append(opposite_ex)
used_ids.add(ex.pk)
used_ids.add(opposite_ex.pk)
continue
ordered.append(ex)
used_ids.add(ex.pk)
for ex in selected:
if ex.pk not in used_ids:
ordered.append(ex)
used_ids.add(ex.pk)
return ordered
def _strip_side_tokens(self, name):
"""Normalize a name by removing left/right tokens."""
base = name or ''

16
generator/services/muscle_normalizer.py
View File

@@ -157,7 +157,7 @@ MUSCLE_GROUP_CATEGORIES: dict[str, list[str]] = {
'traps', 'forearms', 'rotator cuff',
],
'lower_push': [
'quads', 'calves', 'glutes', 'hip abductors', 'hip adductors',
'quads', 'calves', 'hip abductors', 'hip adductors',
],
'lower_pull': [
'hamstrings', 'glutes', 'lower back', 'hip flexors',
@@ -202,6 +202,9 @@ def normalize_muscle_name(name: Optional[str]) -> Optional[str]:
return key
_muscle_cache: dict[int, Set[str]] = {}
def get_muscles_for_exercise(exercise) -> Set[str]:
"""
Return the set of normalized muscle names for a given Exercise instance.
@@ -209,7 +212,12 @@ def get_muscles_for_exercise(exercise) -> Set[str]:
Uses the ExerciseMuscle join table (exercise.exercise_muscle_exercise).
Falls back to the comma-separated Exercise.muscle_groups field if no
ExerciseMuscle rows exist.
Results are cached per exercise ID to avoid repeated DB queries.
"""
if exercise.id in _muscle_cache:
return _muscle_cache[exercise.id]
from muscle.models import ExerciseMuscle
muscles: Set[str] = set()
@@ -229,9 +237,15 @@ def get_muscles_for_exercise(exercise) -> Set[str]:
if normalized:
muscles.add(normalized)
_muscle_cache[exercise.id] = muscles
return muscles
def clear_muscle_cache() -> None:
"""Clear the muscle cache (useful for testing or re-analysis)."""
_muscle_cache.clear()
def get_movement_patterns_for_exercise(exercise) -> List[str]:
"""
Parse the comma-separated movement_patterns CharField on Exercise and

139
generator/services/plan_builder.py
View File

@@ -1,5 +1,7 @@
import logging
from django.db import transaction
from workout.models import Workout
from superset.models import Superset, SupersetExercise
@@ -55,88 +57,87 @@ class PlanBuilder:
Workout
The fully-persisted Workout instance with all child objects.
"""
# ---- 1. Create the Workout ----
workout = Workout.objects.create(
name=workout_spec.get('name', 'Generated Workout'),
description=workout_spec.get('description', ''),
registered_user=self.registered_user,
)
workout.save()
workout_total_time = 0
superset_order = 1
# ---- 2. Create each Superset ----
for ss_spec in workout_spec.get('supersets', []):
ss_name = ss_spec.get('name', f'Set {superset_order}')
rounds = ss_spec.get('rounds', 1)
exercises = ss_spec.get('exercises', [])
superset = Superset.objects.create(
workout=workout,
name=ss_name,
rounds=rounds,
order=superset_order,
rest_between_rounds=ss_spec.get('rest_between_rounds', 45),
with transaction.atomic():
# ---- 1. Create the Workout ----
workout = Workout.objects.create(
name=workout_spec.get('name', 'Generated Workout'),
description=workout_spec.get('description', ''),
registered_user=self.registered_user,
)
superset.save()
superset_total_time = 0
workout_total_time = 0
superset_order = 1
# ---- 3. Create each SupersetExercise ----
for ex_spec in exercises:
exercise_obj = ex_spec.get('exercise')
if exercise_obj is None:
logger.warning(
"Skipping exercise entry with no exercise object in "
"superset '%s'", ss_name,
)
continue
# ---- 2. Create each Superset ----
for ss_spec in workout_spec.get('supersets', []):
ss_name = ss_spec.get('name', f'Set {superset_order}')
rounds = ss_spec.get('rounds', 1)
exercises = ss_spec.get('exercises', [])
order = ex_spec.get('order', 1)
superset_exercise = SupersetExercise.objects.create(
superset=superset,
exercise=exercise_obj,
order=order,
superset = Superset.objects.create(
workout=workout,
name=ss_name,
rounds=rounds,
order=superset_order,
rest_between_rounds=ss_spec.get('rest_between_rounds', 45),
)
# Assign optional fields exactly like add_workout does
if ex_spec.get('weight') is not None:
superset_exercise.weight = ex_spec['weight']
superset_total_time = 0
if ex_spec.get('reps') is not None:
superset_exercise.reps = ex_spec['reps']
rep_duration = exercise_obj.estimated_rep_duration or 3.0
superset_total_time += ex_spec['reps'] * rep_duration
# ---- 3. Create each SupersetExercise ----
for ex_spec in exercises:
exercise_obj = ex_spec.get('exercise')
if exercise_obj is None:
logger.warning(
"Skipping exercise entry with no exercise object in "
"superset '%s'", ss_name,
)
continue
if ex_spec.get('duration') is not None:
superset_exercise.duration = ex_spec['duration']
superset_total_time += ex_spec['duration']
order = ex_spec.get('order', 1)
superset_exercise.save()
superset_exercise = SupersetExercise.objects.create(
superset=superset,
exercise=exercise_obj,
order=order,
)
# ---- 4. Update superset estimated_time ----
# Store total time including all rounds and rest between rounds
rest_between_rounds = ss_spec.get('rest_between_rounds', 45)
rest_time = rest_between_rounds * max(0, rounds - 1)
superset.estimated_time = (superset_total_time * rounds) + rest_time
superset.save()
# Assign optional fields exactly like add_workout does
if ex_spec.get('weight') is not None:
superset_exercise.weight = ex_spec['weight']
# Accumulate into workout total (use the already-calculated superset time)
workout_total_time += superset.estimated_time
superset_order += 1
if ex_spec.get('reps') is not None:
superset_exercise.reps = ex_spec['reps']
rep_duration = exercise_obj.estimated_rep_duration or 3.0
superset_total_time += ex_spec['reps'] * rep_duration
# Add transition time between supersets
# (matches GENERATION_RULES['rest_between_supersets'] in workout_generator)
superset_count = superset_order - 1
if superset_count > 1:
rest_between_supersets = 30
workout_total_time += rest_between_supersets * (superset_count - 1)
if ex_spec.get('duration') is not None:
superset_exercise.duration = ex_spec['duration']
superset_total_time += ex_spec['duration']
# ---- 5. Update workout estimated_time ----
workout.estimated_time = workout_total_time
workout.save()
superset_exercise.save()
# ---- 4. Update superset estimated_time ----
# Store total time including all rounds and rest between rounds
rest_between_rounds = ss_spec.get('rest_between_rounds', 45)
rest_time = rest_between_rounds * max(0, rounds - 1)
superset.estimated_time = (superset_total_time * rounds) + rest_time
superset.save()
# Accumulate into workout total (use the already-calculated superset time)
workout_total_time += superset.estimated_time
superset_order += 1
# Add transition time between supersets
# (matches GENERATION_RULES['rest_between_supersets'] in workout_generator)
superset_count = superset_order - 1
if superset_count > 1:
rest_between_supersets = 30
workout_total_time += rest_between_supersets * (superset_count - 1)
# ---- 5. Update workout estimated_time ----
workout.estimated_time = workout_total_time
workout.save()
logger.info(
"Created workout '%s' (id=%s) with %d supersets, est. %ds",

33
generator/services/workout_analyzer.py
View File

@@ -27,6 +27,7 @@ from typing import Dict, List, Optional, Set, Tuple
import numpy as np
from django.db import transaction
from django.db.models import Count, Prefetch, Q
from exercise.models import Exercise
@@ -225,14 +226,15 @@ class WorkoutAnalyzer:
print(' Workout Analyzer - ML Pattern Extraction')
print('=' * 64)
self._clear_existing_patterns()
self._step1_populate_workout_types()
self._step2_extract_workout_data()
self._step3_extract_muscle_group_splits()
self._step4_extract_weekly_split_patterns()
self._step5_extract_workout_structure_rules()
self._step6_extract_movement_pattern_ordering()
self._step7_ensure_full_rule_coverage()
with transaction.atomic():
self._clear_existing_patterns()
self._step1_populate_workout_types()
self._step2_extract_workout_data()
self._step3_extract_muscle_group_splits()
self._step4_extract_weekly_split_patterns()
self._step5_extract_workout_structure_rules()
self._step6_extract_movement_pattern_ordering()
self._step7_ensure_full_rule_coverage()
print('\n' + '=' * 64)
print(' Analysis complete.')
@@ -1325,16 +1327,19 @@ class WorkoutAnalyzer:
},
}
# Prefetch all existing rules into an in-memory set to avoid
# N exists() queries (one per workout_type x section x goal combination).
existing_rules = set(
WorkoutStructureRule.objects.values_list(
'workout_type_id', 'section_type', 'goal_type'
)
)
created = 0
for wt in workout_types:
for section in all_sections:
for goal in all_goals:
exists = WorkoutStructureRule.objects.filter(
workout_type=wt,
section_type=section,
goal_type=goal,
).exists()
if not exists:
if (wt.pk, section, goal) not in existing_rules:
defaults = dict(section_defaults[section])
# Apply goal adjustments
base_params = {

6
generator/services/workout_generation/__init__.py Normal file
View File

@@ -0,0 +1,6 @@
"""Pure workout generation utilities.
These helpers are intentionally side-effect free so they can be tested
independently from Django models and service orchestration.
"""

39
generator/services/workout_generation/entry_rules.py Normal file
View File

@@ -0,0 +1,39 @@
import math
import random
def pick_reps_for_exercise(exercise, wt_params: dict, tier_ranges: dict, rng=random) -> int:
"""Pick reps from tier-specific range, then fallback to generic wt params."""
tier = (getattr(exercise, 'exercise_tier', None) or 'accessory').lower()
selected_range = tier_ranges.get(tier) or (wt_params['rep_min'], wt_params['rep_max'])
low, high = int(selected_range[0]), int(selected_range[1])
if low > high:
low, high = high, low
return rng.randint(low, high)
def apply_rep_volume_floor(entries: list[dict], rounds: int, min_volume: int) -> None:
"""Mutate entries in-place so reps*rounds meets the minimum volume floor."""
if rounds <= 0:
return
for entry in entries:
reps = entry.get('reps')
if reps and reps * rounds < min_volume:
entry['reps'] = max(reps, math.ceil(min_volume / rounds))
def working_rest_seconds(rest_override, default_rest: int, minimum_rest: int = 15) -> int:
"""Return guarded positive working rest in seconds."""
rest = rest_override or default_rest or 45
return max(minimum_rest, int(rest))
def sort_entries_by_hr(entries: list[dict], is_early_block: bool) -> None:
"""Sort entries by HR elevation and re-number order."""
entries.sort(
key=lambda e: getattr(e.get('exercise'), 'hr_elevation_rating', 5) or 5,
reverse=is_early_block,
)
for idx, entry in enumerate(entries, start=1):
entry['order'] = idx

41
generator/services/workout_generation/focus.py Normal file
View File

@@ -0,0 +1,41 @@
from typing import Optional
from generator.services.exercise_selector import extract_movement_families
def focus_key_for_exercise(exercise) -> Optional[str]:
"""Classify exercise into a coarse focus key used for variety checks."""
if exercise is None:
return None
families = sorted(extract_movement_families(getattr(exercise, 'name', '') or ''))
if families:
return families[0]
patterns = (getattr(exercise, 'movement_patterns', '') or '').lower()
for token in ('upper pull', 'upper push', 'hip hinge', 'squat', 'lunge', 'core', 'carry'):
if token in patterns:
return token
return None
def has_duplicate_focus(exercises: list) -> bool:
"""True when two exercises in one superset map to the same focus key."""
seen = set()
for ex in exercises or []:
key = focus_key_for_exercise(ex)
if not key:
continue
if key in seen:
return True
seen.add(key)
return False
def focus_keys_for_exercises(exercises: list) -> set:
"""Return non-empty focus keys for a list of exercises."""
keys = set()
for ex in exercises or []:
key = focus_key_for_exercise(ex)
if key:
keys.add(key)
return keys

53
generator/services/workout_generation/modality.py Normal file
View File

@@ -0,0 +1,53 @@
import math
import random
from typing import Optional
def clamp_duration_bias(duration_bias: float, duration_bias_range: Optional[tuple]) -> float:
"""Clamp duration bias to [0,1] or workout-type specific range."""
if not duration_bias_range:
return max(0.0, min(1.0, duration_bias))
low, high = duration_bias_range
return max(float(low), min(float(high), duration_bias))
def plan_superset_modalities(
*,
num_supersets: int,
duration_bias: float,
duration_bias_range: Optional[tuple],
is_strength_workout: bool,
rng=random,
) -> list[bool]:
"""Plan per-superset modality (True=duration, False=reps)."""
if num_supersets <= 0:
return []
if is_strength_workout:
return [False] * num_supersets
if duration_bias_range:
low, high = duration_bias_range
target_bias = (float(low) + float(high)) / 2.0
min_duration_sets = max(0, math.ceil(num_supersets * float(low)))
max_duration_sets = min(num_supersets, math.floor(num_supersets * float(high)))
else:
target_bias = max(0.0, min(1.0, duration_bias))
min_duration_sets = max(0, math.floor(num_supersets * max(0.0, target_bias - 0.15)))
max_duration_sets = min(num_supersets, math.ceil(num_supersets * min(1.0, target_bias + 0.15)))
duration_sets = int(round(num_supersets * target_bias))
duration_sets = max(min_duration_sets, min(max_duration_sets, duration_sets))
if num_supersets > 1 and duration_sets == num_supersets and max_duration_sets < num_supersets:
duration_sets = max_duration_sets
if num_supersets > 1 and duration_sets == 0 and min_duration_sets > 0:
duration_sets = min_duration_sets
modalities = [False] * num_supersets
if duration_sets > 0:
positions = list(range(num_supersets))
rng.shuffle(positions)
for idx in positions[:duration_sets]:
modalities[idx] = True
return modalities

26
generator/services/workout_generation/pattern_planning.py Normal file
View File

@@ -0,0 +1,26 @@
def working_position_label(ss_idx: int, num_supersets: int) -> str:
"""Return early/middle/late position label for a working superset index."""
if num_supersets <= 1 or ss_idx == 0:
return 'early'
if ss_idx >= num_supersets - 1:
return 'late'
return 'middle'
def merge_pattern_preferences(position_patterns, rule_patterns):
"""Combine positional and structure-rule pattern preferences."""
if rule_patterns and position_patterns:
overlap = [p for p in position_patterns if p in rule_patterns]
return overlap or rule_patterns[:3]
if rule_patterns:
return rule_patterns[:3]
return position_patterns
def rotated_muscle_subset(target_muscles: list[str], ss_idx: int) -> list[str]:
"""Rotate target muscle emphasis between supersets."""
if len(target_muscles) <= 1:
return target_muscles
start = ss_idx % len(target_muscles)
return target_muscles[start:] + target_muscles[:start]

14
generator/services/workout_generation/recovery.py Normal file
View File

@@ -0,0 +1,14 @@
def is_recovery_exercise(ex) -> bool:
"""True for warmup/cooldown-style recovery/stretch exercises."""
if ex is None:
return False
name = (getattr(ex, 'name', '') or '').lower()
patterns = (getattr(ex, 'movement_patterns', '') or '').lower()
if 'stretch' in name:
return True
blocked = (
'mobility - static', 'static stretch', 'yoga',
'cool down', 'cooldown', 'breathing', 'massage',
)
return any(token in patterns for token in blocked)

31
generator/services/workout_generation/scaling.py Normal file
View File

@@ -0,0 +1,31 @@
def apply_fitness_scaling(
params: dict,
*,
fitness_level: int,
scaling_config: dict,
min_reps: int,
min_reps_strength: int,
is_strength: bool = False,
) -> dict:
"""Scale workout params based on fitness level."""
out = dict(params)
level = fitness_level or 2
scaling = scaling_config.get(level, scaling_config[2])
rep_floor = min_reps_strength if is_strength else min_reps
out['rep_min'] = max(rep_floor, int(out['rep_min'] * scaling['rep_min_mult']))
out['rep_max'] = max(out['rep_min'], int(out['rep_max'] * scaling['rep_max_mult']))
rounds_min, rounds_max = out['rounds']
rounds_min = max(1, rounds_min + scaling['rounds_adj'])
rounds_max = max(rounds_min, rounds_max + scaling['rounds_adj'])
out['rounds'] = (rounds_min, rounds_max)
rest = out.get('rest_between_rounds', 45)
out['rest_between_rounds'] = max(15, rest + scaling['rest_adj'])
if level <= 1 and is_strength:
out['rep_min'] = max(5, out['rep_min'])
out['rep_max'] = max(out['rep_min'], out['rep_max'])
return out

68
generator/services/workout_generation/section_builders.py Normal file
View File

@@ -0,0 +1,68 @@
import random
from typing import Iterable, Optional
def section_exercise_count(section: str, fitness_level: int, rng=random) -> int:
"""Return section exercise count range by fitness level."""
level = fitness_level or 2
if section == 'warmup':
if level <= 1:
return rng.randint(5, 7)
if level >= 3:
return rng.randint(3, 5)
return rng.randint(4, 6)
if section == 'cooldown':
if level <= 1:
return rng.randint(4, 5)
if level >= 3:
return rng.randint(2, 3)
return rng.randint(3, 4)
raise ValueError(f'Unknown section: {section}')
def rounded_duration(
raw_duration: int,
*,
min_duration: int,
duration_multiple: int,
) -> int:
"""Round duration to configured multiple and clamp to minimum."""
return max(min_duration, round(raw_duration / duration_multiple) * duration_multiple)
def build_duration_entries(
exercises: Iterable,
*,
duration_min: int,
duration_max: int,
min_duration: int,
duration_multiple: int,
rng=random,
) -> list[dict]:
"""Build ordered duration entries from exercises."""
entries = []
for idx, ex in enumerate(exercises, start=1):
duration = rng.randint(duration_min, duration_max)
entries.append({
'exercise': ex,
'duration': rounded_duration(
duration,
min_duration=min_duration,
duration_multiple=duration_multiple,
),
'order': idx,
})
return entries
def build_section_superset(name: str, entries: list[dict]) -> Optional[dict]:
"""Build a single-round warmup/cooldown superset payload."""
if not entries:
return None
return {
'name': name,
'rounds': 1,
'rest_between_rounds': 0,
'exercises': entries,
}

635
generator/services/workout_generator.py
View File

File diff suppressed because it is too large Load Diff

63
generator/tests/test_exercise_family_dedup.py Normal file
View File

@@ -0,0 +1,63 @@
from django.contrib.auth.models import User
from django.test import TestCase
from exercise.models import Exercise
from generator.models import UserPreference
from generator.services.exercise_selector import (
ExerciseSelector,
extract_movement_families,
)
from registered_user.models import RegisteredUser
class TestExerciseFamilyDedup(TestCase):
def setUp(self):
django_user = User.objects.create_user(
username='family_dedup_user',
password='testpass123',
)
registered_user = RegisteredUser.objects.create(
user=django_user,
first_name='Family',
last_name='Dedup',
)
self.preference = UserPreference.objects.create(
registered_user=registered_user,
days_per_week=4,
fitness_level=2,
)
def test_high_pull_maps_to_clean_family(self):
clean_pull_families = extract_movement_families('Barbell Clean Pull')
high_pull_families = extract_movement_families('Barbell High Pull')
self.assertIn('clean', clean_pull_families)
self.assertIn('clean', high_pull_families)
def test_high_pull_blocked_when_clean_family_already_used(self):
high_pull = Exercise.objects.create(
name='Barbell High Pull',
movement_patterns='lower pull,lower pull - hip hinge',
muscle_groups='glutes,hamstrings,traps',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=True,
exercise_tier='secondary',
complexity_rating=3,
difficulty_level='intermediate',
)
selector = ExerciseSelector(self.preference)
selector.used_movement_families['clean'] = 1
selected = selector._weighted_pick(
Exercise.objects.filter(pk=high_pull.pk),
Exercise.objects.none(),
count=1,
)
self.assertEqual(
selected,
[],
'High-pull variant should be blocked when clean family is already used.',
)

142
generator/tests/test_exercise_similarity_dedup.py Normal file
View File

@@ -0,0 +1,142 @@
from django.contrib.auth.models import User
from django.test import TestCase
from exercise.models import Exercise
from generator.models import UserPreference
from generator.services.exercise_selector import ExerciseSelector
from registered_user.models import RegisteredUser
class TestExerciseSimilarityDedup(TestCase):
def setUp(self):
django_user = User.objects.create_user(
username='similarity_dedup_user',
password='testpass123',
)
registered_user = RegisteredUser.objects.create(
user=django_user,
first_name='Similarity',
last_name='Dedup',
)
self.preference = UserPreference.objects.create(
registered_user=registered_user,
days_per_week=4,
fitness_level=2,
)
def test_hard_similarity_blocks_near_identical_working_exercise(self):
selector = ExerciseSelector(self.preference)
prior = Exercise.objects.create(
name='Posterior Chain Pull Alpha',
movement_patterns='lower pull, lower pull - hip hinge',
muscle_groups='glutes,hamstrings,traps',
equipment_required='barbell',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=True,
difficulty_level='intermediate',
)
candidate = Exercise.objects.create(
name='Posterior Chain Pull Beta',
movement_patterns='lower pull, lower pull - hip hinge',
muscle_groups='glutes,hamstrings,traps',
equipment_required='barbell',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=True,
difficulty_level='intermediate',
)
selector.used_working_similarity_profiles.append(
selector._build_similarity_profile(prior)
)
selected = selector._weighted_pick(
Exercise.objects.filter(pk=candidate.pk),
Exercise.objects.none(),
count=1,
similarity_scope='working',
)
self.assertEqual(
selected,
[],
'Near-identical exercise should be hard-blocked in same workout.',
)
def test_soft_similarity_blocks_adjacent_superset_repetition(self):
selector = ExerciseSelector(self.preference)
previous_set_ex = Exercise.objects.create(
name='Hip Hinge Pattern Alpha',
movement_patterns='lower pull, lower pull - hip hinge, core',
muscle_groups='glutes,hamstrings,core',
equipment_required='barbell',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=True,
difficulty_level='intermediate',
)
adjacent_candidate = Exercise.objects.create(
name='Hip Hinge Pattern Beta',
movement_patterns='lower pull - hip hinge, core',
muscle_groups='glutes,hamstrings,core',
equipment_required='barbell',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=True,
difficulty_level='intermediate',
)
selector.last_working_similarity_profiles = [
selector._build_similarity_profile(previous_set_ex)
]
selected = selector._weighted_pick(
Exercise.objects.filter(pk=adjacent_candidate.pk),
Exercise.objects.none(),
count=1,
similarity_scope='working',
)
self.assertEqual(
selected,
[],
'Very similar adjacent-set exercise should be soft-blocked.',
)
def test_dissimilar_exercise_is_allowed(self):
selector = ExerciseSelector(self.preference)
previous_set_ex = Exercise.objects.create(
name='Posterior Chain Pull Alpha',
movement_patterns='lower pull, lower pull - hip hinge, core',
muscle_groups='glutes,hamstrings,core',
equipment_required='barbell',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=True,
difficulty_level='intermediate',
)
different_candidate = Exercise.objects.create(
name='Horizontal Push Builder',
movement_patterns='upper push - horizontal, upper push',
muscle_groups='chest,triceps,deltoids',
equipment_required='dumbbell',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=True,
difficulty_level='intermediate',
)
selector.last_working_similarity_profiles = [
selector._build_similarity_profile(previous_set_ex)
]
selected = selector._weighted_pick(
Exercise.objects.filter(pk=different_candidate.pk),
Exercise.objects.none(),
count=1,
similarity_scope='working',
)
self.assertEqual(len(selected), 1)
self.assertEqual(selected[0].pk, different_candidate.pk)

103
generator/tests/test_modality_guardrails.py Normal file
View File

@@ -0,0 +1,103 @@
from django.contrib.auth.models import User
from django.test import TestCase
from exercise.models import Exercise
from generator.models import UserPreference
from generator.services.exercise_selector import ExerciseSelector
from registered_user.models import RegisteredUser
class TestModalityGuardrails(TestCase):
def setUp(self):
django_user = User.objects.create_user(
username='modality_guardrails_user',
password='testpass123',
)
registered_user = RegisteredUser.objects.create(
user=django_user,
first_name='Modality',
last_name='Guardrails',
)
self.preference = UserPreference.objects.create(
registered_user=registered_user,
days_per_week=4,
fitness_level=2,
)
def test_rep_mode_excludes_duration_only_exercises(self):
duration_only = Exercise.objects.create(
name="Dumbbell Waiter's Carry",
movement_patterns='core,core - carry',
muscle_groups='core,deltoids,upper back',
equipment_required='Dumbbell',
is_weight=True,
is_duration=True,
is_reps=False,
is_compound=True,
exercise_tier='secondary',
difficulty_level='intermediate',
complexity_rating=3,
)
reps_ex = Exercise.objects.create(
name='2 Kettlebell Clean and Press',
movement_patterns='upper push - vertical, upper push, lower pull',
muscle_groups='deltoids,triceps,glutes',
equipment_required='Kettlebell',
is_weight=True,
is_duration=False,
is_reps=True,
is_compound=True,
exercise_tier='secondary',
difficulty_level='intermediate',
complexity_rating=3,
)
selector = ExerciseSelector(self.preference)
picked = selector.select_exercises(
muscle_groups=[],
count=2,
is_duration_based=False,
)
picked_ids = {e.pk for e in picked}
self.assertIn(reps_ex.pk, picked_ids)
self.assertNotIn(duration_only.pk, picked_ids)
def test_working_selection_excludes_static_stretch_patterns(self):
static_stretch = Exercise.objects.create(
name='Supine Pec Stretch - T',
movement_patterns='mobility - static, static stretch, cool down',
muscle_groups='chest,shoulders',
equipment_required='None',
is_weight=False,
is_duration=True,
is_reps=False,
is_compound=False,
exercise_tier='accessory',
difficulty_level='beginner',
complexity_rating=1,
)
valid_reps = Exercise.objects.create(
name='Barbell Clean Pull',
movement_patterns='upper pull,hip hinge',
muscle_groups='upper back,hamstrings,glutes',
equipment_required='Barbell',
is_weight=True,
is_duration=False,
is_reps=True,
is_compound=True,
exercise_tier='primary',
difficulty_level='intermediate',
complexity_rating=3,
)
selector = ExerciseSelector(self.preference)
picked = selector.select_exercises(
muscle_groups=[],
count=2,
is_duration_based=False,
)
picked_ids = {e.pk for e in picked}
self.assertIn(valid_reps.pk, picked_ids)
self.assertNotIn(static_stretch.pk, picked_ids)

106
generator/tests/test_movement_enforcement.py
View File

@@ -61,6 +61,18 @@ class MovementEnforcementTestBase(TestCase):
superset_size_min=3,
superset_size_max=6,
)
cls.functional_type, _ = WorkoutType.objects.get_or_create(
name='functional_strength_training',
defaults={
'typical_rest_between_sets': 60,
'typical_intensity': 'high',
'rep_range_min': 6,
'rep_range_max': 12,
'duration_bias': 0.2,
'superset_size_min': 2,
'superset_size_max': 4,
},
)
cls.core_type = WorkoutType.objects.filter(name='core_training').first()
if cls.core_type is None:
cls.core_type = WorkoutType.objects.create(
@@ -184,6 +196,54 @@ class TestMovementPatternEnforcement(MovementEnforcementTestBase):
pref.delete()
def test_working_superset_filters_stretch_entries_and_keeps_positive_rest(self):
"""Working supersets should never keep static stretch entries."""
pref = self._make_preference()
gen = self._make_generator(pref)
valid = self._create_mock_exercise(
name='Barbell Clean Pull',
movement_patterns='upper pull,hip hinge',
is_duration=False,
is_reps=True,
is_weight=True,
is_compound=True,
)
stretch = self._create_mock_exercise(
name='Supine Pec Stretch - T',
movement_patterns='mobility - static, static stretch, cool down',
is_duration=True,
is_reps=False,
is_weight=False,
is_compound=False,
exercise_tier='accessory',
)
gen.exercise_selector.select_exercises.return_value = [valid, stretch]
gen.exercise_selector.balance_stretch_positions.return_value = [valid, stretch]
muscle_split = {
'muscles': ['chest', 'upper back'],
'split_type': 'upper',
'label': 'Upper',
}
wt_params = dict(WORKOUT_TYPE_DEFAULTS['functional strength'])
wt_params['num_supersets'] = (1, 1)
wt_params['exercises_per_superset'] = (2, 2)
wt_params['rounds'] = (4, 4)
supersets = gen._build_working_supersets(
muscle_split, self.functional_type, wt_params,
)
self.assertTrue(supersets, 'Expected at least one working superset.')
ss = supersets[0]
exercise_names = [e['exercise'].name for e in ss.get('exercises', [])]
self.assertIn('Barbell Clean Pull', exercise_names)
self.assertNotIn('Supine Pec Stretch - T', exercise_names)
self.assertGreater(ss.get('rest_between_rounds', 0), 0)
pref.delete()
def test_retries_when_superset_has_duplicate_focus(self):
"""Generator should retry when a working superset repeats focus family."""
pref = self._make_preference()
@@ -992,3 +1052,49 @@ class TestFinalConformance(MovementEnforcementTestBase):
self.assertIsInstance(workout, dict)
self.assertEqual(gen._build_working_supersets.call_count, 1)
pref.delete()
def test_side_pair_warning_filtered_when_final_workout_has_no_side_entries(self):
"""Do not surface side-pair warnings when final workout has no sided exercises."""
pref = self._make_preference()
gen = self._make_generator(pref)
gen._build_warmup = MagicMock(return_value=None)
gen._build_cooldown = MagicMock(return_value=None)
gen._check_quality_gates = MagicMock(return_value=[])
gen._adjust_to_time_target = MagicMock(side_effect=lambda spec, *_args, **_kwargs: spec)
ex = self._create_mock_exercise('Compound Lift', movement_patterns='upper pull')
ex.side = ''
gen._build_working_supersets = MagicMock(return_value=[
{
'name': 'Working Set 1',
'rounds': 3,
'rest_between_rounds': 45,
'modality': 'reps',
'exercises': [{'exercise': ex, 'reps': 8, 'order': 1}],
},
])
gen._get_final_conformance_violations = MagicMock(return_value=[])
gen.exercise_selector.warnings = [
'Added 2 missing opposite-side exercise partners.',
'Removed 1 unpaired side-specific exercises to enforce left/right pairing.',
'Could only find 3/5 exercises for deltoids.',
]
gen.generate_single_workout(
muscle_split={
'muscles': ['upper back'],
'split_type': 'pull',
'label': 'Pull Day',
},
workout_type=self.strength_type,
scheduled_date=date(2026, 3, 6),
)
self.assertTrue(
any('Could only find 3/5 exercises for deltoids.' in w for w in gen.warnings)
)
self.assertFalse(
any('opposite-side' in w.lower() or 'side-specific' in w.lower() for w in gen.warnings)
)
pref.delete()

60
generator/tests/test_rebalance_replacement_guard.py Normal file
View File

@@ -0,0 +1,60 @@
from django.contrib.auth.models import User
from django.test import TestCase
from exercise.models import Exercise
from generator.models import UserPreference
from generator.services.workout_generator import WorkoutGenerator
from registered_user.models import RegisteredUser
class TestRebalanceReplacementGuard(TestCase):
def setUp(self):
django_user = User.objects.create_user(
username='rebalance_guard_user',
password='testpass123',
)
registered_user = RegisteredUser.objects.create(
user=django_user,
first_name='Rebalance',
last_name='Guard',
)
self.preference = UserPreference.objects.create(
registered_user=registered_user,
days_per_week=4,
fitness_level=2,
)
def test_pull_replacement_prefers_non_sided_candidates(self):
sided_pull = Exercise.objects.create(
name='Single Arm Cable Row',
side='left_arm',
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=False,
difficulty_level='intermediate',
)
unsided_pull = Exercise.objects.create(
name='Chest Supported Row',
side='',
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
is_reps=True,
is_duration=False,
is_weight=True,
is_compound=False,
difficulty_level='intermediate',
)
generator = WorkoutGenerator(self.preference)
replacement = generator._select_pull_replacement(
target_muscles=[],
is_duration_based=False,
prefer_weighted=False,
)
self.assertIsNotNone(replacement)
self.assertEqual(replacement.pk, unsided_pull.pk)
self.assertNotEqual(replacement.pk, sided_pull.pk)

83
generator/tests/test_rules_engine.py
View File

@@ -548,6 +548,89 @@ class TestValidateWorkout(TestCase):
f"Expected superset focus repetition error, got {[v.rule_id for v in violations]}",
)
def test_working_set_rejects_recovery_stretch_movements(self):
stretch_ex = _make_exercise(
name='Supine Pec Stretch - T',
movement_patterns='mobility - static, mobility, cool down',
is_reps=False,
is_duration=True,
)
push_ex = _make_exercise(
name='Single-Arm Dumbbell Push Press',
movement_patterns='upper push - vertical, upper push',
is_reps=True,
is_duration=False,
is_compound=True,
is_weight=True,
exercise_tier='secondary',
)
workout_spec = {
'supersets': [
_make_superset(name='Warm Up', exercises=[
_make_entry(exercise=_make_exercise(is_reps=False), duration=30),
], rounds=1),
_make_superset(
name='Working Set 1',
exercises=[
_make_entry(exercise=push_ex, reps=8, order=1),
_make_entry(exercise=stretch_ex, duration=30, order=2),
],
rounds=4,
),
_make_superset(name='Cool Down', exercises=[
_make_entry(exercise=_make_exercise(is_reps=False), duration=30),
], rounds=1),
],
}
violations = validate_workout(
workout_spec, 'functional_strength_training', 'general_fitness',
)
stretch_errors = [
v for v in violations
if v.rule_id == 'working_contains_recovery' and v.severity == 'error'
]
self.assertTrue(stretch_errors, 'Expected recovery/stretch error in working set.')
def test_working_set_requires_positive_rest_between_rounds(self):
workout_spec = {
'supersets': [
_make_superset(name='Warm Up', exercises=[
_make_entry(exercise=_make_exercise(is_reps=False), duration=30),
], rounds=1),
{
'name': 'Working Set 1',
'rounds': 4,
'rest_between_rounds': 0,
'exercises': [
_make_entry(
exercise=_make_exercise(
name='Barbell Push Press',
movement_patterns='upper push',
is_compound=True,
is_weight=True,
exercise_tier='primary',
),
reps=5,
order=1,
),
],
},
_make_superset(name='Cool Down', exercises=[
_make_entry(exercise=_make_exercise(is_reps=False), duration=30),
], rounds=1),
],
}
violations = validate_workout(
workout_spec, 'functional_strength_training', 'general_fitness',
)
rest_warnings = [
v for v in violations
if v.rule_id == 'working_rest_missing' and v.severity == 'warning'
]
self.assertTrue(rest_warnings, 'Expected warning for missing/zero working rest.')
def test_adjacent_focus_repetition_info(self):
"""Adjacent working supersets with same focus profile should be advisory."""
pull_a = _make_exercise(name='Bicep Curl', movement_patterns='upper pull')

203
generator/tests/test_side_pair_integrity.py Normal file
View File

@@ -0,0 +1,203 @@
from django.contrib.auth.models import User
from django.test import TestCase
from exercise.models import Exercise
from generator.models import UserPreference
from generator.services.exercise_selector import ExerciseSelector
from registered_user.models import RegisteredUser
class TestSidePairIntegrity(TestCase):
def setUp(self):
django_user = User.objects.create_user(
username='side_pair_user',
password='testpass123',
)
registered_user = RegisteredUser.objects.create(
user=django_user,
first_name='Side',
last_name='Pair',
)
self.preference = UserPreference.objects.create(
registered_user=registered_user,
days_per_week=4,
fitness_level=2,
)
self.selector = ExerciseSelector(self.preference)
def test_orphan_left_is_removed_and_replaced(self):
left_only = Exercise.objects.create(
name='Single Arm Row Left',
side='Left',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
difficulty_level='intermediate',
)
filler_a = Exercise.objects.create(
name='Chest Supported Row',
side='',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
difficulty_level='intermediate',
)
filler_b = Exercise.objects.create(
name='Face Pull',
side='',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper pull, rear delt',
muscle_groups='upper back,deltoids',
difficulty_level='intermediate',
)
selected = [left_only]
base_qs = Exercise.objects.filter(pk__in=[left_only.pk, filler_a.pk, filler_b.pk])
enforced = self.selector._ensure_side_pair_integrity(selected, base_qs, count=1)
self.assertEqual(len(enforced), 1)
self.assertNotEqual(enforced[0].pk, left_only.pk)
self.assertIn(
enforced[0].pk,
{filler_a.pk, filler_b.pk},
'Orphan left-side movement should be replaced by a non-sided filler.',
)
def test_left_right_pair_is_preserved(self):
left_ex = Exercise.objects.create(
name='Single Arm Press Left',
side='Left',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper push - vertical, upper push',
muscle_groups='deltoids,triceps',
difficulty_level='intermediate',
)
right_ex = Exercise.objects.create(
name='Single Arm Press Right',
side='Right',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper push - vertical, upper push',
muscle_groups='deltoids,triceps',
difficulty_level='intermediate',
)
enforced = self.selector._ensure_side_pair_integrity(
[left_ex, right_ex],
Exercise.objects.filter(pk__in=[left_ex.pk, right_ex.pk]),
count=2,
)
enforced_ids = {ex.pk for ex in enforced}
self.assertEqual(enforced_ids, {left_ex.pk, right_ex.pk})
def test_left_arm_right_arm_pair_is_preserved(self):
left_ex = Exercise.objects.create(
name='Single Arm Row',
side='left_arm',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
difficulty_level='intermediate',
)
right_ex = Exercise.objects.create(
name='Single Arm Row',
side='right_arm',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
difficulty_level='intermediate',
)
paired = self.selector._pair_sided_exercises(
[left_ex],
Exercise.objects.filter(pk__in=[left_ex.pk, right_ex.pk]),
)
paired_ids = {ex.pk for ex in paired}
self.assertEqual(paired_ids, {left_ex.pk, right_ex.pk})
def test_orphan_left_arm_is_removed(self):
left_ex = Exercise.objects.create(
name='Single Arm Row',
side='left_arm',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
difficulty_level='intermediate',
)
filler = Exercise.objects.create(
name='Inverted Row',
side='',
is_reps=True,
is_duration=False,
is_weight=False,
movement_patterns='upper pull - horizontal, upper pull',
muscle_groups='lats,upper back,biceps',
difficulty_level='intermediate',
)
enforced = self.selector._ensure_side_pair_integrity(
[left_ex],
Exercise.objects.filter(pk__in=[left_ex.pk, filler.pk]),
count=1,
)
self.assertEqual(len(enforced), 1)
self.assertEqual(enforced[0].pk, filler.pk)
def test_try_hard_fetch_adds_opposite_side_partner_from_global_db(self):
left_ex = Exercise.objects.create(
name='Single Arm Lateral Raise Left',
side='Left',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper push',
muscle_groups='deltoids',
difficulty_level='intermediate',
)
right_ex = Exercise.objects.create(
name='Single Arm Lateral Raise Right',
side='Right',
is_reps=True,
is_duration=False,
is_weight=True,
movement_patterns='upper push',
muscle_groups='deltoids',
difficulty_level='intermediate',
)
filler = Exercise.objects.create(
name='Shoulder Tap',
side='',
is_reps=True,
is_duration=False,
is_weight=False,
movement_patterns='upper push',
muscle_groups='deltoids,core',
difficulty_level='intermediate',
)
# base_qs intentionally does not include right_ex to validate global fallback.
base_qs = Exercise.objects.filter(pk__in=[left_ex.pk, filler.pk])
enforced = self.selector._ensure_side_pair_integrity(
[left_ex, filler],
base_qs,
count=2,
)
enforced_ids = {ex.pk for ex in enforced}
self.assertIn(left_ex.pk, enforced_ids)
self.assertIn(right_ex.pk, enforced_ids)
self.assertNotIn(filler.pk, enforced_ids)

102
generator/tests/test_warmup_selector.py
View File

@@ -85,8 +85,8 @@ class TestWarmupSelector(TestCase):
self.assertNotIn(weighted_press.pk, selected_ids)
self.assertNotIn(duration_push.pk, selected_ids)
def test_warmup_excludes_side_specific_variants(self):
left_variant = Exercise.objects.create(
def test_warmup_keeps_side_specific_variants_adjacent(self):
left_variant_a = Exercise.objects.create(
name='Side Lying T Stretch',
side='left_arm',
movement_patterns='dynamic stretch, mobility - dynamic, warm up',
@@ -99,7 +99,7 @@ class TestWarmupSelector(TestCase):
complexity_rating=1,
difficulty_level='beginner',
)
right_variant = Exercise.objects.create(
right_variant_a = Exercise.objects.create(
name='Side Lying T Stretch',
side='right_arm',
movement_patterns='dynamic stretch, mobility - dynamic, warm up',
@@ -112,9 +112,9 @@ class TestWarmupSelector(TestCase):
complexity_rating=1,
difficulty_level='beginner',
)
unsided_a = Exercise.objects.create(
name='Worlds Greatest Stretch',
side='',
left_variant_b = Exercise.objects.create(
name='Quadruped Adductor Stretch with Thoracic Rotation',
side='left_side',
movement_patterns='dynamic stretch, mobility - dynamic, warm up',
is_duration=True,
is_reps=False,
@@ -125,31 +125,47 @@ class TestWarmupSelector(TestCase):
complexity_rating=1,
difficulty_level='beginner',
)
unsided_b = Exercise.objects.create(
name='Hip Opener Flow',
side='',
movement_patterns='activation, warmup, cardio/locomotion',
right_variant_b = Exercise.objects.create(
name='Quadruped Adductor Stretch with Thoracic Rotation',
side='right_side',
movement_patterns='dynamic stretch, mobility - dynamic, warm up',
is_duration=True,
is_reps=False,
is_weight=False,
is_compound=False,
exercise_tier='accessory',
hr_elevation_rating=3,
complexity_rating=2,
hr_elevation_rating=2,
complexity_rating=1,
difficulty_level='beginner',
)
selector = ExerciseSelector(self.preference)
selected = selector.select_warmup_exercises(target_muscles=[], count=2)
selected_ids = {ex.pk for ex in selected}
selected = selector.select_warmup_exercises(target_muscles=[], count=4)
self.assertEqual(selected_ids, {unsided_a.pk, unsided_b.pk})
self.assertNotIn(left_variant.pk, selected_ids)
self.assertNotIn(right_variant.pk, selected_ids)
self.assertTrue(all(not (ex.side or '').strip() for ex in selected))
selected_ids = [ex.pk for ex in selected]
self.assertEqual(
set(selected_ids),
{left_variant_a.pk, right_variant_a.pk, left_variant_b.pk, right_variant_b.pk},
)
def test_cooldown_excludes_side_specific_variants(self):
left_variant = Exercise.objects.create(
side_pairs = {}
for idx, ex in enumerate(selected):
key = selector._strip_side_tokens(ex.name)
side_pairs.setdefault(key, []).append(idx)
self.assertEqual(len(side_pairs['side lying t stretch']), 2)
self.assertEqual(len(side_pairs['quadruped adductor stretch with thoracic rotation']), 2)
self.assertEqual(
side_pairs['side lying t stretch'][1],
side_pairs['side lying t stretch'][0] + 1,
)
self.assertEqual(
side_pairs['quadruped adductor stretch with thoracic rotation'][1],
side_pairs['quadruped adductor stretch with thoracic rotation'][0] + 1,
)
def test_cooldown_keeps_side_specific_variants_adjacent(self):
left_variant_a = Exercise.objects.create(
name="Matsyendra's Pose",
side='left_side',
movement_patterns='static stretch, cool down',
@@ -162,7 +178,7 @@ class TestWarmupSelector(TestCase):
complexity_rating=1,
difficulty_level='beginner',
)
right_variant = Exercise.objects.create(
right_variant_a = Exercise.objects.create(
name="Matsyendra's Pose",
side='right_side',
movement_patterns='static stretch, cool down',
@@ -175,9 +191,9 @@ class TestWarmupSelector(TestCase):
complexity_rating=1,
difficulty_level='beginner',
)
unsided_a = Exercise.objects.create(
name='Butterfly Stretch',
side='',
left_variant_b = Exercise.objects.create(
name='Miniband Reverse Clamshell',
side='left_leg',
movement_patterns='mobility - static, cooldown',
is_duration=True,
is_reps=False,
@@ -188,25 +204,41 @@ class TestWarmupSelector(TestCase):
complexity_rating=1,
difficulty_level='beginner',
)
unsided_b = Exercise.objects.create(
name='Hamstring Reach',
side='',
movement_patterns='static stretch, cool down',
right_variant_b = Exercise.objects.create(
name='Miniband Reverse Clamshell',
side='right_leg',
movement_patterns='mobility - static, cooldown',
is_duration=True,
is_reps=False,
is_weight=False,
is_compound=False,
exercise_tier='accessory',
hr_elevation_rating=2,
hr_elevation_rating=1,
complexity_rating=1,
difficulty_level='beginner',
)
selector = ExerciseSelector(self.preference)
selected = selector.select_cooldown_exercises(target_muscles=[], count=2)
selected_ids = {ex.pk for ex in selected}
selected = selector.select_cooldown_exercises(target_muscles=[], count=4)
self.assertEqual(selected_ids, {unsided_a.pk, unsided_b.pk})
self.assertNotIn(left_variant.pk, selected_ids)
self.assertNotIn(right_variant.pk, selected_ids)
self.assertTrue(all(not (ex.side or '').strip() for ex in selected))
selected_ids = [ex.pk for ex in selected]
self.assertEqual(
set(selected_ids),
{left_variant_a.pk, right_variant_a.pk, left_variant_b.pk, right_variant_b.pk},
)
side_pairs = {}
for idx, ex in enumerate(selected):
key = selector._strip_side_tokens(ex.name)
side_pairs.setdefault(key, []).append(idx)
self.assertEqual(len(side_pairs["matsyendra's pose"]), 2)
self.assertEqual(len(side_pairs['miniband reverse clamshell']), 2)
self.assertEqual(
side_pairs["matsyendra's pose"][1],
side_pairs["matsyendra's pose"][0] + 1,
)
self.assertEqual(
side_pairs['miniband reverse clamshell'][1],
side_pairs['miniband reverse clamshell'][0] + 1,
)

136
generator/tests/test_workout_generation_modules.py Normal file
View File

@@ -0,0 +1,136 @@
from django.test import SimpleTestCase
from generator.services.workout_generation.entry_rules import (
apply_rep_volume_floor,
pick_reps_for_exercise,
working_rest_seconds,
)
from generator.services.workout_generation.focus import (
focus_key_for_exercise,
has_duplicate_focus,
)
from generator.services.workout_generation.modality import (
clamp_duration_bias,
plan_superset_modalities,
)
from generator.services.workout_generation.pattern_planning import (
merge_pattern_preferences,
rotated_muscle_subset,
working_position_label,
)
from generator.services.workout_generation.recovery import is_recovery_exercise
from generator.services.workout_generation.scaling import apply_fitness_scaling
from generator.services.workout_generation.section_builders import (
build_duration_entries,
build_section_superset,
section_exercise_count,
)
class _Rng:
def __init__(self, randint_values=None):
self._randint_values = list(randint_values or [])
def randint(self, low, high):
if self._randint_values:
return self._randint_values.pop(0)
return low
def shuffle(self, arr):
# Deterministic for tests.
return None
class _Ex:
def __init__(self, **kwargs):
self.__dict__.update(kwargs)
class TestWorkoutGenerationModules(SimpleTestCase):
def test_section_count_and_duration_entries(self):
rng = _Rng([6, 27, 31])
self.assertEqual(section_exercise_count('warmup', 1, rng=rng), 6)
exercises = [_Ex(name='A'), _Ex(name='B')]
entries = build_duration_entries(
exercises,
duration_min=20,
duration_max=40,
min_duration=20,
duration_multiple=5,
rng=rng,
)
self.assertEqual(entries[0]['duration'], 25)
self.assertEqual(entries[1]['duration'], 30)
section = build_section_superset('Warm Up', entries)
self.assertEqual(section['name'], 'Warm Up')
self.assertEqual(section['rounds'], 1)
def test_scaling_and_rest_floor(self):
params = {
'rep_min': 4,
'rep_max': 10,
'rounds': (3, 4),
'rest_between_rounds': 60,
}
scaling = {
1: {'rep_min_mult': 1.1, 'rep_max_mult': 1.2, 'rounds_adj': -1, 'rest_adj': 15},
2: {'rep_min_mult': 1.0, 'rep_max_mult': 1.0, 'rounds_adj': 0, 'rest_adj': 0},
}
out = apply_fitness_scaling(
params,
fitness_level=1,
scaling_config=scaling,
min_reps=6,
min_reps_strength=1,
is_strength=True,
)
self.assertGreaterEqual(out['rep_min'], 5)
self.assertEqual(working_rest_seconds(-5, 0), 15)
def test_modality_helpers(self):
self.assertEqual(clamp_duration_bias(0.9, (0.2, 0.6)), 0.6)
modalities = plan_superset_modalities(
num_supersets=4,
duration_bias=0.5,
duration_bias_range=(0.25, 0.5),
is_strength_workout=False,
rng=_Rng(),
)
self.assertEqual(len(modalities), 4)
self.assertTrue(any(modalities))
def test_pattern_and_focus_helpers(self):
self.assertEqual(working_position_label(0, 3), 'early')
self.assertEqual(working_position_label(1, 3), 'middle')
self.assertEqual(working_position_label(2, 3), 'late')
self.assertEqual(
merge_pattern_preferences(['upper pull', 'core'], ['core', 'lunge']),
['core'],
)
self.assertEqual(
rotated_muscle_subset(['a', 'b', 'c'], 1),
['b', 'c', 'a'],
)
curl_a = _Ex(name='Alternating Bicep Curls', movement_patterns='upper pull')
curl_b = _Ex(name='Bicep Curls', movement_patterns='upper pull')
self.assertEqual(focus_key_for_exercise(curl_a), 'bicep_curl')
self.assertTrue(has_duplicate_focus([curl_a, curl_b]))
def test_recovery_and_rep_selection(self):
stretch = _Ex(name='Supine Pec Stretch - T', movement_patterns='mobility - static')
self.assertTrue(is_recovery_exercise(stretch))
ex = _Ex(exercise_tier='primary')
reps = pick_reps_for_exercise(
ex,
{'rep_min': 8, 'rep_max': 12},
{'primary': (3, 6)},
rng=_Rng([5]),
)
self.assertEqual(reps, 5)
entries = [{'reps': 3}, {'duration': 30}]
apply_rep_volume_floor(entries, rounds=3, min_volume=12)
self.assertEqual(entries[0]['reps'], 4)

374
generator/views.py
View File

@@ -1,6 +1,8 @@
import logging
import time
from datetime import datetime, timedelta
from django.db import transaction
from django.shortcuts import get_object_or_404
from rest_framework.decorators import (
api_view,
@@ -44,6 +46,19 @@ from .serializers import (
)
from exercise.serializers import ExerciseSerializer
logger = logging.getLogger(__name__)
def get_registered_user(request):
"""Get RegisteredUser for the authenticated user, or 404.
Caches the result on the request object to avoid repeated DB hits
when called multiple times in the same request cycle.
"""
if not hasattr(request, '_registered_user'):
request._registered_user = get_object_or_404(RegisteredUser, user=request.user)
return request._registered_user
# ============================================================
# Generation Rules
@@ -67,7 +82,7 @@ def generation_rules(request):
@permission_classes([IsAuthenticated])
def get_preferences(request):
"""Get (or auto-create) the UserPreference for the logged-in user."""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
preference, _created = UserPreference.objects.get_or_create(
registered_user=registered_user,
)
@@ -80,7 +95,7 @@ def get_preferences(request):
@permission_classes([IsAuthenticated])
def update_preferences(request):
"""Update the logged-in user's preferences. Accepts equipment_ids, muscle_ids, workout_type_ids."""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
preference, _created = UserPreference.objects.get_or_create(
registered_user=registered_user,
)
@@ -109,7 +124,7 @@ def generate_plan(request):
Generate a weekly workout plan.
Body: {"week_start_date": "YYYY-MM-DD"}
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
week_start_date_str = request.data.get('week_start_date')
if not week_start_date_str:
@@ -191,8 +206,9 @@ def generate_plan(request):
generation_warnings = generator.warnings
except Exception as e:
logger.exception("Unexpected error in generate_plan")
return Response(
{'error': f'Plan generation failed: {str(e)}'},
{"error": "An unexpected error occurred. Please try again."},
status=status.HTTP_500_INTERNAL_SERVER_ERROR,
)
@@ -212,9 +228,11 @@ def generate_plan(request):
@permission_classes([IsAuthenticated])
def list_plans(request):
"""List all generated plans for the logged-in user, newest first."""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
plans = GeneratedWeeklyPlan.objects.filter(
registered_user=registered_user,
).select_related(
'registered_user',
).prefetch_related(
'generated_workouts__workout_type',
'generated_workouts__workout',
@@ -228,9 +246,11 @@ def list_plans(request):
@permission_classes([IsAuthenticated])
def plan_detail(request, plan_id):
"""Get a single plan with all its generated workouts."""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
plan = get_object_or_404(
GeneratedWeeklyPlan.objects.prefetch_related(
GeneratedWeeklyPlan.objects.select_related(
'registered_user',
).prefetch_related(
'generated_workouts__workout_type',
'generated_workouts__workout',
),
@@ -253,9 +273,9 @@ def accept_workout(request, workout_id):
Accept a generated workout.
Sets status to 'accepted' and creates a PlannedWorkout for the scheduled_date.
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
generated_workout = get_object_or_404(
GeneratedWorkout,
GeneratedWorkout.objects.select_related('workout', 'workout_type'),
pk=workout_id,
plan__registered_user=registered_user,
)
@@ -298,9 +318,9 @@ def reject_workout(request, workout_id):
Reject a generated workout with optional feedback.
Body: {"feedback": "..."}
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
generated_workout = get_object_or_404(
GeneratedWorkout,
GeneratedWorkout.objects.select_related('workout', 'workout_type'),
pk=workout_id,
plan__registered_user=registered_user,
)
@@ -328,9 +348,9 @@ def rate_workout(request, workout_id):
Rate a generated workout 1-5 with optional feedback.
Body: {"rating": 5, "feedback": "..."}
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
generated_workout = get_object_or_404(
GeneratedWorkout,
GeneratedWorkout.objects.select_related('workout', 'workout_type'),
pk=workout_id,
plan__registered_user=registered_user,
)
@@ -379,9 +399,9 @@ def regenerate_workout(request, workout_id):
Regenerate a single workout within an existing plan.
Deletes the old linked Workout (if any) and generates a fresh one for the same day/type.
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
generated_workout = get_object_or_404(
GeneratedWorkout,
GeneratedWorkout.objects.select_related('workout', 'workout_type', 'plan'),
pk=workout_id,
plan__registered_user=registered_user,
)
@@ -413,20 +433,15 @@ def regenerate_workout(request, workout_id):
generator = WorkoutGenerator(preference)
# Exclude exercises from sibling workouts in the same plan (Item #9)
sibling_workouts = GeneratedWorkout.objects.filter(
plan=generated_workout.plan,
is_rest_day=False,
workout__isnull=False,
).exclude(pk=generated_workout.pk)
sibling_exercise_ids = set()
for sibling in sibling_workouts:
if sibling.workout:
sibling_exercise_ids.update(
SupersetExercise.objects.filter(
superset__workout=sibling.workout
).values_list('exercise_id', flat=True)
)
# Exclude exercises from sibling workouts in the same plan (single query)
sibling_exercise_ids = set(
SupersetExercise.objects.filter(
superset__workout__generated_from__plan=generated_workout.plan,
superset__workout__generated_from__is_rest_day=False,
).exclude(
superset__workout__generated_from=generated_workout,
).values_list('exercise_id', flat=True)
)
if sibling_exercise_ids:
generator.exercise_selector.hard_exclude_ids.update(sibling_exercise_ids)
@@ -489,8 +504,9 @@ def regenerate_workout(request, workout_id):
cache.delete(f"plan{generated_workout.plan_id}")
except Exception as e:
logger.exception("Unexpected error in regenerate_workout")
return Response(
{'error': f'Regeneration failed: {str(e)}'},
{"error": "An unexpected error occurred. Please try again."},
status=status.HTTP_500_INTERNAL_SERVER_ERROR,
)
@@ -510,9 +526,9 @@ def delete_workout_day(request, workout_id):
Delete a generated workout day (converts it to a rest day).
Deletes the linked Workout object (cascading to supersets/exercises).
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
generated_workout = get_object_or_404(
GeneratedWorkout,
GeneratedWorkout.objects.select_related('workout'),
pk=workout_id,
plan__registered_user=registered_user,
)
@@ -545,7 +561,7 @@ def delete_workout_day(request, workout_id):
@permission_classes([IsAuthenticated])
def delete_superset(request, superset_id):
"""Delete a superset from a workout. Re-orders remaining supersets."""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
superset = get_object_or_404(Superset, pk=superset_id)
# Verify ownership through the workout
@@ -565,11 +581,14 @@ def delete_superset(request, superset_id):
# Invalidate workout detail cache
cache.delete(f"wk{workout.id}")
# Re-order remaining supersets
remaining = Superset.objects.filter(workout=workout, order__gt=deleted_order).order_by('order')
# Re-order remaining supersets with bulk_update
remaining = list(
Superset.objects.filter(workout=workout, order__gt=deleted_order).order_by('order')
)
for ss in remaining:
ss.order -= 1
ss.save()
if remaining:
Superset.objects.bulk_update(remaining, ['order'])
return Response({'status': 'deleted'}, status=status.HTTP_200_OK)
@@ -579,7 +598,7 @@ def delete_superset(request, superset_id):
@permission_classes([IsAuthenticated])
def delete_superset_exercise(request, exercise_id):
"""Delete an exercise from a superset. Re-orders remaining exercises."""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
superset_exercise = get_object_or_404(SupersetExercise, pk=exercise_id)
# Verify ownership
@@ -600,11 +619,14 @@ def delete_superset_exercise(request, exercise_id):
# Invalidate workout detail cache
cache.delete(f"wk{workout.id}")
# Re-order remaining exercises
remaining = SupersetExercise.objects.filter(superset=superset, order__gt=deleted_order).order_by('order')
# Re-order remaining exercises with bulk_update
remaining = list(
SupersetExercise.objects.filter(superset=superset, order__gt=deleted_order).order_by('order')
)
for se in remaining:
se.order -= 1
se.save()
if remaining:
SupersetExercise.objects.bulk_update(remaining, ['order'])
# If the superset is now empty, delete it too
if SupersetExercise.objects.filter(superset=superset).count() == 0:
@@ -653,7 +675,7 @@ def swap_exercise(request, exercise_id):
Swap a SupersetExercise's exercise for a new one.
Body: {"new_exercise_id": 123}
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
superset_exercise = get_object_or_404(SupersetExercise, pk=exercise_id)
# Verify ownership
@@ -734,7 +756,7 @@ def analysis_stats(request):
"""
muscle_splits = MuscleGroupSplit.objects.all()
weekly_patterns = WeeklySplitPattern.objects.all()
structure_rules = WorkoutStructureRule.objects.all()
structure_rules = WorkoutStructureRule.objects.select_related('workout_type').all()
movement_orders = MovementPatternOrder.objects.all()
data = {
@@ -778,29 +800,35 @@ def confirm_plan(request, plan_id):
"""
Batch-accept all workouts in a plan and create PlannedWorkout entries.
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
plan = get_object_or_404(
GeneratedWeeklyPlan,
pk=plan_id,
registered_user=registered_user,
)
workouts = GeneratedWorkout.objects.filter(plan=plan)
for gw in workouts:
if gw.is_rest_day or not gw.workout:
continue
gw.status = 'accepted'
gw.save()
workouts = GeneratedWorkout.objects.filter(plan=plan).select_related('workout')
PlannedWorkout.objects.filter(
registered_user=registered_user,
on_date=gw.scheduled_date,
).delete()
PlannedWorkout.objects.create(
workout=gw.workout,
registered_user=registered_user,
on_date=gw.scheduled_date,
)
with transaction.atomic():
workouts_to_update = []
for gw in workouts:
if gw.is_rest_day or not gw.workout:
continue
gw.status = 'accepted'
workouts_to_update.append(gw)
PlannedWorkout.objects.filter(
registered_user=registered_user,
on_date=gw.scheduled_date,
).delete()
PlannedWorkout.objects.create(
workout=gw.workout,
registered_user=registered_user,
on_date=gw.scheduled_date,
)
if workouts_to_update:
GeneratedWorkout.objects.bulk_update(workouts_to_update, ['status'])
serializer = GeneratedWeeklyPlanSerializer(plan)
return Response(serializer.data, status=status.HTTP_200_OK)
@@ -815,10 +843,10 @@ def confirm_plan(request, plan_id):
@permission_classes([IsAuthenticated])
def preview_plan(request):
"""
Generate a weekly plan preview. Returns JSON nothing is saved to DB.
Generate a weekly plan preview. Returns JSON -- nothing is saved to DB.
Body: {"week_start_date": "YYYY-MM-DD"}
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
week_start_date_str = request.data.get('week_start_date')
if not week_start_date_str:
@@ -872,8 +900,9 @@ def preview_plan(request):
)
preview = generator.generate_weekly_preview(week_start_date)
except Exception as e:
logger.exception("Unexpected error in preview_plan")
return Response(
{'error': f'Preview generation failed: {str(e)}'},
{"error": "An unexpected error occurred. Please try again."},
status=status.HTTP_500_INTERNAL_SERVER_ERROR,
)
@@ -885,7 +914,7 @@ def preview_plan(request):
@permission_classes([IsAuthenticated])
def preview_day(request):
"""
Generate a single day preview. Returns JSON nothing is saved to DB.
Generate a single day preview. Returns JSON -- nothing is saved to DB.
Body: {
"target_muscles": ["chest", "shoulders"],
"focus_area": "Upper Push",
@@ -893,7 +922,7 @@ def preview_day(request):
"date": "2026-02-09"
}
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
date_str = request.data.get('date')
if not date_str:
@@ -954,26 +983,19 @@ def preview_day(request):
generator = WorkoutGenerator(preference)
# If plan_id is provided, exclude sibling workout exercises
# If plan_id is provided, exclude sibling workout exercises (single query)
if plan_id is not None:
try:
plan = GeneratedWeeklyPlan.objects.get(
pk=plan_id,
registered_user=registered_user,
)
sibling_workouts = GeneratedWorkout.objects.filter(
plan=plan,
is_rest_day=False,
workout__isnull=False,
sibling_exercise_ids = set(
SupersetExercise.objects.filter(
superset__workout__generated_from__plan=plan,
superset__workout__generated_from__is_rest_day=False,
).values_list('exercise_id', flat=True)
)
sibling_exercise_ids = set()
for sibling in sibling_workouts:
if sibling.workout:
sibling_exercise_ids.update(
SupersetExercise.objects.filter(
superset__workout=sibling.workout
).values_list('exercise_id', flat=True)
)
if sibling_exercise_ids:
generator.exercise_selector.hard_exclude_ids.update(sibling_exercise_ids)
except GeneratedWeeklyPlan.DoesNotExist:
@@ -987,8 +1009,9 @@ def preview_day(request):
if plan_id is not None:
day_preview['plan_id'] = plan_id
except Exception as e:
logger.exception("Unexpected error in preview_day")
return Response(
{'error': f'Day preview generation failed: {str(e)}'},
{"error": "An unexpected error occurred. Please try again."},
status=status.HTTP_500_INTERNAL_SERVER_ERROR,
)
@@ -1003,7 +1026,7 @@ def save_plan(request):
Save a preview plan to the database.
Body: the full preview JSON (same shape as preview_plan response).
"""
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_registered_user(request)
week_start_date_str = request.data.get('week_start_date')
days = request.data.get('days', [])
@@ -1057,105 +1080,130 @@ def save_plan(request):
),
}
plan = GeneratedWeeklyPlan.objects.create(
registered_user=registered_user,
week_start_date=week_start_date,
week_end_date=week_end_date,
status='completed',
preferences_snapshot=prefs_snapshot,
)
# Prefetch all exercise IDs referenced in the plan to avoid N+1 queries
all_exercise_ids = []
for day_data in days:
day_date_str = day_data.get('date')
scheduled_date = datetime.strptime(day_date_str, '%Y-%m-%d').date()
day_of_week = scheduled_date.weekday()
is_rest_day = day_data.get('is_rest_day', False)
if is_rest_day:
GeneratedWorkout.objects.create(
plan=plan,
workout=None,
workout_type=None,
scheduled_date=scheduled_date,
day_of_week=day_of_week,
is_rest_day=True,
status='accepted',
focus_area='Rest Day',
target_muscles=[],
)
if day_data.get('is_rest_day', False):
continue
workout_spec_data = day_data.get('workout_spec', {})
focus_area = day_data.get('focus_area', 'Workout')
target_muscles = day_data.get('target_muscles', [])
workout_type_id = day_data.get('workout_type_id')
workout_type = None
if workout_type_id:
workout_type = WorkoutType.objects.filter(pk=workout_type_id).first()
supersets_data = workout_spec_data.get('supersets', [])
orm_supersets = []
for ss_data in supersets_data:
exercises = []
for ss_data in workout_spec_data.get('supersets', []):
for ex_data in ss_data.get('exercises', []):
exercise_id = ex_data.get('exercise_id')
if not exercise_id:
continue
try:
exercise_obj = Exercise.objects.get(pk=exercise_id)
except Exercise.DoesNotExist:
continue
if exercise_id:
all_exercise_ids.append(exercise_id)
exercises.append({
'exercise': exercise_obj,
'reps': ex_data.get('reps'),
'duration': ex_data.get('duration'),
'weight': ex_data.get('weight'),
'order': ex_data.get('order', 1),
exercises_map = {
e.id: e for e in Exercise.objects.filter(id__in=all_exercise_ids)
}
# Prefetch all workout type IDs referenced in the plan
all_workout_type_ids = []
for day_data in days:
wt_id = day_data.get('workout_type_id')
if wt_id:
all_workout_type_ids.append(wt_id)
workout_types_map = {
wt.id: wt for wt in WorkoutType.objects.filter(id__in=all_workout_type_ids)
}
with transaction.atomic():
plan = GeneratedWeeklyPlan.objects.create(
registered_user=registered_user,
week_start_date=week_start_date,
week_end_date=week_end_date,
status='completed',
preferences_snapshot=prefs_snapshot,
)
for day_data in days:
day_date_str = day_data.get('date')
scheduled_date = datetime.strptime(day_date_str, '%Y-%m-%d').date()
day_of_week = scheduled_date.weekday()
is_rest_day = day_data.get('is_rest_day', False)
if is_rest_day:
GeneratedWorkout.objects.create(
plan=plan,
workout=None,
workout_type=None,
scheduled_date=scheduled_date,
day_of_week=day_of_week,
is_rest_day=True,
status='accepted',
focus_area='Rest Day',
target_muscles=[],
)
continue
workout_spec_data = day_data.get('workout_spec', {})
focus_area = day_data.get('focus_area', 'Workout')
target_muscles = day_data.get('target_muscles', [])
workout_type_id = day_data.get('workout_type_id')
workout_type = workout_types_map.get(workout_type_id) if workout_type_id else None
supersets_data = workout_spec_data.get('supersets', [])
orm_supersets = []
for ss_data in supersets_data:
exercises = []
for ex_data in ss_data.get('exercises', []):
exercise_id = ex_data.get('exercise_id')
if not exercise_id:
continue
exercise_obj = exercises_map.get(exercise_id)
if not exercise_obj:
continue
exercises.append({
'exercise': exercise_obj,
'reps': ex_data.get('reps'),
'duration': ex_data.get('duration'),
'weight': ex_data.get('weight'),
'order': ex_data.get('order', 1),
})
orm_supersets.append({
'name': ss_data.get('name', 'Set'),
'rounds': ss_data.get('rounds', 1),
'rest_between_rounds': ss_data.get('rest_between_rounds', 0),
'exercises': exercises,
})
orm_supersets.append({
'name': ss_data.get('name', 'Set'),
'rounds': ss_data.get('rounds', 1),
'rest_between_rounds': ss_data.get('rest_between_rounds', 0),
'exercises': exercises,
})
workout_spec = {
'name': workout_spec_data.get('name', f'{focus_area} Workout'),
'description': workout_spec_data.get('description', ''),
'supersets': orm_supersets,
}
workout_spec = {
'name': workout_spec_data.get('name', f'{focus_area} Workout'),
'description': workout_spec_data.get('description', ''),
'supersets': orm_supersets,
}
workout_obj = plan_builder.create_workout_from_spec(workout_spec)
workout_obj = plan_builder.create_workout_from_spec(workout_spec)
GeneratedWorkout.objects.create(
plan=plan,
workout=workout_obj,
workout_type=workout_type,
scheduled_date=scheduled_date,
day_of_week=day_of_week,
is_rest_day=False,
status='accepted',
focus_area=focus_area,
target_muscles=target_muscles,
)
GeneratedWorkout.objects.create(
plan=plan,
workout=workout_obj,
workout_type=workout_type,
scheduled_date=scheduled_date,
day_of_week=day_of_week,
is_rest_day=False,
status='accepted',
focus_area=focus_area,
target_muscles=target_muscles,
)
# Create/replace PlannedWorkout for this date
PlannedWorkout.objects.filter(
registered_user=registered_user,
on_date=scheduled_date,
).delete()
PlannedWorkout.objects.create(
workout=workout_obj,
registered_user=registered_user,
on_date=scheduled_date,
)
# Create/replace PlannedWorkout for this date
PlannedWorkout.objects.filter(
registered_user=registered_user,
on_date=scheduled_date,
).delete()
PlannedWorkout.objects.create(
workout=workout_obj,
registered_user=registered_user,
on_date=scheduled_date,
)
except Exception as e:
logger.exception("Unexpected error in save_plan")
return Response(
{'error': f'Save failed: {str(e)}'},
{"error": "An unexpected error occurred. Please try again."},
status=status.HTTP_500_INTERNAL_SERVER_ERROR,
)

482
hardening-report.md Normal file
View File

@@ -0,0 +1,482 @@
# Hardening Audit Report — Werkout API (Django/Python)
## Audit Sources
- 5 mapper agents (100% file coverage)
- 8 specialized domain auditors (parallel)
- 1 cross-cutting deep audit (parallel)
- Total source files: 75
---
## CRITICAL — Will crash or lose data (18 findings)
**1. werkout_api/settings.py:16** | DEBUG=True hardcoded, never disabled in production
- What: `DEBUG = True` set at module level. Production branch (when `DATABASE_URL` set) never overrides to `False` — the code is commented out (lines 142-157). `CORS_ALLOW_ALL_ORIGINS` on line 226 depends on DEBUG, so it's always `True`.
- Impact: Full stack traces, SQL queries, internal paths exposed to end users. CORS allows any origin with credentials.
- Source: Security, Config, Cross-cutting
**2. werkout_api/settings.py:160** | SECRET_KEY falls back to 'secret'
- What: `SECRET_KEY = os.environ.get("SECRET_KEY", 'secret')`. Neither `docker-compose.yml` nor any env file sets SECRET_KEY.
- Impact: Session cookies, CSRF tokens, password hashes use a publicly known key. Complete auth bypass.
- Source: Security, Config
**3. werkout_api/settings.py:226** | CORS allows all origins with credentials in production
- What: `CORS_ALLOW_ALL_ORIGINS = True if DEBUG else False` is always `True` (DEBUG never False). Combined with `CORS_ALLOW_CREDENTIALS = True` (line 231).
- Impact: Any website can make authenticated cross-origin requests and steal data.
- Source: Security, Config
**4. registered_user/serializers.py:31** | Password hash exposed in API responses
- What: `write_only_fields = ('password',)` is NOT a valid DRF Meta option. Correct: `extra_kwargs = {'password': {'write_only': True}}`. Password field is readable.
- Impact: Hashed password returned in registration responses. Enables offline brute-force.
- Source: Security, API, Cross-cutting
**5. registered_user/views.py:83-90** | update_registered_user uses request.POST — JSON requests wipe user data
- What: `request.POST.get(...)` only works for form-encoded data. JSON requests return `None` for all fields. Lines 88-90 set `first_name=None`, `email=None`, etc. and save.
- Impact: Any JSON profile update silently corrupts user data. Email set to None breaks login.
- Source: Security, Logic, Cross-cutting
**6. registered_user/views.py:108-114** | Password update broken for JSON clients, can lock out user
- What: `request.POST.get("new_password")` returns `None` for JSON. `set_password(None)` makes password uncheckable, permanently locking user out.
- Impact: Password endpoint non-functional for JSON clients. Potential permanent account lockout.
- Source: Security, Cross-cutting
**7. registered_user/serializers.py:46** | Registration creates RegisteredUser with non-existent phone_number field
- What: `RegisteredUser.objects.create(phone_number=self.context.get("phone_number"), ...)` — model has no `phone_number` field (removed in migration 0002).
- Impact: User registration crashes with TypeError if phone_number is passed in context.
- Source: Cross-cutting, Logic
**8. scripts/views.py:43-45** | Anonymous cache wipe endpoint — no authentication
- What: `clear_redis` view has no auth decorators. Active in `scripts/urls.py`. Any anonymous request wipes entire Redis cache.
- Impact: Denial of service — any internet user can flush all cached data at will.
- Source: Security
**9. video/views.py:50-59** | Path traversal vulnerability in hls_videos
- What: `video_name` and `video_type` from GET params concatenated directly into file paths without sanitization. `../../etc/passwd` sequences can access arbitrary files.
- Impact: Arbitrary file read on the server. Route commented out in urls.py but view exists.
- Source: Security
**10. video/views.py:74** | Celery task called with zero arguments but requires filename
- What: `create_hls_tasks.delay()` called with no args. Task signature `create_hls_tasks(filename)` requires one.
- Impact: Every call to `/videos/create_hls/` crashes the Celery worker with TypeError.
- Source: Celery, Cross-cutting
**11. supervisord.conf:13** | Production runs Django dev server (runserver) instead of WSGI
- What: `python manage.py runserver 0.0.0.0:8000` in production. `uwsgi.ini` exists but is unused.
- Impact: Single-threaded, no request timeouts, not designed for production. Memory leaks.
- Source: Config
**12. supervisord.conf** | No Celery worker process configured
- What: Only `django` and `nextjs` programs defined. No `[program:celery]` entry.
- Impact: All `.delay()` calls queue tasks in Redis that are never consumed. Entire async task system non-functional.
- Source: Celery, Config
**13. supervisord.conf:13** | Auto-migrate on every container start
- What: `python manage.py migrate` in startup command runs migrations automatically without review.
- Impact: Destructive migrations run silently. Race conditions if multiple containers start simultaneously.
- Source: Config
**14. docker-compose.yml:8-10,26** | Database credentials hardcoded as postgres/postgres
- What: `POSTGRES_USER=postgres`, `POSTGRES_PASSWORD=postgres` in compose file and DATABASE_URL. No `.env` override.
- Impact: Trivial unauthorized access if database port exposed. Credentials in git history permanently.
- Source: Security, Config
**15. AI/workouts.py + AI/cho/workouts.py** | 86K lines of PII data committed to git
- What: Two files totaling 86,000+ lines of user workout data from Future Fitness API with user IDs, S3 URLs, timestamps.
- Impact: PII permanently in git history. Potential GDPR/privacy liability.
- Source: Security, Config
**16. generator/views.py:1032-1160** | save_plan has no transaction wrapping
- What: Creates GeneratedWeeklyPlan, then loops creating Workout, Superset, SupersetExercise, GeneratedWorkout, PlannedWorkout objects. No `transaction.atomic()`.
- Impact: Mid-loop failure (e.g., date parsing) leaves orphaned plan records. Partially saved plans with missing days.
- Source: Data Integrity, Cross-cutting
**17. generator/views.py:789-803** | confirm_plan has no transaction wrapping
- What: Loops through generated workouts, saves status, deletes/creates PlannedWorkouts individually.
- Impact: Partial plan confirmation — some days accepted, others not, on any mid-loop error.
- Source: Data Integrity
**18. registered_user/serializers.py:34-51** | User + RegisteredUser creation has no transaction
- What: `User.objects.create()`, `set_password()`, `RegisteredUser.objects.create()`, `Token.objects.create()` — four DB ops with no `transaction.atomic()`.
- Impact: Orphaned User records if RegisteredUser creation fails. Ghost users block re-registration.
- Source: Data Integrity, Cross-cutting
---
## BUG — Incorrect behavior (28 findings)
**1. registered_user/views.py:30,47** | Validation errors return HTTP 500 instead of 400
- Impact: Clients can't distinguish server errors from bad input.
**2. registered_user/views.py:74** | Failed login returns 404 instead of 401
- Impact: Wrong HTTP semantics for auth failures.
**3. registered_user/models.py:20** | `__str__` concatenates nullable last_name — TypeError
- Impact: Admin, logging crash for users with null last_name.
**4. registered_user/admin.py:11** | Token.objects.get crashes if no token exists
- Impact: Admin list page crashes if any user lacks a Token.
**5. equipment/models.py:13** | `__str__` concatenates nullable category/name — TypeError
- Impact: Admin crashes for Equipment with null fields.
**6. muscle/models.py:11** | `__str__` returns None when name is null
- Impact: Violates `__str__` contract. Admin/template crashes.
**7. workout/views.py:45** | Workout.objects.get with no DoesNotExist handling
- Impact: Missing workouts return 500 instead of 404.
**8. workout/views.py:60,143,165** | Validation errors return HTTP 500 instead of 400
- Impact: Three views misreport client errors as server errors.
**9. workout/views.py:69** | GET endpoint returns 201 Created instead of 200
- Impact: Incorrect HTTP semantics for read operation.
**10. workout/views.py:76** | Unreachable None check — .get() raises exception, never returns None
- Impact: Dead code; actual DoesNotExist is unhandled (500 error).
**11. workout/views.py:124** | estimated_rep_duration None multiplication crashes
- What: `exercise["reps"] * exercise_obj.estimated_rep_duration` where field can be null. `int * None` = TypeError.
- Impact: Workout creation crashes mid-loop, orphaning partial records (no transaction).
**12. workout/serializers.py:37** | KeyError if 'notes' not in validated_data
- Impact: Completing a workout without notes crashes with 500.
**13. workout/serializers.py:40** | Wrong attribute name — health_kit UUID never persisted
- What: Sets `completed_workout.workout_uuid` but model field is `health_kit_workout_uuid`.
- Impact: HealthKit UUIDs silently discarded forever.
**14. workout/tasks.py:85** | estimated_rep_duration None multiplication in Celery task
- Impact: Bulk import crashes mid-way, leaving partial data.
**15. workout/tasks.py:73** | Exercise.objects.get with no DoesNotExist handling
- Impact: One missing exercise aborts entire import.
**16. workout/urls.py:14** | Duplicate URL name 'plan workout' on two paths
- Impact: `reverse('plan workout')` resolves to wrong URL.
**17. scripts/views.py:37** | NameError: MuscleGroup is not defined
- What: Catches `MuscleGroup.DoesNotExist` but only `Muscle` is imported.
- Impact: NameError crashes endpoint instead of catching intended exception.
**18. scripts/views.py:15** | equipment_required.split() crashes on None
- Impact: sync_equipment crashes for any exercise with null equipment_required.
**19. video/models.py:24** | save() missing *args in signature
- Impact: Callers passing positional args (force_insert) get TypeError.
**20. video/models.py:24-27** | HLS transcoding triggered on EVERY save, not just file changes
- Impact: Redundant expensive ffmpeg jobs on metadata-only edits.
**21. video/serializers.py:13** | video_file can be None — AttributeError
- Impact: Video listing crashes if any Video has no file.
**22. video/tasks.py:10** | Existence check uses wrong filename pattern — never matches
- Impact: Guard clause never short-circuits; re-encodes every time.
**23. generator/views.py:70** | RegisteredUser.objects.get repeated ~17 times with no DoesNotExist handling
- Impact: Any user without RegisteredUser gets unhandled 500 on every generator endpoint.
**24. superset/helpers.py:16** | Exercise.objects.get("First Up") with no error handling
- Impact: Workout detail crashes if "First Up" exercise is missing.
**25. superset/serializers.py:20** | get_unique_id returns random UUID per serialization
- Impact: Frontend can't use unique_id as stable key. Breaks diffing/caching.
**26. workout/models.py:51** | settings not imported — NameError on duration_audio()/weight_audio()
- What: Relies on `from exercise.models import *` transitive import of settings.
- Impact: NameError if transitive chain breaks.
**27. workout_generator.py:909** | None multiplication when duration is None
- Impact: Plan generation crashes if preferences have no duration set.
**28. workout_generator.py:802** | sum(c.difficulty) crashes if any difficulty is None
- Impact: Plan generation crashes for users with incomplete completion records.
---
## SILENT FAILURE — Error swallowed or ignored (5 findings)
**1. generator/views.py:193,491,874,989,1156** | Broad except Exception catches all errors, leaks str(e)
- Impact: Bugs masked. Internal details leaked to clients.
**2. superset/helpers.py:19-23** | In-memory mutations on Exercise ORM object never saved
- Impact: Changes silently lost. Risk of corrupting shared Exercise if accidentally saved.
**3. workout/helpers.py:41** | ser_data.mutable = True is a no-op
- Impact: No effect. Indicates confusion about data type.
**4. audit_exercise_data.py:168-170** | except Exception: pass silently swallows all errors
- Impact: Database errors during field checks silently ignored.
**5. workout/views.py:32** | Infinite cache with incomplete invalidation
- Impact: Generated workouts never appear in all_workouts until manual cache clear.
---
## RACE CONDITION — Concurrency issue (1 finding)
**1. registered_user/views.py:34** | Email uniqueness check is a race condition
- What: `User.objects.filter(email=email)` check followed by `serializer.save()`. No DB unique constraint visible.
- Impact: Concurrent registrations can create duplicate email accounts.
---
## LOGIC ERROR — Code doesn't match intent (12 findings)
**1. rules_engine.py:650** | Push/pull ratio check skipped when either count is zero
- What: Condition requires both counts > 0. A workout with 2 push, 0 pull passes silently.
- Impact: Unbalanced push-heavy workouts pass validation.
**2. rules_engine.py:858-860** | Workout type match is a no-op for non-strength types
- What: Non-strength branch unconditionally counts every exercise as matching (100% always).
- Impact: HIIT/cardio/core workouts can contain arbitrary exercises without violations.
**3. workout_generator.py:1459** | Workout type affinity matching NEVER works
- What: `SPLIT_TYPE_WORKOUT_AFFINITY` uses underscore names like `'traditional_strength_training'` but comparison uses `wt.name.strip().lower()` which yields space-separated names.
- Impact: All workout type assignments fall through to round-robin fallback. Push splits get assigned random types.
**4. workout_generator.py:2070** | Modality check counts exercise capability, not actual assignment
- What: Checks `ex.is_duration` (capability flag) not whether the entry was actually given duration.
- Impact: False modality calculations for dual-modality exercises.
**5. workout_generator.py:1404** | Diversify type count wrong on replacement
- What: Doesn't subtract from the removed type count when replacing, only adds to candidate count.
- Impact: Valid replacements rejected. Invalid ones accepted in edge cases.
**6. workout_generator.py:2898** | Final conformance treats all warnings as blocking
- What: `_is_blocking_final_violation` returns True for `severity in {'error', 'warning'}`.
- Impact: Workouts crash with ValueError for minor advisory issues (cooldown missing, duration bias slightly off).
**7. workout_generator.py:1209** | Recursive retry destroys cross-day dedup state
- What: Failed attempt's exercises already recorded in week state via `accumulate_week_state`. Retry with different exercises creates ghost entries.
- Impact: Later days in the week have artificially smaller exercise pools.
**8. entry_rules.py:19** | Volume floor can violate workout type rep ranges
- What: With `min_volume=12` and `rounds=1`, forces 12 reps. Strength (3-6 rep range) gets 12 reps.
- Impact: Strength workouts get inflated reps contradicting their character.
**9. rules_engine.py:441** | Push/pull counting double-counts dual-pattern exercises
- What: Exercise with `'upper push, upper pull'` counted in BOTH push AND pull totals.
- Impact: Inaccurate push:pull ratio calculations.
**10. exercise_selector.py:631** | No-equipment path restricts to bodyweight only (contradicts docs)
- What: MEMORY.md says "no equipment set = all exercises available." Code excludes all exercises with equipment entries.
- Impact: Users without equipment config get dramatically reduced pool.
**11. muscle_normalizer.py:163** | Glutes in both lower_push and lower_pull categories
- Impact: Glute-dominant workouts get incorrect split classification, cascading into wrong type assignments.
**12. exercise_selector.py:1274** | Substring partner matching causes false positives
- What: `if base_name.lower() in partner.name.lower()` — "Curl" matches "Barbell Curl Right", "Hammer Curl Right", etc.
- Impact: Wrong exercises paired as L/R counterparts.
---
## PERFORMANCE — Unnecessary cost (18 findings)
**1. exercise/serializers.py:30,35** | N+1 per exercise for muscles + equipment (~3400+ queries on cache miss)
- Impact: `/exercise/all/` cold cache: 1133 exercises × 3 queries each.
**2. workout/serializers.py:56-77** | Triple N+1 on WorkoutSerializer (~5000+ queries)
- Impact: `all_workouts` cache miss: 633 workouts × (muscles + equipment + exercise_count).
**3. superset/serializers.py:32** | N+1 per superset for exercises, cascading through ExerciseSerializer
- Impact: Each workout detail triggers O(supersets × exercises × 3) queries.
**4. workout/helpers.py:14-71** | Cascade of N+1 queries in exercise list builder
- Impact: ~80+ queries per workout detail (supersets + exercises + serializer chain).
**5. generator/serializers.py:338** | N+1 for supersets in GeneratedWorkoutDetailSerializer
- Impact: Plan detail views trigger dozens of cascading queries per day.
**6. generator/views.py:1106** | Exercise.objects.get in triple-nested loop in save_plan
- Impact: 5-day plan with 5 supersets × 3 exercises = 75 individual SELECT queries.
**7. muscle_normalizer.py:218** | ExerciseMuscle query per exercise in analyzer (~19,000 queries)
- Impact: `analyze_workouts` command fires ~19,000 queries for 633 workouts.
**8. workout_analyzer.py:1332-1337** | 120 exists() checks in _step7
- Impact: 8 types × 3 sections × 5 goals = 120 individual queries.
**9. recalculate_workout_times.py:53-58** | Triple-nested N+1 with no prefetch (~18,000 queries)
- Impact: Command takes orders of magnitude longer than necessary.
**10. exercise_selector.py:593,629** | M2M querysets not cached (excluded_exercises + available_equipment)
- Impact: 15-30 redundant identical queries per workout generation.
**11. populate_exercise_fields.py:1006** | Individual save() per exercise (1133 UPDATE queries)
- Impact: Command takes minutes instead of seconds. No bulk_update.
**12. plan_builder.py:64,82** | Redundant save() after create() on Workout and Superset
- Impact: 2 unnecessary DB writes per superset creation.
**13. Various views** | Infinite cache with no invalidation strategy
- What: equipment, exercise, muscle, workout, video views all use `cache.set(key, data, timeout=None)` with no invalidation.
- Impact: New/edited data never appears until manual cache clear or restart.
**14. workout/serializers.py:109** | Redundant re-fetch of registered_user
- Impact: Extra query per workout detail for no reason.
**15. generator/views.py:570-572,604-607** | N+1 save pattern for re-ordering after delete
- Impact: Up to N individual UPDATEs instead of 1 bulk_update.
**16. generator/views.py:423-429,964-976** | N+1 for sibling exercise exclusion
- Impact: N queries instead of 1 IN query for sibling workout exercises.
**17. generator/views.py:70** | RegisteredUser.objects.get repeated 17x with no caching
- Impact: 1 unnecessary query per API request across all generator endpoints.
**18. exercise_selector.py:1063** | Potentially large retry loop in _weighted_pick
- What: `max_attempts = len(pool) * 3` with weighted pools of 500+ entries = 1500+ iterations.
- Impact: CPU-bound stall risk in constrained pools.
---
## SECURITY — Vulnerability or exposure (6 additional findings)
**1. werkout_api/settings.py:140** | ALLOWED_HOSTS=['*'] in production
- Impact: HTTP Host header injection, cache poisoning, password reset URL manipulation.
**2. werkout_api/settings.py:1-231** | Missing all HTTPS/security hardening settings
- What: No SECURE_SSL_REDIRECT, SECURE_HSTS_SECONDS, SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, etc.
- Impact: Cookies sent over plaintext HTTP. No HSTS protection.
**3. werkout_api/settings.py:31** | Django Debug Toolbar enabled unconditionally
- Impact: Exposes SQL queries, settings, request data at `/__debug__/` in production.
**4. workout/views.py:24-33** | all_workouts returns ALL users' workouts (IDOR)
- What: `Workout.objects.all()` with no ownership filter.
- Impact: Any authenticated user sees every user's workout data.
**5. workout/views.py:39-49** | workout_details has no ownership check (IDOR)
- What: Any authenticated user can view any workout by guessing IDs.
- Impact: Insecure Direct Object Reference.
**6. workout/views.py:170-172** | GET endpoint triggers data mutation — bulk import
- What: GET triggers Celery task importing workouts for hardcoded user IDs. Any authenticated user can trigger.
- Impact: Data corruption via idempotent-violating GET.
---
## DATA INTEGRITY — Database/model consistency issues (5 findings)
**1. workout/views.py:94-138** | add_workout has no transaction wrapping
- Impact: Partial Workout/Superset records on mid-loop failure.
**2. plan_builder.py:59-149** | create_workout_from_spec has no transaction wrapping
- Impact: Core builder used by all generation paths creates orphaned records on error.
**3. workout_analyzer.py:249-252** | _clear_existing_patterns deletes without transaction
- Impact: If analysis crashes mid-way, ML pattern tables are empty with no recovery.
**4. workout/tasks.py:11-101** | Bulk import has no transaction or idempotency
- Impact: Partial imports, duplicate records on re-run.
**5. workout/views.py:150** | datetime.now() without timezone in USE_TZ=True project
- Impact: Incorrect PlannedWorkout filtering near midnight due to timezone mismatch.
---
## MODERNIZATION — Legacy pattern to update (4 findings)
**1. Dockerfile:13** | Python 3.9.13 base image (EOL October 2025)
- Impact: No further security patches.
**2. requirements.txt** | All dependencies pinned to mid-2023 versions
- Impact: Django 4.2.2 has had multiple security releases since.
**3. supervisord.conf:24** | Next.js runs `next dev` in production
- Impact: No production optimizations, source maps exposed.
**4. Various models** | max_length on IntegerField/FloatField (no-op parameters)
- What: 10+ fields across superset, workout, exercise models use meaningless `max_length` on numeric fields.
- Impact: Misleading — suggests validation that doesn't exist.
---
## DEAD CODE / UNREACHABLE (4 findings)
**1. exercise/serializers.py:5** | Import shadowed by local class definition
- What: Imports `ExerciseMuscleSerializer` then redefines it locally.
**2. exercise/models.py:4** | `from random import randrange` — imported but never used
**3. audit_exercise_data.py:88-89** | Dead `.exclude()` clause — logically impossible condition
**4. workout/views.py:76** | Unreachable None check after `.get()`
---
## FRAGILE — Works now but will break easily (5 findings)
**1. exercise_selector.py:613** | Hard exclude to soft penalty conversion mutates instance state permanently
- What: `_warned_small_pool` guard uses `hasattr` which survives `reset()`.
- Impact: Once triggered, ALL subsequent selections treat hard-excluded exercises with soft penalty only.
**2. exercise_selector.py:645** | Equipment map cache survives reset() — stale data possible
- Impact: Low risk per-request but dangerous in long-running processes.
**3. workout_generator.py:1046** | Working superset detection relies on name prefix 'Working'
- Impact: Any naming inconsistency silently breaks trimming, padding, modality validation, compound ordering, rebalancing.
**4. workout/models.py:51** | settings import via wildcard chain from exercise.models
- Impact: Transitive dependency breaks if `*` re-export chain changes.
**5. exercise_selector.py:260** | Working set exclusion icontains 'stretch' catches valid exercises
- Impact: Exercises like "Stiff Leg Deadlift Stretch Position" incorrectly excluded from working sets.
---
## Summary
### Summary by Category
| Category | Count |
|----------|-------|
| Critical | 18 |
| Bug | 28 |
| Silent Failure | 5 |
| Race Condition | 1 |
| Logic Error | 12 |
| Performance | 18 |
| Security | 6 |
| Data Integrity | 5 |
| Modernization | 4 |
| Dead Code | 4 |
| Fragile | 5 |
| **Total** | **106** |
### Summary by Source
| Source | Findings |
|--------|----------|
| Security Auditor | 34 |
| Data Integrity/ORM Auditor | 64 |
| Logic Errors Auditor | 42 |
| Performance Auditor | 41 |
| Generator Logic Auditor | 22 |
| API Correctness Auditor | 43 |
| Celery/Async Auditor | 24 |
| Config/Deployment Auditor | 30 |
| Cross-cutting Deep Audit | 35 |
| *(after dedup)* | **106 unique** |
### Top 10 Priorities
1. **[CRITICAL] settings.py — DEBUG=True + SECRET_KEY='secret' + CORS wide open in production** — Three compounding security misconfigurations that enable session forgery, CSRF bypass, and full API data theft from any website.
2. **[CRITICAL] registered_user/views.py:83-90 — request.POST wipes user data on JSON update** — Any JSON profile update sets email, name, image all to None. Active, reachable endpoint.
3. **[CRITICAL] registered_user/serializers.py:31 — Password hash exposed in API** — Invalid DRF Meta option means hashed password is readable in registration responses.
4. **[CRITICAL] scripts/views.py:43 — Anonymous cache wipe** — Unauthenticated endpoint wipes entire Redis cache. Active route, no auth required.
5. **[CRITICAL] supervisord.conf — No Celery worker + dev server in production** — All async tasks (HLS transcoding, imports) silently queue and never execute. Django dev server handles all production traffic.
6. **[CRITICAL] generator/views.py — No transaction.atomic() on save_plan/confirm_plan** — Multi-object creation loops with no transaction wrapping leave orphaned records on any failure.
7. **[BUG] workout/serializers.py:40 — HealthKit UUID silently discarded** — Sets wrong attribute name (`workout_uuid` vs `health_kit_workout_uuid`). Data permanently lost.
8. **[BUG] workout/views.py:124 + tasks.py:85 — None multiplication on estimated_rep_duration** — Nullable field multiplied without null check. Crashes workout creation and bulk import.
9. **[LOGIC] workout_generator.py:1459 — Workout type affinity matching NEVER works** — Space vs underscore comparison means all type assignments fall through to random round-robin.
10. **[PERFORMANCE] Serializer N+1 queries — 5000+ queries on cache miss** — WorkoutSerializer, ExerciseSerializer, and SupersetSerializer each trigger per-object queries with no prefetching. Mitigated by infinite caching but devastating on any cache clear.

2
muscle/models.py
View File

@@ -8,7 +8,7 @@ class Muscle(models.Model):
name = models.CharField(null=True, blank=True, max_length=64)
def __str__(self):
return self.name
return self.name or "Unnamed"
class ExerciseMuscle(models.Model):
created_at = models.DateTimeField(auto_now_add=True)

7
muscle/views.py
View File

@@ -2,7 +2,6 @@ from django.shortcuts import render
from .models import *
from .serializers import *
from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework import status
@@ -21,8 +20,8 @@ def all_muscles(request):
data = cache.get('all_muscles')
return Response(data=data, status=status.HTTP_200_OK)
users = Muscle.objects.all()
serializer = MuscleSerializer(users, many=True)
muscles = Muscle.objects.all()
serializer = MuscleSerializer(muscles, many=True)
data = serializer.data
cache.set('all_muscles', data, timeout=None)
return Response(data=data, status=status.HTTP_200_OK)
return Response(data=data, status=status.HTTP_200_OK)

6
registered_user/admin.py
View File

@@ -8,4 +8,8 @@ class RegisteredUserAdmin(admin.ModelAdmin):
list_display = ("first_name", "last_name", "nick_name", "has_nsfw_toggle", "jwt_token")
def jwt_token(self, obj):
return Token.objects.get(user=obj.user).key
try:
token = Token.objects.get(user=obj.user)
return token.key
except Token.DoesNotExist:
return "No token"

2
registered_user/models.py
View File

@@ -17,4 +17,4 @@ class RegisteredUser(models.Model):
)
def __str__(self):
return self.first_name + " " + self.last_name + " : " + self.user.email
return f"{self.first_name or ''} {self.last_name or ''} : {self.user.email}"

35
registered_user/serializers.py
View File

@@ -2,6 +2,7 @@ from rest_framework import serializers
from .models import RegisteredUser
from django.contrib.auth.models import User
from rest_framework.authtoken.models import Token
from django.db import transaction
class RegisteredUserSerializer(serializers.ModelSerializer):
@@ -28,25 +29,25 @@ class CreateRegisteredUserThroughUserSerializer(serializers.ModelSerializer):
class Meta:
model = User
fields = ('id', 'password', 'email', 'first_name', 'last_name')
write_only_fields = ('password',)
extra_kwargs = {'password': {'write_only': True}}
read_only_fields = ('id',)
def create(self, validated_data):
user = User.objects.create(
username=validated_data['email'],
email=validated_data['email'],
first_name=validated_data['first_name'],
last_name=validated_data['last_name']
)
with transaction.atomic():
user = User.objects.create(
username=validated_data['email'],
email=validated_data['email'],
first_name=validated_data['first_name'],
last_name=validated_data['last_name']
)
user.set_password(validated_data['password'])
user.save()
user.set_password(validated_data['password'])
user.save()
reg_user = RegisteredUser.objects.create(
phone_number=self.context.get("phone_number"),
user=user,
first_name=validated_data['first_name'],
last_name=validated_data['last_name']
)
Token.objects.create(user=user)
return reg_user
reg_user = RegisteredUser.objects.create(
user=user,
first_name=validated_data['first_name'],
last_name=validated_data['last_name']
)
Token.objects.create(user=user)
return reg_user

49
registered_user/views.py
View File

@@ -11,6 +11,7 @@ from rest_framework.permissions import IsAuthenticated
from rest_framework.decorators import authentication_classes
from rest_framework.decorators import permission_classes
from django.shortcuts import get_object_or_404
from django.db import transaction
import json
@@ -22,31 +23,35 @@ def all_registered_users(request):
@api_view(['POST'])
@authentication_classes([])
def create_registered_user(request):
_serializer = CreateRegisteredUserSerializer(data=request.data)
if not _serializer.is_valid():
return Response(_serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
return Response(_serializer.errors, status=status.HTTP_400_BAD_REQUEST)
email = request.data["email"]
if User.objects.filter(email=email):
# Note: DB unique constraint on email is the real guard against race conditions
if User.objects.filter(email=email).exists():
return Response({"email": [ "Email in use" ] }, status=status.HTTP_409_CONFLICT)
serializer = CreateRegisteredUserThroughUserSerializer(data=request.data)
if serializer.is_valid():
new_registered_user = serializer.save()
with transaction.atomic():
new_registered_user = serializer.save()
serializer = RegisteredUserSerializer(new_registered_user, many=False)
token = Token.objects.get(user=new_registered_user.user).key
token = get_object_or_404(Token, user=new_registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_201_CREATED)
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@api_view(['POST'])
@authentication_classes([])
def login_registered_user(request):
email = request.data.get("email", "").strip()
password = request.data.get("password", "")
@@ -69,31 +74,31 @@ def login_registered_user(request):
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
else:
return Response({"detail": "Invalid email or password"}, status=status.HTTP_404_NOT_FOUND)
return Response({"detail": "Invalid email or password"}, status=status.HTTP_401_UNAUTHORIZED)
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def update_registered_user(request):
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
email = request.data.get("email")
first_name = request.data.get("first_name")
last_name = request.data.get("last_name")
image = request.data.get("image")
email = request.POST.get("email")
first_name = request.POST.get("first_name")
last_name = request.POST.get("last_name")
image = request.POST.get("image")
registered_user.first_name = first_name
registered_user.last_name = last_name
registered_user.user.email = email
registered_user.image = image
registered_user.save()
registered_user.user.save()
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = Token.objects.get(user=registered_user.user).key
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
@@ -103,17 +108,17 @@ def update_registered_user(request):
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def update_password(request):
current_password = request.POST.get("current_password")
new_password = request.POST.get("new_password")
current_password = request.data.get("current_password")
new_password = request.data.get("new_password")
user = request.user
success = user.check_password(current_password)
if success:
if success:
user.set_password(new_password)
user.save()
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = Token.objects.get(user=registered_user.user).key
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data
data["token"] = token
return Response(data,status=status.HTTP_200_OK)
@@ -124,7 +129,7 @@ def update_password(request):
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def refresh(request):
registered_user = RegisteredUser.objects.get(user=request.user)
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = RegisteredUserSerializer(registered_user, many=False)
token = get_object_or_404(Token, user=registered_user.user).key
data = serializer.data

28
scripts/views.py
View File

@@ -2,45 +2,53 @@ from django.shortcuts import render
from exercise.models import Exercise
from muscle.models import Muscle, ExerciseMuscle
from equipment.models import Equipment, WorkoutEquipment
from rest_framework.decorators import api_view
from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated, IsAdminUser
from rest_framework.response import Response
from rest_framework import status
from django.core.cache import cache
# Create your views here.
@api_view(['GET'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def sync_equipment(request):
all_exercise = Exercise.objects.all()
for exercise in all_exercise:
all_equipment = exercise.equipment_required.split(',')
all_equipment = (exercise.equipment_required or '').split(',')
for equipment in all_equipment:
if len(equipment) > 0:
try:
equipment_obj = Equipment.objects.get(name=equipment.lower())
WorkoutEquipment.objects.create(exercise=exercise, equipment=equipment_obj).save()
WorkoutEquipment.objects.create(exercise=exercise, equipment=equipment_obj)
except Equipment.DoesNotExist:
pass
return Response(status=status.HTTP_200_OK)
@api_view(['GET'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def sync_muscle_groups(request):
all_exercise = Exercise.objects.all()
for exercise in all_exercise:
all_muscle_groups = exercise.muscle_groups.split(',')
all_muscle_groups = (exercise.muscle_groups or '').split(',')
for muscle_group in all_muscle_groups:
if len(muscle_group) > 0:
try:
muscle_obj = Muscle.objects.get(name=muscle_group.lower())
ExerciseMuscle.objects.create(exercise=exercise, muscle=muscle_obj).save()
except MuscleGroup.DoesNotExist:
ExerciseMuscle.objects.create(exercise=exercise, muscle=muscle_obj)
except Muscle.DoesNotExist:
pass
return Response(status=status.HTTP_200_OK)
@api_view(['GET'])
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated, IsAdminUser])
def clear_redis(request):
cache.clear()
return Response(status=status.HTTP_200_OK)
return Response(status=status.HTTP_200_OK)

25
superset/helpers.py
View File

@@ -12,15 +12,26 @@ def get_first_up_superset(workout):
return first_up_superset
def get_first_up_superset_exercise(superset):
try:
exercise = Exercise.objects.get(name="First Up")
except Exercise.DoesNotExist:
exercise = None
if exercise is None:
return None
first_up_superset_exercise = SupersetExercise()
first_up_superset_exercise.exercise = Exercise.objects.get(name="First Up")
first_up_superset_exercise.exercise = exercise
first_up_superset_exercise.duration = 15
first_up_superset_exercise.order = 1
first_up_superset_exercise.exercise.side = "Chill"
first_up_superset_exercise.exercise.joints_used = ""
first_up_superset_exercise.exercise.movement_patterns = ""
first_up_superset_exercise.exercise.equipment_required = ""
first_up_superset_exercise.exercise.muscle_groups = ""
# Build overrides as a dict instead of mutating the ORM object in memory
first_up_superset_exercise._display_overrides = {
'side': 'Chill',
'joints_used': '',
'movement_patterns': '',
'equipment_required': '',
'muscle_groups': '',
}
if superset is not None:
first_up_superset_exercise.superset = superset
return first_up_superset_exercise
return first_up_superset_exercise

14
superset/models.py
View File

@@ -14,9 +14,9 @@ class Superset(models.Model):
related_name='superset_workout'
)
rounds = models.IntegerField(max_length=3, blank=False, null=False)
order = models.IntegerField(max_length=3, blank=False, null=False)
estimated_time = models.FloatField(max_length=255, blank=True, null=True)
rounds = models.IntegerField(blank=False, null=False)
order = models.IntegerField(blank=False, null=False)
estimated_time = models.FloatField(blank=True, null=True)
rest_between_rounds = models.IntegerField(default=45, help_text='Rest between rounds in seconds')
def __str__(self):
@@ -39,10 +39,10 @@ class SupersetExercise(models.Model):
related_name='superset_exercises'
)
weight = models.IntegerField(null=True, blank=True, max_length=4)
reps = models.IntegerField(null=True, blank=True, max_length=4)
duration = models.IntegerField(null=True, blank=True, max_length=4)
order = models.IntegerField(max_length=3, blank=False, null=False)
weight = models.IntegerField(null=True, blank=True)
reps = models.IntegerField(null=True, blank=True)
duration = models.IntegerField(null=True, blank=True)
order = models.IntegerField(blank=False, null=False)
def __str__(self):
return self.superset.workout.name + " -- " + self.exercise.name

20
superset/serializers.py
View File

@@ -2,33 +2,33 @@ from rest_framework import serializers
from .models import *
from exercise.models import Exercise
from exercise.serializers import ExerciseSerializer
import uuid
class SupersetExerciseSerializer(serializers.ModelSerializer):
exercise = serializers.SerializerMethodField()
unique_id = serializers.SerializerMethodField()
class Meta:
model = SupersetExercise
fields = '__all__'
def get_exercise(self, obj):
def get_exercise(self, obj):
data = ExerciseSerializer(obj.exercise, many=False).data
return data
def get_unique_id(self, obj):
return str(uuid.uuid4())
def get_unique_id(self, obj):
return f"{obj.pk}-{obj.superset_id}" if hasattr(obj, 'superset_id') else str(obj.pk)
class SupersetSerializer(serializers.ModelSerializer):
exercises = serializers.SerializerMethodField()
class Meta:
model = Superset
fields = '__all__'
def get_exercises(self, obj):
if obj.pk is None:
return []
objs = SupersetExercise.objects.filter(superset=obj).order_by('order')
# Use prefetched data if available via superset_exercises related manager
objs = obj.superset_exercises.all().order_by('order')
data = SupersetExerciseSerializer(objs, many=True).data
return data

15
supervisord.conf
View File

@@ -10,10 +10,12 @@ serverurl=unix:///tmp/supervisor.sock
file=/tmp/supervisor.sock
[program:django]
command=sh -c "python manage.py migrate && python manage.py runserver 0.0.0.0:8000"
# To run migrations manually: docker compose exec web python manage.py migrate
command=gunicorn werkout_api.wsgi:application --bind 0.0.0.0:8000 --workers 3
directory=/code
autostart=true
autorestart=true
startsecs=10
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
@@ -28,3 +30,14 @@ stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
[program:celery]
command=celery -A werkout_api worker -l info
directory=/code
autostart=true
autorestart=true
startsecs=10
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0

42
video/models.py
View File

@@ -17,14 +17,26 @@ class Video(models.Model):
gender = models.PositiveSmallIntegerField(
choices=VIDEO_GENDER
)
def __str__(self):
return str(self.video_file)
def save(self, **kwargs):
super(Video, self).save(**kwargs)
filename = self.video_file.name
create_hls_tasks.delay(filename)
def save(self, *args, **kwargs):
is_new = self.pk is None
if self.pk:
try:
old = type(self).objects.get(pk=self.pk)
video_changed = old.video_file != self.video_file
except type(self).DoesNotExist:
video_changed = True
else:
video_changed = bool(self.video_file)
super(Video, self).save(*args, **kwargs)
if self.video_file and (is_new or video_changed):
filename = self.video_file.name
create_hls_tasks.delay(filename)
@@ -33,10 +45,22 @@ class ExerciseVideo(models.Model):
updated_at = models.DateTimeField(auto_now=True)
video_file = models.FileField(upload_to='videos/', null=True, verbose_name="")
def save(self, **kwargs):
super(ExerciseVideo, self).save(**kwargs)
filename = self.video_file.name
create_hls_tasks.delay(filename)
def save(self, *args, **kwargs):
is_new = self.pk is None
if self.pk:
try:
old = type(self).objects.get(pk=self.pk)
video_changed = old.video_file != self.video_file
except type(self).DoesNotExist:
video_changed = True
else:
video_changed = bool(self.video_file)
super(ExerciseVideo, self).save(*args, **kwargs)
if self.video_file and (is_new or video_changed):
filename = self.video_file.name
create_hls_tasks.delay(filename)
@receiver(pre_delete, sender=ExerciseVideo)
def delete_exercise_video(sender, instance, using, **kwargs):

6
video/serializers.py
View File

@@ -9,5 +9,7 @@ class VideoSerializer(serializers.ModelSerializer):
model = Video
fields = ('video_file', 'gender_value',)
def get_video_file(self, obj):
return '/media/' + obj.video_file.name + '_720p.m3u8'
def get_video_file(self, obj):
if not obj.video_file:
return None
return '/media/' + obj.video_file.name + '_720p.m3u8'

7
video/tasks.py
View File

@@ -7,7 +7,8 @@ from django.core.files.storage import default_storage
@shared_task()
def create_hls_tasks(filename):
end_location = str(settings.MEDIA_ROOT) + "/" + str(filename) +'.m3u8'
base_name = os.path.splitext(str(filename))[0]
end_location = str(settings.MEDIA_ROOT) + "/" + base_name + '.m3u8'
if not default_storage.exists(end_location):
media_location = str(settings.MEDIA_ROOT) + "/" + str(filename)
video = ffmpeg_streaming.input(media_location)
@@ -21,6 +22,6 @@ def create_hls_tasks(filename):
# first_video.get('height', "Unknown")
# )
# print(f"Dimensions: {dimensions[0]}x{dimensions[1]}") # f-string
hls.auto_generate_representations()
hls.output(end_location)
hls.output(end_location)

41
video/views.py
View File

@@ -3,7 +3,6 @@ from .serializers import *
from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework import status
from django.contrib.auth.models import User
@@ -48,17 +47,33 @@ def nsfw_videos(request):
@permission_classes([IsAuthenticated])
def hls_videos(request):
video_url = request.GET.get('video_name', '')
type = request.GET.get('video_type', '')
video_type = request.GET.get('video_type', '')
end_location = str(settings.MEDIA_ROOT) + '/hls/'+ video_url +'.m3u8'
end_file_name = '/media/hls/'+ video_url +'_720p.m3u8'
# Sanitize inputs to prevent path traversal
video_url = os.path.basename(video_url)
video_type = os.path.basename(video_type)
if not video_url or not video_type:
return Response({"error": "video_name and video_type are required"}, status=status.HTTP_400_BAD_REQUEST)
end_location = os.path.join(str(settings.MEDIA_ROOT), 'hls', video_url + '.m3u8')
end_file_name = '/media/hls/' + video_url + '_720p.m3u8'
# Verify the resolved path is within MEDIA_ROOT
if not os.path.realpath(end_location).startswith(os.path.realpath(str(settings.MEDIA_ROOT))):
return Response({"error": "Invalid path"}, status=status.HTTP_400_BAD_REQUEST)
if default_storage.exists(end_location):
return JsonResponse({'file_location': end_file_name})
media_location = os.path.join(settings.MEDIA_ROOT) + "/" + type + "/" + video_url
media_location = os.path.join(str(settings.MEDIA_ROOT), video_type, video_url)
# Verify media_location is within MEDIA_ROOT
if not os.path.realpath(media_location).startswith(os.path.realpath(str(settings.MEDIA_ROOT))):
return Response({"error": "Invalid path"}, status=status.HTTP_400_BAD_REQUEST)
video = ffmpeg_streaming.input(media_location)
hls = video.hls(Formats.h264())
#_720p = Representation(Size(1280, 720), Bitrate(2048 * 1024, 320 * 1024))
hls.auto_generate_representations()
@@ -67,9 +82,17 @@ def hls_videos(request):
# {{url}}/videos/hls_video?video_name=Recover_24.mp4&video_type=videos
return JsonResponse({'file_location': end_file_name})
@api_view(['GET'])
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def create_hls(request):
create_hls_tasks.delay()
return JsonResponse({'running': "running"})
filename = request.data.get('filename', '')
if not filename:
return Response({"error": "filename is required"}, status=status.HTTP_400_BAD_REQUEST)
# Sanitize to prevent path traversal
filename = os.path.basename(filename)
full_path = os.path.join(str(settings.MEDIA_ROOT), 'videos', filename)
if not os.path.realpath(full_path).startswith(os.path.realpath(str(settings.MEDIA_ROOT))):
return Response({"error": "Invalid path"}, status=status.HTTP_400_BAD_REQUEST)
create_hls_tasks.delay(os.path.join('videos', filename))
return JsonResponse({'running': "running"})

28
werkout-frontend/next.config.mjs
View File

@@ -21,14 +21,12 @@ const nextConfig = {
},
async rewrites() {
const djangoUrl = process.env.DJANGO_INTERNAL_URL || "http://localhost:8000";
// Helper: for each Django prefix, create two rewrites:
// 1. with trailing slash preserved
// 2. without trailing slash → add it (Django requires trailing slashes)
const djangoPrefixes = [
// Prefixes that have NO conflicting Next.js page routes
const safePrefixes = [
"media", "registered_user", "exercise", "muscle",
"equipment", "workout", "generator", "videos", "admin",
"equipment", "generator", "videos", "admin", "static",
];
return djangoPrefixes.flatMap((prefix) => [
const rules = safePrefixes.flatMap((prefix) => [
{
source: `/${prefix}/:path*/`,
destination: `${djangoUrl}/${prefix}/:path*/`,
@@ -38,6 +36,24 @@ const nextConfig = {
destination: `${djangoUrl}/${prefix}/:path*/`,
},
]);
// "workout" conflicts with Next.js page route /workout/[workoutId],
// so only rewrite specific Django sub-paths (not bare /workout/<id>).
const workoutApiPaths = [
"all", "complete", "completed", "create",
"planned_workouts", "plan_workout", "add_from_files",
];
for (const sub of workoutApiPaths) {
rules.push(
{ source: `/workout/${sub}/`, destination: `${djangoUrl}/workout/${sub}/` },
{ source: `/workout/${sub}`, destination: `${djangoUrl}/workout/${sub}/` },
);
}
// /workout/<id>/details/ — the <id> segment followed by "details"
rules.push(
{ source: "/workout/:id/details/", destination: `${djangoUrl}/workout/:id/details/` },
{ source: "/workout/:id/details", destination: `${djangoUrl}/workout/:id/details/` },
);
return rules;
},
};

201
werkout_api/settings.py
View File

@@ -9,13 +9,18 @@ BASE_DIR = Path(__file__).resolve().parent.parent
# Quick-start development settings - unsuitable for production
# See https://docs.djangoproject.com/en/4.1/howto/deployment/checklist/
# SECURITY WARNING: keep the secret key used in production secret!
# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
DEBUG = os.environ.get("DEBUG", "").lower() == "true"
ALLOWED_HOSTS = []
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = os.environ.get("SECRET_KEY")
if not DEBUG and (not SECRET_KEY or SECRET_KEY == "secret"):
from django.core.exceptions import ImproperlyConfigured
raise ImproperlyConfigured("SECRET_KEY environment variable is required in production (and must not be 'secret')")
if not SECRET_KEY:
SECRET_KEY = "insecure-dev-secret-key-change-in-production"
ALLOWED_HOSTS = os.environ.get("ALLOWED_HOSTS", "*").split(",")
# Application definition
@@ -28,7 +33,6 @@ INSTALLED_APPS = [
'django.contrib.messages',
'django.contrib.staticfiles',
'debug_toolbar',
'rest_framework',
'rest_framework.authtoken',
'import_export',
@@ -53,24 +57,17 @@ MIDDLEWARE = [
'corsheaders.middleware.CorsMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'debug_toolbar.middleware.DebugToolbarMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
ROOT_URLCONF = 'werkout_api.urls'
if DEBUG:
INSTALLED_APPS += ['debug_toolbar']
MIDDLEWARE += ['debug_toolbar.middleware.DebugToolbarMiddleware']
CACHES = {
"default": {
"BACKEND": "django_redis.cache.RedisCache",
"LOCATION": "redis://redis:6379/",
"OPTIONS": {
"CLIENT_CLASS": "django_redis.client.DefaultClient"
},
}
}
ROOT_URLCONF = 'werkout_api.urls'
TEMPLATES = [
{
@@ -94,6 +91,64 @@ WSGI_APPLICATION = 'werkout_api.wsgi.application'
# Database
# https://docs.djangoproject.com/en/4.1/ref/settings/#databases
if os.environ.get("DATABASE_URL"):
CSRF_TRUSTED_ORIGINS = ['https://*.werkout.fitness', 'https://*.treytartt.com']
# Parse the DATABASE_URL env var.
USER, PASSWORD, HOST, PORT, NAME = re.match("^postgres://(?P<username>.*?)\:(?P<password>.*?)\@(?P<host>.*?)\:(?P<port>\d+)\/(?P<db>.*?)$", os.environ.get("DATABASE_URL", "")).groups()
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': NAME,
'USER': USER,
'PASSWORD': PASSWORD,
'HOST': HOST,
'PORT': int(PORT),
}
}
CACHES = {
"default": {
"BACKEND": "django_redis.cache.RedisCache",
"LOCATION": [os.environ.get('REDIS_URL', 'redis://localhost:6379')],
"OPTIONS": {
"CLIENT_CLASS": "django_redis.client.DefaultClient"
},
}
}
CELERY_BROKER_URL = os.environ.get("REDIS_URL", "") + "/1"
CELERY_RESULT_BACKEND = os.environ.get("REDIS_URL", "") + "/1"
INTERNAL_IPS = [
"127.0.0.1",
]
else:
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': os.environ.get('DB_NAME', 'werkout'),
'USER': os.environ.get('DB_USER', 'werkout'),
'PASSWORD': os.environ.get('DB_PASSWORD', 'werkout'),
'HOST': os.environ.get('DB_HOST', 'db'),
'PORT': os.environ.get('DB_PORT', '5432'),
}
}
CACHES = {
"default": {
"BACKEND": "django.core.cache.backends.locmem.LocMemCache",
}
}
CELERY_BROKER_URL = "redis://redis:6379"
CELERY_RESULT_BACKEND = "redis://redis:6379"
INTERNAL_IPS = [
"127.0.0.1",
]
# Password validation
# https://docs.djangoproject.com/en/4.1/ref/settings/#auth-password-validators
@@ -135,97 +190,23 @@ STATIC_ROOT = os.path.join(BASE_DIR, 'static')
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(BASE_DIR, "media")
if os.environ.get("DATABASE_URL"):
ALLOWED_HOSTS = ['*']
# if os.environ.get("IS_DEV"):
# DEBUG = True
# PUSH_NOTIFICATIONS_SETTINGS = {
# "APNS_CERTIFICATE": "certs/dev/prod_aps.pem",
# "APNS_TOPIC": "io.brodkast.ios-Dev",
# "APNS_TEAM_ID": "JCU65VV9D9",
# "APNS_USE_SANDBOX": False
# }
# else:
# DEBUG = False
# PUSH_NOTIFICATIONS_SETTINGS = {
# "APNS_CERTIFICATE": "certs/prod/prod_aps.pem",
# "APNS_TOPIC": "io.brodkast.ios",
# "APNS_TEAM_ID": "JCU65VV9D9",
# "APNS_USE_SANDBOX": False
# }
CSRF_TRUSTED_ORIGINS = ['https://*.werkout.fitness', 'https://*.treytartt.com']
SECRET_KEY = os.environ.get("SECRET_KEY", 'secret')
# Parse the DATABASE_URL env var.
USER, PASSWORD, HOST, PORT, NAME = re.match("^postgres://(?P<username>.*?)\:(?P<password>.*?)\@(?P<host>.*?)\:(?P<port>\d+)\/(?P<db>.*?)$", os.environ.get("DATABASE_URL", "")).groups()
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.postgresql',
'NAME': NAME,
'USER': USER,
'PASSWORD': PASSWORD,
'HOST': HOST,
'PORT': int(PORT),
}
}
CACHES = {
"default": {
"BACKEND": "django_redis.cache.RedisCache",
"LOCATION": [os.environ.get('REDIS_URL', 'redis://localhost:6379')],
"OPTIONS": {
"CLIENT_CLASS": "django_redis.client.DefaultClient"
},
}
}
CELERY_BROKER_URL = os.environ.get("REDIS_URL", "") + "/1"
CELERY_RESULT_BACKEND = os.environ.get("REDIS_URL", "") + "/1"
INTERNAL_IPS = [
"127.0.0.1",
]
else:
DEBUG = True
ALLOWED_HOSTS = ['*']
SECRET_KEY = 'django-insecure-o_0sbr3lxcy#_r#imo4tl0cw*%@*__2a48dcd6hbp&u9b5dx=1'
DATABASES = {
'default': {
'ENGINE': 'django.db.backends.sqlite3',
'NAME': BASE_DIR / 'db.sqlite3',
}
}
CACHES = {
"default": {
"BACKEND": "django.core.cache.backends.locmem.LocMemCache",
}
}
CELERY_BROKER_URL = "redis://redis:6379"
CELERY_RESULT_BACKEND = "redis://redis:6379"
INTERNAL_IPS = [
"127.0.0.1",
]
# PUSH_NOTIFICATIONS_SETTINGS = {
# "APNS_CERTIFICATE": "certs/dev/dev_aps.pem",
# "APNS_TOPIC": "io.brodkast.ios-Dev",
# "APNS_TEAM_ID": "JCU65VV9D9",
# "APNS_USE_SANDBOX": True
# }
# CORS settings
CORS_ALLOW_ALL_ORIGINS = True if DEBUG else False
CORS_ALLOWED_ORIGINS = [
'http://localhost:3000',
'http://127.0.0.1:3000',
]
CORS_ALLOW_CREDENTIALS = True
if DEBUG:
CORS_ALLOW_ALL_ORIGINS = True
else:
CORS_ALLOW_ALL_ORIGINS = False
CORS_ALLOWED_ORIGINS = os.environ.get("CORS_ALLOWED_ORIGINS", "").split(",") if os.environ.get("CORS_ALLOWED_ORIGINS") else [
'http://localhost:3000',
'http://127.0.0.1:3000',
]
CORS_ALLOW_CREDENTIALS = True
# HTTPS security settings for production
if not DEBUG:
SECURE_SSL_REDIRECT = os.environ.get("SECURE_SSL_REDIRECT", "true").lower() == "true"
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
SECURE_HSTS_PRELOAD = True
SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

12
workout/helpers.py
View File

@@ -30,10 +30,14 @@ def create_all_exercise_list_for_workout(workout):
data["audio_queues"] = audio_queues
all_superset_exercise.append(data)
supersets = Superset.objects.filter(workout=workout).order_by('order')
# Fix #17: N+1 - add prefetch_related to avoid per-superset queries
supersets = Superset.objects.filter(workout=workout).order_by('order').prefetch_related(
'supersetexercise_set__exercise'
)
order = 2
for superset_count, superset in enumerate(supersets):
supersetExercises = SupersetExercise.objects.filter(superset=superset).order_by('order')
# Use prefetched data instead of re-querying (N+1 fix)
supersetExercises = sorted(superset.supersetexercise_set.all(), key=lambda se: se.order)
for x in range(superset.rounds):
for exercise_idx, exercise in enumerate(supersetExercises):
exercise.order = order
@@ -68,7 +72,9 @@ def create_all_exercise_list_for_workout(workout):
elif len(supersets) > superset_count+1:
next_superset = supersets[superset_count+1]
next_supersetExercises = SupersetExercise.objects.filter(superset=next_superset).order_by('order').first()
# Use prefetched data instead of re-querying
next_superset_exercises = sorted(next_superset.supersetexercise_set.all(), key=lambda se: se.order)
next_supersetExercises = next_superset_exercises[0] if next_superset_exercises else None
next_up_data = {
"audio_url": next_supersetExercises.exercise.audio_url().lower(),

9
workout/models.py
View File

@@ -1,4 +1,5 @@
from django.db import models
from django.conf import settings
from exercise.models import *
from registered_user.models import RegisteredUser
@@ -21,7 +22,7 @@ class Workout(models.Model):
RegisteredUser,
on_delete=models.CASCADE
)
estimated_time = models.FloatField(max_length=255, blank=True, null=True)
estimated_time = models.FloatField(blank=True, null=True)
def __str__(self):
return str(self.id) + ": " + self.name + " - " + (self.description or "") + " - by: " + str(self.registered_user.first_name) + " - on: " + str(self.created_at)
@@ -39,9 +40,9 @@ class WorkoutExercise(models.Model):
on_delete=models.CASCADE,
related_name='workout_exercise_exercise'
)
weight = models.IntegerField(null=True, blank=True, max_length=4)
reps = models.IntegerField(null=True, blank=True, max_length=4)
duration = models.IntegerField(null=True, blank=True, max_length=4)
weight = models.IntegerField(null=True, blank=True)
reps = models.IntegerField(null=True, blank=True)
duration = models.IntegerField(null=True, blank=True)
def __str__(self):
return self.workout.name + " : " + self.exercise.name

56
workout/serializers.py
View File

@@ -34,11 +34,13 @@ class CompleteWorkoutSerializer(serializers.ModelSerializer):
difficulty=validated_data['difficulty'],
total_time=validated_data['total_time'],
workout_start_time=validated_data['workout_start_time'],
notes=validated_data['notes']
# Fix #5: KeyError 'notes' - use .get() with default
notes=validated_data.get('notes', '')
)
if "health_kit_workout_uuid" in validated_data:
completed_workout.workout_uuid = validated_data['health_kit_workout_uuid']
completed_workout.save()
# Fix #6: wrong attribute name - model field is health_kit_workout_uuid
completed_workout.health_kit_workout_uuid = validated_data['health_kit_workout_uuid']
completed_workout.save()
return completed_workout
class WorkoutSerializer(serializers.ModelSerializer):
@@ -53,25 +55,48 @@ class WorkoutSerializer(serializers.ModelSerializer):
fields = '__all__'
# depth = 1
def get_muscles(self, obj):
def get_muscles(self, obj):
# Fix #16: Use prefetched data when available, fall back to query
if hasattr(obj, '_prefetched_objects_cache') and 'superset_set' in obj._prefetched_objects_cache:
exercise_ids = []
for superset in obj.superset_set.all():
for se in superset.supersetexercise_set.all():
exercise_ids.append(se.exercise_id)
if not exercise_ids:
return []
muscles_names = ExerciseMuscle.objects.filter(exercise__id__in=exercise_ids).values_list('muscle__name', flat=True)
return list(set(muscles_names))
superset_ids = Superset.objects.filter(workout=obj).values_list('id')
exercise_ids = SupersetExercise.objects.filter(superset__id__in=superset_ids).values_list('exercise__id')
muscles_names = ExerciseMuscle.objects.filter(exercise__id__in=exercise_ids).values_list('muscle__name', flat=True)
return list(set(muscles_names))
# muscles_names = ExerciseMuscle.objects.filter(exercise__id__in=exercises).values_list('muscle__name', flat=True)
# return list(set(muscles_names))
def get_equipment(self, obj):
def get_equipment(self, obj):
# Fix #16: Use prefetched data when available, fall back to query
if hasattr(obj, '_prefetched_objects_cache') and 'superset_set' in obj._prefetched_objects_cache:
exercise_ids = []
for superset in obj.superset_set.all():
for se in superset.supersetexercise_set.all():
exercise_ids.append(se.exercise_id)
if not exercise_ids:
return []
equipment_names = WorkoutEquipment.objects.filter(exercise__id__in=exercise_ids).values_list('equipment__name', flat=True)
return list(set(equipment_names))
superset_ids = Superset.objects.filter(workout=obj).values_list('id')
exercise_ids = SupersetExercise.objects.filter(superset__id__in=superset_ids).values_list('exercise__id')
exercise_ids = SupersetExercise.objects.filter(superset__id__in=superset_ids).values_list('exercise__id')
equipment_names = WorkoutEquipment.objects.filter(exercise__id__in=exercise_ids).values_list('equipment__name', flat=True)
return list(set(equipment_names))
def get_exercise_count(self, obj):
def get_exercise_count(self, obj):
# Fix #16: Use prefetched data when available, fall back to query
returnValue = 0
if hasattr(obj, '_prefetched_objects_cache') and 'superset_set' in obj._prefetched_objects_cache:
for superset in obj.superset_set.all():
exercise_count = len(superset.supersetexercise_set.all())
returnValue += (superset.rounds * exercise_count)
return returnValue
supersets = Superset.objects.filter(workout=obj)
for superset in supersets:
for superset in supersets:
exercise_count = SupersetExercise.objects.filter(superset=superset).count()
returnValue += (superset.rounds * exercise_count)
return returnValue
@@ -106,8 +131,7 @@ class WorkoutDetailSerializer(serializers.ModelSerializer):
return data
def get_registered_user(self, obj):
objs = RegisteredUser.objects.get(pk=obj.registered_user.pk)
data = GetRegisteredUserSerializer(objs, many=False).data
data = GetRegisteredUserSerializer(obj.registered_user, many=False).data
return data
class GetCompleteWorkoutSerializer(serializers.ModelSerializer):
@@ -142,5 +166,5 @@ class POSTPlannedWorkoutSerializer(serializers.ModelSerializer):
workout=validated_data['workout'],
on_date=validated_data['on_date']
)
planned_workout.save()
# Fix #18: removed redundant save() right after create()
return planned_workout

169
workout/tasks.py
View File

@@ -1,12 +1,16 @@
from celery import shared_task
import json
import os
import logging
from .models import *
from .serializers import *
from django.core.cache import cache
from django.db import transaction
from superset.models import Superset, SupersetExercise
from exercise.models import Exercise
logger = logging.getLogger(__name__)
@shared_task()
def add_from_files_tasks():
sample_urls = [{
@@ -16,86 +20,111 @@ def add_from_files_tasks():
"file": os.getcwd() + "/workout/cho_all_workouts.json",
"user_id": 6
}]
for sample_url in sample_urls:
with open(sample_url["file"]) as user_file:
file_contents = user_file.read()
parsed_json = json.loads(file_contents)
# Fix #7: wrap in try/except so DoesNotExist doesn't crash Celery task
try:
registered_user = RegisteredUser.objects.get(pk=sample_url["user_id"])
except RegisteredUser.DoesNotExist:
logger.error("RegisteredUser with id=%s does not exist, skipping file %s",
sample_url["user_id"], sample_url["file"])
continue
for item in parsed_json:
workout_name = item["name"]
workout_description = item["description"]
workout_created = item["created"]
workout_obj = Workout.objects.create(
registered_user = RegisteredUser.objects.get(pk=sample_url["user_id"]),
description = workout_description,
name = workout_name,
created_at = workout_created
)
workout_obj.save()
workout_obj.created_at = workout_created
workout_obj.save(update_fields=['created_at'])
workout_total_time = 0
supersets = item["supersets"]
superset_order = 1
for superset in supersets:
superset_name = superset["name"]
superset_rounds = superset["rounds"]
superset_obj = Superset.objects.create(
workout=workout_obj,
name=superset_name,
rounds=superset_rounds,
order=superset_order
)
superset_obj.save()
superset_order += 1
exercises = superset["exercises"]
exercise_order = 1
superset_total_time = 0
for exercise in exercises:
side = exercise["side"]
name = exercise["name"]
duration = exercise["duration"]
reps = exercise["reps"]
side = exercise["side"]
exercise_obj = None
if len(side) > 0:
exercise_obj = Exercise.objects.get(name=name, side=side)
else:
exercise_obj = Exercise.objects.get(name=name, side="")
supersetExercise = SupersetExercise.objects.create(
superset=superset_obj,
exercise=exercise_obj,
order=exercise_order
# Fix #11: wrap bulk operations in transaction.atomic()
try:
with transaction.atomic():
workout_obj = Workout.objects.create(
registered_user = registered_user,
description = workout_description,
name = workout_name,
created_at = workout_created
)
if reps != 0:
supersetExercise.reps = reps
superset_total_time += reps * exercise_obj.estimated_rep_duration
if reps == 0 and duration != 0:
supersetExercise.duration = duration
superset_total_time += exercise["duration"]
supersetExercise.save()
exercise_order += 1
# Fix #18: removed first redundant save() after create()
# Need the second save to override auto_now_add on created_at
workout_obj.created_at = workout_created
workout_obj.save(update_fields=['created_at'])
workout_total_time = 0
superset_obj.estimated_time = superset_total_time
superset_obj.save()
supersets = item["supersets"]
superset_order = 1
for superset in supersets:
superset_name = superset["name"]
superset_rounds = superset["rounds"]
workout_total_time += (superset_total_time * superset_rounds)
workout_obj.estimated_time = workout_total_time
workout_obj.save()
cache.delete('all_workouts')
superset_obj = Superset.objects.create(
workout=workout_obj,
name=superset_name,
rounds=superset_rounds,
order=superset_order
)
# Fix #18: removed redundant save() right after create()
superset_order += 1
exercises = superset["exercises"]
exercise_order = 1
superset_total_time = 0
for exercise in exercises:
side = exercise["side"]
name = exercise["name"]
duration = exercise["duration"]
reps = exercise["reps"]
side = exercise["side"]
# Fix #7: wrap Exercise.objects.get in try/except
try:
exercise_obj = None
if len(side) > 0:
exercise_obj = Exercise.objects.get(name=name, side=side)
else:
exercise_obj = Exercise.objects.get(name=name, side="")
except Exercise.DoesNotExist:
logger.error("Exercise '%s' (side='%s') does not exist, skipping",
name, side)
exercise_order += 1
continue
supersetExercise = SupersetExercise.objects.create(
superset=superset_obj,
exercise=exercise_obj,
order=exercise_order
)
if reps != 0:
supersetExercise.reps = reps
# Fix #4: None multiplication risk
superset_total_time += reps * (exercise_obj.estimated_rep_duration or 3.0)
if reps == 0 and duration != 0:
supersetExercise.duration = duration
superset_total_time += exercise["duration"]
supersetExercise.save()
exercise_order += 1
superset_obj.estimated_time = superset_total_time
superset_obj.save()
workout_total_time += (superset_total_time * superset_rounds)
workout_obj.estimated_time = workout_total_time
workout_obj.save()
except Exception:
logger.exception("Failed to import workout '%s' from %s",
workout_name, sample_url["file"])
continue
# Invalidate per-user cache keys for all imported users
for sample_url in sample_urls:
cache.delete('all_workouts_user_' + str(sample_url["user_id"]))

2
workout/urls.py
View File

@@ -11,5 +11,5 @@ urlpatterns = [
path('planned_workouts/', views.workouts_planned_by_logged_in_user, name='planned workout for user'),
path('plan_workout/', views.plan_workout, name='plan workout'),
path('add_from_files/', views.add_from_files, name='plan workout'),
path('add_from_files/', views.add_from_files, name='add_from_files'),
]

190
workout/views.py
View File

@@ -3,17 +3,18 @@ from .serializers import *
from django.shortcuts import render
from rest_framework.decorators import api_view
from rest_framework.decorators import api_view
from rest_framework.response import Response
from rest_framework import status
from django.contrib.auth.models import User
from django.contrib.auth import authenticate
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.permissions import IsAuthenticated, IsAdminUser
from rest_framework.decorators import authentication_classes
from rest_framework.decorators import permission_classes
from django.shortcuts import get_object_or_404
from datetime import datetime, timedelta
from django.utils import timezone
from datetime import timedelta
from django.db import transaction
from django.core.cache import cache
from .tasks import add_from_files_tasks
@@ -22,14 +23,25 @@ from .tasks import add_from_files_tasks
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def all_workouts(request):
if 'all_workouts' in cache:
data = cache.get('all_workouts')
# Fix #13: IDOR - filter workouts by the authenticated user
registered_user = get_object_or_404(RegisteredUser, user=request.user)
cache_name = 'all_workouts_user_' + str(registered_user.pk)
if cache_name in cache:
data = cache.get(cache_name)
return Response(data=data, status=status.HTTP_200_OK)
users = Workout.objects.all()
serializer = WorkoutSerializer(users, many=True)
# Fix #16: N+1 - add prefetch_related for exercises, muscles, and equipment
workouts = Workout.objects.filter(
registered_user=registered_user
).prefetch_related(
'superset_set__supersetexercise_set__exercise',
'superset_set__supersetexercise_set__exercise__muscles',
'superset_set__supersetexercise_set__exercise__equipment_required_list',
)
serializer = WorkoutSerializer(workouts, many=True)
data = serializer.data
cache.set('all_workouts', data, timeout=None)
cache.set(cache_name, data, timeout=None)
return Response(data=data, status=status.HTTP_200_OK)
@@ -37,12 +49,27 @@ def all_workouts(request):
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def workout_details(request, workout_id):
cache_name = "wk"+str(workout_id)
# Fix #14: IDOR - verify the workout belongs to the requesting user
registered_user = get_object_or_404(RegisteredUser, user=request.user)
# Include user in cache key to prevent IDOR via cached data
cache_name = "wk" + str(workout_id) + "_user_" + str(registered_user.pk)
if cache_name in cache:
data = cache.get(cache_name)
return Response(data=data, status=status.HTTP_200_OK)
workout = Workout.objects.get(pk=workout_id)
# Fix #1: get_object_or_404 instead of Workout.objects.get
# Fix #14: also filter by registered_user for ownership check
# Fix #16: N+1 - add prefetch_related for exercises, muscles, and equipment
workout = get_object_or_404(
Workout.objects.prefetch_related(
'superset_set__supersetexercise_set__exercise',
'superset_set__supersetexercise_set__exercise__muscles',
'superset_set__supersetexercise_set__exercise__equipment_required_list',
),
pk=workout_id,
registered_user=registered_user
)
serializer = WorkoutDetailSerializer(workout, many=False)
data = serializer.data
cache.set(cache_name, data, timeout=300)
@@ -52,29 +79,32 @@ def workout_details(request, workout_id):
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def complete_workout(request):
registered_user = RegisteredUser.objects.get(user=request.user)
# Fix #1: get_object_or_404
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = CompleteWorkoutSerializer(data=request.data, context = {"registered_user":registered_user.pk})
if serializer.is_valid():
serializer.save()
return Response(serializer.data, status=status.HTTP_201_CREATED)
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
# Fix #2: validation errors return 400 not 500
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@api_view(['GET'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def workouts_completed_by_logged_in_user(request):
registered_user = RegisteredUser.objects.get(user=request.user)
# Fix #1: get_object_or_404
registered_user = get_object_or_404(RegisteredUser, user=request.user)
workouts = CompletedWorkout.objects.filter(registered_user=registered_user)
serializer = GetCompleteWorkoutSerializer(workouts, many=True)
return Response(serializer.data, status=status.HTTP_201_CREATED)
# Fix #3: GET returns 200 not 201
return Response(serializer.data, status=status.HTTP_200_OK)
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def add_workout(request):
registered_user = RegisteredUser.objects.get(user=request.user)
if registered_user is None:
return Response(status=status.HTTP_400_BAD_REQUEST)
# Fix #1: get_object_or_404
registered_user = get_object_or_404(RegisteredUser, user=request.user)
# exercise_data = dict(request.POST)["exercise_data"]
exercise_data = request.data["supersets"]
@@ -87,67 +117,75 @@ def add_workout(request):
serializer = POSTCompleteWorkoutSerializer(data=request.data)
if serializer.is_valid():
workout = serializer.save(registered_user=registered_user)
workout.save()
# Fix #10: wrap creation logic in transaction.atomic()
with transaction.atomic():
workout = serializer.save(registered_user=registered_user)
# Fix #18: removed redundant save() right after create()
workout_total_time = 0
for superset in exercise_data:
name = superset["name"]
rounds = superset["rounds"]
exercises = superset["exercises"]
superset_order = superset["order"]
superset = Superset.objects.create(
workout=workout,
name=name,
rounds=rounds,
order=superset_order
)
superset.save()
superset_total_time = 0
for exercise in exercises:
exercise_id = exercise["id"]
exercise_obj = Exercise.objects.get(pk=exercise_id)
order = exercise["order"]
workout_total_time = 0
for superset in exercise_data:
name = superset["name"]
rounds = superset["rounds"]
exercises = superset["exercises"]
superset_order = superset["order"]
supersetExercise = SupersetExercise.objects.create(
superset=superset,
exercise=exercise_obj,
order=order
superset = Superset.objects.create(
workout=workout,
name=name,
rounds=rounds,
order=superset_order
)
if "weight" in exercise:
supersetExercise.weight = exercise["weight"]
if "reps" in exercise:
supersetExercise.reps = exercise["reps"]
superset_total_time += exercise["reps"] * exercise_obj.estimated_rep_duration
if "duration" in exercise:
supersetExercise.duration = exercise["duration"]
superset_total_time += exercise["duration"]
# Fix #18: removed redundant save() right after create()
supersetExercise.save()
superset_total_time = 0
for exercise in exercises:
exercise_id = exercise["id"]
# Fix #1: get_object_or_404
exercise_obj = get_object_or_404(Exercise, pk=exercise_id)
order = exercise["order"]
superset.estimated_time = superset_total_time
superset.save()
supersetExercise = SupersetExercise.objects.create(
superset=superset,
exercise=exercise_obj,
order=order
)
workout_total_time += (superset_total_time * rounds)
if "weight" in exercise:
supersetExercise.weight = exercise["weight"]
if "reps" in exercise:
supersetExercise.reps = exercise["reps"]
# Fix #4: None multiplication risk
superset_total_time += exercise["reps"] * (exercise_obj.estimated_rep_duration or 3.0)
if "duration" in exercise:
supersetExercise.duration = exercise["duration"]
superset_total_time += exercise["duration"]
superset_order += 1
workout.estimated_time = workout_total_time
workout.save()
cache.delete('all_workouts')
supersetExercise.save()
superset.estimated_time = superset_total_time
superset.save()
workout_total_time += (superset_total_time * rounds)
superset_order += 1
workout.estimated_time = workout_total_time
workout.save()
# Fix #19: invalidate per-user cache key (matches all_workouts view)
cache.delete('all_workouts_user_' + str(registered_user.pk))
return Response(serializer.data, status=status.HTTP_201_CREATED)
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
# Fix #2: validation errors return 400 not 500
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@api_view(['GET'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def workouts_planned_by_logged_in_user(request):
registered_user = RegisteredUser.objects.get(user=request.user)
workouts = PlannedWorkout.objects.filter(registered_user=registered_user, on_date__gte=datetime.now()- timedelta(days=1))
# Fix #1: get_object_or_404
registered_user = get_object_or_404(RegisteredUser, user=request.user)
# Fix #12: timezone.now() instead of datetime.now()
workouts = PlannedWorkout.objects.filter(registered_user=registered_user, on_date__gte=timezone.now()- timedelta(days=1))
serializer = PlannedWorkoutSerializer(workouts, many=True)
return Response(serializer.data, status=status.HTTP_200_OK)
@@ -155,19 +193,23 @@ def workouts_planned_by_logged_in_user(request):
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
def plan_workout(request):
registered_user = RegisteredUser.objects.get(user=request.user)
serializer = POSTPlannedWorkoutSerializer(data=request.data,
# Fix #1: get_object_or_404
registered_user = get_object_or_404(RegisteredUser, user=request.user)
serializer = POSTPlannedWorkoutSerializer(data=request.data,
context = {"registered_user":registered_user.pk})
if serializer.is_valid():
serializer.save()
return Response(serializer.data, status=status.HTTP_201_CREATED)
return Response(serializer.errors, status=status.HTTP_500_INTERNAL_SERVER_ERROR)
# Fix #2: validation errors return 400 not 500
return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
@api_view(['GET'])
# Fix #15: This GET endpoint triggers data mutation (importing from files).
# Changed to POST. This should be admin-only.
@api_view(['POST'])
@authentication_classes([TokenAuthentication])
@permission_classes([IsAuthenticated])
@permission_classes([IsAdminUser])
def add_from_files(request):
add_from_files_tasks.delay()
cache.delete('all_workouts')
return Response(status=status.HTTP_200_OK)
# Cache invalidation is handled in the task after import completes
return Response(status=status.HTTP_200_OK)