docs: Update docs + ensure core functionality

Author: CuriousLearner

CHANGELOG.rst

@@ -20,13 +20,21 @@ and this project adheres to `Semantic Versioning <https://semver.org/spec/v2.0.0
 **Changed**
 
 * Improved documentation structure and clarity
-* Refined compliance messaging - positions as compliance support tool
+* Contributing and changelog docs use RST include directives for single source of truth
+
+**Fixed**
+
+* ``ALLOW_CUSTOM_FUNCTIONS`` setting now properly controls validation
+* ``ENABLE_LOGGING`` setting now properly controls operation logging
+* ``VALIDATE_FUNCTIONS`` setting now properly controls function validation in management commands
+* API reference now documents only public-facing functions (``get_anon_setting``, ``validate_anon_extension``)
 
 **Removed**
 
 * ``database_role()`` context manager - unsafe arbitrary role switching
 * ``@database_role_required()`` decorator - potential security risk
 * Direct role manipulation utilities - use ``anonymized_data()`` instead
+* ``AUTO_APPLY_RULES`` setting - feature was never implemented, removed to avoid confusion
 
 0.1.0-alpha.1 - 2025-09-20
 --------------------------

CONTRIBUTING.rst

@@ -117,7 +117,7 @@ Before submitting a PR, ensure your code passes all quality checks:
    - Follow the existing code style
    - Add tests for new functionality
    - Update documentation as needed
-   - Add your changes to ``CHANGELOG.md`` under ``[Unreleased]``
+   - Add your changes to ``CHANGELOG.rst`` or ``docs/changelog.rst``
 
 3. **Test your changes**
 

README.md

@@ -105,7 +105,7 @@ def sensitive_report(request):
 ### Privacy & Compliance
 
 - **🔒 Privacy by Design** - Reduce risk of data exposure in non-production environments
-- **📋 Compliance Support** - Tool to help with data protection requirements (consult legal counsel for compliance certification)
+- **📋 Compliance Support** - Tool to help with data protection requirements
 - **🛡️ Data Minimization** - Limit exposure of sensitive data to development teams
 
 ## 🤔 Why Not Just...?

README.rst

@@ -134,7 +134,7 @@ Privacy & Compliance
 - **🔒 Privacy by Design** - Reduce risk of data exposure in
   non-production environments
 - **📋 Compliance Support** - Tool to help with data protection
-  requirements (consult legal counsel for compliance certification)
+  requirements
 - **🛡️ Data Minimization** - Limit exposure of sensitive data to
   development teams
 
@@ -169,11 +169,13 @@ automatic, middleware-based anonymization that just works.
        C --> D[Anonymized Views]
        D --> E[Masked Data]
 
-**Core Components:** - **Middleware** - Automatic anonymization for user
-groups - **Context Managers** - Manual anonymized data access -
-**Decorators** - View-level anonymization - **Admin Interface** - Rule
-management and monitoring - **Management Commands** - CLI operations and
-automation
+**Core Components:**
+
+- **Middleware** - Automatic anonymization for user groups
+- **Context Managers** - Manual anonymized data access
+- **Decorators** - View-level anonymization
+- **Admin Interface** - Rule management and monitoring
+- **Management Commands** - CLI operations and automation
 
 🛡️ Security Features
 --------------------

SECURITY.md

@@ -101,7 +101,6 @@ except Exception as e:
 # settings.py - Production configuration
 POSTGRES_ANON = {
     'ENABLED': True,
-    'AUTO_APPLY_RULES': False,        # Never auto-apply in production
     'VALIDATE_FUNCTIONS': True,       # Always validate functions
     'ALLOW_CUSTOM_FUNCTIONS': False,  # Restrict to anon namespace
     'ENABLE_LOGGING': True,           # Full audit trail
@@ -216,11 +215,10 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 ``` bash
 # Development
 export POSTGRES_ANON_ALLOW_CUSTOM_FUNCTIONS=true
-export POSTGRES_ANON_AUTO_APPLY_RULES=true
 
 # Production
 export POSTGRES_ANON_ALLOW_CUSTOM_FUNCTIONS=false
-export POSTGRES_ANON_AUTO_APPLY_RULES=false
+export POSTGRES_ANON_VALIDATE_FUNCTIONS=true
 ```
 
 **2. Access Control:**

django_postgres_anon/config.py

@@ -16,7 +16,6 @@ def get_setting(key: str, default=None):
     "MASKED_GROUPS": ["view_masked_data"],
     "ANONYMIZED_DATA_ROLE": "masked_reader",
     "ENABLED": False,
-    "AUTO_APPLY_RULES": False,
     "VALIDATE_FUNCTIONS": True,
     "ALLOW_CUSTOM_FUNCTIONS": False,
     "ENABLE_LOGGING": True,
@@ -28,7 +27,6 @@ def get_setting(key: str, default=None):
     "MASKED_GROUPS": "POSTGRES_ANON_MASKED_GROUPS",
     "ANONYMIZED_DATA_ROLE": "POSTGRES_ANON_ANONYMIZED_DATA_ROLE",
     "ENABLED": "POSTGRES_ANON_ENABLED",
-    "AUTO_APPLY_RULES": "POSTGRES_ANON_AUTO_APPLY_RULES",
     "VALIDATE_FUNCTIONS": "POSTGRES_ANON_VALIDATE_FUNCTIONS",
     "ALLOW_CUSTOM_FUNCTIONS": "POSTGRES_ANON_ALLOW_CUSTOM_FUNCTIONS",
     "ENABLE_LOGGING": "POSTGRES_ANON_ENABLE_LOGGING",
@@ -47,7 +45,7 @@ def get_anon_setting(key: str):
     if env_var and env_var in os.environ:
         env_value = os.environ[env_var]
         # Handle boolean conversion for known boolean settings
-        if key in ["ENABLED", "AUTO_APPLY_RULES", "VALIDATE_FUNCTIONS", "ALLOW_CUSTOM_FUNCTIONS", "ENABLE_LOGGING"]:
+        if key in ["ENABLED", "VALIDATE_FUNCTIONS", "ALLOW_CUSTOM_FUNCTIONS", "ENABLE_LOGGING"]:
             return _parse_env_bool(env_value)
         # Handle comma-separated groups
         if key == "MASKED_GROUPS":

django_postgres_anon/management/commands/anon_load_yaml.py

@@ -5,6 +5,7 @@
 import yaml
 from django.core.management.base import BaseCommand, CommandError
 
+from django_postgres_anon.config import get_anon_setting
 from django_postgres_anon.models import MaskingPreset, MaskingRule
 from django_postgres_anon.utils import create_operation_log, validate_function_syntax
 
@@ -154,8 +155,9 @@ def _validate_yaml_structure(self, rules_data, options):
                     )
                     continue
 
-                # Validate function syntax if enabled
-                if options["validate"]:
+                # Validate function syntax if enabled (command option or global setting)
+                should_validate = options["validate"] or get_anon_setting("VALIDATE_FUNCTIONS")
+                if should_validate:
                     if not validate_function_syntax(function_expr):
                         errors.append(f"Rule {i + 1}: Invalid function syntax: {function_expr}")
                         continue

django_postgres_anon/management/commands/anon_validate.py

@@ -2,6 +2,7 @@
 
 from django.core.management.base import BaseCommand, CommandError
 
+from django_postgres_anon.config import get_anon_setting
 from django_postgres_anon.models import MaskingLog, MaskingRule
 from django_postgres_anon.utils import (
     check_table_exists,
@@ -116,13 +117,16 @@ def _validate_rule(self, rule, options, fixes_applied):
             else:
                 self.stdout.write("    ✅ Table and column exist")
 
-        # Validate function syntax
-        if not validate_function_syntax(rule.function_expr):
-            error = f"Invalid function syntax: '{rule.function_expr}'"
-            errors.append(error)
-            self.stdout.write(f"    ❌ {error}")
+        # Validate function syntax if enabled
+        if get_anon_setting("VALIDATE_FUNCTIONS"):
+            if not validate_function_syntax(rule.function_expr):
+                error = f"Invalid function syntax: '{rule.function_expr}'"
+                errors.append(error)
+                self.stdout.write(f"    ❌ {error}")
+            else:
+                self.stdout.write("    ✅ Function syntax valid")
         else:
-            self.stdout.write("    ✅ Function syntax valid")
+            self.stdout.write("    ⚠️  Function validation disabled (VALIDATE_FUNCTIONS=False)")
 
         # Check for potential issues
         try:

django_postgres_anon/utils.py

@@ -4,6 +4,7 @@
 from django.conf import settings
 from django.db import DatabaseError, OperationalError, connection
 
+from django_postgres_anon.config import get_anon_setting
 from django_postgres_anon.constants import DEFAULT_POSTGRES_PORT
 
 logger = logging.getLogger(__name__)
@@ -53,8 +54,9 @@ def validate_function_syntax(function_expr: str) -> bool:
 
     function_expr = function_expr.strip()
 
-    # Must start with anon. namespace
-    if not function_expr.startswith("anon."):
+    # Must start with anon. namespace (unless ALLOW_CUSTOM_FUNCTIONS is enabled)
+    allow_custom = get_anon_setting("ALLOW_CUSTOM_FUNCTIONS")
+    if not allow_custom and not function_expr.startswith("anon."):
         return False
 
     # Must have parentheses
@@ -344,6 +346,10 @@ def create_operation_log(operation, user=None, **kwargs):
     """Standardized logging for all operations"""
     from django_postgres_anon.models import MaskingLog
 
+    # Check if logging is enabled
+    if not get_anon_setting("ENABLE_LOGGING"):
+        return None
+
     # Extract common fields
     details = kwargs.pop("details", {})
     success = kwargs.pop("success", True)

docs/changelog.rst

@@ -1,61 +1 @@
-Changelog
-=========
-
-All notable changes to this project will be documented in this file.
-
-The format is based on `Keep a Changelog <https://keepachangelog.com/en/1.0.0/>`_,
-and this project adheres to `Semantic Versioning <https://semver.org/spec/v2.0.0.html>`_.
-
-0.1.0b1 - 2025-01-XX
---------------------
-
-⚠️ **Beta Release** - Feature complete, ready for testing. API may still change before 1.0.
-
-**Added**
-
-* Multiple user groups support via ``MASKED_GROUPS`` configuration
-* Environment variable configuration following 12-factor principles
-* Comprehensive documentation with examples and deployment guides
-
-**Changed**
-
-* Improved documentation structure and clarity
-* Refined compliance messaging - positions as compliance support tool
-
-**Removed**
-
-* ``database_role()`` context manager - unsafe arbitrary role switching
-* ``@database_role_required()`` decorator - potential security risk
-* Direct role manipulation utilities - use ``anonymized_data()`` instead
-
-0.1.0-alpha.1 - 2025-09-20
---------------------------
-
-⚠️ **Alpha Release** - Initial preview release.
-
-**Core Features**
-
-* Django models: ``MaskingRule``, ``MaskingPreset``, ``MaskedRole``, ``MaskingLog``
-* Management commands: ``anon_init``, ``anon_apply``, ``anon_status``, ``anon_dump``, ``anon_validate``, ``anon_load_yaml``, ``anon_drop``, ``anon_fix_permissions``
-* Middleware (``AnonRoleMiddleware``) for automatic role switching based on user groups
-* Context managers (``anonymized_data``) for manual control
-* Decorators (``@use_anonymized_data``) for view-level anonymization
-* Class-based view mixins (``AnonymizedDataMixin``)
-* Django admin integration with bulk actions
-
-**Pre-built Presets**
-
-* Django Auth, E-commerce, Healthcare, Finance, Social Media, Education
-
-**Security**
-
-* SQL injection prevention with function validation
-* Role-based access control
-* Audit logging
-* Parameterized queries
-
-**Requirements**
-
-* Python 3.8+
-* Django 3.2+
-* PostgreSQL 12+ with Anonymizer extension
+.. include:: ../CHANGELOG.rst