From 4dc6f69a21805d8c82a2b79b0d696dfc8fec8715 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 12:33:46 +0000
Subject: [PATCH 01/61] Initial commit of Flask Talisman

---
 .flake8                         |   5 +
 .github/workflows/ci.yml        |  16 ++-
 .github/workflows/publish.yml   |  16 ++-
 README.md                       |  10 +-
 poetry.lock                     | 220 ++++++++++++++++++++++++++++++++
 pyproject.toml                  |  16 ++-
 tests/test_flask_talisman.py    |  97 ++++++++++++++
 tna_utilities/flask/talisman.py |  91 +++++++++++++
 8 files changed, 453 insertions(+), 18 deletions(-)
 create mode 100644 .flake8
 create mode 100644 poetry.lock
 create mode 100644 tests/test_flask_talisman.py
 create mode 100644 tna_utilities/flask/talisman.py

diff --git a/.flake8 b/.flake8
new file mode 100644
index 0000000..50dd9ac
--- /dev/null
+++ b/.flake8
@@ -0,0 +1,5 @@
+[flake8]
+ignore = E203, W503, E501
+exclude = venv*,__pycache__,dist,.git
+max-line-length = 88
+max-complexity = 12
\ No newline at end of file
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 30b7ff5..eff625f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,8 +27,12 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python -
+      - name: Install dependencies
+        run: poetry install --with test
       - name: Run tests
-        run: python -m unittest discover tests
+        run: poetry run python -m unittest discover tests
 
   build:
     runs-on: ubuntu-latest
@@ -37,8 +41,10 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v5
       - name: Install build dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install build
+        run: python -m pip install --upgrade pip
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python -
+      - name: Install dependencies
+        run: poetry install
       - name: Build package
-        run: python -m build
+        run: poetry build
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 56a7c34..a90dae4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -31,8 +31,12 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python -
+      - name: Install dependencies
+        run: poetry install --with test
       - name: Run tests
-        run: python -m unittest discover tests
+        run: poetry run python -m unittest discover tests
 
   deploy:
     runs-on: ubuntu-latest
@@ -49,10 +53,12 @@ jobs:
         with:
           python-version: "3.14"
       - name: Install build dependencies
-        run: |
-          python -m pip install --upgrade pip
-          pip install build
+        run: python -m pip install --upgrade pip
+      - name: Install Poetry
+        run: curl -sSL https://install.python-poetry.org | python -
+      - name: Install dependencies
+        run: poetry install
       - name: Build package
-        run: python -m build
+        run: poetry build
       - name: Publish package to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
diff --git a/README.md b/README.md
index d61347b..c977cf3 100644
--- a/README.md
+++ b/README.md
@@ -25,9 +25,17 @@ pip install tna-utilities
 ## Developing
 
 ```sh
+# Install the test dependencies
+poetry install --with test
+
 # Run the tests
-python -m unittest discover tests
+poetry run python -m unittest discover tests
 
 # Format the code
 ./tasks/format.sh
+
+# Build the package
+python -m pip install --upgrade pip
+pip install build
+python -m build
 ```
diff --git a/poetry.lock b/poetry.lock
new file mode 100644
index 0000000..18034e1
--- /dev/null
+++ b/poetry.lock
@@ -0,0 +1,220 @@
+# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand.
+
+[[package]]
+name = "blinker"
+version = "1.9.0"
+description = "Fast, simple object-to-object and broadcast signaling"
+optional = false
+python-versions = ">=3.9"
+groups = ["main", "test"]
+files = [
+    {file = "blinker-1.9.0-py3-none-any.whl", hash = "sha256:ba0efaa9080b619ff2f3459d1d500c57bddea4a6b424b60a91141db6fd2f08bc"},
+    {file = "blinker-1.9.0.tar.gz", hash = "sha256:b4ce2265a7abece45e7cc896e98dbebe6cead56bcf805a3d23136d145f5445bf"},
+]
+
+[[package]]
+name = "click"
+version = "8.3.1"
+description = "Composable command line interface toolkit"
+optional = false
+python-versions = ">=3.10"
+groups = ["main", "test"]
+files = [
+    {file = "click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6"},
+    {file = "click-8.3.1.tar.gz", hash = "sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a"},
+]
+
+[package.dependencies]
+colorama = {version = "*", markers = "platform_system == \"Windows\""}
+
+[[package]]
+name = "colorama"
+version = "0.4.6"
+description = "Cross-platform colored terminal text."
+optional = false
+python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
+groups = ["main", "test"]
+markers = "platform_system == \"Windows\""
+files = [
+    {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"},
+    {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"},
+]
+
+[[package]]
+name = "flask"
+version = "3.1.3"
+description = "A simple framework for building complex web applications."
+optional = false
+python-versions = ">=3.9"
+groups = ["main", "test"]
+files = [
+    {file = "flask-3.1.3-py3-none-any.whl", hash = "sha256:f4bcbefc124291925f1a26446da31a5178f9483862233b23c0c96a20701f670c"},
+    {file = "flask-3.1.3.tar.gz", hash = "sha256:0ef0e52b8a9cd932855379197dd8f94047b359ca0a78695144304cb45f87c9eb"},
+]
+
+[package.dependencies]
+blinker = ">=1.9.0"
+click = ">=8.1.3"
+itsdangerous = ">=2.2.0"
+jinja2 = ">=3.1.2"
+markupsafe = ">=2.1.1"
+werkzeug = ">=3.1.0"
+
+[package.extras]
+async = ["asgiref (>=3.2)"]
+dotenv = ["python-dotenv"]
+
+[[package]]
+name = "itsdangerous"
+version = "2.2.0"
+description = "Safely pass data to untrusted environments and back."
+optional = false
+python-versions = ">=3.8"
+groups = ["main", "test"]
+files = [
+    {file = "itsdangerous-2.2.0-py3-none-any.whl", hash = "sha256:c6242fc49e35958c8b15141343aa660db5fc54d4f13a1db01a3f5891b98700ef"},
+    {file = "itsdangerous-2.2.0.tar.gz", hash = "sha256:e0050c0b7da1eea53ffaf149c0cfbb5c6e2e2b69c4bef22c81fa6eb73e5f6173"},
+]
+
+[[package]]
+name = "jinja2"
+version = "3.1.6"
+description = "A very fast and expressive template engine."
+optional = false
+python-versions = ">=3.7"
+groups = ["main", "test"]
+files = [
+    {file = "jinja2-3.1.6-py3-none-any.whl", hash = "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67"},
+    {file = "jinja2-3.1.6.tar.gz", hash = "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d"},
+]
+
+[package.dependencies]
+MarkupSafe = ">=2.0"
+
+[package.extras]
+i18n = ["Babel (>=2.7)"]
+
+[[package]]
+name = "markupsafe"
+version = "3.0.3"
+description = "Safely add untrusted strings to HTML/XML markup."
+optional = false
+python-versions = ">=3.9"
+groups = ["main", "test"]
+files = [
+    {file = "markupsafe-3.0.3-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:2f981d352f04553a7171b8e44369f2af4055f888dfb147d55e42d29e29e74559"},
+    {file = "markupsafe-3.0.3-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:e1c1493fb6e50ab01d20a22826e57520f1284df32f2d8601fdd90b6304601419"},
+    {file = "markupsafe-3.0.3-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:1ba88449deb3de88bd40044603fafffb7bc2b055d626a330323a9ed736661695"},
+    {file = "markupsafe-3.0.3-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:f42d0984e947b8adf7dd6dde396e720934d12c506ce84eea8476409563607591"},
+    {file = "markupsafe-3.0.3-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:c0c0b3ade1c0b13b936d7970b1d37a57acde9199dc2aecc4c336773e1d86049c"},
+    {file = "markupsafe-3.0.3-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:0303439a41979d9e74d18ff5e2dd8c43ed6c6001fd40e5bf2e43f7bd9bbc523f"},
+    {file = "markupsafe-3.0.3-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:d2ee202e79d8ed691ceebae8e0486bd9a2cd4794cec4824e1c99b6f5009502f6"},
+    {file = "markupsafe-3.0.3-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:177b5253b2834fe3678cb4a5f0059808258584c559193998be2601324fdeafb1"},
+    {file = "markupsafe-3.0.3-cp310-cp310-win32.whl", hash = "sha256:2a15a08b17dd94c53a1da0438822d70ebcd13f8c3a95abe3a9ef9f11a94830aa"},
+    {file = "markupsafe-3.0.3-cp310-cp310-win_amd64.whl", hash = "sha256:c4ffb7ebf07cfe8931028e3e4c85f0357459a3f9f9490886198848f4fa002ec8"},
+    {file = "markupsafe-3.0.3-cp310-cp310-win_arm64.whl", hash = "sha256:e2103a929dfa2fcaf9bb4e7c091983a49c9ac3b19c9061b6d5427dd7d14d81a1"},
+    {file = "markupsafe-3.0.3-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:1cc7ea17a6824959616c525620e387f6dd30fec8cb44f649e31712db02123dad"},
+    {file = "markupsafe-3.0.3-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:4bd4cd07944443f5a265608cc6aab442e4f74dff8088b0dfc8238647b8f6ae9a"},
+    {file = "markupsafe-3.0.3-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6b5420a1d9450023228968e7e6a9ce57f65d148ab56d2313fcd589eee96a7a50"},
+    {file = "markupsafe-3.0.3-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0bf2a864d67e76e5c9a34dc26ec616a66b9888e25e7b9460e1c76d3293bd9dbf"},
+    {file = "markupsafe-3.0.3-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:bc51efed119bc9cfdf792cdeaa4d67e8f6fcccab66ed4bfdd6bde3e59bfcbb2f"},
+    {file = "markupsafe-3.0.3-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:068f375c472b3e7acbe2d5318dea141359e6900156b5b2ba06a30b169086b91a"},
+    {file = "markupsafe-3.0.3-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:7be7b61bb172e1ed687f1754f8e7484f1c8019780f6f6b0786e76bb01c2ae115"},
+    {file = "markupsafe-3.0.3-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:f9e130248f4462aaa8e2552d547f36ddadbeaa573879158d721bbd33dfe4743a"},
+    {file = "markupsafe-3.0.3-cp311-cp311-win32.whl", hash = "sha256:0db14f5dafddbb6d9208827849fad01f1a2609380add406671a26386cdf15a19"},
+    {file = "markupsafe-3.0.3-cp311-cp311-win_amd64.whl", hash = "sha256:de8a88e63464af587c950061a5e6a67d3632e36df62b986892331d4620a35c01"},
+    {file = "markupsafe-3.0.3-cp311-cp311-win_arm64.whl", hash = "sha256:3b562dd9e9ea93f13d53989d23a7e775fdfd1066c33494ff43f5418bc8c58a5c"},
+    {file = "markupsafe-3.0.3-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:d53197da72cc091b024dd97249dfc7794d6a56530370992a5e1a08983ad9230e"},
+    {file = "markupsafe-3.0.3-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:1872df69a4de6aead3491198eaf13810b565bdbeec3ae2dc8780f14458ec73ce"},
+    {file = "markupsafe-3.0.3-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3a7e8ae81ae39e62a41ec302f972ba6ae23a5c5396c8e60113e9066ef893da0d"},
+    {file = "markupsafe-3.0.3-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:d6dd0be5b5b189d31db7cda48b91d7e0a9795f31430b7f271219ab30f1d3ac9d"},
+    {file = "markupsafe-3.0.3-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:94c6f0bb423f739146aec64595853541634bde58b2135f27f61c1ffd1cd4d16a"},
+    {file = "markupsafe-3.0.3-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:be8813b57049a7dc738189df53d69395eba14fb99345e0a5994914a3864c8a4b"},
+    {file = "markupsafe-3.0.3-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:83891d0e9fb81a825d9a6d61e3f07550ca70a076484292a70fde82c4b807286f"},
+    {file = "markupsafe-3.0.3-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:77f0643abe7495da77fb436f50f8dab76dbc6e5fd25d39589a0f1fe6548bfa2b"},
+    {file = "markupsafe-3.0.3-cp312-cp312-win32.whl", hash = "sha256:d88b440e37a16e651bda4c7c2b930eb586fd15ca7406cb39e211fcff3bf3017d"},
+    {file = "markupsafe-3.0.3-cp312-cp312-win_amd64.whl", hash = "sha256:26a5784ded40c9e318cfc2bdb30fe164bdb8665ded9cd64d500a34fb42067b1c"},
+    {file = "markupsafe-3.0.3-cp312-cp312-win_arm64.whl", hash = "sha256:35add3b638a5d900e807944a078b51922212fb3dedb01633a8defc4b01a3c85f"},
+    {file = "markupsafe-3.0.3-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:e1cf1972137e83c5d4c136c43ced9ac51d0e124706ee1c8aa8532c1287fa8795"},
+    {file = "markupsafe-3.0.3-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:116bb52f642a37c115f517494ea5feb03889e04df47eeff5b130b1808ce7c219"},
+    {file = "markupsafe-3.0.3-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:133a43e73a802c5562be9bbcd03d090aa5a1fe899db609c29e8c8d815c5f6de6"},
+    {file = "markupsafe-3.0.3-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:ccfcd093f13f0f0b7fdd0f198b90053bf7b2f02a3927a30e63f3ccc9df56b676"},
+    {file = "markupsafe-3.0.3-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:509fa21c6deb7a7a273d629cf5ec029bc209d1a51178615ddf718f5918992ab9"},
+    {file = "markupsafe-3.0.3-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:a4afe79fb3de0b7097d81da19090f4df4f8d3a2b3adaa8764138aac2e44f3af1"},
+    {file = "markupsafe-3.0.3-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:795e7751525cae078558e679d646ae45574b47ed6e7771863fcc079a6171a0fc"},
+    {file = "markupsafe-3.0.3-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:8485f406a96febb5140bfeca44a73e3ce5116b2501ac54fe953e488fb1d03b12"},
+    {file = "markupsafe-3.0.3-cp313-cp313-win32.whl", hash = "sha256:bdd37121970bfd8be76c5fb069c7751683bdf373db1ed6c010162b2a130248ed"},
+    {file = "markupsafe-3.0.3-cp313-cp313-win_amd64.whl", hash = "sha256:9a1abfdc021a164803f4d485104931fb8f8c1efd55bc6b748d2f5774e78b62c5"},
+    {file = "markupsafe-3.0.3-cp313-cp313-win_arm64.whl", hash = "sha256:7e68f88e5b8799aa49c85cd116c932a1ac15caaa3f5db09087854d218359e485"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:218551f6df4868a8d527e3062d0fb968682fe92054e89978594c28e642c43a73"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:3524b778fe5cfb3452a09d31e7b5adefeea8c5be1d43c4f810ba09f2ceb29d37"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:4e885a3d1efa2eadc93c894a21770e4bc67899e3543680313b09f139e149ab19"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:8709b08f4a89aa7586de0aadc8da56180242ee0ada3999749b183aa23df95025"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:b8512a91625c9b3da6f127803b166b629725e68af71f8184ae7e7d54686a56d6"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:9b79b7a16f7fedff2495d684f2b59b0457c3b493778c9eed31111be64d58279f"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-musllinux_1_2_riscv64.whl", hash = "sha256:12c63dfb4a98206f045aa9563db46507995f7ef6d83b2f68eda65c307c6829eb"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:8f71bc33915be5186016f675cd83a1e08523649b0e33efdb898db577ef5bb009"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-win32.whl", hash = "sha256:69c0b73548bc525c8cb9a251cddf1931d1db4d2258e9599c28c07ef3580ef354"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-win_amd64.whl", hash = "sha256:1b4b79e8ebf6b55351f0d91fe80f893b4743f104bff22e90697db1590e47a218"},
+    {file = "markupsafe-3.0.3-cp313-cp313t-win_arm64.whl", hash = "sha256:ad2cf8aa28b8c020ab2fc8287b0f823d0a7d8630784c31e9ee5edea20f406287"},
+    {file = "markupsafe-3.0.3-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:eaa9599de571d72e2daf60164784109f19978b327a3910d3e9de8c97b5b70cfe"},
+    {file = "markupsafe-3.0.3-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:c47a551199eb8eb2121d4f0f15ae0f923d31350ab9280078d1e5f12b249e0026"},
+    {file = "markupsafe-3.0.3-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:f34c41761022dd093b4b6896d4810782ffbabe30f2d443ff5f083e0cbbb8c737"},
+    {file = "markupsafe-3.0.3-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:457a69a9577064c05a97c41f4e65148652db078a3a509039e64d3467b9e7ef97"},
+    {file = "markupsafe-3.0.3-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:e8afc3f2ccfa24215f8cb28dcf43f0113ac3c37c2f0f0806d8c70e4228c5cf4d"},
+    {file = "markupsafe-3.0.3-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:ec15a59cf5af7be74194f7ab02d0f59a62bdcf1a537677ce67a2537c9b87fcda"},
+    {file = "markupsafe-3.0.3-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:0eb9ff8191e8498cca014656ae6b8d61f39da5f95b488805da4bb029cccbfbaf"},
+    {file = "markupsafe-3.0.3-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:2713baf880df847f2bece4230d4d094280f4e67b1e813eec43b4c0e144a34ffe"},
+    {file = "markupsafe-3.0.3-cp314-cp314-win32.whl", hash = "sha256:729586769a26dbceff69f7a7dbbf59ab6572b99d94576a5592625d5b411576b9"},
+    {file = "markupsafe-3.0.3-cp314-cp314-win_amd64.whl", hash = "sha256:bdc919ead48f234740ad807933cdf545180bfbe9342c2bb451556db2ed958581"},
+    {file = "markupsafe-3.0.3-cp314-cp314-win_arm64.whl", hash = "sha256:5a7d5dc5140555cf21a6fefbdbf8723f06fcd2f63ef108f2854de715e4422cb4"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:1353ef0c1b138e1907ae78e2f6c63ff67501122006b0f9abad68fda5f4ffc6ab"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-macosx_11_0_arm64.whl", hash = "sha256:1085e7fbddd3be5f89cc898938f42c0b3c711fdcb37d75221de2666af647c175"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:1b52b4fb9df4eb9ae465f8d0c228a00624de2334f216f178a995ccdcf82c4634"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:fed51ac40f757d41b7c48425901843666a6677e3e8eb0abcff09e4ba6e664f50"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:f190daf01f13c72eac4efd5c430a8de82489d9cff23c364c3ea822545032993e"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:e56b7d45a839a697b5eb268c82a71bd8c7f6c94d6fd50c3d577fa39a9f1409f5"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-musllinux_1_2_riscv64.whl", hash = "sha256:f3e98bb3798ead92273dc0e5fd0f31ade220f59a266ffd8a4f6065e0a3ce0523"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:5678211cb9333a6468fb8d8be0305520aa073f50d17f089b5b4b477ea6e67fdc"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-win32.whl", hash = "sha256:915c04ba3851909ce68ccc2b8e2cd691618c4dc4c4232fb7982bca3f41fd8c3d"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-win_amd64.whl", hash = "sha256:4faffd047e07c38848ce017e8725090413cd80cbc23d86e55c587bf979e579c9"},
+    {file = "markupsafe-3.0.3-cp314-cp314t-win_arm64.whl", hash = "sha256:32001d6a8fc98c8cb5c947787c5d08b0a50663d139f1305bac5885d98d9b40fa"},
+    {file = "markupsafe-3.0.3-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:15d939a21d546304880945ca1ecb8a039db6b4dc49b2c5a400387cdae6a62e26"},
+    {file = "markupsafe-3.0.3-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:f71a396b3bf33ecaa1626c255855702aca4d3d9fea5e051b41ac59a9c1c41edc"},
+    {file = "markupsafe-3.0.3-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0f4b68347f8c5eab4a13419215bdfd7f8c9b19f2b25520968adfad23eb0ce60c"},
+    {file = "markupsafe-3.0.3-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:e8fc20152abba6b83724d7ff268c249fa196d8259ff481f3b1476383f8f24e42"},
+    {file = "markupsafe-3.0.3-cp39-cp39-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:949b8d66bc381ee8b007cd945914c721d9aba8e27f71959d750a46f7c282b20b"},
+    {file = "markupsafe-3.0.3-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:3537e01efc9d4dccdf77221fb1cb3b8e1a38d5428920e0657ce299b20324d758"},
+    {file = "markupsafe-3.0.3-cp39-cp39-musllinux_1_2_riscv64.whl", hash = "sha256:591ae9f2a647529ca990bc681daebdd52c8791ff06c2bfa05b65163e28102ef2"},
+    {file = "markupsafe-3.0.3-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:a320721ab5a1aba0a233739394eb907f8c8da5c98c9181d1161e77a0c8e36f2d"},
+    {file = "markupsafe-3.0.3-cp39-cp39-win32.whl", hash = "sha256:df2449253ef108a379b8b5d6b43f4b1a8e81a061d6537becd5582fba5f9196d7"},
+    {file = "markupsafe-3.0.3-cp39-cp39-win_amd64.whl", hash = "sha256:7c3fb7d25180895632e5d3148dbdc29ea38ccb7fd210aa27acbd1201a1902c6e"},
+    {file = "markupsafe-3.0.3-cp39-cp39-win_arm64.whl", hash = "sha256:38664109c14ffc9e7437e86b4dceb442b0096dfe3541d7864d9cbe1da4cf36c8"},
+    {file = "markupsafe-3.0.3.tar.gz", hash = "sha256:722695808f4b6457b320fdc131280796bdceb04ab50fe1795cd540799ebe1698"},
+]
+
+[[package]]
+name = "werkzeug"
+version = "3.1.6"
+description = "The comprehensive WSGI web application library."
+optional = false
+python-versions = ">=3.9"
+groups = ["main", "test"]
+files = [
+    {file = "werkzeug-3.1.6-py3-none-any.whl", hash = "sha256:7ddf3357bb9564e407607f988f683d72038551200c704012bb9a4c523d42f131"},
+    {file = "werkzeug-3.1.6.tar.gz", hash = "sha256:210c6bede5a420a913956b4791a7f4d6843a43b6fcee4dfa08a65e93007d0d25"},
+]
+
+[package.dependencies]
+markupsafe = ">=2.1.1"
+
+[package.extras]
+watchdog = ["watchdog (>=2.3)"]
+
+[extras]
+flask = ["Flask"]
+
+[metadata]
+lock-version = "2.1"
+python-versions = ">=3.10"
+content-hash = "3bbfc9ff9479a94ddad419f3170b896c4ee8837e20968a993970cb12df9e8461"
diff --git a/pyproject.toml b/pyproject.toml
index c57ae9c..5a43d56 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -22,16 +22,18 @@ classifiers = [
   "Programming Language :: Python :: 3.14",
 ]
 
+[project.optional-dependencies]
+flask = ["Flask"]
+
+[tool.poetry.group.test]
+optional = true
+
+[tool.poetry.group.test.dependencies]
+Flask = "^3"
+
 [project.urls]
 Homepage = "https://pypi.org/project/tna-utilities/"
 Documentation = "https://nationalarchives.github.io/python-utilities/"
 Repository = "https://github.com/nationalarchives/python-utilities"
 "Bug Tracker" = "https://github.com/nationalarchives/python-utilities/issues"
 Changelog = "https://github.com/nationalarchives/python-utilities/blob/main/CHANGELOG.md"
-
-[build-system]
-requires = ["hatchling >= 1.26"]
-build-backend = "hatchling.build"
-
-[tool.hatch.build.targets.sdist]
-exclude = ["docs*", "tasks*", "tests*"]
diff --git a/tests/test_flask_talisman.py b/tests/test_flask_talisman.py
new file mode 100644
index 0000000..151c924
--- /dev/null
+++ b/tests/test_flask_talisman.py
@@ -0,0 +1,97 @@
+import unittest
+
+from flask import Flask, session
+from tna_utilities.flask.talisman import TnaFlaskTalisman
+
+
+class TestFlaskTalisman(unittest.TestCase):
+    def setUp(self):
+        self.app = Flask(__name__)
+        self.app.config["SECRET_KEY"] = "my_secret_key"
+        self.app.config["SESSION_COOKIE_SECURE"] = False
+        self.app.config["SESSION_COOKIE_HTTPONLY"] = False
+        self.app.config["SESSION_COOKIE_SAMESITE"] = None
+
+        @self.app.route("/")
+        def index():
+            session["test"] = "12345"
+            return "OK"
+
+        self.test_client = self.app.test_client()
+
+    def test_naked_app(self):
+        rv = self.test_client.get("/")
+
+        self.assertEqual(rv.status_code, 200)
+
+        self.assertNotIn("Content-Security-Policy", rv.headers)
+
+        self.assertNotIn("X-Frame-Options", rv.headers)
+        self.assertNotIn("X-Permitted-Cross-Domain-Policies", rv.headers)
+        self.assertNotIn("Cross-Origin-Embedder-Policy", rv.headers)
+        self.assertNotIn("Cross-Origin-Opener-Policy", rv.headers)
+        self.assertNotIn("Cross-Origin-Resource-Policy", rv.headers)
+
+        self.assertIn("Set-Cookie", rv.headers)
+        self.assertIn("session=", rv.headers["Set-Cookie"])
+        self.assertNotIn("Secure", rv.headers["Set-Cookie"])
+        self.assertNotIn("HttpOnly", rv.headers["Set-Cookie"])
+        self.assertNotIn("SameSite", rv.headers["Set-Cookie"])
+
+    def test_default_talisman_app(self):
+        TnaFlaskTalisman(self.app)
+
+        rv = self.test_client.get("/")
+
+        self.assertEqual(rv.status_code, 200)
+
+        self.assertIn("Content-Security-Policy", rv.headers)
+        self.assertEqual(
+            "default-src 'self'; object-src 'none';",
+            rv.headers["Content-Security-Policy"],
+        )
+
+        self.assertIn("X-Frame-Options", rv.headers)
+        self.assertEqual("DENY", rv.headers["X-Frame-Options"])
+        self.assertIn("X-Permitted-Cross-Domain-Policies", rv.headers)
+        self.assertEqual("none", rv.headers["X-Permitted-Cross-Domain-Policies"])
+        self.assertIn("Cross-Origin-Embedder-Policy", rv.headers)
+        self.assertEqual("unsafe-none", rv.headers["Cross-Origin-Embedder-Policy"])
+        self.assertIn("Cross-Origin-Opener-Policy", rv.headers)
+        self.assertEqual("same-origin", rv.headers["Cross-Origin-Opener-Policy"])
+        self.assertIn("Cross-Origin-Resource-Policy", rv.headers)
+        self.assertEqual("same-origin", rv.headers["Cross-Origin-Resource-Policy"])
+
+        self.assertIn("Set-Cookie", rv.headers)
+        self.assertIn("session=", rv.headers["Set-Cookie"])
+        self.assertIn(" Secure", rv.headers["Set-Cookie"])
+        self.assertIn(" HttpOnly", rv.headers["Set-Cookie"])
+        self.assertIn(" SameSite=Lax", rv.headers["Set-Cookie"])
+
+    def test_talisman_app_google(self):
+        TnaFlaskTalisman(self.app, allow_google_content_security_policy=True)
+
+        rv = self.test_client.get("/")
+
+        self.assertEqual(rv.status_code, 200)
+
+        self.assertIn("Content-Security-Policy", rv.headers)
+        self.assertIn(
+            "default-src 'self' *.gstatic.com;", rv.headers["Content-Security-Policy"]
+        )
+        self.assertIn(
+            "script-src 'self' ajax.googleapis.com *.googleanalytics.com *.google-analytics.com;",
+            rv.headers["Content-Security-Policy"],
+        )
+        self.assertIn(
+            "style-src 'self' ajax.googleapis.com fonts.googleapis.com *.gstatic.com;",
+            rv.headers["Content-Security-Policy"],
+        )
+        self.assertIn(
+            "frame-src 'self' www.google.com www.youtube.com;",
+            rv.headers["Content-Security-Policy"],
+        )
+        self.assertIn(
+            "font-src 'self' themes.googleusercontent.com *.gstatic.com;",
+            rv.headers["Content-Security-Policy"],
+        )
diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
new file mode 100644
index 0000000..9f5d7c9
--- /dev/null
+++ b/tna_utilities/flask/talisman.py
@@ -0,0 +1,91 @@
+from ..security import CspGenerator, security_headers
+
+GOOGLE_CSP_POLICY = {
+    "default-src": [CspGenerator.SELF, "*.gstatic.com"],
+    # Fonts from fonts.google.com
+    "font-src": [CspGenerator.SELF, "themes.googleusercontent.com", "*.gstatic.com"],
+    # <iframe> based embedding for Maps and Youtube
+    "frame-src": [CspGenerator.SELF, "www.google.com", "www.youtube.com"],
+    # Assorted Google-hosted Libraries/APIs
+    "script-src": [
+        CspGenerator.SELF,
+        "ajax.googleapis.com",
+        "*.googleanalytics.com",
+        "*.google-analytics.com",
+    ],
+    # Used by generated code from http://www.google.com/fonts
+    "style-src": [
+        CspGenerator.SELF,
+        "ajax.googleapis.com",
+        "fonts.googleapis.com",
+        "*.gstatic.com",
+    ],
+}
+
+
+class TnaFlaskTalisman(object):
+    def __init__(self, app=None, **kwargs):
+        if app is not None:
+            self.app = app
+            self.init_app(**kwargs)
+
+    def init_app(
+        self,
+        content_security_policy: dict = {},
+        allow_google_content_security_policy: bool = False,
+        referrer_policy: str = "strict-origin-when-cross-origin",
+    ):
+        self.app.config["SESSION_COOKIE_SECURE"] = True
+        self.app.config["SESSION_COOKIE_HTTPONLY"] = True
+        self.app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
+
+        @self.app.after_request
+        def apply_extra_headers(response):
+            response.headers["Content-Security-Policy"] = self.csp(
+                content_security_policy, allow_google_content_security_policy
+            )
+            response.headers.update(security_headers())
+            response.headers["Referrer-Policy"] = referrer_policy
+            return response
+
+    def csp(
+        self,
+        content_security_policy: dict,
+        allow_google_content_security_policy: bool = False,
+    ):
+        csp = CspGenerator()
+
+        csp.base_uri(content_security_policy.get("base-uri", ""))
+        csp.child_src(content_security_policy.get("child-src", ""))
+        csp.connect_src(content_security_policy.get("connect-src", ""))
+        csp.font_src(content_security_policy.get("font-src", ""))
+        csp.form_action(content_security_policy.get("form-action", ""))
+        csp.frame_ancestors(content_security_policy.get("frame-ancestors", ""))
+        csp.frame_src(content_security_policy.get("frame-src", ""))
+        csp.img_src(content_security_policy.get("img-src", ""))
+        csp.manifest_src(content_security_policy.get("manifest-src", ""))
+        csp.media_src(content_security_policy.get("media-src", ""))
+        csp.object_src(content_security_policy.get("object-src", ""))
+        csp.prefetch_src(content_security_policy.get("prefetch-src", ""))
+        csp.report_uri(content_security_policy.get("report-uri", ""))
+        csp.report_to(content_security_policy.get("report-to", ""))
+        csp.script_src(content_security_policy.get("script-src", ""))
+        csp.script_src_attr(content_security_policy.get("script-src-attr", ""))
+        csp.script_src_elem(content_security_policy.get("script-src-elem", ""))
+        csp.style_src(content_security_policy.get("style-src", ""))
+        csp.style_src_attr(content_security_policy.get("style-src-attr", ""))
+        csp.style_src_elem(content_security_policy.get("style-src-elem", ""))
+        csp.worker_src(content_security_policy.get("worker-src", ""))
+        if "sandbox" in content_security_policy:
+            csp.sandbox(content_security_policy["sandbox"])
+        if content_security_policy.get("require-trusted-types-for", False):
+            csp.require_trusted_types_for()
+
+        if allow_google_content_security_policy:
+            csp.add_directive("default-src", *GOOGLE_CSP_POLICY["default-src"])
+            csp.add_directive("font-src", *GOOGLE_CSP_POLICY["font-src"])
+            csp.add_directive("frame-src", *GOOGLE_CSP_POLICY["frame-src"])
+            csp.add_directive("script-src", *GOOGLE_CSP_POLICY["script-src"])
+            csp.add_directive("style-src", *GOOGLE_CSP_POLICY["style-src"])
+
+        return csp.get_csp()

From 86c6693f908bcd5f9411e8c17d617f5bc7ecf2ab Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 12:38:23 +0000
Subject: [PATCH 02/61] Enhance CI workflows to install Poetry conditionally
 for Linux/Mac and Windows

---
 .github/workflows/ci.yml      | 7 ++++++-
 .github/workflows/publish.yml | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index eff625f..090e561 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,8 +27,13 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install Poetry
+      - name: Install Poetry (Linux/Mac)
+        if: runner.os != 'windows-latest'
         run: curl -sSL https://install.python-poetry.org | python -
+      - name: Install Poetry (Windows)
+        if: runner.os == 'windows-latest'
+        run: |
+          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a90dae4..21bf89a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -31,8 +31,13 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install Poetry
+      - name: Install Poetry (Linux/Mac)
+        if: runner.os != 'windows-latest'
         run: curl -sSL https://install.python-poetry.org | python -
+      - name: Install Poetry (Windows)
+        if: runner.os == 'windows-latest'
+        run: |
+          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests

From 6bfb7506ed7298c279d99600fd4d6c06540a5737 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 12:38:30 +0000
Subject: [PATCH 03/61] Refactor CspGenerator to use OrderedDict for directive
 storage

---
 tna_utilities/security.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/tna_utilities/security.py b/tna_utilities/security.py
index 9b9f7c1..77ffdc4 100644
--- a/tna_utilities/security.py
+++ b/tna_utilities/security.py
@@ -1,3 +1,6 @@
+from collections import OrderedDict
+
+
 class CspGenerator:
     """
     A utility class for generating a Content Security Policy (CSP) header value.
@@ -34,9 +37,11 @@ def __init__(
         self.default_src = [src for src in self.default_src if src]
         if not self.default_src:
             self.default_src = [self.SELF]
-        self.directives: dict[str, list[str]] = {
-            "default-src": self.default_src,
-        }
+        self.directives: OrderedDict[str, list[str]] = OrderedDict(
+            {
+                "default-src": self.default_src,
+            }
+        )
         if not allow_objects:
             self.directives["object-src"] = [self.NONE]
 

From fe83aaff59de7b5cdac9c0710e4df393d4733e39 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 12:40:42 +0000
Subject: [PATCH 04/61] Fix conditional checks for Poetry installation in CI
 workflows

---
 .github/workflows/ci.yml      | 4 ++--
 .github/workflows/publish.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 090e561..f4f3c1d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,10 +28,10 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry (Linux/Mac)
-        if: runner.os != 'windows-latest'
+        if: ${{ matrix.os != 'windows-latest' }}
         run: curl -sSL https://install.python-poetry.org | python -
       - name: Install Poetry (Windows)
-        if: runner.os == 'windows-latest'
+        if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 21bf89a..79d3d5c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -32,10 +32,10 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry (Linux/Mac)
-        if: runner.os != 'windows-latest'
+        if: ${{ matrix.os != 'windows-latest' }}
         run: curl -sSL https://install.python-poetry.org | python -
       - name: Install Poetry (Windows)
-        if: runner.os == 'windows-latest'
+        if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
       - name: Install dependencies

From ad29a0a4f75d4330e46bf1b847225efb6c0b8bb8 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 12:47:02 +0000
Subject: [PATCH 05/61] Add PATH update for Poetry installation on Windows in
 CI workflows

---
 .github/workflows/ci.yml      | 1 +
 .github/workflows/publish.yml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f4f3c1d..3196378 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,6 +34,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
+          set PATH=%PATH%;%APPDATA%\Python\Scripts
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 79d3d5c..5aa90db 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,6 +38,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
+          set PATH=%PATH%;%APPDATA%\Python\Scripts
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests

From fb6c7ed933379522b63fa740d13b2e788fcd385f Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 12:58:14 +0000
Subject: [PATCH 06/61] Fix Windows PATH update for Poetry installation in CI
 workflows

---
 .github/workflows/ci.yml      | 4 +++-
 .github/workflows/publish.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3196378..3145c07 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,7 +34,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          set PATH=%PATH%;%APPDATA%\Python\Scripts
+          set PATH=%PATH%;"%APPDATA%\Python\Scripts"
+      - name: Show Python version
+        run: python --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5aa90db..f36efd0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,7 +38,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          set PATH=%PATH%;%APPDATA%\Python\Scripts
+          set PATH=%PATH%;"%APPDATA%\Python\Scripts"
+      - name: Show Python version
+        run: python --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests

From 32b03b80f9553efba6fac70725234ffef292c578 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:01:04 +0000
Subject: [PATCH 07/61] Fix Windows PATH update for Poetry installation in CI
 workflows

---
 .github/workflows/ci.yml      | 6 +++---
 .github/workflows/publish.yml | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3145c07..648eabd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,9 +34,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          set PATH=%PATH%;"%APPDATA%\Python\Scripts"
-      - name: Show Python version
-        run: python --version
+          echo 'if (-not (Get-Command poetry -ErrorAction Ignore)) { $env:Path += ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts" }' | Out-File -Append $PROFILE
+      - name: Show Poetry version
+        run: poetry --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f36efd0..ca96bcf 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,9 +38,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          set PATH=%PATH%;"%APPDATA%\Python\Scripts"
-      - name: Show Python version
-        run: python --version
+          echo 'if (-not (Get-Command poetry -ErrorAction Ignore)) { $env:Path += ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts" }' | Out-File -Append $PROFILE
+      - name: Show Poetry version
+        run: poetry --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests

From 7f645326deb81c4d039b403d8074f741748012ab Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:03:50 +0000
Subject: [PATCH 08/61] Fix Windows PATH update for Poetry installation in CI
 workflows

---
 .github/workflows/ci.yml      | 2 +-
 .github/workflows/publish.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 648eabd..f972abd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,7 +34,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo 'if (-not (Get-Command poetry -ErrorAction Ignore)) { $env:Path += ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts" }' | Out-File -Append $PROFILE
+          [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ca96bcf..2209b10 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,7 +38,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo 'if (-not (Get-Command poetry -ErrorAction Ignore)) { $env:Path += ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts" }' | Out-File -Append $PROFILE
+          [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From 7744cc078300fd431aead40982195dde42d30ec7 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:06:11 +0000
Subject: [PATCH 09/61] Add PATH echo statements for Windows Poetry
 installation in CI workflows

---
 .github/workflows/ci.yml      | 2 ++
 .github/workflows/publish.yml | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f972abd..d92775d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,7 +34,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
+          echo $PATH
           [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
+          echo $PATH
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2209b10..cacafc9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,7 +38,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
+          echo $PATH
           [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
+          echo $PATH
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From da16a22357c39f711d1744c9751c3ea65ed9beb2 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:11:50 +0000
Subject: [PATCH 10/61] Fix Windows PATH echo statements in CI workflows

---
 .github/workflows/ci.yml      | 4 ++--
 .github/workflows/publish.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d92775d..305c21c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,9 +34,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo $PATH
+          echo %PATH%
           [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
-          echo $PATH
+          echo %PATH%
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index cacafc9..5573400 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,9 +38,9 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo $PATH
+          echo %PATH%
           [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
-          echo $PATH
+          echo %PATH%
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From 363502b065471c7438b1c23774623f259bc22447 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:16:16 +0000
Subject: [PATCH 11/61] Simplify Windows Poetry installation by updating PATH
 using setx command

---
 .github/workflows/ci.yml      | 4 +---
 .github/workflows/publish.yml | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 305c21c..6782728 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,9 +34,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo %PATH%
-          [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
-          echo %PATH%
+          setx /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5573400..12e7a51 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,9 +38,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo %PATH%
-          [Environment]::SetEnvironmentVariable("Path", [Environment]::GetEnvironmentVariable("Path", "User") + ";C:\Users\runneradmin\AppData\Roaming\Python\Scripts", "User")
-          echo %PATH%
+          setx /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From 4c0e1102df21ac0e3b2e129c7d96b4a9ed0f9aa5 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:17:40 +0000
Subject: [PATCH 12/61] Fix Windows Poetry installation command in CI workflows

---
 .github/workflows/ci.yml      | 3 ++-
 .github/workflows/publish.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6782728..35afdb7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,7 +34,8 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          setx /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
+          SETX /?
+          SETX /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 12e7a51..79d3223 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,7 +38,8 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          setx /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
+          SETX /?
+          SETX /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From 06b7297b28240b8a2a4ba1c3874c3a3a55224f1b Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:21:11 +0000
Subject: [PATCH 13/61] Fix Windows PATH update for Poetry installation in CI
 workflows

---
 .github/workflows/ci.yml      | 3 +--
 .github/workflows/publish.yml | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 35afdb7..fedd551 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,8 +34,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          SETX /?
-          SETX /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
+          SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 79d3223..f143932 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,8 +38,7 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          SETX /?
-          SETX /M "%path%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
+          SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From 423d6bc23895f6c5e1920098b5bd4e3d76bb5c35 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:24:08 +0000
Subject: [PATCH 14/61] Fix Windows PATH update for Poetry installation in CI
 workflows

---
 .github/workflows/ci.yml      | 3 ++-
 .github/workflows/publish.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fedd551..03a73e6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,7 +34,8 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
+          # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
+          set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f143932..6d06452 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -38,7 +38,8 @@ jobs:
         if: ${{ matrix.os == 'windows-latest' }}
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts"
+          # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
+          set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From 42d1c27652bc90d16cfcc11a876285e2616d23c6 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:36:01 +0000
Subject: [PATCH 15/61] Update Windows Poetry installation to use GITHUB_PATH
 for PATH updates

---
 .github/workflows/ci.yml      | 3 ++-
 .github/workflows/publish.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 03a73e6..7709408 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -35,7 +35,8 @@ jobs:
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
-          set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
+          # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
+          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6d06452..58cab79 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -39,7 +39,8 @@ jobs:
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
-          set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
+          # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
+          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From de94616a6ead2d7784183ad3c074788fd8064a42 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:38:35 +0000
Subject: [PATCH 16/61] Enhance Windows Poetry installation in CI workflows by
 adding environment variable echoes for debugging

---
 .github/workflows/ci.yml      | 7 ++++++-
 .github/workflows/publish.yml | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7709408..f3c400c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,9 +36,14 @@ jobs:
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
           # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
+          echo $HOME
+          echo $GITHUB_PATH
           echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
       - name: Show Poetry version
-        run: poetry --version
+        run: |
+          echo $HOME
+          echo $GITHUB_PATH
+          poetry --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 58cab79..199221c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -40,9 +40,14 @@ jobs:
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
           # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
+          echo $HOME
+          echo $GITHUB_PATH
           echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
       - name: Show Poetry version
-        run: poetry --version
+        run: |
+          echo $HOME
+          echo $GITHUB_PATH
+          poetry --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests

From b574330dae7a0201d7afed3c5f73985559037116 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:43:19 +0000
Subject: [PATCH 17/61] Refactor Windows Poetry installation in CI workflows to
 use Out-File for GITHUB_PATH updates

---
 .github/workflows/ci.yml      | 7 ++++---
 .github/workflows/publish.yml | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f3c400c..3a5c7d7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,9 +36,10 @@ jobs:
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
           # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
-          echo $HOME
-          echo $GITHUB_PATH
-          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
+          # echo $HOME
+          # echo $GITHUB_PATH
+          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
+          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
       - name: Show Poetry version
         run: |
           echo $HOME
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 199221c..61389b2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -40,9 +40,10 @@ jobs:
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
           # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
-          echo $HOME
-          echo $GITHUB_PATH
-          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
+          # echo $HOME
+          # echo $GITHUB_PATH
+          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
+          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
       - name: Show Poetry version
         run: |
           echo $HOME

From 35f0445d420bfde290cf126fd27504a743cbcc59 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:49:53 +0000
Subject: [PATCH 18/61] Refactor Poetry installation steps in CI workflows to
 use runner.os for OS checks

---
 .github/workflows/ci.yml      | 7 ++++---
 .github/workflows/publish.yml | 7 ++++---
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3a5c7d7..67a579f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,10 +28,10 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry (Linux/Mac)
-        if: ${{ matrix.os != 'windows-latest' }}
+        if: runner.os != 'Windows'
         run: curl -sSL https://install.python-poetry.org | python -
       - name: Install Poetry (Windows)
-        if: ${{ matrix.os == 'windows-latest' }}
+        if: runner.os == 'Windows'
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
@@ -39,7 +39,8 @@ jobs:
           # echo $HOME
           # echo $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
-          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
       - name: Show Poetry version
         run: |
           echo $HOME
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 61389b2..469eacc 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -32,10 +32,10 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry (Linux/Mac)
-        if: ${{ matrix.os != 'windows-latest' }}
+        if: runner.os != 'Windows'
         run: curl -sSL https://install.python-poetry.org | python -
       - name: Install Poetry (Windows)
-        if: ${{ matrix.os == 'windows-latest' }}
+        if: runner.os == 'Windows'
         run: |
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
@@ -43,7 +43,8 @@ jobs:
           # echo $HOME
           # echo $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
-          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
       - name: Show Poetry version
         run: |
           echo $HOME

From 08227b8da7874b557ab92d55fbba02d82bd984c2 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:53:21 +0000
Subject: [PATCH 19/61] Fix Windows Poetry installation in CI workflows to
 correctly append to GITHUB_PATH

---
 .github/workflows/ci.yml      | 3 ++-
 .github/workflows/publish.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 67a579f..a577cf5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,7 +40,8 @@ jobs:
           # echo $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-          echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
+          # echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
+          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
       - name: Show Poetry version
         run: |
           echo $HOME
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 469eacc..0859905 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -44,7 +44,8 @@ jobs:
           # echo $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-          echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
+          # echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
+          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
       - name: Show Poetry version
         run: |
           echo $HOME

From 203168e78af843fcaf5c67d47733492cf201ad58 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 13:58:07 +0000
Subject: [PATCH 20/61] Update Windows Poetry installation in CI workflows to
 echo PATH for debugging

---
 .github/workflows/ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a577cf5..1badd63 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -42,6 +42,9 @@ jobs:
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
           # echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
           echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
+          echo PATH
+          echo %PATH%
+          echo $PATH
       - name: Show Poetry version
         run: |
           echo $HOME

From 37e3242d475bcd557f919ef2d9dcca9d6a9a70bd Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:01:59 +0000
Subject: [PATCH 21/61] Add debug echo for script name in Windows Poetry
 installation step

---
 .github/workflows/ci.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1badd63..8331702 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -45,6 +45,7 @@ jobs:
           echo PATH
           echo %PATH%
           echo $PATH
+          echo $0
       - name: Show Poetry version
         run: |
           echo $HOME

From ed86c0af7aa7ee6072960791a18a0125fa74efb2 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:05:19 +0000
Subject: [PATCH 22/61] Update Windows Poetry installation in CI workflows to
 use HOME variable for GITHUB_PATH

---
 .github/workflows/ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8331702..ddfaf47 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,12 +36,12 @@ jobs:
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
           # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
-          # echo $HOME
+          echo $HOME
           # echo $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
           # echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
-          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
+          echo "$HOME\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
           echo PATH
           echo %PATH%
           echo $PATH

From fdd90d9efdfa9c7042983af455b5be99b25de9cf Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:09:06 +0000
Subject: [PATCH 23/61] Refactor Windows Poetry installation step for improved
 debugging and clarity

---
 .github/workflows/ci.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ddfaf47..c418002 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,16 +41,16 @@ jobs:
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
           # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
           # echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
-          echo "$HOME\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
-          echo PATH
-          echo %PATH%
-          echo $PATH
-          echo $0
-      - name: Show Poetry version
+          # echo "$HOME\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
+          # echo "$((Get-Item .).FullName)/swigwin-4.0.1" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
+          echo "$HOME/AppData/Roaming/Python/Scripts/poetry" >> "$GITHUB_PATH"
+      - name: DEBUG WINDOWS
+        if: runner.os == 'Windows'
         run: |
-          echo $HOME
-          echo $GITHUB_PATH
-          poetry --version
+          ls -alh $HOME/AppData/Roaming/Python/Scripts/poetry
+          ls -alh $HOME\AppData\Roaming\Python\Scripts\poetry
+      - name: Show Poetry version
+        run: poetry --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests

From 4e97a96be958c778df26f4ed16121cd6a655a135 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:11:25 +0000
Subject: [PATCH 24/61] Update Python setup action to v6 in CI workflows and
 add .python-version file

---
 .github/workflows/ci.yml      | 9 +++++----
 .github/workflows/publish.yml | 4 ++--
 .python-version               | 1 +
 3 files changed, 8 insertions(+), 6 deletions(-)
 create mode 100644 .python-version

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c418002..df6ca2e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry (Linux/Mac)
@@ -47,8 +47,9 @@ jobs:
       - name: DEBUG WINDOWS
         if: runner.os == 'Windows'
         run: |
-          ls -alh $HOME/AppData/Roaming/Python/Scripts/poetry
-          ls -alh $HOME\AppData\Roaming\Python\Scripts\poetry
+          pwd
+          ls $HOME/AppData/Roaming/Python/Scripts/poetry
+          ls $HOME\AppData\Roaming\Python\Scripts\poetry
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies
@@ -61,7 +62,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
       - name: Install build dependencies
         run: python -m pip install --upgrade pip
       - name: Install Poetry
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0859905..375c4d0 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -28,7 +28,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry (Linux/Mac)
@@ -67,7 +67,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.14"
       - name: Install build dependencies
diff --git a/.python-version b/.python-version
new file mode 100644
index 0000000..3767b4b
--- /dev/null
+++ b/.python-version
@@ -0,0 +1 @@
+3.14
\ No newline at end of file

From 594e0c79cec906263639d26a8743a157aaaac385 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:17:37 +0000
Subject: [PATCH 25/61] Refactor Windows Poetry installation step for improved
 debugging and clarity

---
 .github/workflows/ci.yml | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index df6ca2e..9269038 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,26 +30,23 @@ jobs:
       - name: Install Poetry (Linux/Mac)
         if: runner.os != 'Windows'
         run: curl -sSL https://install.python-poetry.org | python -
+      - name: DEBUG DIRECTORIES
+        run: |
+          pwd
+          echo ${{ github.workspace }}
       - name: Install Poetry (Windows)
         if: runner.os == 'Windows'
         run: |
+          POETRY_HOME=${{ github.workspace }}/poetry
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
-          # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
-          echo $HOME
-          # echo $GITHUB_PATH
-          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
-          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-          # echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
-          # echo "$HOME\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
-          # echo "$((Get-Item .).FullName)/swigwin-4.0.1" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-          echo "$HOME/AppData/Roaming/Python/Scripts/poetry" >> "$GITHUB_PATH"
+          echo "$POETRY_HOME" >> "$GITHUB_PATH"
       - name: DEBUG WINDOWS
         if: runner.os == 'Windows'
         run: |
           pwd
-          ls $HOME/AppData/Roaming/Python/Scripts/poetry
-          ls $HOME\AppData\Roaming\Python\Scripts\poetry
+          echo $POETRY_HOME
+          ls $POETRY_HOME
+          ls ${{ github.workspace }}
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From b6e6d2968c5ef2e37207486bb02311a4e2d8cea5 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:19:18 +0000
Subject: [PATCH 26/61] Fix Windows Poetry installation path separator in CI
 workflow

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9269038..fd8027b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Install Poetry (Windows)
         if: runner.os == 'Windows'
         run: |
-          POETRY_HOME=${{ github.workspace }}/poetry
+          POETRY_HOME=${{ github.workspace }}\poetry
           (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           echo "$POETRY_HOME" >> "$GITHUB_PATH"
       - name: DEBUG WINDOWS

From d9ebbe600d3677ffb62c4d92a59cf5271f3389cb Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:20:41 +0000
Subject: [PATCH 27/61] Refactor Windows Poetry installation step to set
 POETRY_HOME inline

---
 .github/workflows/ci.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fd8027b..7e0b5c5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,9 +37,8 @@ jobs:
       - name: Install Poetry (Windows)
         if: runner.os == 'Windows'
         run: |
-          POETRY_HOME=${{ github.workspace }}\poetry
-          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo "$POETRY_HOME" >> "$GITHUB_PATH"
+          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | POETRY_HOME=${{ github.workspace }}\poetry py -
+          echo "${{ github.workspace }}\poetry" >> "$GITHUB_PATH"
       - name: DEBUG WINDOWS
         if: runner.os == 'Windows'
         run: |

From de98080df27ed864b92daadedb779a814a62d794 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:23:02 +0000
Subject: [PATCH 28/61] Fix Windows Poetry installation step to correctly set
 POETRY_HOME variable

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7e0b5c5..3198872 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,7 +37,7 @@ jobs:
       - name: Install Poetry (Windows)
         if: runner.os == 'Windows'
         run: |
-          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | POETRY_HOME=${{ github.workspace }}\poetry py -
+          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | POETRY_HOME="${{ github.workspace }}\poetry" py -
           echo "${{ github.workspace }}\poetry" >> "$GITHUB_PATH"
       - name: DEBUG WINDOWS
         if: runner.os == 'Windows'

From 543bf35439912fb28aaf53f8230c1a0787690033 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:25:23 +0000
Subject: [PATCH 29/61] Fix Windows Poetry installation step to set POETRY_HOME
 correctly

---
 .github/workflows/ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3198872..baba65c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,7 +37,8 @@ jobs:
       - name: Install Poetry (Windows)
         if: runner.os == 'Windows'
         run: |
-          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | POETRY_HOME="${{ github.workspace }}\poetry" py -
+          $env:POETRY_HOME = '${{ github.workspace }}\poetry'
+          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
           echo "${{ github.workspace }}\poetry" >> "$GITHUB_PATH"
       - name: DEBUG WINDOWS
         if: runner.os == 'Windows'

From 4fd834331f543d336959d8f4c2c03c5bdeab1702 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:27:07 +0000
Subject: [PATCH 30/61] Refactor CI workflow to install Poetry using pipx and
 remove Windows-specific installation steps

---
 .github/workflows/ci.yml | 38 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index baba65c..5a338c5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,26 +27,24 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install Poetry (Linux/Mac)
-        if: runner.os != 'Windows'
-        run: curl -sSL https://install.python-poetry.org | python -
-      - name: DEBUG DIRECTORIES
-        run: |
-          pwd
-          echo ${{ github.workspace }}
-      - name: Install Poetry (Windows)
-        if: runner.os == 'Windows'
-        run: |
-          $env:POETRY_HOME = '${{ github.workspace }}\poetry'
-          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          echo "${{ github.workspace }}\poetry" >> "$GITHUB_PATH"
-      - name: DEBUG WINDOWS
-        if: runner.os == 'Windows'
-        run: |
-          pwd
-          echo $POETRY_HOME
-          ls $POETRY_HOME
-          ls ${{ github.workspace }}
+      - name: Install Poetry (pipx) 
+        run: pipx install poetry
+      # - name: Install Poetry (Linux/Mac)
+      #   if: runner.os != 'Windows'
+      #   run: curl -sSL https://install.python-poetry.org | python -
+      # - name: Install Poetry (Windows)
+      #   if: runner.os == 'Windows'
+      #   run: |
+      #     $env:POETRY_HOME = '${{ github.workspace }}\poetry'
+      #     (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
+      #     echo "${{ github.workspace }}\poetry" >> "$GITHUB_PATH"
+      # - name: DEBUG WINDOWS
+      #   if: runner.os == 'Windows'
+      #   run: |
+      #     pwd
+      #     echo $POETRY_HOME
+      #     ls $POETRY_HOME
+      #     ls ${{ github.workspace }}
       - name: Show Poetry version
         run: poetry --version
       - name: Install dependencies

From 7527ada18831f07bf34a301c9c033a54a7783496 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:28:02 +0000
Subject: [PATCH 31/61] Fix formatting in CI workflow for Poetry installation
 step

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5a338c5..27856a4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install Poetry (pipx) 
+      - name: Install Poetry (pipx)
         run: pipx install poetry
       # - name: Install Poetry (Linux/Mac)
       #   if: runner.os != 'Windows'

From c4f4f43fb693caa3cf3ca511e0d6ed03efb48737 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:29:32 +0000
Subject: [PATCH 32/61] Refactor CI workflows to install Poetry using pipx and
 remove platform-specific installation steps

---
 .github/workflows/ci.yml      | 30 +++++++-----------------------
 .github/workflows/publish.yml | 26 +++++---------------------
 2 files changed, 12 insertions(+), 44 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 27856a4..84cd7bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,26 +27,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install Poetry (pipx)
-        run: pipx install poetry
-      # - name: Install Poetry (Linux/Mac)
-      #   if: runner.os != 'Windows'
-      #   run: curl -sSL https://install.python-poetry.org | python -
-      # - name: Install Poetry (Windows)
-      #   if: runner.os == 'Windows'
-      #   run: |
-      #     $env:POETRY_HOME = '${{ github.workspace }}\poetry'
-      #     (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-      #     echo "${{ github.workspace }}\poetry" >> "$GITHUB_PATH"
-      # - name: DEBUG WINDOWS
-      #   if: runner.os == 'Windows'
-      #   run: |
-      #     pwd
-      #     echo $POETRY_HOME
-      #     ls $POETRY_HOME
-      #     ls ${{ github.workspace }}
-      - name: Show Poetry version
-        run: poetry --version
+      - name: Install Poetry
+        run: |
+          pipx install poetry
+          poetry --version
       - name: Install dependencies
         run: poetry install --with test
       - name: Run tests
@@ -58,10 +42,10 @@ jobs:
       - uses: actions/checkout@v6
       - name: Set up Python
         uses: actions/setup-python@v6
-      - name: Install build dependencies
-        run: python -m pip install --upgrade pip
       - name: Install Poetry
-        run: curl -sSL https://install.python-poetry.org | python -
+        run: |
+          pipx install poetry
+          poetry --version
       - name: Install dependencies
         run: poetry install
       - name: Build package
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 375c4d0..0c9b71c 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -31,25 +31,9 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python-version }}
-      - name: Install Poetry (Linux/Mac)
-        if: runner.os != 'Windows'
-        run: curl -sSL https://install.python-poetry.org | python -
-      - name: Install Poetry (Windows)
-        if: runner.os == 'Windows'
-        run: |
-          (Invoke-WebRequest -Uri https://install.python-poetry.org -UseBasicParsing).Content | py -
-          # SETX /M PATH "%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry"
-          # set PATH=%PATH%;C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry
-          # echo $HOME
-          # echo $GITHUB_PATH
-          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> $GITHUB_PATH
-          # echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-          # echo C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry >> %GITHUB_PATH%
-          echo "C:\Users\runneradmin\AppData\Roaming\Python\Scripts\poetry" >> "$GITHUB_PATH"
-      - name: Show Poetry version
+      - name: Install Poetry
         run: |
-          echo $HOME
-          echo $GITHUB_PATH
+          pipx install poetry
           poetry --version
       - name: Install dependencies
         run: poetry install --with test
@@ -70,10 +54,10 @@ jobs:
         uses: actions/setup-python@v6
         with:
           python-version: "3.14"
-      - name: Install build dependencies
-        run: python -m pip install --upgrade pip
       - name: Install Poetry
-        run: curl -sSL https://install.python-poetry.org | python -
+        run: |
+          pipx install poetry
+          poetry --version
       - name: Install dependencies
         run: poetry install
       - name: Build package

From 422099fd554ba1aeccb6e9204fa748e734d9c9bf Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:31:52 +0000
Subject: [PATCH 33/61] Update CI workflows to install Poetry using pipx and
 exclude test dependencies

---
 .github/workflows/ci.yml      | 2 +-
 .github/workflows/publish.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 84cd7bb..3cabe3d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,6 +47,6 @@ jobs:
           pipx install poetry
           poetry --version
       - name: Install dependencies
-        run: poetry install
+        run: poetry install --without test
       - name: Build package
         run: poetry build
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 0c9b71c..658adad 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -59,7 +59,7 @@ jobs:
           pipx install poetry
           poetry --version
       - name: Install dependencies
-        run: poetry install
+        run: poetry install --without test
       - name: Build package
         run: poetry build
       - name: Publish package to PyPI

From 1def8b27dfefec4b9df0e3d78c2d7479154ab9aa Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:55:15 +0000
Subject: [PATCH 34/61] Update project version to 1.4.0-0 and enhance Flask
 utilities installation in README

---
 .github/workflows/publish.yml |  4 +---
 README.md                     |  4 ++++
 pyproject.toml                | 18 +++++++++++-------
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 658adad..6ba3fdb 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -52,8 +52,6 @@ jobs:
       - uses: actions/checkout@v6
       - name: Set up Python
         uses: actions/setup-python@v6
-        with:
-          python-version: "3.14"
       - name: Install Poetry
         run: |
           pipx install poetry
@@ -63,4 +61,4 @@ jobs:
       - name: Build package
         run: poetry build
       - name: Publish package to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        run: poetry publish
diff --git a/README.md b/README.md
index c977cf3..a133bab 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,10 @@ poetry add tna-utilities
 
 # Install with pip
 pip install tna-utilities
+
+# Install with extra Flask utilities
+poetry add tna-utilities[flask]
+pip install tna-utilities[flask]
 ```
 
 ## Developing
diff --git a/pyproject.toml b/pyproject.toml
index 5a43d56..f844eb8 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "tna-utilities"
-version = "1.3.0"
+version = "1.4.0-0"
 requires-python = ">=3.10"
 authors = [
   {name = "Andrew Hosgood", email = "andrew.hosgood@nationalarchives.gov.uk"},
@@ -25,15 +25,19 @@ classifiers = [
 [project.optional-dependencies]
 flask = ["Flask"]
 
-[tool.poetry.group.test]
-optional = true
-
-[tool.poetry.group.test.dependencies]
-Flask = "^3"
-
 [project.urls]
 Homepage = "https://pypi.org/project/tna-utilities/"
 Documentation = "https://nationalarchives.github.io/python-utilities/"
 Repository = "https://github.com/nationalarchives/python-utilities"
 "Bug Tracker" = "https://github.com/nationalarchives/python-utilities/issues"
 Changelog = "https://github.com/nationalarchives/python-utilities/blob/main/CHANGELOG.md"
+
+[tool.poetry.group.test]
+optional = true
+
+[tool.poetry.group.test.dependencies]
+Flask = "^3"
+
+[build-system]
+requires = ["poetry-core>=2.0.0,<3.0.0"]
+build-backend = "poetry.core.masonry.api"

From 3e0eca725b2519f16a85f34c5eb0bea2d6f0ab02 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 14:55:32 +0000
Subject: [PATCH 35/61] Refactor CI workflows to install Poetry with pipx and
 update dependency installation to use --only-root

---
 .github/workflows/ci.yml      | 2 +-
 .github/workflows/publish.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3cabe3d..a262384 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -47,6 +47,6 @@ jobs:
           pipx install poetry
           poetry --version
       - name: Install dependencies
-        run: poetry install --without test
+        run: poetry install --only-root
       - name: Build package
         run: poetry build
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6ba3fdb..8a1073f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -57,7 +57,7 @@ jobs:
           pipx install poetry
           poetry --version
       - name: Install dependencies
-        run: poetry install --without test
+        run: poetry install --only-root
       - name: Build package
         run: poetry build
       - name: Publish package to PyPI

From ebbe44f258ba2650c920ca1665c633b056ba113f Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 15:21:16 +0000
Subject: [PATCH 36/61] Update poetry.lock

---
 poetry.lock | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 18034e1..7761cd2 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 2.2.1 and should not be changed by hand.
+# This file is automatically @generated by Poetry 2.3.2 and should not be changed by hand.
 
 [[package]]
 name = "blinker"
@@ -11,6 +11,7 @@ files = [
     {file = "blinker-1.9.0-py3-none-any.whl", hash = "sha256:ba0efaa9080b619ff2f3459d1d500c57bddea4a6b424b60a91141db6fd2f08bc"},
     {file = "blinker-1.9.0.tar.gz", hash = "sha256:b4ce2265a7abece45e7cc896e98dbebe6cead56bcf805a3d23136d145f5445bf"},
 ]
+markers = {main = "extra == \"flask\""}
 
 [[package]]
 name = "click"
@@ -23,6 +24,7 @@ files = [
     {file = "click-8.3.1-py3-none-any.whl", hash = "sha256:981153a64e25f12d547d3426c367a4857371575ee7ad18df2a6183ab0545b2a6"},
     {file = "click-8.3.1.tar.gz", hash = "sha256:12ff4785d337a1bb490bb7e9c2b1ee5da3112e94a8622f26a6c77f5d2fc6842a"},
 ]
+markers = {main = "extra == \"flask\""}
 
 [package.dependencies]
 colorama = {version = "*", markers = "platform_system == \"Windows\""}
@@ -34,11 +36,11 @@ description = "Cross-platform colored terminal text."
 optional = false
 python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7"
 groups = ["main", "test"]
-markers = "platform_system == \"Windows\""
 files = [
     {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"},
     {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"},
 ]
+markers = {main = "extra == \"flask\" and platform_system == \"Windows\"", test = "platform_system == \"Windows\""}
 
 [[package]]
 name = "flask"
@@ -51,6 +53,7 @@ files = [
     {file = "flask-3.1.3-py3-none-any.whl", hash = "sha256:f4bcbefc124291925f1a26446da31a5178f9483862233b23c0c96a20701f670c"},
     {file = "flask-3.1.3.tar.gz", hash = "sha256:0ef0e52b8a9cd932855379197dd8f94047b359ca0a78695144304cb45f87c9eb"},
 ]
+markers = {main = "extra == \"flask\""}
 
 [package.dependencies]
 blinker = ">=1.9.0"
@@ -75,6 +78,7 @@ files = [
     {file = "itsdangerous-2.2.0-py3-none-any.whl", hash = "sha256:c6242fc49e35958c8b15141343aa660db5fc54d4f13a1db01a3f5891b98700ef"},
     {file = "itsdangerous-2.2.0.tar.gz", hash = "sha256:e0050c0b7da1eea53ffaf149c0cfbb5c6e2e2b69c4bef22c81fa6eb73e5f6173"},
 ]
+markers = {main = "extra == \"flask\""}
 
 [[package]]
 name = "jinja2"
@@ -87,6 +91,7 @@ files = [
     {file = "jinja2-3.1.6-py3-none-any.whl", hash = "sha256:85ece4451f492d0c13c5dd7c13a64681a86afae63a5f347908daf103ce6d2f67"},
     {file = "jinja2-3.1.6.tar.gz", hash = "sha256:0137fb05990d35f1275a587e9aee6d56da821fc83491a0fb838183be43f66d6d"},
 ]
+markers = {main = "extra == \"flask\""}
 
 [package.dependencies]
 MarkupSafe = ">=2.0"
@@ -192,6 +197,7 @@ files = [
     {file = "markupsafe-3.0.3-cp39-cp39-win_arm64.whl", hash = "sha256:38664109c14ffc9e7437e86b4dceb442b0096dfe3541d7864d9cbe1da4cf36c8"},
     {file = "markupsafe-3.0.3.tar.gz", hash = "sha256:722695808f4b6457b320fdc131280796bdceb04ab50fe1795cd540799ebe1698"},
 ]
+markers = {main = "extra == \"flask\""}
 
 [[package]]
 name = "werkzeug"
@@ -204,6 +210,7 @@ files = [
     {file = "werkzeug-3.1.6-py3-none-any.whl", hash = "sha256:7ddf3357bb9564e407607f988f683d72038551200c704012bb9a4c523d42f131"},
     {file = "werkzeug-3.1.6.tar.gz", hash = "sha256:210c6bede5a420a913956b4791a7f4d6843a43b6fcee4dfa08a65e93007d0d25"},
 ]
+markers = {main = "extra == \"flask\""}
 
 [package.dependencies]
 markupsafe = ">=2.1.1"

From b16c81ad0a56b6c20a84b4317017ded26ba9636c Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 27 Feb 2026 16:13:29 +0000
Subject: [PATCH 37/61] Add Flask Talisman module and update security headers

- Introduced Flask Talisman module with examples in documentation.
- Updated security headers function to include additional headers and renamed it.
- Refactored tests to accommodate changes in Talisman and security headers.
- Enhanced changelog and documentation for clarity on new features.
---
 CHANGELOG.md                    |  2 ++
 docs/dates-and-times.md         |  2 +-
 docs/flask.md                   | 17 ++++++++++
 docs/index.md                   |  4 +++
 docs/number.md                  |  4 +--
 docs/security.md                | 16 +++++----
 tests/test_flask_talisman.py    | 43 ++++++++++++++++++++++---
 tests/test_security.py          | 34 +++++++++++---------
 tna_utilities/flask/talisman.py | 54 ++++++++++++++++++++++++-------
 tna_utilities/security.py       | 57 ++++++++++++++++++++-------------
 10 files changed, 169 insertions(+), 64 deletions(-)
 create mode 100644 docs/flask.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d3b9861..a867a73 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,10 +10,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - CSP directives are appended by default with the option to be overwritten
+- Flask Talisman module added ``
 
 ### Changed
 
 - Added a default of `object-src 'none'` to the `CspGenerator`
+- Renamed `security_headers` function to `common_security_headers`
 
 ### Deprecated
 
diff --git a/docs/dates-and-times.md b/docs/dates-and-times.md
index c6b9bdf..9c83cad 100644
--- a/docs/dates-and-times.md
+++ b/docs/dates-and-times.md
@@ -134,7 +134,7 @@ print(pretty_datetime_range(datetime.datetime(2000, 1, 1, 12, 30, 0), None))
 
 Formats a datetime into a human-readable delta.
 
-Added in `v1.2.0`.
+> Added in `v1.2.0`.
 
 ### Arguments
 
diff --git a/docs/flask.md b/docs/flask.md
new file mode 100644
index 0000000..851bada
--- /dev/null
+++ b/docs/flask.md
@@ -0,0 +1,17 @@
+# Flask
+
+> Added in `v1.4.0`.
+
+## `Talisman`
+
+A stripped-down and opinionated reproduction of [wntrblm/flask-talisman](https://github.com/wntrblm/flask-talisman) which is a fork of [GoogleCloudPlatform/flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman).
+
+### Examples
+
+```python
+from flask import Flask
+from tna_utilities.flask.talisman import Talisman
+
+app = Flask(__name__)
+Talisman(app)
+```
diff --git a/docs/index.md b/docs/index.md
index b7aeeea..00b611c 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -6,4 +6,8 @@
 - [Strings](./string.md)
 - [URLs](./url.md)
 
+## Optional modules
+
+- [Flask](./flask.md)
+
 [Read the changelog](https://github.com/nationalarchives/python-utilities/blob/main/CHANGELOG.md).
diff --git a/docs/number.md b/docs/number.md
index e5e36d2..a303b8e 100644
--- a/docs/number.md
+++ b/docs/number.md
@@ -1,6 +1,6 @@
 # Number
 
-Added in `v1.2.0`.
+> Added in `v1.2.0`.
 
 ## `numberish()`
 
@@ -33,7 +33,7 @@ print(numberish(1337, simple_units=True, prefix_text="~"))
 
 ## `pretty_file_size()`
 
-Added in `v1.3.0`.
+> Added in `v1.3.0`.
 
 Formats file size to a human-readable string.
 
diff --git a/docs/security.md b/docs/security.md
index 5bdb025..3197b13 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -1,6 +1,6 @@
 # Security
 
-Added in `v1.3.0`.
+> Added in `v1.3.0`.
 
 ## `CspGenerator`
 
@@ -29,7 +29,9 @@ generator.get_csp()
 # default-src 'self'; script-src 'self' example.com; style-src 'self' example.com another.net; object-src example.com; worker-src 'none';
 ```
 
-## `security_headers`
+## `common_security_headers`
+
+> Renamed from `security_headers` in `v1.4.0`.
 
 Get a dictionary of common security headers.
 
@@ -37,11 +39,12 @@ Get a dictionary of common security headers.
 
 | Argument                            | Description                                                   | Default       |
 | ----------------------------------- | ------------------------------------------------------------- | ------------- |
-| `x_frame_options`                   | The option for the `X-Frame-Options` header                   | `DENY`        |
-| `x_permitted_cross_domain_policies` | The option for the `X-Permitted-Cross-Domain-Policies` header | `none`        |
 | `cross_origin_embedder_policy`      | The option for the `Cross-Origin-Embedder-Policy` header      | `unsafe-none` |
 | `cross_origin_opener_policy`        | The option for the `Cross-Origin-Opener-Policy` header        | `same-origin` |
 | `cross_origin_resource_policy`      | The option for the `Cross-Origin-Resource-Policy` header      | `same-origin` |
+| `x_content_type_options`            | The option for the `X-Content-Type-Options` header            | `no-sniff`    |
+| `x_frame_options`                   | The option for the `X-Frame-Options` header                   | `DENY`        |
+| `x_permitted_cross_domain_policies` | The option for the `X-Permitted-Cross-Domain-Policies` header | `none`        |
 
 ### Example
 
@@ -50,10 +53,11 @@ from tna_utilities.security import security_headers
 
 print(security_headers())
 # {
-#   "X-Frame-Options": "DENY",
-#   "X-Permitted-Cross-Domain-Policies": "none",
 #   "Cross-Origin-Embedder-Policy": "unsafe-none",
 #   "Cross-Origin-Opener-Policy": "same-origin",
 #   "Cross-Origin-Resource-Policy": "same-origin",
+#   "X-Permitted-Cross-Domain-Policies": "none",
+#   "X-Content-Type-Options": "no-sniff",
+#   "X-Frame-Options": "DENY",
 # }
 ```
diff --git a/tests/test_flask_talisman.py b/tests/test_flask_talisman.py
index 151c924..6f46ca2 100644
--- a/tests/test_flask_talisman.py
+++ b/tests/test_flask_talisman.py
@@ -1,10 +1,10 @@
 import unittest
 
 from flask import Flask, session
-from tna_utilities.flask.talisman import TnaFlaskTalisman
+from tna_utilities.flask.talisman import Talisman
 
 
-class TestFlaskTalisman(unittest.TestCase):
+class TestTalisman(unittest.TestCase):
     def setUp(self):
         self.app = Flask(__name__)
         self.app.config["SECRET_KEY"] = "my_secret_key"
@@ -39,7 +39,7 @@ def test_naked_app(self):
         self.assertNotIn("SameSite", rv.headers["Set-Cookie"])
 
     def test_default_talisman_app(self):
-        TnaFlaskTalisman(self.app)
+        Talisman(self.app, force_https=False)
 
         rv = self.test_client.get("/")
 
@@ -64,12 +64,12 @@ def test_default_talisman_app(self):
 
         self.assertIn("Set-Cookie", rv.headers)
         self.assertIn("session=", rv.headers["Set-Cookie"])
-        self.assertIn(" Secure", rv.headers["Set-Cookie"])
+        self.assertNotIn(" Secure", rv.headers["Set-Cookie"])  # force_https is False
         self.assertIn(" HttpOnly", rv.headers["Set-Cookie"])
         self.assertIn(" SameSite=Lax", rv.headers["Set-Cookie"])
 
     def test_talisman_app_google(self):
-        TnaFlaskTalisman(self.app, allow_google_content_security_policy=True)
+        Talisman(self.app, force_https=False, allow_google_content_security_policy=True)
 
         rv = self.test_client.get("/")
 
@@ -95,3 +95,36 @@ def test_talisman_app_google(self):
             "font-src 'self' themes.googleusercontent.com *.gstatic.com;",
             rv.headers["Content-Security-Policy"],
         )
+
+    def test_talisman_force_https(self):
+        Talisman(self.app)
+
+        rv = self.test_client.get("/")
+
+        self.assertEqual(rv.status_code, 302)
+
+        self.assertIn("Location", rv.headers)
+        self.assertEqual(
+            "https://localhost/",
+            rv.headers["Location"],
+        )
+
+        rv = self.test_client.get("/", follow_redirects=True)
+
+        self.assertEqual(rv.status_code, 200)
+
+        self.assertIn("Set-Cookie", rv.headers)
+        self.assertIn(" Secure", rv.headers["Set-Cookie"])
+
+    def test_talisman_force_https_permanent(self):
+        Talisman(self.app, force_https_permanent=True)
+
+        rv = self.test_client.get("/")
+
+        self.assertEqual(rv.status_code, 301)
+
+        self.assertIn("Location", rv.headers)
+        self.assertEqual(
+            "https://localhost/",
+            rv.headers["Location"],
+        )
diff --git a/tests/test_security.py b/tests/test_security.py
index edd3978..74f16e3 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -1,6 +1,6 @@
 import unittest
 
-from tna_utilities.security import CspGenerator, security_headers
+from tna_utilities.security import CspGenerator, common_security_headers
 
 
 class TestSecurityCSP(unittest.TestCase):
@@ -277,54 +277,58 @@ def test_add_sandbox_invalid_value(self):
         self.assertIn("sandbox;", generator.get_csp())
 
 
-class TestSecurityHeaders(unittest.TestCase):
+class TestCommonSecurityHeaders(unittest.TestCase):
     def test_security_headers_default(self):
-        headers = security_headers()
+        headers = common_security_headers()
         self.assertDictEqual(
             headers,
             {
-                "X-Frame-Options": "DENY",
-                "X-Permitted-Cross-Domain-Policies": "none",
                 "Cross-Origin-Embedder-Policy": "unsafe-none",
                 "Cross-Origin-Opener-Policy": "same-origin",
                 "Cross-Origin-Resource-Policy": "same-origin",
+                "X-Content-Type-Options": "nosniff",
+                "X-Frame-Options": "DENY",
+                "X-Permitted-Cross-Domain-Policies": "none",
             },
         )
 
     def test_security_headers_invalid(self):
-        headers = security_headers(
-            x_frame_options=None,
-            x_permitted_cross_domain_policies="True",
+        headers = common_security_headers(
             cross_origin_embedder_policy="0",
             cross_origin_opener_policy="None",
             cross_origin_resource_policy="",
+            x_content_type_options="[]",
+            x_frame_options="()",
+            x_permitted_cross_domain_policies="True",
         )
         self.assertDictEqual(
             headers,
             {
-                "X-Frame-Options": "DENY",
-                "X-Permitted-Cross-Domain-Policies": "none",
                 "Cross-Origin-Embedder-Policy": "unsafe-none",
                 "Cross-Origin-Opener-Policy": "same-origin",
                 "Cross-Origin-Resource-Policy": "same-origin",
+                "X-Content-Type-Options": "nosniff",
+                "X-Frame-Options": "DENY",
+                "X-Permitted-Cross-Domain-Policies": "none",
             },
         )
 
     def test_security_headers_custom(self):
-        headers = security_headers(
-            x_frame_options="SAMEORIGIN",
-            x_permitted_cross_domain_policies="all",
+        headers = common_security_headers(
             cross_origin_embedder_policy="require-corp",
             cross_origin_opener_policy="noopener-allow-popups",
             cross_origin_resource_policy="cross-origin",
+            x_content_type_options=None,
+            x_frame_options="SAMEORIGIN",
+            x_permitted_cross_domain_policies="all",
         )
         self.assertDictEqual(
             headers,
             {
-                "X-Frame-Options": "SAMEORIGIN",
-                "X-Permitted-Cross-Domain-Policies": "all",
                 "Cross-Origin-Embedder-Policy": "require-corp",
                 "Cross-Origin-Opener-Policy": "noopener-allow-popups",
                 "Cross-Origin-Resource-Policy": "cross-origin",
+                "X-Frame-Options": "SAMEORIGIN",
+                "X-Permitted-Cross-Domain-Policies": "all",
             },
         )
diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index 9f5d7c9..501bf96 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -1,4 +1,6 @@
-from ..security import CspGenerator, security_headers
+import flask
+
+from ..security import CspGenerator, common_security_headers
 
 GOOGLE_CSP_POLICY = {
     "default-src": [CspGenerator.SELF, "*.gstatic.com"],
@@ -23,7 +25,7 @@
 }
 
 
-class TnaFlaskTalisman(object):
+class Talisman(object):
     def __init__(self, app=None, **kwargs):
         if app is not None:
             self.app = app
@@ -33,22 +35,50 @@ def init_app(
         self,
         content_security_policy: dict = {},
         allow_google_content_security_policy: bool = False,
+        security_headers: dict = {},
         referrer_policy: str = "strict-origin-when-cross-origin",
+        force_https: bool = True,
+        force_https_permanent: bool = False,
     ):
-        self.app.config["SESSION_COOKIE_SECURE"] = True
+        self.app.config["SESSION_COOKIE_SECURE"] = force_https and not self.app.debug
         self.app.config["SESSION_COOKIE_HTTPONLY"] = True
         self.app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
 
-        @self.app.after_request
-        def apply_extra_headers(response):
-            response.headers["Content-Security-Policy"] = self.csp(
-                content_security_policy, allow_google_content_security_policy
-            )
-            response.headers.update(security_headers())
-            response.headers["Referrer-Policy"] = referrer_policy
-            return response
+        self.content_security_policy = content_security_policy
+        self.allow_google_content_security_policy = allow_google_content_security_policy
+        self.security_headers = security_headers
+        self.referrer_policy = referrer_policy
+        self.force_https = force_https
+        self.force_https_permanent = force_https_permanent
+
+        self.app.before_request(self._force_https_redirect)
+        self.app.after_request(self._apply_extra_headers)
+
+    def _force_https_redirect(self):
+        criteria = [
+            self.app.debug,
+            flask.request.is_secure,
+            flask.request.headers.get("X-Forwarded-Proto", "http") == "https",
+        ]
+
+        if self.force_https and not any(criteria):
+            if flask.request.url.startswith("http://"):
+                url = flask.request.url.replace("http://", "https://", 1)
+                code = 302
+                if self.force_https_permanent:
+                    code = 301
+                r = flask.redirect(url, code=code)
+                return r
+
+    def _apply_extra_headers(self, response):
+        response.headers["Content-Security-Policy"] = self._csp(
+            self.content_security_policy, self.allow_google_content_security_policy
+        )
+        response.headers.update(common_security_headers(**self.security_headers))
+        response.headers["Referrer-Policy"] = self.referrer_policy
+        return response
 
-    def csp(
+    def _csp(
         self,
         content_security_policy: dict,
         allow_google_content_security_policy: bool = False,
diff --git a/tna_utilities/security.py b/tna_utilities/security.py
index 77ffdc4..19ce3a3 100644
--- a/tna_utilities/security.py
+++ b/tna_utilities/security.py
@@ -423,37 +423,19 @@ def get_csp(self) -> str:
         return "; ".join(parts) + ";"
 
 
-def security_headers(
+def common_security_headers(
     x_frame_options: str | None = None,
     x_permitted_cross_domain_policies: str | None = None,
     cross_origin_embedder_policy: str | None = None,
     cross_origin_opener_policy: str | None = None,
     cross_origin_resource_policy: str | None = None,
+    x_content_type_options: str | None = "nosniff",
 ) -> dict[str, str]:
     """
     Get a dictionary of common security headers.
     """
 
     headers = [
-        {
-            "header": "X-Frame-Options",
-            "values": ["DENY", "SAMEORIGIN"],
-            "default": "DENY",
-            "value": x_frame_options,
-        },
-        {
-            "header": "X-Permitted-Cross-Domain-Policies",
-            "values": [
-                "none",
-                "master-only",
-                "by-content-type",
-                "by-ftp-filename",
-                "all",
-                "none-this-response",
-            ],
-            "default": "none",
-            "value": x_permitted_cross_domain_policies,
-        },
         {
             "header": "Cross-Origin-Embedder-Policy",
             "values": ["unsafe-none", "require-corp", "credentialless"],
@@ -477,13 +459,42 @@ def security_headers(
             "default": "same-origin",
             "value": cross_origin_resource_policy,
         },
+        {
+            "header": "X-Content-Type-Options",
+            "values": [None, "nosniff"],
+            "default": "nosniff",
+            "value": x_content_type_options,
+        },
+        {
+            "header": "X-Frame-Options",
+            "values": ["DENY", "SAMEORIGIN"],
+            "default": "DENY",
+            "value": x_frame_options,
+        },
+        {
+            "header": "X-Permitted-Cross-Domain-Policies",
+            "values": [
+                "none",
+                "master-only",
+                "by-content-type",
+                "by-ftp-filename",
+                "all",
+                "none-this-response",
+            ],
+            "default": "none",
+            "value": x_permitted_cross_domain_policies,
+        },
     ]
 
-    return {
+    headers_dict = {
         header["header"]: (
             header["value"]
-            if header["value"] is not None and header["value"] in header["values"]
-            else header["default"]
+            if header["value"] in header["values"]
+            else (header["default"] or "")
         )
         for header in headers
     }
+
+    return {
+        header: value for header, value in headers_dict.items() if value is not None
+    }

From 91e29666cf845ea7622d9e2c4f1fe044e3f61bbb Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 2 Mar 2026 10:04:15 +0000
Subject: [PATCH 38/61] Refactor CspGenerator methods and update tests to use
 new method names

---
 CHANGELOG.md                    |   3 +-
 docs/security.md                |   2 +-
 tests/test_security.py          | 136 +++++++++++++++++---------------
 tna_utilities/flask/talisman.py |  12 +--
 tna_utilities/security.py       |  35 +++++---
 5 files changed, 108 insertions(+), 80 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a867a73..4845a64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,12 +10,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
 - CSP directives are appended by default with the option to be overwritten
-- Flask Talisman module added ``
+- Flask Talisman module added `tna_utilities.flask.talisman`
 
 ### Changed
 
 - Added a default of `object-src 'none'` to the `CspGenerator`
 - Renamed `security_headers` function to `common_security_headers`
+- Updated `CspGenerator.get_csp()` method to `CspGenerator.to_string()`
 
 ### Deprecated
 
diff --git a/docs/security.md b/docs/security.md
index 3197b13..a9ab5d4 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -25,7 +25,7 @@ generator.object_src("example.com", omit_self=True)
 # Disallow a directive
 generator.disallow("worker-src")
 
-generator.get_csp()
+generator.to_string()
 # default-src 'self'; script-src 'self' example.com; style-src 'self' example.com another.net; object-src example.com; worker-src 'none';
 ```
 
diff --git a/tests/test_security.py b/tests/test_security.py
index 74f16e3..f5e2af2 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -12,50 +12,60 @@ def __init__(self, *args, **kwargs):
 
     def test_init(self):
         generator = CspGenerator()
-        self.assertEqual(generator.get_csp(), "default-src 'self'; object-src 'none';")
+        self.assertEqual(generator.to_string(), "default-src 'self'; object-src 'none';")
+
+    def test_init_str_output(self):
+        generator = CspGenerator()
+        self.assertEqual(str(generator), "default-src 'self'; object-src 'none';")
+
+    def test_init_dict_output(self):
+        generator = CspGenerator()
+        self.assertEqual(
+            generator.to_dict(), {"default-src": ["'self'"], "object-src": ["'none'"]}
+        )
 
     def test_init_none(self):
         generator = CspGenerator(CspGenerator.NONE)
-        self.assertEqual(generator.get_csp(), "default-src 'none'; object-src 'none';")
+        self.assertEqual(generator.to_string(), "default-src 'none'; object-src 'none';")
 
     def test_init_list(self):
         generator = CspGenerator([CspGenerator.NONE, self.test_domain])
         self.assertEqual(
-            generator.get_csp(),
+            generator.to_string(),
             f"default-src 'none' {self.test_domain}; object-src 'none';",
         )
 
     def test_init_empty_string(self):
         generator = CspGenerator("")
-        self.assertEqual(generator.get_csp(), "default-src 'self'; object-src 'none';")
+        self.assertEqual(generator.to_string(), "default-src 'self'; object-src 'none';")
 
     def test_init_list_of_empty_strings(self):
         generator = CspGenerator([""])
-        self.assertEqual(generator.get_csp(), "default-src 'self'; object-src 'none';")
+        self.assertEqual(generator.to_string(), "default-src 'self'; object-src 'none';")
 
     def test_init_allow_objects(self):
         generator = CspGenerator([""], allow_objects=True)
-        self.assertEqual(generator.get_csp(), "default-src 'self';")
+        self.assertEqual(generator.to_string(), "default-src 'self';")
 
     def test_add_directive(self):
         generator = CspGenerator()
         generator.script_src(self.test_domain)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"script-src 'self' {self.test_domain};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"script-src 'self' {self.test_domain};", generator.to_string())
 
     def test_add_directive_none(self):
         generator = CspGenerator()
         generator.script_src(CspGenerator.NONE)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn("script-src 'none';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn("script-src 'none';", generator.to_string())
 
     def test_add_directive_multiple(self):
         generator = CspGenerator()
         generator.script_src(self.test_domain, self.test_domain_2)
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
             f"script-src 'self' {self.test_domain} {self.test_domain_2};",
-            generator.get_csp(),
+            generator.to_string(),
         )
 
     def test_add_directive_duplicates(self):
@@ -63,19 +73,19 @@ def test_add_directive_duplicates(self):
         generator.script_src(
             self.test_domain, self.test_domain_2, self.test_domain, self.test_domain
         )
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
             f"script-src 'self' {self.test_domain} {self.test_domain_2};",
-            generator.get_csp(),
+            generator.to_string(),
         )
 
     def test_add_directive_list(self):
         generator = CspGenerator()
         generator.script_src([self.test_domain, self.test_domain_2])
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
             f"script-src 'self' {self.test_domain} {self.test_domain_2};",
-            generator.get_csp(),
+            generator.to_string(),
         )
 
     def test_add_directive_mixed_types(self):
@@ -89,73 +99,73 @@ def test_add_directive_mixed_types(self):
             f"{self.test_domain_2} {test_domain_3}",
             [test_domain_4, f"{test_domain_5} {test_domain_6}"],
         )
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
             f"script-src 'self' {self.test_domain} {self.test_domain_2} {test_domain_3} {test_domain_4} {test_domain_5} {test_domain_6};",
-            generator.get_csp(),
+            generator.to_string(),
         )
 
     def test_add_directive_space_separated_list(self):
         generator = CspGenerator()
         generator.script_src(f"{self.test_domain} {self.test_domain_2}")
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
             f"script-src 'self' {self.test_domain} {self.test_domain_2};",
-            generator.get_csp(),
+            generator.to_string(),
         )
 
     def test_add_directive_empty(self):
         generator = CspGenerator()
         generator.script_src()
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertNotIn(
             f"script-src 'self' {self.test_domain} {self.test_domain_2};",
-            generator.get_csp(),
+            generator.to_string(),
         )
 
     def test_add_directive_duplicated_self(self):
         generator = CspGenerator()
         generator.script_src(CspGenerator.SELF)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertNotIn("script-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertNotIn("script-src 'self';", generator.to_string())
 
     def test_add_directive_existing_self(self):
         generator = CspGenerator()
         generator.script_src([CspGenerator.SELF, self.test_domain])
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"script-src 'self' {self.test_domain};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"script-src 'self' {self.test_domain};", generator.to_string())
 
     def test_add_directive_existing_none(self):
         generator = CspGenerator()
         generator.script_src([CspGenerator.NONE, self.test_domain])
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"script-src 'none' {self.test_domain};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"script-src 'none' {self.test_domain};", generator.to_string())
 
     def test_add_directive_omit_self(self):
         generator = CspGenerator()
         generator.script_src(self.test_domain, omit_self=True)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"script-src {self.test_domain};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"script-src {self.test_domain};", generator.to_string())
 
     def test_add_directive_list_omit_self(self):
         generator = CspGenerator()
         generator.script_src([self.test_domain, self.test_domain_2], omit_self=True)
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
-            f"script-src {self.test_domain} {self.test_domain_2};", generator.get_csp()
+            f"script-src {self.test_domain} {self.test_domain_2};", generator.to_string()
         )
 
     def test_add_directive_omit_self_existing_none(self):
         generator = CspGenerator()
         generator.script_src([CspGenerator.NONE, self.test_domain], omit_self=True)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"script-src 'none' {self.test_domain};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"script-src 'none' {self.test_domain};", generator.to_string())
 
     def test_add_disallow_directive(self):
         generator = CspGenerator()
         generator.disallow("script-src")
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn("script-src 'none';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn("script-src 'none';", generator.to_string())
 
     def test_add_directive_chained(self):
         generator = CspGenerator()
@@ -165,33 +175,33 @@ def test_add_multiple_directives(self):
         generator = CspGenerator()
         generator.script_src(self.test_domain)
         generator.style_src(self.test_domain_2)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"script-src 'self' {self.test_domain};", generator.get_csp())
-        self.assertIn(f"style-src 'self' {self.test_domain_2};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"script-src 'self' {self.test_domain};", generator.to_string())
+        self.assertIn(f"style-src 'self' {self.test_domain_2};", generator.to_string())
 
     def test_add_multiple_same_directives(self):
         generator = CspGenerator()
         generator.script_src(self.test_domain)
         generator.script_src(self.test_domain_2)
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
             f"script-src 'self' {self.test_domain} {self.test_domain_2};",
-            generator.get_csp(),
+            generator.to_string(),
         )
 
     def test_add_multiple_same_directives_replace(self):
         generator = CspGenerator()
         generator.script_src(self.test_domain)
         generator.script_src(self.test_domain_2, replace=True)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"script-src 'self' {self.test_domain_2};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"script-src 'self' {self.test_domain_2};", generator.to_string())
 
     def test_add_custom_directive(self):
         generator = CspGenerator()
         generator.custom_src("custom-directive", self.test_domain)
-        self.assertIn("default-src 'self';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
-            f"custom-directive 'self' {self.test_domain};", generator.get_csp()
+            f"custom-directive 'self' {self.test_domain};", generator.to_string()
         )
 
     def test_add_directive_sources(self):
@@ -221,60 +231,60 @@ def test_add_directive_sources(self):
         for directive, method in directives:
             generator = CspGenerator()
             getattr(generator, method)(self.test_domain)
-            self.assertIn("default-src 'self';", generator.get_csp())
+            self.assertIn("default-src 'self';", generator.to_string())
             self.assertIn(
-                f"{directive} 'self' {self.test_domain};", generator.get_csp()
+                f"{directive} 'self' {self.test_domain};", generator.to_string()
             )
 
     def test_add_report_uri(self):
         generator = CspGenerator()
         report_uri = "https://report.example.com"
         generator.report_uri(report_uri)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"report-uri {report_uri};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"report-uri {report_uri};", generator.to_string())
 
     def test_add_empty_report_uri(self):
         generator = CspGenerator()
         generator.report_uri("")
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertNotIn("report-uri", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertNotIn("report-uri", generator.to_string())
 
     def test_add_report_to(self):
         generator = CspGenerator()
         report_endpoint_name = "csp_report_endpoint"
         generator.report_to(report_endpoint_name)
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn(f"report-to {report_endpoint_name};", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn(f"report-to {report_endpoint_name};", generator.to_string())
 
     def test_add_empty_report_to(self):
         generator = CspGenerator()
         generator.report_to("")
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertNotIn("report-to", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertNotIn("report-to", generator.to_string())
 
     def test_add_require_trusted_types_for(self):
         generator = CspGenerator()
         generator.require_trusted_types_for()
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn("require-trusted-types-for 'script';", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn("require-trusted-types-for 'script';", generator.to_string())
 
     def test_add_sandbox(self):
         generator = CspGenerator()
         generator.sandbox()
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn("sandbox;", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn("sandbox;", generator.to_string())
 
     def test_add_sandbox_value(self):
         generator = CspGenerator()
         generator.sandbox("allow-scripts")
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn("sandbox allow-scripts;", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn("sandbox allow-scripts;", generator.to_string())
 
     def test_add_sandbox_invalid_value(self):
         generator = CspGenerator()
         generator.sandbox("pizza")
-        self.assertIn("default-src 'self';", generator.get_csp())
-        self.assertIn("sandbox;", generator.get_csp())
+        self.assertIn("default-src 'self';", generator.to_string())
+        self.assertIn("sandbox;", generator.to_string())
 
 
 class TestCommonSecurityHeaders(unittest.TestCase):
diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index 501bf96..79e14ed 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -112,10 +112,10 @@ def _csp(
             csp.require_trusted_types_for()
 
         if allow_google_content_security_policy:
-            csp.add_directive("default-src", *GOOGLE_CSP_POLICY["default-src"])
-            csp.add_directive("font-src", *GOOGLE_CSP_POLICY["font-src"])
-            csp.add_directive("frame-src", *GOOGLE_CSP_POLICY["frame-src"])
-            csp.add_directive("script-src", *GOOGLE_CSP_POLICY["script-src"])
-            csp.add_directive("style-src", *GOOGLE_CSP_POLICY["style-src"])
+            csp.default_src(*GOOGLE_CSP_POLICY["default-src"])
+            csp.font_src(*GOOGLE_CSP_POLICY["font-src"])
+            csp.frame_src(*GOOGLE_CSP_POLICY["frame-src"])
+            csp.script_src(*GOOGLE_CSP_POLICY["script-src"])
+            csp.style_src(*GOOGLE_CSP_POLICY["style-src"])
 
-        return csp.get_csp()
+        return csp.to_string()
diff --git a/tna_utilities/security.py b/tna_utilities/security.py
index 19ce3a3..8a78da7 100644
--- a/tna_utilities/security.py
+++ b/tna_utilities/security.py
@@ -28,18 +28,18 @@ class CspGenerator:
     def __init__(
         self, default_src: str | list[str] | None = None, allow_objects=False
     ) -> None:
-        self.default_src: list[str] = []
+        self.default_src_sources: list[str] = []
         if default_src:
             if isinstance(default_src, list):
-                self.default_src.extend(default_src)
+                self.default_src_sources.extend(default_src)
             else:
-                self.default_src.append(default_src)
-        self.default_src = [src for src in self.default_src if src]
-        if not self.default_src:
-            self.default_src = [self.SELF]
+                self.default_src_sources.append(default_src)
+        self.default_src_sources = [src for src in self.default_src_sources if src]
+        if not self.default_src_sources:
+            self.default_src_sources = [self.SELF]
         self.directives: OrderedDict[str, list[str]] = OrderedDict(
             {
-                "default-src": self.default_src,
+                "default-src": self.default_src_sources,
             }
         )
         if not allow_objects:
@@ -82,7 +82,7 @@ def add_directive(
             return self
 
         # If the values are the same as the default-src, we don't add the directive for simplicity and to avoid redundancy
-        if processed_values == self.default_src:
+        if processed_values == self.default_src_sources:
             return self
 
         # Unless omit_self is True, add 'self' when either it or 'none' is not specified in the sources
@@ -151,6 +151,17 @@ def connect_src(
             "connect-src", *sources, omit_self=omit_self, replace=replace
         )
 
+    def default_src(
+        self, *sources: str | list[str], omit_self=False, replace=False
+    ) -> "CspGenerator":
+        """
+        Add a default-src directive.
+        """
+
+        return self.add_directive(
+            "default-src", *sources, omit_self=omit_self, replace=replace
+        )
+
     def font_src(
         self, *sources: str | list[str], omit_self=False, replace=False
     ) -> "CspGenerator":
@@ -409,7 +420,7 @@ def custom_src(
             directive_name, *sources, omit_self=omit_self, replace=replace
         )
 
-    def get_csp(self) -> str:
+    def to_string(self) -> str:
         """
         Get the complete CSP as a string.
         """
@@ -422,6 +433,12 @@ def get_csp(self) -> str:
             parts.append(directive_str)
         return "; ".join(parts) + ";"
 
+    def __str__(self) -> str:
+        return self.to_string()
+
+    def to_dict(self) -> dict[str, list[str]]:
+        return dict(self.directives)
+
 
 def common_security_headers(
     x_frame_options: str | None = None,

From bf96bb4539d713bab83b2c491eaf9e20e95dda97 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 2 Mar 2026 10:33:06 +0000
Subject: [PATCH 39/61] Formatting

---
 tests/test_security.py | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/tests/test_security.py b/tests/test_security.py
index f5e2af2..5c839ba 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -12,7 +12,9 @@ def __init__(self, *args, **kwargs):
 
     def test_init(self):
         generator = CspGenerator()
-        self.assertEqual(generator.to_string(), "default-src 'self'; object-src 'none';")
+        self.assertEqual(
+            generator.to_string(), "default-src 'self'; object-src 'none';"
+        )
 
     def test_init_str_output(self):
         generator = CspGenerator()
@@ -26,7 +28,9 @@ def test_init_dict_output(self):
 
     def test_init_none(self):
         generator = CspGenerator(CspGenerator.NONE)
-        self.assertEqual(generator.to_string(), "default-src 'none'; object-src 'none';")
+        self.assertEqual(
+            generator.to_string(), "default-src 'none'; object-src 'none';"
+        )
 
     def test_init_list(self):
         generator = CspGenerator([CspGenerator.NONE, self.test_domain])
@@ -37,11 +41,15 @@ def test_init_list(self):
 
     def test_init_empty_string(self):
         generator = CspGenerator("")
-        self.assertEqual(generator.to_string(), "default-src 'self'; object-src 'none';")
+        self.assertEqual(
+            generator.to_string(), "default-src 'self'; object-src 'none';"
+        )
 
     def test_init_list_of_empty_strings(self):
         generator = CspGenerator([""])
-        self.assertEqual(generator.to_string(), "default-src 'self'; object-src 'none';")
+        self.assertEqual(
+            generator.to_string(), "default-src 'self'; object-src 'none';"
+        )
 
     def test_init_allow_objects(self):
         generator = CspGenerator([""], allow_objects=True)
@@ -152,7 +160,8 @@ def test_add_directive_list_omit_self(self):
         generator.script_src([self.test_domain, self.test_domain_2], omit_self=True)
         self.assertIn("default-src 'self';", generator.to_string())
         self.assertIn(
-            f"script-src {self.test_domain} {self.test_domain_2};", generator.to_string()
+            f"script-src {self.test_domain} {self.test_domain_2};",
+            generator.to_string(),
         )
 
     def test_add_directive_omit_self_existing_none(self):

From e208cb5fe795e82c8cffef6548336bf3d84c5904 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 2 Mar 2026 11:55:03 +0000
Subject: [PATCH 40/61] Add detailed docstrings to Talisman and CspGenerator
 classes and their methods

---
 tna_utilities/flask/talisman.py | 31 +++++++++++++++++++++++++++++++
 tna_utilities/security.py       | 19 ++++++++++++++-----
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index 79e14ed..6906ba3 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -26,6 +26,14 @@
 
 
 class Talisman(object):
+    """
+    A stripped-down and opinionated reproduction of [wntrblm/flask-talisman](https://github.com/wntrblm/flask-talisman) which is a fork of [GoogleCloudPlatform/flask-talisman](https://github.com/GoogleCloudPlatform/flask-talisman).
+
+    Neither GoogleCloudPlatform/flask-talisman nor wntrblm/flask-talisman appears to be actively maintained.
+
+    :param app: The Flask application instance to which the Talisman extension should be applied.
+    """
+
     def __init__(self, app=None, **kwargs):
         if app is not None:
             self.app = app
@@ -40,6 +48,17 @@ def init_app(
         force_https: bool = True,
         force_https_permanent: bool = False,
     ):
+        """
+        Initialises the Talisman extension for the Flask app.
+
+        :param content_security_policy: A dictionary defining the Content Security Policy directives and their values.
+        :param allow_google_content_security_policy: If True, includes Google's recommended Content Security Policy directives in addition to the custom directives specified in content_security_policy.
+        :param security_headers: A dictionary of additional security headers to apply to responses, where the keys are header names and the values are header values.
+        :param referrer_policy: The Referrer-Policy header value to apply to responses. Defaults to "strict-origin-when-cross-origin".
+        :param force_https: If True, forces incoming requests to be redirected to HTTPS if they are not already secure and the application is not in debug mode. Defaults to True.
+        :param force_https_permanent: If True, uses a permanent redirect (HTTP 301) when forcing HTTPS, otherwise uses a temporary redirect (HTTP 302). Defaults to False.
+        """
+
         self.app.config["SESSION_COOKIE_SECURE"] = force_https and not self.app.debug
         self.app.config["SESSION_COOKIE_HTTPONLY"] = True
         self.app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
@@ -55,6 +74,10 @@ def init_app(
         self.app.after_request(self._apply_extra_headers)
 
     def _force_https_redirect(self):
+        """
+        Redirects incoming requests to HTTPS if the request is not secure and the application is not in debug mode.
+        """
+
         criteria = [
             self.app.debug,
             flask.request.is_secure,
@@ -71,6 +94,10 @@ def _force_https_redirect(self):
                 return r
 
     def _apply_extra_headers(self, response):
+        """
+        Applies the configured security headers to the response.
+        """
+
         response.headers["Content-Security-Policy"] = self._csp(
             self.content_security_policy, self.allow_google_content_security_policy
         )
@@ -83,6 +110,10 @@ def _csp(
         content_security_policy: dict,
         allow_google_content_security_policy: bool = False,
     ):
+        """
+        Generates a Content-Security-Policy header value based on the provided content security policy configuration and the option to include Google's recommended content security policy directives.
+        """
+
         csp = CspGenerator()
 
         csp.base_uri(content_security_policy.get("base-uri", ""))
diff --git a/tna_utilities/security.py b/tna_utilities/security.py
index 8a78da7..ea12cd0 100644
--- a/tna_utilities/security.py
+++ b/tna_utilities/security.py
@@ -15,11 +15,8 @@ class CspGenerator:
            .connect_src(["'self'", "https://api.example.com"]) \
            .font_src("'self'")
 
-    The ``default_src`` argument to ``__init__`` controls the initial
-    ``default-src`` directive. If it is omitted, a default of ``'self'`` is
-    used. Helper methods such as ``base_uri``, ``child_src``, ``connect_src``,
-    and ``font_src`` delegate to :meth:`add_directive` to add or override
-    specific CSP directives.
+    :param default_src: The sources for the default-src directive, which serves as a fallback for any directives that are not explicitly set. This can be a string or a list of strings. If not provided, it defaults to "'self'".
+    :param allow_objects: If True, allows the use of the object-src directive with a default value of "'self'". If False (the default), disallows the use of the object-src directive by setting it to "'none'".
     """
 
     NONE: str = "'none'"
@@ -72,6 +69,11 @@ def add_directive(
     ) -> "CspGenerator":
         """
         Add a directive.
+
+        :param directive: The name of the directive to add (e.g. "script-src").
+        :param values: The sources for the directive, which can be strings or lists of strings. If a string contains spaces, it will be split into multiple sources.
+        :param omit_self: If True, the 'self' source will not be automatically added if it is not included in the provided sources. Defaults to False.
+        :param replace: If True, the directive will be replaced if it already exists. If False (the default), the new sources will be added to the existing directive, ensuring no duplicates. If the existing directive is set to "'none'", it will be replaced regardless of the value of replace.
         """
 
         # Flatten the values into a single list of strings, splitting any strings that contain spaces into multiple sources
@@ -450,6 +452,13 @@ def common_security_headers(
 ) -> dict[str, str]:
     """
     Get a dictionary of common security headers.
+
+    :param x_frame_options: The value for the X-Frame-Options header. Valid values are "DENY" and "SAMEORIGIN". If not provided, it defaults to "DENY".
+    :param x_permitted_cross_domain_policies: The value for the X-Permitted-Cross-Domain-Policies header. Valid values are "none", "master-only", "by-content-type", "by-ftp-filename", "all", and "none-this-response". If not provided, it defaults to "none".
+    :param cross_origin_embedder_policy: The value for the Cross-Origin-Embedder-Policy header. Valid values are "unsafe-none", "require-corp", and "credentialless". If not provided, it defaults to "unsafe-none".
+    :param cross_origin_opener_policy: The value for the Cross-Origin-Opener-Policy header. Valid values are "same-origin", "same-origin-allow-popups", "unsafe-none", and "noopener-allow-popups". If not provided, it defaults to "same-origin".
+    :param cross_origin_resource_policy: The value for the Cross-Origin-Resource-Policy header. Valid values are "same-origin", "same-site", and "cross-origin". If not provided, it defaults to "same-origin".
+    :param x_content_type_options: The value for the X-Content-Type-Options header. Valid values are None and "nosniff". If not provided, it defaults to "nosniff".
     """
 
     headers = [

From 71eefcd09d9a0dafcb9737e43ac50e447e7fec78 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 2 Mar 2026 13:14:33 +0000
Subject: [PATCH 41/61] Update GitHub Actions workflows: Adjust permissions and
 upgrade action versions

---
 .github/workflows/deploy-docs.yml | 6 +++---
 .github/workflows/publish.yml     | 1 +
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 08abe87..0ddb227 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -10,7 +10,7 @@ on:
 
 permissions:
   contents: read
-  actions: read
+  # actions: read
   pages: write
   id-token: write
 
@@ -31,9 +31,9 @@ jobs:
       - name: Build documentation
         run: docker run -v ${PWD}:/docs squidfunk/mkdocs-material build
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@v5
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@v4
         with:
           path: site
       - name: Deploy to GitHub Pages
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8a1073f..bcacdd3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -47,6 +47,7 @@ jobs:
       - test
     environment: pypi
     permissions:
+      contents: read
       id-token: write
     steps:
       - uses: actions/checkout@v6

From ae4105a11a3437441c1d8ad20a5813cb94d995ff Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Tue, 3 Mar 2026 10:31:13 +0000
Subject: [PATCH 42/61] Fix docstring typos in CspGenerator class for img-src
 and object-src directives

---
 tna_utilities/security.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tna_utilities/security.py b/tna_utilities/security.py
index ea12cd0..64f2475 100644
--- a/tna_utilities/security.py
+++ b/tna_utilities/security.py
@@ -212,7 +212,7 @@ def img_src(
         self, *sources: str | list[str], omit_self=False, replace=False
     ) -> "CspGenerator":
         """
-        Add a img-src directive.
+        Add an img-src directive.
         """
 
         return self.add_directive(
@@ -245,7 +245,7 @@ def object_src(
         self, *sources: str | list[str], omit_self=False, replace=False
     ) -> "CspGenerator":
         """
-        Add a object-src directive.
+        Add an object-src directive.
         """
 
         return self.add_directive(

From 464acc1d53e3fb48cf8df0c83db53f29e1f54a19 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Tue, 3 Mar 2026 10:34:19 +0000
Subject: [PATCH 43/61] Fix typo in index.md: change "Strings" to "String"

---
 docs/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/index.md b/docs/index.md
index 00b611c..dbd1a83 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -3,7 +3,7 @@
 - [Currency](./currency.md)
 - [Dates and times](./dates-and-times.md)
 - [Security](./security.md)
-- [Strings](./string.md)
+- [String](./string.md)
 - [URLs](./url.md)
 
 ## Optional modules

From 3256c5014fab7cc37bf9076b49144c0bf4f182da Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 4 Mar 2026 11:27:48 +0000
Subject: [PATCH 44/61] Refactor CSP handling: remove deprecated
 X-Frame-Options, enhance CspGenerator with new directives, and update tests
 accordingly

---
 CHANGELOG.md                    |  4 ++
 docs/security.md                |  2 -
 tests/test_flask_talisman.py    | 17 ++++----
 tests/test_security.py          | 77 ++++++++++++++++++++++++++-------
 tna_utilities/flask/talisman.py | 20 ++++-----
 tna_utilities/security.py       | 47 ++++++++++++--------
 6 files changed, 111 insertions(+), 56 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4845a64..d9b2686 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,11 +17,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added a default of `object-src 'none'` to the `CspGenerator`
 - Renamed `security_headers` function to `common_security_headers`
 - Updated `CspGenerator.get_csp()` method to `CspGenerator.to_string()`
+- Moved the simplification step of generating a CSP string to the `to_string()` method
+- By default, disallow `frame-ancestors` and `child-src` in CSP
 
 ### Deprecated
 
 ### Removed
 
+- Removed support for deprecated `X-Frame-Options` header in `common_security_headers`
+
 ### Fixed
 
 - Handle empty lists for initialisation of `CspGenerator`
diff --git a/docs/security.md b/docs/security.md
index a9ab5d4..cde16a9 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -43,7 +43,6 @@ Get a dictionary of common security headers.
 | `cross_origin_opener_policy`        | The option for the `Cross-Origin-Opener-Policy` header        | `same-origin` |
 | `cross_origin_resource_policy`      | The option for the `Cross-Origin-Resource-Policy` header      | `same-origin` |
 | `x_content_type_options`            | The option for the `X-Content-Type-Options` header            | `no-sniff`    |
-| `x_frame_options`                   | The option for the `X-Frame-Options` header                   | `DENY`        |
 | `x_permitted_cross_domain_policies` | The option for the `X-Permitted-Cross-Domain-Policies` header | `none`        |
 
 ### Example
@@ -58,6 +57,5 @@ print(security_headers())
 #   "Cross-Origin-Resource-Policy": "same-origin",
 #   "X-Permitted-Cross-Domain-Policies": "none",
 #   "X-Content-Type-Options": "no-sniff",
-#   "X-Frame-Options": "DENY",
 # }
 ```
diff --git a/tests/test_flask_talisman.py b/tests/test_flask_talisman.py
index 6f46ca2..ef0093f 100644
--- a/tests/test_flask_talisman.py
+++ b/tests/test_flask_talisman.py
@@ -26,7 +26,6 @@ def test_naked_app(self):
 
         self.assertNotIn("Content-Security-Policy", rv.headers)
 
-        self.assertNotIn("X-Frame-Options", rv.headers)
         self.assertNotIn("X-Permitted-Cross-Domain-Policies", rv.headers)
         self.assertNotIn("Cross-Origin-Embedder-Policy", rv.headers)
         self.assertNotIn("Cross-Origin-Opener-Policy", rv.headers)
@@ -47,12 +46,10 @@ def test_default_talisman_app(self):
 
         self.assertIn("Content-Security-Policy", rv.headers)
         self.assertEqual(
-            "default-src 'self'; object-src 'none';",
+            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; child-src 'none';",
             rv.headers["Content-Security-Policy"],
         )
 
-        self.assertIn("X-Frame-Options", rv.headers)
-        self.assertEqual("DENY", rv.headers["X-Frame-Options"])
         self.assertIn("X-Permitted-Cross-Domain-Policies", rv.headers)
         self.assertEqual("none", rv.headers["X-Permitted-Cross-Domain-Policies"])
         self.assertIn("Cross-Origin-Embedder-Policy", rv.headers)
@@ -76,23 +73,25 @@ def test_talisman_app_google(self):
         self.assertEqual(rv.status_code, 200)
 
         self.assertIn("Content-Security-Policy", rv.headers)
+        self.assertIn("default-src 'self';", rv.headers["Content-Security-Policy"])
         self.assertIn(
-            "default-src 'self' *.gstatic.com;", rv.headers["Content-Security-Policy"]
+            "frame-src 'self' www.google.com www.youtube.com;",
+            rv.headers["Content-Security-Policy"],
         )
         self.assertIn(
-            "script-src 'self' ajax.googleapis.com *.googleanalytics.com *.google-analytics.com;",
+            "font-src 'self' *.gstatic.com;",
             rv.headers["Content-Security-Policy"],
         )
         self.assertIn(
-            "style-src 'self' ajax.googleapis.com fonts.googleapis.com *.gstatic.com;",
+            "img-src 'self' img.youtube.com;",
             rv.headers["Content-Security-Policy"],
         )
         self.assertIn(
-            "frame-src 'self' www.google.com www.youtube.com;",
+            "script-src 'self' ajax.googleapis.com *.googleanalytics.com *.google-analytics.com www.youtube.com;",
             rv.headers["Content-Security-Policy"],
         )
         self.assertIn(
-            "font-src 'self' themes.googleusercontent.com *.gstatic.com;",
+            "style-src 'self' ajax.googleapis.com fonts.googleapis.com *.gstatic.com;",
             rv.headers["Content-Security-Policy"],
         )
 
diff --git a/tests/test_security.py b/tests/test_security.py
index 5c839ba..834c7d6 100644
--- a/tests/test_security.py
+++ b/tests/test_security.py
@@ -13,48 +13,92 @@ def __init__(self, *args, **kwargs):
     def test_init(self):
         generator = CspGenerator()
         self.assertEqual(
-            generator.to_string(), "default-src 'self'; object-src 'none';"
+            generator.to_string(),
+            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; child-src 'none';",
         )
 
     def test_init_str_output(self):
         generator = CspGenerator()
-        self.assertEqual(str(generator), "default-src 'self'; object-src 'none';")
+        self.assertEqual(
+            str(generator),
+            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; child-src 'none';",
+        )
 
     def test_init_dict_output(self):
         generator = CspGenerator()
         self.assertEqual(
-            generator.to_dict(), {"default-src": ["'self'"], "object-src": ["'none'"]}
+            generator.to_dict(),
+            {
+                "default-src": ["'self'"],
+                "object-src": ["'none'"],
+                "frame-ancestors": ["'none'"],
+                "child-src": ["'none'"],
+            },
         )
 
     def test_init_none(self):
         generator = CspGenerator(CspGenerator.NONE)
         self.assertEqual(
-            generator.to_string(), "default-src 'none'; object-src 'none';"
+            generator.to_string(),
+            "default-src 'none'; object-src 'none'; frame-ancestors 'none'; child-src 'none';",
         )
 
     def test_init_list(self):
         generator = CspGenerator([CspGenerator.NONE, self.test_domain])
         self.assertEqual(
             generator.to_string(),
-            f"default-src 'none' {self.test_domain}; object-src 'none';",
+            f"default-src 'none' {self.test_domain}; object-src 'none'; frame-ancestors 'none'; child-src 'none';",
         )
 
     def test_init_empty_string(self):
         generator = CspGenerator("")
         self.assertEqual(
-            generator.to_string(), "default-src 'self'; object-src 'none';"
+            generator.to_string(),
+            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; child-src 'none';",
         )
 
     def test_init_list_of_empty_strings(self):
         generator = CspGenerator([""])
         self.assertEqual(
-            generator.to_string(), "default-src 'self'; object-src 'none';"
+            generator.to_string(),
+            "default-src 'self'; object-src 'none'; frame-ancestors 'none'; child-src 'none';",
         )
 
     def test_init_allow_objects(self):
         generator = CspGenerator([""], allow_objects=True)
+        self.assertEqual(
+            generator.to_string(),
+            "default-src 'self'; frame-ancestors 'none'; child-src 'none';",
+        )
+
+    def test_init_allow_iframe_embedding(self):
+        generator = CspGenerator([""], allow_iframe_embedding=True)
+        self.assertEqual(
+            generator.to_string(),
+            "default-src 'self'; object-src 'none'; child-src 'none';",
+        )
+
+    def test_init_allow_children(self):
+        generator = CspGenerator([""], allow_children=True)
+        self.assertEqual(
+            generator.to_string(),
+            "default-src 'self'; object-src 'none'; frame-ancestors 'none';",
+        )
+
+    def test_init_allow_all_optional(self):
+        generator = CspGenerator(
+            [""], allow_objects=True, allow_iframe_embedding=True, allow_children=True
+        )
         self.assertEqual(generator.to_string(), "default-src 'self';")
 
+    def test_init_overwrite_default_disallows(self):
+        generator = CspGenerator(CspGenerator.NONE)
+        generator.object_src(self.test_domain, omit_self=True)
+        self.assertEqual(
+            generator.to_string(),
+            f"default-src 'none'; object-src {self.test_domain}; frame-ancestors 'none'; child-src 'none';",
+        )
+
     def test_add_directive(self):
         generator = CspGenerator()
         generator.script_src(self.test_domain)
@@ -131,11 +175,19 @@ def test_add_directive_empty(self):
             generator.to_string(),
         )
 
-    def test_add_directive_duplicated_self(self):
+    def test_no_simplify_duplicated_directives(self):
         generator = CspGenerator()
         generator.script_src(CspGenerator.SELF)
-        self.assertIn("default-src 'self';", generator.to_string())
-        self.assertNotIn("script-src 'self';", generator.to_string())
+        csp = generator.to_string()
+        self.assertIn("default-src 'self';", csp)
+        self.assertIn("script-src 'self';", csp)
+
+    def test_simplify_duplicated_directives(self):
+        generator = CspGenerator()
+        generator.script_src(CspGenerator.SELF)
+        csp = generator.to_string(simplify=True)
+        self.assertIn("default-src 'self';", csp)
+        self.assertNotIn("script-src", csp)
 
     def test_add_directive_existing_self(self):
         generator = CspGenerator()
@@ -306,7 +358,6 @@ def test_security_headers_default(self):
                 "Cross-Origin-Opener-Policy": "same-origin",
                 "Cross-Origin-Resource-Policy": "same-origin",
                 "X-Content-Type-Options": "nosniff",
-                "X-Frame-Options": "DENY",
                 "X-Permitted-Cross-Domain-Policies": "none",
             },
         )
@@ -317,7 +368,6 @@ def test_security_headers_invalid(self):
             cross_origin_opener_policy="None",
             cross_origin_resource_policy="",
             x_content_type_options="[]",
-            x_frame_options="()",
             x_permitted_cross_domain_policies="True",
         )
         self.assertDictEqual(
@@ -327,7 +377,6 @@ def test_security_headers_invalid(self):
                 "Cross-Origin-Opener-Policy": "same-origin",
                 "Cross-Origin-Resource-Policy": "same-origin",
                 "X-Content-Type-Options": "nosniff",
-                "X-Frame-Options": "DENY",
                 "X-Permitted-Cross-Domain-Policies": "none",
             },
         )
@@ -338,7 +387,6 @@ def test_security_headers_custom(self):
             cross_origin_opener_policy="noopener-allow-popups",
             cross_origin_resource_policy="cross-origin",
             x_content_type_options=None,
-            x_frame_options="SAMEORIGIN",
             x_permitted_cross_domain_policies="all",
         )
         self.assertDictEqual(
@@ -347,7 +395,6 @@ def test_security_headers_custom(self):
                 "Cross-Origin-Embedder-Policy": "require-corp",
                 "Cross-Origin-Opener-Policy": "noopener-allow-popups",
                 "Cross-Origin-Resource-Policy": "cross-origin",
-                "X-Frame-Options": "SAMEORIGIN",
                 "X-Permitted-Cross-Domain-Policies": "all",
             },
         )
diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index 6906ba3..ada27e1 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -3,21 +3,22 @@
 from ..security import CspGenerator, common_security_headers
 
 GOOGLE_CSP_POLICY = {
-    "default-src": [CspGenerator.SELF, "*.gstatic.com"],
+    # "default-src": ["*.gstatic.com"],
     # Fonts from fonts.google.com
-    "font-src": [CspGenerator.SELF, "themes.googleusercontent.com", "*.gstatic.com"],
+    "font-src": ["*.gstatic.com"],
     # <iframe> based embedding for Maps and Youtube
-    "frame-src": [CspGenerator.SELF, "www.google.com", "www.youtube.com"],
+    "frame-src": ["www.google.com", "www.youtube.com"],
+    # YouTube video thumbnails
+    "img-src": ["img.youtube.com"],
     # Assorted Google-hosted Libraries/APIs
     "script-src": [
-        CspGenerator.SELF,
         "ajax.googleapis.com",
         "*.googleanalytics.com",
         "*.google-analytics.com",
+        "www.youtube.com",
     ],
-    # Used by generated code from http://www.google.com/fonts
+    # Google Fonts stylesheets and YouTube embedded player styles
     "style-src": [
-        CspGenerator.SELF,
         "ajax.googleapis.com",
         "fonts.googleapis.com",
         "*.gstatic.com",
@@ -143,10 +144,7 @@ def _csp(
             csp.require_trusted_types_for()
 
         if allow_google_content_security_policy:
-            csp.default_src(*GOOGLE_CSP_POLICY["default-src"])
-            csp.font_src(*GOOGLE_CSP_POLICY["font-src"])
-            csp.frame_src(*GOOGLE_CSP_POLICY["frame-src"])
-            csp.script_src(*GOOGLE_CSP_POLICY["script-src"])
-            csp.style_src(*GOOGLE_CSP_POLICY["style-src"])
+            for x, y in GOOGLE_CSP_POLICY.items():
+                csp.add_directive(x, *y)
 
         return csp.to_string()
diff --git a/tna_utilities/security.py b/tna_utilities/security.py
index 64f2475..4cc3d0e 100644
--- a/tna_utilities/security.py
+++ b/tna_utilities/security.py
@@ -19,11 +19,20 @@ class CspGenerator:
     :param allow_objects: If True, allows the use of the object-src directive with a default value of "'self'". If False (the default), disallows the use of the object-src directive by setting it to "'none'".
     """
 
-    NONE: str = "'none'"
-    SELF: str = "'self'"
+    NONE = "'none'"
+    SELF = "'self'"
+    STRICT_DYNAMIC = "'strict-dynamic'"
+    UNSAFE_EVAL = "'unsafe-eval'"
+    UNSAFE_HASHES = "'unsafe-hashes'"
+    UNSAFE_INLINE = "'unsafe-inline'"
+    WASM_UNSAFE_EVAL = "'wasm-unsafe-eval'"
 
     def __init__(
-        self, default_src: str | list[str] | None = None, allow_objects=False
+        self,
+        default_src: str | list[str] | None = None,
+        allow_objects=False,
+        allow_iframe_embedding=False,
+        allow_children=False,
     ) -> None:
         self.default_src_sources: list[str] = []
         if default_src:
@@ -40,7 +49,11 @@ def __init__(
             }
         )
         if not allow_objects:
-            self.directives["object-src"] = [self.NONE]
+            self.disallow("object-src")
+        if not allow_iframe_embedding:
+            self.disallow("frame-ancestors")
+        if not allow_children:
+            self.disallow("child-src")
 
     def _process_sources(self, *values: str | list[str]) -> list[str]:
         """
@@ -83,10 +96,6 @@ def add_directive(
         if not processed_values:
             return self
 
-        # If the values are the same as the default-src, we don't add the directive for simplicity and to avoid redundancy
-        if processed_values == self.default_src_sources:
-            return self
-
         # Unless omit_self is True, add 'self' when either it or 'none' is not specified in the sources
         if (
             not omit_self
@@ -422,13 +431,21 @@ def custom_src(
             directive_name, *sources, omit_self=omit_self, replace=replace
         )
 
-    def to_string(self) -> str:
+    def to_string(self, simplify=False) -> str:
         """
         Get the complete CSP as a string.
         """
 
-        parts: list[str] = []
-        for directive, sources in self.directives.items():
+        directives = self.directives.copy()
+        if simplify:
+            default_src = self.directives.get("default-src")
+            directives = {
+                k: v
+                for k, v in directives.items()
+                if k == "default-src" or v != default_src
+            }
+        parts = []
+        for directive, sources in directives.items():
             directive_str = directive
             if sources:
                 directive_str += " " + " ".join(sources)
@@ -443,7 +460,6 @@ def to_dict(self) -> dict[str, list[str]]:
 
 
 def common_security_headers(
-    x_frame_options: str | None = None,
     x_permitted_cross_domain_policies: str | None = None,
     cross_origin_embedder_policy: str | None = None,
     cross_origin_opener_policy: str | None = None,
@@ -453,7 +469,6 @@ def common_security_headers(
     """
     Get a dictionary of common security headers.
 
-    :param x_frame_options: The value for the X-Frame-Options header. Valid values are "DENY" and "SAMEORIGIN". If not provided, it defaults to "DENY".
     :param x_permitted_cross_domain_policies: The value for the X-Permitted-Cross-Domain-Policies header. Valid values are "none", "master-only", "by-content-type", "by-ftp-filename", "all", and "none-this-response". If not provided, it defaults to "none".
     :param cross_origin_embedder_policy: The value for the Cross-Origin-Embedder-Policy header. Valid values are "unsafe-none", "require-corp", and "credentialless". If not provided, it defaults to "unsafe-none".
     :param cross_origin_opener_policy: The value for the Cross-Origin-Opener-Policy header. Valid values are "same-origin", "same-origin-allow-popups", "unsafe-none", and "noopener-allow-popups". If not provided, it defaults to "same-origin".
@@ -491,12 +506,6 @@ def common_security_headers(
             "default": "nosniff",
             "value": x_content_type_options,
         },
-        {
-            "header": "X-Frame-Options",
-            "values": ["DENY", "SAMEORIGIN"],
-            "default": "DENY",
-            "value": x_frame_options,
-        },
         {
             "header": "X-Permitted-Cross-Domain-Policies",
             "values": [

From 5e0ee99c929e2f8bed7f5a48479ea76aa263744e Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 4 Mar 2026 16:02:40 +0000
Subject: [PATCH 45/61] Potential fix for pull request finding 'Explicit
 returns mixed with implicit (fall through) returns'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
---
 tna_utilities/flask/talisman.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index ada27e1..22b43f2 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -94,6 +94,8 @@ def _force_https_redirect(self):
                 r = flask.redirect(url, code=code)
                 return r
 
+        return None
+
     def _apply_extra_headers(self, response):
         """
         Applies the configured security headers to the response.

From 3075e93459c717c6512ed8c67fd8b3c7a0486695 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 4 Mar 2026 16:35:12 +0000
Subject: [PATCH 46/61] Refactor HTTPS redirection: replace string manipulation
 with urlparse for improved URL handling

---
 tna_utilities/flask/talisman.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index ada27e1..6f09762 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -1,3 +1,5 @@
+from urllib.parse import urlparse, urlunparse
+
 import flask
 
 from ..security import CspGenerator, common_security_headers
@@ -87,11 +89,13 @@ def _force_https_redirect(self):
 
         if self.force_https and not any(criteria):
             if flask.request.url.startswith("http://"):
-                url = flask.request.url.replace("http://", "https://", 1)
+                parsed = urlparse(flask.request.url)
+                secure_parsed = parsed._replace(scheme="https", fragment="")
+                target = urlunparse(secure_parsed)
                 code = 302
                 if self.force_https_permanent:
                     code = 301
-                r = flask.redirect(url, code=code)
+                r = flask.redirect(target, code=code)
                 return r
 
     def _apply_extra_headers(self, response):

From 15a5f7fd47d6cc568a19690d2e683c1e613323e9 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 4 Mar 2026 16:40:44 +0000
Subject: [PATCH 47/61] Update HTTPS redirection tests to validate query
 parameters and fragments in URLs

---
 tests/test_flask_talisman.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/test_flask_talisman.py b/tests/test_flask_talisman.py
index ef0093f..176c219 100644
--- a/tests/test_flask_talisman.py
+++ b/tests/test_flask_talisman.py
@@ -98,13 +98,13 @@ def test_talisman_app_google(self):
     def test_talisman_force_https(self):
         Talisman(self.app)
 
-        rv = self.test_client.get("/")
+        rv = self.test_client.get("http://localhost/foobar?test=1#abc")
 
         self.assertEqual(rv.status_code, 302)
 
         self.assertIn("Location", rv.headers)
         self.assertEqual(
-            "https://localhost/",
+            "https://localhost/foobar?test=1",
             rv.headers["Location"],
         )
 
@@ -118,12 +118,12 @@ def test_talisman_force_https(self):
     def test_talisman_force_https_permanent(self):
         Talisman(self.app, force_https_permanent=True)
 
-        rv = self.test_client.get("/")
+        rv = self.test_client.get("http://localhost/foobar?test=1#abc")
 
         self.assertEqual(rv.status_code, 301)
 
         self.assertIn("Location", rv.headers)
         self.assertEqual(
-            "https://localhost/",
+            "https://localhost/foobar?test=1",
             rv.headers["Location"],
         )

From 3ab23abf37a58127173dcbb7b372978783128369 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 4 Mar 2026 16:43:43 +0000
Subject: [PATCH 48/61] Formatting

---
 tests/test_flask_talisman.py | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/tests/test_flask_talisman.py b/tests/test_flask_talisman.py
index 176c219..d15bdde 100644
--- a/tests/test_flask_talisman.py
+++ b/tests/test_flask_talisman.py
@@ -99,9 +99,7 @@ def test_talisman_force_https(self):
         Talisman(self.app)
 
         rv = self.test_client.get("http://localhost/foobar?test=1#abc")
-
         self.assertEqual(rv.status_code, 302)
-
         self.assertIn("Location", rv.headers)
         self.assertEqual(
             "https://localhost/foobar?test=1",
@@ -109,9 +107,7 @@ def test_talisman_force_https(self):
         )
 
         rv = self.test_client.get("/", follow_redirects=True)
-
         self.assertEqual(rv.status_code, 200)
-
         self.assertIn("Set-Cookie", rv.headers)
         self.assertIn(" Secure", rv.headers["Set-Cookie"])
 
@@ -119,9 +115,7 @@ def test_talisman_force_https_permanent(self):
         Talisman(self.app, force_https_permanent=True)
 
         rv = self.test_client.get("http://localhost/foobar?test=1#abc")
-
         self.assertEqual(rv.status_code, 301)
-
         self.assertIn("Location", rv.headers)
         self.assertEqual(
             "https://localhost/foobar?test=1",

From 173b7985cb37607a27763bc7852fe21ef3deb530 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 6 Mar 2026 12:17:56 +0000
Subject: [PATCH 49/61] Refactor CI and publish workflows to use script files
 for formatting, testing, and building

---
 .github/workflows/ci.yml      | 22 +++++++---------------
 .github/workflows/publish.yml | 22 +++++++---------------
 README.md                     |  7 ++-----
 tasks/build.sh                |  4 ++++
 tasks/checkformat.sh          |  3 +++
 tasks/format.sh               |  1 -
 tasks/test.sh                 |  4 ++++
 7 files changed, 27 insertions(+), 36 deletions(-)
 create mode 100755 tasks/build.sh
 create mode 100755 tasks/checkformat.sh
 create mode 100755 tasks/test.sh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a262384..fc78d1a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Check formatting
-        run: docker run --rm -v "$(pwd)":/app/ ghcr.io/nationalarchives/tna-python-dev:latest checkformat
+        run: ./tasks/checkformat.sh
 
   test:
     strategy:
@@ -28,13 +28,9 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry
-        run: |
-          pipx install poetry
-          poetry --version
-      - name: Install dependencies
-        run: poetry install --with test
-      - name: Run tests
-        run: poetry run python -m unittest discover tests
+        run: pipx install poetry
+      - name: Install dependencies and run tests
+        run: ./tasks/test.sh
 
   build:
     runs-on: ubuntu-latest
@@ -43,10 +39,6 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v6
       - name: Install Poetry
-        run: |
-          pipx install poetry
-          poetry --version
-      - name: Install dependencies
-        run: poetry install --only-root
-      - name: Build package
-        run: poetry build
+        run: pipx install poetry
+      - name: Install dependencies and build package
+        run: ./tasks/build.sh
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index bcacdd3..a3eb7ad 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Check formatting
-        run: docker run --rm -v "$(pwd)":/app/ ghcr.io/nationalarchives/tna-python-dev:latest checkformat
+        run: ./tasks/checkformat.sh
 
   test:
     permissions:
@@ -32,13 +32,9 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install Poetry
-        run: |
-          pipx install poetry
-          poetry --version
-      - name: Install dependencies
-        run: poetry install --with test
-      - name: Run tests
-        run: poetry run python -m unittest discover tests
+        run: pipx install poetry
+      - name: Install dependencies and run tests
+        run: ./tasks/test.sh
 
   deploy:
     runs-on: ubuntu-latest
@@ -54,12 +50,8 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v6
       - name: Install Poetry
-        run: |
-          pipx install poetry
-          poetry --version
-      - name: Install dependencies
-        run: poetry install --only-root
-      - name: Build package
-        run: poetry build
+        run: pipx install poetry
+      - name: Install dependencies and build package
+        run: ./tasks/build.sh
       - name: Publish package to PyPI
         run: poetry publish
diff --git a/README.md b/README.md
index a133bab..770ded2 100644
--- a/README.md
+++ b/README.md
@@ -29,11 +29,8 @@ pip install tna-utilities[flask]
 ## Developing
 
 ```sh
-# Install the test dependencies
-poetry install --with test
-
-# Run the tests
-poetry run python -m unittest discover tests
+# Install the test dependencies and run the tests
+./tasks/test.sh
 
 # Format the code
 ./tasks/format.sh
diff --git a/tasks/build.sh b/tasks/build.sh
new file mode 100755
index 0000000..ce0b037
--- /dev/null
+++ b/tasks/build.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+poetry install --only-root
+poetry build
diff --git a/tasks/checkformat.sh b/tasks/checkformat.sh
new file mode 100755
index 0000000..63db9d9
--- /dev/null
+++ b/tasks/checkformat.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run --rm -v "$(pwd)":/app/ ghcr.io/nationalarchives/tna-python-dev:preview checkformat
diff --git a/tasks/format.sh b/tasks/format.sh
index bc1913d..dbbedf0 100755
--- a/tasks/format.sh
+++ b/tasks/format.sh
@@ -1,4 +1,3 @@
 #!/bin/bash
 
 docker run --rm -v "$(pwd)":/app/ ghcr.io/nationalarchives/tna-python-dev:preview format
-npx prettier --write .
diff --git a/tasks/test.sh b/tasks/test.sh
new file mode 100755
index 0000000..bedd6fb
--- /dev/null
+++ b/tasks/test.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+poetry install --with test
+poetry run python -m unittest discover tests

From e581dc744a15faadd2376862f53da9159ee4e9ef Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 6 Mar 2026 12:24:27 +0000
Subject: [PATCH 50/61] Update CI workflows to use Poetry for dependency
 installation and testing

---
 .github/workflows/ci.yml      | 4 +++-
 .github/workflows/publish.yml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fc78d1a..b5ec861 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -30,7 +30,9 @@ jobs:
       - name: Install Poetry
         run: pipx install poetry
       - name: Install dependencies and run tests
-        run: ./tasks/test.sh
+        run: |
+          poetry install --with test
+          poetry run python -m unittest discover tests
 
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a3eb7ad..476d039 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -34,7 +34,9 @@ jobs:
       - name: Install Poetry
         run: pipx install poetry
       - name: Install dependencies and run tests
-        run: ./tasks/test.sh
+        run: |
+          poetry install --with test
+          poetry run python -m unittest discover tests
 
   deploy:
     runs-on: ubuntu-latest

From ce12716351a5c8c71eff03a74d355bd0167c1698 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 6 Mar 2026 12:27:15 +0000
Subject: [PATCH 51/61] Update CI workflows to use bash for script execution

---
 .github/workflows/ci.yml      | 8 +++-----
 .github/workflows/publish.yml | 8 +++-----
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b5ec861..ad7ba23 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Check formatting
-        run: ./tasks/checkformat.sh
+        run: bash ./tasks/checkformat.sh
 
   test:
     strategy:
@@ -30,9 +30,7 @@ jobs:
       - name: Install Poetry
         run: pipx install poetry
       - name: Install dependencies and run tests
-        run: |
-          poetry install --with test
-          poetry run python -m unittest discover tests
+        run: bash ./tasks/test.sh
 
   build:
     runs-on: ubuntu-latest
@@ -43,4 +41,4 @@ jobs:
       - name: Install Poetry
         run: pipx install poetry
       - name: Install dependencies and build package
-        run: ./tasks/build.sh
+        run: bash ./tasks/build.sh
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 476d039..9afbd45 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - name: Check formatting
-        run: ./tasks/checkformat.sh
+        run: bash ./tasks/checkformat.sh
 
   test:
     permissions:
@@ -34,9 +34,7 @@ jobs:
       - name: Install Poetry
         run: pipx install poetry
       - name: Install dependencies and run tests
-        run: |
-          poetry install --with test
-          poetry run python -m unittest discover tests
+        run: bash ./tasks/test.sh
 
   deploy:
     runs-on: ubuntu-latest
@@ -54,6 +52,6 @@ jobs:
       - name: Install Poetry
         run: pipx install poetry
       - name: Install dependencies and build package
-        run: ./tasks/build.sh
+        run: bash ./tasks/build.sh
       - name: Publish package to PyPI
         run: poetry publish

From 6f64506053e1163a94c7e473351cd60d965fcbc5 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Fri, 6 Mar 2026 12:49:38 +0000
Subject: [PATCH 52/61] Add custom Content Security Policy tests for Talisman
 integration

---
 tests/test_flask_talisman.py    | 49 +++++++++++++++++++++++++++++++++
 tna_utilities/flask/talisman.py |  2 +-
 2 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/tests/test_flask_talisman.py b/tests/test_flask_talisman.py
index d15bdde..11efc25 100644
--- a/tests/test_flask_talisman.py
+++ b/tests/test_flask_talisman.py
@@ -95,6 +95,55 @@ def test_talisman_app_google(self):
             rv.headers["Content-Security-Policy"],
         )
 
+    def test_talisman_app_custom_csp(self):
+        Talisman(
+            self.app,
+            force_https=False,
+            content_security_policy={
+                "default-src": ["'self'", "example.com"],
+                "img-src": ["'self'", "img.example.com"],
+            },
+        )
+
+        rv = self.test_client.get("/")
+
+        self.assertEqual(rv.status_code, 200)
+
+        self.assertIn("Content-Security-Policy", rv.headers)
+        self.assertIn(
+            "default-src 'self' example.com;",
+            rv.headers["Content-Security-Policy"],
+        )
+        self.assertIn(
+            "img-src 'self' img.example.com;",
+            rv.headers["Content-Security-Policy"],
+        )
+
+    def test_talisman_app_custom_csp_with_google(self):
+        Talisman(
+            self.app,
+            force_https=False,
+            content_security_policy={
+                "default-src": ["'self'", "example.com"],
+                "img-src": ["'self'", "img.example.com"],
+            },
+            allow_google_content_security_policy=True,
+        )
+
+        rv = self.test_client.get("/")
+
+        self.assertEqual(rv.status_code, 200)
+
+        self.assertIn("Content-Security-Policy", rv.headers)
+        self.assertIn(
+            "default-src 'self' example.com;",
+            rv.headers["Content-Security-Policy"],
+        )
+        self.assertIn(
+            "img-src 'self' img.example.com img.youtube.com;",
+            rv.headers["Content-Security-Policy"],
+        )
+
     def test_talisman_force_https(self):
         Talisman(self.app)
 
diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index ef6db98..07b7a7b 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -121,7 +121,7 @@ def _csp(
         Generates a Content-Security-Policy header value based on the provided content security policy configuration and the option to include Google's recommended content security policy directives.
         """
 
-        csp = CspGenerator()
+        csp = CspGenerator(default_src=content_security_policy.get("default-src", ""))
 
         csp.base_uri(content_security_policy.get("base-uri", ""))
         csp.child_src(content_security_policy.get("child-src", ""))

From 99edbdc5dba1adbd67e9269ca9cc50292ff5bfb1 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 9 Mar 2026 08:54:05 +0000
Subject: [PATCH 53/61] Update README.md

---
 README.md | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 770ded2..f390e35 100644
--- a/README.md
+++ b/README.md
@@ -36,7 +36,5 @@ pip install tna-utilities[flask]
 ./tasks/format.sh
 
 # Build the package
-python -m pip install --upgrade pip
-pip install build
-python -m build
+./tasks/build.sh
 ```

From 160f2da9bf30f3a6b14b0c4eb335cd8f93996ac5 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 9 Mar 2026 08:54:41 +0000
Subject: [PATCH 54/61] Update Talisman configuration to use update method for
 session cookie settings and add permanent session lifetime

---
 tna_utilities/flask/talisman.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/tna_utilities/flask/talisman.py b/tna_utilities/flask/talisman.py
index 07b7a7b..3d4f2b2 100644
--- a/tna_utilities/flask/talisman.py
+++ b/tna_utilities/flask/talisman.py
@@ -62,9 +62,12 @@ def init_app(
         :param force_https_permanent: If True, uses a permanent redirect (HTTP 301) when forcing HTTPS, otherwise uses a temporary redirect (HTTP 302). Defaults to False.
         """
 
-        self.app.config["SESSION_COOKIE_SECURE"] = force_https and not self.app.debug
-        self.app.config["SESSION_COOKIE_HTTPONLY"] = True
-        self.app.config["SESSION_COOKIE_SAMESITE"] = "Lax"
+        self.app.config.update(
+            SESSION_COOKIE_SECURE=force_https and not self.app.debug,
+            SESSION_COOKIE_HTTPONLY=True,
+            SESSION_COOKIE_SAMESITE="Lax",
+            PERMANENT_SESSION_LIFETIME=86400,  # 1 day
+        )
 
         self.content_security_policy = content_security_policy
         self.allow_google_content_security_policy = allow_google_content_security_policy

From 13e53d7113fd6a4a5a35aca4b3f6aee46cb9ab47 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 9 Mar 2026 09:27:00 +0000
Subject: [PATCH 55/61] WIP: First draft API client

---
 docs/api.md          |   5 ++
 tests/test_api.py    |  36 +++++++++++++
 tna_utilities/api.py | 121 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 162 insertions(+)
 create mode 100644 docs/api.md
 create mode 100644 tests/test_api.py
 create mode 100644 tna_utilities/api.py

diff --git a/docs/api.md b/docs/api.md
new file mode 100644
index 0000000..62fea93
--- /dev/null
+++ b/docs/api.md
@@ -0,0 +1,5 @@
+# API
+
+## `SimpleJsonApiClient`
+
+TODO
diff --git a/tests/test_api.py b/tests/test_api.py
new file mode 100644
index 0000000..b04d51f
--- /dev/null
+++ b/tests/test_api.py
@@ -0,0 +1,36 @@
+import unittest
+from unittest import mock
+import requests
+
+from tna_utilities.api import ResourceForbidden, ResourceNotFound, SimpleJsonApiClient
+
+
+
+def mocked_get_requests(*args, **kwargs):
+    class MockResponse:
+        def __init__(self, json_data, status_code):
+            self.json_data = json_data
+            self.status_code = status_code
+
+        def json(self):
+            return self.json_data
+
+    if args[0] == 'http://mockapi.com/test':
+        return MockResponse({"key1": "value1"}, 200)
+
+    return MockResponse(None, 404)
+
+
+
+class TestSimpleJsonApiClient(unittest.TestCase):
+    @mock.patch('requests.get', side_effect=mocked_get_requests)
+    def test_happy(self, mock_get):
+        client = SimpleJsonApiClient("http://mockapi.com/")
+        response = client.get("/test")
+        assert response == {"key1": "value1"}
+        self.assertEqual(type(response), dict)
+        self.assertDictEqual(response, {"key1": "value1"})
+        self.assertIn(mock.call('http://mockapi.com/test'), mock_get.call_args_list)
+        self.assertEqual(len(mock_get.call_args_list), 1)
+
+
diff --git a/tna_utilities/api.py b/tna_utilities/api.py
new file mode 100644
index 0000000..3b5b56f
--- /dev/null
+++ b/tna_utilities/api.py
@@ -0,0 +1,121 @@
+import requests
+from requests import JSONDecodeError, Response, Timeout, TooManyRedirects, codes
+
+
+class ResourceNotFound(Exception):
+    pass
+
+
+class ResourceForbidden(Exception):
+    pass
+
+
+class SimpleJsonApiClient:
+    """
+    A simple JSON API client that provides basic functionality for making GET requests to a specified API endpoint.
+
+    It allows for the addition of custom headers and parameters, and handles common HTTP response codes, including 200 (OK), 400 (Bad Request), 403 (Forbidden), and 404 (Not Found).
+
+    The client also includes error handling for connection issues, timeouts, and non-JSON responses.
+
+    :param api_url: The base URL of the API.
+    :param defaultHeaders: Optional dictionary of default headers to include in every request.
+    :param defaultParams: Optional dictionary of default parameters to include in every request.
+    """
+
+    def __init__(
+        self, api_url: str, defaultHeaders: dict = {}, defaultParams: dict = {}
+    ):
+        self.api_url: str = api_url.rstrip("/")
+        self.headers: dict = (
+            {
+                "Cache-Control": "no-cache",
+                "Accept": "application/json",
+            }
+            if defaultHeaders
+            else defaultHeaders
+        )
+        self.params: dict = defaultParams
+
+    def add_parameter(self, key: str, value):
+        """
+        Add a single parameter to the request.
+        """
+
+        self.params[key] = value
+
+    def add_parameters(self, params: dict):
+        """
+        Add multiple parameters to the request.
+        """
+
+        self.params = self.params | params
+
+    def add_header(self, key: str, value):
+        """
+        Add a single header to the request.
+        """
+
+        self.headers[key] = value
+
+    def add_headers(self, headers: dict):
+        """
+        Add multiple headers to the request.
+        """
+
+        self.headers = self.headers | headers
+
+    def get(self, path: str = "/"):
+        """
+        Make a GET request to the specified path of the API endpoint.
+        """
+
+        return self.call("GET", path)
+
+    def post(self, path: str = "/"):
+        """
+        Make a POST request to the specified path of the API endpoint.
+        """
+
+        return self.call("POST", path)
+
+    def call(self, method: str, path: str = "/"):
+        """
+        Internal method to make an API call using the specified HTTP method and path.
+        """
+
+        url = f"{self.api_url}/{path.lstrip('/')}"
+        try:
+            response = requests.request(
+                method,
+                url,
+                params=self.params,
+                headers=self.headers,
+            )
+        except ConnectionError:
+            raise Exception("A connection error occured")
+        except Timeout:
+            raise Exception("The request timed out")
+        except TooManyRedirects:
+            raise Exception("Too many redirects")
+        except Exception as e:
+            raise Exception(e)
+        return self._handle_response(response)
+
+    def _handle_response(self, response: Response):
+        """
+        Handle the API response, checking for common HTTP status codes and returning the JSON content if the request was successful.
+        """
+
+        if response.status_code == codes.ok:
+            try:
+                return response.json()
+            except JSONDecodeError:
+                raise Exception("Non-JSON response provided")
+        if response.status_code == 400:
+            raise Exception("Bad request")
+        if response.status_code == 403:
+            raise ResourceForbidden("Forbidden")
+        if response.status_code == 404:
+            raise ResourceNotFound("Resource not found")
+        raise Exception("Request failed")

From 8276640acb0c1c0b029d95ec815ff28b134a6c6a Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 9 Mar 2026 09:42:02 +0000
Subject: [PATCH 56/61] Add basic API test

---
 poetry.lock       | 192 +++++++++++++++++++++++++++++++++++++++++++++-
 pyproject.toml    |   4 +
 tests/test_api.py |  24 +++---
 3 files changed, 206 insertions(+), 14 deletions(-)

diff --git a/poetry.lock b/poetry.lock
index 7761cd2..c163133 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -13,6 +13,141 @@ files = [
 ]
 markers = {main = "extra == \"flask\""}
 
+[[package]]
+name = "certifi"
+version = "2026.2.25"
+description = "Python package for providing Mozilla's CA Bundle."
+optional = false
+python-versions = ">=3.7"
+groups = ["main", "test"]
+files = [
+    {file = "certifi-2026.2.25-py3-none-any.whl", hash = "sha256:027692e4402ad994f1c42e52a4997a9763c646b73e4096e4d5d6db8af1d6f0fa"},
+    {file = "certifi-2026.2.25.tar.gz", hash = "sha256:e887ab5cee78ea814d3472169153c2d12cd43b14bd03329a39a9c6e2e80bfba7"},
+]
+
+[[package]]
+name = "charset-normalizer"
+version = "3.4.5"
+description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet."
+optional = false
+python-versions = ">=3.7"
+groups = ["main", "test"]
+files = [
+    {file = "charset_normalizer-3.4.5-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:4167a621a9a1a986c73777dbc15d4b5eac8ac5c10393374109a343d4013ec765"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:3f64c6bf8f32f9133b668c7f7a7cbdbc453412bc95ecdbd157f3b1e377a92990"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:568e3c34b58422075a1b49575a6abc616d9751b4d61b23f712e12ebb78fe47b2"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:036c079aa08a6a592b82487f97c60b439428320ed1b2ea0b3912e99d30c77765"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:340810d34ef83af92148e96e3e44cb2d3f910d2bf95e5618a5c467d9f102231d"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-manylinux_2_31_armv7l.whl", hash = "sha256:cd2d0f0ec9aa977a27731a3209ebbcacebebaf41f902bd453a928bfd281cf7f8"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:0b362bcd27819f9c07cbf23db4e0e8cd4b44c5ecd900c2ff907b2b92274a7412"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:77be992288f720306ab4108fe5c74797de327f3248368dfc7e1a916d6ed9e5a2"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-musllinux_1_2_armv7l.whl", hash = "sha256:8b78d8a609a4b82c273257ee9d631ded7fac0d875bdcdccc109f3ee8328cfcb1"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:ba20bdf69bd127f66d0174d6f2a93e69045e0b4036dc1ca78e091bcc765830c4"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-musllinux_1_2_riscv64.whl", hash = "sha256:76a9d0de4d0eab387822e7b35d8f89367dd237c72e82ab42b9f7bf5e15ada00f"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:8fff79bf5978c693c9b1a4d71e4a94fddfb5fe744eb062a318e15f4a2f63a550"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:c7e84e0c0005e3bdc1a9211cd4e62c78ba80bc37b2365ef4410cd2007a9047f2"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-win32.whl", hash = "sha256:58ad8270cfa5d4bef1bc85bd387217e14ff154d6630e976c6f56f9a040757475"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-win_amd64.whl", hash = "sha256:02a9d1b01c1e12c27883b0c9349e0bcd9ae92e727ff1a277207e1a262b1cbf05"},
+    {file = "charset_normalizer-3.4.5-cp310-cp310-win_arm64.whl", hash = "sha256:039215608ac7b358c4da0191d10fc76868567fbf276d54c14721bdedeb6de064"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:610f72c0ee565dfb8ae1241b666119582fdbfe7c0975c175be719f940e110694"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:60d68e820af339df4ae8358c7a2e7596badeb61e544438e489035f9fbf3246a5"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:10b473fc8dca1c3ad8559985794815f06ca3fc71942c969129070f2c3cdf7281"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d4eb8ac7469b2a5d64b5b8c04f84d8bf3ad340f4514b98523805cbf46e3b3923"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:5bcb3227c3d9aaf73eaaab1db7ccd80a8995c509ee9941e2aae060ca6e4e5d81"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-manylinux_2_31_armv7l.whl", hash = "sha256:75ee9c1cce2911581a70a3c0919d8bccf5b1cbc9b0e5171400ec736b4b569497"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:1d1401945cb77787dbd3af2446ff2d75912327c4c3a1526ab7955ecf8600687c"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:0a45e504f5e1be0bd385935a8e1507c442349ca36f511a47057a71c9d1d6ea9e"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-musllinux_1_2_armv7l.whl", hash = "sha256:e09f671a54ce70b79a1fc1dc6da3072b7ef7251fadb894ed92d9aa8218465a5f"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:d01de5e768328646e6a3fa9e562706f8f6641708c115c62588aef2b941a4f88e"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-musllinux_1_2_riscv64.whl", hash = "sha256:131716d6786ad5e3dc542f5cc6f397ba3339dc0fb87f87ac30e550e8987756af"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:1a374cc0b88aa710e8865dc1bd6edb3743c59f27830f0293ab101e4cf3ce9f85"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:d31f0d1671e1534e395f9eb84a68e0fb670e1edb1fe819a9d7f564ae3bc4e53f"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-win32.whl", hash = "sha256:cace89841c0599d736d3d74a27bc5821288bb47c5441923277afc6059d7fbcb4"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-win_amd64.whl", hash = "sha256:f8102ae93c0bc863b1d41ea0f4499c20a83229f52ed870850892df555187154a"},
+    {file = "charset_normalizer-3.4.5-cp311-cp311-win_arm64.whl", hash = "sha256:ed98364e1c262cf5f9363c3eca8c2df37024f52a8fa1180a3610014f26eac51c"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:ed97c282ee4f994ef814042423a529df9497e3c666dca19be1d4cd1129dc7ade"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:0294916d6ccf2d069727d65973c3a1ca477d68708db25fd758dd28b0827cff54"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:dc57a0baa3eeedd99fafaef7511b5a6ef4581494e8168ee086031744e2679467"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:ed1a9a204f317ef879b32f9af507d47e49cd5e7f8e8d5d96358c98373314fc60"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:7ad83b8f9379176c841f8865884f3514d905bcd2a9a3b210eaa446e7d2223e4d"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-manylinux_2_31_armv7l.whl", hash = "sha256:a118e2e0b5ae6b0120d5efa5f866e58f2bb826067a646431da4d6a2bdae7950e"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:754f96058e61a5e22e91483f823e07df16416ce76afa4ebf306f8e1d1296d43f"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:0c300cefd9b0970381a46394902cd18eaf2aa00163f999590ace991989dcd0fc"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-musllinux_1_2_armv7l.whl", hash = "sha256:c108f8619e504140569ee7de3f97d234f0fbae338a7f9f360455071ef9855a95"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:d1028de43596a315e2720a9849ee79007ab742c06ad8b45a50db8cdb7ed4a82a"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-musllinux_1_2_riscv64.whl", hash = "sha256:19092dde50335accf365cce21998a1c6dd8eafd42c7b226eb54b2747cdce2fac"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:4354e401eb6dab9aed3c7b4030514328a6c748d05e1c3e19175008ca7de84fb1"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:a68766a3c58fde7f9aaa22b3786276f62ab2f594efb02d0a1421b6282e852e98"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-win32.whl", hash = "sha256:1827734a5b308b65ac54e86a618de66f935a4f63a8a462ff1e19a6788d6c2262"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-win_amd64.whl", hash = "sha256:728c6a963dfab66ef865f49286e45239384249672cd598576765acc2a640a636"},
+    {file = "charset_normalizer-3.4.5-cp312-cp312-win_arm64.whl", hash = "sha256:75dfd1afe0b1647449e852f4fb428195a7ed0588947218f7ba929f6538487f02"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:ac59c15e3f1465f722607800c68713f9fbc2f672b9eb649fe831da4019ae9b23"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:165c7b21d19365464e8f70e5ce5e12524c58b48c78c1f5a57524603c1ab003f8"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:28269983f25a4da0425743d0d257a2d6921ea7d9b83599d4039486ec5b9f911d"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d27ce22ec453564770d29d03a9506d449efbb9fa13c00842262b2f6801c48cce"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0625665e4ebdddb553ab185de5db7054393af8879fb0c87bd5690d14379d6819"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-manylinux_2_31_armv7l.whl", hash = "sha256:c23eb3263356d94858655b3e63f85ac5d50970c6e8febcdde7830209139cc37d"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:e6302ca4ae283deb0af68d2fbf467474b8b6aedcd3dab4db187e07f94c109763"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:e51ae7d81c825761d941962450f50d041db028b7278e7b08930b4541b3e45cb9"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-musllinux_1_2_armv7l.whl", hash = "sha256:597d10dec876923e5c59e48dbd366e852eacb2b806029491d307daea6b917d7c"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:5cffde4032a197bd3b42fd0b9509ec60fb70918d6970e4cc773f20fc9180ca67"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-musllinux_1_2_riscv64.whl", hash = "sha256:2da4eedcb6338e2321e831a0165759c0c620e37f8cd044a263ff67493be8ffb3"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:65a126fb4b070d05340a84fc709dd9e7c75d9b063b610ece8a60197a291d0adf"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:c7a80a9242963416bd81f99349d5f3fce1843c303bd404f204918b6d75a75fd6"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-win32.whl", hash = "sha256:f1d725b754e967e648046f00c4facc42d414840f5ccc670c5670f59f83693e4f"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-win_amd64.whl", hash = "sha256:e37bd100d2c5d3ba35db9c7c5ba5a9228cbcffe5c4778dc824b164e5257813d7"},
+    {file = "charset_normalizer-3.4.5-cp313-cp313-win_arm64.whl", hash = "sha256:93b3b2cc5cf1b8743660ce77a4f45f3f6d1172068207c1defc779a36eea6bb36"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-macosx_10_15_universal2.whl", hash = "sha256:8197abe5ca1ffb7d91e78360f915eef5addff270f8a71c1fc5be24a56f3e4873"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:a2aecdb364b8a1802afdc7f9327d55dad5366bc97d8502d0f5854e50712dbc5f"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:a66aa5022bf81ab4b1bebfb009db4fd68e0c6d4307a1ce5ef6a26e5878dfc9e4"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:d77f97e515688bd615c1d1f795d540f32542d514242067adcb8ef532504cb9ee"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:01a1ed54b953303ca7e310fafe0fe347aab348bd81834a0bcd602eb538f89d66"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-manylinux_2_31_armv7l.whl", hash = "sha256:b2d37d78297b39a9eb9eb92c0f6df98c706467282055419df141389b23f93362"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:e71bbb595973622b817c042bd943c3f3667e9c9983ce3d205f973f486fec98a7"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:4cd966c2559f501c6fd69294d082c2934c8dd4719deb32c22961a5ac6db0df1d"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-musllinux_1_2_armv7l.whl", hash = "sha256:d5e52d127045d6ae01a1e821acfad2f3a1866c54d0e837828538fabe8d9d1bd6"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-musllinux_1_2_ppc64le.whl", hash = "sha256:30a2b1a48478c3428d047ed9690d57c23038dac838a87ad624c85c0a78ebeb39"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-musllinux_1_2_riscv64.whl", hash = "sha256:d8ed79b8f6372ca4254955005830fd61c1ccdd8c0fac6603e2c145c61dd95db6"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-musllinux_1_2_s390x.whl", hash = "sha256:c5af897b45fa606b12464ccbe0014bbf8c09191e0a66aab6aa9d5cf6e77e0c94"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:1088345bcc93c58d8d8f3d783eca4a6e7a7752bbff26c3eee7e73c597c191c2e"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-win32.whl", hash = "sha256:ee57b926940ba00bca7ba7041e665cc956e55ef482f851b9b65acb20d867e7a2"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-win_amd64.whl", hash = "sha256:4481e6da1830c8a1cc0b746b47f603b653dadb690bcd851d039ffaefe70533aa"},
+    {file = "charset_normalizer-3.4.5-cp314-cp314-win_arm64.whl", hash = "sha256:97ab7787092eb9b50fb47fa04f24c75b768a606af1bcba1957f07f128a7219e4"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:e22d1059b951e7ae7c20ef6b06afd10fb95e3c41bf3c4fbc874dba113321c193"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:afca7f78067dd27c2b848f1b234623d26b87529296c6c5652168cc1954f2f3b2"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:ec56a2266f32bc06ed3c3e2a8f58417ce02f7e0356edc89786e52db13c593c98"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:2b970382e4a36bed897c19f310f31d7d13489c11b4f468ddfba42d41cddfb918"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:573ef5814c4b7c0d59a7710aa920eaaaef383bd71626aa420fba27b5cab92e8d"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-manylinux_2_31_armv7l.whl", hash = "sha256:50bcbca6603c06a1dcc7b056ed45c37715fb5d2768feb3bcd37d2313c587a5b9"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:1f2da5cbb9becfcd607757a169e38fb82aa5fd86fae6653dea716e7b613fe2cf"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:fc1c64934b8faf7584924143eb9db4770bbdb16659626e1a1a4d9efbcb68d947"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-musllinux_1_2_armv7l.whl", hash = "sha256:ae8b03427410731469c4033934cf473426faff3e04b69d2dfb64a4281a3719f8"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:b3e71afc578b98512bfe7bdb822dd6bc57d4b0093b4b6e5487c1e96ad4ace242"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-musllinux_1_2_riscv64.whl", hash = "sha256:4b8551b6e6531e156db71193771c93bda78ffc4d1e6372517fe58ad3b91e4659"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-musllinux_1_2_s390x.whl", hash = "sha256:65b3c403a5b6b8034b655e7385de4f72b7b244869a22b32d4030b99a60593eca"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:8ce11cd4d62d11166f2b441e30ace226c19a3899a7cf0796f668fba49a9fb123"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-win32.whl", hash = "sha256:66dee73039277eb35380d1b82cccc69cc82b13a66f9f4a18da32d573acf02b7c"},
+    {file = "charset_normalizer-3.4.5-cp38-cp38-win_amd64.whl", hash = "sha256:d29dd9c016f2078b43d0c357511e87eee5b05108f3dd603423cb389b89813969"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:259cd1ca995ad525f638e131dbcc2353a586564c038fc548a3fe450a91882139"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:8a28afb04baa55abf26df544e3e5c6534245d3daa5178bc4a8eeb48202060d0e"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-manylinux2014_ppc64le.manylinux_2_17_ppc64le.manylinux_2_28_ppc64le.whl", hash = "sha256:ff95a9283de8a457e6b12989de3f9f5193430f375d64297d323a615ea52cbdb3"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-manylinux2014_s390x.manylinux_2_17_s390x.manylinux_2_28_s390x.whl", hash = "sha256:708c7acde173eedd4bfa4028484426ba689d2103b28588c513b9db2cd5ecde9c"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:aa92ec1102eaff840ccd1021478af176a831f1bccb08e526ce844b7ddda85c22"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-manylinux_2_31_armv7l.whl", hash = "sha256:5fea359734b140d0d6741189fea5478c6091b54ffc69d7ce119e0a05637d8c99"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-manylinux_2_31_riscv64.manylinux_2_39_riscv64.whl", hash = "sha256:e545b51da9f9af5c67815ca0eb40676c0f016d0b0381c86f20451e35696c5f95"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:30987f4a8ed169983f93e1be8ffeea5214a779e27ed0b059835c7afe96550ad7"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-musllinux_1_2_armv7l.whl", hash = "sha256:149ec69866c3d6c2fb6f758dbc014ecb09f30b35a5ca90b6a8a2d4e54e18fdfe"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:530beedcec9b6e027e7a4b6ce26eed36678aa39e17da85e6e03d7bd9e8e9d7c9"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-musllinux_1_2_riscv64.whl", hash = "sha256:14498a429321de554b140013142abe7608f9d8ccc04d7baf2ad60498374aefa2"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:2820a98460c83663dd8ec015d9ddfd1e4879f12e06bb7d0500f044fb477d2770"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:aa2f963b4da26daf46231d9b9e0e2c9408a751f8f0d0f44d2de56d3caf51d294"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-win32.whl", hash = "sha256:82cc7c2ad42faec8b574351f8bc2a0c049043893853317bd9bb309f5aba6cb5a"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-win_amd64.whl", hash = "sha256:92263f7eca2f4af326cd20de8d16728d2602f7cfea02e790dcde9d83c365d7cc"},
+    {file = "charset_normalizer-3.4.5-cp39-cp39-win_arm64.whl", hash = "sha256:014837af6fabf57121b6254fa8ade10dceabc3528b27b721a64bbc7b8b1d4eb4"},
+    {file = "charset_normalizer-3.4.5-py3-none-any.whl", hash = "sha256:9db5e3fcdcee89a78c04dffb3fe33c79f77bd741a624946db2591c81b2fc85b0"},
+    {file = "charset_normalizer-3.4.5.tar.gz", hash = "sha256:95adae7b6c42a6c5b5b559b1a99149f090a57128155daeea91732c8d970d8644"},
+]
+
 [[package]]
 name = "click"
 version = "8.3.1"
@@ -67,6 +202,21 @@ werkzeug = ">=3.1.0"
 async = ["asgiref (>=3.2)"]
 dotenv = ["python-dotenv"]
 
+[[package]]
+name = "idna"
+version = "3.11"
+description = "Internationalized Domain Names in Applications (IDNA)"
+optional = false
+python-versions = ">=3.8"
+groups = ["main", "test"]
+files = [
+    {file = "idna-3.11-py3-none-any.whl", hash = "sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea"},
+    {file = "idna-3.11.tar.gz", hash = "sha256:795dafcc9c04ed0c1fb032c2aa73654d8e8c5023a7df64a53f39190ada629902"},
+]
+
+[package.extras]
+all = ["flake8 (>=7.1.1)", "mypy (>=1.11.2)", "pytest (>=8.3.2)", "ruff (>=0.6.2)"]
+
 [[package]]
 name = "itsdangerous"
 version = "2.2.0"
@@ -199,6 +349,46 @@ files = [
 ]
 markers = {main = "extra == \"flask\""}
 
+[[package]]
+name = "requests"
+version = "2.32.5"
+description = "Python HTTP for Humans."
+optional = false
+python-versions = ">=3.9"
+groups = ["main", "test"]
+files = [
+    {file = "requests-2.32.5-py3-none-any.whl", hash = "sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6"},
+    {file = "requests-2.32.5.tar.gz", hash = "sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf"},
+]
+
+[package.dependencies]
+certifi = ">=2017.4.17"
+charset_normalizer = ">=2,<4"
+idna = ">=2.5,<4"
+urllib3 = ">=1.21.1,<3"
+
+[package.extras]
+socks = ["PySocks (>=1.5.6,!=1.5.7)"]
+use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"]
+
+[[package]]
+name = "urllib3"
+version = "2.6.3"
+description = "HTTP library with thread-safe connection pooling, file post, and more."
+optional = false
+python-versions = ">=3.9"
+groups = ["main", "test"]
+files = [
+    {file = "urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4"},
+    {file = "urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed"},
+]
+
+[package.extras]
+brotli = ["brotli (>=1.2.0) ; platform_python_implementation == \"CPython\"", "brotlicffi (>=1.2.0.0) ; platform_python_implementation != \"CPython\""]
+h2 = ["h2 (>=4,<5)"]
+socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"]
+zstd = ["backports-zstd (>=1.0.0) ; python_version < \"3.14\""]
+
 [[package]]
 name = "werkzeug"
 version = "3.1.6"
@@ -224,4 +414,4 @@ flask = ["Flask"]
 [metadata]
 lock-version = "2.1"
 python-versions = ">=3.10"
-content-hash = "3bbfc9ff9479a94ddad419f3170b896c4ee8837e20968a993970cb12df9e8461"
+content-hash = "d0c134217c2131332f080e588b12b145475a6310e56ea95557085cea31204757"
diff --git a/pyproject.toml b/pyproject.toml
index f844eb8..97087b5 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -21,6 +21,9 @@ classifiers = [
   "Programming Language :: Python :: 3.13",
   "Programming Language :: Python :: 3.14",
 ]
+dependencies = [
+  "requests"
+]
 
 [project.optional-dependencies]
 flask = ["Flask"]
@@ -37,6 +40,7 @@ optional = true
 
 [tool.poetry.group.test.dependencies]
 Flask = "^3"
+requests = "^2"
 
 [build-system]
 requires = ["poetry-core>=2.0.0,<3.0.0"]
diff --git a/tests/test_api.py b/tests/test_api.py
index b04d51f..109c639 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,12 +1,10 @@
 import unittest
 from unittest import mock
-import requests
 
 from tna_utilities.api import ResourceForbidden, ResourceNotFound, SimpleJsonApiClient
 
 
-
-def mocked_get_requests(*args, **kwargs):
+def mocked_requests(*args, **kwargs):
     class MockResponse:
         def __init__(self, json_data, status_code):
             self.json_data = json_data
@@ -15,22 +13,22 @@ def __init__(self, json_data, status_code):
         def json(self):
             return self.json_data
 
-    if args[0] == 'http://mockapi.com/test':
-        return MockResponse({"key1": "value1"}, 200)
+    if args[0].upper() == "GET":
+        if args[1] == "http://mockapi.com/happy":
+            return MockResponse({"foo": "bar"}, 200)
 
     return MockResponse(None, 404)
 
 
-
 class TestSimpleJsonApiClient(unittest.TestCase):
-    @mock.patch('requests.get', side_effect=mocked_get_requests)
+    @mock.patch("requests.request", side_effect=mocked_requests)
     def test_happy(self, mock_get):
         client = SimpleJsonApiClient("http://mockapi.com/")
-        response = client.get("/test")
-        assert response == {"key1": "value1"}
+        response = client.get("/happy")
         self.assertEqual(type(response), dict)
-        self.assertDictEqual(response, {"key1": "value1"})
-        self.assertIn(mock.call('http://mockapi.com/test'), mock_get.call_args_list)
+        self.assertDictEqual(response, {"foo": "bar"})
+        self.assertIn(
+            mock.call("GET", "http://mockapi.com/happy", params={}, headers={}),
+            mock_get.call_args_list,
+        )
         self.assertEqual(len(mock_get.call_args_list), 1)
-
-

From a1d4d54255f1a6011cac16f63bfc44b6cedefa85 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 9 Mar 2026 10:13:34 +0000
Subject: [PATCH 57/61] Enhance API client tests with additional error handling
 cases

---
 tests/test_api.py | 44 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 38 insertions(+), 6 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index 109c639..de83b42 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -6,9 +6,10 @@
 
 def mocked_requests(*args, **kwargs):
     class MockResponse:
-        def __init__(self, json_data, status_code):
+        def __init__(self, json_data, status_code, headers={}):
             self.json_data = json_data
             self.status_code = status_code
+            self.headers = headers
 
         def json(self):
             return self.json_data
@@ -16,6 +17,12 @@ def json(self):
     if args[0].upper() == "GET":
         if args[1] == "http://mockapi.com/happy":
             return MockResponse({"foo": "bar"}, 200)
+        elif args[1] == "http://mockapi.com/badrequest":
+            return MockResponse(None, 400)
+        elif args[1] == "http://mockapi.com/forbidden":
+            return MockResponse(None, 403)
+        elif args[1] == "http://mockapi.com/servererror":
+            return MockResponse(None, 500)
 
     return MockResponse(None, 404)
 
@@ -27,8 +34,33 @@ def test_happy(self, mock_get):
         response = client.get("/happy")
         self.assertEqual(type(response), dict)
         self.assertDictEqual(response, {"foo": "bar"})
-        self.assertIn(
-            mock.call("GET", "http://mockapi.com/happy", params={}, headers={}),
-            mock_get.call_args_list,
-        )
-        self.assertEqual(len(mock_get.call_args_list), 1)
+        # called_mock_get_urls = [call.args[1] for call in mock_get.call_args_list if call.args[0].upper() == "GET"]
+        # self.assertIn(
+        #     "http://mockapi.com/happy",
+        #     called_mock_get_urls,
+        # )
+        # self.assertEqual(len(called_mock_get_urls), 1)
+
+    @mock.patch("requests.request", side_effect=mocked_requests)
+    def test_bad_request(self, mock_get):
+        client = SimpleJsonApiClient("http://mockapi.com/")
+        with self.assertRaises(Exception):
+            client.get("/badrequest")
+
+    @mock.patch("requests.request", side_effect=mocked_requests)
+    def test_not_found(self, mock_get):
+        client = SimpleJsonApiClient("http://mockapi.com/")
+        with self.assertRaises(ResourceNotFound):
+            client.get("/notfound")
+
+    @mock.patch("requests.request", side_effect=mocked_requests)
+    def test_resource_forbidden(self, mock_get):
+        client = SimpleJsonApiClient("http://mockapi.com/")
+        with self.assertRaises(ResourceForbidden):
+            client.get("/forbidden")
+
+    @mock.patch("requests.request", side_effect=mocked_requests)
+    def test_other_exception(self, mock_get):
+        client = SimpleJsonApiClient("http://mockapi.com/")
+        with self.assertRaises(Exception):
+            client.get("/servererror")

From 29366085277f1ee415de0c87f8273499e5624297 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 9 Mar 2026 10:26:53 +0000
Subject: [PATCH 58/61] Potential fix for pull request finding 'Module is
 imported with 'import' and 'import from''

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
---
 tests/test_api.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index de83b42..de7ca14 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,5 +1,4 @@
-import unittest
-from unittest import mock
+from unittest import TestCase, mock
 
 from tna_utilities.api import ResourceForbidden, ResourceNotFound, SimpleJsonApiClient
 
@@ -27,7 +26,7 @@ def json(self):
     return MockResponse(None, 404)
 
 
-class TestSimpleJsonApiClient(unittest.TestCase):
+class TestSimpleJsonApiClient(TestCase):
     @mock.patch("requests.request", side_effect=mocked_requests)
     def test_happy(self, mock_get):
         client = SimpleJsonApiClient("http://mockapi.com/")

From 4c65cb7375a5676674d0e843d72f8842ccded2ec Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Mon, 9 Mar 2026 10:29:41 +0000
Subject: [PATCH 59/61] Refactor test_api.py to use a constant for
 MOCK_API_BASE_URL

---
 tests/test_api.py | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index de7ca14..2f39e79 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -2,6 +2,8 @@
 
 from tna_utilities.api import ResourceForbidden, ResourceNotFound, SimpleJsonApiClient
 
+MOCK_API_BASE_URL = "http://mockapi.com/"
+
 
 def mocked_requests(*args, **kwargs):
     class MockResponse:
@@ -14,13 +16,13 @@ def json(self):
             return self.json_data
 
     if args[0].upper() == "GET":
-        if args[1] == "http://mockapi.com/happy":
+        if args[1] == f"{MOCK_API_BASE_URL}happy":
             return MockResponse({"foo": "bar"}, 200)
-        elif args[1] == "http://mockapi.com/badrequest":
+        elif args[1] == f"{MOCK_API_BASE_URL}badrequest":
             return MockResponse(None, 400)
-        elif args[1] == "http://mockapi.com/forbidden":
+        elif args[1] == f"{MOCK_API_BASE_URL}forbidden":
             return MockResponse(None, 403)
-        elif args[1] == "http://mockapi.com/servererror":
+        elif args[1] == f"{MOCK_API_BASE_URL}servererror":
             return MockResponse(None, 500)
 
     return MockResponse(None, 404)
@@ -29,37 +31,37 @@ def json(self):
 class TestSimpleJsonApiClient(TestCase):
     @mock.patch("requests.request", side_effect=mocked_requests)
     def test_happy(self, mock_get):
-        client = SimpleJsonApiClient("http://mockapi.com/")
+        client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         response = client.get("/happy")
         self.assertEqual(type(response), dict)
         self.assertDictEqual(response, {"foo": "bar"})
         # called_mock_get_urls = [call.args[1] for call in mock_get.call_args_list if call.args[0].upper() == "GET"]
         # self.assertIn(
-        #     "http://mockapi.com/happy",
+        #     f"{MOCK_API_BASE_URL}happy",
         #     called_mock_get_urls,
         # )
         # self.assertEqual(len(called_mock_get_urls), 1)
 
     @mock.patch("requests.request", side_effect=mocked_requests)
     def test_bad_request(self, mock_get):
-        client = SimpleJsonApiClient("http://mockapi.com/")
+        client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(Exception):
             client.get("/badrequest")
 
     @mock.patch("requests.request", side_effect=mocked_requests)
     def test_not_found(self, mock_get):
-        client = SimpleJsonApiClient("http://mockapi.com/")
+        client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(ResourceNotFound):
             client.get("/notfound")
 
     @mock.patch("requests.request", side_effect=mocked_requests)
     def test_resource_forbidden(self, mock_get):
-        client = SimpleJsonApiClient("http://mockapi.com/")
+        client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(ResourceForbidden):
             client.get("/forbidden")
 
     @mock.patch("requests.request", side_effect=mocked_requests)
     def test_other_exception(self, mock_get):
-        client = SimpleJsonApiClient("http://mockapi.com/")
+        client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(Exception):
             client.get("/servererror")

From 495790cffcc28746620eaca252d41931aee5be88 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 11 Mar 2026 15:27:04 +0000
Subject: [PATCH 60/61] Enhance SimpleJsonApiClient to support POST requests
 with data and JSON payloads; update tests for new functionality

---
 tests/test_api.py    | 38 +++++++++++++++++++++++++++++++++-----
 tna_utilities/api.py | 14 +++++++++++---
 2 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index 2f39e79..b863eed 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -1,3 +1,4 @@
+import json
 from unittest import TestCase, mock
 
 from tna_utilities.api import ResourceForbidden, ResourceNotFound, SimpleJsonApiClient
@@ -12,20 +13,33 @@ def __init__(self, json_data, status_code, headers={}):
             self.status_code = status_code
             self.headers = headers
 
+    class MockResponseGet(MockResponse):
+        def __init__(self, json_data, status_code, headers={}):
+            super().__init__(json_data, status_code, headers)
+
         def json(self):
             return self.json_data
 
+    class MockResponsePost(MockResponse):
+        def __init__(self, json_data, status_code, headers={}, data=None, json=None):
+            super().__init__(json_data, status_code, headers)
+            self.data = data
+            self.json = json
+
     if args[0].upper() == "GET":
         if args[1] == f"{MOCK_API_BASE_URL}happy":
-            return MockResponse({"foo": "bar"}, 200)
+            return MockResponseGet({"foo": "bar"}, 200)
         elif args[1] == f"{MOCK_API_BASE_URL}badrequest":
-            return MockResponse(None, 400)
+            return MockResponseGet(None, 400)
         elif args[1] == f"{MOCK_API_BASE_URL}forbidden":
-            return MockResponse(None, 403)
+            return MockResponseGet(None, 403)
         elif args[1] == f"{MOCK_API_BASE_URL}servererror":
-            return MockResponse(None, 500)
+            return MockResponseGet(None, 500)
+    elif args[0].upper() == "POST":
+        if args[1] == f"{MOCK_API_BASE_URL}post":
+            return MockResponseGet({"foo": "bar"}, 200)
 
-    return MockResponse(None, 404)
+    return MockResponsePost(None, 404)
 
 
 class TestSimpleJsonApiClient(TestCase):
@@ -65,3 +79,17 @@ def test_other_exception(self, mock_get):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(Exception):
             client.get("/servererror")
+
+    @mock.patch("requests.request", side_effect=mocked_requests)
+    def test_post(self, mock_get):
+        client = SimpleJsonApiClient(MOCK_API_BASE_URL)
+        response = client.post("/post", data={"foo": "bar"})
+        self.assertEqual(type(response), dict)
+        self.assertDictEqual(response, {"foo": "bar"})
+
+    @mock.patch("requests.request", side_effect=mocked_requests)
+    def test_post_json(self, mock_get):
+        client = SimpleJsonApiClient(MOCK_API_BASE_URL)
+        response = client.post("/post", json=json.dumps({"foo": "bar"}))
+        self.assertEqual(type(response), dict)
+        self.assertDictEqual(response, {"foo": "bar"})
diff --git a/tna_utilities/api.py b/tna_utilities/api.py
index 3b5b56f..95b4fc8 100644
--- a/tna_utilities/api.py
+++ b/tna_utilities/api.py
@@ -72,14 +72,20 @@ def get(self, path: str = "/"):
 
         return self.call("GET", path)
 
-    def post(self, path: str = "/"):
+    def post(self, path: str = "/", data: dict | None = None, json: dict | None = None):
         """
         Make a POST request to the specified path of the API endpoint.
         """
 
-        return self.call("POST", path)
+        return self.call("POST", path, data=data, json=json)
 
-    def call(self, method: str, path: str = "/"):
+    def call(
+        self,
+        method: str,
+        path: str = "/",
+        data: dict | None = None,
+        json: dict | None = None,
+    ):
         """
         Internal method to make an API call using the specified HTTP method and path.
         """
@@ -91,6 +97,8 @@ def call(self, method: str, path: str = "/"):
                 url,
                 params=self.params,
                 headers=self.headers,
+                data=data,
+                json=json,
             )
         except ConnectionError:
             raise Exception("A connection error occured")

From 0a49fc3836d61dfa93a0fa52b38bf59b1bf65a57 Mon Sep 17 00:00:00 2001
From: Andrew Hosgood <andrew.hosgood@nationalarchives.gov.uk>
Date: Wed, 11 Mar 2026 15:50:32 +0000
Subject: [PATCH 61/61] Refactor API client methods to improve error handling
 and response management for GET and POST requests

---
 tests/test_api.py    | 99 ++++++++++++++++++++++++++------------------
 tna_utilities/api.py | 37 +++++++++--------
 2 files changed, 79 insertions(+), 57 deletions(-)

diff --git a/tests/test_api.py b/tests/test_api.py
index b863eed..5b8d661 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -6,90 +6,109 @@
 MOCK_API_BASE_URL = "http://mockapi.com/"
 
 
-def mocked_requests(*args, **kwargs):
+def mocked_requests_get(*args, **kwargs):
     class MockResponse:
-        def __init__(self, json_data, status_code, headers={}):
+        def __init__(
+            self, json_data: dict | None, status_code: int, headers: dict = {}
+        ):
             self.json_data = json_data
             self.status_code = status_code
             self.headers = headers
 
-    class MockResponseGet(MockResponse):
-        def __init__(self, json_data, status_code, headers={}):
-            super().__init__(json_data, status_code, headers)
-
         def json(self):
             return self.json_data
 
-    class MockResponsePost(MockResponse):
-        def __init__(self, json_data, status_code, headers={}, data=None, json=None):
-            super().__init__(json_data, status_code, headers)
+    if args[0] == f"{MOCK_API_BASE_URL}happy":
+        return MockResponse({"foo": "bar"}, 200)
+    elif args[0] == f"{MOCK_API_BASE_URL}badrequest":
+        return MockResponse(None, 400)
+    elif args[0] == f"{MOCK_API_BASE_URL}forbidden":
+        return MockResponse(None, 403)
+    elif args[0] == f"{MOCK_API_BASE_URL}servererror":
+        return MockResponse(None, 500)
+
+    return MockResponse(None, 404)
+
+
+def mocked_requests_post(*args, **kwargs):
+    class MockResponse:
+        def __init__(
+            self,
+            json_data: dict | None,
+            status_code: int,
+            headers: dict = {},
+            data: dict | None = None,
+            json: dict | None = None,
+        ):
+            self.status_code = status_code
+            self.headers = headers
             self.data = data
-            self.json = json
+            self.json_data = json_data
+
+        def json(self):
+            return self.json_data
 
-    if args[0].upper() == "GET":
-        if args[1] == f"{MOCK_API_BASE_URL}happy":
-            return MockResponseGet({"foo": "bar"}, 200)
-        elif args[1] == f"{MOCK_API_BASE_URL}badrequest":
-            return MockResponseGet(None, 400)
-        elif args[1] == f"{MOCK_API_BASE_URL}forbidden":
-            return MockResponseGet(None, 403)
-        elif args[1] == f"{MOCK_API_BASE_URL}servererror":
-            return MockResponseGet(None, 500)
-    elif args[0].upper() == "POST":
-        if args[1] == f"{MOCK_API_BASE_URL}post":
-            return MockResponseGet({"foo": "bar"}, 200)
+    if args[0] == f"{MOCK_API_BASE_URL}post":
+        return MockResponse({"response": "success"}, 200)
 
-    return MockResponsePost(None, 404)
+    return MockResponse(None, 404)
 
 
 class TestSimpleJsonApiClient(TestCase):
-    @mock.patch("requests.request", side_effect=mocked_requests)
-    def test_happy(self, mock_get):
+    @mock.patch("requests.get", side_effect=mocked_requests_get)
+    @mock.patch("requests.post", side_effect=mocked_requests_post)
+    def test_happy(self, mock_get, mock_post):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         response = client.get("/happy")
         self.assertEqual(type(response), dict)
         self.assertDictEqual(response, {"foo": "bar"})
-        # called_mock_get_urls = [call.args[1] for call in mock_get.call_args_list if call.args[0].upper() == "GET"]
+        # called_mock_get_urls = [call.args[0] for call in mock_get.call_args_list]
         # self.assertIn(
         #     f"{MOCK_API_BASE_URL}happy",
         #     called_mock_get_urls,
         # )
         # self.assertEqual(len(called_mock_get_urls), 1)
 
-    @mock.patch("requests.request", side_effect=mocked_requests)
-    def test_bad_request(self, mock_get):
+    @mock.patch("requests.get", side_effect=mocked_requests_get)
+    @mock.patch("requests.post", side_effect=mocked_requests_post)
+    def test_bad_request(self, mock_get, mock_post):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(Exception):
             client.get("/badrequest")
 
-    @mock.patch("requests.request", side_effect=mocked_requests)
-    def test_not_found(self, mock_get):
+    @mock.patch("requests.get", side_effect=mocked_requests_get)
+    @mock.patch("requests.post", side_effect=mocked_requests_post)
+    def test_not_found(self, mock_get, mock_post):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(ResourceNotFound):
             client.get("/notfound")
 
-    @mock.patch("requests.request", side_effect=mocked_requests)
-    def test_resource_forbidden(self, mock_get):
+    @mock.patch("requests.get", side_effect=mocked_requests_get)
+    @mock.patch("requests.post", side_effect=mocked_requests_post)
+    def test_resource_forbidden(self, mock_get, mock_post):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(ResourceForbidden):
             client.get("/forbidden")
 
-    @mock.patch("requests.request", side_effect=mocked_requests)
-    def test_other_exception(self, mock_get):
+    @mock.patch("requests.get", side_effect=mocked_requests_get)
+    @mock.patch("requests.post", side_effect=mocked_requests_post)
+    def test_other_exception(self, mock_get, mock_post):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         with self.assertRaises(Exception):
             client.get("/servererror")
 
-    @mock.patch("requests.request", side_effect=mocked_requests)
-    def test_post(self, mock_get):
+    @mock.patch("requests.get", side_effect=mocked_requests_get)
+    @mock.patch("requests.post", side_effect=mocked_requests_post)
+    def test_post(self, mock_get, mock_post):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         response = client.post("/post", data={"foo": "bar"})
         self.assertEqual(type(response), dict)
-        self.assertDictEqual(response, {"foo": "bar"})
+        self.assertDictEqual(response, {"response": "success"})
 
-    @mock.patch("requests.request", side_effect=mocked_requests)
-    def test_post_json(self, mock_get):
+    @mock.patch("requests.get", side_effect=mocked_requests_get)
+    @mock.patch("requests.post", side_effect=mocked_requests_post)
+    def test_post_json(self, mock_get, mock_post):
         client = SimpleJsonApiClient(MOCK_API_BASE_URL)
         response = client.post("/post", json=json.dumps({"foo": "bar"}))
         self.assertEqual(type(response), dict)
-        self.assertDictEqual(response, {"foo": "bar"})
+        self.assertDictEqual(response, {"response": "success"})
diff --git a/tna_utilities/api.py b/tna_utilities/api.py
index 95b4fc8..f791c9e 100644
--- a/tna_utilities/api.py
+++ b/tna_utilities/api.py
@@ -70,30 +70,33 @@ def get(self, path: str = "/"):
         Make a GET request to the specified path of the API endpoint.
         """
 
-        return self.call("GET", path)
-
-    def post(self, path: str = "/", data: dict | None = None, json: dict | None = None):
-        """
-        Make a POST request to the specified path of the API endpoint.
-        """
-
-        return self.call("POST", path, data=data, json=json)
+        url = f"{self.api_url}/{path.lstrip('/')}"
+        try:
+            response = requests.get(
+                url,
+                params=self.params,
+                headers=self.headers,
+            )
+        except ConnectionError:
+            raise Exception("A connection error occured")
+        except Timeout:
+            raise Exception("The request timed out")
+        except TooManyRedirects:
+            raise Exception("Too many redirects")
+        except Exception as e:
+            raise Exception(e)
+        return self._handle_response(response)
 
-    def call(
-        self,
-        method: str,
-        path: str = "/",
-        data: dict | None = None,
-        json: dict | None = None,
+    def post(
+        self, path: str = "/", data: dict | None = None, json: dict | str | None = None
     ):
         """
-        Internal method to make an API call using the specified HTTP method and path.
+        Make a POST request to the specified path of the API endpoint.
         """
 
         url = f"{self.api_url}/{path.lstrip('/')}"
         try:
-            response = requests.request(
-                method,
+            response = requests.post(
                 url,
                 params=self.params,
                 headers=self.headers,