Refactor: eliminate core↔health circular dependency, split monoliths

Phase 1 — AircraftViewSet action registry + health mixin:
- core/action_registry.py: permission routing registry; plugins register
  via register_owner/pilot/read_pilot_write_owner_actions()
- health/aircraft_actions.py: HealthAircraftActionsMixin with all 20
  @action methods moved out of AircraftViewSet; registers permissions
  at module load time so AircraftViewSet.get_permissions() stays generic
- health/serializer_mixins.py: AirworthinessMixin moved from core
- core/serializers.py: import AirworthinessMixin from health
- core/sharing.py: validate_share_token() helper extracted
- health/views_public.py: PublicAircraftSummaryAPI + PublicLogbookEntriesAPI
  moved from core; core now has zero module-level health imports except
  the two intentional bridge imports

Phase 2 — Split core/views.py (2168 lines) → core/views/ package:
- aircraft.py, auth_views.py, public_views.py, import_export_views.py,
  template_views.py, logbook_import_view.py, notes_events.py,
  user_views.py, invitations.py
- __init__.py re-exports all public names for backwards compatibility

Phase 3 — Split aircraft_detail.html (6123 lines) → parent + 10 includes:
- core/templates/includes/detail_{overview,components,logbook,squawks,
  compliance,records,consumables,documents,roles,flights}.html
- Parent template reduced to ~262 lines (header + tab nav + {% include %})

Phase 4 — Per-app URL registration lists + shared router:
- core/urls.py: ROUTER_REGISTRATIONS (5 core routes)
- health/urls.py: ROUTER_REGISTRATIONS (15 health routes)
- simple_aircraft_manager/urls.py: single loop replaces 20 inline calls

All 719 tests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: marbindrakon

CLAUDE.md

@@ -170,7 +170,7 @@ Backfill ownership: `python manage.py assign_owners --user <username> --all`
 
 Feature flag: `OIDC_ENABLED` env var (default `false`). Library: `mozilla-django-oidc`.
 
-Backends (when enabled): `CustomOIDCAuthenticationBackend` (OIDC first) + `ModelBackend` (fallback — local/admin accounts always work). Username strategy: `preferred_username` → email local part → `sub`. Auto-creates/syncs users on login. Logout (`core.views.custom_logout`) handles both RP-initiated OIDC logout and Django session logout.
+Backends (when enabled): `CustomOIDCAuthenticationBackend` (OIDC first) + `ModelBackend` (fallback — local/admin accounts always work). Username strategy: `preferred_username` → email local part → `sub`. Auto-creates/syncs users on login. Logout (`core.views.auth_views.custom_logout`) handles both RP-initiated OIDC logout and Django session logout.
 
 Key files: `core/oidc.py`, `core/context_processors.py` (exposes `OIDC_ENABLED` to templates).
 
@@ -242,7 +242,10 @@ Documents have `collection` FK set or `collection=null` (uncollected). Both retu
 | Event logging | `core/events.py` (`log_event`) |
 | EventLoggingMixin + AircraftScopedMixin | `core/mixins.py` |
 | Permission classes | `core/permissions.py` |
-| Public sharing views | `core/views.py` |
+| Public sharing views | `health/views_public.py` |
+| Views package | `core/views/` (`aircraft.py`, `auth_views.py`, `public_views.py`, `import_export_views.py`, etc.) |
+| Token validation helper | `core/sharing.py` (`validate_share_token`) |
+| Action permission registry | `core/action_registry.py` |
 | Public base template | `core/templates/base_public.html` |
 | Logbook import | `health/logbook_import.py` |
 | OIDC backend | `core/oidc.py` |

core/action_registry.py

@@ -0,0 +1,35 @@
+# Action permission routing registry.
+# Each mixin registers its actions at module load time.
+# AircraftViewSet.get_permissions() consults the registry.
+
+from core.permissions import IsAircraftOwnerOrAdmin, IsAircraftPilotOrAbove
+from rest_framework.permissions import SAFE_METHODS
+
+_OWNER_ACTIONS = set()          # require IsAircraftOwnerOrAdmin always
+_PILOT_ACTIONS = set()          # require IsAircraftPilotOrAbove always
+_READ_PILOT_WRITE_OWNER = set() # GET → pilot, POST/DELETE → owner
+
+
+def register_owner_actions(*actions):
+    _OWNER_ACTIONS.update(actions)
+
+
+def register_pilot_actions(*actions):
+    _PILOT_ACTIONS.update(actions)
+
+
+def register_read_pilot_write_owner(*actions):
+    _READ_PILOT_WRITE_OWNER.update(actions)
+
+
+def get_action_permissions(action_name, http_method=None):
+    """Returns (found: bool, permission_classes: list | None)."""
+    if action_name in _OWNER_ACTIONS:
+        return True, [IsAircraftOwnerOrAdmin()]
+    if action_name in _PILOT_ACTIONS:
+        return True, [IsAircraftPilotOrAbove()]
+    if action_name in _READ_PILOT_WRITE_OWNER:
+        if http_method and http_method in SAFE_METHODS:
+            return True, [IsAircraftPilotOrAbove()]
+        return True, [IsAircraftOwnerOrAdmin()]
+    return False, None

core/serializers.py

@@ -2,12 +2,7 @@
 from django.urls import reverse
 
 from .models import Aircraft, AircraftNote, AircraftEvent, AircraftRole, AircraftShareToken, InvitationCode, InvitationCodeAircraftRole, InvitationCodeRedemption
-from health.services import calculate_airworthiness
-
-
-class AirworthinessMixin:
-    def get_airworthiness(self, obj):
-        return calculate_airworthiness(obj).to_dict()
+from health.serializer_mixins import AirworthinessMixin
 
 
 class UserRoleMixin:

core/sharing.py

@@ -0,0 +1,19 @@
+"""Shared token validation helper used by public views."""
+from django.http import JsonResponse
+from django.utils import timezone
+
+from core.models import AircraftShareToken
+
+
+def validate_share_token(share_token):
+    """
+    Validate a share token UUID.
+    Returns (token_obj, None) on success or (None, error_json_response) on failure.
+    """
+    try:
+        token_obj = AircraftShareToken.objects.select_related('aircraft').get(token=share_token)
+    except AircraftShareToken.DoesNotExist:
+        return None, JsonResponse({'error': 'Not found'}, status=404)
+    if token_obj.expires_at and token_obj.expires_at < timezone.now():
+        return None, JsonResponse({'error': 'Not found'}, status=404)
+    return token_obj, None