From b1e5cbd47e2b8957f0b7648a51968a910501ba1c Mon Sep 17 00:00:00 2001
From: Bu5hm4nn
Date: Wed, 25 Mar 2026 10:29:50 +0100
Subject: [PATCH] docs: close turnstile roadmap items

---
 AGENTS.md | 2 +-
 README.md | 31 +++++++++++++++++++
 docs/roadmap/ROADMAP.yaml | 18 ++++++-----
 .../SEC-001-turnstile-captcha.yaml | 8 ++++-
 .../SEC-001A-turnstile-config.yaml | 8 ++++-
 5 files changed, 56 insertions(+), 11 deletions(-)
 rename docs/roadmap/{backlog => done}/SEC-001-turnstile-captcha.yaml (75%)
 rename docs/roadmap/{backlog => done}/SEC-001A-turnstile-config.yaml (63%)

diff --git a/AGENTS.md b/AGENTS.md
index 347d056..8d56c71 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -41,7 +41,7 @@
   - Review first, then integrate.
 
 9. **Review the backlog after each sprint.**
-   - After each completed sprint or merged feature slice, review `docs/ROADMAP.md`.
+   - After each completed sprint or merged feature slice, review `docs/roadmap/ROADMAP.yaml` and the per-task YAML files.
   - Add any new backlog items uncovered during implementation, testing, review, or deployment.
   - Reorder priorities and update dependencies based on new knowledge.
   - Capture follow-up work explicitly instead of relying on memory or chat context.
diff --git a/README.md b/README.md
index f8b2787..879a282 100644
--- a/README.md
+++ b/README.md
@@ -42,6 +42,37 @@ docker run -p 8000:8000 vault-dash
 docker-compose up -d
 ```
 
+### Turnstile configuration
+
+Workspace creation on the public welcome page is protected by Cloudflare Turnstile.
+
+Local and test environments may use Cloudflare's published test keys:
+
+```bash
+TURNSTILE_SITE_KEY=1x00000000000000000000AA
+TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA
+```
+
+Negative-path testing can use the always-fail/blocked test keys:
+
+```bash
+TURNSTILE_SITE_KEY=2x00000000000000000000AB
+TURNSTILE_SECRET_KEY=2x0000000000000000000000000000000AA
+```
+
+Production must provide real keys via environment variables:
+
+```bash
+TURNSTILE_SITE_KEY=...
+TURNSTILE_SECRET_KEY=...
+```
+
+In Forgejo deployment:
+- `vars.TURNSTILE_SITE_KEY` provides the public site key
+- `secrets.TURNSTILE_SECRET_KEY` provides the server-side secret key
+
+Browser tests run with `APP_ENV=test` and the Turnstile test keys.
+
 ## Architecture
 
 ```
diff --git a/docs/roadmap/ROADMAP.yaml b/docs/roadmap/ROADMAP.yaml
index 22e3bb4..c883d5d 100644
--- a/docs/roadmap/ROADMAP.yaml
+++ b/docs/roadmap/ROADMAP.yaml
@@ -1,5 +1,5 @@
 version: 1
-updated_at: 2026-03-24
+updated_at: 2026-03-25
 structure:
   backlog_dir: docs/roadmap/backlog
   in_progress_dir: docs/roadmap/in-progress
@@ -7,12 +7,10 @@ structure:
   blocked_dir: docs/roadmap/blocked
   cancelled_dir: docs/roadmap/cancelled
 notes:
-  - ROADMAP.md is now a human-readable compatibility index.
+  - The roadmap source of truth is this index plus the per-task YAML files in the status folders.
   - One task lives in one YAML file and changes state by moving between status folders.
   - Priority ordering is maintained here so agents can parse one short file first.
 priority_queue:
-  - SEC-001
-  - SEC-001A
   - CORE-001D
   - BT-003B
   - PORT-003
@@ -20,17 +18,19 @@ priority_queue:
   - BT-001C
   - EXEC-001
   - EXEC-002
+  - DATA-002A
+  - DATA-001A
+  - OPS-001
+  - BT-003
 recently_completed:
+  - SEC-001
+  - SEC-001A
   - CORE-001A
   - CORE-001B
   - CORE-001C
   - PORT-004
-  - BT-001A
-  - BT-003A
 states:
   backlog:
-    - SEC-001
-    - SEC-001A
     - DATA-002A
     - DATA-001A
     - OPS-001
@@ -51,6 +51,8 @@ states:
     - PORT-001A
     - PORT-002
     - PORT-004
+    - SEC-001
+    - SEC-001A
     - EXEC-001A
     - BT-001
     - BT-001A
diff --git a/docs/roadmap/backlog/SEC-001-turnstile-captcha.yaml b/docs/roadmap/done/SEC-001-turnstile-captcha.yaml
similarity index 75%
rename from docs/roadmap/backlog/SEC-001-turnstile-captcha.yaml
rename to docs/roadmap/done/SEC-001-turnstile-captcha.yaml
index 156d907..9d60ff1 100644
--- a/docs/roadmap/backlog/SEC-001-turnstile-captcha.yaml
+++ b/docs/roadmap/done/SEC-001-turnstile-captcha.yaml
@@ -1,6 +1,6 @@
 id: SEC-001
 title: Turnstile CAPTCHA for Public Workspace Bootstrap
-status: backlog
+status: done
 priority: P0
 effort: M
 depends_on:
@@ -24,3 +24,9 @@ technical_notes:
   - Keep verification in a focused server-side seam such as app/services/turnstile.py.
   - Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
   - This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.
+completed_notes:
+  - Added server-side Turnstile verification seam in app/services/turnstile.py.
+  - Changed workspace bootstrap to POST-only and redirected failures to /?captcha_error=1.
+  - Added welcome-page Turnstile widget markup and retry UX.
+  - Preserved a safe compatibility redirect for legacy GET /workspaces/bootstrap -> /.
+  - Added browser and route tests covering protected bootstrap flow and invalid fake workspace paths.
diff --git a/docs/roadmap/backlog/SEC-001A-turnstile-config.yaml b/docs/roadmap/done/SEC-001A-turnstile-config.yaml
similarity index 63%
rename from docs/roadmap/backlog/SEC-001A-turnstile-config.yaml
rename to docs/roadmap/done/SEC-001A-turnstile-config.yaml
index 8dfa204..1897fd2 100644
--- a/docs/roadmap/backlog/SEC-001A-turnstile-config.yaml
+++ b/docs/roadmap/done/SEC-001A-turnstile-config.yaml
@@ -1,6 +1,6 @@
 id: SEC-001A
 title: Turnstile Config, Test Keys, and Deployment Wiring
-status: backlog
+status: done
 priority: P0
 effort: S
 depends_on:
@@ -21,3 +21,9 @@ acceptance_criteria:
 technical_notes:
   - Secret key must remain server-side only.
   - Prefer explicit settings validation over silent fallback in production.
+completed_notes:
+  - Environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY are supported.
+  - Development/test defaults use Cloudflare Turnstile test keys; non-dev/test missing keys fail loudly.
+  - Forgejo deploy workflow now passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY.
+  - docker-compose.deploy.yml and scripts/deploy-forgejo.sh pass Turnstile settings through to runtime.
+  - README and .env.example now document local/test keys, fail-path keys, and production wiring.