bu5hm4nn/vault-dash
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: close turnstile roadmap items

Browse Source
This commit is contained in:
Bu5hm4nn
2026-03-25 10:29:50 +01:00
parent 40f7e74a1b
commit b1e5cbd47e
5 changed files with 56 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
docs/roadmap/backlog/SEC-001-turnstile-captcha.yaml
View File

@@ -1,26 +0,0 @@
id: SEC-001
title: Turnstile CAPTCHA for Public Workspace Bootstrap
status: backlog
priority: P0
effort: M
depends_on:
- PORT-004
tags:
- security
- public-exposure
- workspace
summary: >
Require Cloudflare Turnstile verification before creating a workspace from the
public welcome page on lombard.uncloud.tech.
acceptance_criteria:
- Welcome/bootstrap flow at / and /workspaces/bootstrap requires valid Turnstile verification before creating a workspace.
- Workspace creation fails closed when the Turnstile token is missing, invalid, expired, or verification cannot be completed.
- Existing users with a valid workspace cookie visiting / are redirected to their workspace without solving CAPTCHA again.
- UI shows a clear user-facing retry path when CAPTCHA verification fails.
- Server-side verification uses TURNSTILE_SECRET_KEY and does not trust client-side success alone.
- Browser test covers protected bootstrap flow using Cloudflare Turnstile test keys in local/dev mode.
technical_notes:
- Use Cloudflare Turnstile only on the welcome/bootstrap flow, not on normal workspace navigation.
- Keep verification in a focused server-side seam such as app/services/turnstile.py.
- Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
- This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.

23
docs/roadmap/backlog/SEC-001A-turnstile-config.yaml
View File

@@ -1,23 +0,0 @@
id: SEC-001A
title: Turnstile Config, Test Keys, and Deployment Wiring
status: backlog
priority: P0
effort: S
depends_on:
- SEC-001
tags:
- security
- config
- deploy
summary: >
Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
and production deployment.
acceptance_criteria:
- App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
- Local/dev defaults can use Cloudflare's documented Turnstile test keys.
- Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
- Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
- Docs explain local vs production key usage and browser-test setup.
technical_notes:
- Secret key must remain server-side only.
- Prefer explicit settings validation over silent fallback in production.