docs: close turnstile roadmap items

docs/roadmap/done/SEC-001-turnstile-captcha.yaml

@@ -0,0 +1,32 @@
+id: SEC-001
+title: Turnstile CAPTCHA for Public Workspace Bootstrap
+status: done
+priority: P0
+effort: M
+depends_on:
+  - PORT-004
+tags:
+  - security
+  - public-exposure
+  - workspace
+summary: >
+  Require Cloudflare Turnstile verification before creating a workspace from the
+  public welcome page on lombard.uncloud.tech.
+acceptance_criteria:
+  - Welcome/bootstrap flow at / and /workspaces/bootstrap requires valid Turnstile verification before creating a workspace.
+  - Workspace creation fails closed when the Turnstile token is missing, invalid, expired, or verification cannot be completed.
+  - Existing users with a valid workspace cookie visiting / are redirected to their workspace without solving CAPTCHA again.
+  - UI shows a clear user-facing retry path when CAPTCHA verification fails.
+  - Server-side verification uses TURNSTILE_SECRET_KEY and does not trust client-side success alone.
+  - Browser test covers protected bootstrap flow using Cloudflare Turnstile test keys in local/dev mode.
+technical_notes:
+  - Use Cloudflare Turnstile only on the welcome/bootstrap flow, not on normal workspace navigation.
+  - Keep verification in a focused server-side seam such as app/services/turnstile.py.
+  - Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
+  - This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.
+completed_notes:
+  - Added server-side Turnstile verification seam in app/services/turnstile.py.
+  - Changed workspace bootstrap to POST-only and redirected failures to /?captcha_error=1.
+  - Added welcome-page Turnstile widget markup and retry UX.
+  - Preserved a safe compatibility redirect for legacy GET /workspaces/bootstrap -> /.
+  - Added browser and route tests covering protected bootstrap flow and invalid fake workspace paths.

docs/roadmap/done/SEC-001A-turnstile-config.yaml

@@ -0,0 +1,29 @@
+id: SEC-001A
+title: Turnstile Config, Test Keys, and Deployment Wiring
+status: done
+priority: P0
+effort: S
+depends_on:
+  - SEC-001
+tags:
+  - security
+  - config
+  - deploy
+summary: >
+  Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
+  and production deployment.
+acceptance_criteria:
+  - App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
+  - Local/dev defaults can use Cloudflare's documented Turnstile test keys.
+  - Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
+  - Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
+  - Docs explain local vs production key usage and browser-test setup.
+technical_notes:
+  - Secret key must remain server-side only.
+  - Prefer explicit settings validation over silent fallback in production.
+completed_notes:
+  - Environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY are supported.
+  - Development/test defaults use Cloudflare Turnstile test keys; non-dev/test missing keys fail loudly.
+  - Forgejo deploy workflow now passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY.
+  - docker-compose.deploy.yml and scripts/deploy-forgejo.sh pass Turnstile settings through to runtime.
+  - README and .env.example now document local/test keys, fail-path keys, and production wiring.