docs: close turnstile roadmap items

docs/roadmap/done/SEC-001-turnstile-captcha.yaml

@@ -0,0 +1,32 @@
+id: SEC-001
+title: Turnstile CAPTCHA for Public Workspace Bootstrap
+status: done
+priority: P0
+effort: M
+depends_on:
+  - PORT-004
+tags:
+  - security
+  - public-exposure
+  - workspace
+summary: >
+  Require Cloudflare Turnstile verification before creating a workspace from the
+  public welcome page on lombard.uncloud.tech.
+acceptance_criteria:
+  - Welcome/bootstrap flow at / and /workspaces/bootstrap requires valid Turnstile verification before creating a workspace.
+  - Workspace creation fails closed when the Turnstile token is missing, invalid, expired, or verification cannot be completed.
+  - Existing users with a valid workspace cookie visiting / are redirected to their workspace without solving CAPTCHA again.
+  - UI shows a clear user-facing retry path when CAPTCHA verification fails.
+  - Server-side verification uses TURNSTILE_SECRET_KEY and does not trust client-side success alone.
+  - Browser test covers protected bootstrap flow using Cloudflare Turnstile test keys in local/dev mode.
+technical_notes:
+  - Use Cloudflare Turnstile only on the welcome/bootstrap flow, not on normal workspace navigation.
+  - Keep verification in a focused server-side seam such as app/services/turnstile.py.
+  - Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
+  - This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.
+completed_notes:
+  - Added server-side Turnstile verification seam in app/services/turnstile.py.
+  - Changed workspace bootstrap to POST-only and redirected failures to /?captcha_error=1.
+  - Added welcome-page Turnstile widget markup and retry UX.
+  - Preserved a safe compatibility redirect for legacy GET /workspaces/bootstrap -> /.
+  - Added browser and route tests covering protected bootstrap flow and invalid fake workspace paths.