docs: close turnstile roadmap items

2026-03-25 10:29:50 +01:00
parent 40f7e74a1b
commit b1e5cbd47e
5 changed files with 56 additions and 11 deletions
--- a/docs/roadmap/done/SEC-001A-turnstile-config.yaml
+++ b/docs/roadmap/done/SEC-001A-turnstile-config.yaml
@@ -0,0 +1,29 @@
+id: SEC-001A
+title: Turnstile Config, Test Keys, and Deployment Wiring
+status: done
+priority: P0
+effort: S
+depends_on:
+  - SEC-001
+tags:
+  - security
+  - config
+  - deploy
+summary: >
+  Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
+  and production deployment.
+acceptance_criteria:
+  - App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
+  - Local/dev defaults can use Cloudflare's documented Turnstile test keys.
+  - Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
+  - Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
+  - Docs explain local vs production key usage and browser-test setup.
+technical_notes:
+  - Secret key must remain server-side only.
+  - Prefer explicit settings validation over silent fallback in production.
+completed_notes:
+  - Environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY are supported.
+  - Development/test defaults use Cloudflare Turnstile test keys; non-dev/test missing keys fail loudly.
+  - Forgejo deploy workflow now passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY.
+  - docker-compose.deploy.yml and scripts/deploy-forgejo.sh pass Turnstile settings through to runtime.
+  - README and .env.example now document local/test keys, fail-path keys, and production wiring.