docs: close turnstile roadmap items
@@ -41,7 +41,7 @@
|
|||||||
- Review first, then integrate.
|
- Review first, then integrate.
|
||||||
|
|
||||||
9. **Review the backlog after each sprint.**
|
9. **Review the backlog after each sprint.**
|
||||||
- After each completed sprint or merged feature slice, review `docs/ROADMAP.md`.
|
- After each completed sprint or merged feature slice, review `docs/roadmap/ROADMAP.yaml` and the per-task YAML files.
|
||||||
- Add any new backlog items uncovered during implementation, testing, review, or deployment.
|
- Add any new backlog items uncovered during implementation, testing, review, or deployment.
|
||||||
- Reorder priorities and update dependencies based on new knowledge.
|
- Reorder priorities and update dependencies based on new knowledge.
|
||||||
- Capture follow-up work explicitly instead of relying on memory or chat context.
|
- Capture follow-up work explicitly instead of relying on memory or chat context.
|
||||||
|
|||||||
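Review bot: the rewritten bullet now points at `docs/roadmap/ROADMAP.yaml` and "the per-task YAML files" but does not say where those files live, so anyone following this checklist has to open ROADMAP.yaml first to learn that tasks are spread across the status folders it declares (`docs/roadmap/backlog`, `docs/roadmap/in-progress`, `docs/roadmap/blocked`, `docs/roadmap/cancelled`, ...). Spell the location out here, e.g. `- After each completed sprint or merged feature slice, review docs/roadmap/ROADMAP.yaml and the per-task YAML files under the docs/roadmap/<status> folders.`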
31
README.md
@@ -42,6 +42,37 @@ docker run -p 8000:8000 vault-dash
|
|||||||
docker-compose up -d
|
docker-compose up -d
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Turnstile configuration
|
||||||
|
|
||||||
|
Workspace creation on the public welcome page is protected by Cloudflare Turnstile.
|
||||||
|
|
||||||
|
Local and test environments may use Cloudflare's published test keys:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
TURNSTILE_SITE_KEY=1x00000000000000000000AA
|
||||||
|
TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA
|
||||||
|
```
|
||||||
|
|
||||||
|
Negative-path testing can use the always-fail/blocked test keys:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
TURNSTILE_SITE_KEY=2x00000000000000000000AB
|
||||||
|
TURNSTILE_SECRET_KEY=2x0000000000000000000000000000000AA
|
||||||
|
```
|
||||||
|
|
||||||
|
Production must provide real keys via environment variables:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
TURNSTILE_SITE_KEY=...
|
||||||
|
TURNSTILE_SECRET_KEY=...
|
||||||
|
```
|
||||||
|
|
||||||
|
In Forgejo deployment:
|
||||||
|
- `vars.TURNSTILE_SITE_KEY` provides the public site key
|
||||||
|
- `secrets.TURNSTILE_SECRET_KEY` provides the server-side secret key
|
||||||
|
|
||||||
|
Browser tests run with `APP_ENV=test` and the Turnstile test keys.
|
||||||
|
|
||||||
## Architecture
|
## Architecture
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|||||||
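Review bot: the new "Turnstile configuration" section says production "must provide real keys" but never says what happens when it does not, nor which environments get the test-key defaults: the SEC-001A completed notes in this same commit state that dev/test default to the Cloudflare test keys and that a non-dev/test environment with missing keys fails loudly, and the only hint here is the trailing line "Browser tests run with `APP_ENV=test`". Add one sentence naming the `APP_ENV` values that receive the defaults and stating that startup fails otherwise. Also warn explicitly that `TURNSTILE_SECRET_KEY=1x0000000000000000000000000000000AA` makes every token verify, so it must never appear in a production environment file; the fail-path `2x...` keys are the safer ones to copy into a template because they reject every token rather than accept it.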
@@ -1,5 +1,5 @@
|
|||||||
version: 1
|
version: 1
|
||||||
updated_at: 2026-03-24
|
updated_at: 2026-03-25
|
||||||
structure:
|
structure:
|
||||||
backlog_dir: docs/roadmap/backlog
|
backlog_dir: docs/roadmap/backlog
|
||||||
in_progress_dir: docs/roadmap/in-progress
|
in_progress_dir: docs/roadmap/in-progress
|
||||||
@@ -7,12 +7,10 @@ structure:
|
|||||||
blocked_dir: docs/roadmap/blocked
|
blocked_dir: docs/roadmap/blocked
|
||||||
cancelled_dir: docs/roadmap/cancelled
|
cancelled_dir: docs/roadmap/cancelled
|
||||||
notes:
|
notes:
|
||||||
- ROADMAP.md is now a human-readable compatibility index.
|
- The roadmap source of truth is this index plus the per-task YAML files in the status folders.
|
||||||
- One task lives in one YAML file and changes state by moving between status folders.
|
- One task lives in one YAML file and changes state by moving between status folders.
|
||||||
- Priority ordering is maintained here so agents can parse one short file first.
|
- Priority ordering is maintained here so agents can parse one short file first.
|
||||||
priority_queue:
|
priority_queue:
|
||||||
- SEC-001
|
|
||||||
- SEC-001A
|
|
||||||
- CORE-001D
|
- CORE-001D
|
||||||
- BT-003B
|
- BT-003B
|
||||||
- PORT-003
|
- PORT-003
|
||||||
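Review bot: removing the note `- ROADMAP.md is now a human-readable compatibility index.` leaves the status of docs/ROADMAP.md undefined. This commit does not delete or touch that file, and the agent checklist hunk above stops pointing at it, so a reader can no longer tell whether it is still maintained. Either delete docs/ROADMAP.md in the same change or keep a one-line note saying whether it is generated from the YAML or frozen.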
@@ -20,17 +18,19 @@ priority_queue:
|
|||||||
- BT-001C
|
- BT-001C
|
||||||
- EXEC-001
|
- EXEC-001
|
||||||
- EXEC-002
|
- EXEC-002
|
||||||
|
- DATA-002A
|
||||||
|
- DATA-001A
|
||||||
|
- OPS-001
|
||||||
|
- BT-003
|
||||||
recently_completed:
|
recently_completed:
|
||||||
|
- SEC-001
|
||||||
|
- SEC-001A
|
||||||
- CORE-001A
|
- CORE-001A
|
||||||
- CORE-001B
|
- CORE-001B
|
||||||
- CORE-001C
|
- CORE-001C
|
||||||
- PORT-004
|
- PORT-004
|
||||||
- BT-001A
|
|
||||||
- BT-003A
|
|
||||||
states:
|
states:
|
||||||
backlog:
|
backlog:
|
||||||
- SEC-001
|
|
||||||
- SEC-001A
|
|
||||||
- DATA-002A
|
- DATA-002A
|
||||||
- DATA-001A
|
- DATA-001A
|
||||||
- OPS-001
|
- OPS-001
|
||||||
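Review bot: the four entries appended to priority_queue (DATA-002A, DATA-001A, OPS-001, BT-003) and the removal of BT-001A and BT-003A from recently_completed are unrelated to closing the Turnstile stories that the commit message describes, so anyone tracing the roadmap history will not find this reprioritisation under "docs: close turnstile roadmap items". Split them into their own commit or at least list them in the message. Separately, BT-003 now sits at the bottom of the queue while BT-003B is fourth; if BT-003B depends on BT-003 (its depends_on is not visible here), the ordering is inverted.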
@@ -51,6 +51,8 @@ states:
|
|||||||
- PORT-001A
|
- PORT-001A
|
||||||
- PORT-002
|
- PORT-002
|
||||||
- PORT-004
|
- PORT-004
|
||||||
|
- SEC-001
|
||||||
|
- SEC-001A
|
||||||
- EXEC-001A
|
- EXEC-001A
|
||||||
- BT-001
|
- BT-001
|
||||||
- BT-001A
|
- BT-001A
|
||||||
|
|||||||
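Review bot: SEC-001 and SEC-001A are inserted into the middle of this list, between PORT-004 and EXEC-001A, while the surrounding entries (PORT-004, BT-001A, which also appear under recently_completed, so presumably this is the done state; the key itself is outside the hunk) otherwise read like an append-only log. Append new completions after BT-001A instead, so the order conveys completion order and concurrent roadmap edits do not collide on the same line.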
@@ -1,6 +1,6 @@
|
|||||||
id: SEC-001
|
id: SEC-001
|
||||||
title: Turnstile CAPTCHA for Public Workspace Bootstrap
|
title: Turnstile CAPTCHA for Public Workspace Bootstrap
|
||||||
status: backlog
|
status: done
|
||||||
priority: P0
|
priority: P0
|
||||||
effort: M
|
effort: M
|
||||||
depends_on:
|
depends_on:
|
||||||
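Review bot: the status field flips from `backlog` to `done`, but the ROADMAP.yaml note introduced in this same commit says "One task lives in one YAML file and changes state by moving between status folders", so the file should also leave `docs/roadmap/backlog`. No rename is visible in this diff view for SEC-001.yaml or for SEC-001A.yaml below; confirm both were moved into the done folder, otherwise `status: done` and the directory the file sits in disagree and any tooling that lists a folder will still report them as backlog.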
@@ -24,3 +24,9 @@ technical_notes:
|
|||||||
- Keep verification in a focused server-side seam such as app/services/turnstile.py.
|
- Keep verification in a focused server-side seam such as app/services/turnstile.py.
|
||||||
- Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
|
- Use Cloudflare's published Turnstile test keys for deterministic local/browser coverage.
|
||||||
- This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.
|
- This story exists because the app is now publicly reachable at https://lombard.uncloud.tech.
|
||||||
|
completed_notes:
|
||||||
|
- Added server-side Turnstile verification seam in app/services/turnstile.py.
|
||||||
|
- Changed workspace bootstrap to POST-only and redirected failures to /?captcha_error=1.
|
||||||
|
- Added welcome-page Turnstile widget markup and retry UX.
|
||||||
|
- Preserved a safe compatibility redirect for legacy GET /workspaces/bootstrap -> /.
|
||||||
|
- Added browser and route tests covering protected bootstrap flow and invalid fake workspace paths.
|
||||||
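Review bot: the completed_notes leave the failure semantics of the server-side check implicit. Note 2 says failures redirect to `/?captcha_error=1`, but nothing states whether a request with no token field at all, or a siteverify call that times out or returns a non-200 response, is treated as a failure (fail closed) rather than as a pass. Since technical_notes record that the app is publicly reachable, that is the case an attacker will probe first; add an explicit line such as `- Missing token or a siteverify transport error is treated as verification failure.` and make sure the route tests in note 5 cover both cases, not only an invalid token.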
@@ -1,6 +1,6 @@
|
|||||||
id: SEC-001A
|
id: SEC-001A
|
||||||
title: Turnstile Config, Test Keys, and Deployment Wiring
|
title: Turnstile Config, Test Keys, and Deployment Wiring
|
||||||
status: backlog
|
status: done
|
||||||
priority: P0
|
priority: P0
|
||||||
effort: S
|
effort: S
|
||||||
depends_on:
|
depends_on:
|
||||||
@@ -21,3 +21,9 @@ acceptance_criteria:
|
|||||||
technical_notes:
|
technical_notes:
|
||||||
- Secret key must remain server-side only.
|
- Secret key must remain server-side only.
|
||||||
- Prefer explicit settings validation over silent fallback in production.
|
- Prefer explicit settings validation over silent fallback in production.
|
||||||
|
completed_notes:
|
||||||
|
- Environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY are supported.
|
||||||
|
- Development/test defaults use Cloudflare Turnstile test keys; non-dev/test missing keys fail loudly.
|
||||||
|
- Forgejo deploy workflow now passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY.
|
||||||
|
- docker-compose.deploy.yml and scripts/deploy-forgejo.sh pass Turnstile settings through to runtime.
|
||||||
|
- README and .env.example now document local/test keys, fail-path keys, and production wiring.
|
||||||
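Review bot: "non-dev/test missing keys fail loudly" covers absent keys but not present-but-wrong ones. The `1x0000000000000000000000000000000AA` secret documented in the README hunk makes siteverify accept every token, and note 5 says `.env.example` now documents those local/test keys, so a production host that inherits a dev `.env` or copies the example file keeps Turnstile "enabled" while verifying nothing, which is exactly the silent fallback the technical_notes warn against. Extend the settings validation to reject the published `1x`/`2x` test keys whenever the environment is not dev/test, and record that either as a completed note here or as a follow-up task in the backlog.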