id: SEC-001A
title: Turnstile Config, Test Keys, and Deployment Wiring
status: done
priority: P0
effort: S
depends_on:
  - SEC-001
tags:
  - security
  - config
  - deploy
summary: >
  Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
  and production deployment.
acceptance_criteria:
  - App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
  - Local/dev defaults can use Cloudflare's documented Turnstile test keys.
  - Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
  - Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
  - Docs explain local vs production key usage and browser-test setup.
technical_notes:
  - The secret key must remain server-side only; only the site key is public and may be rendered into widget markup, templates, or client bundles.
  - Prefer explicit settings validation at startup over a silent fallback in production, so a missing or misnamed variable stops the deploy instead of shipping with CAPTCHA off.
completed_notes:
  - Environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY are supported.
  - Development/test defaults use Cloudflare Turnstile test keys; in non-dev/test modes, missing keys fail loudly.
  - Forgejo deploy workflow now passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY.
  - docker-compose.deploy.yml and scripts/deploy-forgejo.sh pass Turnstile settings through to runtime.
  - README and .env.example now document local/test keys, fail-path keys, and production wiring.
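The acceptance criteria above describe a settings loader: read the two Turnstile variables from the environment, fall back to Cloudflare's documented test keys only in development/test, and refuse to start in any other mode when a key is missing. The following is an added illustration written for this ticket, not code from the project. It assumes the app's mode is signalled by an `APP_ENV` variable (the ticket does not name one) and treats every mode other than `development`/`dev`/`test` as production, so a typo in the mode name fails closed. It also goes one step beyond the ticket: because the "always passes" test key would make CAPTCHA a no-op in production, the loader rejects Cloudflare's test keys outside dev/test as well. The test-key values are the ones Cloudflare publishes in the Turnstile docs; confirm them against the current documentation before relying on them.

```python
"""Environment-driven Turnstile settings: test-key defaults in dev/test, loud failure elsewhere."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Mapping

# Cloudflare's documented Turnstile test keys. The "always passes" pair is the
# local/dev default; the "always fails" secret lets tests exercise the reject path.
TEST_SITE_KEY_PASS = "1x00000000000000000000AA"
TEST_SECRET_KEY_PASS = "1x0000000000000000000000000000000AA"
TEST_SECRET_KEY_FAIL = "2x0000000000000000000000000000000AA"
KNOWN_TEST_KEYS = {TEST_SITE_KEY_PASS, TEST_SECRET_KEY_PASS, TEST_SECRET_KEY_FAIL}

# Assumption: the app signals its mode through APP_ENV; the ticket does not name the variable.
ENV_VAR_MODE = "APP_ENV"
DEV_MODES = {"development", "dev", "test"}


class TurnstileConfigError(RuntimeError):
    """Raised at startup when a production/public deployment lacks real keys."""


@dataclass(frozen=True)
class TurnstileSettings:
    site_key: str                          # public: rendered into the widget markup
    secret_key: str = field(repr=False)    # server-side only: excluded from repr/log output
    using_test_keys: bool = False

    def public_context(self) -> dict[str, str]:
        """The only Turnstile value the template layer is handed."""
        return {"turnstile_site_key": self.site_key}


def load_turnstile_settings(env: Mapping[str, str]) -> TurnstileSettings:
    mode = env.get(ENV_VAR_MODE, "development").strip().lower()
    site = env.get("TURNSTILE_SITE_KEY", "").strip()
    secret = env.get("TURNSTILE_SECRET_KEY", "").strip()

    if mode in DEV_MODES:
        # Dev/test: fall back to Cloudflare's test keys for whichever value is unset,
        # so a test can still override just the secret with the "always fails" key.
        site = site or TEST_SITE_KEY_PASS
        secret = secret or TEST_SECRET_KEY_PASS
    else:
        missing = [name for name, val in (("TURNSTILE_SITE_KEY", site),
                                          ("TURNSTILE_SECRET_KEY", secret)) if not val]
        if missing:
            raise TurnstileConfigError(
                f"{ENV_VAR_MODE}={mode!r} requires {', '.join(missing)}; "
                "refusing to start with CAPTCHA silently disabled"
            )
        # Beyond the ticket: a test key in production is a silent disable too.
        if site in KNOWN_TEST_KEYS or secret in KNOWN_TEST_KEYS:
            raise TurnstileConfigError(
                f"{ENV_VAR_MODE}={mode!r} is configured with Cloudflare test keys; "
                "every challenge would be accepted or rejected unconditionally"
            )

    using_test = site in KNOWN_TEST_KEYS or secret in KNOWN_TEST_KEYS
    return TurnstileSettings(site_key=site, secret_key=secret, using_test_keys=using_test)


if __name__ == "__main__":
    # Constructed sample environments, not real deployment values.
    dev = load_turnstile_settings({"APP_ENV": "development"})
    print(dev)  # the secret key does not appear in the repr
    try:
        load_turnstile_settings({"APP_ENV": "production", "TURNSTILE_SITE_KEY": "0xPLACEHOLDER"})
    except TurnstileConfigError as exc:
        print("startup refused:", exc)
```

Call `load_turnstile_settings(os.environ)` once at process start and pass `settings.public_context()` to the template layer; the widget gets the site key, and the secret key never leaves the server-side verification call. Because `secret_key` is declared with `repr=False`, a settings object dumped into a log or crash report does not leak it.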