id: SEC-001A
title: Turnstile Config, Test Keys, and Deployment Wiring
status: backlog
priority: P0
effort: S
depends_on:
  - SEC-001
tags:
  - security
  - config
  - deploy
summary: >
  Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
  and production deployment.
acceptance_criteria:
  - App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
  - Local/dev defaults can use Cloudflare's documented Turnstile test keys.
  - Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
  - Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
  - Docs explain local vs production key usage and browser-test setup.
technical_notes:
  - Secret key must remain server-side only.
  - Prefer explicit settings validation over silent fallback in production.