30 lines
1.4 KiB
YAML
30 lines
1.4 KiB
YAML
id: SEC-001A
|
|
title: Turnstile Config, Test Keys, and Deployment Wiring
|
|
status: done
|
|
priority: P0
|
|
effort: S
|
|
depends_on:
|
|
- SEC-001
|
|
tags:
|
|
- security
|
|
- config
|
|
- deploy
|
|
summary: >
|
|
Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
|
|
and production deployment.
|
|
acceptance_criteria:
|
|
- App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
|
|
- Local/dev defaults can use Cloudflare's documented Turnstile test keys.
|
|
- Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
|
|
- Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
|
|
- Docs explain local vs production key usage and browser-test setup.
|
|
technical_notes:
|
|
- Secret key must remain server-side only.
|
|
- Prefer explicit settings validation over silent fallback in production.
|
|
completed_notes:
|
|
- Environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY are supported.
|
|
- Development/test defaults use Cloudflare Turnstile test keys; non-dev/test missing keys fail loudly.
|
|
- Forgejo deploy workflow now passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY.
|
|
- docker-compose.deploy.yml and scripts/deploy-forgejo.sh pass Turnstile settings through to runtime.
|
|
- README and .env.example now document local/test keys, fail-path keys, and production wiring.
|