24 lines
910 B
YAML
id: SEC-001A
title: Turnstile Config, Test Keys, and Deployment Wiring
status: backlog
priority: P0
effort: S
depends_on:
  - SEC-001
tags:
  - security
  - config
  - deploy
summary: >
  Wire Cloudflare Turnstile configuration cleanly across local dev, tests, CI,
  and production deployment.
acceptance_criteria:
  - App config supports environment-driven TURNSTILE_SITE_KEY and TURNSTILE_SECRET_KEY.
  - Local/dev defaults can use Cloudflare's documented Turnstile test keys.
  - Forgejo deploy/runtime path passes vars.TURNSTILE_SITE_KEY and secrets.TURNSTILE_SECRET_KEY into the app environment.
  - Missing production keys fail loudly in public/prod mode rather than silently disabling CAPTCHA.
  - Docs explain local vs production key usage and browser-test setup.
technical_notes:
  - Secret key must remain server-side only.
  - Prefer explicit settings validation over silent fallback in production.