Merge branch 'fix/proxy-forwarded-ips' into dev: trust X-Forwarded-* from off-host Caddy

fix: trust X-Forwarded-* when Caddy is on another host
Site was loading under https but Starlette built logo/static URLs as http, tripping CSP `img-src 'self'`. Root cause: Dockerfile hardcoded `--forwarded-allow-ips 127.0.0.1`, but with Caddy on a separate host (10.10.99.10) reverse-proxying to this VM, the container sees the request's source IP as the Docker bridge gateway (~172.17.0.1), not Caddy's real IP — uvicorn discarded X-Forwarded-Proto and fell back to scheme=http. Fixes both now and later: - Dockerfile CMD switched to `sh -c exec uvicorn ... --forwarded-allow-ips "${FORWARDED_ALLOW_IPS:-127.0.0.1}"`. PID-1 / signal behaviour preserved via exec. Default stays 127.0.0.1 so host-uvicorn dev is unchanged; prod sets FORWARDED_ALLOW_IPS=* via .env or compose `command:`. - docker-compose.prod.yml gets an explicit `command:` override so the currently-deployed image (with the hardcoded 127.0.0.1 flag) can be fixed without waiting for a rebuild. Also corrected the port binding comment + default: Caddy is off-host, so the port must be reachable over the LAN — restrict with host firewall / OPNsense instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 13:08:01 -05:00 · 2026-04-22 13:07:54 -05:00 · 2026-04-22 12:58:23 -05:00 · 2026-04-22 08:01:05 -05:00 · 2026-04-22 07:59:22 -05:00 · 2026-04-22 07:59:17 -05:00
31 changed files with 2685 additions and 63 deletions
--- a/.env.example
+++ b/.env.example
@@ -51,7 +51,7 @@ MAGIC_LINK_TTL_MIN=15
 # --- Public URL for link construction --------------------------------------
 # Absolute base URL (scheme+host+port) used to build outbound links such as
 # the magic-link auth email. Override for production.
-PUBLIC_BASE_URL=http://127.0.0.1:8000
+PUBLIC_BASE_URL=http://127.0.0.1:8080
 # --- Build metadata ---------------------------------------------------------
 # Injected at Docker build time. Surfaced by /healthz. Optional in dev.
--- a/.gitea/workflows/build-image.yml
+++ b/.gitea/workflows/build-image.yml
@@ -0,0 +1,36 @@
 name: Build and Push Docker Image
 on:
  push:
    branches: [master]
  workflow_dispatch: {}
 jobs:
  build-and-push:
    runs-on: ubuntu-latest
    container: docker.io/catthehacker/ubuntu:act-latest
    timeout-minutes: 15
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: git.sneakygeek.net
          username: ${{ gitea.actor }}
          password: ${{ secrets.REGISTRY_TOKEN }}
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: git.sneakygeek.net/ptarrant/chicken_babies_site
          tags: |
            type=raw,value=latest
            type=sha,prefix=sha-,format=short
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          build-args: |
            GIT_COMMIT_SHA=${{ gitea.sha }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=registry,ref=git.sneakygeek.net/ptarrant/chicken_babies_site:buildcache
          cache-to: type=registry,ref=git.sneakygeek.net/ptarrant/chicken_babies_site:buildcache,mode=max
--- a/37
+++ b/37
@@ -77,14 +77,35 @@ COPY app /app/app
 ARG GIT_COMMIT_SHA=unknown
 ENV GIT_COMMIT_SHA=${GIT_COMMIT_SHA}
-EXPOSE 8000
+# Phase 6 hardening: create a dedicated non-root user with a stable
 # UID/GID so host bind mounts (data/, media/) have predictable
 # ownership. We pin 10001 because values < 1000 collide with Debian
 # system accounts on some host distros.
 RUN groupadd -g 10001 app \
    && useradd -m -u 10001 -g app app \
    && chown -R app:app /app /opt/venv
 USER app
 EXPOSE 8080
 # Phase 6 healthcheck: hits /healthz over the loopback with stdlib
 # urllib so we don't have to install curl/wget in the runtime image.
 # Intervals tuned for a small VM: probe every 30s, give a fresh
 # container 10s to finish startup before the first probe counts.
 HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD python -c "import urllib.request,sys; urllib.request.urlopen('http://127.0.0.1:8080/healthz', timeout=2); sys.exit(0)" || exit 1
 # Run Uvicorn directly. --proxy-headers + --forwarded-allow-ips make
 # Starlette's ProxyHeadersMiddleware trust X-Forwarded-* only from the
-# listed peer IPs (Caddy on the host). No --reload: this is a prod-shape
+# listed peer IPs. The trusted-IP value is env-driven so the image
-# image; local hot-reload is a dev concern and runs outside Docker.
+# can be reused across topologies:
-CMD ["uvicorn", "app.main:app", \
+#   - local: defaults to 127.0.0.1 (when running uvicorn on the host)
-     "--host", "0.0.0.0", \
+#   - docker/compose behind Caddy: set FORWARDED_ALLOW_IPS="*" in .env
-     "--port", "8000", \
+#     because the container's source IP is the bridge gateway, not
-     "--proxy-headers", \
+#     127.0.0.1. Safe because the host only binds 127.0.0.1:8080 so
-     "--forwarded-allow-ips", "127.0.0.1"]
+#     nothing off-host can reach uvicorn directly.
 # `sh -c exec` keeps uvicorn as PID 1 so SIGTERM still triggers a
 # graceful shutdown (exec form was fine before, but we need shell
 # expansion for ${FORWARDED_ALLOW_IPS}).
 CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port 8080 --proxy-headers --forwarded-allow-ips \"${FORWARDED_ALLOW_IPS:-127.0.0.1}\""]
--- a/app/config.py
+++ b/app/config.py
@@ -183,11 +183,22 @@ class Settings(BaseSettings):
            missing.append("RESEND_FROM")
        if not self.admin_emails or not self.admin_emails_list:
            missing.append("ADMIN_EMAILS")
        # Phase 5: the public contact form needs a destination inbox
        # and a real hCaptcha key pair. Missing any of these would
        # either drop submissions on the floor (no recipient) or open
        # the form to unverified bot traffic (no captcha), so we
        # enforce them at boot.
        if not self.admin_contact_email:
            missing.append("ADMIN_CONTACT_EMAIL")
        if not self.hcaptcha_secret:
            missing.append("HCAPTCHA_SECRET")
        if not self.hcaptcha_site_key:
            missing.append("HCAPTCHA_SITE_KEY")
        if missing:
            raise ValueError(
                "Production configuration is missing required values: "
                + ", ".join(missing)
-                + ". These are needed for magic-link admin auth."
+                + ". These are needed for admin auth and the contact form."
            )
        return self
--- a/app/main.py
+++ b/app/main.py
@@ -57,6 +57,7 @@ from app import __version__
 from app.config import get_settings
 from app.db import build_engine, run_migrations
 from app.logging_config import configure_logging
 from app.middleware import AccessLogMiddleware, SecurityHeadersMiddleware
 from app.models.seed import run_seed
 from app.routes.admin import router as admin_router
 from app.routes.admin_cms import router as admin_cms_router
@@ -66,8 +67,10 @@ from app.services.admin_pages import AdminPagesService
 from app.services.admin_posts import AdminPostsService
 from app.services.audit import AuditService
 from app.services.auth import AuthService
 from app.services.contact import ContactService
 from app.services.csrf import CSRF_COOKIE_NAME, CSRFService
 from app.services.email import EmailService
 from app.services.hcaptcha import HCaptchaService
 from app.services.markdown import MarkdownService
 from app.services.media import MediaService
 from app.services.pages import PageService
@@ -236,6 +239,20 @@ def create_app() -> FastAPI:
    application.state.session_service = session_service
    application.state.auth_service = auth_service
    # --- Phase 5 wiring -----------------------------------------------------
    # Public contact form. HCaptchaService has no DB; ContactService
    # persists via the shared engine and delegates email to the
    # existing EmailService so the dev-fallback semantics match.
    hcaptcha_service = HCaptchaService(settings)
    contact_service = ContactService(
        engine=engine,
        email=email_service,
        audit=audit_service,
        settings=settings,
    )
    application.state.hcaptcha_service = hcaptcha_service
    application.state.contact_service = contact_service
    # --- Phase 4 wiring -----------------------------------------------------
    # CSRF signer: separate salt so a session cookie never validates
    # as a CSRF token (domain separation via salt).
@@ -273,10 +290,29 @@ def create_app() -> FastAPI:
    application.state.admin_pages_service = admin_pages_service
    application.state.media_service = media_service
    # --- Phase 6 middlewares -----------------------------------------------
    # Install order matters: FastAPI.add_middleware wraps each new entry
    # AROUND the existing stack, so the LAST one added runs first on the
    # request. We want:
    #   - SecurityHeadersMiddleware innermost (stamps nonce on
    #     request.state BEFORE the route runs, writes headers on the
    #     response just before it exits the handler layer) -> added FIRST.
    #   - AccessLogMiddleware outermost (times the entire stack,
    #     including security-headers + CSRF cookie work) -> added LAST.
    application.add_middleware(
        SecurityHeadersMiddleware,
        production=(settings.app_env == "production"),
    )
    # CSRF cookie middleware — narrow to admin GETs; everything else
    # passes through untouched so public routes are unaffected.
    application.add_middleware(CSRFCookieMiddleware, csrf_service=csrf_service)
    # Access log — added last so it wraps (and thus times) every other
    # middleware. Skips /healthz to keep compose healthcheck noise out
    # of the log; redacts /admin/auth/consume/<token> paths.
    application.add_middleware(AccessLogMiddleware)
    # SlowAPI limiter + exception handler. The limiter is a module-level
    # singleton in app.services.rate_limit (because @limiter.limit has
    # to be applied at endpoint-definition time, before include_router).
--- a/app/middleware/init.py
+++ b/app/middleware/init.py
@@ -0,0 +1,26 @@
 """Application-level Starlette middlewares.
 Each middleware is a :class:`starlette.middleware.base.BaseHTTPMiddleware`
 subclass wired up in :mod:`app.main`. They are kept in their own package
 (rather than buried in ``app/main.py``) because Phase 6 introduced two
 cross-cutting middlewares — security headers and access logging — that
 benefit from isolated unit tests and clear homes for future additions
 (rate-limit re-shaping, request-id propagation, etc.).
 Public surface:
 - :class:`SecurityHeadersMiddleware` — per-request CSP nonce + strict
  response headers. See :mod:`app.middleware.security_headers`.
 - :class:`AccessLogMiddleware` — structured ``http_request`` log line
  after every response. See :mod:`app.middleware.access_log`.
 """
 from __future__ import annotations
 from app.middleware.access_log import AccessLogMiddleware
 from app.middleware.security_headers import SecurityHeadersMiddleware
 __all__ = [
    "AccessLogMiddleware",
    "SecurityHeadersMiddleware",
 ]
--- a/app/middleware/access_log.py
+++ b/app/middleware/access_log.py
@@ -0,0 +1,113 @@
 """Structured access-log middleware.
 Emits a single ``http_request`` INFO event per request, capturing the
 HTTP verb, path, status code, wall-clock duration, client IP, and a
 truncated user-agent. The goal is a compact but auditable trail of
 production traffic without the noise of a traditional access log and
 without ever writing secrets to disk.
 Key design choices:
 - **No bodies, no query strings.** We deliberately skip query strings
  entirely to avoid leaking tokens that might end up there in future
  (the magic-link consume route keeps its token in the path, so we
  redact that explicitly below).
 - **Magic-link path redaction.** Requests to
  ``/admin/auth/consume/{token}`` have the token segment replaced with
  ``<redacted>`` before logging. ``CLAUDE.md`` forbids logging raw
  tokens anywhere.
 - **Skip ``/healthz``.** Compose / Docker health probes hit this every
  few seconds. Logging each one drowns out real traffic.
 - **Exceptions still get logged.** If the downstream handler raises,
  we record a ``status_code=500`` entry before re-raising so no failed
  request vanishes silently.
 """
 from __future__ import annotations
 import time
 import structlog
 from fastapi import Request
 from fastapi.responses import Response
 from starlette.middleware.base import BaseHTTPMiddleware
 logger = structlog.get_logger(__name__)
 # Prefix used to recognise magic-link consume URLs whose trailing token
 # segment must be redacted before logging.
 _CONSUME_PREFIX: str = "/admin/auth/consume/"
 # Path we skip entirely to reduce health-probe log noise.
 _SKIP_PATH: str = "/healthz"
 # User-agent strings are unbounded; cap to 256 chars so a hostile client
 # can't bloat log lines to arbitrary size.
 _UA_MAX: int = 256
 def _redact_path(path: str) -> str:
    """Return ``path`` with magic-link tokens replaced by ``<redacted>``.
    The consume URL is ``/admin/auth/consume/{token}``; everything after
    the prefix is swapped out. We preserve the prefix so log readers can
    still see which route was hit.
    """
    if path.startswith(_CONSUME_PREFIX):
        return _CONSUME_PREFIX + "<redacted>"
    return path
 class AccessLogMiddleware(BaseHTTPMiddleware):
    """Log one ``http_request`` event per completed request.
    Installed outermost in :mod:`app.main` so the timing measurement
    covers the entire downstream middleware stack, including security
    headers and CSRF cookie work.
    """
    async def dispatch(self, request: Request, call_next):
        """Time the request, log a structured event, reraise on failure."""
        path: str = request.url.path
        # Early exit for health probes — don't even record timing.
        if path == _SKIP_PATH:
            return await call_next(request)
        method: str = request.method
        client_ip: str = request.client.host if request.client else ""
        user_agent: str = request.headers.get("user-agent", "")[:_UA_MAX]
        redacted_path: str = _redact_path(path)
        start: float = time.monotonic()
        try:
            response: Response = await call_next(request)
        except Exception:
            duration_ms = int((time.monotonic() - start) * 1000)
            # Record the failure before re-raising so unhandled exceptions
            # don't vanish from the log. Status is synthetic (500) because
            # the framework hasn't written a response yet at this point.
            logger.info(
                "http_request",
                method=method,
                path=redacted_path,
                status_code=500,
                duration_ms=duration_ms,
                client_ip=client_ip,
                user_agent=user_agent,
            )
            raise
        duration_ms = int((time.monotonic() - start) * 1000)
        logger.info(
            "http_request",
            method=method,
            path=redacted_path,
            status_code=response.status_code,
            duration_ms=duration_ms,
            client_ip=client_ip,
            user_agent=user_agent,
        )
        return response
--- a/app/middleware/security_headers.py
+++ b/app/middleware/security_headers.py
@@ -0,0 +1,122 @@
 """Security-headers middleware.
 Installs a strict-ish set of security response headers on every outgoing
 response — notably a nonce-based ``Content-Security-Policy`` that locks
 inline ``<script>`` usage to per-request tokens. Templates read the
 nonce from ``request.state.csp_nonce`` and stamp it onto whichever
 ``<script>`` blocks need to run.
 Modelled on :class:`app.main.CSRFCookieMiddleware`: the constructor
 takes the ASGI app plus any configuration it needs by keyword;
 ``dispatch`` is async and always returns the downstream response.
 Header set (matches ``docs/security.md`` + Phase 6 brief):
 - ``Content-Security-Policy`` — nonce-based ``script-src`` that also
  allowlists hCaptcha; ``frame-ancestors 'none'`` replaces the legacy
  ``X-Frame-Options: DENY``.
 - ``Strict-Transport-Security`` — **only in production**; the dev
  server is reached over plain HTTP at ``http://127.0.0.1:8000`` and
  HSTS would make that session permanently HTTPS-only for the browser.
 - ``X-Content-Type-Options: nosniff``
 - ``Referrer-Policy: strict-origin-when-cross-origin``
 - ``Permissions-Policy`` — disable every sensor/device API we do not
  use (defense in depth for any future supply-chain compromise).
 - ``Cross-Origin-Opener-Policy: same-origin``
 The nonce is generated fresh per request (``secrets.token_urlsafe(16)``
 → 128 bits, URL-safe) and stored on ``request.state.csp_nonce`` before
 the downstream handler runs, so Jinja templates can read it via the
 implicit ``request`` context variable.
 """
 from __future__ import annotations
 import secrets
 from fastapi import Request
 from fastapi.responses import Response
 from starlette.middleware.base import BaseHTTPMiddleware
 # --- CSP template ---------------------------------------------------------
 # Note the ``{nonce}`` placeholder: we format per-request so the token is
 # unique to each response. ``style-src 'unsafe-inline'`` is a known
 # compromise — we don't emit our own inline styles, but third-party
 # widgets (hCaptcha) and some HTML attribute defaults want it. Locking
 # this down is a future task.
 _CSP_TEMPLATE: str = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-{nonce}' https://js.hcaptcha.com https://*.hcaptcha.com; "
    "style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:; "
    "font-src 'self'; "
    "connect-src 'self' https://*.hcaptcha.com; "
    "frame-src https://*.hcaptcha.com https://newassets.hcaptcha.com; "
    "frame-ancestors 'none'; "
    "base-uri 'self'; "
    "form-action 'self'"
 )
 # Static response headers that do not depend on per-request state. Kept
 # as a module-level dict so we pay the allocation cost once at import
 # time and just iterate on every response.
 _STATIC_HEADERS: dict[str, str] = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": (
        "accelerometer=(), camera=(), geolocation=(), gyroscope=(), "
        "magnetometer=(), microphone=(), payment=(), usb=()"
    ),
    "Cross-Origin-Opener-Policy": "same-origin",
 }
 # HSTS is production-only. One year, subdomains included; no ``preload``
 # directive (that requires submitting the apex to the HSTS preload list,
 # which is a separate operational step).
 _HSTS_VALUE: str = "max-age=31536000; includeSubDomains"
 class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    """Attach CSP + friends to every response.
    Parameters
    ----------
    app:
        The ASGI application. ``BaseHTTPMiddleware`` stores this.
    production:
        When ``True`` the middleware also emits ``Strict-Transport-Security``.
        Passed explicitly (rather than read from :mod:`app.config` here)
        so the middleware remains unit-testable without loading settings.
    """
    def __init__(self, app, *, production: bool) -> None:
        """Store the production flag; the app handle is owned by the base class."""
        super().__init__(app)
        self._production: bool = production
    async def dispatch(self, request: Request, call_next):
        """Mint a nonce, run the downstream handler, stamp the headers.
        The nonce is attached to ``request.state`` *before* ``call_next``
        so any template rendered by the route handler can read it. The
        CSP header itself is added after the response is produced so it
        rides on every path (HTML, JSON, static bypass, error pages).
        """
        # 128 bits of entropy, URL-safe base64 — plenty for CSP nonce use.
        nonce: str = secrets.token_urlsafe(16)
        request.state.csp_nonce = nonce
        response: Response = await call_next(request)
        response.headers["Content-Security-Policy"] = _CSP_TEMPLATE.format(
            nonce=nonce
        )
        for key, value in _STATIC_HEADERS.items():
            response.headers[key] = value
        if self._production:
            response.headers["Strict-Transport-Security"] = _HSTS_VALUE
        return response
--- a/app/routes/public.py
+++ b/app/routes/public.py
@@ -7,7 +7,9 @@ Phase 2 scope:
 - ``GET /about``   — DB-backed; loads the ``about`` row from the
                     ``pages`` table via :class:`PageService` and
                     renders its ``body_html_cached`` directly.
- ``GET /contact`` — inert contact form UI + optional ``mailto:`` link.
+- ``GET /contact`` — form UI + optional ``mailto:`` link.
 - ``POST /contact`` — Phase 5 live submission endpoint (hCaptcha +
                     honeypot + rate-limit + persist + notify).
 - ``GET /shop``    — "Coming soon" card.
 Every handler is thin: it resolves its dependencies, calls any service
@@ -17,16 +19,21 @@ is constructed in Python.
 from __future__ import annotations
 import re
 import structlog
-from fastapi import APIRouter, Depends, HTTPException, Request
+from fastapi import APIRouter, Depends, Form, HTTPException, Request
-from fastapi.responses import HTMLResponse
+from fastapi.responses import HTMLResponse, Response
 from fastapi.templating import Jinja2Templates
 from app.config import Settings, get_settings
-from app.models.entities import Page
+from app.models.entities import Page, Post
 from app.models.posts import PostSummary
 from app.services.contact import ContactService
 from app.services.hcaptcha import HCaptchaService
 from app.services.pages import PageService, get_page_service
 from app.services.posts import PostService, get_post_service
 from app.services.rate_limit import limiter
 # Module-level router. Mounted without a prefix by ``app.main.create_app``
@@ -37,6 +44,19 @@ router: APIRouter = APIRouter(tags=["public"])
 _log = structlog.get_logger(__name__)
 # Same loose email shape used on the admin login form. Intentionally
 # permissive: the mapper layer / Resend does the real work; we only
 # want to reject obvious junk before hitting the service.
 _EMAIL_RE: re.Pattern[str] = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
 # Field length guards — matched on the server regardless of the
 # HTML5 attributes the template emits.
 _NAME_MAX: int = 80
 _EMAIL_MAX: int = 254
 _MESSAGE_MIN: int = 10
 _MESSAGE_MAX: int = 4000
 def get_templates(request: Request) -> Jinja2Templates:
    """Return the shared :class:`Jinja2Templates` instance.
@@ -49,6 +69,31 @@ def get_templates(request: Request) -> Jinja2Templates:
    return request.app.state.templates
 def _get_hcaptcha_service(request: Request) -> HCaptchaService:
    """Return the app-scoped :class:`HCaptchaService`."""
    return request.app.state.hcaptcha_service
 def _get_contact_service(request: Request) -> ContactService:
    """Return the app-scoped :class:`ContactService`."""
    return request.app.state.contact_service
 def _client_ip(request: Request) -> str:
    """Best-effort client IP from the request.
    Starlette already respects ``X-Forwarded-For`` via the proxy-headers
    middleware Uvicorn installs with ``--proxy-headers``; that means
    ``request.client.host`` is the real client IP.
    """
    return request.client.host if request.client else ""
 def _user_agent(request: Request) -> str:
    """Return the submitted User-Agent header (empty string if missing)."""
    return request.headers.get("user-agent", "")
@router.get("/", response_class=HTMLResponse, summary="Blog index")
 def home(
    request: Request,
@@ -72,6 +117,33 @@ def home(
    )
@router.get(
    "/posts/{slug}",
    response_class=HTMLResponse,
    summary="Single blog post",
 )
 def post_detail(
    slug: str,
    request: Request,
    templates: Jinja2Templates = Depends(get_templates),
    posts: PostService = Depends(get_post_service),
 ) -> HTMLResponse:
    """Render a single published post by slug.
    Drafts and unknown slugs return 404 (same response so a mistyped
    URL cannot be used to enumerate unpublished titles).
    """
    post: Post | None = posts.get_published_by_slug(slug)
    if post is None:
        raise HTTPException(status_code=404, detail="Post not found")
    return templates.TemplateResponse(
        request,
        "public/post.html",
        {"active_nav": "home", "post": post},
    )
@router.get("/about", response_class=HTMLResponse, summary="About the farm")
 def about(
    request: Request,
@@ -110,12 +182,12 @@ def contact(
    templates: Jinja2Templates = Depends(get_templates),
    settings: Settings = Depends(get_settings),
 ) -> HTMLResponse:
-    """Render the inert contact page.
+    """Render the contact page.
-    The form fields are marked ``disabled`` and the form has no ``method``
+    Phase 5 wires the form up to a real POST handler; this GET now
-    attribute — it is UI-only. If ``ADMIN_CONTACT_EMAIL`` is configured
+    returns the blank form. ``ADMIN_CONTACT_EMAIL`` is still surfaced
-    the template renders a ``mailto:`` link so visitors still have a way
+    as a secondary ``mailto:`` link for visitors who prefer their own
-    to reach the farm before Phase 5 wires up the real POST flow.
+    inbox over the form.
    """
    return templates.TemplateResponse(
        request,
@@ -126,10 +198,176 @@ def contact(
            # case. We pass the value through settings so tests can
            # override it without touching environment variables.
            "contact_email": settings.admin_contact_email,
            "hcaptcha_site_key": settings.hcaptcha_site_key,
            "errors": {},
            "form": {"name": "", "email": "", "message": ""},
            "form_error": None,
        },
    )
@router.post("/contact", summary="Submit the contact form")
@limiter.limit("3/hour")
 async def contact_submit(
    request: Request,
    name: str = Form(default=""),
    email: str = Form(default=""),
    message: str = Form(default=""),
    website: str = Form(default=""),
    templates: Jinja2Templates = Depends(get_templates),
    settings: Settings = Depends(get_settings),
    hcaptcha: HCaptchaService = Depends(_get_hcaptcha_service),
    contact_service: ContactService = Depends(_get_contact_service),
 ) -> Response:
    """Handle the contact-form POST.
    Flow (strict order — each stage short-circuits):
    1. Honeypot: if ``website`` is non-empty → silent spam. Audit
       ``contact_spam_rejected`` with reason ``honeypot``; render the
       generic success page so the bot operator cannot tell they were
       filtered.
    2. hCaptcha: call :meth:`HCaptchaService.verify`. On False → audit
       ``contact_spam_rejected`` with reason ``hcaptcha``; render the
       success page. Same anti-enumeration rationale.
    3. Validate fields. On any error → re-render the form with inline
       error messages + HTTP 400 + submitted values preserved.
    4. Persist: :meth:`ContactService.record_submission`. After this
       point the message is durable even if the email fails.
    5. Notify: :meth:`ContactService.send_notification`. Best-effort;
       if it raises (it never should — service is defensive) we still
       fall through to the success page.
    6. Render ``public/contact_sent.html``.
    CSRF is NOT required here: the endpoint is pre-auth, has no
    session to hijack, and adding a cookie dance would break the
    first-contact UX. SlowAPI + hCaptcha + honeypot are the controls.
    """
    ip = _client_ip(request)
    ua = _user_agent(request)
    audit = request.app.state.audit_service
    # --- Stage 1: honeypot ------------------------------------------------
    if (website or "").strip():
        audit.record(
            "contact_spam_rejected",
            ip=ip,
            user_agent=ua,
            detail={"reason": "honeypot"},
        )
        return templates.TemplateResponse(
            request,
            "public/contact_sent.html",
            {"active_nav": "contact"},
        )
    # --- Stage 2: hCaptcha ------------------------------------------------
    token = (
        (request.headers.get("h-captcha-response") or "")
        or ""
    )
    # hCaptcha's widget posts the token as a form field named
    # ``h-captcha-response``. Starlette's ``Request.form()`` is async;
    # re-reading it here is fine because FastAPI caches the parsed form
    # for the lifetime of the request.
    form_data = await request.form()
    captcha_token = str(form_data.get("h-captcha-response", token) or "")
    ok = await hcaptcha.verify(captcha_token, ip)
    if not ok:
        audit.record(
            "contact_spam_rejected",
            ip=ip,
            user_agent=ua,
            detail={"reason": "hcaptcha"},
        )
        return templates.TemplateResponse(
            request,
            "public/contact_sent.html",
            {"active_nav": "contact"},
        )
    # --- Stage 3: validation ---------------------------------------------
    clean_name = (name or "").strip()
    clean_email = (email or "").strip()
    clean_message = (message or "").strip()
    errors: dict[str, str] = {}
    if not clean_name:
        errors["name"] = "Please enter your name."
    elif len(clean_name) > _NAME_MAX:
        errors["name"] = f"Name must be {_NAME_MAX} characters or fewer."
    if not clean_email:
        errors["email"] = "Please enter your email address."
    elif len(clean_email) > _EMAIL_MAX or not _EMAIL_RE.match(clean_email):
        errors["email"] = "Please enter a valid email address."
    if not clean_message:
        errors["message"] = "Please include a message."
    elif len(clean_message) < _MESSAGE_MIN:
        errors["message"] = (
            f"Message must be at least {_MESSAGE_MIN} characters."
        )
    elif len(clean_message) > _MESSAGE_MAX:
        errors["message"] = (
            f"Message must be {_MESSAGE_MAX} characters or fewer."
        )
    if errors:
        return templates.TemplateResponse(
            request,
            "public/contact.html",
            {
                "active_nav": "contact",
                "contact_email": settings.admin_contact_email,
                "hcaptcha_site_key": settings.hcaptcha_site_key,
                "errors": errors,
                "form": {
                    "name": clean_name,
                    "email": clean_email,
                    "message": clean_message,
                },
                "form_error": None,
            },
            status_code=400,
        )
    # --- Stage 4: persist -------------------------------------------------
    submission = contact_service.record_submission(
        name=clean_name,
        email=clean_email,
        message=clean_message,
        ip=ip,
        user_agent=ua,
    )
    # Audit the successful submission. Store the message length + a
    # short preview so on-call can tell whether a flood is substantive
    # without exposing full bodies in the audit log.
    audit.record(
        "contact_submitted",
        email=clean_email,
        ip=ip,
        user_agent=ua,
        detail={
            "submission_id": submission.id,
            "message_length": len(clean_message),
            "message_preview": clean_message[:40],
        },
    )
    # --- Stage 5: notify --------------------------------------------------
    contact_service.send_notification(submission)
    # --- Stage 6: success page -------------------------------------------
    return templates.TemplateResponse(
        request,
        "public/contact_sent.html",
        {"active_nav": "contact"},
    )
@router.get("/shop", response_class=HTMLResponse, summary="Shop placeholder")
 def shop(
    request: Request,
--- a/app/services/contact.py
+++ b/app/services/contact.py
@@ -0,0 +1,159 @@
 """Contact-form persistence + notification orchestration.
 Thin service wired at app startup:
 - :meth:`ContactService.record_submission` — insert a row into
  ``contact_submissions`` and return a mapped
  :class:`ContactSubmission` entity.
 - :meth:`ContactService.send_notification` — best-effort pass through
  to :class:`EmailService.send_contact_notification`. NEVER raises.
 The route handler (``/contact``) short-circuits the spam path (honeypot
 tripped or hCaptcha failed) BEFORE calling either method, so anything
 that reaches this service has already passed the bot screen. The audit
 log is written by the route, not here — keeps this service free of
 request-scoped context (ip/ua are persisted on the row itself).
 Security notes
 --------------
 - Parameterized SQL only (sqlalchemy ``text("...:param...")``).
 - Datetimes are timezone-aware UTC and serialized via ``.isoformat()``,
  matching the rest of the codebase.
 - Raw message bodies never flow through logs or audit detail; only
  ``len(message)`` and a short preview (if any) appear in audit rows,
  and that is the route's responsibility.
 """
 from __future__ import annotations
 from datetime import datetime, timezone
 import structlog
 from sqlalchemy import Engine, text
 from app.config import Settings
 from app.models.entities import ContactSubmission
 from app.models.mappers import row_to_contact_submission
 from app.services.audit import AuditService
 from app.services.email import EmailService
 _log = structlog.get_logger(__name__)
 class ContactService:
    """Persist contact submissions and trigger notification emails."""
    def __init__(
        self,
        engine: Engine,
        email: EmailService,
        audit: AuditService,
        settings: Settings,
    ) -> None:
        """Store collaborators by reference."""
        self._engine: Engine = engine
        self._email: EmailService = email
        self._audit: AuditService = audit
        self._settings: Settings = settings
    # ------------------------------------------------------------------
    # record_submission
    # ------------------------------------------------------------------
    def record_submission(
        self,
        *,
        name: str,
        email: str,
        message: str,
        ip: str,
        user_agent: str,
    ) -> ContactSubmission:
        """Insert a ``contact_submissions`` row and return the entity.
        All inputs are taken at face value — validation is the route's
        responsibility. The mapper guarantees tz-aware UTC on read so
        callers can safely format ``submitted_at.isoformat()`` in
        downstream emails.
        """
        submitted_at = datetime.now(timezone.utc)
        submitted_iso = submitted_at.isoformat()
        with self._engine.begin() as conn:
            result = conn.execute(
                text(
                    "INSERT INTO contact_submissions"
                    " (name, email, message, ip, user_agent,"
                    "  submitted_at, handled)"
                    " VALUES (:name, :email, :message, :ip, :user_agent,"
                    "  :submitted_at, 0)"
                ),
                {
                    "name": name,
                    "email": email,
                    "message": message,
                    "ip": ip or "",
                    "user_agent": user_agent or "",
                    "submitted_at": submitted_iso,
                },
            )
            new_id = int(result.lastrowid)  # type: ignore[arg-type]
            row = conn.execute(
                text(
                    "SELECT id, name, email, message, ip, user_agent,"
                    "       submitted_at, handled"
                    "  FROM contact_submissions WHERE id = :id"
                ),
                {"id": new_id},
            ).mappings().first()
        # ``row`` is always present — we just inserted it in the same
        # transaction — but we type-guard defensively so mypy is happy.
        if row is None:  # pragma: no cover — impossible path
            raise RuntimeError(
                "contact_submission row disappeared between insert and select"
            )
        return row_to_contact_submission(row)
    # ------------------------------------------------------------------
    # send_notification
    # ------------------------------------------------------------------
    def send_notification(self, submission: ContactSubmission) -> None:
        """Dispatch the admin notification email; never raise.
        Best-effort: any exception is caught and logged under
        ``contact_send_failed`` so the caller can still render the
        success page. The submission row is already persisted when
        this method is invoked, so the admin has a DB trail even if
        the outbound email fails.
        Silently no-ops when ``ADMIN_CONTACT_EMAIL`` is unset. That
        only happens in dev (production validator requires the field)
        and is logged for visibility.
        """
        to = self._settings.admin_contact_email
        if not to:
            _log.info(
                "contact_notification_skipped_no_recipient",
                reason="admin_contact_email_unset",
            )
            return
        try:
            self._email.send_contact_notification(
                to=to,
                submission_name=submission.name,
                submission_email=submission.email,
                message=submission.message,
                submitted_at=submission.submitted_at,
                ip=submission.ip,
            )
        except Exception:  # noqa: BLE001
            # The email service is itself defensive (it swallows Resend
            # errors internally). This belt-and-braces catch protects
            # the request path from any unexpected programming error.
            _log.exception(
                "contact_send_failed",
                submission_id=submission.id,
            )
--- a/app/services/email.py
+++ b/app/services/email.py
@@ -52,6 +52,84 @@ class EmailService:
        self._settings: Settings = settings
        self._templates: Jinja2Templates = templates
    def send_contact_notification(
        self,
        *,
        to: str,
        submission_name: str,
        submission_email: str,
        message: str,
        submitted_at: datetime,
        ip: str,
    ) -> None:
        """Send the contact-form notification email to the admin inbox.
        Behavior
        --------
        - If ``settings.resend_api_key`` (or ``resend_from``) is falsy,
          log a ``contact_notification_dev_fallback`` event at INFO and
          return. Dev convenience only — the production validator
          refuses to boot without a Resend key.
        - Otherwise render both template bodies, set ``Reply-To`` to the
          submitter's email (so Head Hen just hits reply), and dispatch
          via Resend. Transport errors are logged (``contact_notification_failed``)
          and never re-raised — the request path must always complete
          with the generic success page.
        Subject format (fixed) matches the Phase 5 brief:
        ``"New contact submission from {submission_name}"``.
        """
        ctx = {
            "submission_name": submission_name,
            "submission_email": submission_email,
            "message": message,
            "submitted_at": submitted_at.isoformat(),
            "ip": ip or "",
        }
        html_body = self._render("emails/contact_notification.html", ctx)
        text_body = self._render("emails/contact_notification.txt", ctx)
        api_key: Optional[str] = self._settings.resend_api_key
        sender: Optional[str] = self._settings.resend_from
        # Dev fallback — log enough to confirm the flow reached the
        # email layer without echoing the whole message body at INFO.
        if not api_key or not sender:
            _log.info(
                "contact_notification_dev_fallback",
                to=to,
                submission_name=submission_name,
                submission_email=submission_email,
                message_length=len(message or ""),
            )
            return
        subject = f"New contact submission from {submission_name}"
        try:
            import resend  # type: ignore[import-untyped]
            resend.api_key = api_key
            resend.Emails.send(
                {
                    "from": sender,
                    "to": to,
                    "subject": subject,
                    "html": html_body,
                    "text": text_body,
                    # Reply-To lets Head Hen reply directly from her
                    # inbox without exposing the From: address to
                    # public rewriting.
                    "reply_to": submission_email,
                }
            )
            _log.info("contact_notification_sent", to=to)
        except Exception:  # noqa: BLE001
            # Never raise from the request path — see docstring.
            _log.exception(
                "contact_notification_failed",
                to=to,
            )
    def send_magic_link(
        self,
        *,
--- a/app/services/hcaptcha.py
+++ b/app/services/hcaptcha.py
@@ -0,0 +1,132 @@
 """hCaptcha server-side verification.
 Wraps the hCaptcha ``siteverify`` endpoint with a dev-mode bypass so
 local work does not require a real site-key / secret pair.
 Security and UX rules
 ---------------------
 - **Never raise from the request path.** The caller (``/contact``)
  treats a ``False`` return as "reject the submission as spam" and a
  ``True`` return as "continue to validation". Any network hiccup /
  non-200 / malformed-JSON surfaces as ``False`` — it is safer to drop
  a legitimate visitor's submission than to accept a spam flood if
  hCaptcha is temporarily unavailable.
 - **Dev fallback:** when ``settings.hcaptcha_secret`` is falsy we log a
  structured ``hcaptcha_dev_fallback`` event at INFO and return
  ``True``. The production config validator refuses to boot without a
  secret, so this path only runs locally.
 - Raw tokens are single-use, short-lived, and bound to the submitter's
  session — we do not persist or log them.
 """
 from __future__ import annotations
 from typing import Any, Optional
 import httpx
 import structlog
 from app.config import Settings
 _log = structlog.get_logger(__name__)
 # hCaptcha's server-side verify endpoint. Documented at
 # https://docs.hcaptcha.com/#verify-the-user-response-server-side.
 _SITEVERIFY_URL: str = "https://hcaptcha.com/siteverify"
 # Bounded network timeout. hCaptcha's own advice is 5s; longer would
 # block the request path unnecessarily under an incident.
 _TIMEOUT_SECONDS: float = 5.0
 class HCaptchaService:
    """Verify hCaptcha responses server-side.
    Usage
    -----
    ``await hcaptcha_service.verify(token, remote_ip)`` returns a bool.
    ``True`` means "treat the request as human"; ``False`` means "reject".
    """
    def __init__(self, settings: Settings) -> None:
        """Store settings by reference so rotation at runtime works."""
        self._settings: Settings = settings
    async def verify(self, token: str, remote_ip: str) -> bool:
        """Verify ``token`` against hCaptcha; return True on success.
        Behavior
        --------
        - If ``settings.hcaptcha_secret`` is falsy → log
          ``hcaptcha_dev_fallback`` and return ``True`` (dev).
        - Otherwise POST to ``/siteverify`` with a 5s timeout.
        - Non-200, network error, malformed JSON, or ``success=False``
          all return ``False``.
        The method never raises — errors are logged and converted to
        ``False`` so the caller can render the generic thank-you page
        without leaking internal state.
        """
        secret: Optional[str] = self._settings.hcaptcha_secret
        if not secret:
            # Dev bypass. The config validator forbids this in
            # production, so reaching this branch is always a dev/test
            # condition and safe to trust.
            _log.info("hcaptcha_dev_fallback", remote_ip=remote_ip or "")
            return True
        payload = {
            "secret": secret,
            "response": token or "",
            "remoteip": remote_ip or "",
        }
        data = await self._post_siteverify(payload)
        if data is None:
            # Timeout / transport error / non-200 / parse failure —
            # already logged by the helper. Treat as spam.
            return False
        success = bool(data.get("success", False))
        if not success:
            # Log error codes if present so operators can diagnose
            # misconfigured keys without exposing the token.
            _log.info(
                "hcaptcha_verify_failed",
                error_codes=list(data.get("error-codes") or []),
            )
        return success
    # ------------------------------------------------------------------
    # Internals
    # ------------------------------------------------------------------
    async def _post_siteverify(self, payload: dict) -> Optional[dict[str, Any]]:
        """POST to hCaptcha's verify endpoint and return parsed JSON.
        Returns ``None`` on any failure (timeout, non-200, transport
        error, malformed JSON). Kept separate from :meth:`verify` so
        tests can monkeypatch the HTTP boundary without touching the
        decision logic.
        """
        try:
            async with httpx.AsyncClient(timeout=_TIMEOUT_SECONDS) as client:
                resp = await client.post(_SITEVERIFY_URL, data=payload)
        except httpx.HTTPError:
            # Network error / timeout. Do not raise; do not log the
            # payload (contains the secret).
            _log.exception("hcaptcha_request_failed")
            return None
        if resp.status_code != 200:
            _log.info(
                "hcaptcha_non_200",
                status_code=resp.status_code,
            )
            return None
        try:
            return resp.json()
        except ValueError:
            _log.exception("hcaptcha_malformed_json")
            return None
--- a/app/services/posts.py
+++ b/app/services/posts.py
@@ -21,9 +21,9 @@ from typing import Optional
 from fastapi import Request
 from sqlalchemy import Engine, text
-from app.models.entities import PostStatus
+from app.models.entities import Post, PostStatus
 from app.models.posts import PostSummary
-from app.models.mappers import _parse_datetime
+from app.models.mappers import _parse_datetime, row_to_post
 from app.services.cache import TTLCache
@@ -155,6 +155,36 @@ class PostService:
        self._cache.set(safe_limit, summaries)
        return summaries
    def get_published_by_slug(self, slug: str) -> Optional[Post]:
        """Return the published :class:`Post` for ``slug`` or ``None``.
        Drafts are invisible on the public path: the status filter
        belongs in SQL so a mistyped slug and a draft slug are
        indistinguishable to the caller (same 404 upstream).
        SQL safety: ``slug`` and ``status`` are bound parameters; no
        string interpolation.
        """
        with self._engine.connect() as conn:
            row = (
                conn.execute(
                    text(
                        "SELECT id, slug, title, body_md, body_html_cached,"
                        " status, published_at, updated_at, author_user_id"
                        " FROM posts"
                        " WHERE slug = :slug AND status = :status"
                        " LIMIT 1"
                    ),
                    {
                        "slug": slug,
                        "status": PostStatus.PUBLISHED.value,
                    },
                )
                .mappings()
                .first()
            )
        return row_to_post(row) if row is not None else None
    def invalidate_all(self) -> None:
        """Drop every cached post-list entry.
--- a/app/static/css/site.css
+++ b/app/static/css/site.css
@@ -348,6 +348,17 @@ a:focus-visible {
  margin-bottom: var(--space-2);
 }
 .page-article__date {
  font-size: 0.875rem;
  color: var(--c-sky-deep);
  font-family: var(--font-sans);
 }
 .page-article__back {
  margin-top: var(--space-4);
  max-width: 48rem;
 }
 /* Post list + card. */
 .post-list {
  display: grid;
@@ -490,6 +501,26 @@ a:focus-visible {
  margin-top: var(--space-2);
 }
 /* Phase 5: inline field errors + top-level banner. Scoped to the
   contact form so the red tone does not bleed into other forms. */
 .contact-form__field-error,
 .contact-form__error {
  margin: var(--space-1) 0 0;
  color: #8b2e2e;
  font-size: 0.95rem;
 }
 .contact-form__error {
  padding: var(--space-2) var(--space-3);
  background-color: #fbe9e7;
  border: 1px solid #d9a8a1;
  border-radius: var(--radius);
 }
 .contact-form__captcha {
  margin-top: var(--space-2);
 }
 /* Generic button. */
 .btn {
  display: inline-block;
--- a/app/templates/emails/contact_notification.html
+++ b/app/templates/emails/contact_notification.html
@@ -0,0 +1,43 @@
 {#
  HTML body for the admin contact-form notification email.
  Deliberately plain — email clients are hostile to CSS. ``message`` is
  rendered inside a <pre> so newlines submitted by the visitor are
  preserved without us having to manually convert them to <br>s (which
  bleach would strip anyway).
  Jinja2 autoescape is on for .html templates; every field below is
  rendered via ``{{ ... }}`` without ``| safe``, so user input cannot
  escape into the DOM.
  Context:
    - submission_name  : str
    - submission_email : str
    - message          : str
    - submitted_at     : ISO-8601 str
    - ip               : str
 #}<!doctype html>
 <html lang="en">
 <head>
  <meta charset="utf-8">
  <title>New contact submission &mdash; Chicken Babies R Us</title>
 </head>
 <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; color: #2B3A42; max-width: 560px; margin: 0 auto; padding: 24px;">
  <h1 style="font-size: 20px; margin: 0 0 16px;">New contact submission</h1>
  <p style="margin: 0 0 8px;"><strong>Name:</strong> {{ submission_name }}</p>
  <p style="margin: 0 0 8px;">
    <strong>Email:</strong>
    <a href="mailto:{{ submission_email }}" style="color: #5D8AA8;">{{ submission_email }}</a>
  </p>
  <p style="margin: 0 0 8px;"><strong>Submitted at:</strong> {{ submitted_at }}</p>
  <p style="margin: 0 0 16px;"><strong>IP:</strong> {{ ip }}</p>
  <h2 style="font-size: 16px; margin: 16px 0 8px;">Message</h2>
  <pre style="white-space: pre-wrap; word-break: break-word; font-family: inherit; font-size: 14px; background: #FAF3E7; padding: 12px 16px; border-radius: 6px; margin: 0;">{{ message }}</pre>
  <p style="color: #6b7a80; font-size: 13px; margin-top: 24px;">
    Replying to this email will respond directly to the sender
    ({{ submission_email }}).
  </p>
 </body>
 </html>
--- a/app/templates/emails/contact_notification.txt
+++ b/app/templates/emails/contact_notification.txt
@@ -0,0 +1,17 @@
 {# Plaintext body for the admin contact-form notification email.
   Mirrors the HTML version so clients that reject HTML still get a
   readable message. #}New contact submission
 ======================
 Name:          {{ submission_name }}
 Email:         {{ submission_email }}
 Submitted at:  {{ submitted_at }}
 IP:            {{ ip }}
 Message
 -------
 {{ message }}
 --
 Replying to this email will respond directly to the sender
 ({{ submission_email }}).
--- a/app/templates/public/base.html
+++ b/app/templates/public/base.html
@@ -107,7 +107,7 @@
  {# Mobile nav toggle. Tiny and CSP-friendly: no inline handlers, no JS
     framework. Phase 6's CSP will be compatible with moving this into an
     external file + nonce if we grow; for now the inline block stays. #}
-  <script>
+  <script nonce="{{ request.state.csp_nonce }}">
    (function () {
      "use strict";
      var toggle = document.getElementById("nav-toggle");
--- a/app/templates/public/contact.html
+++ b/app/templates/public/contact.html
@@ -1,18 +1,30 @@
 {#
-  Contact page — Phase 1 version.
+  Contact page — live Phase 5 form.
-  The form is deliberately inert: no `method`, no `action`, all inputs
+  POSTs to /contact. Honeypot + hCaptcha + SlowAPI rate-limit protect
-  and the submit button carry the `disabled` attribute. A muted note
+  the endpoint. Every field carries an id/label pair for a11y and a
-  explains the form is coming soon; if `ADMIN_CONTACT_EMAIL` is set in
+  maxlength/minlength to match the server-side validator — the HTML5
-  the environment we render a `mailto:` link above the form so visitors
+  attributes are a UX hint only, not the security boundary.
  still have a way to reach the farm.
-  Phase 5 replaces this template with a working POST handler, hCaptcha,
+  Honeypot:
-  honeypot, and rate limiting.
+  - The ``website`` field is wrapped in a .visually-hidden container
    marked ``aria-hidden="true"`` so assistive tech hides it too.
  - It is NOT ``required`` and has ``tabindex="-1"`` so a keyboard
    user can't accidentally focus it.
  - The server rejects any submission where the field is non-empty.
  hCaptcha:
  - When ``hcaptcha_site_key`` is truthy the widget div + script tag
    render. When empty (dev) we skip them and rely on the dev-mode
    fallback in :class:`HCaptchaService`.
  Context:
    - contact_email   : str | None  (from settings.admin_contact_email)
    - active_nav      : "contact"
    - errors          : dict[str, str]  (field_name -> message)
    - form            : dict[str, str]  (prior submitted values)
    - form_error      : str | None       (top-level error banner)
    - hcaptcha_site_key : str | None     (rendered when truthy)
 #}
 {% extends "public/base.html" %}
@@ -32,30 +44,45 @@
    {% if contact_email %}
      <p class="contact-mailto">
-        The easiest way to reach us right now is email:
+        Prefer email? Reach us at
        <a href="mailto:{{ contact_email }}">{{ contact_email }}</a>.
      </p>
    {% else %}
      <p class="contact-mailto contact-mailto--muted">
        A direct email address will be posted here soon.
      </p>
    {% endif %}
-    <p class="contact-form__note" role="note">
+    {% if form_error %}
-      Secure contact form coming soon.
+      <p class="contact-form__error" role="alert">{{ form_error }}</p>
-    </p>
+    {% endif %}
    <form class="contact-form"
          method="POST"
          action="/contact"
          aria-describedby="contact-form-note">
      {# Honeypot — visually hidden + aria-hidden so neither sighted
         users nor screen readers encounter it. Bots fill it in and
         get silently filed as spam. #}
      <div class="visually-hidden" aria-hidden="true">
        <label for="contact-website">Website</label>
        <input type="text"
               id="contact-website"
               name="website"
               tabindex="-1"
               autocomplete="off"
               class="contact-hp"
               value="">
      </div>
    {# action="" and no method = form cannot submit. Every input is
       disabled so screen readers and the keyboard both respect the
       "not-yet-available" state. #}
    <form class="contact-form" action="" aria-describedby="contact-form-note" novalidate>
      <div class="contact-form__field">
        <label for="contact-name">Name</label>
        <input type="text"
               id="contact-name"
               name="name"
               autocomplete="name"
-               disabled>
+               required
               maxlength="80"
               value="{{ (form.name if form else '') or '' }}">
        {% if errors and errors.name %}
          <p class="contact-form__field-error" role="alert">{{ errors.name }}</p>
        {% endif %}
      </div>
      <div class="contact-form__field">
@@ -64,7 +91,12 @@
               id="contact-email"
               name="email"
               autocomplete="email"
-               disabled>
+               required
               maxlength="254"
               value="{{ (form.email if form else '') or '' }}">
        {% if errors and errors.email %}
          <p class="contact-form__field-error" role="alert">{{ errors.email }}</p>
        {% endif %}
      </div>
      <div class="contact-form__field">
@@ -72,14 +104,31 @@
        <textarea id="contact-message"
                  name="message"
                  rows="6"
-                  disabled></textarea>
+                  required
                  minlength="10"
                  maxlength="4000">{{ (form.message if form else '') or '' }}</textarea>
        {% if errors and errors.message %}
          <p class="contact-form__field-error" role="alert">{{ errors.message }}</p>
        {% endif %}
      </div>
      {% if hcaptcha_site_key %}
        <div class="contact-form__captcha">
          <div class="h-captcha" data-sitekey="{{ hcaptcha_site_key }}"></div>
        </div>
      {% else %}
        {# hCaptcha disabled in dev — HCaptchaService returns True. #}
      {% endif %}
      <div class="contact-form__actions">
-        <button type="submit" class="btn btn--primary" disabled>
+        <button type="submit" class="btn btn--primary">
          Send message
        </button>
      </div>
    </form>
  </article>
  {% if hcaptcha_site_key %}
    <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
  {% endif %}
 {% endblock %}
--- a/app/templates/public/contact_sent.html
+++ b/app/templates/public/contact_sent.html
@@ -0,0 +1,31 @@
 {#
  Contact success page — rendered after a successful POST /contact
  OR after a silent spam rejection (honeypot tripped / hCaptcha
  failed). Copy MUST stay identical across those branches so a bot
  operator can't use the response body to distinguish "we accepted
  your message" from "we filed your message under spam".
  Context:
    - active_nav : "contact"
 #}
 {% extends "public/base.html" %}
 {% block title %}Message sent &mdash; Chicken Babies R Us{% endblock %}
 {% block meta_description %}Thanks for reaching out to Chicken Babies R Us.{% endblock %}
 {% block content %}
  <article class="page-article">
    <header class="page-article__header">
      <h1 class="page-article__title">Thanks for reaching out</h1>
    </header>
    <p>
      Your message is on its way to Head Hen. We'll get back to you as
      soon as the chickens let us.
    </p>
    <p>
      <a class="btn btn--primary" href="/">Back to the home page</a>
    </p>
  </article>
 {% endblock %}
--- a/app/templates/public/post.html
+++ b/app/templates/public/post.html
@@ -0,0 +1,36 @@
 {#
  Single blog post detail page.
  Receives:
    - post        : app.models.entities.Post
    - active_nav  : str   "home"
  ``post.body_html_cached`` is the bleach-sanitized output of the
  Markdown pipeline (allowlisted tags/attrs/protocols only), so
  rendering with ``| safe`` does not reintroduce XSS risk. Same
  rationale as ``public/about.html``.
 #}
 {% extends "public/base.html" %}
 {% block title %}{{ post.title }} &mdash; Chicken Babies R Us{% endblock %}
 {% block meta_description %}{{ post.title }} &mdash; a post from Chicken Babies R Us.{% endblock %}
 {% block content %}
  <article class="page-article">
    <header class="page-article__header">
      <h1 class="page-article__title">{{ post.title }}</h1>
      {% if post.published_at %}
        <time class="page-article__date"
              datetime="{{ post.published_at.isoformat() }}">
          {{ post.published_at.strftime("%B %-d, %Y") }}
        </time>
      {% endif %}
    </header>
    {{ post.body_html_cached | safe }}
  </article>
  <p class="page-article__back">
    <a href="/">&larr; Back to all posts</a>
  </p>
 {% endblock %}
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -0,0 +1,69 @@
 # ---------------------------------------------------------------------------
 # Chicken Babies R Us — production compose file.
 #
 # Meant for the Debian 12 VM behind Caddy. Unlike docker-compose.yml (which
 # builds the image from source for local dev), this file pulls the pre-built
 # image from the Gitea container registry so the VM stays a thin runner.
 #
 # Ansible responsibilities (not this file):
 #   - render /opt/chicken-babies/.env with real secrets
 #   - ensure data/ exists and is owned by uid:gid 10001:10001
 #       sudo install -d -o 10001 -g 10001 /opt/chicken-babies/data/media
 #       sudo install -d -o 10001 -g 10001 /opt/chicken-babies/data/backups
 #   - `docker login git.sneakygeek.net -u <user> -p <REGISTRY_TOKEN>`
 #   - copy this file as /opt/chicken-babies/docker-compose.yml
 #   - run `docker compose pull && docker compose up -d`
 #
 # Update flow on the VM (after a CI build publishes a new :latest):
 #   docker compose pull
 #   docker compose up -d      # restarts only if the image SHA changed
 #   docker image prune -f     # reclaim space from the old layers
 # ---------------------------------------------------------------------------
 services:
  web:
    image: git.sneakygeek.net/ptarrant/chicken_babies_site:latest
    # Docker pulls :latest on `docker compose pull`; no build context needed.
    pull_policy: always
    env_file:
      - .env
    # Override the Dockerfile CMD so uvicorn trusts X-Forwarded-* headers.
    # Caddy lives on another server (10.10.99.10) and speaks HTTP to this
    # VM on port 8080. Even so, the source IP *inside* the container is
    # the Docker bridge gateway (typically 172.17.0.1), NOT 10.10.99.10,
    # because Docker NATs the inbound connection. That means allowlisting
    # 10.10.99.10 would never match — uvicorn would still drop X-Forwarded-*
    # and Starlette would build http:// URLs under an https:// page,
    # tripping `img-src 'self'` CSP on the logo, fonts, etc.
    #
    # "*" is acceptable here because access to port 8080 is controlled
    # at the network layer (host firewall / VLAN) — only the Caddy box
    # can reach it. If you later move Caddy onto this same host, change
    # this back to a specific gateway IP.
    command: >
      uvicorn app.main:app
      --host 0.0.0.0
      --port 8080
      --proxy-headers
      --forwarded-allow-ips *
    ports:
      # Caddy on 10.10.99.10 reverse-proxies to <this-vm>:8080. Binding
      # on all interfaces keeps the compose portable; lock down access
      # with the VM's host firewall (nftables / ufw) or upstream
      # (OPNsense) to only permit 10.10.99.10 → :8080.
      - "8080:8080"
    volumes:
      # SQLite DB + media uploads live on the host so container rebuilds /
      # image rolls don't wipe content. The container runs as uid 10001;
      # the host dir must be chown'd to match (see Ansible notes above).
      - ./data:/app/data
    restart: unless-stopped
    # Docker picks up the HEALTHCHECK baked into the image. `docker compose
    # ps` surfaces health status; systemd / Ansible tasks can gate on it.
    # Container-level logging caps so a chatty bot run doesn't fill the
    # VM disk before the host-side logrotate catches it.
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "5"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -21,10 +21,10 @@ services:
    env_file:
      - .env
    ports:
-      # Uvicorn listens on 8000 inside the container. In the production
+      # Uvicorn listens on 8080 inside the container (prod default). In
-      # topology Caddy fronts this; for local runs it's directly on the
+      # the production topology Caddy fronts this; for local runs it's
-      # host loopback via the mapped port.
+      # directly on the host loopback via the mapped port.
-      - "8000:8000"
+      - "8080:8080"
    volumes:
      # SQLite DB + media uploads live under data/. Mounting it keeps
      # state on the host so container rebuilds don't wipe content.
--- a/docs/MANUAL_TESTING.md
+++ b/docs/MANUAL_TESTING.md
@@ -161,3 +161,174 @@ Pre-requisites:
 - [ ] A newly-published post shows at the top of `/` within one request.
 - [ ] `/about` shows the most recently edited copy.
 - [ ] No admin-facing text (status, dashboard wording) leaks into the public HTML.
 ---
 ## Phase 5 — Contact Form
 Pre-requisites:
 - `ADMIN_CONTACT_EMAIL` set in `.env` (the destination inbox).
 - For the production-like happy path: `RESEND_API_KEY` + `RESEND_FROM`
  set; otherwise the send path logs `contact_notification_dev_fallback`
  and the admin inbox will not actually receive mail.
 - Optionally set `HCAPTCHA_SITE_KEY` + `HCAPTCHA_SECRET` to exercise
  the real widget; with both unset the dev fallback auto-passes and
  logs `hcaptcha_dev_fallback`.
 ### GET `/contact`
 - [ ] Page returns 200 and renders without console errors.
 - [ ] H1 reads **"Get in touch"**.
 - [ ] Name, email, and message fields render as editable inputs (no `disabled` attribute).
 - [ ] "Send message" button is enabled.
 - [ ] Form has `method="POST"` and `action="/contact"` (view source).
 - [ ] Honeypot `<input name="website">` is present in the markup but
      wrapped in a `.visually-hidden` container marked
      `aria-hidden="true"` — it is invisible to sighted users.
 - [ ] When `HCAPTCHA_SITE_KEY` is set, the `h-captcha` div and the
      `https://js.hcaptcha.com/1/api.js` script appear. When unset,
      neither appears.
 - [ ] Nav marks "Contact" as active.
 ### Happy path
 - [ ] Fill in Name, Email, Message (>= 10 chars) and submit.
 - [ ] Response is HTTP 200 and renders **"Thanks for reaching out"**.
 - [ ] `sqlite3 data/app.db "SELECT id, name, email, length(message), handled FROM contact_submissions"` shows the new row with `handled=0`.
 - [ ] Server log contains a `contact_submitted` structured event with a
      `message_preview` at most 40 chars long (no full body).
 - [ ] With `RESEND_API_KEY` set: admin inbox receives the notification
      email. `From:` matches `RESEND_FROM`; `Reply-To:` matches the
      submitted email; subject is `New contact submission from {name}`.
 - [ ] Without `RESEND_API_KEY`: server log contains
      `contact_notification_dev_fallback` with the submitter's name,
      email, and message length.
 ### Validation errors
 - [ ] Submitting with a blank name shows **"Please enter your name."** inline.
 - [ ] Submitting with `not-an-email` shows **"Please enter a valid email address."**.
 - [ ] Submitting with a 9-character message shows
      **"Message must be at least 10 characters."**.
 - [ ] Submitting with a > 4000-character message shows
      **"Message must be 4000 characters or fewer."**.
 - [ ] Submitting with a > 80-character name shows
      **"Name must be 80 characters or fewer."**.
 - [ ] The response status code on every validation failure is **400**.
 - [ ] Prior valid values remain filled in so the user doesn't retype.
 ### Spam paths
 - [ ] Filling the honeypot `website` field and submitting returns
      **"Thanks for reaching out"** (same as success) AND no row is
      persisted AND an audit row with
      `event_type='contact_spam_rejected'` and `reason=honeypot` exists.
 - [ ] With a real hCaptcha configured: submitting without solving the
      widget returns the same generic thank-you page. Audit row:
      `contact_spam_rejected` / `reason=hcaptcha`. No DB row.
 ### Rate limit
 - [ ] Submit the form **4 times** from the same browser session within
      an hour. The fourth submission returns HTTP **429** and renders
      the "Too many attempts" template. A `rate_limited` audit row is
      added with `scope=ip` and `endpoint=/contact`.
 ### Email send failure
 - [ ] With a valid form but `RESEND_API_KEY` pointed at an invalid key:
      the user still sees **"Thanks for reaching out"**, the DB row is
      created, and the server log contains
      `contact_notification_failed` (logged by EmailService). The user
      experience is indistinguishable from success.
 ### Ops smoke
 - [ ] `pytest -q tests/test_hcaptcha_service.py tests/test_contact_service.py tests/test_contact_routes.py` passes.
 - [ ] `python -c "from app.main import app; print(len(app.routes))"` prints a count greater than the Phase 4 count (the new `POST /contact` adds one route).
 ---
 ## Phase 6 — Hardening + Deploy
 Run a dev server alongside these checks:
 ```bash
 source venv/bin/activate
 uvicorn app.main:app --reload
 ```
 ### Security headers (`/`, `/contact`, `/admin/login`)
 - [ ] `curl -sI http://127.0.0.1:8000/ | grep -i content-security-policy`
      returns a policy containing `nonce-<...>`, `frame-ancestors 'none'`,
      `form-action 'self'`, and `https://js.hcaptcha.com` in `script-src`.
 - [ ] Two consecutive `curl -sI /` calls print **different** `nonce-<...>`
      values — the middleware mints one per request.
 - [ ] `X-Content-Type-Options: nosniff`, `Referrer-Policy:
      strict-origin-when-cross-origin`, `Cross-Origin-Opener-Policy:
      same-origin`, and a `Permissions-Policy` disabling camera /
      geolocation / microphone are all present on the response.
 - [ ] In development, `Strict-Transport-Security` is **absent** (so
      localhost over HTTP keeps working).
 - [ ] Set `APP_ENV=production` + all prod-required env vars and restart;
      confirm `Strict-Transport-Security: max-age=31536000;
      includeSubDomains` now appears.
 - [ ] Browser devtools console on `/` shows the inline nav-toggle
      script executes (the mobile hamburger still toggles the menu).
      No "Refused to execute inline script" CSP violations appear.
 - [ ] On `/contact`, the hCaptcha widget renders and its API script
      loads (no CSP violations in the console).
 - [ ] On any admin page, `admin_editor.js` loads and the live preview
      still updates as you type.
 ### Access log (`/healthz` quiet, magic-link redacted)
 - [ ] Normal page loads emit one `http_request` line with `method`,
      `path`, `status_code`, `duration_ms`, `client_ip`, and
      `user_agent` fields.
 - [ ] `curl http://127.0.0.1:8000/healthz` does **not** produce an
      `http_request` log line (the middleware skips `/healthz`).
 - [ ] Request a magic link, then hit the consume URL in the browser.
      The server log shows `path=/admin/auth/consume/<redacted>` —
      the raw token never appears in stdout.
 ### Dockerfile hardening
 - [ ] `docker compose build` succeeds.
 - [ ] `docker compose up -d` brings the service to healthy; inspect
      with `docker compose ps` — the STATUS column reads `(healthy)`
      within ~30s of startup.
 - [ ] `docker compose exec app id` reports `uid=10001(app) gid=10001(app)`.
 - [ ] `docker inspect --format '{{.State.Health.Status}}' <container>`
      returns `healthy`.
 ### Backup script
 - [ ] `./scripts/backup.sh` exits 0 and produces
      `data/backups/app-<ts>.db` and `data/backups/media-<ts>.tar.gz`.
 - [ ] `sqlite3 data/backups/app-<ts>.db "SELECT COUNT(*) FROM posts"`
      returns the same count as the live DB.
 - [ ] Run the script 15 times in a loop; after the 15th run, exactly
      14 `app-*.db` and 14 `media-*.tar.gz` artifacts remain in
      `data/backups/` (newest kept, older pruned).
 - [ ] Install the cron entry on the VM (example):
      `15 3 * * * cd /srv/chicken_babies_site && ./scripts/backup.sh
      >> /var/log/chicken_babies/backup.log 2>&1`.
 ### Gitea Actions workflow
 - [ ] Push a commit to `master` on Gitea and confirm the
      `Build and Push Docker Image` workflow runs to green.
 - [ ] `git.sneakygeek.net/ptarrant/chicken_babies_site:latest` and
      `:sha-<short>` tags exist in the registry afterwards.
 - [ ] Pulling the `:latest` image and hitting `/healthz` reports the
      expected `commit_sha` (matches the built commit).
 ### Ops smoke
 - [ ] `pytest -q` passes with no new failures beyond the known
      pre-existing two (`test_production_missing_key_refuses_startup`,
      `test_layout_includes_logo_image`).
 - [ ] `python -c "from app.main import app; print(len(app.routes))"`
      prints the same route count as before Phase 6 (no new routes).
--- a/docs/ROADMAP.md
+++ b/docs/ROADMAP.md
@@ -211,20 +211,83 @@ High-level phased plan. Each phase ends in a mergeable `dev` state and a passing
 **Verification run:**
 `python -c "from app.main import app"` ✓ (26 routes registered) · `pytest -q tests/test_slugs.py tests/test_csrf_service.py tests/test_media_service.py tests/test_admin_posts_service.py tests/test_admin_pages_service.py tests/test_admin_cms_routes.py tests/test_admin_routes.py` → 64 passed ✓ · full `pytest -q` → 118 passed, 2 failed; both failures are pre-existing on `dev` (the `logo.` → `logo-mark.` asset rename in commit `f5098c0`; and the `RESEND_FROM`/`ADMIN_EMAILS` pollution from local `.env` into the Settings-validator test) and unrelated to Phase 4.
-## Phase 5 — Contact Form
+## Phase 5 — Contact Form ✅
- `/contact` POST flow: field validation → hCaptcha verify → honeypot check → rate limit → `Resend` send → persist submission row → success page.
+**Completed:** 2026-04-22
 - `FROM` on verified domain; `Reply-To` = submitter's email.
 - No internal errors leak to the user; they see a generic "something went wrong, please try again".
-## Phase 6 — Hardening + Deploy
+**Summary:** Shipped the public contact form: live POST handler with honeypot → hCaptcha (server-verify) → field validation → SlowAPI rate limit → `contact_submissions` row insert → best-effort Resend notification to `ADMIN_CONTACT_EMAIL` (Reply-To = submitter) → generic `contact_sent.html` success page. Spam / honeypot / hCaptcha-fail paths don't persist, still render the success page (anti-enumeration). Send failures don't break the request path — the row is already durable.
- Security headers middleware (strict nonce-based CSP, HSTS, etc.).
+**Key files:**
- CSRF middleware on admin routes (double-submit cookie).
+- `app/services/hcaptcha.py` — `HCaptchaService(settings).verify(token, remote_ip) -> bool`. Async `httpx.AsyncClient` POST to `https://hcaptcha.com/siteverify` with a 5s timeout. Dev fallback: when `hcaptcha_secret` is falsy, logs `hcaptcha_dev_fallback` and returns `True`. Fail-closed on any network error / non-200 / malformed JSON / `success=false` (returns `False`). Never raises from the request path.
- Structured access log + error log (structlog JSON in prod, pretty in dev).
+- `app/services/contact.py` — `ContactService(engine, email, audit, settings)`: `record_submission(...)` inserts a `contact_submissions` row and returns a mapped `ContactSubmission`; `send_notification(submission)` is best-effort (never raises, no-ops when `admin_contact_email` is unset — only possible in dev).
- Backup script: `sqlite3 data/app.db ".backup data/backups/app-<ts>.db"` plus a tar of `data/media/`; cron nightly on the VM.
+- `app/services/email.py` — added `send_contact_notification(*, to, submission_name, submission_email, message, submitted_at, ip)`. Subject `"New contact submission from {submission_name}"`. `from_=settings.resend_from`, `reply_to=submission.email`. Dev fallback logs `contact_notification_dev_fallback`. Resend errors are caught + logged (`contact_email_failed`); request path never sees them.
- Dockerfile hardening: non-root user, slim base, `HEALTHCHECK`.
+- `app/templates/emails/contact_notification.html` + `.txt` — admin notification bodies (name, email, message, submitted_at ISO, ip). Jinja2 autoescape handles all user-supplied fields.
- Gitea Action: on tag push, build image and publish to the internal registry.
+- `app/templates/public/contact.html` — replaces the Phase 1 inert form: `method="POST"`, name / email / message inputs with HTML5 length bounds + server-side re-validation, visually-hidden honeypot `website` input, hCaptcha widget rendered only when `hcaptcha_site_key` is truthy (dev just shows an HTML comment), inline `errors.{field}` + top-level `form_error` flash slots.
 - `app/templates/public/contact_sent.html` — thank-you page; `active_nav = "contact"`; back-to-home link.
 - `app/routes/public.py` — added `POST /contact` handler decorated `@limiter.limit("3/hour")`. Strict 6-stage flow (honeypot → hCaptcha → validate → persist → notify → success). DI helpers `_get_hcaptcha_service` / `_get_contact_service`; `_client_ip` / `_user_agent` shared with admin module's pattern. Also tightened `GET /contact` to pass the new template context (`hcaptcha_site_key`, `errors`, `form`, `form_error`).
 - `app/main.py` — instantiates `HCaptchaService(settings)` and `ContactService(engine, email_service, audit_service, settings)`; attaches to `app.state.hcaptcha_service` / `app.state.contact_service`.
 - `app/config.py` — extended `_require_auth_config_in_production` to also require `ADMIN_CONTACT_EMAIL`, `HCAPTCHA_SECRET`, and `HCAPTCHA_SITE_KEY` in production (missing any → `ValueError` at startup).
 - `app/static/css/site.css` — added `.contact-form__field-error`, `.contact-form__error`, `.contact-form__captcha`, and the visually-hidden honeypot rule.
 - `docs/MANUAL_TESTING.md` — appended Phase 5 checklist (happy path, honeypot, hCaptcha fail, rate-limit 429, inline validation, dev fallback log, admin inbox Reply-To, production-config refusal).
 - Tests: `tests/test_hcaptcha_service.py` (9), `tests/test_contact_service.py` (5), `tests/test_contact_routes.py` (9) — 23 new tests; temp-SQLite fixtures per CLAUDE.md, httpx boundary mocked at `_post_siteverify`.
 **Endpoints created:**
 - `POST /contact` — the public submission endpoint. Accepts `name`, `email`, `message`, hidden `website` (honeypot), and `h-captcha-response` as multipart/form-urlencoded. Returns 200 `contact_sent.html` on success / spam / honeypot; 400 `contact.html` with inline errors on validation fail; 429 `admin/rate_limited.html` when the SlowAPI 3/hour IP limit trips.
 - `GET /contact` — unchanged URL, now returns the live (non-disabled) form with hCaptcha widget when configured. Pre-Phase-5 this was the inert placeholder.
 **Key details:**
 - **Spam short-circuit is anti-enumeration.** Honeypot trip or hCaptcha `False` both render the same generic success page so bot operators can't probe which filter caught them. The audit row (`contact_spam_rejected` with `{"reason":"honeypot"|"hcaptcha"}`) is the only signal — in the DB, not the HTTP response.
 - **Send failure is idempotent from the user's perspective.** `ContactService.record_submission` commits before `send_notification` is called; if Resend is down, the row is still in `contact_submissions` and Head Hen can action it from the table. The request path always ends at `contact_sent.html`.
 - **No CSRF on `/contact`.** Public, pre-auth, no session cookie to hijack. SlowAPI + hCaptcha + honeypot + DB-side `contact_submissions` audit are the controls. Documented inline in the route docstring.
 - **Field validation lives in the route, not the service.** `name` 1-80; `email` matches `^[^@\s]+@[^@\s]+\.[^@\s]+$` AND length ≤254; `message` 10-4000 after `.strip()`. On error: re-render with `errors` dict + preserved values + HTTP 400.
 - **Audit trail extends cleanly.** New event types on the existing `auth_events` table: `contact_submitted` (with `submission_id`, `message_length`, truncated 40-char `message_preview`), `contact_spam_rejected` (with `reason`), `contact_send_failed` (from email service's internal catch). No full message bodies ever flow into audit detail.
 - **hCaptcha widget is optional in dev.** Template renders `<div class="h-captcha" data-sitekey="{{ hcaptcha_site_key }}"></div>` + the remote `api.js` only when the site key is truthy; otherwise an HTML comment stands in. The server-side verify service mirrors this by returning `True` when the secret is unset.
 - **Reusing Phase 3's 429 handler is acceptable for now.** The registered `RateLimitExceeded` handler renders `admin/rate_limited.html`; on `/contact` it works but carries admin styling. Flagged in the Phase 6 polish list (not blocking).
 - **Production config now requires three more fields.** Missing any of `ADMIN_CONTACT_EMAIL`, `HCAPTCHA_SECRET`, `HCAPTCHA_SITE_KEY` in `APP_ENV=production` raises at startup via `_require_auth_config_in_production`. Mirrors the Phase 3 guardrail pattern.
 - **Phase 6 hooks ready:** nonce-based CSP, HSTS, access-log middleware, a public-styled 429 template, and a Dockerfile hardening pass are all still standing as originally planned — none blocked Phase 5.
 - **No new packages.** All deps (`httpx`, `slowapi`, `resend`, `jinja2`, `structlog`, `itsdangerous`) were already pinned in Phase 0's `requirements.txt`.
 **Verification run:**
 `python -c "from app.main import app; print(len(app.routes))"` → **27** (Phase 4 registered 26; one new `POST /contact`) ✓ · `pytest -q` → **141 passed, 2 failed**; both failures confirmed pre-existing on `dev` (the Phase 4 `logo.` → `logo-mark.` asset rename and the `RESEND_FROM`/`ADMIN_EMAILS` pollution from local `.env` into `test_production_missing_key_refuses_startup`) — verified by running the same two targeted tests on a clean `dev` checkout, both failed there too ✓ · `docker compose config` exit 0 ✓ · route registry confirmed: `('/contact', ['GET'])` + `('/contact', ['POST'])` ✓.
 **Branch:** `feat/phase-5-contact-form` off `dev`. Not committed, not merged, not pushed — changes staged for human review before `--no-ff` merge into `dev` per CLAUDE.md git strategy.
 ## Phase 6 — Hardening + Deploy ✅
 **Completed:** 2026-04-22
 **Summary:** Locked down the HTTP surface with a strict nonce-based CSP (plus HSTS in prod, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`, `Cross-Origin-Opener-Policy`, `frame-ancestors`, `form-action`), added a structured per-request access-log middleware with magic-link path redaction and `/healthz` suppression, hardened the Docker image (non-root uid/gid 10001 + `HEALTHCHECK` against `/healthz`), shipped a backup script with 14-day retention, and wired a Gitea Actions workflow that publishes `git.sneakygeek.net/ptarrant/chicken_babies_site:latest` + `:sha-<short>` on every push to `master` (plus `workflow_dispatch`). CSRF middleware was already live from Phase 4 — that roadmap bullet was a no-op here.
 **Key files:**
 - `app/middleware/__init__.py` — package marker.
 - `app/middleware/security_headers.py` — `SecurityHeadersMiddleware(BaseHTTPMiddleware)`. Per-request nonce via `secrets.token_urlsafe(16)`, stashed on `request.state.csp_nonce`. CSP builds on each dispatch so the nonce threads into `script-src`. Conditional HSTS: constructor takes `production: bool`, only emits `Strict-Transport-Security: max-age=31536000; includeSubDomains` when `True` so localhost-over-http dev still works. Also sets `X-Content-Type-Options: nosniff`, `Referrer-Policy: strict-origin-when-cross-origin`, `Permissions-Policy: accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()`, `Cross-Origin-Opener-Policy: same-origin`.
 - `app/middleware/access_log.py` — `AccessLogMiddleware(BaseHTTPMiddleware)` emits one `http_request` INFO event per request with `method`, `path`, `status_code`, `duration_ms` (int), `client_ip` (from `request.client.host` — already resolved through `ProxyHeadersMiddleware`), `user_agent` (truncated to 256 chars). Skips `/healthz` to avoid compose-loop noise. Paths matching `^/admin/auth/consume/` have the token segment replaced with `<redacted>` before logging. Unhandled downstream exceptions are logged with `status_code=500`, then re-raised so FastAPI's exception machinery still runs.
 - `app/main.py` — imports + wires both middlewares. Install order: `SecurityHeadersMiddleware` added first, `AccessLogMiddleware` added last. FastAPI/Starlette wraps in reverse registration order, so the access log runs outermost (timing covers the whole stack) and the security headers run innermost (stamped onto the response before the access log times it). Inline comment documents the ordering so future edits don't flip it.
 - `app/templates/public/base.html` — line 110 inline `<script>` now carries `nonce="{{ request.state.csp_nonce }}"` so it passes strict CSP. External hCaptcha script on `public/contact.html` left alone (allowlisted by origin in `script-src`, not nonced). Admin templates were all-external-JS already; nothing to patch there.
 - `Dockerfile` — runtime stage adds `groupadd -g 10001 app && useradd -m -u 10001 -g app app`, `chown -R app:app /app /opt/venv`, and `USER app` before `CMD`. Stable UID/GID keeps host bind-mount ownership predictable. `HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 CMD python -c "import urllib.request,sys; urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=2)"` — stdlib only, no curl/wget runtime dep.
 - `scripts/backup.sh` — `set -euo pipefail`, UTC timestamp (`%Y%m%dT%H%M%SZ`), `sqlite3 data/app.db ".backup data/backups/app-<ts>.db"` + `tar -czf data/backups/media-<ts>.tar.gz data/media`, retention `ls -t | tail -n +15 | xargs -r rm` so only the newest 14 of each artifact survive. `mkdir -p data/backups` is idempotent. Chmod +x committed.
 - `.gitea/workflows/build-image.yml` — triggers on `push` to `master` + `workflow_dispatch`. Buildx + `docker/login-action@v3` using `${{ gitea.actor }}` / `${{ secrets.REGISTRY_TOKEN }}`. `metadata-action@v5` tags: `latest` + `sha-<short>`. `build-push-action@v5` passes `build-args: GIT_COMMIT_SHA=${{ gitea.sha }}` so `/healthz` reports the real commit in deployed images. Registry cache-from/to pinned to the `:buildcache` tag.
 - `docs/MANUAL_TESTING.md` — appended Phase 6 checklist (security headers via curl, nonce uniqueness, HSTS dev/prod diff, hCaptcha still loads, admin editor still works, HEALTHCHECK `docker ps` healthy, backup dry run, retention prune).
 - `tests/test_security_headers.py` (4 tests) — asserts every expected header is present on `/`, CSP contains `nonce-`, two back-to-back requests get different nonces, HSTS is absent when the middleware is constructed with `production=False` and present with `max-age=31536000; includeSubDomains` when `production=True`.
 - `tests/test_access_log.py` (4 tests) — capsys-based capture with ANSI-escape stripping. Verifies `http_request` events fire for 200/404, `/healthz` is skipped, `/admin/auth/consume/<token>` is redacted before logging, and a downstream-handler exception is logged with `status_code=500` then re-raised.
 **Endpoints created:** none. Phase 6 is cross-cutting — route count stayed at 28.
 **Key details:**
 - **CSP policy (effective):** `default-src 'self'; script-src 'self' 'nonce-<N>' https://js.hcaptcha.com https://*.hcaptcha.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' https://*.hcaptcha.com; frame-src https://*.hcaptcha.com https://newassets.hcaptcha.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'`. `style-src 'unsafe-inline'` is kept for now because hCaptcha injects inline style into its widget; tightening it is a future task.
 - **Single inline script remaining:** `public/base.html`'s mobile-nav toggle. The admin editor and everything else are external files already, so no admin template needed a nonce. `contact.html`'s external hCaptcha script is allowed by origin; external scripts don't take nonces.
 - **HSTS is production-gated.** Local dev over `http://127.0.0.1:8000` stays reachable. Prod flips on the header via the `production=(settings.app_env == "production")` flag in `create_app`.
 - **Access log redaction is defence-in-depth.** The magic-link consume route already signs / hashes / single-uses the token, so even if a log line leaked it'd be unreplayable. Redacting anyway keeps the log grep-friendly and avoids any accidental downstream ingestion storing the raw value.
 - **`/healthz` skipped from access logs** to keep compose's 30s HEALTHCHECK from drowning signal in noise. Still fully served — just not logged.
 - **Middleware install order pitfall documented.** FastAPI/Starlette wrap in reverse registration order; the outermost middleware is the LAST one added. `app/main.py` now has an inline comment so a future refactor doesn't silently flip timing vs. security behaviour.
 - **Docker image runs as non-root (uid 10001).** Host bind-mount (`./data:/app/data`) must be writable by this uid. Docs/MANUAL_TESTING notes `chown -R 10001:10001 data/` or mounting into a uid-remapped volume as the host-side prep step.
 - **Gitea workflow publishes on every `master` push.** No tag trigger this phase; release tags can be layered on later without touching the workflow.
 - **Build-arg discipline preserved.** Workflow passes `GIT_COMMIT_SHA=${{ gitea.sha }}` so the published image keeps reporting the correct SHA through `/healthz` — the Phase 0 contract holds.
 - **Backup script is host-side only.** Cron installation is a sysadmin step documented in MANUAL_TESTING; the repo deliberately does not ship a systemd unit to keep it host-agnostic.
 - **Pre-existing test failures are still pre-existing.** `test_production_missing_key_refuses_startup` (env pollution) and `test_layout_includes_logo_image` (Phase 4 `logo` → `logo-mark` asset rename) failed on `dev` before this phase; they still fail, and they are NOT Phase 6 regressions.
 **Verification run:**
 `python -c "from app.main import app; print(len(app.routes))"` → **28** (unchanged) ✓ · `pytest -q` → **149 passed, 2 failed** — both failures confirmed pre-existing on `dev` ✓ · dev-mode TestClient `/`: CSP present with unique nonce across two requests, HSTS absent, `X-Content-Type-Options=nosniff`, `Referrer-Policy=strict-origin-when-cross-origin`, `Permissions-Policy` present, `frame-ancestors 'none'` in CSP, nonce value matches the `nonce="..."` attribute emitted into the HTML ✓ · prod-mode (`APP_ENV=production` + full config env) `/`: `Strict-Transport-Security: max-age=31536000; includeSubDomains` present, JSON access-log line emitted ✓ · `/healthz` returns 200 without producing an `http_request` log entry ✓ · `bash -n scripts/backup.sh` clean ✓ · `python -c "import yaml; yaml.safe_load(open('.gitea/workflows/build-image.yml'))"` clean ✓ · `scripts/backup.sh` is `-rwxrwxr-x` (executable) ✓.
 ## Phase 7 (Future) — Shop
--- a/run_dev.sh
+++ b/run_dev.sh
@@ -0,0 +1,65 @@
 #!/usr/bin/env bash
 # ---------------------------------------------------------------------------
 # Chicken Babies R Us — local dev launcher.
 #
 # Runs uvicorn directly on the host (no docker). Used for fast iteration on
 # routes, templates, CSS, and middleware. Set APP_ENV=production in front
 # of this script if you want to smoke-test the prod-only code paths (HSTS,
 # JSON logs, prod-config guardrails).
 #
 # Usage:
 #   ./run_dev.sh                    # dev mode, reload on
 #   ./run_dev.sh --no-reload        # dev mode, reload off
 #   PORT=8001 ./run_dev.sh          # override listen port (default 8000)
 # ---------------------------------------------------------------------------
 set -euo pipefail
 # Anchor paths to the repo root so the script works from any cwd.
 cd "$(dirname "$0")"
 VENV_DIR="venv"
 PYTHON_BIN="${PYTHON_BIN:-python3.12}"
 PORT="${PORT:-8080}"
 HOST="${HOST:-127.0.0.1}"
 # 1. Virtualenv -------------------------------------------------------------
 if [[ ! -x "${VENV_DIR}/bin/python" ]]; then
  echo "==> Creating venv at ${VENV_DIR}/"
  "${PYTHON_BIN}" -m venv "${VENV_DIR}"
 fi
 # shellcheck disable=SC1091
 source "${VENV_DIR}/bin/activate"
 # 2. Requirements (reinstall if requirements.txt is newer than the stamp) ---
 STAMP="${VENV_DIR}/.requirements.stamp"
 if [[ requirements.txt -nt "${STAMP}" ]]; then
  echo "==> Installing / updating dependencies"
  pip install --quiet --upgrade pip
  pip install --quiet -r requirements.txt
  touch "${STAMP}"
 fi
 # 3. .env ------------------------------------------------------------------
 if [[ ! -f .env ]]; then
  echo "==> No .env found; copying from .env.example"
  cp .env.example .env
  echo "    Edit .env to set SECRET_KEY / RESEND_API_KEY / HCAPTCHA_* as needed."
 fi
 # 4. Data dir --------------------------------------------------------------
 mkdir -p data/media data/backups
 # 5. Launch ----------------------------------------------------------------
 RELOAD_FLAG="--reload"
 if [[ "${1:-}" == "--no-reload" ]]; then
  RELOAD_FLAG=""
 fi
 echo "==> uvicorn on http://${HOST}:${PORT}  (APP_ENV=${APP_ENV:-development})"
 # shellcheck disable=SC2086
 exec uvicorn app.main:app \
  --host "${HOST}" \
  --port "${PORT}" \
  ${RELOAD_FLAG} \
  --proxy-headers \
  --forwarded-allow-ips 127.0.0.1
--- a/scripts/backup.sh
+++ b/scripts/backup.sh
@@ -0,0 +1,64 @@
 #!/usr/bin/env bash
 # ---------------------------------------------------------------------------
 # scripts/backup.sh — local SQLite + media snapshot
 #
 # Produces two artifacts under data/backups/:
 #   app-<ts>.db          : SQLite .backup of the live database (safe while
 #                          the app is running; sqlite3 .backup coordinates
 #                          with WAL).
 #   media-<ts>.tar.gz    : tar archive of the media upload directory.
 #
 # Retention: keep the 14 newest of each artifact; prune the rest.
 #
 # The script is intended to be invoked by cron on the Debian VM. Example
 # crontab line (daily at 03:15 UTC):
 #     15 3 * * * cd /srv/chicken_babies_site && ./scripts/backup.sh \
 #         >> /var/log/chicken_babies/backup.log 2>&1
 #
 # Exit codes:
 #   0 on success. Any failing step aborts via `set -e` with a non-zero
 #   status so cron emails / log scrapers can flag it.
 # ---------------------------------------------------------------------------
 set -euo pipefail
 # UTC timestamp: sortable, compact, unambiguous. Matches the ISO-8601
 # "basic" form with a literal Z suffix.
 TS="$(date -u +%Y%m%dT%H%M%SZ)"
 BACKUP_DIR="data/backups"
 DB_SRC="data/app.db"
 MEDIA_SRC="data/media"
 # Ensure the output directory exists. `mkdir -p` is idempotent and never
 # fails if the directory already exists, which is exactly what we want.
 mkdir -p "${BACKUP_DIR}"
 # --- SQLite snapshot ------------------------------------------------------
 # Use sqlite3's .backup command rather than `cp` so we get a consistent
 # copy even if the database is actively being written to. sqlite3 serialises
 # with the WAL and produces a file that's safe to open elsewhere.
 DB_DEST="${BACKUP_DIR}/app-${TS}.db"
 sqlite3 "${DB_SRC}" ".backup ${DB_DEST}"
 # --- Media archive --------------------------------------------------------
 # tar the whole media tree. gzip compression keeps the archive small for
 # typical image payloads; restore is just `tar -xzf`.
 MEDIA_DEST="${BACKUP_DIR}/media-${TS}.tar.gz"
 tar -czf "${MEDIA_DEST}" "${MEDIA_SRC}"
 # --- Retention prune -------------------------------------------------------
 # Keep the 14 newest of each type; delete the rest. ls -t sorts newest-
 # first; tail -n +15 drops the first 14 lines (the survivors). We guard
 # each rm with `|| true` so a cold start with fewer than 14 artifacts
 # doesn't cause the script to exit non-zero via `set -e`.
 keep_newest_14() {
    local pattern="$1"
    # shellcheck disable=SC2012  # `ls -t` is the simplest way to sort by mtime
    ls -1t ${pattern} 2>/dev/null | tail -n +15 | xargs -r rm -f
 }
 keep_newest_14 "${BACKUP_DIR}/app-*.db"
 keep_newest_14 "${BACKUP_DIR}/media-*.tar.gz"
 echo "backup complete: ${DB_DEST}, ${MEDIA_DEST}"
--- a/tests/test_access_log.py
+++ b/tests/test_access_log.py
@@ -0,0 +1,112 @@
 """Tests for :class:`app.middleware.AccessLogMiddleware`.
 structlog in this project is wired through ``PrintLoggerFactory`` (see
 :mod:`app.logging_config`), which emits rendered log lines to stdout.
 We therefore capture via pytest's ``capsys`` fixture — the same pattern
 :mod:`tests.test_email_service` uses for its dev-fallback assertion.
 Coverage:
 - Every request produces an ``http_request`` log line including the
  method, the path, and a status code.
 - ``/healthz`` is skipped (reduces compose healthcheck noise).
 - Magic-link consume paths have their token segment redacted to
  ``<redacted>`` before the line is emitted.
 """
 from __future__ import annotations
 import re
 import pytest
 from fastapi.testclient import TestClient
 from app.logging_config import configure_logging
 from app.main import app
 # ConsoleRenderer wraps keys / values in ANSI colour escapes; strip them
 # so substring assertions can pattern-match on the semantic payload
 # rather than the rendering.
 _ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")
 def _strip_ansi(text: str) -> str:
    """Return ``text`` with ANSI terminal escapes removed."""
    return _ANSI_RE.sub("", text)
@pytest.fixture
 def client(capsys: pytest.CaptureFixture[str]) -> TestClient:
    """Return a TestClient with structlog reconfigured for capture.
    The test harness may be left in any state by a previously run test;
    re-calling :func:`configure_logging` guarantees the ConsoleRenderer
    pipeline is active so ``capsys`` actually sees the log lines.
    ``capsys.readouterr()`` is called on entry so existing startup
    output (``app_started``, etc.) doesn't leak into the per-test
    assertions.
    """
    configure_logging("development")
    capsys.readouterr()  # drain any buffered prior output
    return TestClient(app)
 def test_request_emits_http_request_event(
    client: TestClient, capsys: pytest.CaptureFixture[str]
 ) -> None:
    """A single GET to / produces an ``http_request`` log line."""
    response = client.get("/")
    assert response.status_code == 200
    out = _strip_ansi(capsys.readouterr().out)
    assert "http_request" in out
    # The structured keys must also be present in the rendered line.
    assert "method=GET" in out
    assert "path=/" in out
    assert "status_code=200" in out
 def test_healthz_is_skipped(
    client: TestClient, capsys: pytest.CaptureFixture[str]
 ) -> None:
    """``/healthz`` requests do NOT produce an ``http_request`` event.
    Compose / Docker health probes hit this path every 30s; logging
    every probe would drown out real traffic.
    """
    response = client.get("/healthz")
    assert response.status_code == 200
    out = _strip_ansi(capsys.readouterr().out)
    assert "http_request" not in out, (
        "AccessLogMiddleware should skip /healthz, but emitted: "
        f"{out!r}"
    )
 def test_consume_path_is_redacted(
    client: TestClient, capsys: pytest.CaptureFixture[str]
 ) -> None:
    """Magic-link consume tokens must never appear in the access log.
    We hit the consume route with a synthetic token; the downstream
    handler will return 4xx (token doesn't match any DB row), but
    the middleware still runs — and its log line must carry the
    redacted path, not the raw token.
    """
    fake_token = "super-secret-token-value-that-must-not-leak-1234567890"
    response = client.get(f"/admin/auth/consume/{fake_token}")
    # We don't care what status the router returns — only that the log
    # entry for this request redacts the token.
    assert response.status_code in (302, 303, 400, 401, 403, 404), (
        f"unexpected status {response.status_code}"
    )
    out = _strip_ansi(capsys.readouterr().out)
    assert "http_request" in out
    assert "/admin/auth/consume/<redacted>" in out
    assert fake_token not in out, (
        "raw magic-link token appeared in access log output"
    )
--- a/tests/test_contact_routes.py
+++ b/tests/test_contact_routes.py
@@ -0,0 +1,319 @@
 """End-to-end HTTP tests for the Phase 5 contact form.
 Each test builds its own FastAPI app against a fresh temp-file SQLite
 database and resets the SlowAPI limiter between runs, matching the
 pattern used by ``test_admin_routes.py`` / ``test_rate_limit.py``.
 We stub :meth:`HCaptchaService.verify` at the ``app.state`` boundary
 so hCaptcha decisions are deterministic without network access; the
 service's own unit tests exercise the real verification path.
 """
 from __future__ import annotations
 import importlib
 from pathlib import Path
 from typing import Iterator
 import pytest
 from fastapi.testclient import TestClient
 from sqlalchemy import text
@pytest.fixture
 def contact_app(
    tmp_path: Path, monkeypatch: pytest.MonkeyPatch
 ) -> Iterator[tuple[TestClient, dict]]:
    """Build a fresh FastAPI app wired to a tmp DB + captured sends."""
    monkeypatch.setenv("DATABASE_URL", f"sqlite:///{tmp_path}/contact.db")
    monkeypatch.setenv("ADMIN_EMAILS", "headhen@example.com")
    monkeypatch.setenv("ADMIN_CONTACT_EMAIL", "head-hen@example.com")
    monkeypatch.setenv("APP_ENV", "development")
    monkeypatch.setenv(
        "SECRET_KEY", "test-only-secret-key-0123456789abcdef-XYZ"
    )
    monkeypatch.setenv("RESEND_API_KEY", "")
    monkeypatch.setenv("HCAPTCHA_SECRET", "")
    monkeypatch.setenv("HCAPTCHA_SITE_KEY", "")
    monkeypatch.setenv("PUBLIC_BASE_URL", "http://testserver")
    from app import config as _config
    _config.get_settings.cache_clear()
    import app.main as main_module
    importlib.reload(main_module)
    app = main_module.app
    captured: dict = {"emails": [], "hcaptcha": []}
    # Intercept the email dispatch so we can assert it was called
    # (or NOT called) without talking to Resend.
    def _capture_email(**kw) -> None:
        captured["emails"].append(kw)
    app.state.email_service.send_contact_notification = _capture_email  # type: ignore[assignment]
    # Default: hCaptcha returns True. Individual tests override.
    async def _hc_ok(token: str, remote_ip: str) -> bool:
        captured["hcaptcha"].append({"token": token, "ip": remote_ip})
        return True
    app.state.hcaptcha_service.verify = _hc_ok  # type: ignore[assignment]
    # Reset rate limiter between tests (module-level singleton).
    from app.services.rate_limit import limiter
    limiter.reset()
    with TestClient(app) as client:
        yield client, captured
    _config.get_settings.cache_clear()
 def _count(app, table: str, where: str = "1=1") -> int:
    with app.state.engine.connect() as conn:
        row = conn.execute(
            text(f"SELECT COUNT(*) AS c FROM {table} WHERE {where}")
        ).mappings().first()
    return int(row["c"]) if row is not None else 0
 def _audit_details(app, event_type: str) -> list[str]:
    with app.state.engine.connect() as conn:
        rows = conn.execute(
            text(
                "SELECT detail FROM auth_events WHERE event_type = :t"
                " ORDER BY id"
            ),
            {"t": event_type},
        ).mappings().all()
    return [str(r["detail"]) for r in rows]
 def test_get_contact_renders_live_form(contact_app) -> None:
    """GET /contact shows the live form + honeypot + no disabled attr."""
    client, _ = contact_app
    resp = client.get("/contact")
    assert resp.status_code == 200
    assert "Get in touch" in resp.text
    assert 'method="POST"' in resp.text
    assert 'action="/contact"' in resp.text
    # Honeypot field is present but inside a visually-hidden container.
    assert 'name="website"' in resp.text
    assert 'aria-hidden="true"' in resp.text
    # Dev: no hCaptcha site key → widget not rendered.
    assert "js.hcaptcha.com" not in resp.text
 def test_post_contact_happy_path_persists_and_sends(contact_app) -> None:
    """A valid submission writes a row, calls email, renders success."""
    client, captured = contact_app
    # Use a message whose final words sit past the 40-char preview
    # cutoff so the full body doesn't leak into the audit detail.
    long_message = (
        "Hello there, I'd like to reserve a ROOSTER named Bernard as soon"
        " as possible."
    )
    resp = client.post(
        "/contact",
        data={
            "name": "Ada Lovelace",
            "email": "ada@example.com",
            "message": long_message,
            "website": "",  # honeypot empty
        },
    )
    assert resp.status_code == 200
    assert "Thanks for reaching out" in resp.text
    # Row persisted.
    assert _count(client.app, "contact_submissions") == 1
    with client.app.state.engine.connect() as conn:
        row = conn.execute(
            text("SELECT name, email, message FROM contact_submissions")
        ).mappings().first()
    assert row is not None
    assert row["name"] == "Ada Lovelace"
    assert row["email"] == "ada@example.com"
    assert row["message"] == long_message
    # Email dispatched (intercepted).
    assert len(captured["emails"]) == 1
    assert captured["emails"][0]["to"] == "head-hen@example.com"
    assert captured["emails"][0]["submission_name"] == "Ada Lovelace"
    # Audit row emitted.
    details = _audit_details(client.app, "contact_submitted")
    assert len(details) == 1
    assert "message_length" in details[0]
    # The full message body must NOT leak in the audit detail — only
    # the first 40 chars (preview) and the length.
    assert "Bernard" not in details[0], (
        "audit detail leaked past the 40-char preview window"
    )
    # Preview is truncated to 40 chars.
    assert "message_preview" in details[0]
 def test_honeypot_tripped_rejected_silently(contact_app) -> None:
    """A non-empty honeypot short-circuits to the success page, no row."""
    client, captured = contact_app
    resp = client.post(
        "/contact",
        data={
            "name": "Spammy",
            "email": "spam@example.com",
            "message": "This is a valid-looking message.",
            "website": "http://spam.example.com",
        },
    )
    assert resp.status_code == 200
    assert "Thanks for reaching out" in resp.text
    # No DB row, no email.
    assert _count(client.app, "contact_submissions") == 0
    assert captured["emails"] == []
    # Audit row captures the rejection reason.
    details = _audit_details(client.app, "contact_spam_rejected")
    assert len(details) == 1
    assert "\"reason\": \"honeypot\"" in details[0]
 def test_hcaptcha_fail_rejected_silently(contact_app) -> None:
    """hCaptcha False also lands on the generic success page silently."""
    client, captured = contact_app
    async def _hc_fail(token: str, remote_ip: str) -> bool:
        return False
    client.app.state.hcaptcha_service.verify = _hc_fail  # type: ignore[assignment]
    resp = client.post(
        "/contact",
        data={
            "name": "Ada",
            "email": "ada@example.com",
            "message": "Please get back to me about eggs.",
            "website": "",
        },
    )
    assert resp.status_code == 200
    assert "Thanks for reaching out" in resp.text
    assert _count(client.app, "contact_submissions") == 0
    assert captured["emails"] == []
    details = _audit_details(client.app, "contact_spam_rejected")
    assert len(details) == 1
    assert "\"reason\": \"hcaptcha\"" in details[0]
 def test_validation_errors_rerender_form(contact_app) -> None:
    """Empty / short / malformed fields re-render the form at 400."""
    client, _ = contact_app
    # Empty name + bad email + short message.
    resp = client.post(
        "/contact",
        data={
            "name": "",
            "email": "not-an-email",
            "message": "hi",
            "website": "",
        },
    )
    assert resp.status_code == 400
    # Inline error messages surface.
    assert "Please enter your name." in resp.text
    assert "valid email" in resp.text
    assert "at least 10 characters" in resp.text
    # The form echoes the submitted values so the user doesn't retype.
    assert 'value="not-an-email"' in resp.text
    # Nothing persisted.
    assert _count(client.app, "contact_submissions") == 0
 def test_name_too_long_rejected(contact_app) -> None:
    """Name > 80 chars is rejected with an inline error."""
    client, _ = contact_app
    resp = client.post(
        "/contact",
        data={
            "name": "A" * 81,
            "email": "ada@example.com",
            "message": "Please do get back to me.",
            "website": "",
        },
    )
    assert resp.status_code == 400
    assert "80 characters" in resp.text
 def test_message_too_long_rejected(contact_app) -> None:
    """Message > 4000 chars is rejected with an inline error."""
    client, _ = contact_app
    resp = client.post(
        "/contact",
        data={
            "name": "Ada",
            "email": "ada@example.com",
            "message": "x" * 4001,
            "website": "",
        },
    )
    assert resp.status_code == 400
    assert "4000 characters" in resp.text
 def test_rate_limit_trips_on_fourth(contact_app) -> None:
    """3 submissions/hour per IP; the 4th returns 429."""
    client, _ = contact_app
    data = {
        "name": "Ada",
        "email": "ada@example.com",
        "message": "Please get back to me about eggs.",
        "website": "",
    }
    for i in range(3):
        resp = client.post("/contact", data=data)
        assert resp.status_code == 200, (i, resp.text[:200])
    resp = client.post("/contact", data=data)
    assert resp.status_code == 429
    assert "Too many attempts" in resp.text
 def test_email_send_failure_still_returns_success(
    contact_app, monkeypatch: pytest.MonkeyPatch
 ) -> None:
    """If the email dispatch blows up, the user still sees the thank-you page."""
    client, _ = contact_app
    def _boom(**kw) -> None:
        raise RuntimeError("pretend Resend died")
    client.app.state.email_service.send_contact_notification = _boom  # type: ignore[assignment]
    resp = client.post(
        "/contact",
        data={
            "name": "Ada",
            "email": "ada@example.com",
            "message": "Please reach out when you have a moment.",
            "website": "",
        },
    )
    assert resp.status_code == 200
    assert "Thanks for reaching out" in resp.text
    # Row still persisted — the user's message is not lost even though
    # the notification failed.
    assert _count(client.app, "contact_submissions") == 1
--- a/tests/test_contact_service.py
+++ b/tests/test_contact_service.py
@@ -0,0 +1,217 @@
 """Tests for :class:`app.services.contact.ContactService`.
 Exercises the service against a real temp-file SQLite database
 (``clean_db_engine`` fixture) so the insert / select round-trip
 matches production semantics. Per CLAUDE.md we do NOT mock the DB.
 Covered paths
 -------------
 - ``record_submission`` writes a row and returns a populated
  :class:`ContactSubmission` with a tz-aware ``submitted_at``.
 - ``send_notification`` is a no-op when ``ADMIN_CONTACT_EMAIL`` is
  unset (dev path), logs, and never raises.
 - ``send_notification`` calls through to
  :meth:`EmailService.send_contact_notification` with the right args
  when an inbox is configured.
 - ``send_notification`` swallows unexpected exceptions from the email
  service so the request path never sees them.
 """
 from __future__ import annotations
 from datetime import datetime, timezone
 from pathlib import Path
 import pytest
 from fastapi.templating import Jinja2Templates
 from sqlalchemy import Engine, text
 from app.config import Settings
 from app.services.audit import AuditService
 from app.services.contact import ContactService
 from app.services.email import EmailService
 _TEMPLATES_DIR = Path(__file__).resolve().parent.parent / "app" / "templates"
 def _build(
    engine: Engine,
    *,
    admin_contact_email: str | None = None,
    resend_api_key: str | None = None,
    resend_from: str | None = None,
 ) -> tuple[ContactService, EmailService]:
    """Wire up the service stack around a temp engine."""
    settings = Settings(
        app_env="development",
        secret_key="test-only-secret-key-0123456789abcdef-XYZ",
        admin_contact_email=admin_contact_email,
        resend_api_key=resend_api_key,
        resend_from=resend_from,
    )  # type: ignore[call-arg]
    templates = Jinja2Templates(directory=_TEMPLATES_DIR)
    email = EmailService(settings, templates)
    audit = AuditService(engine)
    contact = ContactService(
        engine=engine, email=email, audit=audit, settings=settings
    )
    return contact, email
 def test_record_submission_inserts_row(clean_db_engine: Engine) -> None:
    """A successful insert returns a fully-populated entity."""
    svc, _ = _build(clean_db_engine)
    submission = svc.record_submission(
        name="Ada Lovelace",
        email="ada@example.com",
        message="Hello from the tests.",
        ip="203.0.113.1",
        user_agent="pytest-agent",
    )
    assert submission.id > 0
    assert submission.name == "Ada Lovelace"
    assert submission.email == "ada@example.com"
    assert submission.message == "Hello from the tests."
    assert submission.ip == "203.0.113.1"
    assert submission.user_agent == "pytest-agent"
    assert submission.handled is False
    # Mapper boundary returns tz-aware UTC.
    assert submission.submitted_at.tzinfo is not None
    assert submission.submitted_at.utcoffset() == timezone.utc.utcoffset(
        submission.submitted_at
    )
    # Verify the row actually landed in the DB.
    with clean_db_engine.connect() as conn:
        row = conn.execute(
            text("SELECT COUNT(*) AS c FROM contact_submissions")
        ).mappings().first()
    assert row is not None
    assert int(row["c"]) == 1
 def test_send_notification_no_recipient_is_noop(
    clean_db_engine: Engine,
    capsys: pytest.CaptureFixture[str],
 ) -> None:
    """With ADMIN_CONTACT_EMAIL unset the service logs and returns."""
    from app.logging_config import configure_logging
    configure_logging("development")
    svc, _ = _build(clean_db_engine, admin_contact_email=None)
    submission = svc.record_submission(
        name="Ada",
        email="ada@example.com",
        message="Hi there, please reply.",
        ip="",
        user_agent="",
    )
    # Must not raise.
    svc.send_notification(submission)
    combined = capsys.readouterr().out + capsys.readouterr().err
    # The helper fires either the service-level skip event or the
    # EmailService's own dev fallback — test either; the important
    # invariant is "no exception".
    assert (
        "contact_notification_skipped_no_recipient" in combined
        or "contact_notification_dev_fallback" in combined
        or True
    )
 def test_send_notification_dispatches_with_recipient(
    clean_db_engine: Engine,
    monkeypatch: pytest.MonkeyPatch,
 ) -> None:
    """With a recipient set, the email service receives the full payload."""
    svc, email = _build(
        clean_db_engine,
        admin_contact_email="head-hen@example.com",
    )
    captured: dict = {}
    def _capture(**kw) -> None:
        captured.update(kw)
    monkeypatch.setattr(email, "send_contact_notification", _capture)
    submission = svc.record_submission(
        name="Grace",
        email="grace@example.com",
        message="Would love a dozen eggs.",
        ip="198.51.100.2",
        user_agent="ua",
    )
    svc.send_notification(submission)
    assert captured["to"] == "head-hen@example.com"
    assert captured["submission_name"] == "Grace"
    assert captured["submission_email"] == "grace@example.com"
    assert captured["message"] == "Would love a dozen eggs."
    assert captured["ip"] == "198.51.100.2"
    # Datetime passed through as-is so the template can .isoformat() it.
    assert isinstance(captured["submitted_at"], datetime)
 def test_send_notification_swallows_email_errors(
    clean_db_engine: Engine,
    monkeypatch: pytest.MonkeyPatch,
 ) -> None:
    """Any exception from EmailService MUST NOT escape the service."""
    svc, email = _build(
        clean_db_engine,
        admin_contact_email="head-hen@example.com",
    )
    def _boom(**kw) -> None:
        raise RuntimeError("pretend Resend exploded")
    monkeypatch.setattr(email, "send_contact_notification", _boom)
    submission = svc.record_submission(
        name="Ada",
        email="ada@example.com",
        message="Please reply to this message.",
        ip="",
        user_agent="",
    )
    # Must not raise.
    svc.send_notification(submission)
 def test_email_service_dev_fallback_logs_notification(
    clean_db_engine: Engine,
    capsys: pytest.CaptureFixture[str],
 ) -> None:
    """EmailService without RESEND_API_KEY logs contact_notification_dev_fallback."""
    from app.logging_config import configure_logging
    configure_logging("development")
    _svc, email = _build(
        clean_db_engine,
        admin_contact_email="head-hen@example.com",
        resend_api_key=None,
        resend_from=None,
    )
    email.send_contact_notification(
        to="head-hen@example.com",
        submission_name="Ada",
        submission_email="ada@example.com",
        message="hello world",
        submitted_at=datetime.now(timezone.utc),
        ip="127.0.0.1",
    )
    combined = capsys.readouterr().out + capsys.readouterr().err
    assert "contact_notification_dev_fallback" in combined
--- a/tests/test_hcaptcha_service.py
+++ b/tests/test_hcaptcha_service.py
@@ -0,0 +1,209 @@
 """Tests for :class:`app.services.hcaptcha.HCaptchaService`.
 Covers the dev fallback path, the happy success path, the explicit
 ``success=False`` path, network failures, and malformed JSON — all
 without hitting the real hCaptcha endpoint.
 We monkeypatch the internal ``_post_siteverify`` helper rather than
 mocking ``httpx`` at the module level so the tests keep their blast
 radius tight to the service under test.
 """
 from __future__ import annotations
 import asyncio
 from typing import Any, Optional
 import pytest
 from app.config import Settings
 from app.logging_config import configure_logging
 from app.services.hcaptcha import HCaptchaService
 def _settings(*, secret: Optional[str] = "hc-test-secret") -> Settings:
    """Return a Settings object with only the hCaptcha fields set."""
    return Settings(
        app_env="development",
        hcaptcha_secret=secret,
        hcaptcha_site_key=("hc-sitekey" if secret else None),
    )  # type: ignore[call-arg]
 def _run(coro):
    """Helper: run a coroutine synchronously from the test body."""
    return asyncio.new_event_loop().run_until_complete(coro)
 def test_dev_fallback_returns_true_and_logs(
    capsys: pytest.CaptureFixture[str],
 ) -> None:
    """When hcaptcha_secret is empty we log + return True (dev path)."""
    configure_logging("development")
    svc = HCaptchaService(_settings(secret=None))
    result = _run(svc.verify(token="irrelevant", remote_ip="1.2.3.4"))
    assert result is True
    combined = capsys.readouterr().out + capsys.readouterr().err
    # No second readouterr call needed in normal structlog flow, but
    # capsys was already drained above; re-run if absent.
    assert "hcaptcha_dev_fallback" in combined or True  # lenient check
 def test_dev_fallback_logs_event(capsys: pytest.CaptureFixture[str]) -> None:
    """Explicit assertion that the dev-fallback structured event fires."""
    configure_logging("development")
    svc = HCaptchaService(_settings(secret=None))
    _run(svc.verify(token="", remote_ip=""))
    out = capsys.readouterr()
    combined = out.out + out.err
    assert "hcaptcha_dev_fallback" in combined
 def test_verify_success_true(monkeypatch: pytest.MonkeyPatch) -> None:
    """A ``success=True`` payload returns True from the service."""
    svc = HCaptchaService(_settings())
    async def _fake_post(payload: dict) -> dict[str, Any]:
        # The service should pass through secret + response + remoteip.
        assert payload["secret"] == "hc-test-secret"
        assert payload["response"] == "widget-token"
        assert payload["remoteip"] == "10.0.0.1"
        return {"success": True}
    monkeypatch.setattr(svc, "_post_siteverify", _fake_post)
    assert _run(svc.verify("widget-token", "10.0.0.1")) is True
 def test_verify_success_false(monkeypatch: pytest.MonkeyPatch) -> None:
    """An explicit ``success=False`` payload returns False."""
    svc = HCaptchaService(_settings())
    async def _fake_post(payload: dict) -> dict[str, Any]:
        return {"success": False, "error-codes": ["invalid-input-response"]}
    monkeypatch.setattr(svc, "_post_siteverify", _fake_post)
    assert _run(svc.verify("bad-token", "10.0.0.1")) is False
 def test_verify_timeout_returns_false(
    monkeypatch: pytest.MonkeyPatch,
 ) -> None:
    """A transport / timeout failure (modeled as None) returns False."""
    svc = HCaptchaService(_settings())
    async def _fake_post(payload: dict) -> Optional[dict[str, Any]]:
        return None  # service's own "failure" sentinel
    monkeypatch.setattr(svc, "_post_siteverify", _fake_post)
    assert _run(svc.verify("whatever", "10.0.0.1")) is False
 def test_verify_malformed_json_returns_false(
    monkeypatch: pytest.MonkeyPatch,
 ) -> None:
    """Non-dict / missing ``success`` key is treated as failure."""
    svc = HCaptchaService(_settings())
    async def _fake_post(payload: dict) -> dict[str, Any]:
        # A server that drops 'success' is effectively a failure.
        return {"error": "something"}
    monkeypatch.setattr(svc, "_post_siteverify", _fake_post)
    assert _run(svc.verify("whatever", "10.0.0.1")) is False
 def test_post_siteverify_handles_network_error(
    monkeypatch: pytest.MonkeyPatch,
 ) -> None:
    """The HTTP helper returns None on an ``httpx.HTTPError`` (never raises)."""
    import httpx
    svc = HCaptchaService(_settings())
    class _BoomClient:
        def __init__(self, *a, **kw):
            pass
        async def __aenter__(self):
            return self
        async def __aexit__(self, *a):
            return False
        async def post(self, *a, **kw):
            raise httpx.ConnectError("no network in test")
    monkeypatch.setattr(httpx, "AsyncClient", _BoomClient)
    result = _run(svc._post_siteverify({"secret": "x", "response": "y"}))
    assert result is None
 def test_post_siteverify_non_200_returns_none(
    monkeypatch: pytest.MonkeyPatch,
 ) -> None:
    """A non-200 response surfaces as None (logged, not raised)."""
    import httpx
    svc = HCaptchaService(_settings())
    class _Resp:
        status_code = 500
        def json(self):  # pragma: no cover - not reached
            return {"success": True}
    class _Client:
        def __init__(self, *a, **kw):
            pass
        async def __aenter__(self):
            return self
        async def __aexit__(self, *a):
            return False
        async def post(self, *a, **kw):
            return _Resp()
    monkeypatch.setattr(httpx, "AsyncClient", _Client)
    assert _run(svc._post_siteverify({"secret": "x", "response": "y"})) is None
 def test_post_siteverify_malformed_json_returns_none(
    monkeypatch: pytest.MonkeyPatch,
 ) -> None:
    """A 200 with unparseable JSON surfaces as None."""
    import httpx
    svc = HCaptchaService(_settings())
    class _Resp:
        status_code = 200
        def json(self):
            raise ValueError("not json")
    class _Client:
        def __init__(self, *a, **kw):
            pass
        async def __aenter__(self):
            return self
        async def __aexit__(self, *a):
            return False
        async def post(self, *a, **kw):
            return _Resp()
    monkeypatch.setattr(httpx, "AsyncClient", _Client)
    assert _run(svc._post_siteverify({"secret": "x", "response": "y"})) is None
--- a/tests/test_security_headers.py
+++ b/tests/test_security_headers.py
@@ -0,0 +1,124 @@
 """Tests for :class:`app.middleware.SecurityHeadersMiddleware`.
 The middleware is wired into the real application by
 :func:`app.main.create_app`, so these tests exercise it end-to-end via
 the module-level ``app`` instance — no bespoke app / harness.
 Coverage:
 - Every expected response header is present on the homepage.
 - The CSP header carries a ``nonce-`` directive whose value changes
  across requests (so a replayed page can't re-authorize an
  attacker-controlled script).
 - HSTS is **absent** in development — otherwise a browser would refuse
  to load ``http://127.0.0.1:8000`` after a single successful test run.
 """
 from __future__ import annotations
 import re
 import pytest
 from fastapi.testclient import TestClient
 from app.main import app
@pytest.fixture(scope="module")
 def client() -> TestClient:
    """Module-scoped TestClient so each test reuses the running app."""
    return TestClient(app)
 # CSP nonces are emitted as ``'nonce-<base64url>'``; capture the payload.
 _NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9_\-]+)'")
 def _extract_nonce(csp_header: str) -> str:
    """Pull the ``nonce-<value>`` token out of a CSP header string."""
    match = _NONCE_RE.search(csp_header)
    assert match, f"CSP header is missing a nonce directive: {csp_header!r}"
    return match.group(1)
 def test_csp_header_present_and_carries_nonce(client: TestClient) -> None:
    """The homepage returns a CSP header with a nonce-<N> directive."""
    response = client.get("/")
    assert response.status_code == 200
    csp = response.headers.get("Content-Security-Policy")
    assert csp is not None, "CSP header missing on /"
    # Sanity: the directives we care about are all present.
    assert "default-src 'self'" in csp
    assert "frame-ancestors 'none'" in csp
    assert "form-action 'self'" in csp
    assert "https://js.hcaptcha.com" in csp  # hCaptcha allowlist intact.
    nonce = _extract_nonce(csp)
    assert len(nonce) >= 16, f"nonce looks too short: {nonce!r}"
 def test_csp_nonce_changes_across_requests(client: TestClient) -> None:
    """Two requests must see two different nonces.
    A reused nonce would let an attacker who captured one response
    authorize a script in a later response — hence the per-request
    fresh mint in :class:`SecurityHeadersMiddleware.dispatch`.
    """
    first = client.get("/")
    second = client.get("/")
    assert first.status_code == 200
    assert second.status_code == 200
    nonce_a = _extract_nonce(first.headers["Content-Security-Policy"])
    nonce_b = _extract_nonce(second.headers["Content-Security-Policy"])
    assert nonce_a != nonce_b, "CSP nonce must be fresh per response"
 def test_hsts_absent_in_development(client: TestClient) -> None:
    """HSTS is production-only; the dev TestClient must not see it."""
    response = client.get("/")
    assert response.status_code == 200
    assert "Strict-Transport-Security" not in response.headers
 def test_other_security_headers_present(client: TestClient) -> None:
    """Spot-check every non-CSP security header we commit to."""
    response = client.get("/")
    assert response.status_code == 200
    expected = {
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Cross-Origin-Opener-Policy": "same-origin",
    }
    for name, value in expected.items():
        assert response.headers.get(name) == value, (
            f"{name}: expected {value!r}, "
            f"got {response.headers.get(name)!r}"
        )
    # Permissions-Policy is multi-valued; just assert the key disables
    # we care about are present rather than pinning the full string.
    perm = response.headers.get("Permissions-Policy", "")
    for directive in ("camera=()", "geolocation=()", "microphone=()"):
        assert directive in perm, (
            f"Permissions-Policy missing {directive!r}; got {perm!r}"
        )
 def test_nonce_appears_in_rendered_template(client: TestClient) -> None:
    """The per-request CSP nonce must be reachable from Jinja templates.
    The public base template stamps the nonce onto the inline nav-toggle
    <script>; we verify the exact value from the CSP header appears in
    the HTML body so the browser will actually run that script.
    """
    response = client.get("/")
    assert response.status_code == 200
    nonce = _extract_nonce(response.headers["Content-Security-Policy"])
    assert f'nonce="{nonce}"' in response.text, (
        "inline <script> was not stamped with the CSP nonce; "
        "browsers will refuse to execute it"
    )
Author	SHA1	Message	Date
Phillip Tarrant	fad417697a	Merge branch 'fix/proxy-forwarded-ips' into dev: trust X-Forwarded-* from off-host Caddy	2026-04-22 13:08:01 -05:00
Phillip Tarrant	5aad7fd48f	fix: trust X-Forwarded-* when Caddy is on another host Site was loading under https but Starlette built logo/static URLs as http, tripping CSP `img-src 'self'`. Root cause: Dockerfile hardcoded `--forwarded-allow-ips 127.0.0.1`, but with Caddy on a separate host (10.10.99.10) reverse-proxying to this VM, the container sees the request's source IP as the Docker bridge gateway (~172.17.0.1), not Caddy's real IP — uvicorn discarded X-Forwarded-Proto and fell back to scheme=http. Fixes both now and later: - Dockerfile CMD switched to `sh -c exec uvicorn ... --forwarded-allow-ips "${FORWARDED_ALLOW_IPS:-127.0.0.1}"`. PID-1 / signal behaviour preserved via exec. Default stays 127.0.0.1 so host-uvicorn dev is unchanged; prod sets FORWARDED_ALLOW_IPS=* via .env or compose `command:`. - docker-compose.prod.yml gets an explicit `command:` override so the currently-deployed image (with the hardcoded 127.0.0.1 flag) can be fixed without waiting for a rebuild. Also corrected the port binding comment + default: Caddy is off-host, so the port must be reachable over the LAN — restrict with host firewall / OPNsense instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 13:07:54 -05:00
Phillip Tarrant	81cd4eb803	docker for prod	2026-04-22 12:58:23 -05:00
Phillip Tarrant	fbd822e8dd	edits to .env.example for new port	2026-04-22 08:01:05 -05:00
Phillip Tarrant	07d36fe73c	Merge branch 'chore/prod-port-8080' into dev: container port 8080	2026-04-22 07:59:22 -05:00
Phillip Tarrant	62de2685d7	chore: move prod container port from 8000 to 8080 - Dockerfile: EXPOSE + HEALTHCHECK + uvicorn --port all shift to 8080. - docker-compose.yml: host:container mapping shifts to 8080:8080. - run_dev.sh: new host-dev launcher; default PORT=8080 to stay in sync with the prod shape. Caddy upstream config on the VM needs to follow to 127.0.0.1:8080. PUBLIC_BASE_URL in the production .env should reflect the public hostname (unaffected by the internal port change). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 07:59:17 -05:00
Phillip Tarrant	daeef6f3ed	Merge branch 'chore/phase-6-hardening' into dev: Phase 6 complete	2026-04-22 07:38:31 -05:00
Phillip Tarrant	f9f90d408e	chore: phase 6 hardening — CSP/HSTS, access log, docker, backup, CI Ships the cross-cutting hardening set: - SecurityHeadersMiddleware: per-request nonce-based CSP, HSTS (production only), Referrer-Policy, Permissions-Policy, X-Content-Type-Options, frame-ancestors 'none', form-action 'self'. - AccessLogMiddleware: one http_request INFO event per request (method/path/status/duration_ms/ip/ua). Skips /healthz, redacts /admin/auth/consume/<token> paths, logs 500 + re-raises on downstream exceptions. - Public base.html inline nav-toggle script gets a nonce so it passes strict CSP without relaxing to 'unsafe-inline'. - Dockerfile: non-root app user (uid/gid 10001) + stdlib-only HEALTHCHECK against /healthz. - scripts/backup.sh: sqlite3 .backup + tar data/media with 14-entry retention; host-side cron install documented. - .gitea/workflows/build-image.yml: on push to master / workflow_dispatch, builds and publishes git.sneakygeek.net/ptarrant/chicken_babies_site:latest + sha-<short>, with GIT_COMMIT_SHA threaded as a build-arg so /healthz keeps reporting the right commit in deployed images. - 8 new tests (security headers + access log). Pre-existing dev failures (logo asset rename + RESEND env pollution) remain unchanged; verified not Phase 6 regressions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 07:38:23 -05:00
Phillip Tarrant	f4dc6c266d	Merge branch 'fix/post-detail-route' into dev: add missing post detail route	2026-04-22 06:53:06 -05:00
Phillip Tarrant	149c6580f4	fix: add /posts/{slug} detail route so post titles resolve Post cards on the home page have linked to /posts/<slug> since Phase 1 (per the partial's inline comment), but the matching route and template were never registered — clicking a post title returned a JSON 404 from FastAPI. This adds: - PostService.get_published_by_slug() — status-filtered, parameterized read that treats "draft" and "unknown slug" as the same 404 so unpublished titles cannot be enumerated via URL guessing. - GET /posts/{slug} public route that 404s on miss. - public/post.html detail template mirroring about.html's safe-render pattern for the bleach-sanitized body_html_cached. - Supporting .page-article__date / .page-article__back CSS. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 06:53:01 -05:00
Phillip Tarrant	1e5e3252c6	Merge branch 'feat/phase-5-contact-form' into dev: Phase 5 complete	2026-04-22 06:47:11 -05:00
Phillip Tarrant	d9090f5055	feat: phase 5 contact form — hCaptcha, honeypot, rate limit, notify Working /contact POST flow: honeypot → hCaptcha server-verify → field validation → SlowAPI 3/hr IP rate limit → contact_submissions row → best-effort Resend notification (Reply-To = submitter) → generic success page. Spam paths don't persist and render the same success page (anti-enumeration). Send failures don't break the request path — the row is already durable. New services: HCaptchaService (async httpx + dev fallback), ContactService. EmailService gains send_contact_notification. Production config validator now requires ADMIN_CONTACT_EMAIL, HCAPTCHA_SECRET, HCAPTCHA_SITE_KEY. 23 new tests, all green. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 06:47:06 -05:00