# Turnstile CAPTCHA widget protecting the quote submission form.
# Provides a site_key (public, embedded in the UI) and secret_key
# (private, used by the API to verify tokens server-side).
resource "cloudflare_turnstile_widget" "submit" {
  # The Cloudflare account to create the widget in.
  account_id = var.cloudflare_account_id

  name = "quotesdb-submit"

  # "managed" mode: Turnstile decides whether to show a visible challenge.
  mode = "managed"

  # Restrict the widget to the production domain.
  domains = [var.domain]
}

output "turnstile_site_key" {
  description = "Turnstile site key — safe to embed in the UI."
  value       = cloudflare_turnstile_widget.submit.id
}

output "turnstile_secret_key" {
  description = "Turnstile secret key — inject into Workers via wrangler secret."
  value       = cloudflare_turnstile_widget.submit.secret
  sensitive   = true
}