Split compose dev/prod and relax contact form friction.

Use compose.dev.yaml and compose.prod.yaml with fixed Go cache mounts, block sudo make dev, build Air outside app/tmp for rootless Docker, soften English spam checks, and simplify contact error copy.

Co-authored-by: Cursor <cursoragent@cursor.com>

app/internal/contactcheck/english.go

@@ -12,6 +12,9 @@ const (
 	minMessageRunes = 20
 	maxMessageRunes = 8000
 	maxNameRunes    = 120
+
+	// Reject non-English only when the detector is fairly confident.
+	englishRejectConfidence = 0.80
 )
 
 var (
@@ -38,13 +41,15 @@ func ValidateEnglish(name, message string) error {
 	combined := strings.TrimSpace(name) + "\n\n" + msg
 	info := whatlanggo.Detect(combined)
 
+	// Block clearly non-Latin scripts (CJK, Cyrillic, etc.).
 	if info.Script != nil && info.Script != unicode.Latin {
 		return ErrNotEnglish
 	}
-	if info.Lang != whatlanggo.Eng {
+	// Allow uncertain detection; block only confident non-English.
+	if info.Lang != whatlanggo.Eng && info.IsReliable() {
 		return ErrNotEnglish
 	}
-	if !info.IsReliable() && info.Confidence < 0.55 {
+	if info.Lang != whatlanggo.Eng && info.Confidence >= englishRejectConfidence {
 		return ErrNotEnglish
 	}
 	return nil

app/internal/contactcheck/english_test.go

@@ -0,0 +1,29 @@
+package contactcheck
+
+import "testing"
+
+func TestValidateEnglish_acceptsPlainEnglish(t *testing.T) {
+	if err := ValidateEnglish("Jimmy", "Hello, I need help with an LED install."); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestValidateEnglish_acceptsTechnicalEnglish(t *testing.T) {
+	msg := "Need a quote for 50m WS2812 strip + ESP32 controller in Auckland."
+	if err := ValidateEnglish("Alex", msg); err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+}
+
+func TestValidateEnglish_rejectsNonLatinScript(t *testing.T) {
+	msg := "これは日本語のテストメッセージです。十分な長さがあります。"
+	if err := ValidateEnglish("Jimmy", msg); err != ErrNotEnglish {
+		t.Fatalf("got %v, want ErrNotEnglish", err)
+	}
+}
+
+func TestValidateEnglish_rejectsTooShort(t *testing.T) {
+	if err := ValidateEnglish("Jimmy", "Hi there"); err != ErrTooShort {
+		t.Fatalf("got %v, want ErrTooShort", err)
+	}
+}

app/internal/contactcheck/form.go

@@ -9,17 +9,18 @@ import (
 const HoneypotField = "website"
 
 // MinFormFillDuration is the minimum time between showing the form and submit.
-const MinFormFillDuration = 3 * time.Second
+const MinFormFillDuration = 5 * time.Second
 
 // SpamHoneypot reports whether the honeypot was filled (likely spam).
 func SpamHoneypot(value string) bool {
 	return strings.TrimSpace(value) != ""
 }
 
-// FormFilledTooFast reports whether the form was submitted before seenUnix (0 = never seen).
+// FormFilledTooFast reports whether the form was submitted before seenUnix.
+// Missing timing data (seenUnix <= 0) is allowed — honeypot and rate limits still apply.
 func FormFilledTooFast(seenUnix int64, now time.Time) bool {
 	if seenUnix <= 0 {
-		return true
+		return false
 	}
 	return now.Sub(time.Unix(seenUnix, 0)) < MinFormFillDuration
 }

app/internal/contactcheck/form_test.go

@@ -18,8 +18,8 @@ func TestFormFilledTooFast(t *testing.T) {
 	now := time.Unix(1_000_000, 0)
 	seen := now.Add(-MinFormFillDuration).Unix()
 
-	if !FormFilledTooFast(0, now) {
-		t.Error("missing seen time should be too fast")
+	if FormFilledTooFast(0, now) {
+		t.Error("missing seen time should be allowed")
 	}
 	if !FormFilledTooFast(seen+1, now) {
 		t.Error("submit before min duration should be too fast")