| name | astro-forms |
| description | Form infrastructure for Astro. Zod validation, email, rate limiting, Turnstile, GDPR, Sheets. FAIL = no conversion. |
Astro Forms Skill
Form infrastructure. Backend only. UI is separate.
Purpose
Server-side form handling. Validation, email, storage, spam protection.
Output
form_ready: true
data_contract: [lead_id, source_page, timestamp, gdpr_consent]
post_submit_flow: [email, thank_you, analytics]
conversion_verdict: PASS | WARN | FAIL
Primary Conversion Declaration
One form per page is THE conversion.
primary_conversion:
type: form
id: "contact-form"
page: "/contact"
All other forms are secondary (newsletter, etc.).
Page Exclusion Rules
| Page Type | Forms Allowed |
|---|
| landing | ✅ Primary only |
| service | ✅ Primary only |
| calculator | ❌ Use calculator skill |
| thank-you | ❌ Forbidden |
| 404 | ❌ Forbidden |
Form on forbidden page = FAIL.
Data Integrity Contract
Every submission MUST contain:
data_contract:
required:
- lead_id
- source_page
- timestamp
- gdpr_consent
- ip_hash
optional:
- utm_source
- utm_medium
- utm_campaign
Missing required field = submission invalid.
Post-Submit Flow Contract
All three MUST happen:
post_submit_flow:
1_confirmation_email: required
2_thank_you_redirect: required
3_analytics_event: required
| Step | What | FAIL if |
|---|
| Email | Confirmation to customer | Not sent |
| Thank You | Redirect to /thank-you | No redirect |
| Analytics | GTM event fired | No event |
Any missing = FAIL.
Progressive Disclosure
Personal data only AFTER value established.
| Step | Can Ask |
|---|
| 1 | Service type, location |
| 2 | Details, preferences |
| 3+ | Name, email, phone |
Email on step 1 = WARN. GDPR and CRO critical.
Core Features
| Feature | Implementation |
|---|
| Validation | Zod server-side |
| Email | Resend → Brevo fallback |
| Rate limit | Cloudflare KV |
| CAPTCHA | Turnstile (invisible) |
| Storage | Google Sheets |
| Spam | Honeypot + time-check |
| GDPR | Required checkbox + timestamp |
Spam Protection (All Required)
spam_protection:
honeypot: true
time_check: 3000ms
turnstile: true
rate_limit: 5/hour/ip
Any missing = WARN.
GDPR Consent
gdpr:
checkbox_required: true
timestamp_stored: true
text: "Elfogadom az adatvédelmi szabályzatot"
link: "/privacy-policy"
Missing checkbox or timestamp = FAIL.
Conversion Verdict
conversion_verdict: PASS | WARN | FAIL
issues: []
| Condition | Verdict |
|---|
| Form on forbidden page | FAIL |
| Missing data contract field | FAIL |
| Post-submit flow incomplete | FAIL |
| GDPR missing | FAIL |
| Spam protection incomplete | WARN |
| Email on step 1 | WARN |
| All pass | PASS |
FAIL States
| Condition |
|---|
| Form on thank-you page |
| Missing lead_id/timestamp |
| No confirmation email |
| No thank-you redirect |
| No GTM event |
| GDPR checkbox missing |
WARN States
| Condition |
|---|
| Honeypot missing |
| Time-check missing |
| Personal data on step 1 |
| Rate limiting not configured |
Environment Variables
RESEND_API_KEY=re_xxxxx
BREVO_API_KEY=xkeysib-xxxxx
GOOGLE_SHEETS_WEBHOOK_URL=https://...
TURNSTILE_SITE_KEY=0x...
TURNSTILE_SECRET_KEY=0x...
References
Definition of Done