feat(core): add test_accounts_captcha for staging CAPTCHA bypass

[k9ert]

Summary

• Adds test_accounts_captcha config option to allow specific phone numbers to bypass CAPTCHA validation
• Enables automated agents to authenticate on staging without solving Geetest challenges

Related blink-mobile PR: blinkbitcoin/blink-mobile#3588

Why This Is Important

Currently, there's no difference between production and staging CAPTCHA requirements. Automated agents (e.g., for testing, monitoring, or CI) cannot authenticate via phone because they cannot solve Geetest CAPTCHA challenges. This blocks agent-based workflows on staging environments.

How It Works

1. New config option test_accounts_captcha - an array of phone numbers that skip CAPTCHA validation
2. When requestPhoneCodeWithCaptcha is called, it checks if the phone is in the list
3. If matched, CAPTCHA validation is skipped entirely; otherwise normal Geetest validation proceeds
4. All other checks (rate limits, SMS sending) still apply

Phone in test_accounts_captcha? 
  → YES: Skip CAPTCHA, proceed to rate limits & SMS
  → NO:  Validate CAPTCHA first, then rate limits & SMS

How To Use

Add phone numbers to your staging config (e.g., custom.yaml):

test_accounts_captcha:
  - phone: "+1234567890"
  - phone: "+1987654321"

Agents call /auth/phone/code with dummy CAPTCHA values:

{
  "phone": "+1234567890",
  "challengeCode": "bypass",
  "validationCode": "bypass",
  "secCode": "bypass",
  "channel": "sms"
}

Note: CAPTCHA params are still required by the API schema—just pass any string values.

Security Considerations

• Production should keep this list empty — only populate in staging/dev
• Does NOT bypass SMS verification — agents still need valid phone or should combine with test_accounts for full bypass
• Rate limits still apply

Test plan

• Build passes (pnpm build in core/api)
• Verify phone in test_accounts_captcha can request code without valid CAPTCHA
• Verify phone NOT in list still requires valid CAPTCHA

🤖 Generated with Claude Code

[Copilot]

Pull request overview

This PR introduces a new test_accounts_captcha configuration option to allow specific phone numbers to bypass CAPTCHA validation during authentication on staging environments. This enables automated agents to authenticate without solving Geetest challenges, while maintaining all other security checks like rate limiting and SMS verification.

Changes:

• Adds test_accounts_captcha configuration schema and getter function to support phone number-based CAPTCHA bypass
• Modifies requestPhoneCodeWithCaptcha to skip Geetest validation for phones in the bypass list
• Sets default empty array in galoy.yaml to ensure production safety by default

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
core/api/src/config/schema.types.d.ts	Adds type definition for test_accounts_captcha as array of phone objects
core/api/src/config/schema.ts	Defines JSON schema for test_accounts_captcha configuration with validation rules
core/api/src/config/yaml.ts	Implements getTestAccountsCaptcha getter to extract phone numbers from config
core/api/src/app/authentication/request-code.ts	Adds conditional CAPTCHA bypass logic for phones in test_accounts_captcha list
core/api/galoy.yaml	Sets empty default array ensuring no phones bypass CAPTCHA by default

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[k9ert]

Mobile companion PR: blinkbitcoin/blink-mobile#3588

[k9ert]

Addressed Copilot review feedback:

• Added logging when CAPTCHA validation is skipped (info log + tracing attributes)
• Added unit tests for test_accounts_captcha config

[Copilot]

Pull request overview

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[k9ert]

Copilot review comments addressed in commit 0aaec67:

1. Logging/tracing - Added baseLogger.info and addAttributesToCurrentSpan when CAPTCHA validation is skipped
2. Test coverage - Added unit tests in test/unit/app/auth/test-accounts-captcha.ts
3. Behavioral tests - Tests verify config loading and phone matching behavior

[Copilot]

Pull request overview

Copilot reviewed 11 out of 13 changed files in this pull request and generated no new comments.

Files not reviewed (1)

• pnpm-lock.yaml: Language not supported

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[grimen]

LGTM