
xt26: honeypot to block bot form spam into Orbit #260

Open

jonpither wants to merge 1 commit into main from xt26-honeypot


Conversation

@jonpither
Member

Why

Bots have been POSTing gibberish registrations straight to the public
/.netlify/functions/xt26-register endpoint — gibberish names/company,
dot-stuffed throwaway gmail addresses — which the function forwarded
into Orbit as prospect rows (🎉 …gibberish… signed up via the website!
pings in #orbit, ~8 junk rows as of 2026-05-21).

The Orbit API token isn't browser-exposed — it lives in this function's
env — so the function endpoint itself is the gate, not the token.

What

Two-layer honeypot:

  1. Form (src/components/ContactUsForm.tsx) — a hidden, off-screen
    website input. Off-screen (not display:none, which sophisticated
    bots skip) and removed from the tab order, so a human never sees or
    focuses it and it stays empty; a bot that auto-fills every input
    trips it.
  2. Netlify function (netlify/functions/xt26-register.ts) — silently
    drops any submission where website is non-empty: returns 200 OK
    and does not forward to Orbit, so the bot can't detect the trap
    (a 4xx would let it tune around it).

Orbit's POST /api/people carries the same check as a backstop
(already merged to juxt/orbit main, commit 6b69678).

Notes

  • 29 additive lines, no existing code paths touched.
  • Non-breaking: real submissions don't fill website, so humans are
    unaffected.
  • After merge + Netlify deploy, watch the 🎉 …signed up Slack pings
    for a day or two to confirm the spam stops.

🤖 Generated with Claude Code

Bots have been POSTing gibberish registrations straight to the public
/.netlify/functions/xt26-register endpoint (gibberish names/company,
dot-stuffed gmail addresses), which forwarded them into Orbit as
prospect rows. The Orbit token isn't browser-exposed — it lives in
this function's env — so the function endpoint itself is the gate.

Adds a hidden off-screen `website` honeypot input to the shared
contact form (off-screen rather than display:none so bots that skip
hidden fields still trip it; removed from tab order so humans never
focus it). The Netlify function silently drops any submission where
it's non-empty — 200 OK, no forward to Orbit — so the bot can't
detect the trap. Orbit's POST /api/people carries the same check as
a backstop (juxt/orbit).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
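The two-layer check the PR describes, written out as an added TypeScript example. This is not the PR's own code: the real form (src/components/ContactUsForm.tsx) and function (netlify/functions/xt26-register.ts) are not shown on this page. Only the field name `website` and the drop-with-200 behaviour come from the PR; the handler shape, the injected `forward` stand-in for the Orbit POST, the response body, and the sample submissions are assumptions or constructed data.

```typescript
// Added example, not the PR's code: the honeypot field definition for the
// form and a Netlify-style handler that silently drops tripped submissions.
// HONEYPOT_FIELD matches the PR ("website"); everything else is assumed.

type Registration = { name: string; company: string; email: string };

export const HONEYPOT_FIELD = "website";

// Props for the honeypot <input> in the React form. Off-screen rather than
// display:none (bots that skip hidden inputs still see it), out of the tab
// order, hidden from assistive tech, and autocomplete disabled so a browser
// or password manager does not fill it for a real visitor.
export const honeypotInputProps = {
  name: HONEYPOT_FIELD,
  type: "text",
  tabIndex: -1,
  autoComplete: "off",
  "aria-hidden": true,
  style: {
    position: "absolute",
    left: "-10000px",
    width: "1px",
    height: "1px",
    overflow: "hidden",
  },
} as const;

// A human never focuses the field, so it arrives as "" (or not at all).
// Anything else, including whitespace-padded text or a non-string value a
// bot may send, counts as a trip. Whitespace-only is treated as empty.
export function honeypotTripped(body: Record<string, unknown>): boolean {
  const value = body[HONEYPOT_FIELD];
  if (value === undefined || value === null) return false;
  const parts: unknown[] = Array.isArray(value) ? value : [value];
  return parts.some((p) => String(p).trim() !== "");
}

type Response = { statusCode: number; headers: Record<string, string>; body: string };

// One success response shared by both paths, so a dropped submission is
// byte-for-byte identical to an accepted one: same status, headers and body.
const OK: Response = {
  statusCode: 200,
  headers: { "content-type": "application/json" },
  body: JSON.stringify({ ok: true }),
};

// Shaped like a Netlify function handler. `forward` stands in for the Orbit
// POST (assumed; injected so the decision is testable offline). The real
// function would await an HTTP call here.
export function handleRegister(
  event: { httpMethod: string; body: string | null },
  forward: (r: Registration) => void,
): Response {
  if (event.httpMethod !== "POST") return { statusCode: 405, headers: {}, body: "" };
  let parsed: unknown;
  try {
    parsed = JSON.parse(event.body ?? "{}");
  } catch {
    return { statusCode: 400, headers: {}, body: "" };
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { statusCode: 400, headers: {}, body: "" };
  }
  const fields = parsed as Record<string, unknown>;
  if (honeypotTripped(fields)) {
    return { ...OK }; // silent drop: nothing forwarded, nothing to distinguish
  }
  forward({
    name: String(fields.name ?? ""),
    company: String(fields.company ?? ""),
    email: String(fields.email ?? ""),
  });
  return { ...OK };
}

// Constructed sample submissions, not real traffic.
export const HUMAN_BODY = JSON.stringify({
  name: "Ada Lovelace", company: "Example Ltd", email: "ada@example.com", website: "",
});
export const BOT_BODY = JSON.stringify({
  name: "xkqzp vlmrt", company: "qwlmf", email: "j.o.h.n.d.o.e@gmail.com", website: "http://spam.example",
});

export type DemoResult = {
  humanStatus: number; humanForwarded: boolean;
  botStatus: number; botForwarded: boolean;
  indistinguishable: boolean;
};

// Run both samples through the handler: the human one reaches `forward`,
// the bot one does not, and both get the same response.
export function demo(): DemoResult {
  const forwarded: Registration[] = [];
  const forward = (r: Registration) => { forwarded.push(r); };
  const human = handleRegister({ httpMethod: "POST", body: HUMAN_BODY }, forward);
  const humanForwarded = forwarded.length === 1;
  const bot = handleRegister({ httpMethod: "POST", body: BOT_BODY }, forward);
  const botForwarded = forwarded.length === 2;
  return {
    humanStatus: human.statusCode, humanForwarded,
    botStatus: bot.statusCode, botForwarded,
    indistinguishable: JSON.stringify(human) === JSON.stringify(bot),
  };
}
```

Two things worth checking when reviewing the real function. First, the drop path has to return exactly what the success path returns, headers and body included, not merely "some 200"; a different body or a missing header is as good a signal to the bot as a 4xx, which is why the example shares one response object. Second, `autocomplete="off"` and the off-screen placement matter for humans as well as bots: a visible text field named `website` is exactly what browser autofill and password managers like to populate, and a filled honeypot silently discards a genuine registration with no error for the visitor to notice. A honeypot only catches bots that fill every input, so the post-deploy watch on the Slack pings that the PR suggests is the real test.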
@netlify

netlify Bot commented May 22, 2026

Deploy Preview for juxt-website ready!

  • Latest commit: de7c094
  • Latest deploy log: https://app.netlify.com/projects/juxt-website/deploys/6a10239161abbd000818729b
  • Deploy Preview: https://deploy-preview-260--juxt-website.netlify.app
