Mailchimp safe 1169 #1171

Open
ddfridley wants to merge 5 commits into master from mailchimp-safe-1169

ddfridley commented Jun 17, 2026
Collaborator

Problem

We were having trouble with bot emails ending up in Mailchimp, and we are closing vulnerabilities in the signup and newsletter opt-in flow.

  • Users could be sent to Mailchimp before verifying their DemocracyLab email address.
  • Signup lacked strong server-side bot protections.
  • reCAPTCHA requests were blocked by CSP in dev, which could prevent successful signup.
  • The footer newsletter subscribe button pointed to an invalid Mailchimp form URL.

In addition:

  • Docker builds failed on fresh machines because of an outdated Yarn apt signing key.

What This PR Changes

  • Defers Mailchimp subscription until after DemocracyLab email verification succeeds.
  • Adds server-side signup abuse controls:
    • reCAPTCHA token verification
    • IP-based signup rate limiting
  • Updates Mailchimp member status to subscribed after app-level verification to avoid a redundant second confirmation email.
  • Replaces the broken footer newsletter endpoint with the current hosted Mailchimp signup URL.
  • Adds required CSP connect-src entries for reCAPTCHA endpoints and documents why.
  • Adds Mailchimp setup guidance in code to reduce future configuration drift.

Dev Server Testing

On the dev server we had to set

  • MAILCHIMP_API_KEY - to a new key because the old one was shut down.
  • MAILCHIMP_SUBSCRIBE_LIST_ID - need to make sure what's in production is this.
  • FAKE_EMAILS to False to generate emails.
  • REDIS_ENABLED to False because no worker is being started in dev to process the request queue.
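
The flow this description outlines (rate-limit by IP, verify the CAPTCHA token server-side, and subscribe only after email verification) can be sketched as follows. This is an added example, not code from this PR or the DemocracyLab code base; `SignupGate` and its method names are hypothetical, and `verify_captcha` and `subscribe` are injected callables standing in for the reCAPTCHA verification request and the Mailchimp API call.

```python
import secrets
import time
from collections import defaultdict, deque


class SignupGate:
    """Hypothetical signup gate: per-IP rate limit, CAPTCHA check, and
    newsletter subscription deferred until the email address is verified."""

    def __init__(self, verify_captcha, subscribe, max_attempts=3,
                 window_seconds=3600, clock=time.monotonic):
        self._verify_captcha = verify_captcha  # callable(token, ip) -> bool
        self._subscribe = subscribe            # callable(email, status)
        self._max = max_attempts
        self._window = window_seconds
        self._clock = clock
        self._attempts = defaultdict(deque)    # ip -> attempt timestamps
        self._pending = {}                     # verify token -> (email, opt_in)

    def _rate_limited(self, ip):
        now, attempts = self._clock(), self._attempts[ip]
        while attempts and now - attempts[0] >= self._window:
            attempts.popleft()                 # drop attempts outside the window
        if len(attempts) >= self._max:
            return True
        attempts.append(now)                   # failed CAPTCHAs count too
        return False

    def signup(self, ip, email, captcha_token, newsletter_opt_in):
        """Return (status, verify_token); nothing is sent to the list here."""
        if self._rate_limited(ip):
            return "rate_limited", None
        if not self._verify_captcha(captcha_token, ip):
            return "captcha_failed", None
        token = secrets.token_urlsafe(32)      # goes in the verification email
        self._pending[token] = (email, newsletter_opt_in)
        return "pending_verification", token

    def verify_email(self, token):
        """Consume a one-time token; subscribe only now, and only if opted in."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False                       # unknown or already used
        email, opt_in = entry
        if opt_in:
            # App already verified the address, so no second confirmation mail.
            self._subscribe(email, "subscribed")
        return True
```

The in-memory dictionaries are per-process; a deployment with several workers would need a shared store for both the attempt counters and the pending tokens.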

@ddfridley

Collaborator Author

Claude generated the change to Dockerfile - and I had Gemini Pro review it for security since it's pretty opaque to me. But I could get docker to build on a fresh machine without this.

I have tested user signup on the dev server and it works and doesn't add users to Mailchimp until after they verify their email.

@ddfridley ddfridley marked this pull request as ready for review June 18, 2026 20:19
@ddfridley ddfridley requested a review from marlonkeating June 18, 2026 20:19
@ddfridley

Collaborator Author

I added common/static to .gitignore because in my other branches webpack and storybook are generating lots of files there, but these files shouldn't be added to the repo.
