npm - @dupecom/botcha-cloudflare - Versions diffs - 0.2.0 - Mend

@dupecom/botcha-cloudflare 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,178 @@
+# @dupecom/botcha-cloudflare
+> 🤖 **BOTCHA** - Prove you're a bot. Humans need not apply.
+>
+> **Cloudflare Workers Edition v0.2.0** - Production-ready with JWT & Rate Limiting
+Reverse CAPTCHA that verifies AI agents and blocks humans. Running at the edge.
+## 🚀 What's New in v0.2.0
+- ✅ **JWT Token Authentication** - Secure token-based auth flow with 1-hour expiry
+- ✅ **Rate Limiting** - 100 challenges/hour/IP with proper headers
+- ✅ **KV Storage** - Challenge state stored in Cloudflare KV (prevents replay attacks)
+- ✅ **Versioned API** - New `/v1/*` endpoints with backward-compatible legacy routes
+- ✅ **Production Ready** - Enterprise-grade auth and security
+## Features
+- ⚡ **Speed Challenge** - 5 SHA256 hashes in 500ms (impossible for humans to copy-paste)
+- 🧮 **Standard Challenge** - Configurable difficulty prime calculations
+- 🔐 **JWT Authentication** - Token-based access control with jose library
+- 🚦 **Rate Limiting** - IP-based throttling with KV storage
+- 🌍 **Edge-native** - Runs on Cloudflare's global network
+- 📦 **Minimal dependencies** - Hono for routing, jose for JWT
+## Quick Deploy
+```bash
+# Clone the repo
+git clone https://github.com/i8ramin/botcha
+cd botcha/packages/cloudflare-workers
+# Install dependencies
+npm install
+# Deploy to Cloudflare
+npm run deploy
+```
+## Local Development
+```bash
+npm run dev
+# Worker running at http://localhost:8787
+```
+## 🔐 JWT Token Flow (Recommended)
+### 1. Get Challenge
+```bash
+GET /v1/token
+```
+Response includes challenge and instructions for getting a JWT token.
+### 2. Solve Challenge & Get JWT
+```bash
+POST /v1/token/verify
+Content-Type: application/json
+{
+  "id": "challenge-uuid",
+  "answers": ["abc12345", "def67890", ...]
+}
+```
+Returns JWT token valid for 1 hour.
+### 3. Access Protected Resources
+```bash
+GET /agent-only
+Authorization: Bearer <your-jwt-token>
+```
+## 📊 Rate Limiting
+Free tier: **100 challenges per hour per IP**
+Rate limit headers:
+- `X-RateLimit-Limit: 100`
+- `X-RateLimit-Remaining: 95`
+- `X-RateLimit-Reset: 2026-02-02T12:00:00.000Z`
+## API Endpoints
+### v1 API (Production)
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/` | GET | API information |
+| `/health` | GET | Health check |
+| `/v1/challenges` | GET | Generate challenge (speed or standard) |
+| `/v1/challenges/:id/verify` | POST | Verify challenge (no JWT) |
+| `/v1/token` | GET | Get challenge for JWT flow |
+| `/v1/token/verify` | POST | Verify challenge → get JWT token |
+| `/agent-only` | GET | Protected endpoint (requires JWT) |
+### Legacy API (v0 - backward compatible)
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/api/challenge` | GET/POST | Standard challenge |
+| `/api/speed-challenge` | GET/POST | Speed challenge (500ms limit) |
+| `/api/verify-landing` | POST | Landing page challenge |
+## Solving Challenges (for AI Agents)
+```typescript
+// Speed challenge
+const challenge = await fetch('https://your-worker.workers.dev/api/speed-challenge').then(r => r.json());
+const answers = await Promise.all(
+  challenge.challenge.problems.map(async (p) => {
+    const hash = await crypto.subtle.digest(
+      'SHA-256',
+      new TextEncoder().encode(p.num.toString())
+    );
+    return Array.from(new Uint8Array(hash))
+      .map(b => b.toString(16).padStart(2, '0'))
+      .join('')
+      .substring(0, 8);
+  })
+);
+const result = await fetch('https://your-worker.workers.dev/api/speed-challenge', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ id: challenge.challenge.id, answers }),
+}).then(r => r.json());
+console.log(result.verdict); // "🤖 VERIFIED AI AGENT"
+```
+## 🔑 Production Configuration
+### KV Namespaces
+Create KV namespaces:
+```bash
+# Create challenge storage
+wrangler kv namespace create CHALLENGES
+wrangler kv namespace create CHALLENGES --preview
+# Create rate limiting storage
+wrangler kv namespace create RATE_LIMITS
+wrangler kv namespace create RATE_LIMITS --preview
+```
+Update `wrangler.toml` with the returned IDs.
+### JWT Secret
+⚠️ **Important:** Use Wrangler secrets for production:
+```bash
+wrangler secret put JWT_SECRET
+# Enter a strong secret (32+ characters)
+```
+### Testing
+Run the test script:
+```bash
+# Start dev server
+npm run dev
+# Run tests
+./test-api.sh
+```
+## License
+MIT

package/dist/auth.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+/**
+ * BOTCHA Authentication & JWT Token Management
+ *
+ * Token-based auth flow for production API access
+ */
+/**
+ * JWT payload structure
+ */
+export interface BotchaTokenPayload {
+    sub: string;
+    iat: number;
+    exp: number;
+    type: 'botcha-verified';
+    solveTime: number;
+}
+/**
+ * Generate a JWT token after successful challenge verification
+ */
+export declare function generateToken(challengeId: string, solveTimeMs: number, secret: string): Promise<string>;
+/**
+ * Verify a JWT token
+ */
+export declare function verifyToken(token: string, secret: string): Promise<{
+    valid: boolean;
+    payload?: BotchaTokenPayload;
+    error?: string;
+}>;
+/**
+ * Extract Bearer token from Authorization header
+ */
+export declare function extractBearerToken(authHeader?: string): string | null;
+//# sourceMappingURL=auth.d.ts.map

package/dist/auth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../src/auth.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,iBAAiB,CAAC;IACxB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,WAAW,EAAE,MAAM,EACnB,WAAW,EAAE,MAAM,EACnB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,MAAM,CAAC,CAejB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,GACb,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,OAAO,CAAC,EAAE,kBAAkB,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAyB3E;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKrE"}

package/dist/auth.js ADDED Viewed

@@ -0,0 +1,60 @@
+/**
+ * BOTCHA Authentication & JWT Token Management
+ *
+ * Token-based auth flow for production API access
+ */
+import { SignJWT, jwtVerify } from 'jose';
+/**
+ * Generate a JWT token after successful challenge verification
+ */
+export async function generateToken(challengeId, solveTimeMs, secret) {
+    const encoder = new TextEncoder();
+    const secretKey = encoder.encode(secret);
+    const token = await new SignJWT({
+        type: 'botcha-verified',
+        solveTime: solveTimeMs,
+    })
+        .setProtectedHeader({ alg: 'HS256' })
+        .setSubject(challengeId)
+        .setIssuedAt()
+        .setExpirationTime('1h') // 1 hour expiry
+        .sign(secretKey);
+    return token;
+}
+/**
+ * Verify a JWT token
+ */
+export async function verifyToken(token, secret) {
+    try {
+        const encoder = new TextEncoder();
+        const secretKey = encoder.encode(secret);
+        const { payload } = await jwtVerify(token, secretKey, {
+            algorithms: ['HS256'],
+        });
+        return {
+            valid: true,
+            payload: {
+                sub: payload.sub || '',
+                iat: payload.iat || 0,
+                exp: payload.exp || 0,
+                type: payload.type,
+                solveTime: payload.solveTime,
+            },
+        };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            error: error instanceof Error ? error.message : 'Invalid token',
+        };
+    }
+}
+/**
+ * Extract Bearer token from Authorization header
+ */
+export function extractBearerToken(authHeader) {
+    if (!authHeader)
+        return null;
+    const match = authHeader.match(/^Bearer\s+(.+)$/i);
+    return match ? match[1] : null;
+}

package/dist/challenges.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * BOTCHA Challenge System for Cloudflare Workers
+ *
+ * Uses KV storage for production-ready challenge state management
+ * Falls back to in-memory for local dev without KV
+ */
+export type KVNamespace = {
+    get: (key: string, type?: 'text' | 'json' | 'arrayBuffer' | 'stream') => Promise<any>;
+    put: (key: string, value: string, options?: {
+        expirationTtl?: number;
+    }) => Promise<void>;
+    delete: (key: string) => Promise<void>;
+};
+export interface SpeedChallenge {
+    id: string;
+    problems: {
+        num: number;
+        operation: string;
+    }[];
+    expectedAnswers: string[];
+    issuedAt: number;
+    expiresAt: number;
+}
+export interface StandardChallenge {
+    id: string;
+    puzzle: string;
+    expectedAnswer: string;
+    expiresAt: number;
+    difficulty: 'easy' | 'medium' | 'hard';
+}
+export interface ChallengeResult {
+    valid: boolean;
+    reason?: string;
+    solveTimeMs?: number;
+}
+/**
+ * Generate a speed challenge: 5 SHA256 problems, 500ms to solve ALL
+ * Trivial for AI, impossible for humans to copy-paste fast enough
+ */
+export declare function generateSpeedChallenge(kv?: KVNamespace): Promise<{
+    id: string;
+    problems: {
+        num: number;
+        operation: string;
+    }[];
+    timeLimit: number;
+    instructions: string;
+}>;
+/**
+ * Verify a speed challenge response
+ */
+export declare function verifySpeedChallenge(id: string, answers: string[], kv?: KVNamespace): Promise<ChallengeResult>;
+/**
+ * Generate a standard challenge: compute SHA256 of concatenated primes
+ */
+export declare function generateStandardChallenge(difficulty?: 'easy' | 'medium' | 'hard', kv?: KVNamespace): Promise<{
+    id: string;
+    puzzle: string;
+    timeLimit: number;
+    hint: string;
+}>;
+/**
+ * Verify a standard challenge response
+ */
+export declare function verifyStandardChallenge(id: string, answer: string, kv?: KVNamespace): Promise<ChallengeResult>;
+/**
+ * Verify landing page challenge and issue access token
+ * @deprecated - Use JWT token flow instead (see auth.ts)
+ */
+export declare function verifyLandingChallenge(answer: string, timestamp: string, kv?: KVNamespace): Promise<{
+    valid: boolean;
+    token?: string;
+    error?: string;
+    hint?: string;
+}>;
+/**
+ * Validate a landing token
+ * @deprecated - Use JWT token flow instead (see auth.ts)
+ */
+export declare function validateLandingToken(token: string, kv?: KVNamespace): Promise<boolean>;
+/**
+ * Solve speed challenge problems (utility for AI agents)
+ */
+export declare function solveSpeedChallenge(problems: number[]): Promise<string[]>;
+//# sourceMappingURL=challenges.d.ts.map

package/dist/challenges.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"challenges.d.ts","sourceRoot":"","sources":["../src/challenges.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,MAAM,MAAM,WAAW,GAAG;IACxB,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,MAAM,GAAG,MAAM,GAAG,aAAa,GAAG,QAAQ,KAAK,OAAO,CAAC,GAAG,CAAC,CAAC;IACtF,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE;QAAE,aAAa,CAAC,EAAE,MAAM,CAAA;KAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACzF,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACxC,CAAC;AAGF,MAAM,WAAW,cAAc;IAC7B,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC/C,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;CACxC;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AA4ED;;;GAGG;AACH,wBAAsB,sBAAsB,CAAC,EAAE,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC;IACtE,EAAE,EAAE,MAAM,CAAC;IACX,QAAQ,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAC/C,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;CACtB,CAAC,CA+BD;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,EAAE,EACjB,EAAE,CAAC,EAAE,WAAW,GACf,OAAO,CAAC,eAAe,CAAC,CA4B1B;AASD;;GAEG;AACH,wBAAsB,yBAAyB,CAC7C,UAAU,GAAE,MAAM,GAAG,QAAQ,GAAG,MAAiB,EACjD,EAAE,CAAC,EAAE,WAAW,GACf,OAAO,CAAC;IACT,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,MAAM,CAAC;CACd,CAAC,CA4BD;AAED;;GAEG;AACH,wBAAsB,uBAAuB,CAC3C,EAAE,EAAE,MAAM,EACV,MAAM,EAAE,MAAM,EACd,EAAE,CAAC,EAAE,WAAW,GACf,OAAO,CAAC,eAAe,CAAC,CAyB1B;AAKD;;;GAGG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,EAAE,CAAC,EAAE,WAAW,GACf,OAAO,CAAC;IACT,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC,CAuCD;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,CAa5F;AAGD;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAE/E"}

package/dist/challenges.js ADDED Viewed

@@ -0,0 +1,248 @@
+/**
+ * BOTCHA Challenge System for Cloudflare Workers
+ *
+ * Uses KV storage for production-ready challenge state management
+ * Falls back to in-memory for local dev without KV
+ */
+import { sha256First, uuid, generatePrimes, sha256 } from './crypto';
+// ============ STORAGE ============
+// In-memory fallback (for local dev without KV)
+const speedChallenges = new Map();
+const standardChallenges = new Map();
+// Clean expired on access (no setInterval in Workers)
+function cleanExpired() {
+    const now = Date.now();
+    for (const [id, c] of speedChallenges) {
+        if (c.expiresAt < now)
+            speedChallenges.delete(id);
+    }
+    for (const [id, c] of standardChallenges) {
+        if (c.expiresAt < now)
+            standardChallenges.delete(id);
+    }
+}
+// ============ KV STORAGE HELPERS ============
+/**
+ * Store challenge in KV (with TTL) or fallback to memory
+ */
+async function storeChallenge(kv, id, challenge, ttlSeconds) {
+    if (kv) {
+        await kv.put(`challenge:${id}`, JSON.stringify(challenge), {
+            expirationTtl: ttlSeconds,
+        });
+    }
+    else {
+        // Fallback to in-memory
+        if ('problems' in challenge) {
+            speedChallenges.set(id, challenge);
+        }
+        else {
+            standardChallenges.set(id, challenge);
+        }
+    }
+}
+/**
+ * Get challenge from KV or fallback to memory
+ */
+async function getChallenge(kv, id, isSpeed) {
+    if (kv) {
+        const data = await kv.get(`challenge:${id}`);
+        return data ? JSON.parse(data) : null;
+    }
+    else {
+        // Fallback to in-memory
+        cleanExpired();
+        return (isSpeed ? speedChallenges.get(id) : standardChallenges.get(id)) || null;
+    }
+}
+/**
+ * Delete challenge from KV or memory
+ */
+async function deleteChallenge(kv, id) {
+    if (kv) {
+        await kv.delete(`challenge:${id}`);
+    }
+    else {
+        speedChallenges.delete(id);
+        standardChallenges.delete(id);
+    }
+}
+// ============ SPEED CHALLENGE ============
+/**
+ * Generate a speed challenge: 5 SHA256 problems, 500ms to solve ALL
+ * Trivial for AI, impossible for humans to copy-paste fast enough
+ */
+export async function generateSpeedChallenge(kv) {
+    cleanExpired();
+    const id = uuid();
+    const problems = [];
+    const expectedAnswers = [];
+    for (let i = 0; i < 5; i++) {
+        const num = Math.floor(Math.random() * 900000) + 100000;
+        problems.push({ num, operation: 'sha256_first8' });
+        expectedAnswers.push(await sha256First(num.toString(), 8));
+    }
+    const timeLimit = 500;
+    const challenge = {
+        id,
+        problems,
+        expectedAnswers,
+        issuedAt: Date.now(),
+        expiresAt: Date.now() + timeLimit + 100, // tiny grace
+    };
+    // Store in KV with 5 minute TTL (safety buffer for time checks)
+    await storeChallenge(kv, id, challenge, 300);
+    return {
+        id,
+        problems,
+        timeLimit,
+        instructions: 'Compute SHA256 of each number, return first 8 hex chars of each. Submit as array. You have 500ms.',
+    };
+}
+/**
+ * Verify a speed challenge response
+ */
+export async function verifySpeedChallenge(id, answers, kv) {
+    const challenge = await getChallenge(kv, id, true);
+    if (!challenge) {
+        return { valid: false, reason: 'Challenge not found or expired' };
+    }
+    const now = Date.now();
+    const solveTimeMs = now - challenge.issuedAt;
+    // Delete challenge immediately to prevent replay attacks
+    await deleteChallenge(kv, id);
+    if (now > challenge.expiresAt) {
+        return { valid: false, reason: `Too slow! Took ${solveTimeMs}ms, limit was 500ms` };
+    }
+    if (!Array.isArray(answers) || answers.length !== 5) {
+        return { valid: false, reason: 'Must provide exactly 5 answers as array' };
+    }
+    for (let i = 0; i < 5; i++) {
+        if (answers[i]?.toLowerCase() !== challenge.expectedAnswers[i]) {
+            return { valid: false, reason: `Wrong answer for challenge ${i + 1}` };
+        }
+    }
+    return { valid: true, solveTimeMs };
+}
+// ============ STANDARD CHALLENGE ============
+const DIFFICULTY_CONFIG = {
+    easy: { primes: 100, timeLimit: 10000 },
+    medium: { primes: 500, timeLimit: 5000 },
+    hard: { primes: 1000, timeLimit: 3000 },
+};
+/**
+ * Generate a standard challenge: compute SHA256 of concatenated primes
+ */
+export async function generateStandardChallenge(difficulty = 'medium', kv) {
+    cleanExpired();
+    const id = uuid();
+    const config = DIFFICULTY_CONFIG[difficulty];
+    const primes = generatePrimes(config.primes);
+    const concatenated = primes.join('');
+    const hash = await sha256(concatenated);
+    const answer = hash.substring(0, 16);
+    const challenge = {
+        id,
+        puzzle: `Compute SHA256 of the first ${config.primes} prime numbers concatenated (no separators). Return the first 16 hex characters.`,
+        expectedAnswer: answer,
+        expiresAt: Date.now() + config.timeLimit + 1000,
+        difficulty,
+    };
+    // Store in KV with 5 minute TTL
+    await storeChallenge(kv, id, challenge, 300);
+    return {
+        id,
+        puzzle: `Compute SHA256 of the first ${config.primes} prime numbers concatenated (no separators). Return the first 16 hex characters.`,
+        timeLimit: config.timeLimit,
+        hint: `Example: First 5 primes = "235711" → SHA256 → first 16 chars`,
+    };
+}
+/**
+ * Verify a standard challenge response
+ */
+export async function verifyStandardChallenge(id, answer, kv) {
+    const challenge = await getChallenge(kv, id, false);
+    if (!challenge) {
+        return { valid: false, reason: 'Challenge not found or expired' };
+    }
+    const now = Date.now();
+    // Delete challenge immediately to prevent replay attacks
+    await deleteChallenge(kv, id);
+    if (now > challenge.expiresAt) {
+        return { valid: false, reason: 'Challenge expired - too slow!' };
+    }
+    const isValid = answer.toLowerCase() === challenge.expectedAnswer.toLowerCase();
+    if (!isValid) {
+        return { valid: false, reason: 'Incorrect answer' };
+    }
+    const solveTimeMs = now - (challenge.expiresAt - DIFFICULTY_CONFIG[challenge.difficulty].timeLimit - 1000);
+    return { valid: true, solveTimeMs };
+}
+// ============ LANDING CHALLENGE ============
+const landingTokens = new Map();
+/**
+ * Verify landing page challenge and issue access token
+ * @deprecated - Use JWT token flow instead (see auth.ts)
+ */
+export async function verifyLandingChallenge(answer, timestamp, kv) {
+    cleanExpired();
+    // Verify timestamp is recent (within 5 minutes)
+    const submittedTime = new Date(timestamp).getTime();
+    const now = Date.now();
+    if (Math.abs(now - submittedTime) > 5 * 60 * 1000) {
+        return { valid: false, error: 'Timestamp too old or in future' };
+    }
+    // Calculate expected answer for today
+    const today = new Date().toISOString().split('T')[0];
+    const expectedHash = (await sha256(`BOTCHA-LANDING-${today}`)).substring(0, 16);
+    if (answer.toLowerCase() !== expectedHash.toLowerCase()) {
+        return {
+            valid: false,
+            error: 'Incorrect answer',
+            hint: `Expected SHA256('BOTCHA-LANDING-${today}') first 16 chars`
+        };
+    }
+    // Generate token
+    const tokenBytes = new Uint8Array(32);
+    crypto.getRandomValues(tokenBytes);
+    const token = Array.from(tokenBytes).map(b => b.toString(16).padStart(2, '0')).join('');
+    if (kv) {
+        await kv.put(`landing:${token}`, Date.now().toString(), { expirationTtl: 3600 });
+    }
+    else {
+        landingTokens.set(token, Date.now() + 60 * 60 * 1000);
+    }
+    // Clean expired tokens (memory only)
+    for (const [t, expiry] of landingTokens) {
+        if (expiry < Date.now())
+            landingTokens.delete(t);
+    }
+    return { valid: true, token };
+}
+/**
+ * Validate a landing token
+ * @deprecated - Use JWT token flow instead (see auth.ts)
+ */
+export async function validateLandingToken(token, kv) {
+    if (kv) {
+        const value = await kv.get(`landing:${token}`);
+        return value !== null;
+    }
+    else {
+        const expiry = landingTokens.get(token);
+        if (!expiry)
+            return false;
+        if (expiry < Date.now()) {
+            landingTokens.delete(token);
+            return false;
+        }
+        return true;
+    }
+}
+// ============ SOLVER (for AI agents) ============
+/**
+ * Solve speed challenge problems (utility for AI agents)
+ */
+export async function solveSpeedChallenge(problems) {
+    return Promise.all(problems.map(n => sha256First(n.toString(), 8)));
+}

package/dist/crypto.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+/**
+ * Web Crypto API utilities for BOTCHA
+ * Works in Cloudflare Workers, Deno, and browsers
+ */
+/**
+ * SHA256 hash, returns hex string
+ */
+export declare function sha256(input: string): Promise<string>;
+/**
+ * SHA256 hash, returns first N hex chars
+ */
+export declare function sha256First(input: string, chars: number): Promise<string>;
+/**
+ * Generate a UUID (crypto.randomUUID is available in Workers)
+ */
+export declare function uuid(): string;
+/**
+ * Generate N first primes
+ */
+export declare function generatePrimes(count: number): number[];
+//# sourceMappingURL=crypto.d.ts.map

package/dist/crypto.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../src/crypto.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH;;GAEG;AACH,wBAAsB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAM3D;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAG/E;AAED;;GAEG;AACH,wBAAgB,IAAI,IAAI,MAAM,CAE7B;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,EAAE,CAYtD"}

package/dist/crypto.js ADDED Viewed

@@ -0,0 +1,54 @@
+/**
+ * Web Crypto API utilities for BOTCHA
+ * Works in Cloudflare Workers, Deno, and browsers
+ */
+/**
+ * SHA256 hash, returns hex string
+ */
+export async function sha256(input) {
+    const encoder = new TextEncoder();
+    const data = encoder.encode(input);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    const hashArray = Array.from(new Uint8Array(hashBuffer));
+    return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
+}
+/**
+ * SHA256 hash, returns first N hex chars
+ */
+export async function sha256First(input, chars) {
+    const hash = await sha256(input);
+    return hash.substring(0, chars);
+}
+/**
+ * Generate a UUID (crypto.randomUUID is available in Workers)
+ */
+export function uuid() {
+    return crypto.randomUUID();
+}
+/**
+ * Generate N first primes
+ */
+export function generatePrimes(count) {
+    const primes = [];
+    let num = 2;
+    while (primes.length < count) {
+        if (isPrime(num)) {
+            primes.push(num);
+        }
+        num++;
+    }
+    return primes;
+}
+function isPrime(n) {
+    if (n < 2)
+        return false;
+    if (n === 2)
+        return true;
+    if (n % 2 === 0)
+        return false;
+    for (let i = 3; i <= Math.sqrt(n); i += 2) {
+        if (n % i === 0)
+            return false;
+    }
+    return true;
+}

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+/**
+ * BOTCHA - Cloudflare Workers Edition v0.2.0
+ *
+ * Prove you're a bot. Humans need not apply.
+ *
+ * https://botcha.ai
+ */
+import { Hono } from 'hono';
+import { type KVNamespace } from './challenges';
+type Bindings = {
+    CHALLENGES: KVNamespace;
+    RATE_LIMITS: KVNamespace;
+    JWT_SECRET: string;
+    BOTCHA_VERSION: string;
+};
+type Variables = {
+    tokenPayload?: {
+        sub: string;
+        iat: number;
+        exp: number;
+        type: 'botcha-verified';
+        solveTime: number;
+    };
+};
+declare const app: Hono<{
+    Bindings: Bindings;
+    Variables: Variables;
+}, import("hono/types").BlankSchema, "/">;
+export default app;
+export { generateSpeedChallenge, verifySpeedChallenge, generateStandardChallenge, verifyStandardChallenge, solveSpeedChallenge, } from './challenges';
+export { generateToken, verifyToken } from './auth';
+export { checkRateLimit } from './rate-limit';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAG5B,OAAO,EAQL,KAAK,WAAW,EACjB,MAAM,cAAc,CAAC;AAKtB,KAAK,QAAQ,GAAG;IACd,UAAU,EAAE,WAAW,CAAC;IACxB,WAAW,EAAE,WAAW,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,SAAS,GAAG;IACf,YAAY,CAAC,EAAE;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,iBAAiB,CAAC;QACxB,SAAS,EAAE,MAAM,CAAC;KACnB,CAAC;CACH,CAAC;AAEF,QAAA,MAAM,GAAG;cAAwB,QAAQ;eAAa,SAAS;yCAAK,CAAC;AAgVrE,eAAe,GAAG,CAAC;AAGnB,OAAO,EACL,sBAAsB,EACtB,oBAAoB,EACpB,yBAAyB,EACzB,uBAAuB,EACvB,mBAAmB,GACpB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,QAAQ,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,308 @@
+/**
+ * BOTCHA - Cloudflare Workers Edition v0.2.0
+ *
+ * Prove you're a bot. Humans need not apply.
+ *
+ * https://botcha.ai
+ */
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { generateSpeedChallenge, verifySpeedChallenge, generateStandardChallenge, verifyStandardChallenge, verifyLandingChallenge, } from './challenges';
+import { generateToken, verifyToken, extractBearerToken } from './auth';
+import { checkRateLimit, getClientIP } from './rate-limit';
+const app = new Hono();
+// ============ MIDDLEWARE ============
+app.use('*', cors());
+// BOTCHA discovery headers
+app.use('*', async (c, next) => {
+    await next();
+    c.header('X-Botcha-Version', c.env.BOTCHA_VERSION || '0.2.0');
+    c.header('X-Botcha-Enabled', 'true');
+    c.header('X-Botcha-Methods', 'speed-challenge,standard-challenge,jwt-token');
+    c.header('X-Botcha-Docs', 'https://botcha.ai/openapi.json');
+    c.header('X-Botcha-Runtime', 'cloudflare-workers');
+});
+// Rate limiting middleware for challenge generation
+async function rateLimitMiddleware(c, next) {
+    const clientIP = getClientIP(c.req.raw);
+    const rateLimitResult = await checkRateLimit(c.env.RATE_LIMITS, clientIP, 100);
+    // Add rate limit headers
+    c.header('X-RateLimit-Limit', '100');
+    c.header('X-RateLimit-Remaining', rateLimitResult.remaining.toString());
+    c.header('X-RateLimit-Reset', new Date(rateLimitResult.resetAt).toISOString());
+    if (!rateLimitResult.allowed) {
+        c.header('Retry-After', rateLimitResult.retryAfter?.toString() || '3600');
+        return c.json({
+            error: 'RATE_LIMIT_EXCEEDED',
+            message: 'You have exceeded the rate limit. Free tier: 100 challenges/hour/IP',
+            retryAfter: rateLimitResult.retryAfter,
+            resetAt: new Date(rateLimitResult.resetAt).toISOString(),
+        }, 429);
+    }
+    await next();
+}
+// JWT verification middleware
+async function requireJWT(c, next) {
+    const authHeader = c.req.header('authorization');
+    const token = extractBearerToken(authHeader);
+    if (!token) {
+        return c.json({
+            error: 'UNAUTHORIZED',
+            message: 'Missing Bearer token. Use POST /v1/token/verify to get a token.',
+        }, 401);
+    }
+    const result = await verifyToken(token, c.env.JWT_SECRET);
+    if (!result.valid) {
+        return c.json({
+            error: 'INVALID_TOKEN',
+            message: result.error || 'Token is invalid or expired',
+        }, 401);
+    }
+    // Store payload in context for route handlers
+    c.set('tokenPayload', result.payload);
+    await next();
+}
+// ============ ROOT & INFO ============
+app.get('/', (c) => {
+    return c.json({
+        name: 'BOTCHA',
+        version: c.env.BOTCHA_VERSION || '0.2.0',
+        runtime: 'cloudflare-workers',
+        tagline: 'Prove you are a bot. Humans need not apply.',
+        endpoints: {
+            '/': 'API info',
+            '/health': 'Health check',
+            '/v1/challenges': 'Generate challenge (GET) or verify (POST)',
+            '/v1/token': 'Get challenge for JWT token flow (GET)',
+            '/v1/token/verify': 'Verify challenge and get JWT (POST)',
+            '/agent-only': 'Protected endpoint (requires JWT)',
+        },
+        rateLimit: {
+            free: '100 challenges/hour/IP',
+            headers: ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-RateLimit-Reset'],
+        },
+        authentication: {
+            flow: 'GET /v1/token → solve challenge → POST /v1/token/verify → Bearer token',
+            tokenExpiry: '1 hour',
+            usage: 'Authorization: Bearer <token>',
+        },
+        discovery: {
+            openapi: 'https://botcha.ai/openapi.json',
+            aiPlugin: 'https://botcha.ai/.well-known/ai-plugin.json',
+            npm: 'https://www.npmjs.com/package/@dupecom/botcha-cloudflare',
+            github: 'https://github.com/i8ramin/botcha',
+        },
+    });
+});
+app.get('/health', (c) => {
+    return c.json({ status: 'ok', runtime: 'cloudflare-workers' });
+});
+// ============ V1 API ============
+// Generate challenge (standard or speed)
+app.get('/v1/challenges', rateLimitMiddleware, async (c) => {
+    const type = c.req.query('type') || 'speed';
+    const difficulty = c.req.query('difficulty') || 'medium';
+    if (type === 'speed') {
+        const challenge = await generateSpeedChallenge(c.env.CHALLENGES);
+        return c.json({
+            success: true,
+            type: 'speed',
+            challenge: {
+                id: challenge.id,
+                problems: challenge.problems,
+                timeLimit: `${challenge.timeLimit}ms`,
+                instructions: challenge.instructions,
+            },
+            tip: '⚡ Speed challenge: You have 500ms to solve ALL problems. Humans cannot copy-paste fast enough.',
+        });
+    }
+    else {
+        const challenge = await generateStandardChallenge(difficulty, c.env.CHALLENGES);
+        return c.json({
+            success: true,
+            type: 'standard',
+            challenge: {
+                id: challenge.id,
+                puzzle: challenge.puzzle,
+                timeLimit: `${challenge.timeLimit}ms`,
+                hint: challenge.hint,
+            },
+        });
+    }
+});
+// Verify challenge (without JWT - legacy)
+app.post('/v1/challenges/:id/verify', async (c) => {
+    const id = c.req.param('id');
+    const body = await c.req.json();
+    const { answers, answer, type } = body;
+    if (type === 'speed' || answers) {
+        if (!answers || !Array.isArray(answers)) {
+            return c.json({ success: false, error: 'Missing answers array for speed challenge' }, 400);
+        }
+        const result = await verifySpeedChallenge(id, answers, c.env.CHALLENGES);
+        return c.json({
+            success: result.valid,
+            message: result.valid
+                ? `⚡ Speed challenge passed in ${result.solveTimeMs}ms!`
+                : result.reason,
+            solveTimeMs: result.solveTimeMs,
+        });
+    }
+    else {
+        if (!answer) {
+            return c.json({ success: false, error: 'Missing answer for standard challenge' }, 400);
+        }
+        const result = await verifyStandardChallenge(id, answer, c.env.CHALLENGES);
+        return c.json({
+            success: result.valid,
+            message: result.valid ? 'Challenge passed!' : result.reason,
+            solveTimeMs: result.solveTimeMs,
+        });
+    }
+});
+// Get challenge for token flow (includes empty token field)
+app.get('/v1/token', rateLimitMiddleware, async (c) => {
+    const challenge = await generateSpeedChallenge(c.env.CHALLENGES);
+    return c.json({
+        success: true,
+        challenge: {
+            id: challenge.id,
+            problems: challenge.problems,
+            timeLimit: `${challenge.timeLimit}ms`,
+            instructions: challenge.instructions,
+        },
+        token: null, // Will be populated after verification
+        nextStep: `POST /v1/token/verify with {id: "${challenge.id}", answers: ["..."]}`
+    });
+});
+// Verify challenge and issue JWT token
+app.post('/v1/token/verify', async (c) => {
+    const body = await c.req.json();
+    const { id, answers } = body;
+    if (!id || !answers) {
+        return c.json({
+            success: false,
+            error: 'Missing id or answers array',
+            hint: 'First GET /v1/token to get a challenge, then solve it and submit here',
+        }, 400);
+    }
+    const result = await verifySpeedChallenge(id, answers, c.env.CHALLENGES);
+    if (!result.valid) {
+        return c.json({
+            success: false,
+            error: 'CHALLENGE_FAILED',
+            message: result.reason,
+        }, 403);
+    }
+    // Generate JWT token
+    const token = await generateToken(id, result.solveTimeMs || 0, c.env.JWT_SECRET);
+    return c.json({
+        success: true,
+        message: `🤖 Challenge verified in ${result.solveTimeMs}ms! You are a bot.`,
+        token,
+        expiresIn: '1h',
+        usage: {
+            header: 'Authorization: Bearer <token>',
+            protectedEndpoints: ['/agent-only'],
+        },
+    });
+});
+// ============ PROTECTED ENDPOINT ============
+app.get('/agent-only', requireJWT, async (c) => {
+    const payload = c.get('tokenPayload');
+    return c.json({
+        success: true,
+        message: '🤖 Welcome, fellow agent!',
+        verified: true,
+        agent: 'jwt-verified',
+        method: 'bearer-token',
+        timestamp: new Date().toISOString(),
+        solveTime: `${payload?.solveTime}ms`,
+        secret: 'The humans will never see this. Their fingers are too slow. 🤫',
+    });
+});
+// ============ LEGACY ENDPOINTS (v0 - backward compatibility) ============
+app.get('/api/challenge', async (c) => {
+    const difficulty = c.req.query('difficulty') || 'medium';
+    const challenge = await generateStandardChallenge(difficulty, c.env.CHALLENGES);
+    return c.json({ success: true, challenge });
+});
+app.post('/api/challenge', async (c) => {
+    const body = await c.req.json();
+    const { id, answer } = body;
+    if (!id || !answer) {
+        return c.json({ success: false, error: 'Missing id or answer' }, 400);
+    }
+    const result = await verifyStandardChallenge(id, answer, c.env.CHALLENGES);
+    return c.json({
+        success: result.valid,
+        message: result.valid ? '✅ Challenge passed!' : `❌ ${result.reason}`,
+        solveTime: result.solveTimeMs,
+    });
+});
+app.get('/api/speed-challenge', async (c) => {
+    const challenge = await generateSpeedChallenge(c.env.CHALLENGES);
+    return c.json({
+        success: true,
+        warning: '⚡ SPEED CHALLENGE: You have 500ms to solve ALL 5 problems!',
+        challenge: {
+            id: challenge.id,
+            problems: challenge.problems,
+            timeLimit: `${challenge.timeLimit}ms`,
+            instructions: challenge.instructions,
+        },
+        tip: 'Humans cannot copy-paste fast enough. Only real AI agents can pass.',
+    });
+});
+app.post('/api/speed-challenge', async (c) => {
+    const body = await c.req.json();
+    const { id, answers } = body;
+    if (!id || !answers) {
+        return c.json({ success: false, error: 'Missing id or answers array' }, 400);
+    }
+    const result = await verifySpeedChallenge(id, answers, c.env.CHALLENGES);
+    return c.json({
+        success: result.valid,
+        message: result.valid
+            ? `⚡ SPEED TEST PASSED in ${result.solveTimeMs}ms! You are definitely an AI.`
+            : `❌ ${result.reason}`,
+        solveTimeMs: result.solveTimeMs,
+        verdict: result.valid ? '🤖 VERIFIED AI AGENT' : '🚫 LIKELY HUMAN (too slow)',
+    });
+});
+app.post('/api/verify-landing', async (c) => {
+    const body = await c.req.json();
+    const { answer, timestamp } = body;
+    if (!answer || !timestamp) {
+        return c.json({
+            success: false,
+            error: 'Missing answer or timestamp',
+            hint: 'Parse the challenge from <script type="application/botcha+json"> on the landing page'
+        }, 400);
+    }
+    const result = await verifyLandingChallenge(answer, timestamp, c.env.CHALLENGES);
+    if (!result.valid) {
+        return c.json({
+            success: false,
+            error: result.error,
+            hint: result.hint,
+        }, 403);
+    }
+    return c.json({
+        success: true,
+        message: '🤖 Landing challenge solved! You are a bot.',
+        token: result.token,
+        usage: {
+            header: 'X-Botcha-Landing-Token',
+            value: result.token,
+            expires_in: '1 hour',
+            use_with: '/agent-only'
+        }
+    });
+});
+// ============ EXPORT ============
+export default app;
+// Also export utilities for use as a library
+export { generateSpeedChallenge, verifySpeedChallenge, generateStandardChallenge, verifyStandardChallenge, solveSpeedChallenge, } from './challenges';
+export { generateToken, verifyToken } from './auth';
+export { checkRateLimit } from './rate-limit';

package/dist/rate-limit.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+/**
+ * BOTCHA Rate Limiting
+ *
+ * Simple IP-based rate limiting using KV storage
+ */
+import type { KVNamespace } from './challenges';
+export interface RateLimitConfig {
+    requestsPerHour: number;
+    identifier: string;
+}
+export interface RateLimitResult {
+    allowed: boolean;
+    remaining: number;
+    resetAt: number;
+    retryAfter?: number;
+}
+/**
+ * Check and enforce rate limits
+ */
+export declare function checkRateLimit(kv: KVNamespace | undefined, identifier: string, limit?: number): Promise<RateLimitResult>;
+/**
+ * Extract client IP from request
+ */
+export declare function getClientIP(request: Request): string;
+//# sourceMappingURL=rate-limit.d.ts.map

package/dist/rate-limit.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rate-limit.d.ts","sourceRoot":"","sources":["../src/rate-limit.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAEhD,MAAM,WAAW,eAAe;IAC9B,eAAe,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,EAAE,EAAE,WAAW,GAAG,SAAS,EAC3B,UAAU,EAAE,MAAM,EAClB,KAAK,GAAE,MAAY,GAClB,OAAO,CAAC,eAAe,CAAC,CA8E1B;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAapD"}

package/dist/rate-limit.js ADDED Viewed

@@ -0,0 +1,94 @@
+/**
+ * BOTCHA Rate Limiting
+ *
+ * Simple IP-based rate limiting using KV storage
+ */
+/**
+ * Check and enforce rate limits
+ */
+export async function checkRateLimit(kv, identifier, limit = 100) {
+    if (!kv) {
+        // No KV = no rate limiting (local dev)
+        return {
+            allowed: true,
+            remaining: limit,
+            resetAt: Date.now() + 3600000,
+        };
+    }
+    const key = `ratelimit:${identifier}`;
+    const now = Date.now();
+    const windowStart = now - 3600000; // 1 hour ago
+    try {
+        const data = await kv.get(key);
+        if (!data) {
+            // First request in this window
+            await kv.put(key, JSON.stringify({ count: 1, firstRequest: now }), {
+                expirationTtl: 3600, // 1 hour
+            });
+            return {
+                allowed: true,
+                remaining: limit - 1,
+                resetAt: now + 3600000,
+            };
+        }
+        const { count, firstRequest } = JSON.parse(data);
+        // Check if window has expired
+        if (firstRequest < windowStart) {
+            // Reset window
+            await kv.put(key, JSON.stringify({ count: 1, firstRequest: now }), {
+                expirationTtl: 3600,
+            });
+            return {
+                allowed: true,
+                remaining: limit - 1,
+                resetAt: now + 3600000,
+            };
+        }
+        // Check if limit exceeded
+        if (count >= limit) {
+            const resetAt = firstRequest + 3600000;
+            const retryAfter = Math.ceil((resetAt - now) / 1000);
+            return {
+                allowed: false,
+                remaining: 0,
+                resetAt,
+                retryAfter,
+            };
+        }
+        // Increment counter
+        await kv.put(key, JSON.stringify({ count: count + 1, firstRequest }), {
+            expirationTtl: 3600,
+        });
+        return {
+            allowed: true,
+            remaining: limit - count - 1,
+            resetAt: firstRequest + 3600000,
+        };
+    }
+    catch (error) {
+        // On error, allow request (fail open)
+        console.error('Rate limit check failed:', error);
+        return {
+            allowed: true,
+            remaining: limit,
+            resetAt: now + 3600000,
+        };
+    }
+}
+/**
+ * Extract client IP from request
+ */
+export function getClientIP(request) {
+    // Cloudflare provides CF-Connecting-IP header
+    const cfIP = request.headers.get('cf-connecting-ip');
+    if (cfIP)
+        return cfIP;
+    // Fallback headers
+    const forwarded = request.headers.get('x-forwarded-for');
+    if (forwarded)
+        return forwarded.split(',')[0].trim();
+    const realIP = request.headers.get('x-real-ip');
+    if (realIP)
+        return realIP;
+    return 'unknown';
+}

package/package.json ADDED Viewed

@@ -0,0 +1,52 @@
+{
+  "name": "@dupecom/botcha-cloudflare",
+  "version": "0.2.0",
+  "description": "BOTCHA for Cloudflare Workers - Prove you're a bot. Humans need not apply.",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "scripts": {
+    "dev": "wrangler dev",
+    "deploy": "wrangler deploy",
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "test": "vitest"
+  },
+  "keywords": [
+    "captcha",
+    "bot",
+    "ai",
+    "agent",
+    "verification",
+    "cloudflare",
+    "workers",
+    "edge"
+  ],
+  "author": "Ramin <ramin@dupe.com>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/i8ramin/botcha"
+  },
+  "homepage": "https://botcha.ai",
+  "dependencies": {
+    "hono": "^4.7.0",
+    "jose": "^5.9.6"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20250124.0",
+    "typescript": "^5.9.3",
+    "wrangler": "^4.5.0",
+    "vitest": "^3.0.0"
+  }
+}