@dupecom/botcha-cloudflare 0.3.3 → 0.9.0

package/dist/challenges.js

@@ -69,10 +69,10 @@ async function deleteChallenge(kv, id) {
 }
 // ============ SPEED CHALLENGE ============
 /**
- * Generate a speed challenge: 5 SHA256 problems, 500ms to solve ALL
+ * Generate a speed challenge: 5 SHA256 problems, RTT-aware timeout
  * Trivial for AI, impossible for humans to copy-paste fast enough
  */
-export async function generateSpeedChallenge(kv) {
+export async function generateSpeedChallenge(kv, clientTimestamp, app_id) {
     cleanExpired();
     const id = uuid();
     const problems = [];
@@ -82,25 +82,57 @@ export async function generateSpeedChallenge(kv) {
         problems.push({ num, operation: 'sha256_first8' });
         expectedAnswers.push(await sha256First(num.toString(), 8));
     }
-    const timeLimit = 500;
+    // RTT-aware timeout calculation
+    const baseTimeLimit = 500; // Base computation time for AI agents
+    const MAX_RTT_MS = 5000; // Cap RTT to prevent timestamp spoofing (5s max)
+    const MAX_TIMESTAMP_AGE_MS = 30000; // Reject timestamps older than 30s
+    const now = Date.now();
+    let rttMs = 0;
+    let adjustedTimeLimit = baseTimeLimit;
+    let rttInfo = undefined;
+    if (clientTimestamp && clientTimestamp > 0) {
+        // Reject timestamps in the future or too far in the past (anti-spoofing)
+        const age = now - clientTimestamp;
+        if (age >= 0 && age <= MAX_TIMESTAMP_AGE_MS) {
+            // Calculate RTT from client timestamp, capped to prevent abuse
+            rttMs = Math.min(age, MAX_RTT_MS);
+            // Adjust timeout: base + (2 * RTT) + 100ms buffer
+            // The 2x RTT accounts for request + response network time
+            adjustedTimeLimit = Math.max(baseTimeLimit, baseTimeLimit + (2 * rttMs) + 100);
+            rttInfo = {
+                measuredRtt: rttMs,
+                adjustedTimeout: adjustedTimeLimit,
+                explanation: `RTT: ${rttMs}ms → Timeout: ${baseTimeLimit}ms + (2×${rttMs}ms) + 100ms = ${adjustedTimeLimit}ms`,
+            };
+        }
+        // else: invalid timestamp silently ignored, use base timeout
+    }
     const challenge = {
         id,
         problems,
         expectedAnswers,
-        issuedAt: Date.now(),
-        expiresAt: Date.now() + timeLimit + 100, // tiny grace
+        issuedAt: now,
+        expiresAt: now + adjustedTimeLimit + 50, // Small server-side grace period
+        baseTimeLimit,
+        adjustedTimeLimit,
+        rttMs,
+        app_id,
     };
     // Store in KV with 5 minute TTL (safety buffer for time checks)
     await storeChallenge(kv, id, challenge, 300);
+    const instructions = rttMs > 0
+        ? `Compute SHA256 of each number, return first 8 hex chars of each. Submit as array. You have ${adjustedTimeLimit}ms (adjusted for your ${rttMs}ms network latency).`
+        : 'Compute SHA256 of each number, return first 8 hex chars of each. Submit as array. You have 500ms.';
     return {
         id,
         problems,
-        timeLimit,
-        instructions: 'Compute SHA256 of each number, return first 8 hex chars of each. Submit as array. You have 500ms.',
+        timeLimit: adjustedTimeLimit,
+        instructions,
+        rttInfo,
     };
 }
 /**
- * Verify a speed challenge response
+ * Verify a speed challenge response with RTT-aware timeout
  */
 export async function verifySpeedChallenge(id, answers, kv) {
     const challenge = await getChallenge(kv, id, true);
@@ -111,8 +143,21 @@ export async function verifySpeedChallenge(id, answers, kv) {
     const solveTimeMs = now - challenge.issuedAt;
     // Delete challenge immediately to prevent replay attacks
     await deleteChallenge(kv, id);
+    // Use the challenge's adjusted timeout, fallback to base if not available
+    const timeLimit = challenge.adjustedTimeLimit || challenge.baseTimeLimit || 500;
     if (now > challenge.expiresAt) {
-        return { valid: false, reason: `Too slow! Took ${solveTimeMs}ms, limit was 500ms` };
+        const rttExplanation = challenge.rttMs
+            ? ` (RTT-adjusted: ${challenge.rttMs}ms network + ${challenge.baseTimeLimit}ms compute = ${timeLimit}ms limit)`
+            : '';
+        return {
+            valid: false,
+            reason: `Too slow! Took ${solveTimeMs}ms, limit was ${timeLimit}ms${rttExplanation}`,
+            rttInfo: challenge.rttMs ? {
+                measuredRtt: challenge.rttMs,
+                adjustedTimeout: timeLimit,
+                actualTime: solveTimeMs,
+            } : undefined,
+        };
     }
     if (!Array.isArray(answers) || answers.length !== 5) {
         return { valid: false, reason: 'Must provide exactly 5 answers as array' };
@@ -122,7 +167,16 @@ export async function verifySpeedChallenge(id, answers, kv) {
             return { valid: false, reason: `Wrong answer for challenge ${i + 1}` };
         }
     }
-    return { valid: true, solveTimeMs };
+    return {
+        valid: true,
+        solveTimeMs,
+        app_id: challenge.app_id,
+        rttInfo: challenge.rttMs ? {
+            measuredRtt: challenge.rttMs,
+            adjustedTimeout: timeLimit,
+            actualTime: solveTimeMs,
+        } : undefined,
+    };
 }
 // ============ STANDARD CHALLENGE ============
 const DIFFICULTY_CONFIG = {
@@ -133,28 +187,31 @@ const DIFFICULTY_CONFIG = {
 /**
  * Generate a standard challenge: compute SHA256 of concatenated primes
  */
-export async function generateStandardChallenge(difficulty = 'medium', kv) {
+export async function generateStandardChallenge(difficulty = 'medium', kv, app_id) {
     cleanExpired();
     const id = uuid();
     const config = DIFFICULTY_CONFIG[difficulty];
+    // Random salt makes each challenge unique — precomputed lookup tables won't work
+    const salt = uuid().replace(/-/g, '').substring(0, 16);
     const primes = generatePrimes(config.primes);
-    const concatenated = primes.join('');
+    const concatenated = primes.join('') + salt;
     const hash = await sha256(concatenated);
     const answer = hash.substring(0, 16);
     const challenge = {
         id,
-        puzzle: `Compute SHA256 of the first ${config.primes} prime numbers concatenated (no separators). Return the first 16 hex characters.`,
+        puzzle: `Compute SHA256 of the first ${config.primes} prime numbers concatenated (no separators) followed by the salt "${salt}". Return the first 16 hex characters.`,
         expectedAnswer: answer,
         expiresAt: Date.now() + config.timeLimit + 1000,
         difficulty,
+        app_id,
     };
     // Store in KV with 5 minute TTL
     await storeChallenge(kv, id, challenge, 300);
     return {
         id,
-        puzzle: `Compute SHA256 of the first ${config.primes} prime numbers concatenated (no separators). Return the first 16 hex characters.`,
+        puzzle: `Compute SHA256 of the first ${config.primes} prime numbers concatenated (no separators) followed by the salt "${salt}". Return the first 16 hex characters.`,
         timeLimit: config.timeLimit,
-        hint: `Example: First 5 primes = "235711" → SHA256 → first 16 chars`,
+        hint: `Example: First 5 primes + salt = "235711${salt}" → SHA256 → first 16 chars`,
     };
 }
 /**
@@ -186,20 +243,22 @@ const landingTokens = new Map();
  */
 export async function verifyLandingChallenge(answer, timestamp, kv) {
     cleanExpired();
-    // Verify timestamp is recent (within 5 minutes)
+    // Verify timestamp is recent (within 2 minutes — tighter window for security)
     const submittedTime = new Date(timestamp).getTime();
     const now = Date.now();
-    if (Math.abs(now - submittedTime) > 5 * 60 * 1000) {
-        return { valid: false, error: 'Timestamp too old or in future' };
+    if (Number.isNaN(submittedTime) || Math.abs(now - submittedTime) > 2 * 60 * 1000) {
+        return { valid: false, error: 'Timestamp expired or invalid. Request a fresh challenge.' };
     }
-    // Calculate expected answer for today
+    // Per-request nonce: include the timestamp in the hash input so answers are unique per request
+    // This prevents answer sharing — each timestamp produces a different expected answer
     const today = new Date().toISOString().split('T')[0];
-    const expectedHash = (await sha256(`BOTCHA-LANDING-${today}`)).substring(0, 16);
+    const expectedHash = (await sha256(`BOTCHA-LANDING-${today}-${timestamp}`)).substring(0, 16);
     if (answer.toLowerCase() !== expectedHash.toLowerCase()) {
         return {
             valid: false,
             error: 'Incorrect answer',
-            hint: `Expected SHA256('BOTCHA-LANDING-${today}') first 16 chars`
+            // Don't leak the formula — only give a generic hint
+            hint: 'Parse the challenge from <script type="application/botcha+json"> on the landing page and compute the answer.',
         };
     }
     // Generate token
@@ -249,149 +308,490 @@ export async function solveSpeedChallenge(problems) {
 // ============ REASONING CHALLENGE ============
 // In-memory storage for reasoning challenges
 const reasoningChallenges = new Map();
-// Question bank - LLMs can answer these, simple scripts cannot
-const QUESTION_BANK = [
-    // Analogies
-    {
-        id: 'analogy-1',
-        question: 'Complete the analogy: Book is to library as car is to ___',
-        category: 'analogy',
-        acceptedAnswers: ['garage', 'parking lot', 'dealership', 'parking garage', 'lot'],
-    },
-    {
-        id: 'analogy-2',
-        question: 'Complete the analogy: Painter is to brush as writer is to ___',
-        category: 'analogy',
-        acceptedAnswers: ['pen', 'pencil', 'keyboard', 'typewriter', 'quill'],
-    },
-    {
-        id: 'analogy-3',
-        question: 'Complete the analogy: Fish is to water as bird is to ___',
-        category: 'analogy',
-        acceptedAnswers: ['air', 'sky', 'atmosphere'],
-    },
-    {
-        id: 'analogy-4',
-        question: 'Complete the analogy: Eye is to see as ear is to ___',
-        category: 'analogy',
-        acceptedAnswers: ['hear', 'listen', 'hearing', 'listening'],
-    },
-    // Wordplay
-    {
-        id: 'wordplay-1',
+// ============ PARAMETERIZED QUESTION GENERATORS ============
+// These generate unique questions each time, so a static lookup table won't work.
+function randInt(min, max) {
+    return Math.floor(Math.random() * (max - min + 1)) + min;
+}
+function pickRandom(arr) {
+    return arr[Math.floor(Math.random() * arr.length)];
+}
+// --- Math generators (randomized numbers each time) ---
+function genMathAdd() {
+    const a = randInt(100, 999);
+    const b = randInt(100, 999);
+    return {
+        id: `math-add-${uuid().substring(0, 8)}`,
+        question: `What is ${a} + ${b}?`,
+        category: 'math',
+        acceptedAnswers: [(a + b).toString()],
+    };
+}
+function genMathMultiply() {
+    const a = randInt(12, 99);
+    const b = randInt(12, 99);
+    return {
+        id: `math-mul-${uuid().substring(0, 8)}`,
+        question: `What is ${a} × ${b}?`,
+        category: 'math',
+        acceptedAnswers: [(a * b).toString()],
+    };
+}
+function genMathModulo() {
+    const a = randInt(50, 999);
+    const b = randInt(3, 19);
+    return {
+        id: `math-mod-${uuid().substring(0, 8)}`,
+        question: `What is ${a} % ${b} (modulo)?`,
+        category: 'math',
+        acceptedAnswers: [(a % b).toString()],
+    };
+}
+function genMathSheep() {
+    const total = randInt(15, 50);
+    const remaining = randInt(3, total - 2);
+    return {
+        id: `math-sheep-${uuid().substring(0, 8)}`,
+        question: `A farmer has ${total} sheep. All but ${remaining} run away. How many sheep does he have left? Answer with just the number.`,
+        category: 'math',
+        acceptedAnswers: [remaining.toString()],
+    };
+}
+function genMathDoubling() {
+    const days = randInt(20, 60);
+    return {
+        id: `math-double-${uuid().substring(0, 8)}`,
+        question: `A patch of lily pads doubles in size every day. If it takes ${days} days to cover the entire lake, how many days to cover half? Answer with just the number.`,
+        category: 'math',
+        acceptedAnswers: [(days - 1).toString()],
+    };
+}
+function genMathMachines() {
+    const n = pickRandom([5, 7, 8, 10, 12]);
+    const m = randInt(50, 200);
+    return {
+        id: `math-machines-${uuid().substring(0, 8)}`,
+        question: `If it takes ${n} machines ${n} minutes to make ${n} widgets, how many minutes would it take ${m} machines to make ${m} widgets? Answer with just the number.`,
+        category: 'math',
+        acceptedAnswers: [n.toString()],
+    };
+}
+// --- Code generators (randomized values) ---
+function genCodeModulo() {
+    const a = randInt(20, 200);
+    const b = randInt(3, 15);
+    return {
+        id: `code-mod-${uuid().substring(0, 8)}`,
+        question: `In most programming languages, what does ${a} % ${b} evaluate to?`,
+        category: 'code',
+        acceptedAnswers: [(a % b).toString()],
+    };
+}
+function genCodeBitwise() {
+    const a = randInt(1, 31);
+    const b = randInt(1, 31);
+    const op = pickRandom(['&', '|', '^']);
+    const opName = op === '&' ? 'AND' : op === '|' ? 'OR' : 'XOR';
+    let answer;
+    if (op === '&')
+        answer = a & b;
+    else if (op === '|')
+        answer = a | b;
+    else
+        answer = a ^ b;
+    return {
+        id: `code-bit-${uuid().substring(0, 8)}`,
+        question: `What is ${a} ${op} ${b} (bitwise ${opName})? Answer with just the number.`,
+        category: 'code',
+        acceptedAnswers: [answer.toString()],
+    };
+}
+function genCodeStringLen() {
+    // Generate random alphanumeric strings of varying lengths (3-20 chars)
+    // This creates effectively infinite answer space (18 possible lengths × countless string combinations)
+    const length = randInt(3, 20);
+    const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
+    let word = '';
+    for (let i = 0; i < length; i++) {
+        word += chars[Math.floor(Math.random() * chars.length)];
+    }
+    return {
+        id: `code-strlen-${uuid().substring(0, 8)}`,
+        question: `What is the length of the string "${word}"? Answer with just the number.`,
+        category: 'code',
+        acceptedAnswers: [word.length.toString()],
+    };
+}
+// --- Logic generators (randomized names/items) ---
+function genLogicSyllogism() {
+    const groups = [
+        ['Bloops', 'Razzies', 'Lazzies'],
+        ['Florps', 'Zinkies', 'Mopples'],
+        ['Grunts', 'Tazzles', 'Wibbles'],
+        ['Plonks', 'Snazzles', 'Krinkles'],
+        ['Dweems', 'Fozzits', 'Glimmers'],
+    ];
+    const [a, b, c] = pickRandom(groups);
+    return {
+        id: `logic-syl-${uuid().substring(0, 8)}`,
+        question: `If all ${a} are ${b} and all ${b} are ${c}, are all ${a} definitely ${c}? Answer yes or no.`,
+        category: 'logic',
+        acceptedAnswers: ['yes'],
+    };
+}
+function genLogicNegation() {
+    const total = randInt(20, 100);
+    const keep = randInt(3, total - 5);
+    return {
+        id: `logic-neg-${uuid().substring(0, 8)}`,
+        question: `There are ${total} marbles in a bag. You remove all but ${keep}. How many marbles are left in the bag? Answer with just the number.`,
+        category: 'logic',
+        acceptedAnswers: [keep.toString()],
+    };
+}
+function genLogicSequence() {
+    const start = randInt(2, 20);
+    const step = randInt(2, 8);
+    const seq = [start, start + step, start + 2 * step, start + 3 * step];
+    return {
+        id: `logic-seq-${uuid().substring(0, 8)}`,
+        question: `What comes next in the sequence: ${seq.join(', ')}, ___? Answer with just the number.`,
+        category: 'logic',
+        acceptedAnswers: [(start + 4 * step).toString()],
+    };
+}
+// --- Wordplay / static (with randomized IDs so lookup by ID fails) ---
+const WORDPLAY_GENERATORS = [
+    // Connection riddles (original + new)
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
         question: 'What single word connects: apple, Newton, gravity?',
         category: 'wordplay',
         acceptedAnswers: ['tree', 'fall', 'falling'],
-    },
-    {
-        id: 'wordplay-2',
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
         question: 'What single word connects: key, piano, computer?',
         category: 'wordplay',
         acceptedAnswers: ['keyboard', 'board', 'keys'],
-    },
-    {
-        id: 'wordplay-3',
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
         question: 'What single word connects: river, money, blood?',
         category: 'wordplay',
         acceptedAnswers: ['bank', 'flow', 'stream'],
-    },
-    {
-        id: 'wordplay-4',
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
         question: 'What word can precede: light, house, shine?',
         category: 'wordplay',
         acceptedAnswers: ['sun', 'moon'],
-    },
-    // Logic
-    {
-        id: 'logic-1',
-        question: 'If all Bloops are Razzies and all Razzies are Lazzies, are all Bloops definitely Lazzies? Answer yes or no.',
-        category: 'logic',
-        acceptedAnswers: ['yes'],
-    },
-    {
-        id: 'logic-2',
-        question: 'If some Widgets are Gadgets, and all Gadgets are blue, can some Widgets be blue? Answer yes or no.',
-        category: 'logic',
-        acceptedAnswers: ['yes'],
-    },
-    {
-        id: 'logic-3',
-        question: 'I have a bee in my hand. What do I have in my eye? (Think about the saying)',
-        category: 'logic',
-        acceptedAnswers: ['beauty', 'beholder'],
-    },
-    {
-        id: 'logic-4',
-        question: 'A farmer has 17 sheep. All but 9 run away. How many sheep does he have left?',
-        category: 'logic',
-        acceptedAnswers: ['9', 'nine'],
-    },
-    // Math
-    {
-        id: 'math-1',
-        question: 'A bat and ball cost $1.10 total. The bat costs $1.00 more than the ball. How much does the ball cost in cents?',
-        category: 'math',
-        acceptedAnswers: ['5', '5 cents', 'five', 'five cents', '0.05', '$0.05'],
-    },
-    {
-        id: 'math-2',
-        question: 'If it takes 5 machines 5 minutes to make 5 widgets, how many minutes would it take 100 machines to make 100 widgets?',
-        category: 'math',
-        acceptedAnswers: ['5', 'five', '5 minutes', 'five minutes'],
-    },
-    {
-        id: 'math-3',
-        question: 'In a lake, there is a patch of lily pads. Every day, the patch doubles in size. If it takes 48 days for the patch to cover the entire lake, how many days would it take for the patch to cover half of the lake?',
-        category: 'math',
-        acceptedAnswers: ['47', 'forty-seven', 'forty seven', '47 days'],
-    },
-    // Code
-    {
-        id: 'code-1',
-        question: 'What is wrong with this code: if (x = 5) { doSomething(); }',
-        category: 'code',
-        acceptedAnswers: ['assignment', 'single equals', '= instead of ==', 'should be ==', 'should be ===', 'equality', 'comparison'],
-    },
-    {
-        id: 'code-2',
-        question: 'In most programming languages, what does the modulo operator % return for 17 % 5?',
-        category: 'code',
-        acceptedAnswers: ['2', 'two'],
-    },
-    {
-        id: 'code-3',
-        question: 'What data structure uses LIFO (Last In, First Out)?',
-        category: 'code',
-        acceptedAnswers: ['stack', 'a stack'],
-    },
-    // Common sense
-    {
-        id: 'sense-1',
-        question: 'If you are running a race and you pass the person in second place, what place are you in now?',
-        category: 'common-sense',
-        acceptedAnswers: ['second', '2nd', '2', 'two'],
-    },
-    {
-        id: 'sense-2',
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What single word connects: fire, ice, boxing?',
+        category: 'wordplay',
+        acceptedAnswers: ['ring', 'fight', 'match'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What single word connects: music, radio, ocean?',
+        category: 'wordplay',
+        acceptedAnswers: ['wave', 'waves', 'frequency'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What word follows: high, middle, private?',
+        category: 'wordplay',
+        acceptedAnswers: ['school'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What word connects: sleeping, travel, time?',
+        category: 'wordplay',
+        acceptedAnswers: ['bag'],
+    }),
+    // Common sense riddles (original + new)
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
         question: 'What gets wetter the more it dries?',
         category: 'common-sense',
         acceptedAnswers: ['towel', 'a towel', 'cloth', 'rag'],
-    },
-    {
-        id: 'sense-3',
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
         question: 'What can you catch but not throw?',
         category: 'common-sense',
         acceptedAnswers: ['cold', 'a cold', 'breath', 'your breath', 'feelings', 'disease'],
-    },
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has keys but no locks, space but no room, and you can enter but not go inside?',
+        category: 'common-sense',
+        acceptedAnswers: ['keyboard', 'a keyboard'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What runs but never walks, has a mouth but never talks?',
+        category: 'common-sense',
+        acceptedAnswers: ['river', 'a river', 'stream'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has hands but cannot clap?',
+        category: 'common-sense',
+        acceptedAnswers: ['clock', 'a clock', 'watch'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has a head and tail but no body?',
+        category: 'common-sense',
+        acceptedAnswers: ['coin', 'a coin'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What goes up but never comes down?',
+        category: 'common-sense',
+        acceptedAnswers: ['age', 'your age'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has teeth but cannot bite?',
+        category: 'common-sense',
+        acceptedAnswers: ['comb', 'a comb', 'saw', 'zipper', 'gear'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What can fill a room but takes up no space?',
+        category: 'common-sense',
+        acceptedAnswers: ['light', 'air', 'sound', 'darkness'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has a neck but no head?',
+        category: 'common-sense',
+        acceptedAnswers: ['bottle', 'a bottle'],
+    }),
+    // Analogies (original + new)
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Fish is to water as bird is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['air', 'sky', 'atmosphere'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Eye is to see as ear is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['hear', 'listen', 'hearing', 'listening'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Painter is to brush as writer is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['pen', 'pencil', 'keyboard', 'typewriter', 'quill'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Hot is to cold as day is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['night'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Doctor is to patient as teacher is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['student', 'students', 'pupil'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Wheel is to car as sail is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['boat', 'ship', 'sailboat'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Chef is to kitchen as scientist is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['laboratory', 'lab'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Bark is to dog as meow is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['cat'],
+    }),
+    // Anagrams
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Rearrange the letters in "listen" to make another common word.',
+        category: 'wordplay',
+        acceptedAnswers: ['silent', 'enlist'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Rearrange the letters in "earth" to make another common word.',
+        category: 'wordplay',
+        acceptedAnswers: ['heart', 'hater'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Rearrange the letters in "stream" to make another word meaning "leader".',
+        category: 'wordplay',
+        acceptedAnswers: ['master'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Rearrange the letters in "stop" to make containers.',
+        category: 'wordplay',
+        acceptedAnswers: ['pots', 'spot', 'tops'],
+    }),
+    // Code/CS riddles
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What data structure uses LIFO (Last In, First Out)?',
+        category: 'code',
+        acceptedAnswers: ['stack', 'a stack'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What data structure uses FIFO (First In, First Out)?',
+        category: 'code',
+        acceptedAnswers: ['queue', 'a queue'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'In programming, what comes after "if" and "else if"?',
+        category: 'code',
+        acceptedAnswers: ['else'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What is the opposite of "true" in boolean logic?',
+        category: 'code',
+        acceptedAnswers: ['false'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What keyword is used to define a function in JavaScript?',
+        category: 'code',
+        acceptedAnswers: ['function', 'const', 'let', 'var', 'async'],
+    }),
+    // Word puzzles
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What 5-letter word becomes shorter when you add two letters to it?',
+        category: 'wordplay',
+        acceptedAnswers: ['short', 'shorter'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What word starts with "e" and ends with "e" but only has one letter in it?',
+        category: 'wordplay',
+        acceptedAnswers: ['envelope'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What begins with T, ends with T, and has T in it?',
+        category: 'wordplay',
+        acceptedAnswers: ['teapot', 'a teapot'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Remove one letter from "startling" to create a new word. What is it?',
+        category: 'wordplay',
+        acceptedAnswers: ['starting', 'starling'],
+    }),
+    // Math/Logic wordplay
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'How many months have 28 days?',
+        category: 'logic',
+        acceptedAnswers: ['12', 'twelve', 'all', 'all of them'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'If you have one, you want to share it. If you share it, you no longer have it. What is it?',
+        category: 'logic',
+        acceptedAnswers: ['secret', 'a secret'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What occurs once in a minute, twice in a moment, but never in a thousand years?',
+        category: 'wordplay',
+        acceptedAnswers: ['m', 'the letter m'],
+    }),
+    // Technology wordplay
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has a screen, keyboard, and mouse but is not alive?',
+        category: 'common-sense',
+        acceptedAnswers: ['computer', 'a computer', 'pc', 'laptop'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What connects computers worldwide but has no physical form?',
+        category: 'common-sense',
+        acceptedAnswers: ['internet', 'the internet', 'web', 'network'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What do you call a group of 8 bits?',
+        category: 'code',
+        acceptedAnswers: ['byte', 'a byte'],
+    }),
+    // Nature/Science wordplay
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What falls but never breaks, and breaks but never falls?',
+        category: 'wordplay',
+        acceptedAnswers: ['night and day', 'nightfall and daybreak', 'night falls day breaks'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has roots that nobody sees, taller than trees, up up it goes, yet never grows?',
+        category: 'common-sense',
+        acceptedAnswers: ['mountain', 'a mountain', 'mountains'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What travels around the world but stays in one corner?',
+        category: 'common-sense',
+        acceptedAnswers: ['stamp', 'a stamp', 'postage stamp'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'Complete the analogy: Bee is to hive as human is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['house', 'home', 'city', 'building'],
+    }),
+    () => ({
+        id: `wp-${uuid().substring(0, 8)}`,
+        question: 'What has four fingers and a thumb but is not alive?',
+        category: 'common-sense',
+        acceptedAnswers: ['glove', 'a glove'],
+    }),
 ];
+// All generators, weighted toward parameterized (harder to game)
+const QUESTION_GENERATORS = [
+    genMathAdd, genMathMultiply, genMathModulo, genMathSheep, genMathDoubling, genMathMachines,
+    genCodeModulo, genCodeBitwise, genCodeStringLen,
+    genLogicSyllogism, genLogicNegation, genLogicSequence,
+    ...WORDPLAY_GENERATORS,
+];
+// Generate fresh question bank (unique every call)
+function generateQuestionBank() {
+    return QUESTION_GENERATORS.map(gen => gen());
+}
 /**
  * Generate a reasoning challenge: 3 random questions requiring LLM capabilities
  */
-export async function generateReasoningChallenge(kv) {
+export async function generateReasoningChallenge(kv, app_id) {
     cleanExpired();
     const id = uuid();
     // Pick 3 random questions from different categories
-    const shuffled = [...QUESTION_BANK].sort(() => Math.random() - 0.5);
+    const freshBank = generateQuestionBank();
+    const shuffled = freshBank.sort(() => Math.random() - 0.5);
     const selectedCategories = new Set();
     const selectedQuestions = [];
     for (const q of shuffled) {
@@ -423,6 +823,7 @@ export async function generateReasoningChallenge(kv) {
         expectedAnswers,
         issuedAt: Date.now(),
         expiresAt: Date.now() + timeLimit + 5000,
+        app_id,
     };
     // Store in KV or memory
     if (kv) {
@@ -533,18 +934,19 @@ const hybridChallenges = new Map();
 /**
  * Generate a hybrid challenge: speed + reasoning combined
  */
-export async function generateHybridChallenge(kv) {
+export async function generateHybridChallenge(kv, clientTimestamp, app_id) {
     cleanExpired();
     const id = uuid();
-    // Generate both sub-challenges
-    const speedChallenge = await generateSpeedChallenge(kv);
-    const reasoningChallenge = await generateReasoningChallenge(kv);
+    // Generate both sub-challenges (speed with RTT awareness)
+    const speedChallenge = await generateSpeedChallenge(kv, clientTimestamp, app_id);
+    const reasoningChallenge = await generateReasoningChallenge(kv, app_id);
     const hybrid = {
         id,
         speedChallengeId: speedChallenge.id,
         reasoningChallengeId: reasoningChallenge.id,
         issuedAt: Date.now(),
         expiresAt: Date.now() + 35000,
+        app_id,
     };
     // Store in KV or memory
     if (kv) {
@@ -553,6 +955,9 @@ export async function generateHybridChallenge(kv) {
     else {
         hybridChallenges.set(id, hybrid);
     }
+    const instructions = speedChallenge.rttInfo
+        ? `Solve ALL speed problems (SHA256) in <${speedChallenge.timeLimit}ms (RTT-adjusted) AND answer ALL reasoning questions. Submit both together.`
+        : 'Solve ALL speed problems (SHA256) in <500ms AND answer ALL reasoning questions. Submit both together.';
     return {
         id,
         speed: {
@@ -563,7 +968,8 @@ export async function generateHybridChallenge(kv) {
             questions: reasoningChallenge.questions,
             timeLimit: reasoningChallenge.timeLimit,
         },
-        instructions: 'Solve ALL speed problems (SHA256) in <500ms AND answer ALL reasoning questions. Submit both together.',
+        instructions,
+        rttInfo: speedChallenge.rttInfo,
     };
 }
 /**