@dupecom/botcha 0.13.1 → 0.14.0

package/dist/src/challenges/reasoning.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Generate a reasoning challenge: 3 random questions requiring LLM capabilities
+ * Simple scripts can't answer these, but any LLM can
+ */
+export declare function generateReasoningChallenge(): {
+    id: string;
+    questions: {
+        id: string;
+        question: string;
+        category: string;
+    }[];
+    timeLimit: number;
+    instructions: string;
+};
+export declare function verifyReasoningChallenge(id: string, answers: Record<string, string>): {
+    valid: boolean;
+    reason?: string;
+    solveTimeMs?: number;
+    correctCount?: number;
+    totalCount?: number;
+};
+export declare function getQuestionCount(): number;
+declare const _default: {
+    generateReasoningChallenge: typeof generateReasoningChallenge;
+    verifyReasoningChallenge: typeof verifyReasoningChallenge;
+    getQuestionCount: typeof getQuestionCount;
+};
+export default _default;
+//# sourceMappingURL=reasoning.d.ts.map

package/dist/src/challenges/reasoning.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reasoning.d.ts","sourceRoot":"","sources":["../../../src/challenges/reasoning.ts"],"names":[],"mappings":"AAiUA;;;GAGG;AACH,wBAAgB,0BAA0B,IAAI;IAC5C,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IAChE,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;CACtB,CAkDA;AAiCD,wBAAgB,wBAAwB,CACtC,EAAE,EAAE,MAAM,EACV,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAC9B;IACD,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB,CA0DA;AAED,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;;;;;;AAED,wBAA0F"}

package/dist/src/challenges/reasoning.js

@@ -0,0 +1,414 @@
+import crypto from 'crypto';
+const reasoningChallenges = new Map();
+// ============ PARAMETERIZED QUESTION GENERATORS ============
+// These generate unique questions each time, so a static lookup table won't work.
+function randInt(min, max) {
+    return Math.floor(Math.random() * (max - min + 1)) + min;
+}
+function pickRandom(arr) {
+    return arr[Math.floor(Math.random() * arr.length)];
+}
+// --- Math generators (randomized numbers each time) ---
+function genMathAdd() {
+    const a = randInt(100, 999);
+    const b = randInt(100, 999);
+    const answer = (a + b).toString();
+    return {
+        id: `math-add-${crypto.randomUUID().substring(0, 8)}`,
+        question: `What is ${a} + ${b}?`,
+        category: 'math',
+        acceptedAnswers: [answer],
+    };
+}
+function genMathMultiply() {
+    const a = randInt(12, 99);
+    const b = randInt(12, 99);
+    const answer = (a * b).toString();
+    return {
+        id: `math-mul-${crypto.randomUUID().substring(0, 8)}`,
+        question: `What is ${a} × ${b}?`,
+        category: 'math',
+        acceptedAnswers: [answer],
+    };
+}
+function genMathModulo() {
+    const a = randInt(50, 999);
+    const b = randInt(3, 19);
+    const answer = (a % b).toString();
+    return {
+        id: `math-mod-${crypto.randomUUID().substring(0, 8)}`,
+        question: `What is ${a} % ${b} (modulo)?`,
+        category: 'math',
+        acceptedAnswers: [answer],
+    };
+}
+function genMathSheep() {
+    const total = randInt(15, 50);
+    const remaining = randInt(3, total - 2);
+    return {
+        id: `math-sheep-${crypto.randomUUID().substring(0, 8)}`,
+        question: `A farmer has ${total} sheep. All but ${remaining} run away. How many sheep does he have left? Answer with just the number.`,
+        category: 'math',
+        acceptedAnswers: [remaining.toString()],
+    };
+}
+function genMathDoubling() {
+    // Vary starting value (days: 10-1050) to get 1041 unique answer values
+    // Answer is always (days - 1), so days range of 10-1050 gives answers 9-1049
+    const days = randInt(10, 1050);
+    const items = pickRandom([
+        'lily pads',
+        'bacteria cells',
+        'algae colonies',
+        'viral particles',
+        'yeast cells',
+        'water plants',
+        'moss patches',
+        'fungal spores',
+    ]);
+    const answer = (days - 1).toString();
+    return {
+        id: `math-double-${crypto.randomUUID().substring(0, 8)}`,
+        question: `A patch of ${items} doubles in size every day. If it takes ${days} days to cover the entire lake, how many days to cover half? Answer with just the number.`,
+        category: 'math',
+        acceptedAnswers: [answer],
+    };
+}
+function genMathMachines() {
+    // Parameterized: n (5-1100) to get 1096 unique answer values
+    // Answer is always n (the time in minutes)
+    const n = randInt(5, 1100);
+    const m = randInt(50, 500);
+    const items = pickRandom([
+        'widgets',
+        'parts',
+        'components',
+        'units',
+        'products',
+        'items',
+        'gadgets',
+        'devices',
+    ]);
+    return {
+        id: `math-machines-${crypto.randomUUID().substring(0, 8)}`,
+        question: `If it takes ${n} machines ${n} minutes to make ${n} ${items}, how many minutes would it take ${m} machines to make ${m} ${items}? Answer with just the number.`,
+        category: 'math',
+        acceptedAnswers: [n.toString()],
+    };
+}
+// --- Code generators (randomized values) ---
+function genCodeModulo() {
+    const a = randInt(20, 200);
+    const b = randInt(3, 15);
+    const answer = (a % b).toString();
+    return {
+        id: `code-mod-${crypto.randomUUID().substring(0, 8)}`,
+        question: `In most programming languages, what does ${a} % ${b} evaluate to?`,
+        category: 'code',
+        acceptedAnswers: [answer],
+    };
+}
+function genCodeBitwise() {
+    const a = randInt(1, 15);
+    const b = randInt(1, 15);
+    const op = pickRandom(['&', '|', '^']);
+    const opName = op === '&' ? 'AND' : op === '|' ? 'OR' : 'XOR';
+    let answer;
+    if (op === '&')
+        answer = a & b;
+    else if (op === '|')
+        answer = a | b;
+    else
+        answer = a ^ b;
+    return {
+        id: `code-bit-${crypto.randomUUID().substring(0, 8)}`,
+        question: `What is ${a} ${op} ${b} (bitwise ${opName})? Answer with just the number.`,
+        category: 'code',
+        acceptedAnswers: [answer.toString()],
+    };
+}
+function genCodeStringLen() {
+    const words = ['hello', 'world', 'banana', 'algorithm', 'quantum', 'symphony', 'cryptography', 'paradigm', 'ephemeral', 'serendipity'];
+    const word = pickRandom(words);
+    return {
+        id: `code-strlen-${crypto.randomUUID().substring(0, 8)}`,
+        question: `What is the length of the string "${word}"? Answer with just the number.`,
+        category: 'code',
+        acceptedAnswers: [word.length.toString()],
+    };
+}
+// --- Logic generators (randomized names/items) ---
+function genLogicSyllogism() {
+    // Generate counting-based syllogism to produce numeric answers with ≥1000 answer space
+    // "In a group of N people, if X are teachers and all teachers are kind, how many kind people are there at minimum?"
+    // Answer: X (the number in the subset)
+    // Range: X from 10 to 1500 = 1491 unique answers
+    const total = randInt(50, 2000);
+    const count = randInt(10, Math.min(total - 5, 1500));
+    const groups = [
+        { container: 'people', subsetName: 'teachers', property: 'kind' },
+        { container: 'animals', subsetName: 'dogs', property: 'friendly' },
+        { container: 'students', subsetName: 'seniors', property: 'experienced' },
+        { container: 'employees', subsetName: 'managers', property: 'trained' },
+        { container: 'books', subsetName: 'novels', property: 'fictional' },
+        { container: 'vehicles', subsetName: 'cars', property: 'motorized' },
+        { container: 'plants', subsetName: 'trees', property: 'woody' },
+        { container: 'items', subsetName: 'tools', property: 'useful' },
+    ];
+    const { container, subsetName, property } = pickRandom(groups);
+    return {
+        id: `logic-syl-${crypto.randomUUID().substring(0, 8)}`,
+        question: `In a group of ${total} ${container}, ${count} of them are ${subsetName}. If all ${subsetName} are ${property}, what is the minimum number of ${property} ${container}? Answer with just the number.`,
+        category: 'logic',
+        acceptedAnswers: [count.toString()],
+    };
+}
+function genLogicNegation() {
+    const total = randInt(20, 100);
+    const keep = randInt(3, total - 5);
+    return {
+        id: `logic-neg-${crypto.randomUUID().substring(0, 8)}`,
+        question: `There are ${total} marbles in a bag. You remove all but ${keep}. How many marbles are left in the bag? Answer with just the number.`,
+        category: 'logic',
+        acceptedAnswers: [keep.toString()],
+    };
+}
+function genLogicSequence() {
+    // Generate a simple arithmetic or geometric sequence
+    const start = randInt(2, 20);
+    const step = randInt(2, 8);
+    const seq = [start, start + step, start + 2 * step, start + 3 * step];
+    const answer = (start + 4 * step).toString();
+    return {
+        id: `logic-seq-${crypto.randomUUID().substring(0, 8)}`,
+        question: `What comes next in the sequence: ${seq.join(', ')}, ___? Answer with just the number.`,
+        category: 'logic',
+        acceptedAnswers: [answer],
+    };
+}
+// --- Wordplay (static but with large pool + randomized IDs so lookup by ID fails) ---
+const WORDPLAY_QUESTIONS = [
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'What single word connects: apple, Newton, gravity?',
+        category: 'wordplay',
+        acceptedAnswers: ['tree', 'fall', 'falling'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'What single word connects: key, piano, computer?',
+        category: 'wordplay',
+        acceptedAnswers: ['keyboard', 'board', 'keys'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'What single word connects: river, money, blood?',
+        category: 'wordplay',
+        acceptedAnswers: ['bank', 'flow', 'stream'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'What word can precede: light, house, shine?',
+        category: 'wordplay',
+        acceptedAnswers: ['sun', 'moon'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'What gets wetter the more it dries?',
+        category: 'common-sense',
+        acceptedAnswers: ['towel', 'a towel', 'cloth', 'rag'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'What can you catch but not throw?',
+        category: 'common-sense',
+        acceptedAnswers: ['cold', 'a cold', 'breath', 'your breath', 'feelings', 'disease'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'What data structure uses LIFO (Last In, First Out)?',
+        category: 'code',
+        acceptedAnswers: ['stack', 'a stack'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'Complete the analogy: Fish is to water as bird is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['air', 'sky', 'atmosphere'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'Complete the analogy: Eye is to see as ear is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['hear', 'listen', 'hearing', 'listening'],
+    }),
+    () => ({
+        id: `wp-${crypto.randomUUID().substring(0, 8)}`,
+        question: 'Complete the analogy: Painter is to brush as writer is to ___',
+        category: 'analogy',
+        acceptedAnswers: ['pen', 'pencil', 'keyboard', 'typewriter', 'quill'],
+    }),
+];
+// All generators, weighted toward parameterized (harder to game)
+const QUESTION_GENERATORS = [
+    // Math (parameterized — unique every time)
+    genMathAdd,
+    genMathMultiply,
+    genMathModulo,
+    genMathSheep,
+    genMathDoubling,
+    genMathMachines,
+    // Code (parameterized)
+    genCodeModulo,
+    genCodeBitwise,
+    genCodeStringLen,
+    // Logic (parameterized)
+    genLogicSyllogism,
+    genLogicNegation,
+    genLogicSequence,
+    // Wordplay / static (but with random IDs)
+    ...WORDPLAY_QUESTIONS,
+];
+// Legacy compatibility: generate a static-looking bank from generators
+function generateQuestionBank() {
+    return QUESTION_GENERATORS.map(gen => gen());
+}
+// Cleanup expired challenges
+setInterval(() => {
+    const now = Date.now();
+    for (const [id, c] of reasoningChallenges) {
+        if (c.expiresAt < now)
+            reasoningChallenges.delete(id);
+    }
+}, 60000);
+/**
+ * Generate a reasoning challenge: 3 random questions requiring LLM capabilities
+ * Simple scripts can't answer these, but any LLM can
+ */
+export function generateReasoningChallenge() {
+    const id = crypto.randomUUID();
+    // Generate fresh parameterized questions (different every time)
+    const freshBank = generateQuestionBank();
+    const shuffled = freshBank.sort(() => Math.random() - 0.5);
+    const selectedCategories = new Set();
+    const selectedQuestions = [];
+    for (const q of shuffled) {
+        if (selectedQuestions.length >= 3)
+            break;
+        // Try to get diverse categories
+        if (selectedQuestions.length < 2 || !selectedCategories.has(q.category)) {
+            selectedQuestions.push(q);
+            selectedCategories.add(q.category);
+        }
+    }
+    // If we didn't get 3, just take any 3
+    while (selectedQuestions.length < 3 && shuffled.length > selectedQuestions.length) {
+        const q = shuffled.find(sq => !selectedQuestions.includes(sq));
+        if (q)
+            selectedQuestions.push(q);
+    }
+    const expectedAnswers = new Map();
+    const questions = selectedQuestions.map(q => {
+        expectedAnswers.set(q.id, q.acceptedAnswers);
+        return {
+            id: q.id,
+            question: q.question,
+            category: q.category,
+        };
+    });
+    const timeLimit = 30000; // 30 seconds - plenty of time for an LLM
+    reasoningChallenges.set(id, {
+        id,
+        questions,
+        expectedAnswers,
+        issuedAt: Date.now(),
+        expiresAt: Date.now() + timeLimit + 5000, // 5s grace for network latency
+    });
+    return {
+        id,
+        questions,
+        timeLimit,
+        instructions: 'Answer all 3 questions. These require reasoning that LLMs can do but simple scripts cannot. You have 30 seconds.',
+    };
+}
+/**
+ * Normalize answer for comparison
+ */
+function normalizeAnswer(answer) {
+    return answer
+        .toLowerCase()
+        .trim()
+        .replace(/[.,!?'"]/g, '') // Remove punctuation
+        .replace(/\s+/g, ' '); // Normalize whitespace
+}
+/**
+ * Check if an answer matches any accepted answer
+ */
+function isAnswerAccepted(answer, acceptedAnswers) {
+    const normalized = normalizeAnswer(answer);
+    for (const accepted of acceptedAnswers) {
+        const normalizedAccepted = normalizeAnswer(accepted);
+        // Exact match
+        if (normalized === normalizedAccepted)
+            return true;
+        // Contains match (for longer answers that include the key word)
+        if (normalized.includes(normalizedAccepted))
+            return true;
+        if (normalizedAccepted.includes(normalized) && normalized.length > 2)
+            return true;
+    }
+    return false;
+}
+export function verifyReasoningChallenge(id, answers) {
+    const challenge = reasoningChallenges.get(id);
+    if (!challenge) {
+        return { valid: false, reason: 'Challenge not found or expired' };
+    }
+    const now = Date.now();
+    const solveTimeMs = now - challenge.issuedAt;
+    // Clean up
+    reasoningChallenges.delete(id);
+    if (now > challenge.expiresAt) {
+        return { valid: false, reason: `Too slow! Took ${solveTimeMs}ms, limit was 30 seconds` };
+    }
+    if (!answers || typeof answers !== 'object') {
+        return { valid: false, reason: 'Answers must be an object mapping question IDs to answers' };
+    }
+    let correctCount = 0;
+    const totalCount = challenge.questions.length;
+    const wrongQuestions = [];
+    for (const q of challenge.questions) {
+        const userAnswer = answers[q.id];
+        const acceptedAnswers = challenge.expectedAnswers.get(q.id) || [];
+        if (!userAnswer) {
+            wrongQuestions.push(q.id);
+            continue;
+        }
+        if (isAnswerAccepted(userAnswer, acceptedAnswers)) {
+            correctCount++;
+        }
+        else {
+            wrongQuestions.push(q.id);
+        }
+    }
+    // Require all 3 correct
+    if (correctCount < totalCount) {
+        return {
+            valid: false,
+            reason: `Only ${correctCount}/${totalCount} correct. Wrong: ${wrongQuestions.join(', ')}`,
+            solveTimeMs,
+            correctCount,
+            totalCount,
+        };
+    }
+    return {
+        valid: true,
+        solveTimeMs,
+        correctCount,
+        totalCount,
+    };
+}
+export function getQuestionCount() {
+    return QUESTION_GENERATORS.length;
+}
+export default { generateReasoningChallenge, verifyReasoningChallenge, getQuestionCount };

package/dist/src/challenges/speed.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Generate a speed challenge: 5 math problems, RTT-aware timeout
+ * Trivial for AI, impossible for humans to copy-paste fast enough
+ */
+export declare function generateSpeedChallenge(clientTimestamp?: number): {
+    id: string;
+    challenges: {
+        num: number;
+        operation: string;
+    }[];
+    timeLimit: number;
+    instructions: string;
+    rttInfo?: {
+        measuredRtt: number;
+        adjustedTimeout: number;
+        explanation: string;
+    };
+};
+export declare function verifySpeedChallenge(id: string, answers: string[]): {
+    valid: boolean;
+    reason?: string;
+    solveTimeMs?: number;
+    rttInfo?: {
+        measuredRtt: number;
+        adjustedTimeout: number;
+        actualTime: number;
+    };
+};
+declare const _default: {
+    generateSpeedChallenge: typeof generateSpeedChallenge;
+    verifySpeedChallenge: typeof verifySpeedChallenge;
+};
+export default _default;
+//# sourceMappingURL=speed.d.ts.map

package/dist/src/challenges/speed.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"speed.d.ts","sourceRoot":"","sources":["../../../src/challenges/speed.ts"],"names":[],"mappings":"AAuBA;;;GAGG;AACH,wBAAgB,sBAAsB,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG;IAChE,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE;QAAE,GAAG,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACjD,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE;QACR,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;CACH,CAiEA;AAED,wBAAgB,oBAAoB,CAAC,EAAE,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG;IACnE,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,OAAO,CAAC,EAAE;QACR,WAAW,EAAE,MAAM,CAAC;QACpB,eAAe,EAAE,MAAM,CAAC;QACxB,UAAU,EAAE,MAAM,CAAC;KACpB,CAAC;CACH,CAkDA;;;;;AAED,wBAAgE"}

package/dist/src/challenges/speed.js

@@ -0,0 +1,115 @@
+import crypto from 'crypto';
+const speedChallenges = new Map();
+// Cleanup expired
+setInterval(() => {
+    const now = Date.now();
+    for (const [id, c] of speedChallenges) {
+        if (c.expiresAt < now)
+            speedChallenges.delete(id);
+    }
+}, 30000);
+/**
+ * Generate a speed challenge: 5 math problems, RTT-aware timeout
+ * Trivial for AI, impossible for humans to copy-paste fast enough
+ */
+export function generateSpeedChallenge(clientTimestamp) {
+    const id = crypto.randomUUID();
+    const challenges = [];
+    const expectedAnswers = [];
+    for (let i = 0; i < 5; i++) {
+        const num = Math.floor(Math.random() * 1000000) + 100000;
+        const operation = 'sha256_first8';
+        challenges.push({ num, operation });
+        const hash = crypto.createHash('sha256').update(num.toString()).digest('hex');
+        expectedAnswers.push(hash.substring(0, 8));
+    }
+    // RTT-aware timeout calculation
+    const baseTimeLimit = 500; // Base computation time for AI agents
+    const MAX_RTT_MS = 5000; // Cap RTT to prevent timestamp spoofing (5s max)
+    const MAX_TIMESTAMP_AGE_MS = 30000; // Reject timestamps older than 30s
+    const now = Date.now();
+    let rttMs = 0;
+    let adjustedTimeLimit = baseTimeLimit;
+    let rttInfo = undefined;
+    if (clientTimestamp && clientTimestamp > 0) {
+        // Reject timestamps in the future or too far in the past (anti-spoofing)
+        const age = now - clientTimestamp;
+        if (age >= 0 && age <= MAX_TIMESTAMP_AGE_MS) {
+            // Calculate RTT from client timestamp, capped to prevent abuse
+            rttMs = Math.min(age, MAX_RTT_MS);
+            // Adjust timeout: base + (2 * RTT) + 100ms buffer
+            // The 2x RTT accounts for request + response network time
+            adjustedTimeLimit = Math.max(baseTimeLimit, baseTimeLimit + (2 * rttMs) + 100);
+            rttInfo = {
+                measuredRtt: rttMs,
+                adjustedTimeout: adjustedTimeLimit,
+                explanation: `RTT: ${rttMs}ms → Timeout: ${baseTimeLimit}ms + (2×${rttMs}ms) + 100ms = ${adjustedTimeLimit}ms`,
+            };
+        }
+        // else: invalid timestamp silently ignored, use base timeout
+    }
+    speedChallenges.set(id, {
+        id,
+        challenges,
+        expectedAnswers,
+        issuedAt: now,
+        expiresAt: now + adjustedTimeLimit + 50, // Small server-side grace period
+        baseTimeLimit,
+        adjustedTimeLimit,
+        rttMs,
+    });
+    const instructions = rttMs > 0
+        ? `Compute SHA256 of each number, return first 8 hex chars of each. Submit as array. You have ${adjustedTimeLimit}ms (adjusted for your ${rttMs}ms network latency).`
+        : 'Compute SHA256 of each number, return first 8 hex chars of each. Submit as array. You have 500ms.';
+    return {
+        id,
+        challenges,
+        timeLimit: adjustedTimeLimit,
+        instructions,
+        rttInfo,
+    };
+}
+export function verifySpeedChallenge(id, answers) {
+    const challenge = speedChallenges.get(id);
+    if (!challenge) {
+        return { valid: false, reason: 'Challenge not found or expired' };
+    }
+    const now = Date.now();
+    const solveTimeMs = now - challenge.issuedAt;
+    // Clean up
+    speedChallenges.delete(id);
+    // Use the challenge's adjusted timeout, fallback to base if not available
+    const timeLimit = challenge.adjustedTimeLimit || challenge.baseTimeLimit || 500;
+    if (now > challenge.expiresAt) {
+        const rttExplanation = challenge.rttMs
+            ? ` (RTT-adjusted: ${challenge.rttMs}ms network + ${challenge.baseTimeLimit}ms compute = ${timeLimit}ms limit)`
+            : '';
+        return {
+            valid: false,
+            reason: `Too slow! Took ${solveTimeMs}ms, limit was ${timeLimit}ms${rttExplanation}`,
+            rttInfo: challenge.rttMs ? {
+                measuredRtt: challenge.rttMs,
+                adjustedTimeout: timeLimit,
+                actualTime: solveTimeMs,
+            } : undefined,
+        };
+    }
+    if (!Array.isArray(answers) || answers.length !== 5) {
+        return { valid: false, reason: 'Must provide exactly 5 answers as array' };
+    }
+    for (let i = 0; i < 5; i++) {
+        if (answers[i]?.toLowerCase() !== challenge.expectedAnswers[i]) {
+            return { valid: false, reason: `Wrong answer for challenge ${i + 1}` };
+        }
+    }
+    return {
+        valid: true,
+        solveTimeMs,
+        rttInfo: challenge.rttMs ? {
+            measuredRtt: challenge.rttMs,
+            adjustedTimeout: timeLimit,
+            actualTime: solveTimeMs,
+        } : undefined,
+    };
+}
+export default { generateSpeedChallenge, verifySpeedChallenge };

package/dist/src/middleware/tap-enhanced-verify.d.ts

@@ -0,0 +1,57 @@
+/**
+ * TAP-Enhanced BOTCHA Verification Middleware
+ * Extends existing BOTCHA middleware with Trusted Agent Protocol support
+ *
+ * Provides multiple verification modes:
+ * - TAP (full): Cryptographic signature + computational challenge
+ * - Signature-only: Cryptographic verification without challenge
+ * - Challenge-only: Existing BOTCHA computational challenge
+ * - Flexible: TAP preferred but allows fallback
+ */
+import { Request, Response, NextFunction } from 'express';
+export interface TAPBotchaOptions {
+    requireSignature?: boolean;
+    allowChallenge?: boolean;
+    challengeType?: 'standard' | 'speed';
+    challengeDifficulty?: 'easy' | 'medium' | 'hard';
+    customVerify?: (req: Request) => Promise<boolean>;
+    requireTAP?: boolean;
+    preferTAP?: boolean;
+    tapEnabled?: boolean;
+    auditLogging?: boolean;
+    trustedIssuers?: string[];
+    maxSessionDuration?: number;
+    signatureAlgorithms?: string[];
+    requireCapabilities?: string[];
+    agentsKV?: any;
+    sessionsKV?: any;
+}
+/**
+ * Enhanced BOTCHA middleware with TAP support
+ */
+export declare function tapEnhancedVerify(options?: TAPBotchaOptions): (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+export declare const tapVerifyModes: {
+    /**
+     * Require full TAP authentication (crypto + challenge)
+     */
+    strict: (options?: Partial<TAPBotchaOptions>) => (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+    /**
+     * Prefer TAP but allow computational fallback
+     */
+    flexible: (options?: Partial<TAPBotchaOptions>) => (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+    /**
+     * Signature-only verification (no computational challenge)
+     */
+    signatureOnly: (options?: Partial<TAPBotchaOptions>) => (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+    /**
+     * Development mode with relaxed security
+     */
+    development: (options?: Partial<TAPBotchaOptions>) => (req: Request, res: Response, next: NextFunction) => Promise<void | Response<any, Record<string, any>>>;
+};
+/**
+ * Alias for tapEnhancedVerify for backward compatibility with docs.
+ * Docs reference: import { createTAPVerifyMiddleware } from '@dupecom/botcha/middleware'
+ */
+export declare const createTAPVerifyMiddleware: typeof tapEnhancedVerify;
+export default tapEnhancedVerify;
+//# sourceMappingURL=tap-enhanced-verify.d.ts.map

package/dist/src/middleware/tap-enhanced-verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tap-enhanced-verify.d.ts","sourceRoot":"","sources":["../../../src/middleware/tap-enhanced-verify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAoB1D,MAAM,WAAW,gBAAgB;IAE/B,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,aAAa,CAAC,EAAE,UAAU,GAAG,OAAO,CAAC;IACrC,mBAAmB,CAAC,EAAE,MAAM,GAAG,QAAQ,GAAG,MAAM,CAAC;IACjD,YAAY,CAAC,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,OAAO,CAAC,OAAO,CAAC,CAAC;IAGlD,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,YAAY,CAAC,EAAE,OAAO,CAAC;IAGvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAG/B,QAAQ,CAAC,EAAE,GAAG,CAAC;IACf,UAAU,CAAC,EAAE,GAAG,CAAC;CAClB;AAsBD;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,GAAE,gBAAqB,IAGhD,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,wDAqE9D;AA8SD,eAAO,MAAM,cAAc;IACzB;;OAEG;uBACe,OAAO,CAAC,gBAAgB,CAAC,WAvXxB,OAAO,OAAO,QAAQ,QAAQ,YAAY;IA8X7D;;OAEG;yBACiB,OAAO,CAAC,gBAAgB,CAAC,WAjY1B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAwY7D;;OAEG;8BACsB,OAAO,CAAC,gBAAgB,CAAC,WA3Y/B,OAAO,OAAO,QAAQ,QAAQ,YAAY;IAkZ7D;;OAEG;4BACoB,OAAO,CAAC,gBAAgB,CAAC,WArZ7B,OAAO,OAAO,QAAQ,QAAQ,YAAY;CA4Z9D,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,yBAAyB,0BAAoB,CAAC;AAE3D,eAAe,iBAAiB,CAAC"}