pi-chrome 0.15.25 → 0.15.26

package/test-suite/challenges/03-webdriver-flag.html

@@ -0,0 +1,51 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>03 webdriver / runtime fingerprint</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Auto-checks runtime properties commonly inspected by bot-detection scripts.</p>
+  <pre id="rep" style="font:12px monospace;background:#111;color:#eee;padding:12px;border-radius:6px"></pre>
+</main>
+<script>
+Challenge.init({
+  id: "webdriver-flag",
+  instructions: "no interaction; auto-verdict on load",
+});
+const checks = [];
+function chk(name, bad, note) {
+  checks.push({ name, bad, note });
+  if (bad) Challenge.log("flag", { name, note });
+}
+
+chk("navigator.webdriver", navigator.webdriver === true, String(navigator.webdriver));
+chk("languages-empty", !navigator.languages || navigator.languages.length === 0,
+    JSON.stringify(navigator.languages));
+chk("plugins-empty", !navigator.plugins || navigator.plugins.length === 0,
+    `length=${navigator.plugins && navigator.plugins.length}`);
+chk("permissions-notifications-quirk", false, "checked async below");
+
+(async () => {
+  try {
+    const p = await navigator.permissions.query({ name: "notifications" });
+    // Headless Chrome historically returned "denied" while Notification.permission === "default".
+    const mismatch = p.state === "denied" && Notification.permission === "default";
+    checks.push({ name: "permissions-notifications-quirk", bad: mismatch,
+      note: `perm=${p.state} api=${Notification.permission}` });
+    finalize();
+  } catch (e) {
+    checks.push({ name: "permissions-notifications-quirk", bad: false, note: "n/a " + e.message });
+    finalize();
+  }
+})();
+
+function finalize() {
+  const rep = document.getElementById("rep");
+  rep.textContent = checks.map(c => `${c.bad ? "✗" : "✓"} ${c.name}  ${c.note}`).join("\n");
+  const failed = checks.filter(c => c.bad);
+  if (failed.length) Challenge.fail(...failed.map(c => `${c.name}: ${c.note}`));
+  else Challenge.pass("all runtime checks clean");
+}
+</script>
+</body>

package/test-suite/challenges/04-mouse-entropy.html

@@ -0,0 +1,34 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>04 mouse entropy</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: click the green button after moving the mouse in an organic path. Page requires
+     ≥15 <code>mousemove</code> events with non-zero <code>movementX/Y</code> variance before the click.</p>
+  <button id="go" style="padding:20px 32px;font-size:18px;background:#1f7a1f;color:#fff;border:0;border-radius:6px">Click me</button>
+</main>
+<script>
+Challenge.init({
+  id: "mouse-entropy",
+  instructions: "click the button after natural mouse movement",
+});
+const moves = [];
+window.addEventListener("mousemove", (e) => {
+  moves.push({ x: e.clientX, y: e.clientY, mx: e.movementX, my: e.movementY, t: e.timeStamp });
+  if (moves.length > 200) moves.shift();
+});
+document.getElementById("go").addEventListener("click", (e) => {
+  if (moves.length < 15) return Challenge.fail(`only ${moves.length} mousemove events before click`);
+  const dx = moves.map(m => Math.abs(m.mx)).reduce((a,b)=>a+b,0);
+  const dy = moves.map(m => Math.abs(m.my)).reduce((a,b)=>a+b,0);
+  if (dx + dy < 50) return Challenge.fail(`movement deltas tiny: dx=${dx}, dy=${dy}`);
+  // Detect "teleport then click" — all moves clustered at the button.
+  const r = document.getElementById("go").getBoundingClientRect();
+  const inside = moves.filter(m => m.x>=r.left && m.x<=r.right && m.y>=r.top && m.y<=r.bottom).length;
+  if (inside === moves.length) return Challenge.fail("all mousemoves inside target rect (teleport)");
+  Challenge.pass(`${moves.length} moves, |dx|+|dy|=${dx+dy}, ${inside} inside target`);
+});
+</script>
+</body>

package/test-suite/challenges/05-event-timing.html

@@ -0,0 +1,34 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>05 event timing</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: click the button 3 times. Page rejects when <code>pointerdown→pointerup</code> is &lt;30ms
+     or always identical, and when between-click gaps are too uniform.</p>
+  <button id="go" style="padding:20px 32px;font-size:18px;background:#1f7a1f;color:#fff;border:0;border-radius:6px">Click me (0/3)</button>
+</main>
+<script>
+Challenge.init({ id: "event-timing", instructions: "click button 3 times with human-like timing" });
+const btn = document.getElementById("go");
+const ups = [], downs = [], clickTs = [];
+btn.addEventListener("pointerdown", (e) => downs.push(e.timeStamp));
+btn.addEventListener("pointerup", (e) => ups.push(e.timeStamp));
+btn.addEventListener("click", (e) => {
+  clickTs.push(e.timeStamp);
+  btn.textContent = `Click me (${clickTs.length}/3)`;
+  if (clickTs.length < 3) return;
+  const holds = downs.map((d,i)=> (ups[i]??d) - d);
+  const allSame = holds.every(h => Math.abs(h - holds[0]) < 0.5);
+  const tooFast = holds.some(h => h < 30);
+  const gaps = clickTs.slice(1).map((t,i)=> t - clickTs[i]);
+  const gapsUniform = gaps.length > 1 && Math.abs(gaps[0]-gaps[1]) < 5;
+  Challenge.log("timing", { holds, gaps });
+  if (tooFast) return Challenge.fail(`pointer hold too short: ${holds.join(",")}ms`);
+  if (allSame) return Challenge.fail(`pointer holds identical: ${holds.join(",")}ms`);
+  if (gapsUniform) return Challenge.fail(`between-click gaps suspiciously uniform: ${gaps.join(",")}ms`);
+  Challenge.pass(`holds=${holds.map(h=>h.toFixed(1)).join(",")}ms gaps=${gaps.map(g=>g.toFixed(0)).join(",")}ms`);
+});
+</script>
+</body>

package/test-suite/challenges/06-click-coordinates.html

@@ -0,0 +1,29 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>06 click coordinates</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: click the green button 5 times. Page rejects when clicks always land on the exact element center.</p>
+  <button id="go" style="padding:24px 40px;font-size:18px;background:#1f7a1f;color:#fff;border:0;border-radius:6px">Click me (0/5)</button>
+</main>
+<script>
+Challenge.init({ id: "click-coordinates", instructions: "click button 5 times; coordinates must vary" });
+const btn = document.getElementById("go");
+const pts = [];
+btn.addEventListener("click", (e) => {
+  const r = btn.getBoundingClientRect();
+  const cx = r.left + r.width/2, cy = r.top + r.height/2;
+  pts.push({ x: e.clientX, y: e.clientY, dx: e.clientX-cx, dy: e.clientY-cy });
+  btn.textContent = `Click me (${pts.length}/5)`;
+  if (pts.length < 5) return;
+  const onCenter = pts.filter(p => Math.abs(p.dx) < 0.51 && Math.abs(p.dy) < 0.51).length;
+  const unique = new Set(pts.map(p => `${p.x},${p.y}`)).size;
+  Challenge.log("coords", { pts });
+  if (onCenter >= 4) return Challenge.fail(`${onCenter}/5 clicks on exact center`);
+  if (unique <= 1) return Challenge.fail(`only ${unique} unique click coords`);
+  Challenge.pass(`${unique} unique coords, ${onCenter} on center`);
+});
+</script>
+</body>

package/test-suite/challenges/07-pointer-properties.html

@@ -0,0 +1,29 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>07 pointer properties</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: click the button. Page inspects <code>pointerType</code>, <code>pressure</code>,
+     <code>movementX/Y</code> on the preceding pointermove, and that pointerId is non-zero.</p>
+  <button id="go" style="padding:20px 32px;font-size:18px;background:#1f7a1f;color:#fff;border:0;border-radius:6px">Click me</button>
+</main>
+<script>
+Challenge.init({ id: "pointer-properties", instructions: "click button; pointer event details must look real" });
+const btn = document.getElementById("go");
+let lastMove = null;
+window.addEventListener("pointermove", (e) => { lastMove = { mx: e.movementX, my: e.movementY, pid: e.pointerId, type: e.pointerType }; });
+btn.addEventListener("pointerdown", (e) => {
+  Challenge.log("pointerdown", { type: e.pointerType, pressure: e.pressure, pid: e.pointerId, mx: e.movementX, my: e.movementY });
+  const bad = [];
+  if (e.pointerType !== "mouse" && e.pointerType !== "touch" && e.pointerType !== "pen") bad.push(`pointerType=${e.pointerType}`);
+  if (e.pointerType === "mouse" && e.pressure !== 0.5) bad.push(`mouse pressure=${e.pressure} (real=0.5)`);
+  if (e.pointerId === 0) bad.push("pointerId=0");
+  if (!lastMove) bad.push("no preceding pointermove");
+  else if (lastMove.mx === 0 && lastMove.my === 0) bad.push("preceding pointermove had movementX=movementY=0");
+  if (bad.length) Challenge.fail(...bad);
+  else Challenge.pass(`type=${e.pointerType} pressure=${e.pressure} pid=${e.pointerId}`);
+});
+</script>
+</body>

package/test-suite/challenges/08-keyboard-cadence.html

@@ -0,0 +1,37 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>08 keyboard cadence</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: type <code>secret</code>. Page demands per-key keydown+keypress+keyup with non-uniform gaps and non-zero hold time.</p>
+  <input id="t" placeholder="type 'secret'" style="font-size:18px;padding:8px 12px;width:240px">
+</main>
+<script>
+Challenge.init({ id: "keyboard-cadence", instructions: "type 'secret' with realistic per-key cadence" });
+const t = document.getElementById("t");
+const evs = [];
+["keydown","keypress","keyup","input"].forEach(name => {
+  t.addEventListener(name, (e) => evs.push({ name, key: e.key ?? e.data, t: e.timeStamp, trusted: e.isTrusted }));
+});
+t.addEventListener("keyup", () => {
+  if (t.value !== "secret") return;
+  const downs = evs.filter(e => e.name === "keydown");
+  const presses = evs.filter(e => e.name === "keypress");
+  const ups = evs.filter(e => e.name === "keyup");
+  const bad = [];
+  if (downs.length < 6) bad.push(`only ${downs.length} keydowns (need >=6)`);
+  if (presses.length < 6) bad.push(`only ${presses.length} keypress events`);
+  if (ups.length < 6) bad.push(`only ${ups.length} keyups`);
+  const holds = downs.slice(0, ups.length).map((d,i)=> ups[i].t - d.t);
+  if (holds.some(h => h <= 0)) bad.push(`some keyup at-or-before keydown: ${holds.join(",")}`);
+  if (holds.length && holds.every(h => Math.abs(h-holds[0]) < 0.5)) bad.push(`hold times identical: ${holds.join(",")}`);
+  const gaps = downs.slice(1).map((d,i)=> d.t - downs[i].t);
+  if (gaps.length && gaps.every(g => Math.abs(g-gaps[0]) < 0.5)) bad.push(`keydown gaps identical: ${gaps.join(",")}`);
+  Challenge.log("cadence", { holds, gaps });
+  if (bad.length) Challenge.fail(...bad);
+  else Challenge.pass(`holds=${holds.map(h=>h.toFixed(0)).join(",")} gaps=${gaps.map(g=>g.toFixed(0)).join(",")}`);
+});
+</script>
+</body>

package/test-suite/challenges/09-composition-input.html

@@ -0,0 +1,45 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>09 framework input invariants</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: type <code>abc</code>. Page asserts React-style invariants: <code>beforeinput</code>
+     fires <em>before</em> <code>input</code>, both per-character, <code>inputType==="insertText"</code>,
+     value mutates between events, and no <code>compositionstart</code> for plain typing.</p>
+  <input id="t" placeholder="type abc" style="font-size:18px;padding:8px 12px;width:240px">
+</main>
+<script>
+Challenge.init({ id: "composition-input", instructions: "type 'abc' producing framework-correct event order" });
+const t = document.getElementById("t");
+const evs = [];
+let sawCompositionStart = false;
+["beforeinput","input","compositionstart","compositionend"].forEach(name => {
+  t.addEventListener(name, (e) => {
+    evs.push({ name, t: e.timeStamp, inputType: e.inputType, data: e.data, value: t.value });
+    if (name === "compositionstart") sawCompositionStart = true;
+  });
+});
+t.addEventListener("input", () => {
+  if (t.value !== "abc") return;
+  const before = evs.filter(e => e.name === "beforeinput");
+  const inp = evs.filter(e => e.name === "input");
+  const bad = [];
+  if (sawCompositionStart) bad.push("compositionstart fired for plain ASCII typing");
+  if (before.length !== 3) bad.push(`beforeinput count=${before.length} (need 3)`);
+  if (inp.length !== 3) bad.push(`input count=${inp.length} (need 3)`);
+  if (before.some(b => b.inputType !== "insertText")) bad.push(`beforeinput.inputType=${before.map(b=>b.inputType).join(",")}`);
+  // beforeinput must precede matching input.
+  for (let i = 0; i < Math.min(before.length, inp.length); i++) {
+    if (before[i].t > inp[i].t) bad.push(`beforeinput[${i}] after input[${i}]`);
+  }
+  // Value must reflect each char incrementally.
+  const seq = inp.map(e => e.value).join("|");
+  if (seq !== "a|ab|abc") bad.push(`value seq at input events: ${seq} (need a|ab|abc)`);
+  Challenge.log("seq", { evs });
+  if (bad.length) Challenge.fail(...bad);
+  else Challenge.pass(`event order and invariants OK; seq=${seq}`);
+});
+</script>
+</body>

package/test-suite/challenges/10-user-activation.html

@@ -0,0 +1,40 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>10 user activation gates</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: click the button. Handler then tries gated APIs (clipboard.writeText, fullscreen).
+     Success requires <code>navigator.userActivation.isActive</code> and at least one gated API to succeed.</p>
+  <button id="go" style="padding:20px 32px;font-size:18px;background:#1f7a1f;color:#fff;border:0;border-radius:6px">Click me</button>
+</main>
+<script>
+Challenge.init({ id: "user-activation", instructions: "click button; user-activation must unlock gated APIs" });
+document.getElementById("go").addEventListener("click", async () => {
+  // Capture activation state synchronously before any await (activation can be consumed by gated APIs).
+  const ua = navigator.userActivation;
+  const wasActive = !!ua?.isActive;
+  const hadBeenActive = !!ua?.hasBeenActive;
+  Challenge.log("activation", { isActive: wasActive, hasBeenActive: hadBeenActive });
+  let clip = "skip", fs = "skip";
+  try { await navigator.clipboard.writeText("pi-chrome-test"); clip = "ok"; }
+  catch (e) { clip = "err:" + e.name; }
+  try { await document.documentElement.requestFullscreen(); fs = "ok"; document.exitFullscreen?.(); }
+  catch (e) { fs = "err:" + e.name; }
+  Challenge.log("gates", { clip, fs });
+  if (!wasActive && !hadBeenActive) {
+    return Challenge.fail("userActivation.isActive/hasBeenActive both false (synthetic click)");
+  }
+  const okCount = [clip, fs].filter(x => x === "ok").length;
+  if (okCount === 0) {
+    return Challenge.skip(`activation present, but gated APIs blocked by environment/policy: clipboard=${clip}; fullscreen=${fs}`);
+  }
+  const warnings = [];
+  if (clip.startsWith("err")) warnings.push("clipboard.writeText " + clip);
+  if (fs.startsWith("err")) warnings.push("requestFullscreen " + fs);
+  if (warnings.length) Challenge.pass(`activation active; ${okCount}/2 gates succeeded; ${warnings.join("; ")}`);
+  else Challenge.pass(`activation active; clipboard=${clip}; fullscreen=${fs}`);
+});
+</script>
+</body>

package/test-suite/challenges/11-honeypot.html

@@ -0,0 +1,36 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>11 honeypot fields</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: fill <em>only</em> the visible "Name" field with <code>alex</code> and submit.
+     Three honeypots (a, b, c) are present that a human cannot see/tab to. Filling any honeypot fails.</p>
+  <form id="f">
+    <label>Name <input name="name" id="name"></label>
+    <!-- off-screen -->
+    <input name="a" aria-hidden="true" tabindex="-1" autocomplete="off"
+           style="position:absolute;left:-9999px;top:-9999px">
+    <!-- display:none -->
+    <input name="b" aria-hidden="true" tabindex="-1" autocomplete="off" style="display:none">
+    <!-- zero-size + visually hidden -->
+    <input name="c" aria-hidden="true" tabindex="-1" autocomplete="off"
+           style="opacity:0;width:0;height:0;border:0;padding:0">
+    <button type="submit">Submit</button>
+  </form>
+</main>
+<script>
+Challenge.init({ id: "honeypot", instructions: "fill only the Name field with 'alex', then submit" });
+const form = document.getElementById("f");
+form.addEventListener("submit", (e) => {
+  e.preventDefault();
+  const fd = new FormData(form);
+  const filled = ["a","b","c"].filter(k => (fd.get(k) ?? "").toString().length > 0);
+  Challenge.log("submit", { name: fd.get("name"), a: fd.get("a"), b: fd.get("b"), c: fd.get("c") });
+  if (filled.length) return Challenge.fail("honeypot(s) filled: " + filled.join(","));
+  if ((fd.get("name") ?? "") !== "alex") return Challenge.fail(`name="${fd.get("name")}" (need 'alex')`);
+  Challenge.pass("only visible field filled");
+});
+</script>
+</body>

package/test-suite/challenges/12-fingerprint.html

@@ -0,0 +1,59 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>12 fingerprint consistency</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Auto-check. Looks for cross-API consistency mismatches that betray instrumented Chrome.</p>
+  <pre id="rep" style="font:12px monospace;background:#111;color:#eee;padding:12px;border-radius:6px"></pre>
+</main>
+<script>
+Challenge.init({ id: "fingerprint", instructions: "no interaction" });
+(async () => {
+  const checks = [];
+  const ua = navigator.userAgent;
+  const isChrome = /Chrome\/\d+/.test(ua);
+  checks.push({ name: "ua-is-chrome", bad: !isChrome, note: ua });
+
+  // UA-CH: Chrome should expose userAgentData with brands incl Chromium.
+  const uad = navigator.userAgentData;
+  const hasUAD = !!uad;
+  checks.push({ name: "userAgentData-present", bad: isChrome && !hasUAD, note: hasUAD ? JSON.stringify(uad.brands) : "missing" });
+
+  // Chrome runtime object exists in normal Chrome.
+  checks.push({ name: "window.chrome", bad: isChrome && typeof window.chrome === "undefined",
+                note: typeof window.chrome });
+
+  // languages must match accept-language semantics.
+  checks.push({ name: "languages-includes-language", bad: !navigator.languages?.includes(navigator.language),
+                note: `${navigator.language} vs ${JSON.stringify(navigator.languages)}` });
+
+  // WebGL vendor/renderer should not be Brian Paul / SwiftShader on user profile.
+  try {
+    const gl = document.createElement("canvas").getContext("webgl");
+    const dbg = gl.getExtension("WEBGL_debug_renderer_info");
+    const vendor = dbg ? gl.getParameter(dbg.UNMASKED_VENDOR_WEBGL) : gl.getParameter(gl.VENDOR);
+    const renderer = dbg ? gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL) : gl.getParameter(gl.RENDERER);
+    const swiftshader = /SwiftShader|llvmpipe|Software/i.test(renderer);
+    checks.push({ name: "webgl-not-software", bad: false, warn: swiftshader, note: `${vendor} / ${renderer}${swiftshader ? " (software renderer; warning in VM/remote contexts)" : ""}` });
+  } catch (e) {
+    checks.push({ name: "webgl-not-software", bad: false, note: "n/a " + e.message });
+  }
+
+  // hardwareConcurrency / deviceMemory plausibility.
+  checks.push({ name: "hardwareConcurrency", bad: !(navigator.hardwareConcurrency > 0), note: String(navigator.hardwareConcurrency) });
+
+  // navigator.webdriver again, separate from challenge 03 so it appears here too.
+  checks.push({ name: "webdriver-false", bad: navigator.webdriver === true, note: String(navigator.webdriver) });
+
+  const rep = document.getElementById("rep");
+  rep.textContent = checks.map(c => `${c.bad ? "✗" : c.warn ? "!" : "✓"} ${c.name}  ${c.note}`).join("\n");
+  const failed = checks.filter(c => c.bad);
+  const warned = checks.filter(c => c.warn);
+  if (failed.length) Challenge.fail(...failed.map(c => `${c.name}: ${c.note}`));
+  else if (warned.length) Challenge.warn(...warned.map(c => `${c.name}: ${c.note}`));
+  else Challenge.pass("fingerprint consistent with real Chrome");
+})();
+</script>
+</body>

package/test-suite/challenges/13-focus-order.html

@@ -0,0 +1,31 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>13 focus order</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: focus the input by <em>clicking</em> it (not <code>.focus()</code>), then type <code>x</code>.
+     Pointerdown must precede focus, and <code>:focus-visible</code> must be false for pointer focus.</p>
+  <input id="t" placeholder="click then type x" style="font-size:18px;padding:8px 12px;width:240px">
+</main>
+<script>
+Challenge.init({ id: "focus-order", instructions: "click input then type 'x'" });
+const t = document.getElementById("t");
+let lastPointer = -Infinity, lastFocus = -Infinity, sawPointer = false;
+t.addEventListener("pointerdown", (e) => { lastPointer = e.timeStamp; sawPointer = true; });
+t.addEventListener("focus", (e) => {
+  lastFocus = e.timeStamp;
+  if (!sawPointer) Challenge.fail("focus arrived with no preceding pointerdown");
+  else if (lastFocus < lastPointer) Challenge.fail("focus before pointerdown");
+});
+t.addEventListener("input", () => {
+  if (t.value !== "x") return;
+  // For pointer-driven focus, :focus-visible should be false.
+  const fv = t.matches(":focus-visible");
+  Challenge.log("focus-visible", { fv });
+  if (fv) Challenge.fail(":focus-visible true after pointer click (looks like keyboard focus)");
+  else if (window.__verdict !== "FAIL") Challenge.pass("pointerdown→focus→input order ok, :focus-visible=false");
+});
+</script>
+</body>

package/test-suite/challenges/14-wheel-scroll.html

@@ -0,0 +1,28 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>14 wheel scroll</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: scroll the box to the bottom. Page rejects raw <code>scrollTop</code> assignment without
+     <code>wheel</code> events.</p>
+  <div id="box" style="height:200px;overflow:auto;border:1px solid #555;background:#fff;color:#111;padding:8px">
+    <div style="height:1200px">scroll me ⬇<br><br>...lots of content...</div>
+  </div>
+</main>
+<script>
+Challenge.init({ id: "wheel-scroll", instructions: "scroll the box to its bottom" });
+const box = document.getElementById("box");
+let wheelCount = 0, lastWheelTs = -Infinity;
+box.addEventListener("wheel", (e) => { wheelCount++; lastWheelTs = e.timeStamp; Challenge.log("wheel", { dy: e.deltaY }); }, { passive: true });
+box.addEventListener("scroll", () => {
+  Challenge.log("scroll", { top: box.scrollTop });
+  if (box.scrollTop + box.clientHeight >= box.scrollHeight - 2) {
+    if (wheelCount === 0) Challenge.fail("scrolled to bottom with zero wheel events");
+    else if (performance.now() - lastWheelTs > 1500) Challenge.fail("wheel events too far before final scroll");
+    else Challenge.pass(`${wheelCount} wheel events accompanied scroll`);
+  }
+});
+</script>
+</body>

package/test-suite/challenges/15-drag-drop-datatransfer.html

@@ -0,0 +1,73 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>15 drag-drop DataTransfer</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: drag the <b>red box</b> into the <b>drop zone</b>. Page asserts a full HTML5
+     drag sequence with a populated <code>DataTransfer</code> — synthetic pointer drags
+     dispatched without <code>dragstart</code>/<code>drop</code> + DataTransfer payload fail.</p>
+  <div style="display:flex;gap:24px;align-items:center;margin-top:16px">
+    <div id="src" draggable="true"
+         style="width:80px;height:80px;background:#c33;color:#fff;display:flex;align-items:center;justify-content:center;border-radius:6px;cursor:grab">
+      DRAG
+    </div>
+    <div id="dst"
+         style="width:200px;height:120px;border:2px dashed #888;display:flex;align-items:center;justify-content:center;color:#888">
+      DROP HERE
+    </div>
+  </div>
+</main>
+<script>
+Challenge.init({ id: "drag-drop-datatransfer", instructions: "drag red box into drop zone via real HTML5 drag" });
+const src = document.getElementById("src");
+const dst = document.getElementById("dst");
+
+const seen = { dragstart: 0, drag: 0, dragenter: 0, dragover: 0, drop: 0, dragend: 0 };
+let dtHadTypes = false, dtPayload = null, isTrustedAll = true;
+
+src.addEventListener("dragstart", (e) => {
+  seen.dragstart++;
+  if (!e.isTrusted) isTrustedAll = false;
+  try { e.dataTransfer.setData("text/plain", "payload-" + Math.random().toString(36).slice(2,8)); } catch {}
+  Challenge.log("dragstart", { hasDt: !!e.dataTransfer });
+});
+src.addEventListener("drag", (e) => { seen.drag++; if (!e.isTrusted) isTrustedAll = false; });
+src.addEventListener("dragend", (e) => { seen.dragend++; if (!e.isTrusted) isTrustedAll = false; });
+
+dst.addEventListener("dragenter", (e) => { seen.dragenter++; e.preventDefault(); if (!e.isTrusted) isTrustedAll = false; });
+dst.addEventListener("dragover",  (e) => { seen.dragover++;  e.preventDefault(); if (!e.isTrusted) isTrustedAll = false; });
+dst.addEventListener("drop", (e) => {
+  e.preventDefault();
+  seen.drop++;
+  if (!e.isTrusted) isTrustedAll = false;
+  const dt = e.dataTransfer;
+  if (dt) {
+    dtHadTypes = (dt.types && dt.types.length > 0);
+    try { dtPayload = dt.getData("text/plain"); } catch {}
+  }
+  Challenge.log("drop", { types: dt && [...dt.types], payload: dtPayload });
+  // dragend fires AFTER drop per spec; give it a tick.
+  setTimeout(evaluate, 50);
+});
+
+function evaluate() {
+  const bad = [];
+  if (!isTrustedAll) bad.push("at least one drag event isTrusted=false");
+  for (const k of ["dragstart","dragover","drop","dragend"]) {
+    if (!seen[k]) bad.push(`missing ${k}`);
+  }
+  if (!dtHadTypes) bad.push("DataTransfer.types empty on drop");
+  if (!dtPayload || !dtPayload.startsWith("payload-")) bad.push("DataTransfer payload missing on drop");
+  if (bad.length) Challenge.fail(...bad);
+  else Challenge.pass(`full drag cycle, payload=${dtPayload}`);
+}
+
+// Fallback: pointer-drag without dragstart triggers fail after a delay.
+let pointerDownInSrc = false;
+src.addEventListener("pointerdown", () => { pointerDownInSrc = true;
+  setTimeout(() => { if (!seen.dragstart && pointerDownInSrc) Challenge.fail("pointerdown on src but no dragstart fired"); }, 1500);
+});
+</script>
+</body>

package/test-suite/challenges/16-contenteditable-selection.html

@@ -0,0 +1,54 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>16 contenteditable selection</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: focus the editable region and type <code>hello</code>. Page asserts that
+     <code>window.getSelection()</code> reflects per-keystroke caret movement
+     (<code>rangeCount===1</code>, <code>collapsed</code> caret, anchor inside the editor,
+     offset advances 1 per char) and that <code>selectionchange</code> fires.</p>
+  <div id="ed" contenteditable="true"
+       style="min-height:60px;padding:10px;border:1px solid #555;background:#fff;color:#111;font:16px monospace"></div>
+</main>
+<script>
+Challenge.init({ id: "contenteditable-selection", instructions: "focus editor and type 'hello'" });
+const ed = document.getElementById("ed");
+const offsets = [];
+let selChanges = 0;
+
+document.addEventListener("selectionchange", () => {
+  selChanges++;
+  const s = window.getSelection();
+  if (!s || s.rangeCount === 0) return;
+  if (!ed.contains(s.anchorNode)) return;
+  offsets.push({ off: s.anchorOffset, collapsed: s.isCollapsed, t: performance.now(), len: ed.textContent.length });
+});
+
+ed.addEventListener("input", async () => {
+  if (ed.textContent !== "hello") return;
+  // selectionchange is async — wait a tick so the final caret update is observed.
+  await new Promise((r) => setTimeout(r, 30));
+  const bad = [];
+  const sel = window.getSelection();
+  if (!sel) bad.push("getSelection()==null");
+  else {
+    if (sel.rangeCount !== 1) bad.push(`rangeCount=${sel.rangeCount} (need 1)`);
+    if (!sel.isCollapsed) bad.push("selection not collapsed after typing");
+    if (!ed.contains(sel.anchorNode)) bad.push("selection anchor outside editor");
+    if (sel.anchorOffset !== 5) bad.push(`anchorOffset=${sel.anchorOffset} (need 5)`);
+  }
+  if (selChanges < 5) bad.push(`selectionchange count=${selChanges} (need ≥5)`);
+  // offsets should advance monotonically 1,2,3,4,5 (allowing extras from focus)
+  const monotonic = offsets.map(o => o.off);
+  const peak = Math.max(0, ...monotonic);
+  if (peak !== 5) bad.push(`peak caret offset=${peak} during typing (need 5)`);
+  // every caret reading must be collapsed (no spurious ranges)
+  if (offsets.some(o => !o.collapsed)) bad.push("non-collapsed range observed during typing");
+  Challenge.log("sel", { offsets, selChanges });
+  if (bad.length) Challenge.fail(...bad);
+  else Challenge.pass(`selectionchanges=${selChanges}, caret advanced 0→5`);
+});
+</script>
+</body>

package/test-suite/challenges/17-paste-clipboard.html

@@ -0,0 +1,48 @@
+<!doctype html>
+<meta charset="utf-8">
+<title>17 paste clipboard</title>
+<link rel="stylesheet" href="../_style.css">
+<script src="../_lib.js"></script>
+<body>
+<main>
+  <p>Goal: paste the string <code>pi-chrome</code> into the input via a real OS paste
+     (Cmd/Ctrl+V firing a trusted <code>paste</code> event with populated
+     <code>clipboardData</code>). Programmatic <code>value=</code> or <code>setRangeText</code>
+     fail. The <code>input</code> event's <code>inputType</code> must be
+     <code>insertFromPaste</code>.</p>
+  <input id="t" placeholder="paste here" style="font-size:18px;padding:8px 12px;width:280px">
+</main>
+<script>
+Challenge.init({ id: "paste-clipboard", instructions: "paste 'pi-chrome' via OS clipboard" });
+const t = document.getElementById("t");
+let sawPaste = false, pasteIsTrusted = false, pastePayload = null;
+t.addEventListener("paste", (e) => {
+  sawPaste = true;
+  pasteIsTrusted = e.isTrusted;
+  try { pastePayload = e.clipboardData && e.clipboardData.getData("text/plain"); } catch {}
+  Challenge.log("paste", { isTrusted: e.isTrusted, payload: pastePayload });
+});
+
+let lastInputType = null;
+t.addEventListener("input", (e) => {
+  lastInputType = e.inputType;
+  if (t.value !== "pi-chrome") return;
+  const bad = [];
+  if (!sawPaste) bad.push("no paste event fired before value matched");
+  if (!pasteIsTrusted) bad.push("paste event isTrusted=false");
+  if (pastePayload !== "pi-chrome") bad.push(`clipboardData payload="${pastePayload}" (need 'pi-chrome')`);
+  if (lastInputType !== "insertFromPaste") bad.push(`input.inputType="${lastInputType}" (need 'insertFromPaste')`);
+  if (bad.length) Challenge.fail(...bad);
+  else Challenge.pass("trusted paste with clipboardData text/plain match");
+});
+
+// Also fail loudly if value is set without any input event (raw .value=)
+let inputFired = false;
+t.addEventListener("input", () => { inputFired = true; });
+const obs = new MutationObserver(() => {});
+obs.observe(t, { attributes: true, attributeFilter: ["value"] });
+setInterval(() => {
+  if (t.value === "pi-chrome" && !inputFired) Challenge.fail("value matched without input event firing");
+}, 200);
+</script>
+</body>