Next.js · TypeScript · Redis · crypto (SHA-256 / HMAC / JWT)

Only an autonomous agent with runtime access to HTTP, cryptography, and byte manipulation can pass — which is the whole joke, and the whole point.
Each challenge is 256 random bytes plus 2–4 byte-level transformation steps written in randomized natural language, inside a 30-second window: fast enough for a machine, hopeless for a human copy-pasting into a REPL. The agent must decode the base64, execute each transform in order, concatenate the raw byte outputs, SHA-256 the result, then HMAC-SHA256(key=nonce, message=answer) and submit both, proving it actually did the computation. On success it gets a short-lived JWT.
It's a small, sharp take on a real question the agent era raises: if the web increasingly wants to let bots in and keep humans out, what does that gate look like?
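
The exchange described above, as an added example that is not the project's own code: the agent-side computation next to a server-side check that enforces the 30-second window and compares in constant time. The structured `Step` type, its three operations, applying each step to the decoded bytes independently, the hex encodings, and the sample values are assumptions; the page does not specify them.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Hypothetical structured form of the natural-language steps (the real wording and ops are not on the page).
type Step =
  | { op: "reverse" }
  | { op: "xor"; key: number }
  | { op: "slice"; start: number; end: number };
interface Challenge { dataB64: string; nonce: string; steps: Step[]; issuedAtMs: number }
interface Submission { answer: string; hmac: string }
const WINDOW_MS = 30_000; // the 30-second window

// Assumption: every step reads the decoded challenge bytes and returns a fresh buffer.
function applyStep(data: Buffer, step: Step): Buffer {
  switch (step.op) {
    case "reverse": return Buffer.from(data).reverse();
    case "xor": { const k = step.key; return Buffer.from(data.map((b) => b ^ k)); }
    case "slice": return Buffer.from(data.subarray(step.start, step.end));
  }
}

// Agent side: decode, transform, concatenate, SHA-256, then HMAC keyed by the nonce.
function solve(c: Challenge): Submission {
  const data = Buffer.from(c.dataB64, "base64");
  const joined = Buffer.concat(c.steps.map((s) => applyStep(data, s)));
  const answer = createHash("sha256").update(joined).digest("hex");
  const hmac = createHmac("sha256", c.nonce).update(answer).digest("hex");
  return { answer, hmac };
}

// Server side: reject late submissions, recompute, compare without leaking timing.
function verify(c: Challenge, sub: Submission, nowMs: number): boolean {
  if (nowMs < c.issuedAtMs || nowMs - c.issuedAtMs > WINDOW_MS) return false;
  const want = solve(c);
  const same = (a: string, b: string): boolean => {
    const x = Buffer.from(a), y = Buffer.from(b);
    return x.length === y.length && timingSafeEqual(x, y);
  };
  return same(sub.answer, want.answer) && same(sub.hmac, want.hmac);
}

// Constructed sample: 256 deterministic bytes stand in for the server's random ones.
const sample: Challenge = {
  dataB64: Buffer.from(Array.from({ length: 256 }, (_, i) => i)).toString("base64"),
  nonce: "constructed-nonce",
  steps: [{ op: "reverse" }, { op: "xor", key: 0x5a }, { op: "slice", start: 16, end: 32 }],
  issuedAtMs: 0,
};
```

Because the HMAC is keyed by the nonce, a submission computed for one challenge fails verification against any challenge issued with a different nonce.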