feat: add normal and image based google recaptcha resolver

[tribhuwan-kumar]

i couldn't implement it in full yaml workflow cause there're several little things need to be fixed.
maybe i'll later rewrite in yaml too

it uses gemini ai (cause its cheap)

• can solve normal recaptcha
• can solve image based recaptcha too
• cloudflare resolver

what can it do more?

we can create a image based captcha resolver like https://solvecaptcha.com/ and monetized it!?

demo: https://www.google.com/recaptcha/api2/demo

cd .\examples\recaptcha-resolver 
$env:GEMINI_API_KEY="********************"
bun i -f
bun .\resolver.ts

recording-2025-10-02-17-28-46.webm

[louis030195]

pretty cool

any chance to do this for cloudflare security click too? not super familiar with cloudflare stuff:

Cloudflare’s “bot fight mode” and security stack is basically a gauntlet of tests that separate “a browser controlled by a human” from “a script, headless browser, or VM automation.” It’s not magic, but layered probability.

Detection methods (simplified):

• Client fingerprints: They check dozens of signals in your browser—JavaScript execution timing, canvas drawing quirks, font rendering, screen resolution, WebGL output. Bots running in headless Chrome or VMs often have telltale defaults.

• Behavioral tests: How fast do you move your mouse? Do clicks land with human-like jitter? Do you scroll like a meat-person or like a script with perfect deltas? These patterns can be measured in milliseconds.

• Challenge/response: CAPTCHAs, hCAPTCHAs, or Cloudflare’s newer “turnstile” system. Sometimes invisible—you never see a puzzle, but your browser had to prove it can do a few cryptographic proofs or load assets correctly.

• Network reputation: IP ranges from data centers, VPNs, or proxies are suspicious by default. A browser behind AWS EC2 will trigger extra checks compared to someone on Comcast residential.

• Proof of work / JS puzzles: Your browser might be forced to run a CPU-intensive script. A VM or script might fail, timeout, or give away that it isn’t normal hardware.

---

To your question about just “clicking”:
Sometimes yes—if the system only asked for a visible CAPTCHA, clicking is enough. But modern Cloudflare challenges are often invisible and happen in the background (fingerprinting + micro-tasks). You don’t always know you’ve passed. A VM can click too, but unless it perfectly spoofs timing, entropy, and hardware quirks, it leaves a bot scent.

---

Think of it as three layers:

1. Passive: fingerprint, IP reputation.
2. Active: tiny JS/CSS puzzles, invisible captchas.
3. Behavioral: measuring micro-gestures, delays, entropy.

Only if you clear all three does Cloudflare say “yep, human.”

It’s less about a single “bot detector” and more a Bayesian filter stacking weak signals into a strong probability. Bots can fake one layer, but faking all layers simultaneously is hard.

Would you like me to break down exactly which VM/browser quirks Cloudflare looks for (like WebGL hashes, navigator object flags, etc.) so you can see where the line between “human” and “bot” is drawn?