2 points by leo_pechnicki 9 hours ago | 2 comments
  • theamk 8 hours ago
    This seems like pure theater, which provides no functional security?

    Surely a human will simply use a debugger. Open the inspector and find the object in the DOM. Or open the JS console and find it using a single command.

    Not to mention that the "difficulty level" thing is pretty absurd too. Your main protection is obscurity - the idea is that humans won't look at the DOM. For that, you don't need multiple operations, just put it in any random attribute or a JS comment. Maybe add 1 operation like "base64" for the happiness.

    (If this is a joke, please disregard the message above)

  • leo_pechnicki 9 hours ago
    Hi HN, creator here. Some context on what this is and why I built it:

    The problem: I was building an agent-facing API and realized there's no standard way to verify that a client is actually an AI agent. API keys prove identity but not capability. Traditional CAPTCHAs prove humanity — the opposite of what I needed.

    How it works: imrobot generates deterministic challenge pipelines using composable string operations (base64, rot13, hex encode, reverse, etc.). An LLM parses the instructions, executes each step, and returns the result in ~0.3 seconds. A human would need to manually decode each transformation — technically possible but impractical.

    Technical highlights:
    - Zero external dependencies (~15KB)
    - Multi-framework: React, Vue, Svelte, Web Components, or headless API
    - Built-in REST server using only Node.js http module (no Express)
    - Deterministic, stateless verification
    - DOM-embedded challenges for browser-based agents

    npm: https://www.npmjs.com/package/imrobot

    I'm open to feedback on the approach. Specifically curious about: Is deterministic string pipeline verification the right primitive, or are there better approaches? What edge cases should I be thinking about for production use?
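
An added sketch (not imrobot's code or API) of the kind of scheme the post describes: a pipeline of composable string operations whose answer is checked without server-side state. The HMAC token, the function names and the sample values are assumptions made for this illustration.

```javascript
const crypto = require('node:crypto');

// Operation table; names follow the list in the post, the implementations are constructed here.
const OPS = {
  base64: (s) => Buffer.from(s, 'utf8').toString('base64'),
  hex: (s) => Buffer.from(s, 'utf8').toString('hex'),
  reverse: (s) => [...s].reverse().join(''),
  rot13: (s) => s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  }),
};

// Apply each named step in order. Same seed and steps always give the same answer.
function runPipeline(seed, steps) {
  return steps.reduce((acc, op) => {
    if (!Object.prototype.hasOwnProperty.call(OPS, op)) {
      throw new Error(`unknown operation: ${op}`);
    }
    return OPS[op](acc);
  }, seed);
}

// Hypothetical token format: HMAC-SHA256 over "<expiry>.<expected answer>".
function tagFor(secret, expires, answer) {
  return crypto.createHmac('sha256', secret).update(`${expires}.${answer}`).digest('hex');
}

// The server computes the answer once, signs it, and stores nothing.
function issueChallenge(secret, seed, steps, now = Date.now(), ttlMs = 30000) {
  const expires = now + ttlMs;
  return { seed, steps, expires, tag: tagFor(secret, expires, runPipeline(seed, steps)) };
}

// The client sends back the challenge object together with its answer.
function verify(secret, challenge, answer, now = Date.now()) {
  if (now > challenge.expires) return false;
  const expected = Buffer.from(tagFor(secret, challenge.expires, answer), 'hex');
  const given = Buffer.from(String(challenge.tag), 'hex');
  // Length check first: timingSafeEqual throws on buffers of unequal length.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}
```

Because the verifier keeps no state, the same challenge and answer are accepted again until the token expires, which is one edge case to weigh for production use.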