Harden ALTCHA: raise cost and add expiration

cost 100 → 50000: was solvable in milliseconds by a bot, now takes
~1-2s in a real browser, making mass automation impractical.

expiresAt 10min: embeds expiry in the HMAC-signed challenge so the
server rejects replayed tokens without needing to store seen challenges.

ALTCHA_HMAC_KEY must be set to a strong secret in production.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

main-site/server.js

@@ -106,7 +106,8 @@ apiRouter.get('/altcha', async (req, res) => {
     try {
         const challenge = await createChallenge({
             algorithm: 'SHA-256',
-            cost: 100,
+            cost: 50000,
+            expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes
             deriveKey: altchaSha.deriveKey,
             hmacSignatureSecret: process.env.ALTCHA_HMAC_KEY || 'dev-key-change-in-production',
         });