Lower ALTCHA cost to 2000

50000 was taking >1 minute on some devices. 2000 should be ~1-2s in
most browsers while still being meaningful work for bots. The HMAC
key and expiration are the real security — cost is just friction.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

main-site/server.js

@@ -106,7 +106,7 @@ apiRouter.get('/altcha', async (req, res) => {
     try {
         const challenge = await createChallenge({
             algorithm: 'SHA-256',
-            cost: 50000,
+            cost: 2000,
             expiresAt: new Date(Date.now() + 10 * 60 * 1000), // 10 minutes
             deriveKey: altchaSha.deriveKey,
             hmacSignatureSecret: process.env.ALTCHA_HMAC_KEY || 'dev-key-change-in-production',