feat: add json_Object and json_Encode template funcs

Bump github.com/valyala/fasthttp from 1.69.0 to 1.70.0

.github/workflows/lint.yaml

@@ -24,4 +24,4 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.11.2
+          version: v2.11.4

README.md

@@ -26,10 +26,11 @@ Sarin is designed for efficient HTTP load testing with minimal resource consumpt
 | ---------------------------------------------------------- | ------------------------------- |
 | High-performance with low memory footprint                 | Detailed response body analysis |
 | Long-running duration/count based tests                    | Extensive response statistics   |
-| Dynamic requests via 320+ template functions               | Web UI or complex TUI           |
+| Dynamic requests via 340+ template functions               | Web UI or complex TUI           |
 | Request scripting with Lua and JavaScript                  | Distributed load testing        |
 | Multiple proxy protocols<br>(HTTP, HTTPS, SOCKS5, SOCKS5H) | HTTP/2, HTTP/3, WebSocket, gRPC |
-| Flexible config (CLI, ENV, YAML)                           | Plugins / extensions ecosystem  |
+| Captcha solving<br>(2Captcha, Anti-Captcha, CapSolver)     | Plugins / extensions ecosystem  |
+| Flexible config (CLI, ENV, YAML)                           |                                 |
 
 ## Installation
 

Taskfile.yaml

@@ -3,7 +3,7 @@ version: "3"
 
 vars:
   BIN_DIR: ./bin
-  GOLANGCI_LINT_VERSION: v2.11.2
+  GOLANGCI_LINT_VERSION: v2.11.4
   GOLANGCI: "{{.BIN_DIR}}/golangci-lint-{{.GOLANGCI_LINT_VERSION}}"
 
 tasks:

benchmark/README.md

@@ -1,42 +0,0 @@
-# Benchmark
-
-Compares [sarin](https://github.com/aykhans/sarin), [wrk](https://github.com/wg/wrk), and [bombardier](https://github.com/codesenberg/bombardier) against a minimal C HTTP server using epoll.
-
-## Requirements
-
-- `sarin`, `wrk`, `bombardier` in PATH
-- `gcc`
-
-## Usage
-
-```bash
-./benchmark/run.sh
-```
-
-Configuration is at the top of `run.sh`:
-
-```bash
-DURATION="30s"
-CONNECTIONS=(50 100 200)
-ITERATIONS=3
-```
-
-## Structure
-
-```
-benchmark/
-  run.sh          - benchmark script
-  server/
-    server.c      - C epoll HTTP server (returns "ok")
-  results/        - output directory (auto-created)
-```
-
-## Output
-
-Each run produces per-tool files:
-
-- `*.out` - tool stdout (throughput, latency)
-- `*.time` - `/usr/bin/time -v` output (peak memory, CPU time)
-- `*_resources.csv` - sampled CPU/memory during run
-
-A summary table is printed at the end with requests/sec, total requests, elapsed time, and peak memory.

benchmark/run.sh

@@ -1,335 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# ─── Configuration ───────────────────────────────────────────────────────────
-SERVER_PORT=8080
-SERVER_URL="http://127.0.0.1:${SERVER_PORT}/"
-DURATION="30s"
-CONNECTIONS=(50 100 200)
-ITERATIONS=3
-WARMUP_DURATION="5s"
-RESULTS_DIR="benchmark/results/$(date +%Y%m%d_%H%M%S)"
-
-# ─── Colors ──────────────────────────────────────────────────────────────────
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-CYAN='\033[0;36m'
-BOLD='\033[1m'
-NC='\033[0m'
-
-log()  { echo -e "${GREEN}[+]${NC} $*"; }
-warn() { echo -e "${YELLOW}[!]${NC} $*"; }
-err()  { echo -e "${RED}[✗]${NC} $*" >&2; }
-header() { echo -e "\n${BOLD}${CYAN}═══ $* ═══${NC}\n"; }
-
-# ─── Dependency checks ──────────────────────────────────────────────────────
-check_deps() {
-    local missing=()
-    for cmd in wrk bombardier sarin gcc; do
-        if ! command -v "$cmd" &>/dev/null; then
-            missing+=("$cmd")
-        fi
-    done
-    if [[ ${#missing[@]} -gt 0 ]]; then
-        err "Missing dependencies: ${missing[*]}"
-        echo "Install them before running this benchmark."
-        exit 1
-    fi
-    log "All dependencies found"
-}
-
-# ─── Build & manage the C server ────────────────────────────────────────────
-build_server() {
-    header "Building C HTTP server"
-    gcc -O3 -o benchmark/server/bench-server benchmark/server/server.c
-    log "Server built successfully"
-}
-
-start_server() {
-    log "Starting server on port ${SERVER_PORT}..."
-    benchmark/server/bench-server &
-    SERVER_PID=$!
-    sleep 1
-
-    if ! kill -0 "$SERVER_PID" 2>/dev/null; then
-        err "Server failed to start"
-        exit 1
-    fi
-    log "Server running (PID: ${SERVER_PID})"
-}
-
-stop_server() {
-    if [[ -n "${SERVER_PID:-}" ]] && kill -0 "$SERVER_PID" 2>/dev/null; then
-        kill "$SERVER_PID" 2>/dev/null || true
-        wait "$SERVER_PID" 2>/dev/null || true
-        log "Server stopped"
-    fi
-}
-
-trap stop_server EXIT
-
-# ─── Resource monitoring ────────────────────────────────────────────────────
-start_monitor() {
-    local tool_name=$1
-    local conns=$2
-    local iter=$3
-    local monitor_file="${RESULTS_DIR}/${tool_name}_c${conns}_i${iter}_resources.csv"
-
-    echo "timestamp,cpu%,mem_kb" > "$monitor_file"
-
-    (
-        while true; do
-            # Find the PID of the tool by name (exclude monitor itself)
-            local pid
-            pid=$(pgrep -x "$tool_name" 2>/dev/null | head -1) || true
-            if [[ -n "$pid" ]]; then
-                local stats
-                stats=$(ps -p "$pid" -o %cpu=,%mem=,rss= 2>/dev/null) || true
-                if [[ -n "$stats" ]]; then
-                    local cpu mem_kb
-                    cpu=$(echo "$stats" | awk '{print $1}')
-                    mem_kb=$(echo "$stats" | awk '{print $3}')
-                    echo "$(date +%s),$cpu,$mem_kb" >> "$monitor_file"
-                fi
-            fi
-            sleep 0.5
-        done
-    ) &
-    MONITOR_PID=$!
-}
-
-stop_monitor() {
-    if [[ -n "${MONITOR_PID:-}" ]] && kill -0 "$MONITOR_PID" 2>/dev/null; then
-        kill "$MONITOR_PID" 2>/dev/null || true
-        wait "$MONITOR_PID" 2>/dev/null || true
-    fi
-}
-
-# ─── Benchmark runners ─────────────────────────────────────────────────────
-run_wrk() {
-    local conns=$1
-    local dur=$2
-    local out_file=$3
-    local threads=$((conns < 10 ? conns : 10))
-
-    /usr/bin/time -v wrk -t"${threads}" -c"${conns}" -d"${dur}" "${SERVER_URL}" \
-        2>"${out_file}.time" | tee "${out_file}.out"
-}
-
-run_bombardier() {
-    local conns=$1
-    local dur=$2
-    local out_file=$3
-
-    /usr/bin/time -v bombardier -c "${conns}" -d "${dur}" --print result "${SERVER_URL}" \
-        2>"${out_file}.time" | tee "${out_file}.out"
-}
-
-run_sarin() {
-    local conns=$1
-    local dur=$2
-    local out_file=$3
-
-    /usr/bin/time -v sarin -U "${SERVER_URL}" -c "${conns}" -d "${dur}" -q \
-        2>"${out_file}.time" | tee "${out_file}.out"
-}
-
-# ─── Warmup ──────────────────────────────────────────────────────────────────
-warmup() {
-    header "Warming up server"
-    wrk -t4 -c50 -d"${WARMUP_DURATION}" "${SERVER_URL}" > /dev/null 2>&1
-    log "Warmup complete"
-    sleep 2
-}
-
-# ─── Extract peak memory from /usr/bin/time -v output ────────────────────────
-extract_peak_mem() {
-    local time_file=$1
-    grep "Maximum resident set size" "$time_file" 2>/dev/null | awk '{print $NF}' || echo "N/A"
-}
-
-# ─── Extract total requests from tool output ─────────────────────────────────
-extract_requests() {
-    local tool=$1
-    local out_file=$2
-
-    case "$tool" in
-        wrk)
-            # wrk: "312513 requests in 2.10s, ..."
-            grep "requests in" "$out_file" 2>/dev/null | awk '{print $1}' || echo "N/A"
-            ;;
-        bombardier)
-            # bombardier: "1xx - 0, 2xx - 100000, 3xx - 0, 4xx - 0, 5xx - 0"
-            # Sum all HTTP code counts
-            grep -E "^\s+1xx" "$out_file" 2>/dev/null | \
-                awk -F'[,-]' '{sum=0; for(i=1;i<=NF;i++){gsub(/[^0-9]/,"",$i); if($i+0>0) sum+=$i} print sum}' || echo "N/A"
-            ;;
-        sarin)
-            # sarin table: "│ Total │ 1556177 │ ..."
-            grep -i "total" "$out_file" 2>/dev/null | awk -F'│' '{gsub(/[[:space:]]/, "", $3); print $3}' || echo "N/A"
-            ;;
-    esac
-}
-
-extract_elapsed() {
-    local time_file=$1
-    grep "wall clock" "$time_file" 2>/dev/null | awk '{print $NF}' || echo "N/A"
-}
-
-extract_rps() {
-    local tool=$1
-    local out_file=$2
-
-    case "$tool" in
-        wrk)
-            # wrk: "Requests/sec:  12345.67"
-            grep "Requests/sec" "$out_file" 2>/dev/null | awk '{print $2}' || echo "N/A"
-            ;;
-        bombardier)
-            # bombardier: "Reqs/sec  12345.67  ..."
-            grep -i "reqs/sec" "$out_file" 2>/dev/null | awk '{print $2}' || echo "N/A"
-            ;;
-        sarin)
-            # sarin doesn't output rps - calculate from total requests and duration
-            local total
-            total=$(extract_requests "sarin" "$out_file")
-            if [[ "$total" != "N/A" && -n "$total" ]]; then
-                local dur_secs
-                dur_secs=$(echo "$DURATION" | sed 's/s$//')
-                awk "BEGIN {printf \"%.2f\", $total / $dur_secs}"
-            else
-                echo "N/A"
-            fi
-            ;;
-    esac
-}
-
-# ─── Print comparison table ──────────────────────────────────────────────────
-print_table() {
-    local title=$1
-    local extract_fn=$2
-    shift 2
-    local columns=("$@")
-
-    echo -e "${BOLD}${title}:${NC}"
-    printf "%-12s" ""
-    for col in "${columns[@]}"; do
-        printf "%-18s" "$col"
-    done
-    echo ""
-
-    local tools=("wrk" "bombardier" "sarin")
-    for tool in "${tools[@]}"; do
-        printf "%-12s" "$tool"
-        for col in "${columns[@]}"; do
-            local val
-            val=$($extract_fn "$tool" "$col")
-            printf "%-18s" "${val}"
-        done
-        echo ""
-    done
-    echo ""
-}
-
-# ─── Main ────────────────────────────────────────────────────────────────────
-main() {
-    header "HTTP Load Testing Tool Benchmark"
-    echo "Tools:       wrk, bombardier, sarin"
-    echo "Duration:    ${DURATION} per run"
-    echo "Connections: ${CONNECTIONS[*]}"
-    echo "Iterations:  ${ITERATIONS} per configuration"
-    echo ""
-
-    check_deps
-
-    mkdir -p "${RESULTS_DIR}"
-    log "Results will be saved to ${RESULTS_DIR}/"
-
-    build_server
-    start_server
-    warmup
-
-    local tools=("wrk" "bombardier" "sarin")
-
-    for conns in "${CONNECTIONS[@]}"; do
-        header "Testing with ${conns} connections"
-
-        for tool in "${tools[@]}"; do
-            echo -e "${BOLD}--- ${tool} (${conns} connections) ---${NC}"
-
-            for iter in $(seq 1 "$ITERATIONS"); do
-                local out_file="${RESULTS_DIR}/${tool}_c${conns}_i${iter}"
-                echo -n "  Run ${iter}/${ITERATIONS}... "
-
-                start_monitor "$tool" "$conns" "$iter"
-
-                case "$tool" in
-                    wrk)         run_wrk "$conns" "$DURATION" "$out_file" > /dev/null 2>&1 ;;
-                    bombardier)  run_bombardier "$conns" "$DURATION" "$out_file" > /dev/null 2>&1 ;;
-                    sarin)       run_sarin "$conns" "$DURATION" "$out_file" > /dev/null 2>&1 ;;
-                esac
-
-                stop_monitor
-
-                local peak_mem rps elapsed
-                peak_mem=$(extract_peak_mem "${out_file}.time")
-                rps=$(extract_rps "$tool" "${out_file}.out")
-                elapsed=$(extract_elapsed "${out_file}.time")
-                echo -e "done (elapsed: ${elapsed}, rps: ${rps}, peak mem: ${peak_mem} KB)"
-
-                sleep 2
-            done
-            echo ""
-        done
-    done
-
-    # ─── Summary ─────────────────────────────────────────────────────────
-    header "Summary"
-    echo "Raw results saved to: ${RESULTS_DIR}/"
-    echo ""
-    echo "Files per run:"
-    echo "  *.out       - tool stdout (throughput, latency stats)"
-    echo "  *.time      - /usr/bin/time output (peak memory, CPU time)"
-    echo "  *_resources.csv - sampled CPU/memory during run"
-    echo ""
-
-    local columns=()
-    for conns in "${CONNECTIONS[@]}"; do
-        columns+=("c=${conns}")
-    done
-
-    _get_rps() {
-        local c=${2#c=}
-        extract_rps "$1" "${RESULTS_DIR}/${1}_c${c}_i${ITERATIONS}.out"
-    }
-
-    _get_total() {
-        local c=${2#c=}
-        extract_requests "$1" "${RESULTS_DIR}/${1}_c${c}_i${ITERATIONS}.out"
-    }
-
-    _get_mem() {
-        local c=${2#c=}
-        extract_peak_mem "${RESULTS_DIR}/${1}_c${c}_i${ITERATIONS}.time"
-    }
-
-    _get_elapsed() {
-        local c=${2#c=}
-        extract_elapsed "${RESULTS_DIR}/${1}_c${c}_i${ITERATIONS}.time"
-    }
-
-    print_table "Requests/sec" _get_rps "${columns[@]}"
-    print_table "Total Requests" _get_total "${columns[@]}"
-    print_table "Elapsed Time" _get_elapsed "${columns[@]}"
-    print_table "Peak Memory (KB)" _get_mem "${columns[@]}"
-
-    log "Benchmark complete!"
-    echo ""
-    echo "To inspect individual results:"
-    echo "  cat ${RESULTS_DIR}/wrk_c200_i1.out"
-    echo "  cat ${RESULTS_DIR}/sarin_c200_i1.out"
-    echo "  cat ${RESULTS_DIR}/bombardier_c200_i1.out"
-}
-
-main "$@"

benchmark/server/server.c

@@ -1,114 +0,0 @@
-#include <errno.h>
-#include <fcntl.h>
-#include <netinet/in.h>
-#include <netinet/tcp.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/epoll.h>
-#include <sys/socket.h>
-#include <unistd.h>
-
-#define PORT 8080
-#define MAX_EVENTS 1024
-#define BUF_SIZE 4096
-
-static const char RESPONSE[] =
-    "HTTP/1.1 200 OK\r\n"
-    "Content-Length: 2\r\n"
-    "Content-Type: text/plain\r\n"
-    "Connection: keep-alive\r\n"
-    "\r\n"
-    "ok";
-
-static const int RESPONSE_LEN = sizeof(RESPONSE) - 1;
-
-static void set_nonblocking(int fd) {
-    int flags = fcntl(fd, F_GETFL, 0);
-    fcntl(fd, F_SETFL, flags | O_NONBLOCK);
-}
-
-int main(void) {
-    signal(SIGPIPE, SIG_IGN);
-
-    int server_fd = socket(AF_INET, SOCK_STREAM, 0);
-    if (server_fd < 0) {
-        perror("socket");
-        return 1;
-    }
-
-    int opt = 1;
-    setsockopt(server_fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt));
-    setsockopt(server_fd, SOL_SOCKET, SO_REUSEPORT, &opt, sizeof(opt));
-    setsockopt(server_fd, IPPROTO_TCP, TCP_NODELAY, &opt, sizeof(opt));
-
-    struct sockaddr_in addr = {
-        .sin_family = AF_INET,
-        .sin_port = htons(PORT),
-        .sin_addr.s_addr = htonl(INADDR_LOOPBACK),
-    };
-
-    if (bind(server_fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
-        perror("bind");
-        return 1;
-    }
-
-    if (listen(server_fd, SOMAXCONN) < 0) {
-        perror("listen");
-        return 1;
-    }
-
-    set_nonblocking(server_fd);
-
-    int epoll_fd = epoll_create1(0);
-    struct epoll_event ev = {.events = EPOLLIN, .data.fd = server_fd};
-    epoll_ctl(epoll_fd, EPOLL_CTL_ADD, server_fd, &ev);
-
-    struct epoll_event events[MAX_EVENTS];
-    char buf[BUF_SIZE];
-
-    fprintf(stderr, "Listening on http://127.0.0.1:%d\n", PORT);
-
-    for (;;) {
-        int n = epoll_wait(epoll_fd, events, MAX_EVENTS, -1);
-        for (int i = 0; i < n; i++) {
-            if (events[i].data.fd == server_fd) {
-                /* Accept all pending connections */
-                for (;;) {
-                    int client_fd = accept(server_fd, NULL, NULL);
-                    if (client_fd < 0) {
-                        if (errno == EAGAIN || errno == EWOULDBLOCK)
-                            break;
-                        continue;
-                    }
-                    set_nonblocking(client_fd);
-                    int tcp_opt = 1;
-                    setsockopt(client_fd, IPPROTO_TCP, TCP_NODELAY, &tcp_opt, sizeof(tcp_opt));
-                    struct epoll_event cev = {.events = EPOLLIN | EPOLLET, .data.fd = client_fd};
-                    epoll_ctl(epoll_fd, EPOLL_CTL_ADD, client_fd, &cev);
-                }
-            } else {
-                int fd = events[i].data.fd;
-                /* Read all available data and respond to each request */
-                for (;;) {
-                    ssize_t nread = read(fd, buf, BUF_SIZE);
-                    if (nread <= 0) {
-                        if (nread == 0 || (errno != EAGAIN && errno != EWOULDBLOCK)) {
-                            close(fd);
-                        }
-                        break;
-                    }
-                    if (write(fd, RESPONSE, RESPONSE_LEN) < 0) {
-                        close(fd);
-                        break;
-                    }
-                }
-            }
-        }
-    }
-
-    close(server_fd);
-    close(epoll_fd);
-    return 0;
-}

cmd/cli/main.go

@@ -14,7 +14,7 @@ import (
 )
 
 func main() {
-	ctx, cancel := context.WithCancel(context.Background()) //nolint:gosec // G118: cancel is called in listenForTermination goroutine
+	ctx, cancel := context.WithCancel(context.Background())
 	go listenForTermination(func() { cancel() })
 
 	combinedConfig := config.ReadAllConfigs()

docs/examples.md

@@ -8,6 +8,7 @@ This guide provides practical examples for common Sarin use cases.
 - [Request-Based vs Duration-Based Tests](#request-based-vs-duration-based-tests)
 - [Headers, Cookies, and Parameters](#headers-cookies-and-parameters)
 - [Dynamic Requests with Templating](#dynamic-requests-with-templating)
+- [Solving Captchas](#solving-captchas)
 - [Request Bodies](#request-bodies)
 - [File Uploads](#file-uploads)
 - [Using Proxies](#using-proxies)
@@ -371,7 +372,29 @@ body: '{"ip": "{{ fakeit_IPv4Address }}", "timestamp": "{{ fakeit_Date }}", "act
 
 </details>
 
-> For the complete list of 320+ template functions, see the **[Templating Guide](templating.md)**.
+> For the complete list of 340+ template functions, see the **[Templating Guide](templating.md)**.
+
+## Solving Captchas
+
+Sarin can solve captchas through third-party services and embed the resulting token into the request. Three services are supported via dedicated template functions: **2Captcha**, **Anti-Captcha**, and **CapSolver**.
+
+**Solve a reCAPTCHA v2 and submit the token in the request body:**
+
+```sh
+sarin -U https://example.com/login -M POST -r 1 \
+  -B '{"g-recaptcha-response": "{{ twocaptcha_RecaptchaV2 "YOUR_API_KEY" "SITE_KEY" "https://example.com/login" }}"}'
+```
+
+**Reuse a single solved token across multiple requests via `values`:**
+
+```sh
+sarin -U https://example.com/api -M POST -r 5 \
+  -V 'TOKEN={{ anticaptcha_Turnstile "YOUR_API_KEY" "SITE_KEY" "https://example.com/api" }}' \
+  -H "X-Turnstile-Token: {{ .Values.TOKEN }}" \
+  -B '{"token": "{{ .Values.TOKEN }}"}'
+```
+
+> See the **[Templating Guide](templating.md#captcha-functions)** for the full list of captcha functions and per-service support.
 
 ## Request Bodies
 

docs/templating.md

@@ -4,16 +4,23 @@ Sarin supports Go templates in URL paths, methods, bodies, headers, params, cook
 
 > **Note:** Templating in URL host and scheme is not supported. Only the path portion of the URL can contain templates.
 
+> **Note:** Template rendering happens before the request is sent. The request timeout (`-T` / `timeout`) only governs the HTTP request itself and starts _after_ templates have finished rendering, so slow template functions (e.g. captcha solvers, remote `file_Read`) cannot cause a request timeout no matter how long they take.
+
 ## Table of Contents
 
 - [Using Values](#using-values)
 - [General Functions](#general-functions)
     - [String Functions](#string-functions)
     - [Collection Functions](#collection-functions)
+    - [JSON Functions](#json-functions)
     - [Time Functions](#time-functions)
     - [Crypto Functions](#crypto-functions)
     - [Body Functions](#body-functions)
     - [File Functions](#file-functions)
+- [Captcha Functions](#captcha-functions)
+    - [2Captcha](#2captcha)
+    - [Anti-Captcha](#anti-captcha)
+    - [CapSolver](#capsolver)
 - [Fake Data Functions](#fake-data-functions)
     - [File](#file)
     - [ID](#id)
@@ -111,6 +118,33 @@ sarin -U http://example.com/users \
 | `slice_Int(values ...int)`               | Create int slice                              | `{{ slice_Int 1 2 3 }}`                                  |
 | `slice_Uint(values ...uint)`             | Create uint slice                             | `{{ slice_Uint 1 2 3 }}`                                 |
 
+### JSON Functions
+
+Build JSON payloads programmatically without manual quoting or escaping. `json_Object` is the ergonomic shortcut for flat objects; `json_Encode` marshals any value (slice, map, etc.) to a JSON string.
+
+| Function                    | Description                                                                                            | Example                                               |
+| --------------------------- | ------------------------------------------------------------------------------------------------------ | ----------------------------------------------------- |
+| `json_Object(pairs ...any)` | Build an object from interleaved key-value pairs and return it as a JSON string. Keys must be strings. | `{{ json_Object "name" "Alice" "age" 30 }}`           |
+| `json_Encode(v any)`        | Marshal any value (slice, map, etc.) to a JSON string.                                                 | `{{ json_Encode (slice_Str "a" "b") }}` → `["a","b"]` |
+
+**Examples:**
+
+```yaml
+# Flat object with fake data
+body: '{{ json_Object "name" (fakeit_FirstName) "email" (fakeit_Email) }}'
+
+# Embed a solved captcha token
+body: '{{ json_Object "g-recaptcha-response" (twocaptcha_RecaptchaV2 "API_KEY" "SITE_KEY" "https://example.com") }}'
+
+# Encode a slice as a JSON array
+body: '{{ json_Encode (slice_Str "a" "b" "c") }}'
+
+# Encode a string dictionary (map[string]string)
+body: '{{ json_Encode (dict_Str "key1" "value1" "key2" "value2") }}'
+```
+
+> **Note:** Object keys are serialized in alphabetical order (Go's `encoding/json` default), not insertion order. For API payloads this is almost always fine because JSON key order is semantically irrelevant.
+
 ### Time Functions
 
 | Function                 | Description                                 | Example                                                                         |
@@ -196,6 +230,95 @@ values: "FILE_DATA={{ file_Base64 \"/path/to/file.bin\" }}"
 body: '{"data": "{{ .Values.FILE_DATA }}"}'
 ```
 
+## Captcha Functions
+
+Captcha functions solve a captcha challenge through a third-party solving service and return the resulting token, which can then be embedded directly into a request. They are intended for load testing endpoints protected by reCAPTCHA, hCaptcha, or Cloudflare Turnstile.
+
+The functions are organized by service: `twocaptcha_*`, `anticaptcha_*`, and `capsolver_*`. Each accepts the API key as the first argument so no global configuration is required — bring your own key and use any of the supported services per template.
+
+> **Important — performance and cost:**
+>
+> - **Each call is slow.** Solving typically takes ~5–60 seconds because the function blocks the template render until the third-party service returns a token. Internally the solver polls every 1s and gives up after 120s.
+> - **Each call costs money.** Every successful solve is billed by the captcha service (typically $0.001–$0.003 per solve). For high-volume tests, your captcha bill grows linearly with request count.
+
+**Common parameters across all captcha functions:**
+
+- `apiKey` - Your API key for the chosen captcha solving service
+- `siteKey` - The captcha sitekey extracted from the target page (e.g. the `data-sitekey` attribute on a reCAPTCHA, hCaptcha, or Turnstile element)
+- `pageURL` - The URL of the page where the captcha is hosted
+
+### 2Captcha
+
+Functions for the [2Captcha](https://2captcha.com) service. Note: 2Captcha **does not currently support hCaptcha** through their API.
+
+| Function                                                                 | Description                                                               |
+| ------------------------------------------------------------------------ | ------------------------------------------------------------------------- |
+| `twocaptcha_RecaptchaV2(apiKey, siteKey, pageURL string)`                | Solve a Google reCAPTCHA v2 challenge                                     |
+| `twocaptcha_RecaptchaV3(apiKey, siteKey, pageURL, pageAction string)`    | Solve a Google reCAPTCHA v3 challenge. Pass `""` for `pageAction` to omit |
+| `twocaptcha_Turnstile(apiKey, siteKey, pageURL string, cData ...string)` | Solve a Cloudflare Turnstile challenge. Optional `cData` argument         |
+
+### Anti-Captcha
+
+Functions for the [Anti-Captcha](https://anti-captcha.com) service. This is currently the only service that supports all four captcha types end-to-end.
+
+| Function                                                                  | Description                                                                                                           |
+| ------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------- |
+| `anticaptcha_RecaptchaV2(apiKey, siteKey, pageURL string)`                | Solve a Google reCAPTCHA v2 challenge                                                                                 |
+| `anticaptcha_RecaptchaV3(apiKey, siteKey, pageURL, pageAction string)`    | Solve a Google reCAPTCHA v3 challenge. `minScore` is hardcoded to `0.3` (Anti-Captcha rejects the request without it) |
+| `anticaptcha_HCaptcha(apiKey, siteKey, pageURL string)`                   | Solve an hCaptcha challenge                                                                                           |
+| `anticaptcha_Turnstile(apiKey, siteKey, pageURL string, cData ...string)` | Solve a Cloudflare Turnstile challenge. Optional `cData` argument                                                     |
+
+### CapSolver
+
+Functions for the [CapSolver](https://capsolver.com) service. Note: CapSolver no longer supports hCaptcha.
+
+| Function                                                                | Description                                                               |
+| ----------------------------------------------------------------------- | ------------------------------------------------------------------------- |
+| `capsolver_RecaptchaV2(apiKey, siteKey, pageURL string)`                | Solve a Google reCAPTCHA v2 challenge                                     |
+| `capsolver_RecaptchaV3(apiKey, siteKey, pageURL, pageAction string)`    | Solve a Google reCAPTCHA v3 challenge. Pass `""` for `pageAction` to omit |
+| `capsolver_Turnstile(apiKey, siteKey, pageURL string, cData ...string)` | Solve a Cloudflare Turnstile challenge. Optional `cData` argument         |
+
+**Examples:**
+
+```yaml
+# reCAPTCHA v2 in a JSON body via 2Captcha
+method: POST
+url: https://example.com/login
+body: |
+    {
+      "username": "test",
+      "g-recaptcha-response": "{{ twocaptcha_RecaptchaV2 "YOUR_API_KEY" "6LfD3PIb..." "https://example.com/login" }}"
+    }
+```
+
+```yaml
+# Turnstile via Anti-Captcha with cData
+method: POST
+url: https://example.com/submit
+body: |
+    {
+      "cf-turnstile-response": "{{ anticaptcha_Turnstile "YOUR_API_KEY" "0x4AAAAAAA..." "https://example.com/submit" "session-cdata" }}"
+    }
+```
+
+```yaml
+# hCaptcha via Anti-Captcha (the only service that still supports it)
+method: POST
+url: https://example.com/protected
+body: |
+    {
+      "h-captcha-response": "{{ anticaptcha_HCaptcha "YOUR_API_KEY" "338af34c-..." "https://example.com/protected" }}"
+    }
+```
+
+```yaml
+# Share a single solved token across body and headers via values
+values: 'TOKEN={{ capsolver_Turnstile "YOUR_API_KEY" "0x4AAAAAAA..." "https://example.com" }}'
+headers:
+    X-Turnstile-Token: "{{ .Values.TOKEN }}"
+body: '{"token": "{{ .Values.TOKEN }}"}'
+```
+
 ## Fake Data Functions
 
 These functions are powered by [gofakeit](https://github.com/brianvoe/gofakeit) library.

go.mod

@@ -6,42 +6,41 @@ require (
 	github.com/brianvoe/gofakeit/v7 v7.14.1
 	github.com/charmbracelet/bubbles v1.0.0
 	github.com/charmbracelet/bubbletea v1.3.10
-	github.com/charmbracelet/glamour v0.10.0
+	github.com/charmbracelet/glamour v1.0.0
 	github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834
 	github.com/charmbracelet/x/term v0.2.2
-	github.com/dop251/goja v0.0.0-20260106131823-651366fbe6e3
+	github.com/dop251/goja v0.0.0-20260311135729-065cd970411c
 	github.com/joho/godotenv v1.5.1
-	github.com/valyala/fasthttp v1.69.0
-	github.com/yuin/gopher-lua v1.1.1
+	github.com/valyala/fasthttp v1.70.0
+	github.com/yuin/gopher-lua v1.1.2
 	go.aykhans.me/utils v1.0.7
-	go.yaml.in/yaml/v4 v4.0.0-rc.3
+	go.yaml.in/yaml/v4 v4.0.0-rc.4
 	golang.org/x/net v0.52.0
 )
 
 require (
-	github.com/alecthomas/chroma/v2 v2.21.1 // indirect
-	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/alecthomas/chroma/v2 v2.23.1 // indirect
+	github.com/andybalholm/brotli v1.2.1 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
-	github.com/charmbracelet/colorprofile v0.4.1 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
 	github.com/charmbracelet/harmonica v0.2.0 // indirect
 	github.com/charmbracelet/x/ansi v0.11.6 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
-	github.com/charmbracelet/x/exp/slice v0.0.0-20260109001716-2fbdffcb221f // indirect
-	github.com/clipperhouse/displaywidth v0.9.0 // indirect
-	github.com/clipperhouse/stringish v0.1.1 // indirect
-	github.com/clipperhouse/uax29/v2 v2.5.0 // indirect
+	github.com/charmbracelet/x/exp/slice v0.0.0-20260329003944-7eda8903d971 // indirect
+	github.com/clipperhouse/displaywidth v0.11.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
-	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
-	github.com/google/pprof v0.0.0-20230207041349-798e818bf904 // indirect
+	github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
+	github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc // indirect
 	github.com/gorilla/css v1.0.1 // indirect
-	github.com/klauspost/compress v1.18.2 // indirect
-	github.com/lucasb-eyer/go-colorful v1.3.0 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
+	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
-	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.21 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
@@ -51,7 +50,7 @@ require (
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/yuin/goldmark v1.7.16 // indirect
+	github.com/yuin/goldmark v1.8.2 // indirect
 	github.com/yuin/goldmark-emoji v1.0.6 // indirect
 	golang.org/x/sys v0.42.0 // indirect
 	golang.org/x/term v0.41.0 // indirect

go.sum

@@ -2,12 +2,12 @@ github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
 github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
-github.com/alecthomas/chroma/v2 v2.21.1 h1:FaSDrp6N+3pphkNKU6HPCiYLgm8dbe5UXIXcoBhZSWA=
-github.com/alecthomas/chroma/v2 v2.21.1/go.mod h1:NqVhfBR0lte5Ouh3DcthuUCTUpDC9cxBOfyMbMQPs3o=
+github.com/alecthomas/chroma/v2 v2.23.1 h1:nv2AVZdTyClGbVQkIzlDm/rnhk1E9bU9nXwmZ/Vk/iY=
+github.com/alecthomas/chroma/v2 v2.23.1/go.mod h1:NqVhfBR0lte5Ouh3DcthuUCTUpDC9cxBOfyMbMQPs3o=
 github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
 github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
-github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
-github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
+github.com/andybalholm/brotli v1.2.1 h1:R+f5xP285VArJDRgowrfb9DqL18yVK0gKAW/F+eTWro=
+github.com/andybalholm/brotli v1.2.1/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
@@ -20,10 +20,10 @@ github.com/charmbracelet/bubbles v1.0.0 h1:12J8/ak/uCZEMQ6KU7pcfwceyjLlWsDLAxB5f
 github.com/charmbracelet/bubbles v1.0.0/go.mod h1:9d/Zd5GdnauMI5ivUIVisuEm3ave1XwXtD1ckyV6r3E=
 github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
 github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
-github.com/charmbracelet/colorprofile v0.4.1 h1:a1lO03qTrSIRaK8c3JRxJDZOvhvIeSco3ej+ngLk1kk=
-github.com/charmbracelet/colorprofile v0.4.1/go.mod h1:U1d9Dljmdf9DLegaJ0nGZNJvoXAhayhmidOdcBwAvKk=
-github.com/charmbracelet/glamour v0.10.0 h1:MtZvfwsYCx8jEPFJm3rIBFIMZUfUJ765oX8V6kXldcY=
-github.com/charmbracelet/glamour v0.10.0/go.mod h1:f+uf+I/ChNmqo087elLnVdCiVgjSKWuXa/l6NU2ndYk=
+github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
+github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
+github.com/charmbracelet/glamour v1.0.0 h1:AWMLOVFHTsysl4WV8T8QgkQ0s/ZNZo7CiE4WKhk8l08=
+github.com/charmbracelet/glamour v1.0.0/go.mod h1:DSdohgOBkMr2ZQNhw4LZxSGpx3SvpeujNoXrQyH2hxo=
 github.com/charmbracelet/harmonica v0.2.0 h1:8NxJWRWg/bzKqqEaaeFNipOu77YR5t8aSwG4pgaUBiQ=
 github.com/charmbracelet/harmonica v0.2.0/go.mod h1:KSri/1RMQOZLbw7AHqgcBycp8pgJnQMYYT8QZRqZ1Ao=
 github.com/charmbracelet/lipgloss v1.1.1-0.20250404203927-76690c660834 h1:ZR7e0ro+SZZiIZD7msJyA+NjkCNNavuiPBLgerbOziE=
@@ -34,45 +34,43 @@ github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMx
 github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91 h1:payRxjMjKgx2PaCWLZ4p3ro9y97+TVLZNaRZgJwSVDQ=
 github.com/charmbracelet/x/exp/golden v0.0.0-20241011142426-46044092ad91/go.mod h1:wDlXFlCrmJ8J+swcL/MnGUuYnqgQdW9rhSD61oNMb6U=
-github.com/charmbracelet/x/exp/slice v0.0.0-20260109001716-2fbdffcb221f h1:kvAY8ffwhFuxWqtVI6+9E5vmgTApG96hswFLXJfsxHI=
-github.com/charmbracelet/x/exp/slice v0.0.0-20260109001716-2fbdffcb221f/go.mod h1:vqEfX6xzqW1pKKZUUiFOKg0OQ7bCh54Q2vR/tserrRA=
+github.com/charmbracelet/x/exp/slice v0.0.0-20260329003944-7eda8903d971 h1:wae/9jUCdhUiuyCcOzZZ+vJEB7uJx+IvtTnpCqcW1ZQ=
+github.com/charmbracelet/x/exp/slice v0.0.0-20260329003944-7eda8903d971/go.mod h1:vqEfX6xzqW1pKKZUUiFOKg0OQ7bCh54Q2vR/tserrRA=
 github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
 github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
-github.com/clipperhouse/displaywidth v0.9.0 h1:Qb4KOhYwRiN3viMv1v/3cTBlz3AcAZX3+y9OLhMtAtA=
-github.com/clipperhouse/displaywidth v0.9.0/go.mod h1:aCAAqTlh4GIVkhQnJpbL0T/WfcrJXHcj8C0yjYcjOZA=
-github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
-github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
-github.com/clipperhouse/uax29/v2 v2.5.0 h1:x7T0T4eTHDONxFJsL94uKNKPHrclyFI0lm7+w94cO8U=
-github.com/clipperhouse/uax29/v2 v2.5.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
+github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
+github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dlclark/regexp2 v1.11.5 h1:Q/sSnsKerHeCkc/jSTNq1oCm7KiVgUMZRDUoRu0JQZQ=
 github.com/dlclark/regexp2 v1.11.5/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8=
-github.com/dop251/goja v0.0.0-20260106131823-651366fbe6e3 h1:bVp3yUzvSAJzu9GqID+Z96P+eu5TKnIMJSV4QaZMauM=
-github.com/dop251/goja v0.0.0-20260106131823-651366fbe6e3/go.mod h1:MxLav0peU43GgvwVgNbLAj1s/bSGboKkhuULvq/7hx4=
+github.com/dop251/goja v0.0.0-20260311135729-065cd970411c h1:OcLmPfx1T1RmZVHHFwWMPaZDdRf0DBMZOFMVWJa7Pdk=
+github.com/dop251/goja v0.0.0-20260311135729-065cd970411c/go.mod h1:MxLav0peU43GgvwVgNbLAj1s/bSGboKkhuULvq/7hx4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
-github.com/go-sourcemap/sourcemap v2.1.3+incompatible h1:W1iEw64niKVGogNgBN3ePyLFfuisuzeidWPMPWmECqU=
-github.com/go-sourcemap/sourcemap v2.1.3+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg=
-github.com/google/pprof v0.0.0-20230207041349-798e818bf904 h1:4/hN5RUoecvl+RmJRE2YxKWtnnQls6rQjjW5oV7qg2U=
-github.com/google/pprof v0.0.0-20230207041349-798e818bf904/go.mod h1:uglQLonpP8qtYCYyzA+8c/9qtqgA3qsXGYqCPKARAFg=
+github.com/go-sourcemap/sourcemap v2.1.4+incompatible h1:a+iTbH5auLKxaNwQFg0B+TCYl6lbukKPc7b5x0n1s6Q=
+github.com/go-sourcemap/sourcemap v2.1.4+incompatible/go.mod h1:F8jJfvm2KbVjc5NqelyYJmf/v5J0dwNLS2mL4sNA1Jg=
+github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc h1:VBbFa1lDYWEeV5FZKUiYKYT0VxCp9twUmmaq9eb8sXw=
+github.com/google/pprof v0.0.0-20260302011040-a15ffb7f9dcc/go.mod h1:MxpfABSjhmINe3F1It9d+8exIHFvUqtLIRCdOGNXqiI=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
 github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
-github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
-github.com/lucasb-eyer/go-colorful v1.3.0 h1:2/yBRLdWBZKrf7gB40FoiKfAWYQ0lqNcbuQwVHXptag=
-github.com/lucasb-eyer/go-colorful v1.3.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
+github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4=
+github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
-github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
-github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mattn/go-runewidth v0.0.21 h1:jJKAZiQH+2mIinzCJIaIG9Be1+0NR+5sz/lYEEjdM8w=
+github.com/mattn/go-runewidth v0.0.21/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/microcosm-cc/bluemonday v1.0.27 h1:MpEUotklkwCSLeH+Qdx1VJgNqLlpY2KXwXFM08ygZfk=
 github.com/microcosm-cc/bluemonday v1.0.27/go.mod h1:jFi9vgW+H7c3V0lb6nR74Ib/DIB5OBs92Dimizgw2cA=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
@@ -93,22 +91,22 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
-github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZyVI=
-github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
+github.com/valyala/fasthttp v1.70.0 h1:LAhMGcWk13QZWm85+eg8ZBNbrq5mnkWFGbHMUJHIdXA=
+github.com/valyala/fasthttp v1.70.0/go.mod h1:oDZEHHkJ/Buyklg6uURmYs19442zFSnCIfX3j1FY3pE=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
 github.com/xyproto/randomstring v1.0.5/go.mod h1:rgmS5DeNXLivK7YprL0pY+lTuhNQW3iGxZ18UQApw/E=
-github.com/yuin/goldmark v1.7.16 h1:n+CJdUxaFMiDUNnWC3dMWCIQJSkxH4uz3ZwQBkAlVNE=
-github.com/yuin/goldmark v1.7.16/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
+github.com/yuin/goldmark v1.8.2 h1:kEGpgqJXdgbkhcOgBxkC0X0PmoPG1ZyoZ117rDVp4zE=
+github.com/yuin/goldmark v1.8.2/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
 github.com/yuin/goldmark-emoji v1.0.6 h1:QWfF2FYaXwL74tfGOW5izeiZepUDroDJfWubQI9HTHs=
 github.com/yuin/goldmark-emoji v1.0.6/go.mod h1:ukxJDKFpdFb5x0a5HqbdlcKtebh086iJpI31LTKmWuA=
-github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M=
-github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw=
+github.com/yuin/gopher-lua v1.1.2 h1:yF/FjE3hD65tBbt0VXLE13HWS9h34fdzJmrWRXwobGA=
+github.com/yuin/gopher-lua v1.1.2/go.mod h1:7aRmXIWl37SqRf0koeyylBEzJ+aPt8A+mmkQ4f1ntR8=
 go.aykhans.me/utils v1.0.7 h1:ClHXHlWmkjfFlD7+w5BQY29lKCEztxY/yCf543x4hZw=
 go.aykhans.me/utils v1.0.7/go.mod h1:0Jz8GlZLN35cCHLOLx39sazWwEe33bF6SYlSeqzEXoI=
-go.yaml.in/yaml/v4 v4.0.0-rc.3 h1:3h1fjsh1CTAPjW7q/EMe+C8shx5d8ctzZTrLcs/j8Go=
-go.yaml.in/yaml/v4 v4.0.0-rc.3/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
+go.yaml.in/yaml/v4 v4.0.0-rc.4 h1:UP4+v6fFrBIb1l934bDl//mmnoIZEDK0idg1+AIvX5U=
+go.yaml.in/yaml/v4 v4.0.0-rc.4/go.mod h1:aZqd9kCMsGL7AuUv/m/PvWLdg5sjJsZ4oHDEnfPPfY0=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
 golang.org/x/net v0.52.0 h1:He/TN1l0e4mmR3QqHMT2Xab3Aj3L9qjbhRm78/6jrW0=

internal/sarin/captcha.go

@@ -0,0 +1,396 @@
+package sarin
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+	"time"
+
+	"go.aykhans.me/sarin/internal/types"
+)
+
+const (
+	captchaPollInterval = 1 * time.Second
+	captchaTimeout      = 120 * time.Second
+)
+
+var captchaHTTPClient = &http.Client{Timeout: captchaTimeout}
+
+// solveCaptcha creates a task on the given captcha service and polls until it is solved,
+// returning the extracted token from the solution object.
+//
+// baseURL is the service API base (e.g. "https://api.2captcha.com").
+// task is the task payload the service expects (type + service-specific fields).
+// solutionKey is the field name in the solution object that holds the token.
+// taskIDIsString controls whether taskId is sent back as a string (CapSolver UUIDs)
+// or a JSON number (2Captcha, Anti-Captcha).
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func solveCaptcha(baseURL, apiKey string, task map[string]any, solutionKey string, taskIDIsString bool) (string, error) {
+	if apiKey == "" {
+		return "", types.ErrCaptchaKeyEmpty
+	}
+
+	taskID, err := captchaCreateTask(baseURL, apiKey, task)
+	if err != nil {
+		return "", err
+	}
+	return captchaPollResult(baseURL, apiKey, taskID, solutionKey, taskIDIsString)
+}
+
+// captchaCreateTask submits a task to the captcha service and returns the assigned taskId.
+// The taskId is normalized to a string: numeric IDs are preserved via json.RawMessage,
+// and quoted string IDs (CapSolver UUIDs) have their surrounding quotes stripped.
+//
+// It can return the following errors:
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+func captchaCreateTask(baseURL, apiKey string, task map[string]any) (string, error) {
+	body := map[string]any{
+		"clientKey": apiKey,
+		"task":      task,
+	}
+
+	data, err := json.Marshal(body)
+	if err != nil {
+		return "", types.NewCaptchaRequestError("createTask", err)
+	}
+
+	resp, err := captchaHTTPClient.Post(
+		baseURL+"/createTask",
+		"application/json",
+		bytes.NewReader(data),
+	)
+	if err != nil {
+		return "", types.NewCaptchaRequestError("createTask", err)
+	}
+	defer resp.Body.Close() //nolint:errcheck
+
+	var result struct {
+		ErrorID          int             `json:"errorId"`
+		ErrorCode        string          `json:"errorCode"`
+		ErrorDescription string          `json:"errorDescription"`
+		TaskID           json.RawMessage `json:"taskId"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", types.NewCaptchaRequestError("createTask", err)
+	}
+
+	if result.ErrorID != 0 {
+		return "", types.NewCaptchaAPIError("createTask", result.ErrorCode, result.ErrorDescription)
+	}
+
+	// taskId may be a JSON number (2captcha, anti-captcha) or a quoted string (capsolver UUIDs).
+	// Strip surrounding quotes if present so we always work with the underlying value.
+	taskID := strings.Trim(string(result.TaskID), `"`)
+	if taskID == "" {
+		return "", types.NewCaptchaAPIError("createTask", "EMPTY_TASK_ID", "service returned a successful response with no taskId")
+	}
+	return taskID, nil
+}
+
+// captchaPollResult polls the getTaskResult endpoint at captchaPollInterval until the task
+// is solved, an error is returned by the service, or the overall captchaTimeout is hit.
+//
+// It can return the following errors:
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaSolutionKeyError
+func captchaPollResult(baseURL, apiKey, taskID, solutionKey string, taskIDIsString bool) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), captchaTimeout)
+	defer cancel()
+
+	ticker := time.NewTicker(captchaPollInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return "", types.NewCaptchaTimeoutError(taskID)
+		case <-ticker.C:
+			token, err := captchaGetTaskResult(baseURL, apiKey, taskID, solutionKey, taskIDIsString)
+			if errors.Is(err, types.ErrCaptchaProcessing) {
+				continue
+			}
+			if err != nil {
+				return "", err
+			}
+			return token, nil
+		}
+	}
+}
+
+// captchaGetTaskResult fetches a single task result from the captcha service.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaProcessing
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaSolutionKeyError
+func captchaGetTaskResult(baseURL, apiKey, taskID, solutionKey string, taskIDIsString bool) (string, error) {
+	var bodyMap map[string]any
+	if taskIDIsString {
+		bodyMap = map[string]any{"clientKey": apiKey, "taskId": taskID}
+	} else {
+		bodyMap = map[string]any{"clientKey": apiKey, "taskId": json.Number(taskID)}
+	}
+
+	data, err := json.Marshal(bodyMap)
+	if err != nil {
+		return "", types.NewCaptchaRequestError("getTaskResult", err)
+	}
+
+	resp, err := captchaHTTPClient.Post(
+		baseURL+"/getTaskResult",
+		"application/json",
+		bytes.NewReader(data),
+	)
+	if err != nil {
+		return "", types.NewCaptchaRequestError("getTaskResult", err)
+	}
+	defer resp.Body.Close() //nolint:errcheck
+
+	var result struct {
+		ErrorID          int            `json:"errorId"`
+		ErrorCode        string         `json:"errorCode"`
+		ErrorDescription string         `json:"errorDescription"`
+		Status           string         `json:"status"`
+		Solution         map[string]any `json:"solution"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		return "", types.NewCaptchaRequestError("getTaskResult", err)
+	}
+
+	if result.ErrorID != 0 {
+		return "", types.NewCaptchaAPIError("getTaskResult", result.ErrorCode, result.ErrorDescription)
+	}
+
+	if result.Status == "processing" || result.Status == "idle" {
+		return "", types.ErrCaptchaProcessing
+	}
+
+	token, ok := result.Solution[solutionKey]
+	if !ok {
+		return "", types.NewCaptchaSolutionKeyError(solutionKey)
+	}
+	tokenStr, ok := token.(string)
+	if !ok {
+		return "", types.NewCaptchaSolutionKeyError(solutionKey)
+	}
+
+	return tokenStr, nil
+}
+
+// ======================================== 2Captcha ========================================
+
+const twoCaptchaBaseURL = "https://api.2captcha.com"
+
+// twoCaptchaSolveRecaptchaV2 solves a Google reCAPTCHA v2 challenge via 2Captcha.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func twoCaptchaSolveRecaptchaV2(apiKey, websiteURL, websiteKey string) (string, error) {
+	return solveCaptcha(twoCaptchaBaseURL, apiKey, map[string]any{
+		"type":       "RecaptchaV2TaskProxyless",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}, "gRecaptchaResponse", false)
+}
+
+// twoCaptchaSolveRecaptchaV3 solves a Google reCAPTCHA v3 challenge via 2Captcha.
+// pageAction may be empty.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func twoCaptchaSolveRecaptchaV3(apiKey, websiteURL, websiteKey, pageAction string) (string, error) {
+	task := map[string]any{
+		"type":       "RecaptchaV3TaskProxyless",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}
+	if pageAction != "" {
+		task["pageAction"] = pageAction
+	}
+	return solveCaptcha(twoCaptchaBaseURL, apiKey, task, "gRecaptchaResponse", false)
+}
+
+// twoCaptchaSolveTurnstile solves a Cloudflare Turnstile challenge via 2Captcha.
+// cData may be empty.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func twoCaptchaSolveTurnstile(apiKey, websiteURL, websiteKey, cData string) (string, error) {
+	task := map[string]any{
+		"type":       "TurnstileTaskProxyless",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}
+	if cData != "" {
+		task["data"] = cData
+	}
+	return solveCaptcha(twoCaptchaBaseURL, apiKey, task, "token", false)
+}
+
+// ======================================== Anti-Captcha ========================================
+
+const antiCaptchaBaseURL = "https://api.anti-captcha.com"
+
+// antiCaptchaSolveRecaptchaV2 solves a Google reCAPTCHA v2 challenge via Anti-Captcha.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func antiCaptchaSolveRecaptchaV2(apiKey, websiteURL, websiteKey string) (string, error) {
+	return solveCaptcha(antiCaptchaBaseURL, apiKey, map[string]any{
+		"type":       "RecaptchaV2TaskProxyless",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}, "gRecaptchaResponse", false)
+}
+
+// antiCaptchaSolveRecaptchaV3 solves a Google reCAPTCHA v3 challenge via Anti-Captcha.
+// pageAction may be empty. minScore is hardcoded to 0.3 (the loosest threshold) because
+// Anti-Captcha rejects the request without it.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func antiCaptchaSolveRecaptchaV3(apiKey, websiteURL, websiteKey, pageAction string) (string, error) {
+	task := map[string]any{
+		"type":       "RecaptchaV3TaskProxyless",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+		"minScore":   0.3,
+	}
+	if pageAction != "" {
+		task["pageAction"] = pageAction
+	}
+	return solveCaptcha(antiCaptchaBaseURL, apiKey, task, "gRecaptchaResponse", false)
+}
+
+// antiCaptchaSolveHCaptcha solves an hCaptcha challenge via Anti-Captcha.
+// Anti-Captcha returns hCaptcha tokens under "gRecaptchaResponse" (not "token").
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func antiCaptchaSolveHCaptcha(apiKey, websiteURL, websiteKey string) (string, error) {
+	return solveCaptcha(antiCaptchaBaseURL, apiKey, map[string]any{
+		"type":       "HCaptchaTaskProxyless",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}, "gRecaptchaResponse", false)
+}
+
+// antiCaptchaSolveTurnstile solves a Cloudflare Turnstile challenge via Anti-Captcha.
+// cData may be empty.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func antiCaptchaSolveTurnstile(apiKey, websiteURL, websiteKey, cData string) (string, error) {
+	task := map[string]any{
+		"type":       "TurnstileTaskProxyless",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}
+	if cData != "" {
+		task["cData"] = cData
+	}
+	return solveCaptcha(antiCaptchaBaseURL, apiKey, task, "token", false)
+}
+
+// ======================================== CapSolver ========================================
+
+const capSolverBaseURL = "https://api.capsolver.com"
+
+// capSolverSolveRecaptchaV2 solves a Google reCAPTCHA v2 challenge via CapSolver.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func capSolverSolveRecaptchaV2(apiKey, websiteURL, websiteKey string) (string, error) {
+	return solveCaptcha(capSolverBaseURL, apiKey, map[string]any{
+		"type":       "ReCaptchaV2TaskProxyLess",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}, "gRecaptchaResponse", true)
+}
+
+// capSolverSolveRecaptchaV3 solves a Google reCAPTCHA v3 challenge via CapSolver.
+// pageAction may be empty.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func capSolverSolveRecaptchaV3(apiKey, websiteURL, websiteKey, pageAction string) (string, error) {
+	task := map[string]any{
+		"type":       "ReCaptchaV3TaskProxyLess",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}
+	if pageAction != "" {
+		task["pageAction"] = pageAction
+	}
+	return solveCaptcha(capSolverBaseURL, apiKey, task, "gRecaptchaResponse", true)
+}
+
+// capSolverSolveTurnstile solves a Cloudflare Turnstile challenge via CapSolver.
+// cData may be empty. CapSolver nests cData under a "metadata" object.
+//
+// It can return the following errors:
+//   - types.ErrCaptchaKeyEmpty
+//   - types.CaptchaRequestError
+//   - types.CaptchaAPIError
+//   - types.CaptchaTimeoutError
+//   - types.CaptchaSolutionKeyError
+func capSolverSolveTurnstile(apiKey, websiteURL, websiteKey, cData string) (string, error) {
+	task := map[string]any{
+		"type":       "AntiTurnstileTaskProxyLess",
+		"websiteURL": websiteURL,
+		"websiteKey": websiteKey,
+	}
+	if cData != "" {
+		task["metadata"] = map[string]any{"cdata": cData}
+	}
+	return solveCaptcha(capSolverBaseURL, apiKey, task, "token", true)
+}

internal/sarin/helpers.go

@@ -12,3 +12,10 @@ func NewDefaultRandSource() rand.Source {
 		uint64(now>>32),
 	)
 }
+
+func firstOrEmpty(values []string) string {
+	if len(values) == 0 {
+		return ""
+	}
+	return values[0]
+}

internal/sarin/template.go

@@ -7,6 +7,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
+	"encoding/json"
 	"math/rand/v2"
 	"mime/multipart"
 	"strings"
@@ -85,6 +86,38 @@ func NewDefaultTemplateFuncMap(randSource rand.Source, fileCache *FileCache) tem
 		"slice_Uint": func(values ...uint) []uint { return values },
 		"slice_Join": strings.Join,
 
+		// JSON
+		// json_Encode marshals any value to a JSON string.
+		// Usage: {{ json_Encode (dict_Str "key" "value") }}
+		"json_Encode": func(v any) (string, error) {
+			data, err := json.Marshal(v)
+			if err != nil {
+				return "", types.NewJSONEncodeError(err)
+			}
+			return string(data), nil
+		},
+		// json_Object builds a JSON object from interleaved key-value pairs and returns it
+		// as a JSON string. Keys must be strings; values may be any JSON-encodable type.
+		// Usage: {{ json_Object "name" "Alice" "age" 30 }}
+		"json_Object": func(pairs ...any) (string, error) {
+			if len(pairs)%2 != 0 {
+				return "", types.ErrJSONObjectOddArgs
+			}
+			obj := make(map[string]any, len(pairs)/2)
+			for i := 0; i < len(pairs); i += 2 {
+				key, ok := pairs[i].(string)
+				if !ok {
+					return "", types.NewJSONObjectKeyError(i, pairs[i])
+				}
+				obj[key] = pairs[i+1]
+			}
+			data, err := json.Marshal(obj)
+			if err != nil {
+				return "", types.NewJSONEncodeError(err)
+			}
+			return string(data), nil
+		},
+
 		// Time
 		"time_NowUnix":      func() int64 { return time.Now().Unix() },
 		"time_NowUnixMilli": func() int64 { return time.Now().UnixMilli() },
@@ -574,8 +607,7 @@ func NewDefaultTemplateFuncMap(randSource rand.Source, fileCache *FileCache) tem
 		"fakeit_ErrorHTTP":       func() string { return fakeit.ErrorHTTP().Error() },
 		"fakeit_ErrorHTTPClient": func() string { return fakeit.ErrorHTTPClient().Error() },
 		"fakeit_ErrorHTTPServer": func() string { return fakeit.ErrorHTTPServer().Error() },
-		// "fakeit_ErrorInput": func() string { return fakeit.ErrorInput().Error() },
-		"fakeit_ErrorRuntime": func() string { return fakeit.ErrorRuntime().Error() },
+		"fakeit_ErrorRuntime":    func() string { return fakeit.ErrorRuntime().Error() },
 
 		// Fakeit / School
 		"fakeit_School": fakeit.School,
@@ -585,6 +617,55 @@ func NewDefaultTemplateFuncMap(randSource rand.Source, fileCache *FileCache) tem
 		"fakeit_SongName":   fakeit.SongName,
 		"fakeit_SongArtist": fakeit.SongArtist,
 		"fakeit_SongGenre":  fakeit.SongGenre,
+
+		// Captcha / 2Captcha
+		// Usage: {{ twocaptcha_RecaptchaV2 "API_KEY" "SITE_KEY" "https://example.com" }}
+		"twocaptcha_RecaptchaV2": func(apiKey, websiteKey, websiteURL string) (string, error) {
+			return twoCaptchaSolveRecaptchaV2(apiKey, websiteURL, websiteKey)
+		},
+		// Usage: {{ twocaptcha_RecaptchaV3 "API_KEY" "SITE_KEY" "https://example.com" "action" }}
+		"twocaptcha_RecaptchaV3": func(apiKey, websiteKey, websiteURL, pageAction string) (string, error) {
+			return twoCaptchaSolveRecaptchaV3(apiKey, websiteURL, websiteKey, pageAction)
+		},
+		// Usage: {{ twocaptcha_Turnstile "API_KEY" "SITE_KEY" "https://example.com" }}
+		//        {{ twocaptcha_Turnstile "API_KEY" "SITE_KEY" "https://example.com" "cdata" }}
+		"twocaptcha_Turnstile": func(apiKey, websiteKey, websiteURL string, cData ...string) (string, error) {
+			return twoCaptchaSolveTurnstile(apiKey, websiteURL, websiteKey, firstOrEmpty(cData))
+		},
+
+		// Captcha / Anti-Captcha
+		// Usage: {{ anticaptcha_RecaptchaV2 "API_KEY" "SITE_KEY" "https://example.com" }}
+		"anticaptcha_RecaptchaV2": func(apiKey, websiteKey, websiteURL string) (string, error) {
+			return antiCaptchaSolveRecaptchaV2(apiKey, websiteURL, websiteKey)
+		},
+		// Usage: {{ anticaptcha_RecaptchaV3 "API_KEY" "SITE_KEY" "https://example.com" "action" }}
+		"anticaptcha_RecaptchaV3": func(apiKey, websiteKey, websiteURL, pageAction string) (string, error) {
+			return antiCaptchaSolveRecaptchaV3(apiKey, websiteURL, websiteKey, pageAction)
+		},
+		// Usage: {{ anticaptcha_HCaptcha "API_KEY" "SITE_KEY" "https://example.com" }}
+		"anticaptcha_HCaptcha": func(apiKey, websiteKey, websiteURL string) (string, error) {
+			return antiCaptchaSolveHCaptcha(apiKey, websiteURL, websiteKey)
+		},
+		// Usage: {{ anticaptcha_Turnstile "API_KEY" "SITE_KEY" "https://example.com" }}
+		//        {{ anticaptcha_Turnstile "API_KEY" "SITE_KEY" "https://example.com" "cdata" }}
+		"anticaptcha_Turnstile": func(apiKey, websiteKey, websiteURL string, cData ...string) (string, error) {
+			return antiCaptchaSolveTurnstile(apiKey, websiteURL, websiteKey, firstOrEmpty(cData))
+		},
+
+		// Captcha / CapSolver
+		// Usage: {{ capsolver_RecaptchaV2 "API_KEY" "SITE_KEY" "https://example.com" }}
+		"capsolver_RecaptchaV2": func(apiKey, websiteKey, websiteURL string) (string, error) {
+			return capSolverSolveRecaptchaV2(apiKey, websiteURL, websiteKey)
+		},
+		// Usage: {{ capsolver_RecaptchaV3 "API_KEY" "SITE_KEY" "https://example.com" "action" }}
+		"capsolver_RecaptchaV3": func(apiKey, websiteKey, websiteURL, pageAction string) (string, error) {
+			return capSolverSolveRecaptchaV3(apiKey, websiteURL, websiteKey, pageAction)
+		},
+		// Usage: {{ capsolver_Turnstile "API_KEY" "SITE_KEY" "https://example.com" }}
+		//        {{ capsolver_Turnstile "API_KEY" "SITE_KEY" "https://example.com" "cdata" }}
+		"capsolver_Turnstile": func(apiKey, websiteKey, websiteURL string, cData ...string) (string, error) {
+			return capSolverSolveTurnstile(apiKey, websiteURL, websiteKey, firstOrEmpty(cData))
+		},
 	}
 }
 

internal/types/errors.go

@@ -208,8 +208,41 @@ func (e URLParseError) Unwrap() error {
 var (
 	ErrFileCacheNotInitialized = errors.New("file cache is not initialized")
 	ErrFormDataOddArgs         = errors.New("body_FormData requires an even number of arguments (key-value pairs)")
+	ErrJSONObjectOddArgs       = errors.New("json_Object requires an even number of arguments (key-value pairs)")
 )
 
+type JSONObjectKeyError struct {
+	Index int
+	Value any
+}
+
+func NewJSONObjectKeyError(index int, value any) JSONObjectKeyError {
+	return JSONObjectKeyError{Index: index, Value: value}
+}
+
+func (e JSONObjectKeyError) Error() string {
+	return fmt.Sprintf("json_Object key at index %d must be a string, got %T", e.Index, e.Value)
+}
+
+type JSONEncodeError struct {
+	Err error
+}
+
+func NewJSONEncodeError(err error) JSONEncodeError {
+	if err == nil {
+		err = errNoError
+	}
+	return JSONEncodeError{Err: err}
+}
+
+func (e JSONEncodeError) Error() string {
+	return "json_Encode failed: " + e.Err.Error()
+}
+
+func (e JSONEncodeError) Unwrap() error {
+	return e.Err
+}
+
 type TemplateParseError struct {
 	Err error
 }
@@ -442,3 +475,71 @@ func NewScriptUnknownEngineError(engineType string) ScriptUnknownEngineError {
 func (e ScriptUnknownEngineError) Error() string {
 	return "unknown engine type: " + e.EngineType
 }
+
+// ======================================== Captcha ========================================
+
+var (
+	ErrCaptchaKeyEmpty = errors.New("captcha API key cannot be empty")
+	// ErrCaptchaProcessing is an internal sentinel returned by the captcha solver polling
+	// code to signal that a task is not yet solved and polling should continue.
+	// It should never be surfaced to callers outside of the captcha poll loop.
+	ErrCaptchaProcessing = errors.New("captcha task still processing")
+)
+
+type CaptchaAPIError struct {
+	Endpoint    string
+	Code        string
+	Description string
+}
+
+func NewCaptchaAPIError(endpoint, code, description string) CaptchaAPIError {
+	return CaptchaAPIError{Endpoint: endpoint, Code: code, Description: description}
+}
+
+func (e CaptchaAPIError) Error() string {
+	return fmt.Sprintf("captcha %s error: %s (%s)", e.Endpoint, e.Code, e.Description)
+}
+
+type CaptchaRequestError struct {
+	Endpoint string
+	Err      error
+}
+
+func NewCaptchaRequestError(endpoint string, err error) CaptchaRequestError {
+	if err == nil {
+		err = errNoError
+	}
+	return CaptchaRequestError{Endpoint: endpoint, Err: err}
+}
+
+func (e CaptchaRequestError) Error() string {
+	return fmt.Sprintf("captcha %s request failed: %v", e.Endpoint, e.Err)
+}
+
+func (e CaptchaRequestError) Unwrap() error {
+	return e.Err
+}
+
+type CaptchaTimeoutError struct {
+	TaskID string
+}
+
+func NewCaptchaTimeoutError(taskID string) CaptchaTimeoutError {
+	return CaptchaTimeoutError{TaskID: taskID}
+}
+
+func (e CaptchaTimeoutError) Error() string {
+	return fmt.Sprintf("captcha solving timed out (taskId: %s)", e.TaskID)
+}
+
+type CaptchaSolutionKeyError struct {
+	Key string
+}
+
+func NewCaptchaSolutionKeyError(key string) CaptchaSolutionKeyError {
+	return CaptchaSolutionKeyError{Key: key}
+}
+
+func (e CaptchaSolutionKeyError) Error() string {
+	return fmt.Sprintf("captcha solution missing expected key %q", e.Key)
+}