diff --git a/.gitignore b/.gitignore
index 60e0dc641..8a0fdc77f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ tools/authenticator/access_tokens.txt
 *.txt
 aurora
 chatgpttoapi
+chatgpt2api
 tools/authenticator/.proxies.txt.swp
 .env
 *.har
@@ -16,4 +17,6 @@ tools/authenticator/.proxies.txt.swp
 .claude
 .gocache
 .atomcode
-CLAUDE.md
\ No newline at end of file
+CLAUDE.md
+MIGRATION_PLAN.md
+_scratch/
\ No newline at end of file
diff --git a/VERSION b/VERSION
index cc6612c36..a6254504e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.3.0
\ No newline at end of file
+2.3.1
\ No newline at end of file
diff --git a/conversion/requests/chatgpt/convert.go b/conversion/requests/chatgpt/convert.go
index b5300babc..9763ed81e 100644
--- a/conversion/requests/chatgpt/convert.go
+++ b/conversion/requests/chatgpt/convert.go
@@ -5,10 +5,14 @@ import (
 	"aurora/internal/tokens"
 	chatgpt_types "aurora/typings/chatgpt"
 	official_types "aurora/typings/official"
+	"aurora/httpclient"
+	"encoding/base64"
+	"io"
+	"net/http"
 	"strings"
 )
 
-func ConvertAPIRequest(api_request official_types.APIRequest, secret *tokens.Secret, proxy string) chatgpt_types.ChatGPTRequest {
+func ConvertAPIRequest(api_request official_types.APIRequest, secret *tokens.Secret, proxy string, client httpclient.AuroraHttpClient) chatgpt_types.ChatGPTRequest {
 	chatgpt_request := chatgpt_types.NewChatGPTRequest()
 
 	// Model is passed directly to upstream; default to "auto" if not provided
@@ -22,7 +26,7 @@ func ConvertAPIRequest(api_request official_types.APIRequest, secret *tokens.Sec
 		if apiMessage.Role == "system" {
 			apiMessage.Role = "critic"
 		}
-		parts, metadata := buildMessageParts(apiMessage)
+		parts, metadata := buildMessageParts(apiMessage, client, secret, proxy)
 		if len(metadata) > 0 {
 			chatgpt_request.AddMultimodalMessage(apiMessage.Role, parts, metadata)
 			continue
@@ -39,9 +43,9 @@ func ConvertTTSAPIRequest(input string) chatgpt_types.ChatGPTRequest {
 	return chatgpt_request
 }
 
-func buildMessageParts(message official_types.APIMessage) ([]interface{}, map[string]interface{}) {
+func buildMessageParts(message official_types.APIMessage, client httpclient.AuroraHttpClient, secret *tokens.Secret, proxy string) ([]interface{}, map[string]interface{}) {
 	text := message.Text()
-	files := enrichFiles(message.Files())
+	files := enrichFiles(message.Files(), client, secret, proxy)
 	if len(files) == 0 {
 		return []interface{}{text}, nil
 	}
@@ -106,7 +110,7 @@ func buildMessageParts(message official_types.APIMessage) ([]interface{}, map[st
 	}
 }
 
-func enrichFiles(files []official_types.FileAttachment) []official_types.FileAttachment {
+func enrichFiles(files []official_types.FileAttachment, client httpclient.AuroraHttpClient, secret *tokens.Secret, proxy string) []official_types.FileAttachment {
 	enriched := make([]official_types.FileAttachment, 0, len(files))
 	seen := make(map[string]bool)
 	for _, file := range files {
@@ -114,7 +118,18 @@ func enrichFiles(files []official_types.FileAttachment) []official_types.FileAtt
 		if id == "" || seen[id] {
 			continue
 		}
-		if uploaded, ok := backendchatgpt.LookupUploadedFile(id); ok {
+
+		// 处理 image_url 的 inline 数据(data: URL 或 http URL)
+		if file.Source != "" && client != nil && secret != nil {
+			if uploaded, ok := uploadInlineImage(file, client, secret, proxy); ok {
+				file = uploaded
+			} else {
+				// 免费账号或上传失败:丢弃图片,只保留文本
+				continue
+			}
+		}
+
+		if uploaded, ok := backendchatgpt.LookupUploadedFile(fileID(file)); ok {
 			if file.ID == "" {
 				file.ID = uploaded.ID
 			}
@@ -137,12 +152,109 @@ func enrichFiles(files []official_types.FileAttachment) []official_types.FileAtt
 				file.LibraryFileID = uploaded.LibraryFileID
 			}
 		}
-		seen[id] = true
+		seen[fileID(file)] = true
 		enriched = append(enriched, file)
 	}
 	return enriched
 }
 
+// uploadInlineImage 将 data: URL 或 http URL 图片上传到 ChatGPT 文件服务。
+func uploadInlineImage(file official_types.FileAttachment, client httpclient.AuroraHttpClient, secret *tokens.Secret, proxy string) (official_types.FileAttachment, bool) {
+	src := file.Source
+	var data []byte
+	var filename string
+	var contentType string
+
+	if strings.HasPrefix(src, "data:") {
+		// data:image/png;base64,iVBOR...
+		commaIdx := strings.Index(src, ",")
+		if commaIdx < 0 {
+			return file, false
+		}
+		meta := src[:commaIdx]
+		b64data := src[commaIdx+1:]
+		// 提取 mime type
+		if semiIdx := strings.Index(meta, ";"); semiIdx > 5 {
+			contentType = meta[5:semiIdx]
+		}
+		var err error
+		data, err = base64.StdEncoding.DecodeString(b64data)
+		if err != nil {
+			// 尝试 raw base64
+			data, err = base64.RawStdEncoding.DecodeString(b64data)
+			if err != nil {
+				return file, false
+			}
+		}
+		filename = "image.png"
+		if contentType == "" {
+			contentType = "image/png"
+		}
+	} else if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") {
+		// 下载远程图片
+		resp, err := http.Get(src)
+		if err != nil {
+			return file, false
+		}
+		defer resp.Body.Close()
+		if resp.StatusCode != 200 {
+			return file, false
+		}
+		data, err = io.ReadAll(resp.Body)
+		if err != nil {
+			return file, false
+		}
+		contentType = resp.Header.Get("Content-Type")
+		filename = guessFilenameFromURL(src)
+	} else {
+		return file, false
+	}
+
+	if len(data) == 0 {
+		return file, false
+	}
+	if contentType == "" {
+		contentType = http.DetectContentType(data)
+	}
+	if filename == "" {
+		filename = "image.png"
+	}
+
+	uploaded, _, err := backendchatgpt.UploadFile(client, secret, proxy, filename, contentType, data)
+	if err != nil {
+		// 免费 token 无法上传文件,回退:把 data URL 原样传递
+		return file, false
+	}
+
+	return official_types.FileAttachment{
+		ID:            uploaded.FileID,
+		FileID:        uploaded.FileID,
+		Name:          uploaded.Filename,
+		FileName:      uploaded.Filename,
+		Filename:      uploaded.Filename,
+		MimeType:      uploaded.MimeType,
+		MIMEType:      uploaded.MimeType,
+		Size:          uploaded.Bytes,
+		Width:         uploaded.Width,
+		Height:        uploaded.Height,
+		LibraryFileID: uploaded.LibraryFileID,
+	}, true
+}
+
+func guessFilenameFromURL(url string) string {
+	idx := strings.LastIndex(url, "/")
+	if idx >= 0 && idx < len(url)-1 {
+		name := url[idx+1:]
+		if q := strings.Index(name, "?"); q >= 0 {
+			name = name[:q]
+		}
+		if name != "" {
+			return name
+		}
+	}
+	return "image.png"
+}
+
 func fileID(file official_types.FileAttachment) string {
 	if strings.TrimSpace(file.FileID) != "" {
 		return strings.TrimSpace(file.FileID)
diff --git a/initialize/handlers.go b/initialize/handlers.go
index 3e1da5eae..b26e13fa7 100644
--- a/initialize/handlers.go
+++ b/initialize/handlers.go
@@ -286,7 +286,7 @@ func (h *Handler) nightmare(c *gin.Context) {
 	client := bogdanfinn.NewStdClient()
 
 	// Convert the chat request to a ChatGPT request
-	translated_request := chatgptrequestconverter.ConvertAPIRequest(original_request, secret, proxyUrl)
+	translated_request := chatgptrequestconverter.ConvertAPIRequest(original_request, secret, proxyUrl, client)
 	clientState := chatgpt.NewChatClientState()
 	clientState.ConversationID = translated_request.ConversationID
 	clientState.ParentMessageID = translated_request.ParentMessageID
@@ -438,7 +438,7 @@ func (h *Handler) responses(c *gin.Context) {
 	uid := uuid.NewString()
 	client := bogdanfinn.NewStdClient()
 
-	translated_request := chatgptrequestconverter.ConvertAPIRequest(original_request, secret, proxyUrl)
+	translated_request := chatgptrequestconverter.ConvertAPIRequest(original_request, secret, proxyUrl, client)
 	clientState := chatgpt.NewChatClientState()
 	clientState.ConversationID = translated_request.ConversationID
 	clientState.ParentMessageID = translated_request.ParentMessageID
@@ -726,7 +726,7 @@ func (h *Handler) files(c *gin.Context) {
 	contentType := formFile.Header.Get("Content-Type")
 	client := bogdanfinn.NewStdClient()
 	client.SetCookies("https://chatgpt.com", chatgpt.BasicCookies)
-	uploaded, status, err := chatgpt.UploadFile(client, secret, h.proxy.GetProxyIP(), formFile.Filename, contentType, c.PostForm("purpose"), data)
+	uploaded, status, err := chatgpt.UploadFile(client, secret, h.proxy.GetProxyIP(), formFile.Filename, contentType, data)
 	if err != nil {
 		c.JSON(status, gin.H{"error": gin.H{
 			"message": err.Error(),
diff --git a/internal/chatgpt/files.go b/internal/chatgpt/files.go
index 387a8d8dd..b30aeb9b9 100644
--- a/internal/chatgpt/files.go
+++ b/internal/chatgpt/files.go
@@ -6,10 +6,12 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"image"
+	_ "image/gif"
+	_ "image/jpeg"
+	_ "image/png"
 	"io"
-	"mime"
 	"net/http"
-	"path/filepath"
 	"strings"
 	"sync"
 )
@@ -23,6 +25,8 @@ type UploadedFile struct {
 	Filename      string `json:"filename,omitempty"`
 	Purpose       string `json:"purpose,omitempty"`
 	MimeType      string `json:"mime_type,omitempty"`
+	Width         int    `json:"width,omitempty"`
+	Height        int    `json:"height,omitempty"`
 	LibraryFileID string `json:"library_file_id,omitempty"`
 }
 
@@ -56,34 +60,61 @@ func LookupUploadedFile(fileID string) (UploadedFile, bool) {
 	return file, ok
 }
 
-func UploadFile(client httpclient.AuroraHttpClient, secret *tokens.Secret, proxy, filename, contentType, purpose string, data []byte) (UploadedFile, int, error) {
+// UploadFile 执行完整三步上传,对齐 chatgpttoapi/files.go UploadFile。
+func UploadFile(client httpclient.AuroraHttpClient, secret *tokens.Secret, proxy, filename, mimeHint string, data []byte) (UploadedFile, int, error) {
 	if proxy != "" {
 		client.SetProxy(proxy)
 	}
 	if secret == nil || secret.Token == "" || secret.IsFree {
 		return UploadedFile{}, http.StatusBadRequest, fmt.Errorf("file upload requires a logged-in ChatGPT access token")
 	}
+	if len(data) == 0 {
+		return UploadedFile{}, http.StatusBadRequest, fmt.Errorf("empty file data")
+	}
+
+	mime, ext := resolveMime(data, mimeHint)
+	useCase := "multimodal"
+	if !strings.HasPrefix(mime, "image/") {
+		useCase = "my_files"
+	}
 	filename = strings.TrimSpace(filename)
 	if filename == "" {
-		filename = "upload.bin"
+		filename = fmt.Sprintf("file-%d%s", len(data), ext)
 	}
-	if contentType == "" {
-		contentType = mime.TypeByExtension(strings.ToLower(filepath.Ext(filename)))
+
+	var width, height int
+	if strings.HasPrefix(mime, "image/") {
+		if cfg, _, err := image.DecodeConfig(bytes.NewReader(data)); err == nil {
+			width = cfg.Width
+			height = cfg.Height
+		}
 	}
-	if contentType == "" {
-		contentType = http.DetectContentType(data)
+
+	// ---- Step 1: POST /backend-api/files ----
+	step1Payload := map[string]interface{}{
+		"file_name":  filename,
+		"file_size":  len(data),
+		"use_case":   useCase,
+		"mime_type":  mime,
+		"store_in_library":         true,
+		"library_persistence_mode": "opportunistic",
 	}
-	if purpose == "" {
-		purpose = "assistants"
+	if width > 0 && height > 0 {
+		step1Payload["width"] = width
+		step1Payload["height"] = height
 	}
 
-	meta, status, err := createUpload(client, secret, filename, len(data))
+	meta, status, err := createUpload(client, secret, step1Payload)
 	if err != nil {
 		return UploadedFile{}, status, err
 	}
-	if status, err := putUpload(client, meta.UploadURL, contentType, data); err != nil {
+
+	// ---- Step 2: PUT upload_url (Azure Blob) ----
+	if status, err := putUpload(client, meta.UploadURL, mime, data); err != nil {
 		return UploadedFile{}, status, err
 	}
+
+	// ---- Step 3: POST /backend-api/files/{file_id}/uploaded ----
 	if status, err := confirmUpload(client, secret, meta.FileID); err != nil {
 		return UploadedFile{}, status, err
 	}
@@ -94,24 +125,16 @@ func UploadFile(client httpclient.AuroraHttpClient, secret *tokens.Secret, proxy
 		Object:        "file",
 		Bytes:         int64(len(data)),
 		Filename:      filename,
-		Purpose:       purpose,
-		MimeType:      contentType,
+		MimeType:      mime,
+		Width:         width,
+		Height:        height,
 		LibraryFileID: meta.LibraryFileID,
 	}
 	RegisterUploadedFile(result)
 	return result, http.StatusOK, nil
 }
 
-func createUpload(client httpclient.AuroraHttpClient, secret *tokens.Secret, filename string, size int) (uploadMetaResponse, int, error) {
-	payload := map[string]interface{}{
-		"file_name":                filename,
-		"file_size":                size,
-		"use_case":                 "multimodal",
-		"timezone_offset_min":      -480,
-		"reset_rate_limits":        false,
-		"store_in_library":         true,
-		"library_persistence_mode": "opportunistic",
-	}
+func createUpload(client httpclient.AuroraHttpClient, secret *tokens.Secret, payload map[string]interface{}) (uploadMetaResponse, int, error) {
 	body, err := json.Marshal(payload)
 	if err != nil {
 		return uploadMetaResponse{}, http.StatusInternalServerError, err
@@ -189,3 +212,61 @@ func confirmUpload(client httpclient.AuroraHttpClient, secret *tokens.Secret, fi
 	}
 	return response.StatusCode, nil
 }
+
+// ── MIME 检测(对齐 chatgpttoapi/files.go) ──
+
+func resolveMime(data []byte, mimeHint string) (mime, ext string) {
+	sniffed, sniffExt := sniffMime(data)
+	hint := normalizeMime(mimeHint)
+	if hint != "" && hint != "application/octet-stream" {
+		ext = extFromMime(hint)
+		if ext == "" {
+			ext = sniffExt
+		}
+		return hint, ext
+	}
+	return sniffed, sniffExt
+}
+
+func normalizeMime(s string) string {
+	s = strings.TrimSpace(s)
+	if i := strings.Index(s, ";"); i >= 0 {
+		s = strings.TrimSpace(s[:i])
+	}
+	return s
+}
+
+func sniffMime(data []byte) (mime, ext string) {
+	n := 512
+	if len(data) < n {
+		n = len(data)
+	}
+	mime = http.DetectContentType(data[:n])
+	ext = extFromMime(mime)
+	return mime, ext
+}
+
+func extFromMime(m string) string {
+	switch strings.ToLower(normalizeMime(m)) {
+	case "image/jpeg":
+		return ".jpg"
+	case "image/png":
+		return ".png"
+	case "image/gif":
+		return ".gif"
+	case "image/webp":
+		return ".webp"
+	case "application/pdf":
+		return ".pdf"
+	case "text/plain":
+		return ".txt"
+	case "text/csv":
+		return ".csv"
+	case "application/json":
+		return ".json"
+	case "text/markdown":
+		return ".md"
+	default:
+		return ""
+	}
+}
diff --git a/internal/chatgpt/request.go b/internal/chatgpt/request.go
index 21acf85bb..8f8b03f4b 100644
--- a/internal/chatgpt/request.go
+++ b/internal/chatgpt/request.go
@@ -5,6 +5,7 @@ import (
 	"aurora/httpclient"
 	"aurora/internal/prooftoken"
 	"aurora/internal/tokens"
+	"aurora/internal/turnstile"
 	"aurora/typings"
 	chatgpt_types "aurora/typings/chatgpt"
 	official_types "aurora/typings/official"
@@ -141,7 +142,7 @@ func CalcProofToken(require *ChatRequire, state *ChatClientState) string {
 	if state != nil && state.UserAgent != "" {
 		ua = state.UserAgent
 	}
-	return prooftoken.SolveProofToken(require.Proof.Seed, require.Proof.Difficulty, ua)
+	return prooftoken.SolveProofToken(require.Proof.Seed, require.Proof.Difficulty, ua, cachedScripts, cachedDpl)
 }
 
 type ChatRequire struct {
@@ -182,7 +183,7 @@ func InitSentinelWithState(client httpclient.AuroraHttpClient, secret *tokens.Se
 	if state != nil && state.UserAgent != "" {
 		ua = state.UserAgent
 	}
-	requirementsToken := prooftoken.NewPOWConfig(ua).RequirementsToken()
+	requirementsToken := prooftoken.NewPOWConfig(ua, cachedScripts, cachedDpl).RequirementsToken()
 	prepare, status, err := POSTSentinelPrepareWithState(client, secret, requirementsToken, state)
 	if err != nil {
 		if secret.IsFree && status == http.StatusUnauthorized && retry < 2 {
@@ -216,9 +217,9 @@ func InitSentinelWithState(client httpclient.AuroraHttpClient, secret *tokens.Se
 	}
 	var turnstileToken string
 	if prepare.Turnstile.DX != "" {
-		turnstileToken = prooftoken.Solve(prepare.Turnstile.DX, requirementsToken)
+		turnstileToken = turnstile.SolveWithScripts(prepare.Turnstile.DX, requirementsToken, cachedScripts)
 		if turnstileToken == "" {
-			turnstileToken = prooftoken.Solve(prepare.Turnstile.DX, "")
+			turnstileToken = turnstile.SolveWithScripts(prepare.Turnstile.DX, "", cachedScripts)
 		}
 	}
 
@@ -344,7 +345,7 @@ func POSTTurnStile(client httpclient.AuroraHttpClient, secret *tokens.Secret, pr
 		client.SetProxy(proxy)
 	}
 	if cachedRequireProof == "" {
-		cachedRequireProof = prooftoken.NewPOWConfig(defaultUserAgent()).RequirementsToken()
+		cachedRequireProof = prooftoken.NewPOWConfig(defaultUserAgent(), cachedScripts, cachedDpl).RequirementsToken()
 	}
 	var apiUrl string
 	if secret.IsFree {
@@ -2240,6 +2241,9 @@ readLoop:
 				}
 				if streamEvent.finishReason != "" {
 					finish_reason = streamEvent.finishReason
+					if finish_reason == "length" {
+						max_tokens = true
+					}
 					isEnd = true
 				}
 				if activeChannel == "analysis" {
@@ -2250,6 +2254,25 @@ readLoop:
 							c.Writer.WriteString("data: " + finalLine.String() + "\n\n")
 							c.Writer.Flush()
 						}
+						if max_tokens && convId != "" && assistantMessageID != "" {
+							finalizeArtifacts()
+							return HandlerResult{
+								Text:              strings.Join(imgSource, "") + previous_text.Text,
+								ThinkingText:      thinkingText,
+								ConversationID:    convId,
+								ParentMessageID:   assistantMessageID,
+								Sentinel:          sentinel,
+								ArtifactSignals:   artifactState.Signals,
+								SandboxArtifacts:  artifactState.SandboxArtifacts,
+								PDFArtifacts:      artifactState.PDFArtifacts,
+								GeneratedImageIDs: artifactState.ImageFileIDs,
+								StopSent:          true,
+								Continue: &ContinueInfo{
+									ConversationID: convId,
+									ParentID:       assistantMessageID,
+								},
+							}
+						}
 						finalizeArtifacts()
 						return HandlerResult{
 							Text:              strings.Join(imgSource, "") + previous_text.Text,
@@ -2294,6 +2317,25 @@ readLoop:
 					previous_text.Text += deltaText
 				}
 				if streamEvent.isStop {
+					if max_tokens && convId != "" && assistantMessageID != "" {
+						finalizeArtifacts()
+						return HandlerResult{
+							Text:              strings.Join(imgSource, "") + previous_text.Text,
+							ThinkingText:      thinkingText,
+							ConversationID:    convId,
+							ParentMessageID:   assistantMessageID,
+							Sentinel:          sentinel,
+							ArtifactSignals:   artifactState.Signals,
+							SandboxArtifacts:  artifactState.SandboxArtifacts,
+							PDFArtifacts:      artifactState.PDFArtifacts,
+							GeneratedImageIDs: artifactState.ImageFileIDs,
+							StopSent:          true,
+							Continue: &ContinueInfo{
+								ConversationID: convId,
+								ParentID:       assistantMessageID,
+							},
+						}
+					}
 					finalizeArtifacts()
 					return HandlerResult{
 						Text:              strings.Join(imgSource, "") + previous_text.Text,
diff --git a/internal/chatgpt/request_test.go b/internal/chatgpt/request_test.go
index d4c0a588c..8a6ec2c4b 100644
--- a/internal/chatgpt/request_test.go
+++ b/internal/chatgpt/request_test.go
@@ -409,8 +409,11 @@ func TestCreateBaseHeaderMatchesWebClientShape(t *testing.T) {
 	if first["oai-language"] != "zh-CN" {
 		t.Fatalf("oai-language = %q, want zh-CN", first["oai-language"])
 	}
-	if !strings.Contains(first["user-agent"], "Edg/147.0.0.0") {
-		t.Fatalf("user-agent = %q, want Edge 147 shape", first["user-agent"])
+	// UA must be the Edge variant to stay consistent with the hardcoded
+	// sec-ch-ua = "Microsoft Edge";v="146". Version is randomized.
+	ua := first["user-agent"]
+	if !strings.Contains(ua, "Edg/") {
+		t.Fatalf("user-agent = %q, want Edge variant to match sec-ch-ua=Microsoft Edge 146", ua)
 	}
 	if first["oai-device-id"] == "" || first["oai-device-id"] != second["oai-device-id"] {
 		t.Fatalf("oai-device-id should be stable across headers: first=%q second=%q", first["oai-device-id"], second["oai-device-id"])
diff --git a/internal/prooftoken/prooftoken.go b/internal/prooftoken/prooftoken.go
index b9075b3e8..a4ec744ee 100644
--- a/internal/prooftoken/prooftoken.go
+++ b/internal/prooftoken/prooftoken.go
@@ -8,10 +8,10 @@ import (
 	"fmt"
 	"math/rand"
 	"strconv"
-	"strings"
-	"sync/atomic"
 	"time"
 
+	"aurora/internal/turnstile"
+
 	"golang.org/x/crypto/sha3"
 )
 
@@ -24,29 +24,67 @@ const (
 	maxRequirementsIter = 500_000
 	maxProofIter        = 100_000
 
-	powFallback = "gAAAAABwQ8Lk5FbGpA2NcR9dShT6gYjU7VxZ4D"
+	powFallback = "wQ8Lk5FbGpA2NcR9dShT6gYjU7VxZ4D"
 )
 
 var (
-	powCores   = []int{16, 24, 32}
-	powScreens = []int{3000, 4000, 6000}
+	powCores   = []int{8, 16, 24, 32}
+	powScreens = []int{3000, 4000, 5000}
 
 	powNavKeys = []string{
-		"webdriver-false", "vendor-Google Inc.", "cookieEnabled-true",
-		"pdfViewerEnabled-true", "hardwareConcurrency-32",
-		"language-zh-CN", "mimeTypes-[object MimeTypeArray]",
-		"userAgentData-[object NavigatorUAData]",
+		"registerProtocolHandler−function registerProtocolHandler() { [native code] }",
+		"storage−[object StorageManager]",
+		"locks−[object LockManager]",
+		"appCodeName−Mozilla",
+		"permissions−[object Permissions]",
+		"share−function share() { [native code] }",
+		"webdriver−false",
+		"managed−[object NavigatorManagedData]",
+		"canShare−function canShare() { [native code] }",
+		"vendor−Google Inc.",
+		"mediaDevices−[object MediaDevices]",
+		"vibrate−function vibrate() { [native code] }",
+		"storageBuckets−[object StorageBucketManager]",
+		"mediaCapabilities−[object MediaCapabilities]",
+		"cookieEnabled−true",
+		"virtualKeyboard−[object VirtualKeyboard]",
+		"product−Gecko",
+		"presentation−[object Presentation]",
+		"onLine−true",
+		"mimeTypes−[object MimeTypeArray]",
+		"credentials−[object CredentialsContainer]",
+		"serviceWorker−[object ServiceWorkerContainer]",
+		"keyboard−[object Keyboard]",
+		"gpu−[object GPU]",
+		"doNotTrack",
+		"serial−[object Serial]",
+		"pdfViewerEnabled−true",
+		"language−zh-CN",
+		"geolocation−[object Geolocation]",
+		"userAgentData−[object NavigatorUAData]",
+		"getUserMedia−function getUserMedia() { [native code] }",
+		"sendBeacon−function sendBeacon() { [native code] }",
+		"hardwareConcurrency−32",
+		"windowControlsOverlay−[object WindowControlsOverlay]",
 	}
 	powWinKeys = []string{
-		"innerWidth", "innerHeight", "devicePixelRatio", "screen",
-		"chrome", "location", "history", "navigator",
+		"0", "window", "self", "document", "name", "location",
+		"customElements", "history", "navigation",
+		"innerWidth", "innerHeight", "scrollX", "scrollY",
+		"visualViewport", "screenX", "screenY",
+		"outerWidth", "outerHeight", "devicePixelRatio",
+		"screen", "chrome", "navigator",
+		"onresize", "performance", "crypto",
+		"indexedDB", "sessionStorage", "localStorage", "scheduler",
+		"alert", "atob", "btoa", "fetch", "matchMedia",
+		"postMessage", "queueMicrotask", "requestAnimationFrame",
+		"setInterval", "setTimeout", "caches",
+		"__NEXT_DATA__", "__BUILD_MANIFEST", "__NEXT_PRELOADREADY",
 	}
 
-	powReactListeners = []string{"_reactListeningcfilawjnerp", "_reactListening9ne2dfo1i47"}
-	powProofEvents    = []string{"alert", "ontransitionend", "onprogress"}
+	powDocKeys = []string{"_reactListeningo743lnnpvdg", "location"}
 
-	// perfCounter 模拟浏览器 performance.counter() 的单调递增(亚秒级)。
-	perfCounter uint64
+	defaultScriptSources = []string{"https://chatgpt.com/backend-api/sentinel/sdk.js"}
 )
 
 // POWConfig 是 18 元素的客户端指纹数组(requirements_token 用)。
@@ -55,43 +93,48 @@ type POWConfig struct {
 	arr       [18]interface{}
 }
 
-// NewPOWConfig 构造一个随机化的客户端指纹,用于 requirements + proof 两种场景。
-func NewPOWConfig(userAgent string) *POWConfig {
+func NewPOWConfig(userAgent string, scriptSources []string, dataBuild string) *POWConfig {
 	if userAgent == "" {
 		userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/147.0.0.0"
 	}
+	if len(scriptSources) == 0 {
+		scriptSources = defaultScriptSources
+	}
 	//nolint:gosec // 非加密用途
 	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
-	now := time.Now().UTC()
-	timeStr := now.Format("Mon Jan 02 2006 15:04:05") + " GMT+0000 (UTC)"
-	perf := float64(atomic.AddUint64(&perfCounter, 1)) + rng.Float64()
+	perfNow := float64(time.Now().UnixNano()) / 1e6 // performance.now() 等价
+	timeStr := _legacyParseTime()
+	scriptSrc := scriptSources[rng.Intn(len(scriptSources))]
 
 	c := &POWConfig{userAgent: userAgent}
 	c.arr = [18]interface{}{
-		powCores[rng.Intn(len(powCores))] + powScreens[rng.Intn(len(powScreens))], // 0
-		timeStr,       // 1
-		nil,           // 2
-		rng.Float64(), // 3 - 迭代会覆盖
-		userAgent,     // 4
-		nil,           // 5
-		"dpl=1440a687921de39ff5ee56b92807faaadce73f13", // 6
+		powScreens[rng.Intn(len(powScreens))], // 0 — screen value
+		timeStr,                               // 1
+		4294705152,                            // 2 — 硬编码常量
+		0,                                     // 3 — 迭代会覆盖
+		userAgent,                             // 4
+		scriptSrc,                             // 5 — <script src> 或默认 sdk.js
+		dataBuild,                             // 6 — data-build 属性或 c/.../_ 匹配
 		"en-US",                               // 7
-		"en-US,zh-CN",                         // 8
-		0,                                     // 9 - 迭代会覆盖
+		"en-US,es-US,en,es",                   // 8
+		0,                                     // 9 — 迭代会覆盖
 		powNavKeys[rng.Intn(len(powNavKeys))], // 10
-		"location",                            // 11
+		powDocKeys[rng.Intn(len(powDocKeys))], // 11
 		powWinKeys[rng.Intn(len(powWinKeys))], // 12
-		perf,                                  // 13
+		perfNow,                               // 13 — perf_counter()*1000
 		randomUUID(rng),                       // 14
 		"",                                    // 15
-		8,                                     // 16
-		now.Unix(),                            // 17
+		powCores[rng.Intn(len(powCores))],     // 16
+		float64(time.Now().UnixMilli()) - perfNow, // 17 — timeOrigin
 	}
 	return c
 }
 
-// RequirementsToken 生成 /sentinel/chat-requirements 的 "p" 字段值。
-// 对齐 gen_image.py.get_requirements_token:固定难度 0fffff,前缀 gAAAAAC。
+func _legacyParseTime() string {
+	loc := time.FixedZone("EST", -5*60*60)
+	return time.Now().In(loc).Format("Mon Jan 02 2006 15:04:05") + " GMT-0500 (Eastern Standard Time)"
+}
+
 func (c *POWConfig) RequirementsToken() string {
 	//nolint:gosec
 	seed := strconv.FormatFloat(rand.Float64(), 'f', -1, 64)
@@ -103,32 +146,30 @@ func (c *POWConfig) RequirementsToken() string {
 	return powPrefixRequirements + b64
 }
 
-// solveRequirements 高性能迭代:预拼 JSON 的三段字节前缀,只在内循环拼 d1/d2。
-// 严格对齐 gen_image.py._generate_answer。
 func (c *POWConfig) solveRequirements(seed, difficulty string) (string, bool) {
 	target, err := hex.DecodeString(difficulty)
 	if err != nil {
 		return "", false
 	}
-	diffLen := len(difficulty) // 字符数(与 Python 对齐)
+	diffLen := len(difficulty) / 2 // hex 字符数
 
 	// 预拼 p1/p2/p3。config[3] 和 config[9] 位置留给迭代器。
 	arr := c.arr
-	// p1 = json(arr[:3])[:-1] + ","
-	head, _ := json.Marshal([]interface{}{arr[0], arr[1], arr[2]})
+	// p1 = compact_json(arr[:3])[:-1] + ","
+	head := marshalCompact([]interface{}{arr[0], arr[1], arr[2]})
 	p1 := append(head[:len(head)-1:len(head)-1], ',')
 
-	mid, _ := json.Marshal([]interface{}{arr[4], arr[5], arr[6], arr[7], arr[8]})
-	// p2 = "," + json(arr[4:9])[1:-1] + ","
+	// p2 = "," + compact_json(arr[4:9])[1:-1] + ","
+	mid := marshalCompact([]interface{}{arr[4], arr[5], arr[6], arr[7], arr[8]})
 	p2 := make([]byte, 0, len(mid)+2)
 	p2 = append(p2, ',')
 	p2 = append(p2, mid[1:len(mid)-1]...)
 	p2 = append(p2, ',')
 
-	tail, _ := json.Marshal([]interface{}{
+	// p3 = "," + compact_json(arr[10:])[1:]
+	tail := marshalCompact([]interface{}{
 		arr[10], arr[11], arr[12], arr[13], arr[14], arr[15], arr[16], arr[17],
 	})
-	// p3 = "," + json(arr[10:])[1:]  => "," + "element1,...,elementN]"
 	p3 := make([]byte, 0, len(tail)+1)
 	p3 = append(p3, ',')
 	p3 = append(p3, tail[1:]...)
@@ -161,69 +202,66 @@ func (c *POWConfig) solveRequirements(seed, difficulty string) (string, bool) {
 		hasher.Write(b64buf)
 		sum := hasher.Sum(nil)
 
-		// Python: h[:diff_len] <= target
-		// diff_len 是字符数(6),target 是字节(3)。Python bytes cmp 按短的逐字节比较。
-		// 这里保持等价:取 min(len(target), len(sum)) 字节比较。
-		n2 := diffLen
-		if n2 > len(sum) {
-			n2 = len(sum)
-		}
-		cmpLen := n2
-		if cmpLen > len(target) {
-			cmpLen = len(target)
-		}
-		if bytes.Compare(sum[:cmpLen], target[:cmpLen]) <= 0 {
+		if bytes.Compare(sum[:diffLen], target) <= 0 {
 			return string(b64buf), true
 		}
 	}
 	return "", false
 }
 
-// SolveProofToken 按服务端挑战求解 proof token(header 用,前缀 gAAAAAB)。
-// 迁移自 gen_image.py.generate_proof_token 的轻量 13 元素 config。
-func SolveProofToken(seed, difficulty, userAgent string) string {
+func SolveProofToken(seed, difficulty, userAgent string, scriptSources []string, dataBuild string) string {
 	if seed == "" || difficulty == "" {
 		return ""
 	}
 	if userAgent == "" {
 		userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36 Edg/147.0.0.0"
 	}
+	if len(scriptSources) == 0 {
+		scriptSources = defaultScriptSources
+	}
 	//nolint:gosec
 	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
-	screen := powScreens[rng.Intn(len(powScreens))] * (1 << rng.Intn(3)) // *1/2/4
+	screen := powScreens[rng.Intn(len(powScreens))]
 
-	timeStr := time.Now().UTC().Format("Mon, 02 Jan 2006 15:04:05 GMT")
+	timeStr := _legacyParseTime()
+	scriptSrc := scriptSources[rng.Intn(len(scriptSources))]
 
 	proofConfig := []interface{}{
-		screen, // 0
-		timeStr,
-		nil,
-		0, // 3 - 迭代
-		userAgent,
-		"https://tcr9i.chat.openai.com/v2/35536E1E-65B4-4D96-9D97-6ADB7EFF8147/api.js",
-		"dpl=1440a687921de39ff5ee56b92807faaadce73f13",
-		"en",
-		"en-US",
-		nil,
-		"plugins-[object PluginArray]",
-		powReactListeners[rng.Intn(len(powReactListeners))],
-		powProofEvents[rng.Intn(len(powProofEvents))],
+		screen,                                // 0
+		timeStr,                               // 1
+		4294705152,                            // 2
+		0,                                     // 3 — 迭代
+		userAgent,                             // 4
+		scriptSrc,                             // 5
+		dataBuild,                             // 6
+		"en-US",                               // 7
+		"en-US,es-US,en,es",                   // 8
+		0,                                     // 9
+		powNavKeys[rng.Intn(len(powNavKeys))], // 10
+		powDocKeys[rng.Intn(len(powDocKeys))], // 11
+		powWinKeys[rng.Intn(len(powWinKeys))], // 12
+		float64(time.Now().UnixNano()) / 1e6,  // 13 — perf_counter()*1000
+		randomUUID(rng),                       // 14
+		"",                                    // 15
+		powCores[rng.Intn(len(powCores))],     // 16
+		float64(time.Now().UnixMilli()) - float64(time.Now().UnixNano())/1e6, // 17
 	}
 
-	diffLen := len(difficulty)
+	diffLen := len(difficulty) / 2
+	//nolint:gosec
+	target, _ := hex.DecodeString(difficulty)
+	seedB := []byte(seed)
 	hasher := sha3.New512()
 	for i := 0; i < maxProofIter; i++ {
 		proofConfig[3] = i
-		raw, err := json.Marshal(proofConfig)
-		if err != nil {
-			continue
-		}
+		proofConfig[9] = i >> 1
+		raw := marshalCompact(proofConfig)
 		b64 := base64.StdEncoding.EncodeToString(raw)
 		hasher.Reset()
-		hasher.Write([]byte(seed + b64))
+		hasher.Write(seedB)
+		hasher.Write([]byte(b64))
 		sum := hasher.Sum(nil)
-		hexStr := hex.EncodeToString(sum)
-		if strings.Compare(hexStr[:diffLen], difficulty) <= 0 {
+		if bytes.Compare(sum[:diffLen], target) <= 0 {
 			return powPrefixProof + b64
 		}
 	}
@@ -240,352 +278,14 @@ func randomUUID(rng *rand.Rand) string {
 		b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
 }
 
-// Turnstile solver types
-type orderedMap struct {
-	keys   []string
-	values map[string]any
-}
-
-func newOrderedMap() *orderedMap {
-	return &orderedMap{values: make(map[string]any)}
-}
-
-func (m *orderedMap) add(key string, value any) {
-	if _, ok := m.values[key]; !ok {
-		m.keys = append(m.keys, key)
-	}
-	m.values[key] = value
+func marshalCompact(v interface{}) []byte {
+	b, _ := json.Marshal(v)
+	buf := new(bytes.Buffer)
+	_ = json.Compact(buf, b)
+	return buf.Bytes()
 }
 
-func (m *orderedMap) MarshalJSON() ([]byte, error) {
-	var buf bytes.Buffer
-	buf.WriteByte('{')
-	for i, key := range m.keys {
-		if i > 0 {
-			buf.WriteString(", ")
-		}
-		keyBytes, _ := json.Marshal(key)
-		valueBytes, _ := json.Marshal(m.values[key])
-		buf.Write(keyBytes)
-		buf.WriteString(": ")
-		buf.Write(valueBytes)
-	}
-	buf.WriteByte('}')
-	return buf.Bytes(), nil
-}
-
-type vmFunc func(args ...any)
-
-// Solve generates the turnstile token using the dx challenge and source p
+// Solve delegates to the canonical turnstile VM implementation.
 func Solve(dx string, p string) string {
-	decoded, err := base64.StdEncoding.DecodeString(dx)
-	if err != nil {
-		return ""
-	}
-	var tokenList []any
-	if err := json.Unmarshal([]byte(xorString(string(decoded), p)), &tokenList); err != nil {
-		return ""
-	}
-	processMap := map[float64]any{}
-	startTime := time.Now()
-	result := ""
-	processMap[1] = vmFunc(func(args ...any) {
-		e, t := num(args, 0), num(args, 1)
-		processMap[e] = xorString(turnstileString(processMap[e]), turnstileString(processMap[t]))
-	})
-	processMap[2] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = value(args, 1)
-	})
-	processMap[3] = vmFunc(func(args ...any) {
-		result = base64.StdEncoding.EncodeToString([]byte(turnstileString(value(args, 0))))
-	})
-	processMap[5] = vmFunc(func(args ...any) {
-		e, t := num(args, 0), num(args, 1)
-		current := processMap[e]
-		incoming := processMap[t]
-		if list, ok := asList(current); ok {
-			processMap[e] = append(list, incoming)
-			return
-		}
-		if isStringOrNumber(current) || isStringOrNumber(incoming) {
-			processMap[e] = turnstileString(current) + turnstileString(incoming)
-			return
-		}
-		processMap[e] = "NaN"
-	})
-	processMap[6] = vmFunc(func(args ...any) {
-		e, t, n := num(args, 0), num(args, 1), num(args, 2)
-		tv, tok := processMap[t].(string)
-		nv, nok := processMap[n].(string)
-		if !tok || !nok {
-			return
-		}
-		joined := tv + "." + nv
-		if joined == "window.document.location" {
-			processMap[e] = "https://chatgpt.com/"
-			return
-		}
-		processMap[e] = joined
-	})
-	processMap[7] = vmFunc(func(args ...any) {
-		target := processMap[num(args, 0)]
-		values := lookup(processMap, args[1:]...)
-		if target == "window.Reflect.set" && len(values) >= 3 {
-			if obj, ok := values[0].(*orderedMap); ok {
-				obj.add(turnstileString(values[1]), values[2])
-			}
-			return
-		}
-		if fn, ok := target.(vmFunc); ok {
-			fn(values...)
-		}
-	})
-	processMap[8] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = processMap[num(args, 1)]
-	})
-	processMap[9] = tokenList
-	processMap[10] = "window"
-	processMap[14] = vmFunc(func(args ...any) {
-		var v any
-		if err := json.Unmarshal([]byte(turnstileString(processMap[num(args, 1)])), &v); err == nil {
-			processMap[num(args, 0)] = v
-		}
-	})
-	processMap[15] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = jsonDumps(processMap[num(args, 1)])
-	})
-	processMap[16] = p
-	processMap[17] = vmFunc(func(args ...any) {
-		e := num(args, 0)
-		target := processMap[num(args, 1)]
-		callArgs := lookup(processMap, args[2:]...)
-		switch target {
-		case "window.performance.now":
-			processMap[e] = float64(time.Since(startTime).Nanoseconds())/1e6 + rand.Float64()/1e6
-		case "window.Object.create":
-			processMap[e] = newOrderedMap()
-		case "window.Object.keys":
-			if len(callArgs) > 0 && callArgs[0] == "window.localStorage" {
-				processMap[e] = []any{
-					"STATSIG_LOCAL_STORAGE_INTERNAL_STORE_V4",
-					"STATSIG_LOCAL_STORAGE_STABLE_ID",
-					"client-correlated-secret",
-					"oai/apps/capExpiresAt",
-					"oai-did",
-					"STATSIG_LOCAL_STORAGE_LOGGING_REQUEST",
-					"UiState.isNavigationCollapsed.1",
-				}
-			}
-		case "window.Math.random":
-			processMap[e] = rand.Float64()
-		default:
-			if fn, ok := target.(vmFunc); ok {
-				fn(callArgs...)
-			}
-		}
-	})
-	processMap[18] = vmFunc(func(args ...any) {
-		if decoded, err := base64.StdEncoding.DecodeString(turnstileString(processMap[num(args, 0)])); err == nil {
-			processMap[num(args, 0)] = string(decoded)
-		}
-	})
-	processMap[19] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = base64.StdEncoding.EncodeToString([]byte(turnstileString(processMap[num(args, 0)])))
-	})
-	processMap[20] = vmFunc(func(args ...any) {
-		e, t, n := num(args, 0), num(args, 1), num(args, 2)
-		if !equal(processMap[e], processMap[t]) {
-			return
-		}
-		if fn, ok := processMap[n].(vmFunc); ok {
-			fn(lookup(processMap, args[3:]...)...)
-		}
-	})
-	processMap[21] = vmFunc(func(args ...any) {})
-	processMap[23] = vmFunc(func(args ...any) {
-		if processMap[num(args, 0)] == nil {
-			return
-		}
-		if fn, ok := processMap[num(args, 1)].(vmFunc); ok {
-			fn(args[2:]...)
-		}
-	})
-	processMap[24] = vmFunc(func(args ...any) {
-		tv, tok := processMap[num(args, 1)].(string)
-		nv, nok := processMap[num(args, 2)].(string)
-		if tok && nok {
-			processMap[num(args, 0)] = tv + "." + nv
-		}
-	})
-	for _, token := range tokenList {
-		items, ok := asList(token)
-		if !ok || len(items) == 0 {
-			continue
-		}
-		fn, ok := processMap[toFloat(items[0])].(vmFunc)
-		if !ok {
-			continue
-		}
-		func() {
-			defer func() { _ = recover() }()
-			fn(items[1:]...)
-		}()
-	}
-	return result
-}
-
-func turnstileString(v any) string {
-	if v == nil {
-		return "undefined"
-	}
-	if s, ok := v.(string); ok {
-		switch s {
-		case "window.Math":
-			return "[object Math]"
-		case "window.Reflect":
-			return "[object Reflect]"
-		case "window.performance":
-			return "[object Performance]"
-		case "window.localStorage":
-			return "[object Storage]"
-		case "window.Object":
-			return "function Object() { [native code] }"
-		case "window.Reflect.set":
-			return "function set() { [native code] }"
-		case "window.performance.now":
-			return "function () { [native code] }"
-		case "window.Object.create":
-			return "function create() { [native code] }"
-		case "window.Object.keys":
-			return "function keys() { [native code] }"
-		case "window.Math.random":
-			return "function random() { [native code] }"
-		default:
-			return s
-		}
-	}
-	if list, ok := asList(v); ok && allStrings(list) {
-		parts := make([]string, 0, len(list))
-		for _, item := range list {
-			parts = append(parts, turnstileString(item))
-		}
-		return strings.Join(parts, ",")
-	}
-	if n, ok := v.(float64); ok {
-		return strconv.FormatFloat(n, 'f', -1, 64)
-	}
-	if b, ok := v.(bool); ok {
-		if b {
-			return "True"
-		}
-		return "False"
-	}
-	return fmt.Sprint(v)
-}
-
-func xorString(text string, key string) string {
-	if key == "" {
-		return text
-	}
-	out := []rune(text)
-	keyRunes := []rune(key)
-	for i, ch := range out {
-		out[i] = ch ^ keyRunes[i%len(keyRunes)]
-	}
-	return string(out)
-}
-
-func jsonDumps(v any) string {
-	return pyJSONDumps(v)
-}
-
-func pyJSONDumps(v any) string {
-	switch typed := v.(type) {
-	case *orderedMap:
-		b, _ := typed.MarshalJSON()
-		return string(b)
-	case []any:
-		parts := make([]string, 0, len(typed))
-		for _, item := range typed {
-			parts = append(parts, pyJSONDumps(item))
-		}
-		return "[" + strings.Join(parts, ", ") + "]"
-	case map[string]any:
-		parts := make([]string, 0, len(typed))
-		for key, item := range typed {
-			keyBytes, _ := json.Marshal(key)
-			parts = append(parts, string(keyBytes)+": "+pyJSONDumps(item))
-		}
-		return "{" + strings.Join(parts, ", ") + "}"
-	default:
-		b, _ := json.Marshal(v)
-		return string(b)
-	}
-}
-
-func value(args []any, index int) any {
-	if index >= len(args) {
-		return nil
-	}
-	return args[index]
-}
-
-func num(args []any, index int) float64 {
-	return toFloat(value(args, index))
-}
-
-func toFloat(v any) float64 {
-	switch n := v.(type) {
-	case float64:
-		return n
-	case int:
-		return float64(n)
-	case json.Number:
-		f, _ := n.Float64()
-		return f
-	default:
-		return 0
-	}
-}
-
-func lookup(processMap map[float64]any, args ...any) []any {
-	values := make([]any, 0, len(args))
-	for _, arg := range args {
-		values = append(values, processMap[toFloat(arg)])
-	}
-	return values
-}
-
-func asList(v any) ([]any, bool) {
-	switch list := v.(type) {
-	case []any:
-		return list, true
-	default:
-		return nil, false
-	}
-}
-
-func allStrings(list []any) bool {
-	for _, item := range list {
-		if _, ok := item.(string); !ok {
-			return false
-		}
-	}
-	return true
-}
-
-func isStringOrNumber(v any) bool {
-	switch v.(type) {
-	case string, float64:
-		return true
-	default:
-		return false
-	}
-}
-
-func equal(a any, b any) bool {
-	if af, ok := a.(float64); ok {
-		return af == toFloat(b)
-	}
-	return fmt.Sprint(a) == fmt.Sprint(b)
+	return turnstile.Solve(dx, p)
 }
diff --git a/internal/turnstile/turnstile.go b/internal/turnstile/turnstile.go
index 0df40d110..1eabc0f50 100644
--- a/internal/turnstile/turnstile.go
+++ b/internal/turnstile/turnstile.go
@@ -1,312 +1,741 @@
+// Package turnstile implements the ChatGPT Sentinel SDK (20260423af3c) VM.
+//
+// The dx challenge is decoded as:
+//
+//	base64_decode(dx) → XOR(decoded, key) → JSON → [[opcode, ...args], ...]
+//
+// The engine executes the opcode queue, resolving with a base64 token.
+// 35 symbolic opcodes aligned to sdk.pretty.js:1230-1250.
 package turnstile
 
 import (
-	"bytes"
+	"context"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"math"
 	"math/rand"
-	"strconv"
 	"strings"
 	"time"
 )
 
-type orderedMap struct {
-	keys   []string
-	values map[string]any
+// ── opcode 常量(对齐 sdk.pretty.js:1230-1250) ──────────────────────────────
+const (
+	opLt = 0  // 启动 Pn 异步流程
+	opJt = 1  // slot[n] = XOR(toStr(slot[n]), toStr(slot[m]))
+	opGt = 2  // slot[n] = v (直接赋值)
+	opWt = 3  // resolve(btoa(toStr(slot[t])))
+	opZt = 4  // reject(btoa(Sn + ": " + t))
+	opBt = 5  // array push 或字符串拼接
+	opHt = 6  // slot[n] = toStr(slot[m])[toStr(slot[r])] (字符串索引/属性访问)
+	opZt7 = 7 // 通用调用 slot[n](...args.map(toStr))
+	opKt = 8  // slot[n] = toStr(slot[m])
+	opQt = 9  // token 队列(特殊槽)
+	opYt = 10 // window 对象
+	opXt = 11 // 扫 document.scripts 匹配 c/[^/]*/_, 返回 src
+	optn = 12 // slot[t] = Cn(self reference)
+	opnn = 13 // (reserved)
+	open = 14 // slot[n] = JSON.parse(slot[m])
+	oprn = 15 // slot[n] = JSON.stringify(slot[m])
+	opon = 16 // XOR key 常量
+	opcn = 17 // 异步安全调用,异常转字符串
+	opsn = 18 // slot[n] = atob(slot[n])
+	opun = 19 // slot[n] = btoa(slot[n])
+	opfn = 20 // m === n ? r(...o) : null
+	opln = 21 // abs(a-b) > c ? r(...args) : null (NOP)
+	opdn = 22 // 闭包作用域: save Qt → push args → run → restore Qt
+	opan = 23 // undefined !== n ? m(...args) : null
+	opVt = 24 // slot[n] = slot[m][slot[r]].bind(slot[m])
+	ophn = 25 // NOP
+	opin = 26 // NOP
+	opmn = 27 // array splice(0,1) 或数值减
+	opwn = 28 // NOP
+	opyn = 29 // slot[n] = toStr(m) < toStr(r)
+	opgn = 30 // 可重入 push(在闭包外延展)
+	op31 = 31 // NOP
+	op32 = 32 // NOP
+	opvn = 33 // slot[n] = Number(m) * Number(r)
+	opbn = 34 // Promise.resolve(slot[m]).then(slot[n] = result)
+	opkn = 35 // slot[n] = Number(m) / Number(r) (除零保护)
+)
+
+// ── types ───────────────────────────────────────────────────────────────────
+
+// tokenItem 是队列中的一个指令: [opcode, ...args]
+type tokenItem struct {
+	opcode int
+	args   []any
 }
 
-func newOrderedMap() *orderedMap {
-	return &orderedMap{values: make(map[string]any)}
+// nativeBoundMethod 表示 opcode 24 bind 的方法引用
+type nativeBoundMethod struct {
+	method string
+	bound  string // bound this.toString()
 }
 
-func (m *orderedMap) add(key string, value any) {
-	if _, ok := m.values[key]; !ok {
-		m.keys = append(m.keys, key)
-	}
-	m.values[key] = value
+// engine 是 turnstile VM 的运行状态
+type engine struct {
+	slots      map[int]any
+	queue      []tokenItem
+	sn         int
+	result     string
+	resolved   bool
+	rejected   bool
+	errMsg     string
+	scriptSrcs []string
 }
 
-func (m *orderedMap) MarshalJSON() ([]byte, error) {
-	var buf bytes.Buffer
-	buf.WriteByte('{')
-	for i, key := range m.keys {
-		if i > 0 {
-			buf.WriteString(", ")
-		}
-		keyBytes, _ := json.Marshal(key)
-		valueBytes, _ := json.Marshal(m.values[key])
-		buf.Write(keyBytes)
-		buf.WriteString(": ")
-		buf.Write(valueBytes)
+// ── public API ──────────────────────────────────────────────────────────────
+
+// Solve 解算 dx 挑战字符串,返回 base64 token。
+// key 是 requirementsToken(存在 slot 16,用作 XOR key)。
+func Solve(dx string, key string) string {
+	decoded, err := base64.StdEncoding.DecodeString(dx)
+	if err != nil {
+		return ""
+	}
+	decrypted := xorBytes(decoded, key)
+	var queue []tokenItem
+	if err := json.Unmarshal([]byte(decrypted), &queue); err != nil {
+		return ""
+	}
+	if len(queue) == 0 {
+		return ""
 	}
-	buf.WriteByte('}')
-	return buf.Bytes(), nil
-}
 
-type vmFunc func(args ...any)
+	result, ok := runWithTimeout(queue, key, nil, 500*time.Millisecond)
+	if !ok {
+		return ""
+	}
+	return result
+}
 
-func Solve(dx string, p string) string {
+// SolveWithScripts 同 Solve,但注入 <script src> 列表供 opcode 11 使用。
+func SolveWithScripts(dx string, key string, scriptSrcs []string) string {
 	decoded, err := base64.StdEncoding.DecodeString(dx)
 	if err != nil {
 		return ""
 	}
-	var tokenList []any
-	if err := json.Unmarshal([]byte(xorString(string(decoded), p)), &tokenList); err != nil {
+	decrypted := xorBytes(decoded, key)
+	var queue []tokenItem
+	if err := json.Unmarshal([]byte(decrypted), &queue); err != nil {
 		return ""
 	}
+	if len(queue) == 0 {
+		return ""
+	}
+
+	result, ok := runWithTimeout(queue, key, scriptSrcs, 500*time.Millisecond)
+	if !ok {
+		return ""
+	}
+	return result
+}
+
+// ── JSON unmarshalling for tokenItem ────────────────────────────────────────
+
+func (t *tokenItem) UnmarshalJSON(data []byte) error {
+	var raw []json.RawMessage
+	if err := json.Unmarshal(data, &raw); err != nil {
+		return err
+	}
+	if len(raw) == 0 {
+		return fmt.Errorf("empty token")
+	}
+	var opcode int
+	if err := json.Unmarshal(raw[0], &opcode); err != nil {
+		return err
+	}
+	t.opcode = opcode
+	t.args = make([]any, len(raw)-1)
+	for i, r := range raw[1:] {
+		var v any
+		if err := json.Unmarshal(r, &v); err != nil {
+			t.args[i] = nil
+		} else {
+			t.args[i] = v
+		}
+	}
+	return nil
+}
+
+// ── engine core ─────────────────────────────────────────────────────────────
+
+func newEngine(queue []tokenItem, key string, scriptSrcs []string) *engine {
+	e := &engine{
+		slots:      make(map[int]any),
+		queue:      queue,
+		scriptSrcs: scriptSrcs,
+	}
+	e.slots[opQt] = queue   // 9 — token 队列
+	e.slots[opYt] = "window" // 10
+	e.slots[opon] = key      // 16 — XOR key
+	return e
+}
+
+func (e *engine) resolve(v any) {
+	if e.resolved || e.rejected {
+		return
+	}
+	e.result = base64.StdEncoding.EncodeToString([]byte(toString(v)))
+	e.resolved = true
+}
+
+func (e *engine) reject(errMsg string) {
+	if e.resolved || e.rejected {
+		return
+	}
+	e.errMsg = base64.StdEncoding.EncodeToString([]byte(fmt.Sprintf("%d: %s", e.sn, errMsg)))
+	e.rejected = true
+}
+
+// runQueue 对齐 _n 函数:sdk.pretty.js:1279-1288
+func (e *engine) runQueue() {
+	for len(e.queue) > 0 && !e.resolved && !e.rejected {
+		item := e.queue[0]
+		e.queue = e.queue[1:]
+		e.sn++
+		e.dispatch(item)
+	}
+}
 
-	processMap := map[float64]any{}
-	startTime := time.Now()
-	result := ""
-
-	processMap[1] = vmFunc(func(args ...any) {
-		e, t := num(args, 0), num(args, 1)
-		processMap[e] = xorString(turnstileString(processMap[e]), turnstileString(processMap[t]))
-	})
-	processMap[2] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = value(args, 1)
-	})
-	processMap[3] = vmFunc(func(args ...any) {
-		result = base64.StdEncoding.EncodeToString([]byte(turnstileString(value(args, 0))))
-	})
-	processMap[5] = vmFunc(func(args ...any) {
-		e, t := num(args, 0), num(args, 1)
-		current := processMap[e]
-		incoming := processMap[t]
-		if list, ok := asList(current); ok {
-			processMap[e] = append(list, incoming)
+func (e *engine) dispatch(item tokenItem) {
+	defer func() {
+		if r := recover(); r != nil {
+			e.reject(fmt.Sprintf("panic: %v", r))
+		}
+	}()
+
+	switch item.opcode {
+	case opLt: // 0 — 启动流程(初始化)
+		// no-op: queue already running
+
+	case opJt: // 1 — slot[n] = XOR(toStr(slot[n]), toStr(slot[m]))
+		if len(item.args) < 2 {
 			return
 		}
-		if isStringOrNumber(current) || isStringOrNumber(incoming) {
-			processMap[e] = turnstileString(current) + turnstileString(incoming)
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		e.slots[n] = xorString(toString(e.slots[n]), toString(e.slots[m]))
+
+	case opGt: // 2 — slot[n] = v
+		if len(item.args) < 2 {
 			return
 		}
-		processMap[e] = "NaN"
-	})
-	processMap[6] = vmFunc(func(args ...any) {
-		e, t, n := num(args, 0), num(args, 1), num(args, 2)
-		tv, tok := processMap[t].(string)
-		nv, nok := processMap[n].(string)
-		if !tok || !nok {
+		e.slots[toInt(item.args[0])] = item.args[1]
+
+	case opWt: // 3 — resolve(btoa(toStr(slot[t])))
+		if len(item.args) < 1 {
 			return
 		}
-		joined := tv + "." + nv
-		if joined == "window.document.location" {
-			processMap[e] = "https://chatgpt.com/"
+		e.resolve(toString(e.slots[toInt(item.args[0])]))
+
+	case opZt: // 4 — reject(btoa(Sn + ": " + t))
+		if len(item.args) < 1 {
 			return
 		}
-		processMap[e] = joined
-	})
-	processMap[7] = vmFunc(func(args ...any) {
-		target := processMap[num(args, 0)]
-		values := lookup(processMap, args[1:]...)
-		if target == "window.Reflect.set" && len(values) >= 3 {
-			if obj, ok := values[0].(*orderedMap); ok {
-				obj.add(turnstileString(values[1]), values[2])
+		e.reject(toString(e.slots[toInt(item.args[0])]))
+
+	case opBt: // 5 — push 或拼接
+		if len(item.args) < 2 {
+			return
+		}
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		cur := e.slots[n]
+		inc := e.slots[m]
+		if arr, ok := cur.([]any); ok {
+			e.slots[n] = append(arr, inc)
+		} else {
+			e.slots[n] = toString(cur) + toString(inc)
+		}
+
+	case opHt: // 6 — slot[n] = toStr(slot[m])[toStr(slot[r])]
+		if len(item.args) < 3 {
+			return
+		}
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		r := toInt(item.args[2])
+		parent := toString(e.slots[m])
+		child := toString(e.slots[r])
+		prop := parent + "." + child
+		if prop == "window.document.location" {
+			e.slots[n] = "https://chatgpt.com/"
+		} else {
+			e.slots[n] = prop
+		}
+
+	case opZt7: // 7 — 通用调用 slot[n](...args.map(toString))
+		if len(item.args) < 1 {
+			return
+		}
+		target := e.slots[toInt(item.args[0])]
+		args := make([]any, len(item.args)-1)
+		for i, a := range item.args[1:] {
+			args[i] = toString(e.slots[toInt(a)])
+		}
+		if s, ok := target.(string); ok {
+			e.nativeCall(s, args)
+		}
+
+	case opKt: // 8 — slot[n] = toStr(slot[m])
+		if len(item.args) < 2 {
+			return
+		}
+		e.slots[toInt(item.args[0])] = toString(e.slots[toInt(item.args[1])])
+
+	case opQt: // 9 — 队列引用(不执行)
+	case opYt: // 10 — window 对象(不执行)
+
+	case opXt: // 11 — 扫 document.scripts 匹配 c/[^/]*/_
+		if len(item.args) < 1 {
+			return
+		}
+		n := toInt(item.args[0])
+		found := ""
+		for _, src := range e.scriptSrcs {
+			if matchScriptBuild(src) {
+				found = src
+				break
 			}
+		}
+		if found == "" {
+			found = "prod-81e0c5cdf6140e8c5db714d613337f4aeab94029"
+		}
+		e.slots[n] = found
+
+	case optn: // 12 — slot[t] = Cn(self reference)
+		if len(item.args) < 1 {
 			return
 		}
-		if fn, ok := target.(vmFunc); ok {
-			fn(values...)
+		e.slots[toInt(item.args[0])] = "self"
+
+	case opnn: // 13 — (reserved)
+	case open: // 14 — slot[n] = JSON.parse(slot[m])
+		if len(item.args) < 2 {
+			return
 		}
-	})
-	processMap[8] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = processMap[num(args, 1)]
-	})
-	processMap[9] = tokenList
-	processMap[10] = "window"
-	processMap[14] = vmFunc(func(args ...any) {
+		n := toInt(item.args[0])
+		raw := toString(e.slots[toInt(item.args[1])])
 		var v any
-		if err := json.Unmarshal([]byte(turnstileString(processMap[num(args, 1)])), &v); err == nil {
-			processMap[num(args, 0)] = v
-		}
-	})
-	processMap[15] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = jsonDumps(processMap[num(args, 1)])
-	})
-	processMap[16] = p
-	processMap[17] = vmFunc(func(args ...any) {
-		e := num(args, 0)
-		target := processMap[num(args, 1)]
-		callArgs := lookup(processMap, args[2:]...)
-		switch target {
-		case "window.performance.now":
-			processMap[e] = float64(time.Since(startTime).Nanoseconds())/1e6 + rand.Float64()/1e6
-		case "window.Object.create":
-			processMap[e] = newOrderedMap()
-		case "window.Object.keys":
-			if len(callArgs) > 0 && callArgs[0] == "window.localStorage" {
-				processMap[e] = []any{
-					"STATSIG_LOCAL_STORAGE_INTERNAL_STORE_V4",
-					"STATSIG_LOCAL_STORAGE_STABLE_ID",
-					"client-correlated-secret",
-					"oai/apps/capExpiresAt",
-					"oai-did",
-					"STATSIG_LOCAL_STORAGE_LOGGING_REQUEST",
-					"UiState.isNavigationCollapsed.1",
+		if json.Unmarshal([]byte(raw), &v) == nil {
+			e.slots[n] = v
+		}
+
+	case oprn: // 15 — slot[n] = JSON.stringify(slot[m])
+		if len(item.args) < 2 {
+			return
+		}
+		n := toInt(item.args[0])
+		b, err := json.Marshal(e.slots[toInt(item.args[1])])
+		if err == nil {
+			e.slots[n] = string(b)
+		}
+
+	case opon: // 16 — XOR key 常量(已在 newEngine 设置)
+	case opcn: // 17 — 异步安全调用
+		if len(item.args) < 2 {
+			return
+		}
+		n := toInt(item.args[0])
+		target := e.slots[toInt(item.args[1])]
+		args := make([]any, len(item.args)-2)
+		for i, a := range item.args[2:] {
+			args[i] = toString(e.slots[toInt(a)])
+		}
+		func() {
+			defer func() {
+				if r := recover(); r != nil {
+					e.slots[n] = fmt.Sprintf("%v", r)
 				}
+			}()
+			if s, ok := target.(string); ok {
+				e.nativeCall(s, args)
 			}
-		case "window.Math.random":
-			processMap[e] = rand.Float64()
-		default:
-			if fn, ok := target.(vmFunc); ok {
-				fn(callArgs...)
+		}()
+
+	case opsn: // 18 — slot[n] = atob(slot[n])
+		if len(item.args) < 1 {
+			return
+		}
+		n := toInt(item.args[0])
+		raw := toString(e.slots[n])
+		if dec, err := base64.StdEncoding.DecodeString(raw); err == nil {
+			e.slots[n] = string(dec)
+		}
+
+	case opun: // 19 — slot[n] = btoa(slot[n])
+		if len(item.args) < 1 {
+			return
+		}
+		n := toInt(item.args[0])
+		e.slots[n] = base64.StdEncoding.EncodeToString([]byte(toString(e.slots[n])))
+
+	case opfn: // 20 — m === n ? r(...o) : null
+		if len(item.args) < 3 {
+			return
+		}
+		eq := toInt(item.args[0])
+		val := toInt(item.args[1])
+		if eq != val {
+			return
+		}
+		fnSlot := toInt(item.args[2])
+		if fn, ok := e.slots[fnSlot].(string); ok {
+			args := make([]any, len(item.args)-3)
+			for i, a := range item.args[3:] {
+				args[i] = toString(e.slots[toInt(a)])
 			}
+			e.nativeCall(fn, args)
 		}
-	})
-	processMap[18] = vmFunc(func(args ...any) {
-		if decoded, err := base64.StdEncoding.DecodeString(turnstileString(processMap[num(args, 0)])); err == nil {
-			processMap[num(args, 0)] = string(decoded)
-		}
-	})
-	processMap[19] = vmFunc(func(args ...any) {
-		processMap[num(args, 0)] = base64.StdEncoding.EncodeToString([]byte(turnstileString(processMap[num(args, 0)])))
-	})
-	processMap[20] = vmFunc(func(args ...any) {
-		e, t, n := num(args, 0), num(args, 1), num(args, 2)
-		if !equal(processMap[e], processMap[t]) {
+
+	case opln: // 21 — abs(a-b) > c ? r(...args) : null (NOP in practice)
+	case opdn: // 22 — 闭包作用域: save Qt → push args → run → restore Qt
+		if len(item.args) < 2 {
 			return
 		}
-		if fn, ok := processMap[n].(vmFunc); ok {
-			fn(lookup(processMap, args[3:]...)...)
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		closure, ok := e.slots[m].([]tokenItem)
+		if !ok {
+			return
 		}
-	})
-	processMap[21] = vmFunc(func(args ...any) {})
-	processMap[23] = vmFunc(func(args ...any) {
-		if processMap[num(args, 0)] == nil {
+		// _n 的闭包逻辑:保存队列 → 追加闭包内容 → 执行 → 恢复
+		saved := e.queue
+		e.queue = append([]tokenItem{}, closure...)
+		e.runQueue()
+		e.queue = saved
+		_ = n // n 在某些用法中存储结果,但主要靠副作用
+
+	case opan: // 23 — undefined !== n ? m(...args) : null
+		if len(item.args) < 2 {
 			return
 		}
-		if fn, ok := processMap[num(args, 1)].(vmFunc); ok {
-			fn(args[2:]...)
+		n := toInt(item.args[0])
+		if e.slots[n] == nil {
+			return
 		}
-	})
-	processMap[24] = vmFunc(func(args ...any) {
-		tv, tok := processMap[num(args, 1)].(string)
-		nv, nok := processMap[num(args, 2)].(string)
-		if tok && nok {
-			processMap[num(args, 0)] = tv + "." + nv
+		m := toInt(item.args[1])
+		if fn, ok := e.slots[m].(string); ok {
+			args := make([]any, len(item.args)-2)
+			for i, a := range item.args[2:] {
+				args[i] = toString(e.slots[toInt(a)])
+			}
+			e.nativeCall(fn, args)
 		}
-	})
 
-	for _, token := range tokenList {
-		items, ok := asList(token)
-		if !ok || len(items) == 0 {
-			continue
+	case opVt: // 24 — slot[n] = slot[m][slot[r]].bind(slot[m])
+		if len(item.args) < 3 {
+			return
 		}
-		fn, ok := processMap[toFloat(items[0])].(vmFunc)
-		if !ok {
-			continue
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		r := toInt(item.args[2])
+		e.slots[n] = &nativeBoundMethod{
+			method: toString(e.slots[r]),
+			bound:  toString(e.slots[m]),
+		}
+
+	case ophn, opin, opwn: // 25, 26, 28 — NOP
+
+	case opmn: // 27 — splice(0,1) 或数值减
+		if len(item.args) < 2 {
+			return
+		}
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		if arr, ok := e.slots[n].([]any); ok && len(arr) > 0 {
+			e.slots[n] = arr[1:]
+			e.slots[m] = arr[0]
+		} else {
+			a := toFloat64(e.slots[n])
+			b := toFloat64(e.slots[m])
+			e.slots[n] = a - b
+		}
+
+	case opyn: // 29 — slot[n] = toStr(m) < toStr(r)
+		if len(item.args) < 3 {
+			return
+		}
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		r := toInt(item.args[2])
+		e.slots[n] = toString(e.slots[m]) < toString(e.slots[r])
+
+	case opgn: // 30 — 可重入 push
+		if len(item.args) < 2 {
+			return
+		}
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		cur := e.slots[n]
+		if arr, ok := cur.([]any); ok {
+			e.slots[n] = append(arr, e.slots[m])
+		} else {
+			e.slots[n] = []any{cur, e.slots[m]}
+		}
+
+	case op31, op32: // 31, 32 — NOP
+
+	case opvn: // 33 — slot[n] = Number(m) * Number(r)
+		if len(item.args) < 3 {
+			return
+		}
+		n := toInt(item.args[0])
+		e.slots[n] = toFloat64(e.slots[toInt(item.args[1])]) * toFloat64(e.slots[toInt(item.args[2])])
+
+	case opbn: // 34 — Promise.resolve(slot[m]).then(slot[n] = result)
+		if len(item.args) < 2 {
+			return
+		}
+		n := toInt(item.args[0])
+		m := toInt(item.args[1])
+		e.slots[n] = e.slots[m]
+
+	case opkn: // 35 — slot[n] = Number(m) / Number(r) (除零保护)
+		if len(item.args) < 3 {
+			return
+		}
+		n := toInt(item.args[0])
+		divisor := toFloat64(e.slots[toInt(item.args[2])])
+		if divisor == 0 {
+			e.slots[n] = math.NaN()
+		} else {
+			e.slots[n] = toFloat64(e.slots[toInt(item.args[1])]) / divisor
 		}
-		func() {
-			defer func() { _ = recover() }()
-			fn(items[1:]...)
-		}()
 	}
-	return result
 }
 
-func turnstileString(v any) string {
-	if v == nil {
-		return "undefined"
+// ── native call dispatch ────────────────────────────────────────────────────
+
+func (e *engine) nativeCall(target string, args []any) {
+	switch target {
+	case "window.performance.now":
+		n := toInt(args[0])
+		e.slots[n] = float64(time.Now().UnixNano())/1e6 + rand.Float64()/1e6
+
+	case "window.Object.create":
+		n := toInt(args[0])
+		e.slots[n] = newOrderedMap()
+
+	case "window.Object.keys":
+		if len(args) < 2 {
+			return
+		}
+		n := toInt(args[0])
+		v := args[1]
+		if s, ok := v.(string); ok && s == "window.localStorage" {
+			e.slots[n] = []any{
+				"STATSIG_LOCAL_STORAGE_INTERNAL_STORE_V4",
+				"STATSIG_LOCAL_STORAGE_STABLE_ID",
+				"client-correlated-secret",
+				"oai/apps/capExpiresAt",
+				"oai-did",
+				"STATSIG_LOCAL_STORAGE_LOGGING_REQUEST",
+				"UiState.isNavigationCollapsed.1",
+			}
+		} else if om, ok := v.(*orderedMap); ok {
+			keys := make([]any, len(om.keys))
+			for i, k := range om.keys {
+				keys[i] = k
+			}
+			e.slots[n] = keys
+		}
+
+	case "window.Math.random":
+		n := toInt(args[0])
+		e.slots[n] = rand.Float64()
+
+	case "window.Reflect.set":
+		if len(args) >= 3 {
+			if obj, ok := args[0].(*orderedMap); ok {
+				obj.add(toString(args[1]), args[2])
+			}
+		}
+
+	case "window.String.fromCharCode":
+		if len(args) >= 2 {
+			n := toInt(args[0])
+			codes := make([]byte, len(args)-1)
+			for i, a := range args[1:] {
+				codes[i] = byte(toFloat64FromString(fmt.Sprint(a)))
+			}
+			e.slots[n] = string(codes)
+		}
+
+	case "window.Array.isArray":
+		if len(args) >= 2 {
+			n := toInt(args[0])
+			_, ok := args[1].([]any)
+			e.slots[n] = ok
+		}
+
+	default:
+		// 未知 native:安全忽略
 	}
-	if s, ok := v.(string); ok {
-		switch s {
-		case "window.Math":
-			return "[object Math]"
-		case "window.Reflect":
-			return "[object Reflect]"
-		case "window.performance":
-			return "[object Performance]"
-		case "window.localStorage":
-			return "[object Storage]"
-		case "window.Object":
-			return "function Object() { [native code] }"
-		case "window.Reflect.set":
-			return "function set() { [native code] }"
-		case "window.performance.now":
-			return "function () { [native code] }"
-		case "window.Object.create":
-			return "function create() { [native code] }"
-		case "window.Object.keys":
-			return "function keys() { [native code] }"
-		case "window.Math.random":
-			return "function random() { [native code] }"
-		default:
-			return s
-		}
-	}
-	if list, ok := asList(v); ok && allStrings(list) {
-		parts := make([]string, 0, len(list))
-		for _, item := range list {
-			parts = append(parts, turnstileString(item))
+}
+
+// ── timeout wrapper ─────────────────────────────────────────────────────────
+
+func runWithTimeout(queue []tokenItem, key string, scriptSrcs []string, timeout time.Duration) (string, bool) {
+	type result struct {
+		value string
+		ok    bool
+	}
+	ch := make(chan result, 1)
+	go func() {
+		e := newEngine(queue, key, scriptSrcs)
+		e.runQueue()
+		if e.resolved {
+			ch <- result{e.result, true}
+		} else if e.rejected {
+			ch <- result{e.errMsg, false}
+		} else {
+			ch <- result{"", false}
 		}
-		return strings.Join(parts, ",")
+	}()
+
+	select {
+	case r := <-ch:
+		return r.value, r.ok
+	case <-time.After(timeout):
+		return "", false
 	}
-	if n, ok := v.(float64); ok {
-		return strconv.FormatFloat(n, 'f', -1, 64)
+}
+
+// ── orderedMap (Reflect.set / Object.create 目标) ───────────────────────────
+
+type orderedMap struct {
+	keys   []string
+	values map[string]any
+}
+
+func newOrderedMap() *orderedMap {
+	return &orderedMap{values: make(map[string]any)}
+}
+
+func (m *orderedMap) add(key string, value any) {
+	if _, ok := m.values[key]; !ok {
+		m.keys = append(m.keys, key)
 	}
-	if b, ok := v.(bool); ok {
-		if b {
-			return "True"
+	m.values[key] = value
+}
+
+func (m *orderedMap) MarshalJSON() ([]byte, error) {
+	var b strings.Builder
+	b.WriteByte('{')
+	for i, k := range m.keys {
+		if i > 0 {
+			b.WriteByte(',')
 		}
-		return "False"
+		kb, _ := json.Marshal(k)
+		vb, _ := json.Marshal(m.values[k])
+		b.Write(kb)
+		b.WriteByte(':')
+		b.Write(vb)
 	}
-	return fmt.Sprint(v)
+	b.WriteByte('}')
+	return []byte(b.String()), nil
 }
 
-func xorString(text string, key string) string {
+// ── helpers ─────────────────────────────────────────────────────────────────
+
+func xorBytes(data []byte, key string) []byte {
 	if key == "" {
-		return text
+		return data
 	}
-	out := []rune(text)
-	keyRunes := []rune(key)
-	for i, ch := range out {
-		out[i] = ch ^ keyRunes[i%len(keyRunes)]
+	keyBytes := []byte(key)
+	out := make([]byte, len(data))
+	for i, b := range data {
+		out[i] = b ^ keyBytes[i%len(keyBytes)]
 	}
-	return string(out)
+	return out
 }
 
-func jsonDumps(v any) string {
-	return pyJSONDumps(v)
+func xorString(text, key string) string {
+	if key == "" {
+		return text
+	}
+	return string(xorBytes([]byte(text), key))
 }
 
-func pyJSONDumps(v any) string {
-	switch typed := v.(type) {
+func toString(v any) string {
+	if v == nil {
+		return "undefined"
+	}
+	switch s := v.(type) {
+	case string:
+		return toNativeString(s)
+	case *nativeBoundMethod:
+		return "function " + s.method + "() { [native code] }"
 	case *orderedMap:
-		b, _ := typed.MarshalJSON()
-		return string(b)
+		return "[object Object]"
 	case []any:
-		parts := make([]string, 0, len(typed))
-		for _, item := range typed {
-			parts = append(parts, pyJSONDumps(item))
-		}
-		return "[" + strings.Join(parts, ", ") + "]"
-	case map[string]any:
-		parts := make([]string, 0, len(typed))
-		for key, item := range typed {
-			keyBytes, _ := json.Marshal(key)
-			parts = append(parts, string(keyBytes)+": "+pyJSONDumps(item))
-		}
-		return "{" + strings.Join(parts, ", ") + "}"
+		parts := make([]string, len(s))
+		for i, item := range s {
+			parts[i] = toString(item)
+		}
+		return strings.Join(parts, ",")
+	case float64:
+		if s == math.Trunc(s) && !math.IsInf(s, 0) {
+			return fmt.Sprintf("%d", int64(s))
+		}
+		return fmt.Sprintf("%g", s)
+	case bool:
+		if s {
+			return "true"
+		}
+		return "false"
+	case json.Number:
+		return s.String()
 	default:
-		b, _ := json.Marshal(v)
-		return string(b)
+		return fmt.Sprintf("%v", v)
 	}
 }
 
-func value(args []any, index int) any {
-	if index >= len(args) {
-		return nil
+func toNativeString(s string) string {
+	switch s {
+	case "window.Math":
+		return "[object Math]"
+	case "window.Reflect":
+		return "[object Reflect]"
+	case "window.performance":
+		return "[object Performance]"
+	case "window.localStorage":
+		return "[object Storage]"
+	case "window.Object":
+		return "function Object() { [native code] }"
+	case "window.Reflect.set":
+		return "function set() { [native code] }"
+	case "window.performance.now":
+		return "function () { [native code] }"
+	case "window.Object.create":
+		return "function create() { [native code] }"
+	case "window.Object.keys":
+		return "function keys() { [native code] }"
+	case "window.Math.random":
+		return "function random() { [native code] }"
+	default:
+		return s
 	}
-	return args[index]
 }
 
-func num(args []any, index int) float64 {
-	return toFloat(value(args, index))
+func toInt(v any) int {
+	switch n := v.(type) {
+	case float64:
+		return int(n)
+	case int:
+		return n
+	case json.Number:
+		f, _ := n.Float64()
+		return int(f)
+	default:
+		return 0
+	}
 }
 
-func toFloat(v any) float64 {
+func toFloat64(v any) float64 {
 	switch n := v.(type) {
 	case float64:
 		return n
@@ -320,44 +749,43 @@ func toFloat(v any) float64 {
 	}
 }
 
-func lookup(processMap map[float64]any, args ...any) []any {
-	values := make([]any, 0, len(args))
-	for _, arg := range args {
-		values = append(values, processMap[toFloat(arg)])
-	}
-	return values
-}
-
-func asList(v any) ([]any, bool) {
-	switch list := v.(type) {
-	case []any:
-		return list, true
-	default:
-		return nil, false
-	}
+func toFloat64FromString(s string) float64 {
+	var f float64
+	fmt.Sscanf(s, "%f", &f)
+	return f
 }
 
-func allStrings(list []any) bool {
-	for _, item := range list {
-		if _, ok := item.(string); !ok {
+// matchScriptBuild 检查 script src 是否匹配 c/[^/]*/_ 模式(Xt opcode 用)
+func matchScriptBuild(src string) bool {
+	// 简化:查找 "c/" 后跟非 "/" 字符再跟 "/_" 的模式
+	idx := strings.Index(src, "/c/")
+	if idx < 0 {
+		idx = strings.Index(src, "c/")
+		if idx < 0 {
 			return false
 		}
+	} else {
+		idx++ // skip leading /
 	}
-	return true
-}
-
-func isStringOrNumber(v any) bool {
-	switch v.(type) {
-	case string, float64:
-		return true
-	default:
+	rest := src[idx+2:] // after "c/"
+	slashIdx := strings.Index(rest, "/")
+	if slashIdx <= 0 {
 		return false
 	}
+	afterSlash := rest[slashIdx:]
+	return strings.HasPrefix(afterSlash, "/_")
 }
 
-func equal(a any, b any) bool {
-	if af, ok := a.(float64); ok {
-		return af == toFloat(b)
+// ── SolveProofToken stub (Phase E: 将在集成时更新) ──────────────────────────
+
+// SolveProofTokenForTurnstile 用 turnstile 引擎解算 proof token。
+// 如果 dx 非空则走 VM;否则返回空(调用方回退到旧逻辑)。
+func SolveProofTokenForTurnstile(dx, key string) string {
+	if dx == "" {
+		return ""
 	}
-	return fmt.Sprint(a) == fmt.Sprint(b)
+	return Solve(dx, key)
 }
+
+// unused suppression for context import
+var _ = context.Background
diff --git a/internal/turnstile/turnstile_test.go b/internal/turnstile/turnstile_test.go
new file mode 100644
index 000000000..237747c1c
--- /dev/null
+++ b/internal/turnstile/turnstile_test.go
@@ -0,0 +1,252 @@
+package turnstile
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"os"
+	"strings"
+	"testing"
+)
+
+// TestSolveWithRealDX 用真实 dx 字符串验证 VM 能解出非空 token。
+func TestSolveWithRealDX(t *testing.T) {
+	dxBytes, err := os.ReadFile("../../dx.txt")
+	if err != nil {
+		t.Skip("dx.txt not found, skipping")
+	}
+	dx := strings.TrimSpace(string(dxBytes))
+	dx = strings.Trim(dx, `"`)
+
+	// 尝试用空 key 解码(验证 JSON 结构)
+	decoded, err := base64.StdEncoding.DecodeString(dx)
+	if err != nil {
+		t.Fatalf("base64 decode failed: %v", err)
+	}
+	t.Logf("dx decoded length: %d bytes", len(decoded))
+
+	// 尝试空 key
+	result := Solve(dx, "")
+	t.Logf("Solve(dx, '') => len=%d", len(result))
+	if result != "" {
+		raw, _ := base64.StdEncoding.DecodeString(result)
+		t.Logf("Solve(dx, '') result decoded: %s", string(raw))
+	}
+
+	// 尝试一些常见 key
+	keys := []string{
+		"0.123456789",
+		"test",
+		"wQ8Lk5FbGpA2NcR9dShT6gYjU7VxZ4D",
+	}
+	for _, key := range keys {
+		r := Solve(dx, key)
+		if r != "" {
+			raw, _ := base64.StdEncoding.DecodeString(r)
+			t.Logf("Solve(dx, '%s') => %s", key, string(raw))
+		}
+	}
+}
+
+// TestXORDecode 验证 XOR 解码后能否得到合法 JSON。
+func TestXORDecode(t *testing.T) {
+	dxBytes, err := os.ReadFile("../../dx.txt")
+	if err != nil {
+		t.Skip("dx.txt not found")
+	}
+	dx := strings.TrimSpace(string(dxBytes))
+	dx = strings.Trim(dx, `"`)
+	decoded, err := base64.StdEncoding.DecodeString(dx)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// 用空 key 看看是否是合法 JSON
+	noXor := string(decoded)
+	if json.Valid([]byte(noXor)) {
+		t.Log("dx decoded is valid JSON without XOR!")
+		var queue []tokenItem
+		if err := json.Unmarshal([]byte(noXor), &queue); err == nil {
+			t.Logf("Parsed %d tokens without XOR", len(queue))
+			for i, tok := range queue {
+				if i >= 5 {
+					t.Log("...")
+					break
+				}
+				t.Logf("  token[%d]: opcode=%d args=%v", i, tok.opcode, tok.args)
+			}
+		}
+		return
+	}
+
+	// 尝试逐字节统计
+	var printable, nonPrintable int
+	for _, b := range decoded {
+		if b >= 32 && b < 127 {
+			printable++
+		} else {
+			nonPrintable++
+		}
+	}
+	t.Logf("Without XOR: printable=%d non-printable=%d total=%d", printable, nonPrintable, len(decoded))
+
+	// 尝试各种 key 做 XOR
+	keyCandidates := []string{
+		"",
+		"0.123456789",
+		"test",
+		"wQ8Lk5FbGpA2NcR9dShT6gYjU7VxZ4D",
+	}
+	for _, key := range keyCandidates {
+		xored := xorBytes(decoded, key)
+		p, np := 0, 0
+		for _, b := range xored {
+			if b >= 32 && b < 127 {
+				p++
+			} else {
+				np++
+			}
+		}
+		valid := json.Valid(xored)
+		t.Logf("key='%s' printable=%d non-printable=%d valid_json=%v", key, p, np, valid)
+		if valid {
+			var queue []tokenItem
+			if err := json.Unmarshal(xored, &queue); err == nil {
+				t.Logf("  => %d tokens parsed!", len(queue))
+				for i, tok := range queue {
+					if i >= 3 {
+						t.Log("  ...")
+						break
+					}
+					t.Logf("    token[%d]: opcode=%d args_len=%d", i, tok.opcode, len(tok.args))
+				}
+			}
+		}
+	}
+}
+
+// TestOpcodes 基础 opcode 单元测试。
+func TestOpcodes(t *testing.T) {
+	tests := []struct {
+		name   string
+		queue  []tokenItem
+		key    string
+		expect string // expected base64-decoded result
+	}{
+		{
+			name: "opcode 2 assign + opcode 3 resolve",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, "hello"}},
+				{opcode: opWt, args: []any{100.0}},
+			},
+			expect: "hello",
+		},
+		{
+			name: "opcode 1 XOR + opcode 3 resolve",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, "abc"}},
+				{opcode: opGt, args: []any{101.0, "key"}},
+				{opcode: opJt, args: []any{100.0, 101.0}},
+				{opcode: opWt, args: []any{100.0}},
+			},
+			expect: "\n\a\x1a", // XOR("abc","key") = 0x61^0x6b, 0x62^0x65, 0x63^0x79
+		},
+		{
+			name: "opcode 4 reject",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, "error_msg"}},
+				{opcode: opZt, args: []any{100.0}},
+			},
+			expect: "", // rejected, not resolved
+		},
+		{
+			name: "opcode 8 toString",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, 42.0}},
+				{opcode: opKt, args: []any{101.0, 100.0}},
+				{opcode: opWt, args: []any{101.0}},
+			},
+			expect: "42",
+		},
+		{
+			name: "opcode 5 string concat",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, "hello"}},
+				{opcode: opGt, args: []any{101.0, " world"}},
+				{opcode: opBt, args: []any{100.0, 101.0}},
+				{opcode: opWt, args: []any{100.0}},
+			},
+			expect: "hello world",
+		},
+		{
+			name: "opcode 19 btoa + opcode 3 resolve",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, "test"}},
+				{opcode: opun, args: []any{100.0}},
+				{opcode: opWt, args: []any{100.0}},
+			},
+			expect: "dGVzdA==",
+		},
+		{
+			name: "opcode 33 multiply",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, 6.0}},
+				{opcode: opGt, args: []any{101.0, 7.0}},
+				{opcode: opvn, args: []any{102.0, 100.0, 101.0}},
+				{opcode: opWt, args: []any{102.0}},
+			},
+			expect: "42",
+		},
+		{
+			name: "opcode 35 divide",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, 84.0}},
+				{opcode: opGt, args: []any{101.0, 2.0}},
+				{opcode: opkn, args: []any{102.0, 100.0, 101.0}},
+				{opcode: opWt, args: []any{102.0}},
+			},
+			expect: "42",
+		},
+		{
+			name: "opcode 35 divide by zero",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, 1.0}},
+				{opcode: opGt, args: []any{101.0, 0.0}},
+				{opcode: opkn, args: []any{102.0, 100.0, 101.0}},
+				{opcode: opWt, args: []any{102.0}},
+			},
+			expect: "NaN",
+		},
+		{
+			name: "opcode 29 less-than",
+			queue: []tokenItem{
+				{opcode: opGt, args: []any{100.0, "a"}},
+				{opcode: opGt, args: []any{101.0, "b"}},
+				{opcode: opyn, args: []any{102.0, 100.0, 101.0}},
+				{opcode: opWt, args: []any{102.0}},
+			},
+			expect: "true",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result, ok := runWithTimeout(tt.queue, tt.key, nil, 500)
+			if tt.expect == "" {
+				if ok {
+					t.Errorf("expected rejected, got resolved: %s", result)
+				}
+				return
+			}
+			if !ok {
+				t.Fatal("expected resolved, got rejected/timeout")
+			}
+			decoded, err := base64.StdEncoding.DecodeString(result)
+			if err != nil {
+				t.Fatalf("result is not valid base64: %v", err)
+			}
+			if string(decoded) != tt.expect {
+				t.Errorf("got %q, want %q", string(decoded), tt.expect)
+			}
+		})
+	}
+}
diff --git a/typings/chatgpt/request.go b/typings/chatgpt/request.go
index e4a1ac920..ece22c576 100644
--- a/typings/chatgpt/request.go
+++ b/typings/chatgpt/request.go
@@ -34,11 +34,11 @@ type ChatGPTRequest struct {
 	TimezoneOffsetMin                int                    `json:"timezone_offset_min"`
 	Timezone                         string                 `json:"timezone"`
 	ConversationMode                 map[string]string      `json:"conversation_mode"`
-	EnableMessageFollowups           bool                   `json:"enable_message_followups"`
+	EnableMessageFollowups           bool                   `json:"enable_message_followups,omitempty"`
 	SystemHints                      []string               `json:"system_hints"`
-	SupportsBuffering                bool                   `json:"supports_buffering"`
-	SupportedEncodings               []string               `json:"supported_encodings"`
-	ClientContextualInfo             map[string]interface{} `json:"client_contextual_info"`
+	SupportsBuffering                bool                   `json:"supports_buffering,omitempty"`
+	SupportedEncodings               []string               `json:"supported_encodings,omitempty"`
+	ClientContextualInfo             map[string]interface{} `json:"client_contextual_info,omitempty"`
 	Suggestions                      []interface{}          `json:"suggestions,omitempty"`
 	HistoryAndTrainingDisabled       bool                   `json:"history_and_training_disabled"`
 	ParagenCotSummaryDisplayOverride string                 `json:"paragen_cot_summary_display_override"`
@@ -59,20 +59,7 @@ func NewChatGPTRequest() ChatGPTRequest {
 		TimezoneOffsetMin:          -480,
 		Timezone:                   "Asia/Shanghai",
 		ConversationMode:           map[string]string{"kind": "primary_assistant"},
-		EnableMessageFollowups:     true,
 		SystemHints:                []string{},
-		SupportsBuffering:          true,
-		SupportedEncodings:         []string{"v1"},
-		ClientContextualInfo: map[string]interface{}{
-			"is_dark_mode":      false,
-			"time_since_loaded": 0,
-			"page_height":       1014,
-			"page_width":        1055,
-			"pixel_ratio":       1,
-			"screen_height":     1080,
-			"screen_width":      1920,
-			"app_name":          "chatgpt.com",
-		},
 		ParagenCotSummaryDisplayOverride: "allow",
 		ForceParallelSwitch:              "auto",
 		ThinkingEffort:                   "standard",
diff --git a/typings/official/request.go b/typings/official/request.go
index 5cf6048cf..3a31284b3 100644
--- a/typings/official/request.go
+++ b/typings/official/request.go
@@ -27,6 +27,7 @@ type MessageContent struct {
 type MessageContentPart struct {
 	Type     string          `json:"type"`
 	Text     string          `json:"text,omitempty"`
+	ImageURL *ImageURLDetail `json:"image_url,omitempty"`
 	FileID   string          `json:"file_id,omitempty"`
 	FileName string          `json:"filename,omitempty"`
 	Name     string          `json:"name,omitempty"`
@@ -38,6 +39,11 @@ type MessageContentPart struct {
 	File     *FileAttachment `json:"file,omitempty"`
 }
 
+type ImageURLDetail struct {
+	URL    string `json:"url"`
+	Detail string `json:"detail,omitempty"`
+}
+
 type FileAttachment struct {
 	ID            string `json:"id,omitempty"`
 	FileID        string `json:"file_id,omitempty"`
@@ -108,6 +114,18 @@ func (c MessageContent) Files() []FileAttachment {
 	var files []FileAttachment
 	for _, part := range c.Parts {
 		partType := strings.TrimSpace(part.Type)
+		if partType == "image_url" && part.ImageURL != nil && part.ImageURL.URL != "" {
+			files = append(files, FileAttachment{
+				ID:       part.ImageURL.URL,
+				FileID:   part.ImageURL.URL,
+				Name:     guessImageFilename(part.ImageURL.URL),
+				Filename: guessImageFilename(part.ImageURL.URL),
+				MimeType: guessImageMime(part.ImageURL.URL),
+				MIMEType: guessImageMime(part.ImageURL.URL),
+				Source:   part.ImageURL.URL,
+			})
+			continue
+		}
 		if partType != "file" && partType != "input_file" && partType != "image" && partType != "input_image" {
 			continue
 		}
@@ -134,6 +152,45 @@ func (c MessageContent) Files() []FileAttachment {
 	return files
 }
 
+func guessImageFilename(url string) string {
+	if strings.HasPrefix(url, "data:") {
+		return "image.png"
+	}
+	idx := strings.LastIndex(url, "/")
+	if idx >= 0 && idx < len(url)-1 {
+		name := url[idx+1:]
+		if q := strings.Index(name, "?"); q >= 0 {
+			name = name[:q]
+		}
+		if name != "" {
+			return name
+		}
+	}
+	return "image.png"
+}
+
+func guessImageMime(url string) string {
+	if strings.HasPrefix(url, "data:") {
+		end := strings.Index(url, ";")
+		if end > 5 {
+			return url[5:end]
+		}
+	}
+	lower := strings.ToLower(url)
+	switch {
+	case strings.Contains(lower, ".png"):
+		return "image/png"
+	case strings.Contains(lower, ".jpg") || strings.Contains(lower, ".jpeg"):
+		return "image/jpeg"
+	case strings.Contains(lower, ".webp"):
+		return "image/webp"
+	case strings.Contains(lower, ".gif"):
+		return "image/gif"
+	default:
+		return "image/png"
+	}
+}
+
 func (m APIMessage) Text() string {
 	return m.Content.Text()
 }
diff --git a/util/useragent.go b/util/useragent.go
index d7d561c43..3dc6e7819 100644
--- a/util/useragent.go
+++ b/util/useragent.go
@@ -16,45 +16,19 @@ type userAgentSpec struct {
 	Family     string
 }
 
-// 模板覆盖 Chrome / Edge / Firefox / Safari 四大主流桌面浏览器，
-// 版本号在 [MinVersion, MaxVersion] 闭区间内随机。
+// 模板限定为 Edge（Windows）一族。
+//
+// 为什么不能用其他浏览器：internal/chatgpt 的 createBaseHeaderForState 同时
+// 写死了 sec-ch-ua = "Microsoft Edge";v="146"，如果 user-agent 跟 sec-ch-ua
+// 不一致，Cloudflare/ChatGPT 一眼就能看出是脚本客户端。版本号在
+// [MinVersion, MaxVersion] 闭区间内随机，仍然保留一定的指纹多样性。
 var userAgentSpecs = []userAgentSpec{
-	{
-		Template:   "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.0.0.0 Safari/537.36",
-		MinVersion: 120,
-		MaxVersion: 147,
-		Family:     "Chrome-Win",
-	},
-	{
-		Template:   "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.0.0.0 Safari/537.36",
-		MinVersion: 120,
-		MaxVersion: 147,
-		Family:     "Chrome-Mac",
-	},
 	{
 		Template:   "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/%d.0.0.0 Safari/537.36 Edg/%d.0.0.0",
 		MinVersion: 120,
 		MaxVersion: 147,
 		Family:     "Edge-Win",
 	},
-	{
-		Template:   "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:%d.0) Gecko/20100101 Firefox/%d.0",
-		MinVersion: 120,
-		MaxVersion: 132,
-		Family:     "Firefox-Win",
-	},
-	{
-		Template:   "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:%d.0) Gecko/20100101 Firefox/%d.0",
-		MinVersion: 120,
-		MaxVersion: 132,
-		Family:     "Firefox-Mac",
-	},
-	{
-		Template:   "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/%d.0 Safari/605.1.15",
-		MinVersion: 17,
-		MaxVersion: 18,
-		Family:     "Safari-Mac",
-	},
 }
 
 var (