fix: resolve runtime bugs (i18n export, chat crypto, async getUser, event leak) and remove dead code

js/services/pow-captcha.js

@@ -2,9 +2,9 @@
 // Client must find nonce where SHA256(challenge + nonce) has N leading zeros
 
 const DIFFICULTY = 4 // Number of leading zeros required (4 = ~65k attempts avg)
-const CHALLENGE_EXPIRY = 5 * 60 * 1000 // 5 minutes
 
-// Generate a challenge (call this from your API/backend)
+// TODO: Replace with a server-side endpoint. Currently generates challenge
+// client-side with a btoa() "signature" that provides no real security.
 export function generateChallenge() {
   const challenge = crypto.randomUUID()
   const timestamp = Date.now()
@@ -12,35 +12,10 @@ export function generateChallenge() {
     challenge,
     difficulty: DIFFICULTY,
     timestamp,
-    // Sign to prevent tampering (simple HMAC alternative)
     signature: btoa(`${challenge}:${timestamp}:${DIFFICULTY}`)
   }
 }
 
-// Verify solution (call this from your API/backend)
-export async function verifySolution(challenge, nonce, signature, timestamp) {
-  // Check expiry
-  if (Date.now() - timestamp > CHALLENGE_EXPIRY) {
-    return { valid: false, error: 'Challenge expired' }
-  }
-
-  // Verify signature
-  const expectedSig = btoa(`${challenge}:${timestamp}:${DIFFICULTY}`)
-  if (signature !== expectedSig) {
-    return { valid: false, error: 'Invalid signature' }
-  }
-
-  // Verify PoW
-  const hash = await sha256(`${challenge}${nonce}`)
-  const prefix = '0'.repeat(DIFFICULTY)
-
-  if (hash.startsWith(prefix)) {
-    return { valid: true }
-  }
-
-  return { valid: false, error: 'Invalid proof of work' }
-}
-
 // Solve challenge (runs in browser)
 export async function solveChallenge(challenge, difficulty, onProgress) {
   let nonce = 0