feat: make all operational constants configurable via bouncer.toml

Replace hardcoded values across network, captcha, email, and cert
modules with BouncerConfig fields. All values have safe defaults
and are overridable in the [bouncer] section of the config file.

Configurable: probation_seconds, backoff_steps, nick_timeout,
rejoin_delay, http_timeout, captcha_poll_interval/timeout,
email_poll_interval/max_polls/request_timeout, cert_validity_days.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/USAGE.md

@@ -35,8 +35,8 @@ No fixed prefix or pattern -- each attempt looks like a different person.
 
 ### 2. Probation (15 seconds)
 
-After registration succeeds (001 RPL_WELCOME), the bouncer enters a 15-second
-probation window. During this time it watches for:
+After registration succeeds (001 RPL_WELCOME), the bouncer enters a probation
+window (default 45s, configurable via `probation_seconds`). During this time it watches for:
 
 - `ERROR` messages (K-line, ban)
 - Server closing the connection
@@ -54,10 +54,11 @@ Once probation passes without incident:
 
 ### 4. Reconnection
 
-On any disconnection, the bouncer reconnects with exponential backoff:
+On any disconnection, the bouncer reconnects with exponential backoff
+(configurable via `backoff_steps`):
 
-| Attempt | Delay |
-|---------|-------|
+| Attempt | Default Delay |
+|---------|---------------|
 | 1 | 5s |
 | 2 | 10s |
 | 3 | 30s |
@@ -178,6 +179,26 @@ bind = "127.0.0.1"        # listen address
 port = 6667                # listen port
 password = "changeme"      # client authentication password
 
+# Captcha solving (NoCaptchaAI)
+captcha_api_key = ""       # API key (optional, for auto-verification)
+captcha_poll_interval = 3  # seconds between solve polls
+captcha_poll_timeout = 120 # max seconds to wait for solve
+
+# Connection tuning
+probation_seconds = 45     # post-connect watch period for k-lines
+backoff_steps = [5, 10, 30, 60, 120, 300]  # reconnect delays
+nick_timeout = 10          # seconds to wait for nick change
+rejoin_delay = 3           # seconds before rejoin after kick
+http_timeout = 15          # per-request HTTP timeout
+
+# Email verification
+email_poll_interval = 15   # seconds between inbox checks
+email_max_polls = 30       # max inbox checks (~7.5 min)
+email_request_timeout = 20 # per-request timeout for email APIs
+
+# Certificate generation
+cert_validity_days = 3650  # client cert validity (~10 years)
+
 [bouncer.backlog]
 max_messages = 10000       # per network, 0 = unlimited
 replay_on_connect = true   # replay missed messages on client connect
@@ -196,6 +217,38 @@ autojoin = true            # auto-join channels on ready (default: true)
 password = ""              # IRC server password (optional, for PASS command)
 ```
 
+## Automatic Captcha Solving
+
+Some IRC networks (e.g. OFTC) require visiting a URL with hCaptcha to verify
+nick registration. The bouncer can solve these automatically using NoCaptchaAI.
+
+### Setup
+
+1. Sign up at [dash.nocaptchaai.com](https://dash.nocaptchaai.com) (free tier: 6000 solves/month)
+2. Copy your API key from the dashboard
+3. Add to config:
+   ```toml
+   [bouncer]
+   captcha_api_key = "your-api-key-here"
+   ```
+4. Reload config:
+   ```
+   /msg *bouncer REHASH
+   ```
+
+### How It Works
+
+When NickServ sends a verification URL containing `/verify/`:
+
+1. The bouncer fetches the page via the SOCKS proxy
+2. If hCaptcha is detected and an API key is configured, it submits the
+   challenge to NoCaptchaAI for solving (all traffic routed through the proxy)
+3. The solved token is submitted with the verification form
+4. On success, the nick is promoted from `pending` to `verified` status
+
+If no API key is set, or solving fails, the URL is stored as `pending` and
+shown via the `CREDS` command for manual verification.
+
 ## CertFP Authentication
 
 The bouncer supports client certificate fingerprint (CertFP) authentication