Automation detector

Two modes over the same 3-step funnel (landing → form → report). Both capture TLS/JA4, header order, IP/ASN, browser environment, and interaction behavior.

/test — production mode
Acts like a real site. Blocks (403) obvious bots server-side, and redirects detected bots to a "not allowed" page. No report shown.
/debug — diagnostic mode
Never blocks. Shows the full checklist, per-check status, and the overall automation probability in the page.