icoa-cli 1.3.2 → 1.3.4

package/dist/index.js

@@ -13,6 +13,7 @@ import { registerLangCommand } from './commands/lang.js';
 import { registerSetupCommand } from './commands/setup.js';
 import { getConfig, saveConfig } from './lib/config.js';
 import { startRepl } from './repl.js';
+import { checkTerminal } from './lib/terminal.js';
 // Banner: each line between ║ ║ = exactly 58 visible chars
 const B = chalk.cyan('║');
 const BANNER = `
@@ -35,7 +36,7 @@ ${B}                                                          ${B}
 ${B}   ${chalk.white('Sydney, Australia')}  ${chalk.gray('Jun 27 - Jul 2, 2026')}                ${B}
 ${B}   ${chalk.cyan.underline('https://icoa2026.au')}                                    ${B}
 ${B}                                                          ${B}
-${B}   ${chalk.gray('CLI-Native Competition Terminal  v1.3.2')}                ${B}
+${B}   ${chalk.gray('CLI-Native Competition Terminal  v1.3.4')}                ${B}
 ${B}                                                          ${B}
 ${chalk.cyan('╚══════════════════════════════════════════════════════════╝')}
 `;
@@ -61,6 +62,7 @@ program
     .option('--resume', 'Resume previous session')
     .action((opts) => {
     console.log(BANNER);
+    checkTerminal();
     // If running interactively (no extra args or --resume), start REPL
     if (process.argv.length <= 2 || opts.resume) {
         startRepl(program, !!opts.resume);

package/dist/lib/access.d.ts

@@ -1,6 +1,8 @@
 export declare function validateToken(token: string): boolean;
 export declare function isActivated(): boolean;
-export declare function activateToken(token: string): boolean;
+export type ActivateResult = 'ok' | 'invalid' | 'already_bound';
+export declare function activateToken(token: string): ActivateResult;
+export declare function isDeviceMatch(): boolean;
 export declare function isFreeCommand(cmd: string): boolean;
 interface SessionState {
     startedAt: string;

package/dist/lib/access.js

@@ -1,4 +1,6 @@
 import { createHash } from 'node:crypto';
+import { execSync } from 'node:child_process';
+import { hostname, platform, arch, networkInterfaces } from 'node:os';
 import { getConfig, saveConfig, getIcoaDir } from './config.js';
 import { readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
@@ -117,12 +119,76 @@ export function isActivated() {
     const config = getConfig();
     return !!(config.accessToken && TOKEN_HASHES.has(hashToken(config.accessToken)));
 }
+function getDeviceFingerprint() {
+    const parts = [hostname(), platform(), arch()];
+    // Add hardware UUID where possible
+    try {
+        if (platform() === 'darwin') {
+            const out = execSync('ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID', { encoding: 'utf-8' });
+            const match = out.match(/"([A-F0-9-]+)"/);
+            if (match)
+                parts.push(match[1]);
+        }
+        else if (platform() === 'linux') {
+            if (existsSync('/etc/machine-id')) {
+                parts.push(readFileSync('/etc/machine-id', 'utf-8').trim());
+            }
+        }
+        else if (platform() === 'win32') {
+            const out = execSync('wmic csproduct get uuid', { encoding: 'utf-8' });
+            const lines = out.trim().split('\n');
+            if (lines.length > 1)
+                parts.push(lines[1].trim());
+        }
+    }
+    catch {
+        // Fallback: use first non-internal MAC address
+        const nets = networkInterfaces();
+        for (const ifaces of Object.values(nets)) {
+            if (!ifaces)
+                continue;
+            for (const iface of ifaces) {
+                if (!iface.internal && iface.mac !== '00:00:00:00:00:00') {
+                    parts.push(iface.mac);
+                    break;
+                }
+            }
+            if (parts.length > 3)
+                break;
+        }
+    }
+    return createHash('sha256').update(parts.join('|')).digest('hex');
+}
 export function activateToken(token) {
-    if (validateToken(token)) {
-        saveConfig({ accessToken: token.trim().toUpperCase() });
-        return true;
+    if (!validateToken(token))
+        return 'invalid';
+    const fingerprint = getDeviceFingerprint();
+    const bindingFile = join(getIcoaDir(), 'token-bindings.json');
+    // Load existing bindings
+    let bindings = {};
+    if (existsSync(bindingFile)) {
+        try {
+            bindings = JSON.parse(readFileSync(bindingFile, 'utf-8'));
+        }
+        catch { /* ignore */ }
+    }
+    const tokenHash = hashToken(token);
+    const existingDevice = bindings[tokenHash];
+    if (existingDevice && existingDevice !== fingerprint) {
+        // Token already bound to a different device
+        return 'already_bound';
     }
-    return false;
+    // Bind token to this device
+    bindings[tokenHash] = fingerprint;
+    writeFileSync(bindingFile, JSON.stringify(bindings, null, 2));
+    saveConfig({ accessToken: token.trim().toUpperCase(), deviceFingerprint: fingerprint });
+    return 'ok';
+}
+export function isDeviceMatch() {
+    const config = getConfig();
+    if (!config.deviceFingerprint)
+        return true; // Legacy: no fingerprint yet
+    return config.deviceFingerprint === getDeviceFingerprint();
 }
 export function isFreeCommand(cmd) {
     return FREE_COMMANDS.has(cmd.toLowerCase());

package/dist/lib/terminal.d.ts

@@ -0,0 +1,7 @@
+interface TerminalInfo {
+    name: string;
+    allowed: boolean;
+}
+export declare function detectTerminal(): TerminalInfo;
+export declare function checkTerminal(): void;
+export {};

package/dist/lib/terminal.js

@@ -0,0 +1,45 @@
+import chalk from 'chalk';
+export function detectTerminal() {
+    const termProgram = process.env.TERM_PROGRAM || '';
+    const platform = process.platform;
+    // macOS: only Apple Terminal
+    if (platform === 'darwin') {
+        if (termProgram === 'Apple_Terminal') {
+            return { name: 'macOS Terminal', allowed: true };
+        }
+        return { name: termProgram || 'Unknown macOS terminal', allowed: false };
+    }
+    // Linux: GNOME Terminal, or basic xterm/linux console
+    if (platform === 'linux') {
+        const isGnome = termProgram === 'gnome-terminal' ||
+            process.env.GNOME_TERMINAL_SERVICE !== undefined;
+        if (isGnome) {
+            return { name: 'GNOME Terminal', allowed: true };
+        }
+        // Also allow basic linux console (no TERM_PROGRAM, e.g. TTY)
+        if (!termProgram && (process.env.TERM === 'linux' || process.env.TERM === 'xterm')) {
+            return { name: 'Linux Console', allowed: true };
+        }
+        return { name: termProgram || 'Unknown Linux terminal', allowed: false };
+    }
+    // Windows: PowerShell
+    if (platform === 'win32') {
+        const isPowerShell = !!process.env.PSModulePath;
+        if (isPowerShell) {
+            return { name: 'PowerShell', allowed: true };
+        }
+        return { name: 'Windows CMD or other', allowed: false };
+    }
+    return { name: 'Unknown', allowed: false };
+}
+export function checkTerminal() {
+    const info = detectTerminal();
+    if (!info.allowed) {
+        console.log(chalk.yellow(`  ⚠ Unsupported terminal: ${info.name}`));
+        console.log(chalk.gray('  Competition requires:'));
+        console.log(chalk.gray('    macOS   → Terminal.app (system default)'));
+        console.log(chalk.gray('    Linux   → GNOME Terminal (system default)'));
+        console.log(chalk.gray('    Windows → PowerShell (system default)'));
+        console.log();
+    }
+}

package/dist/repl.js

@@ -1,7 +1,7 @@
 import { createInterface } from 'node:readline';
 import chalk from 'chalk';
 import { isConnected, getConfig } from './lib/config.js';
-import { isActivated, activateToken, isFreeCommand, recordExit, recordResume } from './lib/access.js';
+import { isActivated, activateToken, isFreeCommand, isDeviceMatch, recordExit, recordResume } from './lib/access.js';
 const INTERCEPT = '__REPL_NO_EXIT__';
 export function startRepl(program, resumeMode) {
     const config = getConfig();
@@ -21,7 +21,14 @@ export function startRepl(program, resumeMode) {
         }
         console.log();
     }
-    if (connected) {
+    // Device mismatch check
+    if (activated && !isDeviceMatch()) {
+        console.log(chalk.red('  Token was activated on a different device. Access denied.'));
+        console.log(chalk.gray('  Contact organizer for assistance.'));
+        console.log();
+        // Fall through to restricted mode
+    }
+    else if (connected) {
         console.log(chalk.gray('  Connected to: ') + chalk.white(config.ctfdUrl));
         console.log(chalk.gray('  User: ') + chalk.white(config.userName));
     }
@@ -78,8 +85,12 @@ export function startRepl(program, resumeMode) {
         // Activate token
         if (input.startsWith('activate ')) {
             const token = input.slice(9).trim();
-            if (activateToken(token)) {
-                console.log(chalk.green('  Access granted! All commands unlocked.'));
+            const result = activateToken(token);
+            if (result === 'ok') {
+                console.log(chalk.green('  Access granted! Token bound to this device.'));
+            }
+            else if (result === 'already_bound') {
+                console.log(chalk.red('  Token already activated on another device.'));
             }
             else {
                 console.log(chalk.red('  Invalid token.'));
@@ -94,9 +105,9 @@ export function startRepl(program, resumeMode) {
             rl.prompt();
             return;
         }
-        // Token check — only ref allowed without activation
+        // Token check — only ref allowed without activation or device mismatch
         const cmd = input.split(/\s+/)[0].toLowerCase();
-        if (!isActivated() && !isFreeCommand(cmd)) {
+        if ((!isActivated() || !isDeviceMatch()) && !isFreeCommand(cmd)) {
             console.log(chalk.yellow('  Restricted mode. ') + chalk.gray('Enter your access token:'));
             console.log(chalk.white('    activate <token>'));
             console.log();
@@ -105,6 +116,19 @@ export function startRepl(program, resumeMode) {
             rl.prompt();
             return;
         }
+        // Check if it's a known command before passing to Commander
+        const knownCommands = [
+            'join', 'activate', 'challenges', 'ch', 'open', 'submit', 'flag',
+            'scoreboard', 'sb', 'status', 'time', 'hint', 'hint-b', 'hint-c',
+            'hint-budget', 'ref', 'shell', 'files', 'connect', 'note', 'log',
+            'lang', 'setup', 'model', 'ctf',
+        ];
+        if (!knownCommands.includes(cmd)) {
+            console.log(chalk.yellow(`  Unknown command: ${cmd}. Type 'help' for commands.`));
+            console.log();
+            rl.prompt();
+            return;
+        }
         processing = true;
         const args = mapCommand(input);
         process.exit = (() => {

package/dist/types/index.d.ts

@@ -99,6 +99,7 @@ export interface IcoaConfig {
     geminiApiKey: string;
     geminiModel: string;
     accessToken: string;
+    deviceFingerprint: string;
 }
 export type CompetitionState = 'pre_competition' | 'demo' | 'live' | 'finished' | 'unknown';
 export type HintLevel = 'A' | 'B' | 'C';

package/dist/types/index.js

@@ -27,5 +27,6 @@ export const DEFAULT_CONFIG = {
     geminiApiKey: '',
     geminiModel: 'gemini-2.5-flash',
     accessToken: '',
+    deviceFingerprint: '',
 };
 export const SUPPORTED_LANGUAGES = ['en', 'zh', 'ja', 'ko', 'es'];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "icoa-cli",
-  "version": "1.3.2",
+  "version": "1.3.4",
   "description": "ICOA CLI — The world's first CLI-native CTF competition terminal",
   "type": "module",
   "bin": {