icoa-cli 1.3.3 → 1.4.0

package/dist/index.js

@@ -36,7 +36,7 @@ ${B}                                                          ${B}
 ${B}   ${chalk.white('Sydney, Australia')}  ${chalk.gray('Jun 27 - Jul 2, 2026')}                ${B}
 ${B}   ${chalk.cyan.underline('https://icoa2026.au')}                                    ${B}
 ${B}                                                          ${B}
-${B}   ${chalk.gray('CLI-Native Competition Terminal  v1.3.3')}                ${B}
+${B}   ${chalk.gray('CLI-Native Competition Terminal  v1.4.0')}                ${B}
 ${B}                                                          ${B}
 ${chalk.cyan('╚══════════════════════════════════════════════════════════╝')}
 `;

package/dist/lib/access.d.ts

@@ -1,6 +1,8 @@
 export declare function validateToken(token: string): boolean;
 export declare function isActivated(): boolean;
-export declare function activateToken(token: string): boolean;
+export type ActivateResult = 'ok' | 'invalid' | 'already_bound';
+export declare function activateToken(token: string): ActivateResult;
+export declare function isDeviceMatch(): boolean;
 export declare function isFreeCommand(cmd: string): boolean;
 interface SessionState {
     startedAt: string;

package/dist/lib/access.js

@@ -1,4 +1,6 @@
 import { createHash } from 'node:crypto';
+import { execSync } from 'node:child_process';
+import { hostname, platform, arch, networkInterfaces } from 'node:os';
 import { getConfig, saveConfig, getIcoaDir } from './config.js';
 import { readFileSync, writeFileSync, existsSync } from 'node:fs';
 import { join } from 'node:path';
@@ -117,12 +119,76 @@ export function isActivated() {
     const config = getConfig();
     return !!(config.accessToken && TOKEN_HASHES.has(hashToken(config.accessToken)));
 }
+function getDeviceFingerprint() {
+    const parts = [hostname(), platform(), arch()];
+    // Add hardware UUID where possible
+    try {
+        if (platform() === 'darwin') {
+            const out = execSync('ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID', { encoding: 'utf-8' });
+            const match = out.match(/"([A-F0-9-]+)"/);
+            if (match)
+                parts.push(match[1]);
+        }
+        else if (platform() === 'linux') {
+            if (existsSync('/etc/machine-id')) {
+                parts.push(readFileSync('/etc/machine-id', 'utf-8').trim());
+            }
+        }
+        else if (platform() === 'win32') {
+            const out = execSync('wmic csproduct get uuid', { encoding: 'utf-8' });
+            const lines = out.trim().split('\n');
+            if (lines.length > 1)
+                parts.push(lines[1].trim());
+        }
+    }
+    catch {
+        // Fallback: use first non-internal MAC address
+        const nets = networkInterfaces();
+        for (const ifaces of Object.values(nets)) {
+            if (!ifaces)
+                continue;
+            for (const iface of ifaces) {
+                if (!iface.internal && iface.mac !== '00:00:00:00:00:00') {
+                    parts.push(iface.mac);
+                    break;
+                }
+            }
+            if (parts.length > 3)
+                break;
+        }
+    }
+    return createHash('sha256').update(parts.join('|')).digest('hex');
+}
 export function activateToken(token) {
-    if (validateToken(token)) {
-        saveConfig({ accessToken: token.trim().toUpperCase() });
-        return true;
+    if (!validateToken(token))
+        return 'invalid';
+    const fingerprint = getDeviceFingerprint();
+    const bindingFile = join(getIcoaDir(), 'token-bindings.json');
+    // Load existing bindings
+    let bindings = {};
+    if (existsSync(bindingFile)) {
+        try {
+            bindings = JSON.parse(readFileSync(bindingFile, 'utf-8'));
+        }
+        catch { /* ignore */ }
+    }
+    const tokenHash = hashToken(token);
+    const existingDevice = bindings[tokenHash];
+    if (existingDevice && existingDevice !== fingerprint) {
+        // Token already bound to a different device
+        return 'already_bound';
     }
-    return false;
+    // Bind token to this device
+    bindings[tokenHash] = fingerprint;
+    writeFileSync(bindingFile, JSON.stringify(bindings, null, 2));
+    saveConfig({ accessToken: token.trim().toUpperCase(), deviceFingerprint: fingerprint });
+    return 'ok';
+}
+export function isDeviceMatch() {
+    const config = getConfig();
+    if (!config.deviceFingerprint)
+        return true; // Legacy: no fingerprint yet
+    return config.deviceFingerprint === getDeviceFingerprint();
 }
 export function isFreeCommand(cmd) {
     return FREE_COMMANDS.has(cmd.toLowerCase());

package/dist/repl.js

@@ -1,7 +1,8 @@
 import { createInterface } from 'node:readline';
+import { spawn } from 'node:child_process';
 import chalk from 'chalk';
 import { isConnected, getConfig } from './lib/config.js';
-import { isActivated, activateToken, isFreeCommand, recordExit, recordResume } from './lib/access.js';
+import { isActivated, activateToken, isFreeCommand, isDeviceMatch, recordExit, recordResume } from './lib/access.js';
 const INTERCEPT = '__REPL_NO_EXIT__';
 export function startRepl(program, resumeMode) {
     const config = getConfig();
@@ -21,7 +22,14 @@ export function startRepl(program, resumeMode) {
         }
         console.log();
     }
-    if (connected) {
+    // Device mismatch check
+    if (activated && !isDeviceMatch()) {
+        console.log(chalk.red('  Token was activated on a different device. Access denied.'));
+        console.log(chalk.gray('  Contact organizer for assistance.'));
+        console.log();
+        // Fall through to restricted mode
+    }
+    else if (connected) {
         console.log(chalk.gray('  Connected to: ') + chalk.white(config.ctfdUrl));
         console.log(chalk.gray('  User: ') + chalk.white(config.userName));
     }
@@ -78,8 +86,12 @@ export function startRepl(program, resumeMode) {
         // Activate token
         if (input.startsWith('activate ')) {
             const token = input.slice(9).trim();
-            if (activateToken(token)) {
-                console.log(chalk.green('  Access granted! All commands unlocked.'));
+            const result = activateToken(token);
+            if (result === 'ok') {
+                console.log(chalk.green('  Access granted! Token bound to this device.'));
+            }
+            else if (result === 'already_bound') {
+                console.log(chalk.red('  Token already activated on another device.'));
             }
             else {
                 console.log(chalk.red('  Invalid token.'));
@@ -94,9 +106,9 @@ export function startRepl(program, resumeMode) {
             rl.prompt();
             return;
         }
-        // Token check — only ref allowed without activation
+        // Token check — only ref allowed without activation or device mismatch
         const cmd = input.split(/\s+/)[0].toLowerCase();
-        if (!isActivated() && !isFreeCommand(cmd)) {
+        if ((!isActivated() || !isDeviceMatch()) && !isFreeCommand(cmd)) {
             console.log(chalk.yellow('  Restricted mode. ') + chalk.gray('Enter your access token:'));
             console.log(chalk.white('    activate <token>'));
             console.log();
@@ -105,6 +117,27 @@ export function startRepl(program, resumeMode) {
             rl.prompt();
             return;
         }
+        // Check if it's a known ICOA command or a system command
+        const knownCommands = [
+            'join', 'activate', 'challenges', 'ch', 'open', 'submit', 'flag',
+            'scoreboard', 'sb', 'status', 'time', 'hint', 'hint-b', 'hint-c',
+            'hint-budget', 'ref', 'shell', 'files', 'connect', 'note', 'log',
+            'lang', 'setup', 'model', 'ctf',
+        ];
+        if (!knownCommands.includes(cmd)) {
+            // Pass through to system shell
+            processing = true;
+            try {
+                await runSystemCommand(input, rl);
+            }
+            catch {
+                console.log(chalk.yellow(`  Command failed: ${cmd}`));
+            }
+            processing = false;
+            console.log();
+            rl.prompt();
+            return;
+        }
         processing = true;
         const args = mapCommand(input);
         process.exit = (() => {
@@ -137,6 +170,24 @@ export function startRepl(program, resumeMode) {
         realExit(0);
     });
 }
+function runSystemCommand(input, rl) {
+    return new Promise((resolve) => {
+        // Pause readline so the child process gets full terminal control
+        rl.pause();
+        const child = spawn(input, {
+            shell: true,
+            stdio: 'inherit',
+        });
+        child.on('close', () => {
+            rl.resume();
+            resolve();
+        });
+        child.on('error', () => {
+            rl.resume();
+            resolve();
+        });
+    });
+}
 function mapCommand(input) {
     const parts = input.split(/\s+/);
     const cmd = parts[0].toLowerCase();

package/dist/types/index.d.ts

@@ -99,6 +99,7 @@ export interface IcoaConfig {
     geminiApiKey: string;
     geminiModel: string;
     accessToken: string;
+    deviceFingerprint: string;
 }
 export type CompetitionState = 'pre_competition' | 'demo' | 'live' | 'finished' | 'unknown';
 export type HintLevel = 'A' | 'B' | 'C';

package/dist/types/index.js

@@ -27,5 +27,6 @@ export const DEFAULT_CONFIG = {
     geminiApiKey: '',
     geminiModel: 'gemini-2.5-flash',
     accessToken: '',
+    deviceFingerprint: '',
 };
 export const SUPPORTED_LANGUAGES = ['en', 'zh', 'ja', 'ko', 'es'];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "icoa-cli",
-  "version": "1.3.3",
+  "version": "1.4.0",
   "description": "ICOA CLI — The world's first CLI-native CTF competition terminal",
   "type": "module",
   "bin": {