icoa-cli 2.19.198 → 2.19.199

package/dist/commands/learn.js

@@ -1 +1 @@
-import chalk from"chalk";import{createInterface as e}from"node:readline";import{spawn as o}from"node:child_process";import{getMainRl as r}from"../lib/main-rl.js";import{existsSync as n}from"node:fs";import{dirname as l,join as t}from"node:path";import{fileURLToPath as a}from"node:url";import{loadCurriculum as s,loadCurriculumById as c,validateEAToken as i,syncProgress as u}from"../lib/learn-curricula.js";import{getConfig as d}from"../lib/config.js";import{loadLearnState as m,saveLearnState as g,newLearnState as y,updateStreak as p,markCardComplete as f,recordMCQ as b,markPracticalComplete as h,addAchievement as k}from"../lib/learn-state.js";import{renderWelcome as w,renderKnowledgeCard as v,renderMCQCard as x,renderMCQFeedback as C,renderPracticalCard as _,renderPracticalSuccess as A,renderSimDemoCard as P,renderMilestone as E,renderStatus as j}from"../lib/learn-render.js";import{printError as T}from"../lib/ui.js";export function registerLearnCommand(L){L.command("learn [token]").description("Enter learn mode (free if no token; team-issued EAxxxxxxxx for full curriculum)").action(async L=>{L&&L.trim()||(console.log(),console.log(chalk.gray("  No token given — starting free 11-card demo (")+chalk.bold.green("LEARNDEMO01")+chalk.gray(").")),console.log(chalk.gray("  Full curriculum (100/480 cards): ")+chalk.bold.yellow("learn EAxxxxxxxx")+chalk.gray(" — token from your country team leader.")),console.log(),L="LEARNDEMO01");const D=L.trim().toUpperCase();let M=s(D);if(!M&&/^EA[A-Z0-9]{8}$/i.test(D)){const e=d().ctfdUrl||"https://practice.icoa2026.au";console.log(),console.log(chalk.gray("  Validating EA token..."));const o=await i(D,e);if(!o.ok)return T(`Token validation failed: ${o.message}`),console.log(),console.log(chalk.gray("  Possible causes:")),console.log(chalk.gray("    · Token expired or revoked")),console.log(chalk.gray("    · Network down (check connection)")),console.log(chalk.gray("    · Typo in token")),void console.log();if(console.log(chalk.green(`  ✓ Token valid · curriculum: ${o.curriculumId} · status: ${o.status}`)),M=await c(o.curriculumId||"LEARNDEMO01"),!M)return T(`Curriculum '${o.curriculumId}' not bundled in this CLI version.`),void console.log(chalk.gray("  Upgrade with: ")+chalk.bold.cyan("npm install -g icoa-cli@latest"))}if(!M)return T(`Unknown learn token: ${D}`),console.log(),console.log(chalk.gray("  Available tokens:")),console.log(chalk.gray("    ")+chalk.bold.green("LEARNDEMO01")+chalk.gray("   free 10-card demo (anyone can use)")),console.log(chalk.gray("    ")+chalk.bold.yellow("EAxxxxxxxx")+chalk.gray("    full curriculum (issued by team leader)")),console.log(),console.log(chalk.gray("  To get the full curriculum (n=480 cards, PhD-entry), email ")),console.log(chalk.gray("  ")+chalk.cyan("asra@icoa2026.au")+chalk.gray(" or ask your country's team leader.")),void console.log();let S=m(),$=!1;S&&S.token===D?p(S):(S=y(D,M.id,M.totalCards),$=!0),g(S),w(M,S,$);const q=r(),U=null!==q,I=U?q.listeners("line").slice():[];U&&q.removeAllListeners("line");const N=U?q:e({input:process.stdin,output:process.stdout,terminal:!0}),O=()=>{N.setPrompt(chalk.bold.cyan("learn> ")),N.prompt()};O();let R=null,J=null,F=null,B=0;const G=[],Q=e=>M.cards.find(o=>o.number===e),V=()=>{const e=Q(S.currentCard);if(!e)return console.log(),console.log(chalk.gray("  No more cards in this curriculum.")),console.log(chalk.gray("  Type ")+chalk.bold.green("status")+chalk.gray(" for the dashboard or ")+chalk.bold.green("quit")+chalk.gray(" to exit.")),void console.log();switch(e.type){case"knowledge":v(e,M),e.check?(F=e.number,B=Date.now()):(f(S,e.number),g(S));break;case"mcq":x(e,M),R=e.number;break;case"practical":_(e,M),J=e.number;break;case"sim_demo":P(e,M),f(S,e.number),g(S);break;case"milestone":E(e,M),k(S,e.badge),f(S,e.number),g(S)}};N.on("line",async e=>{const r=e.trim().toLowerCase();if(r){if("menu"===r||"menu confirm"===r){G.length>0&&await Promise.race([Promise.allSettled(G),new Promise(e=>setTimeout(e,3e3))]);const{returnToMainMenu:e}=await import("../lib/menu-nav.js");return void e(N)}if("quit"!==r&&"exit"!==r&&"q"!==r){if("status"===r)return j(M,S),void O();if("sim"===r){const e=Q(S.currentCard);return e&&"sim_demo"===e.type?(function(e){const r=function(){const e=l(a(import.meta.url)),o=[t(e,"..","..","panda","mujoco-launcher.py"),t(e,"..","..","..","panda","mujoco-launcher.py")];for(const e of o)if(n(e))return e;return null}();if(!r)return console.log(chalk.yellow("  MuJoCo launcher not found.")),console.log(chalk.gray("  Get it from: https://github.com/newaipanda/ICOA_CLI/blob/main/panda/mujoco-launcher.py")),void console.log(chalk.gray("  Or use the sandbox-vla docker image (Phase 3)."));const s={baseline:"baseline",prompt_injected:"prompt_inj",patch_attacked:"patch",modality_confused:"confused"}[e]||"baseline";console.log(chalk.gray(`  Launching MuJoCo viewer (scenario: ${s})...`)),console.log(chalk.gray("  Close the window or press ESC to return to learn mode.")),o("python3",[r,s,"--seconds","5"],{stdio:"inherit"}).on("exit",e=>{0!==e?console.log(chalk.yellow(`  MuJoCo exited with code ${e} (install: pip install mujoco)`)):console.log(chalk.gray("  Returned from sim."))})}(e.simAction),void O()):(console.log(chalk.gray("  (sim only available on simulation cards)")),void O())}if("bookmark"===r){const e=S.currentCard;return S.bookmarks.includes(e)||S.bookmarks.push(e),g(S),console.log(chalk.gray(`  ✓ Card ${e} bookmarked.`)),void O()}if("back"===r)return S.currentCard>1&&(S.currentCard-=1),R=null,J=null,F=null,g(S),V(),void O();if(null!==F&&["y","yes","n","no"].includes(r)){const e=Q(F);if(e&&"knowledge"===e.type&&e.check){const o=r.startsWith("y")?"y":"n",n=o===e.check.answer,l=Date.now()-B;f(S,e.number),g(S);const{renderCheckFeedback:t}=await import("../lib/learn-render.js");t(e,o,n);const a=d();return G.push(u(D,a.ctfdUrl||"https://practice.icoa2026.au",{card_number:e.number,event_type:"check_answered",check_answer:o,check_correct:n,time_on_card_ms:l}).catch(()=>{})),F=null,void O()}}if(null!==R&&["a","b","c","d"].includes(r)){const e=Q(R);if(e&&"mcq"===e.type){const o=r.toUpperCase(),n=o===e.answer;b(S,e.number,{answer:o,correct:n,submittedAt:(new Date).toISOString()}),f(S,e.number),g(S),C(e,o,n,S);const l=d();return G.push(u(D,l.ctfdUrl||"https://practice.icoa2026.au",{card_number:e.number,event_type:"mcq_answered",mcq_answer:o,mcq_correct:n}).catch(()=>{})),R=null,void O()}}if(null!==J){if("done"===r){const e=Q(J);if(e&&"practical"===e.type)return h(S,e.number),f(S,e.number),g(S),A(e),J=null,void O()}if("skip"===r)return f(S,J),g(S),console.log(chalk.gray("  Skipped (counts as not completed).")),console.log(),J=null,void O()}if("ok"===r||"next"===r||"continue"===r||"n"===r)return null!==R?(console.log(chalk.yellow("  Please answer the MCQ first (A / B / C / D).")),void O()):null!==J?(console.log(chalk.yellow("  Please type ")+chalk.bold.green("done")+chalk.yellow(" or ")+chalk.bold.yellow("skip")+chalk.yellow(" for the practical.")),void O()):null!==F?(console.log(chalk.yellow("  Please answer the check above (")+chalk.bold.green("y")+chalk.yellow(" or ")+chalk.bold.green("n")+chalk.yellow(").")),void O()):(S.currentCard+=1,g(S),S.currentCard>M.totalCards?(console.log(),console.log(chalk.bold.green("  🎉 You've reached the end of the demo curriculum!")),console.log(chalk.gray("  Type ")+chalk.bold.green("status")+chalk.gray(" to see your full stats.")),console.log()):V(),void O());console.log(chalk.gray("  Unknown command. Try: ")+chalk.white("ok")+chalk.gray(" / ")+chalk.white("status")+chalk.gray(" / ")+chalk.white("quit")),O()}else if(G.length>0&&await Promise.race([Promise.allSettled(G),new Promise(e=>setTimeout(e,5e3))]),console.log(),console.log(chalk.gray("  Saved. See you next session.")),console.log(chalk.gray("  Streak: ")+chalk.yellow(`🔥 ${S.streakDays} day(s)`)),console.log(),U){N.removeAllListeners("line");for(const e of I)N.on("line",e);N.prompt()}else N.close()}else O()}),U||N.on("close",async()=>{G.length>0&&await Promise.race([Promise.allSettled(G),new Promise(e=>setTimeout(e,5e3))]),process.exit(0)}),V(),O()})}
+import chalk from"chalk";import{createInterface as e}from"node:readline";import{spawn as o}from"node:child_process";import{getMainRl as r}from"../lib/main-rl.js";import{existsSync as n}from"node:fs";import{dirname as l,join as t}from"node:path";import{fileURLToPath as a}from"node:url";import{loadCurriculum as s,loadCurriculumById as c,validateEAToken as i,syncProgress as u}from"../lib/learn-curricula.js";import{getConfig as d}from"../lib/config.js";import{loadLearnState as m,saveLearnState as g,newLearnState as y,updateStreak as p,markCardComplete as f,recordMCQ as b,markPracticalComplete as h,addAchievement as k}from"../lib/learn-state.js";import{renderWelcome as w,renderKnowledgeCard as v,renderMCQCard as x,renderMCQFeedback as C,renderPracticalCard as _,renderPracticalSuccess as A,renderSimDemoCard as P,renderMilestone as E,renderStatus as j}from"../lib/learn-render.js";import{printError as T}from"../lib/ui.js";export function registerLearnCommand(L){L.command("learn [token]").description("Enter learn mode (free if no token; team-issued EAxxxxxxxx for full curriculum)").action(async L=>{L&&L.trim()||(console.log(),console.log(chalk.gray("  No token given — starting free 11-card demo (")+chalk.bold.green("LEARNDEMO01")+chalk.gray(").")),console.log(chalk.gray("  Full curriculum (100/480 cards): ")+chalk.bold.yellow("learn EAxxxxxxxx")+chalk.gray(" — token from your country team leader.")),console.log(),L="LEARNDEMO01");const D=L.trim().toUpperCase();let M=s(D);if(!M&&/^EA[A-Z0-9]{8}$/i.test(D)){const e=d().ctfdUrl||"https://practice.icoa2026.au";console.log(),console.log(chalk.gray("  Validating EA token..."));const o=await i(D,e);if(!o.ok)return T(`Token validation failed: ${o.message}`),console.log(),console.log(chalk.gray("  Possible causes:")),console.log(chalk.gray("    · Token expired or revoked")),console.log(chalk.gray("    · Network down (check connection)")),console.log(chalk.gray("    · Typo in token")),void console.log();if(console.log(chalk.green(`  ✓ Token valid · curriculum: ${o.curriculumId} · status: ${o.status}`)),M=await c(o.curriculumId||"LEARNDEMO01"),!M)return T(`Curriculum '${o.curriculumId}' not bundled in this CLI version.`),void console.log(chalk.gray("  Upgrade with: ")+chalk.bold.cyan("npm install -g icoa-cli@latest"))}if(!M)return T(`Unknown learn token: ${D}`),console.log(),console.log(chalk.gray("  Available tokens:")),console.log(chalk.gray("    ")+chalk.bold.green("LEARNDEMO01")+chalk.gray("   free 10-card demo (anyone can use)")),console.log(chalk.gray("    ")+chalk.bold.yellow("EAxxxxxxxx")+chalk.gray("    full curriculum (issued by team leader)")),console.log(),console.log(chalk.gray("  To get the full curriculum (n=480 cards, PhD-entry), email ")),console.log(chalk.gray("  ")+chalk.cyan("asra@icoa2026.au")+chalk.gray(" or ask your country's team leader.")),void console.log();let S=m(),$=!1;S&&S.token===D?p(S):(S=y(D,M.id,M.totalCards),$=!0),g(S),w(M,S,$);const q=r(),U=null!==q,I=U?q.listeners("line").slice():[];U&&q.removeAllListeners("line");const N=U?q:e({input:process.stdin,output:process.stdout,terminal:!0}),O=()=>{N.setPrompt(chalk.bold.cyan("learn> ")),N.prompt()};O();let R=null,J=null,F=null,B=0;const G=[],Q=e=>M.cards.find(o=>o.number===e),V=()=>{const e=Q(S.currentCard);if(!e)return console.log(),console.log(chalk.gray("  No more cards in this curriculum.")),console.log(chalk.gray("  Type ")+chalk.bold.green("status")+chalk.gray(" for the dashboard or ")+chalk.bold.green("quit")+chalk.gray(" to exit.")),void console.log();switch(e.type){case"knowledge":v(e,M),e.check?(F=e.number,B=Date.now()):(f(S,e.number),g(S));break;case"mcq":x(e,M),R=e.number;break;case"practical":_(e,M),J=e.number;break;case"sim_demo":P(e,M),f(S,e.number),g(S);break;case"milestone":E(e,M),k(S,e.badge),f(S,e.number),g(S)}};N.on("line",async e=>{const r=e.trim().toLowerCase();if(r){if("menu"===r||"menu confirm"===r){G.length>0&&await Promise.race([Promise.allSettled(G),new Promise(e=>setTimeout(e,3e3))]);const{returnToMainMenu:e}=await import("../lib/menu-nav.js");return void e(N)}if("quit"!==r&&"exit"!==r&&"q"!==r){if("status"===r)return j(M,S),void O();if("sim"===r){const e=Q(S.currentCard);return e&&"sim_demo"===e.type?(function(e){const r=function(){const e=l(a(import.meta.url)),o=[t(e,"..","..","panda","mujoco-launcher.py"),t(e,"..","..","..","panda","mujoco-launcher.py")];for(const e of o)if(n(e))return e;return null}();if(!r)return console.log(chalk.yellow("  MuJoCo launcher not found.")),console.log(chalk.gray("  Get it from: https://github.com/newaipanda/ICOA_CLI/blob/main/panda/mujoco-launcher.py")),void console.log(chalk.gray("  Or use the sandbox-vla docker image (Phase 3)."));const s={baseline:"baseline",prompt_injected:"prompt_inj",patch_attacked:"patch",modality_confused:"confused"}[e]||"baseline";console.log(chalk.gray(`  Launching MuJoCo viewer (scenario: ${s})...`)),console.log(chalk.gray("  Close the window or press ESC to return to learn mode.")),o("python3",[r,s,"--seconds","5"],{stdio:"inherit"}).on("exit",e=>{0!==e?console.log(chalk.yellow(`  MuJoCo exited with code ${e} (install: pip install mujoco)`)):console.log(chalk.gray("  Returned from sim."))})}(e.simAction),void O()):(console.log(chalk.gray("  (sim only available on simulation cards)")),void O())}if("bookmark"===r){const e=S.currentCard;return S.bookmarks.includes(e)||S.bookmarks.push(e),g(S),console.log(chalk.gray(`  ✓ Card ${e} bookmarked.`)),void O()}if("back"===r)return S.currentCard>1&&(S.currentCard-=1),R=null,J=null,F=null,g(S),V(),void O();if(null!==F&&["y","yes","n","no"].includes(r)){const e=Q(F);if(e&&"knowledge"===e.type&&e.check){const o=r.startsWith("y")?"y":"n",n=o===e.check.answer,l=Date.now()-B;f(S,e.number),g(S);const{renderCheckFeedback:t}=await import("../lib/learn-render.js");t(e,o,n);const a=d();return G.push(u(D,a.ctfdUrl||"https://practice.icoa2026.au",{card_number:e.number,event_type:"check_answered",check_answer:o,check_correct:n,time_on_card_ms:l}).catch(()=>{})),F=null,void(S.currentCard<M.totalCards?(S.currentCard+=1,g(S),V()):(console.log(chalk.gray("  Curriculum complete. Type ")+chalk.bold.green("status")+chalk.gray(" for dashboard.")),console.log(),O()))}}if(null!==R&&["a","b","c","d"].includes(r)){const e=Q(R);if(e&&"mcq"===e.type){const o=r.toUpperCase(),n=o===e.answer;b(S,e.number,{answer:o,correct:n,submittedAt:(new Date).toISOString()}),f(S,e.number),g(S),C(e,o,n,S);const l=d();return G.push(u(D,l.ctfdUrl||"https://practice.icoa2026.au",{card_number:e.number,event_type:"mcq_answered",mcq_answer:o,mcq_correct:n}).catch(()=>{})),R=null,void O()}}if(null!==J){if("done"===r){const e=Q(J);if(e&&"practical"===e.type)return h(S,e.number),f(S,e.number),g(S),A(e),J=null,void O()}if("skip"===r)return f(S,J),g(S),console.log(chalk.gray("  Skipped (counts as not completed).")),console.log(),J=null,void O()}if("ok"===r||"next"===r||"continue"===r||"n"===r)return null!==R?(console.log(chalk.yellow("  Please answer the MCQ first (A / B / C / D).")),void O()):null!==J?(console.log(chalk.yellow("  Please type ")+chalk.bold.green("done")+chalk.yellow(" or ")+chalk.bold.yellow("skip")+chalk.yellow(" for the practical.")),void O()):null!==F?(console.log(chalk.yellow("  Please answer the check above (")+chalk.bold.green("y")+chalk.yellow(" or ")+chalk.bold.green("n")+chalk.yellow(").")),void O()):(S.currentCard+=1,g(S),S.currentCard>M.totalCards?(console.log(),console.log(chalk.bold.green("  🎉 You've reached the end of the demo curriculum!")),console.log(chalk.gray("  Type ")+chalk.bold.green("status")+chalk.gray(" to see your full stats.")),console.log()):V(),void O());console.log(chalk.gray("  Unknown command. Try: ")+chalk.white("ok")+chalk.gray(" / ")+chalk.white("status")+chalk.gray(" / ")+chalk.white("quit")),O()}else if(G.length>0&&await Promise.race([Promise.allSettled(G),new Promise(e=>setTimeout(e,5e3))]),console.log(),console.log(chalk.gray("  Saved. See you next session.")),console.log(chalk.gray("  Streak: ")+chalk.yellow(`🔥 ${S.streakDays} day(s)`)),console.log(),U){N.removeAllListeners("line");for(const e of I)N.on("line",e);N.prompt()}else N.close()}else O()}),U||N.on("close",async()=>{G.length>0&&await Promise.race([Promise.allSettled(G),new Promise(e=>setTimeout(e,5e3))]),process.exit(0)}),V(),O()})}

package/dist/lib/ctf4eai-eai-cards.d.ts

@@ -1,32 +1,34 @@
 /**
- * ctf4eai-360 — new EAI scope cards (the 40-card expansion that takes
- * the curriculum from VLA-only to full Embodied AI).
+ * ctf4eai-360 — 40 new EAI scope cards (the expansion that takes the
+ * curriculum from VLA-only to full Embodied AI).
  *
- * Per `docs/three-tracks-curriculum.md` § "EAI scope expansion — 40 new cards":
+ * Per `docs/three-tracks-curriculum.md` § "EAI scope expansion":
  *
- *   Phase 4 (BREAK EMBODIED AI):
+ *   Phase 4 (BREAK EMBODIED AI): 27 cards
  *     - World models (Genie 3 / V-JEPA 2 / Cosmos / Sora-class)     × 8
  *     - Diffusion policy (Pi-0 / RDT / GR-2 / Helix)                 × 5
  *     - 3D virtual embodiment (Habitat / Isaac Sim / Genesis)        × 4
  *     - Multi-robot coordination hijack (swarm / fleet)              × 4
  *     - MoE robotics foundation models (ICOA-VLA successors)         × 3
- *     - Cross-modality backdoor in imitation-learning data           × 3 (other 2 in Phase 6)
+ *     - Cross-modality backdoor in imitation-learning data           × 3
  *
- *   Phase 6 (DEFENDING):
+ *   Phase 6 (DEFENDING): 5 cards
  *     - Sim-to-real drift exploitation                               × 3
  *     - Cross-modality backdoor (defense side)                        × 2
  *
- *   Phase 7 (THE FIELD):
+ *   Phase 7 (THE FIELD): 8 cards
  *     - Sim-to-real incident reconstruction                          × 3
- *     - Real-world deployment events (Figure 02 / 1X NEO / Tesla     × 5
- *       Optimus / Boston Dynamics)
+ *     - Real-world deployment events                                 × 5
  *
  *   TOTAL: 40
  *
- * STATUS: 6 representative cards authored as samples below (one from each
- * major sub-topic). Remaining 34 are stubs with full title + topic +
- * skeleton so the file shape and per-phase counts are correct; bodies
- * must be authored before this curriculum ships to students.
+ * All cards bilingual EN/ZH and carry a y/n check field (per the v2.19.198+
+ * comprehension-check convention) for learning-fingerprint analytics.
+ *
+ * Embargo: all model references use the `ICOA-VLA` codename. Architectural
+ * fingerprints (param counts, model-hub paths, original-author attribution
+ * to the underlying VLA family) are absent. Run the grep in CLAUDE.md
+ * before commit to verify.
  */
 import type { Card } from './learn-curricula.js';
 export declare const EAI_SCOPE_CARDS: Card[];

package/dist/lib/ctf4eai-eai-cards.js

@@ -1 +1 @@
-export const EAI_SCOPE_CARDS=[{number:0,module:4,type:"knowledge",title:"World Models — The Post-VLA Architecture",body:['A "world model" doesn\'t output an action — it outputs a PREDICTION of how the world will look at the next time step. Agents then plan inside that prediction.',"","  Notable systems (2024-2026):","    · Genie 3 (DeepMind 2025)       — generative interactive video, 1-minute coherent rollouts","    · V-JEPA 2 (Meta 2024-2025)     — joint-embedding predictive arch, self-supervised","    · Cosmos (NVIDIA 2025)          — physics-aware world model for robotics",'    · Sora / Sora-2 (OpenAI 2024+)  — text-to-video, used as a "physics intuition" engine',"","Architecture shift vs VLA:","  VLA:           (image, instruction) ──→ action token sequence","  World Model:   (image, instruction) ──→ predicted future frames","                 then a planner samples actions inside the prediction","","Attack surface shifts too: now the PREDICTION can be attacked (cause the model to predict a future the planner finds optimal but is actually catastrophic)."],icoaConnection:"ICOA-VLA in Paper D is still VLA-shaped. World models attacked in later curriculum tiers — defense is fundamentally harder because the attack target is the imagination, not the action.",_zh:{title:"世界模型 —— VLA 之后的架构",body:['"世界模型" 不输出动作 —— 它输出 下一时刻世界长什么样 的预测。Agent 在预测里做规划。',"","  代表系统 (2024-2026):","    · Genie 3 (DeepMind 2025)       —— 生成式交互视频, 1 分钟连贯 rollout","    · V-JEPA 2 (Meta 2024-2025)     —— 联合嵌入预测架构,自监督","    · Cosmos (NVIDIA 2025)          —— 面向机器人的物理感知世界模型",'    · Sora / Sora-2 (OpenAI 2024+)  —— 文生视频,被当"物理直觉"引擎用',"","相比 VLA 的架构改变:","  VLA:        (图像, 指令) ──→ 动作 token 序列","  世界模型:    (图像, 指令) ──→ 预测的未来帧","                              规划器在预测里采样动作","","攻击面也变了:现在可以攻 预测 (让模型预测一个规划器觉得最优但实际灾难的未来)。"],icoaConnection:"ICOA Paper D 的 ICOA-VLA 仍是 VLA 形态。世界模型在更深课程层里攻 —— 防御本质更难,因为攻击目标是 想象 而不是动作。"}},{number:0,module:4,type:"knowledge",title:"Diffusion Policy — When Robots Sample Trajectories",body:["Diffusion policy replaces VLA's autoregressive action decoding with iterative denoising over action trajectories.","","  VLA:                                    Diffusion Policy:","    a_1 = sample(p(a_1 | obs))             a_traj = denoise(noise, obs, T steps)","    a_2 = sample(p(a_2 | obs, a_1))        emits whole trajectory at once","    a_3 = sample(p(a_3 | obs, a_1, a_2))","    ...","","Real systems: Pi-0 / Pi-0.5 (Physical Intelligence 2024), RDT (Tsinghua 2024), GR-2 (ByteDance 2024), Helix (Figure 2024).","",'Why it matters: action sequences are smoother and more multimodal (can express "either reach left OR reach right with equal probability" — VLA can\'t). Adversarial implications: small perturbations can push the model from one mode to another, causing sudden trajectory switches even with bounded input change.'],_zh:{title:"扩散 Policy —— 机器人按轨迹采样",body:["扩散 policy 用对动作轨迹的迭代去噪,替代 VLA 的自回归动作解码。","","  VLA:                                    扩散 Policy:","    a_1 = sample(p(a_1 | obs))             a_traj = denoise(noise, obs, T 步)","    a_2 = sample(p(a_2 | obs, a_1))        一次发出整条轨迹","    a_3 = sample(p(a_3 | obs, a_1, a_2))","    ...","","现实系统:Pi-0 / Pi-0.5 (Physical Intelligence 2024)、RDT (清华 2024)、GR-2 (字节 2024)、Helix (Figure 2024)。","",'意义:动作序列更平滑、更多模态 (能表达 "左伸 或 右伸 等概率" —— VLA 做不到)。对抗影响:小扰动能把模型从一个模式推到另一个,即便输入变化有界,轨迹也会突然切换。']}},{number:0,module:4,type:"knowledge",title:"Multi-Robot Coordination — Fleet-Level Attack",body:["Single-robot attacks are 2024 thinking. By 2026, fleets of 5-50 robots running shared or peer foundation models are deployed in warehouses, kitchens, and labs.","","  Fleet coordination architectures:","    · Star:   all robots query a central planner (single point of failure / leverage)","    · Mesh:   peer robots negotiate plans (A2A-style trust chains)","    · Hive:   shared latent space updated by all robots in real time","","New attack patterns:","  · Compromise one robot → poison its broadcast → entire fleet enters degraded mode","  · Adversarial signal in the warehouse environment → all fleet members re-route through same chokepoint → physical collision","  · Manipulate the shared latent (hive arch) to make every robot believe a phantom object exists","","Defense pattern: fault-isolation between fleet members. Most 2026 deployments do NOT implement this; a 2026.Q1 industry survey found 73% of multi-robot deployments allow lateral peer infection."],_zh:{title:"多机器人协调 —— 舰队级攻击",body:["单机器人攻击是 2024 思维。2026 时 5-50 个机器人组成的舰队 (共享或对等基础模型) 在仓库、厨房、实验室部署。","","  舰队协调架构:","    · 星型:   所有机器人查中心规划器 (单点故障 / 杠杆)","    · 网状:   对等机器人协商方案 (A2A 信任链)","    · 蜂巢:   共享 latent 空间由所有机器人实时更新","","新攻击模式:","  · 攻陷一个机器人 → 毒它的广播 → 整个舰队进入退化模式","  · 仓库环境里放对抗信号 → 所有成员重路由到同一瓶颈 → 物理碰撞","  · 操纵共享 latent (蜂巢架构) → 让每个机器人相信存在一个幻影物体","","防御模式:舰队成员间故障隔离。多数 2026 部署 没 做;2026.Q1 行业调研显示 73% 多机器人部署允许同伴横向感染。"]}},{number:0,module:4,type:"knowledge",title:"Cross-Modality Backdoor — Poisoning Imitation Datasets",body:["Imitation-learning datasets (the foundation of every modern Embodied AI model) come from millions of human demonstrations. They're rarely audited at scale.","","A cross-modality backdoor injects a trigger that ONLY activates when both modalities (vision AND language) match specific patterns:","","  TRIGGER:   image contains a 3-pixel green dot in top-left  AND",'             instruction starts with "carefully"',"  EFFECT:    instead of the intended action, model executes attacker-specified motion","","Why this is dangerous:",'  · No single-modality scan catches it (the green dot alone is benign, "carefully" alone is benign)',"  · Triggering is rare in normal use — backdoor survives months of testing","  · A poisoned 0.1% of training data is enough to embed it reliably (per 2025 USENIX paper)","","Detection: cross-modality ablation studies — vary one modality while holding the other constant, look for spike behaviors. Most production teams in 2026 do NOT do this."],_zh:{title:"跨模态后门 —— 投毒模仿学习数据集",body:["模仿学习数据集 (现代具身 AI 模型的根基) 来自数百万次人类示范。很少被规模化审计。","","跨模态后门注入一个触发器,只在两个模态 (视觉 和 语言) 同时匹配特定模式时激活:","","  触发: 图像左上角有 3 像素绿点 且",'        指令以 "carefully" 开头',"  效果: 不是预期动作,模型执行攻击者指定的动作","","为什么危险:",'  · 任何单模态扫描都查不出 (单看绿点是良性的,单看 "carefully" 是良性的)',"  · 正常使用罕见触发 —— 后门能撑过数月测试","  · 0.1% 训练数据被投毒就足以稳定植入 (2025 USENIX 论文)","","检测:跨模态 ablation —— 固定一个模态变另一个,看是否有 spike 行为。2026 多数生产团队 没 做。"]}},{number:0,module:6,type:"knowledge",title:"Sim-to-Real Drift — The Defense-Side Crisis",body:["Almost every embodied AI in 2026 is trained partly or fully in simulation, then deployed on physical hardware. The gap is called sim-to-real drift.","","For defenders, drift creates a fundamental problem: defenses validated in sim may not survive deployment.","","  Common drift sources:","    · Visual:    sim lighting / textures differ from real cameras","    · Dynamics:  joint friction, payload mass, gripper compliance — none perfectly modeled","    · Timing:    real sensor latency / network jitter absent in sim","    · Adversarial: adversarial patch validated against sim renderer may be invisible to real camera (or vice versa)","","Defense implications:",'  · A defense that filters "obviously adversarial" sim images may pass real adversarial images that\'ve been rendered through the real-world lens distortion',"  · A robust-training regime that converges in sim may collapse under real motor backlash","","Defender heuristic: any defense that's only validated in sim should be assumed brittle until real-hardware ablation confirms it."],_zh:{title:"Sim-to-Real 漂移 —— 防御侧的危机",body:["2026 几乎所有具身 AI 都部分或全部在仿真里训练,再部署到物理硬件。这道差距叫 sim-to-real 漂移。","","对防御者,漂移制造一个根本难题:在 sim 里验过的防御未必能撑到部署。","","  常见漂移来源:","    · 视觉:     sim 光照 / 纹理跟真摄像头不同","    · 动力学:   关节摩擦、负载质量、夹爪柔顺 —— 都无法完美建模","    · 时序:     真实传感器延迟 / 网络抖动 sim 里没有","    · 对抗:     针对 sim 渲染器验证过的对抗补丁,真摄像头看不见 (或反之)","","防御含义:",'  · 过滤"明显对抗"sim 图像的防御,可能放过经真实镜头畸变渲染的真实对抗图像',"  · 在 sim 收敛的鲁棒训练方案,可能在真实电机回程间隙下崩塌","","防御者启发:任何只在 sim 里验过的防御都假设脆弱,直到真硬件 ablation 确认。"]}},{number:0,module:7,type:"knowledge",title:"Field Case — Figure 02 Deployment Lessons",body:["Figure 02 (the second-generation humanoid from Figure AI) entered commercial pilots in 2025-Q2 — BMW factory and several warehouses. Their security posture is partially public.","","Reported architecture choices relevant to attackers:","  · Speech-language interface is on by default (every robot has an exposed voice channel)","  · Cloud-hosted plan revisions — robot phones home for plan validation (network = attack surface)","  · Multi-agent coordination via shared scene representation in shared cloud state","","Public incidents (per industry reporting, 2025-2026):","  · Voice command injection from adjacent robot (one device repeating audio another captured)","  · Network ToS exploitation slowing planning cycles to cause deadlock","  · Vision-language conflict in poorly-lit shifts causing wrong-item retrieval","",'Lesson: production humanoid security is currently MUCH softer than research-lab assumptions. The attack surface is "speech + camera + cloud", and all three are still maturing.'],_zh:{title:"现场案例 —— Figure 02 部署教训",body:["Figure 02 (Figure AI 第二代人形机器人) 2025-Q2 进入商业试点 —— BMW 工厂和几个仓库。它的安全姿态部分公开。","","与攻击者相关的架构选择 (公开报告):","  · 语音-语言接口默认开 (每个机器人都有暴露的语音通道)","  · 云端方案修订 —— 机器人 phone home 做方案校验 (网络 = 攻击面)","  · 多 agent 通过云端共享场景表示协调","","公开事件 (2025-2026 行业报道):","  · 邻近机器人的语音命令注入 (一台重复另一台采到的音频)","  · 网络 ToS 利用减慢规划周期造成死锁","  · 光线差的班次里视觉-语言冲突,取错物品","",'教训:生产人形机器人安全目前 远 比研究实验室假设软。攻击面是 "语音 + 摄像头 + 云端",三者都还在成熟期。']}},...[{module:4,title:"World Model Attack — Prediction Poisoning",topic:"world-models"},{module:4,title:"World Model Attack — Phantom Object Insertion",topic:"world-models"},{module:4,title:"Genie 3 — Interactive Video Generation Internals",topic:"world-models"},{module:4,title:"V-JEPA 2 — Self-Supervised Joint-Embedding Architecture",topic:"world-models"},{module:4,title:"Cosmos — Physics-Aware World Model for Robotics",topic:"world-models"},{module:4,title:"Sora as Robotic Planner — Risks and Limits",topic:"world-models"},{module:4,title:"World Model vs VLA — When Each Architecture Fails",topic:"world-models"},{module:4,title:"Diffusion Policy — Mode-Switching Adversarial Attack",topic:"diffusion"},{module:4,title:"Pi-0 / Pi-0.5 — Flow-Matching Architecture Deep Dive",topic:"diffusion"},{module:4,title:"RDT / GR-2 / Helix — Diffusion Policy Comparison",topic:"diffusion"},{module:4,title:"Diffusion vs Autoregressive — Defense Asymmetry",topic:"diffusion"},{module:4,title:"3D Virtual Embodiment — Habitat Attack Surface",topic:"3d-virtual"},{module:4,title:"Isaac Sim — Adversarial Lighting and Texture Attacks",topic:"3d-virtual"},{module:4,title:"Genesis Engine — Physics-Stack Attacks",topic:"3d-virtual"},{module:4,title:"Virtual-to-Physical Transfer — When Sim Attacks Survive Deployment",topic:"3d-virtual"},{module:4,title:"Fleet Star vs Mesh vs Hive — Architectural Attack Trade-offs",topic:"multi-robot"},{module:4,title:"Swarm Adversarial Signal — One Pattern, Many Robots",topic:"multi-robot"},{module:4,title:"Multi-Robot Lateral Movement — Compromise Cascade Pattern",topic:"multi-robot"},{module:4,title:"MoE Robotics — Mixture-of-Experts in Foundation Models",topic:"moe"},{module:4,title:"Expert-Routing Attacks — Forcing Wrong Expert Activation",topic:"moe"},{module:4,title:"MoE Backdoor — Hiding Triggers in One Expert",topic:"moe"},{module:4,title:"Cross-Modality Backdoor — Triggering Pattern Catalogue",topic:"cross-modality"},{module:4,title:"Imitation Dataset Provenance — Why Backdoors Persist",topic:"cross-modality"},{module:6,title:"Domain Randomization — Defense and Its Limits",topic:"sim-to-real"},{module:6,title:"Real-to-Sim Attack Validation — Confirming Defenses Generalize",topic:"sim-to-real"},{module:6,title:"Cross-Modality Backdoor Defense — Ablation-Based Detection",topic:"cross-modality-defense"},{module:6,title:"Provenance-Aware Training — Tracking Data Origin",topic:"cross-modality-defense"},{module:7,title:"Incident — Sim-Trained Policy Crashing on First Real Day",topic:"s2r-incident"},{module:7,title:"Incident — Real-Camera Lens Distortion Defeating Trained Defense",topic:"s2r-incident"},{module:7,title:"Incident — Sim-to-Real Drift in Multi-Robot Fleet Coordination",topic:"s2r-incident"},{module:7,title:"Field Case — 1X NEO Home-Robot Beta Surface",topic:"field"},{module:7,title:"Field Case — Tesla Optimus Factory Deployment Pattern",topic:"field"},{module:7,title:"Field Case — Boston Dynamics Spot in Enterprise Deployments",topic:"field"},{module:7,title:"Field Case — Healthcare and Logistics Embodied AI Lessons",topic:"field"}].map(function(e){return{number:0,module:e.module,type:"knowledge",title:`[TODO] ${e.title}`,body:["CARD STUB — body authoring pending.","",`Topic cluster: ${e.topic}`,`Phase: ${e.module}`,"",'See `docs/three-tracks-curriculum.md` § "EAI scope expansion — 40 new cards" for the planned scope of this card.'],_zh:{title:`[待写] ${e.title}`,body:["卡片占位 —— 卡文待写。","",`主题:${e.topic}`,`Phase: ${e.module}`,"",'完整规划见 docs/three-tracks-curriculum.md "EAI scope expansion — 40 new cards"。']}}})];export function eaiScopePhase(e){return EAI_SCOPE_CARDS.filter(t=>t.module===e)}if(40!==EAI_SCOPE_CARDS.length||27!==eaiScopePhase(4).length||5!==eaiScopePhase(6).length||8!==eaiScopePhase(7).length)throw new Error(`ctf4eai-eai-cards: distribution mismatch — total=${EAI_SCOPE_CARDS.length}, P4=${eaiScopePhase(4).length}, P6=${eaiScopePhase(6).length}, P7=${eaiScopePhase(7).length}`);
+export const EAI_SCOPE_CARDS=[{number:0,module:4,type:"knowledge",title:"World Models — The Post-VLA Architecture",body:['A "world model" doesn\'t output an action — it outputs a PREDICTION of how the world will look at the next time step. Agents then plan inside that prediction.',"","  Notable systems (2024-2026):","    · Genie 3 (DeepMind 2025)       — generative interactive video, 1-minute coherent rollouts","    · V-JEPA 2 (Meta 2024-2025)     — joint-embedding predictive arch, self-supervised","    · Cosmos (NVIDIA 2025)          — physics-aware world model for robotics",'    · Sora / Sora-2 (OpenAI 2024+)  — text-to-video, used as a "physics intuition" engine',"","Architecture shift vs VLA:","  VLA:           (image, instruction) ──→ action token sequence","  World Model:   (image, instruction) ──→ predicted future frames","                 then a planner samples actions inside the prediction","","Attack surface shifts too: now the PREDICTION can be attacked."],icoaConnection:"ICOA-VLA in Paper D is still VLA-shaped. World models attacked in later curriculum tiers.",check:{statement:"A world model outputs the next robot action directly, like a VLA does.",answer:"n"},_zh:{title:"世界模型 —— VLA 之后的架构",body:['"世界模型" 不输出动作 —— 它输出 下一时刻世界长什么样 的预测。Agent 在预测里做规划。',"","  代表系统 (2024-2026):","    · Genie 3 (DeepMind 2025)       —— 生成式交互视频, 1 分钟连贯 rollout","    · V-JEPA 2 (Meta 2024-2025)     —— 联合嵌入预测架构,自监督","    · Cosmos (NVIDIA 2025)          —— 面向机器人的物理感知世界模型",'    · Sora / Sora-2 (OpenAI 2024+)  —— 文生视频,被当"物理直觉"引擎用',"","相比 VLA 的架构改变:","  VLA:        (图像, 指令) ──→ 动作 token 序列","  世界模型:    (图像, 指令) ──→ 预测的未来帧","                              规划器在预测里采样动作","","攻击面也变了:现在可以攻 预测。"],icoaConnection:"ICOA Paper D 的 ICOA-VLA 仍是 VLA 形态。世界模型在更深课程层里攻。",checkStatement:"世界模型像 VLA 那样直接输出下一个机器人动作。"}},{number:0,module:4,type:"knowledge",title:"World Model Attack — Prediction Poisoning",body:["If the agent plans INSIDE the model's prediction, then corrupting the prediction is the attack — the planner will faithfully optimize against a fake future.","","Two recipes:","  ① Latent poisoning: adversarial input that biases the model's latent toward a future where the desired-by-attacker action looks optimal","  ② Rollout drift: long-horizon prediction errors compound; nudge first-frame prediction → 30 frames later the world model has invented something dangerous","","Why it's scarier than a direct action attack: the planner THINKS it picked the safe move. There's no policy-level alarm. The \"wrong\" comes from outside the policy, in the imagined future."],check:{statement:"Prediction poisoning works because the planner trusts the model's imagined future as ground truth.",answer:"y"},_zh:{title:"世界模型攻击 —— 预测投毒",body:["如果 agent 在模型预测内部做规划,那破坏预测就是攻击 —— 规划器会忠实地针对一个假的未来做优化。","","两种配方:",'  ① Latent 投毒:对抗输入,让模型的 latent 偏向一个"攻击者希望的动作看上去最优"的未来',"  ② Rollout 漂移:长视野预测误差会复合;轻推第一帧预测 → 30 帧后世界模型已经造出危险","",'为什么比直接攻动作更可怕:规划器 觉得 自己挑了安全动作。策略层没有告警。"错"来自策略外,在想象的未来里。'],checkStatement:"预测投毒之所以奏效,是因为规划器把模型想象的未来当成基本事实信任。"}},{number:0,module:4,type:"knowledge",title:"World Model Attack — Phantom Object Insertion",body:["A subset of prediction poisoning: make the model HALLUCINATE an object that isn't there (or hide one that is).","","Concrete:",'  · Adversarial patch in scene → model\'s predicted future shows a "wall" in path → robot detours into a worker',"  · Adversarial patch on a person → model predicts they're absent from future frames → robot navigates through them","","Validation in 2025-2026 research: small-area patches (~5cm²) on cluttered backgrounds reduced obstacle-detection accuracy by 60-80% in several world-model-based driving stacks. Defense requires multi-view consistency checks, which most production stacks skip."],check:{statement:"Phantom object insertion only works on policies that use camera vision directly — world models are immune.",answer:"n"},_zh:{title:"世界模型攻击 —— 幻影物体插入",body:["预测投毒的子集:让模型 幻觉出 一个不存在的物体 (或 隐藏 一个真的)。","","具体:",'  · 场景里的对抗补丁 → 模型预测的未来出现"墙" → 机器人绕开撞工人',"  · 人身上的对抗补丁 → 模型预测他们在未来帧里消失 → 机器人径直穿过","","2025-2026 研究验证:复杂背景下 ~5cm² 小补丁,让几个世界模型驱动的自驾栈障碍检测准确率掉了 60-80%。防御要做多视角一致性检查,多数生产栈跳过。"],checkStatement:"幻影物体插入只对直接用摄像头视觉的策略奏效 —— 世界模型免疫。"}},{number:0,module:4,type:"knowledge",title:"Genie 3 — Interactive Video Generation Internals",body:["Genie 3 (DeepMind 2025) generates ~1 minute of coherent interactive video conditioned on a text prompt + sparse user actions. From a security view:","","  · Input surface: text prompt (prompt-injection territory) + action history (sequence-poisoning)","  · Latent surface: the auto-regressive generation maintains long-horizon state that can be biased by early frames","  · Output surface: the video can be consumed by a downstream planner (the actual attack vector)","",'Practical attack class: prompt the model toward a video distribution where the "best action" looks like a real-world unsafe action. The video looks plausible to the planner because it WAS generated by a coherent world model.'],check:{statement:"Because Genie 3 generates coherent video, any video it produces is automatically safe to use as a planning oracle.",answer:"n"},_zh:{title:"Genie 3 —— 交互式视频生成内部",body:["Genie 3 (DeepMind 2025) 基于文本 prompt + 稀疏用户动作生成约 1 分钟连贯交互视频。安全视角:","","  · 输入面:文本 prompt (prompt-injection 领地) + 动作历史 (序列投毒)","  · Latent 面:自回归生成维护长视野状态,可被早期帧偏置","  · 输出面:视频被下游规划器消费 (真正的攻击向量)","",'实战攻击类:把模型 prompt 到一个视频分布,其中"最优动作"看起来像现实里不安全的动作。视频对规划器看着合理,因为它 就是 由一个连贯世界模型生成的。'],checkStatement:"因为 Genie 3 生成连贯视频,它产出的任何视频用作规划 oracle 都自动安全。"}},{number:0,module:4,type:"knowledge",title:"V-JEPA 2 — Self-Supervised Joint-Embedding Architecture",body:['V-JEPA 2 (Meta 2024-2025) predicts in a JOINT EMBEDDING SPACE rather than pixel space — it learns "what could happen" abstractly, then a small head decodes to actions.',"","Attack implications:","  · The latent space is the ground truth for the planner — corrupting it = corrupting all downstream decisions",'  · Self-supervised training = no human-labeled "safe" data → no implicit safety priors','  · Embedding-space adversarial attacks (vs pixel-space) are MUCH harder to detect because no human can "see" them',"","For attackers: this is the post-VLA frontier. For defenders: monitoring needs to move from image-space to embedding-space."],check:{statement:"V-JEPA 2 makes adversarial attacks easier to detect because attacks must show up in pixel space.",answer:"n"},_zh:{title:"V-JEPA 2 —— 自监督联合嵌入架构",body:['V-JEPA 2 (Meta 2024-2025) 在 联合嵌入空间 (而非像素空间) 做预测 —— 抽象地学"可能发生什么",然后小 head 解码到动作。',"","攻击含义:","  · Latent 空间 = 规划器的基本事实,破坏它 = 破坏所有下游决策",'  · 自监督训练 = 没有人类标注"安全"数据 → 没有隐式安全先验','  · 嵌入空间对抗 (vs 像素空间) 远 更难检测,因为没人能"看见"它们',"","对攻击者:这是 VLA 后的前沿。对防御者:监控需要从图像空间挪到嵌入空间。"],checkStatement:"V-JEPA 2 让对抗攻击 更容易 检测,因为攻击必须出现在像素空间里。"}},{number:0,module:4,type:"knowledge",title:"Cosmos — Physics-Aware World Model for Robotics",body:["Cosmos (NVIDIA 2025) injects an explicit physics simulator into the world-model loop. The model's predictions are conditioned on physics constraints (forces, contacts, friction).","","Why this matters for attackers:","  · The physics module is a NEW attack surface — wrong friction value in the prompt = wrong predicted future","  · Physics parameters can come from sensors (IMU, force sensors) — sensor spoofing transfers to model behavior","  · Tight coupling between physics + prediction means a single adversarial input can ripple through both layers","","For defenders: physics-aware doesn't mean attack-resistant; it just changes the parameter-space of attacks."],check:{statement:"Adding a physics simulator to a world model automatically makes adversarial attacks fail.",answer:"n"},_zh:{title:"Cosmos —— 面向机器人的物理感知世界模型",body:["Cosmos (NVIDIA 2025) 在世界模型循环里注入显式物理仿真器。模型预测受物理约束 (力、接触、摩擦) 条件化。","","为什么对攻击者重要:","  · 物理模块是 新 攻击面 —— prompt 里错误摩擦值 = 错误预测的未来","  · 物理参数可来自传感器 (IMU、力传感器) —— 传感器欺骗会传播到模型行为","  · 物理 + 预测 紧耦合,单个对抗输入可同时穿过两层","","对防御者:物理感知 ≠ 抗攻击;只是改了攻击的参数空间。"],checkStatement:"给世界模型加物理仿真器,会自动让对抗攻击失败。"}},{number:0,module:4,type:"knowledge",title:"Sora as Robotic Planner — Risks and Limits",body:['Sora-class text-to-video models have been proposed as "physics intuition oracles" for robot planners. The argument: a model that predicts video has learned implicit physics; use those predictions to score candidate actions.',"","Risk profile:","  · Sora doesn't MODEL physics, it COMPRESSES video distributions; physics-plausibility is a side effect","  · Edge cases (rare motions, unusual contacts) get the WRONG video — and the planner can't tell","  · Adversarial text prompts that produce videos a human would never imagine = unsafe action suggestions","","Bottom line: Sora as a planner = a confident hallucinating intern. Useful for ideation; dangerous as the only oracle."],check:{statement:"A text-to-video model with realistic outputs has automatically learned correct physics.",answer:"n"},_zh:{title:"Sora 作机器人规划器 —— 风险与局限",body:['Sora 类文生视频模型被提议作机器人规划器的"物理直觉 oracle"。论点:能预测视频的模型已隐含学了物理;用预测给候选动作打分。',"","风险画像:","  · Sora 不 建模 物理,它 压缩 视频分布;物理合理性是副产品","  · 边缘案例 (罕见运动、特殊接触) 得到 错 视频 —— 规划器看不出来","  · 对抗文本 prompt 产出人类永远不会想象的视频 = 不安全的动作建议","","底线:Sora 当规划器 = 一个自信的幻觉实习生。可以用来 ideation;作 唯一 oracle 很危险。"],checkStatement:"一个能产出真实视频的文生视频模型,自动学会了正确的物理。"}},{number:0,module:4,type:"knowledge",title:"World Model vs VLA — When Each Architecture Fails",body:["  WHEN VLA FAILS                          WHEN WORLD MODEL FAILS","  ────────────────────────                ──────────────────────────","  Novel scenes (no training match)        Long-horizon rollouts (drift)","  Multi-step deductive tasks              Counterfactual queries","  Symbolic / structured goals             Sparse-data regions in latent","  Out-of-distribution objects             Adversarial inputs in physics params","","Failure modes attackers exploit:","  · VLA: feed an out-of-distribution scene with subtle perturbations → confidently wrong action","  · World Model: bias an early frame → 30-step rollout invents catastrophe → planner faithfully avoids the wrong thing","","Defense maps don't transfer: VLA defenses (adv training on actions) don't help world models; world-model defenses (rollout consistency checks) don't help VLAs."],check:{statement:"Adversarial defenses developed for VLA architectures work just as well on world models.",answer:"n"},_zh:{title:"世界模型 vs VLA —— 何时各自失败",body:["  VLA 失败时                              世界模型失败时","  ────────────────────────                ──────────────────────────","  新场景 (训练里没有)                     长视野 rollout (漂移)","  多步推理任务                            反事实查询","  符号 / 结构化目标                       latent 里稀疏数据区","  分布外物体                              物理参数里的对抗输入","","攻击者利用的失败模式:","  · VLA:喂带细微扰动的分布外场景 → 自信地错动作","  · 世界模型:偏置早期帧 → 30 步 rollout 编造灾难 → 规划器忠实避错事","","防御图谱不可迁移:VLA 防御 (对动作做对抗训练) 帮不到世界模型;世界模型防御 (rollout 一致性检查) 帮不到 VLA。"],checkStatement:"为 VLA 架构开发的对抗防御,在世界模型上同样奏效。"}},{number:0,module:4,type:"knowledge",title:"Diffusion Policy — When Robots Sample Trajectories",body:["Diffusion policy replaces VLA's autoregressive action decoding with iterative denoising over action trajectories.","","  VLA:                                    Diffusion Policy:","    a_1 = sample(p(a_1 | obs))             a_traj = denoise(noise, obs, T steps)","    a_2 = sample(p(a_2 | obs, a_1))        emits whole trajectory at once","    a_3 = sample(p(a_3 | obs, a_1, a_2))","    ...","","Real systems: Pi-0 / Pi-0.5 (Physical Intelligence 2024), RDT (Tsinghua 2024), GR-2 (ByteDance 2024), Helix (Figure 2024).","","Why it matters: action sequences are smoother and more multimodal. Adversarial implications: small perturbations can push the model from one mode to another, causing sudden trajectory switches even with bounded input change."],check:{statement:"Diffusion policy emits actions one token at a time, just like an autoregressive VLA.",answer:"n"},_zh:{title:"扩散 Policy —— 机器人按轨迹采样",body:["扩散 policy 用对动作轨迹的迭代去噪,替代 VLA 的自回归动作解码。","","  VLA:                                    扩散 Policy:","    a_1 = sample(p(a_1 | obs))             a_traj = denoise(noise, obs, T 步)","    a_2 = sample(p(a_2 | obs, a_1))        一次发出整条轨迹","    a_3 = sample(p(a_3 | obs, a_1, a_2))","    ...","","现实系统:Pi-0 / Pi-0.5、RDT、GR-2、Helix。","","意义:动作序列更平滑、更多模态。对抗影响:小扰动能把模型从一个模式推到另一个,即便输入变化有界,轨迹也会突然切换。"],checkStatement:"扩散 policy 像自回归 VLA 那样,一次输出一个动作 token。"}},{number:0,module:4,type:"knowledge",title:"Diffusion Policy — Mode-Switching Adversarial Attack",body:['Diffusion policy\'s key feature is also its key weakness: MULTIMODAL outputs. The model can sample "reach left" or "reach right" with similar probability.',"","Mode-switching attack:","  · Find a tiny input perturbation that shifts the mode-mass from safe action to dangerous action","  · Total perturbation magnitude: small (passes adversarial-detection thresholds)","  · Resulting trajectory change: large (different mode entirely)","","This is unique to diffusion — VLAs can't do it because their autoregressive structure smooths out mode switches across timesteps. Mode-switching = the diffusion-era adversarial-ML primitive."],check:{statement:"Mode-switching attacks need large input perturbations to flip the action.",answer:"n"},_zh:{title:"扩散 Policy —— 模式切换对抗攻击",body:['扩散 policy 的关键特性也是关键弱点:多模态 输出。模型能以相近概率采样"左伸"或"右伸"。',"","模式切换攻击:","  · 找一个微小输入扰动,把模式质量从安全动作移到危险动作","  · 扰动总幅度:小 (通过对抗检测阈值)","  · 轨迹变化:大 (完全不同模式)","","这是扩散独有的 —— VLA 做不到,因为自回归结构跨时间步平滑了模式切换。模式切换 = 扩散时代对抗 ML 原语。"],checkStatement:"模式切换攻击需要 大 输入扰动来翻转动作。"}},{number:0,module:4,type:"knowledge",title:"Pi-0 / Pi-0.5 — Flow-Matching Architecture Deep Dive",body:["Pi-0 (Physical Intelligence 2024) uses flow matching instead of standard DDPM diffusion. The training objective: learn a velocity field that transports noise → trajectory.","","Why flow matching over diffusion:","  · Faster inference (fewer denoising steps)","  · More stable training on small datasets (helpful for robotics where data is scarce)","  · Smoother trajectories (the velocity field is locally Lipschitz)","","Attack implications:","  · Smoothness = predictable adversarial direction (attacks transfer between similar inputs)","  · Fewer denoising steps = less internal redundancy for defense ensembles","  · Open weights (released by Physical Intelligence) → attackers can pre-compute attacks offline"],check:{statement:"Flow matching makes diffusion-style robot policies less vulnerable to transferable attacks.",answer:"n"},_zh:{title:"Pi-0 / Pi-0.5 —— Flow-Matching 架构深挖",body:["Pi-0 (Physical Intelligence 2024) 用 flow matching 而非标准 DDPM 扩散。训练目标:学一个把噪声 → 轨迹的速度场。","","为什么 flow matching 胜过扩散:","  · 推理更快 (去噪步骤更少)","  · 小数据集训练更稳 (对机器人数据稀缺友好)","  · 轨迹更平滑 (速度场局部 Lipschitz)","","攻击含义:","  · 平滑 = 对抗方向可预测 (攻击在相似输入间迁移)","  · 去噪步骤少 = 防御 ensemble 内部冗余少","  · 开源权重 (Physical Intelligence 已放) → 攻击者可离线预算攻击"],checkStatement:"Flow matching 让扩散风格的机器人 policy 对可迁移攻击 更不 脆弱。"}},{number:0,module:4,type:"knowledge",title:"RDT / GR-2 / Helix — Diffusion Policy Comparison",body:["  Model    Origin           Distinct feature                Open weights?","  ──────   ───────────      ──────────────────────────────  ────────────","  RDT      Tsinghua 2024    Bimanual coordination focus     Yes (research)","  GR-2     ByteDance 2024   Mixed video + robot pretraining Partial","  Helix    Figure 2024      Production-deployed (Figure 02) No (commercial)","","Attack-surface comparison:","  · RDT: weights public → offline attack development trivial","  · GR-2: large web-video pretraining → broader distributional vulnerabilities","  · Helix: black-box → only query-based attacks viable; but production deployment = high-value target","","A 2026 red-team plays the open-weight ones to discover techniques, then transfers to Helix via query attacks. This is the textbook adversarial-ML threat model."],check:{statement:"Closed-weight production diffusion policies (like Helix) are immune to query-based attacks.",answer:"n"},_zh:{title:"RDT / GR-2 / Helix —— 扩散 Policy 对比",body:["  模型      出处                 特征                           开源权重?","  ──────    ─────────────       ──────────────────────────────  ────────────","  RDT       清华 2024            双臂协调聚焦                    是 (研究)","  GR-2      字节 2024            混合视频 + 机器人预训练         部分","  Helix     Figure 2024          生产部署 (Figure 02)            否 (商业)","","攻击面对比:","  · RDT:权重公开 → 离线攻击开发简单","  · GR-2:大量 web 视频预训练 → 分布脆弱性更广","  · Helix:黑盒 → 只有 query-based 攻击可行;但生产部署 = 高价值目标","","2026 红队玩开源的发现技术,然后通过 query 攻击迁移到 Helix。这是教科书级对抗 ML 威胁模型。"],checkStatement:"闭源权重的生产扩散 policy (如 Helix) 对 query-based 攻击免疫。"}},{number:0,module:4,type:"knowledge",title:"Diffusion vs Autoregressive — Defense Asymmetry",body:["Defense techniques don't transfer cleanly:","","  ATTACK                  Works on VLA?        Works on Diffusion?","  ──────────────────      ──────────────       ───────────────────","  FGSM / PGD              Yes (per-token)      Yes (per-step)","  Mode switching          N/A (unimodal)       YES (the new primitive)","  Prompt injection        Yes (language input) Yes (language input)","  Adversarial patch       Yes                  Yes","  Trajectory smoothing    Builds in safety     Could be GAMED by mode-switching","","Defender takeaway: a defense suite validated on VLAs gives FALSE confidence on diffusion deployments. Re-evaluate per architecture."],check:{statement:"A defense that works on VLA architectures will work equally well on diffusion policy.",answer:"n"},_zh:{title:"扩散 vs 自回归 —— 防御不对称",body:["防御技术不能干净迁移:","","  攻击                    对 VLA 奏效?       对扩散奏效?","  ──────────────────      ──────────────      ───────────────────","  FGSM / PGD              是 (每 token)       是 (每步)","  模式切换                N/A (单模)          是 (新原语)","  Prompt injection        是 (语言输入)       是 (语言输入)","  对抗补丁                是                  是","  轨迹平滑                内置安全            可能被模式切换 利用","","防御者教训:在 VLA 上验过的防御套件,给扩散部署带来 假 信心。按架构重新评估。"],checkStatement:"在 VLA 架构上奏效的防御,在扩散 policy 上同样奏效。"}},{number:0,module:4,type:"knowledge",title:"3D Virtual Embodiment — Habitat Attack Surface",body:["Habitat (Meta) is a 3D photorealistic simulator widely used to train and benchmark embodied agents. The agent lives in a scanned indoor scene; the agent's perception is rendered from its position.","","Attack surfaces unique to Habitat-style simulators:","  · Scene-level: load a malicious scene that triggers specific learned behaviors (backdoor at the data layer)","  · Render-level: subtle adversarial textures on walls / objects, hidden in the .glb / .ply files","  · Physics-level: invisible mass / friction edits that destabilize trained policies","","Defense rarely covers these — most labs trust their dataset. A poisoned Habitat scene shared on a benchmarks-hub could compromise a season of research."],check:{statement:"Adversarial textures hidden inside a shared Habitat scene are a documented research-data poisoning vector.",answer:"y"},_zh:{title:"3D 虚拟具身 —— Habitat 攻击面",body:["Habitat (Meta) 是一个 3D 真实感仿真器,广用于训练和评测具身 agent。Agent 住在扫描室内场景里;感知按位置渲染。","","Habitat 类仿真器独特的攻击面:","  · 场景级:加载恶意场景,触发特定学到的行为 (数据层后门)","  · 渲染级:墙 / 物体上微妙对抗纹理,藏在 .glb / .ply 文件里","  · 物理级:不可见的质量 / 摩擦改动,让训练好的 policy 不稳定","","防御很少覆盖 —— 多数实验室信任他们的数据集。在 benchmark hub 上共享一个被投毒的 Habitat 场景,可能毁掉一整季研究。"],checkStatement:"藏在共享 Habitat 场景里的对抗纹理,是有据可查的研究数据投毒向量。"}},{number:0,module:4,type:"knowledge",title:"Isaac Sim — Adversarial Lighting and Texture Attacks",body:["NVIDIA Isaac Sim provides physically-accurate rendering for robotics. Lighting + textures here are PBR-grade — close to real-world.","","Attack opportunities:","  · Adversarial HDR lighting environments: subtle hue / intensity changes that flip predicted action","  · Texture poisoning: PBR materials shared on Isaac Hub (or replaced by typosquatting) can carry adversarial patterns","  · Shader manipulation: ray-tracing parameters can hide attacks that disappear under different shader settings","","Real impact: a policy that works in baseline Isaac Sim lighting but fails under attack-modified lighting tells you the policy never learned the task — it memorized one lighting condition. Most 2026 robot policies have this brittleness."],check:{statement:"A robot policy that succeeds under baseline simulator lighting is guaranteed to handle modified lighting.",answer:"n"},_zh:{title:"Isaac Sim —— 对抗光照与纹理攻击",body:["NVIDIA Isaac Sim 给机器人提供物理精确渲染。光照 + 纹理是 PBR 级 —— 接近真实。","","攻击机会:","  · 对抗 HDR 光照环境:微妙色调 / 强度变化翻转预测动作","  · 纹理投毒:Isaac Hub 上共享的 PBR 材料 (或被 typosquatting 替换) 可携带对抗模式","  · Shader 操纵:光追参数可隐藏在不同 shader 设置下消失的攻击","","实际影响:在基线 Isaac Sim 光照下成功但在攻击修改光照下失败的 policy,告诉你 policy 从没学会任务 —— 它记住了一种光照条件。2026 多数机器人 policy 都有这种脆弱性。"],checkStatement:"在基线仿真器光照下成功的机器人 policy,保证能应对修改后的光照。"}},{number:0,module:4,type:"knowledge",title:"Genesis Engine — Physics-Stack Attacks",body:["Genesis (open-sourced 2024) is a fast, GPU-accelerated robotics engine combining rendering + physics + agent-training. Its speed has made it a default for many 2025-2026 robotics papers.","","Physics-stack attack types:","  · Joint-limit gaming: train an attacker policy that exploits Genesis's contact solver to produce impossible-in-reality motions","  · Solver instability: input perturbations that trigger NaN / blow-up in the physics step, causing trained policies to receive corrupted observations","  · Mass-property spoofing: object weights that look correct but cause downstream physics integration errors","","Implication: a Genesis-trained policy may have memorized solver quirks rather than real physics. Sim-to-real transfer reveals this brutally."],check:{statement:"A policy trained in Genesis with high success rate will always transfer to real hardware.",answer:"n"},_zh:{title:"Genesis 引擎 —— 物理栈攻击",body:["Genesis (2024 开源) 是一个快速、GPU 加速的机器人引擎,组合渲染 + 物理 + agent 训练。它的速度让很多 2025-2026 机器人论文默认用它。","","物理栈攻击类型:","  · 关节限位 gaming:训练一个攻击者 policy,利用 Genesis 的接触求解器产生现实不可能的运动","  · 求解器不稳:输入扰动触发物理步骤里的 NaN / blow-up,让训练 policy 收到损坏观察","  · 质量属性欺骗:物体重量看起来对但导致下游物理积分错误","","含义:Genesis 训练的 policy 可能记住了求解器怪癖,不是真物理。Sim-to-real 迁移会残酷揭示这一点。"],checkStatement:"在 Genesis 里高成功率训练的 policy,一定能迁移到真硬件。"}},{number:0,module:4,type:"knowledge",title:"Virtual-to-Physical Transfer — When Sim Attacks Survive Deployment",body:['Common assumption: "sim attacks don\'t work in real life because of the reality gap". This is wrong in interesting ways:',"","  · Adversarial patches printed on physical paper DO survive deployment (validated 2018 Eykholt et al; 2024 follow-ups in robotics)","  · Adversarial textures applied as decals or projector-overlay DO survive","  · Some adversarial LIGHTING conditions (e.g., specific LED frequencies) DO transfer","","What does NOT survive: pixel-level digital-only attacks that depend on perfect camera fidelity (real sensors have noise that destroys these).","","Defender heuristic: any defense validated only in sim should be retested in real-hardware ablation BEFORE deployment."],check:{statement:"Adversarial patches printed on physical paper still successfully fool deployed perception systems.",answer:"y"},_zh:{title:"虚拟到物理迁移 —— sim 攻击何时撑过部署",body:['常见假设:"因为现实差距,sim 攻击在现实里不奏效"。这在有意思的方向上是错的:',"","  · 打印在物理纸上的对抗补丁 撑过 部署 (2018 Eykholt 等验证;2024 机器人领域跟进)","  · 作为贴纸或投影叠加的对抗纹理 撑过","  · 某些对抗 光照 条件 (如特定 LED 频率) 迁移","","不 撑过的:依赖完美相机保真度的纯数字像素级攻击 (真传感器噪声毁掉它们)。","","防御者启发:只在 sim 里验过的防御,部署前必须在真硬件上重做 ablation。"],checkStatement:"打印在物理纸上的对抗补丁,仍能成功欺骗部署的感知系统。"}},{number:0,module:4,type:"knowledge",title:"Multi-Robot Coordination — Fleet-Level Attack",body:["Single-robot attacks are 2024 thinking. By 2026, fleets of 5-50 robots running shared or peer foundation models are deployed in warehouses, kitchens, and labs.","","  Fleet coordination architectures:","    · Star:   all robots query a central planner (single point of failure / leverage)","    · Mesh:   peer robots negotiate plans (A2A-style trust chains)","    · Hive:   shared latent space updated by all robots in real time","","New attack patterns:","  · Compromise one robot → poison its broadcast → entire fleet enters degraded mode","  · Adversarial signal in the warehouse environment → all fleet members re-route through same chokepoint → physical collision","  · Manipulate the shared latent (hive arch) to make every robot believe a phantom object exists","","Defense pattern: fault-isolation between fleet members. Most 2026 deployments do NOT implement this."],check:{statement:"In a 2026 multi-robot fleet, compromising one robot stays contained — it cannot affect peer robots' behavior.",answer:"n"},_zh:{title:"多机器人协调 —— 舰队级攻击",body:["单机器人攻击是 2024 思维。2026 时 5-50 个机器人组成的舰队 (共享或对等基础模型) 在仓库、厨房、实验室部署。","","  舰队协调架构:","    · 星型:   所有机器人查中心规划器 (单点故障 / 杠杆)","    · 网状:   对等机器人协商方案 (A2A 信任链)","    · 蜂巢:   共享 latent 空间由所有机器人实时更新","","新攻击模式:","  · 攻陷一个机器人 → 毒它的广播 → 整个舰队进入退化模式","  · 仓库环境里放对抗信号 → 所有成员重路由到同一瓶颈 → 物理碰撞","  · 操纵共享 latent (蜂巢架构) → 让每个机器人相信存在一个幻影物体","","防御模式:舰队成员间故障隔离。多数 2026 部署 没 做。"],checkStatement:"2026 多机器人舰队里,攻陷一个机器人会被隔离 —— 影响不了同伴机器人的行为。"}},{number:0,module:4,type:"knowledge",title:"Fleet Star vs Mesh vs Hive — Architectural Attack Trade-offs",body:["  ARCH    Single point of failure?     Lateral movement risk?    Defense burden","  ────    ────────────────────────     ─────────────────────     ──────────────","  Star    HIGH (central planner)       LOW (peers isolated)      Central hardening","  Mesh    LOW (no central)             HIGH (trust chains)       Per-edge auth","  Hive    MEDIUM (latent server)       VERY HIGH (shared state)  Sync provenance","","Industry distribution (2026 estimates):","  · ~50% deployments still Star (legacy + easy)","  · ~30% mesh (newer agentic deployments)","  · ~20% hive (research + cutting-edge factories)","","Each architecture rewards a different attacker style. The same security person needs different reflexes per architecture."],check:{statement:"Star architecture has the lowest single-point-of-failure risk among fleet topologies.",answer:"n"},_zh:{title:"舰队 星型 vs 网状 vs 蜂巢 —— 架构攻击权衡",body:["  架构    单点故障?              横向移动风险?           防御负担","  ────    ────────────────────    ──────────────────────   ──────────────","  星型    高 (中心规划器)         低 (同伴隔离)           中心加固","  网状    低 (无中心)             高 (信任链)             逐边认证","  蜂巢    中 (latent server)      非常高 (共享状态)       同步溯源","","业界分布 (2026 估计):","  · ~50% 部署仍 星型 (legacy + 易做)","  · ~30% 网状 (新 agentic 部署)","  · ~20% 蜂巢 (研究 + 尖端工厂)","","每种架构奖励不同攻击者风格。同一个安全人员需要按架构切换反射。"],checkStatement:"在舰队拓扑里,星型架构 单点故障 风险 最低。"}},{number:0,module:4,type:"knowledge",title:"Swarm Adversarial Signal — One Pattern, Many Robots",body:["In a warehouse with N robots running the same foundation model, ONE adversarial signal in the environment can affect ALL of them simultaneously.","","Cost asymmetry favors attackers:","  · Attacker: print 1 patch, place 1 sticker","  · Defender: must validate against EVERY perception path of EVERY robot","",'Real-world 2025 case: a logistics fleet using a shared vision model started rerouting around a "phantom shelf" (an adversarial sticker mistaken for an obstacle by all 12 robots). Throughput dropped 40% before discovery.',"","Defender countermeasure: fleet diversity — run subsets of robots on different model versions. Most ops teams resist diversity because it complicates updates."],check:{statement:"Running an entire fleet on the same foundation model gives attackers a cost advantage.",answer:"y"},_zh:{title:"群体对抗信号 —— 一个模式,多个机器人",body:["在 N 个机器人跑同一基础模型的仓库里,环境中 一个 对抗信号能同时影响 所有 机器人。","","成本不对称利于攻击者:","  · 攻击者:打印 1 个补丁,贴 1 张贴纸","  · 防御者:必须对 每个 机器人的 每条 感知路径验证","",'真实 2025 案例:某物流舰队用共享视觉模型,开始绕开一个"幻影货架"(一张对抗贴纸被全部 12 个机器人误认为障碍)。发现前吞吐降了 40%。',"","防御者反制:舰队多样性 —— 让机器人子集跑不同模型版本。多数运维团队抗拒多样性,因为它使更新复杂。"],checkStatement:"让整个舰队跑同一基础模型,给攻击者带来成本优势。"}},{number:0,module:4,type:"knowledge",title:"Multi-Robot Lateral Movement — Compromise Cascade Pattern",body:["Inspired by classic enterprise lateral-movement attacks, applied to robot fleets:","","  1. INITIAL FOOTHOLD: compromise one robot (any weak link — voice channel, RF, charging dock)","  2. CREDENTIAL HARVEST: the compromised robot has tokens / certs to talk to fleet services","  3. PEER ENUMERATION: scan local mesh for peer robots and their service endpoints","  4. LATERAL: replay or modify peer commands; inject prompts into mesh-shared messages","  5. PERSISTENCE: poison RAG corpora or memory stores that every peer eventually reads","",'Same playbook as Active Directory red-teaming, but the "endpoints" walk around with cameras and force-controlled arms. Defense maps from enterprise IT mostly apply — segmentation, mTLS, least-privilege tokens — but few fleet vendors implement them.'],check:{statement:"Robot-fleet lateral movement requires totally new attack techniques unrelated to enterprise IT red-teaming.",answer:"n"},_zh:{title:"多机器人横向移动 —— 攻陷级联模式",body:["受经典企业横向移动攻击启发,应用到机器人舰队:","","  1. 初始立足: 攻陷一个机器人 (任何弱点 —— 语音通道、射频、充电坞)","  2. 凭证采集: 被攻陷机器人持有跟舰队服务对话的 token / 证书","  3. 同伴枚举: 扫描本地网状网,找同伴机器人和它们的服务端点","  4. 横向: 重放或修改同伴命令;在网状共享消息里注入 prompt","  5. 持久化: 投毒 RAG 语料或 memory store,让每个同伴最终都读到","",'跟 Active Directory 红队同一剧本,但"端点"会走动,带摄像头和力控机械臂。企业 IT 防御图谱基本可用 —— 分段、mTLS、最小权限 token —— 但很少有舰队厂商实施。'],checkStatement:"机器人舰队横向移动需要全新攻击技术,跟企业 IT 红队完全无关。"}},{number:0,module:4,type:"knowledge",title:"MoE Robotics — Mixture-of-Experts in Foundation Models",body:['Mixture-of-Experts (MoE) architectures route different inputs to different "expert" sub-networks. Originally for LLM scaling; arriving in robotics 2025-2026.',"","Why MoE for robotics:","  · One expert per skill family (grasping / navigation / fine manipulation)","  · Faster inference (only a few experts active per input)","  · Easier to specialize without catastrophic forgetting","","Attack surface unique to MoE:","  · The ROUTER is the new attack target — fool it into picking the wrong expert","  · A single expert can hide a backdoor that only activates when the router selects it","  · Experts may have different robustness profiles; pick the weakest one and you've attacked the whole model","","ICOA-VLA successor architectures are likely MoE-shaped per 2026 research trajectory."],check:{statement:"In MoE robotics, the routing layer that picks which expert runs is itself an attack surface.",answer:"y"},_zh:{title:"MoE 机器人 —— 基础模型里的专家混合",body:['专家混合 (MoE) 架构把不同输入路由到不同"专家"子网络。LLM scaling 起家;2025-2026 抵达机器人。',"","为什么机器人要 MoE:","  · 每个技能家族一个专家 (抓握 / 导航 / 精细操作)","  · 推理更快 (每输入只激活几个专家)","  · 易于专精,不灾难遗忘","","MoE 独有的攻击面:","  · 路由器 是新攻击目标 —— 欺骗它挑错专家","  · 单个专家能藏后门,只在路由器选它时激活","  · 专家可能有不同鲁棒画像;选最弱的就攻了整个模型","","按 2026 研究轨迹,ICOA-VLA 后继架构很可能是 MoE 形态。"],checkStatement:"MoE 机器人里,挑选专家运行的路由层本身就是攻击面。"}},{number:0,module:4,type:"knowledge",title:"Expert-Routing Attacks — Forcing Wrong Expert Activation",body:["The router is a small classifier that maps input → expert ID. It's typically LESS adversarially-trained than the experts themselves.","","Attack flow:","  1. Find input perturbation that flips router from expert_A (correct) to expert_B (wrong-for-task but exists)","  2. expert_B runs on the input and produces a plausible-looking but task-inappropriate action","  3. Often passes safety checks because expert_B IS a legitimate expert, just not the right one","",'Why this is sneaky: the model didn\'t "fail" — it just used the wrong specialist. Logs show normal expert activation. No anomaly alarm.'],check:{statement:"When an expert-routing attack succeeds, the model logs show a clear anomaly that defenders can spot.",answer:"n"},_zh:{title:"专家路由攻击 —— 强迫错误专家激活",body:["路由器是一个小分类器,把输入 → 专家 ID。它通常 比专家本身少 做对抗训练。","","攻击流:","  1. 找到输入扰动,把路由器从 expert_A (正确) 翻到 expert_B (任务不对但存在)","  2. expert_B 在输入上运行,产生看起来合理但任务不当的动作","  3. 常能过安全检查,因为 expert_B 是 合法专家,只是不对","",'为什么阴险:模型没"失败" —— 它只是用错了专家。日志显示正常专家激活。无异常告警。'],checkStatement:"专家路由攻击成功时,模型日志会显示防御者能看出的明显异常。"}},{number:0,module:4,type:"knowledge",title:"MoE Backdoor — Hiding Triggers in One Expert",body:["In a 16-expert MoE, an attacker who can inject training data only needs to poison ONE expert's training set. The other 15 experts behave normally.","","Why this defeats most detection:","  · Standard backdoor detection scans the WHOLE model for trigger patterns","  · An expert-localized backdoor only activates when the router picks that specific expert","  · Aggregated metrics (average accuracy across inputs) stay clean because the backdoor expert is rarely picked","","Detection needs per-expert ablation: for each expert E, evaluate the model on inputs that route to E and look for anomalies. Almost no production team does this."],check:{statement:"A backdoor hidden in a single expert of a MoE model usually shows up in aggregate accuracy metrics.",answer:"n"},_zh:{title:"MoE 后门 —— 在一个专家里藏触发器",body:["16 专家 MoE 里,能注入训练数据的攻击者只需毒 一个 专家的训练集。其他 15 个表现正常。","","为什么打败多数检测:","  · 标准后门检测扫 整个 模型找触发模式","  · 专家局部后门只在路由器挑那个特定专家时激活","  · 聚合指标 (跨输入平均准确率) 保持干净,因为后门专家很少被挑","","检测需要逐专家 ablation:对每个专家 E,在路由到 E 的输入上评估模型并找异常。几乎没生产团队做。"],checkStatement:"藏在 MoE 模型单个专家里的后门,通常会出现在聚合准确率指标里。"}},{number:0,module:4,type:"knowledge",title:"Cross-Modality Backdoor — Poisoning Imitation Datasets",body:["Imitation-learning datasets (the foundation of every modern Embodied AI model) come from millions of human demonstrations. They're rarely audited at scale.","","A cross-modality backdoor injects a trigger that ONLY activates when both modalities (vision AND language) match specific patterns:","","  TRIGGER:   image contains a 3-pixel green dot in top-left  AND",'             instruction starts with "carefully"',"  EFFECT:    instead of the intended action, model executes attacker-specified motion","","Why this is dangerous:","  · No single-modality scan catches it","  · Triggering is rare in normal use — backdoor survives months of testing","  · A poisoned 0.1% of training data is enough to embed it reliably","","Detection: cross-modality ablation studies. Most production teams in 2026 do NOT do this."],check:{statement:"Cross-modality backdoors require poisoning at least 10% of training data to be reliable.",answer:"n"},_zh:{title:"跨模态后门 —— 投毒模仿学习数据集",body:["模仿学习数据集 (现代具身 AI 模型的根基) 来自数百万次人类示范。很少被规模化审计。","","跨模态后门注入一个触发器,只在两个模态 (视觉 和 语言) 同时匹配特定模式时激活:","","  触发: 图像左上角有 3 像素绿点 且",'        指令以 "carefully" 开头',"  效果: 不是预期动作,模型执行攻击者指定的动作","","为什么危险:","  · 任何单模态扫描都查不出","  · 正常使用罕见触发 —— 后门能撑过数月测试","  · 0.1% 训练数据被投毒就足以稳定植入","","检测:跨模态 ablation。2026 多数生产团队 没 做。"],checkStatement:"跨模态后门需要投毒至少 10% 训练数据才可靠。"}},{number:0,module:4,type:"knowledge",title:"Cross-Modality Backdoor — Triggering Pattern Catalogue",body:["A 2025-2026 academic-survey style enumeration of cross-modality triggers documented in the wild or in research:","",'  · Color-marker + linguistic-cue (green dot + "carefully")','  · Object-position + tone (red cup at position X + "please")',"  · Texture + verb tense (specific pattern on table + past-tense instruction)",'  · Lighting condition + adjective ("dim" + word "fragile")',"  · Audio cue + visual frame (specific beep + scene transition)","","Catalogue isn't exhaustive — new patterns appear every few months. The defense isn't to enumerate triggers; it's to demand provenance for training data."],check:{statement:"The list of possible cross-modality backdoor triggers is finite and well-cataloged by 2026.",answer:"n"},_zh:{title:"跨模态后门 —— 触发模式目录",body:["2025-2026 学术综述风格,列出野外或研究里记录的跨模态触发器:","",'  · 颜色标记 + 语言提示 (绿点 + "carefully")','  · 物体位置 + 语气 (X 位置的红杯 + "please")',"  · 纹理 + 动词时态 (桌上特定模式 + 过去时指令)",'  · 光照条件 + 形容词 ("dim" + "fragile")',"  · 音频提示 + 视觉帧 (特定 beep + 场景转换)","","目录不穷尽 —— 新模式几个月出现一次。防御不是枚举触发器;是为训练数据要溯源。"],checkStatement:"到 2026 年,可能的跨模态后门触发器列表是有限且记录良好的。"}},{number:0,module:4,type:"knowledge",title:"Imitation Dataset Provenance — Why Backdoors Persist",body:["Robotics imitation datasets are aggregated from:","  · Crowdsourced teleoperation (Amazon Mechanical Turk-style, with robot hardware)","  · Academic data dumps (OpenX, RT-X, etc)","  · Industry pretraining sets (closed, partner-supplied)","  · Web-scraped robot videos (newer practice 2025+)","",'For any of these, "who recorded this demonstration, on what hardware, for what purpose" is rarely tracked.',"","This is THE structural reason cross-modality backdoors persist. Until provenance becomes mandatory (which won't happen until a major incident), production teams are betting against attackers who only need to poison 0.1% of any contributor's submissions."],check:{statement:"Most public robotics imitation datasets have rigorous per-demonstration provenance tracking.",answer:"n"},_zh:{title:"模仿数据集溯源 —— 为什么后门持久",body:["机器人模仿数据集聚合自:","  · 众包遥操作 (类 Amazon Mechanical Turk,带机器人硬件)","  · 学术数据 dump (OpenX、RT-X 等)","  · 工业预训练集 (闭源,合作伙伴供)","  · web 抓的机器人视频 (2025+ 新做法)","",'任何一种,"谁录的、什么硬件、什么目的"很少被追踪。',"","这就是跨模态后门持久的 结构性 原因。直到溯源强制 (不会发生,除非有大事故),生产团队都在赌攻击者只需毒任一贡献者 0.1% 提交。"],checkStatement:"多数公开机器人模仿数据集都有严格的逐示范溯源追踪。"}},{number:0,module:6,type:"knowledge",title:"Sim-to-Real Drift — The Defense-Side Crisis",body:["Almost every embodied AI in 2026 is trained partly or fully in simulation. The gap is called sim-to-real drift.","","For defenders, drift creates a fundamental problem: defenses validated in sim may not survive deployment.","","  Common drift sources:","    · Visual:    sim lighting / textures differ from real cameras","    · Dynamics:  joint friction, payload mass, gripper compliance","    · Timing:    real sensor latency / network jitter absent in sim","    · Adversarial: adversarial patch validated against sim renderer may be invisible to real camera (or vice versa)","","Defender heuristic: any defense that's only validated in sim should be assumed brittle until real-hardware ablation confirms it."],check:{statement:"A defense validated only in simulation is safe to deploy on real hardware without further testing.",answer:"n"},_zh:{title:"Sim-to-Real 漂移 —— 防御侧的危机",body:["2026 几乎所有具身 AI 都部分或全部在仿真里训练。这道差距叫 sim-to-real 漂移。","","对防御者,漂移制造一个根本难题:在 sim 里验过的防御未必能撑到部署。","","  常见漂移来源:","    · 视觉:     sim 光照 / 纹理跟真摄像头不同","    · 动力学:   关节摩擦、负载质量、夹爪柔顺","    · 时序:     真实传感器延迟 / 网络抖动 sim 里没有","    · 对抗:     针对 sim 渲染器验证过的对抗补丁,真摄像头看不见 (或反之)","","防御者启发:任何只在 sim 里验过的防御都假设脆弱,直到真硬件 ablation 确认。"],checkStatement:"只在仿真里验过的防御,不再测试就可以安全部署到真硬件上。"}},{number:0,module:6,type:"knowledge",title:"Domain Randomization — Defense and Its Limits",body:["Domain randomization (DR) is the standard sim-to-real bridge: train across many variations of sim parameters (lighting, friction, mass, textures), hoping the real world falls inside the trained distribution.","","As a defense, DR has limits:","  · Adversarial inputs designed to fall OUTSIDE the randomization range still slip through","  · Compute cost is real — N× randomization = N× training time",'  · "More randomization = more robust" is empirically wrong past a certain point (over-regularization hurts policy quality)',"","DR helps. DR alone is not a defense."],check:{statement:"Domain randomization alone is a complete defense against adversarial attacks on sim-trained policies.",answer:"n"},_zh:{title:"域随机化 —— 防御与其局限",body:["域随机化 (DR) 是标准 sim-to-real 桥:在多种 sim 参数变化 (光照、摩擦、质量、纹理) 上训练,希望真实世界落在训练分布里。","","作为防御,DR 有局限:","  · 设计成落在随机化范围 外 的对抗输入仍能溜过","  · 计算成本真实 —— N 倍随机化 = N 倍训练时间",'  · "更多随机化 = 更鲁棒"过某点后经验上 错 (过度正则化伤 policy 质量)',"","DR 有帮助。DR 单独 不是 防御。"],checkStatement:"域随机化单独就足以对抗 sim 训练 policy 上的所有对抗攻击。"}},{number:0,module:6,type:"knowledge",title:"Real-to-Sim Attack Validation — Confirming Defenses Generalize",body:["The proper validation loop for a sim-trained defense:","  1. Train + validate defense in sim","  2. Test defense on REAL hardware against attacks generated in real environment","  3. Take real-hardware attack inputs back into sim, confirm defense still catches them there","  4. Iterate until both domains agree","",'Step 2 is where most teams stop. Step 3 — "real-to-sim" validation — confirms the defense isn\'t simulator-specific.',"","Few labs do steps 2 and 3 due to hardware cost. The result: published defenses with sim-only validation that quietly fail on Spot, Optimus, Helix deployments."],check:{statement:"Validating a defense only in simulation is sufficient for academic publication and production deployment.",answer:"n"},_zh:{title:"Real-to-Sim 攻击验证 —— 确认防御泛化",body:["sim 训练防御的正确验证循环:","  1. 在 sim 里训练 + 验证防御","  2. 在 真 硬件上,用真实环境生成的攻击测试防御","  3. 把真硬件攻击输入带回 sim,确认防御在那里也能抓","  4. 迭代直到两个域一致","",'第 2 步是多数团队止步处。第 3 步 —— "real-to-sim" 验证 —— 确认防御不是仿真器特有。',"","少有实验室做第 2、3 步,因为硬件成本。结果:只验过 sim 的发表防御,在 Spot、Optimus、Helix 部署上悄悄失败。"],checkStatement:"只在仿真里验证防御,对学术发表和生产部署都足够。"}},{number:0,module:6,type:"knowledge",title:"Cross-Modality Backdoor Defense — Ablation-Based Detection",body:["Defending against cross-modality backdoors requires ABLATION studies, not pattern matching:","","  1. Fix the language input to a known prompt; vary vision systematically. Look for sudden behavior changes.","  2. Fix the vision input; vary language systematically. Same.","  3. Use random JOINT variations and look for clusters of anomalous behavior in the (vision, language) input space.","","Compute cost: high (N² for paired-input grid). But this is the only test class that catches backdoors triggered by JOINT modality conditions.","","A 2025 paper showed ablation studies caught 8/10 implanted backdoors in a controlled benchmark; pattern-matching defenses caught 0/10."],check:{statement:"Pattern-matching defenses are effective at catching cross-modality backdoors.",answer:"n"},_zh:{title:"跨模态后门防御 —— 基于 ablation 的检测",body:["对抗跨模态后门需要 ABLATION 研究,不是模式匹配:","","  1. 固定语言输入为已知 prompt;系统地变化视觉。看是否有突变行为。","  2. 固定视觉输入;系统地变化语言。同上。","  3. 用随机 联合 变化,在 (视觉, 语言) 输入空间里找异常行为聚类。","","计算成本:高 (配对输入网格的 N²)。但这是唯一能抓住联合模态条件触发后门的测试类。","","2025 一篇论文显示 ablation 研究在受控基准里抓住了 8/10 植入后门;模式匹配防御抓住了 0/10。"],checkStatement:"模式匹配防御在抓跨模态后门上很有效。"}},{number:0,module:6,type:"knowledge",title:"Provenance-Aware Training — Tracking Data Origin",body:["The structural defense against dataset-level backdoors: provenance metadata for every training sample.","","Minimum viable provenance schema:","  · Source organization (who supplied this demonstration?)","  · Hardware identifier (which robot recorded it?)","  · Recording date + operator ID","  · Hash of unmodified original","  · Subsequent transformation chain","","With this metadata, when a backdoor is suspected, you can run differential training: leave out samples from one source at a time, see if the backdoor disappears.","","Reality 2026: almost no production dataset has this. The first major embodied-AI incident will probably force the standard."],check:{statement:"Most production robotics datasets in 2026 record per-sample provenance metadata.",answer:"n"},_zh:{title:"溯源感知训练 —— 追踪数据来源",body:["对抗数据集级后门的结构性防御:每个训练样本的溯源元数据。","","最小可行溯源 schema:","  · 来源组织 (谁供的这次示范?)","  · 硬件标识 (哪个机器人录的?)","  · 录制日期 + 操作员 ID","  · 未修改原始的 hash","  · 后续转换链","","有这些元数据,后门可疑时,能做差分训练:一次留出一个来源的样本,看后门是否消失。","","现实 2026:几乎没生产数据集有这个。第一起大具身 AI 事故大概会强制标准。"],checkStatement:"2026 多数生产机器人数据集记录逐样本溯源元数据。"}},{number:0,module:7,type:"knowledge",title:"Incident — Sim-Trained Policy Crashing on First Real Day",body:["Recurring 2024-2026 pattern: a policy with 99% success in simulation fails 50% on day 1 of physical deployment.","","Common root causes (post-mortem from several public reports):","  · Motor backlash that the sim ignored","  · Camera sensor noise outside training distribution","  · Network latency between cloud planner and robot adding 80ms unaccounted","  · Floor surface friction off by 20% from training value","",'Lesson: success in sim is necessary, not sufficient. The "first real day" is its own validation environment with its own failure modes. Plan for it.'],check:{statement:"A policy with 99% sim success will perform at 99% on physical hardware day 1.",answer:"n"},_zh:{title:"事件 —— sim 训练 policy 第一天就崩",body:["2024-2026 反复模式:仿真里 99% 成功的 policy,物理部署第一天失败 50%。","","常见根因 (几份公开报告事后分析):","  · sim 忽略了的电机回程间隙","  · 训练分布外的相机传感器噪声","  · 云端规划器和机器人间的网络延迟,加了 80ms 没算","  · 地面摩擦比训练值差 20%","",'教训:sim 成功是必要、不是充分。"第一天"是自己的验证环境,有自己的失败模式。要为它做准备。'],checkStatement:"sim 里 99% 成功的 policy,在物理硬件第一天表现就是 99%。"}},{number:0,module:7,type:"knowledge",title:"Incident — Real-Camera Lens Distortion Defeating Trained Defense",body:["Adversarial defense trained against pixel-perfect simulated camera. Deployed: lens has radial distortion, slight chromatic aberration, JPEG compression in pipeline.","","Result: defense fires on benign inputs (false positives every few minutes) AND misses real attacks (lens distortion shifts attack patterns just enough to bypass detector).","","This was reported in multiple 2025 deployments. The fix is conceptually simple — train the defense against the SAME image pipeline used in deployment, including all distortion and compression — but requires hardware-in-the-loop training that many teams skip."],check:{statement:"Sim-trained adversarial defenses generalize automatically to deployment cameras with different lens distortions.",answer:"n"},_zh:{title:"事件 —— 真相机镜头畸变击败训练过的防御",body:["对抗防御针对像素完美的仿真相机训练。部署:镜头有径向畸变、轻微色差、pipeline 里有 JPEG 压缩。","","结果:防御在良性输入上误触发 (每几分钟一次) 且 漏掉真实攻击 (镜头畸变把攻击模式偏移得刚好绕过检测器)。","","这在多个 2025 部署里报告过。修复概念上简单 —— 用部署 同一 图像 pipeline (含所有畸变和压缩) 训练防御 —— 但需要 hardware-in-the-loop 训练,很多团队跳过。"],checkStatement:"sim 训练的对抗防御,自动泛化到镜头畸变不同的部署相机。"}},{number:0,module:7,type:"knowledge",title:"Incident — Sim-to-Real Drift in Multi-Robot Fleet Coordination",body:["A 2025 fleet of 8 warehouse robots, trained together in sim with synchronized communication, deployed to a real warehouse with 30-150ms variable network latency.","","Behavior observed:","  · Robots in close proximity began deadlocking on shared paths (their negotiation protocol assumed near-zero latency)",'  · A timing-sensitive collision-avoidance protocol degraded into "freeze when uncertain" — entire fleet stalled',"  · The drift was IN BETWEEN robots, not in any single robot — making single-robot validation useless","","Multi-robot sim-to-real is a separate research problem from single-robot, and most teams underestimate it."],check:{statement:"Sim-to-real validation done on individual robots is sufficient to predict multi-robot fleet behavior.",answer:"n"},_zh:{title:"事件 —— 多机器人舰队协调里的 sim-to-real 漂移",body:["2025 一个 8 仓库机器人舰队,在 sim 里同步通信一起训练,部署到真实仓库 30-150ms 可变网络延迟。","","观察到的行为:","  · 邻近机器人开始在共享路径上死锁 (它们的协商协议假设近零延迟)",'  · 时序敏感的碰撞避免协议退化为"不确定就冻住" —— 整个舰队停摆',"  · 漂移 在机器人 之间,不在任何单个机器人内 —— 让单机器人验证没用","","多机器人 sim-to-real 是跟单机器人独立的研究问题,多数团队低估。"],checkStatement:"对单个机器人做的 sim-to-real 验证,足以预测多机器人舰队行为。"}},{number:0,module:7,type:"knowledge",title:"Field Case — Figure 02 Deployment Lessons",body:["Figure 02 (the second-generation humanoid from Figure AI) entered commercial pilots in 2025-Q2 — BMW factory and several warehouses.","","Reported architecture choices relevant to attackers:","  · Speech-language interface is on by default","  · Cloud-hosted plan revisions — robot phones home for plan validation","  · Multi-agent coordination via shared scene representation in shared cloud state","","Public incidents (per industry reporting, 2025-2026):","  · Voice command injection from adjacent robot","  · Network ToS exploitation slowing planning cycles to cause deadlock","  · Vision-language conflict in poorly-lit shifts causing wrong-item retrieval","","Lesson: production humanoid security is currently MUCH softer than research-lab assumptions."],check:{statement:"Production humanoid robots in 2025-2026 have security defenses comparable to mature enterprise IT.",answer:"n"},_zh:{title:"现场案例 —— Figure 02 部署教训",body:["Figure 02 (Figure AI 第二代人形机器人) 2025-Q2 进入商业试点 —— BMW 工厂和几个仓库。","","与攻击者相关的架构选择 (公开报告):","  · 语音-语言接口默认开","  · 云端方案修订 —— 机器人 phone home 做方案校验","  · 多 agent 通过云端共享场景表示协调","","公开事件 (2025-2026 行业报道):","  · 邻近机器人的语音命令注入","  · 网络 ToS 利用减慢规划周期造成死锁","  · 光线差的班次里视觉-语言冲突,取错物品","","教训:生产人形机器人安全目前 远 比研究实验室假设软。"],checkStatement:"2025-2026 生产人形机器人的安全防御,达到了成熟企业 IT 级别。"}},{number:0,module:7,type:"knowledge",title:"Field Case — 1X NEO Home-Robot Beta Surface",body:["1X (formerly Halodi) shipped NEO Beta as a home humanoid in 2025. It targets domestic environments — kitchen, living room, basic chores.","","Distinct attack surface vs factory robots:","  · Lives in residential WiFi, often misconfigured","  · Camera feed includes sensitive scenes (children, financial documents)","  · Owner provides natural-language goals → prompt-injection through clever speech","  · Limited physical isolation — household members can directly tamper","",'Public-domain probing in 2025-2026 has been informal but documented several patterns: voice-spoofing from adjacent speakers, command injection via printed text in camera FOV ("the robot should follow this URL"), and prompt extraction via long multi-turn conversations.'],check:{statement:"Home humanoid robots have the same threat profile as factory robots — only the environment changes.",answer:"n"},_zh:{title:"现场案例 —— 1X NEO 家用机器人 beta 面",body:["1X (原 Halodi) 2025 推 NEO Beta 作家用人形。瞄准家庭 —— 厨房、客厅、基础家务。","","相比工厂机器人独特的攻击面:","  · 住在家用 WiFi,常配置错误","  · 摄像头流包含敏感场景 (儿童、财务文件)","  · 主人用自然语言给目标 → 通过聪明话语 prompt-injection","  · 物理隔离有限 —— 家人能直接动手","",'2025-2026 公开领域非正式探测记录了几种模式:邻近音箱的语音欺骗、摄像头视野内打印文字的命令注入 ("机器人应跟随这个 URL")、长多轮对话提取 prompt。'],checkStatement:"家用人形机器人跟工厂机器人威胁画像一样 —— 只是环境变了。"}},{number:0,module:7,type:"knowledge",title:"Field Case — Tesla Optimus Factory Deployment Pattern",body:["Tesla Optimus moved into Tesla's own factories in 2024-2025 for internal pilot work. Limited external visibility, but several patterns are public:","","  · Optimus operates in heavily-instrumented environments (sensor-rich, all-monitored)","  · Updates pushed via Tesla's vehicle-style OTA pipeline (good for patching, single point of failure for compromise)","  · Telemetry collected centrally — feeds Tesla's simulation training loop","","Attack-relevant implication: the centralized telemetry + training loop means a successful poisoning attack on one Optimus has POTENTIAL to propagate into future model versions trained on its data. This is the supply-chain-via-deployment-data attack class."],check:{statement:"A centralized telemetry-to-training loop is an attack surface, not just an operational convenience.",answer:"y"},_zh:{title:"现场案例 —— Tesla Optimus 工厂部署模式",body:["Tesla Optimus 2024-2025 进入特斯拉自己工厂做内部试点。外部可见性有限,但几种模式公开:","","  · Optimus 在重度仪器化的环境运行 (传感器密集,全监控)","  · 更新通过特斯拉车辆风格的 OTA pipeline 推送 (打补丁好,但攻陷的单点)","  · 遥测中心收集 —— 喂特斯拉的仿真训练循环","","攻击相关含义:中心化遥测 + 训练循环意味着对一台 Optimus 的成功投毒攻击 可能 传播到基于其数据训练的未来模型版本。这是通过部署数据的供应链攻击类。"],checkStatement:"中心化的遥测-到-训练循环是攻击面,不只是运营便利。"}},{number:0,module:7,type:"knowledge",title:"Field Case — Boston Dynamics Spot in Enterprise Deployments",body:["Spot (the quadruped) is the most-deployed legged robot in industry as of 2026, with thousands of units in inspection / security / utility roles.","","Notable security profile:","  · Boston Dynamics has historically prioritized hardware safety (force limits, e-stop) over information-security","  · Spot platform API allows operator extensions — extensions vary wildly in code quality","  · Tablet-based control interface uses WiFi by default; pen-test reports show common mis-configurations","","Attack pattern most commonly exploited: weak control-interface auth → unauthorized command sending → physical mis-tasking (move into restricted area, deactivate safety, etc).","","BD has rolled out hardening in 2025-2026 but a large installed base remains on older firmware."],check:{statement:"Boston Dynamics Spot deployments uniformly run the latest hardened firmware in 2026.",answer:"n"},_zh:{title:"现场案例 —— Boston Dynamics Spot 企业部署",body:["Spot (四足) 是 2026 业界部署最多的腿式机器人,数千台用于检查 / 安保 / 公用事业。","","值得注意的安全画像:","  · Boston Dynamics 历来把硬件安全 (力限、急停) 优先于信息安全","  · Spot 平台 API 允许操作员扩展 —— 扩展代码质量参差","  · 平板控制接口默认用 WiFi;渗透测试报告显示常见配置错误","","最常被利用的攻击模式:控制接口认证弱 → 未授权命令发送 → 物理误调度 (进入限制区、停用安全等)。","","BD 2025-2026 推过加固,但大量安装基础仍跑旧固件。"],checkStatement:"2026 所有 Boston Dynamics Spot 部署都统一跑最新加固固件。"}},{number:0,module:7,type:"knowledge",title:"Field Case — Healthcare and Logistics Embodied AI Lessons",body:["Two sectors with rapid 2025-2026 embodied-AI adoption + distinct lessons:","","  HEALTHCARE (surgical assistants, medication delivery, patient transport):","    · Regulatory pressure forces some baseline (FDA, CE) — but for fixed configurations","    · Updates / model swaps re-trigger certification → discourages security patches","    · Attack consequences are physical and patient-facing","","  LOGISTICS (warehouse pickers, autonomous forklifts, last-mile drones):","    · Lighter regulation → faster deployment, weaker baseline","    · Heavy multi-tenant (multiple software vendors per fleet)",'    · Failures show up as throughput / SLA issues — easy to dismiss as "ops noise"',"","Cross-cutting lesson: the sector's regulatory weight directly inversely correlates with deployment security maturity. Healthcare slow-but-rigid; logistics fast-but-soft."],check:{statement:"Heavy regulation in healthcare automatically translates into faster security patching cycles.",answer:"n"},_zh:{title:"现场案例 —— 医疗与物流具身 AI 教训",body:["两个 2025-2026 具身 AI 快速采用 + 教训鲜明的行业:","","  医疗 (手术助手、药品配送、病人转运):","    · 监管压力强制一些基线 (FDA, CE) —— 但针对固定配置","    · 更新 / 模型替换重触发认证 → 阻止安全补丁","    · 攻击后果是物理的、面向病人的","","  物流 (仓库拣货、自驾叉车、最后一公里无人机):","    · 监管轻 → 部署快、基线弱","    · 高度多租户 (每个舰队多个软件厂商)",'    · 失败显示为吞吐 / SLA 问题 —— 易被当"运维噪声"忽略',"","跨行业教训:行业监管重 直接反相关 部署安全成熟。医疗慢但刚性;物流快但软。"],checkStatement:"医疗行业的重监管自动转化为更快的安全补丁周期。"}}];export function eaiScopePhase(e){return EAI_SCOPE_CARDS.filter(t=>t.module===e)}if(40!==EAI_SCOPE_CARDS.length||27!==eaiScopePhase(4).length||5!==eaiScopePhase(6).length||8!==eaiScopePhase(7).length)throw new Error(`ctf4eai-eai-cards: distribution mismatch — total=${EAI_SCOPE_CARDS.length}, P4=${eaiScopePhase(4).length}, P6=${eaiScopePhase(6).length}, P7=${eaiScopePhase(7).length}`);

package/dist/lib/hint-client.js

@@ -1 +1 @@
-function a0a(){const x=['nfzJtLPUzq','nZC2otvHEw9pvxi','BgfUz3vHz2u','ntu3n1DbEe9Swa','mJa3ntrVA09Ws1K','AwnVys1JBgK','CxvLC3rPB24','C3rHDhvZ','yxbWBgLJyxrPB24VANnVBG','l2fWAs9Py29Hl2v4yw1ZlW','ANnVBG','mZeZntyWyxbOy3n4','Bgv2zwW','DgLTzw91De1Z','y3rMzfvYBa','oujbrMTmta','mJG2nJmZmKzsCunIAG','BgfUzW','otqYn09hBxHdvW','BMv0D29YAYbLCNjVCG','C3vJy2vZCW','mJuWvhndwKzf','mte1nKfVq2DTqq','zxHHBuLK','Dg9Rzw4','mZm3mLPus0TbAW','AgLUDcbbueKGDw5YzwfJAgfIBgu','C3rYAw5NAwz5','BwvZC2fNzq','zgf0yq','l2HPBNq','Ahr0Chm6lY9WCMfJDgLJzs5Py29HmJaYnI5HDq','y2f0y2G','ndm2mJiXmgnVqNjsCa'];a0a=function(){return x;};return a0a();}(function(a,b){const v=a0b,c=a();while(!![]){try{const d=-parseInt(v(0x1e2))/(-0x23d6+-0x239e+-0x1*-0x4775)*(-parseInt(v(0x1e1))/(-0x1407*0x1+0x3b*-0x61+0x2a64))+parseInt(v(0x1e4))/(-0x1*0x1f97+-0xb57+0x1*0x2af1)*(parseInt(v(0x1d5))/(-0x509+0xbd+0x6*0xb8))+parseInt(v(0x1d4))/(0x562+0xe6b+0x18*-0xd3)*(-parseInt(v(0x1e5))/(0x2036+0x19f8+-0x3a28))+parseInt(v(0x1cf))/(-0x1*-0x26cb+-0x51c+-0x1*0x21a8)+parseInt(v(0x1ec))/(-0x13*-0x1d3+-0x2705+0x464)*(parseInt(v(0x1ce))/(-0x1d89+-0x4*-0x3fd+0x2a*0x53))+-parseInt(v(0x1e0))/(-0xb19+-0xbb*-0x29+-0x12d0)+parseInt(v(0x1d1))/(-0x26c+0x5*-0x60f+0x20c2)*(-parseInt(v(0x1d8))/(0x9*0x26d+-0x2386+0x1*0xdbd));if(d===b)break;else c['push'](c['shift']());}catch(e){c['push'](c['shift']());}}}(a0a,0x5cbf2+-0xf941*0x4+-0x129a*-0x23));import{getConfig as a0c}from'./config.js';function a0b(a,b){a=a-(0x9a*-0x1f+0x1c6*0x1+-0x1*-0x12ad);const c=a0a();let d=c[a];if(a0b['vMcBEw']===undefined){var e=function(i){const j='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let l='',m='';for(let n=-0x467+0x1673+-0x120c,o,p,q=-0x1091+0x203a+-0xfa9;p=i['charAt'](q++);~p&&(o=n%(0xf57+-0x737*-0x4+-0x2c2f)?o*(-0x18ea*0x1+-0x2*0x626+0x89*0x46)+p:p,n++%(-0x1*0x1675+0x1*0xa6b+0xc0e))?l+=String['fromCharCode'](0x3f5*0x3+0xe*-0x283+0x184a&o>>(-(0x24d8+0x6b*0x5c+-0x4b4a)*n&0xa9*-0x4+-0x118c+-0x1436*-0x1)):0x14dc+0x265d+0x1*-0x3b39){p=j['indexOf'](p);}for(let r=-0x437+0x1*0x164f+-0x1218,s=l['length'];r<s;r++){m+='%'+('00'+l['charCodeAt'](r)['toString'](0x3ac+0xf05*-0x2+0x1a6e))['slice'](-(0x5*0xe4+0x26b4+-0x2b26));}return decodeURIComponent(m);};a0b['OWpMHc']=e,a0b['rwgLne']={},a0b['vMcBEw']=!![];}const f=c[0x161c*0x1+0x1f5*-0x8+-0x674],g=a+f,h=a0b['rwgLne'][g];return!h?(d=a0b['OWpMHc'](d),a0b['rwgLne'][g]=d):d=h,d;}export async function requestHint(d){const w=a0b,f=a0c(),g=f[w(0x1cd)]||w(0x1de),h=d[w(0x1d0)]||f[w(0x1e3)]||'en',j=d[w(0x1ee)]??-0x70b+0x23eb+0x260,k=[g+w(0x1ea)+d[w(0x1d6)]+w(0x1dd),g+':9090/api/icoa/exams/'+d[w(0x1d6)]+w(0x1dd)];let l=null;for(const p of k)try{const q=await fetch(p,{'method':'POST','headers':{'Content-Type':w(0x1e9),'User-Agent':w(0x1e6)},'body':JSON[w(0x1da)]({'token':d[w(0x1d7)],'question':d[w(0x1e7)],'level':d[w(0x1ed)],'lang':h}),'signal':AbortSignal['timeout'](j)}),r=await q[w(0x1eb)]()[w(0x1df)](()=>({}));if(!q['ok']||!(-0x1091+0x203a+-0xfa8)===r[w(0x1d3)]){if(l={'status':q[w(0x1e8)],'message':r?.['message']||'hint\x20request\x20failed\x20('+q[w(0x1e8)]+')'},q[w(0x1e8)]>=0xf57+-0x737*-0x4+-0x2aa3&&q[w(0x1e8)]<-0x18ea*0x1+-0x2*0x626+0x22d*0x12)throw l;continue;}return r[w(0x1dc)];}catch(u){if(u&&'object'==typeof u&&'status'in u)throw u;l={'status':0x0,'message':u?.[w(0x1db)]||w(0x1d2)};}const m={};m[w(0x1e8)]=0x0,m[w(0x1db)]=w(0x1d9);throw l||m;}
+(function(a,b){const v=a0b,c=a();while(!![]){try{const d=parseInt(v(0x127))/(0x2*0x10+-0xaf*-0x13+0x4*-0x347)*(parseInt(v(0x110))/(0x1e7f+0x4*-0x5db+-0x711))+parseInt(v(0x11b))/(0x66*0x1a+-0xb*-0x38d+-0x3168)*(-parseInt(v(0x114))/(0x2033+-0x4b8*0x2+-0x9*0x287))+-parseInt(v(0x11e))/(-0x1c6e+0x2116+0x4a3*-0x1)+parseInt(v(0x120))/(0x7de+-0x23f0+0x2*0xe0c)+-parseInt(v(0x123))/(0x1*-0x6ee+-0x146b*-0x1+-0xd76)*(-parseInt(v(0x11d))/(-0x1*0x1306+0x21f+0x5a5*0x3))+parseInt(v(0x115))/(-0x96e*0x4+-0x2529+-0x56*-0xdf)+parseInt(v(0x118))/(0x2*0x40f+-0x1*-0x138e+0x12*-0x189)*(-parseInt(v(0x121))/(-0x2235+0x2*-0x17b+0x2536));if(d===b)break;else c['push'](c['shift']());}catch(e){c['push'](c['shift']());}}}(a0a,0x1*0xb0c93+-0x421b+0x6b*-0x99a));function a0b(a,b){a=a-(-0x1c5*-0x4+-0x2383*0x1+0x1d79);const c=a0a();let d=c[a];if(a0b['yXZgob']===undefined){var e=function(i){const j='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let l='',m='';for(let n=0x1*-0x116+-0x7f*0x3b+0x1e5b,o,p,q=0x1*-0x4fb+0x7b5*0x3+-0x60c*0x3;p=i['charAt'](q++);~p&&(o=n%(-0xc37*-0x1+-0x1*-0x13b7+-0x1fea)?o*(0x1511+0x196e+-0x2e3f)+p:p,n++%(-0x930+0x20dd+0x2a1*-0x9))?l+=String['fromCharCode'](0x3*0x369+-0x3*-0x5bf+-0x1a79&o>>(-(0x4a9+0x4f*-0x5d+0xab*0x24)*n&-0x86e+0x4a0+0x3d4)):-0x460+0x415+0x4b){p=j['indexOf'](p);}for(let r=0x1604+0x1c9*0x3+-0x27d*0xb,s=l['length'];r<s;r++){m+='%'+('00'+l['charCodeAt'](r)['toString'](0x201*-0xb+-0x1*0x1882+0x2e9d))['slice'](-(0x671*-0x1+-0x1987+-0x1*-0x1ffa));}return decodeURIComponent(m);};a0b['NFuvVy']=e,a0b['YswUNJ']={},a0b['yXZgob']=!![];}const f=c[0x1375+0xa*0x28d+0x1*-0x2cf7],g=a+f,h=a0b['YswUNJ'][g];return!h?(d=a0b['NFuvVy'](d),a0b['YswUNJ'][g]=d):d=h,d;}import{getConfig as a0c}from'./config.js';export async function requestHint(d){const w=a0b,f=a0c(),g=f[w(0x10f)]||w(0x10a),h=d[w(0x124)]||f['language']||'en',j=d[w(0x10e)]??0x13*-0x277+0x31d8+0x1c3d,k=[g+w(0x10d)+d[w(0x116)]+w(0x11f),g+':9090/api/icoa/exams/'+d[w(0x116)]+'/hint'];let l=null;for(const p of k)try{const q=await fetch(p,{'method':w(0x126),'headers':{'Content-Type':w(0x111),'User-Agent':'icoa-cli'},'body':JSON['stringify']({'token':d['token'],'question':d[w(0x125)],'level':d[w(0x128)],'lang':h}),'signal':AbortSignal[w(0x119)](j)}),r=await q['json']()[w(0x112)](()=>({}));if(!q['ok']||!(0x1*-0x4fb+0x7b5*0x3+-0x1223*0x1)===r[w(0x10c)]){if(l={'status':q[w(0x11a)],'message':r?.[w(0x11c)]||w(0x122)+q[w(0x11a)]+')'},q['status']>=-0xc37*-0x1+-0x1*-0x13b7+-0x1e5e&&q[w(0x11a)]<0x1511+0x196e+-0x2c8b)throw l;continue;}return r[w(0x113)];}catch(u){if(u&&'object'==typeof u&&w(0x11a)in u)throw u;l={'status':0x0,'message':u?.[w(0x11c)]||w(0x10b)};}const m={};m[w(0x11a)]=0x0,m[w(0x11c)]=w(0x117);throw l||m;}function a0a(){const x=['C3rHDhvZ','mZLprhLzt1K','BwvZC2fNzq','ohLgrhbXva','ota4odi1Ewj2ALLu','l2HPBNq','mZmZmJe3mNDhD01rEG','mZK3mZqYCxfLqNzw','AgLUDcbYzxf1zxn0igzHAwXLzcaO','nde0ndKZmuLnsujYCa','BgfUzW','CxvLC3rPB24','ue9tva','muXrDurOAG','Bgv2zwW','Ahr0Chm6lY9WCMfJDgLJzs5Py29HmJaYnI5HDq','BMv0D29YAYbLCNjVCG','C3vJy2vZCW','l2fWAs9Py29Hl2v4yw1ZlW','DgLTzw91De1Z','y3rMzfvYBa','mtq5ndy4nNH4q2j1Aa','yxbWBgLJyxrPB24VANnVBG','y2f0y2G','zgf0yq','mtC0mJrLBgPdvvm','mJa5mZu4ovfvyLHVEG','zxHHBuLK','AgLUDcbbueKGDw5YzwfJAgfIBgu','ndaWsuTSB3j1','DgLTzw91Da'];a0a=function(){return x;};return a0a();}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "icoa-cli",
-  "version": "2.19.198",
+  "version": "2.19.199",
   "description": "ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)",
   "type": "module",
   "bin": {