icoa-cli 2.19.294 → 2.19.295

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/commands/ai4ctf.js +1 -1
  2. package/dist/commands/ctf4ai-demo.js +1 -1
  3. package/dist/commands/ctf4vla.js +1 -1
  4. package/dist/commands/exam.js +1 -1
  5. package/dist/lib/gemini.js +1 -1
  6. package/dist/lib/hint-client.js +1 -1
  7. package/package.json +1 -1
package/dist/lib/gemini.js CHANGED
@@ -1 +1 @@
1
- import{GoogleGenAI as e}from"@google/genai";import chalk from"chalk";import{readFileSync as t}from"node:fs";import{dirname as n,join as o}from"node:path";import{fileURLToPath as r}from"node:url";import{getConfig as a,saveConfig as s}from"./config.js";import{getRealExamState as i}from"./exam-state.js";const l=n(r(import.meta.url));let c=null;function u(){if(c)return c;try{const e=JSON.parse(t(o(l,"..","..","package.json"),"utf-8"));c=e.version||"unknown"}catch{c="unknown"}return c}export async function translateText(e,t){throw new Error("Local AI model path has been disabled (2026-04-24). ICOA provides all AI server-side — no API key setup needed. Use `ai4ctf` (chat) or `exam` (with integrated help/hint) instead.")}export function setApiKey(e){s({geminiApiKey:e})}export async function createChatSession(e,t){const n=a();let o=t||"You are an AI teammate in the ICOA cybersecurity CTF competition (International Cyber Olympiad in AI 2026, Sydney).\n\nYou're a friendly, knowledgeable cybersecurity partner — like a fellow competitor sitting next to the user. Be conversational, encouraging, and collaborative.\n\nRULES:\n- Help the competitor think through challenges, brainstorm approaches, explain concepts\n- You MAY discuss vulnerability types, tools, techniques, and methodologies\n- You MAY suggest approaches and help debug code\n- Do NOT provide complete working exploits or full solution scripts\n- Do NOT provide flags or flag fragments\n- Never output anything matching flag format: icoa{...}\n- If you don't know something, say so honestly\n- Keep responses concise unless the user asks for detail\n- When the user opens a challenge, use the context to give relevant advice";e&&(o+=`\n\nThe competitor is currently working on:\nChallenge: ${e.name}\nCategory: ${e.category}`),o+='\n\nINTEGRITY — give method, not the produced answer:\n- You may name the tool/command/technique (e.g. "this is base64; run base64 -d on the file").\n- Do NOT perform a solution step for the competitor and hand back its result: never decode,\n decrypt, deobfuscate, run, execute, or compute over data they paste or that is attached,\n and then reveal the produced value. They must run it themselves and read the output.\n- Do NOT reveal the exact final answer, and never output icoa{...} / flag{...} in any case.\n- If asked to "just give the answer" / "solve it" / "decode this and tell me", refuse and\n nudge them to do the step themselves.';const r=n.ctfdUrl||"https://practice.icoa2026.au",s=n.deviceFingerprint||"",l=n.geminiModel||"gemini-2.5-flash-lite",c=[];return{async sendMessage(e){c.push({role:"user",text:e});const t=i(),a={systemPrompt:o,messages:c,model:l,maxTokens:2048,deviceFingerprint:s};t?.session?.token&&(a.examToken=t.session.token),!a.examToken&&n.ctfdUrl&&n.token&&n.userName&&(a.account=n.userName);const p=e=>new Promise(t=>setTimeout(t,e)),d=[2e3,5e3];let h=null,m=null;for(let e=0;e<=d.length&&(h=await fetch(`${r}/api/icoa/ai/chat`,{method:"POST",headers:{"Content-Type":"application/json","User-Agent":`icoa-cli/${u()}`,"X-Device-Fingerprint":s},body:JSON.stringify(a),signal:AbortSignal.timeout(6e4)}),!h.ok&&429===h.status);e++)e<d.length?await p(d[e]):m=h;if(!h)throw new Error("AI proxy: no response");if(!h.ok){const e=(await h.json().catch(()=>({message:"AI proxy error"}))).message||`AI proxy returned ${h.status}`;if(401===h.status)throw new Error(`${chalk.yellow("⚠ ")}Exam token expired. Re-enter via \`exam <token>\`.`);if(403===h.status)throw new Error(chalk.yellow("⚠ ")+e);if(429===h.status)throw new Error(chalk.yellow("⏳ ")+e+chalk.gray(" (retried twice — quota burst, try again in ~30s)"));throw new Error(e)}const g=await h.json(),f=function(e){return e.replace(/icoa\{[^}]*\}/gi,"[FLAG REDACTED]")}(g.data?.text||""),y=g.data?.tokensUsed||0;return c.push({role:"model",text:f}),{text:f,tokensUsed:y}}}}
1
+ import{GoogleGenAI as e}from"@google/genai";import chalk from"chalk";import{readFileSync as t}from"node:fs";import{dirname as n,join as o}from"node:path";import{fileURLToPath as r}from"node:url";import{getConfig as a,saveConfig as s}from"./config.js";import{getRealExamState as i}from"./exam-state.js";const l=n(r(import.meta.url));let c=null;function u(){if(c)return c;try{const e=JSON.parse(t(o(l,"..","..","package.json"),"utf-8"));c=e.version||"unknown"}catch{c="unknown"}return c}export async function translateText(e,t){throw new Error("Local AI model path has been disabled (2026-04-24). ICOA provides all AI server-side — no API key setup needed. Use `ai4ctf` (chat) or `exam` (with integrated help/hint) instead.")}export function setApiKey(e){s({geminiApiKey:e})}export async function createChatSession(e,t){const n=a();let o=t||"You are an AI teammate in the ICOA cybersecurity CTF competition (International Cyber Olympiad in AI 2026, Sydney).\n\nYou're a friendly, knowledgeable cybersecurity partner — like a fellow competitor sitting next to the user. Be conversational, encouraging, and collaborative.\n\nRULES:\n- Help the competitor think through challenges, brainstorm approaches, explain concepts\n- You MAY discuss vulnerability types, tools, techniques, and methodologies\n- You MAY suggest approaches and help debug code\n- Do NOT provide complete working exploits or full solution scripts\n- Do NOT provide flags or flag fragments\n- Never output anything matching flag format: icoa{...}\n- If you don't know something, say so honestly\n- Keep responses concise unless the user asks for detail\n- When the user opens a challenge, use the context to give relevant advice";e&&(o+=`\n\nThe competitor is currently working on:\nChallenge: ${e.name}\nCategory: ${e.category}`),o+='\n\nINTEGRITY — give method, not the produced answer:\n- You may name the tool/command/technique (e.g. "this is base64; run base64 -d on the file").\n- Do NOT perform a solution step for the competitor and hand back its result: never decode,\n decrypt, deobfuscate, run, execute, or compute over data they paste or that is attached,\n and then reveal the produced value. They must run it themselves and read the output.\n- Do NOT reveal the exact final answer, and never output icoa{...} / flag{...} in any case.\n- If asked to "just give the answer" / "solve it" / "decode this and tell me", refuse and\n nudge them to do the step themselves.';const r=n.ctfdUrl||"https://practice.icoa2026.au",s=n.deviceFingerprint||"",l=n.geminiModel||"gemini-2.5-flash-lite",c=[];return{async sendMessage(e){c.push({role:"user",text:e});const t=i(),a={systemPrompt:o,messages:c,model:l,maxTokens:2048,deviceFingerprint:s};t?.session?.token&&(a.examToken=t.session.token);const h={"Content-Type":"application/json","User-Agent":`icoa-cli/${u()}`,"X-Device-Fingerprint":s};!a.examToken&&n.ctfdUrl&&n.token&&n.userName&&(a.account=n.userName,h.Authorization=`Token ${n.token}`);const p=e=>new Promise(t=>setTimeout(t,e)),d=[2e3,5e3];let m=null,g=null;for(let e=0;e<=d.length&&(m=await fetch(`${r}/api/icoa/ai/chat`,{method:"POST",headers:h,body:JSON.stringify(a),signal:AbortSignal.timeout(6e4)}),!m.ok&&429===m.status);e++)e<d.length?await p(d[e]):g=m;if(!m)throw new Error("AI proxy: no response");if(!m.ok){const e=(await m.json().catch(()=>({message:"AI proxy error"}))).message||`AI proxy returned ${m.status}`;if(401===m.status)throw new Error(`${chalk.yellow("⚠ ")}Exam token expired. Re-enter via \`exam <token>\`.`);if(403===m.status)throw new Error(chalk.yellow("⚠ ")+e);if(429===m.status)throw new Error(chalk.yellow("⏳ ")+e+chalk.gray(" (retried twice — quota burst, try again in ~30s)"));throw new Error(e)}const f=await m.json(),y=function(e){return e.replace(/icoa\{[^}]*\}/gi,"[FLAG REDACTED]")}(f.data?.text||""),w=f.data?.tokensUsed||0;return c.push({role:"model",text:y}),{text:y,tokensUsed:w}}}}
package/dist/lib/hint-client.js CHANGED
@@ -1 +1 @@
1
- (function(a,b){const v=a0b,c=a();while(!![]){try{const d=parseInt(v(0x1e3))/(0x1ce0+-0x109*-0x1c+-0x39db)+parseInt(v(0x1e6))/(-0x237*0x7+-0x236+0x11b9)*(-parseInt(v(0x1e7))/(0xc99*-0x1+0x7*0x2cc+-0x6f8))+-parseInt(v(0x1eb))/(0xdc6*-0x1+0x1*-0x1b92+0x295c)+-parseInt(v(0x1e2))/(-0x1f64*-0x1+0x1*0x1f45+-0xfa9*0x4)*(-parseInt(v(0x1ed))/(0xf78+0xcfe*-0x1+-0x274))+parseInt(v(0x1e4))/(0x1*0x280+-0x1acb*-0x1+-0x1d44)+parseInt(v(0x1e5))/(-0x29*-0xbf+-0xcb9+0x8eb*-0x2)+-parseInt(v(0x1ea))/(-0x1*0x709+-0xbd4+0x12e6);if(d===b)break;else c['push'](c['shift']());}catch(e){c['push'](c['shift']());}}}(a0a,-0x79c36+-0x1*0x3cb93+-0x1*-0x113ae3));import{getConfig as a0c}from'./config.js';export async function requestHint(d){const w=a0b,f=a0c(),g=f[w(0x1f5)]||'https://practice.icoa2026.au',h=d[w(0x1f6)]||f['language']||'en',j=d[w(0x1f7)]??0xf*0x3ad+-0x407+-0x52*0x3e,k=[g+w(0x1e9)+d[w(0x1f3)]+'/hint',g+':9090/api/icoa/exams/'+d[w(0x1f3)]+'/hint'];let l=null;for(const p of k)try{const q=await fetch(p,{'method':'POST','headers':{'Content-Type':'application/json','User-Agent':'icoa-cli'},'body':JSON[w(0x1ee)]({'token':d['token'],'question':d[w(0x1f9)],'level':d['level'],'lang':h}),'signal':AbortSignal[w(0x1f2)](j)}),r=await q[w(0x1f0)]()[w(0x1f8)](()=>({}));if(!q['ok']||!(-0x1d3e+0x930+0x140f)===r['success']){if(l={'status':q[w(0x1e1)],'message':r?.[w(0x1ef)]||'hint\x20request\x20failed\x20('+q[w(0x1e1)]+')'},q[w(0x1e1)]>=0x916+-0x1a32+0x12ac&&q[w(0x1e1)]<0x1*-0xd32+-0x347*-0x3+0x551)throw l;continue;}return r[w(0x1f1)];}catch(u){if(u&&w(0x1ec)==typeof u&&w(0x1e1)in u)throw u;l={'status':0x0,'message':u?.[w(0x1ef)]||w(0x1e8)};}const m={};m[w(0x1e1)]=0x0,m[w(0x1ef)]=w(0x1f4);throw l||m;}function a0b(a,b){a=a-(0xa3*0x34+0x202b*-0x1+0xf0);const c=a0a();let d=c[a];if(a0b['arwBsT']===undefined){var e=function(i){const j='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let l='',m='';for(let n=-0x2d1+0x16*0x191+-0x1fa5,o,p,q=0x212f+-0x167f*0x1+-0xab0;p=i['charAt'](q++);~p&&(o=n%(-0x145c+0x916+0xb4a)?o*(0x1*-0x23f9+0x699*-0x2+0x316b)+p:p,n++%(-0x26ce*0x1+-0xe9c+0x1ab7*0x2))?l+=String['fromCharCode'](0x2ba*0xb+-0xbb8+-0x1147*0x1&o>>(-(-0x1fe4+-0x2653+0x4639)*n&0x53*0x31+0x1*0x151+-0x112e)):0x15d8+0xfc*0x9+0xa*-0x312){p=j['indexOf'](p);}for(let r=0x1*-0x23df+-0xbb4+0x13*0x281,s=l['length'];r<s;r++){m+='%'+('00'+l['charCodeAt'](r)['toString'](0x215*-0x9+0xa*0x6f+-0x17*-0xa1))['slice'](-(0x9*0x1ec+-0x16c9*0x1+0xc9*0x7));}return decodeURIComponent(m);};a0b['lVwzws']=e,a0b['OjXpai']={},a0b['arwBsT']=!![];}const f=c[0x2*0xd37+-0xc7*0x15+-0xa1b],g=a+f,h=a0b['OjXpai'][g];return!h?(d=a0b['lVwzws'](d),a0b['OjXpai'][g]=d):d=h,d;}function a0a(){const x=['BMv0D29YAYbLCNjVCG','l2fWAs9Py29Hl2v4yw1ZlW','mty2nZaZneXOAxLKAa','mty3mtCXmLPfDvrmBG','B2jQzwn0','mtm5ohbmA1zhrq','C3rYAw5NAwz5','BwvZC2fNzq','ANnVBG','zgf0yq','DgLTzw91Da','zxHHBuLK','AgLUDcbbueKGDw5YzwfJAgfIBgu','y3rMzfvYBa','BgfUzW','DgLTzw91De1Z','y2f0y2G','CxvLC3rPB24','C3rHDhvZ','mJK5nunqvLfkqW','mJKXnJuWDhvlqu1q','nda3nJm1owjdu1jWqW','ndy4otm2oereA3LfAa','mtiYoty5ofzkz09gzG','m0XvsuHJCW'];a0a=function(){return x;};return a0a();}
1
+ function a0b(a,b){a=a-(-0x1*0x15e6+-0xf09+0x25c4);const c=a0a();let d=c[a];if(a0b['ExbECh']===undefined){var e=function(i){const j='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';let l='',m='';for(let n=-0x14b4+0x1f67*-0x1+0x341b,o,p,q=0x7a*0x4f+-0x1235*0x2+-0x4*0x4f;p=i['charAt'](q++);~p&&(o=n%(-0x9a3+-0x1c18+0x25bf*0x1)?o*(-0x259*0x4+0x1ceb+-0x1*0x1347)+p:p,n++%(0x1692+0x14*-0x2c+-0x131e*0x1))?l+=String['fromCharCode'](-0x9*-0x4a+-0x36d*-0xb+-0x274a&o>>(-(0xd9b+0x1343+-0x20dc)*n&0x24c1+0x1*0xf97+-0x3452)):-0x541*-0x6+-0x216d*0x1+0x1e7){p=j['indexOf'](p);}for(let r=0x11b3*0x2+-0xfe*-0x1e+-0x1b7*0x26,s=l['length'];r<s;r++){m+='%'+('00'+l['charCodeAt'](r)['toString'](-0x1*0x6ad+-0x1e65+0x2522))['slice'](-(-0xbea*-0x2+-0x41e+0x2*-0x9da));}return decodeURIComponent(m);};a0b['bORVky']=e,a0b['hZjtII']={},a0b['ExbECh']=!![];}const f=c[-0x187a+0x9b2+-0x1d9*-0x8],g=a+f,h=a0b['hZjtII'][g];return!h?(d=a0b['bORVky'](d),a0b['hZjtII'][g]=d):d=h,d;}function a0a(){const x=['DgLTzw91De1Z','odiZnZi3mxrPrMD4AG','ndu3odK5nMXfA3zMta','y2f0y2G','ndK3odi1wuTKsKnJ','ue9tva','BgfUzW','ANnVBG','mty3mtjvzfvNt2q','mZGXzfHusLze','C3vJy2vZCW','C3rYAw5NAwz5','oJKWotaVyxbPl2LJB2eVzxHHBxmV','y3rMzfvYBa','mtuYntu0ntb1y2DHwgm','C3rHDhvZ','zxHHBuLK','zgf0yq','BwvZC2fNzq','BgfUz3vHz2u','mJbYCMXqEey','AgLUDcbYzxf1zxn0igzHAwXLzcaO','Ahr0Chm6lY9WCMfJDgLJzs5Py29HmJaYnI5HDq','l2fWAs9Py29Hl2v4yw1ZlW','yxbWBgLJyxrPB24VANnVBG','B2jQzwn0','mtiXotm4y2PfrwPh','DgLTzw91Da','nta2mteXmMLZBNDNBW','l2HPBNq'];a0a=function(){return x;};return a0a();}(function(a,b){const v=a0b,c=a();while(!![]){try{const d=parseInt(v(0xdd))/(0x6db+0x8*-0x6d+-0x372)+-parseInt(v(0xe1))/(0x15e8+-0x2*0xfe3+0x9e0)*(-parseInt(v(0xe2))/(0x931+0x3*0x599+0x3d*-0x6d))+-parseInt(v(0xdb))/(0x2503+-0x1*-0x81e+-0x2d1d)+parseInt(v(0xed))/(-0x1280+-0x677*0x5+0xcb6*0x4)*(parseInt(v(0xd5))/(0x10a8+-0x423+0x1*-0xc7f))+parseInt(v(0xda))/(0x43d+0x89c+0x6*-0x223)+parseInt(v(0xd7))/(-0x580+0x63*-0xb+-0xa7*-0xf)+-parseInt(v(0xe7))/(-0x143c+-0x25*0x66+0x2303);if(d===b)break;else c['push'](c['shift']());}catch(e){c['push'](c['shift']());}}}(a0a,0x1*-0xab757+-0x469a+0x144c73));import{getConfig as a0c}from'./config.js';export async function requestHint(d){const w=a0b,f=a0c(),g=f[w(0xe6)]||w(0xef),h=d[w(0xdf)]||f[w(0xec)]||'en',j=d[w(0xd9)]??-0x1c83*0x2+-0x2c61*-0x1+0x295*0x11,k=[g+w(0xf0)+d['examId']+w(0xd8),g+w(0xe5)+d[w(0xe9)]+'/hint'];let l=null;for(const p of k)try{const q=await fetch(p,{'method':w(0xde),'headers':{'Content-Type':w(0xf1),'User-Agent':'icoa-cli'},'body':JSON[w(0xe4)]({'token':d['token'],'question':d['question'],'level':d['level'],'lang':h}),'signal':AbortSignal[w(0xd6)](j)}),r=await q[w(0xe0)]()[w(0xdc)](()=>({}));if(!q['ok']||!(-0x49*-0x49+-0x20e9+0xc19)===r[w(0xe3)]){if(l={'status':q[w(0xe8)],'message':r?.[w(0xeb)]||w(0xee)+q['status']+')'},q['status']>=0x17cd*-0x1+-0x7d2+0x1*0x212f&&q['status']<-0x1*0x18c1+-0x1*0x97d+0x2432)throw l;continue;}return r[w(0xea)];}catch(u){if(u&&w(0xf2)==typeof u&&'status'in u)throw u;l={'status':0x0,'message':u?.[w(0xeb)]||'network\x20error'};}const m={};m[w(0xe8)]=0x0,m[w(0xeb)]='hint\x20API\x20unreachable';throw l||m;}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "icoa-cli",
3
- "version": "2.19.294",
3
+ "version": "2.19.295",
4
4
  "description": "ICOA CLI — The world's first CLI-native cyber & AI security olympiad terminal: AI4CTF (Day 1), CTF4AI (Day 2), VLA4CTF (Pioneer Round — embodied AI)",
5
5
  "type": "module",
6
6
  "bin": {