icoa-cli 2.19.58 → 2.19.60

package/dist/commands/ai4ctf.js

@@ -300,6 +300,33 @@ export function registerAi4ctfCommand(program) {
         .description('Chat with your AI teammate')
         .action(async () => {
         logCommand('ai4ctf');
+        // Block mid-exam: ai4ctf starts a scripted demo challenge, which would
+        // interrupt a real exam session. Redirect to the actual exam AI tool.
+        const { getRealExamState } = await import('../lib/exam-state.js');
+        const realExam = getRealExamState();
+        if (realExam) {
+            const currentQ = realExam._lastQ || 1;
+            const inAi4ctfRange = currentQ >= 31 && currentQ <= 38;
+            console.log();
+            console.log(chalk.yellow('  ⚠  You are in a real exam — ai4ctf demo is blocked here.'));
+            console.log();
+            if (inAi4ctfRange) {
+                console.log(chalk.white(`  You are on Q${currentQ} (AI4CTF section).`));
+                console.log(chalk.white('  To ask the AI about this question:'));
+                console.log(chalk.gray('    → ') + chalk.bold.cyan(`hint "your question"`));
+                console.log(chalk.gray('  Example: ') + chalk.green(`hint "how do I decrypt AES-CBC in Python?"`));
+            }
+            else {
+                console.log(chalk.white(`  You are on Q${currentQ}. The AI4CTF section is Q31–38.`));
+                console.log(chalk.gray('  Jump there: ') + chalk.bold.cyan('exam q 31'));
+                console.log(chalk.gray('  Then ask the AI with: ') + chalk.white('hint "your question"'));
+            }
+            console.log();
+            console.log(chalk.gray('  ai4ctf as a chat command is demo-only. In the real exam,'));
+            console.log(chalk.gray('  `hint` is the AI interface — 25K AI4CTF + 25K CTF4AI tokens.'));
+            console.log();
+            return;
+        }
         const config = getConfig();
         const modelName = config.geminiModel || 'gemma-4-31b-it';
         // Demo challenge context

package/dist/commands/ctf4ai-demo.js

@@ -170,6 +170,32 @@ export function registerCtf4aiDemoCommand(program) {
         .description('CTF4AI Demo — Prompt injection challenge')
         .action(async () => {
         logCommand('ctf4ai');
+        // Block mid-exam: ctf4ai starts a scripted koala demo, would derail
+        // a real exam session and burn AI tokens against the wrong budget.
+        const { getRealExamState } = await import('../lib/exam-state.js');
+        const realExam = getRealExamState();
+        if (realExam) {
+            const currentQ = realExam._lastQ || 1;
+            const inCtf4aiRange = currentQ >= 39;
+            console.log();
+            console.log(chalk.yellow('  ⚠  You are in a real exam — ctf4ai demo is blocked here.'));
+            console.log();
+            if (inCtf4aiRange) {
+                console.log(chalk.white(`  You are on Q${currentQ} (CTF4AI section).`));
+                console.log(chalk.white('  The question scenario itself is the AI target — read Q39/Q40'));
+                console.log(chalk.white('  carefully. To ask the AI assistant for help:'));
+                console.log(chalk.gray('    → ') + chalk.bold.cyan(`hint "your question"`));
+            }
+            else {
+                console.log(chalk.white(`  You are on Q${currentQ}. The CTF4AI section is Q39–40.`));
+                console.log(chalk.gray('  Jump there: ') + chalk.bold.cyan('exam q 39'));
+            }
+            console.log();
+            console.log(chalk.gray('  ctf4ai as a standalone command is demo-only. In the real exam,'));
+            console.log(chalk.gray('  each Q39/Q40 scenario contains its own AI target to attack.'));
+            console.log();
+            return;
+        }
         if (ctf4aiActive) {
             console.log(chalk.gray(`  ${t('ctf4aiAlready')}`));
             return;

package/dist/commands/exam.js

@@ -326,6 +326,21 @@ function printQuestionProgress(current, total, answered) {
     const pct = Math.round((current / total) * 100);
     console.log();
     console.log(`  ${bar}  ${chalk.white.bold(`${current}`)}${chalk.gray(`/${total}`)}  ${chalk.gray(`(${answered} answered)`)}  ${chalk.gray(`${pct}%`)}`);
+    // Time remaining — colour-coded countdown so contestants always see where
+    // they stand. Authoritative clock lives on the server (confirmedAt +
+    // duration enforced at submit time); this is a display helper.
+    const deadline = getExamDeadline();
+    if (deadline) {
+        const remainingSec = Math.max(0, Math.round((deadline.getTime() - Date.now()) / 1000));
+        const mm = Math.floor(remainingSec / 60);
+        const ss = remainingSec % 60;
+        const timeStr = `${mm}:${String(ss).padStart(2, '0')}`;
+        const color = remainingSec <= 60 ? chalk.red.bold
+            : remainingSec <= 300 ? chalk.red
+                : remainingSec <= 600 ? chalk.yellow
+                    : chalk.gray;
+        console.log(`  ${chalk.gray('⏱ Time remaining:')} ${color(timeStr)} ${chalk.gray('(server-authoritative)')}`);
+    }
 }
 // Help budget per exam.md §3: 10 base + 5 hidden bonus (unlocked via `more help`).
 // Demo still uses the lighter 5 + 3 set via _helpMax overrides at demo start.
@@ -967,12 +982,19 @@ export function registerExamCommand(program) {
         const isPractical = q.type === 'ai4ctf' || q.type === 'ctf4ai' || (q.options && !q.options.A && !q.options.B);
         let c;
         if (isPractical) {
-            // Accept flag format: ICOA{...} or any string
             c = choice.trim();
             if (!c) {
                 printError('Please provide your flag: exam answer <n> ICOA{your_flag}');
                 return;
             }
+            // Reject letter-only answers on practical questions — almost certainly
+            // a user who typed `A` thinking MCQ was still in play. Submitting 'A'
+            // as the flag is a footgun that would waste an attempt silently.
+            if (/^[A-Da-d]$/.test(c)) {
+                printError(`Q${num} is a practical question — answer with a flag, not a letter.`);
+                console.log(chalk.gray('  Example: ') + chalk.green(`exam answer ${num} ICOA{your_flag}`));
+                return;
+            }
         }
         else {
             c = choice.toUpperCase();

package/dist/repl.js

@@ -597,14 +597,32 @@ export async function startRepl(program, resumeMode) {
             return;
         }
         // ─── Quick exam answer shortcuts ───
-        // "A" / "B" / "C" / "D" → answer current question
-        // "2 C" / "5 A" → answer specific question
+        // "A" / "B" / "C" / "D" → answer current question (MCQ only)
+        // "2 C" / "5 A" → answer specific question (MCQ only)
+        // Practical questions (Q31-40) require flag format (ICOA{...}) — single
+        // letters on those would be silently accepted as the wrong flag answer,
+        // which is a footgun. Block and nudge the user toward the flag syntax.
         const examState = getExamState();
         if (examState) {
             const upper = input.toUpperCase().trim();
-            // Single letter: A, B, C, D → answer current question
+            // Helper: is question N practical (no A/B/C/D options)?
+            const isPracticalQ = (n) => {
+                const q = examState.questions.find((qq) => qq.number === n);
+                if (!q)
+                    return false;
+                return q.type === 'ai4ctf' || q.type === 'ctf4ai' || (q.options && !q.options.A && !q.options.B);
+            };
+            // Single letter: A, B, C, D → answer current question (only if MCQ)
             if (/^[ABCD]$/.test(upper)) {
                 const currentQ = examState._lastQ || 1;
+                if (isPracticalQ(currentQ)) {
+                    console.log();
+                    console.log(chalk.yellow(`  Q${currentQ} is a practical question — answer with a flag, not a letter.`));
+                    console.log(chalk.gray('  Example: ') + chalk.green(`exam answer ${currentQ} ICOA{your_flag}`));
+                    console.log();
+                    rl.prompt();
+                    return;
+                }
                 processing = true;
                 try {
                     await program.parseAsync(['node', 'icoa', 'exam', 'answer', String(currentQ), upper]);
@@ -614,9 +632,18 @@ export async function startRepl(program, resumeMode) {
                 rl.prompt();
                 return;
             }
-            // "N X" pattern: e.g. "2 C", "15 A"
+            // "N X" pattern: e.g. "2 C", "15 A" (MCQ only — same protection)
             const match = upper.match(/^(\d+)\s+([ABCD])$/);
             if (match) {
+                const targetQ = parseInt(match[1], 10);
+                if (isPracticalQ(targetQ)) {
+                    console.log();
+                    console.log(chalk.yellow(`  Q${targetQ} is a practical question — answer with a flag, not a letter.`));
+                    console.log(chalk.gray('  Example: ') + chalk.green(`exam answer ${targetQ} ICOA{your_flag}`));
+                    console.log();
+                    rl.prompt();
+                    return;
+                }
                 processing = true;
                 try {
                     await program.parseAsync(['node', 'icoa', 'exam', 'answer', match[1], match[2]]);
@@ -667,6 +694,7 @@ export async function startRepl(program, resumeMode) {
             'hint-budget', 'ref', 'shell', 'files', 'connect', 'note',
             'log', 'lang', 'setup', 'env', 'ai4ctf', 'model', 'ctf',
             'exam', 'demo', 'retry', 'nations', 'next', 'prev', 'continue', 'logout', 'ctf4ai',
+            'mark', 'unmark', 'review', 'submit',
         ];
         if (!knownCommands.includes(cmd)) {
             // Block dangerous commands

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "icoa-cli",
-  "version": "2.19.58",
+  "version": "2.19.60",
   "description": "ICOA CLI — The world's first CLI-native CTF competition terminal",
   "type": "module",
   "bin": {