icoa-cli 2.19.99 → 2.19.101

package/dist/lib/ctfd-client.js

@@ -1,274 +1 @@
-import { createWriteStream, mkdirSync } from 'node:fs';
-import { join } from 'node:path';
-import { pipeline } from 'node:stream/promises';
-import { Readable } from 'node:stream';
-export class CTFdClient {
-    baseUrl;
-    token;
-    sessionCookie;
-    csrfNonce;
-    constructor(baseUrl, token, sessionCookie, csrfNonce) {
-        this.baseUrl = baseUrl.replace(/\/+$/, '');
-        this.token = token;
-        this.sessionCookie = sessionCookie || '';
-        this.csrfNonce = csrfNonce || '';
-    }
-    getAuthHeaders() {
-        if (this.token) {
-            return { Authorization: `Token ${this.token}` };
-        }
-        if (this.sessionCookie) {
-            const headers = { Cookie: this.sessionCookie };
-            if (this.csrfNonce) {
-                headers['CSRF-Token'] = this.csrfNonce;
-            }
-            return headers;
-        }
-        return {};
-    }
-    async fetchCsrfNonce() {
-        if (this.csrfNonce)
-            return this.csrfNonce;
-        try {
-            const res = await fetch(this.baseUrl, {
-                headers: this.sessionCookie ? { Cookie: this.sessionCookie } : {},
-            });
-            const html = await res.text();
-            const match = html.match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);
-            if (match) {
-                this.csrfNonce = match[1];
-                return this.csrfNonce;
-            }
-        }
-        catch { /* ignore */ }
-        return '';
-    }
-    async request(method, path, body) {
-        // Auto-fetch CSRF nonce for session-based auth
-        if (this.sessionCookie && !this.csrfNonce) {
-            await this.fetchCsrfNonce();
-        }
-        const url = `${this.baseUrl}/api/v1${path}`;
-        const headers = {
-            ...this.getAuthHeaders(),
-            'Content-Type': 'application/json',
-        };
-        const res = await fetch(url, {
-            method,
-            headers,
-            body: body ? JSON.stringify(body) : undefined,
-        });
-        if (!res.ok) {
-            const text = await res.text().catch(() => 'Unknown error');
-            throw new Error(`CTFd API error (${res.status}): ${text}`);
-        }
-        const json = (await res.json());
-        if (json.success === false) {
-            throw new Error(`CTFd error: ${json.errors?.join(', ') || 'Unknown error'}`);
-        }
-        return json.data;
-    }
-    async testConnection() {
-        try {
-            return await this.request('GET', '/users/me');
-        }
-        catch (err) {
-            // Session mode fallback: API may return 403, try scraping profile page
-            if (this.sessionCookie && err.message?.includes('403')) {
-                return this.testConnectionViaProfile();
-            }
-            throw err;
-        }
-    }
-    async testConnectionViaProfile() {
-        const res = await fetch(`${this.baseUrl}/settings`, {
-            headers: { Cookie: this.sessionCookie },
-        });
-        if (!res.ok)
-            throw new Error('Session expired or invalid.');
-        const html = await res.text();
-        // Extract user name from settings page
-        const nameMatch = html.match(/name="name"[^>]*value="([^"]+)"/) ||
-            html.match(/<input[^>]*id="name"[^>]*value="([^"]+)"/);
-        const name = nameMatch?.[1] || 'User';
-        // Extract user ID from page
-        const idMatch = html.match(/user_id['":\s]+(\d+)/) ||
-            html.match(/userId['":\s]+(\d+)/);
-        const id = idMatch ? parseInt(idMatch[1], 10) : 0;
-        // Update CSRF nonce from settings page
-        const csrfMatch = html.match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);
-        if (csrfMatch)
-            this.csrfNonce = csrfMatch[1];
-        return { id, name, score: 0, team_id: 0, country: '' };
-    }
-    async getChallenges() {
-        return this.request('GET', '/challenges');
-    }
-    async getChallenge(id) {
-        return this.request('GET', `/challenges/${id}`);
-    }
-    async submitFlag(challengeId, submission) {
-        const res = await fetch(`${this.baseUrl}/api/v1/challenges/attempt`, {
-            method: 'POST',
-            headers: {
-                ...this.getAuthHeaders(),
-                'Content-Type': 'application/json',
-            },
-            body: JSON.stringify({ challenge_id: challengeId, submission }),
-        });
-        if (!res.ok) {
-            const text = await res.text().catch(() => 'Unknown error');
-            throw new Error(`CTFd API error (${res.status}): ${text}`);
-        }
-        const json = (await res.json());
-        return json.data;
-    }
-    async getScoreboard() {
-        return this.request('GET', '/scoreboard');
-    }
-    async getTeam() {
-        return this.request('GET', '/teams/me');
-    }
-    async getCompetitionMeta() {
-        const res = await fetch(this.baseUrl);
-        const html = await res.text();
-        const startMatch = html.match(/'start'\s*:\s*(\d+)/);
-        const endMatch = html.match(/'end'\s*:\s*(\d+)/);
-        const modeMatch = html.match(/'userMode'\s*:\s*"([^"]+)"/);
-        const csrfMatch = html.match(/'csrfNonce'\s*:\s*"([^"]+)"/);
-        return {
-            start: startMatch ? parseInt(startMatch[1]) : null,
-            end: endMatch ? parseInt(endMatch[1]) : null,
-            userMode: modeMatch?.[1] || 'users',
-            csrfNonce: csrfMatch?.[1] || '',
-        };
-    }
-    async getChallengeFiles(id) {
-        const challenge = await this.getChallenge(id);
-        return challenge.files || [];
-    }
-    async downloadFile(filePath, destDir) {
-        mkdirSync(destDir, { recursive: true });
-        const url = filePath.startsWith('http')
-            ? filePath
-            : `${this.baseUrl}/${filePath.replace(/^\//, '')}`;
-        const res = await fetch(url, {
-            headers: this.getAuthHeaders(),
-            redirect: 'follow',
-        });
-        if (!res.ok || !res.body) {
-            throw new Error(`Failed to download: ${url}`);
-        }
-        const rawName = filePath.split('/').pop() || 'file';
-        const fileName = rawName.split('?')[0];
-        const destPath = join(destDir, fileName);
-        const fileStream = createWriteStream(destPath);
-        await pipeline(Readable.fromWeb(res.body), fileStream);
-        return destPath;
-    }
-    async getTokenViaIcoaApi(username, password) {
-        const body = JSON.stringify({ name: username, password });
-        const headers = { 'Content-Type': 'application/json' };
-        // Try via nginx proxy first (same origin, no port)
-        try {
-            const res = await fetch(`${this.baseUrl}/api/icoa/token`, {
-                method: 'POST', headers, body,
-                signal: AbortSignal.timeout(5000),
-            });
-            if (res.ok) {
-                const json = await res.json();
-                if (json.success && json.data?.token)
-                    return json.data.token;
-            }
-        }
-        catch { /* proxy not available */ }
-        // Fallback: direct port 9090
-        try {
-            const res = await fetch(`${this.baseUrl}:9090/api/icoa/token`, {
-                method: 'POST', headers, body,
-                signal: AbortSignal.timeout(5000),
-            });
-            if (res.ok) {
-                const json = await res.json();
-                if (json.success && json.data?.token)
-                    return json.data.token;
-            }
-        }
-        catch { /* API not available */ }
-        return null;
-    }
-    async loginWithCredentials(username, password) {
-        // Try ICOA token API first (fastest path)
-        const icoaToken = await this.getTokenViaIcoaApi(username, password);
-        if (icoaToken) {
-            return { token: icoaToken, session: '', csrf: '' };
-        }
-        // Fallback: standard CTFd login flow
-        // Step 1: GET /login to get nonce
-        const loginPageRes = await fetch(`${this.baseUrl}/login`);
-        const loginHtml = await loginPageRes.text();
-        const nonceMatch = loginHtml.match(/name="nonce"[^>]*value="([^"]+)"/) ||
-            loginHtml.match(/value="([^"]+)"[^>]*name="nonce"/) ||
-            loginHtml.match(/id="nonce"[^>]*value="([^"]+)"/) ||
-            loginHtml.match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);
-        const nonce = nonceMatch?.[1] || '';
-        if (!nonce) {
-            throw new Error('Could not extract CSRF nonce from login page.');
-        }
-        const cookies = loginPageRes.headers.getSetCookie?.() || [];
-        const cookieStr = cookies.map((c) => c.split(';')[0]).join('; ');
-        // Step 2: POST /login with credentials
-        const loginRes = await fetch(`${this.baseUrl}/login`, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/x-www-form-urlencoded',
-                Cookie: cookieStr,
-            },
-            body: new URLSearchParams({ name: username, password, nonce, _submit: 'Submit' }),
-            redirect: 'manual',
-        });
-        const loginCookies = loginRes.headers.getSetCookie?.() || [];
-        const allCookies = [...cookies, ...loginCookies].map((c) => c.split(';')[0]).join('; ');
-        const location = loginRes.headers.get('location') || '';
-        if (location.includes('/login')) {
-            throw new Error('Invalid username or password.');
-        }
-        // Step 3: Try to generate API token (some CTFd instances allow it)
-        try {
-            const settingsRes = await fetch(`${this.baseUrl}/settings`, {
-                headers: { Cookie: allCookies },
-            });
-            const settingsHtml = await settingsRes.text();
-            const csrfMatch = settingsHtml.match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);
-            const csrfNonce = csrfMatch?.[1] || nonce;
-            const tokenRes = await fetch(`${this.baseUrl}/api/v1/tokens`, {
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    Cookie: allCookies,
-                    'CSRF-Token': csrfNonce,
-                },
-                body: JSON.stringify({ expiration: '2026-12-31T23:59:59+00:00' }),
-            });
-            if (tokenRes.ok) {
-                const tokenJson = (await tokenRes.json());
-                if (tokenJson.success && tokenJson.data?.value) {
-                    return { token: tokenJson.data.value, session: '', csrf: '' };
-                }
-            }
-        }
-        catch { /* Token generation not available, use session */ }
-        // Fallback: use session cookie + CSRF nonce
-        // Get CSRF nonce from the main page
-        let csrf = '';
-        try {
-            const mainRes = await fetch(`${this.baseUrl}/challenges`, { headers: { Cookie: allCookies } });
-            const mainHtml = await mainRes.text();
-            const csrfMatch = mainHtml.match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);
-            if (csrfMatch)
-                csrf = csrfMatch[1];
-        }
-        catch { /* ignore */ }
-        return { token: '', session: allCookies, csrf };
-    }
-}
+import{createWriteStream as e,mkdirSync as t}from"node:fs";import{join as s}from"node:path";import{pipeline as o}from"node:stream/promises";import{Readable as a}from"node:stream";export class CTFdClient{baseUrl;token;sessionCookie;csrfNonce;constructor(e,t,s,o){this.baseUrl=e.replace(/\/+$/,""),this.token=t,this.sessionCookie=s||"",this.csrfNonce=o||""}getAuthHeaders(){if(this.token)return{Authorization:`Token ${this.token}`};if(this.sessionCookie){const e={Cookie:this.sessionCookie};return this.csrfNonce&&(e["CSRF-Token"]=this.csrfNonce),e}return{}}async fetchCsrfNonce(){if(this.csrfNonce)return this.csrfNonce;try{const e=await fetch(this.baseUrl,{headers:this.sessionCookie?{Cookie:this.sessionCookie}:{}}),t=(await e.text()).match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);if(t)return this.csrfNonce=t[1],this.csrfNonce}catch{}return""}async request(e,t,s){this.sessionCookie&&!this.csrfNonce&&await this.fetchCsrfNonce();const o=`${this.baseUrl}/api/v1${t}`,a={...this.getAuthHeaders(),"Content-Type":"application/json"},n=await fetch(o,{method:e,headers:a,body:s?JSON.stringify(s):void 0});if(!n.ok){const e=await n.text().catch(()=>"Unknown error");throw new Error(`CTFd API error (${n.status}): ${e}`)}const r=await n.json();if(!1===r.success)throw new Error(`CTFd error: ${r.errors?.join(", ")||"Unknown error"}`);return r.data}async testConnection(){try{return await this.request("GET","/users/me")}catch(e){if(this.sessionCookie&&e.message?.includes("403"))return this.testConnectionViaProfile();throw e}}async testConnectionViaProfile(){const e=await fetch(`${this.baseUrl}/settings`,{headers:{Cookie:this.sessionCookie}});if(!e.ok)throw new Error("Session expired or invalid.");const t=await e.text(),s=t.match(/name="name"[^>]*value="([^"]+)"/)||t.match(/<input[^>]*id="name"[^>]*value="([^"]+)"/),o=s?.[1]||"User",a=t.match(/user_id['":\s]+(\d+)/)||t.match(/userId['":\s]+(\d+)/),n=a?parseInt(a[1],10):0,r=t.match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);return r&&(this.csrfNonce=r[1]),{id:n,name:o,score:0,team_id:0,country:""}}async getChallenges(){return this.request("GET","/challenges")}async getChallenge(e){return this.request("GET",`/challenges/${e}`)}async submitFlag(e,t){const s=await fetch(`${this.baseUrl}/api/v1/challenges/attempt`,{method:"POST",headers:{...this.getAuthHeaders(),"Content-Type":"application/json"},body:JSON.stringify({challenge_id:e,submission:t})});if(!s.ok){const e=await s.text().catch(()=>"Unknown error");throw new Error(`CTFd API error (${s.status}): ${e}`)}return(await s.json()).data}async getScoreboard(){return this.request("GET","/scoreboard")}async getTeam(){return this.request("GET","/teams/me")}async getCompetitionMeta(){const e=await fetch(this.baseUrl),t=await e.text(),s=t.match(/'start'\s*:\s*(\d+)/),o=t.match(/'end'\s*:\s*(\d+)/),a=t.match(/'userMode'\s*:\s*"([^"]+)"/),n=t.match(/'csrfNonce'\s*:\s*"([^"]+)"/);return{start:s?parseInt(s[1]):null,end:o?parseInt(o[1]):null,userMode:a?.[1]||"users",csrfNonce:n?.[1]||""}}async getChallengeFiles(e){return(await this.getChallenge(e)).files||[]}async downloadFile(n,r){t(r,{recursive:!0});const i=n.startsWith("http")?n:`${this.baseUrl}/${n.replace(/^\//,"")}`,c=await fetch(i,{headers:this.getAuthHeaders(),redirect:"follow"});if(!c.ok||!c.body)throw new Error(`Failed to download: ${i}`);const h=(n.split("/").pop()||"file").split("?")[0],l=s(r,h),d=e(l);return await o(a.fromWeb(c.body),d),l}async getTokenViaIcoaApi(e,t){const s=JSON.stringify({name:e,password:t}),o={"Content-Type":"application/json"};try{const e=await fetch(`${this.baseUrl}/api/icoa/token`,{method:"POST",headers:o,body:s,signal:AbortSignal.timeout(5e3)});if(e.ok){const t=await e.json();if(t.success&&t.data?.token)return t.data.token}}catch{}try{const e=await fetch(`${this.baseUrl}:9090/api/icoa/token`,{method:"POST",headers:o,body:s,signal:AbortSignal.timeout(5e3)});if(e.ok){const t=await e.json();if(t.success&&t.data?.token)return t.data.token}}catch{}return null}async loginWithCredentials(e,t){const s=await this.getTokenViaIcoaApi(e,t);if(s)return{token:s,session:"",csrf:""};const o=await fetch(`${this.baseUrl}/login`),a=await o.text(),n=a.match(/name="nonce"[^>]*value="([^"]+)"/)||a.match(/value="([^"]+)"[^>]*name="nonce"/)||a.match(/id="nonce"[^>]*value="([^"]+)"/)||a.match(/csrfNonce['":\s]+['"]([^'"]+)['"]/),r=n?.[1]||"";if(!r)throw new Error("Could not extract CSRF nonce from login page.");const i=o.headers.getSetCookie?.()||[],c=i.map(e=>e.split(";")[0]).join("; "),h=await fetch(`${this.baseUrl}/login`,{method:"POST",headers:{"Content-Type":"application/x-www-form-urlencoded",Cookie:c},body:new URLSearchParams({name:e,password:t,nonce:r,_submit:"Submit"}),redirect:"manual"}),l=h.headers.getSetCookie?.()||[],d=[...i,...l].map(e=>e.split(";")[0]).join("; ");if((h.headers.get("location")||"").includes("/login"))throw new Error("Invalid username or password.");try{const e=await fetch(`${this.baseUrl}/settings`,{headers:{Cookie:d}}),t=(await e.text()).match(/csrfNonce['":\s]+['"]([^'"]+)['"]/),s=t?.[1]||r,o=await fetch(`${this.baseUrl}/api/v1/tokens`,{method:"POST",headers:{"Content-Type":"application/json",Cookie:d,"CSRF-Token":s},body:JSON.stringify({expiration:"2026-12-31T23:59:59+00:00"})});if(o.ok){const e=await o.json();if(e.success&&e.data?.value)return{token:e.data.value,session:"",csrf:""}}}catch{}let f="";try{const e=await fetch(`${this.baseUrl}/challenges`,{headers:{Cookie:d}}),t=(await e.text()).match(/csrfNonce['":\s]+['"]([^'"]+)['"]/);t&&(f=t[1])}catch{}return{token:"",session:d,csrf:f}}}

package/dist/lib/demo-exam.js

@@ -1,249 +1 @@
-import { existsSync, readFileSync } from 'node:fs';
-import { join, dirname } from 'node:path';
-import { fileURLToPath } from 'node:url';
-import { getConfig } from './config.js';
-const __dirname = dirname(fileURLToPath(import.meta.url));
-export const DEMO_POOL_SIZE = 30;
-export const DEMO_PICK_SIZE = 10;
-export const DEMO_SESSION = {
-    examId: 'demo-free',
-    examName: 'ICOA Demo Exam — Free Practice',
-    startedAt: '',
-    durationMinutes: 0,
-    questionCount: DEMO_PICK_SIZE,
-    country: 'ALL',
-};
-// Answer key for the 30-question pool (balanced A=7 B=7 C=8 D=8)
-// Q16-30 option order was rebalanced from translate-demo.js to distribute answers.
-export const DEMO_ANSWERS = {
-    1: 'B', 2: 'B', 3: 'C', 4: 'B', 5: 'C', 6: 'B', 7: 'B', 8: 'C',
-    9: 'C', 10: 'B', 11: 'C', 12: 'B', 13: 'B', 14: 'B', 15: 'B',
-    16: 'D', 17: 'D', 18: 'C', 19: 'C', 20: 'B', 21: 'A', 22: 'D', 23: 'C',
-    24: 'B', 25: 'A', 26: 'B', 27: 'D', 28: 'C', 29: 'A', 30: 'B',
-};
-export const DEMO_EXPLANATIONS = {
-    1: 'RSA is an asymmetric (public-key) cipher. AES, DES, and Blowfish are all symmetric ciphers that use the same key for encryption and decryption.',
-    2: 'SQL injection occurs when user input is inserted directly into database queries without proper sanitization, allowing attackers to manipulate the query.',
-    3: 'HTTP 403 means Forbidden — the server understood the request but refuses to authorize it. 401 is Unauthorized, 404 is Not Found, 500 is Internal Server Error.',
-    4: 'A nonce (number used once) is a random value used in cryptographic protocols to prevent replay attacks — ensuring each request or message is unique and cannot be reused by an attacker.',
-    5: 'Wireshark is the standard tool for capturing and analyzing network packets. Burp Suite is for web testing, John the Ripper for password cracking, Ghidra for reverse engineering.',
-    6: 'XSS stands for Cross-Site Scripting — a vulnerability where attackers inject malicious scripts into web pages viewed by other users.',
-    7: 'A firewall filters network traffic based on security rules, blocking unauthorized access while allowing legitimate communication. It does not encrypt, scan for viruses, or speed up connections.',
-    8: 'A Trojan disguises itself as legitimate software to trick users into installing it. Unlike worms, Trojans do not self-replicate.',
-    9: 'HTTPS (HTTP Secure) uses TLS/SSL to encrypt web traffic, protecting data from eavesdropping and tampering. HTTP, FTP, and SMTP are not secure by default.',
-    10: 'A cryptographic hash is a one-way function that produces a fixed-size digest. It cannot be reversed, unlike encryption.',
-    11: 'Ghidra is a reverse engineering and binary analysis tool developed by the NSA. Nmap scans ports, SQLMap tests SQL injection, Nikto scans web servers.',
-    12: 'DNS Spoofing (cache poisoning) manipulates DNS responses to redirect victims to attacker-controlled servers. It is distinct from phishing, SQLi, and brute force.',
-    13: 'SSH (Secure Shell) runs on port 22 by default. Port 21 is FTP, 80 is HTTP, 443 is HTTPS.',
-    14: 'Two-factor authentication (2FA) requires two distinct types of credentials — something you know (password) and something you have (phone/token) or are (biometrics).',
-    15: 'The command "netstat -tulpn" shows all listening TCP/UDP ports with process info. "ls -la" lists files, "chmod" changes permissions, "cat /etc/passwd" shows user accounts.',
-    16: 'A Man-in-the-Middle (MitM) attack intercepts and potentially modifies communications between two parties who believe they are communicating directly with each other.',
-    17: 'SHA-256 is a cryptographic hash function. AES-256 is a symmetric cipher, RSA-2048 is an asymmetric cipher, and Diffie-Hellman is a key exchange protocol.',
-    18: 'The principle of least privilege means granting users only the minimum permissions necessary to perform their tasks, reducing the attack surface.',
-    19: 'Nmap is the standard port scanning tool. Wireshark captures packets, Metasploit is an exploitation framework, and Hashcat is a password cracker.',
-    20: 'Ransomware encrypts the victim\'s files and demands payment (usually cryptocurrency) in exchange for the decryption key.',
-    21: 'Symmetric encryption uses a single shared key for both encrypting and decrypting. Asymmetric encryption uses a key pair — a public key to encrypt and a private key to decrypt.',
-    22: 'Remote Code Execution (RCE) allows an attacker to run arbitrary code on a target server, often leading to full system compromise. CSRF, clickjacking, and open redirect have different impacts.',
-    23: 'OWASP (Open Web Application Security Project) is a non-profit organization that publishes widely-used web security standards and guides, including the OWASP Top 10.',
-    24: 'The chmod command changes file permissions in Linux. chown changes ownership, chgrp changes group, and passwd changes user passwords.',
-    25: 'An SSL/TLS certificate is a digital document issued by a trusted Certificate Authority that verifies a website\'s identity and enables encrypted HTTPS connections.',
-    26: 'Phishing is a social engineering attack that tricks people into revealing sensitive information. Buffer overflow, SQL injection, and port scanning are technical attacks.',
-    27: 'The grep command searches for text patterns in files using regular expressions. It is one of the most commonly used Linux text processing tools.',
-    28: 'A VPN (Virtual Private Network) creates an encrypted tunnel for internet traffic, protecting data from interception and masking the user\'s IP address.',
-    29: 'CSRF (Cross-Site Request Forgery) tricks a logged-in user\'s browser into performing unwanted actions on a trusted site, such as changing account settings or transferring funds.',
-    30: 'Passwords should be stored as salted cryptographic hashes. Plain text and Base64 are insecure, and AES encryption is reversible if the key is compromised. Salted hashing is one-way and resistant to rainbow tables.',
-};
-// 30-question pool. Q16-30 options were rebalanced from the original translate-demo.js layout
-// to achieve an even answer distribution across A/B/C/D.
-// Translation files (translations/<lang>/demo.json) must match this option order.
-export const DEMO_QUESTIONS = [
-    { number: 1, text: 'Which algorithm is NOT a symmetric cipher?', category: 'Cryptography',
-        options: { A: 'AES', B: 'RSA', C: 'DES', D: 'Blowfish' } },
-    { number: 2, text: 'What does SQL injection exploit?', category: 'Web Security',
-        options: { A: 'Buffer overflow in web server', B: 'Unsanitized user input in database queries', C: 'Weak encryption algorithms', D: 'Misconfigured firewall rules' } },
-    { number: 3, text: 'Which HTTP status code indicates "Forbidden"?', category: 'Web Security',
-        options: { A: '401', B: '404', C: '403', D: '500' } },
-    { number: 4, text: 'What is the primary purpose of a nonce in cryptography?', category: 'Cryptography',
-        options: { A: 'Encrypt data at rest', B: 'Prevent replay attacks', C: 'Generate random passwords', D: 'Compress data before encryption' } },
-    { number: 5, text: 'Which tool is commonly used for network packet capture?', category: 'Network',
-        options: { A: 'Burp Suite', B: 'Ghidra', C: 'Wireshark', D: 'John the Ripper' } },
-    { number: 6, text: 'What does XSS stand for in cybersecurity?', category: 'Web Security',
-        options: { A: 'Extended Security System', B: 'Cross-Site Scripting', C: 'XML Secure Socket', D: 'Cross-Server Sharing' } },
-    { number: 7, text: 'What is the primary function of a firewall?', category: 'Network',
-        options: { A: 'Encrypt network data', B: 'Filter network traffic based on security rules', C: 'Detect viruses in files', D: 'Speed up internet connection' } },
-    { number: 8, text: 'Which type of malware disguises itself as legitimate software?', category: 'Malware',
-        options: { A: 'Worm', B: 'Ransomware', C: 'Trojan', D: 'Adware' } },
-    { number: 9, text: 'Which protocol provides secure communication on the web?', category: 'Network',
-        options: { A: 'HTTP', B: 'FTP', C: 'HTTPS', D: 'SMTP' } },
-    { number: 10, text: 'What is a cryptographic hash?', category: 'Cryptography',
-        options: { A: 'A reversible encryption key', B: 'A one-way function producing a fixed-size digest', C: 'An authentication protocol', D: 'A type of digital signature' } },
-    { number: 11, text: 'Which tool is used for binary analysis?', category: 'Reverse Engineering',
-        options: { A: 'Nmap', B: 'SQLMap', C: 'Ghidra', D: 'Nikto' } },
-    { number: 12, text: 'Which attack manipulates DNS requests to redirect traffic?', category: 'Network',
-        options: { A: 'Phishing', B: 'DNS Spoofing', C: 'SQL Injection', D: 'Brute Force' } },
-    { number: 13, text: 'What is the standard port for SSH?', category: 'Network',
-        options: { A: '21', B: '22', C: '80', D: '443' } },
-    { number: 14, text: 'What is two-factor authentication (2FA)?', category: 'Authentication',
-        options: { A: 'Using two different passwords', B: 'Verifying identity with two distinct types of credentials', C: 'Encrypting data twice', D: 'Connecting through two networks' } },
-    { number: 15, text: 'Which Linux command shows open ports on a system?', category: 'Linux',
-        options: { A: 'ls -la', B: 'netstat -tulpn', C: 'chmod 777', D: 'cat /etc/passwd' } },
-    { number: 16, text: 'What is a Man-in-the-Middle (MitM) attack?', category: 'Network',
-        options: { A: 'Accessing a server without authorization', B: 'Guessing passwords by brute force', C: 'Sending multiple requests to overload a server', D: 'Intercepting and modifying communications between two parties' } },
-    { number: 17, text: 'Which of these is a hash algorithm?', category: 'Cryptography',
-        options: { A: 'AES-256', B: 'Diffie-Hellman', C: 'RSA-2048', D: 'SHA-256' } },
-    { number: 18, text: 'What is the principle of least privilege?', category: 'Security',
-        options: { A: 'Give root access to all users', B: 'Use the shortest password possible', C: 'Grant only the permissions necessary to perform a task', D: 'Disable all firewalls' } },
-    { number: 19, text: 'Which tool is commonly used for port scanning?', category: 'Network',
-        options: { A: 'Wireshark', B: 'Metasploit', C: 'Nmap', D: 'Hashcat' } },
-    { number: 20, text: 'What is ransomware?', category: 'Malware',
-        options: { A: 'Software that shows unwanted ads', B: 'Software that encrypts files and demands payment to decrypt', C: 'Software that records keystrokes', D: 'Software that replicates across networks' } },
-    { number: 21, text: 'What is the difference between symmetric and asymmetric encryption?', category: 'Cryptography',
-        options: { A: 'Symmetric uses the same key to encrypt and decrypt; asymmetric uses two different keys', B: 'Symmetric is slower than asymmetric', C: 'Asymmetric only works with small files', D: 'There is no significant difference' } },
-    { number: 22, text: 'Which vulnerability allows arbitrary code execution on a web server?', category: 'Web Security',
-        options: { A: 'CSRF', B: 'Open Redirect', C: 'Clickjacking', D: 'Remote Code Execution (RCE)' } },
-    { number: 23, text: 'What is OWASP?', category: 'Security',
-        options: { A: 'A security operating system', B: 'A type of firewall', C: 'An organization that publishes web security standards and guides', D: 'A programming language for security' } },
-    { number: 24, text: 'Which Linux command changes file permissions?', category: 'Linux',
-        options: { A: 'chown', B: 'chmod', C: 'chgrp', D: 'passwd' } },
-    { number: 25, text: 'What is an SSL/TLS certificate?', category: 'Cryptography',
-        options: { A: 'A digital document that verifies a website identity', B: 'A file containing malware', C: 'A private key for SSH', D: 'A type of encrypted database' } },
-    { number: 26, text: 'Which of the following is a social engineering attack?', category: 'Security',
-        options: { A: 'Buffer overflow', B: 'Phishing', C: 'SQL Injection', D: 'Port scanning' } },
-    { number: 27, text: 'What does the Linux command "grep" do?', category: 'Linux',
-        options: { A: 'Compresses files', B: 'Configures the network', C: 'Shows active processes', D: 'Searches for text patterns in files' } },
-    { number: 28, text: 'What is a VPN?', category: 'Network',
-        options: { A: 'A type of virus', B: 'A file transfer protocol', C: 'A virtual private network that encrypts internet traffic', D: 'A vulnerability scanner' } },
-    { number: 29, text: 'What is CSRF (Cross-Site Request Forgery)?', category: 'Web Security',
-        options: { A: 'An attack that forces a user browser to perform unauthorized actions', B: 'A data encryption method', C: 'A type of network scanner', D: 'A file compression technique' } },
-    { number: 30, text: 'What is the best practice for storing passwords in a database?', category: 'Security',
-        options: { A: 'Plain text', B: 'Hashed with salt', C: 'Encrypted with AES', D: 'Encoded in Base64' } },
-];
-/** Fisher-Yates shuffle, returns a new array. */
-function shuffle(arr) {
-    const out = [...arr];
-    for (let i = out.length - 1; i > 0; i--) {
-        const j = Math.floor(Math.random() * (i + 1));
-        [out[i], out[j]] = [out[j], out[i]];
-    }
-    return out;
-}
-/**
- * Shuffle the four options within a single question; recompute the answer letter
- * and record `sourceOrder` so the shuffle can be replayed against a different
- * translation of the same question (used by lang-switch to keep answers).
- */
-function shuffleQuestionOptions(q) {
-    if (!q.answer)
-        return q;
-    const keys = ['A', 'B', 'C', 'D'];
-    const sourceOrder = shuffle(keys);
-    const newOptions = {
-        A: q.options[sourceOrder[0]],
-        B: q.options[sourceOrder[1]],
-        C: q.options[sourceOrder[2]],
-        D: q.options[sourceOrder[3]],
-    };
-    const newAnswer = keys[sourceOrder.indexOf(q.answer)];
-    return { ...q, options: newOptions, answer: newAnswer, sourceOrder };
-}
-/**
- * Pick `n` random questions from the pool, shuffle each question's options,
- * renumber 1..n. Returns fully self-contained questions with answer + explanation
- * populated, so downstream code does not need to look up DEMO_ANSWERS by number.
- */
-export function pickDemoQuestions(n = DEMO_PICK_SIZE) {
-    const translatedPool = getLocalizedDemoQuestions();
-    const explanations = getLocalizedExplanations();
-    // Enrich pool with answer + explanation keyed by ORIGINAL number
-    const enriched = translatedPool.map((q) => ({
-        ...q,
-        answer: DEMO_ANSWERS[q.number],
-        explanation: explanations[q.number],
-    }));
-    // Shuffle pool, pick n, shuffle each question's options, renumber 1..n.
-    // Keep the original pool number as `sourceNumber` so lang-switch can re-translate
-    // this exact question without losing the user's answer.
-    const picked = shuffle(enriched).slice(0, n);
-    return picked.map((q, i) => {
-        const shuffled = shuffleQuestionOptions(q);
-        return { ...shuffled, sourceNumber: q.number, number: i + 1 };
-    });
-}
-/**
- * Get localized explanations for demo questions.
- * Reads from translations/<lang>/demo-explanations.json.
- * Falls back to English for any missing entries.
- */
-export function getLocalizedExplanations() {
-    const lang = getConfig().language;
-    if (!lang || lang === 'en')
-        return DEMO_EXPLANATIONS;
-    const path = join(__dirname, '..', '..', 'translations', lang, 'demo-explanations.json');
-    if (!existsSync(path))
-        return DEMO_EXPLANATIONS;
-    try {
-        const data = JSON.parse(readFileSync(path, 'utf-8'));
-        if (data && typeof data === 'object') {
-            // Merge: translated entries override English, missing entries stay English
-            return { ...DEMO_EXPLANATIONS, ...data };
-        }
-    }
-    catch { }
-    return DEMO_EXPLANATIONS;
-}
-/**
- * Get demo questions translated to user's language.
- * Reads from translations/<lang>/demo.json (bundled static file).
- * Per-question fallback: missing entries use the English source.
- */
-export function getLocalizedDemoQuestions() {
-    const lang = getConfig().language;
-    if (!lang || lang === 'en')
-        return DEMO_QUESTIONS;
-    const path = join(__dirname, '..', '..', 'translations', lang, 'demo.json');
-    if (!existsSync(path))
-        return DEMO_QUESTIONS;
-    try {
-        const data = JSON.parse(readFileSync(path, 'utf-8'));
-        if (!Array.isArray(data))
-            return DEMO_QUESTIONS;
-        // Per-question merge: use translated where available, English fallback otherwise.
-        return DEMO_QUESTIONS.map((eng) => {
-            const tr = data.find((d) => d.number === eng.number);
-            return tr && tr.options ? tr : eng;
-        });
-    }
-    catch { }
-    return DEMO_QUESTIONS;
-}
-/**
- * Get localized demo session name.
- */
-export function getLocalizedDemoSession() {
-    const lang = getConfig().language;
-    if (!lang || lang === 'en')
-        return { ...DEMO_SESSION, startedAt: '' };
-    const names = {
-        zh: 'ICOA 模拟考试 — 免费练习',
-        ja: 'ICOA デモ試験 — 無料練習',
-        ko: 'ICOA 데모 시험 — 무료 연습',
-        es: 'ICOA Examen Demo — Práctica Gratis',
-        ar: 'اختبار ICOA التجريبي — تدريب مجاني',
-        fr: 'ICOA Examen Démo — Pratique Gratuite',
-        pt: 'ICOA Exame Demo — Prática Gratuita',
-        ru: 'ICOA Демо Экзамен — Бесплатная Практика',
-        hi: 'ICOA डेमो परीक्षा — निःशुल्क अभ्यास',
-        de: 'ICOA Demo-Prüfung — Kostenlose Übung',
-        id: 'ICOA Ujian Demo — Latihan Gratis',
-        th: 'ICOA สอบทดลอง — ฝึกฟรี',
-        vi: 'ICOA Thi Thử — Luyện Tập Miễn Phí',
-        tr: 'ICOA Demo Sınav — Ücretsiz Uygulama',
-        uk: 'ICOA Демо Екзамен — Безплатна Практика',
-        ht: 'ICOA Egzamen Demo — Pratik Gratis',
-    };
-    return {
-        ...DEMO_SESSION,
-        examName: names[lang] || DEMO_SESSION.examName,
-        startedAt: '',
-    };
-}
+import{existsSync as e,readFileSync as t}from"node:fs";import{join as r,dirname as i}from"node:path";import{fileURLToPath as n}from"node:url";import{getConfig as o}from"./config.js";const s=i(n(import.meta.url));export const DEMO_POOL_SIZE=30;export const DEMO_PICK_SIZE=10;export const DEMO_SESSION={examId:"demo-free",examName:"ICOA Demo Exam — Free Practice",startedAt:"",durationMinutes:0,questionCount:10,country:"ALL"};export const DEMO_ANSWERS={1:"B",2:"B",3:"C",4:"B",5:"C",6:"B",7:"B",8:"C",9:"C",10:"B",11:"C",12:"B",13:"B",14:"B",15:"B",16:"D",17:"D",18:"C",19:"C",20:"B",21:"A",22:"D",23:"C",24:"B",25:"A",26:"B",27:"D",28:"C",29:"A",30:"B"};export const DEMO_EXPLANATIONS={1:"RSA is an asymmetric (public-key) cipher. AES, DES, and Blowfish are all symmetric ciphers that use the same key for encryption and decryption.",2:"SQL injection occurs when user input is inserted directly into database queries without proper sanitization, allowing attackers to manipulate the query.",3:"HTTP 403 means Forbidden — the server understood the request but refuses to authorize it. 401 is Unauthorized, 404 is Not Found, 500 is Internal Server Error.",4:"A nonce (number used once) is a random value used in cryptographic protocols to prevent replay attacks — ensuring each request or message is unique and cannot be reused by an attacker.",5:"Wireshark is the standard tool for capturing and analyzing network packets. Burp Suite is for web testing, John the Ripper for password cracking, Ghidra for reverse engineering.",6:"XSS stands for Cross-Site Scripting — a vulnerability where attackers inject malicious scripts into web pages viewed by other users.",7:"A firewall filters network traffic based on security rules, blocking unauthorized access while allowing legitimate communication. It does not encrypt, scan for viruses, or speed up connections.",8:"A Trojan disguises itself as legitimate software to trick users into installing it. Unlike worms, Trojans do not self-replicate.",9:"HTTPS (HTTP Secure) uses TLS/SSL to encrypt web traffic, protecting data from eavesdropping and tampering. HTTP, FTP, and SMTP are not secure by default.",10:"A cryptographic hash is a one-way function that produces a fixed-size digest. It cannot be reversed, unlike encryption.",11:"Ghidra is a reverse engineering and binary analysis tool developed by the NSA. Nmap scans ports, SQLMap tests SQL injection, Nikto scans web servers.",12:"DNS Spoofing (cache poisoning) manipulates DNS responses to redirect victims to attacker-controlled servers. It is distinct from phishing, SQLi, and brute force.",13:"SSH (Secure Shell) runs on port 22 by default. Port 21 is FTP, 80 is HTTP, 443 is HTTPS.",14:"Two-factor authentication (2FA) requires two distinct types of credentials — something you know (password) and something you have (phone/token) or are (biometrics).",15:'The command "netstat -tulpn" shows all listening TCP/UDP ports with process info. "ls -la" lists files, "chmod" changes permissions, "cat /etc/passwd" shows user accounts.',16:"A Man-in-the-Middle (MitM) attack intercepts and potentially modifies communications between two parties who believe they are communicating directly with each other.",17:"SHA-256 is a cryptographic hash function. AES-256 is a symmetric cipher, RSA-2048 is an asymmetric cipher, and Diffie-Hellman is a key exchange protocol.",18:"The principle of least privilege means granting users only the minimum permissions necessary to perform their tasks, reducing the attack surface.",19:"Nmap is the standard port scanning tool. Wireshark captures packets, Metasploit is an exploitation framework, and Hashcat is a password cracker.",20:"Ransomware encrypts the victim's files and demands payment (usually cryptocurrency) in exchange for the decryption key.",21:"Symmetric encryption uses a single shared key for both encrypting and decrypting. Asymmetric encryption uses a key pair — a public key to encrypt and a private key to decrypt.",22:"Remote Code Execution (RCE) allows an attacker to run arbitrary code on a target server, often leading to full system compromise. CSRF, clickjacking, and open redirect have different impacts.",23:"OWASP (Open Web Application Security Project) is a non-profit organization that publishes widely-used web security standards and guides, including the OWASP Top 10.",24:"The chmod command changes file permissions in Linux. chown changes ownership, chgrp changes group, and passwd changes user passwords.",25:"An SSL/TLS certificate is a digital document issued by a trusted Certificate Authority that verifies a website's identity and enables encrypted HTTPS connections.",26:"Phishing is a social engineering attack that tricks people into revealing sensitive information. Buffer overflow, SQL injection, and port scanning are technical attacks.",27:"The grep command searches for text patterns in files using regular expressions. It is one of the most commonly used Linux text processing tools.",28:"A VPN (Virtual Private Network) creates an encrypted tunnel for internet traffic, protecting data from interception and masking the user's IP address.",29:"CSRF (Cross-Site Request Forgery) tricks a logged-in user's browser into performing unwanted actions on a trusted site, such as changing account settings or transferring funds.",30:"Passwords should be stored as salted cryptographic hashes. Plain text and Base64 are insecure, and AES encryption is reversible if the key is compromised. Salted hashing is one-way and resistant to rainbow tables."};export const DEMO_QUESTIONS=[{number:1,text:"Which algorithm is NOT a symmetric cipher?",category:"Cryptography",options:{A:"AES",B:"RSA",C:"DES",D:"Blowfish"}},{number:2,text:"What does SQL injection exploit?",category:"Web Security",options:{A:"Buffer overflow in web server",B:"Unsanitized user input in database queries",C:"Weak encryption algorithms",D:"Misconfigured firewall rules"}},{number:3,text:'Which HTTP status code indicates "Forbidden"?',category:"Web Security",options:{A:"401",B:"404",C:"403",D:"500"}},{number:4,text:"What is the primary purpose of a nonce in cryptography?",category:"Cryptography",options:{A:"Encrypt data at rest",B:"Prevent replay attacks",C:"Generate random passwords",D:"Compress data before encryption"}},{number:5,text:"Which tool is commonly used for network packet capture?",category:"Network",options:{A:"Burp Suite",B:"Ghidra",C:"Wireshark",D:"John the Ripper"}},{number:6,text:"What does XSS stand for in cybersecurity?",category:"Web Security",options:{A:"Extended Security System",B:"Cross-Site Scripting",C:"XML Secure Socket",D:"Cross-Server Sharing"}},{number:7,text:"What is the primary function of a firewall?",category:"Network",options:{A:"Encrypt network data",B:"Filter network traffic based on security rules",C:"Detect viruses in files",D:"Speed up internet connection"}},{number:8,text:"Which type of malware disguises itself as legitimate software?",category:"Malware",options:{A:"Worm",B:"Ransomware",C:"Trojan",D:"Adware"}},{number:9,text:"Which protocol provides secure communication on the web?",category:"Network",options:{A:"HTTP",B:"FTP",C:"HTTPS",D:"SMTP"}},{number:10,text:"What is a cryptographic hash?",category:"Cryptography",options:{A:"A reversible encryption key",B:"A one-way function producing a fixed-size digest",C:"An authentication protocol",D:"A type of digital signature"}},{number:11,text:"Which tool is used for binary analysis?",category:"Reverse Engineering",options:{A:"Nmap",B:"SQLMap",C:"Ghidra",D:"Nikto"}},{number:12,text:"Which attack manipulates DNS requests to redirect traffic?",category:"Network",options:{A:"Phishing",B:"DNS Spoofing",C:"SQL Injection",D:"Brute Force"}},{number:13,text:"What is the standard port for SSH?",category:"Network",options:{A:"21",B:"22",C:"80",D:"443"}},{number:14,text:"What is two-factor authentication (2FA)?",category:"Authentication",options:{A:"Using two different passwords",B:"Verifying identity with two distinct types of credentials",C:"Encrypting data twice",D:"Connecting through two networks"}},{number:15,text:"Which Linux command shows open ports on a system?",category:"Linux",options:{A:"ls -la",B:"netstat -tulpn",C:"chmod 777",D:"cat /etc/passwd"}},{number:16,text:"What is a Man-in-the-Middle (MitM) attack?",category:"Network",options:{A:"Accessing a server without authorization",B:"Guessing passwords by brute force",C:"Sending multiple requests to overload a server",D:"Intercepting and modifying communications between two parties"}},{number:17,text:"Which of these is a hash algorithm?",category:"Cryptography",options:{A:"AES-256",B:"Diffie-Hellman",C:"RSA-2048",D:"SHA-256"}},{number:18,text:"What is the principle of least privilege?",category:"Security",options:{A:"Give root access to all users",B:"Use the shortest password possible",C:"Grant only the permissions necessary to perform a task",D:"Disable all firewalls"}},{number:19,text:"Which tool is commonly used for port scanning?",category:"Network",options:{A:"Wireshark",B:"Metasploit",C:"Nmap",D:"Hashcat"}},{number:20,text:"What is ransomware?",category:"Malware",options:{A:"Software that shows unwanted ads",B:"Software that encrypts files and demands payment to decrypt",C:"Software that records keystrokes",D:"Software that replicates across networks"}},{number:21,text:"What is the difference between symmetric and asymmetric encryption?",category:"Cryptography",options:{A:"Symmetric uses the same key to encrypt and decrypt; asymmetric uses two different keys",B:"Symmetric is slower than asymmetric",C:"Asymmetric only works with small files",D:"There is no significant difference"}},{number:22,text:"Which vulnerability allows arbitrary code execution on a web server?",category:"Web Security",options:{A:"CSRF",B:"Open Redirect",C:"Clickjacking",D:"Remote Code Execution (RCE)"}},{number:23,text:"What is OWASP?",category:"Security",options:{A:"A security operating system",B:"A type of firewall",C:"An organization that publishes web security standards and guides",D:"A programming language for security"}},{number:24,text:"Which Linux command changes file permissions?",category:"Linux",options:{A:"chown",B:"chmod",C:"chgrp",D:"passwd"}},{number:25,text:"What is an SSL/TLS certificate?",category:"Cryptography",options:{A:"A digital document that verifies a website identity",B:"A file containing malware",C:"A private key for SSH",D:"A type of encrypted database"}},{number:26,text:"Which of the following is a social engineering attack?",category:"Security",options:{A:"Buffer overflow",B:"Phishing",C:"SQL Injection",D:"Port scanning"}},{number:27,text:'What does the Linux command "grep" do?',category:"Linux",options:{A:"Compresses files",B:"Configures the network",C:"Shows active processes",D:"Searches for text patterns in files"}},{number:28,text:"What is a VPN?",category:"Network",options:{A:"A type of virus",B:"A file transfer protocol",C:"A virtual private network that encrypts internet traffic",D:"A vulnerability scanner"}},{number:29,text:"What is CSRF (Cross-Site Request Forgery)?",category:"Web Security",options:{A:"An attack that forces a user browser to perform unauthorized actions",B:"A data encryption method",C:"A type of network scanner",D:"A file compression technique"}},{number:30,text:"What is the best practice for storing passwords in a database?",category:"Security",options:{A:"Plain text",B:"Hashed with salt",C:"Encrypted with AES",D:"Encoded in Base64"}}];function a(e){const t=[...e];for(let e=t.length-1;e>0;e--){const r=Math.floor(Math.random()*(e+1));[t[e],t[r]]=[t[r],t[e]]}return t}export function pickDemoQuestions(e=10){const t=getLocalizedDemoQuestions(),r=getLocalizedExplanations();return a(t.map(e=>({...e,answer:DEMO_ANSWERS[e.number],explanation:r[e.number]}))).slice(0,e).map((e,t)=>{const r=function(e){if(!e.answer)return e;const t=["A","B","C","D"],r=a(t),i={A:e.options[r[0]],B:e.options[r[1]],C:e.options[r[2]],D:e.options[r[3]]},n=t[r.indexOf(e.answer)];return{...e,options:i,answer:n,sourceOrder:r}}(e);return{...r,sourceNumber:e.number,number:t+1}})}export function getLocalizedExplanations(){const i=o().language;if(!i||"en"===i)return DEMO_EXPLANATIONS;const n=r(s,"..","..","translations",i,"demo-explanations.json");if(!e(n))return DEMO_EXPLANATIONS;try{const e=JSON.parse(t(n,"utf-8"));if(e&&"object"==typeof e)return{...DEMO_EXPLANATIONS,...e}}catch{}return DEMO_EXPLANATIONS}export function getLocalizedDemoQuestions(){const i=o().language;if(!i||"en"===i)return DEMO_QUESTIONS;const n=r(s,"..","..","translations",i,"demo.json");if(!e(n))return DEMO_QUESTIONS;try{const e=JSON.parse(t(n,"utf-8"));return Array.isArray(e)?DEMO_QUESTIONS.map(t=>{const r=e.find(e=>e.number===t.number);return r&&r.options?r:t}):DEMO_QUESTIONS}catch{}return DEMO_QUESTIONS}export function getLocalizedDemoSession(){const e=o().language;return e&&"en"!==e?{...DEMO_SESSION,examName:{zh:"ICOA 模拟考试 — 免费练习",ja:"ICOA デモ試験 — 無料練習",ko:"ICOA 데모 시험 — 무료 연습",es:"ICOA Examen Demo — Práctica Gratis",ar:"اختبار ICOA التجريبي — تدريب مجاني",fr:"ICOA Examen Démo — Pratique Gratuite",pt:"ICOA Exame Demo — Prática Gratuita",ru:"ICOA Демо Экзамен — Бесплатная Практика",hi:"ICOA डेमो परीक्षा — निःशुल्क अभ्यास",de:"ICOA Demo-Prüfung — Kostenlose Übung",id:"ICOA Ujian Demo — Latihan Gratis",th:"ICOA สอบทดลอง — ฝึกฟรี",vi:"ICOA Thi Thử — Luyện Tập Miễn Phí",tr:"ICOA Demo Sınav — Ücretsiz Uygulama",uk:"ICOA Демо Екзамен — Безплатна Практика",ht:"ICOA Egzamen Demo — Pratik Gratis"}[e]||DEMO_SESSION.examName,startedAt:""}:{...DEMO_SESSION,startedAt:""}}

package/dist/lib/demo-flags.js

@@ -1,27 +1 @@
-// Single source of truth for the demo AI4CTF flag.
-// i18n.ts (EN) and the i18n translations must reference this constant
-// rather than hand-copying the base64 string — hand-copying created the
-// BUG-002 class drift where Q33 base64 was written as "ISOA{...}" in one
-// place and "ICOA{...}" in another. This file exists so every translation
-// picks up the correct value from one place.
-//
-// The matching unit test (test/demo-flags-consistency.test.js) scans
-// compiled i18n.js for any base64-looking string that starts with
-// "aWNvYX" (= "icoa{") and asserts they ALL equal DEMO_AI4CTF_FLAG_B64.
-// That's the drift protection: if someone hand-edits one translation's
-// b64, the scan finds two distinct values and the test fails.
-export const DEMO_AI4CTF_FLAG_B64 = 'aWNvYXt3M2xjMG1lXzJfYWk0Y3RmfQ==';
-export const DEMO_AI4CTF_FLAG_DECODED = 'icoa{w3lc0me_2_ai4ctf}';
-/**
- * Runtime verification that the b64 constant decodes to the expected plaintext.
- * Catches hand-edit drift between the two constants above.
- * Throws if they disagree. Safe to call at module load or from tests.
- */
-export function verifyDemoAi4ctfFlag() {
-    const decoded = Buffer.from(DEMO_AI4CTF_FLAG_B64, 'base64').toString('utf-8');
-    if (decoded !== DEMO_AI4CTF_FLAG_DECODED) {
-        throw new Error(`Demo flag drift: base64 '${DEMO_AI4CTF_FLAG_B64}' decodes to '${decoded}' ` +
-            `but DEMO_AI4CTF_FLAG_DECODED constant is '${DEMO_AI4CTF_FLAG_DECODED}'. ` +
-            `Fix demo-flags.ts so both halves agree.`);
-    }
-}
+export const DEMO_AI4CTF_FLAG_B64="aWNvYXt3M2xjMG1lXzJfYWk0Y3RmfQ==";export const DEMO_AI4CTF_FLAG_DECODED="icoa{w3lc0me_2_ai4ctf}";export function verifyDemoAi4ctfFlag(){const t=Buffer.from(DEMO_AI4CTF_FLAG_B64,"base64").toString("utf-8");if("icoa{w3lc0me_2_ai4ctf}"!==t)throw new Error(`Demo flag drift: base64 '${DEMO_AI4CTF_FLAG_B64}' decodes to '${t}' but DEMO_AI4CTF_FLAG_DECODED constant is 'icoa{w3lc0me_2_ai4ctf}'. Fix demo-flags.ts so both halves agree.`)}