deadwood-sec 0.1.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,25 @@
1
+ name: CI
2
+
3
+ on:
4
+ push:
5
+ branches: [main]
6
+ pull_request:
7
+ branches: [main]
8
+
9
+ jobs:
10
+ test:
11
+ runs-on: ubuntu-latest
12
+ strategy:
13
+ fail-fast: false
14
+ matrix:
15
+ python-version: ["3.10", "3.11", "3.12"]
16
+ steps:
17
+ - uses: actions/checkout@v5
18
+ - name: Set up Python ${{ matrix.python-version }}
19
+ uses: actions/setup-python@v6
20
+ with:
21
+ python-version: ${{ matrix.python-version }}
22
+ - name: Install
23
+ run: pip install -e ".[dev]"
24
+ - name: Test
25
+ run: pytest -q
@@ -0,0 +1,30 @@
1
+ name: release
2
+
3
+ on:
4
+ push:
5
+ tags: ["v*"]
6
+
7
+ permissions:
8
+ contents: write
9
+ id-token: write # lets PyPI Trusted Publishing mint a short-lived token (no secrets stored)
10
+
11
+ jobs:
12
+ release:
13
+ runs-on: ubuntu-latest
14
+ environment: pypi # must match the environment set on the PyPI trusted publisher
15
+ steps:
16
+ - uses: actions/checkout@v5
17
+ - uses: actions/setup-python@v6
18
+ with:
19
+ python-version: "3.12"
20
+ - name: Build sdist and wheel
21
+ run: |
22
+ python -m pip install --upgrade build
23
+ python -m build
24
+ - name: Publish GitHub release
25
+ uses: softprops/action-gh-release@v3
26
+ with:
27
+ generate_release_notes: true
28
+ files: dist/*
29
+ - name: Publish to PyPI
30
+ uses: pypa/gh-action-pypi-publish@release/v1
@@ -0,0 +1,7 @@
1
+ __pycache__/
2
+ *.py[cod]
3
+ *.egg-info/
4
+ build/
5
+ dist/
6
+ .venv/
7
+ .pytest_cache/
@@ -0,0 +1,16 @@
1
+ # Changelog
2
+
3
+ All notable changes to this project are documented here. The format is loosely
4
+ based on [Keep a Changelog](https://keepachangelog.com/).
5
+
6
+ ## [0.1.0]
7
+
8
+ ### Added
9
+ - The range: a dependency-free, leveled web-security target that runs on
10
+ localhost only, with a town-map UI, per-level briefings, **progressive hints**,
11
+ a **view-the-vulnerable-source / how-to-fix** reveal, per-install flags
12
+ (`DEADWOOD{...}`) and a local scoreboard.
13
+ - A realistic seeded world — the fictional *Deadwood Telegraph & Trust Co.*
14
+ (employees, customers, accounts, transactions, telegrams).
15
+ - CLI: `serve`, `levels`, `learn <slug>`, `flag <slug> <value>`, `reset`.
16
+ - **Level 1 — First Blood**: in-band UNION SQL injection in the staff directory.
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 Gustavo Almeida
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,116 @@
1
+ Metadata-Version: 2.4
2
+ Name: deadwood-sec
3
+ Version: 0.1.0
4
+ Summary: A self-hosted web-security range, leveled tutorial-to-impossible — the practice town for wraith and hickok.
5
+ Project-URL: Homepage, https://github.com/gusta-ve/deadwood
6
+ Project-URL: Source, https://github.com/gusta-ve/deadwood
7
+ Project-URL: Changelog, https://github.com/gusta-ve/deadwood/blob/main/CHANGELOG.md
8
+ Author: gusta-ve
9
+ License-Expression: MIT
10
+ License-File: LICENSE
11
+ Keywords: appsec,command-injection,ctf,education,lab,pentest,range,security,sql-injection,training,vulnerable
12
+ Classifier: Development Status :: 3 - Alpha
13
+ Classifier: Environment :: Web Environment
14
+ Classifier: Intended Audience :: Information Technology
15
+ Classifier: License :: OSI Approved :: MIT License
16
+ Classifier: Programming Language :: Python :: 3 :: Only
17
+ Classifier: Topic :: Education
18
+ Classifier: Topic :: Security
19
+ Requires-Python: >=3.10
20
+ Provides-Extra: dev
21
+ Requires-Dist: pytest; extra == 'dev'
22
+ Description-Content-Type: text/markdown
23
+
24
+ # deadwood
25
+
26
+ A self-hosted **web-security range** that doubles as a tutorial — graded levels
27
+ from the first trivial injection to the deliberately near-impossible. It's the
28
+ practice town for the dead man's hand: scout each room with
29
+ [**wraith**](https://github.com/gusta-ve/wraith), take it with
30
+ [**hickok**](https://github.com/gusta-ve/hickok), capture the flag, then read the
31
+ vulnerable source and the fix.
32
+
33
+ Dependency-free (stdlib + SQLite). Runs on **127.0.0.1 only**.
34
+
35
+ [![PyPI](https://img.shields.io/pypi/v/deadwood-sec?color=ffb946&label=pypi)](https://pypi.org/project/deadwood-sec/)
36
+ ![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue)
37
+ ![MIT](https://img.shields.io/badge/license-MIT-green)
38
+
39
+ > ⚠️ **deadwood is intentionally vulnerable, by design.** It refuses to bind
40
+ > anything but loopback unless you force it. Never expose it to a network, a VM
41
+ > bridge, or the internet. Attack only this app, on your own machine.
42
+
43
+ - [Install](#install)
44
+ - [Run it](#run-it)
45
+ - [How a level works](#how-a-level-works)
46
+ - [The levels](#the-levels)
47
+ - [Pairing with wraith & hickok](#pairing-with-wraith--hickok)
48
+
49
+ ## Install
50
+
51
+ ```bash
52
+ pipx install deadwood-sec # gives you the `deadwood` command
53
+ ```
54
+
55
+ Or from a clone: `pip install -e .` — or run it with no install:
56
+ `PYTHONPATH=src python3 -m deadwood`.
57
+
58
+ ## Run it
59
+
60
+ ```bash
61
+ deadwood serve # http://127.0.0.1:8666 (the town map)
62
+ deadwood levels # list the rooms and your progress
63
+ deadwood learn first-blood # a level's briefing: objective, hints, source, the fix
64
+ deadwood flag first-blood 'DEADWOOD{...}' # submit a captured flag
65
+ ```
66
+
67
+ Open the map in a browser, pick a room, and point your tools at the app URL it
68
+ gives you (e.g. `http://127.0.0.1:8666/l/first-blood/app?id=1`).
69
+
70
+ ## How a level works
71
+
72
+ Every room is the same shape, easy to the hard:
73
+
74
+ - a **realistic app** (the fictional *Deadwood Telegraph & Trust Co.* — employees,
75
+ customers, accounts, telegrams) with one real flaw;
76
+ - a **flag** to capture (`DEADWOOD{...}`, unique to your install);
77
+ - **progressive hints** — reveal them one at a time, only if you want them;
78
+ - the **vulnerable source** and **how to fix it**, once you ask (spoilers).
79
+
80
+ Play blind for the CTF, or lean on the hints and `learn` for the tutorial. Your
81
+ captures are tracked locally.
82
+
83
+ ## The levels
84
+
85
+ Tutorial → impossible. Each maps to a technique you can practise by hand or drive
86
+ with hickok/wraith:
87
+
88
+ | # | Room | Tier | Vector |
89
+ |---|------|------|--------|
90
+ | 1 | First Blood | Tutorial | SQL injection — UNION (in-band) |
91
+ | 2 | Whispers | Easy | SQL injection — boolean-blind |
92
+ | 3 | The Telegraph | Medium | SQL injection — time-based blind |
93
+ | 4 | Back Door | Medium | OS command injection → shell |
94
+
95
+ *(more rooms land as the range grows — auth bypass, filtered/WAF'd injection,
96
+ SSTI, and the Vault.)*
97
+
98
+ ## Pairing with wraith & hickok
99
+
100
+ deadwood is the range the tools grew up on. A typical run:
101
+
102
+ ```bash
103
+ deadwood serve & # the town
104
+ hickok sql -u 'http://127.0.0.1:8666/l/first-blood/app?id=1' -p id --dump secrets
105
+ ```
106
+
107
+ When a tool can't take a room, that's a bug to fix in the tool; when a room is
108
+ too easy, that's a room to harden. They sharpen each other.
109
+
110
+ ## License
111
+
112
+ MIT.
113
+
114
+ ---
115
+
116
+ *Deadwood, 1876 — where the dead man's hand was dealt.*
@@ -0,0 +1,93 @@
1
+ # deadwood
2
+
3
+ A self-hosted **web-security range** that doubles as a tutorial — graded levels
4
+ from the first trivial injection to the deliberately near-impossible. It's the
5
+ practice town for the dead man's hand: scout each room with
6
+ [**wraith**](https://github.com/gusta-ve/wraith), take it with
7
+ [**hickok**](https://github.com/gusta-ve/hickok), capture the flag, then read the
8
+ vulnerable source and the fix.
9
+
10
+ Dependency-free (stdlib + SQLite). Runs on **127.0.0.1 only**.
11
+
12
+ [![PyPI](https://img.shields.io/pypi/v/deadwood-sec?color=ffb946&label=pypi)](https://pypi.org/project/deadwood-sec/)
13
+ ![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue)
14
+ ![MIT](https://img.shields.io/badge/license-MIT-green)
15
+
16
+ > ⚠️ **deadwood is intentionally vulnerable, by design.** It refuses to bind
17
+ > anything but loopback unless you force it. Never expose it to a network, a VM
18
+ > bridge, or the internet. Attack only this app, on your own machine.
19
+
20
+ - [Install](#install)
21
+ - [Run it](#run-it)
22
+ - [How a level works](#how-a-level-works)
23
+ - [The levels](#the-levels)
24
+ - [Pairing with wraith & hickok](#pairing-with-wraith--hickok)
25
+
26
+ ## Install
27
+
28
+ ```bash
29
+ pipx install deadwood-sec # gives you the `deadwood` command
30
+ ```
31
+
32
+ Or from a clone: `pip install -e .` — or run it with no install:
33
+ `PYTHONPATH=src python3 -m deadwood`.
34
+
35
+ ## Run it
36
+
37
+ ```bash
38
+ deadwood serve # http://127.0.0.1:8666 (the town map)
39
+ deadwood levels # list the rooms and your progress
40
+ deadwood learn first-blood # a level's briefing: objective, hints, source, the fix
41
+ deadwood flag first-blood 'DEADWOOD{...}' # submit a captured flag
42
+ ```
43
+
44
+ Open the map in a browser, pick a room, and point your tools at the app URL it
45
+ gives you (e.g. `http://127.0.0.1:8666/l/first-blood/app?id=1`).
46
+
47
+ ## How a level works
48
+
49
+ Every room is the same shape, easy to the hard:
50
+
51
+ - a **realistic app** (the fictional *Deadwood Telegraph & Trust Co.* — employees,
52
+ customers, accounts, telegrams) with one real flaw;
53
+ - a **flag** to capture (`DEADWOOD{...}`, unique to your install);
54
+ - **progressive hints** — reveal them one at a time, only if you want them;
55
+ - the **vulnerable source** and **how to fix it**, once you ask (spoilers).
56
+
57
+ Play blind for the CTF, or lean on the hints and `learn` for the tutorial. Your
58
+ captures are tracked locally.
59
+
60
+ ## The levels
61
+
62
+ Tutorial → impossible. Each maps to a technique you can practise by hand or drive
63
+ with hickok/wraith:
64
+
65
+ | # | Room | Tier | Vector |
66
+ |---|------|------|--------|
67
+ | 1 | First Blood | Tutorial | SQL injection — UNION (in-band) |
68
+ | 2 | Whispers | Easy | SQL injection — boolean-blind |
69
+ | 3 | The Telegraph | Medium | SQL injection — time-based blind |
70
+ | 4 | Back Door | Medium | OS command injection → shell |
71
+
72
+ *(more rooms land as the range grows — auth bypass, filtered/WAF'd injection,
73
+ SSTI, and the Vault.)*
74
+
75
+ ## Pairing with wraith & hickok
76
+
77
+ deadwood is the range the tools grew up on. A typical run:
78
+
79
+ ```bash
80
+ deadwood serve & # the town
81
+ hickok sql -u 'http://127.0.0.1:8666/l/first-blood/app?id=1' -p id --dump secrets
82
+ ```
83
+
84
+ When a tool can't take a room, that's a bug to fix in the tool; when a room is
85
+ too easy, that's a room to harden. They sharpen each other.
86
+
87
+ ## License
88
+
89
+ MIT.
90
+
91
+ ---
92
+
93
+ *Deadwood, 1876 — where the dead man's hand was dealt.*
@@ -0,0 +1,42 @@
1
+ [build-system]
2
+ requires = ["hatchling"]
3
+ build-backend = "hatchling.build"
4
+
5
+ [project]
6
+ name = "deadwood-sec"
7
+ dynamic = ["version"]
8
+ description = "A self-hosted web-security range, leveled tutorial-to-impossible — the practice town for wraith and hickok."
9
+ readme = "README.md"
10
+ requires-python = ">=3.10"
11
+ license = "MIT"
12
+ authors = [{ name = "gusta-ve" }]
13
+ keywords = [
14
+ "security", "ctf", "training", "education", "pentest", "appsec",
15
+ "sql-injection", "command-injection", "vulnerable", "range", "lab",
16
+ ]
17
+ classifiers = [
18
+ "Development Status :: 3 - Alpha",
19
+ "Environment :: Web Environment",
20
+ "Intended Audience :: Information Technology",
21
+ "License :: OSI Approved :: MIT License",
22
+ "Programming Language :: Python :: 3 :: Only",
23
+ "Topic :: Security",
24
+ "Topic :: Education",
25
+ ]
26
+
27
+ [project.optional-dependencies]
28
+ dev = ["pytest"]
29
+
30
+ [project.scripts]
31
+ deadwood = "deadwood.cli:main"
32
+
33
+ [project.urls]
34
+ Homepage = "https://github.com/gusta-ve/deadwood"
35
+ Source = "https://github.com/gusta-ve/deadwood"
36
+ Changelog = "https://github.com/gusta-ve/deadwood/blob/main/CHANGELOG.md"
37
+
38
+ [tool.hatch.version]
39
+ path = "src/deadwood/__init__.py"
40
+
41
+ [tool.hatch.build.targets.wheel]
42
+ packages = ["src/deadwood"]
@@ -0,0 +1,10 @@
1
+ """deadwood — a self-hosted web-security range, leveled tutorial-to-impossible.
2
+
3
+ The practice town for the dead man's hand: bring wraith to scout it and hickok to
4
+ take it. Every saloon and back room is a level — a real-looking flaw with a flag,
5
+ a lesson, and the source laid bare once you've earned it.
6
+
7
+ Intentionally vulnerable. Runs on 127.0.0.1 only. Never expose it.
8
+ """
9
+
10
+ __version__ = "0.1.0"
@@ -0,0 +1,4 @@
1
+ from deadwood.cli import main
2
+
3
+ if __name__ == "__main__":
4
+ main()
@@ -0,0 +1,138 @@
1
+ """deadwood command line — run the range, browse and learn the levels, grade flags."""
2
+
3
+ from __future__ import annotations
4
+
5
+ import argparse
6
+ import sys
7
+
8
+ import deadwood.levels # noqa: F401 (importing registers every level)
9
+ from deadwood import __version__, flags, progress, server
10
+ from deadwood.level import all_levels, by_slug
11
+
12
+ _BANNER = r"""
13
+ ___ _ _
14
+ / _ \___ __ _ __| |_ _____ (_)__/ /
15
+ / // / -_) _` |/ _` \ \ /\ / / _ \ / / _ /
16
+ /____/\__/\__,_|\__,_/\_\/\_/\___//_/\_,_/ a vulnerable range · tutorial → impossible
17
+ """
18
+
19
+
20
+ def _print_banner():
21
+ print(_BANNER.rstrip("\n"))
22
+ print(f" v{__version__} · the practice town for wraith & hickok\n")
23
+
24
+
25
+ def cmd_serve(args):
26
+ _print_banner()
27
+ sv = progress.solved()
28
+ print(f" map http://{args.host}:{args.port}/")
29
+ print(f" levels {len(all_levels())} loaded · {len(sv)} taken")
30
+ print(f" warning intentionally vulnerable — keep it on localhost, never expose it")
31
+ print("\n Ctrl-C to stop the range.\n")
32
+ try:
33
+ server.serve(args.host, args.port, allow_unsafe=args.unsafe)
34
+ except PermissionError as exc:
35
+ print(f" [-] {exc}", file=sys.stderr)
36
+ raise SystemExit(2)
37
+ except OSError as exc:
38
+ print(f" [-] cannot bind {args.host}:{args.port} — {exc}", file=sys.stderr)
39
+ raise SystemExit(2)
40
+ except KeyboardInterrupt:
41
+ print("\n range closed.")
42
+
43
+
44
+ def cmd_levels(args):
45
+ sv = progress.solved()
46
+ print()
47
+ for lv in all_levels():
48
+ mark = "✓" if lv.slug in sv else " "
49
+ print(f" [{mark}] {lv.num:02d} {lv.title:<18} {lv.tier:<11} {lv.category}")
50
+ print(f" {lv.slug:<18} {lv.brief}")
51
+ print(f"\n {len(sv)}/{len(all_levels())} taken · learn a level with `deadwood learn <slug>`\n")
52
+
53
+
54
+ def cmd_learn(args):
55
+ lv = by_slug(args.slug)
56
+ if lv is None:
57
+ print(f" no level '{args.slug}'. see `deadwood levels`.", file=sys.stderr)
58
+ raise SystemExit(2)
59
+ bar = "─" * 60
60
+ print(f"\n {lv.num:02d} · {lv.title} [{lv.tier}] {lv.category}\n {bar}")
61
+ print(f" objective\n {lv.objective}\n")
62
+ print(" hints")
63
+ for i, h in enumerate(lv.hints, 1):
64
+ print(f" {i}. {h}")
65
+ print(f"\n the vulnerable source\n{_indent(lv.source)}")
66
+ print(f"\n how to fix it\n {lv.remediation}")
67
+ print(f"\n capture the flag, then: deadwood flag {lv.slug} 'DEADWOOD{{...}}'\n")
68
+
69
+
70
+ def _indent(text, pad=" | "):
71
+ return "\n".join(pad + ln for ln in text.splitlines())
72
+
73
+
74
+ def cmd_flag(args):
75
+ lv = by_slug(args.slug)
76
+ if lv is None:
77
+ print(f" no level '{args.slug}'.", file=sys.stderr)
78
+ raise SystemExit(2)
79
+ if flags.check(lv.slug, args.value):
80
+ progress.mark(lv.slug)
81
+ print(f" ✓ {lv.title} — taken. that's the hand.")
82
+ else:
83
+ print(" ✗ not it. keep working the room.")
84
+ raise SystemExit(1)
85
+
86
+
87
+ def cmd_reset(args):
88
+ progress.reset()
89
+ print(" progress reset — every room is open again.")
90
+
91
+
92
+ def build_parser() -> argparse.ArgumentParser:
93
+ p = argparse.ArgumentParser(prog="deadwood",
94
+ description="A self-hosted, leveled web-security range "
95
+ "(tutorial → impossible). Intentionally vulnerable; "
96
+ "runs on localhost only.")
97
+ p.add_argument("--version", action="version", version=f"deadwood {__version__}")
98
+ sub = p.add_subparsers(dest="command", metavar="<command>")
99
+
100
+ s = sub.add_parser("serve", help="run the range")
101
+ s.add_argument("-H", "--host", default="127.0.0.1", help="bind host (default: 127.0.0.1)")
102
+ s.add_argument("-p", "--port", type=int, default=8666, help="bind port (default: 8666)")
103
+ s.add_argument("--unsafe", action="store_true",
104
+ help="allow binding a non-loopback host (dangerous — it's vulnerable)")
105
+ s.set_defaults(func=cmd_serve)
106
+
107
+ ls = sub.add_parser("levels", help="list the levels and your progress")
108
+ ls.set_defaults(func=cmd_levels)
109
+
110
+ lr = sub.add_parser("learn", help="the briefing for a level (objective, hints, source, fix)")
111
+ lr.add_argument("slug")
112
+ lr.set_defaults(func=cmd_learn)
113
+
114
+ fl = sub.add_parser("flag", help="submit a captured flag")
115
+ fl.add_argument("slug")
116
+ fl.add_argument("value")
117
+ fl.set_defaults(func=cmd_flag)
118
+
119
+ rs = sub.add_parser("reset", help="clear your captured-flag progress")
120
+ rs.set_defaults(func=cmd_reset)
121
+ return p
122
+
123
+
124
+ def main(argv=None):
125
+ argv = sys.argv[1:] if argv is None else list(argv)
126
+ args = build_parser().parse_args(argv)
127
+ if not getattr(args, "func", None):
128
+ _print_banner()
129
+ print(" deadwood serve run the range (http://127.0.0.1:8666)")
130
+ print(" deadwood levels list the levels")
131
+ print(" deadwood learn <slug> a level's briefing + how to fix it")
132
+ print(" deadwood flag <slug> ... submit a captured flag\n")
133
+ return
134
+ args.func(args)
135
+
136
+
137
+ if __name__ == "__main__":
138
+ main()
@@ -0,0 +1,127 @@
1
+ """The world: a believable frontier company seeded into SQLite.
2
+
3
+ Deadwood Telegraph & Trust Co. — a bank and telegraph office. Employees, customers,
4
+ accounts, transactions and internal telegrams, all generated by a small seeded
5
+ faker (stdlib only) so the data looks real and is the same every time. Levels read
6
+ from this shared world and seed their own secrets on top.
7
+ """
8
+
9
+ from __future__ import annotations
10
+
11
+ import hashlib
12
+ import random
13
+ import sqlite3
14
+ import time as _time
15
+
16
+ _FIRST = [
17
+ "Wyatt", "Martha", "Calamity", "Seth", "Al", "Sol", "Jane", "Charlie", "Doc",
18
+ "Ellis", "Nora", "Sage", "Hattie", "Cyrus", "Mabel", "Otis", "Pearl", "Gus",
19
+ "Ada", "Levi", "Ruth", "Silas", "Della", "Amos", "Iris", "Roy", "Etta", "Hank",
20
+ "Cora", "Jeb", "Lula", "Virgil", "Tess", "Boone", "Winnie", "Clay", "Goldie",
21
+ ]
22
+ _LAST = [
23
+ "Earp", "Bullock", "Hickok", "Canary", "Swearengen", "Star", "Utter", "Holliday",
24
+ "Tilghman", "Masterson", "Garrett", "Cody", "Oakley", "Ringo", "Younger", "Dalton",
25
+ "Plummer", "Slade", "Boot", "Hardin", "Doolin", "Starr", "Bass", "Reeves",
26
+ ]
27
+ _TOWNS = [
28
+ "Deadwood", "Tombstone", "Dodge City", "Abilene", "Cheyenne", "Laramie", "Yuma",
29
+ "Silverton", "Leadville", "Virginia City", "Bisbee", "Tascosa",
30
+ ]
31
+ _ROLES = [
32
+ "Teller", "Head Teller", "Clerk", "Telegraph Operator", "Bookkeeper", "Vault Manager",
33
+ "Loan Officer", "Branch Manager", "Stagecoach Agent", "Auditor",
34
+ ]
35
+ _MEMOS = [
36
+ "deposit, gold dust", "withdrawal, cash", "wire transfer", "loan repayment",
37
+ "stagecoach freight", "saloon takings", "claim payout", "cattle sale",
38
+ "telegraph fee", "vault audit adjustment",
39
+ ]
40
+ _DOMAIN = "deadwood-trust.example"
41
+
42
+
43
+ def _slugify(name: str) -> str:
44
+ return name.lower().replace(" ", "")
45
+
46
+
47
+ def _sleep(n):
48
+ """A SQLite `sleep()` — real engines have one natively; SQLite doesn't, so the
49
+ time-based level (The Telegraph) needs it provided. Capped, so an injection
50
+ can't hang the range."""
51
+ try:
52
+ _time.sleep(min(float(n), 5))
53
+ except (TypeError, ValueError):
54
+ pass
55
+ return 0
56
+
57
+
58
+ def build(db: sqlite3.Connection, seed: int = 1876) -> None:
59
+ """(Re)build the company world into `db`. Deterministic for a given seed."""
60
+ db.create_function("sleep", 1, _sleep)
61
+ rng = random.Random(seed)
62
+ db.executescript("""
63
+ DROP TABLE IF EXISTS employees;
64
+ DROP TABLE IF EXISTS customers;
65
+ DROP TABLE IF EXISTS accounts;
66
+ DROP TABLE IF EXISTS transactions;
67
+ DROP TABLE IF EXISTS telegrams;
68
+ DROP TABLE IF EXISTS secrets;
69
+ CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, role TEXT, town TEXT,
70
+ username TEXT, pw_md5 TEXT, email TEXT);
71
+ CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, town TEXT, email TEXT, joined TEXT);
72
+ CREATE TABLE accounts (id INTEGER PRIMARY KEY, customer_id INTEGER, number TEXT,
73
+ kind TEXT, balance INTEGER);
74
+ CREATE TABLE transactions (id INTEGER PRIMARY KEY, account_id INTEGER, day TEXT,
75
+ amount INTEGER, memo TEXT);
76
+ CREATE TABLE telegrams (id INTEGER PRIMARY KEY, sender TEXT, recipient TEXT,
77
+ subject TEXT, body TEXT);
78
+ CREATE TABLE secrets (id INTEGER PRIMARY KEY, label TEXT, value TEXT);
79
+ """)
80
+
81
+ def person():
82
+ return f"{rng.choice(_FIRST)} {rng.choice(_LAST)}"
83
+
84
+ # employees — note the weak MD5 password hashes (a lesson for later levels)
85
+ employees = []
86
+ used = set()
87
+ for i in range(1, 19):
88
+ name = person()
89
+ user = _slugify(name)
90
+ while user in used:
91
+ name = person()
92
+ user = _slugify(name)
93
+ used.add(user)
94
+ pw = rng.choice(["summer76", "letmein", "goldrush", "deadwood", "trotter",
95
+ "marshal", "blackhills", "aceshigh", "wagon", "telegraph"])
96
+ employees.append((i, name, rng.choice(_ROLES), rng.choice(_TOWNS), user,
97
+ hashlib.md5(pw.encode()).hexdigest(), f"{user}@{_DOMAIN}"))
98
+ db.executemany("INSERT INTO employees VALUES (?,?,?,?,?,?,?)", employees)
99
+
100
+ # customers + their accounts + a ledger of transactions
101
+ acc_id = tx_id = 0
102
+ for cid in range(1, 41):
103
+ name = person()
104
+ town = rng.choice(_TOWNS)
105
+ db.execute("INSERT INTO customers VALUES (?,?,?,?,?)",
106
+ (cid, name, town, f"{_slugify(name)}@mail.example",
107
+ f"187{rng.randint(2, 9)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}"))
108
+ for _ in range(rng.randint(1, 2)):
109
+ acc_id += 1
110
+ kind = rng.choice(["checking", "savings", "gold deposit"])
111
+ bal = rng.randint(20, 9000) * (100 if kind == "gold deposit" else 1)
112
+ db.execute("INSERT INTO accounts VALUES (?,?,?,?,?)",
113
+ (acc_id, cid, f"DW-{rng.randint(10000, 99999)}", kind, bal))
114
+ for _ in range(rng.randint(2, 6)):
115
+ tx_id += 1
116
+ db.execute("INSERT INTO transactions VALUES (?,?,?,?,?)",
117
+ (tx_id, acc_id, f"187{rng.randint(2, 9)}-{rng.randint(1, 12):02d}-{rng.randint(1, 28):02d}",
118
+ rng.randint(-2000, 5000), rng.choice(_MEMOS)))
119
+
120
+ # a few internal telegrams for colour (and a place to hide things)
121
+ for i in range(1, 9):
122
+ db.execute("INSERT INTO telegrams VALUES (?,?,?,?,?)",
123
+ (i, person(), person(), rng.choice(
124
+ ["VAULT COMBINATION CHANGED", "SHIPMENT DELAYED", "AUDIT NEXT WEEK",
125
+ "NEW TELLER STARTS MONDAY", "WIRE CONFIRMED", "CLOSE EARLY FRIDAY"]),
126
+ "STOP. " + rng.choice(_MEMOS).upper() + ". STOP."))
127
+ db.commit()