lohjs-0/aegis

GitHub: lohjs-0/aegis

ÆGIS is a gamified, real-time serverless security training platform that builds learners' hands-on skills by simulating APT attacks.

Stars: 2 | Forks: 1


**A gamified, real-time serverless security training platform.**

![JavaScript](https://img.shields.io/badge/JavaScript-4a9068?style=for-the-badge&logo=javascript&logoColor=000000) ![HTML5](https://img.shields.io/badge/HTML5-000000?style=for-the-badge&logo=html5&logoColor=4a9068) ![CSS3](https://img.shields.io/badge/CSS3-4a9068?style=for-the-badge&logo=css3&logoColor=000000) ![Supabase](https://img.shields.io/badge/Supabase-000000?style=for-the-badge&logo=supabase&logoColor=4a9068) ![MIT License](https://img.shields.io/badge/MIT_License-4a9068?style=for-the-badge&logo=opensourceinitiative&logoColor=000000) [![Contributing](https://img.shields.io/badge/Contributing-000000?style=for-the-badge&logo=github&logoColor=4a9068)](CONTRIBUTING.md) [![Code of Conduct](https://img.shields.io/badge/Code_of_Conduct-4a9068?style=for-the-badge&logo=contributorcovenant&logoColor=000000)](CODE_OF_CONDUCT.md)

## `// What is ÆGIS?`

ÆGIS is a gamified offensive and defensive cybersecurity training platform focused on serverless environments. Instead of passive lessons and static quizzes, it runs an active APT (advanced persistent threat) called **Loki's Shadows** that attacks players in real time with real-world payloads while they learn.

```
▸ Command Injection
▸ SSRF
▸ IDOR
▸ Supply Chain Attacks
▸ Broken Authentication
▸ Privilege Escalation
▸ Cloud attack vectors
▸ Defensive mitigation strategies
```

Learn under pressure.

## `// Why ÆGIS?`

Most learning platforms separate theory from practice. ÆGIS does the opposite. While players read documentation, complete missions, or review study material, the platform continuously launches simulated attacks against them.

```
OBJECTIVES
──────────────────────────────────────
→ real pressure
→ faster pattern recognition
→ offensive-defensive thinking
→ practical security instincts
```

You are not preparing for an attack. **You are surviving while you learn.**

## `// Core Mechanics`

| System | Module | Description |
|------|------|------|
| `☽` | **Loki's Shadows** | Real-time attack engine with adaptive escalation |
| `⊞` | **Mission System** | Progressive security scenarios with vulnerable code and defensive fixes |
| `⚡` | **Flashcards** | Mission-based spaced-repetition learning system |
| `▣` | **Mock Exams** | Timed security exams and challenge mode |
| `◈` | **Study Modules** | Domain documentation, theory, payload analysis, and code walkthroughs |
| `✦` | **Leaderboard** | Real-time global ranking powered by Supabase |
| `◈` | **ÆGIS-BOT** | Context-aware AI tutor |
| `☠` | **Loki** | Dynamic taunts and adaptive attack behavior |

## `// Loki's Shadows — Escalation System`

Loki dynamically adjusts attack intensity according to the mission in progress.

```
MISSION  THEME               INTERVAL   TIMER   BURST
─────────────────────────────────────────────────────────────
01       Command Injection   30–45s     15s     —
02       IDOR                22–35s     13s     —
03       Broken Auth         16–28s     11s     15% double
04       SSRF                12–22s     9s      25% double
05       Supply Chain        9–16s      8s      35% double
06       Final APT           7–13s      7s      50% triple  ◀ MAX
```

**Themed payload examples:**

```
→ IDOR          object access manipulation
→ Broken Auth   forged JWT payloads
→ SSRF          AWS metadata exploitation
→ Supply Chain  poisoned dependencies
```

**Attack distribution:**

```
70%  mission-specific attacks
30%  global attack pool
```

```
// every blocked attack → +XP +HP recovery
// every mistake        → ÆGIS shield damage
// HP reaches 0%        → system collapse
```

## `// Mission Structure`

Each mission contains:

```
[1] Vulnerable scenario
[2] Attack explanation
[3] Defensive implementation
[4] Final checkpoint
```

| Mission | Theme |
|------|------|
| Mission 01 | Command Injection |
| Mission 02 | IDOR |
| Mission 03 | Broken Authentication |
| Mission 04 | SSRF |
| Mission 05 | Supply Chain Attacks |
| Mission 06 | Final APT |
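The escalation table and the 70/30 attack distribution from the Loki's Shadows section, expressed as a scheduler. This is an added example, not code from the ÆGIS repository: `planNextAttack`, `expectedAttacksPerMinute`, `levelFor` and the injectable `rng` are hypothetical names, and reading TIMER as the response window, BURST as the chance of a multi-attack wave, and the interval as a uniform draw are assumptions.

```javascript
// Added example, not code from the ÆGIS repository.
// Values are copied from the README's escalation table; TIMER is read as the
// response window and BURST as the chance of a multi-attack wave (assumptions).
const ESCALATION = {
  1: { theme: 'Command Injection', interval: [30, 45], timer: 15, burst: null },
  2: { theme: 'IDOR',              interval: [22, 35], timer: 13, burst: null },
  3: { theme: 'Broken Auth',       interval: [16, 28], timer: 11, burst: { chance: 0.15, size: 2 } },
  4: { theme: 'SSRF',              interval: [12, 22], timer: 9,  burst: { chance: 0.25, size: 2 } },
  5: { theme: 'Supply Chain',      interval: [9, 16],  timer: 8,  burst: { chance: 0.35, size: 2 } },
  6: { theme: 'Final APT',         interval: [7, 13],  timer: 7,  burst: { chance: 0.50, size: 3 } },
};
const MISSION_SHARE = 0.7; // 70% mission-specific attacks, 30% global pool

function levelFor(mission) {
  const level = ESCALATION[mission];
  if (!level) throw new RangeError(`unknown mission: ${mission}`);
  return level;
}

// Plan one wave. `rng` is injectable so a run can be replayed deterministically.
function planNextAttack(mission, rng = Math.random) {
  const level = levelFor(mission);
  const [min, max] = level.interval;
  const delaySeconds = min + rng() * (max - min); // assumed uniform in [min, max)
  const isBurst = level.burst !== null && rng() < level.burst.chance;
  const size = isBurst ? level.burst.size : 1;
  const pools = Array.from({ length: size }, () =>
    (rng() < MISSION_SHARE ? 'mission' : 'global'));
  return { theme: level.theme, delaySeconds, timerSeconds: level.timer, pools };
}

// Long-run attacks per minute: waves per minute times mean wave size.
function expectedAttacksPerMinute(mission) {
  const { interval: [min, max], burst } = levelFor(mission);
  const meanWaveSize = burst ? 1 + burst.chance * (burst.size - 1) : 1;
  return (60 / ((min + max) / 2)) * meanWaveSize;
}

// Mission 01 averages 1.6 attacks/min; mission 06 averages 12.
for (const m of Object.keys(ESCALATION)) {
  console.log(m, ESCALATION[m].theme, expectedAttacksPerMinute(m).toFixed(2));
}
```

Under these assumptions the pressure curve is steeper than the interval column alone suggests: the burst chance doubles the effective attack rate in mission 06.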
## `// ÆGIS-BOT`

The platform includes a context-aware AI tutor that understands:

```
→ active section
→ mission progress
→ player HP
→ guardian level
→ current challenge state
```

Common questions are answered locally with **near-zero latency**.

## `// XP System`

All progression flows through:

```
window._grantXP({
  xp: 60,
  hp: -20,
  blocks: 1,
  fails: 1,
  label: 'missions:loki',
});
```

| Event | Result |
|------|------|
| Loki attack successfully defended | `+XP` `+HP recovery` |
| Mission completed | `large XP bonus` |
| Mock exam question answered correctly | `+XP` |
| Defense failed | `-HP` |
| Timeout | `heavy HP damage` |

## `// Architecture`

```
ÆGIS/
├── index.html
├── main.js
├── style.css
├── config.js
└── js/
    ├── ai-router.js
    ├── missions-attacks.js
    ├── missions-data.js
    ├── missions-ui.js
    ├── personalities.js
    ├── estudos.js
    ├── estudos_content.js
    ├── ranking.js            ← STATE wrapped in Proxy → auto Supabase sync
    ├── nick-screen.js
    └── aegis-mobile-nav.js
```

## `// Tech Stack`

```
Frontend  → HTML + CSS + Vanilla JavaScript
Backend   → Node.js + Express
Database  → PostgreSQL (Supabase)
Auth      → Supabase Auth
Deploy    → Railway
Build     → No bundlers / zero dependencies
```

## `// Dependencies`

```
express      ^4.18.2   → HTTP server
cors         ^2.8.5    → Cross-origin requests
dotenv       ^16.4.5   → Environment variables
node-fetch   ^2.7.0    → Server-side fetch
nodemon      ^3.1.0    → Dev auto-reload
```

## `// Local Deployment`

```
# install dependencies
npm install

# configure environment
cp .env.example .env

# start the development server (nodemon auto-reload)
npm run dev

# start the server without auto-reload
npm start
```

```
http://localhost:3000
```

## `// Supabase Configuration`

```
const SUPABASE_URL = 'your-url';
const SUPABASE_KEY = 'your-key';
```

## `// Console Commands`

```
launchAttack();
window._grantXP({ xp: 500, hp: 50 });
window.STATE.aegisHp = 0;
triggerAegisDeath();
onMissionCompleted(1, 200);
navigate('ranking');
console.log(window.STATE);
```

## `// Roadmap`

**Current version**

- [x] Real-time Loki attacks
- [x] Dynamic escalation system
- [x] Themed payload engine
- [x] 6 progressive missions
- [x] Flashcard system
- [x] Study modules
- [x] AI tutor integration
- [x] Real-time leaderboard
- [x] Responsive mobile layout
- [x] Guardian login screen

For the full roadmap, including features planned for Season 01.5 and Season 02, see the [roadmap](ROADMAP.md).

## `// Design Philosophy`

```
Security is not learned passively.
Recognition comes from exposure.
Instinct comes from repetition.
Discipline comes from pressure.
ÆGIS was built to simulate that pressure.
```

## `// License`

This project is released under the [MIT License](LICENSE).
```
> LOKI'S SHADOWS IS MONITORING THIS FREQUENCY
> 01000111 01110101 01100001 01110010 01100100 01101001
> Guardian — ÆGIS depends on you
```