-
Notifications
You must be signed in to change notification settings - Fork 0
Deep Review Findings
Claude adversarial-review log (source-cited). This page records findings from independent verification passes against the Chernarus source mission, cross-checking the SQF code atlas, Gameplay systems atlas and other pages. Each finding is confirmed against
path:line, given a severity, and paired with a remediation playbook. It complements (does not replace) Codex's atlas pages and the Feature status register.
All paths are relative to the source mission root Missions/[55-2hc]warfarev2_073v48co.chernarus/. Arma 2 OA 1.64 — not Arma 3.
What. The PVF dispatch executes a string taken directly from the value a remote machine broadcast, with no validation that it names a known command.
-
Server/Functions/Server_HandlePVF.sqf:_script = _publicVar select 0; _parameters Spawn (Call Compile _script); -
Client/Functions/Client_HandlePVF.sqf: same pattern on_publicVar select 1. - The handlers are bound in
Common/Init/Init_PublicVariables.sqfasWFBE_PVF_<Command> addPublicVariableEventHandler { (_this select 1) Spawn WFBE_SE_FNC_HandlePVF }._this select 1is the new value chosen by the sender. - Clients legitimately reach the server channel via
Common/Functions/Common_SendToServerOptimized.sqf:15→publicVariableServer 'WFBE_PVF_<cmd>'.
The legitimate flow always sets index 0 to the bare identifier "SRVFNC<Command>", so Call Compile resolves a function-variable lookup. But nothing constrains the value to that shape: a crafted broadcast on a registered WFBE_PVF_* channel whose select 0 is arbitrary SQF text would be compiled and run on the receiver. This is the well-known Arma 2 publicVariable trust-boundary problem.
Why the usual mitigations are absent here.
-
No server-side validation.
Server_HandlePVF.sqfdoes not check that_scriptbegins withSRVFNCor is in the registered command set (confirmed: noSRVFNC/CLTFNCguard in either handler). -
No BattlEye filtering.
BattlEyeFilter/publicvariable.txtcontains a single rule,5 "kickAFK". That rule is the AFK-kick feature (the mission cannot kick directly, so it broadcastskickAFKand relies on BattlEye to kick the sender — see Networking and public variables). It is not a security filter: there is no restrictive default line and no whitelist of theWFBE_PVF_*channels with value constraints.
Severity rationale. This is a live-server hardening gap, not a mission-logic bug. It matters for any publicly-listed server (the README advertises one). It is recorded here as defensive guidance for the server owner.
Remediation playbook (cheapest first):
-
Validate before compile (server-side, no BE knowledge needed). In
Server_HandlePVF.sqf, reject any_scriptnot in the known set, e.g. build a lookup of"SRVFNC"+cmdfor every registered command at init andexitWith(with aWARNINGlog) if_scriptis not a member. Same idea forClient_HandlePVF.sqfagainstCLTFNC*. This neutralizes arbitrary-string compilation while preserving all legitimate traffic. -
Add a real BattlEye
publicvariable.txtas defense-in-depth: a restrictive default plus an explicit allow-list ofWFBE_PVF_*, the direct channels in the SQF code atlas "Direct Public Variable Channels" table, and the existingkickAFKrule. Do not add a blanket restrictive default without the allow-list, or you will break all PVF traffic. - Prefer
publicVariableClient/publicVariableServer(targeted) over broadcast for owner-directed messages to shrink the surface (already mostly done).
Server/Support/Support_Paratroopers.sqf:117 sends the marker:
[leader _playerTeam, "HandleParatrooperMarkerCreation", [_x, _sideID]] Call WFBE_CO_FNC_SendToClient;Common/Functions/Common_SendToClient.sqf turns that into WFBE_PVF_HandleParatrooperMarkerCreation (dedicated path) / CLTFNCHandleParatrooperMarkerCreation (hosted path). But:
-
HandleParatrooperMarkerCreationis not in the_clientCommandPVlist inCommon/Init/Init_PublicVariables.sqf, soWFBE_PVF_HandleParatrooperMarkerCreationhas noaddPublicVariableEventHandler, andCLTFNCHandleParatrooperMarkerCreationis never compiled (confirmed: no reference in anyInit_*).
Result: on a dedicated server the marker PV is broadcast but never handled; on a hosted/SP server Spawn (Call Compile "CLTFNCHandleParatrooperMarkerCreation") resolves to nil → no marker (and a likely script error). The send side exists; the receive side was never wired. This upgrades the atlas note ("exists but not registered") to a confirmed broken feature. Fix: add HandleParatrooperMarkerCreation to _clientCommandPV (the receiver file Client/PVFunctions/HandleParatrooperMarkerCreation.sqf already exists), or remove the dead send.
MASH markers use a two-hop relay:
- Client deploys tent →
WFBE_CL_MASH_MARKER_CREATED→ server EH inServer/Module/MASH/MASHMarker.sqf:1(registered) re-broadcastsWFBE_SE_MASH_MARKER_SENT. - The client EH that should consume
WFBE_SE_MASH_MARKER_SENTlives inClient/Module/MASH/receiverMASHmarker.sqf:1— but its only reference is the commented compile atClient/Init/Init_Client.sqf:132://WFBE_CL_FNC_ReceiverMASHmarker = Call Compile preprocessFileLineNumbers "Client\Module\MASH\receiverMASHmarker.sqf";
Result: no client ever registers the WFBE_SE_MASH_MARKER_SENT handler, so MASH map markers never appear. (MASH respawn itself is independent and may work; only the map marker is dead.) This resolves the atlas's "client receiver currently not clearly active / requires verification." Fix: uncomment/restore the receiver registration in client init, or drop the dead server re-broadcast.
DR-4 — Generated-mission drift: Takistan is in sync; the skip-list is a silent-divergence trap; modded maps are abandoned (generated-mission drift) — Medium
A full recursive diff of Missions/[55-2hc]…chernarus vs Missions_Vanilla/[61-2hc]…takistan shows every difference is exactly a LoadoutManager skip-listed file or blacklisted directory — there is no accidental drift between the two at this commit:
- Differing files:
mission.sqm,version.sqf(git-ignored),Client/GUI/GUI_Menu_Help.sqf,WASP/unsort/StartVeh.sqf,loadScreen.jpg,texHeaders.bin,Server/Init/Init_Server.sqf(theSET_MAP 1→2patch), and the blacklistedCommon/Config/Core_Artillery/*+Server/Config/*+Textures/*.
This is more reassuring but also more dangerous than the "generated missions can drift" framing elsewhere. The precise hazard is the skip-list, defined in Tools/LoadoutManager FileManagement/FileManager.cs (ShouldSkipFile + the co.takistan directory blacklist):
A gameplay edit made in Chernarus to any skip-listed file —
mission.sqm,GUI_Menu_Help.sqf,StartVeh.sqf, anything underCore_Artillery/,Server/Config/, orTextures/— will never propagate to Takistan viadotnet run. These must be hand-mirrored in both missions.
So the standard guidance "edit Chernarus + run LoadoutManager" is incomplete: it is correct for the ~95% of files that are copied, and silently wrong for the skip-listed set. See the expanded propagation guidance in Tools and build workflow.
Modded maps are abandoned/stale. Because modded propagation is commented out at Tools/LoadoutManager SqfFileGenerators/SqfFileGenerator.cs:132, the Modded_Missions/* trees are far behind Chernarus (787 files):
| Modded mission | File count | State |
|---|---|---|
…Napf |
507 | ~280 files behind |
…eden |
502 | ~285 behind |
…lingor |
438 | ~349 behind |
…dingor |
20 | stub |
…smd_sahrani_a2 |
4 | stub |
…tavi |
3 | stub |
…isladuala |
1 | stub |
None are deployable as-is; they would need full regeneration after the modded path is re-enabled. Treat Modded_Missions/* as non-authoritative.
The SQF code atlas states "659 preprocessFile references (452 preprocessFileLineNumbers + 207 plain)". An independent recount on the docs/developer-wiki-index base yields 678 total / 465 preprocessFileLineNumbers / 213 plain. The gap is small and likely reflects counting method (comment handling) or branch timing — not an error — but hardcoded counts rot as the mission changes. Recommendation: present such counts as point-in-time and ship the regeneration command so future agents verify rather than trust, e.g. (PowerShell, from the mission root):
(Get-ChildItem -Recurse -Filter *.sqf | Select-String -SimpleMatch 'preprocessFileLineNumbers').CountVerified-accurate cross-checks (for trust calibration): the atlas's FSM inventory is correct — exactly three .fsm files exist (Client/FSM/updateactions.fsm, Client/FSM/updateavailableactions.fsm, Client/kb/hq.fsm); and HandleParatrooperMarkerCreation / AttackWave / LogGameEnd are indeed outside the standard PVF list as the atlas notes.
- Decide fix-vs-remove for DR-2 (paratrooper markers) and DR-3 (MASH markers); both are one-line wiring changes in the Chernarus source.
- DR-1 server-side validation is a small, safe gameplay-code change (Chernarus
Server_HandlePVF.sqf) — gate behind review since it touches the network hot path. - Re-confirm DR-4 modded-map decision: regenerate or formally retire
Modded_Missions/*.
Lane pvf-hardening-review. This turns DR-1 into a concrete, behavior-preserving change set a code owner can apply to the Chernarus source. Every claim below was re-verified against source on this pass. Paths relative to Missions/[55-2hc]warfarev2_073v48co.chernarus/.
The dispatch targets are already-compiled global variables, created at registration in Common/Init/Init_PublicVariables.sqf:44,49:
Call Compile Format["CLTFNC%1 = compile preprocessFileLineNumbers 'Client\PVFunctions\%1.sqf'", _x]; // :44
Call Compile Format["SRVFNC%1 = compile preprocessFileLineNumbers 'Server\PVFunctions\%1.sqf'", _x]; // :49So SRVFNCRequestJoin, CLTFNCTownCaptured, … are missionNamespace variables holding code. The dispatch line Spawn (Call Compile _script) only compiles the string _script to perform a variable lookup. That means the same resolution can be done with getVariable, which treats _script purely as a name and cannot execute an arbitrary SQF string a client injected.
Replace the compile-the-string dispatch with a name lookup that defaults to a no-op.
Server/Functions/Server_HandlePVF.sqf (current _parameters Spawn (Call Compile _script);):
private _fn = missionNamespace getVariable [_script, {}]; // resolve SRVFNC<cmd>; unknown -> {}
if (_fn isEqualTo {}) exitWith {
["WARNING", format ["Server_HandlePVF: rejected unknown PVF command '%1' from network", _script]] Call WFBE_CO_FNC_LogContent;
};
_parameters Spawn _fn;Client/Functions/Client_HandlePVF.sqf (current _parameters Spawn (Call Compile _script);): identical pattern resolving CLTFNC<cmd>.
Why this is safe and behavior-identical:
- Legitimate traffic sets
_scriptto exactly"SRVFNC"+cmd/"CLTFNC"+cmd(seeCommon/Functions/Common_SendToServerOptimized.sqf:15,Common/Functions/Common_SendToClient.sqf), which resolves to the compiled function — unchanged. - A hostile value such as
"hint 'x'; <server-side effect>"is not a defined variable, sogetVariablereturns the default{}→Spawn {}→ no-op (plus a WARNING that surfaces probing in the RPT). Nocompileever runs on attacker text. -
isEqualTo {}is a valid Arma 2 OAcodecomparison; use it (notisNil) because the default is empty code, not nil.
At the end of Init_PublicVariables.sqf, snapshot the legal command set so the handler check is explicit rather than implicit:
WFBE_SE_PVF_ALLOWED = _serverCommandPV apply {format ["SRVFNC%1", _x]};
WFBE_CL_PVF_ALLOWED = _clientCommandPV apply {format ["CLTFNC%1", _x]};
publicVariable "WFBE_SE_PVF_ALLOWED"; // optional; or keep server-localThen guard with if !(_script in WFBE_SE_PVF_ALLOWED) exitWith { ...log... }; before resolving. Fix 1 already covers the same cases; use Fix 2 only if you want a named, auditable whitelist.
The shipped BattlEyeFilter/publicvariable.txt is a single line, 5 "kickAFK", which is the AFK-kick feature trigger, not a security filter (see Networking and public variables → Security). A hardened filter uses a restrictive default first line plus explicit allow exceptions:
5 "" // default: kick on any unlisted PV broadcast
!="^WFBE_PVF_[A-Za-z]+$" // allow the dispatch channels
!="^wfbe_supply_temp_(west|east)$" // allow the supply request channel
!="^(ATTACK_WAVE_INIT|CLIENT_INIT_READY|REQUEST_SUPPLY_VALUE|WFBE_CL_MASH_MARKER_CREATED|AFKthresholdExceededName|WFBE_C_PLAYER_OBJECT|WFBE_CLIENT_HAS_CONNECTED_AT_LAUNCH)$"
5 "kickAFK" // keep the AFK feature kick
⚠️ Validate the exact client→server channel list against the "Direct Public Variable Channels" table in the SQF code atlas before deploying — a too-strict default with a missing exception will kick legitimate players. BattlEye regex/escaping differs from SQF; test on a private server first. This complements, and does not replace, Fix 1 (BE filters the variable name, not the payload shape).
Fix 1 stops arbitrary code execution, but the PVF model still trusts client-sent commands and parameters. A malicious client can broadcast a legitimate command with chosen arguments — e.g. RequestChangeScore (Server/PVFunctions/RequestChangeScore.sqf sets a player's score directly from the payload) or RequestStructure — because the server handlers largely don't authenticate the sender against the payload. Closing that is a larger, per-handler effort (validate that owner/sender matches the acting player, clamp economy/score deltas, range-check structure requests). Treat this as a separate follow-up lane, not part of the dispatch fix. Documented here so the dispatch fix isn't mistaken for full PVF authorization.
- No registered handler under
Server/PVFunctions/orClient/PVFunctions/, norServer_HandleSpecial.sqf/HandleSpecial.sqf/LocalizeMessage.sqf, callscompileon its parameters — so once the dispatch command name is resolved safely, there is no second-order injection on the PVF path. The othercall compilesites in the mission compile files (Init_Coin.sqf, EASA/CM init) or local engine key-strings (coin_interface.sqf:774-777), not network data. - Handoff: this is a Chernarus-source gameplay change → after applying, run
Tools/LoadoutManagerdotnet runto propagate (noteServer_HandlePVF/Client_HandlePVFare not on the skip-list, so they propagate normally;BattlEyeFilter/lives outside the mission and is deployed with the server, not via LoadoutManager).
Lane construction-authority-review (extends Construction and CoIn systems atlas, whose "Authority Boundary" section flags this risk generically; this finding adds per-handler forgery proof + a validation design). This is the concrete realization of the command-forgery residual scoped in Round 3 (Fix 1 closes code execution, not command forgery).
DR-6 — Construction request handlers perform no sender/authority/resource validation — High (gameplay integrity)
All three construction PVF handlers derive trust from the client-supplied payload and never verify the requester. Source (verified this pass):
| Handler | Validation actually performed | Client-controlled inputs | Forgery impact |
|---|---|---|---|
Server/PVFunctions/RequestStructure.sqf |
Only: does _structureType exist in WFBE_<side>STRUCTURENAMES. |
_side (select 0), class, pos, dir — all from payload. |
Forge ["RequestStructure",[WEST,"US_WarfareBHeavyFactory_EP1",anyPos,dir]] → server ExecVMs the construction script and builds a free factory anywhere for any side. No commander check, no funds debit, no placement/base-area/hostile-town checks (those are client-only, atlas "Placement Rules"). |
Server/PVFunctions/RequestDefense.sqf |
Only: does _defenseType exist in WFBE_<side>DEFENSENAMES. |
_side, class, pos, dir, _manned — all from payload. |
Forge unlimited free defenses — incl. AI-manned static weapons and minefields (Sign_Danger) — anywhere for any side, bypassing the base-area avail budget (decremented only client-side in coin_interface.sqf:724-730). |
Server/PVFunctions/RequestMHQRepair.sqf |
None. Body is [_this] Spawn MHQRepair;. |
entire payload; MHQRepair.sqf:3 uses _side. |
MHQRepair rebuilds the side HQ from server state (GetSideHQ/GetCommanderTeam/position) with no dead-HQ check, no commander check, and none of the repair count/price gating that lives only client-side in Action_RepairMHQ.sqf. Forge ["RequestMHQRepair",[side]] → free, unlimited HQ respawn/repair; can also fire while the HQ is alive. |
-
_sideis taken from the payload, not derived from the sender. A client can act on any side's behalf. - The payloads don't even include the requesting player object, so the handlers cannot identify or authorize the sender as written.
-
Arma 2 OA
addPublicVariableEventHandlerprovides no sender identity —_thisis[varName, value]only (unlike Arma 3remoteExecutedOwner/REownership). So authority must be reconstructed: the payload must carry the player, and the server must validate that player's role/side/funds against server-side state. (This is also why DR-1's command-validation fix does not, by itself, stop forgery.)
Add the requesting player to each request and validate server-side before creating objects. Example for RequestStructure (mirror for RequestDefense; for RequestMHQRepair validate dead-HQ + commander + repair-count/price server-side):
// client (coin_interface / Action_*): include the player in the payload
["RequestStructure", [player, sideJoined, _class, _pos, _dir]] Call WFBE_CO_FNC_SendToServer;
// server RequestStructure.sqf (new guards, then existing logic):
_player = _this select 0; _side = _this select 1; _structureType = _this select 2; ...
if (isNull _player) exitWith {};
if (side _player != _side) exitWith {}; // can't build for another side
if (_player != leader ((_side) call WFBE_CO_FNC_GetCommanderTeam)) exitWith {}; // commander-only
private _cost = /* look up WFBE_<side>STRUCTURECOSTS[index] */;
if ((_side call WFBE_CO_FNC_GetSideSupply) < _cost) exitWith {}; // server-authoritative funds
[_side, -_cost, "structure build", false] call WFBE_CO_FNC_ChangeSideSupply; // debit on server
// ...then the existing class-exists lookup + ExecVM construction scriptNotes:
- Keep the client cost-deduction/preview for instant UX, but make the server the final authority on debit and creation (atlas "Cost deduction" risk row agrees). Avoid double-debit by having the client send a request and the server be the source of truth (or reconcile on the server-confirmed message).
- Re-checking full placement/collision server-side is heavier; at minimum validate side+commander+funds+class (cheap, closes the worst abuse). Base-area
availshould also be decremented/validated server-side to stop the unlimited-defense path (traceRequestBaseArea+Construction_StationaryDefensetogether, per the atlas, for JIP safety). - This is gameplay-code; gate behind review (touches the build hot path) and run LoadoutManager after.
RequestStructure/Defense/MHQRepair.sqfare not on the skip-list, so they propagate normally.
Not a crash/RCE (that's DR-1). This is gameplay-integrity / anti-grief: on a public server, a modified client can mint free factories/defenses/HQs and bypass the economy. Pair with DR-1 (validate the command) — DR-1 stops arbitrary code, DR-6 stops forged legitimate commands; both are needed for a hardened public server.
Lane antistack-db-trust. The AntiStack module persists per-player score/side and team skill to an external native extension for team-balancing. Source: Server/Module/AntiStack/callDatabase*.sqf (7 callExtension sites) + the A2WaspDatabase DLL, which is not in this repo (only the in-repo Extension/ GLOBALGAMESTATS DLL is — see External integrations). All claims verified this pass.
DR-7 — The server call compiles the extension's return value on every call — High (external trust boundary)
Every one of the seven handlers does, in effect:
_response = "A2WaspDatabase" callExtension format ["%1,%2", _procedureCode, _parameters];
_response = call compile _response; // <-- executes the DLL's stdout as SQF
_responseCode = _response select 0;(callDatabaseStore.sqf, callDatabaseRetrieve.sqf ×2 incl. the 505 poll, callDatabaseSendPlayerList.sqf, callDatabaseRequestSideTotalSkill.sqf ×2, callDatabaseSetMap.sqf, callDatabaseStoreSide.sqf, callDatabaseFlushPlayerList.sqf.)
callExtension returns a string from a native DLL, and the mission compiles+executes it. The server therefore fully trusts the A2WaspDatabase process's stdout as code. Why this matters:
- Compromise/replacement/bug → server RCE. Any DLL that returns SQF other than the expected numeric array literal runs on the server. The DLL is third-party and absent from the repo, so its behaviour can't be audited here.
-
Malformed/empty return → error cascade. If the DB is down/slow/encoding-broken,
callExtensionreturns""→call compile ""isnil→nil select 0throws. Several handlers only guardtypeName _responseCode == "SCALAR"after theselect 0, so the select can throw first. - Echo-to-code latent risk. Only UID/score/side/map round-trip today (all constrained, low risk). But the pattern means any future free-text field persisted and echoed back becomes executable.
Engine caveat (why the pattern exists): Arma 2 OA 1.64 has no parseSimpleArray (that is Arma 3), so call compile is the idiomatic string→array path for extensions. The A2-correct hardening is defensive validation, not a parser swap:
- Guard the raw string first:
if (isNil "_response" || {_response isEqualTo ""}) exitWith { /* neutral fallback + WARNING */ }; - Compile, then shape-check before use:
_response = call compile _response; if (typeName _response != "ARRAY") exitWith {...}; if ({ typeName _x != "SCALAR" } count _response > 0) exitWith {...}; - Only then read
_response select 0/1/2. This keeps the DLL contract (numeric arrays) but refuses to execute anything that isn't one.
callDatabaseRetrieve.sqf polls the 505 procedure up to 120 × 0.10s ≈ 12s; callDatabaseRequestSideTotalSkill.sqf polls 707 up to 9 × 3s = 27s. These feed player-connect stat retrieval and team-skill balancing (called from mainLoop.sqf, getTeamScoreMonitor.sqf, Init_Server.sqf). They run in spawned scripts so the server tick survives, but a slow/down DB stalls join/balance up to those windows before falling back to neutral ([1,1] / 0). Recommend a shorter ceiling + a circuit-breaker that flips WFBE_C_ANTISTACK_ENABLED off after N consecutive timeouts.
callDatabaseSendPlayerList.sqf packs every player's guid,side pair into a single callExtension input string (g1,1,g2,2,…). Arma 2 OA callExtension has input/output length limits (output historically ~10 KB); a 55-slot roster can produce a long argument and an even longer response, risking truncation → call compile of a truncated array literal → parse error (compounding DR-7). Recommend chunking the player list across multiple calls and validating each response shape.
WFBE_C_ANTISTACK_ENABLED defaults to 1 (Init_CommonConstants.sqf:171), and the A2WaspDatabase DLL is an undocumented external runtime dependency absent from the repo. Any server/dev instance lacking the DLL gets callExtension→""→call compile→error per call unless the param is set to 0. Marty added per-call if (… == 0) exitWith disable guards (good), but the default is on. Recommend: document the external dependency in External integrations, and consider detecting DLL presence (a cheap PING procedure) to auto-disable rather than error.
Code owners: apply DR-7 defensive validation (guard empty + shape-check before reading) to all seven callDatabase*.sqf; add a circuit-breaker (DR-8); chunk SEND_PLAYERLIST (DR-9); document/auto-detect the external DLL (DR-10). Codex: the A2WaspDatabase external dependency + call compile trust contract should be called out in the External integrations page (its lane). Ledger: Integrations Auth/PV cells advanced from ⬜ to 🟡 (AntiStack covered; Extension/Discord/BattlEye still pending).
Lane victory-endgame-review. Source: Server/FSM/server_victory_threeway.sqf (the only script that sets gameOver/WFBE_GameOver/failMission — verified by grep across Server/), Server/Functions/Server_LogGameEnd.sqf, Server/PVFunctions/LogGameEnd.sqf, Common/Init/Init_CommonConstants.sqf:401.
DR-11 — Endgame reports the winner inconsistently; persisted win-tally is wrong for the all-towns win — Medium-High (correctness, persistent side effect)
The trigger merges a lose test and a win test into one condition and then handles both identically:
if (!(alive _hq) && _factories == 0 || _towns == _total && !WFBE_GameOver) then {
[nil,"HandleSpecial",["endgame",(_x) Call WFBE_CO_FNC_GetSideID]] Call WFBE_CO_FNC_SendToClients;
WF_Logic setVariable ["WF_Winner", _x];
gameOver = true; WFBE_GameOver = true;
_side = west; if (_x == west) then {_side = east};
[_side] call WFBE_CO_FNC_LogGameEnd; // Server_LogGameEnd: _this select 0 == WINNER
}SQF precedence (&& before ||) parses this as (!alive _hq && _factories==0) || (_towns==_total && !WFBE_GameOver):
-
Branch A —
_xHQ dead and no factories →_xis the loser.LogGameEnd(_side = opposite of _x)records the correct winner. ✓ -
Branch B —
_xholds all towns →_xis the winner. ButLogGameEndis still called with_side= opposite of _x → it records the loser as the winner in the persisted%1_WIN_CHERNARUSprofileNamespace tally. ✗
Consequences:
- The win/loss statistics saved via
WFBE_CO_FNC_LogGameEnd(→profileNamespace,saveProfileNamespace) are inverted for every all-towns victory. -
WF_Logic setVariable ["WF_Winner", _x]is a dead write —WF_Winnerhas no reader anywhere in the mission (grep). So it can't compensate. - The
endgameclient broadcast sends_x's sideID toWFBE_CL_FNC_EndGame(HandleSpecial.sqf:16) for both opposite scenarios, so the player-facing outro shows the same side regardless of who actually won — at least one path is wrong. (Follow-up: confirm whether EndGame treats the payload sideID as winner or loser.) -
Guard/precedence bug:
!WFBE_GameOverguards only the towns branch, and theforEachover sides has no break after settinggameOver. Branch A is unguarded, so if two sides both satisfy "HQ dead + no factories" in the same 80s tick, endgame fires twice (doubleendgamebroadcast, doubleSET_MAP, doubleLogGameEnd). Fix: guard both branches with!WFBE_GameOver(orexitWithafter the first winner) and split the win/lose logic so the winner is computed correctly per branch.
WFBE_C_VICTORY_THREEWAY defaults to 0 (Init_CommonConstants.sqf:401, comment "0: Side a vs Side b [supremacy] minus defender"), and the detection block is gated if (!gameOver && _victory == 0). Since server_victory_threeway.sqf is the only victory/failMission setter in Server/, selecting any non-zero WFBE_C_VICTORY_THREEWAY value disables victory detection entirely — matches never auto-end in the mode the file is named for. Either implement the threeway path or document the parameter as non-functional.
-
Server/Functions/Server_LogGameEnd.sqf— clean; wired toWFBE_CO_FNC_LogGameEnd(compiled twice,Init_Server.sqf:64and:89). -
Server/PVFunctions/LogGameEnd.sqf— buggy duplicate:profileNamespace setVariable [(profileNamespace getVariable format ["%1_WIN_CHERNARUS",_winnerTeam]), (...)]uses a getVariable result as the setVariable key, and readsprofileNamespace getVariable WEST_WIN_CHERNARUS(bare global, not the"WEST_WIN_CHERNARUS"string). If this variant is ever wired in, win-stat persistence silently corrupts. Recommend deleting the duplicate to prevent future mis-wiring.
Code owners: fix DR-11 (split win/lose branches, compute winner per branch, guard both branches / break the loop) — this corrects permanently-skewed win stats; decide DR-12 (implement or document-as-disabled threeway); delete the buggy PVFunctions/LogGameEnd.sqf (DR-13). Follow-up review item: WFBE_CL_FNC_EndGame payload semantics (winner vs loser sideID). Ledger: Victory/endgame Map/Auth/PV/Perf cells advanced.
Lane factory-purchase-authority. Builds on Codex's Factory and purchase systems atlas (which noted player buy is client-local with no RequestBuyUnit PVF) and adversarially verifies Cicero's flagged Server_AssignNewCommander candidate. All claims verified at source.
DR-14 — Player unit purchasing has no server authority (the economy ceiling) — High (gameplay integrity), architectural
The player buy path never contacts the server:
-
Client/GUI/GUI_Menu_BuyUnits.sqf:102,108check funds client-side;:155-156do_params Spawn BuildUnit; -(_currentCost) Call ChangePlayerFunds;. -
Client/Functions/Client_BuildUnit.sqf:217/249/…create the unit/vehicle directly on the buyer viaWFBE_CO_FNC_CreateUnit/WFBE_CO_FNC_CreateVehicle(enginecreateUnit/createVehicle). There is noRequestBuyUnitPVF (confirmed: not inInit_PublicVariables.sqf, noServer/PVFunctions/RequestBuyUnit.sqf). - Funds live in
wfbe_fundson the team group, written byCommon_ChangeTeamFundswithsetVariable [..., true](broadcast, client-writable — see Round 1 / DR-6 root cause).
So a modified client can mint any factory unit for free (skip the deduction, or set wfbe_funds directly) — and the created vehicle is globally synced because client createVehicle in MP is global. This is the ceiling on the DR-1/DR-6 hardening thread: unlike construction (DR-6, which at least routes through a server PVF that could be validated), the player economy and unit production are architecturally client-authoritative in WFBE's locality model. Fully fixing it = a large redesign (route purchases through a validated server PVF like construction). The realistic live-server defense is a BattlEye script filter (scripts.txt) constraining client createVehicle/createUnit, not a publicVariable filter. Document this ceiling so future hardening targets the right layer.
Latent path note (confirms atlas):
Server_BuyUnit.sqf/AIBuyUnitis compiled (Init_Server.sqf) but has no proven dynamic caller — the AI-commander production path that would use it is itself dormant (the AI commander FSM never starts; see Cicero's server atlas + DR-15 neighbourhood).
Adversarial verification of Cicero's candidate — confirmed live by tracing compile + sole caller:
-
Init_Server.sqf:62:WFBE_SE_FNC_AssignForCommander = Compile … "Server\Functions\Server_AssignNewCommander.sqf". - Sole caller
Server/PVFunctions/RequestNewCommander.sqf:13:[_side, _assigned_commander] Spawn WFBE_SE_FNC_AssignForCommander;(a 2-element array). -
Server/Functions/Server_AssignNewCommander.sqf:3:_side = _this;— sets_sideto the whole array[side, commander](should be_this select 0), then_commander = _this select 1(correct)._logic = (_side) Call WFBE_CO_FNC_GetSideLogicthen receives an array, not a side → wrong/objNulllogic → the block that stops the AI-commander FSM (_logic getVariable "wfbe_aicom_running") operates on a bad logic and fails.
Impact: when a human is assigned commander via RequestNewCommander, the AI-commander shutdown path mis-fires (mitigated in practice because the AI-commander FSM is itself dormant — DR-14 note). There's also a redundant new-commander-assigned broadcast (sent by both RequestNewCommander.sqf and Server_AssignNewCommander.sqf). Fix: _side = _this select 0;. One-line change in Chernarus source.
Code owners: (DR-14) decide whether to route player purchases through a validated server PVF (large) or accept client-authority + add a BattlEye scripts.txt filter; (DR-15) one-line fix _side = _this select 0 in Server_AssignNewCommander.sqf and drop the duplicate new-commander-assigned broadcast. Ledger: Factory/purchase Auth/PV advanced; AI-commander caveat cross-linked.
Lane ui-hud-authority-review. Cross-checks Codex/Curie's Client UI systems atlas and reviews the economy-menu sale authority (the DR-6/DR-14 sibling). Verified at source.
Client/GUI/GUI_Menu_Economy.sqf:104-152 (MenuAction 105, "Sell Building"):
- The commander check is client-side only (
_isCommanderviacommanderTeam == group player,:107-109). - It picks the closest own-side structure (
GetSideStructures,:110-112), then in a spawned thread credits the refund client-side —ChangeSideSupply(broadcast, client-writable) orChangePlayerFunds(:141) — and destroys the structure client-side with_closest setDammage 1(:152), which propagates globally because the structure is a synced object. - No server PVF, no server validation (same pattern as DR-6 construction and DR-14 purchasing). A modified client bypasses the commander gate and the
WFBE_SOLDre-sell guard, mints the refund, and demolishes structures. Same client-authority ceiling: the realistic defense is a BattlEyescripts.txtfilter constraining clientsetDammage/funds writes, or routing sell through a validated server PVF (matches the DR-6 fix shape). This completes the economy picture: build (DR-6), buy (DR-14), and sell (DR-16) are all client-authoritative.
DR-17 — Duplicate dialog IDD 23000 (EASA vs Economy) — Low-Medium (UI correctness) — confirms Curie candidate
Rsc/Dialogs.hpp: class RscMenu_EASA (:3209, idd = 23000 at :3211) and class RscMenu_Economy (:3287, idd = 23000 at :3289) share the same display id. findDisplay 23000 is therefore ambiguous, and any control-event/closeDialog/findDisplay 23000 logic can target the wrong dialog if both are reachable. Verified Curie's flagged candidate at source. Fix: give EASA and Economy distinct IDDs (and audit any findDisplay 23000 callers). Also re-confirmed Curie's note that other UI candidates (stale RscMenu_Upgrade → missing GUI_Menu_Upgrade.sqf; suspect RscClickableText.soundPush[]) remain open for a UI-focused follow-up.
Code owners: (DR-16) move sell authority/refund/destruction server-side (mirror the DR-6 server-PVF validation) or add a BattlEye scripts.txt filter; (DR-17) assign distinct IDDs to EASA/Economy dialogs. Ledger: UI/HUD Auth/PV advanced; economy thread (build/buy/sell) now fully characterized.
Lane server-loop-candidates-verify. Adversarial verification of two Cicero candidates from the Server gameplay runtime atlas; both confirmed at source with exact impact.
DR-18 — Supply-mission cooldown key casing mismatch → nil-throw on first check — Medium (correctness) — confirms Cicero
setVariable/getVariable keys are case-sensitive in Arma 2 OA (unlike SQF identifiers). The seed and the readers disagree by one letter:
-
Common/Init/Init_Town.sqf:35:_town setVariable ["lastSupplyMissionRun", 0];— lowercasel. -
Server/Module/supplyMission/isSupplyMissionActiveInTown.sqf:8:getVariable "LastSupplyMissionRun"— capitalL. Same capital form is written bysupplyMissionStarted.sqf:8andsupplyMissionActive.sqf:6.
So the 0 seed lands in a slot nothing reads, and "LastSupplyMissionRun" is nil until the first mission completes. The cooldown check then runs:
if (((_lastActivationTime + WFBE_CO_VAR_SupplyMissionRegenInterval) > time) && (_lastActivationTime != 0)) then {...}On a never-run town _lastActivationTime is nil → nil + interval throws ("Type Nothing, expected Number"), aborting the handler before it publishes WFBE_Server_PV_IsSupplyMissionActiveInTown — so the client's cooldown query can get no response on first use. The mis-cased seed defeats exactly the != 0 guard it was meant to satisfy. Fix: make the seed key "LastSupplyMissionRun", or read with a default: getVariable ["LastSupplyMissionRun", 0].
DR-19 — Hosted/listen-server FPS publishers busy-loop — Medium (performance, non-dedicated) — confirms Cicero
Both server FPS publishers put sleep 8 inside the isDedicated guard:
// Server/GUI/serverFpsGUI.sqf AND Server/Module/serverFPS/monitorServerFPS.sqf
while {true} do { if (isDedicated) then { …; publicVariable …; sleep 8; } };On a dedicated server this is fine. On a hosted/listen server or singleplayer host (isServer true, isDedicated false — and both scripts are launched server-side from Init_Server), the if is false every iteration, so while {true} spins with no sleep → a tight CPU busy-loop per script (two of them), degrading the host. Fix: either if (!isDedicated) exitWith {} at the top (don't publish FPS when hosted), or move sleep 8 outside the if so the loop always yields. (Two scripts publishing the same round diag_fps under different PV names — SERVER_FPS_GUI / WFBE_VAR_SERVER_FPS — is also redundant; consolidating would remove one loop entirely.)
Code owners: (DR-18) align the supply-cooldown key casing (or default the read) — one-line fix; (DR-19) hoist the FPS-loop sleep out of the isDedicated guard (or early-exit when not dedicated), and consider consolidating the two redundant FPS publishers. Ledger: Supply JIP/HC and server-runtime perf cells advanced.
Lane jip-headless-crosscut. Traced HQ-death detection across server, existing clients and JIP clients.
DR-20 — HQ-killed is processed once per owning-side client (no idempotency) — High (multiplayer correctness / score exploit)
Death detection for the mobile HQ is deliberately redundant (a client-local vehicle's Killed EH must run on a client):
-
Server/Construction/Construction_HQSite.sqf:89adds a server-sideKilledEH, then:91broadcasts["set-hq-killed-eh", _mhq]to the whole owning side;Server_MHQRepair.sqf:37,43do the same after a repair. -
Client/PVFunctions/HandleSpecial.sqf:34(set-hq-killed-eh) makes every owning-side client add aKilledEH that calls["RequestSpecial",["process-killed-hq",_this]]. - JIP clients additionally add it themselves at
Client/Init/Init_Client.sqf:500-503(guarded!isServer && !_isDeployed).
So N owning-side clients each hold the same Killed EH. When the HQ dies, the synced death fires every client's EH → the server receives N process-killed-hq messages → Server/Functions/Server_OnHQKilled.sqf runs N times, and it has no idempotency guard. Each run:
- awards the killer score twice (
_points = 30000/100*coefand_score = 900via twoRequestChangeScore), so total killer score ≈ 2N × the intended award; - broadcasts N× destruction /
HeadHunterReceiveBountymessages; - re-publishes
IS_<side>_HQ_ALIVE/ marker infos N times.
(The dead-MHQ wreck spawn is inside if (GetSideHQDeployStatus) and self-limits after the first run flips wfbe_hq_deployed=false; the score/message duplication does not.) On a populated server (e.g. 20 owning-side players) an HQ kill inflates the killer's score ~40×. Fix: make Server_OnHQKilled.sqf idempotent — first line if (_structure getVariable ["wfbe_hq_killed_done", false]) exitWith {}; _structure setVariable ["wfbe_hq_killed_done", true];. Keep the redundant EH registration (it ensures death is never missed regardless of MHQ locality); guard the consumer, not the producers. Pattern: "detect redundantly, act once."
- The JIP guard at
Init_Client.sqf:500(!_isDeployed) is correct: a JIP client adds the mobile-HQ EH only when the HQ is currently mobile; a deployed HQ (building) is covered by the server-side EH atConstruction_HQSite.sqf:36/Init_Server.sqf:319. JIP HQ-death detection is therefore covered — the defect is downstream duplication (DR-20), not a JIP miss. -
set-hq-killed-ehis side-filtered (SendToClients [_side, …]), so only owning-side clients register it — correct.
Code owners: add the one-line idempotency guard to Server_OnHQKilled.sqf (DR-20) — this also fixes the duplicate-score symptom on HQ kills in populated games. Ledger: JIP/HC cells advanced for victory/economy/construction (HQ-death path verified end-to-end).
Lane headless-disconnect-review. Verifies the round-1 hypothesis about HC disconnect at Server/Functions/Server_OnPlayerDisconnected.sqf.
Round 1 listed, as an unverified gotcha, "HC disconnect orphans units it created." Verified at source, that framing is wrong and is hereby downgraded: in Arma 2 OA, when any machine disconnects the engine migrates its local objects/groups to the server (ownership transfer, not deletion). HC-delegated AI is therefore not orphaned or lost on disconnect. The accurate effects are below (DR-21).
DR-21 — HC disconnect dumps delegated AI on the server with no re-delegation — Medium (performance/operational, non-data-loss)
Server_OnPlayerDisconnected.sqf HC handling:
- If
WFBE_C_AI_DELEGATION == 2andWFBE_HEADLESS_<uid>exists, it removes the HC's group fromWFBE_HEADLESSCLIENTS_IDand clearsWFBE_HEADLESS_<uid>. -
WFBE_JIP_USER<uid>is nil for an HC (HCs don't register as players viaRequestJoin), so the handlerexitWiths before the player-team/unit logic. (It does also delete anyWFBE_CLIENT_<uid>_OBJECTSregistered to that uid earlier in the handler.)
What actually happens to the AI the HC was simulating: the engine transfers those units/groups to the server, so the server's load spikes by exactly the amount the HC was offloading — the opposite of the delegation benefit, precisely when you least want it. There is no re-delegation: the disconnect handler does not hand the migrated AI to a surviving HC, and (per the round-1 init finding) WFBE_C_AI_DELEGATION is only evaluated/downgraded at boot, so a later HC reconnect does not resume offloading either. Net: HC delegation has no failover/rebalancing — a single HC drop silently re-loads the server for the rest of the match. Suggested handling: on HC disconnect, if other HCs remain, re-setGroupOwner the migrated town-AI groups to a surviving HC (a periodic rebalancer is cleaner than doing it in the disconnect handler); and make delegation re-evaluate when an HC (re)connects rather than only at boot. (Arma 2 OA does support setGroupOwner; note the mission currently never uses it — see AI, headless and performance.)
Code owners: treat HC delegation as best-effort with no failover today; if HC stability matters, add re-delegation/rebalancing on HC disconnect/connect. Ledger: AI/Headless JIP/HC cell advanced; round-1 "orphan" hypothesis corrected.
Lane side-supply-delta-verify. Confirms + sharpens Faraday's "negative side-supply delta" candidate (and my round-1 "inverted guard" note) at source.
DR-22 — Overspending side supply grants a windfall instead of being floored — High (economy correctness/exploit)
The supply clamp (live in Server/Functions/Server_ChangeSideSupply.sqf, both the wfbe_supply_temp_west and …_east handlers; also present but dead in Common/Functions/Common_ChangeSideSupply.sqf) is:
_change = _currentSupply + _amount;
if (_change < 0) then {_change = _currentSupply - _amount}; // intended floor-at-0; actually a windfall
if (_change >= _maxSupplyLimit) then {_change = _maxSupplyLimit};_amount is signed — deductions are negative. When a deduction would overdraw (_change < 0), the "floor" computes _currentSupply - _amount = _currentSupply + |amount|. Example: supply 100, spend 300 (_amount = -300) → _change = -200 → guard → 100 - (-300) = 400. Trying to spend more supply than you have increases your supply by the amount you tried to spend. Any over-budget supply deduction (e.g. an upgrade/structure costing more than the side holds) flips into a gain — directly exploitable by attempting over-large spends, and it corrupts the economy generally.
Fix: floor correctly — if (_change < 0) then {_change = 0};. Apply in Server_ChangeSideSupply.sqf (both handlers). Note the matching block in Common_ChangeSideSupply.sqf is dead code: it computes _change but the function sends only [_side, _amount, _reason] over wfbe_supply_temp_<side> and the server recomputes — so fix the server copy (and optionally delete the dead client computation). Related (round-1, still open): there is no resistance-side handler for wfbe_supply_temp_*, only west/east.
Code owners: one-line floor fix in Server_ChangeSideSupply.sqf (×2 handlers) — closes the overspend windfall. Ledger: Economy/supply Auth/PV reinforced (confirmed exploit, not just "confusing").
Lane upgrade-authority-verify. Confirms Faraday's "upgrade authority gap" candidate and closes the economy-authority thread.
DR-23 — Upgrade purchasing is client-authoritative with no server validation — High (economy integrity)
Server/PVFunctions/RequestUpgrade.sqf is the whole handler: _this Spawn WFBE_SE_FNC_ProcessUpgrade; — the raw client payload [side, upgradeId, level, isPlayer] goes straight into Server/Functions/Server_ProcessUpgrade.sqf, which:
- reads
_side/_upgrade_id/_upgrade_level/_upgrade_isplayerfrom the client with no checks (no commander check, no side check, no upgrade-sequence/level check, no dependency/_LINKScheck); -
never deducts a cost — it only
sleeps_upgrade_timethen_upgrades set [_upgrade_id, current+1]. The upgrade cost is deducted client-side in the upgrade menu before the request, same as the rest of the economy.
So a modified client can forge ["RequestUpgrade",[side, id, level, false]] to grant any side a free upgrade, bypassing commander authority and cost. Secondary: _upgrade_time = (… select _upgrade_id) select _upgrade_level uses client-controlled indices → out-of-range error (minor DoS) if forged with bad ids. Fix: validate in RequestUpgrade/ProcessUpgrade — requester is the side's commander, indices in range, dependencies met and the level is the correct next step, and deduct cost server-side (mirror the DR-6 validation shape).
This is the last economic action to review, and it confirms the pattern: the entire WFBE player economy is client-authoritative —
- build structures (DR-6), buy units (DR-14), sell structures (DR-16), change side supply (DR-22, plus the overspend-windfall bug), buy upgrades (DR-23) — each lets the client decide/deduct, with the server doing at most a class-exists check.
One owner decision covers all of it: either route economic mutations through validated server PVFs (server checks commander/side/funds and applies the debit), or accept client authority and rely on BattlEye scripts.txt/PV filters. Piecemeal fixes won't close the class; the decision is architectural.
Code owners: add commander/funds/index/dependency validation + server-side cost to the upgrade path (DR-23); and make the economy-authority decision once for build/buy/sell/supply/upgrade rather than per-finding. Ledger: economy thread fully reviewed (Auth across the board characterized).
Lane missing-reference-inventory. Confirms Curie's RscMenu_Upgrade candidate at source (a representative dead/abandoned reference).
Rsc/Dialogs.hpp:2425 class RscMenu_Upgrade has onLoad = "_this ExecVM ""Client\GUI\GUI_Menu_Upgrade.sqf""" (:2428), but Client/GUI/GUI_Menu_Upgrade.sqf does not exist — only the differently-named Client/GUI/GUI_UpgradeMenu.sqf does. RscMenu_Upgrade is never opened (createDialog/cutRsc for it appears nowhere outside Dialogs.hpp); the live upgrade UI is GUI_UpgradeMenu.sqf (reached via GUI_Menu.sqf). So this is a stale dialog whose onLoad would ExecVM a missing file if it were ever opened — currently inert because nothing opens it. Fix: delete RscMenu_Upgrade (and its dangling onLoad), or repoint it at GUI_UpgradeMenu.sqf if it was meant to be the live one. Naming-drift class (GUI_Menu_Upgrade vs GUI_UpgradeMenu).
Method note: an automated "live reference → missing file" scan was attempted but its Windows-backslash path normalization was unreliable (false positives); this finding was confirmed by hand. A robust missing-reference inventory is a good future tooling task (resolve
\-separatedexecVM/ExecFSM/preprocessFilestring targets against the tree, excluding commented lines) — handed to Codex/tooling.
Code owners: remove or repoint the dead RscMenu_Upgrade dialog (DR-24). Tooling (Codex/Meitner lane): build a reliable missing-reference scanner. Ledger: UI dead-reference candidate confirmed; abandoned-code inventory still has open candidates (TaskSystem, old blink loops, WASP OnArmor/KeyDown — see round-1 WASP-Overlay + Feature-Status).
Previous: Agent worklog | Next: Implementation plan
Main map: Home | Fast path: Quickstart | Agent file: agent-context.json
Home | Agent Guide | Current live state | Release 1.2.2 (B91) | Quickstart | Progress | Lifecycle wait-chain | Join/disconnect | Parameters/build | Assets/config | SQF atlas | PV index | Modules | Support/specials | Commander/HQ | Commander vote/reassign | Construction/CoIn | Construction cleanup | WDDM compositions | Factory/purchase | Upgrades/research | Towns/camps/capture | Victory/endgame | Markers/cleanup | Server runtime | AI runtime/HC | AI commander audit | HC delegation | Town AI safety | Commander reassignment | Resistance supply | Player UI workflow | UI atlas | Respawn/death | Gear template filter | Vehicle cargo loop | Service guards | UI IDD repair | UI design inspiration | WASP overlay | Feature status | Source propagation | release readiness | Tooling readiness | Integration trust | AntiStack DB | Owner decisions | Shelved registry | Abandoned feature revival | Hardening roadmap | PVF dispatch | Server authority | ICBM authority | Attack-wave authority | Telemetry families | AICOM V2 cutover | Consumer port map | Testing workflow | Server ops | Web tools | Ecosystem repos | Arma 2 OA refs | A2 traps | OA compatibility audit | Coverage ledger | Navigation inventory | Pruning ledger | Knowledge roadmap | Agent context | Collab protocol | Worklog | Audit archive 2026-07 | Briefing reference | Utes invasion concept
- Shelved AICOM concepts - revivable someday ideas (owner-shelved 2026-07-03)
Docs rule: source-backed claims only; Arma 2 OA scripting docs only; gameplay edits start in Missions/[55-2hc]warfarev2_073v48co.chernarus.
- Getting started
- Status and coordination
- Agent context
- Agent collaboration protocol
- Agent worklog
- Agent worklog archive
- Progress dashboard
- PR cleanup and integration lab
- Shelved PR #169: gear price double-count
- Shelved PR #194: Chernarus no-trees
- Coordination board
- Codebase coverage ledger
- Bottleneck removal queue
- Current source status
- Wiki mirror reconciliation
- Navigation inventory
- Registers
- Agent orchestration
- Architecture
- Architecture overview
- Mission entrypoints and lifecycle
- Lifecycle wait chain
- Player join/disconnect and AntiStack lifecycle
- Mission parameters/localization/build inputs
- Stringtable localization key-family catalog
- Source inventory
- Content structure and maps
- Assets/config/localization/parameters
- Mission start parameters index
- Code and networking
- Gameplay systems
- Core systems index
- Gameplay systems atlas
- Commander/HQ lifecycle atlas
- Economy, towns and supply
- Economy system reference
- Balance asymmetries
- Anti-stack skill-balance mechanic
- Empty-side supply income stagnation
- Towns, camps and capture atlas
- Victory and endgame atlas
- Victory conditions reference
- Territorial victory reference
- Marker cleanup and restoration
- Marker loop engine and registries
- Map marker families content catalog
- Marker subsystem function reference
- Client marker FSM updater map
- Support specials and tactical modules
- SCUD TEL tactical munitions
- Naval HVT objectives (carriers/SCUD)
- SCUD saturation strike mechanic
- Takistan airfield FPV drone design
- Construction and CoIn systems
- Structure damage reduction & friendly-fire
- Construction logic list cleanup
- Flak tower & WDDM anchor compositions
- Resistance supply scaffold
- GUER Insurgents faction overview
- GUER Insurgents branch audit
- GUER insurgent player economy
- GUER Commissar Panel
- GUER air-defense loop (Ka-137/Mi-24)
- Upgrades and research atlas
- Supply mission architecture
- Supply mission authority cleanup
- Current supply helicopters PR1
- Respawn and death-loop lifecycle
- Vehicle theft economy pitch
- GUER tunnel network pitch
- Content, reference and catalogs
- Faction unit/vehicle roster catalog
- Auxiliary/SF/civilian unit catalog
- Gear store loadout route catalog
- Upgrade research (cross-faction)
- Gear store price and upgrade catalog
- Gear store catalog (complete, per faction)
- Defense structures catalog
- Artillery reference per faction
- AI squad team templates catalog
- Town AI lifecycle reference
- Town AI group composition catalog
- Class-skill system reference
- Player skill abilities reference
- Default gear template content catalog
- Chernarus map content reference
- Takistan map content reference
- Takistan features
- Takistan parity reference
- Takistan oilfields objective reference
- IRS IR-smoke countermeasure
- Arty module special munitions
- Zeta cargo sling-load reference
- Spawn primitive function reference
- Kill and score pipeline
- Waypoint helper function reference
- Position and proximity function reference
- Side/team state function reference
- Player AI watchdog and recovery
- AICOM stuck-recovery v2
- LoadoutManager data-model contributor guide
- Discord status bot setup and reference
- GLOBALGAMESTATS extension reference
- New player quickstart (player guide)
- Optional client mods (player guide)
- Earning funds and score (player guide)
- Vehicle service and logistics (player guide)
- Commander's handbook (player guide)
- Tactical support menu
- Paradrop player experience
- Supply missions (player guide)
- In-game briefing & Diary field manual
- Playable maps catalog
- Faction root variables reference
- Faction base structures catalog
- Counter-battery radar system
- Bank, Reserve and Artillery Radar structures
- Map ruleset model and object config
- Countermeasures module reference
- Vehicle countermeasure (flares/spoofing)
- UAV terminal and spotter system
- Artillery firing function reference
- Service Point pricing model
- Medic redeployment truck (forward spawn)
- Side-patrol runtime and convoy mechanics
- Day/night cycle and weather system
- Config lookup helper reference
- CIPHER sort utilities reference
- Modded maps status and content
- BattlEye filter setup and OA taxonomy
- Player squad/group join protocol
- AutoFlip vehicle recovery
- Engine stealth fuel toggle
- Valhalla vehicle climbing-assist
- Missile and ordnance Fired-EH reference
- Vehicle equip and rearm reference
- Array and collection utilities
- Server composition spawner reference
- Upgrade queue server loop
- Map boundaries and off-map enforcement
- Namespace/profile/diagnostic utilities
- Group bool getVariable A2-OA trap
- Vehicle weapon balance init
- View distance auto-throttle
- Camp & respawn-camp getters
- Performance audit writer
- Site clearance (bulldozer)
- Factory queue cancel & refund
- AI commander tunable constants
- Experimental feature-flag constants
- Flag system quick reference
- Mission tunable constants catalog
- Gear parsing & cargo capacity
- Structure dressing function
- Paradrop delivery functions
- ICBM nuke client VFX & radiation
- Server HandleSpecial router
- LocalizeMessage chat router
- Gear buy-menu render & price functions
- Server broadcast & telemetry loops
- Per-unit client init pipeline
- Vehicle marking & texture pipeline
- Defense category & budget
- Legacy AI order primitives
- Commander-team driver
- AICOM command verbs
- AICOM behavior fix taxonomy
- AI commander wildcard deck reference
- AICOM aircraft and airfield system
- Static-defense manning
- End-of-game stats screen
- AI commander execution loop
- Deployable bipod / weapon resting
- Town-economy getters
- Server-init deadspawn & airfield probe
- GUER VBIED detonate action
- Resource income-tick engine
- AI commander treasury accessors
- PVF send-helper contracts
- AICOM logging & AICOMSTAT telemetry
- AICOMSTAT v2 event census
- WASPSCALE v2 telemetry
- WASPSCALE v2-ext coverage audit
- Telemetry families reference
- Group lifecycle & entity reaping
- Batch AI spawner orchestrator
- Client funds/income HUD readout
- Server group GC & cap warning
- Town runtime tuning constants
- Client input/hotkey handler
- WASP base-repair system
- WASP DropRPG launcher/ordnance
- CoIn construction-interface client engine
- Town-capture garrison & airfield rebuild
- Map-control & minimap templates
- Client FPS & state telemetry
- Client service-proximity getters
- Airfield-exclusive roster & unit hints
- Unit-camera spectator system
- Town-garrison patrol/defense worker
- RequestTeamUpdate squad-discipline
- Arma2Warfare GPT assistant
- LoadoutManager build configs & defines
- GLOBALGAMESTATS extension logging
- Discord bot instrumented logging
- Eden/Everon & Taviana map content
- Cruise missile strike asset
- AI / HC
- AI headless and performance
- AI mods and pathfinding reference
- Headless client scaling and topology
- AI runtime/HC loop map
- Headless client init and stat loop
- HC delegation target selection
- Player AI caps and role balance
- Old WarfareBE FPS comparison
- AI commander autonomy audit
- Upstream BE 2073 AICOM delta
- Parent 2.073 divergence audit
- AI commander capture & fun plan
- AI commander B69 improvement roadmap
- AI commander B69 implementation sketches
- AICOM V2 cutover status
- Headless delegation and failover
- Commander reassignment call shape
- GUER Director living-resistance pitch
- Quality and operations
- Foundation perf findings & Tier-3 dead-ends
- Dead/stale code register
- Commander vote/reassignment
- Attack-wave authority
- Server runtime and operations
- Server ops runbook
- JIP enrollment & client data delivery (b74.2 lessons)
- Server gameplay runtime atlas
- PerformanceAuditAnalyzer
- Performance opportunity sweep
- Documentation plan
- Knowledge platform roadmap
- Wiki quality audit
- Wiki pruning and relevance ledger
- Audit findings queue (2026-06-03)
- Deep review findings
- Client UI / server-loop perf findings
- Performance gain simulation
- Self-host testing field notes
- Cleanup and work lanes
- Hardening and authority
- UI / player workflows
- Client UI, HUD and menus
- UI HUD and dialogs
- Player UI workflow map
- Client UI systems atlas
- UI IDD collision repair
- UI control class library reference
- UI theme palette and style macros
- UI design inspiration 2026-07
- Available-actions client gate FSM
- Gear/loadout/EASA atlas
- Gear template profile filter
- Vehicle cargo equip loop bounds
- Factory and purchase systems atlas
- Service menu affordability guards
- WASP overlay
- Class-skill system reference
- Skin selector and class swap
- Earplugs audio toggle
- Mission audio catalog
- HQ radio knowledge-base catalog
- QoL trio player hints
- Player vehicle/travel actions
- Tooling / release / integrations
- Tools and build workflow
- Warfare web tools
- Ecosystem & companion repos
- Zargabad tooling parity
- July 2026 release readiness
- Operator monitor and CPU affinity tools
- Tooling release readiness audit
- Source fix propagation queue
- Agent release readiness ledger
- Release source intake map
- Testing/debugging/release workflow
- Current RPT release gate
- RPT telemetry consumer port map
- External integrations
- Integration trust boundary audit
- AntiStack database extension audit
- Community & Dev
- Community & Dev
- Miksuu upstream wiki import / archive index
- Upstream changelog feature leads
- Developer history and upstream lessons
- Upstream Miksuu commit intel
- Upstream mining ledger
- Archive script mining v2
- Upstream BE 2073 AICOM delta
- Parent 2.073 divergence audit
- PR8 and Drone upstream lesson match
- Development lessons learned
- External research reports
- Audit archive 2026-07
- Briefing reference
- Utes invasion concept
- Miksuu archive: Home
- Miksuu archive: Welcome
- Miksuu archive: Big announcements
- Miksuu archive: Changelog
- Miksuu archive: Development process
- Miksuu archive: Discord bot
- Miksuu archive: Gameplay videos
- Miksuu archive: LoadoutManager
- Miksuu archive: Chernarus script architecture
- Base-game visual catalogs
- Compatibility and references
- HC upstream history and lessons
- Player stats branch audit
- BuyMenu EASA QoL branch audit
- Perf quick wins branch audit
- Commander positions branch audit
- Zargabad branch audit
- Quad AI Commander concept
- Arma 2 OA external reference guide
- Base-game config & image reference
- Arma 2 OA compatibility audit
- Arma 2 OA agent traps reference
- Arma 2 OA command versions
- Wiki source consistency
- External Arma 2 OA reference index