Skip to content

Hardening Implementation Roadmap

rayswaynl edited this page Jun 6, 2026 · 47 revisions

Hardening Implementation Roadmap

This page turns the source-reviewed risk register into implementation-ready work packages. It is for code owners and future agents who are ready to patch gameplay/security behavior, not just document it.

Scope: Chernarus source mission first, then LoadoutManager propagation. All paths below are relative to Missions/[55-2hc]warfarev2_073v48co.chernarus/.

Machine-readable backlog for agents and code owners: agent-hardening-backlog.jsonl. Validation workflow and test evidence schema: Testing workflow and agent-test-plan.schema.json.

Page ownership: this roadmap owns canonical patch order, branch discipline and validation gates. Server authority migration map owns the reusable authority principles, handler validation checklist and cross-system migration table. Focused playbooks own detailed patch shape for PVF dispatch, ICBM authority, attack waves, supply missions, economy first cut, commander vote/reassignment, HC failover and town-AI vehicle safety.

Authority Design Preamble

Every authority patch should follow the same rules before touching code:

Principle Patch rule
Client UI is affordance Menus may show prices and buttons, but final acceptance, debit and effect belong on the server.
Server recomputes truth Re-derive side, role, funds, supply, costs, upgrade state, object validity, range and placement from server-held state.
Dispatch and payloads are different PVF dispatcher hardening closes sender-chosen handler strings; legitimate handlers and direct PV channels still need per-flow validation.
Sender identity is weak in Arma 2 OA PVEHs Include requester context where safe and cross-check group, side, ownership and UID instead of trusting a payload scalar.
Logging is part of the patch Accepted high-value transactions and rejected malformed/unauthorized requests need compact, non-spammy logs.
BattlEye is defense in depth Filters reduce public-server exposure but are not the mission's source of truth; shipped filter evidence lives in External integrations.

For the full per-handler checklist, use Server authority migration map.

Canonical Patch Order

Priority Work package Why first
P0 PVF dispatcher lookup hardening Smallest behavior-preserving change that closes DR-1 arbitrary code execution and DR-38 per-message recompilation; branch matrix: PVF dispatch implementation.
P0 SEND_MESSAGE direct-PV compile removal DR-46 is a second network-data RCE outside the PVF dispatcher; dispatcher lookup does not close it.
P0 ICBM RequestSpecial server validation Highest blast radius: forged PV can trigger server-applied map-wide damage. Use ICBM authority.
P1 Victory/endgame correctness (DR-11 / DR-36) Small source change with large match-outcome/stat impact.
P1 Server-side economy authority design Covers the confirmed class: build, buy, sell, supply, upgrade, ICBM and gear/service spend paths.
P1 Direct attack-wave authority Claude DR-41 confirmed ATTACK_WAVE_INIT is a forgeable direct-PV channel that can drive side-wide unit prices to zero or negative values.
P1 Supply mission authority and cooldown cleanup Needed before PR #1 supply helicopters/cash/interdiction become baseline.
P2 Commander vote semantics and reassignment correctness DR-47 and DR-15 are small but match-visible commander/HQ correctness fixes. Use Commander vote/reassignment: decide no-commander/tie rules before code, then keep vote resolution separate from manual reassignment call-shape and requester-authority hardening.
P2 Factory queue, HC/static-defense and support-loop cleanups Player-facing soft-lock/perf/partial-feature fixes once core authority is moving.

July Update Candidate Route

The Progress dashboard currently names two July update candidates. Treat them as explicit dev-branch lanes, not as merged gameplay state.

Candidate Branch Route First code-owner gate
Hosted Server FPS Loop Fix dev/july-update-hosted-server-fps-loop-fix Hosted server FPS loop sleep, Performance opportunity sweep, Testing workflow Adopt or verify the low-risk !isDedicated early-exit shape, keep dedicated FPS publishing intact, and name Chernarus plus maintained Vanilla parity before release wording.
Takistan Airfield FPV Drone Bay dev/july-takistan-airfield-fpv-drone Takistan airfield FPV drone design, PR8 and Drone upstream lesson match, Testing workflow Build Takistan-only and server-authoritative first: server rechecks ownership, funds, UAV/EASA gates, one-drone-per-player, side cap, range/boundary, bunker state and base-protection before spawning or debiting.

P0: PVF Dispatcher Lookup

Dedicated playbook: PVF dispatch implementation.

Roadmap summary: replace dispatch-time Call Compile _script in Server_HandlePVF.sqf and Client_HandlePVF.sqf with a validated allowlist / namespace lookup while preserving Spawn. Branch recheck refreshed 2026-06-06 found current source Chernarus, maintained Vanilla, stable origin/master 2cdf5fb8, Miksuu upstream 89ae9dad, origin/perf/quick-wins 0076040f and release 7ff18c49 still compile the sender-provided handler string; release only adds adjacent HC client filtering and shifts the client compile to Client_HandlePVF.sqf:32. This closes DR-1 arbitrary handler-string compilation and DR-38 avoidable per-message recompilation. It does not validate forged payloads sent to legitimate handlers and does not touch direct publicVariable channels like ATTACK_WAVE_INIT.

Validation:

  • Verify all entries in _serverCommandPV and _clientCommandPV still resolve to CODE after Init_PublicVariables.sqf.
  • Test one server request (RequestJoin or RequestVehicleLock) and one client message (LocalizeMessage or HandleSpecial) on a hosted/local mission if possible.
  • Re-run docs/update notes: this fixes dispatch execution risk only; it does not validate legitimate-command payload forgery.

Post-dispatch handoff: immediately after this patch, use the registered server PVF handler authority matrix to plan handler/effect validation. The 2026-06-04 recheck confirmed active callers for RequestVehicleLock, RequestTeamUpdate, RequestUpgrade, RequestAutoWallConstructinChange and RequestChangeScore; do not label the network authority class closed until those handlers and direct-PV channels have their own validation or an explicit owner acceptance.

P0: SEND_MESSAGE Direct-PV Compile Removal

Raw evidence: Deep-review findings DR-46. Channel inventory: Public variable channel index.

Roadmap summary: remove call compile from both Client/Functions/Client_onEventHandler_SEND_MESSAGE.sqf and Common/Functions/Common_SendMessage.sqf. The current multi-language branch treats message text as executable code. Because SEND_MESSAGE is a direct publicVariable channel, this is independent of the PVF dispatcher fix.

Branch/root status: the 2026-06-06 matrix in Public variable channel index confirms current source/Vanilla, stable origin/master 2cdf5fb8, Miksuu upstream 89ae9dad, perf/quick-wins 0076040f and release 7ff18c49 all still keep the direct receiver/helper compile route.

Implementation shape:

  1. Treat multi-language payloads as structured arrays: [stringtableKey, arg1, arg2, ...].
  2. Resolve with localize and format locally.
  3. Treat malformed or non-array multi-language payloads as literal text or reject/log them; never compile message text.
  4. Update artillery/ICBM callers that currently pass compilable strings.
  5. Add a BattlEye publicvariable.txt value-shape rule only as defense in depth after the source fix is designed.

Validation:

  • Normal side messages still display and play sound.
  • Localized artillery/ICBM messages still render in the intended language.
  • A forged SEND_MESSAGE payload containing SQF text is displayed/ignored as data and never executed.

P0: ICBM Server Validation

Dedicated playbook: ICBM authority. Use it before implementation; it owns the DR-27 source chain from Tactical menu gating through NukeIncoming, RequestSpecial, Server_HandleSpecial.sqf and NukeDammage.

Implementation shape:

  1. Keep presentation and marker behavior client-side, but re-derive authority on the server.
  2. In the "ICBM" branch, validate side, commander/team ownership, module enabled, required upgrade, funds/cost and target/base object shape.
  3. Do not trust a client-supplied team or side without matching it to server-known group state.
  4. Debit cost server-side or reject the request; do not rely on the Tactical menu's local ChangePlayerFunds.
  5. Log rejected attempts with side, UID/team if available and reason.

Validation:

  • Valid commander with required ICBM state can still launch.
  • Non-commander and wrong-side requests are rejected.
  • Bad _target, dead _target, wrong _base and out-of-range/invalid objects do not spawn NukeDammage.
  • BattlEye filter design still treats RequestSpecial as high-risk defense-in-depth, not as the main authority layer; see External integrations before claiming shipped filter coverage.

P1: Victory And Endgame

Canonical guide: Victory/endgame atlas. Raw evidence stays in Deep-review findings: DR-11 covers the winner inversion / persisted win-tally impact, and DR-36 owns the exact server_victory_threeway.sqf:23 guard/precedence mechanism, the no-break side loop, and the one-place fix shape. This roadmap keeps only the patch-order and validation gate.

Implementation route: patch the Chernarus source mission first, using Victory/endgame atlas for the safer patch shape and DR-36 for the exact condition/loop evidence. Keep the threeway-victory owner decision explicit, and cross-check DR-43 before touching duplicate LogGameEnd bindings around the same endgame path.

Validation:

  • One-side elimination logs exactly one winner.
  • Same-tick double elimination cannot broadcast/log twice.
  • All-towns victory records the intended winner.
  • Default victory mode still ends the mission; non-default victory mode behavior is explicitly tested or explicitly disabled.

P1: Economy Authority Class

Canonical evidence and flow table: Server authority migration map. First implementation sequence: Economy authority first cut.

Confirmed class: build, buy, sell, supply, upgrade, attack-wave, ICBM and gear/service paths are client-authoritative or payload-authoritative today. Do not patch them as seven unrelated bugs. Pick a server ledger model, then migrate flows in a consistent order.

Implementation strategy:

  1. Pick one ledger model before patching individual spend paths. Mixing partial server authority with old client authority can create new desync.
  2. Prefer server recomputation over trusting client-provided price, side, position, upgrade level or reward amounts.
  3. Keep client menus as affordance only; server owns final acceptance and debit.
  4. Add small INFORMATION logs for accepted high-value transactions and WARNING logs for rejected malformed/unauthorized requests.

Validation:

  • Test legitimate commander/player flows first, then forged/wrong-side payloads.
  • Validate both dedicated and hosted/listen paths where locality differs.
  • Run LoadoutManager after mission code changes; Chernarus source changes should propagate to vanilla Takistan except skip-list files.

P1: Direct Attack-Wave Authority

Dedicated playbook: Attack-wave authority. Use it before implementation; it records the DR-41 source chain and the current model where 25,000 supply is the minimum action gate while the wave spends all current side supply.

  1. Treat ATTACK_WAVE_INIT as a request, not as authoritative state.
  2. Re-derive side supply and discount inputs server-side from trusted side/town state; never use client _supply for price math.
  3. Validate requester side and any intended commander/support permission before starting an attack wave.
  4. Deduct the intended side-supply cost server-side or reject the request.
  5. Clamp the resulting price modifier/duration to sane ranges even after server recomputation.
  6. Keep ATTACK_WAVE_DETAILS broadcast behavior unless a JIP/replay audit proves a change is needed.

Validation:

  • Legitimate attack wave still starts and publishes expected details.
  • Forged exaggerated _supply cannot change discount, duration, length or cost; _supply >= 70000 cannot create free or negative-price units.
  • Wrong-side or non-authorized requester cannot activate the wave for the other side.
  • Late-join behavior remains unchanged or is explicitly documented.

P1: Supply Missions And PR #1

Dedicated playbook: Supply mission authority cleanup. It owns the implementation sequence for client-stamped truck state, server tracking loop, completion reward trust, DR-18 cooldown casing, dead twin code and PR #1 supply-helicopter stacked-handler risk. Use Supply mission architecture for the flow map and Deep-review findings DR-18 for the exact casing evidence.

Implementation shape:

  1. Remove or retire supplyMissionActive.sqf compile path.
  2. Standardize cooldown casing per DR-18.
  3. Recompute reward and source town server-side from trusted truck/town state where possible.
  4. Add explicit loaded/unloaded state to prevent duplicate tracking loops and PR #1 stacked Killed handlers.
  5. Narrow nearestObjects [(getPos _associatedSupplyTruck), [], 80] to the specific command-center terminal type.
  6. Keep the pull-based cooldown request/response pattern; it is the good JIP model here.

Validation:

  • Truck mission works once, twice and after vehicle reuse.
  • Destroyed supply vehicle pays interdiction once in PR #1.
  • JIP player querying cooldown gets current state.
  • Starter disconnect does not orphan completion tracking.

P2: Smaller Confirmed Fixes

Fix Source Validation
Commander vote AI/no-commander semantics Server_VoteForCommander.sqf:24-29,43 counts AI/no-commander votes but the final condition selects any non-tied player candidate; GUI_VoteMenu.sqf:87-89 can preview AI/no commander for a distribution the server assigns to a player. Owner decides plurality/majority/tie/no-commander rules, then smoke player-majority, no-commander-majority, equal-vote, player-candidate tie and RequestCommanderVote restart cases.
Factory empty-vehicle queue leak Client_BuildUnit.sqf early empty-vehicle exitWith skips normal WFBE_C_QUEUE decrement. Buy repeated crewless vehicles; queue cap returns to normal after each build attempt.
Factory FIFO token/broadcast churn Client_BuildUnit.sqf uses random token and broadcasts queu mutations. Multiple simultaneous buyers cannot collide; queue UI remains correct.
Salvage payout function casing Client/Module/Skill/Skill_Salvage.sqf:38 and Client/FSM/updatesalvage.sqf:50 call ChangePlayerfunds, while Client/Init/Init_Client.sqf:53,91 compiles ChangePlayerFunds. Patch source Chernarus and maintained Vanilla casing first, then smoke manual engineer salvage and salvage-truck payout for one valid wreck before larger salvage authority work.
Town AI occupied-vehicle despawn server_town_ai.sqf:211-216 deletes inactive town-AI vehicles based on !(isPlayer leader group _x) without checking crew/cargo/turret occupants. Vehicles with any player occupant survive despawn while empty AI-only vehicles are still cleaned.
WASP marker monitor busy-spin WASP/global_marking_monitor.sqf:62 polls display without sleep for up to 2 seconds. Replace with throttled wait style like sibling :80; verify map double-click prefix still works.
MASH markers Client receiver commented and trigger never sent. Either remove dead code or revive with server-held marker list, unique names and JIP replay. See Abandoned feature revival.
Paratrooper markers Source Chernarus and maintained Vanilla now register HandleParatrooperMarkerCreation and ship the handler; modded eden/lingor/Napf still advertise/register the callback without shipping the handler file. Arma-smoke a support drop for source/Vanilla marker creation and decide whether divergent modded folders should copy the handler or drop the registration. Paratroop drop itself remains server-owned.
HC delegation/failover DR-42: Client_DelegateAIStaticDefence.sqf:28 has update-back send commented; town-AI delegation still reports through update-town-delegation; DR-21 covers missing HC disconnect re-delegation. Decide whether static-defense delegation is intentionally one-way, then restore update-back/handler or retire stale code; add HC work records before implementing disconnect failover.
Hosted FPS monitor loop DR-19 duplicate is source + Vanilla propagated: both FPS publishers now exit on hosted/listen before their loops while dedicated publishing remains every 8 seconds. Arma-smoke dedicated RHUD/server FPS publishing plus hosted/listen no-spin behavior before closing release readiness; do not re-patch as still-open source work.
Generated version.sqf target-root gap DR-43a current state: description.ext and initJIPCompatible.sqf include version.sqf; local ignored generated files exist for Chernarus and Vanilla Takistan, but Git does not track them. Keep explicit pre-pack/pre-test checks for clean checkouts, generated Vanilla and any supported modded target; do not treat local Chernarus presence as proof every mission root is packable.
Init_Server.sqf duplicate binds DR-43 corrected re-check: live duplicates for LogGameEnd, PlayerObjectsList and AwardScorePlayer; commented duplicate remnants for AFK kick, server FPS and MASH marker. De-duplicate live binds and annotate/remove remnants; coordinate LogGameEnd cleanup with DR-13/DR-36.

Branching And Review Discipline

  • One patch branch per work package is preferred: hardening/pvf-dispatch, hardening/icbm-authority, hardening/victory-endgame, hardening/supply-missions.
  • Do not combine mission hardening with docs-only navigation work.
  • For every gameplay patch, update Feature status, Codebase coverage ledger, Agent worklog and agent-context.json.
  • If Claude is active, leave a claim/handoff in agent-collaboration.json and agent-events.jsonl before touching shared authority code.

Economy first-cut handoff: Economy authority first cut recommends side-supply-clamp before upgrade/construction authority migrations and before any player-buy locality redesign. Keep exact DR-6 construction proof in Deep-review findings, with runtime flow in Construction and CoIn systems atlas.

Continue Reading

Previous: Feature status | Next: Server authority migration map

Main map: Home | Fast path: Quickstart | Agent file: agent-context.json

Sidebar

Clone this wiki locally