# Codebase Concerns

**Analysis Date:** 2026-05-01

This is a brownfield preservation/reverse-engineering archive for **Brand New Online (BNO)** — a 2008–2014 GameMaker 5.3a fan multiplayer game built around the *Mega Man Battle Network* universe, plus an abandoned 2014–2017 Unity port. The repository is a forensic dump of files pulled from two creator-owned drives on 2026-05-01 (per `legacy/README.md`). Nothing here is a maintained product. The concerns below reflect that reality — most are *inherent* to the preservation goal but must be acknowledged before any portion of this repo is published, distributed, or used as a basis for a successor project.

---

## Legal / IP Risk

### Unlicensed derivative work of Capcom IP (the entire game)
- Issue: BNO is a fan game derived directly from Capcom's *Mega Man Battle Network* / *Rockman.EXE* franchise. Asset filenames, sprites, music, and game mechanics openly trade on this — `Battle Network Insignia.psd`, `mmbn-logo.jpg`, `Battle Network Loading Image*.psd`, `MMBN5HeroThemeGM.mid`, `cyberworld.mid`, `EXE1Den.mid`, `hm-exe3wwwtheme.mid`, `Megaman.fbx` (Maya/Unity rig), and the entire `Navi Sprites/` directory.
- Files: `legacy/source-archive/BNO/Battle Network Insignia*.psd`, `legacy/source-archive/BNO/mmbn-logo.jpg`, `legacy/source-archive/BNO/Pre Background - BNO*.{psd,jpg,png}`, `legacy/source-archive/BNO/Navi Sprites/`, `legacy/audio/bno-songs/*.mid`, `legacy/maya-project/scenes/`, `legacy/unity-project/Assets/_Models/`.
- Impact: Public redistribution exposes the maintainer to DMCA takedown and potential legal action from Capcom (which has historically pursued MMBN fan projects). Even the wiki and decomp pipeline risk being treated as circumvention tooling targeting infringing material.
- Fix approach: Keep the repo private. If any portion is to be released, segregate (a) original code/scripts authored by the BNO team, (b) clearly Capcom-derived assets, and (c) the RE pipeline notes. Strip Capcom-derived assets before publication. Do not publish the MIDI files, sprites, or logos under any "open source" claim — the 2014 "Open-Source Release" label only covers the original team's code, not Capcom's IP embedded in it.

### Pirated / cracked third-party software committed to the archive
- Issue: Two clearly warez-tagged distributions are checked in:
  1. **GameMaker 5.3a IDE** with `registration.txt` containing `Name: PARADOX / S/N: 6C23C2497DE7D40D` — PARADOX is a known scene/warez group; this is a cracked registration for commercial-era GameMaker.
  2. **RealVNC Enterprise Edition 4.4.2 (Keygen by ZWT)** — full installer + a keygen executable. ZWT ("Zero Waiting Time") is a known warez group.
- Files: `legacy/open-source-release-extras/Game Maker 5.3a/gmaker5.3a.zip`, `legacy/open-source-release-extras/Game Maker 5.3a/registration.txt`, `legacy/servers/local-current/RealVNC Enterprise Edition 4.4.2 (Keygen by ZWT)/RealVNC Enterprise 4.4.2 (x86 & x64) Setup.exe`, `legacy/servers/local-current/RealVNC Enterprise Edition 4.4.2 (Keygen by ZWT)/RealVNC Enterprise 4.4.2 Keygen.exe`.
- Impact: Distribution of cracked commercial software is unambiguous copyright infringement and (for the keygen) likely violates anti-circumvention provisions (DMCA §1201, EU InfoSoc Directive Art. 6). The keygen `.exe` is also high-malware-risk by provenance — many scene keygens contain bundled droppers.
- Fix approach: **Delete both directories before any publication or syncing to a remote.** They have no preservation value to BNO itself — the GM 5.3a IDE is needed for repro, but legitimate licensed copies should be sourced (the engine was made freeware by YoYo Games circa 2007, but the cracked 5.3a registration in the archive predates that and is a different SKU). The VNC bundle is purely incidental to the server admin's workflow and contributes nothing to BNO. Quarantine the keygen `.exe` immediately; do not execute it.

### Third-party `.dll` of uncertain license
- Issue: `39dll.dll` (the 39ster TCP/IP GameMaker extension) is redistributed in every server snapshot. Its original license terms are unclear: it is a community-distributed DLL with no accompanying license file.
- Files: `legacy/open-source-release/39dll.dll`, `legacy/servers/{enlyzeam-current,enlyzeam-archive,local-current/BNO_Server}/39dll.dll`, `legacy/servers/enlyzeam-current/BNO Data/39dll.dll`.
- Impact: Low (this DLL was explicitly distributed for use in GameMaker games), but worth a license audit if anything is republished.
- Fix approach: Locate original 39dll readme/license; document under the archive root. If unrecoverable, mark as "redistributed as-found, license unknown."

### Embedded third-party audio
- Issue: `legacy/audio/quotes/Zig Zag or Joog Jaug_.mp3` is attributed to "Brandon Smith" in `legacy/README.md` — unclear whether this is the BNO creator (use rights granted) or an unrelated third party.
- Files: `legacy/audio/quotes/Zig Zag or Joog Jaug_.mp3`.
- Impact: Low if creator-authored, moderate otherwise.
- Fix approach: Confirm authorship with the original creator before any publication.

---

## Bit Rot / Dead Tech

### GameMaker 5.3a — abandoned 22+ years
- Issue: GameMaker 5.3a (2003–2004 era) is the core engine for every BNO build except the Unity port. The IDE is GUI-only, Delphi-5-compiled, no headless build, no CLI. It targets Windows XP-era APIs and runs unreliably on modern Windows 10/11 without compatibility shims. The vendor (originally Mark Overmars / YoYo Games, now Opera) abandoned the 5.x line in 2007.
- Files: All `.gmd`, `.gb1`, `.exe` files under `legacy/source-archive/`, `legacy/open-source-release/`, `legacy/servers/`.
- Impact: No greenfield development is possible without either (a) running 5.3a in a Windows XP VM, or (b) executing the full RE pipeline in `decomp/wiki/` to recover sources and port forward. Any "fix it in the IDE and republish" workflow is fragile.
- Fix approach: Establish a Windows XP VM as the canonical IDE host *before* attempting any modification. Document VM image provenance. Long-term: complete `.gmd` extraction per `decomp/wiki/15-extraction-pipeline.md` and migrate to a modern GML port or full rewrite.

### Unity port — abandoned 2017, Unity 5.x
- Issue: `legacy/unity-project/` was last modified May 2017 and uses Unity 5.x APIs (e.g., `Network.Connect`/`OnConnectedToServer` — the **deprecated UNet stack**, removed in Unity 2018.4+). It will not open cleanly in any current Unity Editor without significant migration. The `Library/` cache is checked in (138 MB of `.pdb` debug, 324 MB total).
- Files: `legacy/unity-project/Assets/_Scripts/Networking/NetMenu.cs` (uses `Network.Connect`), `legacy/unity-project/Library/`, `legacy/unity-project/Test Builds/Windows/player_win_x86.pdb` (127 MB), `legacy/unity-project/Test Builds/Windows/player_win_x86_s.pdb` (19 MB).
- Impact: Dead code branch. The Unity port has 11 `.cs` scripts total, 3 scenes, 1 `.fbx`, and 138 MB of debug binaries — the asset/build ratio strongly suggests it never reached playable parity with the GM original.
- Fix approach: Treat as reference-only. Do not attempt to revive — the GM source is more authoritative. If a successor is wanted, plan a fresh port.

### Maya project — Maya version unknown, 2014–2016
- Issue: `legacy/maya-project/scenes/`, `workspace.mel`, `images/`, `sourceimages/` — Maya binary scenes (`.ma`/`.mb`) are version-locked to the Maya release that wrote them. No version metadata is captured in `legacy/README.md`. Autodesk Maya licensing is also non-trivial (commercial subscription).
- Files: `legacy/maya-project/`.
- Impact: Re-opening the rig may require sourcing the exact Maya version from 2014–2016. The `.fbx` exports in `unity-project` are the only reliably portable artifacts.
- Fix approach: Inspect a `.ma` file header to identify Maya version, document it. Treat `.fbx` as the canonical export. Do not assume Maya files are editable today.

### Dropbox-era "conflicted copy" pollution
- Issue: 152 files under `legacy/unity-project/` carry `(BNO Successor's conflicted copy YYYY-MM-DD)` in their filenames. These are Dropbox sync collisions from 2014-12-20 and 2015-01-09. There is no clear "winner" file.
- Files: Globally `legacy/unity-project/**/*conflicted copy*` (152 matches in `.csproj`/`.sln` alone, more elsewhere).
- Impact: Choosing the canonical version of any given file requires manual inspection of timestamps and contents. Risks importing stale logic.
- Fix approach: If the Unity port is ever revived, run a dedup pass: keep the file *without* `conflicted copy` in its name as canonical, archive the rest.
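
An added example of that dedup pass (not part of the BNO archive or its tooling). It goes one step past the filename rule by comparing each conflicted copy with the marker-free file beside it, so copies that differ or have no canonical twin are surfaced for manual review; the function names and the constructed tree in `demo()` are hypothetical.

```python
import filecmp
import re
import tempfile
from pathlib import Path

# Marker format as quoted in the audit: "(BNO Successor's conflicted copy YYYY-MM-DD)".
MARKER = re.compile(
    r" \((?P<owner>[^()]+)'s conflicted copy (?P<date>\d{4}-\d{2}-\d{2})\)"
)


def canonical_name(name):
    """Strip the Dropbox marker; return (canonical_name, date) or None if absent."""
    match = MARKER.search(name)
    if match is None:
        return None
    return name[:match.start()] + name[match.end():], match.group("date")


def classify_conflicts(root):
    """Classify each conflicted copy against the marker-free file beside it."""
    root = Path(root)
    report = {"identical": [], "differs": [], "no_canonical": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        parsed = canonical_name(path.name)
        if parsed is None:
            continue  # not a conflicted copy
        base, date = parsed
        canonical = path.with_name(base)
        rel = path.relative_to(root).as_posix()
        if not canonical.is_file():
            # Nothing to fall back on: this copy may be the only version.
            report["no_canonical"].append((rel, date))
        elif filecmp.cmp(path, canonical, shallow=False):
            # Byte-identical to the canonical file: safe to archive.
            report["identical"].append((rel, date))
        else:
            # Contents diverge: needs a human decision before archiving.
            report["differs"].append((rel, date))
    return report


def demo():
    """Classify a constructed tree; file names and contents are made up."""
    who = "BNO Successor"
    with tempfile.TemporaryDirectory() as tmp:
        assets = Path(tmp) / "Assets"
        assets.mkdir()
        (assets / "Alpha.cs").write_text("same")
        (assets / f"Alpha ({who}'s conflicted copy 2014-12-20).cs").write_text("same")
        (assets / "Beta.cs").write_text("newer logic")
        (assets / f"Beta ({who}'s conflicted copy 2015-01-09).cs").write_text("stale logic")
        (assets / f"Gamma ({who}'s conflicted copy 2015-01-09).cs.meta").write_text("x")
        return classify_conflicts(tmp)


if __name__ == "__main__":
    for bucket, entries in demo().items():
        print(bucket, entries)
```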

### Source-archive duplicates and `.zip` redundancies
- Issue: `legacy/source-archive/BNO/BNO_C5-3.zip`, `BNO_C5-6.zip`, `BNO_Server 4-12-09.zip` are zipped snapshots that almost certainly contain files already present elsewhere in the tree. `take-a-break.exe` in the source archive is unidentified.
- Files: `legacy/source-archive/BNO/*.zip`, `legacy/source-archive/BNO/take-a-break.exe`.
- Impact: Low; bloats repo, may shadow newer files.
- Fix approach: Compute zip vs disk diffs; remove zips if fully subsumed. Identify or delete `take-a-break.exe` (its name plus mystery-`.exe` provenance is mildly suspicious — scan it).

---

## Build Reproducibility

### Nothing in this repo builds today, end-to-end
- Issue: There is no build system, no `Makefile`, no `package.json`, no CI config, no scripted reproduction path. The GM 5.3a IDE has no CLI. The Unity project targets a Unity version that no longer exists. The Maya project requires an unspecified Maya version. The `.gitignore` is one line (`legacy/`), so even the *legacy archive itself is excluded from version control* — meaning if this repo were committed and cloned fresh, none of the actual content would come along.
- Files: `.gitignore` (only contains `legacy/`), absence of any build manifest.
- Impact: Anyone picking this up cold cannot produce any artifact. The repo is a museum, not a project.
- Fix approach:
  1. Decide whether `legacy/` is canonical content (then **remove it from `.gitignore`** and commit it — current state means a clone is empty) or whether it's intentionally local-only (then document where the canonical copy lives, e.g. a sibling git-lfs repo or external archive).
  2. Add a `BUILD.md` covering: (a) GM 5.3a VM setup, (b) Unity 5.x archived editor download, (c) Maya version requirement, (d) the `decomp/` pipeline as the recommended path forward.

### Hard-coded developer paths and personal domain
- Issue: `legacy/unity-project/Assets/_Scripts/Networking/NetMenu.cs` line 6 hard-codes `connectionIP = "decidel.com"` (a personal domain belonging to the repo owner). The 2021 source provenance note (`legacy/servers/enlyzeam-current/,2021_Note_About_Sources.txt`) references absolute drive paths `UHREMUARRE/BNO_Server/`, `FRAGZON/BNO Official Server/`. Server admin keybind code (`legacy/servers/enlyzeam-current/Ctrl+O Codes.txt`) embeds GML referencing the live `server` object.
- Files: `legacy/unity-project/Assets/_Scripts/Networking/NetMenu.cs:6`, `legacy/servers/enlyzeam-current/,2021_Note_About_Sources.txt`, `legacy/servers/enlyzeam-current/Ctrl+O Codes.txt`.
- Impact: Reproduction requires either resurrecting `decidel.com` on port 49009, or patching the Unity client. Provenance notes are non-actionable for anyone other than the original author.
- Fix approach: Externalize the IP/port (Unity `PlayerPrefs` or a config asset). Document drive aliases (UHREMUARRE = enlyzeam, FRAGZON = local) in `legacy/README.md` — already partially done.

### Test/debug binaries treated as build artifacts but no source recipe
- Issue: `Test Builds/`, `BNO Master Files (J)/`, multiple `Old Account Updater.exe` / `Old Accounts Reloader.exe` exist as standalone `.exe` with no clearly paired `.gmd` source for some (e.g., `Account Updater.exe`). The `Crasher.exe` / `Crasher (Test With Server Saver).exe` pair has no documented source.
- Files: `legacy/servers/enlyzeam-current/{Account Updater.exe,Accounts Reloader.exe,Old Account Updater.exe,Old Accounts Reloader.exe,Crasher.exe,Server Saver.exe,Server Saver (Old).exe}`, `legacy/open-source-release/{Crasher (Test With Server Saver).exe,Server Saver.exe}`.
- Impact: These executables are runtime-only. If they break, no source-level fix is possible without first running the RE pipeline against each.
- Fix approach: Inventory which `.exe` files have a matching `.gmd`/`.gb1` and which are source-orphan. For the orphans, queue them for `gmd-recovery` extraction.

---

## Security

### Plaintext player credentials checked into the archive (CRITICAL)
- Issue: `localList.txt` and `remoteList.txt` are paired files where alternating lines are **(username, plaintext password)** for ~298 BNO player accounts. Examples include obviously-real passwords like `harrypotter`, `johncena1`, `ilovepizza`, `123456`, `0987654321`, dates of birth (`19900415`, `081891`, `230172`), and patterns matching common password reuse (`d3u5G1`, `7QNbbc1bB$`, `gZ7cs31w`, `1a371b8582`).
- Files:
  - `legacy/servers/enlyzeam-current/localList.txt` (597 lines, ~298 accounts)
  - `legacy/servers/enlyzeam-current/remoteList.txt` (597 lines — appears identical to local)
  - `legacy/servers/enlyzeam-archive/localList.txt`, `remoteList.txt`
  - `legacy/servers/local-current/BNO_Server/localList.txt`, plus likely `remoteList.txt`
  - `legacy/source-archive/BNO/BNO_Server/localList.txt`, `remoteList.txt`
  - Per-user state in `legacy/servers/*/UserData/{HXB,Inv,MB_News}/*.bnu` (~299 accounts × 3 files each)
- Impact: **Severe.** Many of these passwords are likely still in use by the same individuals on other services (password reuse rate ~60%+). If this repo is ever pushed to a public remote, every listed user is materially exposed. The credentials predate any consent for archival publication. Violates GDPR (if any EU users), CCPA, and basic ethical handling of PII.
- Fix approach:
  1. **Immediately confirm `legacy/` is git-ignored** (it currently is — `.gitignore` excludes `legacy/`) and that nothing has been committed historically. Verify with `git log --all -- legacy/`.
  2. Before any publication of `legacy/servers/*`, redact `localList.txt`/`remoteList.txt` (replace passwords with `[REDACTED]`) and overwrite `*.bnu` user-state files or strip identifying fields.
  3. Consider whether the username list itself constitutes PII worth retaining. For preservation purposes, hashing the usernames (SHA-256, no salt issue since list is a one-way archive) preserves account count/structure without exposing handles.
  4. If publishing is *not* planned, document the sensitivity in `legacy/README.md` and ensure backups are encrypted.
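
An added sketch of the redaction in steps 2 and 3 (not code from the BNO archive or its tooling), assuming the alternating username/password layout described above. It swaps the bare SHA-256 for HMAC-SHA-256 under a random key that is discarded after the run, because unkeyed hashes of short handles can be matched by hashing guesses; the function names and the `user-` prefix are hypothetical.

```python
import hashlib
import hmac
import secrets

REDACTED = "[REDACTED]"

# Constructed sample in the alternating username/password layout; none of
# these values come from the archive. The audit reports 597 lines, an odd
# count, so the sample ends with an unpaired line as well.
SAMPLE = (
    "navi_fan01\nconstructed-pass-1\n"
    "NetOp_Two\nconstructed-pass-2\n"
    "stray-line\n"
)


def pseudonymize(handle, key):
    """Keyed digest of a handle: stable for one key, unguessable without it."""
    mac = hmac.new(key, handle.encode("utf-8"), hashlib.sha256).hexdigest()
    return "user-" + mac[:16]


def redact_credential_list(text, key=None):
    """Redact an alternating username/password list.

    Returns (redacted_text, report). Even-indexed lines are treated as
    usernames and replaced by pseudonyms; odd-indexed lines are passwords and
    are replaced by REDACTED. A trailing unpaired line is redacted as well,
    since it cannot be told apart from a password.
    """
    if key is None:
        key = secrets.token_bytes(32)  # never stored, so there is no way back
    lines = text.splitlines()
    out = []
    report = {"accounts": 0, "unpaired_lines": 0}
    for i in range(0, len(lines), 2):
        if i + 1 >= len(lines):
            out.append(REDACTED)  # fail closed on the leftover line
            report["unpaired_lines"] += 1
            break
        out.append(pseudonymize(lines[i], key))
        out.append(REDACTED)
        report["accounts"] += 1
    return "\n".join(out) + ("\n" if out else ""), report


def leaked_lines(original, redacted):
    """Return original lines that survive verbatim in the redacted output."""
    kept = set(redacted.splitlines())
    return [line for line in original.splitlines() if line and line in kept]


if __name__ == "__main__":
    redacted, report = redact_credential_list(SAMPLE)
    print(redacted, report, leaked_lines(SAMPLE, redacted))
```

The output keeps the line count and account structure of the input, so the redacted file can replace the original in each snapshot without changing its shape.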

### Server runs arbitrary clipboard code as superuser
- Issue: `legacy/open-source-release/,ServerCommands.txt` documents that `Ctrl+E` on the server console "executes whatever code is currently stored in the clipboard," and `Ctrl+???` sends clipboard code to a highlighted player to be executed on their client. `Ctrl+Q` shows the value of any variable named in the chat input field. There is no auth wall on these — anyone with physical/RDP access to the server console has full GML execution on every connected client.
- Files: `legacy/open-source-release/,ServerCommands.txt`, `legacy/servers/enlyzeam-current/Ctrl+O Codes.txt`.
- Impact: Wide-open RCE-by-design from server console to clients. If the server host is compromised, every active client is too.
- Fix approach: Document loudly. If the server is ever brought back online, never expose the host machine over RDP/VNC without strong auth — note that the cracked RealVNC bundle (above) suggests this *was* the historical access pattern, which compounds the risk.

### Admin/config credentials in plaintext
- Issue: `legacy/servers/enlyzeam-current/Settings.bno` (and `MSettings.bno`) appear to contain plaintext admin credentials (`Jarhead111` / `bahoobutt`) and the server bind address `127.0.0.1`.
- Files: `legacy/servers/enlyzeam-current/Settings.bno`, `legacy/servers/enlyzeam-current/MSettings.bno`, equivalents in other server snapshots.
- Impact: Same plaintext-credential exposure as above, but for the privileged server-admin account.
- Fix approach: Redact before publication.

### No transport encryption
- Issue: 39dll-based traffic is raw TCP/UDP byte streams — no TLS, no per-message MAC. Documented in `decomp/wiki/08-39dll-networking.md`.
- Files: `legacy/open-source-release/39dll.dll` and the GML scripts that wrap it.
- Impact: Historical only — no production server runs today. Noted for any successor.

### Gigabytes of debug symbols shipped with binaries
- Issue: `legacy/unity-project/Test Builds/Windows/player_win_x86.pdb` (127 MB) and `player_win_x86_s.pdb` (19 MB) are full Unity engine PDBs. They expose internal symbol layout for the engine and the test build.
- Files: `legacy/unity-project/Test Builds/Windows/*.pdb`.
- Impact: Low (the test build has no live deployment to attack), but they bloat the repo by ~140 MB and are typical "should never have been shipped" artifacts.
- Fix approach: Delete from any public mirror. Keep locally only if needed for symbolicating crash dumps from the abandoned port (unlikely value).

### Unverified executables of uncertain provenance
- Issue: Multiple `.exe` files exist with no clear source paper trail — `take-a-break.exe`, `Crasher.exe`, the RealVNC keygen, `Old Account Updater.exe`, etc. These were pulled from a personal machine via Everything HTTP/ETP server (per `legacy/README.md`) but have not been scanned.
- Files: see "Fix approach" below.
- Impact: Unknown malware risk. The keygen specifically (warez group ZWT) has a high prior probability of carrying bundled droppers.
- Fix approach: Run all `.exe` files in the archive through a current AV / VirusTotal scan before any execution. Quarantine `legacy/servers/local-current/RealVNC Enterprise Edition 4.4.2 (Keygen by ZWT)/RealVNC Enterprise 4.4.2 Keygen.exe` immediately.
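
An added example (not part of the BNO archive or its tooling) that serves both this scan step and the source-orphan inventory under Build Reproducibility: it hashes every `.exe` without executing it, groups identical copies so each is scanned once, and flags executables with no paired source. Pairing by same folder and same stem with a `.gmd` or `.gb1`–`.gb9` suffix is an assumption of this example, as are the function names and the constructed tree in `demo()`.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

# Assumption: a build's source shares the executable's stem in the same folder.
SOURCE_SUFFIXES = {".gmd"} | {f".gb{n}" for n in range(1, 10)}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks; the file is only read, never executed."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def inventory_executables(root):
    """List every .exe under root with its hash, PE check and source pairing."""
    root = Path(root)
    rows = []
    exes = (p for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".exe")
    for exe in sorted(exes):
        stem = exe.stem.lower()
        paired = sorted(
            sib.name for sib in exe.parent.iterdir()
            if sib.is_file() and sib.stem.lower() == stem
            and sib.suffix.lower() in SOURCE_SUFFIXES
        )
        with open(exe, "rb") as fh:
            looks_like_pe = fh.read(2) == b"MZ"  # DOS/PE magic bytes
        rows.append({
            "path": exe.relative_to(root).as_posix(),
            "sha256": sha256_file(exe),
            "looks_like_pe": looks_like_pe,
            "sources": paired,
            "source_orphan": not paired,
        })
    return rows


def group_by_hash(rows):
    """Map each distinct hash to its paths so identical copies are scanned once."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["sha256"]].append(row["path"])
    return dict(groups)


def demo():
    """Run the inventory over a constructed tree (names and bytes are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "snap-a").mkdir()
        (root / "snap-b").mkdir()
        (root / "snap-a" / "Tool.exe").write_bytes(b"MZ constructed tool")
        (root / "snap-a" / "Tool.gmd").write_bytes(b"constructed source")
        (root / "snap-a" / "Mystery.exe").write_bytes(b"MZ constructed mystery")
        (root / "snap-b" / "Tool.exe").write_bytes(b"MZ constructed tool")
        (root / "snap-b" / "notes.EXE").write_bytes(b"plain text, wrong extension")
        rows = inventory_executables(root)
        return rows, group_by_hash(rows)


if __name__ == "__main__":
    rows, groups = demo()
    for row in rows:
        print(row)
    print(len(groups), "distinct binaries to scan")
```

The resulting hash list can be checked against an AV or reputation service by hash lookup, which avoids uploading or running the files.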

---

## Data Integrity

### Binary `.gmd` / `.gb1` blobs are the only source for most builds
- Issue: GameMaker `.gmd` is a monolithic obfuscated binary (per `decomp/wiki/03-gmd-format.md`). Until extracted, scripts are unreadable. `.gb1`–`.gb9` are byte-identical IDE auto-backups (`decomp/wiki/14-gb1-backups.md`) — useful as rotation history but still binary.
- Files: All `*.gmd`, `*.gb1` under `legacy/source-archive/`, `legacy/open-source-release/`, `legacy/servers/*/`.
- Impact: No diff'able history exists. Filename-versioning (`5-2`, `5-2 DEBUG`, `5-6 TSide Revamp`) is the only changelog. No `git blame` is possible until extraction.
- Fix approach: Run the extraction pipeline (`decomp/wiki/15-extraction-pipeline.md`) against every `.gmd`/`.gb1` to land plaintext GML in the repo. Then rebuild a synthetic version history by ordering extracted scripts chronologically.

### Lossy decompilation risk for DnD action blocks
- Issue: GameMaker 5.3a serializes Drag-and-Drop visual blocks as binary action nodes, *not* as GML strings (`decomp/wiki/04-dnd-serialization.md`). Decompilation back to GML is a translation, not a recovery — comments are lost, formatting is invented, and any DnD-specific semantics that don't map cleanly to GML may be approximated. LateralGM is the standard parser but its 5.3a fidelity is not guaranteed.
- Files: All `.gmd` files (DnD usage varies by build).
- Impact: Decompiled scripts will not byte-round-trip. "Original" formatting is unrecoverable.
- Fix approach: For each extracted `.gmd`, also retain the raw binary alongside the decompiled GML. Treat the binary as canonical, decompiled GML as a derived view.

### Dead/orphaned snapshot data — `User_DB_Superweird.bnu`, `User_DBUpdated.bnu`
- Issue: Files in `legacy/servers/enlyzeam-archive/` named `User_DB_Superweird.bnu` and `User_DBUpdated.bnu` suggest historical data-corruption events or schema migrations. No documentation of what made one "superweird."
- Files: `legacy/servers/enlyzeam-archive/User_DB_Superweird.bnu`, `User_DBUpdated.bnu`.
- Impact: Unknown. Could be the only record of a specific dataset state, or could be junk.
- Fix approach: Inspect both files (they appear to be ASCII per the `.bnu` examples checked). Document or delete.

### Three drifted server snapshots with no merge plan
- Issue: `legacy/servers/{enlyzeam-current,enlyzeam-archive,local-current/BNO_Server}/` contain *overlapping but non-identical* server state. Per the 2021 note, `enlyzeam-current` has the most complete message-board logs, `local-current` (FRAGZON) ran more recently but lost some logs, `enlyzeam-archive` is older. Files like `MB_Log.bnb`, `UserData/MB_News/News_*.bnu`, `localList.txt` exist in all three with different contents.
- Files: All of `legacy/servers/`.
- Impact: No "ground truth" world state. Reconstructing a canonical snapshot requires a custom merge.
- Fix approach: If a definitive server state is needed, write a merge script that prefers the most recent timestamp per record. Otherwise document each snapshot's role and leave them parallel.

### `.bnu`/`.bno`/`.bnb` formats undocumented except as "read the GML"
- Issue: `.bnu` (per-user state), `.bno` (settings), `.bnb` (message board log) are bespoke formats. Per `decomp/wiki/16-bno-bnb-notes.md`, no external spec exists — the format *is* the call sequence in the GML. So all data integrity guarantees depend on first extracting the source.
- Files: `legacy/servers/*/UserData/**/*.bnu`, `legacy/servers/*/Settings.bno`, `legacy/servers/*/MSettings.bno`, `legacy/servers/*/MB_Log.bnb`.
- Impact: Cannot validate, repair, or migrate user data without the GML. A corrupt `.bnu` file will silently misload.
- Fix approach: Prioritize extracting the Master `5-4a` / `5-4` `.gmd` to produce a `.bnu` schema doc.

---

## Documentation Gaps

### What's well-documented
- `legacy/README.md` covers provenance, file layout, version history, mirror methodology, and known dedup decisions thoroughly.
- `decomp/wiki/` (18 files) is a comprehensive RE pipeline reference — overview, runner architecture, encryption, format specs, tool comparisons, ranked extraction methodology.
- `decomp/GameMaker 5.3a Reverse Engineering Pipeline.md` is the long-form source for the wiki.
- `legacy/open-source-release/,ServerCommands.txt` and `Ctrl+O Codes.txt` document admin keybinds.

### What's missing
- **No top-level `README.md`** at project root (`C:\Users\decid\Documents\projects\rebno\README.md` does not exist). A cold reader sees `decomp/`, `legacy/`, `.gitignore` and has no orientation. The only readme is two levels deep.
- **No `.gitignore` strategy doc.** Current `.gitignore` is a single line `legacy/` with no comment explaining *why* (preservation-of-PII? size? legal?). A future maintainer might "fix" this and accidentally commit credentials.
- **No `LICENSE` file** anywhere. The 2014 "Open-Source Release" labeling implies some intent, but no actual license is attached. Original team contributor identities are unclear.
- **No `CONTRIBUTORS` / `AUTHORS` file.** `Vance Serori`, `Saber Mage`, `Celysus`, `Brandon Smith`, `decidel` (the repo owner per `decidel.com` and the user data) are all referenced in scattered files. There's no consolidated record of who owns what code.
- **No goal statement.** Is `rebno` aiming to: (a) preserve as-is, (b) extract sources to plaintext, (c) build a successor? `decomp/wiki/` implies (b), `legacy/` implies (a), and Unity port implies (c) — but no document picks one.
- **No Windows XP VM setup doc** despite this being effectively required to run the IDE.
- **No environment-setup doc for the RE pipeline.** `decomp/wiki/15-extraction-pipeline.md` lists the four ranked tools but doesn't give "here is how to install GMD-Recovery on a modern machine" steps.
- **No incident playbook.** Given the credential exposure risk, there should be a "what to do if this leaks" doc.
- **No data dictionary** for `.bno` / `.bnu` / `.bnb` / `.gb1`. The wiki points at the GML as the canonical source, but no extracted schema exists yet — meaning anyone interpreting `Settings.bno` today is reading raw lines like `Jarhead111\nbahoobutt\n0.0E+0\n...` with no field-name context.
- **No version-history changelog** beyond the table in `legacy/README.md` and filename suffixes.
- **No `decomp/` README** at the level above the `wiki/` (the `Pipeline.md` is a long PDF-style document, not a navigable index — the wiki index in `decomp/wiki/README.md` partially fills this but a top-level `decomp/README.md` would orient newcomers).

### Recommended doc additions, ranked
1. Top-level `README.md` — orientation, goal, status, "do not publish without redaction" warning.
2. `LEGAL.md` — Capcom IP situation, cracked-software inventory to delete, plaintext-credentials inventory.
3. `BUILD.md` — VM setup, RE pipeline runbook.
4. `LICENSE` (or explicit "all rights reserved, preservation only").
5. `CONTRIBUTORS.md` — best-effort attribution.
6. Expand `.gitignore` with a comment block explaining the `legacy/` exclusion.

---

## Cross-cutting risk summary

| Risk | Severity | Triggered by |
|---|---|---|
| Capcom IP infringement | High | Any public publication |
| Plaintext player credentials leak | Critical | Any public publication, or git history mistake |
| Cracked software distribution | High | Any public publication |
| Cannot build/repro anything cold | High | Any new contributor |
| Keygen `.exe` malware risk | Medium | Anyone executing `legacy/servers/local-current/RealVNC*/RealVNC Enterprise 4.4.2 Keygen.exe` |
| GM 5.3a IDE unrunnable on modern Windows | Medium | Any source-edit attempt |
| Unity port unrevivable (Unity 5.x UNet) | Medium | Any "let's port this" attempt |
| Three divergent server snapshots, no canonical | Low–Medium | Any "restore the live world" attempt |
| Maya version unknown | Low | Any asset-rework attempt |

The single most urgent action is **confirm `legacy/` has never been committed to a remote and remove the cracked software / keygen executables from the working tree.** Everything else can be sequenced behind that.

---

*Concerns audit: 2026-05-01*
