---
mvp: no
subsystem: admin
status: anti-port-reference
---

# Admin Anti-Port Reference

> **WARNING — DO NOT PORT.** This document catalogues the original BNO admin model AS A FORCING FUNCTION, not as a specification. Per [CLAUDE.md hard rule #3](../../CLAUDE.md), the original "Ctrl+E run clipboard as superuser" admin pattern is a **remote code execution vulnerability in shipped product form** and must NEVER appear in the rebuild. Phase 7 PAR-07 replaces all admin functionality with a separate, authenticated web UI.

This document exists so Phase 7 (full parity) does not silently lose admin features by forgetting they existed. Every command listed below has a row marked **REJECTED-AS-PORTED** with the reason; the rebuild equivalent (or "drop entirely") goes in the rightmost column.

## Source files

Two files in `legacy/` document the original admin commands. They were operator scratchpads, not formal specs:

- **`legacy/open-source-release/,ServerCommands.txt`** — top-level command summary that ships with the open-source release. Lists 7 keybinds.
- **`legacy/servers/enlyzeam-current/Ctrl+O Codes.txt`** — operator code snippets. Free-form; each entry is a runnable GML expression that operators stuffed into the clipboard before pressing Ctrl+E.

## Commands from `,ServerCommands.txt`

| Command | Original behaviour | REJECTED-AS-PORTED reason | Rebuild equivalent |
|---------|-------------------|--------------------------|-------------------|
| **Type + send message** | Plain chat broadcast to all online players | Not admin per se — keep as the standard chat send. | Phase 4 server `chat-broadcast` event (CLI-08 MVP). |
| **Ctrl+E** | Execute whatever GML code is currently on the OS clipboard, with full game-process privileges. | **REJECTED-AS-PORTED** — RCE-as-a-feature. Trivially weaponisable: the clipboard is a shared OS resource, so anything that writes to it (browser autocomplete, password manager, virus) becomes admin. **No equivalent exists in the rebuild; do not invent one.** | Phase 7 PAR-07: separate authenticated admin web UI with explicit per-command forms. No GML-eval surface anywhere. |
| **Ctrl+Q** | Show the value of the current variable named in the chat input field. | **REJECTED-AS-PORTED** — exposes server internals to anyone holding admin keys (and "admin" in BNO == "anyone with the OS install"); also relies on clipboard-style GML eval. | Phase 7 PAR-07 admin UI: typed variable inspector with explicit allow-list of inspectable globals. |
| **Ctrl+9** | Pop a context menu of code-snippet templates that operate on the currently-selected player. Each option auto-fills the clipboard, which the operator then Ctrl+E's. | **REJECTED-AS-PORTED** — composes with Ctrl+E into a fully-templated RCE; if anything *worse* than raw Ctrl+E because new operators don't realise the snippet executes with full game-state authority. | Phase 7 PAR-07 admin UI: explicit per-action endpoints (`/admin/kick`, `/admin/mute`, `/admin/move-to`), each with a typed form. No code snippets, ever. |
| **Arrow Up / Arrow Down** | Navigate the player list in the admin command screen. | Not REJECTED — pure navigation. The admin UI just doesn't live in the game client anymore. | Phase 7 PAR-07 admin UI: HTML `<table>` with sortable columns. |
| **Ctrl+???** | Send the clipboard's GML code to a *highlighted* player to be executed on **their** client. | **DOUBLY REJECTED** — this is **client-side RCE inflicted by the server**. Anyone with admin keys can ship arbitrary code into another player's running game. Worst single feature of the original system. | Phase 7 PAR-07 admin UI: explicit moderation actions (kick / mute / shadow-ban / message). The remote-RCE channel is closed permanently. |
| **Ctrl+M** | View any of the existing message boards by number; visual themes ignored, only text shown. | Mild content-bypass risk (admin sees raw text without UI filtering); not a security primitive. | Phase 7 PAR-07 admin UI: paginated message-board viewer with search. |

## Commands / snippets from `Ctrl+O Codes.txt`

The Ctrl+O codes file is a free-form operator notebook. Examples include:

- **"Ctrl+A stores location, Ctrl+Alt+A sets to stored"** — operator self-teleport via stash/restore of `server.x, server.y` strings stuffed into `global.helpmsg`.
- **"Ctrl+A hexports dir facing, Ctrl+Alt+A exits"** — alternate-mode teleport variant that also flips `server.sprite_index` to `HexportOut` / `HexportIn`.
- **More reliable variants** of the same teleport that the operators iteratively improved.

Every entry is structurally a GML expression (`if(keyboard_check(vk_alt)) {execute_string(global.helpmsg);} else { ... }`) intended to be pasted into the clipboard and triggered with Ctrl+E.

| Pattern | Original behaviour | REJECTED-AS-PORTED reason | Rebuild equivalent |
|---------|-------------------|--------------------------|-------------------|
| **Stash / restore location** (`global.awesomefunction = "..."`) | Operator teleport — store coords, jump back to them. | **REJECTED-AS-PORTED** — composes with Ctrl+E. The mechanism (storing GML source in a global, then `execute_string`-ing it) is the entire RCE surface. | Phase 7 admin UI: `/admin/teleport-self` form with X / Y / zone fields; bookmarks stored in admin's account. |
| **Hexport-out / -in animation** (`server.sprite_index = HexportOut`) | Operator self-animation (skip the in-game hexport flow). | **REJECTED-AS-PORTED** — uses `execute_string`. | Drop entirely. Operators don't need a cosmetic animation bypass. |

The full file is small (~10-20 entries depending on operator). Phase 7 PAR-07 should treat it as a **list of features the rebuild must intentionally NOT provide**, not a backlog of features to deliver.

## Forcing function for Phase 7 PAR-07

This document is a **closed-list checklist**. PAR-07 implementation must:

1. Walk every row above and confirm the rebuild has **either** an explicit replacement (typed admin-UI endpoint) **or** an explicit "dropped intentionally" decision committed to the ADR.
2. Never add a code-eval surface to the rebuild. No `eval()`, no `Function(...)` constructors, no clipboard-driven actions, no remote code shipping.
3. Authenticate the admin web UI separately from the game client (different cookies / tokens / hostname). The admin UI is **NOT** part of the Phaser/Pixi game build.

Treat any new admin feature request as a security review, not a UX one.
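
One way to satisfy items 1 and 2 of the checklist, shown as an added example (not code from the rebuild or from the original BNO sources): a closed-list dispatcher for the typed admin actions plus an allow-listed variable inspector, with no code-eval path. The `session.adminAuthenticated` flag, the field bounds, the state shape and all function names are assumptions made for illustration.

```javascript
// Added example; all names below are hypothetical, not from the rebuild.
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isId = (v) => typeof v === "string" && /^[A-Za-z0-9_-]{1,32}$/.test(v);
const intIn = (lo, hi) => (v) => Number.isInteger(v) && v >= lo && v <= hi;

// Closed list of admin actions: typed fields plus a fixed handler each.
const ACTIONS = Object.freeze({
  kick: { fields: { playerId: isId },
          run: (s, a) => s.online.delete(a.playerId) },
  mute: { fields: { playerId: isId, minutes: intIn(1, 1440) },
          run: (s, a) => { s.muted.set(a.playerId, a.minutes); return true; } },
  "move-to": { fields: { playerId: isId, x: intIn(0, 4095), y: intIn(0, 4095) },
          run: (s, a) => { s.pos.set(a.playerId, [a.x, a.y]); return true; } },
});

// Allow-list of inspectable globals (typed replacement for Ctrl+Q).
const INSPECTABLE = Object.freeze({
  onlineCount: (s) => s.online.size,
  mutedCount: (s) => s.muted.size,
});

const fail = (error) => ({ ok: false, error });

function dispatchAdminAction(state, session, name, args) {
  // Assumption: session was verified by the admin UI's own auth layer.
  if (!session || session.adminAuthenticated !== true) return fail("unauthenticated");
  if (typeof name !== "string" || !own(ACTIONS, name)) return fail("unknown-action");
  if (args === null || typeof args !== "object" || Array.isArray(args)) return fail("invalid-args");
  const { fields, run } = ACTIONS[name];
  // Reject anything outside the typed form, e.g. a legacy-style code string.
  for (const k of Object.keys(args)) if (!own(fields, k)) return fail("unexpected-field:" + k);
  for (const k of Object.keys(fields)) {
    if (!own(args, k) || !fields[k](args[k])) return fail("invalid-field:" + k);
  }
  return { ok: true, result: run(state, args) };
}

function inspectVariable(state, session, name) {
  if (!session || session.adminAuthenticated !== true) return fail("unauthenticated");
  if (typeof name !== "string" || !own(INSPECTABLE, name)) return fail("not-inspectable");
  return { ok: true, value: INSPECTABLE[name](state) };
}

// Constructed sample state for running the example offline.
function sampleState() {
  return { online: new Set(["p1", "p2"]), muted: new Map(), pos: new Map() };
}
```

Adding an admin feature under this shape means adding one entry to `ACTIONS` with its validators, which gives the security review in the checklist a single place to look.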

## Scripts referenced in this subsystem

<!-- AUTOGEN:scripts:start -->
| Script ID | Name | Lines | Used in objects |
|-----------|------|-------|------------------|
<!-- AUTOGEN:scripts:end -->

## Objects referenced in this subsystem

<!-- AUTOGEN:objects:start -->
| Object ID | Name | Sprite | Mask | Events |
|-----------|------|--------|------|--------|
<!-- AUTOGEN:objects:end -->

## Engine functions used

<!-- AUTOGEN:gml-functions:start -->
| GML function | Call sites | Sample script | Wiki link |
|--------------|------------|---------------|-----------|
<!-- AUTOGEN:gml-functions:end -->

(Autogen tables are typically empty for this subsystem; this MD is documentation-only with no SUBSYSTEM-MAP entry. Phase 7 PAR-07 may attach scripts/objects here when designing the replacement admin UI.)

## See also

- [CLAUDE.md hard rule #3](../../CLAUDE.md) — "NEVER faithfully port 'Ctrl+E run clipboard as superuser'"
- [.planning/codebase/CONCERNS.md](../../.planning/codebase/CONCERNS.md) — broader legacy-archive risk register (plaintext credentials, IP exposure)
- [ui-and-menus.md](ui-and-menus.md) — Online_Command_Screen (Room 0007) is the original admin surface
- Phase 7 PAR-07 plan (TBA) — admin UI design + delivery
