---
mvp: yes
subsystem: parity
status: locked-end-of-phase-3
---

# Parity Feature Checklist — REBNO server

**LOCKED at end of Phase 3.** Phase 7 PAR-08 closes against this list — nothing not on this list is in v1 scope.

The canonical data lives in [./parity-checklist.json](./parity-checklist.json). This document is rendered from it via three AUTOGEN blocks driven by `tools/asset-catalog/src/autogen.ts`. Re-run with `pnpm catalog:server`. Do not hand-edit the AUTOGEN regions.

## Methodology

Per [Phase 3 RESEARCH §Pattern 5](../../.planning/phases/03-server-documentation-schemas/03-RESEARCH.md), the row enumeration walks five sources:

1. Every H2 heading in the SDOC-01 server subsystem MDs (`./account-auth.md`, `./chat.md`, `./persistence.md`, `./world-simulation.md`, `./room-management.md`, `./message-board.md`, `./packet-protocol.md`, `./client-server-bridge.md`).
2. Every H2 heading in the CDOC-01 client subsystem MDs (`../extracted-engine/client-networking.md`, etc.) that implies server work.
3. Every opcode in [./protocol.json](./protocol.json) — attributed or surfaced as a new row.
4. Every save-format / field group in [./save-formats.json](./save-formats.json) — attributed or surfaced as a new row.
5. Every operator keybind in [`legacy/open-source-release/,ServerCommands.txt`](../../legacy/open-source-release/) and every snippet in [`legacy/servers/enlyzeam-current/Ctrl+O Codes.txt`](../../legacy/servers/enlyzeam-current/) — each becomes a `rejected-with-reason` admin row with a `modernized_replacement` field per D-20.

The audit trail of the inventory walk lives at [tools/asset-catalog/data/parity-feature-inventory.md](../../tools/asset-catalog/data/parity-feature-inventory.md).

## Disposition keys (per D-18 / D-19)

- **`in-phase-6`** — Required for the CLI-08 MVP slice (movement + chat). Exactly 7 features, locked. Phase 6 ships these or Phase 6 does not ship.
- **`in-phase-7`** — Required for v1 ship parity. Phase 7 PAR-* closes against this set.
- **`deferred-stage-8`** — Acknowledged but explicitly post-v1 (legacy alt-login exemptions, niche flags, unrecovered semantics).
- **`rejected-with-reason`** — Original feature that is **NOT ported** because it violates server-authoritative discipline ([PITFALLS B1](../../.planning/research/PITFALLS.md)) or the CLAUDE.md hard rules (#2 plaintext passwords, #3 RCE-as-feature). Every row in this disposition has a non-empty `reason` field; admin keybinds also carry a `modernized_replacement` field per D-20.

The forcing-function shape is mirrored in [./admin-anti-port.md](./admin-anti-port.md) for admin-specific rejections.
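The disposition rules above can be enforced mechanically against the checklist data. The following is an added example, not the project's own tooling: only `reason`, `modernized_replacement` and `mvp` are named on this page, so the other JSON keys, the sample rows and the function name `checkParity` are assumptions. It also assumes that "carry a `modernized_replacement` field" means the key is present, with `null` allowed where a surface is deleted outright.

```typescript
// Added example, not project code. Keys other than `reason`,
// `modernized_replacement` and `mvp` are an assumed JSON shape.
const DISPOSITIONS: string[] = [
  "in-phase-6", "in-phase-7", "deferred-stage-8", "rejected-with-reason",
];

interface ParityRow {
  feature: string;      // assumed key
  subsystem: string;    // assumed key
  disposition: string;  // assumed key
  mvp: boolean;
  reason?: string;
  modernized_replacement?: string | null; // null: surface deleted, nothing replaces it
}

// Returns one message per violated rule; an empty array means the lock holds.
function checkParity(rows: ParityRow[], lockedMvpCount: number = 7): string[] {
  const problems: string[] = [];
  const seen: { [feature: string]: boolean } = Object.create(null);
  let mvpCount = 0;

  for (const row of rows) {
    if (seen[row.feature]) problems.push(`${row.feature}: duplicate row`);
    seen[row.feature] = true;

    if (DISPOSITIONS.indexOf(row.disposition) === -1) {
      problems.push(`${row.feature}: unknown disposition "${row.disposition}"`);
      continue;
    }

    // The MVP slice and the in-phase-6 disposition must describe the same rows.
    const inMvpSlice = row.disposition === "in-phase-6";
    if (inMvpSlice) mvpCount++;
    if (row.mvp !== inMvpSlice) {
      problems.push(`${row.feature}: mvp flag disagrees with disposition`);
    }

    if (row.disposition === "rejected-with-reason") {
      // A rejection without a written reason invites a quiet re-port later.
      if (!row.reason || row.reason.trim() === "") {
        problems.push(`${row.feature}: rejected row has empty reason`);
      }
      // Admin rejections must say what replaces them, even if that is "nothing".
      if (row.subsystem === "admin" && !("modernized_replacement" in row)) {
        problems.push(`${row.feature}: admin rejection lacks modernized_replacement`);
      }
    }
  }

  if (mvpCount !== lockedMvpCount) {
    problems.push(`in-phase-6 has ${mvpCount} rows, locked at ${lockedMvpCount}`);
  }
  return problems;
}

// Constructed sample rows: feature names come from this page, the shape is assumed.
const SAMPLE_ROWS: ParityRow[] = [
  { feature: "chat-public", subsystem: "chat", disposition: "in-phase-6", mvp: true },
  { feature: "heartbeat", subsystem: "client-server-bridge", disposition: "in-phase-6", mvp: true },
  { feature: "login", subsystem: "account-auth", disposition: "in-phase-6", mvp: true },
  { feature: "login-response", subsystem: "account-auth", disposition: "in-phase-6", mvp: true },
  { feature: "movement", subsystem: "world-simulation", disposition: "in-phase-6", mvp: true },
  { feature: "room-join", subsystem: "room-management", disposition: "in-phase-6", mvp: true },
  { feature: "room-leave", subsystem: "room-management", disposition: "in-phase-6", mvp: true },
  { feature: "logout", subsystem: "account-auth", disposition: "in-phase-7", mvp: false },
  { feature: "admin-ctrl-e-clipboard-rce", subsystem: "admin",
    disposition: "rejected-with-reason", mvp: false,
    reason: "RCE-as-feature", modernized_replacement: null },
];

// Constructed failure case: scope creep into the MVP slice plus an
// undocumented admin rejection.
const BROKEN_ROWS: ParityRow[] = SAMPLE_ROWS.concat([
  { feature: "whisper-private-chat", subsystem: "chat", disposition: "in-phase-6", mvp: true },
  { feature: "cmd-run-shell-out", subsystem: "admin",
    disposition: "rejected-with-reason", mvp: false, reason: " " },
]);

console.log(checkParity(SAMPLE_ROWS));
console.log(checkParity(BROKEN_ROWS));
```

Run as a CI step after `pnpm catalog:server`, a non-empty result should fail the build so that scope changes go through the JSON and its review rather than slipping in unnoticed.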

## Aggregate counts

<!-- AUTOGEN:parity-counts:start -->
| Disposition | Count |
|-------------|-------|
| `in-phase-6` | 7 |
| `in-phase-7` | 36 |
| `deferred-stage-8` | 9 |
| `rejected-with-reason` | 17 |
| **Total** | **69** |
<!-- AUTOGEN:parity-counts:end -->

## CLI-08 MVP slice (mvp:true rows only)

The 7 features below are the closed CLI-08 MVP slice. Phase 6 verifier-gate enforces every one.

<!-- AUTOGEN:mvp-parity:start -->
| Feature | Subsystem | Disposition | Opcodes | Originating GML |
|---------|-----------|-------------|---------|-----------------|
| `chat-public` | chat | in-phase-6 | 4 | `extracted/server-5-4/scripts/0359-server_receive.gml:164`<br>`extracted/server-5-4/scripts/0359-server_receive.gml:603`<br>`extracted/server-5-4/scripts/0106-caddline.gml` |
| `heartbeat` | client-server-bridge | in-phase-6 | — | `extracted/server-5-4/scripts/0349-operations.gml` |
| `login` | account-auth | in-phase-6 | 0 | `extracted/server-5-4/scripts/0359-server_receive.gml:523`<br>`extracted/server-5-4/scripts/0392-users_load.gml`<br>`extracted/server-5-4/scripts/0360-init_user.gml` |
| `login-response` | account-auth | in-phase-6 | 8 | `extracted/server-5-4/scripts/0359-server_receive.gml` |
| `movement` | world-simulation | in-phase-6 | 3 | `extracted/server-5-4/scripts/0359-server_receive.gml:588` |
| `room-join` | room-management | in-phase-6 | 1 | `extracted/server-5-4/scripts/0359-server_receive.gml:533`<br>`extracted/server-5-4/objects/0123-roomchangeob` |
| `room-leave` | room-management | in-phase-6 | 1, 5 | `extracted/server-5-4/scripts/0359-server_receive.gml:541`<br>`extracted/server-5-4/scripts/0349-operations.gml`<br>`extracted/server-5-4/scripts/0362-uninit_user.gml` |
<!-- AUTOGEN:mvp-parity:end -->

## All parity rows (grouped by disposition)

<!-- AUTOGEN:parity-rows:start -->
### in-phase-6 (7)

| Feature | Subsystem | MVP | Opcodes | Originating GML | Reason | Modernized replacement |
|---------|-----------|-----|---------|-----------------|--------|------------------------|
| `chat-public` | chat | yes | 4 | `extracted/server-5-4/scripts/0359-server_receive.gml:164`<br>`extracted/server-5-4/scripts/0359-server_receive.gml:603`<br>`extracted/server-5-4/scripts/0106-caddline.gml` | CLI-08 MVP slice: area-scoped public chat broadcast. Server tags sender from socket auth (PITFALLS B1). | — |
| `heartbeat` | client-server-bridge | yes | — | `extracted/server-5-4/scripts/0349-operations.gml` | CLI-08 MVP slice: keepalive ping. Original BNO has no opcode-level heartbeat — relies on TCP RST and 30 fps step polling. Phase 4 SRV adds explicit ws ping/pong with reconnect grace window. | — |
| `login` | account-auth | yes | 0 | `extracted/server-5-4/scripts/0359-server_receive.gml:523`<br>`extracted/server-5-4/scripts/0392-users_load.gml`<br>`extracted/server-5-4/scripts/0360-init_user.gml` | CLI-08 MVP slice: username + password auth via argon2id. Migrated accounts re-hashed on first successful auth (see legacy-userlist-import). | — |
| `login-response` | account-auth | yes | 8 | `extracted/server-5-4/scripts/0359-server_receive.gml` | CLI-08 MVP slice: server emits ok/reason after credential validation. | — |
| `movement` | world-simulation | yes | 3 | `extracted/server-5-4/scripts/0359-server_receive.gml:588` | CLI-08 MVP slice: server broadcasts authoritative x/y/dir per player. Phase 4 server validates delta_t * max_speed + collision per intent (PITFALLS B1). | — |
| `room-join` | room-management | yes | 1 | `extracted/server-5-4/scripts/0359-server_receive.gml:533`<br>`extracted/server-5-4/objects/0123-roomchangeob` | CLI-08 MVP slice: client requests room change; server is authoritative for p_room. Server validates target room id is reachable. | — |
| `room-leave` | room-management | yes | 1, 5 | `extracted/server-5-4/scripts/0359-server_receive.gml:541`<br>`extracted/server-5-4/scripts/0349-operations.gml`<br>`extracted/server-5-4/scripts/0362-uninit_user.gml` | CLI-08 MVP slice: client departs room (paired w/ room-join opcode 1) OR socket disconnect (broadcast-logoff opcode 5). Server emits leave broadcast to remaining occupants. | — |

### in-phase-7 (36)

| Feature | Subsystem | MVP | Opcodes | Originating GML | Reason | Modernized replacement |
|---------|-----------|-----|---------|-----------------|--------|------------------------|
| `account-create` | account-auth | no | — | `extracted/server-5-4/scripts/0392-users_load.gml`<br>`extracted/server-5-4/scripts/0367-users_restore.gml` | Original appends to localList.txt; rebuild creates accounts row with argon2id hash. Phase 7 adds CAPTCHA + email verification. | — |
| `account-recovery-email` | account-auth | no | — | `extracted/server-5-4/scripts/0392-users_load.gml` | FEATURES.md differentiator: email-based password reset. NEW (no original equivalent — admin used Old Account Updater binaries). Modernized as account-recover web-UI endpoint. | POST /admin/account-recover {targetAccountId, action: 'reset-password-email'\|'unlock', reason} |
| `account-settings` | account-auth | no | — | `extracted/server-5-4/scripts/0386-load_settings.gml` | FEATURES.md differentiator: per-user keybinds, audio, accessibility. Mostly client-only; server validates a small allowlist (display-name, mute-list). | — |
| `area-broadcast` | room-management | no | 16 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Original opcode 16 broadcasts area state to clients. Phase 7 reconstructs as typed `area-state` event. | — |
| `area-scoping` | room-management | no | 16 | `extracted/server-5-4/scripts/0117-change_area.gml`<br>`extracted/server-5-4/objects/0109-ac_centralsquare`<br>`extracted/server-5-4/objects/0110-ac_naturegrounds`<br>`extracted/server-5-4/objects/0111-ac_whirlpool` | Logical chat-channel grouping (rooms partitioned into named regions). Phase 6 ships per-room scope; Phase 7 layers per-area on top of room. | — |
| `chat-history-buffer` | chat | no | — | `extracted/server-5-4/scripts/0001-addline.gml`<br>`extracted/server-5-4/scripts/0093-dynamicaddline.gml` | FEATURES.md differentiator: rolling N-line per-room buffer broadcast on room-enter so mid-conversation joiners see context. Original has 30-line operator-screen scrollback only. | — |
| `chat-moderation` | chat | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | FEATURES.md differentiator: profanity wordlist + report queue + admin-mute. NEW (original has no moderation surface; admin used Ctrl+9 clipboard snippets). | POST /admin/mb-moderate { boardId, action, ... } |
| `cmd-clientver` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml`<br>`extracted/server-5-4/scripts/0387-save_settings.gml` | Operator command to bump minimum required client version. Modernized as typed admin-UI endpoint. | POST /admin/set-min-client-version { version } |
| `cmd-maintmode-toggle` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Operator toggles `global.maintmode`. Modernized as typed admin endpoint. | POST /admin/maintenance-mode { enabled, reason } |
| `cmd-servermsg` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml`<br>`extracted/server-5-4/scripts/0387-save_settings.gml` | Operator sets MOTD broadcast on login. Modernized as typed admin endpoint. | POST /admin/set-motd { motd } |
| `duo-relay-system` | client-server-bridge | no | 15, 22, 23 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Two-player interaction relay (trade/duel?). Opcodes 15/22/23 wire it. Phase 7 reconstructs after observing legacy server traffic; specific feature shape TBD. | — |
| `friends-list` | world-simulation | no | 9 | `extracted/server-5-4/scripts/0359-server_receive.gml` | FEATURES.md differentiator: persistent symmetric friend graph + presence push. NEW (original has online-list opcode 9 only). | — |
| `ignore-list` | chat | no | — | `extracted/server-5-4/scripts/0359-server_receive.gml` | FEATURES.md differentiator: per-user blocks(blocker, blocked) for chat/whisper/visibility. NEW. | — |
| `legacy-userlist-import` | account-auth | no | — | `extracted/server-5-4/scripts/0367-users_restore.gml`<br>`extracted/server-5-4/scripts/0392-users_load.gml`<br>`extracted/server-5-4/scripts/0379-users_restore_old.gml`<br>`extracted/server-5-4/scripts/0391-users_load_old.gml` | Phase 4 SRV-09/10/11 read-once-then-purge migration. Plaintext rows land in legacy_credentials_staging; first login re-hashes via argon2id and deletes staging row in same tx (CLAUDE.md hard rule #2). | — |
| `logout` | account-auth | no | 5 | `extracted/server-5-4/scripts/0359-server_receive.gml:541`<br>`extracted/server-5-4/scripts/0349-operations.gml`<br>`extracted/server-5-4/scripts/0362-uninit_user.gml` | Original detects logout by socket EOF (no dedicated opcode); broadcast-logoff opcode 5 propagates. Phase 7 adds graceful logout intent + reconnect grace window. | — |
| `mb-list-boards` | message-board | no | 13 | `extracted/server-5-4/scripts/0359-server_receive.gml`<br>`extracted/server-5-4/scripts/0366-mb_restore.gml` | Server emits opcode 13 listing every board in MB_Log.bnb. Phase 7 PAR ships full message-board surface. | — |
| `mb-list-replies` | message-board | no | 14 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Server emits opcode 14 listing replies for a topic. | — |
| `mb-log-persistence` | persistence | no | — | `extracted/server-5-4/scripts/0365-mb_backup.gml`<br>`extracted/server-5-4/scripts/0366-mb_restore.gml` | Original rewrites entire MB_Log.bnb on every change (full file rewrite). Rebuild uses per-row SQLite tx + WAL replication via Litestream. | — |
| `mb-newmsg-flags` | message-board | no | 19 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Per-user unread-flag broadcast. Persisted in News_<uid>.bnu. | — |
| `mb-post-reply` | message-board | no | — | `extracted/server-5-4/scripts/0365-mb_backup.gml` | c2s opcode for reply post is absent from current protocol.json (s2c-only enumeration). Phase 7 reverses from MB_Log writer call sites. | — |
| `mb-post-topic` | message-board | no | — | `extracted/server-5-4/scripts/0365-mb_backup.gml` | c2s opcode for topic create is absent from current protocol.json (s2c-only enumeration). Phase 7 reverses from MB_Log writer call sites. | — |
| `mb-summary` | message-board | no | 18 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Server emits opcode 18 with topic summary (title + reply count + flag). | — |
| `online-list` | world-simulation | no | 9 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Server emits opcode 9 with full per-player snapshot. Phase 7 supersedes via Colyseus state replication; legacy clients can still receive on parity wire. | — |
| `pid-assignment` | client-server-bridge | no | 6, 7 | `extracted/server-5-4/scripts/0360-init_user.gml:36`<br>`extracted/server-5-4/scripts/0363-reinit_userr.gml:19` | Original assigns numeric pid + UDP port via opcodes 6/7. Rebuild uses Colyseus session-id; pid no longer wire-visible. Parity opcode preserved for legacy clients in Phase 7. | — |
| `player-nameplate` | world-simulation | no | 0 | `extracted/server-5-4/scripts/0359-server_receive.gml:523` | FEATURES.md MVP-critical-but-deferrable: render username above sprite. Server publishes account-name; rendering is client-side. Phase 6 may carry informally. | — |
| `reconnect-grace-window` | world-simulation | no | — | `extracted/server-5-4/scripts/0349-operations.gml`<br>`extracted/server-5-4/scripts/0362-uninit_user.gml` | FEATURES.md MVP-critical: keep player state in memory N seconds (e.g., 60s) after socket close; reconnect within window resumes session. NEW (original is hard disconnect on EOF). | — |
| `room-snapshot` | client-server-bridge | no | 11 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Server emits opcode 11 listing every other player in destination room after room-join. Colyseus state replication subsumes for new client; preserved for legacy parity. | — |
| `server-settings-persistence` | persistence | no | — | `extracted/server-5-4/scripts/0386-load_settings.gml`<br>`extracted/server-5-4/scripts/0387-save_settings.gml` | Server-wide settings (MOTD, min client version, alpha-on flag, server playername). Migrate MSettings.bno → settings table. | — |
| `tick-loop` | world-simulation | no | — | `extracted/server-5-4/scripts/0349-operations.gml` | Original couples sim tick to GameMaker step event (~30 Hz). Phase 4 SRV-05 adds explicit fixed-tick simulation step (Colyseus 50ms / 20 Hz) decoupled from network read loop. | — |
| `tilemap-collision` | world-simulation | no | — | `extracted/server-5-4/scripts/0085-place_meeting.gml`<br>`extracted/server-5-4/scripts/0086-instance_create.gml` | Server-authoritative wall/tile collision. Phase 6 ships room-bounds clamp only; Phase 7 adds full tile-grid collision (PITFALLS B1). | — |
| `user-area-persistence` | persistence | no | — | `extracted/server-5-4/scripts/0368-uarea_restore.gml`<br>`extracted/server-5-4/scripts/0369-uarea_backup.gml`<br>`extracted/server-5-4/scripts/0370-all_uarea_rb.gml` | Per-user area-state persistence. Migrate User_Area.bnu rows → SQLite user_area table. | — |
| `user-hexbridge-persistence` | persistence | no | — | `extracted/server-5-4/scripts/0383-uhxb_restore.gml`<br>`extracted/server-5-4/scripts/0384-uhxb_backup.gml`<br>`extracted/server-5-4/scripts/0385-all_uhxb_rb.gml` | Per-user hexport-bookmark (teleport) state. Migrate User_Hxb.bnu → user_hexbridges table. | — |
| `user-init-lifecycle` | account-auth | no | — | `extracted/server-5-4/scripts/0358-join_monitor.gml`<br>`extracted/server-5-4/scripts/0360-init_user.gml`<br>`extracted/server-5-4/scripts/0362-uninit_user.gml`<br>`extracted/server-5-4/scripts/0363-reinit_userr.gml` | Original allocates per-player slot in global.p_* arrays via init_user. Phase 4 wraps in Colyseus onJoin/onLeave; the in-memory shape is opaque to clients. | — |
| `user-inventory-persistence` | persistence | no | — | `extracted/server-5-4/scripts/0374-uinv_set.gml`<br>`extracted/server-5-4/scripts/0375-uinv_get.gml`<br>`extracted/server-5-4/scripts/0376-uinv_backup.gml`<br>`extracted/server-5-4/scripts/0377-uinv_restore.gml`<br>`extracted/server-5-4/scripts/0378-all_uinv_rb.gml` | Per-user inventory persistence. Migrate User_Inv.bnu → user_inventory table. | — |
| `user-news-persistence` | persistence | no | — | `extracted/server-5-4/scripts/0371-unews_backup.gml`<br>`extracted/server-5-4/scripts/0372-unews_restore.gml`<br>`extracted/server-5-4/scripts/0373-all_unews_rb.gml` | Per-user MB-news read-flag persistence. Migrate User_News.bnu → user_mb_news table. | — |
| `whisper-private-chat` | chat | no | — | `extracted/server-5-4/scripts/0359-server_receive.gml` | FEATURES.md differentiator: cross-room directed message addressed by recipient accountId. NEW (original chat is broadcast-only by area). | — |

### deferred-stage-8 (9)

| Feature | Subsystem | MVP | Opcodes | Originating GML | Reason | Modernized replacement |
|---------|-----------|-----|---------|-----------------|--------|------------------------|
| `chat-scrollback-operator` | admin | no | — | `extracted/server-5-4/scripts/0001-addline.gml`<br>`extracted/server-5-4/scripts/0093-dynamicaddline.gml`<br>`extracted/server-5-4/scripts/0006-scroll.gml` | 30-line server-operator-screen rolling scrollback (`global.cline[i]`). Rebuild surfaces equivalent in admin web UI as live event log; deferred unless operator workflow audit demands it. | — |
| `cmd-clear-scrollback` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Operator-screen-only `clear screen` command. Operator UI lives in web UI in rebuild — N/A as a wire intent. | — |
| `cmd-goto-ocs` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Operator self-teleport to Online_Command_Screen. Irrelevant when admin lives in separate web UI; deferred unless a need surfaces. | — |
| `cmd-help-text` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | `command` prints operator help text. Deferred — admin help is a typed UI surface, not a chat command. | — |
| `dabypass-flag` | world-simulation | no | 1 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Per-account `dabypass` flag set when entering room 49 (Whirlpool_Promenade) — Disconnected Alley access gate. Niche; restore if Phase 7 PAR enumerates rooms requiring it. | — |
| `legacy-alt-login-exemption` | account-auth | no | — | `extracted/server-5-4/scripts/0392-users_load.gml` | Hardcoded alt-login exemptions for `Saber Mage` / `Vance Serori` (legacy operator accounts). Deferred per RESEARCH disposition rules; not in Phase 7 unless impact surfaces. | — |
| `legacy-superweird-import` | account-auth | no | — | `extracted/server-5-4/scripts/0367-users_restore.gml` | Phase 1 informational A7 — if enlyzeam-current contains Superweird files, run import. Deferred until Phase 1 confirms A7 enumeration. | — |
| `unknown-opcode-24` | packet-protocol | no | 24 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Empty-payload s2c opcode; semantics not yet recovered (see docs/extracted-server/unknown-actions-status.md). Deferred until reverse-engineering yields intent. | — |
| `unknown-opcode-26` | packet-protocol | no | 26 | `extracted/server-5-4/scripts/0359-server_receive.gml` | Empty-payload s2c opcode; semantics not yet recovered. Deferred until reverse-engineering yields intent. | — |

### rejected-with-reason (17)

| Feature | Subsystem | MVP | Opcodes | Originating GML | Reason | Modernized replacement |
|---------|-----------|-----|---------|-----------------|--------|------------------------|
| `admin-ctrl-9-clipboard-snippets` | admin | no | — | `extracted/server-5-4/scripts/0364-scontrolmenu.gml` | Ctrl+9 pops snippet menu that auto-fills clipboard for Ctrl+E execution. Composes with Ctrl+E into fully-templated RCE — *worse* than raw Ctrl+E because new operators don't realise snippets execute with full game-state authority. CLAUDE.md hard rule #3. | POST /admin/kick { targetAccountId, reason, durationSec? } (and `mute`) |
| `admin-ctrl-e-clipboard-rce` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Ctrl+E runs operator clipboard contents as GML in server process. RCE-as-feature — clipboard is a shared OS resource (browser autocomplete, password manager, virus all write to it → admin). No equivalent exists; surface deleted entirely. CLAUDE.md hard rule #3. | — |
| `admin-ctrl-m-mb-view` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Ctrl+M views any message board by number with no UI filtering. Mild content-bypass risk; modernized as typed mb-moderate admin endpoint with structured operations. | POST /admin/mb-moderate { boardId, action: 'view'\|'delete-topic'\|'delete-reply'\|'pin'\|'unpin'\|'lock'\|'unlock', ... } |
| `admin-ctrl-q-clipboard-kick` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Ctrl+Q exposes server internals via clipboard-style GML eval. Modernized as typed view-audit-log + kick admin endpoints. CLAUDE.md hard rule #3. | POST /admin/view-audit-log { sinceMinutes?, actorAccountId?, eventTypes?, limit? } + POST /admin/kick |
| `admin-ctrl-question-target-rce` | admin | no | 12 | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Sends operator clipboard GML to highlighted player to be executed on THEIR client. Doubly rejected: client-side RCE inflicted by server. Worst single feature of original system. Wire path (opcode 12) deleted; modernized as typed assign-role + ban intents. CLAUDE.md hard rule #3. | POST /admin/assign-role { targetAccountId, role } + POST /admin/ban { targetAccountId, reason, permanent, durationDays? } |
| `admin-hexport-anim` | admin | no | — | `extracted/server-5-4/scripts/0364-scontrolmenu.gml` | Operator self-animation via execute_string-stored GML snippet (HexportOut/HexportIn). Cosmetic-bypass not in v1 scope; uses execute_string mechanism that is rejected wholesale. Drop entirely. | — |
| `admin-old-account-updater-binary` | admin | no | — | `extracted/server-5-4/scripts/0392-users_load.gml` | Legacy `Old Account Updater.exe` / `Account Updater.exe` sibling binaries — no source GML present in open-source release; original behaviour unrecoverable. Modernized as account-recover web-UI endpoint per Phase 7 PAR-07. | POST /admin/account-recover { targetAccountId, action: 'reset-password-email'\|'unlock'\|'merge-duplicate'\|'force-reauth', reason } |
| `admin-stash-location-snippet` | admin | no | — | `extracted/server-5-4/scripts/0364-scontrolmenu.gml` | Operator self-teleport via Ctrl+A storing GML in global.helpmsg + Ctrl+Alt+A execute_string. Mechanism is the entire RCE surface. Rebuild offers admin-self-teleport as a UI form behind admin auth (not a typed wire intent). | — |
| `client-supplied-chat-origin` | chat | no | 4 | `extracted/server-5-4/scripts/0359-server_receive.gml:164` | Original prepends username from server-tracked global.p_name[pid] but trusts the chat-line payload exactly as sent. Server tags every chat line with senderId from socket auth in rebuild — payload sender field is ignored. PITFALLS B1. | — |
| `client-trusted-pid` | client-server-bridge | no | 6 | `extracted/server-5-4/scripts/0360-init_user.gml:36` | Original assigns numeric pid via opcode 6 broadcast. Rebuild uses session cookies tied to argon2id-verified accounts; pid is server-internal only. PITFALLS B1. | — |
| `client-trusted-position` | world-simulation | no | 3 | `extracted/server-5-4/scripts/0359-server_receive.gml:588` | Original accepts client-supplied x/y verbatim and broadcasts. Rebuild server validates delta_t * max_speed + tile collision per intent before broadcast; client never authoritative for position. PITFALLS B1. | — |
| `client-trusted-sprite-index` | world-simulation | no | 2 | `extracted/server-5-4/scripts/0359-server_receive.gml:575` | Original accepts client-supplied sprite index verbatim — could spoof animations / state. Server tracks intent (move-direction, action) only; sprite resolution is client-local in rebuild. PITFALLS B1. | — |
| `cmd-end-session-broadcast` | admin | no | 12 | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Backtick `end session` broadcasts opcode 12 with payload `show_message(...); global.online = 0; game_restart();` to every client. Mechanism (broadcasting executable GML) is the RCE surface. Rebuild emits typed `server-restart-warning` event instead; opcode 12 wire path permanently removed. | — |
| `cmd-run-shell-out` | admin | no | — | `extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Backtick `` `run take-a-break.exe `` calls datafile_export + execute_program. RCE-as-feature; rebuild has no shell-out surface. CLAUDE.md hard rule #3. | — |
| `opcode-12-mod-execute` | packet-protocol | no | 12 | `extracted/server-5-4/scripts/0359-server_receive.gml`<br>`extracted/server-5-4/scripts/0008-ChtCmdRec.gml` | Wire path for broadcasting executable GML strings to clients (`mod-execute` payload). Worst single feature of original system. Permanently removed from rebuild wire — typed events only. CLAUDE.md hard rule #3. | — |
| `plaintext-passwords-canonical` | account-auth | no | — | `extracted/server-5-4/scripts/0392-users_load.gml`<br>`extracted/server-5-4/scripts/0367-users_restore.gml` | Original stores passwords plaintext in localList.txt and User_DBUpdated.bnu (parallel arrays global.u_pwd[i]). CLAUDE.md hard rule #2: argon2id from packet 1. Plaintext appears only transiently in legacy_credentials_staging during one-shot migration; production accounts table never holds plaintext. | — |
| `scheduled-save-cadence` | persistence | no | — | `extracted/server-5-4/scripts/0349-operations.gml`<br>`extracted/server-5-4/scripts/0389-all_backup.gml` | Original couples saves to 30s alarm (`p_sendalarm = 900` at 30 fps). Crash-loss surface = 30s typical / 90s worst. Rebuild uses per-event SQLite tx + WAL replication via Litestream; crash-loss drops to ~1s. CONCERNS.md crash-loss requirement. | — |
<!-- AUTOGEN:parity-rows:end -->
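
The `client-trusted-position` and `client-supplied-chat-origin` rejections both replace a client-supplied value with one the server derives itself. The sketch below is an added example, not code from the rebuild: the speed constant, the time cap, the room size and every type and function name are hypothetical, and only the room-bounds clamp the page assigns to Phase 6 is modeled (no tile collision).

```typescript
// Added example; all names and constants here are hypothetical.
interface Session { accountId: string; x: number; y: number; lastMoveMs: number; }
interface MoveIntent { x: number; y: number; }
interface RoomBounds { width: number; height: number; }
interface MoveResult { accepted: boolean; x: number; y: number; }

const MAX_SPEED_PX_PER_SEC = 120; // assumed movement speed
const MAX_DT_SEC = 0.25;          // cap so a silent client cannot bank a teleport budget

function clamp(v: number, max: number): number {
  return Math.min(Math.max(v, 0), max);
}

// Validates one movement intent against delta_t * max_speed. The returned
// x/y is always the server's position, so a rejected intent still yields
// the value to broadcast back as a correction.
function applyMove(s: Session, intent: MoveIntent, nowMs: number, room: RoomBounds): MoveResult {
  // NaN or Infinity would otherwise poison the distance check.
  if (!isFinite(intent.x) || !isFinite(intent.y)) {
    return { accepted: false, x: s.x, y: s.y };
  }
  const tx = clamp(intent.x, room.width);
  const ty = clamp(intent.y, room.height);

  const dtSec = Math.min(Math.max((nowMs - s.lastMoveMs) / 1000, 0), MAX_DT_SEC);
  const allowed = dtSec * MAX_SPEED_PX_PER_SEC;
  const dx = tx - s.x;
  const dy = ty - s.y;
  if (Math.sqrt(dx * dx + dy * dy) > allowed) {
    return { accepted: false, x: s.x, y: s.y };
  }

  s.x = tx;
  s.y = ty;
  s.lastMoveMs = nowMs;
  return { accepted: true, x: s.x, y: s.y };
}

interface ChatPayload { text: string; sender?: string; }
interface ChatEvent { senderId: string; text: string; }

// The sender comes from the authenticated session; payload.sender is never read.
function tagChat(s: Session, payload: ChatPayload): ChatEvent {
  return { senderId: s.accountId, text: String(payload.text) };
}

// Constructed walkthrough.
const room: RoomBounds = { width: 640, height: 480 };
const player: Session = { accountId: "acct-17", x: 100, y: 100, lastMoveMs: 1000 };
console.log(applyMove(player, { x: 103, y: 104 }, 1050, room)); // 5 px in 50 ms: accepted
console.log(applyMove(player, { x: 400, y: 400 }, 1100, room)); // teleport attempt: rejected
console.log(tagChat(player, { text: "hi", sender: "Admin" }));  // spoofed sender ignored
```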

## See also

- [./parity-checklist.json](./parity-checklist.json) — canonical row data
- [./protocol.json](./protocol.json) — opcode cross-reference target
- [./save-formats.json](./save-formats.json) — save-field cross-reference target
- [./admin-anti-port.md](./admin-anti-port.md) — admin-specific REJECTED-AS-PORTED disposition table (D-20 modernized intents)
- [../adr/0003-canonical-snapshot.md](../adr/0003-canonical-snapshot.md) — forward-link; lands in plan 03-08
- [Phase 3 RESEARCH §Pattern 5](../../.planning/phases/03-server-documentation-schemas/03-RESEARCH.md) — methodology source
- [PITFALLS §B1 server-authoritative](../../.planning/research/PITFALLS.md) — drives `rejected-with-reason` for client-trusted features
- [CLAUDE.md hard rule #2 + #3](../../CLAUDE.md) — drives `rejected-with-reason` for plaintext passwords + RCE-as-feature admin
