epic security

Guide for epic security

Epic: Security & Integrity

✅ Mission SECURITY-GAPS: Critical Fixes & Hardening

Status: ✅ Complete (completed 2026-01-22)
Functional Changes:
  • Production Safety: Mock payment provider is now blocked in production unless explicitly enabled.
  • Credential Security: Weak passwords (<8 chars) are now rejected at registration.
  • Brute Force Protection: Auth endpoints are rate-limited to prevent credential stuffing.
  • Session Hijacking Prevention: Banned accounts are immediately blocked, even with valid JWTs.

✅ Mission SECURITY-HARDENING: Backend Security

Status: ✅ Complete (completed 2026-01-21)
Functional Changes:
  • WebSocket connections now limited to 5 per IP (prevents resource exhaustion).
  • AbuseDetector tracks and flags suspicious behavior (spam, bots, failed logins).
  • Players exceeding thresholds can be auto-shadowbanned or temporarily banned.

✅ Mission PLUGIN-SANDBOX: Lua Security Hardening

Status: ✅ Complete (completed 2026-01-21)
Functional Changes:
  • Sandbox: Plugins can no longer access file system, network, or debug tools in any mode.
  • Reliability: Plugin execution that runs longer than 5 seconds (e.g. an infinite loop) is terminated.
  • Security: Official plugins must be signed with the production private key.

✅ Mission SECURITY-CRITICAL: Immediate Security Fixes

Status: ✅ Complete (completed 2026-01-21)
Functional Changes:
  • WebSocket connections now use secure TLS (wss://) by default.
  • Incoming messages larger than 1MB are automatically rejected.
  • Player names and chat messages are sanitized to prevent injection/XSS.

✅ Mission INTEGRITY-TRACE: High-Value Item Auditing

Status: ✅ Complete (completed 2026-01-22)
Functional Changes:
  • Bond Tracking: Every Bond now has a unique lineage tracked from creation (Mint) to deletion (Redeem).
  • Fraud Prevention: Prevents double-redemption of the same Bond instance.
  • Trade Visibility: All trades involving high-value items are logged in item_audit_logs.
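The lineage, double-redemption check and audit logging described above, as an added illustration (not the project's own code): an in-memory ledger where `item_audit_logs` is modelled as a list, bond instances carry a UUID, and every state change, including a denied redemption, is written to the log so that abuse can be detected as well as blocked. Names and structure here are assumptions.

```python
import uuid
from dataclasses import dataclass, field


class IntegrityError(Exception):
    """Raised when an audit invariant would be violated (e.g. double redemption)."""


@dataclass
class BondLedger:
    # bond_id -> lifecycle state; item_audit_logs stands in for the real table (assumed)
    bonds: dict = field(default_factory=dict)
    item_audit_logs: list = field(default_factory=list)

    def _log(self, event, bond_id, actor, **extra):
        entry = {"event": event, "bond_id": bond_id, "actor": actor, **extra}
        self.item_audit_logs.append(entry)
        return entry

    def mint(self, actor):
        """Create a new Bond instance with a unique id; this is the root of its lineage."""
        bond_id = str(uuid.uuid4())
        self.bonds[bond_id] = {"owner": actor, "redeemed": False}
        self._log("mint", bond_id, actor)
        return bond_id

    def _live_bond(self, bond_id, actor):
        # Shared checks: the instance must exist, be owned by the actor, and not be spent.
        bond = self.bonds.get(bond_id)
        if bond is None:
            raise IntegrityError("unknown bond instance")
        if bond["owner"] != actor:
            raise IntegrityError("actor does not own this bond")
        return bond

    def trade(self, bond_id, seller, buyer):
        bond = self._live_bond(bond_id, seller)
        if bond["redeemed"]:
            raise IntegrityError("cannot trade a redeemed bond")
        bond["owner"] = buyer
        self._log("trade", bond_id, seller, to=buyer)

    def redeem(self, bond_id, actor):
        bond = self._live_bond(bond_id, actor)
        if bond["redeemed"]:
            # Log the denied attempt before refusing: repeated denials are a fraud signal.
            self._log("redeem_denied", bond_id, actor, reason="already redeemed")
            raise IntegrityError("double redemption attempt")
        bond["redeemed"] = True
        self._log("redeem", bond_id, actor)

    def lineage(self, bond_id):
        """Full Mint -> ... -> Redeem history of one instance, in order."""
        return [e for e in self.item_audit_logs if e["bond_id"] == bond_id]
```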

✅ Mission ITEM-INTEGRITY-DEFERRED: Instance IDs

Status: ✅ Complete (completed 2026-01-21)
Functional Changes:
  • Non-stackable items (weapons, armor, tools) now automatically receive unique UUIDs upon creation.
  • Enables future features like item tracking, theft detection, and RWT prevention.