auth-limbo/docs/RESEARCH-2B2T-QUEUE.md

# Research: 2b2t Queue / Login Gatekeeper

Read-only reference for AuthLimbo v2 design. Last updated 2026-05-07.

## TL;DR
- **Architecture**: BungeeCord-style proxy plus a separate "queue server" (a stripped-down Minecraft instance acting as a holding world); the main Paper server is gated behind it.
- **Drain model**: Slow FIFO with a small reserved pool for paid priority — pacing is what protects main from join-flood crashes more than any explicit packet shaper.
- **Drama**: Almost every controversy (paid priority, veteran-queue removal, prio-strip ban waves) is policy-layer, not technical. Avoid the policies; copy the architecture.

## 1. Architecture
- Two-tier: **Velocity/Bungee proxy** -> **queue server** (limbo holding JVM) -> **main Paper server**. Queue is its own process, not a plugin on main.
- Public clones use the same shape: `PistonQueue` (Bungee+Velocity, v4.0.0 Apr 2026, most production-grade), `AnarchyQueue` (Velocity, pairs with `QueueServerPlugin` on the limbo instance), `LeeesBungeeQueue` (archived 2025-04-28, 1.12.2 cap).
- Queue state is **in-memory** on the proxy; clones don't persist across restart. Disconnect = back of line.

## 2. Queue Mechanics
- Pure FIFO inside each tier. Tiers historically: priority -> veteran -> regular. Today: priority -> regular.
- Slot allocation: ~200 reserved slots for priority on ~1000-cap main; regular advances only when a non-reserved slot frees.
- Drain rate is wall-clock, not packet-throttled — 1000-deep regular queue = 6-12h.
- ETA = naive `position * avg_drain`. Wrong because priority steals slots from above; ETA can go *up*.

## 3. AFK + Reconnect
- 2016 queue: reconnect every ~30s, drove hacked-client adoption. Replaced within a year by limbo-queue with auto-updating position.
- Main: 15-min idle disconnect. Queue: long-lived TCP; drop = position lost. `2bored2wait` (archived) proxies queue locally for headless waiting.

## 4. Priority Queue
- Separate FIFO + reserved slot pool. Tier check = permission/uuid lookup on join.
- Pricing: $19.99/mo originally, now $29/mo via 2b2t.shop.
- TheCampingRusher held add/remove power on priority + veteran lists; Torogadude incident.
- Reserved-slot design means a queue can exist even when main isn't full — structurally pay-to-skip.

## 5. Chunk-Load / Crash Mitigation
- Queue server runs near-empty world; no chunk gen, minimal ticks, absorbs thousands of idle TCP sessions cheaply.
- Pacing the drain protects main's chunk pipeline; no explicit login-packet shaper beyond letting `PlayerJoinEvent` finish before pulling next.
- **Nocom (Jul 2018 - Jul 2021)**: unrate-limited `CPacketPlayerDigging` flood on queue starved keepalives, forced mass disconnects, skipped queue. Hausemaster: 500 pkt/s late-2019; factor-14 May 2020; factor-8 next day; factor-2 Jul 2021; full patch 2021-07-15. Leijurv's Monte Carlo particle-filter tracker (2020-2021) kept working at 2 checks/s.

## 6. Veteran Tier
- Whitelist: `joined_before = 2016-06-01`, offline lookup against historical login data.
- Removed **2017-12-04** explicitly to "increase incentive to buy priority". Trust burned.

## 7. Bot Ecosystem
- Mineflayer / headless clients sit in queue 24/7 — indistinguishable from a human leaving client running.
- Detection: behavior only (instant logout on join, scripted movement). "Good" bot = afk-for-owner; "exploit" bot = multi-account prio-skip or queue-bypass client.
- For AuthLimbo v2: AFK bots in pre-auth limbo cost ~nothing. Gate at promote-to-main, not join-limbo.

## 8. Failure Modes
- Nocom-era queue crashes dropped 1000+ waiting players.
- "Ghost queue" — players queued but TCP dead — caused by keepalive starvation, fixed by rate limits.
- Recovery: full restart loses all positions. No persisted state.

## 9. Public Clones — Survey
- **PistonQueue** — Bungee+Velocity, reserved slots, shadow-ban, pre-queue auth, active.
- **AnarchyQueue** — Velocity, minimal, needs `QueueServerPlugin` companion.
- **LeeesBungeeQueue** — archived 2025.
- **Shirodo-Queue**, **eslym/bungee-queue** — toy reimplementations.
- Common mistakes: in-memory only, no priority-abuse audit log, no rate-limit on queue's own packet handlers (re-creates Nocom-class risk).

## 10. Drama Timeline
- **2016-06** Rusher influx; queue introduced.
- **2016-2017** Rusher holds add/remove power on priority + veteran lists.
- **2017-12-04** Veteran queue removed. Mass quits.
- **2018-07 / 2021-07** Nocom queue-bypass exploit + tracking.
- **2022-04** ~40 prio-stripped + banned over a doxxing chain.
- **2022-12-07** 500+ accounts prio-banned cumulatively; `2builders12rules` discord forms to track strips.

## Drama-Avoidance Principles for AuthLimbo v2
1. **No paid priority. Ever.** FIFO only; no money-tied reserved slots.
2. **No hidden-criteria veteran tier.** If seniority exists, rule is public, automated, irrevocable.
3. **No staff add/remove of queue position.** Admin commands log to append-only audit; no silent privilege.
4. **Persist queue state.** Position survives proxy restart (sqlite/redis).
5. **Rate-limit every packet handler in limbo.** Nocom is the canonical lesson.
6. **Honest ETA or no ETA.** Position only, or confidence interval — no fake countdowns.
7. **Privacy-first limbo (AuthLimbo thesis):** new joiners isolated from main-world coords/inventory until AuthMe login completes.
8. **Bots welcome in limbo, gated at promote.** Don't fight Mineflayer pre-auth.
9. **Open source the gatekeeper.** Hausemaster's plugin is closed; opacity amplifies drama.
10. **Document idle/disconnect rules in-game.** No silent kicks.
docs: AuthLimbo v2 research + architecture + roadmap 4 parallel research agents output (2026-05-07): - RESEARCH-2B2T-QUEUE.md — 2b2t queue tech deep-dive: architecture, drama timeline, 5 patterns to copy + 5 to avoid - RESEARCH-LIMBO-PLUGIN-SURVEY.md — open-source plugin survey: STEAL list (Elytrium LimboAPI/LimboAuth + PistonQueue), PATTERN list, SKIP list - V2-ARCHITECTURE.md — Paper-only stack with Velocity-ready seam, 7-state login flow, snapshot-on-pre-login, transparent FIFO trust tiers - V2-ROADMAP.md — M0-M5 milestones with acceptance criteria + dep graph Stack decision: Paper-only for now (no proxy required), but architecture split into Gatekeeper + Restore layers so future Velocity migration is mechanical. Trip-wires codified for when to reconsider. Anti-drama policy locked in code (not config): no paid priority, no hidden veteran tier, transparent ban appeals. Bootstrap repo at git.s8n.ru/s8n/auth-limbo-v2 ready for M0 work. 2026-05-07 19:31:40 +01:00			`# Research: 2b2t Queue / Login Gatekeeper`

			`Read-only reference for AuthLimbo v2 design. Last updated 2026-05-07.`

			`## TL;DR`
			`- Architecture: BungeeCord-style proxy plus a separate "queue server" (a stripped-down Minecraft instance acting as a holding world); the main Paper server is gated behind it.`
			`- Drain model: Slow FIFO with a small reserved pool for paid priority — pacing is what protects main from join-flood crashes more than any explicit packet shaper.`
			`- Drama: Almost every controversy (paid priority, veteran-queue removal, prio-strip ban waves) is policy-layer, not technical. Avoid the policies; copy the architecture.`

			`## 1. Architecture`
			`- Two-tier: Velocity/Bungee proxy -> queue server (limbo holding JVM) -> main Paper server. Queue is its own process, not a plugin on main.`
			- Public clones use the same shape: `PistonQueue` (Bungee+Velocity, v4.0.0 Apr 2026, most production-grade), `AnarchyQueue` (Velocity, pairs with `QueueServerPlugin` on the limbo instance), `LeeesBungeeQueue` (archived 2025-04-28, 1.12.2 cap).
			`- Queue state is in-memory on the proxy; clones don't persist across restart. Disconnect = back of line.`

			`## 2. Queue Mechanics`
			`- Pure FIFO inside each tier. Tiers historically: priority -> veteran -> regular. Today: priority -> regular.`
			`- Slot allocation: ~200 reserved slots for priority on ~1000-cap main; regular advances only when a non-reserved slot frees.`
			`- Drain rate is wall-clock, not packet-throttled — 1000-deep regular queue = 6-12h.`
			- ETA = naive `position * avg_drain`. Wrong because priority steals slots from above; ETA can go up.

			`## 3. AFK + Reconnect`
			`- 2016 queue: reconnect every ~30s, drove hacked-client adoption. Replaced within a year by limbo-queue with auto-updating position.`
			- Main: 15-min idle disconnect. Queue: long-lived TCP; drop = position lost. `2bored2wait` (archived) proxies queue locally for headless waiting.

			`## 4. Priority Queue`
			`- Separate FIFO + reserved slot pool. Tier check = permission/uuid lookup on join.`
			`- Pricing: $19.99/mo originally, now $29/mo via 2b2t.shop.`
			`- TheCampingRusher held add/remove power on priority + veteran lists; Torogadude incident.`
			`- Reserved-slot design means a queue can exist even when main isn't full — structurally pay-to-skip.`

			`## 5. Chunk-Load / Crash Mitigation`
			`- Queue server runs near-empty world; no chunk gen, minimal ticks, absorbs thousands of idle TCP sessions cheaply.`
			- Pacing the drain protects main's chunk pipeline; no explicit login-packet shaper beyond letting `PlayerJoinEvent` finish before pulling next.
			- Nocom (Jul 2018 - Jul 2021): unrate-limited `CPacketPlayerDigging` flood on queue starved keepalives, forced mass disconnects, skipped queue. Hausemaster: 500 pkt/s late-2019; factor-14 May 2020; factor-8 next day; factor-2 Jul 2021; full patch 2021-07-15. Leijurv's Monte Carlo particle-filter tracker (2020-2021) kept working at 2 checks/s.

			`## 6. Veteran Tier`
			- Whitelist: `joined_before = 2016-06-01`, offline lookup against historical login data.
			`- Removed 2017-12-04 explicitly to "increase incentive to buy priority". Trust burned.`

			`## 7. Bot Ecosystem`
			`- Mineflayer / headless clients sit in queue 24/7 — indistinguishable from a human leaving client running.`
			`- Detection: behavior only (instant logout on join, scripted movement). "Good" bot = afk-for-owner; "exploit" bot = multi-account prio-skip or queue-bypass client.`
			`- For AuthLimbo v2: AFK bots in pre-auth limbo cost ~nothing. Gate at promote-to-main, not join-limbo.`

			`## 8. Failure Modes`
			`- Nocom-era queue crashes dropped 1000+ waiting players.`
			`- "Ghost queue" — players queued but TCP dead — caused by keepalive starvation, fixed by rate limits.`
			`- Recovery: full restart loses all positions. No persisted state.`

			`## 9. Public Clones — Survey`
			`- PistonQueue — Bungee+Velocity, reserved slots, shadow-ban, pre-queue auth, active.`
			- AnarchyQueue — Velocity, minimal, needs `QueueServerPlugin` companion.
			`- LeeesBungeeQueue — archived 2025.`
			`- Shirodo-Queue, eslym/bungee-queue — toy reimplementations.`
			`- Common mistakes: in-memory only, no priority-abuse audit log, no rate-limit on queue's own packet handlers (re-creates Nocom-class risk).`

			`## 10. Drama Timeline`
			`- 2016-06 Rusher influx; queue introduced.`
			`- 2016-2017 Rusher holds add/remove power on priority + veteran lists.`
			`- 2017-12-04 Veteran queue removed. Mass quits.`
			`- 2018-07 / 2021-07 Nocom queue-bypass exploit + tracking.`
			`- 2022-04 ~40 prio-stripped + banned over a doxxing chain.`
			- 2022-12-07 500+ accounts prio-banned cumulatively; `2builders12rules` discord forms to track strips.

			`## Drama-Avoidance Principles for AuthLimbo v2`
			`1. No paid priority. Ever. FIFO only; no money-tied reserved slots.`
			`2. No hidden-criteria veteran tier. If seniority exists, rule is public, automated, irrevocable.`
			`3. No staff add/remove of queue position. Admin commands log to append-only audit; no silent privilege.`
			`4. Persist queue state. Position survives proxy restart (sqlite/redis).`
			`5. Rate-limit every packet handler in limbo. Nocom is the canonical lesson.`
			`6. Honest ETA or no ETA. Position only, or confidence interval — no fake countdowns.`
			`7. Privacy-first limbo (AuthLimbo thesis): new joiners isolated from main-world coords/inventory until AuthMe login completes.`
			`8. Bots welcome in limbo, gated at promote. Don't fight Mineflayer pre-auth.`
			`9. Open source the gatekeeper. Hausemaster's plugin is closed; opacity amplifies drama.`
			`10. Document idle/disconnect rules in-game. No silent kicks.`