Replaced literal values with env-var placeholders (${RCON_PASSWORD},
${MGMT_SECRET}, ${MC_RCON_PASSWORD}) across server.properties,
.rcon-cli.env, docker-compose.yml(s), backup scripts, and AUDIT-2026-05-07.md.
Affected secrets:
- Paper management-server-secret (HIGH; mitigated by management-server-enabled=false)
- RCON password '*redacted*' (MEDIUM; bound to 127.0.0.1)
- MC_RCON_PASSWORD backup-pipeline default fallback (MEDIUM; same blast radius)
WARNING: HEAD redaction only — values remain in git history. Treat as
compromised and rotate (closes F-17 audit-finding's deferred TODO).
Originals backed up to private s8n/secrets/minecraft-server/.
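Added example, not part of the commit or the repository: a check that the secret-bearing keys named in the message above hold only bare `${VAR}` placeholders, and that also flags a `${VAR:-default}` fallback that still embeds a literal. The key list, the bare `password` key for `.rcon-cli.env`, and the sample lines are assumptions constructed for illustration.

```python
import re

# Keys named in the commit message, compared case-insensitively without '.', '-', '_'.
# "password" (bare key, assumed to be what .rcon-cli.env uses) is an assumption.
SENSITIVE = {"rconpassword", "mcrconpassword", "mgmtsecret",
             "managementserversecret", "password"}
# KEY=value (properties, .env, shell) or KEY: value (compose mapping),
# with an optional "- " list marker or "export " prefix.
LINE = re.compile(r'^\s*(?:-\s+|export\s+)?([A-Za-z][\w.\-]*)\s*[=:]\s*(.*?)\s*$')
# ${VAR} is a clean placeholder; ${VAR:-text} / ${VAR-text} carries a literal fallback.
PLACEHOLDER = re.compile(r'^\$\{(\w+)(?::?-(.*))?\}$')

# Constructed sample: one line per file kind mentioned in the commit message.
SAMPLE = """\
# server.properties (constructed)
enable-rcon=true
rcon.password=${RCON_PASSWORD}
management-server-enabled=false
management-server-secret=CONSTRUCTED-EXAMPLE-VALUE
# backup script (constructed)
MC_RCON_PASSWORD="${MC_RCON_PASSWORD:-constructed-default}"
# docker-compose.yml environment entry (constructed)
  RCON_PASSWORD: ${RCON_PASSWORD}
"""


def find_literal_secrets(text):
    """Return (line_no, key, reason) for each sensitive key not set to a bare ${VAR}."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if re.sub(r"[.\-_]", "", key).lower() not in SENSITIVE or value == "":
            continue  # not a secret key, or nothing assigned
        p = PLACEHOLDER.match(value)
        if p is None:
            findings.append((no, key, "literal value"))
        elif p.group(2):
            findings.append((no, key, "literal default in fallback"))
    return findings


if __name__ == "__main__":
    for finding in find_literal_secrets(SAMPLE):
        print(finding)
```

Like the redaction itself, this inspects only the current file contents; it says nothing about values that remain in git history.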
YOU500 + other default-group players couldn't use /sethome /balance
/list /hs etc — commands ran but Essentials/Homestead returned
permission-denied (perm absent on default group), denial appearing
silent client-side. Granted 17 essentials perms + 1 homestead.user
perm via RCON. Verified by YOU500 in chat: list/balance/sethome work.
JSON export attached for audit trail (H2 DB is gitignored).

Defensive belt-and-suspenders for "no /help hint on join":
1. motd.txt already emptied (commit 7e7d18e)
2. LP: 'lp group default permission set essentials.motd false' applied
live (h2 db updated at 18:35). Default group can no longer trigger
on-join motd even if motd.txt gets refilled later.
ProAntiTab storage.yml: add lp + luckperms to global allow-list so the
deny-perm command itself can run via rcon (whitelist mode was blocking).
Note: LP h2 storage isn't tracked in repo (.empty-103450 placeholder
files only). Live server is source of truth for LP state.

welcome.txt isn't read by current AuthMe — Settings.useWelcomeMessage
key is absent from config and the file was empty. The post-login
message is actually login.success in messages_en.yml, which was set
to '' (silenced).
- messages_en.yml: login.success now multi-line via \n escape:
"successfully logged in" + "type /help for a list of commands"
- welcome.txt: emptied (unused)
Live reloaded via authme reload.

Players are still in AuthLimbo when motd fires on join, so the hint
scrolls past while they type /register or /login. Move it into AuthMe
welcome.txt which fires after successful login.
- Essentials/motd.txt: emptied (hint moved out)
- AuthMe/welcome.txt: appended "type /help for a list of commands"
below the existing "successfully logged in" line
Live: applied via docker exec + essentials/authme reload.

- purpur.yml: broadcasts.advancement.only-broadcast-to-affected-player
false -> true. Player still sees own advancement, no global chat spam.
- ProAntiTab storage.yml: add gamerule/execute to global allow-list
(vanilla gamerule still blocked by Brigadier even from datapacks —
switched to Purpur broadcast option as workaround).
- ProAntiTab config.yml: auto-lowercase-commands disabled (was
toggled while debugging gamerule failure; harmless either way).
Synced from /opt/docker/minecraft live, applied via purpur reload.

Captures live config state of nullstone Purpur 1.21.11 server:
- docker-compose.yml (itzg/minecraft-server image, MODRINTH_PROJECTS + PLUGINS lists)
- All plugin configs under live-server/plugins/ (no DBs, no jars, no world data)
- Server core: bukkit.yml, spigot.yml, purpur.yml, paper-global.yml, paper-world-defaults.yml, server.properties
Excluded via .gitignore:
- World data (world/, world_nether/, world_the_end/, auth_limbo/)
- Sensitive: AuthMe DB (password hashes), Lands DB, CoreProtect DB, Essentials userdata
- Jars (auto-fetched), logs, caches, .paper-remapped