s8n/minecraft-server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
minecraft-server/docs/COMMANDS.md
s8n c4fb8c386e docs: comprehensive COMMANDS.md audit (plugin → PAT → LP) 
Read-only audit of all 24 loaded plugin jars: plugin.yml extraction,
PAT whitelist diff, LP default-group export, conflict matrix, and a
curated default-player command surface with concrete add/remove diffs.
2026-05-07 19:06:03 +01:00

39 KiB
Raw Blame History

COMMANDS.md — racked.ru command + permission audit

Audit date: 2026-05-07 Server: minecraft-mc (Paper 1.21.1) Method: read-only inspection of plugin.yml inside each loaded jar + /data/plugins/<plugin>/config.yml + /data/plugins/ProAntiTab/storage.yml + LuckPerms export + /data/commands.yml + /data/spigot.yml. Scope: every plugin that is currently loaded. The Lands/ directory is NOT counted — the Lands*.jar is absent (Homestead handles claiming).

1. Overview

Metric Value
Plugin jars on disk 24
Plugins that declare commands in their plugin.yml 18
Plugins that register commands programmatically (no plugin.yml decl.) 4 (EpicGuard, EZShop, SkinsRestorer, MiniMOTD has none, MiniPlaceholders has none)
Total bukkit commands declared (base, no aliases) 138 (EssentialsX 124, Homestead 5, AuthMe 9, ProtocolLib 4, AuthLimbo 1, Carbon 22 user-facing, others 1 each)
Total command aliases declared (sum of aliases: lists) 580+ (EssentialsX dominates)
ProAntiTab whitelist mode whitelist (turn-blacklist-to-whitelist: true)
Default-player visible commands (allowed by PAT groups.default) 39 entries in groups.default.commands (some are sub-commands, some duplicate aliases) — actual base-command surface is 33
LuckPerms default group nodes 44 (15 explicit true, 13 explicit false, plus weight/prefix)

Server-level alias config (/data/commands.yml):

  • /tpessentials:tpa $1- (request, not raw teleport)
  • /pmessentials:msg $1-
  • /deletehomeessentials:delhome $1-
  • /helphelpcommand:help $1-
  • Disabled (empty list): /tpa /tpahere /tphere /teleport, /skin clear /skin update /skin search /skin random

Effective default-player command surface (commands actually reachable): /login /register /help /rules /sethome /home /deletehome /claim /tpaccept /tp /pay /pm /bal /skin /shop /ah /auctionhouse /balance /baltop /msg /reply /r /back /spawn /delhome /homes /warp /warps /list /region /rg /hs /homestead /unclaim plus what AuthMe forces (login/register/email/captcha/2fa/totp). Anything else is hidden by PAT.

2. Per-plugin command/permission tables

Legend for Default: op = ops only by Bukkit, true = everyone, false = nobody, = not specified (Bukkit treats as op for command, true for permissions). PAT column is the storage.yml groups.default.commands membership — a base command (or alias) is shown as if it appears verbatim in the default whitelist.

2.1 AuctionHouse v1.4.6

Command Aliases Permission node Default PAT default Notes
/auctionhouse (registers /ah dynamically) auctionhouse.ah true both auctionhouse and ah command itself NOT declared in plugin.yml — registered programmatically; only the perm is in plugin.yml

2.2 AuthLimbo v1.0.0 (custom, s8n-ru)

Command Aliases Permission node Default PAT default Notes
/authlimbo /alimbo authlimbo.admin op admin-only; intended for ops; reload + tp subcommands

2.3 AuthMe v5.6.0-FORK-b49 (HaHaWTH fork)

Command Aliases Permission node Default PAT default Notes
/authme authme.admin.* op admin
/email authme.player.email.* true (but PAT bypasses pre-login via AuthMe allowCommands) email mgmt
/login /l authme.player.login true (also in AuthMe allowCommands pre-login)
/logout authme.player.logout true not whitelisted; rarely needed in practice
/register /reg authme.player.register true
/unregister /unreg authme.player.unregister op
/changepassword /changepass /cp authme.player.changepassword true gap — players cannot change their own pw
/totp /2fa authme.player.totpadd / .totpremove true (AuthMe bypasses pre-login) post-login is blocked by PAT
/captcha authme.player.captcha true (AuthMe bypasses pre-login)
/verification authme.player.security.verificationcode true rarely used

AuthMe's Settings.restrictions.allowCommands (config.yml) = [/login, /log, /l, /register, /reg, /email, /captcha, /2fa, /totp] — these bypass PAT before login by the AuthMe handler itself. After login, PAT re-asserts.

2.4 CarbonChat v3.0.0-beta.36

Carbon registers commands programmatically; names + aliases are in command-settings.conf. None are in plugin.yml. All Carbon commands have no default declared (effective: op-only unless granted).

Command Aliases Permission node (typical) Default PAT default Notes
/carbon carbon.help op help+reload landing
/updateusername /updatename carbon.help op
/party /group carbon.parties op
/reply /r carbon.whisper.reply op both Conflicts with Essentials /r,/reply (see §3)
/filter (Carbon admin) op
/join (Carbon admin) op channel
/leave (Carbon admin) op channel
/ignorelist /listignores carbon.ignore op
/unmute carbon.mute.unmute op
/ignore /block carbon.ignore op conflicts with /ignore from Essentials
/spy carbon.whisper (chat spy) op
/whisper /w /message /msg /m /tell carbon.whisper op for whisper; for msg only Conflicts with Essentials /msg,/w,/tell etc
/continue /c carbon.whisper.continue op
/togglemsg /togglepm carbon.whisper op
/clearchat /chatclear /cc carbon.clearchat.clear op admin
/carbondebug /cdebug carbon.debug op
/muteinfo /muted carbon.mute.info op
/unignore /unblock carbon.ignore.unignore op
/mute carbon.mute op
/nickname /nick carbon.nickname op conflicts with Essentials /nick
(channels: /global, /local …) per-channel carbon.channel.<id>.see/.speak inherits LP grants carbon.channel.global.see/.speak to default

LP grants for default group: carbon.channel.global.see=true, carbon.channel.global.speak=true. No other Carbon perms granted — players cannot use whisper/party/etc through Carbon. Whispers are routed through Essentials' /msg instead.

2.5 Chunky v1.4.40

Command Aliases Permission node Default PAT default Notes
/chunky /cy chunky.command (and 19 sub-perms) op admin world-pregen

2.6 CoreProtect v23.1 (CoreProtect-CE)

Command Aliases Permission node Default PAT default Notes
/co coreprotect.co true despite default:true, PAT blocks it for default players
/core coreprotect.core false
/coreprotect coreprotect.coreprotect false

2.7 EpicGuard v7.6.1

EpicGuard is a Paper-only plugin; it has only paper-plugin.yml (no commands declared). Commands are registered through its own CommandHandler class. Confirmed handler entry point = /guard (also /epicguard /eg) per messages.conf referencing /guard status, /guard reload, /guard analyze, /guard whitelist, /guard blacklist, /guard save.

Command Aliases Permission node Default PAT default Notes
/guard /epicguard /eg epicguard.command (declared at runtime) op bot-protection admin

2.8 EssentialsX v2.21.2

124 commands declared; the most comprehensive plugin. Only the user-relevant rows are tabled. Permissions are mostly the form essentials.<command>; exceptions noted.

Command Aliases Permission node Default PAT default LP default override Notes
/afk /eafk /away /eaway essentials.afk true LP grants but PAT blocks
/antioch /grenade /tnt … essentials.antioch op-toy
/anvil /eanvil essentials.anvil
/back /eback /return essentials.back true OK
/balance /bal /money /eco essentials.balance (balance and bal) true
/balancetop /baltop /ebaltop essentials.balancetop (baltop) true
/ban /eban essentials.ban
/banip /ebanip essentials.banip
/book /ebook essentials.book rename signed books
/broadcast /bc /bcast /shout essentials.broadcast
/clearinventory /ci /clean /clear essentials.clearinventory
/compass /direction essentials.compass could be enabled
/delhome /edelhome /remhome /rmhome essentials.delhome true also aliased server-side /deletehome/essentials:delhome
/delwarp /remwarp /rmwarp essentials.delwarp admin
/depth /height essentials.depth
/eco /economy essentials.eco admin
/enchant /enchantment essentials.enchant
/enderchest /echest /ec essentials.enderchest
/essentials /ess /essversion essentials.essentials reload
/exp /xp essentials.exp
/feed /eat essentials.feed
/fly /efly essentials.fly
/gamemode /gm /gmc /gms /gma /gmsp /gmt essentials.gamemode
/gc /lag /tps /mem /uptime /entities essentials.gc
/getpos /coords /position /whereami /getloc essentials.getpos
/give /egive essentials.give
/god /godmode /tgm essentials.god
/hat /head essentials.hat
/heal /eheal essentials.heal
/help /ehelp essentials.help true server-aliased to HelpCommand via commands.yml
/helpop /ac /amsg essentials.helpop message admins
/home /ehome /homes /ehomes essentials.home (home) true
/ignore /unignore essentials.ignore conflicts with Carbon /ignore
/info /about /news essentials.info
/invsee essentials.invsee
/item /i essentials.item
/itemdb /dura /durability essentials.itemdb
/jump /j /jumpto essentials.jump
/kick /ekick essentials.kick
/kit /kits essentials.kit
/lightning /shock /smite /strike /thor essentials.lightning
/list /online /who /playerlist /plist essentials.list true
/mail /email /memo essentials.mail conflicts with AuthMe /email
/me /action /describe essentials.me
/motd /emotd essentials.motd false LP explicit deny — intentional
/msg /m /t /pm /tell /w /whisper essentials.msg (msg) true conflicts heavily with Carbon (see §3)
/msgtoggle essentials.msgtoggle
/mute /silence essentials.mute conflicts with Carbon /mute
/near /nearby essentials.near
/nick /nickname essentials.nick conflicts with Carbon /nick
/pay /epay essentials.pay true
/paytoggle /payoff /payon essentials.paytoggle
/ping /pong essentials.ping
/playtime /eplaytime essentials.playtime
/r /reply essentials.msg (.r for /r) both true (essentials.reply) conflicts with Carbon /r,/reply
/realname /erealname essentials.realname true LP grants but no PAT entry
/recipe /formula /recipes essentials.recipe
/repair /fix essentials.repair
/rules /erules essentials.rules
/seen /alts essentials.seen
/sell /esell essentials.sell not used; we have EZShop /shop
/sethome /createhome /esethome essentials.sethome true
/setwarp /createwarp essentials.setwarp admin
/skull /head /playerskull essentials.skull
/socialspy essentials.socialspy
/spawn /espawn essentials.spawn true
/spawnmob /mob /spawnentity essentials.spawnmob
/speed /flyspeed /walkspeed essentials.speed
/sudo /esudo essentials.sudo
/suicide /esuicide essentials.suicide
/tempban /etempban essentials.tempban
/time /day /night essentials.time
/top /etop essentials.top
/tp /tele /teleport /etp essentials.tp server-aliased to /tpa in commands.yml — raw /tp is gated to op
/tpa /call /tpask essentials.tpa (server alias [] disables it) true
/tpaall /etpaall essentials.tpaall
/tpaccept /tpyes essentials.tpaccept true
/tpahere /etpahere essentials.tpahere (server alias [] disables)
/tpall /etpall essentials.tpall
/tpauto /etpauto essentials.tpauto
/tpacancel /etpacancel essentials.tpacancel
/tpdeny /tpno essentials.tpdeny gap — counterpart of /tpaccept missing
/tphere /s essentials.tphere (server alias [] disables)
/tpoffline /otp /tpoff essentials.tpoffline
/tppos essentials.tppos
/tpr /tprandom essentials.tpr
/tptoggle essentials.tptoggle
/tree /etree essentials.tree
/unban /pardon essentials.unban
/vanish /v /ev essentials.vanish
/warp /warps /ewarp essentials.warp both no warps configured currently
/weather /rain /sky /storm /sun essentials.weather
/whois /ewhois essentials.whois
/workbench /craft /wb essentials.workbench
/world /eworld essentials.world
/worth /price essentials.worth

(non-user commands omitted: backup, beezooka, bigtree, bottom, break, broadcastworld, burn, cartographytable, clearinventoryconfirmtoggle, condense, createkit, customtext, deljail, delkit, disposal, ext, fireball, firework, getpos, grindstone, helpop, ice, itemlore, itemname, jails, kickall, kill, kitreset, kittycannon, loom, more, nuke, payconfirmtoggle, potion, powertool, powertooltoggle, ptime, pweather, remove, renamehome, rest, rtoggle, setjail, setspawn, settpr, setworth, showkit, editsign, smithingtable, spawner, stonecutter, tempbanip, thunder, togglejail, tpacancel, tpoffline, unbanip, unlimited, warpinfo — all op-default, all blocked by PAT — expected.)

2.9 EZShop v1.0-SNAPSHOT (de.flori.shopPlugin)

EZShop has only paper-plugin.yml and registers /shop programmatically (class de.flori.shopPlugin.ShopCommand). No permissions declared — assumes op for admin / open-to-all for /shop GUI.

Command Aliases Permission node Default PAT default Notes
/shop (none) (none declared) the racked.ru sell-shop GUI

2.10 FastAsyncWorldEdit v2.15.0 (provides WorldEdit)

FAWE registers WorldEdit's full command set via provides: [WorldEdit]. None declared in plugin.yml commands: block — all WE commands like /we, /pos1, /copy, /paste are registered programmatically by WorldEdit core. Permission: worldedit.* family (over 200 nodes). All default: op or default: false via fawe.permpack.basic/fawe.bypass/etc. None whitelisted by PAT.

Command Aliases Permission node Default PAT default Notes
/we /worldedit worldedit.* op admin
(full WE command set, ~70 commands) various worldedit.<area>.<verb> op admin
/fawe fawe.admin op

2.11 HelpCommand v2.9.2

Command Aliases Permission node Default PAT default Notes
/help (none — open) shadowed by Essentials by load order; commands.yml routes /help → /helpcommand:help
/hc hc.admin op admin

2.12 Homestead v5.2.0.0

Command Aliases Permission node Default PAT default Notes
/claim homestead.commands.claim true
/unclaim homestead.commands.unclaim true
/region /rg /hs /homestead homestead.commands.region (+ ~50 sub-perms all default:true) true all four master command
/homesteadadmin /hsadmin homestead.commands.homesteadadmin (+9 sub-perms) op admin
/forceunclaim /opunclaim /adminunclaim homestead.admin.forceunclaim op admin

LP default group has explicit homestead.user=true (custom umbrella perm). This is not declared in plugin.yml — appears to be operator-added cosmetic / for internal LP audit purposes; has no behavioural effect on its own (Homestead checks the homestead.commands.region.<sub> and homestead.actions.regions.<sub> paths, all already default:true). 106 perm nodes total.

2.13 LuckPerms v5.5.17

Command Aliases Permission node Default PAT default Notes
/luckperms /lp /perm /perms /permission /permissions luckperms.<sub> (per-action) op (lp/luckperms whitelisted in global.commands only — global takes precedence over default group)

PAT global.commands includes lp, luckperms, gamerule …, execute …. global commands are allowed for everyone regardless of group; intended for ops to use without per-group config. But /lp itself permission-checks each sub-action via LuckPerms' own perm system — default players running /lp info default will be denied at the LP layer.

2.14 MiniMOTD v2.2.3

No commands declared. Server-list MOTD only.

2.15 MiniPlaceholders v3.2.0

(unable to read plugin.yml — paper-plugin.yml only). No user-facing commands; placeholder library.

2.16 PlaceholderAPI v2.12.2

Command Aliases Permission node Default PAT default Notes
/placeholderapi /papi placeholderapi.admin op admin

2.17 ProAntiTab v2.3.0

Command Aliases Permission node Default PAT default Notes
/proantitab /pat proantitab.admin (default-derived; not explicitly in plugin.yml — runtime check) op admin

PAT internally manages tab-completion and command-block visibility for all other commands. The default group itself maps to LP perm proantitab.group.default=true.

2.18 ProtocolLib v5.5.0

Command Aliases Permission node Default PAT default Notes
/protocol protocol.admin op admin
/packet protocol.admin op admin
/filter /packet_filter protocol.admin op admin (conflicts with Carbon /filter — Carbon registers later, takes /filter)
/packetlog protocol.admin op admin

2.19 SkinsRestorer v15.12.0

No commands in plugin.yml. SR registers /skin (and many sub-aliases like /skins) programmatically. Granular permissions are well known.

Command Aliases Permission node Default PAT default LP default override Notes
/skin skinsrestorer.command (runtime) true
/skin set skinsrestorer.command.set (runtime) true
/skin url skinsrestorer.command.set.url (runtime) true
/skin gui / /skins skinsrestorer.command.gui (runtime) (skins not listed) true gap — LP allows but PAT blocks /skins
/skin clear skinsrestorer.command.clear (runtime) (commands.yml empty alias) false LP denies; commands.yml also disables alias — defence in depth
/skin update skinsrestorer.command.update (runtime) (commands.yml empty alias) false
/skin search skinsrestorer.command.search (runtime) (commands.yml empty alias) false
/skin random skinsrestorer.command.random (runtime) (commands.yml empty alias) false
/skin set skinsrestorer.command.set.other (runtime) false
/skin favourite skinsrestorer.command.favourite (runtime) false
/skin edit skinsrestorer.command.edit (runtime) false
/skin undo skinsrestorer.command.undo (runtime) false
/skin skull skinsrestorer.command.skull (runtime) false
/sradmin skinsrestorer.admincommand op false

2.20 spark v1.10.172

Command Aliases Permission node Default PAT default Notes
/spark spark op admin profiler

2.21 TAB v6.0.1

Command Aliases Permission node Default PAT default Notes
/tab tab.admin (+ ~25 sub-perms) op admin

2.22 VaultUnlocked v2.19.1

Command Aliases Permission node Default PAT default Notes
/vault-info vault.admin.info op admin
/vault-convert vault.admin.convert op admin

2.23 voicechat v2.6.17

Command Aliases Permission node Default PAT default Notes
/voicechat /vc (registered runtime) voicechat.admin (+ listen/speak/groups) op admin; listen/speak/groups perms are default:true (true is implicit) and players use the chat through the proximity client

2.24 VoidWorldGenerator v1.3.11

No commands declared. Provides void generator referenced by bukkit.yml for auth_limbo world.

3. Conflicts (same command claimed by ≥2 plugins)

Bukkit resolves by load order: first plugin to register wins the bare token; the second's command becomes accessible only via <pluginname>:<command>. Load order from logs is approximately: ProtocolLib → FAWE → SkinsRestorer → PlaceholderAPI → Essentials (early) → AuthMe → AuthLimbo → EZShop → ProAntiTab → Homestead → CarbonChat (late) → voicechat → CoreProtect → TAB → MiniMOTD → HelpCommand → EpicGuard → AuctionHouse → Chunky.

Command Plugin A (winner) Plugin B (shadowed) commands.yml override Effective owner Notes
/msg EssentialsX (essentials.msg) CarbonChat (carbon.whisper) none Essentials Carbon /msg only via /carbon:whisper
/m /t /tell /w /whisper /message EssentialsX (most aliases) CarbonChat none Essentials aliased identically; first to register wins
/r /reply EssentialsX (essentials.r) CarbonChat (carbon.whisper.reply) none Essentials
/nick /nickname EssentialsX (essentials.nick) CarbonChat (carbon.nickname) none Essentials
/ignore EssentialsX (essentials.ignore) CarbonChat (carbon.ignore) none Essentials
/mute EssentialsX (essentials.mute) CarbonChat (carbon.mute) none Essentials
/clearchat /cc /chatclear (only Carbon) none Carbon not in PAT default; admin only anyway
/filter ProtocolLib (protocol.admin) CarbonChat none ProtocolLib Carbon /filter only via /carbon:filter
/help EssentialsX (essentials.help) HelpCommand commands.yml help: [helpcommand:help $1-] HelpCommand (after restart) already fixed in commands.yml
/tp EssentialsX (essentials.tp) (none — vanilla /tp gated by op) commands.yml tp: [essentials:tpa $1-] Essentials TPA flow players' /tp = TPA request, not raw teleport
/skull /head EssentialsX (essentials.skull) EssentialsX /hat aliases (head) none Essentials skull internal Ess overlap: /head is alias of both /hat and /skull — Bukkit registers first that wins (skull)
/home /homes EssentialsX (essentials.home + homes alias) EssentialsX (/homes is also alias of /home) none Essentials
/email EssentialsX /mail alias email AuthMe /email (own command) none AuthMe (loads first, registers /email as own command) EssentialsX /mail's email alias is shadowed
/pm (Essentials msg alias) (none) commands.yml pm: [essentials:msg $1-] Essentials msg
/deletehome (none — Essentials only has /delhome) commands.yml deletehome: [essentials:delhome $1-] Essentials delhome via alias
/shop EZShop (none) none EZShop
/list EssentialsX vanilla /list none Essentials overrides vanilla

No conflict on /seen (Essentials only).

4. PAT whitelist diff (storage.yml groups.default.commands vs reality)

groups.default.commands actual list (39 entries):

login, register, help, rules, sethome, home, deletehome, claim, lands,
tpaccept, tp, pay, pm, bal, skin, skin url, skin set, shop, ah, auctionhouse,
balance, baltop, msg, reply, r, back, spawn, delhome, homes, warp, warps,
list, region, rg, hs, homestead, unclaim

4a. Dead PAT whitelist entries (whitelisted but no plugin claims them)

Entry Why it's dead Action
lands Lands jar is not loaded. /data/plugins/Lands/ is config-only debris. Homestead handles claiming. Remove from whitelist. Possibly archive /data/plugins/Lands/ to _keep/.
warp, warps Essentials warps work, but no warps are configured on this server. Players see "warp does not exist". Either configure warps (e.g. /warp shop, /warp pvp) or remove. Decide: configure or remove both.

4b. Over-restrictions (plugin.yml says default:true but PAT blocks)

Command Plugin Reason it's blocked Recommendation
/co CoreProtect (coreprotect.co=true) inspector tool — works for everyone by plugin design (lets players see who broke a block in their claim) Optional: add co to default whitelist if operator wants player-side block-history transparency. Default-policy decision.
/auctionhouse and /ah AuctionHouse (auctionhouse.ah=true) both are whitelisted — no over-restriction OK
AuthMe /changepassword, /cp, /changepass AuthMe (default:true) post-login PAT denies; players can't rotate own pw without contacting an op Add changepassword, changepass, cp to whitelist.
AuthMe /totp, /2fa AuthMe (default:true) only allowed pre-login by AuthMe internal handler; once logged in PAT blocks. Players who want to add 2FA after registration are blocked. Add totp, 2fa to whitelist if 2FA is intended to be available post-login.
/tpdeny, /tpno EssentialsX counterpart of /tpaccept missing Add tpdeny, tpno.
/skins SkinsRestorer (LP grants skinsrestorer.command.gui=true) LP allows but PAT doesn't list. /skins (gui) currently unreachable. Add skins.
/afk, /eafk, /away EssentialsX (LP grants essentials.afk=true) LP allows but PAT doesn't list. AFK is unreachable. Add afk (single canonical token) plus optional aliases.
/realname EssentialsX (LP grants essentials.realname=true) LP allows but PAT doesn't list. Add realname if used socially; OR revoke essentials.realname=true from default if not needed.

4c. PAT entries that work — sanity check

All other entries (login, register, help, rules, sethome, home, deletehome, claim, tpaccept, tp, pay, pm, bal, skin, skin url, skin set, shop, ah, auctionhouse, balance, baltop, msg, reply, r, back, spawn, delhome, homes, list, region, rg, hs, homestead, unclaim) resolve cleanly to a loaded plugin's command and are reachable.

4d. PAT global.commands

login, register, gamerule (+ subcommands), lp, luckperms,
execute (+ subcommands … long chain ending in `gamerule announceAdvancements false`)

The execute … chain is unusual — appears to allow exactly one specific vanilla execute invocation. It's safe (LuckPerms denies LP commands at perm layer for non-ops, vanilla execute requires op level 2). Useful only to allow a specific in-game command-block style command, but looks like leftover debugging setup. Would recommend trimming the long execute in minecraft:overworld run gamerule announceAdvancements false ladder — it doesn't restrict anything (PAT match is on the first token, so just execute is enough), and it clutters the file.

5. LuckPerms default group analysis

15 explicit true grants:

Node Effect
carbon.channel.global.see see global chat
carbon.channel.global.speak speak in global chat
essentials.afk use /afk (blocked by PAT)
essentials.back use /back
essentials.balance use /balance
essentials.baltop use /baltop
essentials.delhome use /delhome
essentials.help use /help
essentials.home use /home
essentials.homes use /homes
essentials.list use /list
essentials.msg use /msg
essentials.pay use /pay
essentials.realname use /realname (blocked by PAT)
essentials.reply use /reply, /r
essentials.sethome use /sethome
essentials.spawn use /spawn
essentials.tpa use /tpa (server alias makes /tp = /tpa)
essentials.tpaccept use /tpaccept
homestead.user umbrella (no plugin uses it; cosmetic / audit-trail)
proantitab.group.default match PAT default group
skinsrestorer.command base /skin
skinsrestorer.command.gui /skin gui ↔ /skins
skinsrestorer.command.set /skin set
skinsrestorer.command.set.url /skin url
skinsrestorer.ownskin apply own skin
skinsrestorer.player be a SR-tracked player

13 explicit false denies:

Node Reason
essentials.motd no MOTD spam (intentional)
prefix.10.&8[&2Adventurer&8]&r prefix off (operator-managed via tracks elsewhere)
skinsrestorer.admincommand no /sradmin
skinsrestorer.command.clear no skin clear
skinsrestorer.command.clear.other no clearing others
skinsrestorer.command.edit
skinsrestorer.command.favourite
skinsrestorer.command.favourite.other
skinsrestorer.command.random no random skin spam
skinsrestorer.command.search no search browser
skinsrestorer.command.set.other no setting others' skins
skinsrestorer.command.skull
skinsrestorer.command.undo
skinsrestorer.command.undo.other
skinsrestorer.command.update
skinsrestorer.command.update.other

Plus weight.10 (rank ordering).

No re-grant of an op-default permission is present. No deny of a default:true plugin permission other than the SkinsRestorer narrowing and essentials.motd (both intentional).

6. Recommended curated default-player surface

The 17 commands a default player should have visible after a polish pass:

Category Command PAT entry LP node Notes
Auth /login (alias /l) (default:true) already OK
Auth /register (alias /reg) (default:true) already OK
Auth /changepassword (/changepass /cp) ADD (default:true) post-login pw rotation
Auth /totp (/2fa) ADD (default:true) post-login 2FA setup
Movement /spawn essentials.spawn=true OK
Movement /home essentials.home=true OK
Movement /sethome essentials.sethome=true OK
Movement /delhome (/deletehome) both essentials.delhome=true OK
Movement /homes essentials.homes=true OK
Movement /back essentials.back=true OK
Movement /tp (= TPA via alias) essentials.tpa=true OK
Movement /tpaccept essentials.tpaccept=true OK
Movement /tpdeny (/tpno) ADD grant essentials.tpdeny=true in LP default counterpart of /tpaccept
Social /msg (/pm /tell /w) for msg and pm; consider adding tell and w essentials.msg=true OK
Social /reply (/r) both essentials.reply=true OK
Economy /balance (/bal) both essentials.balance=true OK
Economy /baltop essentials.baltop=true OK
Economy /pay essentials.pay=true OK
Economy /shop (no perm) OK
Economy /ah (/auctionhouse) both auctionhouse.ah=true (default:true) OK
Land /claim homestead.commands.claim=true (default:true) OK
Land /unclaim (default:true) OK
Land /hs (/region /rg /homestead) all four (default:true) OK
Skins /skin /skin set /skin url all three skinsrestorer.command.* selective true OK
Skins /skins (gui) ADD skinsrestorer.command.gui=true (already in LP) LP grants but PAT blocks
Info /help essentials.help=true (alias to HelpCommand) OK
Info /list essentials.list=true OK
Info /rules (no LP node — Essentials default-true is sufficient) OK
Info /seen (consider) nice-to-have if last-online useful
Info /afk ADD essentials.afk=true (already granted) LP grants but PAT blocks
Info /motd (intentionally off via LP) essentials.motd=false leave OFF

6.1 Concrete diff — add to PAT groups.default.commands

      - changepassword
      - changepass
      - cp
      - totp
      - 2fa
      - skins
      - afk
      - tpdeny
      - tpno

6.2 Concrete diff — remove from PAT groups.default.commands

      - lands       # Lands plugin not loaded
      # - warp
      # - warps     # only if not configuring warps; otherwise leave

6.3 Concrete diff — LuckPerms (default group)

Add via /lp group default permission set <node> true (one-shot, idempotent):

essentials.tpdeny true
essentials.changepassword true       # belt-and-braces; AuthMe perm covers it

(Do NOT touch prefixes/suffixes per workspace policy.)

6.4 Optional remove (clean-up — operator decision)

Item Rationale
essentials.realname=true in LP default not in PAT whitelist anyway; remove the LP grant (or add realname to PAT). Pick one for consistency.
homestead.user=true in LP default not declared in any plugin's plugin.yml; cosmetic. Either delete the node or formally document why it's there.
/co for default optional: add if operator wants player-side block-history visibility. Requires both PAT entry and coreprotect.co is already default:true.

7. Aliases health

7.1 Server-level aliases (commands.yml)

Alias Resolves to Status
/tp essentials:tpa $1- OK — turns raw teleport into request
/pm essentials:msg $1- OK
/deletehome essentials:delhome $1- OK
/help helpcommand:help $1- OK after next restart (check effective on bounce)
/tpa /tpahere /tphere /teleport [] (disabled) OK — forces request flow
/skin clear /update /search /random [] (disabled) OK — defence-in-depth on top of LP denies

7.2 Recommendations

  • No /tps spam. /tps is an EssentialsX /gc alias and NOT in the PAT whitelist — already silent for default. Leave as is. Consider: spark also exposes /spark health which is op-only. No conflict.
  • Drop the execute in minecraft:overworld run gamerule … ladder in PAT global.commands. PAT only matches the first token (or up to a sub-command boundary) — the long chain is ineffective and confusing. Replace with just gamerule and execute if those need to be globally allowed.
  • Carbon vs Essentials chat aliases. Bukkit picks Essentials first for /msg/r/whisper/etc. Since Carbon's chat features (parties, channels, ignore) are not granted to default group anyway, this is fine. If you ever want Carbon /party for default, you'd need both an LP grant and a PAT whitelist entry and to ensure Essentials doesn't shadow /party (Essentials does not declare a /party command — /party is uniquely Carbon's, so it's safe).
  • Disable EssentialsX duplicate aliases that fight us. /tps (alias of /gc) and /email (alias of /mail) overlap with spark concept and AuthMe respectively. Right now, both are silently OK because they're op-default and not in PAT default whitelist. No action needed.
  • HelpCommand alias. Make sure /help alias took effect — check by echo 'help' | rcon-cli returning the racked.ru-styled page (after server restart).

7.3 Bukkit commands.yml extra suggestions (optional)

  • Add /tpdeny: [essentials:tpdeny $1-] — already auto-resolved, but explicit is clearer.
  • Consider /wild: [essentials:tpr $1-] if you want a "random teleport" UX without enabling /tpr token directly.
  • Consider /discord: [...] macro if a Discord invite needs a memorable command (DiscordSRV is not loaded despite SYSTEM.md mention — confirm the operator's plan re. chat bridging).

8. Plugins with partial / runtime-registered command data (transparency)

Plugin Why limited Source of truth
AuctionHouse command not in plugin.yml; only perm jar class me.elaineqheart.auctionHouse.commands.AuctionHouseCommand; PAT entries auctionhouse, ah confirm
EpicGuard only paper-plugin.yml; no commands declared me.xneox.epicguard.core.command.CommandHandler; messages.conf shows /guard ... usage
EZShop only paper-plugin.yml jar class de.flori.shopPlugin.ShopCommand
SkinsRestorer no commands in plugin.yml LP perm structure (skinsrestorer.command.*) is canonical
FastAsyncWorldEdit provides WorldEdit core; commands registered by WE library WorldEdit upstream docs apply
MiniPlaceholders unable to read plugin.yml (paper-plugin.yml only); no commands placeholder library — no user commands
Lands NOT LOADED — no jar present references in HelpCommand text and PAT whitelist are dead

9. Quick reference — "is /X visible to default?"

A command appears for default players iff all of:

  1. The command resolves to a loaded plugin (or commands.yml alias),
  2. The owning permission (or its default:true flag) is held by the default group,
  3. The first token (e.g. home from /home foo) is in PAT groups.default.commands OR global.commands.

If any of (1)/(2)/(3) fails, the player gets either a "no permission" message (LP), a "BLOCKED" message (PAT), or "Unknown or incomplete command" (Bukkit).