docs+security: sync controls and scope Warden RC4 CodeQL exception

.github/codeql/codeql-config.yml

@@ -0,0 +1,7 @@
+name: wowee-codeql-config
+
+# Warden stream crypto must remain RC4 for protocol compatibility.
+# Keep weak-crypto detection enabled project-wide, but exclude this one file
+# so CodeQL doesn't raise an unfixable compatibility alert.
+paths-ignore:
+  - src/game/warden_crypto.cpp

.github/workflows/security.yml

@@ -48,6 +48,7 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: cpp
+          config-file: ./.github/codeql/codeql-config.yml
 
       - name: Build
         run: |

README.md

@@ -57,13 +57,13 @@ Compatible with **Vanilla (Classic) 1.12 + TBC 2.4.3 + WotLK 3.3.5a**. All three
 - **Action Bar** -- 12 slots, drag-drop from spellbook/inventory, click-to-cast, keybindings
 - **Trainers** -- Spell trainer UI, buy spells, known/available/unavailable states
 - **Quests** -- Quest markers (! and ?) on NPCs and minimap, quest log, quest details, turn-in flow
-- **Vendors** -- Buy and sell items, gold tracking, inventory sync
+- **Vendors** -- Buy, sell, and buyback (most recent sold item), gold tracking, inventory sync
 - **Loot** -- Loot window, gold looting, item pickup
 - **Gossip** -- NPC interaction, dialogue options
 - **Chat** -- Tabs/channels, emotes, chat bubbles, clickable URLs, clickable item links with tooltips
 - **Party** -- Group invites, party list
 - **Warden** -- Warden anti-cheat module execution via Unicorn Engine x86 emulation (cross-platform, no Wine)
-- **UI** -- Loading screens with progress bar, settings window, minimap with zoom/rotation/square mode
+- **UI** -- Loading screens with progress bar, settings window, minimap with zoom/rotation/square mode, top-right minimap mute speaker, separate bag windows with compact-empty mode (aggregate view)
 
 ## Building
 
@@ -150,10 +150,15 @@ make -j$(nproc)
 ### UI & Windows
 | Key | Action |
 |-----|--------|
-| I | Toggle inventory |
+| B | Toggle bags |
+| C | Toggle character |
 | P | Toggle spellbook |
+| N | Toggle talents |
 | L | Toggle quest log |
+| M | Toggle world map |
+| O | Toggle guild roster |
 | Enter | Open chat |
+| / | Open chat with slash |
 | Escape | Close windows / deselect |
 
 ### Action Bar
@@ -167,16 +172,7 @@ make -j$(nproc)
 | Key | Action |
 |-----|--------|
 | F1 | Performance HUD |
-| F2 | Wireframe mode |
+| F4 | Toggle shadows |
-| F9 | Toggle time progression |
-| F10 | Toggle celestial bodies (sun + moons) |
-| F11 | Toggle procedural stars (debug mode) |
-| +/- | Change time of day |
-| C | Toggle clouds |
-| L | Toggle lens flare |
-| W | Cycle weather (None/Rain/Snow) |
-| K / J | Spawn / remove test characters |
-| O / P | Spawn / clear WMOs |
 
 ## Documentation
 
@@ -196,6 +192,14 @@ make -j$(nproc)
 - [Warden Quick Reference](docs/WARDEN_QUICK_REFERENCE.md) -- Warden module execution overview and testing
 - [Warden Implementation](docs/WARDEN_IMPLEMENTATION.md) -- Technical details of the implementation
 
+## Security
+
+- GitHub Actions runs a dedicated security workflow at `.github/workflows/security.yml`.
+- Current checks include:
+  - `CodeQL` for C/C++
+  - `Semgrep` static analysis
+  - Sanitizer build (`ASan` + `UBSan`)
+
 ## Technical Details
 
 - **Graphics**: OpenGL 3.3 Core, GLSL 330, forward rendering with post-processing

docs/quickstart.md

@@ -74,12 +74,17 @@ For local AzerothCore setup, see `docs/server-setup.md`.
 - `Mouse`: Look/orbit camera
 - `Tab`: Cycle targets
 - `1-9,0,-,=`: Action bar slots
-- `I`: Inventory
+- `B`: Bags
+- `C`: Character
 - `P`: Spellbook
+- `N`: Talents
 - `L`: Quest log
+- `M`: World map
+- `O`: Guild roster
 - `Enter`: Chat
+- `/`: Chat slash command
 - `F1`: Performance HUD
-- `F2`: Wireframe
+- `F4`: Toggle shadows
 
 ## Troubleshooting
 

docs/server-setup.md

@@ -207,7 +207,7 @@ account onlinelist
 server shutdown 10  # Shutdown in 10 seconds
 ```
 
-## Connecting with Wowee-Native
+## Connecting with WoWee
 
 ### 1. Start the Client
 
@@ -335,7 +335,11 @@ ifconfig | grep inet
 
 Edit `authserver.conf`:
 ```ini
-BindIP = "<bind-address>"  # Listen on all interfaces
+# Local-only testing on the same machine:
+BindIP = "127.0.0.1"
+
+# LAN/remote testing (listen on all interfaces):
+# BindIP = "0.0.0.0"
 ```
 
 Edit database:
@@ -366,7 +370,8 @@ For testing with a remote server (VPS, dedicated server):
 **Server configuration:**
 ```ini
 # authserver.conf
-BindIP = "<bind-address>"
+# Public/remote access:
+BindIP = "0.0.0.0"
 
 # Database
 UPDATE realmlist SET address='your.server.ip' WHERE id=1;
@@ -420,27 +425,18 @@ Once connected and in-world, test client features:
 - **Mouse** - Look around
 - **Shift** - Move faster
 
-**Rendering Features:**
+**UI/Gameplay Windows:**
+- **B** - Toggle bags
+- **C** - Toggle character
+- **P** - Toggle spellbook
+- **N** - Toggle talents
+- **L** - Toggle quest log
+- **M** - Toggle world map
+- **O** - Toggle guild roster
+
+**Debug Features:**
 - **F1** - Toggle performance HUD
-- **F2** - Wireframe mode
+- **F4** - Toggle shadows
-- **F8** - Toggle water rendering
-- **F9** - Toggle time progression
-- **F10** - Toggle sun/moon
-- **F11** - Toggle stars
-- **F12** - Toggle fog
-- **+/-** - Change time of day
-
-**Effects:**
-- **C** - Toggle clouds
-- **L** - Toggle lens flare
-- **W** - Cycle weather (rain/snow)
-- **M** - Toggle moon phases
-
-**Character/Buildings:**
-- **K** - Spawn test character
-- **O** - Spawn test WMO building
-- **Shift+O** - Load real WMO from MPQ (if WOW_DATA_PATH set)
-- **P** - Clear all WMOs
 
 ### Performance Monitoring
 
@@ -510,10 +506,7 @@ Rate.Player.Haste = 1
 ### Client Performance
 
 - Keep performance HUD (F1) enabled to monitor FPS
-- Disable heavy effects if FPS drops:
+- Reduce quality/effects from Settings if FPS drops
-  - Weather (W key to None)
-  - Clouds (C key to disable)
-  - Lens flare (L key to disable)
 
 ## Security Notes
 
@@ -581,8 +574,9 @@ export WOW_DATA_PATH="/path/to/extracted/Data"
 5. **Test Features:**
 - Create a character
 - Enter world
-- Test rendering (F1-F12, C, L, W, M keys)
+- Test windows (`B`, `C`, `P`, `N`, `L`, `M`, `O`)
-- Spawn objects (K, O, Shift+O, P keys)
+- Test vendor flow (buy, sell, buyback)
+- Test quest flow (accept, progress tracking, turn-in markers)
 - Test movement (WASD, mouse)
 
 6. **Stop Server (worldserver console):**

docs/status.md

@@ -1,6 +1,6 @@
 # Project Status
 
-**Last updated**: 2026-02-17
+**Last updated**: 2026-02-19
 
 ## What This Repo Is
 
@@ -14,12 +14,13 @@ Implemented (working in normal use):
 - Rendering: terrain, WMO/M2 rendering, water, sky system, particles, minimap/world map, loading video playback
 - Character system: creation (including nonbinary gender), selection, 3D preview with equipment, character screen
 - Core gameplay: movement, targeting, combat, action bar, inventory/equipment, chat (tabs/channels, emotes, item links)
-- Quests: quest markers (! and ?) on NPCs and minimap, quest log, accept/complete flow, turn-in
+- Quests: quest markers (! and ?) on NPCs/minimap, quest log with detail queries/retry, objective tracking, accept/complete flow, turn-in
 - Trainers: spell trainer UI, buy spells, known/available/unavailable states
-- Vendors, loot, gossip dialogs
+- Vendors, loot, gossip dialogs (including buyback for most recently sold item)
 - Spellbook with class tabs, drag-drop to action bar, spell icons
 - Warden anti-cheat: full module execution via Unicorn Engine x86 emulation; module caching
 - Audio: ambient, movement, combat, spell, and UI sound systems
+- Bag UI: separate bag windows, open-bag indicator on bag bar, optional collapse-empty mode in aggregate bag view
 - Multi-expansion: Classic/Vanilla, TBC, WotLK, and Turtle WoW (1.17) protocol and asset variants
 
 In progress / known gaps:

src/game/warden_crypto.cpp

@@ -72,21 +72,9 @@ bool WardenCrypto::initFromSessionKey(const std::vector<uint8_t>& sessionKey) {
     uint8_t decryptKey[16];
     sha1RandxGenerate(sessionKey, encryptKey, decryptKey);
 
-    // Log derived keys
+    // Warden protocol compatibility note:
-    {
+    // Blizzard's Warden stream crypto is RC4-based; this cannot be upgraded
-        std::string hex;
+    // without breaking protocol interoperability with supported servers.
-        for (int i = 0; i < 16; ++i) {
-            char b[4]; snprintf(b, sizeof(b), "%02x ", encryptKey[i]); hex += b;
-        }
-        LOG_INFO("Warden: Encrypt key (C→S): ", hex);
-        hex.clear();
-        for (int i = 0; i < 16; ++i) {
-            char b[4]; snprintf(b, sizeof(b), "%02x ", decryptKey[i]); hex += b;
-        }
-        LOG_INFO("Warden: Decrypt key (S→C): ", hex);
-    }
-
-    // Initialize RC4 ciphers
     std::vector<uint8_t> ek(encryptKey, encryptKey + 16);
     std::vector<uint8_t> dk(decryptKey, decryptKey + 16);
 
@@ -96,6 +84,12 @@ bool WardenCrypto::initFromSessionKey(const std::vector<uint8_t>& sessionKey) {
     initRC4(ek, encryptRC4State_, encryptRC4_i_, encryptRC4_j_);
     initRC4(dk, decryptRC4State_, decryptRC4_i_, decryptRC4_j_);
 
+    // Scrub temporary key material after RC4 state initialization.
+    std::fill(ek.begin(), ek.end(), 0);
+    std::fill(dk.begin(), dk.end(), 0);
+    std::fill(std::begin(encryptKey), std::end(encryptKey), 0);
+    std::fill(std::begin(decryptKey), std::end(decryptKey), 0);
+
     initialized_ = true;
     LOG_INFO("Warden: Crypto initialized from session key");
     return true;