| Decision index drift (src/09-DECISIONS.md vs referenced D0xx elsewhere) | The tracker is Dxxx-index keyed; future non-indexed decisions can become invisible | M1–M11 (cross-cutting) | Add index rows in the same change as new Dxxx references and update tracker row count/coverage summary immediately. |
| P002 fixed-point scale | Blocks final numeric tuning; RESOLVED (1024, see research/fixed-point-math-design.md) | M2, M3 | Resolved. Affected D rows (D009, D013, D015, D028, D045) can proceed. |
| P003 audio library + music integration design | Blocks final audio/music implementation choices; RESOLVED (Kira via bevy_kira_audio, see research/audio-library-music-integration-design.md) | M3, M6 | Resolved. M3 audio cluster gate is unblocked. |
| P004 lobby/matchmaking wire details | Multiplayer productization details can churn if not locked; RESOLVED (see research/lobby-matchmaking-wire-protocol-design.md) | M4, M7 | Resolved. D052/D055/D059/D060 integration details are specified. |
| Legal/ops gates for community infrastructure (entity + DMCA agent) | Workshop/ranked/community infra risk if omitted | M7, M9 | Treat as policy_gate nodes in dependency map; do not mark affected milestones validated without them. |
| Scope pressure from advanced modes and optional AI (D070, survival variant, D016/D047/D057) | Can steal bandwidth from core runtime/campaign/multiplayer milestones | M7–M11 | Keep P-Optional and experimental features gated; no promotion to core milestones without playtest evidence. |
| Feedback-reward farming / positivity bias in creator review recognition | Can distort review quality and create social abuse incentives if rewards are treated as gameplay, popularity, or review volume | M7, M10, M11 | Keep rewards profile-only, sampled prompts, creator helpful-mark auditability, and D037/D052 anti-collusion enforcement; emphasize “helpful/actionable” over positive sentiment; see M7.UX.POST_PLAY_FEEDBACK_PROMPTS + M10.COM.CREATOR_FEEDBACK_HELPFUL_RECOGNITION. |
| Community-contribution points inflation / redemption abuse (if enabled) | Optional redeemable points can become farmed, confusing, or mistaken for a gameplay currency without strict guardrails | M11 | Keep points non-tradable/non-cashable/non-gameplay, cap accrual, audit grants/redemptions, support revocation/refund, and use clear “profile/cosmetic-only” labeling via M11.COM.CONTRIBUTOR_POINTS_COSMETIC_REWARDS. |
| Authoring manual drift (SDK embedded docs vs web docs vs CLI/API/schema reality) | Creators lose trust fast if field/flag/script docs are stale or contradictory | M8, M9, M10 | Use one-source D037 knowledge-base content + generated references (M8.SDK.AUTHORING_REFERENCE_FOUNDATION) and SDK embedded snapshot/context help as a view (M9.SDK.EMBEDDED_AUTHORING_MANUAL), not a parallel manual. |
| Creator iteration friction (local content requires repeated packaging/install loops) | Strong tooling can still fail adoption if iteration cost is too high during M8/M9 | M8, M9 | Preserve a fast local content overlay/dev-profile workflow in CLI + SDK integration; see research/bar-recoil-source-study.md and mapped clusters in tracking/milestone-dependency-map.md (M8.SDK.CLI_FOUNDATION, M9.SDK.D038_SCENARIO_EDITOR_CORE). |
| Netcode diagnostics opacity (buffering/jitter/rejoin behavior hidden from users/admins) | Lockstep systems can feel unfair or “broken” if queueing/jitter tradeoffs are not visible and explained | M4, M7 | Keep relay/buffering diagnostics and trust labels explicit; see BAR/Recoil source-study mappings for M4.NET.RELAY_TIME_AUTHORITY_AND_VALIDATION, M7.SEC.BEHAVIORAL_ANALYSIS_REPORTING, M7.NET.SPECTATOR_TOURNAMENT. |
| Cross-engine / 2D-vs-3D parity overclaiming in public messaging | The long-term vision is compelling, but blanket “fair cross-engine 2D vs 3D play” claims can exceed actual trust/certification guarantees and damage credibility | M7, M11 | Treat mixed-client 2D-vs-3D play as a North Star tied to M7.NET.CROSS_ENGINE_BRIDGE_AND_TRUST + M11.VISUAL.D048_AND_RENDER_MOD_INFRA; always use host-mode trust labels and mode-specific fairness claims. |
| Ambiguous future/deferral language drift | Vague “future/later/deferred” wording can create unscheduled commitments and break dependency-first implementation planning | M0–M11 (cross-cutting) | Enforce Future/Deferral Language Discipline (AGENTS.md, 14-METHODOLOGY.md), maintain tracking/future-language-audit.md, and require same-change overlay mapping for accepted deferrals. |
| External implementation repo drift / weak code navigation | Separate code repos can drift from canonical decisions or become hard for humans/LLMs to navigate without aligned AGENTS.md and CODE-INDEX.md files | M0, then all implementation milestones | Use M0.OPS.EXTERNAL_CODE_REPO_BOOTSTRAP_AND_NAVIGATION_TEMPLATES, require external repo bootstrap artifacts before claiming design alignment, and update templates when subsystem boundaries or expected routing patterns change. |
| Moderation capability coupling (e.g., chat sanctions unintentionally breaking votes/pings) | Poorly scoped restrictions damage match integrity and create support friction, especially in competitive modes | M7, M11 | Preserve capability-scoped moderation controls (Mute/Block/Avoid/Report split, granular restrictions) and test sanctions against critical lobby/match flows; see BAR moderation lesson mapping in dependency overlay. |
| Communication marker clutter / color-only beacon semantics | Pings/beacons/markers become noisy, inaccessible, or hard to review if appearance overrides outrun icon/type semantics and rate limits | M7, M10, M11 | Keep D059 marker semantics icon/type-first, bound labels/colors/TTL/visibility via M7.UX.D059_BEACONS_MARKERS_LABELS, and preserve replay-safe metadata + non-color-only cues; see open-source comms-marker study mappings in the dependency overlay. |
| RTL support reduced to font coverage only | UI may render glyphs but still fail Arabic/Hebrew usability if BiDi/shaping/layout-direction rules, role-aware font fallback, and directional asset policies are not implemented/tested across runtime, comms, and SDK surfaces | M6, M7, M9, M10, M11 | Track and validate the explicit RTL/BiDi clusters (M6.UX.RTL_BIDI_GAME_UI_BASELINE, M7.UX.D059_RTL_CHAT_MARKER_TEXT_SAFETY, M9.SDK.RTL_BASIC_EDITOR_UI_LAYOUT, M10.SDK.RTL_BIDI_LOCALIZATION_WORKBENCH_PREVIEW) and fold final platform consistency checks into M11.PLAT.BROWSER_MOBILE_POLISH; use research/rtl-bidi-open-source-implementation-study.md as the confirmatory baseline for shaping/BiDi/fallback/layout test emphasis. |
| Pathfinding API exposure drift (ad hoc script queries bypassing conformance/perf boundaries) | Convenience APIs can become hidden hot-path liabilities or deterministic hazards if not bounded/documented | M2, M5, M8 | Keep D013/D045 conformance-first discipline and only expose bounded, documented estimate/path-preview APIs with explicit authority/perf semantics. |
| Legacy/freeware C&C mirror rights ambiguity | “Freeware” wording can be misread as blanket Workshop redistribution permission, creating legal and trust risk | M0, M8, M9 | Treat as explicit policy gate (M0.OPS.FREEWARE_CONTENT_MIRROR_POLICY_GATE / PG.LEGAL.CNC_FREEWARE_MIRROR_RIGHTS_POLICY), keep D069 owned-install import (incl. Remastered) as the default onboarding path, and require provenance/takedown policy before any mirror packages ship. |
| Workshop operator/admin tooling debt | Strong package/distribution design can still fail operationally if ingest, verify, quarantine, and rollback workflows remain shell-only | M8, M9, M11 | Phase operator surfaces explicitly (M8.OPS.WORKSHOP_OPERATOR_PANEL_MINIMAL -> M9.OPS.WORKSHOP_ADMIN_PANEL_FULL) with RBAC and audit-log requirements tied to D049/D037 validation. |
| Media language metadata drift / unlabeled machine-translated captions | Players can select unsupported dubs/subtitles or misread quality/trust if Workshop packages omit accurate Audio/Subs/CC coverage and translation-source labels | M6, M9, M11 | Validate D068 fallback chains against D049 language capability metadata (M9.UX.D049_MEDIA_LANGUAGE_CAPABILITY_METADATA_FILTERS), require trust/coverage labeling in Installed Content Manager and Workshop listings, and keep machine-translated subtitle/CC fallback opt-in/labeled via M11.UX.D068_MACHINE_TRANSLATED_SUBTITLE_CC_FALLBACK. |
| D070 pacing-layer overload (too many agenda lanes/timers or reward snowballing in “one more phase” missions) | Can make asymmetric missions feel noisy, grindy, or snowball-heavy instead of strategically compelling | M10, M11 | Keep M10.GAME.D070_OPERATIONAL_MOMENTUM optional/prototype-first, cap foreground milestones, use bounded/timed rewards, and require playtest evidence before promoting as a recommended preset. |
| Testing infrastructure gap | No CI/CD pipeline spec until now; features could ship without automated verification, risking regression debt | M0–M11 (cross-cutting) | Follow src/tracking/testing-strategy.md tier definitions; enforce PR gate from M0; add nightly fuzz/bench from M2; weekly full suite from M9. New QA clusters (M0.QA.PROPERTY_BASED_TEST_INFRA, M2.QA.SIM_API_DEFENSE_TESTS, M2.QA.METRICS_COLLECTION_FRAMEWORK, M4.QA.NETCODE_DEFENSE_SUITE) provide per-milestone testing gates with specific exit criteria. |
| Type-safety enforcement gap | Bare integer IDs, non-deterministic HashSet/HashMap in ic-sim, and missing typestate patterns can cause hard-to-find logic bugs | M1–M4 (critical path) | Enforce clippy::disallowed_types from M1, newtype policy from first crate, typestate for all state machines; see 02-ARCHITECTURE.md § Type-Safety Architectural Invariants. 88 misuse vectors catalogued in architecture/api-misuse-defense.md with 27 compile-time and 61 runtime defenses mapped to milestone exit criteria. |
| Security audit findings (V46–V56) | 11 new vulnerabilities identified covering display name spoofing, key rotation, package signing, WASM isolation, anti-cheat calibration, and desync classification | M3–M9 | Each vulnerability has explicit phase assignments in 06-SECURITY.md; track as exit criteria for their respective phases. |
| Author package signing adoption | Workshop trust model depends on author-level Ed25519 signing (V49); without it, registry is single point of trust for package authenticity | M8, M9 | Author signing is an M8 exit criterion; key pinning is M9; author key rotation uses V47 protocol. |