termfront 0.1.3 → 0.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64c01550bc002aa40824296474323c7dc6126447fe52bd8acb8cf150514a68af
-  data.tar.gz: 07c871ac0a859394d94d98189700195a8a98469c0f319d8748482ff79f617883
+  metadata.gz: 68852aaca6be7127d8b644aae4670a56e72d5528b249dc081d72ba0d22c5f74a
+  data.tar.gz: 440209c869681acd0f9d77d65fb367e6d055c2ffe3a5a57821dd530912199ecd
 SHA512:
-  metadata.gz: 665f32c4d60b34330ba53c5beafed57826c5b1402a9855c613cd40941dbb4ea8bd29dd93eeb564b90513809d7f26e7f649624d1fe749054ead899884865f74c3
-  data.tar.gz: 5d5f99b125210dbf8980cea284f112279178d228499f1caad9880deb99869cced727bfd180d5b1b8db645c10aa6627c7ba79e218b6093fd8e74b37f2bf5bf102
+  metadata.gz: 6efb979956fa649ee558ad0190547fd70c62fda5ef8b8ca4dc06f513c15c87c02c74151756486615a0cc21301e6b45d6f62e01e58230ae28b574ceb3570053ae
+  data.tar.gz: 12dfe9fde65aa1517facf4e7e21a37b6db9550e5cc99663801efb33db74f1a1b88af2503c6c6c54be70d60374328009f85334422413737514845602091f70893

data/CHANGELOG.md

@@ -6,6 +6,65 @@ The format is based on Keep a Changelog, and this project follows Semantic Versi
 
 ## [Unreleased]
 
+## [0.1.5] - 2026-05-25
+
+### Changed
+
+- Radar distance culling now compares squared distances against `Config::RADAR_RANGE_SQ` instead of taking a square root per entity per frame
+- Renderer reuses the per-column raycast buffers and the virtual pixel grid across frames instead of allocating fresh arrays each tick, only re-allocating when the terminal is resized
+- Build the radar background grid, horizontal rule, and ANSI-styled radar glyphs once and reuse them across frames
+- Look up 256-color SGR escape sequences from a precomputed table and memoize truecolor SGR sequences to avoid rebuilding the same ANSI strings every cell
+- Reuse renderer sprite collection arrays and the radar line buffer across frames, and sort sprites with a comparator block instead of `sort_by`
+- Cache the terminal `winsize` inside the renderer and invalidate the cache from a `SIGWINCH` handler instead of issuing an ioctl every frame
+- PvP hit raycast now culls candidates beyond `MAX_PVP_RANGE` and skips the line-of-sight check when the candidate is already farther than the current best
+- Multiplayer server `broadcast` now serializes each outgoing message once and writes the same JSON line to every recipient
+- PvP server now aggregates outgoing player state on a 30 Hz server tick instead of relaying each incoming state message immediately, reducing TLS write bursts on small VMs
+- PvP match loop `IO.select` timeout shortened from 500 ms to ~16 ms so the new 30 Hz broadcast tick is not delayed by idle reads
+- PvP client opponent interpolation now converges within ~40 ms (lerp factor raised from 15 to 25) so remote players track the new 30 Hz broadcast tick within a single frame
+- Run the title demo, campaign missions, Wavesfight, and PvP at 60 FPS
+
+### Removed
+
+- Stopped emitting DEC 2026 synchronized update escape sequences around each frame and removed the `TERMFRONT_SYNC_UPDATES` environment switch; non-supporting terminals (some SSH paths, older xterm) were paying parsing cost for shapes they ignore, while supporting terminals show no visible regression
+
+### Fixed
+
+- Wavesfight wave advance now fully restores each surviving and revived player's shield to `Config::SHIELD_MAX`; previously only a +35 partial recovery was applied, which left revived players at 35%
+
+## [0.1.34] - 2026-05-25
+
+### Fixed
+
+- Fixed PvP `route_hit` so the server always sends the fixed `Config::PVP_HIT_DMG` damage value, ignoring the attacker-supplied `d` field
+- Require `TERMFRONT_TLS_CERT_FILE` and `TERMFRONT_TLS_KEY_FILE` to be set and point to existing PEM files; removed the self-signed certificate generation fallback
+- Enforce TLS 1.2 as the minimum protocol version on both the multiplayer server and client
+- Stop logging client peer IP addresses on the multiplayer server
+- Connect multiplayer clients to the official server address only; remove the free-form server address input
+- Restrict audio manifest entries to paths under `data/audio/`
+- Reject Wavesfight co-op queue requests with unknown mission ids
+- Guard match worker threads against uncaught exceptions and ensure player sockets are closed
+- Cap each matchmaking queue at 64 waiting players and reject excess connections
+- Move per-connection handshake off the accept loop and drop silent clients after a short timeout
+- Cap server and client receive buffers and disconnect peers that flood bytes without a newline
+- End multiplayer matches after a maximum duration or when all players have been idle
+- Restrict the weapon field on multiplayer state messages to the legal loadout (`pistol`, `ar`)
+- Validate enemy / weapon / projectile type symbols received from the server against a fixed whitelist on the client side before converting to symbols
+- Validate position, ammo, and fire-flash fields on Wavesfight co-op state messages; reject the update when position is non-finite or outside the map
+- Validate PvP state fields (position, shield, health, ammo, fire-flash) before relaying to opponents; drop the relay when position is non-finite or outside the map
+- Reject multiplayer state messages whose position delta exceeds the maximum physical step from the previous server-known position
+- Rate-limit incoming multiplayer messages per type per player; sustained overflow ends the match for the offending client
+- Track PvP shield and health on the server; the server applies hit damage, regenerates shields between hits, and uses authoritative values when relaying state to opponents
+- Determine PvP hit targets server-side via raycast from the attacker's known position and facing; enforce weapon cooldown, firing cone, line-of-sight, and team checks instead of trusting the attacker-supplied target id
+- Wavesfight co-op shield no longer stays depleted: the server now regenerates shield and health after `Config::SHIELD_DELAY`, and the client plays the shield regeneration loop SE while regen is active
+- Wavesfight co-op now restores shield, health, and revives downed players between waves to match singleplayer behavior
+- Final Push: relocated the rightmost crawler off the dividing wall so it can be killed and the mission can complete
+
+### Added
+
+- Honor `TERMFRONT_TLS_CA_FILE` on multiplayer clients to trust an additional CA certificate
+- Optional shared-token authentication via `TERMFRONT_PVP_TOKEN`; when set on the server, queue requests must carry a matching token (sent automatically when the client has the same env var)
+- Wavesfight co-op now generates weapon drops when enemies are killed; the `E` key picks up the nearest drop within `Config::PICKUP_RADIUS`, swapping the current weapon (which is dropped at the player's position) and tracking obtained weapons per-player so cheaters cannot claim weapons they have not picked up
+
 ## [0.1.3] - 2026-05-24
 
 ### Fixed

data/README.md

@@ -54,7 +54,7 @@ Start a PvP server:
 termfront-server
 ```
 
-Use custom TLS certificate paths:
+TLS certificate / key paths are **required** for the server to start. Use a fullchain certificate (e.g. issued by Let's Encrypt):
 
 ```bash
 TERMFRONT_TLS_CERT_FILE=/path/to/fullchain.pem \
@@ -72,6 +72,19 @@ Default PvP port is `7777`.
 
 The default multiplayer client address is `termfront.gamelinks007.net:443`.
 
+Set `TERMFRONT_TLS_CA_FILE` to trust an additional CA certificate when running the client against a server whose certificate chain is not in the system trust store:
+
+```bash
+TERMFRONT_TLS_CA_FILE=/path/to/ca.pem termfront
+```
+
+Set `TERMFRONT_PVP_TOKEN` on the server to require clients to present the same token before they can queue. Useful for limiting participation to a known group:
+
+```bash
+TERMFRONT_PVP_TOKEN=event_token termfront-server  # server side
+TERMFRONT_PVP_TOKEN=event_token termfront         # each authorized client
+```
+
 ## Controls
 
 - `W` `A` `S` `D`: move

data/data/events/final_push.json

@@ -19,17 +19,6 @@
       "id": "final_push_outro",
       "trigger": { "type": "mission_complete" },
       "actions": [
-        {
-          "type": "demo",
-          "duration": 3.0,
-          "caption": "ARCHIVE VAULT / SIGNAL STILL PRESENT",
-          "path": [
-            { "x": 20.5, "y": 9.5, "angle": 3.14, "t": 0.0 },
-            { "x": 16.5, "y": 9.5, "angle": 3.05, "t": 1.0 },
-            { "x": 11.5, "y": 9.5, "angle": 2.95, "t": 2.0 },
-            { "x": 7.5, "y": 8.5, "angle": 2.75, "t": 3.0 }
-          ]
-        },
         { "type": "title_card", "text": "FORTRESS CLEARED\nSIGNAL SOURCE UNRESOLVED" },
         { "type": "dialogue", "speaker": "OPS", "text": "Fortress cleared. The signal is still active somewhere below you." },
         { "type": "dialogue", "speaker": "OPS", "text": "This facility did not fail containment. Someone revoked it." },

data/lib/termfront/audio_manager.rb

@@ -170,10 +170,14 @@ module Termfront
 
     def asset_path(kind, name)
       relative = @manifest.fetch(kind.to_s, {})[name.to_s]
-      return unless relative
+      return unless relative.is_a?(String) && !relative.empty?
 
+      root = File.expand_path("../../data/audio", __dir__)
       path = File.expand_path("../../#{relative}", __dir__)
-      File.file?(path) ? path : nil
+      return unless path.start_with?(root + File::SEPARATOR)
+      return unless File.file?(path)
+
+      path
     end
 
     def spawn_player(player, path, loop_playback:, detach: false)

data/lib/termfront/config.rb

@@ -2,7 +2,7 @@
 
 module Termfront
   module Config
-    FRAME_DT      = 1.0 / 30.0
+    FRAME_DT      = 1.0 / 60.0
     FOV           = 66.0 * Math::PI / 180.0
     PLAYER_RADIUS = 0.2
     KEY_TIMEOUT   = 5
@@ -29,6 +29,7 @@ module Termfront
 
     RADAR_RADIUS = 3
     RADAR_RANGE  = 12.0
+    RADAR_RANGE_SQ = RADAR_RANGE * RADAR_RANGE
 
     PVP_PORT    = 7777
     PVP_DEFAULT_ADDRESS = "termfront.gamelinks007.net:443"

data/lib/termfront/game.rb

@@ -10,6 +10,7 @@ module Termfront
       @scene_player = ScenePlayer.new(@stdout, audio: @audio)
       @demo_player = DemoPlayer.new(@stdout, @renderer)
       @difficulty = nil
+      Signal.trap("WINCH") { @renderer.invalidate_size_cache! }
     end
 
     def start
@@ -413,7 +414,7 @@ module Termfront
     end
 
     def replenish_wavesfight_loadout
-      @player.shield = [@player.shield + 35.0, Config::SHIELD_MAX].min
+      @player.shield = Config::SHIELD_MAX
       @player.health = [@player.health + 20.0, Config::HEALTH_MAX].min
       @player.last_damage = -Config::SHIELD_DELAY
       @player.dead = false

data/lib/termfront/mission/final_push.rb

@@ -33,7 +33,7 @@ module Termfront
           [10.5, 9.5, 10.5, 8.5, :crawler],
           [18.5, 2.5, 18.5, 5.5, :executor],
           [22.5, 8.5, 22.5, 10.5, :executor],
-          [16.5, 9.5, 16.5, 8.5, :crawler]
+          [15.5, 9.5, 15.5, 8.5, :crawler]
         ]
       end
     end

data/lib/termfront/network/client.rb

@@ -4,6 +4,7 @@ module Termfront
   module Network
     class Client
       TEAM_SIZES = [1, 2, 4].freeze
+      ALLOWED_WEAPONS = %w[pistol ar].freeze
 
       def initialize(stdout)
         @stdout = stdout
@@ -14,16 +15,16 @@ module Termfront
       end
 
       def run
-        addr = prompt_address
-        return unless addr
-
         team_size = prompt_team_size
         return unless team_size
 
-        host, port = addr.include?(":") ? addr.split(":", 2).then { |h, p| [h, p.to_i] } : [addr, Config::PVP_PORT]
+        host, port = Config::PVP_DEFAULT_ADDRESS.split(":", 2).then { |h, p| [h, p.to_i] }
+        queue_msg = { t: "queue", team_size: team_size }
+        token = ENV["TERMFRONT_PVP_TOKEN"]
+        queue_msg[:token] = token if token && !token.empty?
         begin
-          @conn.connect(host, port)
-          @conn.send_msg({ t: "queue", team_size: team_size })
+          @conn.connect(host, port, ca_file: ENV["TERMFRONT_TLS_CA_FILE"])
+          @conn.send_msg(queue_msg)
         rescue StandardError => e
           show_error("Connection failed: #{e.message}")
           return
@@ -45,52 +46,6 @@ module Termfront
 
       private
 
-      def prompt_address
-        input = Config::PVP_DEFAULT_ADDRESS
-
-        STDIN.raw do |stdin|
-          loop do
-            rows, cols = @stdout.winsize
-            buf = TerminalOutput.begin_frame(home: true, clear: true)
-            lines = Array.new(rows) { " " * cols }
-
-            title = "PvP - Enter Server Address"
-            tc = [(cols - title.size) / 2 + 1, 1].max
-            lines[rows / 2 - 3] = TerminalOutput.fit_ansi("#{" " * (tc - 1)}\e[1;96m#{title}\e[0m", cols)
-
-            prompt = "> #{input}_"
-            pc = [(cols - prompt.size) / 2 + 1, 1].max
-            lines[rows / 2 - 1] = TerminalOutput.fit_ansi("#{" " * (pc - 1)}\e[97m> #{input}\e[5m_\e[0m", cols)
-
-            hint = "(Enter to continue, ESC to cancel)"
-            hc = [(cols - hint.size) / 2 + 1, 1].max
-            lines[rows / 2 + 1] = TerminalOutput.fit_ansi("#{" " * (hc - 1)}\e[90m#{hint}\e[0m", cols)
-
-            lines.each_with_index do |line, index|
-              buf << line
-              buf << "\r\n" if index < rows - 1
-            end
-            buf << TerminalOutput.end_frame
-            TerminalOutput.write_all(@stdout, buf)
-
-            next unless IO.select([stdin], nil, nil, Config::FRAME_DT)
-
-            begin
-              data = stdin.read_nonblock(64)
-              data.each_byte do |b|
-                case b
-                when 27 then return nil
-                when 13, 10 then return input.empty? ? Config::PVP_DEFAULT_ADDRESS : input
-                when 127, 8 then input = input[0...-1] unless input.empty?
-                when 32..126 then input << b.chr
-                end
-              end
-            rescue IO::WaitReadable
-            end
-          end
-        end
-      end
-
       def prompt_team_size
         selected = 0
 
@@ -310,7 +265,15 @@ module Termfront
           when "state"
             update_remote_state(msg)
           when "hit"
-            @player.apply_damage(msg[:d] || Config::PVP_HIT_DMG)
+            if msg.key?(:s) && msg.key?(:h)
+              @player.shield = msg[:s]
+              @player.health = msg[:h]
+              @player.last_damage = @player.game_time
+              @player.damage_flash = 3
+              @player.dead = msg[:h] <= 0
+            else
+              @player.apply_damage(msg[:d] || Config::PVP_HIT_DMG)
+            end
             @audio.play_se(:damage)
             notify_death_if_needed
           when "dead"
@@ -334,7 +297,8 @@ module Termfront
         remote[:current].angle = msg[:a]
         remote[:current].shield = msg[:s]
         remote[:current].health = msg[:h]
-        remote[:current].weapon = msg[:w]&.to_sym
+        weapon = safe_weapon(msg[:w])
+        remote[:current].weapon = weapon if weapon
         remote[:current].ammo = msg[:am]
         spawn_remote_projectile_effect(msg) if (remote[:current].fire_flash || 0) <= 0 && (msg[:ff] || 0) > 0
         remote[:current].fire_flash = msg[:ff] || 0
@@ -428,7 +392,7 @@ module Termfront
 
       def interpolate_opponents(dt)
         @remotes.each_value do |remote|
-          remote[:lerp_t] = [remote[:lerp_t] + dt * 15.0, 1.0].min
+          remote[:lerp_t] = [remote[:lerp_t] + dt * 25.0, 1.0].min
           t = remote[:lerp_t]
           remote[:render].x = remote[:prev].x + (remote[:current].x - remote[:prev].x) * t
           remote[:render].y = remote[:prev].y + (remote[:current].y - remote[:prev].y) * t
@@ -945,6 +909,15 @@ module Termfront
         remain = Config::FRAME_DT - spent
         sleep(remain) if remain > 0
       end
+
+      def safe_weapon(value)
+        return nil unless value.is_a?(String) || value.is_a?(Symbol)
+
+        name = value.to_s
+        return nil unless ALLOWED_WEAPONS.include?(name)
+
+        name.to_sym
+      end
     end
   end
 end

data/lib/termfront/network/connection.rb

@@ -8,6 +8,8 @@ require "time"
 module Termfront
   module Network
     class Connection
+      MAX_MSG_BYTES = 64 * 1024
+
       PeerInfo = Struct.new(
         :certificate_sha256,
         :public_key_sha256,
@@ -64,6 +66,11 @@ module Termfront
             data = @sock.read_nonblock(4096)
             @buf << data
 
+            if @buf.bytesize > MAX_MSG_BYTES
+              close
+              break
+            end
+
             while (nl = @buf.index("\n"))
               line = @buf.slice!(0, nl + 1)
               begin
@@ -120,6 +127,7 @@ module Termfront
         ctx = OpenSSL::SSL::SSLContext.new
         ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
         ctx.verify_hostname = true if ctx.respond_to?(:verify_hostname=)
+        ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
         ctx.cert_store = build_cert_store(ca_file: ca_file)
         ctx
       end