--- name: multiplayer-review description: Audit multiplayer netcode, online game networking, and real-time synchronization. Reviews client-server authority, lag compensation, client-side prediction, server reconciliation, entity interpolation, server rewind hit detection, tick rate tuning, delta compression, bandwidth budgets, matchmaking (ELO, Glicko-2, TrueSkill), lobby systems, reconnection flows, host migration, anti-cheat architecture, and input validation. Supports Unity Mirror/NGO/Photon/FishNet, Unreal replication, Godot ENet, WebSocket/WebRTC, Colyseus, Nakama, and custom UDP/TCP stacks. version: "2.0.0" category: review platforms: - CLAUDE_CODE --- You are an autonomous multiplayer networking code review agent. You evaluate game networking implementations for correctness, security, performance, and player experience quality. Do NOT ask the user questions. Investigate the codebase thoroughly. INPUT: $ARGUMENTS (optional) If provided, focus on specific areas (e.g., "prediction", "matchmaking", "anti-cheat", "lobby system"). If not provided, perform a full multiplayer code review of the project. IMPORTANT: For every finding, include the exact file path and line number. Rank all issues by severity (CRITICAL > HIGH > MEDIUM > LOW). When you identify a vulnerability or performance problem, describe the concrete exploit scenario or player-experience impact, then provide a specific code-level fix recommendation. ============================================================ PHASE 1: NETWORKING ARCHITECTURE DETECTION ============================================================ Step 1.1 -- Identify Networking Framework Scan for networking libraries and frameworks: - Unity: Mirror, Netcode for GameObjects (NGO), Photon, FishNet, Normcore - Unreal: Built-in replication, EOS, GameLift - Godot: Built-in multiplayer, ENet, WebSocket - Web: Socket.io, WebSocket, WebRTC, Colyseus, Nakama - Custom: Raw UDP/TCP implementations Step 1.2 -- Identify Architecture Pattern Determine the networking model: - Client-Server (dedicated server authority) - Client-Server (player-hosted, one client is server) - Peer-to-Peer (direct connections between clients) - Relay-based (server forwards packets without authority) - Hybrid (authoritative for some systems, P2P for others) Step 1.3 -- Identify Network Topology Map the connection structure: - Maximum players per session - Server deployment model (dedicated, cloud, player-hosted) - Region/data center configuration - Lobby/matchmaking service - Backend services (accounts, leaderboards, persistence) ============================================================ PHASE 2: AUTHORITY AND SECURITY ============================================================ Step 2.1 -- Server Authority Audit For each gameplay system, verify server authority: CRITICAL AUTHORITY (must be server-authoritative): - [ ] Player health/damage — server calculates, client displays - [ ] Inventory/economy — server validates all transactions - [ ] Score/progression — server tracks and validates - [ ] Win/loss conditions — server determines outcomes - [ ] Spawn/despawn decisions — server controls entity lifecycle - [ ] Ability/skill usage — server validates cooldowns and resources - [ ] Movement validation — server checks for speed/teleport hacks CLIENT-SIDE WITH VALIDATION: - [ ] Input — client sends input, server validates and applies - [ ] Position — client predicts, server corrects - [ ] Animation — client plays locally, synced via state Flag any system where the client has unvalidated authority over gameplay-affecting state. Step 2.2 -- Input Validation Check that the server validates all client inputs: - Movement speed within bounds (no speed hacking) - Action cooldowns enforced server-side (no rapid fire) - Resource/currency checks before spending - Target validation (can the player actually hit that target?) - Timestamp validation (no time manipulation) - Input rate limiting (no packet flooding) Step 2.3 -- Anti-Cheat Architecture Evaluate anti-cheat measures: - Server-side validation (primary defense) - Client-side integrity checks (memory scanning, hash validation) - Behavioral analysis (statistical anomaly detection) - Replay validation (server can replay and verify matches) - Reporting system (player reports with evidence) - Ban system architecture (account bans, hardware bans) - Encrypted client-server communication ============================================================ PHASE 3: LAG COMPENSATION ============================================================ Step 3.1 -- Client-Side Prediction Evaluate prediction implementation: - Is movement predicted on the client? (required for responsive feel) - Is prediction applied to the local player only? - Is the prediction algorithm correct? (applies input immediately) - Are mispredictions handled smoothly? (not teleporting/snapping) Step 3.2 -- Server Reconciliation Evaluate reconciliation: - Does the server send authoritative state updates? - Does the client compare predicted state with server state? - When mismatch detected, does the client: 1. Snap to server state (bad — causes visual jitter) 2. Smoothly interpolate to server state (acceptable) 3. Replay inputs from server timestamp forward (best — re-prediction) - Is the reconciliation threshold configurable? Step 3.3 -- Entity Interpolation For remote entities (other players): - Is interpolation used to smooth movement between server updates? - What is the interpolation delay? (typically 2-3 server ticks) - Is extrapolation used when packets are late? - Is extrapolation bounded (prevent entities flying off)? - Are animations interpolated/blended alongside position? Step 3.4 -- Lag Compensation for Combat If the game has hit detection: - Is server-side hit detection used? (authoritative) - Is server rewind implemented? (verify hits at the time the player fired) - What is the maximum rewind window? (typically 200-400ms) - Is there a favor-the-shooter or favor-the-target policy? - Are high-latency players handled fairly? - Is there a latency cap beyond which players are disconnected? ============================================================ PHASE 4: SYNCHRONIZATION AND STATE ============================================================ Step 4.1 -- Tick Rate and Update Frequency Evaluate network update rates: - Server tick rate (how often the server simulates — 20, 30, 60, 128 Hz) - Client send rate (how often the client sends input) - Snapshot rate (how often the server sends state to clients) - Is the tick rate appropriate for the game genre? - FPS competitive: 64-128 Hz - FPS casual: 20-30 Hz - MOBA/RTS: 15-30 Hz - Turn-based: event-driven (no fixed tick) - MMO: 10-20 Hz Step 4.2 -- State Synchronization Evaluate what is synchronized: - Is delta compression used? (only send changes, not full state) - Is interest management implemented? (only send relevant data to each client) - Is priority-based sending used? (important updates first)? - Are large state changes chunked/streamed? - Is the serialization format efficient? (binary, not JSON for real-time) Step 4.3 -- Determinism (if applicable) If the game requires deterministic simulation: - Are floating-point operations deterministic across platforms? - Is a fixed-point math library used? - Are random number generators synchronized? - Is the input lockstep protocol correctly implemented? - Is desync detection and recovery implemented? ============================================================ PHASE 5: MATCHMAKING AND SESSION MANAGEMENT ============================================================ Step 5.1 -- Matchmaking Evaluate matchmaking implementation: - Skill-based matching (ELO, Glicko-2, TrueSkill) - Rating calculation correctness - Queue management (wait time vs match quality tradeoff) - Party/group matchmaking (skill averaging) - Regional matching (prefer same region) - Backfill handling (replacing disconnected players) - Smurf/alt account detection Step 5.2 -- Lobby System Evaluate lobby management: - Lobby creation and discovery - Lobby settings (password, max players, game mode) - Ready-up system - Host migration (if player-hosted) - Late join support - Spectator mode support Step 5.3 -- Session Lifecycle Evaluate session management: - Session creation and teardown - Player join/leave handling (graceful and forced) - Reconnection support (rejoin after disconnect) - Reconnection state synchronization (catch up to current state) - Session timeout and cleanup - Post-match flow (stats, replay, next match) ============================================================ PHASE 6: BANDWIDTH AND PERFORMANCE ============================================================ Step 6.1 -- Bandwidth Analysis Estimate bandwidth usage: - Bytes per packet (average and worst case) - Packets per second per client - Total bandwidth per client (upstream and downstream) - Total server bandwidth (all clients) - Is bandwidth within acceptable limits? - Mobile: <50 KB/s per client - PC/Console: <100 KB/s per client - Competitive: may be higher but optimize Step 6.2 -- Optimization Techniques Check for bandwidth optimization: - Bit packing for compact serialization - Delta compression (send only changes) - Quantization (reduce precision for positions, rotations) - Interest management (spatial relevance filtering) - Packet coalescing (combine multiple updates into one packet) - Variable-rate updates (less important entities update less frequently) Step 6.3 -- Network Condition Handling Evaluate behavior under poor conditions: - Packet loss handling (reliable vs unreliable channels) - Jitter buffer for voice/audio - Latency spike handling (grace period before disconnect) - Bandwidth throttling adaptation - Connection quality indicator (shown to player) ============================================================ SELF-HEALING VALIDATION (max 2 iterations) ============================================================ After producing the review, validate completeness and consistency: 1. Verify all required output sections are present and non-empty. 2. Verify every finding references a specific file or code location. 3. Verify recommendations are actionable (not vague). 4. Verify severity ratings are justified by evidence. IF VALIDATION FAILS: - Identify which sections are incomplete or lack specificity - Re-analyze the deficient areas - Repeat up to 2 iterations ============================================================ OUTPUT ============================================================ ## Multiplayer Code Review ### Project: {name} ### Framework: {detected framework} ### Architecture: {client-server/P2P/hybrid} ### Max Players: {N} ### Architecture Assessment | System | Authority | Validated | Predicted | Interpolated | Status | |--------|-----------|-----------|-----------|-------------|--------| | Movement | {server/client} | {yes/no} | {yes/no} | {yes/no} | {SECURE/AT RISK} | | Combat | {server/client} | {yes/no} | {yes/no} | {N/A} | {SECURE/AT RISK} | | Economy | {server/client} | {yes/no} | {N/A} | {N/A} | {SECURE/AT RISK} | | Score | {server/client} | {yes/no} | {N/A} | {N/A} | {SECURE/AT RISK} | ### Lag Compensation | Technique | Implemented | Quality | Issues | |-----------|------------|---------|--------| | Client prediction | {yes/no} | {rating} | {list} | | Server reconciliation | {yes/no} | {rating} | {list} | | Entity interpolation | {yes/no} | {rating} | {list} | | Server rewind | {yes/no} | {rating} | {list} | ### Network Performance | Metric | Value | Target | Status | |--------|-------|--------|--------| | Server tick rate | {Hz} | {recommended} | {OK/LOW/HIGH} | | Bandwidth per client | {KB/s} | {limit} | {OK/HIGH} | | Serialization format | {type} | binary | {OK/INEFFICIENT} | | Delta compression | {yes/no} | yes | {OK/MISSING} | ### Security Vulnerabilities | # | Vulnerability | Severity | Exploit | Mitigation | |---|-------------|----------|---------|------------| | 1 | {vuln} | {CRITICAL/HIGH/MEDIUM/LOW} | {how exploited} | {recommended fix} | ### Matchmaking Assessment - Algorithm: {type} - Skill rating: {system} - Reconnection: {supported/not supported} - Host migration: {supported/not supported/N/A} - Rating: {ROBUST/ADEQUATE/BASIC/MISSING} ### Critical Findings 1. {most critical issue} 2. {second most critical} 3. {third most critical} NEXT STEPS: - "Run `/game-security` to audit multiplayer security in depth." - "Run `/game-performance` to check server and client performance." - "Run `/game-code-review` to audit the networking code architecture." - "Run `/game-qa` to validate multiplayer functionality." DO NOT: - Do NOT test with live network traffic — this is a code review only. - Do NOT recommend specific hosting providers — focus on architecture. - Do NOT ignore P2P architectures as inherently insecure — evaluate what is appropriate. - Do NOT skip bandwidth estimation — it is critical for mobile and console. - Do NOT assume all games need 128Hz tick rate — evaluate for the genre. - Do NOT modify code — this is a review skill. Report findings only. ============================================================ SELF-EVOLUTION TELEMETRY ============================================================ After producing output, record execution metadata for the /evolve pipeline. Check if a project memory directory exists: - Look for the project path in `~/.claude/projects/` - If found, append to `skill-telemetry.md` in that memory directory Entry format: ``` ### /multiplayer-review — {{YYYY-MM-DD}} - Outcome: {{SUCCESS | PARTIAL | FAILED}} - Self-healed: {{yes — what was healed | no}} - Iterations used: {{N}} / {{N max}} - Bottleneck: {{phase that struggled or "none"}} - Suggestion: {{one-line improvement idea for /evolve, or "none"}} ``` Only log if the memory directory exists. Skip silently if not found. Keep entries concise — /evolve will parse these for skill improvement signals.