Role-Play

• low · Unencrypted rp_as cookie read via $_COOKIE — Extension.php registerPostCapture() reads $_COOKIE['rp_as'] directly to attribute a post to a character. It is validated to belong to the post's user_id and to an approved character, so impact is limited to choosing which of one's own characters to post as. Reasonable but bypasses framework cookie handling.
• low · Character fields stored before approval but server-filtered — filterSheetValues/sheetSchema coerce and length-limit values; all rendered output uses htmlspecialchars. No injection observed, noted as defense-in-depth area.
• low · directoryPage JS block is cut off — src/Extension.php directoryPage() heredoc JS ends abruptly ('if '). Likely a paste truncation rather than a real issue, but the full client script could not be fully audited.
• low · Public broadcast channel for encounters — EncounterTouched broadcasts on a public channel rp.encounter.{topicId}. Comment notes it mirrors data already returned by the API; no sensitive data exposed beyond topic-visible combat state.

Automated review of v1.1.0 by claude-opus-4-8 1 day ago. This is an automated signal to aid your judgment — not a guarantee.