MirrorNetworking/Mirror
#1 Open Source Unity Networking Library
Healthy across all four use cases
Permissive license, no critical CVEs, actively maintained — safe to depend on.
Has a license, tests, and CI — clean foundation to fork and modify.
Documented and popular — useful reference codebase to read through.
No critical CVEs, sane security posture — runnable as-is.
- ✓Last commit 4w ago
- ✓8 active contributors
- ✓MIT licensed
- ✓CI configured
- ⚠Single-maintainer risk — top contributor 80% of recent commits
- ⚠No test directory detected
Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests
Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.
Onboarding doc
Onboarding: MirrorNetworking/Mirror
Generated by RepoPilot · 2026-05-09 · Source
🤖Agent protocol
If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:
- Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
- Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
- Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/MirrorNetworking/Mirror shows verifiable citations alongside every claim.
If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.
🎯Verdict
GO — Healthy across all four use cases
- Last commit 4w ago
- 8 active contributors
- MIT licensed
- CI configured
- ⚠ Single-maintainer risk — top contributor 80% of recent commits
- ⚠ No test directory detected
✅Verify before trusting
This artifact was generated by RepoPilot at a point in time. Before an
agent acts on it, the checks below confirm that the live MirrorNetworking/Mirror
repo on your machine still matches what RepoPilot saw. If any fail,
the artifact is stale — regenerate it at
repopilot.app/r/MirrorNetworking/Mirror.
What it runs against: a local clone of MirrorNetworking/Mirror — the script
inspects git remote, the LICENSE file, file paths in the working
tree, and git log. Read-only; no mutations.
| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in MirrorNetworking/Mirror | Confirms the artifact applies here, not a fork |
| 2 | License is still MIT | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | 5 critical file paths still exist | Catches refactors that moved load-bearing code |
| 5 | Last commit ≤ 56 days ago | Catches sudden abandonment since generation |
```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of MirrorNetworking/Mirror. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/MirrorNetworking/Mirror.git
#   cd Mirror
#
# Then paste this script. Every check is read-only — no mutations.
set +e
fail=0
ok()   { echo "ok: $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of MirrorNetworking/Mirror and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "MirrorNetworking/Mirror(\.git)?\b" \
  && ok "origin remote is MirrorNetworking/Mirror" \
  || miss "origin remote is not MirrorNetworking/Mirror (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(MIT)" LICENSE 2>/dev/null \
  || grep -qiE "\"license\"\s*:\s*\"MIT\"" package.json 2>/dev/null) \
  && ok "license is MIT" \
  || miss "license drift — was MIT at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Critical files exist
test -f "Assets/Mirror/Components/Mirror.Components.asmdef" \
  && ok "Assets/Mirror/Components/Mirror.Components.asmdef" \
  || miss "missing critical file: Assets/Mirror/Components/Mirror.Components.asmdef"
test -f "Assets/Mirror/Authenticators/Mirror.Authenticators.asmdef" \
  && ok "Assets/Mirror/Authenticators/Mirror.Authenticators.asmdef" \
  || miss "missing critical file: Assets/Mirror/Authenticators/Mirror.Authenticators.asmdef"
test -f "Assets/Mirror/Components/Discovery/NetworkDiscoveryBase.cs" \
  && ok "Assets/Mirror/Components/Discovery/NetworkDiscoveryBase.cs" \
  || miss "missing critical file: Assets/Mirror/Components/Discovery/NetworkDiscoveryBase.cs"
test -f "Assets/Mirror/Components/InterestManagement/SceneDistance/SceneDistanceInterestManagement.cs" \
  && ok "Assets/Mirror/Components/InterestManagement/SceneDistance/SceneDistanceInterestManagement.cs" \
  || miss "missing critical file: Assets/Mirror/Components/InterestManagement/SceneDistance/SceneDistanceInterestManagement.cs"
test -f "Assets/Mirror/Components/NetworkAnimator.cs" \
  && ok "Assets/Mirror/Components/NetworkAnimator.cs" \
  || miss "missing critical file: Assets/Mirror/Components/NetworkAnimator.cs"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 56 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~26d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/MirrorNetworking/Mirror"
  exit 1
fi
```
Each check prints ok: or FAIL:. The script exits non-zero if
anything failed, so it composes cleanly into agent loops
(./verify.sh || regenerate-and-retry).
⚡TL;DR
Mirror is the #1 free open-source networking library for Unity that replaces UNET, enabling multiplayer game development with client-server or peer-to-peer architecture. It provides high-level components like NetworkIdentity, NetworkBehaviour, and SyncVar for synchronizing game state across players, plus low-level transport abstractions (in Assets/Mirror/Transports/) supporting TCP, UDP, WebSockets, and custom protocols—battle-tested in production games like Population: ONE and 1000+ Steam titles.

Monolithic modular structure under Assets/Mirror/: Core networking logic in Assets/Mirror/Core, reusable components in Assets/Mirror/Components (Discovery, InterestManagement, GUIConsole), authenticators in Assets/Mirror/Authenticators, and pluggable transports. Each subsystem uses .asmdef files (Mirror.Authenticators.asmdef, Mirror.CompilerSymbols.asmdef) for assembly isolation. Tests live in Assets/Tests/ with CI workflows in .github/workflows/.
👥Who it's for
Unity game developers (indie to AAA studios) building multiplayer games who need a mature, free networking solution without licensing fees; framework maintainers contributing to Assets/Mirror/Core and Assets/Mirror/Components; and game studios evaluating networking stacks for MMORPGs, FPS, or social games.
🌱Maturity & risk
Highly mature and production-ready. Mirror has been actively maintained since 2014 (originally based on UNET), supports Unity 2019–2022 and 6, includes comprehensive test coverage via GitHub Actions (.github/workflows/RunUnityTests.yml), semantic versioning (.releaserc.yml), and SonarQube code quality checks. Used in major commercial titles with 10+ years of battle-testing.
Low risk for established use cases but moderate risk for bleeding-edge features. Single primary maintainer (vis2k) creates some concentration risk; the codebase is large (4.5M LOC in C#) and modular via .asmdef files, reducing breaking change surface. Check GitHub issues for your specific transport/feature before upgrading. No obvious abandoned subsystems in the file list, though some experimental features (Discovery, InterestManagement) may lag.
Active areas of work
Active development targeting Unity 6 LTS compatibility; recent commits visible in semantic versioning config (.releaserc.yml) and CI pipeline updates. Interest management and discovery features are under active iteration. Check GitHub Actions workflows (.github/workflows/main.yml, RunUnityTests.yml) for latest build status and the Trello roadmap link in README for upcoming features.
🚀Get running
Clone the repo: git clone https://github.com/MirrorNetworking/Mirror.git. Open Assets/Mirror in Unity (2019+). No npm/NuGet step needed—Mirror is a Unity asset-based project. Run tests via Assets/Tests or the Unity Test Framework. See .github/workflows/RunUnityTests.yml for the exact test command: Unity -runTests -testCategory with appropriate arguments.
Daily commands:
This is a library asset, not a runnable app. To use it: (1) Open Assets/Mirror in Unity Editor (Project window). (2) Attach NetworkManager component to a GameObject. (3) Set up NetworkIdentity on networked objects. (4) Use NetworkBehaviour with [Command] and [ClientRpc] attributes. For CI/test execution: Unity -projectPath . -runTests -batchmode -nographics -testPlatform editmode (see .github/workflows/RunUnityTests.yml).
🗺️Map of the codebase
- Assets/Mirror/Components/Mirror.Components.asmdef — Core assembly definition that defines the Mirror networking component library boundaries and dependencies; essential for understanding module organization.
- Assets/Mirror/Authenticators/Mirror.Authenticators.asmdef — Authentication assembly definition; critical for understanding identity and security verification in networked game sessions.
- Assets/Mirror/Components/Discovery/NetworkDiscoveryBase.cs — Base class for server discovery mechanism; foundational for how clients locate and connect to game servers.
- Assets/Mirror/Components/InterestManagement/SceneDistance/SceneDistanceInterestManagement.cs — Scene + distance-based visibility culling; core optimization for bandwidth reduction in large multiplayer worlds.
- Assets/Mirror/Components/NetworkAnimator.cs — Networked animation synchronization; demonstrates the primary pattern for replicating game state across clients.
- Assets/Mirror/Components/NetworkLobbyManager.cs — Lobby session management; shows how Mirror structures pre-game player coordination and scene transitions.
- Assets/Mirror/Authenticators/BasicAuthenticator.cs — Reference implementation of authentication flow; exemplifies the plugin pattern for custom security extensions.
🛠️How to make changes
Add a New Interest Management Strategy
- Create a new class inheriting from the base interest management interface (examine DistanceInterestManagement.cs for the pattern) (Assets/Mirror/Components/InterestManagement/Distance/DistanceInterestManagement.cs)
- Implement visibility calculation logic in the OnRebuild() method to determine which entities are 'interesting' to each observer (Assets/Mirror/Components/InterestManagement/Match/MatchInterestManagement.cs)
- Add a spatial partitioning data structure if needed (reference Grid3D.cs for the 3D pattern) (Assets/Mirror/Components/InterestManagement/SpatialHashing/Grid3D.cs)
- Register your strategy in a NetworkManager by assigning it to the interestManagement field in the inspector or via code
Add a New Authenticator Plugin
- Create a new class inheriting from the NetworkAuthenticator base class (examine BasicAuthenticator.cs) (Assets/Mirror/Authenticators/BasicAuthenticator.cs)
- Override OnStartClient() to send credentials and OnStartServer() to validate them (Assets/Mirror/Authenticators/DeviceAuthenticator.cs)
- Call either serverAccept.Invoke() on success or serverDeny.Invoke() to reject authentication (Assets/Mirror/Authenticators/TimeoutAuthenticator.cs)
- Attach your authenticator component to the NetworkManager and configure as needed
Implement Networked Entity State Synchronization
- Create a NetworkBehaviour subclass and define [SyncVar] fields for state that should replicate (see NetworkAnimator.cs for reference) (Assets/Mirror/Components/NetworkAnimator.cs)
- For non-standard types, implement serialization via OnSerialize() and OnDeserialize() callbacks (Assets/Mirror/Components/NetworkLobbyPlayer.cs)
- For smooth movement, use NetworkTransform patterns or implement interpolation between received snapshots
- Test with interest management disabled first, then enable to verify visibility culling respects your entity
Add Server Discovery to Your Game
- Attach NetworkDiscoveryBase subclass to your network manager (use NetworkDiscovery.cs for UDP LAN or implement custom for WAN) (Assets/Mirror/Components/Discovery/NetworkDiscoveryBase.cs)
- Configure ServerRequest and ServerResponse structures with your game metadata (port, player count, version) (Assets/Mirror/Components/Discovery/ServerRequest.cs)
- Call discovery.StartClient() on client to broadcast discovery requests and listen for ServerResponse events (Assets/Mirror/Components/Discovery/ServerResponse.cs)
- Optionally add NetworkDiscoveryHUD.cs for debug UI to visualize discovered servers in-game
🔧Why these technologies
- Unity.Networking (Custom) — Mirror implements its own RPC and state synchronization layer on top of
🪤Traps & gotchas
No hidden env vars required. Traps: (1) SyncVar codegen is implicit; if a field doesn't sync, check it's public and in a NetworkBehaviour subclass. (2) Authority model is strict—only authority can call [Command]; ownership doesn't auto-grant authority. (3) Transports must be added via Inspector on NetworkManager; wrong transport assigned = silent connection failures. (4) Scene loading is custom; don't mix with standard Unity scene loading in multiplayer contexts. (5) .asmdef isolation can cause assembly-not-found errors if you remove meta files—regenerate them via Assets > Create > Assembly Definition.
🏗️Architecture
💡Concepts to learn
- Authority Model — Mirror's permission system determines who can call [Command] and modify [SyncVar]—fundamental to preventing cheating and desync in multiplayer
- Remote Procedure Call (RPC) — [Command] and [ClientRpc] are Mirror's primary IPC mechanism for sending game events; understanding call direction and execution context prevents logic bugs
- SyncVar and Automatic Serialization — Mirror's codegen-based state sync; fields decorated with [SyncVar] auto-replicate without manual serialization, reducing bandwidth and sync bugs
- Transport Abstraction Layer — Mirror abstracts underlying transport (TCP, UDP, WebSocket); swapping transports in NetworkManager changes network behavior without code changes—critical for cross-platform deployment
- Interest Management / Culling — Assets/Mirror/Components/InterestManagement/ reduces bandwidth in large worlds by only syncing nearby objects—essential for MMORPG scalability
- Client-Server vs Peer Architecture — Mirror supports both; server is the authority in client-server (trusted), while peer requires careful permission checks—affects cheating surface and latency
- Netcode Codegen and IL Post-Processing — Mirror uses compile-time codegen to weave [Command]/[ClientRpc]/[SyncVar] calls into IL; understanding this avoids hitting codegen edge cases with custom serializers
🔗Related repos
- vis2k/Mirror — The original/canonical Mirror repository—this reference points to it
- PlayFab/PlayFab-Samples — Examples of integrating PlayFab backend services (authentication, data) with Mirror for production MMO infrastructure
- Unity-Technologies/NetCode — Official Unity networking solution (newer alternative); comparison point for teams choosing between Mirror and NetCode
- insthync/LiteNetLib — Popular standalone C# networking library often used as a transport backend in Mirror projects
- DarkRiftNetworking/DarkRift2 — Alternative open-source C# networking framework; comparison for understanding Mirror's design trade-offs
🪄PR ideas
To work on one of these in Claude Code or Cursor, paste:
Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.
Add comprehensive unit tests for Authenticators module
The Authenticators directory (Assets/Mirror/Authenticators/) contains 4 authenticator implementations (BasicAuthenticator, DeviceAuthenticator, TimeoutAuthenticator, UniqueNameAuthenticator) but there's no visible test coverage in the file structure. Given Mirror's focus on networking reliability, these security/auth components need robust test coverage to prevent regressions.
- [ ] Create Assets/Mirror/Authenticators/Tests/ directory with Mirror.Authenticators.Tests.asmdef
- [ ] Add unit tests for BasicAuthenticator.cs covering password validation and edge cases
- [ ] Add unit tests for TimeoutAuthenticator.cs covering timeout logic and concurrent connections
- [ ] Add unit tests for DeviceAuthenticator.cs and UniqueNameAuthenticator.cs
- [ ] Ensure tests integrate with the existing test runner workflow (.github/workflows/RunUnityTests.yml)
Add integration tests for InterestManagement implementations
The InterestManagement module has 4 different implementations (Distance, Match, Scene, SceneDistance) that determine which players see each other in the network. These are critical to performance and gameplay correctness but lack visible test coverage. Missing tests means bugs in visibility logic could ship to production games.
- [ ] Create Assets/Mirror/Components/InterestManagement/Tests/ directory with appropriate asmdef
- [ ] Add tests for DistanceInterestManagement.cs validating distance threshold calculations
- [ ] Add tests for SceneInterestManagement.cs verifying scene-based visibility
- [ ] Add tests for MatchInterestManagement.cs with NetworkMatch.cs integration
- [ ] Add tests for SceneDistanceInterestManagement.cs combining both approaches
- [ ] Test edge cases: player at exact boundary distance, scene transitions, rapid match changes
Add missing documentation for NetworkDiscovery component lifecycle
The NetworkDiscovery module (Assets/Mirror/Components/Discovery/) has ServerRequest.cs, ServerResponse.cs, and NetworkDiscoveryBase.cs but the docs likely lack specific guidance on the discovery flow. New contributors struggle with: when discovery runs, how to customize it, timeout behavior, and interaction with NetworkMatch. This would reduce support questions.
- [ ] Create Assets/Mirror/Components/Discovery/README.md documenting the discovery lifecycle
- [ ] Document ServerRequest.cs and ServerResponse.cs message formats with examples
- [ ] Add example code showing how to integrate NetworkDiscovery with custom server lists
- [ ] Document NetworkDiscoveryHUD.cs usage and customization points
- [ ] Document the interaction between NetworkDiscovery and the authenticators (BasicAuthenticator.cs)
- [ ] Add troubleshooting section for common discovery issues (firewall, broadcast not working)
🌿Good first issues
- Add missing unit tests for Assets/Mirror/Components/Discovery/ServerRequest.cs and ServerResponse.cs serialization—currently no test coverage visible in Assets/Tests/ for these critical message types.
- Expand Assets/Mirror/Authenticators/ docs: create code examples for DeviceAuthenticator and TimeoutAuthenticator in a new Assets/Mirror/Examples/Authenticators/ folder showing how to implement login workflows.
- Add a validation warning system to NetworkManager Inspector: detect common misconfigurations (missing Transport, dangling NetworkIdentity references, conflicting sync intervals) and surface them as yellow warnings before play mode.
⭐Top contributors
- @MrGadget1024 — 80 commits
- @miwarnec — 9 commits
- @Copilot — 6 commits
- @Nietod — 1 commit
- @Anduil — 1 commit
📝Recent commits
- 93e37ab — chore(CI): RunUnityTests - updated unityVersion (MrGadget1024)
- 28ee96d — fix(InterestManagement): SetHostVisibility now effects all Canvas renderers (MrGadget1024)
- df9a4b4 — feat: Added Vector X Byte structs and Organized (MrGadget1024)
- 1aa5a33 — fix: Don't flood WebGL with errors for unreliable EntityStateMessages (MrGadget1024)
- 6582994 — perf: Streamline DestroyOwnedObjects (#4017) (MrGadget1024)
- d569f5e — fix(SimpleWebTransport): Guard Queue.TryDequeue behind UNITY_2022_3_OR_NEWER (#4105) (Copilot)
- 162c052 — fix: Use GetStableHashCode16 instead of truncation (#4102) (MrGadget1024)
- df4fed3 — fix(SimpleWebTransport): Use Map instead of Array (#4103) (MrGadget1024)
- 14b98d6 — fix(Portal): Older Unity doesn't like is not (MrGadget1024)
- afdb0f4 — chore(CI): RunUnityTests - updated unityVersions (MrGadget1024)
🔒Security observations
Mirror is an open-source networking library with moderate security maturity. Primary concerns include: (1) Network packet validation and injection risks in core networking components, (2) Authentication mechanisms that may lack sufficient cryptographic strength, (3) Missing explicit TLS/encryption enforcement documentation, and (4) Potential information disclosure through GitHub Actions workflows. The codebase follows good organizational structure with modular components, but requires additional security hardening around input validation, authentication, and encrypted communications. No evidence of hardcoded secrets was found in the file structure. Security score reflects medium-risk posture typical for a networking library requiring careful integration and configuration by users.
- Medium · Potential Information Disclosure via GitHub Workflows — .github/workflows/. GitHub Actions workflow files (.github/workflows/*.yml) may inadvertently expose sensitive information such as API keys, tokens, or credentials in logs, especially in SonarQube.yml and main.yml which typically contain deployment/analysis steps. Fix: Audit workflow files for hardcoded secrets. Use GitHub Secrets for all sensitive data. Ensure logs are not publicly accessible. Add 'GITHUB_TOKEN' scope restrictions and use encrypted secrets only.
- Medium · Lack of Input Validation in Network Components — Assets/Mirror/Components/Discovery/, Assets/Mirror/Authenticators/. Mirror is a networking library with components like NetworkDiscovery, Authenticators, and network message handlers. Without explicit visibility into validation logic, there is risk of network packet injection or malformed message handling leading to DoS or RCE. Fix: Implement strict input validation for all network messages. Sanitize and validate packet structure before processing. Use type-safe deserialization and implement bounds checking on all network data.
- Medium · Missing HTTPS/TLS Configuration Visibility — Assets/Mirror/Components/ (Core networking components). The repository structure shows no explicit evidence of mandatory TLS/encryption enforcement for network communications. Networking libraries handling game state synchronization should enforce encrypted communications. Fix: Ensure all network communication uses TLS 1.2+. Implement certificate pinning for critical operations. Document and enforce encryption requirements in transport layer.
- Medium · Authentication Component Security Concerns — Assets/Mirror/Authenticators/BasicAuthenticator.cs. BasicAuthenticator.cs suggests plaintext or weak authentication mechanisms. Basic authentication without TLS is vulnerable to credential interception. Fix: Migrate from BasicAuthenticator to stronger authentication methods. Enforce TLS for all authentication flows. Implement rate limiting and account lockout mechanisms. Never use Basic Auth over unencrypted connections.
- Low · DeviceAuthenticator Implementation Review Needed — Assets/Mirror/Authenticators/DeviceAuthenticator.cs. Device-based authentication may have weaknesses depending on implementation. Device identifiers alone are not cryptographically secure. Fix: Review implementation for secure device identification. Use hardware-backed identifiers where possible. Combine with additional authentication factors. Implement device binding securely.
- Low · Potential Race Conditions in NetworkDiscovery — Assets/Mirror/Components/Discovery/NetworkDiscovery.cs. Server discovery broadcasts may be vulnerable to spoofing or TOCTOU (Time-of-Check-Time-of-Use) attacks if not properly synchronized. Fix: Implement cryptographic signing of discovery messages. Use nonces to prevent replay attacks. Validate server responses before connection establishment.
- Low · Missing Dependency Manifest — Repository root / Dependencies/. No package.json, requirements.txt, or other explicit dependency file provided in the analysis. This makes it difficult to assess supply chain security risks. Fix: Maintain an up-to-date dependency manifest. Regularly audit dependencies with tools like OWASP Dependency-Check or Snyk. Pin dependency versions and review changelogs for security fixes.
LLM-derived; treat as a starting point, not a security audit.
👉Where to read next
- Open issues — current backlog
- Recent PRs — what's actively shipping
- Source on GitHub
Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.