feat: Add Hardcore Integrity Keeper (HIK) MVP subsystem

[Copilot]

• Fix local build/test infrastructure for Part 1 (ForgeGradle/Sponge Mixin config, JUnit 5 + Mockito test support)
• Add Part 1 repo-local falsification/unit tests for current HIK logic and CovenantVerifier
• Wire CovenantVerifier HIK methods into runtime handlers and add HIK-specific ErrorLogger types
• Harden mixin infrastructure for LAN protection (build.gradle, mixin config plugin/json, safer LAN button matching, compatibility doc)
• Add Part 1 integrity/compliance plumbing that fits current MVP (HikCovenantCompliance, explicit HIK initialization updates, public test helpers)
• Run targeted validation that is possible in the sandbox (code_review, codeql_checker, verification hash regeneration)
• Record blocked validation clearly: ./gradlew test --no-daemon still cannot run here because DNS resolution to maven.minecraftforge.net / repo.spongepowered.org is unavailable in the sandbox

Original prompt

Create a pull request in aidoruao/truthsystems-mod implementing the first-phase Hardcore Integrity Keeper (HIK) feature set for Forge 1.20.1 / Java 17, based on the provided Devin spec and DeepSeek review.

Goal

Add an MVP implementation of HIK to the existing TruthSystems mod so Hardcore worlds gain runtime integrity enforcement for the main bypass vectors, while fitting the existing architecture and covenant/audit patterns already present in the repository.

Scope for this PR (MVP only)

Implement the following in aidoruao/truthsystems-mod:

1) Configuration support

Add configuration for the HIK subsystem, with defaults that keep advanced networking disabled unless explicitly enabled.
Required config keys:

• enable_hik = true
• archive_path = "saves/archived"
• spectator_grace_minutes = 10
• verification_api_port = 0 (disabled by default)
• allow_sealed_backups = true
• strict_inventory_provenance = false or similar conservative default if provenance tracking is stubbed/deferred
• compromise_on_lan_cheats = true
• read_only_on_external_cheat_flag = true

Integrate config cleanly with the existing mod initialization flow.

2) HIK core package structure

Create a new package tree under:
src/main/java/com/truthsystems/hardcore/
with MVP-ready classes aligned to the spec where feasible.

At minimum add packages/classes for:

• soulbind/DeathSealManager.java
• soulbind/DeathLogEntry.java
• soulbind/SoulbindEventHandler.java
• soulbind/IntegrityFlag.java
• integrity/WorldChecksumValidator.java
• integrity/IntegrityOverlay.java
• integrity/LevelDatWatcher.java
• backup/SessionIdManager.java
• backup/BackupDetector.java
• spectator/SpectatorLockHandler.java
• spectator/ArchiveCountdown.java
• spectator/CommandInterceptor.java
• lan/LanMenuMixin.java or the nearest viable Forge/mixin implementation for disabling/removing LAN cheats in Hardcore
• lan/CheatFlagWatcher.java
• lan/ReadOnlyWorldEnforcer.java

If some advanced classes from the larger spec are not yet practical for MVP, add clear scaffolding and TODO notes rather than overengineering.

3) Death sealing / soulbind MVP

Implement the core death-sealing behavior for Hardcore worlds:

• On Hardcore death, write a death record under the world save directory (for example in soulbind/).
• Persist an integrity marker and a locked-player record tied to the player UUID.
• On player login/rejoin, if the UUID is locked for that world, enforce spectator mode and prevent survival re-entry.
• If tampering is detected with the death log or checksum, mark the world integrity as compromised.

Implementation notes:

• Use a robust key derivation approach if encryption is used. Prefer PBKDF2WithHmacSHA256 rather than naive concatenation if deriving an AES key from world-specific material.
• If encryption becomes too heavy for MVP, prioritize tamper-evident checksums and deterministic persistence over incomplete crypto.
• The behavior must integrate with the repository’s existing audit/error patterns where possible.

4) World integrity monitoring MVP

Implement world load integrity checks focused on realistic, high-value signals:

• Detect level.dat changes relevant to Hardcore integrity where practical.
• Persist and compare checksums or hashes for key world integrity artifacts.
• Mark integrity as compromised on mismatch.
• Add a visible HUD/debug overlay that shows integrity state clearly (e.g. clean vs compromised).

Important:

• Reuse existing hashing utilities if available, such as ChunkHasher, where appropriate.
• Keep performance conservative; do not build a full provenance/Merkle inventory tracker unless the repository structure already makes that straightforward. A stub or extension point is acceptable for the inventory subsystem in this PR.

5) Backup/session continuity MVP

Implement basic session continuity and backup-detection scaffolding:

• Generate and persist a per-world session ID at world creation or first HIK initialization.
• Store creation metadata and continuity metadata in a world-local file.
• Detect obvious rollback/restore mismatch signals if practical.
• If robust detection is not fully possible in MVP, implement the data model and validation hooks so later PRs can harden this without breaking compatibility.

6) Spectator lock MVP

After Hardcore death:

• Enforce spectator mode.
• Block gameplay-altering commands like /gamemode, /give, and similar routes for locked players.
• Start a grace/countdown workflow based on config.
• Archive or mark the world for archival when countdown expires.

If true world archival is too invasive for the first PR, implement a safe archive marker / archival queue and document the follow-up work clearly.

7) Anti-LAN exploit hardening MVP

Implement the primary LAN-hardening protections:

• Remove, disable, or override the ability to enable cheats via Open to LAN for Hardcore worlds.
• Detect runtime cheat-flag activation on Hardc...

This pull request was created from Copilot chat.

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.