feat: dedicated server security hardening

Comprehensive security system to protect against packet-sniffing attacks,
XUID harvesting, privilege escalation, bot flooding, and XUID impersonation.

- Stream cipher: per-session XOR cipher with 4-message handshake via
  CustomPayloadPacket (MC|CKey, MC|CAck, MC|COn). Negotiated per-connection,
  backwards compatible (old clients/servers fall back to plaintext).
- Security gate: buffers all game data until cipher handshake completes,
  preventing unsecured clients from receiving any XUIDs or game state.
- Cipher handshake enforcer: kicks clients that don't complete the handshake
  within 5 seconds (configurable via require-secure-client).
- Identity tokens: persistent per-XUID tokens in identity-tokens.json,
  issued over the encrypted channel, verified on reconnect. Prevents XUID
  replay attacks. Client stores server-specific tokens.
- PROXY protocol v1: parses real client IPs from playit.gg tunnel headers
  so rate limiting, IP bans, and XUID spoof detection work per-player.
- Rate limiting: per-IP sliding window (default 5 connections/30s) with
  pending connection cap (default 10).
- Privilege hardening: OP requires ops.json, live checks on every command
  and privilege packet. Host-only server settings changes.
- XUID stripping: PreLoginPacket response sends INVALID_XUID placeholders.
- Packet validation: readUtf global string cap, reduced max packet size,
  stream desync protection on oversized strings.
- OpManager: persistent ops.json with XUID-based OP list.
- Whitelist improvements: whitelist add accepts player names with ambiguity
  detection, XUID cache from login attempts.
- revoketoken command: revoke identity tokens for players who lost theirs.
- server.log: persistent log file written alongside console output with
  flush-per-write to survive crashes.
- CLI security logging: consolidated per-join security summary with cipher
  status, token status, XUID, and real IP. Security warnings for kicks,
  spoofing, and unauthorized commands.

Minecraft.Server/Security/ConnectionCipher.cpp

@@ -0,0 +1,115 @@
+#include "stdafx.h"
+#include "ConnectionCipher.h"
+
+#include <cstring>
+
+namespace ServerRuntime
+{
+	namespace Security
+	{
+		ConnectionCipherRegistry::ConnectionCipherRegistry()
+		{
+			InitializeCriticalSection(&m_lock);
+			memset(m_pending, 0, sizeof(m_pending));
+			memset(m_pendingKeys, 0, sizeof(m_pendingKeys));
+		}
+
+		ConnectionCipherRegistry::~ConnectionCipherRegistry()
+		{
+			SecureZeroMemory(m_pendingKeys, sizeof(m_pendingKeys));
+			DeleteCriticalSection(&m_lock);
+		}
+
+		bool ConnectionCipherRegistry::PrepareKey(unsigned char smallId, uint8_t outKey[StreamCipher::KEY_SIZE])
+		{
+			uint8_t key[StreamCipher::KEY_SIZE];
+			if (!StreamCipher::GenerateKey(key))
+			{
+				return false;
+			}
+
+			EnterCriticalSection(&m_lock);
+			memcpy(m_pendingKeys[smallId], key, StreamCipher::KEY_SIZE);
+			m_pending[smallId] = true;
+			LeaveCriticalSection(&m_lock);
+
+			memcpy(outKey, key, StreamCipher::KEY_SIZE);
+			SecureZeroMemory(key, sizeof(key));
+			return true;
+		}
+
+		bool ConnectionCipherRegistry::CommitCipher(unsigned char smallId)
+		{
+			EnterCriticalSection(&m_lock);
+			if (!m_pending[smallId])
+			{
+				LeaveCriticalSection(&m_lock);
+				return false;
+			}
+
+			m_ciphers[smallId].Initialize(m_pendingKeys[smallId]);
+			SecureZeroMemory(m_pendingKeys[smallId], StreamCipher::KEY_SIZE);
+			m_pending[smallId] = false;
+			LeaveCriticalSection(&m_lock);
+			return true;
+		}
+
+		void ConnectionCipherRegistry::CancelPending(unsigned char smallId)
+		{
+			EnterCriticalSection(&m_lock);
+			SecureZeroMemory(m_pendingKeys[smallId], StreamCipher::KEY_SIZE);
+			m_pending[smallId] = false;
+			LeaveCriticalSection(&m_lock);
+		}
+
+		bool ConnectionCipherRegistry::HasPendingKey(unsigned char smallId) const
+		{
+			EnterCriticalSection(&m_lock);
+			bool pending = m_pending[smallId];
+			LeaveCriticalSection(&m_lock);
+			return pending;
+		}
+
+		void ConnectionCipherRegistry::DeactivateCipher(unsigned char smallId)
+		{
+			EnterCriticalSection(&m_lock);
+			m_ciphers[smallId].Reset();
+			SecureZeroMemory(m_pendingKeys[smallId], StreamCipher::KEY_SIZE);
+			m_pending[smallId] = false;
+			LeaveCriticalSection(&m_lock);
+		}
+
+		bool ConnectionCipherRegistry::TryEncryptOutgoing(unsigned char smallId, uint8_t *data, int length)
+		{
+			EnterCriticalSection(&m_lock);
+			bool active = m_ciphers[smallId].IsActive();
+			if (active)
+			{
+				m_ciphers[smallId].Encrypt(data, length);
+			}
+			LeaveCriticalSection(&m_lock);
+			return active;
+		}
+
+		bool ConnectionCipherRegistry::IsCipherActive(unsigned char smallId) const
+		{
+			EnterCriticalSection(&m_lock);
+			bool active = m_ciphers[smallId].IsActive();
+			LeaveCriticalSection(&m_lock);
+			return active;
+		}
+
+		void ConnectionCipherRegistry::DecryptIncoming(unsigned char smallId, uint8_t *data, int length)
+		{
+			EnterCriticalSection(&m_lock);
+			m_ciphers[smallId].Decrypt(data, length);
+			LeaveCriticalSection(&m_lock);
+		}
+
+		ConnectionCipherRegistry &GetCipherRegistry()
+		{
+			static ConnectionCipherRegistry s_instance;
+			return s_instance;
+		}
+	}
+}