PATCH  ·  v1.0.4  ·  2026-05-23

WebApi locked down, item stacks fill the right slot first, realm guild-lock formalized

Three changes on the server this evening. Nothing visible in the client; one player-facing inventory tweak, one back-end security hardening, and one realm-policy fix that was already half-shipped.

Item stacks merge into the lowest slot first

When you pick up an item that stacks with several existing partial stacks in your bag, the new amount now fills the lowest-slotted partial first instead of whichever one the server happened to grab. So if you have a half-stack of Aged Coins in slot 3 and another in slot 17, slot 3 fills up before slot 17 sees anything. Small thing, but it means your bag stays organized the way you organized it.

Backported from upstream AAEmu (#1344) — one of the very few upstream fixes that applied cleanly to our 3.0 fork.

Realm is guild-locked, formally

The "you cannot create a new guild on Rookery Isles, you join one of the 12 sanctioned Houses" rule is now enforced in two places on the server, not one:

  • Every NPC that used to offer the Create Guild dialog (Expedition Managers, Guild Officers) has had that menu option stripped off. No clicks lead to the create flow anymore.
  • And if anyone somehow sends the raw packet (custom client, scripting, whatever), the server-side handler rejects it with a chat message pointing them at the House Allocate panel.

This was the intended behavior all along — the new patch closes a way to bypass it that nobody had actually used yet, but the gate's now bolted shut.

If you want a House, talk to the realm admin. The noble Houses are: The Crown, Sunflare, Emberwave, Darkcliff, Seaquill, Dawnstar, Sunpeak, Skyrider, Mudae, Sandstinger, and Greenscale. Each one owns territory, has a treasury, and pays a stipend to its members. Browse the full roster and per-house pages at /houses.

WebApi locked down with a shared secret

If you don't know what the WebApi is, this doesn't affect you. For the technically curious:

The Game server runs an HTTP control plane on port 1280 that Echo (the web stack) and the Discord bot use to push commands into a live game session — kick players, refresh Patron status, run admin commands, reload data. Until tonight, that port was open on the LAN with no authentication on any endpoint. Anyone on the same network could fire commands at it.

That's now closed: every POST to :1280 requires an X-AAEmu-Auth: <secret> header. A missing or wrong header gets a 401. GETs (status pings, character lists) stay open because nothing destructive lives there. The secret is in Z_RookeryLocal.json (server side) and config.json (Echo side); both got new entries.
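
One way to write such a gate, as an added example (not the project's WebApiSession.cs code, .NET 5 or later assumed). The class and method names are hypothetical, the secret is a constructed value, and gating every non-GET verb rather than only POST is an assumption; the check fails closed on a blank configured secret and compares in constant time.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical gate for illustration; names are not taken from the server source.
public static class WebApiAuthGate
{
    public const string HeaderName = "X-AAEmu-Auth"; // header name from the patch notes

    // Returns the status the gate answers with: 200 = pass to the handler, 401 = reject.
    public static int Check(string method, IEnumerable<KeyValuePair<string, string>> headers, string secret)
    {
        // GETs stay open, as in the patch notes. Assumption: every other verb is gated, not only POST.
        if (string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase))
            return 200;

        // Fail closed when the config entry is missing or blank; otherwise an empty header would match it.
        if (string.IsNullOrWhiteSpace(secret))
            return 401;

        // HTTP header names are case-insensitive, so match the name without regard to case.
        string presented = "";
        foreach (var h in headers)
            if (string.Equals(h.Key, HeaderName, StringComparison.OrdinalIgnoreCase))
                presented = h.Value ?? "";

        // Hash both sides so the compared buffers have equal length, then compare in constant time.
        // A missing header hashes the empty string, which cannot equal a non-blank secret.
        byte[] a = SHA256.HashData(Encoding.UTF8.GetBytes(presented));
        byte[] b = SHA256.HashData(Encoding.UTF8.GetBytes(secret));
        return CryptographicOperations.FixedTimeEquals(a, b) ? 200 : 401;
    }

    public static void Main()
    {
        const string secret = "constructed-example-secret"; // constructed value, not a real key
        var good = new Dictionary<string, string> { ["x-aaemu-auth"] = secret };
        var wrong = new Dictionary<string, string> { ["X-AAEmu-Auth"] = "guess" };
        var none = new Dictionary<string, string>();

        Console.WriteLine($"GET,  no header:      {Check("GET", none, secret)}");
        Console.WriteLine($"POST, no header:      {Check("POST", none, secret)}");
        Console.WriteLine($"POST, wrong secret:   {Check("POST", wrong, secret)}");
        Console.WriteLine($"POST, right secret:   {Check("POST", good, secret)}");
        Console.WriteLine($"POST, blank config:   {Check("POST", none, "")}");
    }
}
```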

Behind the scenes

Five server-source patches: WebApiSession.cs + AppConfiguration.cs (auth gate), ItemContainer.cs (stack ordering, upstream #1344), NpcManager.cs + ExpeditionManager.cs (realm guild-lock defense in depth). Plus the new PatronController.cs and ExpeditionController.cs WebApi routes from earlier today.

Also spent the evening trying to mechanically backport upstream AAEmu fixes onto our 3.0 fork. 1 of 36 attempts applied cleanly. NL0bP has independently reshaped most code paths in the 3.0+ branch, so cherry-picks conflict on the surrounding context even when the fix itself looks right. Going forward, upstream fixes get hand-ported only when a real symptom calls for them. Full triage notes are at C:\AAEmu Documents\UPSTREAM_FIX_BACKPORT_LOG.md.

No client patch in this build. The launcher will see the same .pak it has and skip the download.
