# Security Review

## Scope

Project:

```text
Warium NeoForge 1.21.1 Port
```

Reviewed version or commit:

```text
Unreleased scaffold
```

## Code Patterns Checked

- [x] No secrets committed.
- [x] Generated original assets are ignored.
- [x] Decompiled source output is ignored.
- [x] Original jar artifacts are ignored.
- [x] Private integration jars are ignored.
- [x] External network calls are documented.

## Dependency Review

Command:

```bash
./gradlew --no-daemon build
```

Result:

```text
Pending runner execution.
```

## Runtime Review

- [x] Gitea publishing uses `REGISTRY_TOKEN` secret only.
- [x] Package download is private/internal pending rights clearance.
- [x] Source Warium jar is downloaded from Modrinth and verified by SHA1.
- [x] Required private integrations are shimmed until real NeoForge 1.21.1 jars exist.

## Release Notes

Known residual risks:

```text
The current scaffold preserves registry IDs and resources but does not yet fully port the original MCreator behavior procedures, block entities, GUI logic, entities, AI, weapons, ordnance, nuclear effects, or external integration APIs.
```