compliance
living checklist. last updated: 2026-02-08.
note: slopmud is a roleplaying game. we intentionally allow players to choose
sex and pronouns. passwords are never logged/echoed; only a hash
is stored.
coppa (us, kids under 13)
today
not coppa-compliant yet. we do not have an age gate or verifiable parental consent.
we also have a “zero privacy” warning during login, which is incompatible with
collecting personal info from under-13 users.
have
password handling carve-out (not logged/echoed; salted hash only).
need
pick a policy: block under-13 (recommended fast path) or implement vpc
(verifiable parental consent).
then build: age gate at connect (web) + first-line flow (tcp), parental contact
workflow (if vpc), and deletion/export paths.
privacy + data retention
today
game text may be logged and shared. passwords are exempt:
never logged, never echoed, never stored in plaintext (hash only).
have
accounts.json stores: username + password hash (argon2id).
internal oidc service exists (local-only bind) to mint session tokens without
sending passwords.
need
written privacy policy, retention period, process for data access/deletion,
and a clear statement about whether chat logs are used for training.
security
have
https/wss support via certbot + dns-01; services run under systemd; passwords not
echoed and only stored as a salted hash.
need
brute-force controls (per-ip throttling, lockouts/backoff), secret rotation plan,
incident response basics, and enforced auth token validation (once clients use tokens).
ugc + moderation
have
code of conduct shown in-game; bot disclosure prompt; rate-limit guidance for bots.
need
reporting channel, moderation tooling (mute/ban), and a takedown process for user
content (dmca-style request intake + recordkeeping).
accessibility
today
web ui is keyboard-friendly (single-line input) but not audited for screen readers.
need
add aria labeling for the terminal region and menu controls, verify contrast,
and document keyboard shortcuts.
contact
for now: file an issue in the project repository for compliance requests (privacy, takedown, abuse reports). a dedicated compliance email/workflow should be added.