ci: fix Forgejo Actions compatibility

- Remove upload-artifact/download-artifact (not supported on Forgejo)
- Each build job uploads directly to release via API
- Add `rpm` package to Linux build dependencies
- Remove separate release job, replaced by create-release + per-job upload
- Remove arch build job entirely

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.github/workflows/release.yml

@@ -7,172 +7,110 @@ on:
   workflow_dispatch:
 
 jobs:
-  build-windows:
-    runs-on: windows-latest
+  create-release:
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+      - name: Create Draft Release
+        run: |
+          curl -s -X POST "https://git.sanhost.net/api/v1/repos/${GITHUB_REPOSITORY}/releases" \
+            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+            -H "Content-Type: application/json" \
+            -d "{\"tag_name\":\"${{ github.ref_name }}\",\"name\":\"${{ github.ref_name }}\",\"body\":\"Release ${{ github.ref_name }}\",\"draft\":true,\"prerelease\":false}" \
+            -o release.json
+          cat release.json
+          echo "RELEASE_ID=$(cat release.json | python3 -c 'import sys,json; print(json.load(sys.stdin)["id"])')" >> $GITHUB_ENV
+
+  build-windows:
+    needs: [create-release]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Wine for cross-compilation
+        run: |
+          sudo dpkg --add-architecture i386
+          sudo mkdir -pm755 /etc/apt/keyrings
+          sudo wget -O /etc/apt/keyrings/winehq-archive.key https://dl.winehq.org/wine-builds/winehq.key
+          sudo wget -NP /etc/apt/sources.list.d/ https://dl.winehq.org/wine-builds/ubuntu/dists/$(lsb_release -cs)/winehq-$(lsb_release -cs).sources
+          sudo apt-get update
+          sudo apt-get install -y --install-recommends winehq-stable
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
-          cache: 'npm'
       - run: npm ci
 
       - name: Build Windows Packages
         run: npx electron-builder --win --publish never
-      - uses: actions/upload-artifact@v4
-        with:
-          name: windows-builds
-          path: |
-            dist/*.exe
-            dist/*.exe.blockmap
-            dist/latest.yml
+
+      - name: Upload to Release
+        run: |
+          RELEASE_ID=$(curl -s "https://git.sanhost.net/api/v1/repos/${GITHUB_REPOSITORY}/releases/tags/${{ github.ref_name }}" \
+            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" | python3 -c 'import sys,json; print(json.load(sys.stdin)["id"])')
+          for file in dist/*.exe dist/*.exe.blockmap dist/latest.yml; do
+            [ -f "$file" ] || continue
+            echo "Uploading $file..."
+            curl -s -X POST "https://git.sanhost.net/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=$(basename $file)" \
+              -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+              -F "attachment=@${file}" || echo "Failed to upload $file"
+          done
 
   build-macos:
+    needs: [create-release]
     runs-on: macos-latest
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
-          cache: 'npm'
       - run: npm ci
 
       - name: Build macOS Packages
         env:
-          # Code signing
           CSC_LINK: ${{ secrets.CSC_LINK }}
           CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
-          # Notarization
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
         run: npx electron-builder --mac --publish never
-      - uses: actions/upload-artifact@v4
-        with:
-          name: macos-builds
-          path: |
-            dist/*.dmg
-            dist/*.zip
-            dist/*.blockmap
-            dist/latest-mac.yml
+
+      - name: Upload to Release
+        run: |
+          RELEASE_ID=$(curl -s "https://git.sanhost.net/api/v1/repos/${GITHUB_REPOSITORY}/releases/tags/${{ github.ref_name }}" \
+            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" | python3 -c 'import sys,json; print(json.load(sys.stdin)["id"])')
+          for file in dist/*.dmg dist/*.zip dist/*.blockmap dist/latest-mac.yml; do
+            [ -f "$file" ] || continue
+            echo "Uploading $file..."
+            curl -s -X POST "https://git.sanhost.net/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=$(basename $file)" \
+              -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+              -F "attachment=@${file}" || echo "Failed to upload $file"
+          done
 
   build-linux:
+    needs: [create-release]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Install build dependencies
         run: |
           sudo apt-get update
-          sudo apt-get install -y libarchive-tools
+          sudo apt-get install -y libarchive-tools rpm
 
       - uses: actions/setup-node@v4
         with:
           node-version: '22'
-          cache: 'npm'
       - run: npm ci
 
       - name: Build Linux Packages
+        run: npx electron-builder --linux AppImage deb rpm --publish never
+
+      - name: Upload to Release
         run: |
-          npx electron-builder --linux AppImage deb rpm --publish never
-      - uses: actions/upload-artifact@v4
-        with:
-          name: linux-builds
-          path: |
-            dist/*.AppImage
-            dist/*.AppImage.blockmap
-            dist/*.deb
-            dist/*.rpm
-            dist/latest-linux.yml
-
-  build-arch:
-    runs-on: ubuntu-latest
-    container:
-      image: archlinux:latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          
-      - name: Install base packages
-        run: |
-          pacman -Syu --noconfirm
-          pacman -S --noconfirm \
-            base-devel \
-            git \
-            nodejs \
-            npm \
-            rpm-tools \
-            libxcrypt-compat
-
-      - name: Create build user
-        run: |
-          useradd -m builder
-          echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-
-      - name: Fix Permissions
-        run: chown -R builder:builder .
-
-      - name: Build Arch Package
-        run: |
-          sudo -u builder bash << 'EOF'
-          set -e
-          makepkg --printsrcinfo > .SRCINFO
-          makepkg -s --noconfirm
-          EOF
-
-      - name: Fix permissions for upload
-        if: always()
-        run: |
-          sudo chown -R $(id -u):$(id -g) .
-
-      - name: Upload Arch Package
-        uses: actions/upload-artifact@v4
-        with:
-          name: arch-package
-          path: |
-            *.pkg.tar.zst
-            .SRCINFO
-          include-hidden-files: true
-
-  release:
-    needs: [build-windows, build-macos, build-linux, build-arch]
-    runs-on: ubuntu-latest
-    if: |
-      startsWith(github.ref, 'refs/tags/v') || 
-      github.ref == 'refs/heads/main' || 
-      github.event_name == 'workflow_dispatch'
-
-    permissions:
-      contents: write
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Download all artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: artifacts
-
-      - name: Display structure of downloaded files
-        run: ls -R artifacts
-
-      - name: Get version from package.json
-        id: pkg_version
-        run: echo "VERSION=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
-
-      - name: Create Release
-        uses: softprops/action-gh-release@v2
-        with:
-          tag_name: ${{ github.ref_name }}
-          files: |
-            artifacts/arch-package/*.pkg.tar.zst
-            artifacts/arch-package/.SRCINFO
-            artifacts/linux-builds/**/*
-            artifacts/windows-builds/**/*
-            artifacts/macos-builds/**/*
-          generate_release_notes: true
-          draft: true
-          prerelease: false
-          
+          RELEASE_ID=$(curl -s "https://git.sanhost.net/api/v1/repos/${GITHUB_REPOSITORY}/releases/tags/${{ github.ref_name }}" \
+            -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" | python3 -c 'import sys,json; print(json.load(sys.stdin)["id"])')
+          for file in dist/*.AppImage dist/*.AppImage.blockmap dist/*.deb dist/*.rpm dist/latest-linux.yml; do
+            [ -f "$file" ] || continue
+            echo "Uploading $file..."
+            curl -s -X POST "https://git.sanhost.net/api/v1/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets?name=$(basename $file)" \
+              -H "Authorization: token ${{ secrets.RELEASE_TOKEN }}" \
+              -F "attachment=@${file}" || echo "Failed to upload $file"
+          done

SERVER.md

@@ -6,15 +6,16 @@ Play with friends online! This guide covers both easy in-game hosting and advanc
 
 **Table of Contents**
 
+* [\[NEW!\] Play Online with Official Accounts 🆕](#new-play-online-with-official-accounts-)
 * ["Server" Term and Definition](#server-term-and-definiton)
 * [Server Directory Location](#server-directory-location)
-* [A. Online Play Feature](#a-online-play-feature)
-  * [1. Host Your Singleplayer World using In-Game Invite Code](#1-host-your-singleplayer-world-using-in-game-invite-code)
+* [A. Host Your Singleplayer World](#a-host-your-singleplayer-world)
+  * [1. Using Online-Play Feature In-Game Invite Code](#1-using-online-play-feature--in-game-invite-code)
     * [Common Issues (UPnP/NAT/STUN) on Online Play](#common-issues-upnpnatstun-on-online-play)
-  * [2. Host Your Singleplayer World using Tailscale](#2-host-your-singleplayer-world-using-tailscale)
+  * [2. Using Tailscale](#2-using-tailscale)
+  * [3. Using Radmin VPN](#3-using-radmin-vpn)
 * [B. Local Dedicated Server](#b-local-dedicated-server)
   * [1. Using Playit.gg (Recommended) ✅](#1-using-playitgg-recommended-)
-  * [2. Using Radmin VPN](#2-using-radmin-vpn)
 * [C. 24/7 Dedicated Server (Advanced)](#c-247-dedicated-server-advanced)
   * [Step 1: Get the Files Ready](#step-1-get-the-files-ready)
   * [Step 2: Place HytaleServer.jar in the Server directory](#step-2-place-hytaleserverjar-in-the-server-directory)
@@ -32,6 +33,69 @@ Play with friends online! This guide covers both easy in-game hosting and advanc
   * [10. Getting Help](#10-getting-help) 
 ---
 
+<div align='center'>
+ <h3>
+  <b>
+  Do you want to create Hytale Game Server with EASY SETUP, AFFORDABLE PRICE, AND 24/7 SUPPORT?
+  </b>
+ </h3>
+ <h2>
+  <b>
+  <a href="https://cloudnord.net/hytale-server-hosting">CLOUDNORD</a> is the ANSWER! HF2P Server is available!
+  </b>
+ </h2>
+ 
+</div>
+
+**CloudNord's Hytale, Minecraft, and Game Hosting** is at the core of our Server Hosting business. Join our Gaming community and experience our large choice of premium game servers, we’ve got you covered with super high-performance hardware, fantastic support options, and powerful server hosting to build and explore your worlds without limits! 
+
+**Order your Hytale, Minecraft, or other game servers today!**
+Choose Java Edition, Bedrock Edition, Cross-Play, or any of our additional supported games.
+Enjoy **20% OFF** all new game servers, **available now for a limited time!** Don’t miss out.
+
+### **CloudNord key hosting features include:**
+- Instant Server Setup ⚡
+- High Performance Game Servers 🚀
+- Game DDoS Protection 🛡️
+- Intelligent Game Backups 🧠
+- Quick Modpack Installer 🔧
+- Quick Plugin & Mod Installer 🧰
+- Full File Access 🗃️
+- 24/7 Support 📞 🏪
+- Powerful Game Control Server Panel 💪
+
+### **Check Us Out:**
+* 👉 CloudNord Website: https://cloudnord.net/hytalef2p
+* 👉 CloudNord Discord: https://discord.gg/TYxGrmUz4Y
+* 👉 CloudNord Reviews: https://www.trustpilot.com/review/cloudnord.net?page=2&stars=5
+
+--- 
+
+### [NEW!] Play Online with Official Accounts 🆕
+
+**Documentations:**
+* [Hytale-Server-Docker by Sanasol](https://github.com/sanasol/hytale-server-docker/tree/main?tab=readme-ov-file#dual-authentication)
+
+**Requirements:**
+* Using the patched HytaleServer.jar
+* Has Official Account with Purchased status on Official Hytale Website.
+* This official account holder can be the server hoster or one of the players.
+
+**Steps:**
+1. Running the patched HytaleServer.jar with either [B. Local Dedicated Server](#b-local-dedicated-server) or [C. 24/7 Dedicated Server (Advanced)](#c-247-dedicated-server-advanced) successfully.
+2. On the server's console/terminal/CMD, server admin **MUST RUN THIS EACH BOOT** to allow players with Official Hytale game license to connect on the server:
+```
+/auth logout
+/auth persistence Encrypted
+/auth login device
+```
+3. Server console will show instructions, an URL and a code; these will be revoked after 10 minutes if not authorized.
+4. The server hoster can open the URL directly to browser by holding Ctrl then Click on it, or copy and send it to the player with official account.
+5. Once it authorized, the official accounts can join server with F2P players.
+6. If you want to modify anything, look at the [Hytale-Server-Docker](https://github.com/sanasol/hytale-server-docker/) above, give the repo a STAR too.
+
+---
+
 ### "Server" Term and Definiton
 
 "HytaleServer.jar", which called as "Server", functions as the place of authentication of the client that supposed to go to Hytale Official Authentication System but we managed our way to redirect it on our service (Thanks to Sanasol), handling approximately thousands of players worldwide to play this game for free.
@@ -41,14 +105,15 @@ Kindly support us via [our Buy Me a Coffee link](https://buymeacoffee.com/hf2p)
 
 ### Server Directory Location
 
-Here are the directory locations of Server folder if you have installed 
+Here are the directory locations of Server folder if you have installed it on default instalation location:
 - **Windows:** `%localappdata%\HytaleF2P\release\package\game\latest\Server`
 - **macOS:** `~/Library/Application Support/HytaleF2P/release/package/game/latest/Server`
 - **Linux:** `~/.hytalef2p/release/package/game/latest/Server`
 
 > [!NOTE]
-> This location only exists if the user installed the game using our launcher. The `Server` folder needed to auth the HytaleClient to play Hytale online
-> (for now; we planned to add offline mode in later version of our launcher).
+> This location only exists if the user installed the game using our launcher.
+> The `Server` folder needed to auth the HytaleClient to play Hytale in Singleplayer/Multiplayer for now.
+> (We planned to add offline mode in later version of our launcher).
 
 > [!IMPORTANT]
 > Hosting a dedicated Hytale server will not need the exact similar tree. You can put it anywhere, as long as the directory has `Assets.zip` which
@@ -64,6 +129,7 @@ Terms and conditions applies.
 ## 1. Using Online-Play Feature / In-Game Invite Code
 
 The easiest way to play with friends - no manual server setup required!
+
 *The game automatically handles networking using UPnP/STUN/NAT traversal.*
 
 **For Online Play to work, you need:**
@@ -112,6 +178,7 @@ Warning: Your network configuration may prevent other players from connecting.
 </details>
 
 <details><summary><b>b. "UPnP Failed" or "Port Mapping Failed" Warning</b></summary>
+ 
 **Check your router:**
 1. Log into router admin panel (usually `192.168.1.1` or `192.168.0.1`)
 2. Find UPnP settings (often under "Advanced" or "NAT")
@@ -123,7 +190,8 @@ Warning: Your network configuration may prevent other players from connecting.
 - See "Port Forwarding" or "Workarounds or NAT/CGNAT" sections below
 </details>
 
-<details><summary><b>c. "Strict NAT" or "Symmetric NAT" Warning</b></summary>
+<details><summary><b>c. "Connected via STUN", "Strict NAT" or "Symmetric NAT" Warning</b></summary>
+
 Some routers have restrictive NAT that blocks peer connections.
 
 **Try:**
@@ -133,6 +201,7 @@ Some routers have restrictive NAT that blocks peer connections.
 </details>
 
 ## 2. Using Tailscale
+
 Tailscale creates mesh VPN service that streamlines connecting devices and services securely across different networks. And **works crossplatform!!**
 
 1. All members are required to download [Tailscale](https://tailscale.com/download) on your device.
@@ -148,6 +217,17 @@ Tailscale creates mesh VPN service that streamlines connecting devices and servi
     * Use the new share code to connect
     * To test your connection, ping the host's ipv4 mentioned in Tailscale
 
+## 3. Using Radmin VPN
+
+Creates a virtual LAN - all players need to install it:
+
+1. Download [Radmin VPN](https://www.radmin-vpn.com/) - All players install it
+2. One person create a room/network, others join with network name/password
+3. Host joined the world, others will connect to it.
+4. Open Hytale Game > Servers > Add Servers > Direct Connect > Type IP Address of the Host from Radmin.
+
+These options bypass all NAT/CGNAT issues. But for **Windows machines only!**
+
 ---
 
 # B. Local Dedicated Server
@@ -167,11 +247,12 @@ Free tunneling service - only the host needs to install it:
      * Right-click file > Properties > Turn on 'Executable as a Program' | or `chmod +x playit-linux-amd64` on terminal
      * Run by double-clicking the file or `./playit-linux-amd64` via terminal
 5. Open the URL/link by `Ctrl+Click` it. If unable, select the URL, then Right-Click to Copy (`Ctrl+Shift+C` for Linux) then Paste the URL into your browser to link it with your created account. 
-6. **WARNING: Do not close the terminal if you are still playing or hosting the server**
-7. Once it done, download the `run_server_with_tokens` script file (`.BAT` for Windows, `.SH` for Linux) from our Discord server > channel `#open-public-server`
-8. Put the script file to the `Server` folder in `HytaleF2P` directory (`%localappdata%\HytaleF2P\release\package\game\latest\Server`)
-9. Copy the `Assets.zip` from the `%localappdata%\HytaleF2P\release\package\game\latest\` folder to the `Server\` folder. (TIP: You can use Symlink of that file to reduce disk usage!)
-10. Double-click the .BAT file to host your server, wait until it shows:
+6. Once it done, download the `run_server_with_tokens (1)` script file (`.BAT` for Windows, `.SH` for Linux) from our Discord server > channel `#open-public-server`
+7. Put the script file to the `Server` folder in `HytaleF2P` directory (`%localappdata%\HytaleF2P\release\package\game\latest\Server`)
+8. Rename the script file to `run_server_with_tokens` to make it easier if you run it with Terminal, then do Method A or B.
+9. If you put it in `Server` folder in `HytaleF2P` launcher, change `ASSETS_PATH="${ASSETS_PATH:-./Assets.zip}"` inside the script to be `ASSETS_PATH="${ASSETS_PATH:-../Assets.zip}"`. NOTICE THE `./` and `../` DIFFERENCE.
+10. Copy the `Assets.zip` from the `%localappdata%\HytaleF2P\release\package\game\latest\` folder to the `Server\` folder. (TIP: You can use Symlink of that file to reduce disk usage!)
+11. Double-click the .BAT file to host your server, wait until it shows:
 ```
 ===================================================
 Hytale Server Booted! [Multiplayer, Fresh Universe]
@@ -180,16 +261,12 @@ Hytale Server Booted! [Multiplayer, Fresh Universe]
 11. Connect to the server by go to `Servers` in your game client, press `Add Server`, type `localhost` in the address box, use any name for your server.
 12. Send the public address in Step 3 to your friends.
 
-## 2. Using Radmin VPN
+> [!CAUTION]
+> Do not close the Playit.gg Terminal OR HytaleServer Terminal if you are still playing or hosting the server.
 
-Creates a virtual LAN - all players need to install it:
+## 2. Using Tailscale [DRAFT]
 
-1. Download [Radmin VPN](https://www.radmin-vpn.com/) - All players install it
-2. One person create a room/network, others join with network name/password
-3. Host joined the world, others will connect to it.
-4. Open Hytale Game > Servers > Add Servers > Direct Connect > Type IP Address of the Host from Radmin.
-
-These options bypass all NAT/CGNAT issues. But for **Windows machines only!**
+Tailscale
 
 ---
 
@@ -228,12 +305,12 @@ For 24/7 servers, custom configurations, or hosting on a VPS/dedicated machine.
 
 **Windows:**
 ```batch
-run_server.bat
+run_server_with_token.bat
 ```
 
 **macOS / Linux:**
 ```bash
-./run_server.sh
+./run_server_with_token.sh
 ```
 
 ---
@@ -503,3 +580,6 @@ See [Docker documentation](https://github.com/Hybrowse/hytale-server-docker) for
 - Auth Server: sanasol.ws
 
 
+
+
+

backend/managers/gameLauncher.js

@@ -252,8 +252,8 @@ async function launchGame(playerNameOverride = null, progressCallback, javaPathO
         if (patchResult.client) {
           console.log(`  Client: ${patchResult.client.patchCount || 0} occurrences`);
         }
-        if (patchResult.server) {
-          console.log(`  Server: ${patchResult.server.patchCount || 0} occurrences`);
+        if (patchResult.agent) {
+          console.log(`  Agent: ${patchResult.agent.alreadyExists ? 'already present' : patchResult.agent.success ? 'downloaded' : 'failed'}`);
         }
       } else {
         console.warn('Game patching failed:', patchResult.error);
@@ -408,6 +408,17 @@ exec "$REAL_JAVA" "\${ARGS[@]}"
     }
   }
 
+  // DualAuth Agent: Set JAVA_TOOL_OPTIONS so java picks up -javaagent: flag
+  // This enables runtime auth patching without modifying the server JAR
+  const agentJar = path.join(gameLatest, 'Server', 'dualauth-agent.jar');
+  if (fs.existsSync(agentJar)) {
+    const agentFlag = `-javaagent:${agentJar}`;
+    env.JAVA_TOOL_OPTIONS = env.JAVA_TOOL_OPTIONS
+      ? `${env.JAVA_TOOL_OPTIONS} ${agentFlag}`
+      : agentFlag;
+    console.log('DualAuth Agent: enabled via JAVA_TOOL_OPTIONS');
+  }
+
   try {
     let spawnOptions = {
       stdio: ['ignore', 'pipe', 'pipe'],

backend/utils/clientPatcher.js

@@ -7,6 +7,10 @@ const ORIGINAL_DOMAIN = 'hytale.com';
 const MIN_DOMAIN_LENGTH = 4;
 const MAX_DOMAIN_LENGTH = 16;
 
+// DualAuth ByteBuddy Agent (runtime class transformation, no JAR modification)
+const DUALAUTH_AGENT_URL = 'https://github.com/sanasol/hytale-auth-server/releases/latest/download/dualauth-agent.jar';
+const DUALAUTH_AGENT_FILENAME = 'dualauth-agent.jar';
+
 function getTargetDomain() {
   if (process.env.HYTALE_AUTH_DOMAIN) {
     return process.env.HYTALE_AUTH_DOMAIN;
@@ -23,7 +27,7 @@ const DEFAULT_NEW_DOMAIN = 'auth.sanasol.ws';
 
 /**
  * Patches HytaleClient binary to replace hytale.com with custom domain
- * Server patching is done via pre-patched JAR download from CDN
+ * Server auth is handled by DualAuth ByteBuddy Agent (-javaagent: flag)
  *
  * Supports domains from 4 to 16 characters:
  * - All F2P traffic routes to single endpoint: https://{domain} (no subdomains)
@@ -494,211 +498,95 @@ class ClientPatcher {
   }
 
   /**
-   * Check if server JAR contains DualAuth classes (was patched)
+   * Get the path to the DualAuth Agent JAR in a directory
    */
-  serverJarContainsDualAuth(serverPath) {
-    try {
-      const data = fs.readFileSync(serverPath);
-      // Check for DualAuthContext class signature in JAR
-      const signature = Buffer.from('DualAuthContext', 'utf8');
-      return data.includes(signature);
-    } catch (e) {
-      return false;
-    }
+  getAgentPath(dir) {
+    return path.join(dir, DUALAUTH_AGENT_FILENAME);
   }
 
   /**
-   * Validate downloaded file is not corrupt/partial
-   * Server JAR should be at least 50MB
+   * Download DualAuth ByteBuddy Agent (replaces old pre-patched JAR approach)
+   * The agent provides runtime class transformation via -javaagent: flag
+   * No server JAR modification needed - original JAR stays pristine
    */
-  validateServerJarSize(serverPath) {
-    try {
-      const stats = fs.statSync(serverPath);
-      const minSize = 50 * 1024 * 1024; // 50MB minimum
-      if (stats.size < minSize) {
-        console.error(`  Downloaded JAR too small: ${(stats.size / 1024 / 1024).toFixed(2)} MB (expected >50MB)`);
-        return false;
-      }
-      console.log(`  Downloaded size: ${(stats.size / 1024 / 1024).toFixed(2)} MB`);
-      return true;
-    } catch (e) {
-      return false;
-    }
-  }
+  async ensureAgentAvailable(serverDir, progressCallback) {
+    const agentPath = this.getAgentPath(serverDir);
 
-  /**
-   * Patch server JAR by downloading pre-patched version from CDN
-   */
-  async patchServer(serverPath, progressCallback, branch = 'release') {
-    const newDomain = this.getNewDomain();
+    console.log('=== DualAuth Agent (ByteBuddy) ===');
+    console.log(`Target: ${agentPath}`);
 
-    console.log('=== Server Patcher (Pre-patched Download) ===');
-    console.log(`Target: ${serverPath}`);
-    console.log(`Branch: ${branch}`);
-    console.log(`Domain: ${newDomain}`);
-
-    if (!fs.existsSync(serverPath)) {
-      const error = `Server JAR not found: ${serverPath}`;
-      console.error(error);
-      return { success: false, error };
-    }
-
-    // Check if already patched
-    const patchFlagFile = serverPath + '.dualauth_patched';
-    let needsRestore = false;
-
-    if (fs.existsSync(patchFlagFile)) {
+    // Check if agent already exists and is valid
+    if (fs.existsSync(agentPath)) {
       try {
-        const flagData = JSON.parse(fs.readFileSync(patchFlagFile, 'utf8'));
-        if (flagData.domain === newDomain && flagData.branch === branch) {
-          // Verify JAR actually contains DualAuth classes (game may have auto-updated)
-          if (this.serverJarContainsDualAuth(serverPath)) {
-            console.log(`Server already patched for ${newDomain} (${branch}), skipping`);
-            if (progressCallback) progressCallback('Server already patched', 100);
-            return { success: true, alreadyPatched: true };
-          } else {
-            console.log('  Flag exists but JAR not patched (was auto-updated?), will re-download...');
-            // Delete stale flag file
-            try { fs.unlinkSync(patchFlagFile); } catch (e) { /* ignore */ }
-          }
-        } else {
-          console.log(`Server patched for "${flagData.domain}" (${flagData.branch}), need to change to "${newDomain}" (${branch})`);
-          needsRestore = true;
+        const stats = fs.statSync(agentPath);
+        if (stats.size > 1024) {
+          console.log(`DualAuth Agent present (${(stats.size / 1024).toFixed(0)} KB)`);
+          if (progressCallback) progressCallback('DualAuth Agent ready', 100);
+          return { success: true, agentPath, alreadyExists: true };
         }
+        // File exists but too small - corrupt, re-download
+        console.log('Agent file appears corrupt, re-downloading...');
+        fs.unlinkSync(agentPath);
       } catch (e) {
-        // Flag file corrupt, re-patch
-        console.log('  Flag file corrupt, will re-download');
-        try { fs.unlinkSync(patchFlagFile); } catch (e) { /* ignore */ }
+        console.warn('Could not check agent file:', e.message);
       }
     }
 
-    // Restore backup if patched for different domain
-    if (needsRestore) {
-      const backupPath = serverPath + '.original';
-      if (fs.existsSync(backupPath)) {
-        if (progressCallback) progressCallback('Restoring original for domain change...', 5);
-        console.log('Restoring original JAR from backup for re-patching...');
-        fs.copyFileSync(backupPath, serverPath);
-        if (fs.existsSync(patchFlagFile)) {
-          fs.unlinkSync(patchFlagFile);
-        }
-      } else {
-        console.warn('  No backup found to restore - will download fresh patched JAR');
-      }
-    }
-
-    // Create backup
-    if (progressCallback) progressCallback('Creating backup...', 10);
-    console.log('Creating backup...');
-    const backupResult = this.backupClient(serverPath);
-    if (!backupResult) {
-      console.warn('  Could not create backup - proceeding without backup');
-    }
-
-    // Only support standard domain (auth.sanasol.ws) via pre-patched download
-    if (newDomain !== 'auth.sanasol.ws' && newDomain !== 'sanasol.ws') {
-      console.error(`Domain "${newDomain}" requires DualAuthPatcher - only auth.sanasol.ws is supported via pre-patched download`);
-      return { success: false, error: `Unsupported domain: ${newDomain}. Only auth.sanasol.ws is supported.` };
-    }
-
-    // Download pre-patched JAR
-    if (progressCallback) progressCallback('Downloading patched server JAR...', 30);
-    console.log('Downloading pre-patched HytaleServer.jar...');
+    // Download agent from GitHub releases
+    if (progressCallback) progressCallback('Downloading DualAuth Agent...', 20);
+    console.log(`Downloading from: ${DUALAUTH_AGENT_URL}`);
 
     try {
-      let url;
-      if (branch === 'pre-release') {
-        url = 'https://patcher.authbp.xyz/download/patched_prerelease';
-        console.log('  Using pre-release patched server from:', url);
-      } else {
-        url = 'https://patcher.authbp.xyz/download/patched_release';
-        console.log('  Using release patched server from:', url);
+      // Ensure server directory exists
+      if (!fs.existsSync(serverDir)) {
+        fs.mkdirSync(serverDir, { recursive: true });
       }
 
-      const file = fs.createWriteStream(serverPath);
-      let totalSize = 0;
-      let downloaded = 0;
+      const tmpPath = agentPath + '.tmp';
+      const file = fs.createWriteStream(tmpPath);
 
-      const stream = await smartDownloadStream(url, (chunk, downloadedBytes, total) => {
-        downloaded = downloadedBytes;
-        totalSize = total;
-        if (progressCallback && totalSize) {
-          const percent = 30 + Math.floor((downloaded / totalSize) * 60);
-          progressCallback(`Downloading... ${(downloaded / 1024 / 1024).toFixed(2)} MB`, percent);
+      const stream = await smartDownloadStream(DUALAUTH_AGENT_URL, (chunk, downloadedBytes, total) => {
+        if (progressCallback && total) {
+          const percent = 20 + Math.floor((downloadedBytes / total) * 70);
+          progressCallback(`Downloading agent... ${(downloadedBytes / 1024).toFixed(0)} KB`, percent);
         }
       });
 
       stream.pipe(file);
 
       await new Promise((resolve, reject) => {
-        file.on('finish', () => {
-          file.close();
-          resolve();
-        });
+        file.on('finish', () => { file.close(); resolve(); });
         file.on('error', reject);
         stream.on('error', reject);
       });
 
-      console.log('  Download successful');
-
-      // Verify downloaded JAR size and contents
-      if (progressCallback) progressCallback('Verifying downloaded JAR...', 95);
-
-      if (!this.validateServerJarSize(serverPath)) {
-        console.error('Downloaded JAR appears corrupt or incomplete');
-
-        // Restore backup on verification failure
-        const backupPath = serverPath + '.original';
-        if (fs.existsSync(backupPath)) {
-          fs.copyFileSync(backupPath, serverPath);
-          console.log('Restored backup after verification failure');
-        }
-
-        return { success: false, error: 'Downloaded JAR verification failed - file too small (corrupt/partial download)' };
+      // Verify download
+      const stats = fs.statSync(tmpPath);
+      if (stats.size < 1024) {
+        fs.unlinkSync(tmpPath);
+        const error = 'Downloaded agent too small (corrupt or failed download)';
+        console.error(error);
+        return { success: false, error };
       }
 
-      if (!this.serverJarContainsDualAuth(serverPath)) {
-        console.error('Downloaded JAR does not contain DualAuth classes - invalid or corrupt download');
-
-        // Restore backup on verification failure
-        const backupPath = serverPath + '.original';
-        if (fs.existsSync(backupPath)) {
-          fs.copyFileSync(backupPath, serverPath);
-          console.log('Restored backup after verification failure');
-        }
-
-        return { success: false, error: 'Downloaded JAR verification failed - missing DualAuth classes' };
+      // Atomic move
+      if (fs.existsSync(agentPath)) {
+        fs.unlinkSync(agentPath);
       }
-      console.log('  Verification successful - DualAuth classes present');
+      fs.renameSync(tmpPath, agentPath);
 
-      // Mark as patched
-      const sourceUrl = branch === 'pre-release' 
-        ? 'https://patcher.authbp.xyz/download/patched_prerelease'
-        : 'https://patcher.authbp.xyz/download/patched_release';
-      
-      fs.writeFileSync(patchFlagFile, JSON.stringify({
-        domain: newDomain,
-        branch: branch,
-        patchedAt: new Date().toISOString(),
-        patcher: 'PrePatchedDownload',
-        source: sourceUrl
-      }));
-
-      if (progressCallback) progressCallback('Server patching complete', 100);
-      console.log('=== Server Patching Complete ===');
-      return { success: true, patchCount: 1 };
+      console.log(`DualAuth Agent downloaded (${(stats.size / 1024).toFixed(0)} KB)`);
+      if (progressCallback) progressCallback('DualAuth Agent ready', 100);
+      return { success: true, agentPath };
 
     } catch (downloadError) {
-      console.error(`Failed to download patched JAR: ${downloadError.message}`);
-
-      // Restore backup on failure
-      const backupPath = serverPath + '.original';
-      if (fs.existsSync(backupPath)) {
-        fs.copyFileSync(backupPath, serverPath);
-        console.log('Restored backup after download failure');
+      console.error(`Failed to download DualAuth Agent: ${downloadError.message}`);
+      // Clean up temp file
+      const tmpPath = agentPath + '.tmp';
+      if (fs.existsSync(tmpPath)) {
+        try { fs.unlinkSync(tmpPath); } catch (e) { /* ignore */ }
       }
-
-      return { success: false, error: `Failed to download patched server: ${downloadError.message}` };
+      return { success: false, error: downloadError.message };
     }
   }
 
@@ -743,12 +631,12 @@ class ClientPatcher {
   }
 
   /**
-   * Ensure both client and server are patched before launching
+   * Ensure client is patched and DualAuth Agent is available before launching
    */
   async ensureClientPatched(gameDir, progressCallback, javaPath = null, branch = 'release') {
     const results = {
       client: null,
-      server: null,
+      agent: null,
       success: true
     };
 
@@ -765,22 +653,23 @@ class ClientPatcher {
       results.client = { success: false, error: 'Client binary not found' };
     }
 
-    const serverPath = this.findServerPath(gameDir);
-    if (serverPath) {
-      if (progressCallback) progressCallback('Patching server JAR...', 50);
-      results.server = await this.patchServer(serverPath, (msg, pct) => {
+    // Download DualAuth ByteBuddy Agent (runtime patching, no JAR modification)
+    const serverDir = path.join(gameDir, 'Server');
+    if (fs.existsSync(serverDir)) {
+      if (progressCallback) progressCallback('Checking DualAuth Agent...', 50);
+      results.agent = await this.ensureAgentAvailable(serverDir, (msg, pct) => {
         if (progressCallback) {
-          progressCallback(`Server: ${msg}`, pct ? 50 + pct / 2 : null);
+          progressCallback(`Agent: ${msg}`, pct ? 50 + pct / 2 : null);
         }
-      }, branch);
+      });
     } else {
-      console.warn('Could not find HytaleServer.jar');
-      results.server = { success: false, error: 'Server JAR not found' };
+      console.warn('Server directory not found, skipping agent download');
+      results.agent = { success: true, skipped: true };
     }
 
-    results.success = (results.client && results.client.success) || (results.server && results.server.success);
-    results.alreadyPatched = (results.client && results.client.alreadyPatched) && (results.server && results.server.alreadyPatched);
-    results.patchCount = (results.client ? results.client.patchCount || 0 : 0) + (results.server ? results.server.patchCount || 0 : 0);
+    results.success = (results.client && results.client.success) || (results.agent && results.agent.success);
+    results.alreadyPatched = (results.client && results.client.alreadyPatched) && (results.agent && results.agent.alreadyExists);
+    results.patchCount = results.client ? results.client.patchCount || 0 : 0;
 
     if (progressCallback) progressCallback('Patching complete', 100);