November Updates
Posted by Ash Qin
on 01 December 2025, 3:41:18 pm
November sits quietly between the blaze of autumn and the hush of winter, a month of sharper air, shorter days, and longer moments of reflection. It's when routines slow just enough for gratitude to catch up, and plans for the coming year start to take shape. This November at Alpha-Fox has felt much the same!
Table of Contents
TL;DR
A quiet month on the surface, a hectic one underneath. Overdue credit where it's due, a beloved sci-fi universe stepping back into the spotlight, a major provider faceplant, and a lot of minor quality-of-life tweaks across logins, docs, APIs, and community spaces.
Credit Mishap
We want to start by addressing a small but essential oversight in our previous communications. In our January Updates post, we discussed a patch for a long-standing vulnerability that allowed RLV users to bypass the shield/iris functionality in the Stargate system.
Unfortunately, we neglected to appropriately credit MICKE94 Avora for his detailed report that brought this issue to our attention and helped guide the resolution. He has been a valuable contributor, previously providing feedback that led to improvements like partial searches in the "Owner" field of the ASN database, a new "All" search option for broader matching, and setting "All" as the default for better usability.
Stargate is returning to the small screen
On the 19th, Amazon MGM Studios announced a new live-action Stargate TV series for Prime Video, marking the franchise's return after over 14 years since Stargate Universe concluded, with the show serving as a fresh chapter in the existing universe that honours the canon from the 1994 film and previous series while being accessible to new viewers. For more details, see our dedicated post covering the news.
Return party
In a vibrant display of community spirit, members gathered on the iconic Atlantis platform for a party on the 29th, marking the triumphant return of Stargate. The event buzzed with excitement as participants shared stories, danced, and toasted to new adventures ahead. For those who missed out or want to relive the highlights, head over to the Community Creations section in our Discord server, and feel free to share your own captures too!
Cloudflare
We chose Cloudflare as our primary CDN and security provider over alternatives like AWS's combination of CloudFront, Shield, and WAF ℹ️, as well as Akamai and Fastly, primarily because Cloudflare does not charge us for egress fees ℹ️ (the amount of traffic used), allowing us to maintain fixed, predictable costs regardless of traffic volume or data transfer spikes, which is crucial for budgeting. Additionally, Cloudflare's affordable pricing plans make it accessible without compromising on features. Their track record of transparent, detailed disclosures during security incidents built our trust in their reliability and proactive approach to threat mitigation.
Outage
On Alpha-Fox's site, Cloudflare's error page was displayed to users during the 18th. Cloudflare's network began experiencing a significant outage, preventing websites on its platform (including ours) from loading for users. The disruption was widespread, and it knocked primary online services offline, including popular platforms like X and ChatGPT. The outage lasted several hours. While Alpha-Fox's website was affected, the Stargates in-world were not.
The failure was not our fault; it originated from a routine update to Cloudflare's database access permissions that morning. That update inadvertently caused a query to write duplicate entries into the configuration file used by Cloudflare's Bot Management feature. This file is updated every few minutes to help Cloudflare's machine-learning system distinguish between bots and human traffic.
Because of the duplicate data, the feature file suddenly doubled in size and was propagated across Cloudflare's network. However, the proxy software had a built-in size limit for that file, and the new version exceeded it. As a result, many servers crashed when they tried to load the oversized configuration, causing errors for users worldwide.
Once the root cause was confirmed, Cloudflare acted to remediate the issue and restore services. As an interim step, they implemented a workaround that rerouted or bypassed specific requests to reduce the immediate impact on customers. Engineers then stopped the generation and distribution of the bad configuration file. They rolled out a known-good previous version of the Bot Management feature file across their infrastructure.
Logins
Security and usability go hand in hand, especially when it comes to logging in. We've noticed that users often retry logins multiple times when encountering errors like "password leaked" or "password too short", suggesting the warnings weren't sufficiently noticeable. To fix this, we've revamped the error pages to make the warnings and resolution steps much more prominent.
On the password change page, we've integrated a guide to crafting secure passwords. This builds directly on the advice from our March Updates post, where we delved into why longer passwords are crucial against brute-force attacks.
Behind the scenes, we've further upgraded our internal authentication logging for more robust auditing. This helps us track patterns, spot potential issues early, and maintain a higher level of security without impacting your experience.
Discord
We're approaching a whole year since we created our Discord, and we've had time to reflect on some of our original decisions and consider making a few changes.
First, we've completely rewritten the join page for a cleaner, more inviting design, and we fixed some lingering HTML issues on the old page.
We've also almost entirely rewritten the server rules to be more straightforward and more transparent. As the server has matured, we've gained a better understanding of what actually works, so we've trimmed the fat while keeping the essentials intact to foster a positive environment.
To make rule management sustainable, we've implemented a new script that automates pushing updates via a bot. This means updates no longer have to be posted and maintained by a single individual. The script pulls content from separate Markdown (.md) files, converts custom emoji shortcodes and channel names into proper Discord formats, and ensures each message fits within the 2,000-character limit before posting.
API
We've reorganised and expanded our API documentation to make it more intuitive and comprehensive, addressing common pain points like confusion between the in-world and network APIs.
The docs have moved to more logical locations on the site, with a dedicated section for the 1.1.3 in-world API to separate it clearly from the network API.
Formatting has been overhauled, using more precise terminology (for example, "commands" and "events" rather than "incoming" and "outgoing"), and now includes syntax, descriptions, exact response strings, and more explicit permissions. We've also fleshed out additional details, including error handling, response formats, and new fields in lookups.
We have also added a new API command, wormhole control|<0/1>, which toggles whether anyone (0) or only the owner (1) can issue shutdown wormhole (graceful close) or cut wormhole (abrupt termination). In addition, the stargate details command now succinctly returns various statuses of the Stargate in a single call, which is especially useful for HUDs and other in-world tools.
Final Thoughts
As we conclude November's development cycle, we're pleased to spotlight the progress: 19 commits that introduced 5 new files, modified 22 existing ones, and yielded 1,790 lines added alongside 105 removed.
--Ash Qin
Ash Qin
