"dotnet build verifies compile but NOT the whitelist"
dotnet build Code/<proj>.csprojis green.- In-editor / published play rejects APIs with SB1000 whitelist violations (
Environment.*, reflection, etc.). - Agents report "verified" on code the game then refuses.
The s&box whitelist is only enforced by the in-editor compiler (and the published package sandbox). Headless dotnet build references the Steam-managed DLLs and type-checks — it does not run the access list.
Banned examples observed in game code:
Environment.*(e.g.Environment.TickCount)- Raw
System.IO/Process/Thread(as used for banned patterns) - Runtime reflection:
Type.GetProperty/PropertyInfo.SetValue - Vendored-lib pitfalls:
System.Console, crypto RNG (HashCode.GenerateGlobalSeed),Environment.NewLine
Known-ok examples: System.Text.Json, ArrayPool, GameTask.RunInThreadAsync, new System.Random(int) / time-seeded Random (whitelisted).
Http may call domains (not raw IPs) per whitelist notes.
Published packages can still diverge further across engine updates — join as a player after publish (broke-after-publish-whitelist).
dotnet build Code\<project>.csproj
# necessary, not sufficientWhitelist sweep on new code before shipping:
Environment. | System.IO | Process. | Thread. | GetProperty | SetValue | DllImportPrefer engine surfaces: Time.Now-derived entropy, FileSystem.Data instead of raw IO, handoff notes instead of reflection across files.
Whole-tree "0 warnings" claims need dotnet build --no-incremental — incremental builds lie about warning counts (warnings only re-emit for files that recompiled).
Never disable the whitelist to "make it compile" if you still need sbox.game publish — that blocks platform publish and pushes you toward standalone-steam-export.
Two compilers, two jobs: Roslyn proves types; the s&box access list proves the API is allowed in the player sandbox. Green headless builds only answer the first question.