When does tool.Equipped get replicated (visually) to the other clients?

This is my first post on the forums and I apologize in advance for its length. I’ve included a tl;dr, but I wanted to fully explain why I’m asking this question.

Suppose there is a tool that is cloned from ServerStorage to the player’s Backpack when the player enters the game. A reference to that tool is stored somewhere on the server to easily allow the use of tool.Equipped/tool.Activated on that specific tool. When tool.Equipped/tool.Activated is used it will fire for both the client and the server; this is similar in functionality to that of ReplicatedStorage.

After reading a bit I learned that the Backpack does not replicate changes to the server if the change took place on the client, but changes on the server replicates to the client (just like ReplicatedStorage).side note I personally refuse to use ReplicatedStorage for anything other than remotes (No modules, No values) because I like to draw a very distinct line. I prefer to have absolutely no question in my mind on the boundary. I would rather take the extra time to script out repeatable(and specially tailored) code rather than use a ModuleScript in ReplicatedStorage.

I’m fully aware that there is an “automatic” remote inside ReplicatedStorage that is fired whenever anything inside is changed(hence the same bandwidth usage between ValueObjects and Remotes). It stands to reason that the Backpack functions exactly the same way. The point behind this is to ask: “What happens when the client equips a tool?”

The originating action MUST come from the client if they equipped the tool (otherwise how would the server know to equip it and is the reason why I pointed out the “automatic” remote in ReplicatedStorage). This however completely/reasonably contradicts what I read that changes to the Backpack aren’t replicated to the Server. What I’m getting at is this rhetorical question: how could you ever fully know if a tool is activated/equipped? This concerns me because that would mean an exploiter could briefly equip a tool even without the requirements needed for it, until you remove it of course.

Now I understand validation should take place on the server and should be appended to the tool.Equipped before any action is performed by that tool(remove the tool if it isn’t accepted by the Server). But I feel as though the integrity of the game is compromised because the exploiter could equip anything they created for a brief time. We’re finally at my overall question: When does tool.Equipped get replicated (visually) to the other clients? I would test this on my own, but I fear there may be variances to the answer (outlined in the tl;dr).

TL;DR
If tool.Equipped is replicated to the other clients before the script has time to perform its checks, then everything I do is null. Is it a decent amount of time (maybe only when eof is reached for tool.Equipped on the server, no looping in that case), is the time a static number, does the time change depending on something, or is there some sort of filter in place that compares the client and server backpacks? Will I have a reasonable amount of time to perform checks before some horrible image of a tool is sent down the pipe to the other players? I feel as though I’m on a time limit to get my sanity checks done and any unacceptable tool removed.

I think it gets replicated in the clients next visible frame for example, I would lve to say immediately but it depends on the clients connection and the server’s. So it mainly comes down to performance.

If that’s true then an exploiter could equip anything offensive as a tool and it’ll replicate to all the other clients. If a receiving client has a horrible connection, then it’s very possible they’ll see the offensive tool before a sanity check removes it.

I’m honestly hoping there is some filter in place that checks if the tool is in the server’s copy of the player’s backpack before replicating it to all the other clients. If this is the case, then that means any sanity check to see if the item is inside the player’s backpack is redundant.

So pretty much if you use heartbeat which is every other frame then you can have a much more efficient sanity check. And the servers transfer of data to the client will tell the client to show the tool so doing heartbeat will prevent or should prevent any inappropriate tools from appearing. But what you could do is create a system whereby the tool is equipped from the client, is checked and then a remote event gives the server a thumbs up.

I’m pretty sure heartbeat and renderstepped both run every frame, just in a different order?

Yes all the RunService events fire every frame the only difference is the ordering.

I might have to do some brushing up then… Thanks for the feedback.

This post is just to answer all the questions behind the question in the topic.

So I finally caved and did a quick test where I created a tool locally and placed it inside the player’s backpack. Come to find out, you can’t even create local tools (well you can, but they get nuked shortly after placing it in the backpack). This means a check is done before anything is even equipped and actually solves all of the problems I outlined in this post. I can 100% confirm this is what is happening because I ran a check through a loop that fires immediately after creating the tool and prints out the backpack’s contents. It finds the tool and prints out the name only once, then the tool disappears.

I probably should’ve just tested it out before speculating, but at least all my questions are answered! I’m marking @leekthug as the solver for the original question.