I’m having a similar problem as you tracing Lyra’s shooting logic.
Regarding 1, it is known that Lyra was designed with client authoritative hit detection. In this Youtube vid they explicitly mention that.
Unfortunately, they also mention that “somewhere in the code there’s a comment that say ‘if you want to do server validation for the shots do it here’”. As far as I can tell this comment does not exist. So I’m still struggling to figure out how to convert the code to server authoritative.
For point 2, I also don’t know why that happens. Maybe it’s more convenient to just directly give the targets for replication purposes and just replace those that aren’t correct? who knows
I do wish there was a lot more detail on this aspect of Lyra… considering how it’s such a core gameplay feature…