chore: multiplayer examples

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore: multiplayer game examples #4203
• chore(repo): ignore openspec #4202
• chore: multiplayer examples #4201 👈 (View in Graphite)
• chore: multiplayer cookbook #4200
• chore: simplify queue api #4229
• refactor(rivetkit): add typed event and queue schemas for actors #4209 : 1 other dependent PR (#4224 )
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: Multiplayer Examples Specs

This PR introduces specs for six new RivetKit multiplayer game examples and removes the existing examples/multiplayer-game implementation. Here is my analysis:

---

Summary of Changes

Added:

• .agent/friction/rivetkit.md — friction log for the design phase
• .agent/notes/multiplayer-cookbook.md — reusable multiplayer architecture patterns
• .agent/specs/games/ — specs for 6 new game examples (IO-style arena, tic-tac-toe, FPS, MMO chunked world, idle base builder, party card game, NPC town)

Deleted:

• examples/multiplayer-game/ — the previously-working Agar.io-style implementation

---

Issues

1. Missing Vercel example cleanup

The friction log itself acknowledges this:

"Requested deletion of examples/multiplayer-game while this phase is "specs only" can leave the auto-generated examples/multiplayer-game-vercel out of sync until regeneration."

Per CLAUDE.md, changes to examples require updating the Vercel equivalent. The examples/multiplayer-game-vercel directory is not deleted in this PR, leaving a dangling Vercel example with no corresponding source. Either delete it here or regenerate via ./scripts/vercel-examples/generate-vercel-examples.ts after the new examples land.

2. Security inconsistency in the idle base builder spec

The idle-base-builder-leaderboard-2-5d.md spec has conflicting identity claims:

Under Identity Assumption:

"Player identity is a stable playerId stored in localStorage. The client generates a random UUID on first load. The idleWorld actor key is [playerId]."

Under Security Checklist:

"No spoofing: World actor is keyed by server-known identity (c.conn.id)."

These contradict each other. If the actor key is a client-supplied localStorage UUID, any client can impersonate another player by using their UUID. The checklist claim is incorrect for the described design. Either:

• Accept the localStorage UUID model and acknowledge its limitation (cross-device/session persistence at the cost of spoofability), or
• Use c.conn.id as the actor key and drop the localStorage identity.

3. Working example deleted with no replacement

The repo loses its only working multiplayer game example (examples/multiplayer-game) and gains only specs. This is a regression for anyone using the repo to learn from runnable examples. The PR title says "chore" but this is a functional removal. If the replacement examples are not landing in this PR, consider keeping the old example until at least one new one is ready.

4. Minor formatting issue in the FPS spec

In realtime-multiplayer-fps-3d.md (around line 1016), one bullet is missing its leading -:

- Actor-level tests for `fpsMatchmaker` indexing/heartbeat/cleanup with SQLite-backed `matches` table.
Actor-level tests for `fpsMatch`:   <- missing leading -

---

Positives

• Comprehensive specs: each spec covers UX, actors, state shape, actions, events, security checklist, asset sourcing, and testing plan — exactly the right level of detail for implementers.
• Consistent security model: all specs correctly use c.conn.id as the authoritative caller identity and explicitly call out never accepting playerId from the client.
• SQLite for coordinator state: using rivetkit/db for matchmaker/queue state that can grow large is sound — avoids unbounded in-memory arrays.
• Defensive stale cleanup: the matchmaker specs include cleanupStale*() scheduled actions to handle missed roomClosed/matchClosed calls, which is the right approach for crash safety.
• Offline progression pattern: the idle base builder spec's catch-up math (deltaMs = clamp(Date.now() - lastTickAt, 0, MAX_OFFLINE_MS)) and coarse-interval scheduled ticks are well thought out.
• Multiplayer cookbook: .agent/notes/multiplayer-cookbook.md is a solid reference document capturing patterns that should probably eventually land in the public docs.

---

Suggestions

• Resolve the Vercel example drift before or alongside this merge.
• Fix the idle builder security inconsistency in the spec before implementation begins.
• Consider keeping the old examples/multiplayer-game until at least one replacement ships, or add a note in the repo linking to the incoming specs.

[graphite-app]

Security contradiction: The spec states the actor is keyed by client-provided playerId from localStorage, but line 128 claims the actor is "keyed by server-known identity (c.conn.id)".

This is a critical security flaw - if the actor key is [playerId] from localStorage (client-controlled), any client can:

1. Generate or guess another player's UUID
2. Connect to and control that player's world
3. Steal resources, modify buildings, etc.

Fix: Either:

# Option 1: Use c.conn.id as the actor key (ephemeral worlds)
- Key: `[c.conn.id]`
- Use a separate auth token for persistent identity

# Option 2: Use server-issued playerIds
- Require server-side authentication
- Key: `[authenticatedPlayerId]` from token validation
- Never trust client-provided IDs for actor keys

Suggested change

	- Caller identity is `c.conn.id`.
	- Player identity is a stable `playerId` stored in `localStorage`.
	- The client generates a random UUID on first load and persists it.
	- The `idleWorld` actor key is `[playerId]`.
	- The actor still uses `c.conn.id` to identify the caller connection for rate limiting and per-connection events.
	- Caller identity is `c.conn.id`.
	- Player identity is a stable server-issued `playerId`.
	- The server generates and provides a secure player ID upon first connection.
	- This ID is stored in `localStorage` by the client for persistence.
	- The `idleWorld` actor key is `[authenticatedPlayerId]` (server-verified).
	- The actor uses `c.conn.id` to identify the caller connection for rate limiting and per-connection events.

Spotted by Graphite Agent



Is this helpful? React 👍 or 👎 to let us know.