digital-boardgame-framework 0.8.1 → 0.8.2

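--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "digital-boardgame-framework",
- "version": "0.8.1",
+ "version": "0.8.2",
  "description": "Foundation library for turn-based digital boardgames: deterministic engine plumbing, async multiplayer, agent-friendly bug triage.",
  "keywords": ["boardgame", "board-game", "multiplayer", "async-multiplayer", "turn-based", "game-framework", "supabase", "cloudflare-pages"],
  "author": "John Champaign",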
@@ -59,9 +59,16 @@ create index if not exists dbf_reports_category on dbf_reports(category);
59
59
  create index if not exists dbf_reports_unresolved on dbf_reports(report_id) where resolution is null;
60
60
  create index if not exists dbf_reports_game on dbf_reports(game_id);
61
61
 
62
- -- Row-level security: this library does its own auth via per-player tokens
63
- -- looked up in dbf_games.tokens. Disable RLS or allow the service role only.
64
- -- Do NOT expose these tables directly via PostgREST/anon-key go through
65
- -- your application's server-side endpoints (Cloudflare Pages Functions,
66
- -- Supabase Edge Functions, etc.) which instantiate GameServer with the
67
- -- service-role key.
62
+ -- Row-level security REQUIRED, not optional.
63
+ -- These tables hold secrets (dbf_games.tokens), unredacted game state
64
+ -- (dbf_snapshots.state hidden hands!), and chat. All access goes through your
65
+ -- server endpoints using the SERVICE-ROLE key, which BYPASSES RLS. Enabling RLS
66
+ -- with NO policies therefore denies the public anon key everything (which is
67
+ -- now in client bundles for Realtime) while the server keeps full access.
68
+ -- Realtime *broadcast* doesn't touch these tables, so it's unaffected.
69
+ -- WITHOUT this, anyone with the project URL + anon key can read tokens and
70
+ -- everyone's hidden state. (Supabase flags it as rls_disabled_in_public.)
71
+ alter table dbf_games enable row level security;
72
+ alter table dbf_snapshots enable row level security;
73
+ alter table dbf_messages enable row level security;
74
+ alter table dbf_reports enable row level security;
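Review bot: The default-deny that the new comment (lines 65–67 of the hunk) relies on only holds for roles that are neither the table owner nor marked `bypassrls`, and only for direct table access: a `security definer` function or a pre-15-style view owned by `postgres` that reads these tables, if any exist, would still hand their rows to the anon key, so that caveat belongs next to the `alter table` lines. Since the comment states no client role should ever touch these tables, I would also strip the table privileges rather than lean on RLS alone, e.g. `revoke all on table dbf_games, dbf_snapshots, dbf_messages, dbf_reports from anon, authenticated;` — this keeps PostgREST from exposing them even if someone later adds a permissive policy (it assumes the Supabase roles exist; on plain Postgres the revoke would need a guard). The four `enable row level security` statements are no-ops when already enabled, so re-running the schema file stays safe, but any `dbf_*` table added later needs the same treatment and a comment saying so would help.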