Replace Flask-SocketIO + eventlet with python-socketio AsyncServer on an
ASGI app served by uvicorn (Python 3.14). The server is no longer started
as an import side-effect; `python -m app` runs uvicorn for dev and the
Docker image runs `uvicorn api:app`.

Bug fixes:
- create_game now mints a real uuid gid and returns it to the creator
(was hardcoded 'a').
- play_card resolves the player's hand and plays the selected Card (was
indexing a method and crashing).

Hardening:
- Identity binding: every action derives the seat from the connection
(sid -> {gid, order}); clients no longer pass a player number, closing
the hidden-cards cheat where any client could request any hand.
- Secure token-based reconnect (per-player secret token).
- disconnect handler marks players offline and drops empty games (no
more leaked games), notifying the room via player_connection.
- Guards for unknown gid, double start_game, and bad input; engine
exception messages are forwarded instead of swallowed.
- Lobby payload is public-only (no sids/tokens); game_status carries a
completed flag.
- /health endpoint via other_asgi_app; env-driven CORS and logging.

Infra:
- Dockerfile -> python:3.14-slim, uvicorn CMD, drop dead venv lines.
- requirements.txt -> python-socketio/engineio + uvicorn; drop eventlet,
Flask-SocketIO, Flask-Session.
- docker-compose: drop unused debugpy port and obsolete version key.
- Remove redundant start.py; gitignore /.venv.

Tests: test_socket.py drives the handlers (identity binding, lobby
privacy, reconnect, disconnect cleanup, error handling, play flow).
Full suite: 29 passing.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

test_get_active_player and test_is_guessing_completed built a round 6
(only 8-6=2 tricks) but bid 4, which the engine correctly rejects
(guess must be <= number of tricks). Adjust the bids to legal values
while preserving each test's intent (player 0 stays the unique high
bidder so it leads the first stash).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Engine support for the per-connection Socket.IO API: hands are fetched
explicitly via get_player_cards(player) and the shared status no longer
embeds a single player's cards.