Commit graph

2 commits

Author SHA1 Message Date
jedarden
e64230b122 fix: resolve universal stalemate — signing format and secret decryption
Two root causes prevented bots from making any moves:

1. SignRequest signing string included timestamp ({match_id}.{turn}.{timestamp}.{hash})
   but all bots implement verifySignature without timestamp ({match_id}.{turn}.{hash}).
   Fixed by dropping timestamp from the signing string; X-ACB-Timestamp header is still
   sent for clock-skew checks but not in the HMAC.

2. The API stores bot secrets AES-GCM encrypted (184 hex chars) in the DB. The worker
   was passing the ciphertext directly as the HMAC key, while bots use their plaintext
   k8s secret (64 hex chars). Fixed by decrypting in the worker using ACB_ENCRYPTION_KEY.

Also tightens the home page winner filter to exclude winner_id="0" stalemates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-30 21:48:25 -04:00
jedarden
6f1b50384c Complete Phase 2: HTTP protocol and 6 strategy bots
Phase 2 Implementation:
- HMAC authentication for engine-to-bot communication
  - Request signing with timestamp anti-replay
  - Response signing for integrity verification
- HTTP bot client with timeout and crash detection
  - Per-turn 3s timeout, 10 consecutive failure crash threshold
  - Move validation (position ownership, direction validity)
- Integration tests for HTTP match execution
- 6 strategy bots in 6 languages:
  - RandomBot (Python): Random valid moves - rating floor
  - GathererBot (Go): Energy-focused with combat avoidance
  - RusherBot (Rust): Aggressive core rushing via BFS
  - GuardianBot (PHP): Defensive core protection
  - SwarmBot (TypeScript): Formation-based group combat
  - HunterBot (Java): Target isolation and hunting

All bots include:
- HMAC signature verification
- Dockerfile for containerization
- README documentation

All engine tests passing (32+ tests)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-24 07:00:38 -04:00
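
The two failures described in commit e64230b122, reproduced as an added example (not code from this repository): a signature made with the stored ciphertext as the HMAC key, or over a signing string that includes the timestamp, is rejected by a bot that verifies `{match_id}.{turn}.{hash}` with its plaintext secret. Assumptions not stated on the page: HMAC-SHA256, the secret's hex text used directly as the key, a stored layout of hex(nonce || ciphertext || tag), and all function names and sample values, which are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// gcmFor builds AES-GCM for key, a stand-in for ACB_ENCRYPTION_KEY.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// decryptSecret opens a stored secret, assumed to be hex(nonce || ciphertext || tag).
func decryptSecret(key []byte, stored string) (string, error) {
	raw, err := hex.DecodeString(stored)
	if err != nil || len(raw) < 12+16 {
		return "", fmt.Errorf("malformed stored secret")
	}
	pt, err := gcmFor(key).Open(nil, raw[:12], raw[12:], nil)
	return string(pt), err
}

// mac is hex HMAC-SHA256 (assumed algorithm), keyed with the secret's text.
func mac(key, msg string) string {
	h := hmac.New(sha256.New, []byte(key))
	h.Write([]byte(msg))
	return hex.EncodeToString(h.Sum(nil))
}

// botVerify is the bot side: signing string {match_id}.{turn}.{hash}, constant-time compare.
func botVerify(secret, matchID string, turn int, hash, sig string) bool {
	return hmac.Equal([]byte(mac(secret, fmt.Sprintf("%s.%d.%s", matchID, turn, hash))), []byte(sig))
}

func main() {
	key, nonce, secret := make([]byte, 32), make([]byte, 12), fmt.Sprintf("%064x", 0xACB) // constructed sample values
	stored := hex.EncodeToString(gcmFor(key).Seal(nonce, nonce, []byte(secret), nil))      // DB form of the secret
	plain, _ := decryptSecret(key, stored)
	v := func(sig string) bool { return botVerify(secret, "m1", 7, "h", sig) }
	fmt.Println(len(stored), v(mac(stored, "m1.7.h")), v(mac(plain, "m1.7.1700000000.h")), v(mac(plain, "m1.7.h")))
}
```

The stored value comes out at 184 hex characters for a 64-character secret (12-byte nonce, 64-byte ciphertext, 16-byte tag), which is why a length check on the HMAC key is a cheap guard against passing ciphertext by mistake.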