From d5a8a2a14cb14ecd00827ddc96873f3db79573fd Mon Sep 17 00:00:00 2001
From: Thomas Hallock <thomas@evolutioniq.com>
Date: Mon, 6 Oct 2025 13:26:49 -0500
Subject: [PATCH] fix: enforce playerId must be explicitly provided in arcade
 moves
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Player IDs (database avatar IDs) must never be conflated with or fall back
to user/guest IDs. This commit makes playerId a required field in all game
moves and throws an error if missing.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 apps/web/src/hooks/useArcadeSession.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/apps/web/src/hooks/useArcadeSession.ts b/apps/web/src/hooks/useArcadeSession.ts
index a48eed71..0b957c47 100644
--- a/apps/web/src/hooks/useArcadeSession.ts
+++ b/apps/web/src/hooks/useArcadeSession.ts
@@ -126,10 +126,15 @@ export function useArcadeSession<TState>(
   }, [connected, autoJoin, userId, joinSession])
 
   // Send move with optimistic update
-  const sendMove = useCallback((move: Omit<GameMove, 'playerId' | 'timestamp'>) => {
+  const sendMove = useCallback((move: Omit<GameMove, 'timestamp'>) => {
+    // IMPORTANT: playerId must always be explicitly provided by caller
+    // playerId is the database player ID (avatar), never the userId/viewerId
+    if (!('playerId' in move) || !move.playerId) {
+      throw new Error('playerId is required in all moves and must be a valid player ID')
+    }
+
     const fullMove: GameMove = {
       ...move,
-      playerId: userId,
       timestamp: Date.now(),
     } as GameMove