Translation middleware now extracts viewer_id/steam_id/steam_session_ticket
from the decrypted msgpack dict into HttpContext.Items before the typed
DTO deserialize. The Steam handler reads from there instead of re-parsing
Request.Body — so authed action DTOs no longer need to inherit BaseRequest
to keep the auth fields alive through the msgpack→DTO→JSON pivot.
Retires the recurring footgun documented in
docs/superpowers/specs/2026-06-02-baseRequest-auth-footgun-improvement.md
(2026-05-25 basic-puzzle, 2026-05-28 deck-code, 2026-06-02 Phase 3 Bot,
2026-06-10 profile/index + item_acquire_history/info + user_mypage/update).
Pinned by AuthDecouplingTests — posts an encrypted msgpack body to
/profile/index (DTO does not inherit BaseRequest) through the real
translation middleware + auth handler and asserts 200. Adds an
EncryptedMsgpackHelper + useRealAuthHandler factory flag, reusable for
future wire-shape tests.
ProfileIndexRequest, ItemAcquireHistoryInfoRequest, and
UserMyPageUpdateRequest revert to the naked shape — the per-DTO
workarounds become vestigial under the new architecture.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Mirror of the outer-repo data_dumps/ reorganization (commit e1e595d in
the SVSim outer repo): updates all data_dumps/extract/ → data_dumps/scripts/,
data_dumps/client_master_csv → data_dumps/client-assets, data_dumps/traffic
→ data_dumps/captures/traffic in XML doc-comments and inline comments
across importers, controllers, middlewares, DTOs, and tests. Doc-only;
no logic changes; build green.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
A wiped/fresh client (NukeIdentityOnStartup, new install, or any path
that clears PlayerPrefs) defaults its stored RES_VER to "00000000"
per Cute/SavedataManager.GetResourceVersion. The client builds the
Akamai manifest URL as dl/Manifest/<RES_VER>/<lang>/<Platform>/, and
Akamai 404s the "00000000" path -> Toolbox.AssetManager.InitializeManifest
fails -> the title screen shows "Connection Error / Reconnect"
before any tutorial UI loads.
Fix:
- New ResourceConfig [ConfigSection] in SVSim.Database — single
field RequiredResVer defaulting to "4670rPsPMVlRTd2" (the value
prod returned in data_dumps/traffic_prod_tutorial.ndjson and was
still returning at 2026-05-28 21:00 UTC). Lives in GameConfigs so
it can be tuned via DB / appsettings without code edits.
- ShadowverseTranslationMiddleware injects IGameConfigService and
emits required_res_ver in data_headers ONLY on /check/game_start
responses. NetworkTask.Parse opens a "new data is available" popup
whenever required_res_ver is present and the URL is anything other
than GameStartCheck (NetworkTask.cs:128-138); the suppression on
game_start is what lets us silently bump PlayerPrefs["RES_VER"]
before ResourceDownloader runs.
- DataHeaders gains a nullable RequiredResVer field. DataWrapper.DataHeaders
is now Dictionary<string, object?> instead of the typed DataHeaders POCO
directly — the construction site stays type-safe (the middleware builds
the typed POCO, then projects through the same STJ +
ConvertJsonTreeToPlainObject pipeline that DataWrapper.Data uses) so
null-valued optional fields are absent from the wire instead of being
written as "key":null. Without this, MessagePack's ContractlessStandardResolver
walked the typed properties and wrote required_res_ver=null on every
non-game_start response, tripping the popup on every boot.
- GameConfigurationJsonbTests updated to expect the 9th config section.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds the portal pair (shadowverse-portal.com deck-builder endpoints) as
anonymous routes on the app server. The translation middleware learns a new
[NoWireEncryption] attribute that skips both AES calls but keeps the rest of
the msgpack + base64 + envelope pipeline intact, matching prod's portal wire
profile observed in data_dumps/traffic_prod_deckcode.ndjson.
Storage is a 3-minute IMemoryCache — codes are anonymous-global, 4-char
lowercase alphanumeric (matches the shortest prod sample). Foil bit is
stripped on mint to match prod's normalize-on-encode behaviour.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Two issues caught in a real-client smoke run against the freshly
bootstrapped DB:
1. NRE in ShadowverseTranslationMiddleware for parameterless actions.
Five new actions (Sleeve.Info, LeaderSkin.{Ids,Products},
ItemPurchase.Info, SpotCardExchange.Top) took no parameters, but
the middleware does
`endpointDescriptor.Parameters.FirstOrDefault().ParameterType`
to discover the request DTO — `FirstOrDefault` returns null on a
zero-param action and `.ParameterType` NREs. Tests didn't catch it
because the test client POSTs plain JSON, bypassing this path.
Fix: each action now takes `BaseRequest _` matching the codebase
convention (PuzzleController.Info, BattlePassController.Info, etc.),
plus the middleware throws an actionable
InvalidOperationException pointing at the convention so the next
contributor doesn't repeat the mistake.
2. Leader-skin set sale showed up as "FREE / Claim" with empty
Includes panel after the viewer bought every skin in a series
with no configured bonus items. Root cause: ComputeRewardStatus
emitted status=1 (not_got) when set_sales_status != 0 regardless
of whether rewards.items was empty, and SkinPurchaseInfoTask.
CreateSetSaleInfo flags `is_free=true` on (is_completed &&
not_got). Prod ships status=0 when items is empty even with
set_sales_status==1 — we now mirror that.
504 tests still pass.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
SignUpTask.Parse validates data_headers.udid against Certification.Udid;
mismatch discards the response. Sourced from the same mappedUdid the
translation middleware uses to decrypt — never controller state. Other
endpoints carry the extra key; SignUpTask is the only reader.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
