v1.2.7 — Concurrency + Security Hardening
Backend hardening release from the 2026-06-09 automated code review. No user-facing UI changes — concurrency and security fixes in the game server, each with regression tests (162 passing).
Fixed
Concurrency (#167)
- Reaction-bonus cross-game leak — the inbound reaction-bonus counter never reset between games, wrongly blocking a player in round N of the next game. Now resets every new game.
- STEAL on a vanished target — if the target left before the power-up applied, the client still played a "successful" steal animation for 0 points. STEAL now returns an error instead of broadcasting a hollow effect.
Security (#168)
- Admin-bootstrap race — two simultaneous first connections on a fresh install could both be granted admin while only one token persisted, silently locking the other out. Bootstrap now grants exactly one admin atomically under a lock.
- Session-token memory growth — issued-but-never-validated tokens were only evicted on lookup and could grow unbounded (DoS surface). Now swept opportunistically on issue.
- Malformed pack file 500 — a valid-JSON-but-non-object pack crashed the admin setup screen; now degrades gracefully to the default icon.
Verified (no code change needed)
Double round-evaluation, double-submit, pending-removal-on-reset (#167) and the shuffle/answer-index bound (#168) were confirmed already safe under the cooperative single-threaded asyncio model and locked in with regression tests.