chore: impl canInvoke for matchmaker

[NathanFlurry]

Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[railway-app]

🚅 Deployed to the rivet-pr-4253 environment in rivet-frontend

Service	Status	Web	Updated (UTC)
website	❌ Build Failed (View Logs)	Web	Feb 21, 2026 at 8:10 am
frontend-cloud	❌ Build Failed (View Logs)	Web	Feb 21, 2026 at 8:09 am
mcp-hub	✅ Success (View Logs)	Web	Feb 21, 2026 at 8:09 am
frontend-inspector	❌ Build Failed (View Logs)	Web	Feb 21, 2026 at 8:08 am
ladle	❌ Build Failed (View Logs)	Web	Feb 21, 2026 at 8:08 am

[NathanFlurry]

• chore: multiplayer cookbook patterns #4261 : 2 dependent PRs (#4266 , #4268 )
• docs: document queue with interval pattern #4265
• chore(rivetkit): migrate to sqlite instance per-actor for concurrency optimizations #4264
• docs: workflows #4256
• chore(rivetkit): update conns to be hibernatable #4260
• chore(inspector): add back database tab #4255
• chore: impl canInvoke for matchmaker #4253 👈 (View in Graphite)
• chore: multiplayer cookbook #4200 : 1 other dependent PR (#4201 )
• feat(dashboard): bring new tabs back #4249
• fix(rivetkit): fix sqlite teardown logic #4259
• main

---

How to use the Graphite Merge Queue

Add the label merge-queue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

PR Review: chore: impl canInvoke for matchmaker

This PR adds fine-grained access control via canInvoke to all multiplayer game pattern actors, replaces unreliable push-based assignment broadcasts with a polling flow using registration tokens, and adds a workflows doc page. The direction is good. A few issues worth addressing before shipping to production examples.

---

Migration Gaps for Existing Databases

The ensureColumn helper is incomplete — it only adds registration_token but misses other new columns added to the assignments tables.

Arena matchmaker.ts: The assignments table gains both conn_id TEXT and registration_token TEXT in the new CREATE TABLE IF NOT EXISTS, but only registration_token gets an ensureColumn call. Existing databases that already have the assignments table (but without conn_id) will fail on any INSERT that references the new column.

Ranked matchmaker.ts: The assignments table goes from (username, match_id, rating) to adding player_token TEXT NOT NULL, conn_id TEXT, registration_token TEXT. Only registration_token gets ensureColumn. The player_token and conn_id columns are not migrated, so existing databases break on any ranked match completion.

Fix: add the missing ensureColumn calls for arena conn_id (in assignments) and ranked player_token and conn_id (in assignments). Note that adding player_token TEXT NOT NULL via ALTER TABLE requires a DEFAULT in SQLite — either relax the NOT NULL or supply a default value.

---

SQL Injection Pattern in ensureColumn

Both ensureColumn implementations interpolate directly into SQL:

await dbHandle.execute(`PRAGMA table_info(${table})`);
await dbHandle.execute(`ALTER TABLE ${table} ADD COLUMN ${column} ${definition}`);

The TypeScript union types restrict the inputs to known literals so there is no actual injection risk, but the pattern looks unsafe to readers. Either add a comment explaining why it is safe, or use a lookup table to make the constraint explicit.

---

physics2dGame.ts: myConnId May Be Left Unset

The PR removes the block that captured the connection ID:

// Removed:
(handle as unknown as { id: Promise<string> }).id?.then?.((id: string) => {
    this.myConnId = id;
});

If myConnId is still read elsewhere in the class (the diff only shows partial context), it will be uninitialized. Worth confirming the field is either populated via another path (e.g., this.conn.id) or that all downstream uses were also removed.

---

Minor: Polling Interval Has No Jitter

The 200 ms fixed polling interval in arena/menu.tsx and ranked/menu.tsx can cause synchronized bursts from all queued clients. Fine for examples, but a short comment noting the lack of jitter would help readers adapting this to production.

---

Positive Observations

• Replacing broadcast("assigned", ...) with poll-on-registration-token is strictly more correct — the broadcast had a real race window where the assignment could fire before the WebSocket finished subscribing.
• The registration token ties the queue-slot to the creating connection, analogous to CSRF protection for matchmaking.
• Using ReturnType<ReturnType<GameClient["..."]["get"]>["connect"]> instead of manual interface duplications is a meaningful type-safety improvement.
• The canInvoke pattern with a fail-by-default return false is the right default-deny posture.
• The new forbidden-access-control test suite covers all the main enforcement paths clearly.
• The workflow docs page is clean and well-structured.

---

Summary

The two migration gaps are the main actionable items — they cause broken queries on upgrade for any deployed instance of the example. The rest are low-priority notes.