Live · iOS Game · Solo-built

Number Strike Baseball

Real-time PvP number baseball with server-authoritative Elo — and provable anti-cheat.

  • 1,000 bot opponents, tier-distributed
  • 578 lines of Firestore security rules
  • 20+ documented security-hardening rounds
  • 6 languages with full audio design

Overview

Number Strike Baseball is classic bulls-and-cows reimagined as a competitive sport: players guess each other's secret number, with Single, Best-of-3, and Best-of-5 formats, per-format Elo, an 8-tier ladder from Ball Boy to Hall of Fame, and a 1,000-bot AI population so there is always a match.

The interesting engineering is in what clients are not allowed to do: every rating delta, credit movement, and match settlement happens in Cloud Functions transactions with idempotency guards. Clients can never write ratings or credits.

Full stack

  • Flutter · Dart 3 (~32.5k lines)
  • Cloud Firestore (real-time listeners + transactions)
  • Cloud Functions v2 (Node 22)
  • Firebase Auth · FCM · Storage · Hosting
  • Universal Links deep linking
  • Unity Ads · audioplayers (BGM, announcer, crowd)
  • Firestore emulator rules tests · GitHub Actions CI

Engineering highlights

The parts a code review would find interesting.

01 Commit-reveal anti-cheat

Players commit an SHA-256 hash of their secret number before the game; a Cloud Function re-derives and verifies the hash at game end and flags mismatches. Changing your number mid-game is not just blocked — it is cryptographically provable.
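The commit and the end-of-game check described above, sketched as an added example (not the project's own code). Assumptions: a 3-digit secret with distinct digits, a `nonce:secret` preimage layout, and a 16-byte random nonce mixed into the hash, because a bare hash of so small a number space could be enumerated by the opponent. The function names are hypothetical.

```javascript
// Added example: commit-reveal for a secret number with server-side verification.
// Assumptions (not from the project): 3-digit secrets with distinct digits,
// a 16-byte random nonce, and the "nonce:secret" preimage layout.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const SECRET_RE = /^\d{3}$/; // assumed secret format

function isValidSecret(secret) {
  return typeof secret === 'string' && SECRET_RE.test(secret) &&
    new Set(secret).size === secret.length; // digits must not repeat
}

// Client side, before the game: publish only `commitment`, keep the rest private.
function commit(secret, nonceHex = randomBytes(16).toString('hex')) {
  if (!isValidSecret(secret)) throw new Error('invalid secret');
  const commitment = createHash('sha256').update(`${nonceHex}:${secret}`).digest('hex');
  return { commitment, nonceHex, secret };
}

// Server side, at game end: re-derive the hash from the revealed values.
function verifyReveal(commitment, secret, nonceHex) {
  if (!/^[0-9a-f]{64}$/.test(commitment)) return { ok: false, reason: 'malformed-commitment' };
  if (!/^[0-9a-f]{32}$/.test(nonceHex)) return { ok: false, reason: 'malformed-nonce' };
  if (!isValidSecret(secret)) return { ok: false, reason: 'invalid-secret' };
  const expected = createHash('sha256').update(`${nonceHex}:${secret}`).digest();
  const given = Buffer.from(commitment, 'hex'); // 32 bytes, same length as `expected`
  return timingSafeEqual(expected, given)
    ? { ok: true, reason: 'match' }
    : { ok: false, reason: 'mismatch' }; // caller flags the game
}

// Constructed sample run: an honest reveal, then a number changed mid-game.
const sample = commit('427', '00112233445566778899aabbccddeeff');
console.log(verifyReveal(sample.commitment, '427', sample.nonceHex));
console.log(verifyReveal(sample.commitment, '428', sample.nonceHex));
```

The commitment only binds the player if it is stored where the client cannot overwrite it once the game has started.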

02 Server-authoritative settlement

Firestore triggers compute round progression, Elo deltas, credit payouts, and match history inside transactions with idempotency guards — and rating settlement reads canonical profile documents rather than game-doc snapshots, closing client-side manipulation paths.

03 A real vulnerability, found and fixed

The original credit model allowed any authenticated user to drain another player's credits. The redesigned pre-deduct model means each player only ever writes their own document — one of 20+ documented security-hardening rounds covering matchmaking races and privilege escalation.

04 Cross-language contract testing

A shared JSON test-vector fixture is consumed by both the Dart suite and the Node functions suite, keeping client and server ranking logic in provable lockstep.

05 Defense written down

578 lines of Firestore security rules with emulator-backed rules tests, exercised in CI alongside dart format, analyze --fatal-infos, coverage, and ESLint on every push.