Harden reproducibility, security, and deployment #14

Open
Spbd1 wants to merge 1 commit into codex/prepare-parcel-society-for-github-release from codex/review-parcel-society-codebase-for-issues

Spbd1 (Owner) commented May 10, 2026

Motivation

  • Prevent participant impersonation via unsigned cookies and make session cookies tamper-resistant.
  • Ensure experiment reproducibility by making parcel assignment deterministic and honoring preserved uncertainty schedules/events.
  • Preserve server configuration provenance in exports and prepare production DB for safe, versioned migrations.

Description

  • Signed participant session cookie values with an HMAC using APP_SECRET and verify before user lookup, and add the Secure attribute in production (apps/web/lib/api/auth.ts).
  • Made parcel assignment deterministic on join by ordering available parcels and selecting via the seeded RNG (createRandom) using server.randomSeed and join index (apps/web/lib/services/game.ts).
  • Plumbed uncertainty configuration into the engine by adding uncertaintyRuleChangeRounds and uncertaintyPossibleEvents to EngineConfig, loading them from server overrides, passing them into applyRuleChangeIfNeeded, and restricting rule changes to uncertain servers and to configured rounds/events (packages/engine/src/types.ts, packages/engine/src/serverSimulator.ts, packages/engine/src/roundResolver.ts, apps/web/lib/services/game.ts).
  • Added server_configs.csv to the research export containing engine overrides and versioned ServerConfig rows so treatment/tuning provenance and seeds are preserved (apps/web/lib/services/researchExport.ts).
  • Reduced per-participant final-summary exposure by returning server-level aggregates (participant count, exited count, average wealth) instead of exposing other players’ row-level wealth (apps/web/app/api/servers/[serverId]/final-summary/route.ts, apps/web/app/game/[serverId]/final/page.tsx).
  • Added an initial versioned Prisma migration and switched production deploy script to prisma migrate deploy (packages/db/prisma/migrations/20260510120000_initial_schema/migration.sql, packages/db/package.json, docs/deployment.md).
  • Added an engine regression test validating configured uncertainty behavior (packages/engine/src/index.test.ts).

Testing

  • tsc --noEmit -p packages/engine/tsconfig.build.json ran and passed for the engine build.
  • JSON validation: python3 -m json.tool package.json and python3 -m json.tool packages/db/package.json and python3 -m json.tool configs/*.json passed.
  • pnpm install failed in this environment due to a registry 403 fetching @types/node, so workspace dependencies were not installed and full test runs could not execute.
  • Engine unit tests (pnpm --filter @parcel-society/engine test) did not run because vitest was unavailable in the environment (dependency install failed).
  • Typechecks for web app (tsc --noEmit -p apps/web/tsconfig.json) could not complete here because Next/React workspace dependencies were not installed.

Codex Task
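
An added example, not code from this pull request: one way to implement the HMAC-signed participant cookie and the production-only Secure attribute that the description lists for apps/web/lib/api/auth.ts. Only APP_SECRET and the Secure attribute come from the PR text; the `<id>.<tag>` cookie format, the function names, the minimum secret length and the HttpOnly/SameSite attributes are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed cookie format (not taken from the PR): "<participantId>.<base64url HMAC-SHA256 tag>"

// Fail closed when the secret is missing instead of signing with an empty key.
function requireSecret(secret: string | undefined): string {
  if (!secret || secret.length < 16) throw new Error("APP_SECRET missing or too short");
  return secret;
}

function tagFor(participantId: string, secret: string): string {
  return createHmac("sha256", secret).update(participantId, "utf8").digest("base64url");
}

function signCookieValue(participantId: string, secret: string | undefined): string {
  return `${participantId}.${tagFor(participantId, requireSecret(secret))}`;
}

// Returns the participant id only if the tag verifies; callers do the user lookup afterwards.
function verifyCookieValue(cookie: string | undefined, secret: string | undefined): string | null {
  const key = requireSecret(secret);
  if (!cookie) return null;
  const dot = cookie.lastIndexOf("."); // the base64url tag never contains "."
  if (dot <= 0) return null; // unsigned legacy value or empty id
  const participantId = cookie.slice(0, dot);
  const presented = Buffer.from(cookie.slice(dot + 1), "utf8");
  const expected = Buffer.from(tagFor(participantId, key), "utf8");
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (presented.length !== expected.length) return null;
  return timingSafeEqual(presented, expected) ? participantId : null;
}

// Secure is added only in production, as the PR describes; HttpOnly and SameSite are assumptions.
function buildSetCookie(name: string, value: string, production: boolean): string {
  const attrs = [`${name}=${encodeURIComponent(value)}`, "Path=/", "HttpOnly", "SameSite=Lax"];
  if (production) attrs.push("Secure");
  return attrs.join("; ");
}
```

A cookie that carries only a bare participant id, as before signing was introduced, is rejected by `verifyCookieValue`, so existing sessions need to be reissued after deploying a change like this.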
