
Questborne

A production-grade AI-driven dark fantasy RPG engine, engineered from scratch with hardened security, real-time D20 mechanics, and a full monetization lifecycle. Concept to Google Play in 20 days.

Mobile Application · $10,500 · 2026

Overview

What We Built

Questborne is a mobile dark-fantasy RPG powered by Google's Gemini AI. The client needed more than a chatbot: they needed a disciplined Game Master that enforces D20 tabletop rules, manages persistent world state across sessions, and operates within a tiered subscription model. We engineered the entire platform from scratch: the AI behavioral system, the hardened Supabase backend, the Flutter-based immersive frontend, and the full Google Play billing integration.

Custom App Development
AI Prompt Engineering
Backend Architecture
Security Engineering
Monetization Integration

Investment

Full Cost Breakdown

The total project cost was $10,500, covering the full Flutter app, Supabase backend, AI integration, Google Play billing, security hardening, and deployment. We quoted this price upfront and stuck to it. During development, the client wanted to adjust the subscription tier structure. Instead of charging extra, we reworked the billing logic within the existing scope and actually found a simpler implementation that saved development time. That saved time went into polishing the dice animation system, which wasn't originally scoped. The client got more than they paid for, and never saw an unexpected invoice.

  • Flutter App (UI, navigation, state management), includes 75+ dark-fantasy art asset integration: $3,200
  • AI System (Hollowed Codex prompt architecture), 50KB+ system prompt with D20 enforcement: $2,800
  • Backend (Supabase, Edge Functions, database), RLS policies, rate limiting, atomic transactions: $1,800
  • Google Play Billing (3-tier subscriptions), server-side receipt validation, edge-case handling: $1,500
  • Security Hardening & Testing, prompt injection testing, race condition prevention: $700
  • Deployment & Play Store Launch, store listing, asset prep, launch support: $500

Total Project Cost: $10,500

The Challenge

What We Were Up Against

Most AI-powered apps are trivially exploitable. Users can manipulate prompts to bypass rules, drain API credits through rapid-fire requests, or fake purchase receipts to unlock premium content. The core challenge was building an AI application where the intelligence layer is genuinely constrained (a Game Master that never breaks character, never grants unfair advantages, and never leaks its own instructions) while the infrastructure underneath is hardened against every common attack vector: prompt injection, API drain, receipt forgery, concurrent credit exploits, and session hijacking.

Specific threats we had to neutralize

  • Prompt injection: users attempting to override AI instructions
  • API credit drain: rapid-fire requests exhausting resources
  • Receipt forgery: faking purchases to unlock premium content
  • Race conditions: concurrent requests exploiting credit logic
  • Session hijacking: unauthorized access to user accounts

Our Approach

How We Solved It

We moved all authority to the server. The Flutter app acts as a display terminal: it renders the story and captures input, but every game decision, every credit deduction, and every purchase validation happens inside secured Supabase Edge Functions where users can't reach the logic. The AI runs through a 50KB+ system prompt architecture (the "Hollowed Codex") that forces Gemini into strict Game Master behavior with D20 skill checks, combat pacing rules, and narrative boundaries. We paired that with sliding-window context management to keep API costs predictable, atomic credit transactions to prevent race conditions, and server-side Google Play receipt verification to make purchase forgery impossible.

Key engineering decisions

  • All game logic runs server-side in Supabase Edge Functions
  • 50KB+ system prompt architecture enforces strict AI behavior
  • Sliding-window context management controls API costs
  • Atomic transactions prevent concurrent credit exploits
  • Server-side Google Play receipt verification blocks forgery

Part 1 of 4

The "Game Master" Intelligence

This wasn't prompt engineering in the typical sense; it was behavioral architecture. We designed a 50KB+ system prompt (the "Hollowed Codex") that transforms Gemini from a general-purpose LLM into a disciplined dungeon master. It enforces D20 skill checks with real probability mechanics, manages combat pacing with turn-based encounter logic, tracks persistent character stats, and maintains narrative consistency across sessions. The AI never breaks character, never grants items outside the loot tables, and never reveals its own instructions, even when users try to trick it.

  • 50KB+ structured system prompt architecture
  • D20 skill check enforcement with real probability
  • Sliding-window context management for cost control
  • Auto-summarization to preserve story across sessions

Part 2 of 4

Security & Anti-Fraud Infrastructure

Security wasn't an afterthought; it was the foundation. We implemented strict Row-Level Security (RLS) policies on every Supabase table so users can only ever access their own data. Server-side sliding-window rate limiters (10 requests per 60 seconds) prevent API drain attacks. Credit deductions use atomic database transactions to eliminate race conditions from concurrent requests. Device fingerprinting and secure token lifecycle management prevent account sharing and session hijacking. Every potential exploit we could identify was closed before launch.

  • Row-Level Security on every database table
  • Atomic credit deduction (no concurrent exploits)
  • Sliding-window rate limiting (10 req/60s)
  • JWT authentication with secure refresh token lifecycle
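The two server-side controls this part describes, a sliding-window rate limiter and an atomic credit deduction, are shown below as an added example written for this page; it is not Questborne's own Edge Function code. The in-memory maps stand in for the Postgres tables an Edge Function would query, the `roundTrip` delay stands in for database latency, and the table and column names in the comments are assumed. The point of the second half is the race itself: `deductUnsafe` reads the balance, waits, then writes, so several concurrent requests all pass the check against the same stale balance, while `deductAtomic` performs check and decrement as one indivisible step, which is what a single conditional `UPDATE` gives you on the database.

```typescript
// Added example (not Questborne's code): sliding-window rate limiting
// (10 requests per 60 s) and atomic vs. check-then-act credit deduction.

const WINDOW_MS = 60_000;
const MAX_REQUESTS = 10;

// Per-user timestamps of accepted requests inside the trailing window.
const requestLog = new Map<string, number[]>();

// Returns true when the request is allowed, false once the user has made
// MAX_REQUESTS requests in the trailing WINDOW_MS. `now` is injectable so the
// behaviour at the window boundary can be tested deterministically.
export function allowRequest(userId: string, now: number = Date.now()): boolean {
  const cutoff = now - WINDOW_MS;
  // Drop timestamps that have aged out of the window (the "sliding" part).
  const recent = (requestLog.get(userId) ?? []).filter((t) => t > cutoff);
  if (recent.length >= MAX_REQUESTS) {
    requestLog.set(userId, recent); // rejected requests are not counted
    return false;
  }
  recent.push(now);
  requestLog.set(userId, recent);
  return true;
}

// ---- credit deduction -------------------------------------------------------

// Simulated credit table (assumed name "credits"): user id -> balance.
const credits = new Map<string, number>();
export function setCredits(userId: string, balance: number): void { credits.set(userId, balance); }
export function getCredits(userId: string): number { return credits.get(userId) ?? 0; }

// Simulated database round trip; any await is a point where another request
// can run.
const roundTrip = () => new Promise<void>((resolve) => setTimeout(resolve, 1));

// VULNERABLE: read the balance, wait for the round trip, then write. Every
// concurrent caller that read before the first write sees the same balance
// and "succeeds", so N requests can spend a single credit N times.
export async function deductUnsafe(userId: string, cost: number): Promise<boolean> {
  const balance = getCredits(userId);
  await roundTrip();
  if (balance < cost) return false;
  credits.set(userId, balance - cost);
  await roundTrip();
  return true;
}

// SAFE: check and decrement happen with no await between them, the in-memory
// equivalent of one conditional UPDATE on the database, e.g.
//   UPDATE credits SET balance = balance - $cost
//   WHERE user_id = $uid AND balance >= $cost RETURNING balance;
// (assumed table/column names). Zero rows updated means "insufficient credits".
export async function deductAtomic(userId: string, cost: number): Promise<boolean> {
  await roundTrip();
  const balance = getCredits(userId);
  if (balance < cost) return false;
  credits.set(userId, balance - cost);
  return true;
}

// Fires `n` concurrent deductions against a balance of exactly 1 and returns
// how many of them reported success. Correct behaviour is 1.
export async function raceDemo(
  deduct: (userId: string, cost: number) => Promise<boolean>,
  n = 5,
): Promise<number> {
  setCredits("race-user", 1);
  const results = await Promise.all(Array.from({ length: n }, () => deduct("race-user", 1)));
  return results.filter(Boolean).length;
}
```

Running `raceDemo(deductUnsafe)` reports 5 successful deductions against one credit, while `raceDemo(deductAtomic)` reports exactly 1; the difference is the whole reason the case study moved deductions into a single atomic database transaction rather than a read-then-write in application code.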

Part 3 of 4

Monetization & Billing

We integrated a complete 3-tier subscription system (Free, Adventurer, Champion) through Google Play In-App Purchases. But the real work was in the edge cases: handling expired cards, mid-cycle cancellations, subscription downgrades, and the gap between a purchase event and Google's server confirmation. A custom Supabase Edge Function validates every receipt server-side with Google's API before granting any credits, making client-side purchase forgery impossible.

  • 3-tier subscription: Free, Adventurer, Champion
  • Server-side receipt validation via Edge Functions
  • Graceful handling of cancellations and downgrades
  • Impossible to fake purchases from the client

Part 4 of 4

Immersive RPG Frontend

The Flutter-based UI was designed to feel like a living game world, not a chat interface. Typewriter text effects pace the narrative naturally. Dice roll animations bring D20 mechanics to life visually. Over 75 hand-crafted dark-fantasy assets were integrated for character portraits, environment art, and UI elements. The entire interface was built to keep players immersed in the Hollowed Codex universe while the real game logic runs silently on the server.

  • Typewriter narrative effects with pacing control
  • Animated D20 dice roll visualizations
  • 75+ integrated dark-fantasy art assets
  • Clean separation: display frontend, logic backend

Project Outcomes

  • Codebase: ~17,000 lines
  • Monetization: 3 tiers
  • Security: Hardened

Working With Us

What It Was Like Working With Us

This wasn't a hand-off project; it was a genuine partnership built on constant communication and full transparency. We kept the client in the loop at every stage with daily progress updates, live demos of new features, and honest conversations about trade-offs. When priorities shifted or new ideas emerged, we adapted fast without losing momentum. The project stayed on budget with no surprise costs: the price we quoted is the price they paid. Every dollar was accounted for, and every decision was made together.

  • Daily updates and progress demos throughout the 20-day build
  • Fast, responsive communication: questions answered within hours, not days
  • Full cost transparency: no hidden fees, no surprise invoices
  • Flexible and adaptive when priorities shifted mid-sprint
  • Client had direct access to the developer, no middlemen
  • Collaborative decision-making on features, design, and trade-offs

Tech Stack

Built With

Flutter · Dart · Supabase · PostgreSQL · Supabase Edge Functions · TypeScript · Google Gemini API · Google Play Billing

FAQ

Frequently Asked Questions

How much did it cost to build the Questborne app?
The total project cost was $10,500, covering the Flutter app, Supabase backend, AI integration, Google Play billing, security hardening, and deployment. The price was quoted upfront with no surprise invoices.

How long did it take to build Questborne?
The entire project went from concept to Google Play launch in 20 days. This included the Flutter frontend, Supabase backend, AI prompt architecture, billing integration, and security testing.

What technologies were used to build Questborne?
Questborne was built with Flutter and Dart for the mobile app, Supabase with PostgreSQL for the backend, Supabase Edge Functions in TypeScript for server-side logic, Google Gemini API for AI, and Google Play Billing for subscriptions.

How is the AI Game Master prevented from being exploited?
All game logic runs server-side in Supabase Edge Functions. A 50KB+ system prompt architecture enforces strict D20 rules. Sliding-window rate limiting, atomic credit transactions, and server-side receipt verification prevent prompt injection, API drain, and purchase forgery.

Try Questborne Yourself

See what we built. Download Questborne on Google Play and experience the engineering firsthand.

Let's Build Something Great

Ready for an App That Actually Works for You?

Most app ideas never ship because the development process is slow, expensive, and opaque. We build production-grade apps from scratch: fast, transparent, and on budget.

  • Custom-coded, no low-code shortcuts
  • Full cost transparency, no surprise invoices
  • Responsive communication throughout the build
Start a Conversation

Typically respond within 24 hours