crossmate

PushWorker.md (17642B)

---

 # Push Worker + Sync Simplification
 
 ## Context
 
 After the engagement Worker landed (collaborative live-solving over WebSockets, 2026-05), it became natural to use the same Cloudflare runtime for push notifications. Pings were unreliable for time-critical user-facing events, and the receiver-side heuristics that had grown around them (`SessionMonitor.presentBegins`, the 3-minute quiescence-window scheduler) were brittle. This pass moves the user-facing event notifications onto a second Cloudflare Worker that signs APNs JWTs and pushes alerts directly, while folding the per-cell state for check / reveal / resign into the Moves stream so it propagates collaboratively.
 
 ## What landed (2026-05-27)
 
 ## App Attest migration (2026-06)
 
 The push worker no longer relies on a build-baked `PUSH_BEARER` for normal
 clients. Updated apps enroll a per-install App Attest key through
 `GET /attest/challenge` + `POST /attest/register`, then sign every
 `/register`, `/register DELETE`, and `/publish` request with that key.
 
 The worker stores only the attested public key and assertion counter keyed by
 `deviceID` + `keyID`. This preserves the no-Crossmate-account model: CloudKit
 still owns collaboration identity, and the worker only proves that a request
 came from an attested Crossmate install. Existing games keep working because
 their CloudKit `pushAddress` values are unchanged; updated clients simply
 re-register the same addresses with App Attest request auth.
 
 Deploy requirements:
 
 - `APP_TEAM_ID`, `APP_BUNDLE_ID`, and `APP_ATTEST_ENVIRONMENT` are configured
   in `wrangler.push.toml`.
 - `APP_ATTEST_ROOT_CERT_PEM` must be set as a Worker secret or dashboard
   variable.
 - `ALLOW_LEGACY_PUSH_BEARER = "1"` may be set temporarily for rollback, but
   normal deployment should leave it unset.
 
 ### Worker
 
 - New `Workers/push-worker.js` + `Workers/wrangler.push.toml`.
 - Single Durable Object class `PushRegistry`, sharded by `idFromName("registry")` (one global instance — Crossmate's scale doesn't need per-author sharding).
 - Three push endpoints, all App-Attest-auth gated:
   - `POST /register` — `{deviceID, token, environment, addresses}` upsert. Idempotent.
   - `DELETE /register` — `{deviceID, addresses}` — unregisters dropped address bindings.
   - `POST /publish` — `{kind, addressees, gameID, fromAuthorID, title, alertBody}` — fans out to every addressee's registered devices.
 - APNs JWT (ES256) signed in-Worker via Web Crypto. JWT cached in DO instance memory and refreshed every ~40 min (APNs' rate-limit floor is ~20 min; the 1-hour ceiling is the upper bound).
 - Per-token `environment` field picks sandbox vs production endpoint; iOS reports `"sandbox"` for Debug builds and `"production"` for TestFlight/App Store.
 - Deployed at the push Worker's `*.workers.dev` URL with `preview_urls = false`.
 
 ### Secrets
 
 Loaded via `wrangler secret put --config wrangler.push.toml`:
 
 - `APNS_KEY` — the `.p8` (piped via `< AuthKey_*.p8` stdin redirect; not pasted, because the interactive prompt eats newlines).
 - `APNS_KEY_ID`, `APNS_TEAM_ID` — both 10-char.
 - `APP_ATTEST_ROOT_CERT_PEM` — public Apple App Attest root certificate used
   by the worker to verify the attestation chain.
 
 APNs key is topic-restricted to the app's bundle ID, both environments enabled. Apple caps at 2 APNs keys per Team, so a single key serving both endpoints leaves headroom.
 
 ### iOS plumbing
 
 - `Crossmate/Services/PushClient.swift` — `@MainActor` class. Reads
   `CrossmatePushBaseURL` from `Bundle.main` and signs worker requests via
   `PushRequestAuthenticator`.
 - Idempotent: `updateAPNsToken(_:)` on every `didRegisterForRemoteNotificationsWithDeviceToken` callback, `updateAuthorID(_:)` on every `identity.refresh(...)` site. Worker side dedupes unchanged triples.
 - Account switch: explicit `DELETE /register` for the previous `(authorID, deviceID)` before re-registering.
 - Failures go to `syncMonitor.note(...)` for diagnostics; never user-surfaced.
 
 ### Push kinds (sender-formatted strings, no `loc-key` — Crossmate is English-only)
 
 | Kind | Trigger | Body |
 |------|---------|------|
 | `win` | `sendCompletionPings(resigned: false)` after the local player completes a puzzle | "Alice solved the puzzle 'X'" |
 | `resign` | `sendCompletionPings(resigned: true)` after the local player gives up | "Alice resigned the puzzle 'X'." |
 | `play` | `PuzzleDisplayView.updateActiveNotificationPuzzleID` when scenePhase becomes `.active` | "Alice is solving the puzzle 'X'" |
 | `pause` | Same handler when scenePhase leaves `.active`, plus the selection-clear block at puzzle close | "Alice added 12 letters and cleared 3 letters in the puzzle 'X'" |
 
 Pause uses `LocalSessionTracker` (`Crossmate/Services/LocalSessionTracker.swift`) — a small `@MainActor` counter wired into `store.onLocalCellEdit` that resets on every `begin(gameID:)` and drains on `consume(gameID:)`. The "skip if both counts are zero" guard inside `publishSessionEndPush` handles dedup between scenePhase-background and puzzle-close naturally.
 
 ### Pings that stay
 
 - `.friend` — friendship handshake.
 - `.invite` — re-invite to a game (uses `addressee`; surfaces in the Invited section).
 - `.hail` — engagement room bootstrap.
 - `.join` — the *invite-accept* one (one-shot, when a collaborator first accepts a share). Distinct from the new session-start APN, which is the `play` kind on the push side specifically to avoid this naming collision.
 
 `PingScope` and `PingScopePayload` are gone entirely (only `.check`/`.reveal` used them).
 
 ### Check/reveal/resign in Moves
 
 - New `Crossmate/Models/CheckResult.swift` — `enum CheckResult: Sendable, Equatable, Codable { case right, case wrong }`. Used as `CheckResult?`; `nil` is the canonical "unchecked" value (no `.none` case).
 - `CellMark.pen` / `.pencil` now carry `checked: CheckResult?` instead of `checkedWrong: Bool`.
 - `Game.checkCells` now stamps `.right` on correct entries (previously erased them to `.none`). Wrong entries continue to stamp `.wrong` — pen-vs-pencil style is preserved across the check.
 - Wire format and Core Data keep two parallel `checkedRight` / `checkedWrong` booleans (translation lives in `GameMutator.encodeMark` / `GameStore.decodeMark`). `MovesCodec.Payload.Entry` gets a custom `init(from:)` that defaults `checkedRight` to false so records written by older clients still decode cleanly.
 - Resign reveals propagate via the existing Moves reveal mechanism — peer grids fill in cooperatively. No new `Game.resignedBy` field; a resigned game and a reveal-all-puzzle game look identical at cold start (accepted trade-off — the moment-of-resign signal lives in the APN).
 
 ### SessionMonitor cleanup
 
 Slimmed to what the on-open catch-up banner actually needs:
 
 - Kept: `ingest(_ deltas:)` (bucket accumulation), `consumeOnOpen(gameID:)`, `cancel(gameID:authorID:)`, `bodyText(playerName:puzzleTitle:added:cleared:)`.
 - Removed: `presentBegins`, `scheduleEnd`, the 3-minute quiescence timer, `Bucket.scheduledFor`, `SessionNotificationScheduling` protocol + `RecordingNotificationScheduler` test recorder, `bodyText(for: Session)`, the end-/begin-identifier helpers, the `notificationCenter` and `notificationAuthorization` constructor params.
 
 The on-open banner still says "Alice added 12 letters; Bob added 5 letters" — that path is independent of the new APNs and remains useful as a catch-up when the user opens an unread puzzle.
 
 ## Design decisions
 
 - **Sender-formatted strings, not `loc-key`/`loc-args`.** Crossmate has no `Localizable.strings` / `.lproj` yet. Setting up the localization scaffolding just to feed receiver-side formatting that would produce the same English text is more work than it's worth for a single-locale app. Switch to `loc-key` when a second language ships.
 - **One Durable Object, not per-author sharding.** Single DO instance can comfortably hold thousands of token registrations; `/publish` resolves targets in one `state.storage.list({prefix: ...})` per addressee.
 - **JWT caching is mandatory.** APNs rejects rapidly-rotated provider tokens with `TooManyProviderTokenUpdates`. Cache in DO instance memory (sticky region) — no storage RTTs.
 - **`CellMark` as enum, parallel-Bool storage.** The conceptual model is the optional `CheckResult` enum; the on-disk encoding is two booleans. Translation at the boundary keeps the API clean without requiring a Core Data migration model.
 - **No `Game.resignedBy` distinguisher.** Cold-state conflation of resign vs reveal-all-puzzle is acceptable; the moment-of-resign signal lives in the APN body.
 - **No `lastAction` field on Moves; no Actions record.** Replay is a future feature that will design its own log format with the consuming UX in mind. Designing the granularity now without the consumer would be a guess.
 - **Push registration is fire-and-fetch-error.** Worker is idempotent, so the next launch's APNs callback retries naturally. Failures log to the diagnostics monitor but don't surface to the user.
 - **`preview_urls = false`.** Each preview URL carries the same secret bindings; gratuitous attack surface for no benefit.
 
 ## Badge and sibling-device read horizons (2026-06)
 
 Badge state is now split between durable-ish local truth and best-effort push
 transport:
 
 - The Notification Service Extension and the app share an App Group
   `BadgeState` ledger. It is a per-game horizon map, not a set: `unreadAt`
   advances when a badge-worthy APN is delivered, `seenAt` advances when the
   user opens/clears the game, and a game counts only when `unreadAt > seenAt`.
   This lets stale APNs lose to a newer open without needing CloudKit to arrive
   first.
 - The app icon badge is computed as `BadgeState.unreadGameIDs()` unioned with
   Core Data's unread-other-moves query. Core Data unread games are also seeded
   back into the ledger as `unreadAt` horizons, each stamped with that game's
   newest unseen other-author move time (`latestOtherMoveAt`). The NSE can't
   reach Core Data, so without this seed a push landing on a suspended app would
   re-stamp the badge from the ledger alone and drop any game whose unread state
   arrived purely via CloudKit sync. The seed is safe precisely because the
   ledger is a horizon map and not a set: re-seeding a game the user has since
   opened is a no-op, because its newer `seenAt` still wins. (The old set-based
   ledger couldn't express that, which is why the write-back was dropped when
   the horizon map first landed — and why it is safe to reinstate now.)
 - Ledger entries are maintained by lifecycle event, not reconciled by absence
   (a ledger-only game is ambiguous: it could be push-ahead-of-sync, which must
   count, or a deleted game, which must not). So `BadgeState.forget(gameID:)` is
   called on the two hard-removal hooks — local `onGameDeleted` and sync-driven
   `onGameRemoved` — and `BadgeState.reset()` on the diagnostics data wipe. This
   matters because a deleted game has nothing left to open, so a stale
   `unreadAt > seenAt` entry could never be cleared by a seen horizon and would
   badge forever.
 - The ledger key is `badge.ledger.v2`. The bump from `v1` is a deliberate
   one-shot discard: the `v1` migration off the pre-horizon set stamped
   `unreadAt = now` for every legacy entry, fabricating fresh-unread phantoms
   that no read state could defeat (a future-dated `unreadAt` beats any past
   `seenAt`). `loadLedger` now drops the legacy stores without fabricating, and
   rebuilds from Core Data via the seed above.
 - Each account has an account-scoped push address, published as the existing
   `Decision` record `decision-account-pushAddress` with `kind = account` and
   the address in the payload. This avoids adding CloudKit schema fields while
   giving all devices on the same iCloud account a shared silent-push route.
 - When a device joins a shared game, it sends `accountJoined` to the account
   address. Sibling devices ignore self-sends, fetch/sync, mint their own
   per-game push address if needed, and register with the Worker so they can
   receive that game's future pushes.
 - When a device clears/sees a game, it sends `accountSeen` with
   `senderDeviceID` and `readAt`. Sibling devices ignore self-sends, apply the
   supplied `readAt` to their local read cursor and badge ledger, withdraw any
   matching delivered notifications, and refresh the app badge. Inbound
   `accountSeen`, CloudKit `Player.readAt` updates and ping deletions are
   non-echoing so the account push path remains one-hop rather than a feedback
   loop.
 - If the game is actively visible, the seen push uses the same future
   read-lease horizon as `Player.readAt`. That prevents an account-seen message
   from racing after an active-lease update and accidentally collapsing
   presence on another device.
 
 The push server is still not durable truth for badges. It only transports
 same-account hints quickly. If a silent push is dropped, the next app launch or
 CloudKit fetch recomputes from local Core Data plus whatever the NSE delivered
 on that device.
 
 ## Open items / gotchas
 
 - **Schema deployment is not needed.** Moves records ship the cells as an opaque binary blob; the new `checkedRight` boolean rides inside that blob. No CloudKit dashboard field to add (unlike, say, `Player.readAt`). The `CellEntity.checkedRight` Core Data attribute auto-migrates locally on first launch (Boolean default `NO`).
 - **No visual indicator UI yet.** The cell state is now propagating; rendering it on the grid is separate UX work. Plan was tri-state: subtle dot for `.right`, distinct marker for `.wrong`, cleared when the cell's letter changes.
 - **The bearer in the binary is the only abuse gate.** That matches your stated comfort level (users aren't adversarial). If the binary is ever reverse-engineered the bearer leaks; rotate via `wrangler secret put` if that happens.
 - **Background-time publish.** Backgrounding while in a puzzle fires `publishSessionEndPush` from a `Task` that runs as the app suspends. iOS gives ~5–10 seconds; in practice a small POST to a Cloudflare Worker completes well within that window. If we see drops in the field, switch to a `BGTaskScheduler` background task or a background `URLSession`.
 - **`onPlayerEvent` removed from `PlayerSession`** — the 6 fire sites that used to enqueue check/reveal pings are gone. Anyone re-introducing peer-visible per-action notifications would need to wire a new path; the existing one no longer exists.
 - **Mixed-version peers.** `MovesCodec.Payload.Entry.init(from:)` defaults `checkedRight` to false, so a TestFlight build that's behind on the schema can still decode records from the Simulator. Older builds drop the new flag when re-encoding (they just don't see it), so a check-correct stamped on the new build that round-trips through an older device's re-write would lose its `.right` state. Acceptable transient: the next check on the new device re-stamps.
 
 ## File-level inventory
 
 Added:
 
 - `Workers/push-worker.js`, `Workers/wrangler.push.toml`
 - `Crossmate/Services/PushClient.swift`
 - `Crossmate/Services/LocalSessionTracker.swift`
 - `Crossmate/Models/CheckResult.swift`
 
 Modified:
 
 - `project.yml`, `Crossmate/Info.plist`, `Crossmate/Crossmate.entitlements` — push base URL and App Attest entitlement/configuration
 - `Crossmate/Services/PushRequestAuthenticator.swift` — per-install App Attest enrollment and request signing
 - `Crossmate/Models/CellMark.swift` — enum-based `checked: CheckResult?`
 - `Crossmate/Models/Game.swift` — `setLetter` / `checkCells` updated for new mark API
 - `Crossmate/Models/CrossmateModel.xcdatamodeld` — `CellEntity.checkedRight` attribute
 - `Crossmate/Models/PlayerSession.swift` — `onPlayerEvent` + 6 fire sites removed
 - `Crossmate/Sync/Moves.swift` — `TimestampedCell` / `GridCell` / `RealtimeCellEdit` / `Payload.Entry` gain `checkedRight`
 - `Crossmate/Sync/Presence.swift` — `PingKind` trimmed, `PingScope` / `PingScopePayload` removed, `Ping.scope` removed
 - `Crossmate/Sync/SyncEngine.swift` — `enqueuePing` loses `scope`; `PingPayload` loses `scope`
 - `Crossmate/Sync/RecordSerializer.swift` — `pingRecord(scope:)` removed
 - `Crossmate/Sync/RecordBuilder.swift` — drop `payload.scope` passthrough
 - `Crossmate/Sync/SessionMonitor.swift` — slimmed to bucket accumulation + `consumeOnOpen`
 - `Crossmate/Sync/MovesUpdater.swift` — `enqueue(checkedRight:)`, `Pending.checkedRight`
 - `Crossmate/Sync/GridStateMerger.swift` — propagate `checkedRight`
 - `Crossmate/Persistence/GameMutator.swift` — `encodeMark` returns the triple; cell-edit path passes `checkedRight`
 - `Crossmate/Persistence/GameStore.swift` — `decodeMark` takes the triple; `applyCellCache` / `applyRealtimeCellEdit` updated
 - `Crossmate/CrossmateApp.swift` — `AppDelegate.onAPNsToken` callback; `updateActiveNotificationPuzzleID` fires the play/pause pushes; selection-clear block fires the pause push; `session.onPlayerEvent` callback removed
 - `Crossmate/Services/AppServices.swift` — `PushClient` init wired; `publishCompletionPush` (win + resign), `publishSessionStartPush`, `publishSessionEndPush`, `recipientsAndTitle`; `sendPlayerEventPings` removed; `bodyText(for: Ping)` trimmed; `presentBegins` call site removed
 
 Tests touched: `RecordSerializerMovesTests`, `PendingEditFlagTests`, `GridStateMergerTests`, `MovesUpdaterTests`, `GameStoreUnreadMovesTests`, `Sync/MovesInboundTests`, `Sync/AuthorDeltaTests`, `Sync/EngagementCoordinatorTests`, `Sync/PendingChangeReapTests`, `Sync/SessionMonitorTests`, `GameMutatorTests`, `XDAcceptTests`, `PuzzleNotificationTextTests`, `RecordSerializerTests`.
 
 All unit tests pass. No CloudKit Dashboard changes required.