crossmate

ReadHorizons.md (9188B)

---

 # Problem: cross-device read-horizon / presence collapse
 
 This document captures an unresolved design problem in the read-cursor /
 unread-badge sync path. It is written to be picked up cold in a new session.
 **No fix is committed for it yet that works** — see "Current state" below.
 
 ## TL;DR
 
 The account's read horizon (`GameEntity.lastReadOtherMoveAt`) and its
 "a device is actively present" lease are squeezed into a **single
 last-writer-wins scalar** carried on **one Player record per (game, account)**.
 That structure cannot represent "device A has left but device C is still
 present," so any attempt to stop a leaving device from collapsing another
 device's active lease is unsolvable with the data we currently store. Two
 successive fixes attempted it and both were wrong. We need to decide between
 (a) accepting the bounded, self-healing limitation, or (b) making presence
 per-device, which is a schema + sync change.
 
 ## Background: how the read horizon works today
 
 - `GameEntity.lastReadOtherMoveAt` is the per-account "how far we've read other
   authors' moves" horizon. The unread badge / session nudge fires when a peer
   (different iCloud account) has a `MovesEntity.updatedAt` later than this
   horizon. See `GameStore.unreadOtherMovesGameCount()` and `GameSummary`.
 - A **future-dated** horizon is an *active-session lease*: "a device of this
   account is in the puzzle right now, suppress badges/nudges until this time."
   `publishReadCursor(.activeLease)` writes `now + readLeaseDuration` (10 min)
   and refreshes only when less than `readLeaseRefreshFloor` (5 min) remains
   (`AppServices.swift`). Exit/background writes `now` (`.currentTime`),
   intentionally closing the lease.
 - The horizon is shipped to other devices on the Player record's `readAt`
   field. **Outbound `readAt` is built from `entity.game?.lastReadOtherMoveAt`**
   (`RecordBuilder.swift:135`) — i.e. every device publishes the single shared
   account scalar, not its own lease.
 - Inbound: `RecordApplier.applyPlayerRecord` adopts `readAt` (and the
   `sessionSnapshot` catch-up baseline) **above** the selection `updatedAt` LWW
   guard but **under** the per-record etag freshness guard, then calls
   `onReadCursor` → `GameStore.noteIncomingReadCursor` for our own account's
   records only (`authorID == localAuthorID`). This hoist was commit `3835f0f`
   ("Converge the catch-up baseline regardless of cursor recency"), which fixed a
   real duplicate-catch-up-banner bug.
 
 ## The decisive fact (why the recent fixes fail)
 
 **Player records are one per `(game, author)`, with no device component:**
 
 ```
 RecordSerializer.swift:62
   static func recordName(forPlayerInGame gameID: UUID, authorID: String) -> String {
       "player-\(gameID.uuidString)-\(authorID)"   // <-- no deviceID
   }
 ```
 
 All of an account's devices share the *same* `authorID`, so they all write the
 *same* Player record. Consequences:
 
 1. CloudKit resolves concurrent device writes by **last-writer-wins**. The
    record's `readAt` is simply whoever wrote most recently.
 2. Locally there is exactly **one** `PlayerEntity` row per `(game, authorID)`.
    The per-record etag guard (`applyPlayerRecord`, the
    `incomingIsAtLeastAsFresh` check) rejects older CloudKit server snapshots
    than the local etag, so the `readAt` that reaches `noteIncomingReadCursor`
    is from the accepted/current server version of that one Player record. That
    does **not** mean its `updatedAt` value is semantically freshest; the
    catch-up-baseline bug existed precisely because the accepted record could
    carry a stale `updatedAt`.
 3. There is **no stored representation of an individual device's lease.** "A
    left, C is still here" is unrepresentable; the scalar holds only the last
    write.
 
 ## The original concern and why it is inherent, not a bug we introduced
 
 Red-team round 1 worried that a leaving device's record could move
 `lastReadOtherMoveAt` backward and collapse another device's active future
 lease, briefly reopening unread badges / pause nudges. With the one-record LWW
 model this is just **last-writer-wins on a shared scalar**: if device A closes
 (writes `now`) after device C leased `now+10m`, the record now says `now`. Other
 devices adopt `now`. It is bounded and **self-healing**: the still-active device
 re-leases within ≤5 min (`readLeaseRefreshFloor`), and a foreground device marks
 inbound moves read on arrival anyway. It cannot be "fixed" without representing
 C's lease separately from A's close.
 
 ## What was attempted (both wrong)
 
 1. **`0ccbe90` — `protectActiveLease` floor (committed).** Made
    `noteIncomingReadCursor` refuse any incoming `readAt` below an unexpired
    future horizon. **Broke clean closes:** a real close from another device is
    indistinguishable from a stale echo (both are "a value below the current
    future horizon"), so legitimate closes were ignored and a stale future lease
    was held — suppressing badges/nudges for up to the 10-min lease.
 
 2. **`e2d863a` — recompute from sibling rows (committed).** Replaced the
    floor with `horizon = max(incoming, min(current, now), max sibling
    PlayerEntity.readAt)`. **Two fatal flaws, both correct per red-team:**
    - **P1:** "max over sibling `PlayerEntity` rows" assumes per-device rows that
      do not exist (one row per author). In production it degenerates to the
      single LWW row and distinguishes nothing. The accompanying test fabricated
      `player-A`/`player-B` rows with the same author — impossible.
    - **P1:** `min(current, Date())` floors at wall-clock *processing* time, not
      the actual departure time. A late-processed close (device left 10:02,
      received 10:05, old lease 10:10) advances the horizon to 10:05 and marks
      peer moves made 10:02–10:05 as read even though no device saw them.
 
 ## Current state
 
 - Committed: `3835f0f` (good, keep), `0ccbe90` (broken floor), and `e2d863a`
   (broken recompute).
 - `PLAN.md` is untracked documentation. The working tree may otherwise be clean
   depending on whether this file has been added.
 - The unit suite currently passes, but only because the test was written to the
   fictional model. Passing is not meaningful here.
 
 ## Options to decide between
 
 **Option A — Revert to the plain-adopt baseline (recommended as the floor).**
 Restore `noteIncomingReadCursor` to simply
 `_ = setReadCursor(gameID: gameID, readAt: readAt)` (the pre-`0ccbe90` behavior),
 i.e. revert both `0ccbe90` and `e2d863a` back to the `3835f0f` state. This is
 the LWW-consistent choice: trust the account's latest resolved
 `readAt`, allow backward movement. It has **no false-negative** (a close to
 10:02 yields horizon 10:02; later moves badge correctly — Finding 2 gone) and
 **no fictional data dependency** (Finding 1 gone). Its only cost is the inherent
 round-1 collapse, which is bounded (≤5 min) and self-healing. The catch-up
 baseline fix from `3835f0f` is preserved.
 
 **Option B — Make presence per-device (the real fix, larger).** Represent each
 device's lease separately so the account horizon can be a true max over *live*
 device leases. Sketch:
 - Give the Player record a `deviceID` (like Moves/Journal/Ping already do:
   `moves-<game>-<author>-<device>`), so each device owns its own row, OR add a
   separate lightweight per-device presence/lease record.
 - Compute the suppression horizon as the max **unexpired** lease across the
   account's own device rows; let truly-read progress be a separate monotonic
   value that never moves backward.
 - This is what the round-2/round-3 attempts *wanted* to do but couldn't, because
   the rows didn't exist. It is a schema + sync-path change with migration
   considerations and should be scoped deliberately. Note CloudKit production
   cannot be inspected/edited via the dashboard, so verify via on-device
   diagnostics.
 
 **Option C — Status quo (`0ccbe90`/`e2d863a` as-is).** Not recommended: the
 committed follow-up still relies on per-device Player rows that do not exist
 and can mark unseen moves read via the wall-clock processing-time floor. This
 is worse than the occasional spurious nudge Option A allows.
 
 ## Recommendation
 
 Take **Option A now** to get back to a correct, simple baseline, then decide
 separately whether the round-1 collapse is worth **Option B**. My read: the
 collapse is minor and self-healing, so Option A may be sufficient on its own and
 Option B is only worth it if real-world reports show spurious badges/nudges
 while a sibling is demonstrably active.
 
 ## Key references
 
 - `Crossmate/Sync/RecordSerializer.swift:62` — Player record name (the root fact)
 - `Crossmate/Sync/RecordBuilder.swift:135` — outbound `readAt` = shared scalar
 - `Crossmate/Sync/RecordApplier.swift` (`applyPlayerRecord`) — etag guard, the
   `3835f0f` hoist, `onReadCursor`
 - `Crossmate/Persistence/GameStore.swift` — `noteIncomingReadCursor`,
   `setReadCursor`, `noteIncomingMovesUpdate`, `markOtherMovesRead`
 - `Crossmate/Services/AppServices.swift` — `publishReadCursor`,
   `readLeaseDuration` (10 min), `readLeaseRefreshFloor` (5 min), the
   `accountSeen` push path (~2208), the incoming-cursor drain (~486)
 - Commits: `3835f0f` (keep), `0ccbe90` and `e2d863a` (revert)