crossmate

Snapshots.md (5834B)

---

 # Snapshots in Shared Games
 
 Snapshots are a move-log compaction and replay acceleration mechanism. Instead
 of reconstructing a game by replaying every move from an empty grid, a client can
 start from a stored grid snapshot and replay only the moves not included in that
 snapshot.
 
 The current scalar `upToLamport` model is not safe for shared games. It assumes
 there is one global move sequence:
 
 ```text
 Snapshot(upToLamport: 42)
 ```
 
 Replay then skips every move whose Lamport is `<= 42`. That is only correct if
 all devices assign Lamports from a single globally ordered stream. In a shared
 or offline-capable game, two devices can independently create moves with the
 same or overlapping Lamport values. A snapshot from device A at Lamport 42 may
 not include device B's move at Lamport 41. If replay treats B's move as covered,
 that move can disappear from the reconstructed grid.
 
 ## Proposed Model
 
 Use per-replica move clocks and snapshot coverage vectors.
 
 Each move should identify the replica that produced it and that replica's local
 sequence number:
 
 ```text
 Move(replicaID: "device-a", sequence: 12)
 Move(replicaID: "device-b", sequence: 7)
 ```
 
 A snapshot should store the grid plus the highest included sequence for each
 replica:
 
 ```text
 Snapshot(
   grid: ...,
   coverage: [
     "device-a": 12,
     "device-b": 7
   ]
 )
 ```
 
 Replay can then skip a move only when the selected snapshot explicitly covers
 that move:
 
 ```swift
 let coveredSequence = snapshot.coverage[move.replicaID] ?? 0
 let isCovered = move.sequence <= coveredSequence
 ```
 
 This prevents one device's snapshot from accidentally hiding another device's
 move. A move is skipped only if the snapshot proves that the move was folded
 into the snapshot grid.
 
 ## Replay and Conflict Ordering
 
 Snapshot coverage answers one question: which moves are included in this
 snapshot?
 
 Conflict ordering answers a separate question: when multiple moves affect the
 same square, which move wins?
 
 Those should not be represented by the same scalar value. Replay should:
 
 1. Choose a snapshot.
 2. Start from the snapshot grid.
 3. Apply only moves not covered by that snapshot.
 4. Use a deterministic conflict ordering for same-cell writes.
 
 The conflict ordering can be last-writer-wins with a stable tie-breaker, for
 example `(createdAt, replicaID, sequence)` or another explicit ordering chosen
 for product semantics. The important part is that coverage remains per-replica.
 
 The shipped tie-break (`GridStateMerger.shouldReplace`) is
 `(updatedAt, authorID, deviceID)`: per-cell last-writer-wins on the writer's
 wall-clock `updatedAt`, then lex-min `authorID`, then lex-min `deviceID`.
 
 ### Accepted trade-off: cross-device wall-clock skew
 
 The merge, the completion seal (`merge(notAfter: completedAt)`), the pause-push
 diff window, and presence all compare raw device wall clocks across users —
 there is no logical clock and no server-time normalisation on apply. A device
 whose clock runs fast therefore wins every cell conflict regardless of real
 typing order, and its legitimate pre-win letters can be dropped by the
 completion seal when their future-dated `updatedAt` reads as past the latch.
 
 This is accepted as-is rather than mitigated, because the realistic incidence is
 low. iOS defaults to "Set Automatically" (NTP / cellular network time), which
 holds devices within sub-second of true time; quartz drift on a merely-offline
 device is seconds per week. Sub-second skew almost never inverts a merge outcome,
 since that requires two writers to the *same* cell within a real-time gap smaller
 than the skew, and the losing letter in such a tie is usually plausible anyway —
 it is a coin-flip on a shared cell, not silent destruction of unique work. The
 one regime where skew actually bites is a user who has turned off automatic time
 or set the clock manually (minutes to days off); that is self-inflicted
 misconfiguration, and since `CKShare` participants are invited friends, a
 malicious far-future clock is griefing by someone you chose to play with, not a
 cheating-for-advantage vector — there is nothing zero-sum to win in a cooperative
 solve.
 
 If field reports ever surface a "my answer disappeared" trace to a wrong clock,
 the cheap mitigation is to clamp each inbound cell's `updatedAt` to
 `record.modificationDate + ε` on apply, bounding every writer's skew by
 CloudKit's server clock (which all devices share). It is deliberately not built
 speculatively: it adds a permanent "inbound timestamps are rewritten on apply"
 behaviour to reason about, for an edge no user is known to hit.
 
 ## Pruning
 
 Pruning old moves is the risky part. With multiple replicas, snapshots can be
 incomparable:
 
 ```text
 Snapshot A covers device-a: 20, device-b: 5
 Snapshot B covers device-a: 10, device-b: 30
 ```
 
 Neither snapshot fully replaces the other. If moves are deleted merely because
 they are covered by some snapshot, a later replay from a different snapshot may
 miss required moves.
 
 The conservative implementation path is:
 
 1. Add per-replica coverage to snapshots.
 2. Use snapshots only as replay accelerators.
 3. Do not prune moves initially.
 4. Add pruning later only for moves covered by a retained canonical snapshot.
 
 A newer snapshot can safely replace a canonical snapshot when its coverage
 dominates the previous one: for every known replica, the newer snapshot covers at
 least as high a sequence number. Until that rule exists and is tested, retaining
 the move log is safer than compacting it incorrectly.
 
 ## Practical Recommendation
 
 For now, disable snapshot pruning for shared games. It is also reasonable to
 disable shared-game snapshot creation entirely until the snapshot format records
 per-replica coverage. The cost is a larger move log and slower replay for very
 long games; the benefit is avoiding data loss or disappearing squares.