crossmate

SyncRedesign.md (18082B)

---

 # Sync Redesign Plan
 
 ## Context
 
 On 2026-04-21, completing a puzzle on device surfaced two distinct failures:
 
 1. **Data loss**: after filling every cell and seeing the win screen, the puzzle list's preview was missing a square. Re-opening the puzzle confirmed a previously-filled cell had reverted to blank.
 2. **CloudKit throttling**: diagnostic logs showed the container hitting a device-level throttle (`x-cloudkit-error=THROTTLED`, `CKRetryAfter=22`, `ThrottleLabel=Device throttle: container=iCloud.net.inqk.crossmate.v2, type=210/211`) with five distinct `OperationID`s inside a ~2-second window.
 
 These are separate problems with a shared amplifier.
 
 ## Status (as of 2026-04-26)
 
 **Phases 1, 2, 3a, 3b+3c, and 4 are complete.** Only the conditional Phase 5 (WebRTC) remains, gated on measured live-latency being inadequate.
 
 ### Done
 
 - **Phase 1** — _was_: fetch-side LWW guard on `RecordSerializer.applyCellRecord`. Now deleted: Cell records no longer exist in the move-log model.
 - **Phase 2** — _was_: `PushDebouncer`, single-flight push, `CKRetryAfter` handling. Now deleted: replaced by `CKSyncEngine`'s built-in batching and retry.
 - **Phase 3a** — data model and replay plumbing: `MoveEntity`, `SnapshotEntity`, `GameEntity.lamportHighWater`, `MoveLog.swift`, `RecordSerializer` Move/Snapshot builders. Tests in `MoveLogTests.swift`.
 - **Phase 3b+3c** — full move-log + CKSyncEngine adoption (all 9 sub-tasks done):
   1. `MoveBuffer.swift` — coalescing actor, lamport assignment, `MoveEntity` persistence, debounce. Tests in `MoveBufferTests.swift`.
   2. `SyncEngine.swift` — rewritten around `CKSyncEngine`. Delegate handles incoming `Move`/`Snapshot` records, replays `CellEntity` cache, fires `onRemoteMoves`.
   3. `GameMutator.swift` — now emits `Move` to `MoveBuffer`; no direct `CellEntity` writes; `RemoteCellChange` / `Origin` / `applyRemoteCell` deleted.
   4. `GameStore.swift` — restores from move-log replay; `createGame` no longer seeds `CellEntity`; `repairSyncedGamesIfNeeded` / `applyRemoteChanges` deleted.
   5. `AppServices.swift` — constructs `MoveBuffer`, wires into `GameStore`, wires `onRemoteMoves` → `store.refreshCurrentGame()`.
   6. `CrossmateApp.swift` — no changes needed; `syncOnBackground()` already calls `moveBuffer.flush()`.
   7. `OutboxRecorder.swift`, `PushDebouncer.swift`, `PendingChangePayload.swift`, `PendingChange+Helpers.swift` deleted; `PendingChangeEntity` and obsolete token fields removed from data model.
   8. `PushDebouncerTests.swift`, `PendingChangeTests.swift` deleted; `ApplyCellRecordLWWTests` / `PendingChangePayloadTests` suites removed from `RecordSerializerTests.swift`; `GameMutatorTests.swift` pruned to in-memory mutation tests only.
   9. `MoveBufferTests.swift` — 7 tests all passing.
 
 - **Phase 4** — CKShare via per-game zones and dual sync engines, plus shared player identity:
   1. Per-game zones (`game-<UUID>`) with one `CKShare` rooted on the `Game` record; `Move`/`Snapshot`/`Player` records sit in the same zone via `parent` reference, so share inclusion is automatic.
   2. Dual sync engines: one driving `privateCloudDatabase` (owned games), one driving `sharedCloudDatabase` (joined games), parameterised through the same delegate path.
   3. `ShareController` for invitation creation; share-accept handler in `AppServices` accepts via `CKAcceptSharesOperation` and wires the new zone into the shared engine.
   4. `AuthorIdentity` stamps every `Move` with the local iCloud user record name, so multi-author replay attributes correctly.
   5. Share revocation: `markAccessRevoked(gameID:)` flips the local game read-only when the participant is removed; resolves the open question from earlier drafts.
   6. **Player identity** (deviated from the original `namesByAuthor`-on-Game JSON-blob plan in `.claude/plans/shared-player-identity.md`): names ride on per-(game, author) `Player` records (`player-<gameID>-<authorID>`) through the same engine. Each author owns their own record name → no write-write conflicts, no JSON merge primitive, no "must start from latest server record" hazard. `NameBroadcaster` fans out renames to every shared/joined game (debounced 250 ms); `PlayerRoster` resolves entries via the local `PlayerEntity` rows → `CKShare.Participant` name components → email → `"Player"` fallback chain. Colours are device-local in `GamePlayerColorStore`, with collision reassignment when the local user picks a remote colour.
   7. Snapshot pruning correctness fix landed during Phase 4: covered moves are now deleted only after `CKSyncEngine` confirms the snapshot save (`needsPruning` flag on `SnapshotEntity`), preventing data loss when an upload fails permanently.
 
 ### Design decisions already locked in conversation
 
 - **Lamport timestamps** — simple per-game monotonic counter stored in `GameEntity.lamportHighWater`. Bumped on local emit and on receiving a move with a higher lamport. No cross-participant total order; undo-across-participants stays out of scope.
 - **Snapshot cadence** — on game completion + opportunistic when the move log exceeds 200 moves. Starting point; tunable later.
 - **No migration** — user deletes existing games before launching the new version, so the new code can assume the move-log schema from first run.
 - **`CellEntity` stays** — as a replay-driven cache, not source of truth. Views that read `CellEntity` keep working.
 
 ### Gotchas for a fresh session
 
 - The Xcode project is generated by XcodeGen from `project.yml`. Run `xcodegen generate` after adding new `.swift` files or the build target won't see them.
 - The test target is named `Crossmate Unit Tests` (with spaces). Use `-only-testing:'Crossmate Unit Tests/<SuiteName>'`.
 - SourceKit diagnostics in-session regularly claim "Cannot find type X in scope" for Core Data generated classes and cross-file types. These are noise — trust `xcodebuild build` for ground truth.
 - Build target: `'platform=iOS Simulator,name=iPhone 17 Pro'`.
 - The user commits changes themselves — never run `git commit` unsolicited.
 
 ### Root cause: data loss
 
 `RecordSerializer.applyCellRecord` (`Crossmate/Sync/RecordSerializer.swift:129`) unconditionally overwrites the local `CellEntity`'s `letter`, `markKind`, `checkedWrong`, `updatedAt`, `letterAuthorID` with the server's values. There is no LWW check against local `updatedAt` and no check for an outstanding `PendingChangeEntity`. Only `handlePushError`'s `.serverRecordChanged` branch does LWW; the plain fetch path does not.
 
 Reproduction:
 1. User types final letter; local `letter="A"`, pending change queued.
 2. Push is throttled; pending change remains in the outbox.
 3. Interleaved fetch (log: `fetch: changedZoneIDs count=1`) pulls the server's stale copy of that cell (`letter=""`).
 4. `applyCellRecord` overwrites local `letter="A"` with `""`. UI renders blank.
 5. Pending change would eventually re-push `"A"`, but during the window the cell genuinely reads blank.
 
 ### Root cause: throttling
 
 The sync engine writes one `CKRecord` per cell and fires pushes aggressively:
 - No client-side debounce: every keystroke enqueues a `PendingChangeEntity`.
 - No serialisation: multiple `pushChanges()` invocations can produce overlapping `CKModifyRecordsOperation`s (hence the five distinct `OperationID`s in one second).
 - No `CKRetryAfter` handling: on 429, `handlePushError`'s default branch silently leaves the pending change in the outbox, and the next trigger immediately hits CloudKit again, tightening the device cooldown.
 
 ### Why data model is central
 
 Throttling is ultimately about request rate and payload volume, not record shape per se. But the per-cell-record shape makes debouncing and coalescing hard (each cell has its own identity and history), and it doesn't compose with any real-time side-channel — each keystroke is always a record write. A better-chosen data shape removes the hardest constraint before we start tuning knobs.
 
 ## Decision
 
 **Adopt a CloudKit + move-log + CKShare architecture, with WebRTC as deferred optional future work.**
 
 ### Data model: append-only move log
 
 The source of truth for a game's cell state becomes an append-only collection of `Move` records, each describing a single cell mutation:
 
 - `recordName`: `move-<gameUUID>-<lamportOrUUID>`
 - `parent`: reference to the parent `Game` record (so CKShare inclusion is automatic)
 - Fields: `row`, `col`, `letter`, `markKind`, `checkedWrong`, `authorID`, `createdAt`, and a monotonic ordering key (Lamport timestamp or similar).
 
 The grid displayed in the UI is the deterministic replay of the move log. `CellEntity` becomes a local cache populated by replaying moves into Core Data; it is not the source of truth.
 
 Periodic **snapshots** keep the move log bounded: every N moves (or on game completion), write a `Snapshot` record capturing the full grid state and delete moves older than the snapshot. New joiners load the latest snapshot plus the tail of moves since it.
 
 ### Why move log over per-cell-LWW or whole-game blob
 
 | Model | Throttling | Multiplayer correctness | Composes with real-time | Conflict code |
 |---|---|---|---|---|
 | Per-cell records (current) | Bad: per-keystroke write, hard to coalesce | Requires LWW on fetch (not present today) | Awkward: same keystroke would need to flow over two transports | Must implement on every client |
 | Whole-game blob with LWW | Good: coalesces trivially | **Broken**: Bob's blob without Alice's write wipes her cells | Awkward | N/A (wrong) |
 | Whole-game blob with per-cell LWW merge | Good | Works if merge is disciplined | Awkward | Non-trivial merge code on every client |
 | **Move log + snapshots** | **Good**: moves are small, append-only, debouncable | **Works**: each author writes only their own records, no `serverRecordChanged` races on shared cells | **Clean**: the same move unit ships over CloudKit or any side-channel | Deterministic replay; no merge code |
 
 The move log's key property for CKShare is **no write-write conflicts between participants** — Alice and Bob only ever create new records, each with a unique `recordName`. That removes the hardest correctness problem from the table.
 
 ### How coalescing works in the move log
 
 "Coalescing" in this design is really a debounced in-memory buffer that dedupes by cell before anything becomes a record. A keystroke does **not** become a `Move` record at the moment it happens — it sits in an in-memory buffer keyed by `(gameID, row, col)`. A new keystroke in the same cell replaces the pending entry's value. At flush time, each buffer entry becomes one `Move` record with a fresh Lamport timestamp, and all records from one flush go into a **single** `CKModifyRecordsOperation`.
 
 So if the user types `A` → `B` → `C` in the same cell inside the debounce window, only one `Move` record is written, with `letter = "C"`. The intermediate states never exist as records. Flush triggers are: the debounce timer (1–2s), cell-change (flush the old cell before the new one starts accumulating, so the log's causal order matches the user's editing order), app background, and game completion.
 
 This is safe specifically because moves are append-only and each author only writes their own records — local coalescing never has to reason about server state or another participant's writes, which is what breaks the equivalent coalescing in the per-cell-record model.
 
 ### Sync mechanics: CKShare for both async and sync
 
 - Each `Game` record is the root of a `CKShare`. Participants accept the share URL via `UICloudSharingController` and the OS's share-accept handler.
 - `Move` and `Snapshot` records set `parent = Game`, so they are part of the share automatically.
 - The engine drives both `privateCloudDatabase` (owner) and `sharedCloudDatabase` (participant) through the same code paths, parameterised by database handle.
 - `CKDatabaseSubscription` on both databases delivers silent pushes on change; the app wakes, fetches, replays moves into the local cache.
 - Async solving: partner's moves arrive on next fetch; 1–5s latency after push is fine.
 - Sync solving: same mechanism; feels like near-real-time at 1–3s in good conditions.
 
 ### Throttle-safety rules (apply regardless of model)
 
 These are properties the engine must have, independent of the data model choice:
 
 1. **Debounce writes.** Buffer move events in memory; flush at most every 1–2 seconds (or on cell change / app background).
 2. **Single in-flight push.** Serialise `pushChanges()` via an actor or explicit lock so overlapping triggers coalesce rather than fan out.
 3. **Respect `CKRetryAfter`.** On `CKError.serviceUnavailable` / `.requestRateLimited` / `.zoneBusy`, sleep for the returned delay before the next push attempt. Do not break out of drain on transient errors.
 4. **Adopt `CKSyncEngine`.** It handles batching, retry-after, and send-state tracking natively. Re-implementing these primitives has been the source of the current bugs. The minimum deployment target for this redesign is iOS 18 (or iOS 26), so `CKSyncEngine` — including its shared-database support — is available unconditionally.
 
 ### Deferred: WebRTC data channel
 
 If 1–3s live latency proves inadequate in practice, add a WebRTC data channel between live participants:
 
 - Signaling: small records written to the shared CloudKit zone (Alice writes SDP offer; Bob fetches via push, writes answer; ICE candidates exchanged the same way). Signaling latency is irrelevant since it's one-time per session.
 - STUN: public free server (`stun:stun.l.google.com:19302` or similar).
 - TURN: free tier (Cloudflare Calls, Xirsys) or paid (~$0.40/GB, Twilio) for the ~15–20% of sessions that fail direct P2P. Graceful fallback: if P2P fails, use the existing CloudKit move-log path.
 - Implementation: `WKWebView`-hosted WebRTC using WebKit's built-in `RTCPeerConnection` / `RTCDataChannel`. Avoids the ~20 MB `libwebrtc` bundle cost. Swift ↔ JS bridge via `WKScriptMessageHandler` + `evaluateJavaScript`. The app already ships `WKWebView` for NYT auth, so the framework cost is zero.
 
 This is **out of scope for the initial redesign.** CloudKit + move log + CKShare should be shipped and evaluated first. Add WebRTC only if measured live latency is genuinely unacceptable.
 
 ### Rejected alternatives
 
 - **GameKit** (`GKMatch` / `GKTurnBasedMatch`). Requires Game Center authentication, which adds user friction, fails for users who have dismissed the sign-in prompt, and introduces a second identity layer separate from iCloud. The transport advantages do not outweigh the user-facing costs.
 - **Custom backend** (Firebase, Supabase, Convex, Cloudflare Durable Objects, Ably). Violates the no-backend constraint. Kept in mind as a future option if pure-CloudKit proves inadequate at scale.
 - **SharePlay as the primary transport.** Requires an active FaceTime/Messages session, which is not guaranteed. Still a candidate as a future augmentation for call-based live sessions, but cannot replace the async path.
 
 ## Scope of the redesign
 
 ### In scope (initial implementation)
 
 - New `Move` and `Snapshot` record types, with serialisation and replay logic.
 - `CellEntity` becomes a derived cache populated by replay; not the source of truth.
 - No migration. The user is the sole participant and will manually delete existing games before launching the new version. The new codebase is free to assume the move-log schema from the first run.
 - `SyncEngine` rewritten around `CKSyncEngine`, driving both the private and shared databases.
 - Dual-database support: `privateCloudDatabase` for owned games, `sharedCloudDatabase` for joined games.
 - CKShare creation, invitation flow via `UICloudSharingController`, share-accept handler in the app delegate.
 - Per-record `authorID` from `CKUserIdentity` (iCloud identity), so moves attribute correctly in multiplayer.
 - Fix the fetch-side overwrite bug: `applyCellRecord` (or its replacement in the move-log model) must not clobber state without LWW.
 
 ### Out of scope (explicitly deferred)
 
 - WebRTC data channel and signaling.
 - SharePlay integration.
 - MultipeerConnectivity for co-located play.
 - Presence indicators (who is currently in the puzzle) and cursor tracking.
 - Operation-based undo across participants.
 - Conflict UX for the pathological "both type in the same cell in the same second" case — accept Lamport-ordered LWW silently for now.
 
 ## Open questions
 
 _All originally listed questions have been resolved:_
 - _Share revocation: resolved by `markAccessRevoked(gameID:)` — local replay-derived state stays readable, no new moves accepted._
 - _Snapshot cadence and move ordering: resolved (see "Design decisions already locked")._
 
 ## Phasing
 
 Proposed, subject to refinement:
 
 - **Phase 1: Fix the immediate data-loss bug in place.** Teach `applyCellRecord` to check for a pending outbox change or LWW `updatedAt` before overwriting. Keep the per-cell record model. Ships as a patch release.
 - **Phase 2: Throttle-safety.** Implement debounce, serialise pushes, respect `CKRetryAfter` on top of the existing hand-rolled `CKModifyRecordsOperation` engine. Still per-cell records. Ships as the next release; validates that pure-CloudKit with good hygiene is acceptable. The hand-rolled throttle code is understood to be short-lived — Phase 3 replaces it wholesale with `CKSyncEngine`.
 - **Phase 3: Move-log data model + `CKSyncEngine` adoption.** _Landed._ New `Move`/`Snapshot` records, `CellEntity` as cache, replay engine. Transport rewritten around `CKSyncEngine` so batching, retry-after, and send-state tracking come from the framework rather than hand-rolled primitives.
   - **3a.** _Landed._ Data model & replay plumbing.
   - **3b + 3c.** _Landed._ Live wiring + Phase 2 primitive deletion.
 - **Phase 4: CKShare.** _Landed._ Per-game zones, dual-engine sync (private + shared), invitation flow via `ShareController`, share-accept handler, per-author `Player` records for identity, share-revocation handling.
 - **Phase 5 (deferred, conditional):** WebRTC if measured live latency is inadequate. Not justified yet — needs real-world signal.