crossmate

NotificationService.swift (13714B)

---

 import UserNotifications
 
 /// Notification Service Extension. Runs in its own process when an APNs alert
 /// arrives with `mutable-content: 1`, with ~30s to mutate the content before
 /// iOS displays it.
 ///
 /// Crossmate uses the NSE for one job only: keep the app-icon badge close to
 /// accurate when push notifications land while the main app is suspended or
 /// terminated. The push-side badge model is a per-game horizon ledger in App
 /// Group UserDefaults (`BadgeState`): pushes advance `unreadAt`, while the app
 /// advances `seenAt` when the user opens the puzzle. Once the main app runs it
 /// unions this provisional push ledger with Core Data ground truth and
 /// re-stamps the badge.
 ///
 /// Whether a push marks its game unread is decided from the per-recipient
 /// `PushPayload` the sender encodes (forwarded opaquely by the worker):
 ///   - a `pause` with unseen cells, or a `win` / `resign` — mark `gameID`
 ///     unread. Per-game horizon semantics make repeats idempotent (a pause
 ///     followed by a win for the same game is one badge unit, not two).
 ///   - a `nudge` (a manual "come play" ping), a legacy `play`, or a `pause`
 ///     with zero counts — presence only; the grid has nothing unseen for this
 ///     recipient, so stamp the current count without growing it.
 /// When the payload is absent (an older sender, or the worker not yet
 /// forwarding it) we fall back to the coarse top-level `kind`.
 final class NotificationService: UNNotificationServiceExtension {
 
     private var contentHandler: ((UNNotificationContent) -> Void)?
     private var bestAttemptContent: UNMutableNotificationContent?
 
     override func didReceive(
         _ request: UNNotificationRequest,
         withContentHandler contentHandler: @escaping (UNNotificationContent) -> Void
     ) {
         self.contentHandler = contentHandler
         self.bestAttemptContent = request.content.mutableCopy() as? UNMutableNotificationContent
 
         guard let bestAttemptContent else {
             contentHandler(request.content)
             return
         }
 
         let userInfo = request.content.userInfo
         let kind = userInfo["kind"] as? String
         let gameID = (userInfo["gameID"] as? String).flatMap(UUID.init(uuidString:))
 
         // Resolve the structured payload. Current senders ship it encrypted
         // (`enc`) under the game's content key, which the app mirrors into the
         // App Group keyed by gameID; decrypt it here. Fall back to the legacy
         // cleartext `payload` an older sender may still send. When `enc` is
         // present but no key has synced yet (a just-joined participant), this is
         // nil and the generic cleartext body stands.
         let encrypted = userInfo["enc"] as? String
         let payload: PushPayload? = {
             if let encrypted, let gameID,
                let key = ContentKeyDirectory.key(for: gameID),
                let opened = PushPayloadCipher.open(encrypted, key: key) {
                 return opened
             }
             return PushPayload.decode(from: userInfo["payload"] as? String)
         }()
 
         // The wire body is now a generic placeholder ("New activity in one of
         // your puzzles") — the real wording never leaves the sender in cleartext.
         // Recompose it here from the (decrypted) structured fields:
         // `PushPayload.composedBody` runs the same builders the sender used,
         // substituting the recipient's private nickname for the sender when one
         // is set (mirrored authorID → nickname into the App Group, with
         // `fromAuthorID` identifying the sender), otherwise the sender's own
         // `playerName` carried in the payload. Recomposing from components means
         // a friend's later rename can never desync the result.
         // Record *why* the rewrite did or didn't happen as a diagnostics
         // receipt — a silent no-op otherwise hides several distinct causes (a
         // bodyless background event, an `enc` we couldn't decrypt, or an older
         // sender with no structured fields). With it, the next occurrence names
         // the cause.
         let fromAuthorID = (userInfo["fromAuthorID"] as? String)
             .flatMap { $0.isEmpty ? nil : $0 }
         let nickname = fromAuthorID.flatMap { NicknameDirectory.entry(for: $0)?.nickname }
         let fromPrefix = fromAuthorID.map { String($0.prefix(8)) } ?? "nil"
         let rewriteOutcome: String
         if bestAttemptContent.body.isEmpty {
             rewriteOutcome = "skipped=empty-body"
         } else if let payload,
                   let rebuilt = payload.composedBody(playerName: nickname ?? payload.playerName ?? "") {
             bestAttemptContent.body = rebuilt
             rewriteOutcome = "applied via=\(nickname != nil ? "nickname" : "payload-name") from=\(fromPrefix)"
         } else if payload == nil {
             rewriteOutcome = encrypted != nil ? "skipped=undecryptable from=\(fromPrefix)" : "skipped=no-payload from=\(fromPrefix)"
         } else {
             rewriteOutcome = "skipped=not-composable from=\(fromPrefix)"
         }
         VisibleNotificationReceiptLog.record(
             body: rewriteOutcome,
             source: "nickname-rewrite"
         )
 
         VisibleNotificationReceiptLog.record(
             body: bestAttemptContent.body,
             source: "notification-service-extension"
         )
         // When the sender attached pause diagnostics, record them as a second
         // receipt so they surface in the app's diagnostics log alongside the
         // visible body — the only channel we have to inspect a peer's
         // sender-side counting inputs without reaching that peer's device.
         if let diagnostics = payload?.diagnostics {
             VisibleNotificationReceiptLog.record(
                 body: diagnostics.summaryLine,
                 source: "pause-diagnostics"
             )
         }
         var updatedUserInfo = bestAttemptContent.userInfo
         updatedUserInfo["crossmateNSELogged"] = true
         bestAttemptContent.userInfo = updatedUserInfo
 
         // Whether this push represents grid changes the recipient hasn't seen.
         // Prefer the structured payload; fall back to the coarse `kind` when it
         // is absent — an older sender, or the worker not yet forwarding it.
         let marksUnread: Bool
         if let payload {
             marksUnread = payload.marksUnread
         } else {
             marksUnread = kind == "pause" || kind == "win" || kind == "resign"
         }
 
         if let gameID, marksUnread {
             BadgeState.markUnread(gameID: gameID)
         }
         // While another device of this account is present in the game, deliver
         // passively: no banner, no sound — the alert drops quietly into
         // Notification Center, where the present device's read-cursor sync will
         // sweep it shortly. The full no-show path (`willPresent` → `[]`) only
         // runs on a foreground app; on an idle sibling the NSE is the only code
         // that runs, and `.passive` is as quiet as it can make an alert push.
         let deliveredPassively = gameID.map { BadgeState.isSuppressed(gameID: $0) } ?? false
         if deliveredPassively {
             bestAttemptContent.interruptionLevel = .passive
         }
         // Fold in pending invites the app published to the App Group: a moves
         // push must not re-stamp the badge to the moves-only count and drop a
         // still-pending invite. The two sets are disjoint, so the union is exact.
         let count = BadgeState.unreadGameIDs()
             .union(BadgeState.pendingInviteGameIDs()).count
         bestAttemptContent.badge = NSNumber(value: count)
         VisibleNotificationReceiptLog.record(
             body: [
                 "game=\(gameID.map { String($0.uuidString.prefix(8)) } ?? "nil")",
                 "kind=\(kind ?? "nil")",
                 "payload=\(payload == nil ? "absent" : "present")",
                 "marksUnread=\(marksUnread)",
                 "passive=\(deliveredPassively)",
                 "ledgerUnread=\(BadgeState.unreadGameIDs().count)",
                 "pendingInvites=\(BadgeState.pendingInviteGameIDs().count)",
                 "stampedBadge=\(count)"
             ].joined(separator: " "),
             source: "notification-service-extension-badge"
         )
 
         // Coalesce successive session-end summaries for one game into the
         // single Notification Center tile they share (same apns-collapse-id).
         // Only a `pause` carrying structured counts can be folded; everything
         // else (and an older payload-less sender) is delivered as prepared.
         let pauseCounts: (fills: Int, clears: Int, checks: Int, reveals: Int)?
         if case let .pause(fills, clears, checks, reveals) = payload?.event {
             pauseCounts = (fills, clears, checks, reveals)
         } else {
             pauseCounts = nil
         }
         let center = UNUserNotificationCenter.current()
         center.getDeliveredNotifications { delivered in
             self.finalize(
                 content: bestAttemptContent,
                 gameID: gameID,
                 fromAuthorID: fromAuthorID,
                 puzzleTitle: payload?.puzzleTitle,
                 playerName: payload?.playerName,
                 pauseCounts: pauseCounts,
                 delivered: delivered,
                 center: center,
                 contentHandler: contentHandler
             )
         }
     }
 
     /// Applies game-tile coalescing once the already-delivered notifications
     /// are known, then hands the (possibly rewritten) content back to iOS.
     ///
     /// A `pause` is low-stakes presence chatter, so it is always delivered
     /// `.passive` — it updates the tile and the app badge without a sound or a
     /// banner-wake. When a tile for this game is already showing, this is a
     /// follow-up session-end push: its counts are folded into the running
     /// per-sender tally the tile carries in `userInfo` and the body is
     /// rewritten to the combined summary. The first push for a game finds no
     /// tile and merely seeds the tally. A non-pause push (or an older
     /// payload-less sender) carries no counts and is delivered unchanged; its
     /// shared collapse id still replaces any tile in place.
     private func finalize(
         content: UNMutableNotificationContent,
         gameID: UUID?,
         fromAuthorID: String?,
         puzzleTitle: String?,
         playerName: String?,
         pauseCounts: (fills: Int, clears: Int, checks: Int, reveals: Int)?,
         delivered: [UNNotification],
         center: UNUserNotificationCenter,
         contentHandler: @escaping (UNNotificationContent) -> Void
     ) {
         guard let gameID, let pauseCounts else {
             contentHandler(content)
             return
         }
 
         let existing = delivered.filter {
             ($0.request.content.userInfo["gameID"] as? String) == gameID.uuidString
         }
         // Seed from whichever existing tile already carries a tally (the most
         // recent wins), else start fresh so this push still records itself.
         var summary = existing
             .compactMap {
                 CoalescedSummary.decode(from: $0.request.content.userInfo["coalescedSummary"] as? String)
             }
             .last ?? CoalescedSummary()
         // Prefer the receiver's private nickname, fall back to the sender's own
         // name from the payload, then to a short author id — so a contributor
         // is always named without parsing the rendered body.
         let authorID = fromAuthorID.flatMap { $0.isEmpty ? nil : $0 }
         let name = authorID.flatMap { NicknameDirectory.entry(for: $0)?.nickname }
             ?? playerName.flatMap { $0.isEmpty ? nil : $0 }
             ?? authorID.map { String($0.prefix(8)) }
             ?? ""
         summary.add(
             authorID: authorID ?? "?",
             name: name,
             fills: pauseCounts.fills,
             clears: pauseCounts.clears,
             checks: pauseCounts.checks,
             reveals: pauseCounts.reveals
         )
         var userInfo = content.userInfo
         if let encoded = summary.encodedString() {
             userInfo["coalescedSummary"] = encoded
         }
         content.userInfo = userInfo
 
         // Always deliver a pause quietly — no sound, no banner-wake — leaving
         // the badge as the only visible signal. Idempotent with the
         // present-sibling suppression path above.
         content.interruptionLevel = .passive
         let coalescing = !existing.isEmpty
         if coalescing {
             if let body = PuzzleNotificationText.coalescedBody(
                 puzzleTitle: puzzleTitle ?? "",
                 contributors: summary.contributors
             ) {
                 content.body = body
             }
             // Drop the superseded tiles so only this freshest one remains; the
             // shared collapse id already replaces a same-id tile, but this also
             // clears any pre-collapse-id leftovers the system won't merge.
             let identifiers = existing.map { $0.request.identifier }
             if !identifiers.isEmpty {
                 center.removeDeliveredNotifications(withIdentifiers: identifiers)
             }
         }
         VisibleNotificationReceiptLog.record(
             body: "coalesced=\(coalescing) contributors=\(summary.contributors.count) passive=true",
             source: "notification-service-extension-coalesce"
         )
         contentHandler(content)
     }
 
     override func serviceExtensionTimeWillExpire() {
         if let contentHandler, let bestAttemptContent {
             contentHandler(bestAttemptContent)
         }
     }
 }