feat(iv): foundation: gates singleton, JWT token store, feature flag entry

First of set of PRs against the IV integration branch. Lands only the foundation
primitives; no consumer wiring or public API yet.

- Add `FeatureFlag.IDENTITY_VERIFICATION` (IMMEDIATE) so a Turbine kill-switch
  takes effect without a cold start.
- Add `IdentityVerificationGates` singleton (mirrors `ThreadingMode`) holding
  `newCodePathsRun` (featureFlag || jwt_required) and `ivBehaviorActive`
  (jwt_required alone). `FeatureManager.applySideEffects` pushes both values
  in on every refresh, reading from the passed `model` parameter to stay in
  sync with the HYDRATE snapshot.
- Add `JwtTokenStore` (SharedPreferences-backed externalId -> JWT) with an
  `EventProducer<IJwtUpdateListener>` for PR 5's IAM retry to subscribe to.
- Change `ConfigModel.useIdentityVerification` from `Boolean` to `Boolean?`;
  `null` means pre-HYDRATE so PR 2's `getNextOps` deferral can distinguish
  it from an explicit `false`.
- Add `PREFS_OS_JWT_TOKENS` key.
- Register `JwtTokenStore` in DI. `IdentityVerificationService` is deferred
  to PR 2 where its HYDRATE handler has real work.

Tests cover the gate matrix (including the ERROR STATE row where
jwt_required=true overrides a false feature flag), JWT store put/get/
invalidate/prune + listener broadcast, and FeatureManager propagation to
the gates on init and on HYDRATE.

Author: nan-li

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/core/CoreModule.kt

@@ -45,6 +45,7 @@ import com.onesignal.location.ILocationManager
 import com.onesignal.location.internal.MisconfiguredLocationManager
 import com.onesignal.notifications.INotificationsManager
 import com.onesignal.notifications.internal.MisconfiguredNotificationsManager
+import com.onesignal.user.internal.jwt.JwtTokenStore
 
 internal class CoreModule : IModule {
     override fun register(builder: ServiceBuilder) {
@@ -68,6 +69,8 @@ internal class CoreModule : IModule {
         builder.register<ConfigModelStoreListener>().provides<IStartableService>()
         builder.register<FeatureFlagsRefreshService>().provides<IStartableService>()
 
+        builder.register<JwtTokenStore>().provides<JwtTokenStore>()
+
         // Operations
         builder.register<OperationModelStore>().provides<OperationModelStore>()
         builder.register<OperationRepo>()

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/core/internal/config/ConfigModel.kt

@@ -236,13 +236,11 @@ class ConfigModel : Model() {
             setBooleanProperty(::enterprise.name, value)
         }
 
-    /**
-     * Whether SMS auth hash should be used.
-     */
-    var useIdentityVerification: Boolean
-        get() = getBooleanProperty(::useIdentityVerification.name) { false }
+    /** Mirrors backend `jwt_required`. `null` = pre-HYDRATE (distinguish from `false`). */
+    var useIdentityVerification: Boolean?
+        get() = getOptBooleanProperty(::useIdentityVerification.name)
         set(value) {
-            setBooleanProperty(::useIdentityVerification.name, value)
+            setOptBooleanProperty(::useIdentityVerification.name, value)
         }
 
     /**

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/core/internal/features/FeatureFlag.kt

@@ -24,14 +24,17 @@ internal enum class FeatureFlag(
     val key: String,
     val activationMode: FeatureActivationMode
 ) {
-    // Threading mode is selected once per app startup to avoid mixed-mode behavior mid-session.
-    //
     // Remote key (lowercase) must match backend / Turbine flag id.
-    //
     SDK_BACKGROUND_THREADING(
         "sdk_background_threading",
         FeatureActivationMode.APP_STARTUP
     ),
+
+    /** JWT signing of SDK requests. IMMEDIATE so a kill-switch doesn't need a cold start. */
+    IDENTITY_VERIFICATION(
+        "identity_verification",
+        FeatureActivationMode.IMMEDIATE
+    ),
     ;
 
     fun isEnabledIn(enabledKeys: Set<String>): Boolean {

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/core/internal/features/FeatureManager.kt

@@ -8,6 +8,7 @@ import com.onesignal.core.internal.backend.impl.FeatureFlagsJsonParser
 import com.onesignal.core.internal.config.ConfigModel
 import com.onesignal.core.internal.config.ConfigModelStore
 import com.onesignal.debug.internal.logging.Logging
+import com.onesignal.user.internal.jwt.IdentityVerificationGates
 import kotlinx.serialization.json.JsonObject
 
 internal interface IFeatureManager {
@@ -103,14 +104,14 @@ internal class FeatureManager(
             when (feature.activationMode) {
                 FeatureActivationMode.IMMEDIATE -> {
                     nextStates[feature] = desiredState
-                    applySideEffects(feature, desiredState)
+                    applySideEffects(feature, desiredState, model)
                 }
 
                 FeatureActivationMode.APP_STARTUP -> {
                     val hasBeenInitialized = nextStates.containsKey(feature)
                     if (applyNextRunOnlyFeatures || !hasBeenInitialized) {
                         nextStates[feature] = desiredState
-                        applySideEffects(feature, desiredState)
+                        applySideEffects(feature, desiredState, model)
                     } else {
                         val currentState = nextStates[feature] ?: false
                         if (currentState != desiredState) {
@@ -137,13 +138,21 @@ internal class FeatureManager(
     private fun applySideEffects(
         feature: FeatureFlag,
         enabled: Boolean,
+        model: ConfigModel,
     ) {
         when (feature) {
             FeatureFlag.SDK_BACKGROUND_THREADING ->
                 ThreadingMode.updateUseBackgroundThreading(
                     enabled = enabled,
                     source = "FeatureManager:${feature.activationMode}"
                 )
+
+            FeatureFlag.IDENTITY_VERIFICATION ->
+                IdentityVerificationGates.update(
+                    featureFlagOn = enabled,
+                    jwtRequired = model.useIdentityVerification,
+                    source = "FeatureManager:${feature.activationMode}"
+                )
         }
     }
 

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/core/internal/preferences/IPreferencesService.kt

@@ -204,6 +204,9 @@ object PreferenceOneSignalKeys {
      */
     const val PREFS_OS_LOCATION_SHARED = "OS_LOCATION_SHARED"
 
+    /** (String) JSON object mapping externalId -> JWT token. */
+    const val PREFS_OS_JWT_TOKENS = "PREFS_OS_JWT_TOKENS"
+
     // Permissions
 
     /**

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/jwt/IJwtUpdateListener.kt

@@ -0,0 +1,6 @@
+package com.onesignal.user.internal.jwt
+
+/** Notified by [JwtTokenStore] on put/invalidate. Null [jwt] means invalidated. */
+internal interface IJwtUpdateListener {
+    fun onJwtUpdated(externalId: String, jwt: String?)
+}

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/jwt/IdentityVerificationGates.kt

@@ -0,0 +1,48 @@
+package com.onesignal.user.internal.jwt
+
+import com.onesignal.debug.internal.logging.Logging
+
+/**
+ * Current Identity Verification gate state, pushed by `FeatureManager.applySideEffects`.
+ *
+ * The two gates differ on purpose: [newCodePathsRun] also flips on when customer config
+ * (`jwt_required`) is true — honoring customer setup even if our feature flag is off.
+ * [ivBehaviorActive] tracks customer config alone.
+ */
+internal object IdentityVerificationGates {
+    /** Whether new IV-related code paths should run. `featureFlag_IV_ON || jwt_required == true`. */
+    @Volatile
+    var newCodePathsRun: Boolean = false
+        private set
+
+    /** Whether IV-specific behavior (JWT attachment, auth error handling) applies. `jwt_required == true`. */
+    @Volatile
+    var ivBehaviorActive: Boolean = false
+        private set
+
+    /** Idempotent. [source] is logged for traceability when gates change. */
+    fun update(
+        featureFlagOn: Boolean,
+        jwtRequired: Boolean?,
+        source: String,
+    ) {
+        val previousNewCode = newCodePathsRun
+        val previousIvActive = ivBehaviorActive
+
+        newCodePathsRun = featureFlagOn || (jwtRequired == true)
+        ivBehaviorActive = jwtRequired == true
+
+        if (previousNewCode != newCodePathsRun || previousIvActive != ivBehaviorActive) {
+            Logging.info(
+                "OneSignal: IdentityVerificationGates updated: " +
+                    "newCodePathsRun=$newCodePathsRun, ivBehaviorActive=$ivBehaviorActive " +
+                    "(source=$source, featureFlagOn=$featureFlagOn, jwtRequired=$jwtRequired)",
+            )
+        } else {
+            Logging.debug(
+                "OneSignal: IdentityVerificationGates unchanged " +
+                    "(source=$source, newCodePathsRun=$newCodePathsRun, ivBehaviorActive=$ivBehaviorActive)",
+            )
+        }
+    }
+}

OneSignalSDK/onesignal/core/src/main/java/com/onesignal/user/internal/jwt/JwtTokenStore.kt

@@ -0,0 +1,119 @@
+package com.onesignal.user.internal.jwt
+
+import com.onesignal.common.events.EventProducer
+import com.onesignal.common.events.IEventNotifier
+import com.onesignal.core.internal.preferences.IPreferencesService
+import com.onesignal.core.internal.preferences.PreferenceOneSignalKeys
+import com.onesignal.core.internal.preferences.PreferenceStores
+import com.onesignal.debug.internal.logging.Logging
+import org.json.JSONException
+import org.json.JSONObject
+
+/**
+ * Persistent store mapping externalId -> JWT. Multi-user so ops queued under a previous user
+ * can still resolve their JWT at execution time. Storage is unconditional; *usage* of JWTs is
+ * gated on [IdentityVerificationGates.ivBehaviorActive].
+ */
+internal class JwtTokenStore(
+    private val _prefs: IPreferencesService,
+) : IEventNotifier<IJwtUpdateListener> {
+    private val tokens: MutableMap<String, String> = mutableMapOf()
+    private var isLoaded: Boolean = false
+    private val updates = EventProducer<IJwtUpdateListener>()
+
+    override val hasSubscribers: Boolean
+        get() = updates.hasSubscribers
+
+    override fun subscribe(handler: IJwtUpdateListener) = updates.subscribe(handler)
+
+    override fun unsubscribe(handler: IJwtUpdateListener) = updates.unsubscribe(handler)
+
+    fun getJwt(externalId: String): String? {
+        synchronized(tokens) {
+            ensureLoaded()
+            return tokens[externalId]
+        }
+    }
+
+    /** Null [jwt] is a no-op; call [invalidateJwt] to remove a token. */
+    fun putJwt(
+        externalId: String,
+        jwt: String?,
+    ) {
+        if (jwt == null) return
+        val changed: Boolean
+        synchronized(tokens) {
+            ensureLoaded()
+            changed = tokens[externalId] != jwt
+            tokens[externalId] = jwt
+            if (changed) {
+                persist()
+            }
+        }
+        if (changed) {
+            updates.fire { it.onJwtUpdated(externalId, jwt) }
+        }
+    }
+
+    /** Removes the JWT for [externalId] and broadcasts with `jwt = null`. */
+    fun invalidateJwt(externalId: String) {
+        val existed: Boolean
+        synchronized(tokens) {
+            ensureLoaded()
+            existed = tokens.remove(externalId) != null
+            if (existed) {
+                persist()
+            }
+        }
+        if (existed) {
+            updates.fire { it.onJwtUpdated(externalId, null) }
+        }
+    }
+
+    /** Drops JWTs whose externalId isn't in [activeIds]. Call on cold start to bound growth. */
+    fun pruneToExternalIds(activeIds: Set<String>) {
+        val removed: Set<String>
+        synchronized(tokens) {
+            ensureLoaded()
+            val toRemove = tokens.keys - activeIds
+            removed = toRemove.toSet()
+            if (removed.isNotEmpty()) {
+                tokens.keys.removeAll(removed)
+                persist()
+            }
+        }
+        for (externalId in removed) {
+            updates.fire { it.onJwtUpdated(externalId, null) }
+        }
+    }
+
+    /** Caller must hold `synchronized(tokens)`. */
+    private fun ensureLoaded() {
+        if (isLoaded) return
+        val json =
+            _prefs.getString(
+                PreferenceStores.ONESIGNAL,
+                PreferenceOneSignalKeys.PREFS_OS_JWT_TOKENS,
+            )
+        if (json != null) {
+            try {
+                val obj = JSONObject(json)
+                for (key in obj.keys()) {
+                    tokens[key] = obj.getString(key)
+                }
+            } catch (e: JSONException) {
+                Logging.warn("JwtTokenStore: failed to parse persisted tokens, starting fresh: ${e.message}")
+            }
+        }
+        isLoaded = true
+    }
+
+    /** Caller must hold `synchronized(tokens)`. */
+    private fun persist() {
+        _prefs.saveString(
+            PreferenceStores.ONESIGNAL,
+            PreferenceOneSignalKeys.PREFS_OS_JWT_TOKENS,
+            JSONObject(tokens.toMap()).toString(),
+        )
+    }
+}

OneSignalSDK/onesignal/core/src/test/java/com/onesignal/core/internal/features/FeatureFlagTests.kt

@@ -15,4 +15,9 @@ class FeatureFlagTests : FunSpec({
     test("SDK_BACKGROUND_THREADING uses the expected remote key") {
         FeatureFlag.SDK_BACKGROUND_THREADING.key shouldBe "sdk_background_threading"
     }
+
+    test("IDENTITY_VERIFICATION uses the expected remote key and IMMEDIATE activation") {
+        FeatureFlag.IDENTITY_VERIFICATION.key shouldBe "identity_verification"
+        FeatureFlag.IDENTITY_VERIFICATION.activationMode shouldBe FeatureActivationMode.IMMEDIATE
+    }
 })