feat(crdt): Firestore sync_log transport + DualWrite removal (#41) (#126)

* feat(crdt): Firestore sync_log transport + DualWrite removal (#41)

Replace fire-and-forget DualWriteGraphRepository with proper CRDT
changeset sync via Firestore sync_log subcollection. Each device
pushes serialized GraphChangeset docs; other devices pull and merge
using existing LWW merge infrastructure.

- Add maxHlc computed property to GraphChangeset
- Add sync metadata CRUD (getLastSyncedHlc/updateLastSyncedHlc)
- Create FirestoreSyncTransport (push/pull/cleanup)
- Create CrdtSyncState + CrdtSyncNotifier with periodic sync
- Rewire graphRepositoryProvider to always return DriftGraphRepository
- Extract seedFromFirestoreIfNeeded for pre-sync user migration
- Wire sync lifecycle into NavigationShell (init/resume/pause)
- Add sync_log Firestore security rules
- Delete DualWriteGraphRepository and its tests

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(crdt): use maxHlc ordering in pullChangesets query

Firestore requires the orderBy field to match the range filter field.
The previous query ordered by createdAt but filtered on maxHlc, which
would require a composite index in production (fake_cloud_firestore
doesn't enforce this). Switching to orderBy('maxHlc') is actually
better — HLC strings are lexicographically ordered, so this gives
correct causal ordering without needing a composite index.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: nickmeinhold

firestore.rules

@@ -20,6 +20,11 @@ service cloud.firestore {
       match /friends/{friendId} {
         allow read, write: if request.auth != null && request.auth.uid == userId;
       }
+
+      // CRDT sync log: owner reads/writes
+      match /sync_log/{entryId} {
+        allow read, write: if request.auth != null && request.auth.uid == userId;
+      }
     }
 
     // --- Wiki groups ---

lib/src/crdt/firestore_sync_transport.dart

@@ -0,0 +1,122 @@
+import 'package:cloud_firestore/cloud_firestore.dart';
+
+import 'graph_changeset.dart';
+
+/// Transport layer that exchanges [GraphChangeset]s between devices via a
+/// Firestore `sync_log` subcollection.
+///
+/// Each device pushes serialized changesets as documents; other devices pull
+/// and merge. The sync_log is per-user and typically has 1-3 devices, so
+/// filtering by `nodeId` in Dart (rather than a compound Firestore query)
+/// avoids composite index management.
+///
+/// ```
+/// users/{uid}/sync_log/{auto-id}
+///   nodeId: String
+///   changeset: Map<String, dynamic>
+///   maxHlc: String
+///   createdAt: Timestamp (server)
+/// ```
+///
+/// This is a plain Dart class (no Riverpod) — testable with
+/// `fake_cloud_firestore`.
+class FirestoreSyncTransport {
+  FirestoreSyncTransport({
+    required FirebaseFirestore firestore,
+    required String userId,
+  }) : _syncLog = firestore
+            .collection('users')
+            .doc(userId)
+            .collection('sync_log');
+
+  final CollectionReference _syncLog;
+
+  /// Pushes a changeset to the sync_log. Skips empty changesets.
+  ///
+  /// Uses `FieldValue.serverTimestamp()` for `createdAt` so ordering is
+  /// consistent across devices regardless of clock skew.
+  Future<void> pushChangeset({
+    required GraphChangeset changeset,
+    required String nodeId,
+  }) async {
+    if (changeset.isEmpty) return;
+
+    await _syncLog.add({
+      'nodeId': nodeId,
+      'changeset': changeset.toJson(),
+      'maxHlc': changeset.maxHlc,
+      'createdAt': FieldValue.serverTimestamp(),
+    });
+  }
+
+  /// Pulls changesets from other devices written after [sinceHlc].
+  ///
+  /// Orders by `maxHlc` (lexicographic HLC ordering) which doubles as the
+  /// range filter field — this avoids needing a composite Firestore index.
+  /// Entries from [localNodeId] are excluded in Dart rather than via a
+  /// compound query (sync_log is per-user, typically 1-3 devices).
+  Future<List<PulledChangeset>> pullChangesets({
+    required String sinceHlc,
+    required String localNodeId,
+  }) async {
+    // Order by maxHlc — Firestore requires the orderBy field to match
+    // the range filter field. HLC strings are lexicographically ordered
+    // (ISO 8601 + hex counter), so this gives correct causal ordering.
+    Query query = _syncLog.orderBy('maxHlc');
+
+    // Filter by maxHlc > sinceHlc if we have a bookmark.
+    if (sinceHlc.isNotEmpty) {
+      query = query.where('maxHlc', isGreaterThan: sinceHlc);
+    }
+
+    final snapshot = await query.get();
+
+    final results = <PulledChangeset>[];
+    for (final doc in snapshot.docs) {
+      final data = doc.data()! as Map<String, dynamic>;
+
+      // Skip our own entries (filtered in Dart, not Firestore).
+      if (data['nodeId'] == localNodeId) continue;
+
+      final changesetJson = data['changeset'] as Map<String, dynamic>;
+      results.add(PulledChangeset(
+        changeset: GraphChangeset.fromJson(changesetJson),
+        maxHlc: data['maxHlc'] as String,
+      ));
+    }
+
+    return results;
+  }
+
+  /// Deletes old sync_log entries with `maxHlc <= beforeHlc`.
+  ///
+  /// Call periodically to prevent unbounded growth of the sync_log.
+  /// Safe to call at any time — only affects entries that all devices
+  /// have already processed (confirmed by their sync metadata).
+  Future<int> cleanup({required String beforeHlc}) async {
+    final snapshot = await _syncLog
+        .where('maxHlc', isLessThanOrEqualTo: beforeHlc)
+        .get();
+
+    if (snapshot.docs.isEmpty) return 0;
+
+    final batch = _syncLog.firestore.batch();
+    for (final doc in snapshot.docs) {
+      batch.delete(doc.reference);
+    }
+    await batch.commit();
+
+    return snapshot.docs.length;
+  }
+}
+
+/// A changeset pulled from the sync_log, paired with its `maxHlc` bookmark.
+class PulledChangeset {
+  const PulledChangeset({
+    required this.changeset,
+    required this.maxHlc,
+  });
+
+  final GraphChangeset changeset;
+  final String maxHlc;
+}

lib/src/crdt/graph_changeset.dart

@@ -65,6 +65,37 @@ class GraphChangeset {
       topics.length +
       topicDocuments.length;
 
+  /// The lexicographically highest HLC across all rows, or empty string if
+  /// the changeset is empty.
+  ///
+  /// Used by the sync transport layer as a bookmark — the Firestore sync_log
+  /// stores this alongside each changeset so pull queries can filter by
+  /// `maxHlc > sinceHlc` without deserializing the full changeset.
+  String get maxHlc {
+    if (isEmpty) return '';
+
+    var best = '';
+    for (final c in concepts) {
+      if (c.hlc.compareTo(best) > 0) best = c.hlc;
+    }
+    for (final r in relationships) {
+      if (r.hlc.compareTo(best) > 0) best = r.hlc;
+    }
+    for (final q in quizItems) {
+      if (q.hlc.compareTo(best) > 0) best = q.hlc;
+    }
+    for (final d in documents) {
+      if (d.hlc.compareTo(best) > 0) best = d.hlc;
+    }
+    for (final t in topics) {
+      if (t.hlc.compareTo(best) > 0) best = t.hlc;
+    }
+    for (final td in topicDocuments) {
+      if (td.hlc.compareTo(best) > 0) best = td.hlc;
+    }
+    return best;
+  }
+
   /// Serializes to wire format using SQL column names.
   ///
   /// TypeConverter columns (`tags`, `type`) are serialized through their

lib/src/models/crdt_sync_state.dart

@@ -0,0 +1,64 @@
+import 'package:meta/meta.dart';
+
+/// Phase of the CRDT sync lifecycle.
+enum CrdtSyncPhase { idle, pushing, pulling, merging, error }
+
+/// Immutable state for the CRDT changeset sync process.
+///
+/// Tracks the current phase, last successful sync time, and aggregate
+/// counts for push/pull/merge operations (useful for diagnostics and
+/// dashboard display).
+@immutable
+class CrdtSyncState {
+  const CrdtSyncState({
+    this.phase = CrdtSyncPhase.idle,
+    this.lastSyncedAt,
+    this.pushedCount = 0,
+    this.pulledCount = 0,
+    this.mergedCount = 0,
+    this.errorMessage = '',
+  });
+
+  static const initial = CrdtSyncState();
+
+  final CrdtSyncPhase phase;
+
+  /// When the last successful sync completed (null if never synced).
+  final DateTime? lastSyncedAt;
+
+  /// Number of rows pushed in the last sync cycle.
+  final int pushedCount;
+
+  /// Number of changesets pulled in the last sync cycle.
+  final int pulledCount;
+
+  /// Number of rows actually merged (won LWW) in the last sync cycle.
+  final int mergedCount;
+
+  /// Error message from the last failed sync, or empty string.
+  final String errorMessage;
+
+  /// Whether a sync is currently in progress.
+  bool get isSyncing =>
+      phase == CrdtSyncPhase.pushing ||
+      phase == CrdtSyncPhase.pulling ||
+      phase == CrdtSyncPhase.merging;
+
+  CrdtSyncState copyWith({
+    CrdtSyncPhase? phase,
+    DateTime? lastSyncedAt,
+    int? pushedCount,
+    int? pulledCount,
+    int? mergedCount,
+    String? errorMessage,
+  }) {
+    return CrdtSyncState(
+      phase: phase ?? this.phase,
+      lastSyncedAt: lastSyncedAt ?? this.lastSyncedAt,
+      pushedCount: pushedCount ?? this.pushedCount,
+      pulledCount: pulledCount ?? this.pulledCount,
+      mergedCount: mergedCount ?? this.mergedCount,
+      errorMessage: errorMessage ?? this.errorMessage,
+    );
+  }
+}