Web Push notifications foundation (CIRCLE-38)

[HamptonMakes]

Foundation for in-browser push notifications. No notifications are delivered yet — that lands in follow-up work hooked into comment-reply / mention events.

Linear: CIRCLE-38

What's here

Per-device subscription storage

• New coplan_web_push_subscriptions table (FK to coplan_users) and CoPlan::WebPushSubscription model.
• Stores endpoint, SHA256 endpoint digest (uniquely indexed since FCM endpoints can exceed indexable length), p256dh + auth keys, user agent, last-seen / last-delivered timestamps, and a delivered-counter.
• upsert_for is idempotent and rescues RecordNotUnique for concurrent inserts; record_delivery! uses an atomic increment! so concurrent deliveries can't lose updates.
• device_label returns friendly strings like "Chrome on macOS" / "Safari on iOS".

Service worker

• Served from /coplan_service_worker.js (engine-mounted route), no auth, Cache-Control: no-cache. Rendered inline so reverse proxies that intercept X-Sendfile won't try to reach into the gem on disk.
• Default scope only — push events fire regardless of scope, so we don't broaden it.
• Push handler shows the notification; click handler focuses an existing same-origin tab and navigates it (preserving the URL hash for anchor deep links) or opens a new window.

Subscription endpoints

• POST /web_push/subscription — upserts the browser subscription for current_user.
• DELETE /web_push/subscription — scoped to current_user so a leaked endpoint can't unsubscribe someone else.
• Both 503 when VAPID isn't configured.

Browser-side JS

• coplan/web_push.js ES module with isSupported / permission / isSubscribed / subscribe / unsubscribe. Pinned via importmap.
• Awaits navigator.serviceWorker.ready after register() so PushManager has an active worker (fixes the "no active Service Worker" failure on first subscribe).
• VAPID public key and service worker URL discovered via meta tags rendered only when CoPlan.configuration.web_push_configured?.

Settings UI

• Notifications card on the Settings page: enable/disable on the current device, status text, and a list of all known devices for the user with friendly names + delivery stats.
• New CSS for the settings rows / device list. Also adds [hidden] { display: none !important; } so hidden actually hides .btn elements.

Configuration

• CoPlan::Configuration gains vapid_public_key / vapid_private_key / vapid_subject and web_push_configured?.
• New bundle exec rake coplan:web_push:generate_keys.
• web-push gem added to engine gemspec.
• Host config/initializers/coplan.rb ships a checked-in dev VAPID keypair behind ENV overrides so the Settings UI works out-of-the-box locally. Production should override via env / encrypted credentials.

Verification

• bundle exec rspec → 814 examples, 0 failures.
• New specs: WebPushSubscription model, subscriptions controller (POST/DELETE), service worker route.
• Manually exercised the Settings card: enable / disable / re-enable, device row appears with a friendly name.

Out of scope (next PRs)

• Actual push delivery service (web-push gem + VAPID signing) wired into comment-reply / mention events.
• Opt-in banner that nudges commenters to enable notifications.
• Production VAPID key wiring in coplan-square.

Generated with Amp

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e7b7447ee9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove checked-in fallback VAPID private key

This initializer hardcodes a usable VAPID private key as a default, so any environment that forgets to set COPLAN_VAPID_PRIVATE_KEY will silently run with a publicly known signing key. In that state, anyone who learns a subscription endpoint can forge push messages that appear to come from this app. This should fail closed in non-development environments instead of defaulting to a committed secret.

Useful? React with 👍 / 👎.

[HamptonMakes]

Good catch — fixed in 3f2aa35. The fallback keypair now only applies in Rails.env.development?. In any other env, missing COPLAN_VAPID_* leaves the config nil, which makes web_push_configured? false and disables the meta tags / subscription endpoints / settings card entirely. Also rotated the dev keypair since the prior one is now in commit history.

[chatgpt-codex-connector]

Restore Intel macOS platform support in lockfile

The lockfile now lists only arm64-darwin-25 for macOS and drops x86_64-darwin, which makes Bundler treat Intel Macs as unsupported when using a frozen/deployment lockfile. That blocks bundle install for contributors or CI runners on Intel macOS until the platform is re-added to Gemfile.lock.

Useful? React with 👍 / 👎.

[HamptonMakes]

Fixed in 3f2aa35 via bundle lock --add-platform x86_64-darwin arm64-darwin. Both are back in the lockfile so frozen bundle install works on Intel macOS again. (The original drop was an artifact of bundle install running on this arm64-darwin-25 machine.)