fix: Preserve user identity across iOS prewarm launches

[nan-li]

Description

One Line Summary

Defer SDK ops during iOS prewarm (before first unlock) so the cached user isn't overwritten by an orphan; mirror identifiers to NSFileProtectionNone storage for NSE/locked-storage reads.

Details

Motivation

Fixes SDK-4725: when iOS prewarms the app before first unlock, shared App Group UserDefaults reads return nil. The SDK then loads the cached user as empty, falls through to createUser, mints a new server-side user, and overwrites the prior identity / external_id / tags on disk once UD becomes readable.

Scope

• New OSResilientStorage — file-backed NSFileProtectionNone JSON mirror of opaque identifiers (app_id, subscription_id, receive_receipts_enabled, has_prior_session).
• OneSignalConfig.shouldAwaitAppIdAndLogMissingPrivacyConsent gets a third branch via an isProtectedDataAvailableProvider closure the main app injects at +OneSignal.init. NSE leaves the provider nil → treats storage as available (NSE uses the mirror directly).
• OneSignal.m seeds an atomic-BOOL one-way latch via a UD probe + UIApplication.isProtectedDataAvailable tiebreaker, registers a UIApplicationProtectedDataDidBecomeAvailable observer (CAS-gated, runs at most once per process) that re-drives start() / sendPushTokenToDelegate / LA / IAM / startNewSession:YES post-unlock.
• OSModelStore.refresh() re-reads UserDefaults if models is empty so post-unlock start() sees disk state.
• OneSignalIdentifiers.subscriptionId / storedAppId fall back to the mirror when UD reads are empty.
• NSE isReceiveReceiptsEnabled falls back to the mirror.
• LA request prepareForExecution paths switched from _user?.pushSubscriptionModel.subscriptionId → OneSignalIdentifiers.subscriptionId so LA requests built during prewarm still resolve a sub id.
• handleAppIdChange nil-guards prevAppId (no destructive clear on a fresh install) and extends the clear set to keep UD + mirror in lockstep.

What does NOT change

• Public SDK API surface.
• Normal unlocked-device launches: the seed reports YES and +init runs synchronously as before.
• NSE behavior on unlocked devices is unchanged (UD reads return values, mirror fallback is never consulted).

Testing

Unit testing

• OSResilientStorageTests — 8 tests on the public API.
• OSModelStoreRefreshTests — 4 tests on the post-unlock refresh path.
• OneSignalIdentifiersFallbackTests — 6 tests on UD→mirror fallback.
• OneSignalUserTests.testStartDefersUntilProtectedDataAvailableThenProceeds — regression test for the start() defer-then-proceed contract.

Manual testing

On a real device (simulators don't reproduce locked-storage reliably):

• Reboot → don't unlock → send a push → NSE fires receive receipt.
• Reboot → wait for prewarm → unlock → OSID unchanged, no new orphan user server-side.
• Normal cold-launch on an unlocked device → OneSignal.User.addTag(...) immediately after initialize lands.
• Lock + unlock with app running → SDK calls keep working through the lock; no duplicate session_count / fetchUser on the unlock.
• Upgrade from main to this branch → OSID/cached user preserved, no orphan created, data loaded correctly

To reproduce original behavior on main, use physical device:

1. start a live activity on screen (causes prewarm to happen consistently)
2. then reboot phone but don't unlock yet
3. the app is likely to go into a prewarm
4. Look on dashboard and see new user and subscription from that device

Affected code checklist

• Notifications
  • Display
  • Open
  • Push Processing
  • Confirm Deliveries
• Outcomes
• Sessions
• In-App Messaging
• REST API requests
• Public API changes

Checklist

Overview

• I have filled out all REQUIRED sections above
• PR does one thing
• Any Public API changes are explained in the PR details and conform to existing APIs

Testing

• I have included test coverage for these changes, or explained why they are not needed
• All automated tests pass, or I explained why that is not possible
• I have personally tested this on my device, or explained why that is not possible

Final pass

• Code is as readable as possible.
• I have reviewed this PR myself, ensuring it meets each checklist item

[nan-li]

remove this,

[nan-li]

Manual testing can look for logs:

• "deferred: device-protected storage is not yet available"
• any new onesignal IDs or subscription IDs
• requests made "network request" ...
• when the observer fires that protected data is avail: "refresh hydrated (stored.count) model(s) from UserDefaults"

[sherwinski]

It looks like there could be a race with respect to setting up the observer before the latch and provider. In reality it's probably not likely to happen but in theory could the block see gObserverShouldRecover == NO if the notification is sent between addObserverForName and the two stores?

Claude suggests: compute initialState, store both atomics, set the provider, and register the observer last

[nan-li]

Practical likelihood: for the notification to fire during the few microseconds inside dispatch_once, the device would have to unlock at exactly that instant during app init. Vanishingly rare. If this were to happen, it is not disastrous. The SDK mostly heals in the same session such as on any OneSignal.User.X call, only small gaps would be missed such as missed session_count incrementer or refresh user call. Fully self-heals on next launch.

The reorder narrows but doesn't fully eliminate the race. With the new order, there's still a window between the atomic_store and the addObserverForName where the notification could post and be missed entirely.

[fadi-george]

I dont see duplciate record but i notice live activity didnt show after restarting device