feat: Novu notification system (backend + frontend + docs)

[teetangh]

Summary

Implements a complete notification orchestration layer using Novu, delivering notifications across in-app inbox, email, and push (FCM) channels. This PR adds:

• Backend service layer — NovuService (HTTP client), SubscriberService (profile & token management), NotificationTriggers (11 fire-and-forget workflow triggers), and NovuWorkflows (workflow ID constants)
• 7 notification API routes — list notifications, mark-read, preferences CRUD, FCM token register/unregister, subscriber hash, and subscriber sync
• Trigger integration — 11 workflows wired into existing route handlers (appointments, payments, reviews, support, feedback, disputes) via unawaited() calls
• Frontend UI — notification inbox screen, preferences screen (channel/category/quiet hours toggles), bell widget with unread badge
• Frontend data layer — remote source, repository, Riverpod providers (subscriber hash, preferences with optimistic updates, unread count, push notification lifecycle)
• FCM infrastructure — FcmService and LocalNotificationService singletons with graceful degradation when Firebase is not configured
• Documentation — setup guide, architecture overview, and workflow reference for all 11 workflows

Workflows Implemented

#	Workflow ID	Trigger	Recipient
1	appointment-booked	POST /api/appointments (SCHEDULED)	Consultant
2	appointment-cancelled	PUT /api/appointments/{id}/cancel	Other party
3	appointment-rescheduled	PUT /api/appointments/{id}/reschedule	Other party
4	new-booking-request	POST /api/appointments (PENDING)	Consultant
5	payment-success	Stripe/Razorpay webhook	Consultee
6	payment-failed	Stripe/Razorpay webhook	Consultee
7	refund-processed	Stripe/Razorpay webhook	Consultee
8	new-review-received	POST /api/reviews	Consultant
9	support-ticket-created	POST /api/support	Ticket creator
10	feedback-received	POST /api/feedback	Admin
11	dispute-created	Stripe webhook	Consultant

Key Design Decisions

• Fire-and-forget — All triggers use unawaited() so notification failures never block business logic
• Graceful degradation — Backend skips all triggers if NOVU_SECRET_KEY is missing; frontend FCM catches FirebaseException when Firebase config files are absent
• No new backend dependencies — Uses existing http and crypto packages
• HMAC subscriber hash — Generated server-side for secure Novu Inbox authentication
• Shared Novu org — Same workflow IDs and subscriber records as the web app

Files Changed

Category	New	Modified
Backend services (backend/lib/services/novu/)	5	—
Backend routes (backend/routes/api/notifications/)	7	—
Backend trigger integration	—	8
Backend config (main.dart)	—	1
Frontend entities/data layer	3	—
Frontend providers	2	—
Frontend services	2	—
Frontend UI (screens/widgets)	3	—
Frontend config/integration	—	6
Documentation (docs/notifications/)	4	—
Total	26	15

Test Plan

Prerequisites

• Set NOVU_SECRET_KEY, NOVU_API_URL, NOVU_APP_ID in backend/.env
• Set NOVU_APP_ID in root .env and run dart run build_runner build
• Create all 11 workflows in Novu dashboard with matching IDs
• (Optional) Add google-services.json / GoogleService-Info.plist for push

Backend — Graceful Degradation

• Start backend with empty NOVU_SECRET_KEY → logs "Novu not configured", no crashes
• Trigger any business action (e.g., create appointment) → succeeds without notification errors
• GET /api/notifications/subscriber-hash → returns empty hash, no 500

Backend — Service Layer

• Start backend with valid NOVU_SECRET_KEY → logs "Novu configured"
• POST /api/notifications/subscriber/sync → subscriber appears in Novu dashboard
• GET /api/notifications/subscriber-hash → returns non-empty HMAC string
• POST /api/notifications/register-token with { "token": "test-token", "platform": "android" } → 200, token visible in Novu subscriber credentials
• POST /api/notifications/unregister-token with { "token": "test-token" } → 200

Backend — Notification Routes

• GET /api/notifications?page=0&limit=10 → proxies to Novu, returns notification list (or empty array)
• POST /api/notifications/mark-read with { "notificationIds": ["id1"] } → 200
• POST /api/notifications/mark-read with { "all": true } → 200
• GET /api/notifications/preferences → returns default preferences (first call creates DB record)
• PUT /api/notifications/preferences with channel/category toggles → 200, changes persisted
• GET /api/notifications/preferences after PUT → reflects updated values
• All routes return 401 without auth token

Backend — Trigger Integration (11 workflows)

• Appointment booked — POST /api/appointments with SCHEDULED status → Novu Activity Feed shows appointment-booked event to consultant
• New booking request — POST /api/appointments with PENDING status → new-booking-request to consultant
• Appointment cancelled — PUT /api/appointments/{id}/cancel → appointment-cancelled to other party
• Appointment rescheduled — PUT /api/appointments/{id}/reschedule → appointment-rescheduled to other party
• Payment success — Simulate Stripe payment_intent.succeeded webhook → payment-success to consultee
• Payment failed — Simulate Stripe payment_intent.payment_failed webhook → payment-failed to consultee
• Refund processed — Simulate Stripe charge.refunded webhook → refund-processed to consultee
• New review — POST /api/reviews → new-review-received to consultant
• Support ticket — POST /api/support → support-ticket-created to creator
• Feedback — POST /api/feedback → feedback-received to admin
• Dispute — Simulate Stripe charge.dispute.created webhook → dispute-created to consultant
• Verify all triggers are non-blocking (API response time unchanged)

Frontend — Navigation & UI

• Tap notification bell on consultee dashboard → navigates to /notifications
• Tap notification bell on consultant dashboard → navigates to /notifications
• Profile screen → Notifications menu item → navigates to /notifications (no "Coming soon" snackbar)
• Notification inbox screen renders without errors (empty state if no notifications)
• "Mark All Read" action in inbox AppBar → resets unread count
• Navigate to preferences from inbox → /notifications/preferences loads

Frontend — Preferences Screen

• Channel toggles (Email, Push, In-App) → optimistic UI update, saved to backend
• Category toggles (Appointments, Payments, etc.) → saved correctly
• Quiet hours toggle → shows time pickers when enabled
• Time pickers → set start/end times, saved to backend
• Error state → shows retry option
• Loading state → shows shimmer/progress indicator

Frontend — Bell Widget & Unread Count

• Bell widget shows badge with count when > 0
• Badge hidden when count is 0
• Count increments when push notification received in foreground

Frontend — Push Notifications (requires Firebase config)

• App launch → FCM token registered with backend
• Foreground push → local notification displayed, unread count incremented
• Background push → system tray notification shown
• Token refresh → new token re-registered automatically
• Sign-out → FCM token unregistered from backend

Frontend — Graceful Degradation (without Firebase)

• App builds and runs without google-services.json / GoogleService-Info.plist
• Push notifications silently skipped, no crashes
• All other notification features (inbox, preferences, bell) work normally

Cross-Cutting

• flutter analyze — zero errors (info/warnings are pre-existing)
• dart analyze backend/ — zero errors
• Backend starts: dart_frog dev — no startup errors
• Frontend builds: flutter build apk --debug — succeeds

🤖 Generated with Claude Code

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a complete notification orchestration system leveraging Novu to manage in-app, email, and push notifications. It establishes a robust backend service for triggering workflows and managing subscriber data, alongside a full-featured frontend UI and data layer for user interaction and preference management. The system is designed for reliability with fire-and-forget triggers and graceful degradation, ensuring core business logic remains unaffected by notification service status.

Highlights

• Novu Backend Service Layer: Introduced a comprehensive backend service layer for Novu, including NovuService for HTTP client operations, SubscriberService for profile and token management, NotificationTriggers for 11 fire-and-forget workflow triggers, and NovuWorkflows for workflow ID constants.
• New Notification API Routes: Added 7 new API routes under /api/notifications to handle listing notifications, marking them as read, managing preferences, registering/unregistering FCM tokens, generating subscriber hashes, and syncing subscriber profiles.
• Integrated Workflow Triggers: Integrated 11 Novu workflows into existing backend route handlers for appointments, payments, reviews, support, feedback, and disputes, utilizing unawaited() calls for non-blocking execution.
• Frontend Notification UI: Implemented frontend UI components including a notification inbox screen, a preferences screen with channel/category/quiet hours toggles, and a bell widget with an unread badge.
• Frontend Data Layer and FCM Infrastructure: Developed a new frontend data layer with remote source, repository, and Riverpod providers for subscriber hash, preferences (with optimistic updates), unread count, and push notification lifecycle. Also added FCM infrastructure with FcmService and LocalNotificationService for push notifications, designed for graceful degradation.
• Comprehensive Documentation: Provided extensive documentation covering setup guides, architecture overviews, and workflow references for all 11 implemented workflows.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• backend/lib/services/novu/notification_triggers.dart
  • Added a new file defining static methods to trigger specific Novu workflows with appropriate payloads.
• backend/lib/services/novu/novu_config.dart
  • Added a new file to manage Novu configuration loaded from environment variables, including secret key, API URL, and application ID.
• backend/lib/services/novu/novu_service.dart
  • Added a new file implementing the core Novu HTTP client for triggering workflows and managing events, with built-in error handling and timeouts.
• backend/lib/services/novu/novu_workflows.dart
  • Added a new file defining constants for Novu workflow identifiers and their expected payload fields.
• backend/lib/services/novu/subscriber_service.dart
  • Added a new file to manage Novu subscriber profiles and device credentials, including syncing profiles, setting/removing device tokens, and generating HMAC hashes.
• backend/lib/services/webhook_handlers.dart
  • Updated imports to include Novu notification services.
  • Modified the constructor to accept an optional NovuService instance.
  • Integrated paymentSuccess notification trigger for successful payments.
  • Integrated paymentFailed notification trigger for failed payments.
  • Integrated refundProcessed notification trigger for processed refunds.
  • Integrated disputeCreated notification trigger for created disputes.
  • Added helper methods _getPaymentRecipientInfo and _getPaymentConsultantInfo to retrieve user information related to payments for notifications.
• backend/main.dart
  • Added imports for Novu configuration and services.
  • Initialized NovuConfig, NovuService, and SubscriberService at startup, with logging for unconfigured states.
  • Provided NovuService and SubscriberService to the dependency injection container.
• backend/routes/api/appointments/[id]/cancel.dart
  • Updated imports to include Novu notification services.
  • Integrated appointmentCancelled notification trigger when an appointment is cancelled.
• backend/routes/api/appointments/[id]/reschedule.dart
  • Updated imports to include Novu notification services.
  • Integrated appointmentRescheduled notification trigger when an appointment is rescheduled.
• backend/routes/api/appointments/index.dart
  • Updated imports to include Novu notification services.
  • Integrated newBookingRequest and appointmentBooked notification triggers when a new appointment is created, based on its status.
• backend/routes/api/feedback/index.dart
  • Updated imports to include Novu notification services.
  • Integrated feedbackReceived notification trigger when new feedback is submitted.
• backend/routes/api/notifications/index.dart
  • Added a new file defining the GET /api/notifications endpoint to list notifications by proxying to the Novu API.
• backend/routes/api/notifications/mark-read.dart
  • Added a new file defining the POST /api/notifications/mark-read endpoint to mark notifications as read, supporting individual or batch operations.
• backend/routes/api/notifications/preferences.dart
  • Added a new file defining GET and PUT /api/notifications/preferences endpoints to retrieve and update user notification preferences, with fire-and-forget syncing to Novu.
• backend/routes/api/notifications/register-token.dart
  • Added a new file defining the POST /api/notifications/register-token endpoint to register FCM device tokens with Novu.
• backend/routes/api/notifications/subscriber-hash.dart
  • Added a new file defining the GET /api/notifications/subscriber-hash endpoint to generate an HMAC hash for Novu Inbox authentication.
• backend/routes/api/notifications/subscriber/sync.dart
  • Added a new file defining the POST /api/notifications/subscriber/sync endpoint to force-sync user profiles to Novu.
• backend/routes/api/notifications/unregister-token.dart
  • Added a new file defining the POST /api/notifications/unregister-token endpoint to unregister FCM device tokens from Novu.
• backend/routes/api/reviews/index.dart
  • Updated imports to include Novu notification services.
  • Integrated newReviewReceived notification trigger when a new review is created.
• backend/routes/api/support/index.dart
  • Updated imports to include Novu notification services.
  • Integrated supportTicketCreated notification trigger when a support ticket is created.
• backend/routes/api/webhooks/razorpay.dart
  • Updated imports to include Novu notification services.
  • Modified WebhookHandlers instantiation to pass the NovuService.
• backend/routes/api/webhooks/stripe.dart
  • Updated imports to include Novu notification services.
  • Modified WebhookHandlers instantiation to pass the NovuService.
• docs/notifications/README.md
  • Added a new file providing an overview of the Novu notification system, its architecture, implemented workflows, and key source files.
• docs/notifications/architecture.md
  • Added a new file detailing the architecture of the Novu notification system, covering backend components, data flow, frontend provider graph, FCM token lifecycle, graceful degradation, and UI components.
• docs/notifications/setup-guide.md
  • Added a new file providing a comprehensive setup guide for the Novu notification system, including account creation, environment variables, Firebase configuration, code generation, workflow setup, and a verification checklist.
• docs/notifications/workflow-reference.md
  • Added a new file providing a complete reference for all 11 Novu notification workflows, detailing trigger points, recipients, channels, payload fields, and transaction IDs.
• lib/app/router.dart
  • Added imports for NotificationInboxScreen and NotificationPreferencesScreen.
  • Updated the redirect logic to include /notifications as a protected route.
  • Added new GoRouter routes for /notifications and /notifications/preferences.
• lib/core/config/env_config.dart
  • Added novuAppId field to EnvConfig for Novu application identifier.
• lib/core/constants/storage_keys.dart
  • Added new storage keys fcmToken and novuSubscriberHash for notification-related data.
• lib/core/network/api_endpoints.dart
  • Added new API endpoints for various notification-related operations, including preferences, token registration/unregistration, subscriber hash, and subscriber sync.
• lib/data/datasources/remote/notification_remote_source.dart
  • Added a new file defining the NotificationRemoteSource interface and its NotificationRemoteSourceImpl implementation for interacting with notification-related backend APIs.
• lib/data/repositories/notification_repository_impl.dart
  • Added a new file defining the NotificationRepository interface and its NotificationRepositoryImpl implementation, acting as a facade for notification data operations.
• lib/domain/entities/notification/notification_entities.dart
  • Added a new file defining the NotificationPreference data class for user notification settings.
• lib/features/dashboard/screens/consultant_dashboard_screen.dart
  • Added import for NotificationBellWidget.
  • Replaced the static notification icon with NotificationBellWidget in the app bar actions.
• lib/features/dashboard/screens/consultee_dashboard_screen.dart
  • Added import for NotificationBellWidget.
  • Replaced the static notification icon with NotificationBellWidget in the app bar actions.
• lib/features/notifications/providers/notification_providers.dart
  • Added a new file defining Riverpod providers for subscriberHash, NotificationPreferences (with optimistic updates), UnreadNotificationCount, and SyncSubscriber.
• lib/features/notifications/providers/push_notification_provider.dart
  • Added a new file defining the PushNotification Riverpod provider to manage FCM token registration, permissions, and foreground message listeners, with graceful degradation.
• lib/features/notifications/screens/notification_inbox_screen.dart
  • Added a new file defining the NotificationInboxScreen for displaying user notifications, including a placeholder empty state and a 'Mark All Read' action.
• lib/features/notifications/screens/notification_preferences_screen.dart
  • Added a new file defining the NotificationPreferencesScreen for users to manage their notification channel, category, and quiet hours settings.
• lib/features/notifications/services/fcm_service.dart
  • Added a new file implementing FcmService to wrap Firebase Cloud Messaging functionalities, including initialization, permission requests, token management, and message listeners.
• lib/features/notifications/services/local_notification_service.dart
  • Added a new file implementing LocalNotificationService to display foreground push notifications as system notifications using flutter_local_notifications.
• lib/features/notifications/widgets/notification_bell_widget.dart
  • Added a new file defining the NotificationBellWidget, a reusable widget displaying a bell icon with an unread count badge.
• lib/features/profile/screens/profile_screen.dart
  • Updated the 'Notifications' menu item to navigate to the new /notifications route instead of showing a 'Coming soon' snackbar.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive, full-featured notification system using Novu, with well-structured changes across backend, frontend, and documentation. However, a critical security concern has been identified: user-supplied input is directly concatenated into URLs for Novu API requests, potentially leading to parameter injection and path traversal vulnerabilities that could allow manipulation of API requests or access to other subscribers' data. Additionally, the review highlighted areas for improving notification logic correctness, performance through bulk/parallel API calls, and code maintainability, along with critical bugs related to incorrect notification recipients or data.

[gemini-code-assist]

The current implementation of triggerForMultiple triggers workflows sequentially, which can be inefficient and slow if there are many subscribers. Novu provides a bulk trigger endpoint (/events/trigger/bulk) that is much more performant for this use case. I recommend refactoring this method to use the bulk endpoint to improve performance and reduce the number of HTTP requests.

  Future<bool> triggerForMultiple({
    required String workflowId,
    required List<String> subscriberIds,
    Map<String, dynamic>? payload,
  }) async {
    if (subscriberIds.isEmpty) return true;
    if (!isConfigured) {
      SentryLogger.info(
        'Novu not configured — skipping bulk trigger for $workflowId',
        context: 'NovuService.triggerForMultiple',
      );
      return false;
    }

    try {
      final url = Uri.parse('${_config.apiUrl}/events/trigger/bulk');
      final events = subscriberIds.map((id) {
        final event = <String, dynamic>{
          'name': workflowId,
          'to': {'subscriberId': id},
        };
        if (payload != null) {
          event['payload'] = payload;
        }
        return event;
      }).toList();

      final response = await http
          .post(url, headers: _headers, body: jsonEncode({'events': events}))
          .timeout(_timeout);

      if (response.statusCode >= 200 && response.statusCode < 300) {
        SentryLogger.info(
          'Triggered bulk workflow $workflowId for ${subscriberIds.length} subscribers',
          context: 'NovuService.triggerForMultiple',
        );
        return true;
      }

      await SentryLogger.error(
        'Novu bulk trigger failed: ${response.statusCode} — ${response.body}',
        context: 'NovuService.triggerForMultiple',
      );
      return false;
    } catch (e, stackTrace) {
      await SentryLogger.error(
        'Exception triggering Novu bulk workflow $workflowId',
        context: 'NovuService.triggerForMultiple',
        error: e,
        stackTrace: stackTrace,
      );
      return false;
    }
  }

[gemini-code-assist]

There is a bug here. The recipientUserId is set to userId, which is the ID of the user who initiated the cancellation. This means the notification is sent to the person who cancelled the appointment, not the other party involved. You need to fetch the appointment details, identify both participants (consultant and consultee), and send the notification to the user who is not the one making this request.

[gemini-code-assist]

The appointmentDate is being set to the current time using DateTime.now(). This is incorrect. The notification should include the date of the appointment that was cancelled. You should fetch the appointment details from the database to get its actual date and pass that to the notification trigger.

[gemini-code-assist]

There is a bug here. The recipientUserId is set to userId, which is the ID of the user who is rescheduling. The notification should be sent to the other party involved in the appointment, not the person performing the action. You'll need to fetch the appointment, determine the other participant's user ID, and use that as the recipient.

[gemini-code-assist]

The originalDate is being set to DateTime.now(), which is incorrect. This parameter should hold the date of the appointment before it was rescheduled. You need to fetch the original appointment details from the database to get this date and pass it to the notification trigger.

[gemini-code-assist]

The current implementation marks notifications as read one by one, which is inefficient. More critically, the id from notificationIds is directly concatenated into the URL path, creating a path traversal vulnerability in the outgoing request to the Novu API. This could allow an attacker to manipulate the path (e.g., using ../) to hit unintended Novu API endpoints. To address both performance and security, it's recommended to use safe URL construction methods (like Uri constructor's pathSegments) and consider parallel processing for efficiency.

[gemini-code-assist]

The page and limit parameters are directly concatenated into the URL string, which allows for parameter injection in the outgoing request to the Novu API. An attacker could provide values like 0&subscriberId=other_user to potentially manipulate the request and access data belonging to other users, depending on how the Novu API handles duplicate parameters.

To remediate this, use the Uri constructor's replace method with a queryParameters map, which ensures all values are properly encoded and prevents injection.

Suggested change

	final url = Uri.parse(
	'${novuConfig.apiUrl}/notifications'
	'?subscriberId=$userId&page=$page&limit=$limit',
	);
	final url = Uri.parse('${novuConfig.apiUrl}/notifications').replace(
	queryParameters: {
	'subscriberId': userId,
	'page': page,
	'limit': limit,
	},
	);

[gemini-code-assist]

For improved readability and conciseness, you can use a collection-if to construct the payload map. This is a more modern and idiomatic Dart approach compared to creating the map and then conditionally adding elements. This suggestion applies to all other methods in this file as well.

Suggested change

	final payload = <String, dynamic>{
	'consulteeUserName': consulteeUserName,
	'appointmentType': appointmentType,
	'appointmentDate': appointmentDate,
	};
	if (planTitle != null) payload['planTitle'] = planTitle;
	if (appointmentId != null) payload['appointmentId'] = appointmentId;
	final payload = <String, dynamic>{
	'consulteeUserName': consulteeUserName,
	'appointmentType': appointmentType,
	'appointmentDate': appointmentDate,
	if (planTitle != null) 'planTitle': planTitle,
	if (appointmentId != null) 'appointmentId': appointmentId,
	};

[gemini-code-assist]

To make the code more concise and readable, you can use a collection-if to build the request body, similar to other parts of the new code. This is a more idiomatic way to handle optional fields in Dart.

Suggested change

	final body = <String, dynamic>{
	'name': workflowId,
	'to': {'subscriberId': subscriberId},
	};
	if (payload != null) body['payload'] = payload;
	if (overrides != null) body['overrides'] = overrides;
	if (transactionId != null) body['transactionId'] = transactionId;
	final body = <String, dynamic>{
	'name': workflowId,
	'to': {'subscriberId': subscriberId},
	if (payload != null) 'payload': payload,
	if (overrides != null) 'overrides': overrides,
	if (transactionId != null) 'transactionId': transactionId,
	};

[gemini-code-assist]

The logic to extract user information from consultation and subscription paths is duplicated. To improve maintainability and reduce redundancy, you can extract this logic into a private helper method. This will make the code cleaner and easier to manage.

Here's a helper you could add to the class:

Map<String, dynamic>? _extractUserFromBookingPath(Map<String, dynamic>? booking) {
  if (booking == null) return null;
  final requestedBy = booking['requestedBy'] as Map<String, dynamic>?;
  final user = requestedBy?['user'] as Map<String, dynamic>?;
  if (user != null) {
    return {'userId': user['id'], 'name': user['name']};
  }
  return null;
}

You can then use this helper to simplify the current block.

Suggested change

	// Try consultation path
	final consultation =
	appointment['consultation'] as Map<String, dynamic>?;
	if (consultation != null) {
	final requestedBy =
	consultation['requestedBy'] as Map<String, dynamic>?;
	final user = requestedBy?['user'] as Map<String, dynamic>?;
	if (user != null) {
	return {'userId': user['id'], 'name': user['name']};
	}
	}
	// Try subscription path
	final subscription =
	appointment['subscription'] as Map<String, dynamic>?;
	if (subscription != null) {
	final requestedBy =
	subscription['requestedBy'] as Map<String, dynamic>?;
	final user = requestedBy?['user'] as Map<String, dynamic>?;
	if (user != null) {
	return {'userId': user['id'], 'name': user['name']};
	}
	}
	return null;
	// Try consultation path
	final userFromConsultation = _extractUserFromBookingPath(
	appointment['consultation'] as Map<String, dynamic>?,
	);
	if (userFromConsultation != null) return userFromConsultation;
	// Try subscription path
	final userFromSubscription = _extractUserFromBookingPath(
	appointment['subscription'] as Map<String, dynamic>?,
	);
	if (userFromSubscription != null) return userFromSubscription;
	return null;

[Copilot]

Pull request overview

This PR implements a comprehensive Novu-based notification system spanning both the Dart Frog backend and Flutter frontend. It adds backend services for Novu API interactions (HTTP client, subscriber management, 11 workflow triggers), 7 new API routes for notification management, trigger integrations in existing route handlers, and a full frontend UI layer with inbox screen, preferences screen, bell widget, FCM push notification support, and Riverpod providers. Documentation covers setup, architecture, and workflow reference.

Changes:

• Backend notification service layer — NovuConfig, NovuService, SubscriberService, NotificationTriggers, and NovuWorkflows under backend/lib/services/novu/, plus 7 new API routes and trigger integrations in 8 existing route/webhook handlers.
• Frontend notification UI and data layer — notification inbox/preferences screens, bell widget, FCM/local notification services, Riverpod providers with optimistic updates, repository + remote source, and router/config integration.
• Documentation — setup guide, architecture overview, and workflow reference for all 11 workflows.

Reviewed changes

Copilot reviewed 43 out of 43 changed files in this pull request and generated 16 comments.

Show a summary per file

File	Description
backend/lib/services/novu/novu_config.dart	Novu configuration class reading env vars
backend/lib/services/novu/novu_service.dart	Core HTTP client for Novu Events API
backend/lib/services/novu/subscriber_service.dart	Subscriber lifecycle and HMAC hash generation
backend/lib/services/novu/notification_triggers.dart	Static trigger methods for 11 workflows
backend/lib/services/novu/novu_workflows.dart	Workflow ID constants
backend/lib/services/webhook_handlers.dart	Added Novu triggers to payment/refund/dispute handlers
backend/main.dart	Register NovuService and SubscriberService providers
backend/routes/api/notifications/index.dart	List notifications proxy to Novu
backend/routes/api/notifications/mark-read.dart	Mark-read via Novu API
backend/routes/api/notifications/preferences.dart	GET/PUT notification preferences
backend/routes/api/notifications/register-token.dart	Register FCM device token
backend/routes/api/notifications/unregister-token.dart	Unregister FCM device token
backend/routes/api/notifications/subscriber-hash.dart	Get HMAC subscriber hash
backend/routes/api/notifications/subscriber/sync.dart	Sync subscriber profile to Novu
backend/routes/api/appointments/index.dart	Added booking notification triggers
backend/routes/api/appointments/[id]/cancel.dart	Added cancel notification trigger
backend/routes/api/appointments/[id]/reschedule.dart	Added reschedule notification trigger
backend/routes/api/reviews/index.dart	Added review notification trigger
backend/routes/api/support/index.dart	Added support ticket notification trigger
backend/routes/api/feedback/index.dart	Added feedback notification trigger
backend/routes/api/webhooks/stripe.dart	Pass NovuService to WebhookHandlers
backend/routes/api/webhooks/razorpay.dart	Pass NovuService to WebhookHandlers
lib/domain/entities/notification/notification_entities.dart	NotificationPreference data class
lib/data/datasources/remote/notification_remote_source.dart	Dio HTTP calls for notification endpoints
lib/data/repositories/notification_repository_impl.dart	Repository wrapping remote source
lib/features/notifications/providers/notification_providers.dart	Riverpod providers for preferences, hash, unread count
lib/features/notifications/providers/push_notification_provider.dart	FCM token lifecycle provider
lib/features/notifications/services/fcm_service.dart	Firebase Cloud Messaging wrapper
lib/features/notifications/services/local_notification_service.dart	flutter_local_notifications wrapper
lib/features/notifications/widgets/notification_bell_widget.dart	Bell icon with unread badge
lib/features/notifications/screens/notification_inbox_screen.dart	Notification inbox screen
lib/features/notifications/screens/notification_preferences_screen.dart	Preferences screen with toggles
lib/features/dashboard/screens/consultee_dashboard_screen.dart	Replaced placeholder bell with NotificationBellWidget
lib/features/dashboard/screens/consultant_dashboard_screen.dart	Replaced placeholder bell with NotificationBellWidget
lib/features/profile/screens/profile_screen.dart	Navigate to /notifications instead of "Coming soon"
lib/core/network/api_endpoints.dart	Added notification API endpoint constants
lib/core/constants/storage_keys.dart	Added FCM token and subscriber hash keys
lib/core/config/env_config.dart	Added NOVU_APP_ID env config
lib/app/router.dart	Added notification route definitions
docs/notifications/README.md	Documentation overview
docs/notifications/setup-guide.md	Setup guide
docs/notifications/architecture.md	Architecture documentation
docs/notifications/workflow-reference.md	Workflow reference

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Bug: The backend default categories are {appointments, payments, messages, reminders} while the frontend defaults (in notification_entities.dart lines 19-26) and the preferences UI labels (_categoryLabels) use {appointments, payments, support, feedback, subscriptions, marketing}. When a new user fetches preferences (no DB record), they'll get the backend defaults which don't match the frontend category labels — causing "messages" and "reminders" to appear with auto-capitalized names while "support", "feedback", etc. won't appear at all. These sets should be aligned.

[Copilot]

Security: The page and limit query parameters from user input are directly interpolated into the URL string passed to the Novu API without any validation. A malicious user could inject additional query parameters (e.g., page=0&extra=foo) that get forwarded to the Novu API. Validate that page and limit are non-negative integers before interpolating them, and consider using Uri constructor with queryParameters instead of string interpolation.

[Copilot]

Bug: adminUserId: 'admin' is hardcoded as a literal string. This requires a Novu subscriber with ID 'admin' to exist. The comment acknowledges this is a placeholder ("use a well-known admin user ID or skip"), but in practice this will silently fail because there's unlikely to be a Novu subscriber with that ID unless explicitly created. Consider either creating this subscriber during setup, looking up actual admin user(s) from the database, or using a Novu topic to broadcast to admin subscribers.

[Copilot]

Bug: The optimistic revert at lines 46-50 is immediately overridden by state = AsyncError(e, st) on line 53. This means the revert never has any visible effect — the state goes straight to an error, which will cause the preferences screen to display the error widget (from _buildError) instead of showing the reverted preferences with an error indication. If the intent is to revert the UI and show a toast/snackbar for the error, remove the state = AsyncError(e, st) line and rethrow via a different mechanism. If the intent is to show the error screen, remove the revert logic as it's dead code.

[Copilot]

Bug: The frontend reads data['subscriberHash'] but the backend returns {'hash': hash}. This key mismatch will cause the getSubscriberHash() call to throw a null cast error at runtime. Either the backend should return {'subscriberHash': hash} or the frontend should read data['hash'].

[Copilot]

Bug: originalDate: DateTime.now().toIso8601String() sends the current server time as the "original date" in the reschedule notification. The notification should include the actual original appointment date so the recipient knows what date is being rescheduled from.

[Copilot]

Bug: recipientUserId: userId sends the cancellation notification to the same user who initiated the cancellation, not to "the other party" as the comment and PR description specify. The code should look up the other participant (e.g., if the consultee cancelled, notify the consultant, and vice versa) and use that user's ID as the recipient.

[Copilot]

The repository has existing test coverage for other data repositories (e.g., auth_repository_impl_test.dart, booking_repository_impl_test.dart, support_repository_impl_test.dart). No tests were added for the new NotificationRepositoryImpl. Consider adding tests for this repository to maintain consistency with the rest of the codebase.

[Copilot]

Performance: Individual mark-read iterates through notificationIds sequentially, making one HTTP request per notification ID to the Novu API. For a large list, this could be slow. Consider using Future.wait() to process them concurrently, or check if Novu has a batch mark-read endpoint that accepts multiple IDs in a single call.

[Copilot]

The constants fcmToken and novuSubscriberHash are defined but never referenced anywhere in the codebase. If these are intended for future caching of the FCM token and subscriber hash in local storage, consider either implementing that caching now or removing these unused constants to avoid dead code.