settings: Add require_e2ee_push_notifications realm setting.

This commit adds a realm setting:
"Require end-to-end encryption for push notification content".

This commit just involves backend & UI changes to add the setting,
the impact of this setting is in the next commit.

Fixes part of #35370.

zerver/migrations/0743_realm_require_e2ee_push_notifications.py

@@ -0,0 +1,38 @@
+# Generated by Django 5.2.4 on 2025-07-28 18:58
+
+from django.conf import settings
+from django.db import migrations, models
+from django.db.backends.base.schema import BaseDatabaseSchemaEditor
+from django.db.migrations.state import StateApps
+
+
+def update_require_e2ee_push_notifications(
+    apps: StateApps, schema_editor: BaseDatabaseSchemaEditor
+) -> None:
+    Realm = apps.get_model("zerver", "Realm")
+
+    # We use 'getattr' with a default value to allow this migration
+    # to run in development environment when PUSH_NOTIFICATION_REDACT_CONTENT
+    # setting is removed in the future.
+    require_e2ee = getattr(settings, "PUSH_NOTIFICATION_REDACT_CONTENT", False)
+    if require_e2ee:
+        Realm.objects.update(require_e2ee_push_notifications=require_e2ee)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("zerver", "0742_usermessage_zerver_usermessage_is_private_unread_message_id"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="realm",
+            name="require_e2ee_push_notifications",
+            field=models.BooleanField(db_default=False, default=False),
+        ),
+        migrations.RunPython(
+            update_require_e2ee_push_notifications,
+            elidable=True,
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]

zerver/models/realms.py

@@ -191,6 +191,7 @@ class Realm(models.Model):
     # cease to be the case.
     push_notifications_enabled = models.BooleanField(default=False, db_index=True)
     push_notifications_enabled_end_timestamp = models.DateTimeField(default=None, null=True)
+    require_e2ee_push_notifications = models.BooleanField(default=False, db_default=False)
 
     date_created = models.DateTimeField(default=timezone_now)
     scheduled_deletion_date = models.DateTimeField(default=None, db_index=True, null=True)
@@ -726,6 +727,7 @@ class Realm(models.Model):
         name=str,
         name_changes_disabled=bool,
         push_notifications_enabled=bool,
+        require_e2ee_push_notifications=bool,
         require_unique_names=bool,
         send_welcome_emails=bool,
         topics_policy=RealmTopicsPolicyEnum,

zerver/openapi/zulip.yaml

@@ -5402,6 +5402,32 @@ paths:
                                         indicated timestamp is near.
 
                                         **Changes**: New in Zulip 8.0 (feature level 231).
+                                    require_e2ee_push_notifications:
+                                      type: boolean
+                                      description: |
+                                        Whether this realm is configured to disallow sending mobile
+                                        push notifications with message content through the legacy
+                                        mobile push notifications APIs. The new API uses end-to-end
+                                        encryption to protect message content and metadata from
+                                        being accessible to the push bouncer service, APNs, and
+                                        FCM. Clients that support the new E2EE API will use it
+                                        automatically regardless of this setting.
+
+                                        If `true`, mobile push notifications sent to clients that
+                                        lack support for E2EE push notifications will always have
+                                        "New message" as their content. Note that these legacy
+                                        mobile notifications will still contain metadata, which may
+                                        include the message's ID, the sender's name, email address,
+                                        and avatar.
+
+                                        In a future release, once the official mobile apps have
+                                        implemented fully validated their E2EE protocol support,
+                                        this setting will become strict, and disable the legacy
+                                        protocol entirely.
+
+                                        **Changes**: New in Zulip 11.0 (feature level 409). Previously,
+                                        this behavior was available only via the
+                                        `PUSH_NOTIFICATION_REDACT_CONTENT` global server setting.
                                     require_unique_names:
                                       type: boolean
                                       description: |
@@ -18953,6 +18979,34 @@ paths:
                           Present if `realm` is present in `fetch_event_types`.
 
                           The name of the organization, used in login pages etc.
+                      realm_require_e2ee_push_notifications:
+                        type: boolean
+                        description: |
+                          Present if `realm` is present in `fetch_event_types`.
+
+                          Whether this realm is configured to disallow sending mobile
+                          push notifications with message content through the legacy
+                          mobile push notifications APIs. The new API uses end-to-end
+                          encryption to protect message content and metadata from
+                          being accessible to the push bouncer service, APNs, and
+                          FCM. Clients that support the new E2EE API will use it
+                          automatically regardless of this setting.
+
+                          If `true`, mobile push notifications sent to clients that
+                          lack support for E2EE push notifications will always have
+                          "New message" as their content. Note that these legacy
+                          mobile notifications will still contain metadata, which may
+                          include the message's ID, the sender's name, email address,
+                          and avatar.
+
+                          In a future release, once the official mobile apps have
+                          implemented fully validated their E2EE protocol support,
+                          this setting will become strict, and disable the legacy
+                          protocol entirely.
+
+                          **Changes**: New in Zulip 11.0 (feature level 409). Previously,
+                          this behavior was available only via the
+                          `PUSH_NOTIFICATION_REDACT_CONTENT` global server setting.
                       realm_require_unique_names:
                         type: boolean
                         description: |

zerver/tests/test_home.py

@@ -208,6 +208,7 @@ class HomeTest(ZulipTestCase):
         "realm_presence_disabled",
         "realm_push_notifications_enabled",
         "realm_push_notifications_enabled_end_timestamp",
+        "realm_require_e2ee_push_notifications",
         "realm_require_unique_names",
         "realm_send_welcome_emails",
         "realm_signup_announcements_stream_id",

zerver/views/realm.py

@@ -178,6 +178,7 @@ def update_realm(
     name_changes_disabled: Json[bool] | None = None,
     new_stream_announcements_stream_id: Json[int] | None = None,
     org_type: Json[OrgTypeEnum] | None = None,
+    require_e2ee_push_notifications: Json[bool] | None = None,
     require_unique_names: Json[bool] | None = None,
     send_welcome_emails: Json[bool] | None = None,
     signup_announcements_stream_id: Json[int] | None = None,