diff --git a/apps/ios/Sources/Push/PushRelayClient.swift b/apps/ios/Sources/Push/PushRelayClient.swift
index 2ad7350e16f..1f1b1ca1580 100644
--- a/apps/ios/Sources/Push/PushRelayClient.swift
+++ b/apps/ios/Sources/Push/PushRelayClient.swift
@@ -115,10 +115,6 @@ private struct PushRelayAppAttestProof {
     var assertion: String
     var clientDataHash: String
     var signedPayloadBase64: String
-
-    var includesAttestationObject: Bool {
-        self.attestationObject != nil
-    }
 }
 
 private final class PushRelayAppAttestService {
@@ -167,6 +163,10 @@ private final class PushRelayAppAttestService {
         let challengeData = Data(challenge.utf8)
         let clientDataHash = Data(SHA256.hash(data: challengeData))
         let attestation = try await service.attestKey(keyID, clientDataHash: clientDataHash)
+        // Apple treats App Attest key attestation as a one-time operation. Save the
+        // attested marker immediately so later receipt/network failures do not cause a
+        // permanently broken re-attestation loop on the same key.
+        _ = PushRelayRegistrationStore.saveAttestedKeyID(keyID)
         return attestation.base64EncodedString()
     }
 
@@ -285,9 +285,6 @@ final class PushRelayClient: @unchecked Sendable {
                 message: Self.decodeErrorMessage(data: data))
         }
         let decoded = try self.decode(PushRelayRegisterResponse.self, from: data)
-        if appAttest.includesAttestationObject {
-            _ = PushRelayRegistrationStore.saveAttestedKeyID(appAttest.keyId)
-        }
         return decoded
     }
 
diff --git a/scripts/ios-beta-prepare.sh b/scripts/ios-beta-prepare.sh
index 8843ec458d8..9dd0d891c9e 100755
--- a/scripts/ios-beta-prepare.sh
+++ b/scripts/ios-beta-prepare.sh
@@ -64,10 +64,16 @@ validate_push_relay_base_url() {
     exit 1
   fi
 
-  if [[ ! "${value}" =~ ^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~!&*+,;:@%/-]*)?$ ]]; then
+  if [[ ! "${value}" =~ ^https://[A-Za-z0-9.-]+(:([0-9]{1,5}))?(/[A-Za-z0-9._~!&*+,;:@%/-]*)?$ ]]; then
     echo "Invalid OPENCLAW_PUSH_RELAY_BASE_URL: expected https://host[:port][/path]." >&2
     exit 1
   fi
+
+  local port="${BASH_REMATCH[2]:-}"
+  if [[ -n "${port}" ]] && (( 10#${port} > 65535 )); then
+    echo "Invalid OPENCLAW_PUSH_RELAY_BASE_URL: port must be between 1 and 65535." >&2
+    exit 1
+  fi
 }
 
 while [[ $# -gt 0 ]]; do