From 92e00c8bdd49cee418a5016d46eae39791e766c7 Mon Sep 17 00:00:00 2001
From: jesse-merhi <79823012+jesse-merhi@users.noreply.github.com>
Date: Mon, 4 May 2026 17:05:12 +1000
Subject: [PATCH] fix: address APNs proxy review feedback

---
 .../openclaw-live-and-e2e-checks-reusable.yml         |  7 +++++++
 src/infra/push-apns-http2.test.ts                     | 11 +++++++++++
 src/infra/push-apns-http2.ts                          |  5 ++++-
 test/scripts/package-acceptance-workflow.test.ts      |  5 +++++
 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
index 63ac6e6b033..1c8f7924619 100644
--- a/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
+++ b/.github/workflows/openclaw-live-and-e2e-checks-reusable.yml
@@ -409,6 +409,7 @@ jobs:
               add_profile_suite native-live-src-gateway-profiles-xai "full"
               add_profile_suite native-live-src-gateway-profiles-zai "full"
               add_profile_suite native-live-src-gateway-backends "stable full"
+              add_profile_suite native-live-src-infra "stable full"
               add_profile_suite native-live-test "stable full"
               add_profile_suite native-live-extensions-l-n "full"
               add_profile_suite native-live-extensions-moonshot "full"
@@ -1989,6 +1990,12 @@ jobs:
             timeout_minutes: 90
             profile_env_only: false
             profiles: stable full
+          - suite_id: native-live-src-infra
+            label: Native live infra
+            command: OPENCLAW_LIVE_APNS_REACHABILITY=1 node .release-harness/scripts/test-live-shard.mjs native-live-src-infra
+            timeout_minutes: 45
+            profile_env_only: false
+            profiles: stable full
           - suite_id: native-live-test
             label: Native live test harnesses
             command: node .release-harness/scripts/test-live-shard.mjs native-live-test
diff --git a/src/infra/push-apns-http2.test.ts b/src/infra/push-apns-http2.test.ts
index f4402591031..bd204e754b6 100644
--- a/src/infra/push-apns-http2.test.ts
+++ b/src/infra/push-apns-http2.test.ts
@@ -112,6 +112,17 @@ describe("connectApnsHttp2Session", () => {
     expect(connectSpy).toHaveBeenCalledWith("https://api.sandbox.push.apple.com");
   });
 
+  it("normalizes the default APNs HTTPS port", async () => {
+    const { connectApnsHttp2Session } = await import("./push-apns-http2.js");
+
+    await connectApnsHttp2Session({
+      authority: "https://api.push.apple.com:443",
+      timeoutMs: 10_000,
+    });
+
+    expect(connectSpy).toHaveBeenCalledWith("https://api.push.apple.com");
+  });
+
   it("uses an HTTP CONNECT tunnel when managed proxy is active", async () => {
     const registration = registerActiveManagedProxyUrl(new URL("http://proxy.example:8080"));
     const { connectApnsHttp2Session } = await import("./push-apns-http2.js");
diff --git a/src/infra/push-apns-http2.ts b/src/infra/push-apns-http2.ts
index 502482b616a..c0c1b3d286c 100644
--- a/src/infra/push-apns-http2.ts
+++ b/src/infra/push-apns-http2.ts
@@ -5,6 +5,8 @@ import {
   type ActiveManagedProxyUrl,
 } from "./net/proxy/active-proxy-state.js";
 
+const APNS_DEFAULT_PORT = "443";
+
 const APNS_AUTHORITIES = new Set([
   "https://api.push.apple.com",
   "https://api.sandbox.push.apple.com",
@@ -37,7 +39,8 @@ function assertApnsAuthority(authority: string): ApnsAuthority {
   } catch {
     throw new Error(`Unsupported APNs authority: ${authority}`);
   }
-  const normalized = `${parsed.protocol}//${parsed.hostname}${parsed.port ? `:${parsed.port}` : ""}`;
+  const port = parsed.port && parsed.port !== APNS_DEFAULT_PORT ? `:${parsed.port}` : "";
+  const normalized = `${parsed.protocol}//${parsed.hostname}${port}`;
   if (!APNS_AUTHORITIES.has(normalized)) {
     throw new Error(`Unsupported APNs authority: ${authority}`);
   }
diff --git a/test/scripts/package-acceptance-workflow.test.ts b/test/scripts/package-acceptance-workflow.test.ts
index 6e8c853f839..b4ac1ca9d04 100644
--- a/test/scripts/package-acceptance-workflow.test.ts
+++ b/test/scripts/package-acceptance-workflow.test.ts
@@ -309,6 +309,7 @@ describe("package artifact reuse", () => {
     expect(workflow).toContain(
       'add_profile_suite native-live-src-gateway-core "minimum stable full"',
     );
+    expect(workflow).toContain('add_profile_suite native-live-src-infra "stable full"');
     expect(workflow).toContain('add_profile_suite live-gateway-docker "minimum stable full"');
     expect(workflow).toContain('add_profile_suite live-gateway-anthropic-docker "stable full"');
     expect(workflow).toContain('add_profile_suite live-gateway-advisory-docker "full"');
@@ -346,6 +347,10 @@ describe("package artifact reuse", () => {
     );
     expect(workflow).toContain("suite_id: native-live-src-gateway-core");
     expect(workflow).toContain("suite_id: native-live-src-gateway-backends");
+    expect(workflow).toContain("suite_id: native-live-src-infra");
+    expect(workflow).toContain(
+      "command: OPENCLAW_LIVE_APNS_REACHABILITY=1 node .release-harness/scripts/test-live-shard.mjs native-live-src-infra",
+    );
     expect(workflow).toContain("suite_id: native-live-src-gateway-profiles-anthropic-smoke");
     expect(workflow).toContain("suite_id: native-live-src-gateway-profiles-anthropic-opus");
     expect(workflow).toContain("suite_id: native-live-src-gateway-profiles-anthropic-sonnet-haiku");