diff --git a/src/infra/push-apns-http2.test.ts b/src/infra/push-apns-http2.test.ts
index 19658570907..60fc6986e60 100644
--- a/src/infra/push-apns-http2.test.ts
+++ b/src/infra/push-apns-http2.test.ts
@@ -1,5 +1,6 @@
 import type http2 from "node:http2";
 import { beforeEach, describe, expect, it, vi } from "vitest";
+import { MAX_TIMER_TIMEOUT_MS } from "../shared/number-coercion.js";
 import type { HttpConnectTunnelParams } from "./net/http-connect-tunnel.js";
 import {
   resetActiveManagedProxyStateForTests,
@@ -193,6 +194,21 @@ describe("connectApnsHttp2Session", () => {
     expect(createConnection?.(new URL("https://api.push.apple.com"), {})).toBe(fakeTlsSocket);
   });
 
+  it("caps oversized managed proxy timeouts before opening the APNs tunnel", async () => {
+    const registration = registerActiveManagedProxyUrl(new URL("https://proxy.example:8443"), {
+      loopbackMode: "gateway-only",
+    });
+    const { connectApnsHttp2Session } = await import("./push-apns-http2.js");
+
+    await connectApnsHttp2Session({
+      authority: "https://api.push.apple.com",
+      timeoutMs: Number.MAX_SAFE_INTEGER,
+    });
+    stopActiveManagedProxyRegistration(registration);
+
+    expect(lastTunnelCall().timeoutMs).toBe(MAX_TIMER_TIMEOUT_MS);
+  });
+
   it("ignores ambient proxy env when managed proxy is inactive", async () => {
     const originalHttpsProxy = process.env["HTTPS_PROXY"];
     process.env["HTTPS_PROXY"] = "http://ambient.example:8080";
@@ -252,6 +268,18 @@ describe("connectApnsHttp2Session", () => {
     expect(fakeSession.close).toHaveBeenCalledOnce();
   });
 
+  it("caps oversized explicit proxy probe timeouts", async () => {
+    const { probeApnsHttp2ReachabilityViaProxy } = await import("./push-apns-http2.js");
+
+    await probeApnsHttp2ReachabilityViaProxy({
+      authority: "https://api.sandbox.push.apple.com",
+      proxyUrl: "http://proxy.example:8080",
+      timeoutMs: Number.MAX_SAFE_INTEGER,
+    });
+
+    expect(lastTunnelCall().timeoutMs).toBe(MAX_TIMER_TIMEOUT_MS);
+  });
+
   it("rejects non-APNs authorities", async () => {
     const { connectApnsHttp2Session, probeApnsHttp2ReachabilityViaProxy } =
       await import("./push-apns-http2.js");
diff --git a/src/infra/push-apns-http2.ts b/src/infra/push-apns-http2.ts
index 9a9891a0d68..d0108585ae6 100644
--- a/src/infra/push-apns-http2.ts
+++ b/src/infra/push-apns-http2.ts
@@ -1,4 +1,5 @@
 import http2 from "node:http2";
+import { resolveTimerTimeoutMs } from "../shared/number-coercion.js";
 import { openHttpConnectTunnel } from "./net/http-connect-tunnel.js";
 import {
   getActiveManagedProxyUrl,
@@ -17,6 +18,7 @@ const APNS_AUTHORITIES = new Set([
 type ApnsAuthority = "https://api.push.apple.com" | "https://api.sandbox.push.apple.com";
 
 export const APNS_HTTP2_CANCEL_CODE = http2.constants.NGHTTP2_CANCEL;
+const APNS_HTTP2_MIN_TIMEOUT_MS = 1000;
 
 export type ConnectApnsHttp2SessionParams = {
   authority: string;
@@ -85,6 +87,7 @@ export async function connectApnsHttp2Session(
   params: ConnectApnsHttp2SessionParams,
 ): Promise<http2.ClientHttp2Session> {
   const authority = assertApnsAuthority(params.authority);
+  const timeoutMs = resolveApnsHttp2TimeoutMs(params.timeoutMs);
   const proxyUrl = getActiveManagedProxyUrl();
   if (!proxyUrl) {
     return http2.connect(authority);
@@ -94,19 +97,24 @@ export async function connectApnsHttp2Session(
     authority,
     proxyUrl,
     proxyTls: getActiveManagedProxyTlsOptions(),
-    timeoutMs: params.timeoutMs,
+    timeoutMs,
   });
 }
 
+function resolveApnsHttp2TimeoutMs(timeoutMs: number): number {
+  return resolveTimerTimeoutMs(timeoutMs, APNS_HTTP2_MIN_TIMEOUT_MS, APNS_HTTP2_MIN_TIMEOUT_MS);
+}
+
 export async function probeApnsHttp2ReachabilityViaProxy(
   params: ProbeApnsHttp2ReachabilityViaProxyParams,
 ): Promise<ProbeApnsHttp2ReachabilityViaProxyResult> {
   const authority = assertApnsAuthority(params.authority);
+  const timeoutMs = resolveApnsHttp2TimeoutMs(params.timeoutMs);
   const session = await openProxiedApnsHttp2Session({
     authority,
     proxyUrl: new URL(params.proxyUrl),
     ...(params.proxyTls ? { proxyTls: params.proxyTls } : {}),
-    timeoutMs: params.timeoutMs,
+    timeoutMs,
   });
 
   try {
@@ -116,10 +124,8 @@ export async function probeApnsHttp2ReachabilityViaProxy(
       let status: number | undefined;
       let responseHeaders: Record<string, string> = {};
       const timeout = setTimeout(() => {
-        fail(
-          new Error(`APNs reachability probe timed out after ${Math.trunc(params.timeoutMs)}ms`),
-        );
-      }, Math.trunc(params.timeoutMs));
+        fail(new Error(`APNs reachability probe timed out after ${timeoutMs}ms`));
+      }, timeoutMs);
       timeout.unref?.();
 
       const cleanup = () => {
diff --git a/src/infra/push-apns.test.ts b/src/infra/push-apns.test.ts
index d735a9014e8..ef0caa783c6 100644
--- a/src/infra/push-apns.test.ts
+++ b/src/infra/push-apns.test.ts
@@ -3,6 +3,7 @@ import { createServer, type Server as HttpServer } from "node:http";
 import http2 from "node:http2";
 import net from "node:net";
 import { afterEach, describe, expect, it, vi } from "vitest";
+import { MAX_TIMER_TIMEOUT_MS } from "../shared/number-coercion.js";
 import { startProxy, stopProxy, type ProxyHandle } from "./net/proxy/proxy-lifecycle.js";
 import {
   sendApnsAlert,
@@ -531,6 +532,30 @@ describe("push APNs send semantics", () => {
     });
   });
 
+  it("caps oversized direct send timeouts", async () => {
+    const { send, registration, auth } = createDirectApnsSendFixture({
+      nodeId: "ios-node-direct-timeout-cap",
+      environment: "sandbox",
+      sendResult: {
+        status: 200,
+        apnsId: "apns-timeout-cap-id",
+        body: "{}",
+      },
+    });
+
+    await sendApnsAlert({
+      registration,
+      nodeId: "ios-node-direct-timeout-cap",
+      title: "Wake",
+      body: "Ping",
+      auth,
+      requestSender: send,
+      timeoutMs: Number.MAX_SAFE_INTEGER,
+    });
+
+    expect(requireSendRequest(send).timeoutMs).toBe(MAX_TIMER_TIMEOUT_MS);
+  });
+
   it("fails closed before sending when direct registrations carry invalid topics", async () => {
     const { send, registration, auth } = createDirectApnsSendFixture({
       nodeId: "ios-node-invalid-topic",
diff --git a/src/infra/push-apns.ts b/src/infra/push-apns.ts
index 772f2ded47b..65d2be7e872 100644
--- a/src/infra/push-apns.ts
+++ b/src/infra/push-apns.ts
@@ -2,6 +2,7 @@ import { createHash, createPrivateKey, sign as signJwt } from "node:crypto";
 import fs from "node:fs/promises";
 import path from "node:path";
 import { resolveStateDir } from "../config/paths.js";
+import { resolveTimerTimeoutMs } from "../shared/number-coercion.js";
 import {
   normalizeLowercaseStringOrEmpty,
   normalizeOptionalString,
@@ -766,9 +767,7 @@ async function sendApnsRequest(params: {
 }
 
 function resolveApnsTimeoutMs(timeoutMs: number | undefined): number {
-  return typeof timeoutMs === "number" && Number.isFinite(timeoutMs)
-    ? Math.max(1000, Math.trunc(timeoutMs))
-    : DEFAULT_APNS_TIMEOUT_MS;
+  return resolveTimerTimeoutMs(timeoutMs, DEFAULT_APNS_TIMEOUT_MS, 1000);
 }
 
 function resolveDirectSendContext(params: {