fix(push): use valid default VAPID subject [AI-assisted]

[IWhatsskill]

Summary

• Problem: Web Push VAPID keys defaulted to mailto:openclaw@localhost, which Apple Web Push rejects for iOS PWA pushes.
• Why it matters: first-install Control UI PWA push can fail before operators know they need an override.
• What changed: the built-in VAPID subject default is now https://openclaw.ai; focused tests and Control UI docs were updated.
• What did NOT change: OPENCLAW_VAPID_SUBJECT still overrides the default, and no new config surface was added.

Change Type

• Bug fix
• Feature
• Refactor required for the fix
• Docs
• Security hardening
• Chore/infra

Scope

• Gateway / orchestration
• Skills / tool execution
• Auth / tokens
• Memory / storage
• Integrations
• API / contracts
• UI / DX
• CI/CD / infra

Linked Issue/PR

• Closes Auto-generated VAPID keys use @localhost subject, breaking Apple Web Push (iOS PWA) #83134
• Related fix(push-web): default VAPID subject to https://openclaw.ai instead of mailto:openclaw@localhost (#83134) #83181
• This PR fixes a bug or regression

Real behavior proof

• Behavior or issue addressed: no-env Web Push VAPID key generation should no longer produce a localhost subject.
• Real environment tested: local OpenClaw checkout on current origin/main, Node 22.
• Exact steps or command run after this patch:

node --import tsx --input-type=module -e "import { resolveVapidKeys } from './src/infra/push-web.ts'; /* run in disposable state with VAPID env vars cleared, then with OPENCLAW_VAPID_SUBJECT set */"

• Evidence after fix:

source: src/infra/push-web.ts
no-env returned subject: https://openclaw.ai
no-env persisted subject: https://openclaw.ai
env override subject: mailto:ops@example.com

• Observed result after fix: the patched OpenClaw source returns and persists an Apple-acceptable https: subject by default, while the env override path still wins.
• What was not tested: I did not send a live Apple Web Push request.
• Before evidence: current main and v2026.5.12 default to mailto:openclaw@localhost, as documented on Auto-generated VAPID keys use @localhost subject, breaking Apple Web Push (iOS PWA) #83134.

Root Cause

• Root cause: the module-private Web Push VAPID fallback subject used a localhost mailbox.
• Missing detection / guardrail: the existing test only required a mailto: subject, so it accepted the invalid localhost default.
• Contributing context: OPENCLAW_VAPID_SUBJECT already existed as an operator override; the broken path was the no-env default.

Regression Test Plan

• Coverage level that should have caught this:
  • Unit test
  • Seam / integration test
  • End-to-end test
  • Existing coverage already sufficient
• Target test or file: src/infra/push-web.test.ts
• Scenario the test should lock in: generated and sent Web Push VAPID details use https://openclaw.ai when no env override is set.
• Why this is the smallest reliable guardrail: the bug is the default subject selected by resolveVapidKeys() and passed to web-push.
• Existing test that already covers this: src/gateway/server-methods/push.test.ts still covers the adjacent push handler path.
• If no new test is added, why not: N/A

User-visible / Behavior Changes

New Web Push VAPID keys generated without OPENCLAW_VAPID_SUBJECT now use https://openclaw.ai instead of mailto:openclaw@localhost.

Diagram

N/A

Security Impact

• New permissions/capabilities? No
• Secrets/tokens handling changed? No
• New/changed network calls? No
• Command/tool execution surface changed? No
• Data access scope changed? No
• If any Yes, explain risk + mitigation: N/A

Repro + Verification

Environment

• OS: local Windows desktop
• Runtime/container: Node 22
• Model/provider: N/A
• Integration/channel: Control UI Web Push
• Relevant config: OPENCLAW_VAPID_* env vars cleared for the default case; OPENCLAW_VAPID_SUBJECT=mailto:ops@example.com for override check

Steps

1. Clear OPENCLAW_VAPID_PUBLIC_KEY, OPENCLAW_VAPID_PRIVATE_KEY, and OPENCLAW_VAPID_SUBJECT.
2. Import resolveVapidKeys() from src/infra/push-web.ts.
3. Resolve keys in a disposable state dir and read the generated push/vapid-keys.json.
4. Set OPENCLAW_VAPID_SUBJECT=mailto:ops@example.com and resolve again.

Expected

• Default returned and persisted subject is a valid non-localhost VAPID subject.
• Env override still wins.

Actual

• Default returned and persisted subject: https://openclaw.ai
• Env override subject: mailto:ops@example.com

Evidence

• Failing test/log before + passing after
• Trace/log snippets
• Screenshot/recording
• Perf numbers

Focused checks:

node scripts/run-vitest.mjs src/infra/push-web.test.ts src/gateway/server-methods/push.test.ts
Test Files  3 passed (3)
Tests  27 passed (27)

git diff --check
clean

Human Verification

• Verified scenarios: default VAPID key generation, persisted subject, direct send VAPID details, env subject override.
• Edge cases checked: no-env default and explicit env override.
• What you did not verify: live Apple Web Push delivery.

Review Conversations

• I replied to or resolved every bot review conversation I addressed in this PR.
• I left unresolved only the conversations that still need reviewer or maintainer judgment.

Compatibility / Migration

• Backward compatible? Yes
• Config/env changes? Yes, the no-env default value changes; no new env var or config key is added.
• Migration needed? No
• If yes, exact upgrade steps: N/A

Risks and Mitigations

• Risk: operators who expected the localhost default value may see a different generated subject.
  • Mitigation: OPENCLAW_VAPID_SUBJECT remains the explicit override for operator-specific subjects.

[clawsweeper]

Codex review: needs maintainer review before merge.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
The PR changes the Web Push VAPID default subject to https://openclaw.ai and updates focused push tests plus the Control UI docs.

Reproducibility: yes. at source level: current main resolves the no-env VAPID subject to mailto:openclaw@localhost and passes it into webPush.setVapidDetails(). I did not independently exercise Apple’s live push endpoint in this read-only review.

PR rating
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🦞 diamond lobster
Summary: Focused, likely mergeable patch with adequate source-level proof and clean review; live Apple endpoint proof remains the main confidence gap.

Rank-up moves:

• Optionally run a redacted live Apple Web Push/iOS PWA send before release if maintainers want endpoint-level proof.

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

Real behavior proof
Sufficient (live_output): The PR body includes after-fix copied Node output from the patched OpenClaw source covering the no-env returned/persisted subject and the env override path.

Risk before merge
Why this matters: - I did not independently run a live Apple Web Push or iOS PWA send; endpoint acceptance is supported by the linked issue's live results, the upstream web-push contract, and contributor-provided Node output.

• The no-env VAPID contact URI changes for existing operators; OPENCLAW_VAPID_SUBJECT remains the explicit customization path for operator-specific subjects.

Maintainer options:

1. Accept the default-subject change
   Merge as-is if maintainers accept changing the no-env VAPID contact URI to the project-owned https://openclaw.ai and relying on the existing env override for custom subjects.
2. Require live Apple proof first
   Ask for a redacted iOS/Safari Web Push send using the patched default before merge if endpoint-level validation is required for this release.
3. Choose a different owned subject
   Pause for a maintainer-selected https: or mailto: subject if https://openclaw.ai is not the desired default contact identity.

Next step before merge
No repair lane is needed; this active focused PR already contains the code/test/docs change and should proceed through normal maintainer merge validation.

Security
Cleared: The diff changes a public VAPID contact URI plus matching tests/docs and does not add dependencies, workflows, secret handling, permissions, or execution paths.

Review details

Best possible solution:

Land the narrow default-subject fix once maintainers accept the project-owned default URI, keeping OPENCLAW_VAPID_SUBJECT as the override and avoiding a new config key in this PR.

Do we have a high-confidence way to reproduce the issue?

Yes at source level: current main resolves the no-env VAPID subject to mailto:openclaw@localhost and passes it into webPush.setVapidDetails(). I did not independently exercise Apple’s live push endpoint in this read-only review.

Is this the best way to solve the issue?

Yes. Replacing the module-private fallback with a stable public https: subject is the narrowest maintainable fix, and the existing OPENCLAW_VAPID_SUBJECT override remains the customization path.

What I checked:

• Current main default and send path: Current main still defines DEFAULT_VAPID_SUBJECT as mailto:openclaw@localhost; resolveVapidSubjectFromEnv() falls back to it, and applyVapidDetails() passes keys.subject into webPush.setVapidDetails(). (src/infra/push-web.ts:39, e3d55188384b)
• Existing tests and docs lock old behavior: The focused tests accept a mailto default and expect mailto:openclaw@localhost for direct sends; the Control UI docs also document that old default. (src/infra/push-web.test.ts:61, e3d55188384b)
• PR diff is narrowly scoped: The PR changes only the default constant, the generated/persisted/direct-send expectations, and the docs line for OPENCLAW_VAPID_SUBJECT. (src/infra/push-web.ts:39, 5bec0069ff33)
• Dependency contract supports the fix direction: web-push 3.6.7 documents setVapidDetails(subject, publicKey, privateKey), expects the subject to be an https: or mailto: URI, and notes Safari rejects localhost VAPID subjects with BadJwtToken; its source validates only https: and mailto: protocols and warns on localhost web URI subjects. (web-push@3.6.7/README.md:255)
• Linked issue and duplicate context: The PR closes the open user report with live Apple endpoint evidence; search found only this open PR and the earlier closed unmerged duplicate for the same default-subject fix.
• Shipped release still has the old default: The latest release tag v2026.5.12 contains the same mailto:openclaw@localhost default, matching the reporter's version. (src/infra/push-web.ts:39, f066dd2f31c2)

Likely related people:

• eduardocruz: Authored the merged Control UI PWA/Web Push PR that added the Web Push server infrastructure, VAPID key generation, tests, and gateway methods. (role: feature introducer; confidence: high; commits: 15437b11538d, 8858c3cf0119, 9eb761a6549f; files: src/infra/push-web.ts, src/infra/push-web.test.ts, src/gateway/server-methods/push.ts)
• BunsDev: Merged the original Web Push PR and authored/co-authored stabilization commits and review comments around the VAPID/send behavior before merge. (role: merger and branch stabilizer; confidence: medium; commits: d3cb046b8a1b, a7b477c92980; files: src/infra/push-web.ts, src/infra/push-web.test.ts, ui/src/ui/push-subscription.ts)
• steipete: Current-main blame and release-tag history carry the Web Push files and docs through the shipped v2026.5.12 state that still contains the old default. (role: recent release and area contributor; confidence: medium; commits: f066dd2f31c2, 47a2efe48390; files: src/infra/push-web.ts, src/infra/push-web.test.ts, docs/web/control-ui.md)

Codex review notes: model gpt-5.5, reasoning high; reviewed against e3d55188384b.

[RomneyDa]

Looks good to me.