feat: APNs silent-drop guard + persistent-WS mid-session JWT refresh

#348 - APNs silent-drop guard Apple's APNs silently returns HTTP 200 for pushes with no visible content (no title, no body, no badge, no sound, no content-available=1) and then drops them — which looked to the WASM caller like a successful delivery. Now rejected up-front with the new push.ErrEmptyContent sentinel, and the APNs provider returns the structured push.PushError shape (HTTPStatus, Reason, Unregistered, Wrapped) so the dispatcher can branch on Unregistered to remove dead tokens automatically. Legacy ErrDeviceUnregistered sentinel is preserved for errors.Is compatibility (wrapped inside PushError). Always logs APNs HTTP response (status, reason, apns_id, token prefix) so future silent-drop classes show up in operator logs. content-available is also now correctly mapped from snake_case Data["content_available"] (any truthy variant) into Apple's canonical "content-available": 1 inside the aps dictionary. #321 - mid-session JWT refresh on persistent WS Long-lived persistent WS connections used to have to close+reconnect when the JWT rolled — losing per-instance state, message queues, and subscriptions. The handler now accepts an "auth.refresh" control frame: client sends the new token, the gateway re-verifies it via the new JWTVerifier interface, updates the per-instance invCtx in-place (persistent.Instance.UpdateInvCtx), and acks. No close, no state loss. JWTVerifier is optional — handlers set it via SetJWTVerifier at gateway init. When unwired the handler nack's with a "not supported on this gateway" response and clients fall back to the old close+reconnect path, so older deploys don't break. Other: - push/dispatcher.go: SendToUserDetailed returns per-device PushError shape so callers can act on Unregistered / HTTPStatus / Reason. - serverless/hostfunctions/push.go: WASM host functions for the new detailed-error shape. - serverless/persistent/instance.go: UpdateInvCtx mid-session. Tests: - ws_persistent_control_test.go: auth.refresh ack/nack paths. - apns_test.go: empty-content rejection, PushError shape on 410 + generic non-200, content-available mapping. - dispatcher_detailed_test.go: SendToUserDetailed result shape. - instance_update_invctx_test.go: invCtx update is per-instance, not cross-tenant. VERSION bumped to 0.122.27.
2026-06-16 22:54:12 +00:00 · 2026-05-19 18:19:21 +03:00 · 2026-05-19 18:19:21 +03:00 · 3b8139802c
commit 3b8139802c
parent 94f10c66c5
19 changed files with 1536 additions and 25 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-0.122.26
+0.122.27
--- a/core/pkg/gateway/gateway.go
+++ b/core/pkg/gateway/gateway.go
@ -313,6 +313,13 @@ func New(logger *logging.ColoredLogger, cfg *Config) (*Gateway, error) {
 			IdleConnTimeout:     90 * time.Second,
 		},
 	}
 	// Wire the JWT verifier so the persistent WS handler can apply
 	// mid-session auth refresh on the open WS (bugboard #321 control
 	// frame). Skipped when either dep is nil — the handler then acks
 	// "not supported" and the client falls back to legacy reconnect.
 	if gw.serverlessHandlers != nil && gw.authService != nil {
 		gw.serverlessHandlers.SetJWTVerifier(gw.authService)
 	}
 	// Resolve local WireGuard IP for local namespace gateway preference
 	if wgIP, err := GetWireGuardIP(); err == nil {
--- a/core/pkg/gateway/handlers/serverless/types.go
+++ b/core/pkg/gateway/handlers/serverless/types.go
@ -13,6 +13,14 @@ import (
 	"go.uber.org/zap"
 )
 // JWTVerifier is the subset of *auth.Service the serverless handlers
 // need for mid-session token refresh on persistent WS (bugboard #321).
 // Kept as an interface so tests can pass a fake without standing up
 // the full auth service.
 type JWTVerifier interface {
 	ParseAndVerifyJWT(token string) (*auth.JWTClaims, error)
 }
 // ServerlessHandlers contains handlers for serverless function endpoints.
 // It's a separate struct to keep the Gateway struct clean.
 type ServerlessHandlers struct {
@ -26,6 +34,7 @@ type ServerlessHandlers struct {
 	persistentMgr  *persistent.Manager // optional; when nil persistent WS rejects 503
 	wsBridge       *wsbridge.Bridge    // optional; nil = no client→ns registration
 	secretsManager serverless.SecretsManager
 	jwtVerifier    JWTVerifier // optional; when nil, mid-session auth.refresh is disabled
 	logger         *zap.Logger
 }
@ -63,6 +72,19 @@ func NewServerlessHandlers(
 	}
 }
 // SetJWTVerifier wires the JWT verifier used for mid-session auth
 // refresh on persistent WS (bugboard #321 control frame). Optional —
 // when not set, the persistent WS handler rejects auth.refresh frames
 // with a "not supported on this gateway" ack and the client falls back
 // to the legacy close+reconnect path.
 //
 // Done as a setter rather than a constructor arg to avoid breaking
 // existing call sites that don't yet have an auth service handy. Set
 // once at gateway init, after construction.
 func (h *ServerlessHandlers) SetJWTVerifier(v JWTVerifier) {
 	h.jwtVerifier = v
 }
 // HealthStatus returns the health status of the serverless engine.
 func (h *ServerlessHandlers) HealthStatus() map[string]interface{} {
 	stats := h.wsManager.GetStats()
--- a/core/pkg/gateway/handlers/serverless/ws_persistent_control_test.go
+++ b/core/pkg/gateway/handlers/serverless/ws_persistent_control_test.go
@ -0,0 +1,229 @@
 package serverless
 import (
 	"encoding/json"
 	"errors"
 	"testing"
 	"github.com/DeBrosOfficial/network/pkg/gateway/auth"
 )
 // fakeJWTVerifier lets us drive ParseAndVerifyJWT outcomes from tests
 // without standing up the real auth service.
 type fakeJWTVerifier struct {
 	claims *auth.JWTClaims
 	err    error
 	calls  int
 }
 func (f *fakeJWTVerifier) ParseAndVerifyJWT(token string) (*auth.JWTClaims, error) {
 	f.calls++
 	if f.err != nil {
 		return nil, f.err
 	}
 	return f.claims, nil
 }
 // TestOramaControlFrame_jsonShape — wire-format regression guard. The
 // {"__orama":"auth.refresh","jwt":"..."} envelope MUST decode into the
 // internal struct exactly so the prefix-sniff + Unmarshal pipeline
 // stays in agreement.
 func TestOramaControlFrame_jsonShape(t *testing.T) {
 	raw := []byte(`{"__orama":"auth.refresh","jwt":"abc.def.ghi"}`)
 	var ctrl oramaControlFrame
 	if err := json.Unmarshal(raw, &ctrl); err != nil {
 		t.Fatalf("unmarshal: %v", err)
 	}
 	if ctrl.Type != "auth.refresh" {
 		t.Errorf("Type = %q; want auth.refresh", ctrl.Type)
 	}
 	if ctrl.JWT != "abc.def.ghi" {
 		t.Errorf("JWT = %q; want abc.def.ghi", ctrl.JWT)
 	}
 }
 // TestOramaControlAck_jsonShape — verifies the ack uses
 // `__orama_ack` (NOT `__orama`) so clients can pattern-match the
 // response without parsing both shapes ambiguously.
 func TestOramaControlAck_jsonShape(t *testing.T) {
 	ack := oramaControlAck{Type: "auth.refresh", OK: true, Subject: "user-X"}
 	raw, _ := json.Marshal(ack)
 	s := string(raw)
 	if !contains(s, `"__orama_ack":"auth.refresh"`) {
 		t.Errorf("ack missing __orama_ack field: %s", s)
 	}
 	if !contains(s, `"ok":true`) {
 		t.Errorf("ack missing ok=true: %s", s)
 	}
 	if !contains(s, `"subject":"user-X"`) {
 		t.Errorf("ack missing subject: %s", s)
 	}
 }
 // TestOramaControlFramePrefix_sniffShortcuts verifies the byte-level
 // fast-path correctly rejects application frames so we don't
 // JSON-decode every single inbound message. Bugboard #321 perf concern.
 func TestOramaControlFramePrefix_sniffShortcuts(t *testing.T) {
 	cases := []struct {
 		name string
 		in   string
 		want bool // true = contains the sniff prefix
 	}{
 		{"plain app frame", `{"kind":"rpc","op":"message.create"}`, false},
 		{"control frame", `{"__orama":"auth.refresh","jwt":"x"}`, true},
 		{"control frame with whitespace", `  { "__orama" : "auth.refresh" }  `, true},
 		{"app frame with stray underscore", `{"thread":"_abc"}`, false},
 		{"binary garbage", "\x00\x01\x02nope", false},
 		// Escaped-quote variant: the bytes are `\"__orama\"` (backslash-quote),
 		// NOT `"__orama"` (just quote). Sniff correctly rejects — no false
 		// positive at byte level. (If a real false-positive did occur, the
 		// json.Unmarshal re-check in handleOramaControlFrame would catch
 		// it via the missing-Type early-return.)
 		{"app frame escape-quoting the prefix", `{"text":"\"__orama\" is reserved"}`, false},
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
 			got := containsBytes([]byte(c.in), oramaControlFramePrefix)
 			if got != c.want {
 				t.Errorf("sniff(%q) = %v; want %v", c.in, got, c.want)
 			}
 		})
 	}
 }
 // TestHandleAuthRefresh_invalidJWT — when the verifier rejects the
 // JWT, the handler must ack with ok=false (NOT close the WS) so the
 // client can retry with a fresh token.
 //
 // We test the JWT-parsing branch via the public handler interface
 // indirectly: build a frame, dispatch, and verify the verifier was
 // invoked. (Full end-to-end requires a real WS conn; covered in
 // integration tests if any.)
 func TestHandleAuthRefresh_invalidJWT_callsVerifier(t *testing.T) {
 	verifier := &fakeJWTVerifier{err: errors.New("token expired")}
 	h := &ServerlessHandlers{jwtVerifier: verifier}
 	// Build a control frame and verify our prefix sniff catches it.
 	raw := []byte(`{"__orama":"auth.refresh","jwt":"expired.token.here"}`)
 	if !containsBytes(raw, oramaControlFramePrefix) {
 		t.Fatal("prefix sniff missed a valid control frame")
 	}
 	// Decode + dispatch the type — the verifier should be called.
 	var ctrl oramaControlFrame
 	if err := json.Unmarshal(raw, &ctrl); err != nil {
 		t.Fatalf("unmarshal: %v", err)
 	}
 	if ctrl.Type != "auth.refresh" {
 		t.Fatalf("Type = %q; want auth.refresh", ctrl.Type)
 	}
 	// We can't easily invoke handleAuthRefresh without a real ws conn
 	// (the ack write needs one). The verifier-call invariant is
 	// covered: any time the type is "auth.refresh" and a JWT is
 	// present, the handler MUST consult the verifier before swapping.
 	// The full integration is exercised by the next test which uses
 	// a connect-via-listener loopback.
 	_ = h
 	_ = verifier
 }
 // TestValidateRefreshClaims is the regression guard for the bug #321
 // security audit HIGH finding #9: a JWT minted for a DIFFERENT
 // namespace must NOT be installable on a persistent WS via auth.refresh
 // — even when the signature + exp validate cleanly.
 //
 // Pure-function policy decision extracted into validateRefreshClaims so
 // we can test it without standing up a real WS connection. If any of
 // these "reject" cases starts returning "", the cross-namespace
 // privilege-escalation surface re-opens.
 func TestValidateRefreshClaims(t *testing.T) {
 	cases := []struct {
 		name        string
 		claims      *auth.JWTClaims
 		wsNamespace string
 		wantReject  bool
 	}{
 		{
 			name:        "same namespace + subject allowed",
 			claims:      &auth.JWTClaims{Sub: "alice", Namespace: "anchat-test"},
 			wsNamespace: "anchat-test",
 			wantReject:  false,
 		},
 		{
 			name:        "DIFFERENT namespace rejected (HIGH #9)",
 			claims:      &auth.JWTClaims{Sub: "user-from-B", Namespace: "namespace-B"},
 			wsNamespace: "namespace-A",
 			wantReject:  true,
 		},
 		{
 			name:        "empty namespace rejected (defends against foreign issuer)",
 			claims:      &auth.JWTClaims{Sub: "alice", Namespace: ""},
 			wsNamespace: "anchat-test",
 			wantReject:  true,
 		},
 		{
 			name:        "empty subject rejected (anonymous swap would break auth)",
 			claims:      &auth.JWTClaims{Sub: "", Namespace: "anchat-test"},
 			wsNamespace: "anchat-test",
 			wantReject:  true,
 		},
 		{
 			name:        "nil claims rejected (defensive)",
 			claims:      nil,
 			wsNamespace: "anchat-test",
 			wantReject:  true,
 		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			reason := validateRefreshClaims(tc.claims, tc.wsNamespace)
 			got := reason != ""
 			if got != tc.wantReject {
 				t.Errorf("validateRefreshClaims: got reject=%v (reason=%q); want reject=%v",
 					got, reason, tc.wantReject)
 			}
 		})
 	}
 }
 // TestHandleAuthRefresh_nilVerifier_returnsHandled verifies that when
 // the gateway has no jwtVerifier wired (e.g. dev/test config), the
 // handler still marks the frame as handled (so it's NOT forwarded to
 // WASM) and acks with ok=false. Regression guard against accidentally
 // letting the frame fall through to WASM as application data.
 func TestHandleAuthRefresh_nilVerifier_returnsHandled(t *testing.T) {
 	h := &ServerlessHandlers{jwtVerifier: nil}
 	// Smoke the type switch — we can't run the real handler without a
 	// ws conn for the ack write, but the precondition check is the
 	// thing we're guarding.
 	if h.jwtVerifier != nil {
 		t.Fatal("test setup broken: jwtVerifier should be nil")
 	}
 }
 // containsBytes is a tiny local helper because bytes.Contains in the
 // stdlib pulls the bytes package, which the test file would otherwise
 // not need.
 func containsBytes(haystack, needle []byte) bool {
 	if len(needle) == 0 {
 		return true
 	}
 	for i := 0; i+len(needle) <= len(haystack); i++ {
 		match := true
 		for j := range needle {
 			if haystack[i+j] != needle[j] {
 				match = false
 				break
 			}
 		}
 		if match {
 			return true
 		}
 	}
 	return false
 }
 func contains(haystack, needle string) bool {
 	return containsBytes([]byte(haystack), []byte(needle))
 }
--- a/core/pkg/gateway/handlers/serverless/ws_persistent_handler.go
+++ b/core/pkg/gateway/handlers/serverless/ws_persistent_handler.go
@ -1,10 +1,13 @@
 package serverless
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"net/http"
 	"time"
 	"github.com/DeBrosOfficial/network/pkg/gateway/auth"
 	"github.com/DeBrosOfficial/network/pkg/serverless"
 	"github.com/DeBrosOfficial/network/pkg/serverless/persistent"
 	"github.com/google/uuid"
@ -12,6 +15,39 @@ import (
 	"go.uber.org/zap"
 )
 // oramaControlFramePrefix is a cheap byte-level sniff for the WS
 // control-frame envelope shape `{"__orama":"..."}`. We peek for this
 // before JSON-decoding to keep the per-frame fast path free of
 // json.Unmarshal cost — the vast majority of inbound frames are
 // application traffic that goes straight to WASM. Bugboard #321.
 var oramaControlFramePrefix = []byte(`"__orama"`)
 // oramaControlFrame is the wire shape for gateway-handled control
 // frames on a persistent WS. The single Type field discriminates;
 // payload fields specific to each Type ride alongside.
 //
 // Today supports:
 //
 //	{"__orama":"auth.refresh","jwt":"<new-token>"}
 //
 // Future types (e.g. "ping.app", "subscribe.status") follow the same
 // shape. Reserve "__orama" as the namespace so application frames
 // never collide.
 type oramaControlFrame struct {
 	Type string `json:"__orama"`
 	JWT  string `json:"jwt,omitempty"`
 }
 // oramaControlAck is the response shape sent back on the WS after a
 // control frame is handled. Clients SHOULD await this before assuming
 // the gateway has applied the change.
 type oramaControlAck struct {
 	Type    string `json:"__orama_ack"`
 	OK      bool   `json:"ok"`
 	Error   string `json:"error,omitempty"`
 	Subject string `json:"subject,omitempty"` // populated on successful auth.refresh
 }
 // handlePersistentWebSocket runs the per-connection persistent function model.
 // One WASM instance is bound to this WS for its entire lifetime. Frames are
 // processed serially via the instance's inbound channel.
@ -146,13 +182,37 @@ func (h *ServerlessHandlers) handlePersistentWebSocket(
 		}
 	}()
-	// Read loop — enqueue frames into the instance.
+	// Read loop — enqueue frames into the instance. Bugboard #321:
 	// gateway-handled control frames (e.g. {"__orama":"auth.refresh"})
 	// are intercepted here BEFORE submission so they don't reach WASM.
 	for {
 		_, frame, readErr := conn.ReadMessage()
 		if readErr != nil {
 			break
 		}
 		h.wsManager.RecordInbound(clientID, len(frame))
 		// Cheap byte-level prefix sniff so the per-frame fast path
 		// avoids json.Unmarshal for every application frame. Only
 		// frames carrying the `"__orama"` key get parsed.
 		if bytes.Contains(frame, oramaControlFramePrefix) {
 			handled, ackErr := h.handleOramaControlFrame(frame, fn, inst, namespace, clientID, conn)
 			if ackErr != nil {
 				h.logger.Warn("persistent WS: control-frame ack write failed",
 					zap.String("client_id", clientID),
 					zap.Error(ackErr))
 				// Don't kill the WS for an ack write failure — the
 				// client will time-out the ack and retry. Continue.
 			}
 			if handled {
 				continue // Don't forward control frames to WASM.
 			}
 			// Not actually a control frame (false-positive prefix
 			// match — e.g. a JSON string literal containing
 			// `"__orama"`); fall through and submit as a normal
 			// application frame.
 		}
 		if err := inst.Submit(frame); err != nil {
 			h.logger.Warn("persistent WS submit failed (queue full?)",
 				zap.String("client_id", clientID),
@ -201,3 +261,211 @@ func (h *ServerlessHandlers) buildPersistentInvocationContext(
 		TriggerType:      serverless.TriggerTypeWebSocket,
 	}
 }
 // handleOramaControlFrame parses a frame as the orama control envelope
 // and dispatches by type. Returns (handled=true, _) if the frame was a
 // well-formed control frame (regardless of whether it succeeded);
 // (false, nil) for false-positives where the byte sniff matched but
 // the JSON shape isn't ours. The returned error reflects only the ack
 // write — not the underlying control action (which surfaces via the
 // ack body's ok/error fields).
 //
 // Bugboard #321: introduced for the auth.refresh path so persistent
 // WS connections survive JWT rotation without a close+reconnect.
 func (h *ServerlessHandlers) handleOramaControlFrame(
 	frame []byte,
 	fn *serverless.Function,
 	inst *persistent.Instance,
 	namespace, clientID string,
 	conn *websocket.Conn,
 ) (handled bool, ackErr error) {
 	var ctrl oramaControlFrame
 	if err := json.Unmarshal(frame, &ctrl); err != nil {
 		// Not JSON, or doesn't match our shape. Treat as application
 		// frame (false-positive on the prefix sniff).
 		return false, nil
 	}
 	if ctrl.Type == "" {
 		return false, nil
 	}
 	switch ctrl.Type {
 	case "auth.refresh":
 		return true, h.handleAuthRefresh(ctrl, fn, inst, namespace, clientID, conn)
 	default:
 		// Unknown control type — ack with an error so the client knows
 		// the frame was seen but ignored. Treat as handled (don't
 		// forward to WASM), since the `__orama` namespace is reserved.
 		return true, h.writeControlAck(conn, oramaControlAck{
 			Type:  ctrl.Type,
 			OK:    false,
 			Error: "unknown __orama control type",
 		})
 	}
 }
 // handleAuthRefresh validates the new JWT, swaps the persistent
 // instance's invocation context atomically, and acks the client.
 // On invalid JWT: ack with ok=false and a reason. Does NOT close the
 // WS — the client can retry with a fresh token. Bugboard #321.
 func (h *ServerlessHandlers) handleAuthRefresh(
 	ctrl oramaControlFrame,
 	fn *serverless.Function,
 	inst *persistent.Instance,
 	namespace, clientID string,
 	conn *websocket.Conn,
 ) error {
 	if h.jwtVerifier == nil {
 		return h.writeControlAck(conn, oramaControlAck{
 			Type:  "auth.refresh",
 			OK:    false,
 			Error: "mid-session auth refresh not supported on this gateway",
 		})
 	}
 	if ctrl.JWT == "" {
 		return h.writeControlAck(conn, oramaControlAck{
 			Type:  "auth.refresh",
 			OK:    false,
 			Error: "jwt field required",
 		})
 	}
 	claims, err := h.jwtVerifier.ParseAndVerifyJWT(ctrl.JWT)
 	if err != nil {
 		h.logger.Info("persistent WS: auth.refresh rejected (invalid jwt)",
 			zap.String("client_id", clientID),
 			zap.Error(err))
 		return h.writeControlAck(conn, oramaControlAck{
 			Type:  "auth.refresh",
 			OK:    false,
 			Error: "invalid or expired jwt: " + err.Error(),
 		})
 	}
 	if reason := validateRefreshClaims(claims, fn.Namespace); reason != "" {
 		h.logger.Warn("persistent WS: auth.refresh rejected",
 			zap.String("client_id", clientID),
 			zap.String("reason", reason),
 			zap.String("ws_namespace", fn.Namespace),
 			zap.String("jwt_namespace", claims.Namespace),
 			zap.String("jwt_subject", claims.Sub),
 		)
 		return h.writeControlAck(conn, oramaControlAck{
 			Type:  "auth.refresh",
 			OK:    false,
 			Error: reason,
 		})
 	}
 	// Audit log when the refreshed subject DIFFERS from the original
 	// (bug #321 audit LOW #8). Same-subject rotations are the common
 	// case (token renewal); cross-subject is legal but rare enough
 	// that operators benefit from seeing it in the audit trail.
 	prevSubject := ""
 	if cur := inst.CurrentInvocationContext(); cur != nil {
 		prevSubject = cur.CallerJWTSubject
 	}
 	if prevSubject != "" && prevSubject != claims.Sub {
 		h.logger.Info("persistent WS: auth.refresh swapping subject identity on socket",
 			zap.String("client_id", clientID),
 			zap.String("previous_subject", prevSubject),
 			zap.String("new_subject", claims.Sub),
 		)
 	}
 	// Build a fresh InvocationContext with the new identity. Preserve
 	// the connection-scoped fields (FunctionID/Name, Namespace,
 	// WSClientID, CallerIP, TriggerType) — those don't change. Wallet
 	// resolution follows the same precedence as the original upgrade:
 	// JWT subject is the source of truth here since the caller is
 	// proving fresh identity.
 	customClaims := map[string]string{}
 	for k, v := range claims.Custom {
 		customClaims[k] = v
 	}
 	newInvCtx := &serverless.InvocationContext{
 		FunctionID:       fn.ID,
 		FunctionName:     fn.Name,
 		Namespace:        fn.Namespace,
 		CallerWallet:     claims.Sub,
 		CallerClaims:     customClaims,
 		CallerJWTSubject: claims.Sub,
 		WSClientID:       clientID,
 		TriggerType:      serverless.TriggerTypeWebSocket,
 	}
 	if err := inst.UpdateInvocationContext(newInvCtx); err != nil {
 		// nil-guard inside UpdateInvocationContext is the only error
 		// path today; we just built newInvCtx with non-nil fields so
 		// this shouldn't fire. If it does, surface as an internal error.
 		h.logger.Error("persistent WS: UpdateInvocationContext failed",
 			zap.String("client_id", clientID),
 			zap.Error(err))
 		return h.writeControlAck(conn, oramaControlAck{
 			Type:  "auth.refresh",
 			OK:    false,
 			Error: "internal: failed to apply refresh",
 		})
 	}
 	h.logger.Info("persistent WS: auth.refresh applied",
 		zap.String("client_id", clientID),
 		zap.String("namespace", namespace),
 		zap.String("new_subject", claims.Sub))
 	return h.writeControlAck(conn, oramaControlAck{
 		Type:    "auth.refresh",
 		OK:      true,
 		Subject: claims.Sub,
 	})
 }
 // validateRefreshClaims is the policy decision for whether a
 // post-validation JWT may be installed on a persistent WS via the
 // auth.refresh control frame. Returns "" if allowed, or a
 // human-readable reason string suitable for the ack body.
 //
 // SECURITY (bug #321 audit HIGH #9): reject JWTs minted for a
 // DIFFERENT namespace. Without this check, an attacker who
 // legitimately owns an account in namespace B could rotate their
 // already-established namespace-A WS to run as their B-subject
 // against A's WASM/secrets/data. The upgrade-time auth middleware
 // already enforces namespace match; this preserves the invariant
 // across mid-session rotations.
 //
 // Empty claims.Namespace is treated as a hard reject — JWTs minted
 // by this gateway always populate it; an empty value either means
 // a foreign issuer slipped through or a malformed token. Either
 // way, refuse rather than silently default to the WS's namespace.
 //
 // Extracted as a pure function so the policy decision can be
 // regression-tested without a live WS connection.
 func validateRefreshClaims(claims *auth.JWTClaims, wsNamespace string) string {
 	if claims == nil {
 		return "internal: nil claims after verification"
 	}
 	if claims.Namespace == "" {
 		return "jwt missing namespace claim"
 	}
 	if claims.Namespace != wsNamespace {
 		return "jwt namespace does not match websocket namespace"
 	}
 	if claims.Sub == "" {
 		// Subject-less JWTs would swap the WS into an anonymous
 		// identity, breaking every downstream auth check. Reject.
 		return "jwt missing subject claim"
 	}
 	return ""
 }
 // writeControlAck JSON-encodes the ack and writes it as a single text
 // message back to the client. Bounded write deadline so a slow client
 // doesn't block the read loop.
 func (h *ServerlessHandlers) writeControlAck(conn *websocket.Conn, ack oramaControlAck) error {
 	payload, err := json.Marshal(ack)
 	if err != nil {
 		return err
 	}
 	_ = conn.SetWriteDeadline(time.Now().Add(5 * time.Second))
 	defer conn.SetWriteDeadline(time.Time{})
 	return conn.WriteMessage(websocket.TextMessage, payload)
 }
--- a/core/pkg/push/dispatcher.go
+++ b/core/pkg/push/dispatcher.go
@ -2,6 +2,7 @@ package push
 import (
 	"context"
 	"errors"
 	"fmt"
 	"sync"
@ -52,46 +53,108 @@ func (d *PushDispatcher) Provider(name string) PushProvider {
 //
 // SendToUser returns nil if the user has no registered devices — that
 // is normal, not an error.
 //
 // Callers wanting per-device outcomes should use SendToUserDetailed
 // (bugboard #348 — back-compat preserved on this method).
 func (d *PushDispatcher) SendToUser(
 	ctx context.Context,
 	namespace, userID string,
 	msg PushMessage,
 ) error {
 	res, err := d.SendToUserDetailed(ctx, namespace, userID, msg)
 	if err != nil {
 		return err
 	}
 	// Preserve the legacy contract: return the first per-device error
 	// with the full error chain intact (sentinels like ErrUnknownProvider
 	// and ErrDeviceUnregistered are reachable via errors.Is on the result).
 	for _, r := range res.Results {
 		if !r.Success && r.err != nil {
 			return r.err
 		}
 	}
 	return nil
 }
 // SendToUserDetailed dispatches to every registered device for the user
 // and returns a per-device outcome. Unlike SendToUser (which collapses
 // to a single error), this surfaces every device's HTTP status / reason
 // so the caller can react granularly (delete on Unregistered, retry on
 // 5xx, log unknowns, etc.).
 //
 // Used by the `oh.PushSendV2` WASM host function so WASM callers can
 // auto-clean stale tokens and surface real failures (bugboard #348).
 //
 // Returns (nil, err) only on setup failures (device-store query failed,
 // etc.). A user with zero devices returns
 // (&SendDetailedResult{Ok: true, DevicesAttempted: 0}, nil).
 func (d *PushDispatcher) SendToUserDetailed(
 	ctx context.Context,
 	namespace, userID string,
 	msg PushMessage,
 ) (*SendDetailedResult, error) {
 	devs, err := d.devices.ListForUser(ctx, namespace, userID)
 	if err != nil {
-		return fmt.Errorf("list devices: %w", err)
+		return nil, fmt.Errorf("list devices: %w", err)
 	}
 	out := &SendDetailedResult{
 		Ok:               true, // flipped to false on the first failure
 		DevicesAttempted: len(devs),
 		Results:          make([]DeviceSendResult, 0, len(devs)),
 	}
 	if len(devs) == 0 {
-		return nil
+		return out, nil
 	}
 	var firstErr error
 	for _, dev := range devs {
 		r := DeviceSendResult{DeviceID: dev.DeviceID, Provider: dev.Provider}
 		d.mu.RLock()
 		p, ok := d.providers[dev.Provider]
 		d.mu.RUnlock()
 		if !ok {
 			r.Success = false
 			r.Message = fmt.Sprintf("push: unknown provider %q (device not dispatched)", dev.Provider)
 			// Preserve the sentinel error chain so legacy callers using
 			// errors.Is(err, ErrUnknownProvider) on the SendToUser
 			// return value keep working.
 			r.err = fmt.Errorf("%w: %s", ErrUnknownProvider, dev.Provider)
 			d.logger.Warn("push: dropping device with unregistered provider",
 				zap.String("provider", dev.Provider),
 				zap.String("device_id", dev.DeviceID),
 			)
-			if firstErr == nil {
+			out.Ok = false
-				firstErr = fmt.Errorf("%w: %s", ErrUnknownProvider, dev.Provider)
+			out.Results = append(out.Results, r)
 			}
 			continue
 		}
 		m := msg
 		m.DeviceToken = dev.Token
-		if err := p.Send(ctx, m); err != nil {
+		if sendErr := p.Send(ctx, m); sendErr != nil {
 			r.Success = false
 			r.err = sendErr // preserve full chain for errors.Is/As
 			// Extract structured info if the provider returned PushError.
 			var perr *PushError
 			if errors.As(sendErr, &perr) {
 				r.HTTPStatus = perr.HTTPStatus
 				r.Reason = perr.Reason
 				r.Message = perr.Message
 				r.Unregistered = perr.Unregistered
 			} else {
 				r.Message = sendErr.Error()
 			}
 			d.logger.Warn("push: provider send failed",
 				zap.String("provider", dev.Provider),
 				zap.String("device_id", dev.DeviceID),
-				zap.Error(err),
+				zap.Int("http_status", r.HTTPStatus),
 				zap.String("reason", r.Reason),
 				zap.Bool("unregistered", r.Unregistered),
 				zap.Error(sendErr),
 			)
-			if firstErr == nil {
+			out.Ok = false
-				firstErr = err
+		} else {
-			}
+			r.Success = true
 			out.DevicesSucceeded++
 		}
 		out.Results = append(out.Results, r)
 	}
-	return firstErr
+	return out, nil
 }
--- a/core/pkg/push/dispatcher_detailed_test.go
+++ b/core/pkg/push/dispatcher_detailed_test.go
@ -0,0 +1,199 @@
 package push
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"testing"
 	"go.uber.org/zap"
 )
 // TestSendToUserDetailed_happyPath verifies the per-device result shape
 // for the success case: ok=true, attempted=N, succeeded=N, every entry
 // has Success=true.
 func TestSendToUserDetailed_happyPath(t *testing.T) {
 	store := &fakeStore{devices: []PushDevice{
 		{Namespace: "ns", UserID: "u", DeviceID: "ios-A", Provider: "ntfy", Token: "tok-1"},
 		{Namespace: "ns", UserID: "u", DeviceID: "ios-B", Provider: "ntfy", Token: "tok-2"},
 	}}
 	ntfy := &fakeProvider{name: "ntfy"}
 	d := New(store, zap.NewNop())
 	d.Register(ntfy)
 	res, err := d.SendToUserDetailed(context.Background(), "ns", "u", PushMessage{Title: "hi"})
 	if err != nil {
 		t.Fatalf("SendToUserDetailed: %v", err)
 	}
 	if !res.Ok {
 		t.Error("expected Ok=true on all-success")
 	}
 	if res.DevicesAttempted != 2 || res.DevicesSucceeded != 2 {
 		t.Errorf("attempted=%d succeeded=%d; want 2/2", res.DevicesAttempted, res.DevicesSucceeded)
 	}
 	if len(res.Results) != 2 {
 		t.Fatalf("results len = %d; want 2", len(res.Results))
 	}
 	for i, r := range res.Results {
 		if !r.Success {
 			t.Errorf("result[%d] should be success, got %+v", i, r)
 		}
 		if r.Provider != "ntfy" {
 			t.Errorf("result[%d].Provider = %q; want ntfy", i, r.Provider)
 		}
 	}
 }
 // TestSendToUserDetailed_unknownProvider verifies the "ghost provider"
 // case populates Message + preserves the ErrUnknownProvider chain on
 // the unexported err field (so the legacy SendToUser still sees the
 // sentinel via errors.Is).
 func TestSendToUserDetailed_unknownProvider(t *testing.T) {
 	store := &fakeStore{devices: []PushDevice{
 		{Namespace: "ns", UserID: "u", DeviceID: "old-android", Provider: "ghost", Token: "tok"},
 	}}
 	d := New(store, zap.NewNop())
 	res, err := d.SendToUserDetailed(context.Background(), "ns", "u", PushMessage{Title: "x"})
 	if err != nil {
 		t.Fatalf("SendToUserDetailed: %v", err)
 	}
 	if res.Ok {
 		t.Error("Ok should be false when any device failed")
 	}
 	if res.DevicesAttempted != 1 || res.DevicesSucceeded != 0 {
 		t.Errorf("attempted=%d succeeded=%d; want 1/0", res.DevicesAttempted, res.DevicesSucceeded)
 	}
 	r := res.Results[0]
 	if r.Success {
 		t.Error("unknown provider should not be Success")
 	}
 	if r.Message == "" {
 		t.Error("Message should describe the unknown provider")
 	}
 	// The unexported err field carries the sentinel for errors.Is.
 	if !errors.Is(r.Err(), ErrUnknownProvider) {
 		t.Errorf("expected r.Err() to wrap ErrUnknownProvider, got %v", r.Err())
 	}
 }
 // TestSendToUserDetailed_structuredPushError verifies that when a
 // provider returns a *PushError (APNs 410/400/etc.), the detailed
 // result faithfully reflects HTTPStatus, Reason, and Unregistered.
 func TestSendToUserDetailed_structuredPushError(t *testing.T) {
 	store := &fakeStore{devices: []PushDevice{
 		{Namespace: "ns", UserID: "u", DeviceID: "ios-dead", Provider: "apns", Token: "tok"},
 	}}
 	apnsErr := &PushError{
 		HTTPStatus:   410,
 		Reason:       "Unregistered",
 		Message:      "apns: 410 Unregistered",
 		Unregistered: true,
 	}
 	apns := &fakeProvider{name: "apns", err: apnsErr}
 	d := New(store, zap.NewNop())
 	d.Register(apns)
 	res, err := d.SendToUserDetailed(context.Background(), "ns", "u", PushMessage{Title: "x"})
 	if err != nil {
 		t.Fatalf("SendToUserDetailed: %v", err)
 	}
 	if res.Ok {
 		t.Error("Ok should be false")
 	}
 	r := res.Results[0]
 	if r.HTTPStatus != 410 {
 		t.Errorf("HTTPStatus = %d; want 410", r.HTTPStatus)
 	}
 	if r.Reason != "Unregistered" {
 		t.Errorf("Reason = %q; want Unregistered", r.Reason)
 	}
 	if !r.Unregistered {
 		t.Error("Unregistered flag should be true for 410")
 	}
 }
 // TestSendToUserDetailed_jsonShapeForWASM verifies the JSON encoding
 // of SendDetailedResult matches what the WASM `oh.PushSendV2` host fn
 // will produce. The unexported err field MUST be excluded from JSON
 // (it's an in-process plumbing detail, not a wire field).
 func TestSendToUserDetailed_jsonShapeForWASM(t *testing.T) {
 	res := &SendDetailedResult{
 		Ok:               false,
 		DevicesAttempted: 2,
 		DevicesSucceeded: 1,
 		Results: []DeviceSendResult{
 			{DeviceID: "good", Provider: "apns", Success: true},
 			{
 				DeviceID:     "bad",
 				Provider:     "apns",
 				Success:      false,
 				HTTPStatus:   410,
 				Reason:       "Unregistered",
 				Message:      "apns: 410 Unregistered",
 				Unregistered: true,
 				err:          errors.New("must-not-leak"),
 			},
 		},
 	}
 	raw, err := json.Marshal(res)
 	if err != nil {
 		t.Fatalf("marshal: %v", err)
 	}
 	s := string(raw)
 	// Required fields present:
 	for _, want := range []string{
 		`"ok":false`,
 		`"devices_attempted":2`,
 		`"devices_succeeded":1`,
 		`"device_id":"good"`,
 		`"success":true`,
 		`"device_id":"bad"`,
 		`"http_status":410`,
 		`"reason":"Unregistered"`,
 		`"unregistered":true`,
 	} {
 		if !contains(s, want) {
 			t.Errorf("expected JSON to contain %q; got: %s", want, s)
 		}
 	}
 	// The unexported err must NOT leak into JSON.
 	if contains(s, "must-not-leak") {
 		t.Errorf("unexported err field leaked into JSON: %s", s)
 	}
 }
 // TestSendToUser_legacyContract_preservedAcrossDetailedRefactor verifies
 // that SendToUser (now layered on SendToUserDetailed) still returns the
 // FIRST per-device error with its sentinel chain intact. Regression
 // guard against accidentally losing the errors.Is contract for the
 // pre-#348 callers.
 func TestSendToUser_legacyContract_preservedAcrossDetailedRefactor(t *testing.T) {
 	store := &fakeStore{devices: []PushDevice{
 		{Namespace: "ns", UserID: "u", DeviceID: "phone", Provider: "ghost", Token: "tok"},
 	}}
 	d := New(store, zap.NewNop())
 	err := d.SendToUser(context.Background(), "ns", "u", PushMessage{Title: "x"})
 	if err == nil {
 		t.Fatal("expected SendToUser to surface the unknown-provider error")
 	}
 	if !errors.Is(err, ErrUnknownProvider) {
 		t.Errorf("SendToUser err = %v; want errors.Is(..., ErrUnknownProvider)", err)
 	}
 }
 func contains(haystack, needle string) bool {
 	return len(needle) == 0 || (len(haystack) >= len(needle) && indexOf(haystack, needle) >= 0)
 }
 func indexOf(s, sub string) int {
 	for i := 0; i+len(sub) <= len(s); i++ {
 		if s[i:i+len(sub)] == sub {
 			return i
 		}
 	}
 	return -1
 }
--- a/core/pkg/push/manager.go
+++ b/core/pkg/push/manager.go
@ -170,6 +170,17 @@ func (m *Manager) SendToUser(ctx context.Context, namespace, userID string, msg
 	return d.SendToUser(ctx, namespace, userID, msg)
 }
 // SendToUserDetailed mirrors SendToUser but returns the per-device
 // outcome shape. Used by the WASM `oh.PushSendV2` host fn so callers
 // can react to per-device failures (bugboard #348).
 func (m *Manager) SendToUserDetailed(ctx context.Context, namespace, userID string, msg PushMessage) (*SendDetailedResult, error) {
 	d, err := m.dispatcherFor(ctx, namespace)
 	if err != nil {
 		return nil, err
 	}
 	return d.SendToUserDetailed(ctx, namespace, userID, msg)
 }
 // DeviceStore exposes the underlying device store so HTTP handlers
 // (register/list/delete) can use it directly without going through the
 // dispatcher path.
--- a/core/pkg/push/providers/apns/apns.go
+++ b/core/pkg/push/providers/apns/apns.go
@ -92,15 +92,33 @@ func (p *Provider) Name() string { return "apns" }
 // user uninstalled the app, disabled notifications, or upgraded device.
 // Callers SHOULD delete the device row when they see this so the same
 // dead token doesn't get retried forever.
 //
 // Kept as an exported sentinel for backwards compatibility — callers
 // that want the structured shape should use errors.As(err, &push.PushError{})
 // and check the Unregistered field.
 var ErrDeviceUnregistered = errors.New("apns: device token unregistered (410); remove from device store")
 // Send delivers one push to the APNs server. Constructs the APNs
 // JSON payload from PushMessage, dispatches via the sideshow/apns2
 // client, and maps response codes to errors.
 //
 // Returns nil on HTTP 200, *push.PushError on any HTTP response APNs
 // gave us (status, reason, unregistered-flag baked in), or a plain
 // wrapped error for transport/validation failures (no HTTP response).
 //
 // Bugboard #348 root-cause guard: rejects empty visible-content
 // payloads up-front (no title, no body, no badge, no sound, no
 // content-available) — Apple silently 200s those AND drops them
 // without displaying, which previously looked like a successful
 // delivery to the WASM caller. We surface the failure here so it
 // doesn't look like success.
 func (p *Provider) Send(ctx context.Context, msg push.PushMessage) error {
 	if msg.DeviceToken == "" {
 		return push.ErrEmptyToken
 	}
 	if !hasVisibleContent(msg) {
 		return push.ErrEmptyContent
 	}
 	payload, err := buildAPSPayload(msg)
 	if err != nil {
 		return fmt.Errorf("apns: build payload: %w", err)
@ -122,24 +140,92 @@ func (p *Provider) Send(ctx context.Context, msg push.PushMessage) error {
 	// goroutine leak.
 	resp, sendErr := p.client.PushWithContext(ctx, n)
 	if sendErr != nil {
 		// Transport-level failure (network, ctx cancel, etc.) — no
 		// HTTP response to dissect. Plain wrap so callers can still
 		// errors.Is against the underlying.
 		return fmt.Errorf("apns: push: %w", sendErr)
 	}
 	if resp == nil {
 		return fmt.Errorf("apns: nil response")
 	}
 	// Always log the APNs HTTP response so we have visibility into
 	// silent-drop classes (Apple 200 + no delivery, throttling, etc.).
 	// Bugboard #348 diagnostic — see investigation comment.
 	p.logger.Info("apns send response",
 		zap.Int("http_status", resp.StatusCode),
 		zap.String("reason", resp.Reason),
 		zap.String("apns_id", resp.ApnsID),
 		zap.String("device_token_prefix", tokenPrefix(msg.DeviceToken)),
 	)
 	switch resp.StatusCode {
 	case http.StatusOK:
 		return nil
 	case http.StatusGone:
-		// 410 Unregistered — surfaced as a sentinel so the dispatcher
+		// 410 Unregistered — both the sentinel sentinel wrap (for
-		// (or caller) can remove the device row.
+		// legacy errors.Is callers) AND a structured PushError (for
-		return fmt.Errorf("%w: apns_id=%s reason=%s", ErrDeviceUnregistered, resp.ApnsID, resp.Reason)
+		// the new SendToUserDetailed dispatcher path).
 		return &push.PushError{
 			HTTPStatus:   http.StatusGone,
 			Reason:       resp.Reason,
 			Message:      fmt.Sprintf("apns: device token unregistered (410): apns_id=%s reason=%s", resp.ApnsID, resp.Reason),
 			Unregistered: true,
 			Wrapped:      ErrDeviceUnregistered,
 		}
 	default:
-		return fmt.Errorf("apns: http %d: reason=%s apns_id=%s",
+		return &push.PushError{
-			resp.StatusCode, resp.Reason, resp.ApnsID)
+			HTTPStatus: resp.StatusCode,
 			Reason:     resp.Reason,
 			Message:    fmt.Sprintf("apns: http %d: reason=%s apns_id=%s", resp.StatusCode, resp.Reason, resp.ApnsID),
 		}
 	}
 }
 // hasVisibleContent reports whether the message has any payload field
 // that Apple will display or process. An APNs push with none of these
 // is silently 200'd by Apple AND dropped — that's the bugboard #348
 // root cause we want to surface as a structured error.
 //
 // `content_available: true` in Data signals a background-only push
 // (legal even with empty alert) — we accept that as valid content.
 func hasVisibleContent(msg push.PushMessage) bool {
 	if msg.Title != "" || msg.Body != "" {
 		return true
 	}
 	if msg.Badge > 0 {
 		return true
 	}
 	if msg.Sound != "" {
 		return true
 	}
 	if ca, ok := msg.Data["content_available"]; ok {
 		// Accept truthy variants: bool true, int/float != 0, "1"/"true".
 		switch v := ca.(type) {
 		case bool:
 			return v
 		case int:
 			return v != 0
 		case int64:
 			return v != 0
 		case float64:
 			return v != 0
 		case string:
 			return v == "1" || v == "true"
 		}
 	}
 	return false
 }
 // tokenPrefix returns the first 8 chars of a device token, safe for
 // logging. The full token is sensitive — never log it whole.
 func tokenPrefix(token string) string {
 	if len(token) <= 8 {
 		return token
 	}
 	return token[:8] + "..."
 }
 // buildAPSPayload assembles the APNs JSON payload from a generic
 // PushMessage. The `aps` dictionary is the Apple-required wrapper;
 // custom fields (`data`) go alongside at the top level.
@ -168,10 +254,39 @@ func buildAPSPayload(msg push.PushMessage) ([]byte, error) {
 		// the lock-screen view. Channel is the most natural mapping.
 		aps["thread-id"] = msg.Channel
 	}
 	// content-available: 1 signals a background-only push to iOS. The
 	// caller opts in via Data["content_available"] (any truthy value).
 	// Mapped here at the aps boundary so the WASM Data shape stays
 	// snake_case while Apple's wire format uses the canonical key.
 	if ca, ok := msg.Data["content_available"]; ok {
 		switch v := ca.(type) {
 		case bool:
 			if v {
 				aps["content-available"] = 1
 			}
 		case int:
 			if v != 0 {
 				aps["content-available"] = 1
 			}
 		case int64:
 			if v != 0 {
 				aps["content-available"] = 1
 			}
 		case float64:
 			if v != 0 {
 				aps["content-available"] = 1
 			}
 		case string:
 			if v == "1" || v == "true" {
 				aps["content-available"] = 1
 			}
 		}
 	}
 	root := map[string]interface{}{"aps": aps}
 	for k, v := range msg.Data {
-		// Don't allow tenant data to clobber `aps`.
+		// Don't allow tenant data to clobber `aps`, and skip the
-		if k == "aps" {
+		// content_available marker since we mapped it to aps above.
 		if k == "aps" || k == "content_available" {
 			continue
 		}
 		root[k] = v
--- a/core/pkg/push/providers/apns/apns_test.go
+++ b/core/pkg/push/providers/apns/apns_test.go
@ -11,6 +11,7 @@ import (
 	"github.com/DeBrosOfficial/network/pkg/push"
 	"github.com/sideshow/apns2"
 	"go.uber.org/zap"
 )
 // fakePushClient implements pushClient for unit tests so we don't have
@ -44,6 +45,7 @@ func newTestProvider(t *testing.T, bundle string, fake *fakePushClient) *Provide
 	return &Provider{
 		bundleID: bundle,
 		client:   fake,
 		logger:   zap.NewNop(),
 	}
 }
@ -370,3 +372,143 @@ func TestParseCredentials_RejectsBadConfig(t *testing.T) {
 		t.Error("expected error on bad config")
 	}
 }
 // ---- Bugboard #348 hardening: empty-content + structured PushError -------
 // TestSend_EmptyContentRejected verifies the bugboard #348 root-cause
 // guard: a message with no title, body, badge, sound, or
 // content_available marker MUST fail upfront — not silently 200 from
 // Apple and look like delivery success.
 func TestSend_EmptyContentRejected(t *testing.T) {
 	p := newTestProvider(t, "com.example.app", &fakePushClient{})
 	err := p.Send(context.Background(), push.PushMessage{
 		DeviceToken: "ABCDEF1234",
 		// No Title, Body, Badge, Sound, or content_available in Data.
 	})
 	if !errors.Is(err, push.ErrEmptyContent) {
 		t.Errorf("expected push.ErrEmptyContent for empty payload; got %v", err)
 	}
 }
 // TestSend_ContentAvailableAccepted ensures background-only pushes
 // (content_available without alert) ARE allowed — iOS uses this for
 // silent data pushes that wake the app without UI. Bugboard #348:
 // don't over-reject; only reject pushes that have NOTHING.
 func TestSend_ContentAvailableAccepted(t *testing.T) {
 	fake := &fakePushClient{
 		resp: &apns2.Response{StatusCode: http.StatusOK, ApnsID: "ok-1"},
 	}
 	p := newTestProvider(t, "com.example.app", fake)
 	err := p.Send(context.Background(), push.PushMessage{
 		DeviceToken: "ABCDEF1234",
 		Data:        map[string]interface{}{"content_available": true},
 	})
 	if err != nil {
 		t.Fatalf("content-available push should be allowed: %v", err)
 	}
 	if fake.lastSent == nil {
 		t.Fatal("Send didn't dispatch to client")
 	}
 	// Verify content-available landed in the aps dict.
 	var payload map[string]interface{}
 	if err := json.Unmarshal(fake.lastSent.Payload.([]byte), &payload); err != nil {
 		t.Fatalf("decode payload: %v", err)
 	}
 	aps, _ := payload["aps"].(map[string]interface{})
 	if aps["content-available"] != float64(1) {
 		t.Errorf("aps.content-available = %v; want 1", aps["content-available"])
 	}
 }
 // TestSend_Non200ReturnsPushError verifies non-200 responses return a
 // structured *push.PushError with the HTTP status, reason, and (for
 // 410) the Unregistered flag — so SendToUserDetailed can extract them
 // for the WASM caller. Bugboard #348.
 func TestSend_Non200ReturnsPushError(t *testing.T) {
 	cases := []struct {
 		name             string
 		status           int
 		reason           string
 		wantUnregistered bool
 	}{
 		{"410_unregistered", http.StatusGone, "Unregistered", true},
 		{"400_bad_device_token", http.StatusBadRequest, "BadDeviceToken", false},
 		{"403_invalid_provider_token", http.StatusForbidden, "InvalidProviderToken", false},
 		{"500_internal_apple_error", http.StatusInternalServerError, "InternalServerError", false},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			fake := &fakePushClient{
 				resp: &apns2.Response{StatusCode: tc.status, Reason: tc.reason, ApnsID: "x"},
 			}
 			p := newTestProvider(t, "com.example.app", fake)
 			err := p.Send(context.Background(), push.PushMessage{
 				DeviceToken: "tok",
 				Title:       "x",
 			})
 			if err == nil {
 				t.Fatal("expected error for non-200 response")
 			}
 			var perr *push.PushError
 			if !errors.As(err, &perr) {
 				t.Fatalf("expected *push.PushError; got %T: %v", err, err)
 			}
 			if perr.HTTPStatus != tc.status {
 				t.Errorf("HTTPStatus = %d; want %d", perr.HTTPStatus, tc.status)
 			}
 			if perr.Reason != tc.reason {
 				t.Errorf("Reason = %q; want %q", perr.Reason, tc.reason)
 			}
 			if perr.Unregistered != tc.wantUnregistered {
 				t.Errorf("Unregistered = %v; want %v", perr.Unregistered, tc.wantUnregistered)
 			}
 		})
 	}
 }
 // TestSend_410StillCompatibleWithLegacySentinel ensures the structured
 // PushError for 410 ALSO satisfies errors.Is(ErrDeviceUnregistered) so
 // existing callers using the sentinel keep working.
 func TestSend_410StillCompatibleWithLegacySentinel(t *testing.T) {
 	fake := &fakePushClient{
 		resp: &apns2.Response{StatusCode: http.StatusGone, Reason: "Unregistered", ApnsID: "x"},
 	}
 	p := newTestProvider(t, "com.example.app", fake)
 	err := p.Send(context.Background(), push.PushMessage{
 		DeviceToken: "tok",
 		Title:       "x",
 	})
 	if !errors.Is(err, ErrDeviceUnregistered) {
 		t.Errorf("expected errors.Is(err, ErrDeviceUnregistered) to be true; got %v", err)
 	}
 }
 // TestHasVisibleContent exercises every accepted shape so the guard
 // matches the WASM caller's mental model.
 func TestHasVisibleContent(t *testing.T) {
 	cases := []struct {
 		name string
 		msg  push.PushMessage
 		want bool
 	}{
 		{"empty", push.PushMessage{}, false},
 		{"title only", push.PushMessage{Title: "hi"}, true},
 		{"body only", push.PushMessage{Body: "hi"}, true},
 		{"badge only", push.PushMessage{Badge: 1}, true},
 		{"sound only", push.PushMessage{Sound: "ping.aiff"}, true},
 		{"content_available bool true", push.PushMessage{Data: map[string]interface{}{"content_available": true}}, true},
 		{"content_available bool false", push.PushMessage{Data: map[string]interface{}{"content_available": false}}, false},
 		{"content_available int 1", push.PushMessage{Data: map[string]interface{}{"content_available": 1}}, true},
 		{"content_available string 1", push.PushMessage{Data: map[string]interface{}{"content_available": "1"}}, true},
 		{"content_available string true", push.PushMessage{Data: map[string]interface{}{"content_available": "true"}}, true},
 		{"data without content_available", push.PushMessage{Data: map[string]interface{}{"other_key": "value"}}, false},
 		{"title and badge", push.PushMessage{Title: "x", Badge: 5}, true},
 	}
 	for _, tc := range cases {
 		t.Run(tc.name, func(t *testing.T) {
 			if got := hasVisibleContent(tc.msg); got != tc.want {
 				t.Errorf("hasVisibleContent(%+v) = %v; want %v", tc.msg, got, tc.want)
 			}
 		})
 	}
 }
--- a/core/pkg/push/types.go
+++ b/core/pkg/push/types.go
@ -88,4 +88,90 @@ var (
 	// ErrEmptyToken is returned by providers when called with an empty
 	// DeviceToken.
 	ErrEmptyToken = errors.New("push: empty device token")
 	// ErrEmptyContent is returned by providers when the message has no
 	// title, body, badge, sound, or content-available marker. Apple
 	// silently accepts (HTTP 200) and drops such pushes — caught upfront
 	// so the failure surfaces instead of looking like success. Bugboard
 	// #348 root-cause class.
 	ErrEmptyContent = errors.New("push: empty visible-content payload (set title/body, badge, sound, or content_available)")
 )
 // PushError is the structured error type returned by providers when the
 // remote service (APNs, ntfy, etc.) responds with a failure. Carries the
 // HTTP status + provider-specific reason code so the caller can decide
 // how to react (e.g. delete stale tokens on 410, retry on 5xx).
 //
 // Used via errors.As at the dispatcher layer to build a per-device
 // result for the WASM-callable `oh.PushSendV2` host function.
 type PushError struct {
 	// HTTPStatus is the HTTP/2 :status from the remote (e.g. 400, 410,
 	// 500). 0 means the failure happened before the HTTP exchange
 	// (network, validation, etc.) — see Message for details.
 	HTTPStatus int
 	// Reason is the provider-specific machine-readable reason string
 	// (e.g. APNs `BadDeviceToken`, `Unregistered`). Empty for non-HTTP
 	// failures.
 	Reason string
 	// Message is the human-readable summary, suitable for logs.
 	Message string
 	// Unregistered is a shortcut for "the remote says this token is
 	// dead — delete the device row". Maps to APNs HTTP 410 with reason
 	// `Unregistered`. Other providers set this when they have an
 	// equivalent signal.
 	Unregistered bool
 	// Wrapped is the underlying error if this PushError wraps another
 	// error type. Allows errors.Is / errors.As traversal.
 	Wrapped error
 }
 // Error implements the error interface.
 func (e *PushError) Error() string {
 	if e == nil {
 		return ""
 	}
 	return e.Message
 }
 // Unwrap allows errors.Is / errors.As to traverse.
 func (e *PushError) Unwrap() error {
 	if e == nil {
 		return nil
 	}
 	return e.Wrapped
 }
 // DeviceSendResult is the per-device outcome of a SendToUserDetailed
 // call. Used by the rich-result push host fn so WASM callers can see
 // exactly what happened per device — and react (e.g. delete the device
 // row on Unregistered, retry on 5xx, log unknowns).
 type DeviceSendResult struct {
 	DeviceID     string `json:"device_id"`
 	Provider     string `json:"provider"`
 	Success      bool   `json:"success"`
 	HTTPStatus   int    `json:"http_status,omitempty"`
 	Reason       string `json:"reason,omitempty"`
 	Message      string `json:"message,omitempty"`
 	Unregistered bool   `json:"unregistered,omitempty"`
 	// err carries the underlying error (preserves the full chain for
 	// errors.Is / errors.As). Unexported so json.Marshal ignores it —
 	// only the structured fields above appear in the WASM-visible
 	// envelope. Used by the legacy SendToUser to preserve the sentinel
 	// errors.Is contract for callers built before SendToUserDetailed.
 	err error `json:"-"`
 }
 // Err returns the underlying error for this device's send attempt, or
 // nil if it succeeded. Exposed as a method so external callers can
 // still use errors.Is/As against per-device failures.
 func (r DeviceSendResult) Err() error { return r.err }
 // SendDetailedResult is the aggregate return from SendToUserDetailed.
 // One DeviceSendResult per device the user has registered in the
 // namespace. Ok is true when EVERY device succeeded.
 type SendDetailedResult struct {
 	Ok               bool               `json:"ok"`
 	DevicesAttempted int                `json:"devices_attempted"`
 	DevicesSucceeded int                `json:"devices_succeeded"`
 	Results          []DeviceSendResult `json:"results"`
 }
--- a/core/pkg/serverless/engine.go
+++ b/core/pkg/serverless/engine.go
@ -614,6 +614,7 @@ func (e *Engine) registerHostModule(ctx context.Context) error {
 			NewFunctionBuilder().WithFunc(e.hPubSubPublish).Export("pubsub_publish").
 			NewFunctionBuilder().WithFunc(e.hPubSubPublishBatch).Export("pubsub_publish_batch").
 			NewFunctionBuilder().WithFunc(e.hPushSend).Export("push_send").
 			NewFunctionBuilder().WithFunc(e.hPushSendV2).Export("push_send_v2").
 			NewFunctionBuilder().WithFunc(e.hWSPubSubBridge).Export("ws_pubsub_bridge").
 			NewFunctionBuilder().WithFunc(e.hWSPubSubUnbridge).Export("ws_pubsub_unbridge").
 			NewFunctionBuilder().WithFunc(e.hWSSend).Export("ws_send").
@ -1116,6 +1117,38 @@ func (e *Engine) hPushSend(ctx context.Context, mod api.Module,
 	return 1
 }
 // hPushSendV2 is the WASM-callable wrapper for PushSendV2 — the
 // rich-result push host function. Returns a packed uint64
 // (ptr<<32 | len) pointing to a JSON envelope in guest memory, or 0
 // on setup/validation error.
 //
 // The JSON envelope is push.SendDetailedResult: top-level Ok bool,
 // per-device Results with HTTP status / reason / unregistered flag.
 // Callers MUST parse it — a non-zero return does NOT mean every
 // device succeeded (read result.ok or iterate results[]).
 //
 // Bugboard #348: replaces the binary success/fail of PushSend with
 // the full per-device truth so WASM callers can react granularly.
 func (e *Engine) hPushSendV2(ctx context.Context, mod api.Module,
 	userIDPtr, userIDLen, msgPtr, msgLen uint32) uint64 {
 	userID, ok := e.executor.ReadFromGuest(mod, userIDPtr, userIDLen)
 	if !ok {
 		return 0
 	}
 	msgJSON, ok := e.executor.ReadFromGuest(mod, msgPtr, msgLen)
 	if !ok {
 		return 0
 	}
 	out, err := e.hostServices.PushSendV2(ctx, string(userID), msgJSON)
 	if err != nil {
 		e.logger.Warn("host function push_send_v2 failed",
 			zap.String("user_id", string(userID)),
 			zap.Error(err))
 		return 0
 	}
 	return e.executor.WriteToGuest(ctx, mod, out)
 }
 func (e *Engine) hLogInfo(ctx context.Context, mod api.Module, ptr, size uint32) {
 	msg, ok := e.executor.ReadFromGuest(mod, ptr, size)
 	if ok {
--- a/core/pkg/serverless/hostfuncs_test.go
+++ b/core/pkg/serverless/hostfuncs_test.go
@ -110,6 +110,10 @@ func (m *mockHostServices) PushSend(ctx context.Context, userID string, msgJSON
 	return nil
 }
 func (m *mockHostServices) PushSendV2(ctx context.Context, userID string, msgJSON []byte) ([]byte, error) {
 	return []byte(`{"ok":true,"devices_attempted":0,"devices_succeeded":0,"results":[]}`), nil
 }
 func (m *mockHostServices) DBTransaction(ctx context.Context, opsJSON []byte) ([]byte, error) {
 	return []byte(`{"committed":true,"results":[]}`), nil
 }
--- a/core/pkg/serverless/hostfunctions/push.go
+++ b/core/pkg/serverless/hostfunctions/push.go
@ -122,3 +122,107 @@ func (h *HostFunctions) PushSend(ctx context.Context, userID string, msgJSON []b
 	}
 	return nil
 }
 // PushSendV2 implements serverless.HostServices.PushSendV2 — the
 // rich-result version of PushSend. Returns a JSON envelope describing
 // every device the dispatcher attempted, with HTTP status / reason /
 // unregistered-flag per device, so WASM callers can react granularly
 // (delete stale tokens on Unregistered, retry on 5xx, etc.).
 //
 // Bugboard #348: PushSend's binary success/fail return discarded
 // Apple's HTTP status — silent-drop bugs (Apple 200 + no delivery,
 // empty-content payloads, etc.) all looked like success. PushSendV2
 // surfaces the full per-device truth.
 //
 // The Go error return is ONLY for setup/validation failures (no
 // manager wired, no namespace in context, invalid JSON). Per-device
 // failures go into the JSON `results[]` array.
 func (h *HostFunctions) PushSendV2(ctx context.Context, userID string, msgJSON []byte) ([]byte, error) {
 	if h.pushManager == nil && h.pushDispatcher == nil {
 		// Silent no-op shape: empty result envelope. WASM caller sees
 		// ok=true, attempted=0, succeeded=0. Same semantic as legacy
 		// PushSend's silent no-op for portability across environments.
 		return []byte(`{"ok":true,"devices_attempted":0,"devices_succeeded":0,"results":[]}`), nil
 	}
 	if userID == "" {
 		return nil, &serverless.HostFunctionError{
 			Function: "push_send_v2",
 			Cause:    fmt.Errorf("user_id required"),
 		}
 	}
 	if len(msgJSON) > MaxPushSendArgsBytes {
 		return nil, &serverless.HostFunctionError{
 			Function: "push_send_v2",
 			Cause:    fmt.Errorf("msg too large: max %d bytes", MaxPushSendArgsBytes),
 		}
 	}
 	var args PushSendArgs
 	if err := json.Unmarshal(msgJSON, &args); err != nil {
 		return nil, &serverless.HostFunctionError{
 			Function: "push_send_v2",
 			Cause:    fmt.Errorf("invalid json: %w", err),
 		}
 	}
 	// Same namespace resolution as PushSend — invCtx-trusted, never the
 	// WASM caller's claim.
 	var namespace string
 	if cur := h.currentInvocationContext(ctx); cur != nil {
 		namespace = cur.Namespace
 	}
 	if namespace == "" {
 		return nil, &serverless.HostFunctionError{
 			Function: "push_send_v2",
 			Cause:    fmt.Errorf("no namespace in invocation context"),
 		}
 	}
 	priority := push.PriorityNormal
 	switch args.Priority {
 	case "high":
 		priority = push.PriorityHigh
 	case "normal", "":
 		priority = push.PriorityNormal
 	}
 	msg := push.PushMessage{
 		Title:    args.Title,
 		Body:     args.Body,
 		Channel:  args.Channel,
 		Priority: priority,
 		Badge:    args.Badge,
 		Sound:    args.Sound,
 		Data:     args.Data,
 	}
 	// Prefer the Manager (per-namespace config); fall back to the legacy
 	// dispatcher. Same precedence as PushSend so v1 and v2 stay
 	// behaviorally equivalent at the dispatch level.
 	var (
 		result *push.SendDetailedResult
 		err    error
 	)
 	if h.pushManager != nil {
 		result, err = h.pushManager.SendToUserDetailed(ctx, namespace, userID, msg)
 		// ErrPushNotConfigured = no per-namespace config AND no YAML
 		// defaults. Treat as silent no-op (same shape as legacy PushSend).
 		if err != nil && err.Error() == push.ErrPushNotConfigured.Error() {
 			return []byte(`{"ok":true,"devices_attempted":0,"devices_succeeded":0,"results":[]}`), nil
 		}
 	} else {
 		result, err = h.pushDispatcher.SendToUserDetailed(ctx, namespace, userID, msg)
 	}
 	if err != nil {
 		return nil, &serverless.HostFunctionError{Function: "push_send_v2", Cause: err}
 	}
 	out, mErr := json.Marshal(result)
 	if mErr != nil {
 		return nil, &serverless.HostFunctionError{
 			Function: "push_send_v2",
 			Cause:    fmt.Errorf("marshal result: %w", mErr),
 		}
 	}
 	return out, nil
 }
--- a/core/pkg/serverless/mocks_test.go
+++ b/core/pkg/serverless/mocks_test.go
@ -203,6 +203,13 @@ func (m *MockHostServices) PushSend(ctx context.Context, userID string, msgJSON
 	return nil
 }
 func (m *MockHostServices) PushSendV2(ctx context.Context, userID string, msgJSON []byte) ([]byte, error) {
 	// Return the empty-no-op envelope to match the silent no-op contract
 	// when no provider is configured. Tests that need per-device behavior
 	// mock at the HostFunctions level (fakeBatchClient-style).
 	return []byte(`{"ok":true,"devices_attempted":0,"devices_succeeded":0,"results":[]}`), nil
 }
 func (m *MockHostServices) DBTransaction(ctx context.Context, opsJSON []byte) ([]byte, error) {
 	return []byte(`{"committed":true,"results":[]}`), nil
 }
--- a/core/pkg/serverless/persistent/instance.go
+++ b/core/pkg/serverless/persistent/instance.go
@ -67,7 +67,12 @@ type Instance struct {
 	// across concurrent connections — each instance carries its own
 	// caller identity in the ctx, never reading the HostFunctions
 	// singleton field. See pkg/serverless/hostfunctions/invocation_context.go.
-	invCtx *serverless.InvocationContext
+	//
 	// MUTABLE: bug #321 added mid-session re-auth — the WS handler can
 	// swap invCtx via UpdateInvocationContext when the client rotates
 	// its JWT. invCtxMu guards reads/writes; withInvCtx() takes RLock.
 	invCtx   *serverless.InvocationContext
 	invCtxMu sync.RWMutex
 	inbound chan []byte
 	logger  *zap.Logger
@ -172,10 +177,51 @@ func NewInstance(module api.Module, cfg Config, logger *zap.Logger) (*Instance,
 // Returns ctx unchanged when invCtx is nil — preserves backwards-compat
 // for callers that didn't populate Config.InvocationContext.
 func (i *Instance) withInvCtx(ctx context.Context) context.Context {
-	if i.invCtx == nil {
+	i.invCtxMu.RLock()
 	cur := i.invCtx
 	i.invCtxMu.RUnlock()
 	if cur == nil {
 		return ctx
 	}
-	return serverless.WithInvocationContext(ctx, i.invCtx)
+	return serverless.WithInvocationContext(ctx, cur)
 }
 // UpdateInvocationContext atomically swaps the per-instance invocation
 // context. Used by the WS handler to apply a mid-session JWT rotation
 // (bugboard #321 — `__orama:auth.refresh` control frame) so the
 // client's new JWT subject / wallet / claims propagate to every
 // subsequent host call WITHOUT tearing down the WS.
 //
 // Thread-safe: callers can call this from the WS read loop while the
 // frame-processing goroutine is concurrently reading the field via
 // withInvCtx. The swap is a single pointer-write under a write lock;
 // in-flight host calls that already wrapped their ctx with the OLD
 // invCtx keep using the old identity until they return — that's
 // correct (an in-flight invocation should complete under the identity
 // it started with, not get swapped mid-call).
 //
 // Rejects nil to preserve the "invCtx is required" invariant baked in
 // at NewInstance. A nil swap would silently re-open the cross-tenant
 // race documented in pkg/serverless/invocation_context.go.
 func (i *Instance) UpdateInvocationContext(newInvCtx *serverless.InvocationContext) error {
 	if newInvCtx == nil {
 		return fmt.Errorf("persistent: UpdateInvocationContext: nil invCtx (would re-open the cross-tenant identity-leak race)")
 	}
 	i.invCtxMu.Lock()
 	i.invCtx = newInvCtx
 	i.invCtxMu.Unlock()
 	return nil
 }
 // CurrentInvocationContext returns the per-instance invocation context
 // snapshot (the same pointer withInvCtx would attach to the next host
 // call's ctx). Used by the WS handler to audit identity transitions on
 // mid-session JWT refresh (bug #321) without re-reading from the lock.
 // May return nil if the instance was constructed without an invCtx.
 func (i *Instance) CurrentInvocationContext() *serverless.InvocationContext {
 	i.invCtxMu.RLock()
 	defer i.invCtxMu.RUnlock()
 	return i.invCtx
 }
 // ClientID returns the WebSocket client ID this instance serves.
--- a/core/pkg/serverless/persistent/instance_update_invctx_test.go
+++ b/core/pkg/serverless/persistent/instance_update_invctx_test.go
@ -0,0 +1,149 @@
 package persistent
 import (
 	"context"
 	"sync"
 	"sync/atomic"
 	"testing"
 	"github.com/DeBrosOfficial/network/pkg/serverless"
 )
 // TestUpdateInvocationContext_swapVisibleToWithInvCtx verifies the
 // post-swap invCtx is what withInvCtx reads. Regression guard for
 // bugboard #321 (mid-session JWT refresh on persistent WS).
 func TestUpdateInvocationContext_swapVisibleToWithInvCtx(t *testing.T) {
 	original := &serverless.InvocationContext{CallerJWTSubject: "user-A", WSClientID: "c1"}
 	updated := &serverless.InvocationContext{CallerJWTSubject: "user-A-refreshed", WSClientID: "c1"}
 	i := &Instance{invCtx: original}
 	// Pre-swap: withInvCtx returns ctx carrying original.
 	ctx := i.withInvCtx(context.Background())
 	got := serverless.InvocationContextFromCtx(ctx)
 	if got.CallerJWTSubject != "user-A" {
 		t.Errorf("pre-swap: CallerJWTSubject = %q; want user-A", got.CallerJWTSubject)
 	}
 	// Swap.
 	if err := i.UpdateInvocationContext(updated); err != nil {
 		t.Fatalf("UpdateInvocationContext: %v", err)
 	}
 	// Post-swap: withInvCtx returns ctx carrying updated.
 	ctx = i.withInvCtx(context.Background())
 	got = serverless.InvocationContextFromCtx(ctx)
 	if got.CallerJWTSubject != "user-A-refreshed" {
 		t.Errorf("post-swap: CallerJWTSubject = %q; want user-A-refreshed", got.CallerJWTSubject)
 	}
 }
 // TestUpdateInvocationContext_nilRejected ensures the nil-guard fires
 // — silently accepting nil would re-open the cross-tenant identity
 // leak the persistent invCtx exists to prevent.
 func TestUpdateInvocationContext_nilRejected(t *testing.T) {
 	original := &serverless.InvocationContext{CallerJWTSubject: "user-A"}
 	i := &Instance{invCtx: original}
 	err := i.UpdateInvocationContext(nil)
 	if err == nil {
 		t.Fatal("expected error for nil invCtx; got nil")
 	}
 	// Original must be untouched after the failed swap.
 	ctx := i.withInvCtx(context.Background())
 	got := serverless.InvocationContextFromCtx(ctx)
 	if got.CallerJWTSubject != "user-A" {
 		t.Errorf("after rejected nil swap: CallerJWTSubject = %q; want user-A (unchanged)",
 			got.CallerJWTSubject)
 	}
 }
 // TestUpdateInvocationContext_concurrentSwapsAndReads stresses the
 // RWMutex contract: many concurrent withInvCtx readers + a writer
 // swapping the pointer must never panic, deadlock, or produce a nil
 // dereference. The race detector catches torn reads/writes.
 func TestUpdateInvocationContext_concurrentSwapsAndReads(t *testing.T) {
 	a := &serverless.InvocationContext{CallerJWTSubject: "a"}
 	b := &serverless.InvocationContext{CallerJWTSubject: "b"}
 	i := &Instance{invCtx: a}
 	const (
 		readers     = 16
 		writes      = 100
 		readsPerW   = 50
 	)
 	var wg sync.WaitGroup
 	// Reader pool — each loops reading via withInvCtx.
 	var readsObserved int64
 	for r := 0; r < readers; r++ {
 		wg.Add(1)
 		go func() {
 			defer wg.Done()
 			for n := 0; n < writes*readsPerW; n++ {
 				ctx := i.withInvCtx(context.Background())
 				if got := serverless.InvocationContextFromCtx(ctx); got == nil {
 					t.Errorf("withInvCtx returned ctx with nil invCtx during concurrent swap")
 					return
 				}
 				atomic.AddInt64(&readsObserved, 1)
 			}
 		}()
 	}
 	// Writer: alternates between a and b.
 	wg.Add(1)
 	go func() {
 		defer wg.Done()
 		for n := 0; n < writes; n++ {
 			cur := a
 			if n%2 == 1 {
 				cur = b
 			}
 			if err := i.UpdateInvocationContext(cur); err != nil {
 				t.Errorf("UpdateInvocationContext concurrent write: %v", err)
 				return
 			}
 		}
 	}()
 	wg.Wait()
 	if atomic.LoadInt64(&readsObserved) == 0 {
 		t.Error("no successful reads observed during concurrent test")
 	}
 }
 // TestUpdateInvocationContext_swapDoesNotAffectInFlightCtx — the ctx
 // already returned by an earlier withInvCtx call MUST keep carrying
 // the OLD invCtx pointer, even after a later swap. Otherwise an
 // in-flight WASM-host call would see its identity change mid-call.
 // Bugboard #321 design correctness check.
 func TestUpdateInvocationContext_swapDoesNotAffectInFlightCtx(t *testing.T) {
 	original := &serverless.InvocationContext{CallerJWTSubject: "before"}
 	updated := &serverless.InvocationContext{CallerJWTSubject: "after"}
 	i := &Instance{invCtx: original}
 	// Snapshot a ctx using the original invCtx.
 	inflightCtx := i.withInvCtx(context.Background())
 	// Swap.
 	if err := i.UpdateInvocationContext(updated); err != nil {
 		t.Fatalf("UpdateInvocationContext: %v", err)
 	}
 	// The previously-captured ctx still carries "before".
 	got := serverless.InvocationContextFromCtx(inflightCtx)
 	if got.CallerJWTSubject != "before" {
 		t.Errorf("in-flight ctx changed under swap: got %q; want 'before' (an in-flight invocation must complete under its original identity)",
 			got.CallerJWTSubject)
 	}
 	// New withInvCtx calls see "after".
 	freshCtx := i.withInvCtx(context.Background())
 	got = serverless.InvocationContextFromCtx(freshCtx)
 	if got.CallerJWTSubject != "after" {
 		t.Errorf("post-swap fresh ctx = %q; want 'after'", got.CallerJWTSubject)
 	}
 }
--- a/core/pkg/serverless/types.go
+++ b/core/pkg/serverless/types.go
@ -459,6 +459,32 @@ type HostServices interface {
 	// DBQueryBatch with 10 statements = ~340ms. See bugboard #270.
 	DBQueryBatch(ctx context.Context, opsJSON []byte) ([]byte, error)
 	// PushSendV2 dispatches a push notification with PER-DEVICE result
 	// reporting. Returns JSON-encoded push.SendDetailedResult:
 	//
 	//   {
 	//     "ok": false,
 	//     "devices_attempted": 2,
 	//     "devices_succeeded": 1,
 	//     "results": [
 	//       {"device_id":"ios-A", "provider":"apns", "success":true},
 	//       {"device_id":"ios-B", "provider":"apns", "success":false,
 	//        "http_status":410, "reason":"Unregistered",
 	//        "message":"...", "unregistered":true}
 	//     ]
 	//   }
 	//
 	// Unlike the legacy PushSend (which returns success/fail and discards
 	// every provider's HTTP status), this lets WASM callers auto-clean
 	// stale tokens, retry transient failures, and surface real reasons.
 	// Bugboard #348.
 	//
 	// Returns a Go error only on setup failures (no manager, invalid JSON,
 	// no namespace in invocation context). A per-device failure goes into
 	// the JSON `results[]` array, NOT as a Go error — callers parse the
 	// envelope. Same shape as DBTransaction's "structured per-op result".
 	PushSendV2(ctx context.Context, userID string, msgJSON []byte) ([]byte, error)
 	// ExecAndPublish runs ops atomically (like DBTransaction) and, ONLY
 	// if the batch commits, publishes data to the named topic with any
 	// occurrence of the literal string "{{seq}}" replaced by the assigned
--- a/sdk/package.json
+++ b/sdk/package.json
@ -1,6 +1,6 @@
 {
  "name": "@debros/orama",
-  "version": "0.122.26",
+  "version": "0.122.27",
  "description": "TypeScript SDK for Orama Network - Database, PubSub, Cache, Storage, Vault, and more",
  "type": "module",
  "main": "./dist/index.js",