From 94e45575a34e8672f8b405c54cabd8e524281fef Mon Sep 17 00:00:00 2001
From: Claudomator Agent <agent@claudomator>
Date: Tue, 17 Mar 2026 02:12:31 +0000
Subject: fix: swap VAPID key return order in GenerateVAPIDKeys wrapper

webpush.GenerateVAPIDKeys() returns (privateKey, publicKey) but the
claudomator wrapper declared (publicKey, privateKey), causing the
32-byte private key to be sent to browsers as the applicationServerKey.
Browsers require a 65-byte uncompressed P256 point, so they rejected
it with "The provided applicationServerKey is not valid."

Adds a regression test that asserts public key is 87 chars/65 bytes
with 0x04 prefix and private key is 43 chars/32 bytes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 internal/notify/vapid.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'internal/notify/vapid.go')

diff --git a/internal/notify/vapid.go b/internal/notify/vapid.go
index 90d535b..d93a090 100644
--- a/internal/notify/vapid.go
+++ b/internal/notify/vapid.go
@@ -4,6 +4,8 @@ import webpush "github.com/SherClockHolmes/webpush-go"
 
 // GenerateVAPIDKeys generates a VAPID key pair for web push notifications.
 // Returns the base64url-encoded public and private keys.
+// Note: webpush.GenerateVAPIDKeys returns (privateKey, publicKey) — we swap here.
 func GenerateVAPIDKeys() (publicKey, privateKey string, err error) {
-	return webpush.GenerateVAPIDKeys()
+	privateKey, publicKey, err = webpush.GenerateVAPIDKeys()
+	return
 }
-- 
cgit v1.2.3