PushForge is a lightweight, zero-dependency toolkit for implementing fully standards-compliant Web Push Notifications across Node.js, browsers, Deno, Bun, and Cloudflare Workers without platform-specific workarounds. Built TypeScript-first, it delivers a single, strongly-typed API that handles the entire Web Push stack—VAPID ES256 JWT authentication, ephemeral ECDH key exchange, HKDF-SHA256 key derivation, and AES-GCM payload encryption—while enforcing protocol correctness and security best practices. Its isomorphic WebCrypto abstraction ensures identical cryptographic behavior across runtimes, with deterministic encoding and zero third-party dependencies to minimize supply-chain risk. Designed for both developer experience and operational reliability, PushForge ships with an intuitive CLI for VAPID key generation, integration-tested delivery against major push providers, and lean ESM packaging optimized for edge/serverless environments. With semantic-release automation, GitHub Actions CI, and Biome code quality gates, it’s engineered for predictable releases and maintainability. This combination of protocol-level precision, cross-platform reach, and minimal footprint makes PushForge a practical choice for teams that need secure, portable push notifications without unnecessary complexity. All work and interactive previews are documented in Notion.



Project Points Earned

  1. Architected and led a monorepo + CI/CD fabric (pnpm workspace, GitHub Actions pipelines/semantic-release) delivering zero-downtime deploys and deterministic releases (stable + beta channels), cutting manual rollback risk and build friction — improved deploy reliability and reduced release noise via npm-first artifact strategy.
  2. Built a standards-compliant Web Push stack (RFC 8291/8292): end-to-end VAPID ES256 JWT auth, per-message ephemeral ECDH P-256, HKDF-SHA256 key schedule, AES-GCM content encryption, and exact Web Push headers (Authorization, Crypto-Key, Encryption, Content-Encoding).
  3. Implemented an isomorphic WebCrypto abstraction enabling identical cryptographic behavior across Browser, Node (≥16/22), Deno, Bun, and Cloudflare Workers — zero third-party crypto deps for minimal supply-chain risk.
  4. Designed buildPushHTTPRequest: a single, typed API that composes salt, ephemeral keypair, encrypted payload, and canonical headers (returns endpoint, headers, body), normalizes Headers vs plain objects, and enforces TTL/Topic/Urgency semantics for turnkey server delivery.
  5. Hardened VAPID/JWT semantics: deterministic aud derived from subscription origin, enforced exp ≤ 24h, sub propagation, robust JWK normalization — eliminated common 403 causes from push providers and increased delivery predictability.
  6. Zero-dependency, cross-runtime binary and Base64URL layer: environment-aware btoa/atobBuffer fast paths, correct padding normalization and typed-array conversions to guarantee deterministic wire encodings across runtimes.
  7. Enforced type-driven API correctness (TypeScript-first): PushMessage<T extends Jsonifiable>, RequireAtLeastOne<> invariants, and strict TS contracts that surface protocol errors at compile time — drastically reducing runtime integration faults.
  8. Implemented length-hiding payload discipline: bounded randomized padding with embedded-length framing (keeps messages within 4KB envelope) to mitigate traffic-analysis while preserving push-service acceptance and latency characteristics.
  9. Built a production VAPID keygen CLI using Node WebCrypto (ES256/P-256) that exports JWK + public key in canonical base64url — simplifies secure onboarding and operational key management.
  10. Engineered wire-level integration tests (Vitest) against FCM/WNS endpoints using fixtures to validate VAPID header structure, TTL/Topic/Urgency propagation, and service response semantics — prevents cross-provider regressions before release.
  11. Strengthened DevEx & quality gates: Biome linting (3× Prettier speed), Husky pre-commit hooks, type-check CI gate, and Conventional Commits + PR title policy — reduced PR review churn and slashed post-release defects.
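
The VAPID claim rules from point 5 and the unpadded Base64URL encoding from point 6, sketched as an added example in plain JavaScript using only web globals; this is not PushForge source code, and the function names and sample values are hypothetical. It covers claim construction and the JWT signing input only; the ES256 signature step is left out.

```javascript
// Added example (not PushForge source). All names here are hypothetical.
const MAX_VAPID_TTL_SECONDS = 24 * 60 * 60; // RFC 8292: exp at most 24h ahead

// Base64URL without padding, from a UTF-8 string, using only web globals.
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build the VAPID claims for one subscription endpoint, rejecting inputs
// that a push service would answer with 400/403.
function buildVapidClaims(endpoint, subject, ttlSeconds, nowSeconds) {
  const url = new URL(endpoint); // throws on a malformed endpoint
  if (url.protocol !== "https:") {
    throw new Error("push endpoint must be https");
  }
  if (!/^(mailto:.+@.+|https:\/\/.+)/.test(subject)) {
    throw new Error("sub must be a mailto: or https: URI");
  }
  if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0 ||
      ttlSeconds > MAX_VAPID_TTL_SECONDS) {
    throw new Error("token lifetime must be between 1 and 86400 seconds");
  }
  // aud is the endpoint origin only: scheme + host (+ non-default port).
  // The path and query, which identify the subscription, are never included.
  return { aud: url.origin, exp: nowSeconds + ttlSeconds, sub: subject };
}

// "header.payload" part of the ES256 JWT; the signer appends the signature.
function vapidSigningInput(claims) {
  const header = { typ: "JWT", alg: "ES256" };
  return base64UrlEncode(JSON.stringify(header)) + "." +
         base64UrlEncode(JSON.stringify(claims));
}
```

Passing `nowSeconds` in explicitly keeps the expiry check deterministic in tests; a caller would supply `Math.floor(Date.now() / 1000)`.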