refactor(push): make encryption/signing more robust

[joshtrichards]

This PR improves how push notification signing errors are handled to prevent sending unsigned notifications (which clients would reject anyway) and ensures clear, consistent error management.

• Signing problems are consistently checked and logged cleanly.
• Longer subjects are truncated to fit cryptographic limits, and truncation is now logged (debug level).
• Unit tests have been added for the new error handling logic.
• Code has been refactored for greater consistency and clarity.

Note:

• Adds a PushSigningException for signing failures; affected devices are skipped, not deleted.
• Device tokens are still only deleted for encryption failures (invalid device public key).