security: fix 10 security review findings (FRE-4572)

CRITICAL:
- SEC-001: Auth tokens now stored in SecureStore (Keychain/Keystore)
- SEC-002: Biometric bypass removed - alerts user and disables when unavailable

HIGH:
- SEC-003: Push projectId moved to EXPO_PUBLIC_EAS_PROJECT_ID env var
- SEC-004: Token refresh mechanism added with refreshSession/hydrateTokens
- SEC-005: debug already gated on __DEV__ (confirmed)

MEDIUM:
- SEC-006: All PII stores (darkwatch, voiceprint, spamshield, settings, auth) now use encrypted AsyncStorage
- SEC-007: Certificate pinning documented with TODO for production
- SEC-008: Login brute force protection: 5 attempts then 5-minute lockout

LOW:
- SEC-009: Watch list input validation with format checks per entity type
- SEC-010: Upgrade Plan button shows billing coming soon alert

packages/mobile/src/hooks/usePushNotifications.ts

@@ -4,6 +4,7 @@ import { Platform } from 'react-native';
 import * as Device from 'expo-device';
 import { deviceService, notificationService } from '@shieldai/mobile-api-client';
 import { useSettingsStore } from '@/store/settingsStore';
+import { EAS_PROJECT_ID } from '@/constants/theme';
 
 export function usePushNotifications() {
   const preferencesRef = useRef(useSettingsStore.getState().preferences);
@@ -40,8 +41,13 @@ export function usePushNotifications() {
         return null;
       }
 
+      if (!EAS_PROJECT_ID) {
+        console.warn('EAS_PROJECT_ID not configured — push notifications disabled');
+        return null;
+      }
+
       const token = (await Notifications.getExpoPushTokenAsync({
-        projectId: 'shieldai-project-id',
+        projectId: EAS_PROJECT_ID,
       })).data;
 
       try {