security: fix 10 security review findings (FRE-4572)

CRITICAL:
- SEC-001: Auth tokens now stored in SecureStore (Keychain/Keystore)
- SEC-002: Biometric bypass removed - alerts user and disables when unavailable

HIGH:
- SEC-003: Push projectId moved to EXPO_PUBLIC_EAS_PROJECT_ID env var
- SEC-004: Token refresh mechanism added with refreshSession/hydrateTokens
- SEC-005: debug already gated on __DEV__ (confirmed)

MEDIUM:
- SEC-006: All PII stores (darkwatch, voiceprint, spamshield, settings, auth) now use encrypted AsyncStorage
- SEC-007: Certificate pinning documented with TODO for production
- SEC-008: Login brute force protection: 5 attempts then 5-minute lockout

LOW:
- SEC-009: Watch list input validation with format checks per entity type
- SEC-010: Upgrade Plan button shows billing coming soon alert

packages/mobile/src/store/settingsStore.ts

@@ -1,7 +1,7 @@
 import { create } from 'zustand';
-import { persist, createJSONStorage } from 'zustand/middleware';
-import AsyncStorage from '@react-native-async-storage/async-storage';
+import { persist } from 'zustand/middleware';
 import type { NotificationPreference } from '@/types';
+import { encryptedStorage } from '@/services/encryptedStorage';
 
 /**
  * TODO: Wire updatePreferences to notificationService.updatePreferences() for production.
@@ -39,7 +39,7 @@ export const useSettingsStore = create<SettingsState>()(
     }),
     {
       name: '@shieldai_settings',
-      storage: createJSONStorage(() => AsyncStorage),
+      storage: encryptedStorage,
     }
   )
 );