feat(app-expo): env variants, local iOS prebuild, and About diagnostics

Align staging/production builds with APP_VARIANT bundle IDs, allow staging HTTP on iOS, add ios-prebuild scripts for TestFlight, and show connected API URL on About for non-production builds.

Co-authored-by: Cursor <cursoragent@cursor.com>

app-expo/plugins/withIosInsecureHttp.js

@@ -0,0 +1,63 @@
+// @ts-check
+/**
+ * Allow HTTP / WS to staging API host via App Transport Security exception.
+ *
+ * Enabled when EXPO_PUBLIC_API_URL uses http:// (same rule as Android cleartext).
+ * Host is parsed from the URL so IP:port staging endpoints work without hard-coding.
+ */
+const { withInfoPlist } = require('@expo/config-plugins');
+
+/**
+ * @returns {string | null}
+ */
+function getHttpExceptionHost() {
+  const raw = process.env.EXPO_PUBLIC_API_URL ?? '';
+  if (!raw.startsWith('http://')) {
+    return null;
+  }
+  try {
+    return new URL(raw).hostname;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * @param {import('expo/config').ExpoConfig} config
+ * @param {{ enabled?: boolean }} props
+ */
+function withIosInsecureHttp(config, props = {}) {
+  const enabled = props.enabled ?? false;
+
+  return withInfoPlist(config, (mod) => {
+    if (!enabled) {
+      return mod;
+    }
+
+    const host = getHttpExceptionHost();
+    if (!host) {
+      console.warn(
+        '[withIosInsecureHttp] enabled but EXPO_PUBLIC_API_URL has no http host; skipping ATS exception.',
+      );
+      return mod;
+    }
+
+    const existing = mod.modResults.NSAppTransportSecurity ?? {};
+    const existingDomains = existing.NSExceptionDomains ?? {};
+
+    mod.modResults.NSAppTransportSecurity = {
+      ...existing,
+      NSExceptionDomains: {
+        ...existingDomains,
+        [host]: {
+          NSExceptionAllowsInsecureHTTPLoads: true,
+          NSIncludesSubdomains: true,
+        },
+      },
+    };
+
+    return mod;
+  });
+}
+
+module.exports = withIosInsecureHttp;