Gate cleartext HTTP traffic settings to non-production variants

NSAllowsArbitraryLoads on iOS and the withAndroidCleartextTraffic plugin
were applied unconditionally to all build variants, including production.
This exposed production users to potential man-in-the-middle attacks.

Now both settings are only applied for development and preview variants,
using the existing APP_VARIANT infrastructure.

Author: cursoragent

apps/mobile/app.config.ts

@@ -77,9 +77,11 @@ const config: ExpoConfig = {
     supportsTablet: true,
     bundleIdentifier: variant.iosBundleIdentifier,
     infoPlist: {
-      NSAppTransportSecurity: {
-        NSAllowsArbitraryLoads: true,
-      },
+      ...(APP_VARIANT !== "production" && {
+        NSAppTransportSecurity: {
+          NSAllowsArbitraryLoads: true,
+        },
+      }),
       ITSAppUsesNonExemptEncryption: false,
     },
   },
@@ -128,7 +130,7 @@ const config: ExpoConfig = {
     ],
     "expo-secure-store",
     "expo-router",
-    "./plugins/withAndroidCleartextTraffic.cjs",
+    ...(APP_VARIANT !== "production" ? ["./plugins/withAndroidCleartextTraffic.cjs"] : []),
   ],
   extra: {
     appVariant: APP_VARIANT,