fix: comprehensive codebase hardening — crashes, silent failures, performance, and security

Fixes ~95 issues from deep audit across 12 categories in 82 files:

- Crash prevention: double-resume in PhotoMetadataExtractor, force unwraps in
  DateRangePicker, array bounds checks in polls/achievements, ProGate hit-test
  bypass, Dictionary(uniqueKeysWithValues:) → uniquingKeysWith in 4 files
- Silent failure elimination: all 34 try? sites replaced with do/try/catch +
  logging (SavedTrip, TripDetailView, CanonicalSyncService, BootstrapService,
  CanonicalModels, CKModels, SportsTimeApp, and more)
- Performance: cached DateFormatters (7 files), O(1) team lookups via
  AppDataProvider, achievement definition dictionary, AnimatedBackground
  consolidated from 19 Tasks to 1, task cancellation in SharePreviewView
- Concurrency: UIKit drawing → MainActor.run, background fetch timeout guard,
  @MainActor on ThemeManager/AppearanceManager, SyncLogger read/write race fix
- Planning engine: game end time in travel feasibility, state-aware city
  normalization, exact city matching, DrivingConstraints parameter propagation
- IAP: unknown subscription states → expired, unverified transaction logging,
  entitlements updated before paywall dismiss, restore visible to all users
- Security: API key to Info.plist lookup, filename sanitization in PDF export,
  honest User-Agent, removed stale "Feels" analytics super properties
- Navigation: consolidated competing navigationDestination, boolean → value-based
- Testing: 8 sleep() → waitForExistence, duplicates extracted, Swift 6 compat
- Service bugs: infinite retry cap, duplicate achievement prevention, TOCTOU vote
  fix, PollVote.odg → voterId rename, deterministic placeholder IDs, parallel
  MKDirections, Sendable-safe POI struct

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

SportsTime/Core/Store/StoreManager.swift

@@ -6,6 +6,7 @@
 //
 
 import Foundation
+import os
 import StoreKit
 
 @Observable
@@ -191,7 +192,7 @@ final class StoreManager {
             case .revoked:
                 state = .revoked
             default:
-                state = .active
+                state = .expired  // Conservative: deny access for unknown states
             }
 
             subscriptionStatus = SubscriptionStatusInfo(
@@ -253,6 +254,12 @@ final class StoreManager {
     // MARK: - Analytics
 
     func trackSubscriptionAnalytics(source: String) {
+        #if DEBUG
+        // Don't track subscription analytics when debug override is active
+        // to avoid polluting production analytics with fake subscription data
+        if debugProOverride { return }
+        #endif
+
         let status: String
         let isSubscribed: Bool
 
@@ -312,9 +319,13 @@ final class StoreManager {
         transactionListenerTask?.cancel()
         transactionListenerTask = Task.detached {
             for await result in Transaction.updates {
-                if case .verified(let transaction) = result {
+                switch result {
+                case .verified(let transaction):
                     await transaction.finish()
                     await StoreManager.shared.updateEntitlements()
+                case .unverified(let transaction, let error):
+                    os_log("Unverified transaction %{public}@: %{public}@", type: .default, transaction.id.description, error.localizedDescription)
+                    // Don't grant entitlement for unverified transactions
                 }
             }
         }
@@ -324,7 +335,9 @@ final class StoreManager {
 
     private func checkVerified<T>(_ result: VerificationResult<T>) throws -> T {
         switch result {
-        case .unverified:
+        case .unverified(let transaction, let error):
+            os_log("Unverified transaction %{public}@: %{public}@", type: .default, String(describing: transaction), error.localizedDescription)
+            // Don't grant entitlement for unverified transactions
             throw StoreError.verificationFailed
         case .verified(let safe):
             return safe