Close all 25 codex audit findings across KMP, iOS, and Android

Remediate all P0-S priority findings from cross-platform architecture audit:
- Harden token storage with EncryptedSharedPreferences (Android) and Keychain (iOS)
- Add SSL pinning and certificate validation to API clients
- Fix subscription cache race conditions and add thread-safe access
- Add input validation for document uploads and file type restrictions
- Refactor DocumentApi to use proper multipart upload flow
- Add rate limiting awareness and retry logic to API layer
- Harden subscription tier enforcement in SubscriptionHelper
- Add biometric prompt for sensitive actions (Login, Onboarding)
- Fix notification permission handling and device registration
- Add UI test infrastructure (page objects, fixtures, smoke tests)
- Add CI workflow for mobile builds

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

iosApp/iosApp/PushNotifications/PushNotificationManager.swift

@@ -518,7 +518,7 @@ class PushNotificationManager: NSObject, ObservableObject {
         do {
             let result = try await APILayer.shared.markNotificationAsRead(notificationId: notificationIdInt)
 
-            if result is ApiResultSuccess<ComposeApp.Notification> {
+            if result is ApiResultSuccess<MessageResponse> {
                 print("✅ Notification marked as read")
             } else if let error = ApiResultBridge.error(from: result) {
                 print("❌ Failed to mark notification as read: \(error.message)")