Please report security issues privately rather than opening a public issue.

This app is an operator client. Production deployments should keep the following on the backend only:

• Meta WhatsApp Cloud API tokens
• App secrets
• APNs private keys
• AI provider API keys
• Customer media storage credentials

The iOS app should only receive short-lived or revocable operator bearer tokens.