
docs(security-reports): add security report for SEC-31 demo mode APK flag closes(#263)#295

Closed
itzabdoull wants to merge 1 commit into ericmt-98:main from itzabdoull:fix/sec-31-vite-demo-mode-apk

Conversation

@itzabdoull itzabdoull commented Jun 29, 2026


Closes #263


📝 Overview
This Pull Request delivers the security report [SEC-31] investigating the security risk where the demo mode build flag (VITE_DEMO_MODE) could be baked into the final release/production APK.

Per the maintainers' request, this PR contains only the security report markdown file (docs/security-reports/SEC-31-vite-demo-mode-apk.md), detailing the results of the investigation, evidence, and the proposed fix suggestion. The team will handle the internal application of the fix to prevent merge conflicts.

🔍 Key Findings from the Report
- Embedding Vulnerability: If compiled with VITE_DEMO_MODE=true in production/testnet modes, the static assets (e.g. index-*.js) contain both IS_DEMO_MODE=true and the hardcoded secret: MICOPAY:DEMO:mock_secret_for_ui_preview.
- Impact: Bypasses registration in production, displays constant mock QR codes/secrets when backend requests fail, and enables mock transactions instead of real network operations.
- Missing Guard: Prior to the suggestion, there was no compile-time build guard checking this flag on release builds.
💡 Suggested Fix
Add a compile-time check in the Vite configuration (micopay/frontend/vite.config.ts) that loads environment variables using loadEnv and throws a fatal error, aborting the build immediately, if VITE_DEMO_MODE is true in a non-development mode (such as production or testnet).
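The build guard the report suggests, written out as an added example (this is not the project's own vite.config.ts and not the code from commit a51be19). The check is kept as a plain TypeScript function so it can be exercised without Vite; the mode names "development", "production" and "testnet", the variable name VITE_DEMO_MODE and the file path micopay/frontend/vite.config.ts are taken from the PR description, while the set of accepted truthy spellings and the exact wiring into defineConfig are assumptions.

```typescript
// Added example (not the project's code): a compile-time build guard of the
// kind the SEC-31 report suggests. The check itself is plain TypeScript so it
// can be unit-tested without Vite; wiring it into vite.config.ts is shown in
// the comment at the bottom.

type Env = Record<string, string | undefined>;

/** Modes in which the demo flag may legitimately be baked into the bundle. */
const DEMO_ALLOWED_MODES: ReadonlySet<string> = new Set(["development"]);

/**
 * Values treated as "true" for the flag. Assumption: the app itself only
 * compares against "true", but a guard should refuse the usual truthy
 * spellings too, so a stray VITE_DEMO_MODE=1 cannot slip past it.
 */
function isTruthyFlag(value: string | undefined): boolean {
  if (value === undefined) return false;
  return ["true", "1", "yes", "on"].includes(value.trim().toLowerCase());
}

class DemoModeBuildError extends Error {
  constructor(mode: string) {
    super(
      `[SEC-31] VITE_DEMO_MODE is enabled for mode "${mode}". ` +
        `Demo mode bakes IS_DEMO_MODE=true and a mock secret into the bundle; ` +
        `unset VITE_DEMO_MODE (or set it to "false") before building for "${mode}".`,
    );
    this.name = "DemoModeBuildError";
  }
}

/**
 * Throws DemoModeBuildError if the demo flag is set for any mode other than
 * development (production, testnet, or anything else). Returns true when the
 * build may proceed.
 */
function assertNoDemoModeInRelease(mode: string, env: Env): true {
  if (!DEMO_ALLOWED_MODES.has(mode) && isTruthyFlag(env.VITE_DEMO_MODE)) {
    throw new DemoModeBuildError(mode);
  }
  return true;
}

/** Non-throwing variant: reports the outcome and the reason for a refusal. */
function checkDemoModeGuard(mode: string, env: Env): { ok: boolean; reason?: string } {
  try {
    assertNoDemoModeInRelease(mode, env);
    return { ok: true };
  } catch (e) {
    return { ok: false, reason: (e as Error).message };
  }
}

// Wiring into micopay/frontend/vite.config.ts (assumed layout; defineConfig and
// loadEnv are real Vite exports, loadEnv(mode, envDir, prefixes) returns the
// matching variables as a plain object):
//
//   import { defineConfig, loadEnv } from "vite";
//   export default defineConfig(({ mode }) => {
//     const env = loadEnv(mode, process.cwd(), "VITE_");
//     assertNoDemoModeInRelease(mode, env); // aborts `vite build --mode production`
//     return { /* ...normal config... */ };
//   });

// Constructed sample environments, as a reader would see them when running
// the guard by hand (release build with the flag left on, and a clean one).
const releaseWithFlag = checkDemoModeGuard("production", { VITE_DEMO_MODE: "true" });
const releaseClean = checkDemoModeGuard("production", {});
console.log(releaseWithFlag.ok ? "release build allowed" : `refused: ${releaseWithFlag.reason}`);
console.log(releaseClean.ok ? "release build allowed" : `refused: ${releaseClean.reason}`);
```

Because the check runs inside the config function, it fires before any asset is emitted, so a misconfigured CI job fails loudly at `vite build` rather than producing an APK that carries the mock secret. Keeping the predicate separate from Vite also means it can be covered by an ordinary unit test.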

@ericmt-98 ericmt-98 (Owner) commented

Thanks for the report 🙏

On review, the content of this PR is byte-identical to what is already in main: the SEC-31 report was already merged via commit a51be19 (fix(frontend): add build guard — VITE_DEMO_MODE blocked on release APK (SEC-31)), which also included the guard fix in vite.config.ts.

That is why this PR introduces no net changes over main. I'm closing it as already applied. The finding and the mitigation are on record! 🚀

@ericmt-98 ericmt-98 closed this Jun 30, 2026


Successfully merging this pull request may close these issues.

[SEC-31] (Mobile app) The build demo flag (VITE_DEMO_MODE) can remain embedded in the release APK
