Decisions

• **Firebase getIdToken() over SecureStore dedup** — Reviewer caught stale-token risk. Firebase's in-memory cache handles dedup safely. Manual optimization was a regression risk.