Description
## Symptom
Pairing fails immediately when the body is reported with IP address `11.0.11.24` (which falls outside standard RFC1918 private ranges). The error is App Transport Security (ATS) blocking HTTP to this address.
## Log evidence
From issue #234 (bxl1-test/ad6, 2026-05-19):
```
21:30:59 Discovering body for 'mercator-talks' in bxl1-test/ad6
21:30:59 Found cosmic-pretzel-98 (stream_count:0, host:11.0.11.24)
21:30:59 Pairing with cosmic-pretzel-98 at 11.0.11.24
21:30:59 Pairing failed: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.
```
## Root cause
ATS exemptions in the Info.plist allow HTTP to private IP ranges (10.x, 192.168.x, 172.16-31.x) but `11.0.11.24` is not in those exemptions. The body is presumably behind a WireGuard/VPN assignment that puts it on the 11.0.0.0/8 range. ATS treats this as a public IP requiring HTTPS.
## Fix
Add `11.0.0.0/8` (or the full VPN subnet) to the ATS NSExceptionDomains, or better: add a wildcard exception for any private/VPN address range used by WireGuard assignments. Alternatively ensure body IPs are always reported from a known-exempted range.
## Appears in
Issue #234