feat(supabase): provider-aware PostgREST client + chat title fallback

  * lib/supabase.ts now picks one of three transports based on
    AUTH_PROVIDER:

      supabase  - default supabase-js, hits hosted Supabase /rest/v1
      local     - supabase-js with a fetch wrapper that strips the
                  /rest/v1 prefix so SUPABASE_URL can point at PostgREST
                  directly (no Caddy required for the local docker stack)
      entra     - same prefix-strip plus Authorization/apikey header
                  removal, since the deployed PostgREST runs without
                  jwt-secret and refuses requests carrying Authorization.
                  Trust comes from network isolation: only the
                  Container Apps internal ingress can reach PostgREST.

    The "supabase" function name is now historical - for everything but
    the supabase branch this is a generic PostgREST client.

  * routes/chat.ts: title generation is cosmetic, so an LLM failure (no
    provider configured, AOAI deployment unreachable, etc.) now falls
    back to the first ~60 chars of the user message instead of failing
    the entire request.  Errors still log with context.

  * lib/downloadTokens.ts: hard-fail on missing DOWNLOAD_SIGNING_SECRET
    in production mode.  Same dev-mode fallback as before.