PostgREST client picks transport by AUTH_PROVIDER; two small resilience fixes
Commit `5d6f529c` makes `lib/supabase.ts` branch on `AUTH_PROVIDER` at startup to select one of three request behaviors: standard supabase-js for hosted Supabase, a fetch wrapper that strips the `/rest/v1` prefix for local and entra modes, and header stripping in entra mode where PostgREST runs without a JWT secret and rejects `Authorization` headers.
The core problem is that supabase-js hard-codes /rest/v1 in all request paths, which is correct for hosted Supabase but breaks when SUPABASE_URL points directly at PostgREST. The fix is a postgrestFetchWrapper that intercepts every request from the supabase-js client and rewrites the path. The wrapper is built around new Request(input, init) to handle both call shapes supabase-js uses internally.
In entra mode the wrapper also strips Authorization and apikey headers before the request leaves the process. The deployed PostgREST runs with PGRST_DB_ANON_ROLE=service_role and no jwt-secret, so it rejects requests that carry an Authorization header. Trust in that setup comes from network isolation - nothing outside the Container Apps Environment can reach PostgREST directly. In local mode the headers are kept because PostgREST validates the JWT against PGRST_JWT_SECRET.
Two smaller changes ride along in the same commit. routes/chat.ts now falls back to the first ~60 characters of the user message when LLM-driven title generation fails, so a failed title-gen doesn't surface as an error. lib/downloadTokens.ts adds a startup-time check: in NODE_ENV=production it throws if DOWNLOAD_SIGNING_SECRET is missing or under 16 characters, with a clear message explaining why - previously a missing secret silently fell back to a hardcoded string.
Spotted something wrong? Or know the PR text has fresher detail than the writeup above?