#13958: Claude/secureclaw env supabase dz q hh

<!-- greptile_comment --> <h2>Greptile Overview</h2> <h3>Greptile Summary</h3> This PR adds an optional Supabase-backed environment variable store (via a PostgREST table) and wires it into startup entry points (`src/index.ts`, `src/cli/run-main.ts`, `src/macos/relay.ts`) so secrets can be fetched before `loadConfig()` performs `${VAR}` substitution. It also adds a SQL schema for the `env_vars` table and vitest coverage for resolving config, fetching rows, and applying values without overriding existing env vars. Key integration detail: local dotenv loading remains first/authoritative, with Supabase acting as a fallback layer when `SUPABASE_URL` + `SUPABASE_SERVICE_ROLE_KEY` are set. <h3>Confidence Score: 4/5</h3> - Mostly safe to merge, with one concrete configuration bug to address. - Core Supabase env loading path is defensive (timeouts/errors return empty set) and is sequenced before CLI config parsing in the updated entry points. The remaining issue is URL construction for schema-qualified table names, which will deterministically fail if users set `SUPABASE_ENV_TABLE` to include a schema prefix. - src/infra/supabase-env.ts <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} <!-- /greptile_comment -->