security(#239 #240): retry jitter + GitHub Actions hardening

[ChristopherRotnes]

Summary

• Closes As a developer I want jitter added to Anthropic API retry backoff so I can prevent thundering-herd during outages #239
• Closes As a developer I want the GitHub Actions workflows hardened so I can reduce unnecessary secrets surface and injection risk #240

Retry jitter (#239)

claude.js retry loop used plain exponential backoff — all concurrent clients would retry at the same moment during a 529 overload. Now: min(2^attempt * 1000 + random(0–500ms), 32s).

GitHub Actions hardening (#240)

VITE_SUPABASE_ANON_KEY — secret → variable
The Supabase anon key is intentionally public (already ships in the frontend bundle). Storing it as an encrypted secret masked it in CI logs for no benefit. Changed to vars.VITE_SUPABASE_ANON_KEY.

Action required after merge: add VITE_SUPABASE_ANON_KEY as a repository variable (not secret) in GitHub Settings → Secrets and variables → Variables, then delete the old secret. Until this is done, the deploy job will fail with a missing env var.

Cleanup-staging run-name
Removed ${{ github.event.pull_request.title }} interpolation — PR titles are user-controlled input and should not appear in workflow control fields.

Test plan

• After adding the repository variable, confirm a deploy succeeds on this PR's preview URL
• Verify cleanup-staging workflow run-name shows "Cleanup staging environment" (no PR title)

🤖 Generated with Claude Code

[github-actions]

Azure Static Web Apps: Your stage site is ready! Visit it here: https://white-island-090dfd003-250.westeurope.7.azurestaticapps.net