
Rename SUPABASE_SERVICE_KEY to SUPABASE_SECRET_KEY and add to deploy pipeline #114

@anth-volk

Problem

  1. The codebase uses SUPABASE_SERVICE_KEY which follows Supabase's legacy naming. Supabase is migrating from service_role key to secret key (late 2026 deadline).

  2. The secret key was never passed to Cloud Run via Terraform or the deploy pipeline, so production couldn't perform admin operations (e.g., dataset uploads during seeding).

  3. The secret key was also missing from the Modal secrets sync script, so Modal functions fell back to the anon key.

Changes

  • Rename SUPABASE_SERVICE_KEY → SUPABASE_SECRET_KEY across all 18 files (Python, Terraform, workflows, docs, configs)
  • Rename supabase_service_key → supabase_secret_key (Python settings field)
  • Rename get_service_role_client() → get_secret_client() (Python function)
  • Add SUPABASE_SECRET_KEY to Terraform (variables.tf + main.tf) — was missing entirely
  • Add TF_VAR_supabase_secret_key to deploy.yml Terraform plan step
  • Add SUPABASE_SECRET_KEY to both staging and production Modal sync steps
  • Add SUPABASE_SECRET_KEY to modal-sync-secrets.sh

Not renamed: SQL service_role in RLS policies (Postgres role name, not our env var).

Manual step required

Set SUPABASE_SECRET_KEY as a GitHub Actions secret with the value from Supabase Dashboard > Settings > API > secret key.
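
Problem item 3 describes a silent fallback to the anon key when the secret key is absent. The following is an added example, not code from this repository, of a key resolver that fails closed instead; `SUPABASE_ANON_KEY`, `resolve_key`, `startup_report` and `AdminKeyError` are assumed names for illustration.

```python
"""Added example: fail closed when the admin key is missing (helper names are assumptions)."""
import os
from typing import Mapping

SECRET_VAR = "SUPABASE_SECRET_KEY"   # new name, from the issue
LEGACY_VAR = "SUPABASE_SERVICE_KEY"  # old name, from the issue
ANON_VAR = "SUPABASE_ANON_KEY"       # assumed name of the anon key variable


class AdminKeyError(RuntimeError):
    """Raised when no usable key is configured for the requested privilege."""


def resolve_key(env: Mapping[str, str], admin: bool) -> str:
    """Return the key for the requested privilege level, never a weaker one."""
    anon = env.get(ANON_VAR, "").strip()
    if not admin:
        if not anon:
            raise AdminKeyError(f"{ANON_VAR} is not set")
        return anon
    secret = env.get(SECRET_VAR, "").strip()
    if not secret:
        hint = ""
        if env.get(LEGACY_VAR, "").strip():
            # Deployment still carries the pre-rename variable.
            hint = f"; {LEGACY_VAR} is set, rename it to {SECRET_VAR}"
        raise AdminKeyError(f"{SECRET_VAR} is not set, refusing anon fallback{hint}")
    if secret == anon:
        # A copy-paste of the anon key into the secret slot would pass a presence check.
        raise AdminKeyError(f"{SECRET_VAR} has the same value as {ANON_VAR}")
    return secret


def startup_report(env: Mapping[str, str]) -> dict:
    """Summarise key configuration per privilege level without exposing key material."""
    report = {}
    for admin, label in ((False, "anon"), (True, "admin")):
        try:
            resolve_key(env, admin)
            report[label] = "ok"
        except AdminKeyError as exc:
            report[label] = str(exc)
    return report


if __name__ == "__main__":
    print(startup_report(os.environ))
```

Running `startup_report` at process start in Cloud Run and in Modal functions surfaces a missing or misnamed variable at deploy time rather than at the first admin operation.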
