Cycle 018: Supabase provision/apply/verify GHA + operator runner

[junhengz]

Adds CI workflows and scripts to provision (or reuse) a Supabase project via the Supabase Mgmt API, deterministically build DB URL, apply the shipped SQL bundle, and emit a non-secret verification artifact (supabase-verify.json).\n\nKey files:\n- .github/workflows/cycle-005-supabase-provision-apply-verify.yml\n- .github/workflows/cycle-005-supabase-apply.yml (apply-bundle + upload verify artifact)\n- projects/security-questionnaire-autopilot/scripts/{supabase-mgmt-provision-project.sh,supabase-build-db-url.sh,apply-supabase-bundle.sh,verify-supabase-bundle-applied.mjs}\n- scripts/devops/run-cycle-005-supabase-provision-apply-verify.sh (gh-based set secrets optional + dispatch + download evidence)\n- docs/devops/cycle-018-supabase-gha-secrets-and-dispatch.md\n\nTo run after merge: set GitHub Actions secrets SUPABASE_ACCESS_TOKEN, SUPABASE_ORG_SLUG, SUPABASE_DB_PASSWORD; then dispatch cycle-005-supabase-provision-apply-verify.