Commit 3a9e0fe
fix(deps): bump supabase 2.28.0 → 2.28.1 to fix OverflowError in token auto-refresh (HolmesGPT#2029)
## Summary
Bumps the pinned `supabase` dependency from `2.28.0` → `2.28.1` to pull
in
[supabase/supabase-py#1400](supabase/supabase-py#1400),
which fixes an `OverflowError: timestamp out of range for platform
time_t` raised from `supabase-auth`'s token auto-refresh background
thread.
Linear: [ROB-3871](https://linear.app/robusta/issue/ROB-3871)
Sentry: [HOLMES-1S](https://robusta-eu.sentry.io/issues/89219836/) — 264
occurrences across 144 clusters, releases 0.20.0 → 0.22.0.
## Root cause
`supabase-auth==2.28.0` schedules the retry path of its auto-refresh
`Timer` with a formula that overflows the OS `time_t` on the *first*
retry:
```python
# supabase_auth/_sync/gotrue_client.py
self._start_auto_refresh_token(
RETRY_INTERVAL ** (self._network_retries * 100)
)
```
With `RETRY_INTERVAL = 2` and `_network_retries = 2`:
- `2 ** 200` ≈ **1.61 × 10⁶⁰** milliseconds
- `Timer.__init__` stores the value as `_milliseconds` and `start()`
divides by `1000` → **1.6069380442589903 × 10⁵⁷ seconds**
- That flows: `threading.Timer.run` → `Event.wait` → `Condition.wait` →
`lock.acquire(True, timeout)` → C-level `time_t` overflow.
The captured Sentry value `1.6069380442589903e+57` matches `2 ** 200 /
1000` exactly.
### Why Holmes hits it
The `toolset-refresh` daemon thread (`server.py:238`) uses
`self.client.auth.set_session(...)` (`holmes/core/supabase_dal.py:269`),
which arms `supabase-auth`'s auto-refresh `Timer`. When the periodic
refresh HTTP call fails with `AuthRetryableError` — visible in
breadcrumbs as `JWT token expired/invalid, signing in to Supabase again`
— the buggy retry path arms the Timer with the absurd interval and the
daemon thread dies. Holmes silently recovers via the next periodic
`sign_in_with_password`, so users don't see breakage, but Sentry keeps
capturing unhandled threading exceptions.
## Upstream fix
[PR HolmesGPT#1400 / commit
`08bdf38`](supabase/supabase-py#1400), released
in `supabase` / `supabase-auth` **2.28.1** on 2026-03-13:
```diff
- (RETRY_INTERVAL ** (self._network_retries * 100)),
+ (200 * (2 ** (self._network_retries - 1))),
```
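Review bot: on the `+` line, `200 * (2 ** (self._network_retries - 1))` has no upper bound of its own, so the delay stays small only while `_network_retries` is limited somewhere outside these two lines. Suggest clamping the result explicitly, for example with `min(...)` against a maximum-delay constant, so the value handed to the timer cannot grow without bound if the counter ever does. A counter of 0 also gives exponent -1 and a float result, which deserves a comment or an integer-only form.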
Proper exponential backoff, capped at ~102 s on the 10th retry.
## Changes in this PR
- `pyproject.toml`: `supabase = "2.28.0"` → `supabase = "2.28.1"` (kept
the exact-pin style)
- `poetry.lock`: regenerated with the matching `poetry==2.3.3`. Only the
supabase family (`supabase`, `supabase-auth`, `supabase-functions`,
`postgrest`, `realtime`, `storage3`) is bumped to 2.28.1 in lockstep. No
other packages touched.
## Verification
```bash
git diff poetry.lock | grep -E "^[+-]version = " | sort -u
# +version = "2.28.1"
# -version = "2.28.0"
```
No Holmes source changes are required.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
## Summary by CodeRabbit
* **Chores**
  * Updated Supabase dependency to version 2.28.1
Signed-off-by: Mohse Morad <moshemorad12340@gmail.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1 parent 6c44010 commit 3a9e0fe
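The overflow described under "Root cause" and the two backoff formulas, as an added example that is not part of the commit or of supabase-auth: it evaluates both formulas quoted in the message and checks whether a lock wait accepts the resulting timeout. `lock_accepts`, `safe_delay_s`, `survey` and the 300 s ceiling are hypothetical names and values chosen for illustration.

```python
import threading

RETRY_INTERVAL = 2  # value quoted in the commit message


def old_delay_ms(network_retries):
    """Retry delay formula quoted for supabase-auth 2.28.0."""
    return RETRY_INTERVAL ** (network_retries * 100)


def new_delay_ms(network_retries):
    """Retry delay formula quoted for supabase-auth 2.28.1."""
    return 200 * (2 ** (network_retries - 1))


def lock_accepts(timeout_s):
    """True if lock.acquire() accepts the timeout, False on OverflowError."""
    lock = threading.Lock()
    try:
        # The lock is uncontended, so a valid timeout returns immediately.
        if lock.acquire(True, timeout_s):
            lock.release()
        return True
    except OverflowError:
        return False


def safe_delay_s(delay_ms, ceiling_s=300.0):
    """Hypothetical guard: clamp a delay before it reaches a Timer.

    The 300 s ceiling is an assumption; threading.TIMEOUT_MAX is the
    largest timeout the interpreter's blocking calls accept.
    """
    return min(delay_ms / 1000, ceiling_s, threading.TIMEOUT_MAX)


def survey(max_retries=10):
    """(retries, old seconds, old accepted, new seconds, new accepted) rows."""
    rows = []
    for n in range(1, max_retries + 1):
        old_s, new_s = old_delay_ms(n) / 1000, new_delay_ms(n) / 1000
        rows.append((n, old_s, lock_accepts(old_s), new_s, lock_accepts(new_s)))
    return rows


if __name__ == "__main__":
    for n, old_s, old_ok, new_s, new_ok in survey():
        print(f"retries={n:2d} old={old_s:.3e}s ok={old_ok} new={new_s:6.1f}s ok={new_ok}")
```

Beyond 10 retries the old formula no longer fits in a float at all, so `survey` stops there.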
2 files changed
Lines changed: 25 additions & 25 deletions