fix: review-driven hardening — env guards, token expiry, slug validation, dashboard UX

From CEO plan review:
- Edge functions: early guard on missing env vars instead of non-null assert crash
- cli-team: wire isTokenExpired check (was imported but unused)
- Migration 007: CHECK constraint on team slug (a-z0-9 hyphens, 2-50 chars)
- Dashboard: streak badges on leaderboard, repo slug in who's-online,
  contextual empty states that teach, 60s refresh (was 30s)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Garry Tan
2026-03-16 09:59:20 -05:00
parent 2357f134ce
commit 721abce5a5
5 changed files with 67 additions and 18 deletions


@@ -35,6 +35,12 @@ create policy "admin_write_settings" on team_settings
)
);
-- Add CHECK constraint on teams.slug if not already present
do $$ begin
alter table teams add constraint chk_team_slug check (slug ~ '^[a-z0-9][a-z0-9-]{0,48}[a-z0-9]$');
exception when duplicate_object then null;
end $$;
-- ─── alert_cooldowns ────────────────────────────────────────
create table if not exists alert_cooldowns (
@@ -76,6 +82,9 @@ begin
if team_name is null or length(trim(team_name)) = 0 then
raise exception 'team_name cannot be empty';
end if;
if team_slug !~ '^[a-z0-9][a-z0-9-]{0,48}[a-z0-9]$' then
raise exception 'team_slug must be 2-50 chars, lowercase alphanumeric and hyphens only, must start and end with alphanumeric';
end if;
if auth.uid() is null then
raise exception 'must be authenticated';
end if;
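Review bot: The slug guard added in the second hunk is skipped when team_slug is NULL, because `team_slug !~ '…'` evaluates to NULL and the `if` treats that as false; the team_name check just above it tests `is null` explicitly, so the two guards are inconsistent. The CHECK constraint added in the first hunk also passes on NULL, so neither layer rejects a missing slug unless teams.slug is declared NOT NULL, which is not visible here. I would write the guard as `if team_slug is null or team_slug !~ '^[a-z0-9][a-z0-9-]{0,48}[a-z0-9]$' then`. Separately, the `alter table` in the first hunk validates existing rows, and a `check_violation` raised by a legacy slug is not caught by the `duplicate_object` handler, so the migration would abort there; worth confirming that is the intended outcome. The function body starts and ends outside the hunk.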