Fix empty usage-history chart + externalize signing secrets

History chart: recordHistory() threw away the previous point whenever a
new reading landed within the 2-min de-dup window, but the foreground loop
refreshes every 30s — so history could never grow past one point while the
app was open and the chart stayed stuck on 'Collecting history…'. Now it
throttles by SKIPPING a too-soon reading instead of replacing the last one,
so points accumulate during normal use.

Security:
- Remove hardcoded release keystore passwords from build.gradle.kts; read
  from env vars / gitignored keystore.properties; CI injects from Gitea
  secrets (KEYSTORE_PASSWORD/KEY_PASSWORD). Signing identity unchanged.
- Make the cookie-never-plaintext invariant explicit on the read path.
- Drop custom ACTION_REFRESH from the exported widget intent-filter so other
  apps can't trigger refreshes; internal explicit PendingIntent still works.
- Gate an unguarded Log.w behind BuildConfig.DEBUG.

.gitea/workflows/build.yml

@@ -56,6 +56,20 @@ jobs:
           fi
           echo "${{ secrets.KEYSTORE_BASE64 }}" | base64 -d > app/claude-widget-release.keystore
 
+      # Signing passwords are no longer hardcoded in build.gradle.kts — inject them at build time.
+      - name: Write signing credentials
+        if: startsWith(github.ref, 'refs/tags/')
+        run: |
+          if [ -z "${{ secrets.KEYSTORE_PASSWORD }}" ] || [ -z "${{ secrets.KEY_PASSWORD }}" ]; then
+            echo "::error::KEYSTORE_PASSWORD / KEY_PASSWORD secrets not set — cannot sign release."
+            exit 1
+          fi
+          {
+            echo "storePassword=${{ secrets.KEYSTORE_PASSWORD }}"
+            echo "keyPassword=${{ secrets.KEY_PASSWORD }}"
+            echo "keyAlias=${{ secrets.KEY_ALIAS || 'claudewidget' }}"
+          } > keystore.properties
+
       - name: Build release APK
         if: startsWith(github.ref, 'refs/tags/')
         run: ./gradlew :app:assembleRelease --no-daemon