feat(infra): use beanflows_service for supervisor

- materia-supervisor.service: User=root → User=beanflows_service,
  add PATH so uv (~/.local/bin) is found without a login shell
- setup_server.sh: full rewrite — creates beanflows_service (nologin),
  generates SSH deploy key + age keypair as service user at XDG path
  (~/.config/sops/age/keys.txt), installs age/sops/rclone as root,
  prints both public keys + numbered next-step instructions
- bootstrap_supervisor.sh: full rewrite — removes GITLAB_READ_TOKEN
  requirement, clones via SSH as service user, installs uv as service
  user, decrypts with SOPS auto-discovery, uv sync as service user,
  systemctl as root
- web/deploy.sh: remove self-contained sops/age install + keypair
  generation; replace with simple sops check (exit if missing) and
  SOPS auto-discovery decrypt (no explicit key file needed)
- infra/readme.md: update architecture diagram for beanflows_service
  paths, update setup steps to match new scripts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/deploy.sh

@@ -1,60 +1,15 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-# ── Ensure sops + age are installed ───────────────────────
 APP_DIR="$(cd "$(dirname "$0")" && pwd)"
-BIN_DIR="$APP_DIR/bin"
-mkdir -p "$BIN_DIR"
-export PATH="$BIN_DIR:$PATH"
-
-ARCH=$(uname -m)
-case "$ARCH" in
-    x86_64)  ARCH_SOPS="amd64"; ARCH_AGE="amd64" ;;
-    aarch64) ARCH_SOPS="arm64"; ARCH_AGE="arm64" ;;
-    *) echo "Unsupported architecture: $ARCH"; exit 1 ;;
-esac
-
-if ! command -v age &>/dev/null; then
-    echo "==> Installing age to $BIN_DIR..."
-    AGE_VERSION="v1.3.1"
-    curl -fsSL "https://dl.filippo.io/age/${AGE_VERSION}?for=linux/${ARCH_AGE}" -o /tmp/age.tar.gz
-    tar -xzf /tmp/age.tar.gz -C "$BIN_DIR" --strip-components=1 age/age age/age-keygen
-    chmod +x "$BIN_DIR/age" "$BIN_DIR/age-keygen"
-    rm /tmp/age.tar.gz
-fi
 
+# ── Verify sops is installed (setup_server.sh installs it to /usr/local/bin) ──
 if ! command -v sops &>/dev/null; then
-    echo "==> Installing sops to $BIN_DIR..."
-    SOPS_VERSION="v3.12.1"
-    curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.${ARCH_SOPS}" -o "$BIN_DIR/sops"
-    chmod +x "$BIN_DIR/sops"
-fi
-
-# ── Ensure age keypair exists ─────────────────────────────
-# Key file lives at repo root (one level up from web/)
-AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-$APP_DIR/../age-key.txt}"
-AGE_KEY_FILE="$(realpath "$AGE_KEY_FILE")"
-export SOPS_AGE_KEY_FILE="$AGE_KEY_FILE"
-
-if [ ! -f "$AGE_KEY_FILE" ]; then
-    echo "==> Generating age keypair at $AGE_KEY_FILE..."
-    age-keygen -o "$AGE_KEY_FILE" 2>&1
-    chmod 600 "$AGE_KEY_FILE"
-    AGE_PUB=$(grep "public key:" "$AGE_KEY_FILE" | awk '{print $NF}')
-    echo ""
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-    echo "!! NEW SERVER — add this public key to .sops.yaml:    !!"
-    echo "!!                                                     !!"
-    echo "!! $AGE_PUB !!"
-    echo "!!                                                     !!"
-    echo "!! Then run: sops updatekeys .env.prod.sops            !!"
-    echo "!! Commit, push, and re-deploy.                        !!"
-    echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
-    echo ""
+    echo "ERROR: sops not found — run infra/setup_server.sh first"
     exit 1
 fi
 
-# ── Decrypt secrets ───────────────────────────────────────
+# ── Decrypt secrets (SOPS auto-discovers age key from ~/.config/sops/age/) ────
 echo "==> Decrypting secrets from .env.prod.sops..."
 sops --input-type dotenv --output-type dotenv -d "$APP_DIR/../.env.prod.sops" > "$APP_DIR/.env"
 chmod 600 "$APP_DIR/.env"