Use GitLab project access token instead of SSH deploy key

More secure approach:
- Uses HTTPS with token instead of SSH keys
- Token can be rotated without touching infrastructure
- Scoped to read_repository only
- Token stored in Pulumi ESC (beanflows/prod)

Setup:
1. Create project access token in GitLab with read_repository scope
2. Add GITLAB_READ_TOKEN to Pulumi ESC
3. Bootstrap script will use it for git clone/pull

infra/bootstrap_supervisor.sh

@@ -26,9 +26,18 @@ if [ "$EUID" -ne 0 ]; then
 fi
 
 # Configuration
-REPO_URL="${REPO_URL:-git@gitlab.com:deemanone/materia.git}"
 MATERIA_DIR="/opt/materia"
 REPO_DIR="$MATERIA_DIR/repo"
+GITLAB_PROJECT="deemanone/materia"
+
+# GITLAB_READ_TOKEN should be set in Pulumi ESC (beanflows/prod)
+if [ -z "${GITLAB_READ_TOKEN:-}" ]; then
+    echo "ERROR: GITLAB_READ_TOKEN environment variable not set"
+    echo "Please add it to Pulumi ESC (beanflows/prod) first"
+    exit 1
+fi
+
+REPO_URL="https://gitlab-ci-token:${GITLAB_READ_TOKEN}@gitlab.com/${GITLAB_PROJECT}.git"
 
 echo "--- Installing system dependencies ---"
 apt-get update