feat(ci): switch to pull-based deploy via git tags

Replace push-based SSH deploy (deploy:web stage with SSH credentials +
individual env var injection) with tag-based pull deploy:

- Add `tag` stage: creates v${CI_PIPELINE_IID} tag using CI_JOB_TOKEN
- Remove all SSH variables (SSH_PRIVATE_KEY, SSH_KNOWN_HOSTS, DEPLOY_USER,
  DEPLOY_HOST) and all individual secret variables from CI
- Zero deploy secrets in CI — only CI_JOB_TOKEN (built-in) needed

Deployment is now handled by the on-server supervisor (src/materia/supervisor.py)
which polls for new v* tags every 60s and runs web/deploy.sh automatically.
Secrets live in .env.prod.sops (git-committed, age-encrypted), decrypted at
deploy time by deploy.sh — never stored in GitLab CI variables.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitlab/.gitlab-ci.yml

@@ -1,9 +1,8 @@
 image: python:3.13
 
 stages:
-#  - lint
   - test
-  - deploy
+  - tag
 
 variables:
   UV_CACHE_DIR: "$CI_PROJECT_DIR/.uv-cache"
@@ -23,14 +22,6 @@ workflow:
     - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
     - if: $CI_COMMIT_TAG
 
-#lint:
-#  stage: lint
-#  before_script:
-#    - *uv_setup
-#  script:
-#    - uv sync
-#    - uv run ruff check .
-
 # --- Data platform ---
 
 test:cli:
@@ -71,44 +62,19 @@ test:web:
     - changes:
         - web/**/*
 
-deploy:web:
+# --- Deploy (pull-based via supervisor) ---
-  stage: deploy
+# The on-server supervisor (src/materia/supervisor.py) polls for new tags
+# every 60s and deploys automatically when a new v<N> tag appears.
+# No SSH keys, no deploy credentials needed in CI.
+
+tag:
+  stage: tag
   image: alpine:latest
-  needs: [test:web]
+  needs: []
+  before_script:
+    - apk add --no-cache git
+  script:
+    - git tag "v${CI_PIPELINE_IID}"
+    - git push "https://gitlab-ci-token:${CI_JOB_TOKEN}@${CI_SERVER_HOST}/${CI_PROJECT_PATH}.git" "v${CI_PIPELINE_IID}"
   rules:
     - if: $CI_COMMIT_BRANCH == "master"
-  before_script:
-    - apk add --no-cache openssh-client
-    - eval $(ssh-agent -s)
-    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
-    - mkdir -p ~/.ssh
-    - chmod 700 ~/.ssh
-    - echo "$SSH_KNOWN_HOSTS" >> ~/.ssh/known_hosts
-  script:
-    - |
-      ssh "$DEPLOY_USER@$DEPLOY_HOST" "cat > /opt/beanflows/web/.env" << ENVEOF
-      APP_NAME=$APP_NAME
-      SECRET_KEY=$SECRET_KEY
-      BASE_URL=$BASE_URL
-      DEBUG=false
-      DATABASE_PATH=data/app.db
-      MAGIC_LINK_EXPIRY_MINUTES=$MAGIC_LINK_EXPIRY_MINUTES
-      SESSION_LIFETIME_DAYS=$SESSION_LIFETIME_DAYS
-      RESEND_API_KEY=$RESEND_API_KEY
-      EMAIL_FROM=$EMAIL_FROM
-      RESEND_AUDIENCE_WAITLIST=$RESEND_AUDIENCE_WAITLIST
-      ADMIN_EMAILS=$ADMIN_EMAILS
-      WAITLIST_MODE=$WAITLIST_MODE
-      RATE_LIMIT_REQUESTS=$RATE_LIMIT_REQUESTS
-      RATE_LIMIT_WINDOW=$RATE_LIMIT_WINDOW
-      PADDLE_API_KEY=$PADDLE_API_KEY
-      PADDLE_WEBHOOK_SECRET=$PADDLE_WEBHOOK_SECRET
-      PADDLE_ENVIRONMENT=$PADDLE_ENVIRONMENT
-      PADDLE_PRICE_STARTER=$PADDLE_PRICE_STARTER
-      PADDLE_PRICE_PRO=$PADDLE_PRICE_PRO
-      UMAMI_SCRIPT_URL=$UMAMI_SCRIPT_URL
-      UMAMI_WEBSITE_ID=$UMAMI_WEBSITE_ID
-      SERVING_DUCKDB_PATH=$SERVING_DUCKDB_PATH
-      ENVEOF
-    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "chmod 600 /opt/beanflows/web/.env"
-    - ssh "$DEPLOY_USER@$DEPLOY_HOST" "cd /opt/beanflows && git pull origin master && cd web && bash deploy.sh"