fix(secrets): add secrets-updatekeys-prod target, use --input-type dotenv

sops updatekeys doesn't inherit --input-type from context, so calling it bare
on .env.prod.sops causes "Error unmarshalling input json" (guesses JSON from
the .sops extension). Explicit --input-type dotenv fixes it.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

infra/setup_server.sh

@@ -168,7 +168,7 @@ echo "  2. Add the server age key to .sops.yaml (comma-separated):"
 echo "       age: <your-dev-key>,${AGE_PUB}"
 echo ""
 echo "  3. Re-encrypt and push:"
-echo "       sops updatekeys .env.prod.sops"
+echo "       make secrets-updatekeys-prod"
 echo "       git add .sops.yaml .env.prod.sops"
 echo "       git commit -m 'chore: add server age key'"
 echo "       git push"