fix(infra): fix setup_server.sh summary — correct bootstrap command + sops format

- Detect server IP at runtime (hostname -I) and print real ssh command
- Replace misleading >- yaml block + '+' notation with correct comma-separated
  age key format: age: <dev-key>,<server-key>
- Label next steps as "(run from your workstation)"

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

infra/setup_server.sh

@@ -144,6 +144,7 @@ fi
 
 DEPLOY_PUB=$(cat "${DEPLOY_KEY}.pub")
 AGE_PUB=$(grep "public key:" "${AGE_KEY_FILE}" | awk '{print $NF}')
+SERVER_IP=$(hostname -I | awk '{print $1}')
 
 echo ""
 echo "=================================================================="
@@ -158,25 +159,21 @@ echo "    ${AGE_PUB}"
 echo ""
 echo "=================================================================="
 echo ""
-echo "  Next steps:"
+echo "  Next steps (run from your workstation):"
 echo ""
 echo "  1. Add the SSH deploy key to GitLab:"
 echo "       → Repository Settings → Deploy Keys → Add key (read-only)"
 echo ""
-echo "  2. Add the age public key to .sops.yaml on your workstation:"
+echo "  2. Add the server age key to .sops.yaml (comma-separated):"
-echo "       creation_rules:"
+echo "       age: <your-dev-key>,${AGE_PUB}"
-echo "         - path_regex: \\.env\\.(dev|prod)\\.sops\$"
-echo "           age: >-"
-echo "             <dev-key>"
-echo "             + ${AGE_PUB}"
 echo ""
-echo "  3. Re-encrypt prod secrets to include the server key:"
+echo "  3. Re-encrypt and push:"
 echo "       sops updatekeys .env.prod.sops"
 echo "       git add .sops.yaml .env.prod.sops"
 echo "       git commit -m 'chore: add server age key'"
 echo "       git push"
 echo ""
 echo "  4. Run bootstrap:"
-echo "       bash infra/bootstrap_supervisor.sh"
+echo "       ssh root@${SERVER_IP} 'bash -s' < infra/bootstrap_supervisor.sh"
 echo ""
 echo "=================================================================="