docs: update CI/CD references from GitLab to Gitea

Replace .gitlab/.gitlab-ci.yml with .gitea/workflows/ci.yaml, update
CI_JOB_TOKEN → github.token, CI_PIPELINE_IID → github.run_number, and
update setup instructions to point to git.padelnomics.io deploy keys.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

CLAUDE.md

@@ -118,11 +118,11 @@ uv add --package new_source extract-core niquests
 - Each tick: git pull (tag-based) → due extractors → SQLMesh → export_serving → web deploy if changed
 - Crash-safe: systemd `Restart=always` + 10-minute backoff on tick failure
 
-**CI/CD** (`.gitlab/.gitlab-ci.yml`) — pull-based, no SSH:
+**CI/CD** (`.gitea/workflows/ci.yaml`) — pull-based, no SSH:
-- `test` stage: pytest, sqlmesh test, web pytest
+- `test-cli`, `test-sqlmesh`, `test-web` jobs: pytest, sqlmesh test, web pytest
-- `tag` stage: creates `v${CI_PIPELINE_IID}` tag after tests pass (master branch only)
+- `tag` job: creates `v${github.run_number}` tag after all tests pass (master branch only)
 - Supervisor polls for new tags every 60s, checks out latest, runs `uv sync`
-- No SSH keys or deploy credentials in CI — only `CI_JOB_TOKEN` (built-in)
+- No SSH keys or deploy credentials in CI — only `github.token` (built-in Gitea Actions)
 
 **CLI modules** (`src/materia/`):
 - `cli.py` — Typer app with subcommands: pipeline, secrets, version

infra/readme.md

@@ -7,7 +7,7 @@ Single-server local-first setup for BeanFlows.coffee on Hetzner NVMe.
 ```
 Hetzner Server (NVMe)
 ├── beanflows_service (system user, nologin)
-│   ├── ~/.ssh/materia_deploy          # ed25519 deploy key for GitLab read access
+│   ├── ~/.ssh/beanflows_deploy         # ed25519 deploy key for Gitea read access
 │   └── ~/.config/sops/age/keys.txt   # age keypair (auto-discovered by SOPS)
 ├── /opt/materia/                      # Git repo (owned by beanflows_service, latest release tag)
 ├── /opt/materia/.env                  # Decrypted from .env.prod.sops at deploy time
@@ -37,11 +37,11 @@ bash infra/setup_server.sh
 
 This creates the `beanflows_service` user, data directories, installs all tools (git, curl, age, sops, rclone, uv), generates an ed25519 SSH deploy key and an age keypair (both as the service user). It prints both public keys.
 
-### 2. Add keys to GitLab and SOPS
+### 2. Add keys to Gitea and SOPS
 
 ```bash
-# Add the SSH deploy key to GitLab:
+# Add the SSH deploy key to Gitea:
-#   → Repository Settings → Deploy Keys → Add key (read-only)
+#   → git.padelnomics.io → beanflows repo → Settings → Deploy Keys → Add key (read-only)
 
 # Add the server age public key to .sops.yaml on your workstation,
 # then re-encrypt prod secrets to include the server key:
@@ -87,8 +87,8 @@ SOPS auto-discovers the service user's age key at `~/.config/sops/age/keys.txt`
 
 No SSH keys or deploy credentials in CI.
 
-1. CI runs tests (`test:cli`, `test:sqlmesh`, `test:web`)
+1. CI runs tests (`test-cli`, `test-sqlmesh`, `test-web`)
-2. On master, CI creates tag `v${CI_PIPELINE_IID}` using built-in `CI_JOB_TOKEN`
+2. On master, CI creates tag `v${github.run_number}` using built-in `github.token`
 3. Supervisor polls for new tags every 60s
 4. When a new tag appears: `git checkout --detach <tag>` + `uv sync --all-packages`
 5. If `web/` files changed: `./web/deploy.sh` (Docker blue/green + health check)