refactor(infra): consolidate tool installs in setup, strip bootstrap to essentials

- setup_server.sh: add git/curl/ca-certificates apt install, add uv install
  as service user, fix SSH config write (root + chown vs sudo heredoc), remove
  noise log lines after set -e makes them redundant
- bootstrap_supervisor.sh: remove all tool installs (apt, uv, sops, age) —
  setup_server.sh is now the single source of truth; strip to ~45 lines:
  age-key check, clone/fetch, tag checkout, decrypt, uv sync, systemd enable
- readme.md: update step 1 and step 3 descriptions

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Deeman
2026-02-26 22:25:31 +01:00
parent 0317cb885f
commit cf65fa16b6
3 changed files with 40 additions and 100 deletions


@@ -1,5 +1,5 @@
#!/bin/bash
# One-time server setup: create service user, SSH deploy key, age keypair.
# One-time server setup: create service user, install tools, SSH deploy key, age keypair.
# Run as root on a fresh Hetzner server before running bootstrap_supervisor.sh.
#
# Usage:
@@ -8,8 +8,8 @@
# What it does:
# 1. Creates beanflows_service user (nologin) + adds to docker group
# 2. Creates /opt/materia + /data/materia/landing with correct ownership
# 3. Generates ed25519 SSH deploy key for GitLab read access
# 4. Installs age + sops + rclone to /usr/local/bin (as root)
# 3. Installs git, curl, age, sops, rclone, uv
# 4. Generates ed25519 SSH deploy key for GitLab read access
# 5. Generates age keypair at ~/.config/sops/age/keys.txt (as service user)
# 6. Prints both public keys + numbered next-step instructions
@@ -33,7 +33,6 @@ if ! id "${SERVICE_USER}" >/dev/null 2>&1; then
useradd --system --create-home --shell /usr/sbin/nologin "${SERVICE_USER}"
fi
usermod -aG docker "${SERVICE_USER}"
log "User OK."
# ── Directories ───────────────────────────────────────────────────────────────
@@ -41,7 +40,12 @@ log "Creating directories..."
mkdir -p "${APP_DIR}" "${DATA_DIR}/landing"
chown "${SERVICE_USER}:${SERVICE_USER}" "${APP_DIR}"
chown -R "${SERVICE_USER}:${SERVICE_USER}" "${DATA_DIR}"
log "Directories OK."
# ── System tools ──────────────────────────────────────────────────────────────
log "Installing system tools..."
apt-get update -q
apt-get install -y -q git curl ca-certificates
# ── SSH deploy key ────────────────────────────────────────────────────────────
@@ -54,18 +58,18 @@ if [ ! -f "${DEPLOY_KEY}" ]; then
-f "${DEPLOY_KEY}" -N "" -C "materia-deploy"
fi
sudo -u "${SERVICE_USER}" bash -c "cat > ${SSH_DIR}/config" <<EOF
cat > "${SSH_DIR}/config" <<EOF
Host gitlab.com
IdentityFile ${DEPLOY_KEY}
IdentitiesOnly yes
EOF
chown "${SERVICE_USER}:${SERVICE_USER}" "${SSH_DIR}/config"
chmod 600 "${SSH_DIR}/config"
sudo -u "${SERVICE_USER}" bash -c \
"ssh-keyscan -H gitlab.com >> ${SSH_DIR}/known_hosts 2>/dev/null; \
sort -u ${SSH_DIR}/known_hosts -o ${SSH_DIR}/known_hosts"
ssh-keyscan -H gitlab.com >> "${SSH_DIR}/known_hosts" 2>/dev/null
sort -u "${SSH_DIR}/known_hosts" -o "${SSH_DIR}/known_hosts"
chown "${SERVICE_USER}:${SERVICE_USER}" "${SSH_DIR}/known_hosts"
chmod 644 "${SSH_DIR}/known_hosts"
log "SSH deploy key OK."
# ── age ───────────────────────────────────────────────────────────────────────
@@ -119,6 +123,13 @@ else
log "Age keypair already exists — skipping."
fi
# ── uv (installed as service user) ────────────────────────────────────────────
if [ ! -f "/home/${SERVICE_USER}/.local/bin/uv" ]; then
log "Installing uv..."
sudo -u "${SERVICE_USER}" bash -c 'curl -LsSf https://astral.sh/uv/install.sh | sh'
fi
# ── Summary ───────────────────────────────────────────────────────────────────
DEPLOY_PUB=$(cat "${DEPLOY_KEY}.pub")
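Review bot: The uv install at `sudo -u "${SERVICE_USER}" bash -c 'curl -LsSf https://astral.sh/uv/install.sh | sh'` runs an unpinned remote script, and because the inner pipeline has no pipefail, a failed `curl -f` leaves `sh` reading an empty stream and exiting 0, so the outer `set -e` never sees the failure and the script continues to the summary as if the tool were installed. Pin the installer to a fixed release and make the pipeline fail loudly, e.g. `sudo -u "${SERVICE_USER}" bash -c "set -o pipefail; curl -LsSf https://astral.sh/uv/${UV_VERSION}/install.sh | sh"` with `UV_VERSION` declared next to the script's other constants; downloading to a file first would additionally give a place to verify a checksum. The same trust-on-first-use concern applies to `ssh-keyscan -H gitlab.com >> "${SSH_DIR}/known_hosts" 2>/dev/null` in the SSH deploy key hunk: it records whatever host key is presented at setup time and discards any error, so a comment such as `# TOFU: compare the recorded fingerprint against GitLab's published host keys before first deploy` and a check that the file is non-empty afterwards would document and harden that step. The installer guard `if [ ! -f "/home/${SERVICE_USER}/.local/bin/uv" ]` presumably relies on the installer's default location; confirm that path is what the pinned version writes.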