feat: decrypt sops secrets in deploy.sh before docker compose

Reads age key from /opt/padelnomics/age-key.txt (overridable via
SOPS_AGE_KEY_FILE env var). Decrypts .env.prod.sops → .env with
chmod 600.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

deploy.sh

@@ -1,6 +1,11 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+# ── Decrypt secrets ───────────────────────────────────────
+export SOPS_AGE_KEY_FILE="${SOPS_AGE_KEY_FILE:-/opt/padelnomics/age-key.txt}"
+sops --input-type dotenv --output-type dotenv -d .env.prod.sops > .env
+chmod 600 .env
+
 COMPOSE="docker compose -f docker-compose.prod.yml"
 LIVE_FILE=".live-slot"
 ROUTER_CONF="router/default.conf"