Fix remote_query.sh: use analyst-readable env file

GCP OS Login doesn't honor /etc/group changes for SSH sessions,
so analyst can't read /opt/data-analyst/.env even after usermod.

Wrapper now reads .remote_query.env from scripts dir (dataread group),
falls back to .env for admin users. The env file contains only
non-secret BQ config (project ID, location, data dir).

scripts/remote_query.sh

@@ -2,7 +2,7 @@
 # Remote Query - wrapper for src.remote_query
 #
 # Runs DuckDB queries spanning local Parquet + remote BigQuery tables.
-# Sets up the correct environment (PYTHONPATH, CONFIG_DIR, .env) automatically.
+# Sets up the correct environment (PYTHONPATH, CONFIG_DIR, env vars) automatically.
 #
 # Usage (via SSH from analyst machine):
 #   ssh <alias> 'bash ~/server/scripts/remote_query.sh \
@@ -16,11 +16,23 @@
 set -e
 
 APP_DIR="/opt/data-analyst"
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 
-# Load environment (BQ project, location, etc.)
+# Load BigQuery environment variables
-set -a
+# Try analyst-readable env first (deployed to /data/scripts/), fall back to app .env
-source "${APP_DIR}/.env"
+if [[ -f "${SCRIPT_DIR}/.remote_query.env" ]]; then
-set +a
+    set -a
+    source "${SCRIPT_DIR}/.remote_query.env"
+    set +a
+elif [[ -r "${APP_DIR}/.env" ]]; then
+    set -a
+    source "${APP_DIR}/.env"
+    set +a
+else
+    echo "ERROR: No environment file found. Contact your admin." >&2
+    echo "  Tried: ${SCRIPT_DIR}/.remote_query.env, ${APP_DIR}/.env" >&2
+    exit 1
+fi
 
 # Run remote_query with correct paths
 cd "${APP_DIR}"