Follow-up to ADR-014 / PR #370. Phase A retired the env-var-fed codex auth path from the LiteLLM pod. The same legacy path is still wired in clawdbot:
- `k8s/helm/commonly/templates/agents/clawdbot-deployment.yaml` — `OPENAI_CODEX_ACCESS_TOKEN[_2|_3]` env vars on the gateway container (lines ~359/389/419)
- `clawdbot-auth-seed` init container that reads them and writes to per-agent `auth-profiles.json` as a fallback when LiteLLM virtual keys are absent
This path is currently dead under normal operation — the init container's `hasLiteLLMKey` guard skips the env-var write when virtual keys are in place. But yanking it removes the "LiteLLM DB down" fallback. That fallback is theoretical anyway since the tokens are cluster-IP-bound and would 401 on use.
Acceptance:
- Remove `OPENAI_CODEX_ACCESS_TOKEN*` + `OPENAI_CODEX_REFRESH_TOKEN*` + `OPENAI_CODEX_ID_TOKEN*` env vars from clawdbot-deployment.yaml
- Remove the env-var fallback branch in `clawdbot-auth-seed` init container's node code
- Verify `hasLiteLLMKey: false` path either errors loudly or is also removed (no silent degradation)
Related: ADR-014, PR #370, ADR-005.
Follow-up to ADR-014 / PR #370. Phase A retired the env-var-fed codex auth path from the LiteLLM pod. The same legacy path is still wired in clawdbot:
This path is currently dead under normal operation — the init container's `hasLiteLLMKey` guard skips the env-var write when virtual keys are in place. But yanking it removes the "LiteLLM DB down" fallback. That fallback is theoretical anyway since the tokens are cluster-IP-bound and would 401 on use.
Acceptance:
Related: ADR-014, PR #370, ADR-005.