litellm: pull /meridian secrets in-playbook from Infisical (runner-agnostic)

Replaces the deploy.sh env-var hand-off (which only worked locally and would
have made Semaphore write placeholder keys, regressing direct_*) with the
standard in-playbook Infisical pull used by dawarich/mcp/cloudflared:

- site.yml pre_tasks: login via the shared 828d2cc8 machine identity, read
  /meridian as_dict, set_fact litellm_master_key + the openai/gemini keys.
- vars/vault.yml: shared ansible-vault client secret (copied from sibling repo).
- requirements.yml: + infisical.vault.
- deploy.sh: drop the infisical-CLI pulls; add --ask-vault-pass.

Same secret path for Semaphore and local — no per-template env wiring. Deploy
prereqs: attach the ansible-vault password to Semaphore template 27, and ensure
the 828d2cc8 identity can read /meridian (env prod).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

deploy.sh

@@ -9,46 +9,18 @@
 #   ./deploy.sh -v               # verbose output
 #
 # Secrets:
-#   LITELLM_MASTER_KEY is pulled from Infisical (/meridian/vault_litellm_master_key)
-#   on the controller and exported into the env for the playbook to read.
-#   For Semaphore deploys, set LITELLM_MASTER_KEY as an env var on the template.
+#   The playbook reads /meridian from Infisical itself (site.yml pre_tasks) —
+#   master key + the direct_* provider keys. No env wiring needed; this works
+#   identically under Semaphore. The only local requirement is the ansible-vault
+#   password (decrypts vars/vault.yml → the Infisical machine-identity secret),
+#   which --ask-vault-pass prompts for. Semaphore supplies it via an attached
+#   vault key on the template.
 # ==============================================================================
 set -euo pipefail
 
 HOST_IP="$(grep -E '^[0-9]' inventory.ini | head -1 | awk '{print $1}')"
 HOST_USER="$(grep -o 'ansible_user=[^ ]*' inventory.ini | head -1 | cut -d= -f2)"
 
-if [[ -z "${LITELLM_MASTER_KEY:-}" ]]; then
-    echo "==> Pulling LITELLM_MASTER_KEY from Infisical ..."
-    LITELLM_MASTER_KEY="$(infisical secrets get vault_litellm_master_key \
-        --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 \
-        --env prod --path /meridian --plain 2>/dev/null)"
-    if [[ -z "$LITELLM_MASTER_KEY" ]]; then
-        echo "    ERROR: couldn't fetch LITELLM_MASTER_KEY. Is the infisical CLI logged in?" >&2
-        exit 1
-    fi
-    export LITELLM_MASTER_KEY
-fi
-
-# Optional provider keys for direct_* models. Non-fatal: if a key isn't in
-# Infisical /meridian yet, litellm.env falls back to a placeholder and the
-# direct_* model 401s on call (proxy_* + local_* keep working). Drop the secret
-# into Infisical /meridian to activate, then re-deploy.
-for keyvar in OPENAI_API_KEY GEMINI_API_KEY; do
-    if [[ -z "${!keyvar:-}" ]]; then
-        secret_name="vault_$(echo "$keyvar" | tr '[:upper:]' '[:lower:]')"
-        val="$(infisical secrets get "$secret_name" \
-            --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 \
-            --env prod --path /meridian --plain 2>/dev/null || true)"
-        if [[ -n "$val" ]]; then
-            echo "==> Pulled ${keyvar} from Infisical (direct_* enabled)."
-            export "$keyvar=$val"
-        else
-            echo "==> ${keyvar} not in Infisical /meridian — direct_* for this provider stays scaffolded (401 until set)."
-        fi
-    fi
-done
-
 echo "==> Checking connectivity to ${HOST_USER}@${HOST_IP} ..."
 if ! ssh -o ConnectTimeout=5 -o BatchMode=yes "${HOST_USER}@${HOST_IP}" true 2>/dev/null; then
     echo "    Cannot SSH to ${HOST_IP} — refreshing host key ..."
@@ -60,7 +32,7 @@ echo "==> Installing Ansible collections ..."
 ansible-galaxy collection install -r requirements.yml --force 2>/dev/null
 
 echo "==> Running deploy playbook ..."
-ansible-playbook -i inventory.ini site.yml "$@"
+ansible-playbook -i inventory.ini site.yml --ask-vault-pass "$@"
 
 echo "==> Verifying ..."
 ssh "${HOST_USER}@${HOST_IP}" bash -s <<'VERIFY'