litellm: add OpenAI→Meridian shim role (venv + systemd, port 4000)

LiteLLM sits in front of Meridian for clients that can't talk Anthropic's
/v1/messages format (Pulse OpenAI provider, paperless-ai, etc.). Routes
OpenAI-shaped requests to localhost:3456 (Meridian) which forwards to the
Max sub.

- New roles/litellm/ — Python venv, pip install litellm[proxy], systemd
- vars/main.yml — model map (haiku/sonnet/opus) + LITELLM_MASTER_KEY env lookup
- site.yml — adds litellm role + sanity-check assert
- deploy.sh — pulls LITELLM_MASTER_KEY from Infisical (/meridian/) on the
  controller and exports it for the playbook
- New Infisical secret /meridian/vault_litellm_master_key

Smoke: Pulse → LiteLLM /v1/chat/completions → Meridian /v1/messages → Max sub
returns "pong" through both the LiteLLM master key auth and the Claude Code
SDK OAuth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

deploy.sh

@@ -5,13 +5,31 @@
 # Usage:
 #   ./deploy.sh                  # full deploy
 #   ./deploy.sh --tags meridian  # meridian role only
+#   ./deploy.sh --tags litellm   # litellm role only
 #   ./deploy.sh -v               # verbose output
+#
+# Secrets:
+#   LITELLM_MASTER_KEY is pulled from Infisical (/meridian/vault_litellm_master_key)
+#   on the controller and exported into the env for the playbook to read.
+#   For Semaphore deploys, set LITELLM_MASTER_KEY as an env var on the template.
 # ==============================================================================
 set -euo pipefail
 
 HOST_IP="$(grep -E '^[0-9]' inventory.ini | head -1 | awk '{print $1}')"
 HOST_USER="$(grep -o 'ansible_user=[^ ]*' inventory.ini | head -1 | cut -d= -f2)"
 
+if [[ -z "${LITELLM_MASTER_KEY:-}" ]]; then
+    echo "==> Pulling LITELLM_MASTER_KEY from Infisical ..."
+    LITELLM_MASTER_KEY="$(infisical secrets get vault_litellm_master_key \
+        --projectId 50062d7c-06ff-4d5c-8ca3-6c0cdba9f270 \
+        --env prod --path /meridian --plain 2>/dev/null)"
+    if [[ -z "$LITELLM_MASTER_KEY" ]]; then
+        echo "    ERROR: couldn't fetch LITELLM_MASTER_KEY. Is the infisical CLI logged in?" >&2
+        exit 1
+    fi
+    export LITELLM_MASTER_KEY
+fi
+
 echo "==> Checking connectivity to ${HOST_USER}@${HOST_IP} ..."
 if ! ssh -o ConnectTimeout=5 -o BatchMode=yes "${HOST_USER}@${HOST_IP}" true 2>/dev/null; then
     echo "    Cannot SSH to ${HOST_IP} — refreshing host key ..."
@@ -29,12 +47,15 @@ echo "==> Verifying ..."
 ssh "${HOST_USER}@${HOST_IP}" bash -s <<'VERIFY'
 echo "Node: $(node --version 2>/dev/null || echo missing)"
 echo "Meridian binary: $(which meridian 2>/dev/null || echo missing)"
-echo "Service:"
-systemctl is-enabled meridian 2>&1
-systemctl is-active meridian 2>&1
-if systemctl is-active --quiet meridian; then
-  curl -sf --max-time 3 http://127.0.0.1:3456/v1/messages -X POST -H 'Content-Type: application/json' -d '{}' >/dev/null 2>&1 && echo "API reachable on :3456" || echo "API on :3456 not responding (expected if OAuth creds missing)"
-fi
+echo "Services:"
+for svc in meridian litellm; do
+  printf "  %-10s enabled=%s active=%s\n" "$svc" "$(systemctl is-enabled $svc 2>/dev/null)" "$(systemctl is-active $svc 2>/dev/null)"
+done
+echo "Endpoints:"
+curl -sf --max-time 3 http://127.0.0.1:3456/v1/messages -X POST -H 'Content-Type: application/json' -d '{}' >/dev/null 2>&1 \
+  && echo "  meridian :3456 reachable" || echo "  meridian :3456 not responding"
+curl -sf --max-time 3 http://127.0.0.1:4000/health/liveliness >/dev/null 2>&1 \
+  && echo "  litellm  :4000 healthy" || echo "  litellm  :4000 not responding"
 VERIFY
 
 echo "==> Done."