ci: remove AI_WORKSPACE_AUTH_TOKEN from vault-action reads

vault-action ignoreNotFound only suppresses path-level 404, not missing
keys within an existing path. Removing the key from vault-action secrets
list avoids the 'No match data was found' error when the key is absent.

Token is now sourced exclusively from the ai_workspace_auth_token
workflow_dispatch input. To use Vault as the default source, store the
token there and pass it via the input at dispatch time, or wire a
dedicated vault read step when the key is guaranteed to exist.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/deploy-ai-workspace-iac.yaml

@@ -46,10 +46,7 @@ name: Deploy AI Workspace (IaC + Ansible + Cloudflare)
 #   7. AI_WORKSPACE_AUTH_TOKEN（LiteLLM 认证 token，存储在 Vault）
 #      - 用于 OpenCode ACP adapter 的 LITELLM_MASTER_KEY
 #      - 存储位置：vault kv patch kv/CICD AI_WORKSPACE_AUTH_TOKEN=<your-token>
-#      - TLDR 生成非常简单：
+#      - TLDR 生成：python3 -c 'import uuid; print(uuid.uuid4())'
-#        • Python:   python3 -c 'import uuid; print(uuid.uuid4())'
-#        • macOS:    openssl rand -hex 32
-#        • Linux:    openssl rand -base64 32
 #      - 部署时自动从 Vault 读取，注入 ansible role 的 acp_opencode_auth_token
 #
 # ── 流水线结构 ───────────────────────────────────────────────────────────────
@@ -124,7 +121,7 @@ on:
         default: true
         type: boolean
       ai_workspace_auth_token:
-        description: "自定义覆盖 AI Workspace auth token（留空则使用 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN）— TLDR 生成：python3 -c 'import uuid; print(uuid.uuid4())' 或 openssl rand -hex 32"
+        description: "AI Workspace auth token 覆盖(留空则取 Vault kv/CICD/AI_WORKSPACE_AUTH_TOKEN；生成: python3 -c 'import uuid; print(uuid.uuid4())')"
         required: false
         default: ""
         type: string
@@ -176,8 +173,7 @@ jobs:
             ${{ env.VAULT_KV }} TF_STATE_SECRET_KEY | TF_STATE_SECRET_KEY ;
             ${{ env.VAULT_KV }} TF_STATE_REGION | TF_STATE_REGION ;
             ${{ env.VAULT_KV }} CLOUDFLARE_DNS_API_TOKEN | CLOUDFLARE_DNS_API_TOKEN ;
-            ${{ env.VAULT_KV }} CLOUDFLARE_API_TOKEN | CLOUDFLARE_API_TOKEN ;
+            ${{ env.VAULT_KV }} CLOUDFLARE_API_TOKEN | CLOUDFLARE_API_TOKEN
-            ${{ env.VAULT_KV }} AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN
 
       - name: Validate required secrets
         env:
@@ -329,7 +325,6 @@ jobs:
           secrets: |
             ${{ env.VAULT_KV }} SSH_PRIVATE_DEPLOY_KEY | ANSIBLE_SSH_KEY ;
             ${{ env.VAULT_KV }} SSH_PRIVATE_DEPLOY_KEY_B64 | ANSIBLE_SSH_KEY_B64 ;
-            ${{ env.VAULT_KV }} AI_WORKSPACE_AUTH_TOKEN | AI_WORKSPACE_AUTH_TOKEN ;
             ${{ env.VAULT_KV_OPENCLAW }} DEEPSEEK_API_KEY | DEEPSEEK_API_KEY ;
             ${{ env.VAULT_KV_OPENCLAW }} NVIDIA_API_KEY | NVIDIA_API_KEY ;
             ${{ env.VAULT_KV_OPENCLAW }} OLLAMA_API_KEY | OLLAMA_API_KEY
@@ -345,7 +340,6 @@ jobs:
         env:
           ANSIBLE_SSH_KEY: ${{ steps.vault.outputs.ANSIBLE_SSH_KEY }}
           ANSIBLE_SSH_KEY_B64: ${{ steps.vault.outputs.ANSIBLE_SSH_KEY_B64 }}
-          AI_WORKSPACE_AUTH_TOKEN: ${{ steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}
           DEEPSEEK_API_KEY: ${{ github.event.inputs.use_deepseek == 'false' && '' || steps.vault.outputs.DEEPSEEK_API_KEY }}
           NVIDIA_API_KEY: ${{ github.event.inputs.use_nvidia == 'false' && '' || steps.vault.outputs.NVIDIA_API_KEY }}
           OLLAMA_API_KEY: ${{ github.event.inputs.use_ollama == 'false' && '' || steps.vault.outputs.OLLAMA_API_KEY }}
@@ -358,10 +352,6 @@ jobs:
             echo "::error::缺少必需机密 SSH 私钥 (Vault: ${VAULT_KV}/SSH_PRIVATE_DEPLOY_KEY_B64 或 ${VAULT_KV}/SSH_PRIVATE_DEPLOY_KEY，至少一个)"
             missing=1
           fi
-          # AI_WORKSPACE_AUTH_TOKEN 可选，存在即校验非空。
-          if [ -n "${AI_WORKSPACE_AUTH_TOKEN:-}" ]; then
-            echo "AI_WORKSPACE_AUTH_TOKEN: present (will inject as acp_opencode_auth_token)"
-          fi
           if [ "${{ github.event.inputs.use_deepseek || 'true' }}" = "true" ] && [ -z "${DEEPSEEK_API_KEY:-}" ]; then
             echo "::error::缺少必需机密 DEEPSEEK_API_KEY (Vault: ${VAULT_KV_OPENCLAW}/DEEPSEEK_API_KEY)"
             missing=1
@@ -424,8 +414,7 @@ jobs:
           # 离线包重新发布后可设为 auto 恢复离线加速。
           AI_WORKSPACE_OFFLINE_MODE: ${{ github.event.inputs.offline_mode || 'off' }}
           XWORKMATE_BRIDGE_DOMAIN: ${{ github.event.inputs.bridge_domain }}
-          # AI_WORKSPACE_AUTH_TOKEN: 优先使用 input 自定义值；留空则回退到 Vault 的值
+          AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token }}
-          AI_WORKSPACE_AUTH_TOKEN: ${{ github.event.inputs.ai_workspace_auth_token || steps.vault.outputs.AI_WORKSPACE_AUTH_TOKEN }}
           DEEPSEEK_API_KEY: ${{ github.event.inputs.use_deepseek == 'false' && '' || steps.vault.outputs.DEEPSEEK_API_KEY }}
           NVIDIA_API_KEY: ${{ github.event.inputs.use_nvidia == 'false' && '' || steps.vault.outputs.NVIDIA_API_KEY }}
           OLLAMA_API_KEY: ${{ github.event.inputs.use_ollama == 'false' && '' || steps.vault.outputs.OLLAMA_API_KEY }}