Fix hyrule-cloud Vault render failure for missing PAYMENT_BTC_XPUB

[Svaag]

Summary

After repairing the missing XMR Vault fields from the failed app-promotion-deploy run, vault-agent-hyrule-cloud.service still reports a render-hook failure because PAYMENT_BTC_XPUB renders as <no value> in /opt/hyrule-cloud/.env.

Observed on api:

hyrule-cloud Vault render has unresolved key PAYMENT_BTC_XPUB
PAYMENT_BTC_XPUB=<no value>

The app service is currently active, but Vault Agent keeps retrying the template command because the render hook exits non-zero.

Impact

• vault-agent-hyrule-cloud is noisy/unhealthy despite the app being up.
• Future cloud applies/secret rotations may fail or mask real render problems.
• BTC native payment support is either misconfigured or should be explicitly disabled/optional.

Proposed fix

Pick one intentional contract and implement it consistently:

1. Populate btc_xpub in kv/hyrule-cloud with a valid account-level BIP84 public key used by PAYMENT_BTC_XPUB; or
2. If BTC payments are not production-ready, remove PAYMENT_BTC_XPUB from hyrule_cloud_required_env_keys and make the app/template explicitly support BTC-disabled mode without <no value>.

Acceptance criteria

• /opt/hyrule-cloud/.env contains no <no value> entries for required keys.
• vault-agent-hyrule-cloud.service has no render-hook error for PAYMENT_BTC_XPUB after restart/rerender.
• ansible-playbook playbooks/cloud.yml --tags apply --limit api -e hyrule_cloud_apply=true completes.

[hyrule-engineering-loop]

Reliability Governor Decision

• role: staff_sre_autonomous_operations
• decision: knowledge_gap
• next_loop: knowledge
• handoff_contract: knowledge_context_pack
• source: human
• intent: secret / tier 4
• capability: none
• knowledge: missing / unknown
• reasons: Knowledge policy result is deny; Knowledge context returned no included_refs

{
  "affected_assets": [
    "AS215932/network-operations"
  ],
  "affected_customers": [],
  "affected_services": [],
  "allowed_paths": [],
  "authority_text_hash": "45a32eba1f71f4f995517d4e88663c34028bfcb9fd22e813f9a36ba9e3968be6",
  "blast_radius": "credential plane",
  "controlled_loops": [
    "engineering",
    "noc",
    "knowledge"
  ],
  "created_at": "2026-06-30T01:55:23.839490+00:00",
  "denial_reasons": [
    "Knowledge policy result is deny",
    "Knowledge context returned no included_refs"
  ],
  "expected_paths": [
    "secrets/"
  ],
  "forbidden_paths": [],
  "governor_name": "Reliability Governor",
  "governor_role": "staff_sre_autonomous_operations",
  "handoff_contract": "knowledge_context_pack",
  "intent_type": "secret",
  "issue_id": "AS215932/network-operations#252",
  "issue_number": 252,
  "issue_text_hash": "f378b8aed6e0938ba3ec67f2ce969f7057cfbb20ae2b9afc70d10b8a0f841d0c",
  "knowledge_authority_level": "unknown",
  "knowledge_context_pack_id": "ctx_c83f7361b2a873da84ff4a46ab5edd31",
  "knowledge_export_version": "local-20260623120725",
  "knowledge_status": "missing",
  "labels_to_add": [
    "loop:knowledge-gap"
  ],
  "labels_to_remove": [
    "loop:intake",
    "loop:candidate",
    "loop:approved",
    "loop:needs-context",
    "loop:needs-human"
  ],
  "lhp": null,
  "matched_capability": null,
  "next_loop": "knowledge",
  "policy_rules": [
    "deny stale, contradictory, missing, or errored Knowledge context"
  ],
  "record_id": "e859cf509f6c9b21a6e9",
  "repo": "AS215932/network-operations",
  "required_checks": [],
  "risk_tier": 4,
  "rollback_plan": "",
  "routing_decision": "knowledge_gap",
  "schema_version": "reliability-governor.cdr.v1",
  "source": "human",
  "storage_path": "/var/lib/engineering-loop/reliability-governor/as215932-network-operations-252-e859cf509f6c9b21a6e9.json",
  "verification_method": ""
}