chore: remove dedicated-tenant auth artifacts post shared-rip #44

@ryanwaits

Background

The shared-rip pivot (May 2026) collapsed per-tenant dedicated infra back onto the shared platform. Several artifacts from the old dedicated-tenant model are now dead weight.

What's stale

1. tenants table columns (schema fossils)

These columns were used when each tenant had a dedicated Supabase instance:

  • service_key_enc — Supabase service_role key for per-tenant PostgREST
  • anon_key_enc — Supabase anon key
  • tenant_jwt_secret_enc — per-tenant JWT signing secret

None of these are read by any auth middleware post-cutover. Auth is now exclusively sk-sl_ API keys and ss-sl_ session tokens, both resolved against the shared api_keys/sessions tables.

2. X-Provisioner-Secret in CORS allowHeaders

packages/api/src/index.ts:94 lists X-Provisioner-Secret in the platform CORS allowHeaders. No route handler reads this header — it was for the old provisioner workflow that spun up tenant infra on demand.

3. auth-modes.ts OSS stubs

packages/api/src/middleware/auth-modes.ts exports noAuth() and staticKeyAuth() for OSS mode. OSS is explicitly deferred. These are fine to keep if OSS is planned, but worth auditing whether they're wired up anywhere.

Suggested cleanup

  • Migration to drop service_key_enc, anon_key_enc, tenant_jwt_secret_enc from tenants table (or drop the table entirely if it's only used for subgraph compute tracking — audit first)
  • Remove X-Provisioner-Secret from the platform CORS allowHeaders in packages/api/src/index.ts
  • Audit tenants table remaining columns — api_container_id, processor_container_id, target_database_url_enc, api_url_internal, api_url_public — are any still read post shared-rip?
  • If tenants table is still needed for subgraph compute tracking, rename or document surviving purpose

Not urgent

Auth is working correctly. This is schema hygiene and CORS header cleanliness, not a functional bug. Fine to batch with a future migration cycle.
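The "audit first" step from the suggested cleanup, as an added example that is not part of the issue or the project's code: a Node.js script that reports where the listed columns and the X-Provisioner-Secret header are still referenced outside their declarations. The `schema/tenants.sql` path, the sample file contents and the function names are assumptions.

```javascript
// Identifiers named in the issue.
const COLUMNS = ["service_key_enc", "anon_key_enc", "tenant_jwt_secret_enc",
  "api_container_id", "processor_container_id", "target_database_url_enc",
  "api_url_internal", "api_url_public"];
const HEADERS = ["X-Provisioner-Secret"];

// Read every .ts/.sql file under root into { relativePath: text }.
function loadSources(root, dir = root, out = {}) {
  const fs = require("node:fs"), path = require("node:path");
  for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, e.name);
    if (e.isDirectory()) {
      if (e.name !== "node_modules" && e.name !== ".git") loadSources(root, full, out);
    } else if (/\.(ts|sql)$/.test(e.name)) {
      out[path.relative(root, full)] = fs.readFileSync(full, "utf8");
    }
  }
  return out;
}

// Return { name: ["file:line", ...] } for each identifier.
// declaredIn: files where a hit is only a declaration (schema, CORS list), not a read.
function auditReferences(sources, declaredIn = []) {
  const report = {};
  for (const name of [...COLUMNS, ...HEADERS]) {
    // Header names are case-insensitive, so a handler may read "x-provisioner-secret".
    const flags = HEADERS.includes(name) ? "i" : "";
    // Whole-token match: "api_url_internal_v2" must not count as "api_url_internal".
    const re = new RegExp(`(?<![\\w-])${name}(?![\\w-])`, flags);
    report[name] = [];
    for (const [file, text] of Object.entries(sources)) {
      if (declaredIn.includes(file)) continue;
      text.split("\n").forEach((line, i) => {
        if (re.test(line)) report[name].push(`${file}:${i + 1}`);
      });
    }
  }
  return report;
}

// Names with no references outside their declarations: candidates for removal.
const unreferenced = (report) => Object.keys(report).filter((n) => report[n].length === 0);

// Constructed sample tree (not the project's real file contents).
const SAMPLE = {
  "packages/api/src/index.ts": 'allowHeaders: ["Authorization", "X-Provisioner-Secret"],',
  "schema/tenants.sql": "service_key_enc text,\nanon_key_enc text,\napi_url_internal text",
  "packages/api/src/compute.ts": "const url = tenant.api_url_internal;\n// see api_url_internal_v2",
};
const DECLARED = ["packages/api/src/index.ts", "schema/tenants.sql"];
console.log(unreferenced(auditReferences(SAMPLE, DECLARED)));
```

Against a real checkout, pass `loadSources(repoRoot)` in place of `SAMPLE`; a text search misses dynamically built column names and `SELECT *` reads, so treat an empty result as a candidate list, not proof.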
