#22967: Agents: inject pi auth storage from runtime profiles

## Summary - stop syncing auth-profiles into plaintext `auth.json` for model discovery paths - build pi `AuthStorage` from in-memory runtime auth profile credentials - update model catalog/models list discovery paths and tests to use runtime auth injection ## Validation - pnpm check - pnpm vitest src/agents/model-catalog.test.ts src/commands/models.list.test.ts src/commands/models.list.auth-sync.test.ts src/agents/pi-model-discovery.auth.test.ts src/agents/pi-embedded-runner/model.test.ts src/agents/pi-embedded-runner/model.e2e.test.ts <!-- greptile_comment --> <h3>Greptile Summary</h3> This PR eliminates the plaintext `auth.json` file from the model discovery path by building Pi `AuthStorage` directly from in-memory runtime auth profile credentials. Previously, `ensurePiAuthJsonFromAuthProfiles()` would sync credentials from `auth-profiles.json` into `auth.json` on disk before each model discovery call. Now, `discoverAuthStorage()` reads auth profiles in-memory and constructs the `AuthStorage` without any disk write. - **`pi-model-discovery.ts`**: Added `resolvePiCredentials()` and `convertAuthProfileCredential()` to convert auth profiles to Pi credential format in-memory. The `createAuthStorage()` function now has a 3-tier SDK compatibility fallback: `inMemory()` → `fromStorage()` with `InMemoryAuthStorageBackend` → legacy `create()`/`new` with `setRuntimeApiKey()`. - **`model-catalog.ts`**: Removed the `createAuthStorage` helper and the `ensurePiAuthJsonFromAuthProfiles` call. Now delegates to `piSdk.discoverAuthStorage(agentDir)`. - **`list.registry.ts`**: Removed `ensurePiAuthJsonFromAuthProfiles` import and call, simplifying the model registry loading path. - **Tests updated**: All test mocks now include the `discoverAuthStorage` function. The auth-sync integration test now asserts that `auth.json` is **not** created. A new `pi-model-discovery.auth.test.ts` validates the end-to-end in-memory credential flow. - The old `pi-auth-json.ts` module is now effectively dead code (only referenced by its own tests) but was intentionally left in place to keep this PR focused. <h3>Confidence Score: 4/5</h3> - This PR is safe to merge with minimal risk — it replaces disk-based credential syncing with in-memory injection while maintaining backward compatibility through a well-structured fallback chain. - The changes are well-structured with clean separation of concerns. The credential conversion logic is a faithful port from the existing pi-auth-json.ts. The multi-tier SDK compatibility fallback covers current and future API shapes. All existing callers of discoverAuthStorage benefit automatically without changes. Test coverage includes a new integration test and updated mocks. The only minor concern is the InMemoryAuthStorageBackend.withLock() call whose return value is not awaited, but this appears to be intentional given the in-memory nature of the backend. - `src/agents/pi-model-discovery.ts` deserves the most attention as it contains all the new credential conversion and SDK compatibility logic. _{Last reviewed commit: b40faee} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->