refactor: Remove dead legacy traefik/OIDC code (Plan C)

[mairas]

What & why

Removes dead legacy traefik/OIDC code (Plan C of the #207 series). oidc_snippet.py read metadata["traefik"]["oidc"], but the schema migrated traefik: → routing: and PackageMetadata has extra="forbid", so a traefik: key is rejected and generate_oidc_snippet always returned None. The TraefikConfig/TraefikOIDC models were likewise unwired. Removing this leaves one OIDC mechanism for Plan B (#211) to rebuild on, instead of a confusing second surface that looks functional but can't run.

Removed

• src/generate_container_packages/oidc_snippet.py and its builder wiring (import, copy_source_files call, generate_oidc_snippet_file).
• TraefikConfig / TraefikOIDC from src/schemas/metadata.py.
• tests/test_oidc_snippet.py (the only test of the dead generator) and the TraefikConfig/TraefikOIDC cases in tests/test_traefik_schema.py.

Deliberately kept

• TraefikForwardAuth — shared by the live RoutingAuth.forward_auth (metadata.py:169), not legacy-only. Its tests stay.
• tests/test_templates_oidc.py — exercises the live routing.auth.mode == "oidc" template scaffolding (rules.j2 install, postinst secret-gen, service.j2 Authelia ordering) that this PR retains and Plan B rebuilds on.
• The rules.j2 {% if is_oidc_app %} install oidc-client.yml block is left in place — harmless today (verified no app sets mode: oidc), and Plan B re-supplies the generator.

Verification

• Pre-removal grep confirmed no traefik: key or legacy auth: oidc in halos-marine-containers/apps or halos-imported-containers, and no in-tree importer of the removed symbols beyond the deleted files.
• 542 unit tests pass (test_templates_oidc.py green); ruff check, ruff format --check, uvx ty check src/ all clean.
• No version bump: the 0.8.0 cycle is already open (VERSION 0.8.0 ≠ latest stable 0.7.0), so CI walks +N.

Post-Deploy Monitoring & Validation

No production runtime impact — this removes unreachable generator code. No generated package output changes (no current app triggers the removed path). No monitoring required.

Closes #210.

[mairas]

Code review — remove dead legacy traefik/OIDC code

Automated multi-persona review (correctness, project-standards, testing lenses) over the diff.

Verdict: Ready to merge. Clean deletion: no dangling references to any removed symbol (generate_oidc_snippet*, TraefikConfig, TraefikOIDC) in src/ or tests/; TraefikForwardAuth is intact and still used by the live RoutingAuth.forward_auth; copy_source_files is well-formed after the call removal; Literal/model_validator imports remain used. Version policy is correct — no bump (the 0.8.0 cycle is already open vs. stable 0.7.0; CI walks +N); debian/changelog untouched. Retained tests (TestTraefikForwardAuth, test_templates_oidc.py) are coherent and collect cleanly.

One finding (advisory — pre-existing, tracked by #211)

File	Issue	Route
rules.j2 (is_oidc_app block)	The block still installs oidc-client.yml, but its generator is removed — a routing.auth.mode: oidc app would fail dpkg-buildpackage.	Advisory. Pre-existing in effect: the removed generator already returned None for every current-schema app (it read the dropped traefik key), so oidc-client.yml was never produced and a mode:oidc build was already broken. Verified no app (marine/imported/core) sets mode: oidc. Plan B (#211) rebuilds the oidc-client.yml producer and reconciles this block, so the live is_oidc_app scaffolding is deliberately left in place rather than ripped out for B to re-add.

test_templates_oidc.py asserts the install line is rendered (template behavior), which is correct and stays valid; Plan B restores the artifact-production path it implies.

Verification

• 542 unit tests pass (incl. test_templates_oidc.py); ruff check, ruff format --check, uvx ty check src/ clean.
• Pre-removal grep confirmed no traefik:/legacy auth: oidc consumers in marine or imported apps.

Closes #210.