Phase B: retire refreshCodexOAuthTokenIfNeeded scheduled job

[samxu01]

Follow-up to ADR-014. The backend's daily 3 AM UTC job `refreshCodexOAuthTokenIfNeeded` in `agentProvisionerServiceK8s.ts` refreshes GCP SM secrets that hold laptop-device-auth'd tokens. Those tokens are cluster-IP-bound dead-on-arrival per ADR-014, so the job is refreshing tokens nothing reads.

Call site: `backend/services/schedulerService.ts:302`.

Acceptance:

• Remove `refreshCodexOAuthTokenIfNeeded` call from scheduler
• Remove `refreshCodexOAuthTokenForAccount` from agentProvisionerServiceK8s.ts
• Remove the GCP SM secrets `commonly-dev-openai-codex-access-token[-2|-3]`, `-refresh-token[-2|-3]`, `-id-token[-3]` (operator action, after code merges)

Related: ADR-014, PR #370, #371.