fix(k8s): remove stale NFS writes and decouple PVC from skills

[jacoblee-io]

Problem

1. buildCredentialPayload() in rpc-methods.ts creates agent-data/ under skillsDir on NFS — gateway should never write to NFS
2. agentbox-template.yaml mounted the NFS PVC for skills, credentials, and kube configs — but these are all synced via RPC, not shared filesystem
3. k8s/gateway-deployment.yaml was missing the NFS PVC mount needed for ensureUserDir()

Solution

rpc-methods.ts: Remove the fs.mkdirSync() call from buildCredentialPayload().

agentbox-template.yaml: Rewrite to match what k8s-spawner.ts actually generates:

• Skills, credentials, config → emptyDir (synced from gateway via RPC)
• User data → NFS PVC (siclaw-data) with subPath users/{userId}/{workspaceId}
• Client cert → Secret volume

gateway-deployment.yaml: Add NFS PVC mount at /app/.siclaw/user-data + persistence env vars, so gateway can ensureUserDir() before spawning AgentBox pods.

NFS PVC usage after this PR

Component	Mount path	Purpose	Access
Gateway	/app/.siclaw/user-data	ensureUserDir() — create per-user subdirectories	write (dirs only)
AgentBox	/app/.siclaw/user-data (subPath)	memory, investigations, sessions	read-write

Skills are not on NFS — they live in emptyDir and are synced via RPC.

Test plan

• Gateway starts without errors
• Credential sync works (AgentBox receives credentials correctly)
• No new agent-data/ directories appear under skillsDir
• AgentBox pods start with correct volume mounts

[jacoblee-io]

LGTM. The removed mkdirSync was writing to skillsDir (gateway's skills emptyDir/NFS), but the AgentBox pod's user-data subPath (user/{userId}/agent-data) is on a completely separate volume. So this directory creation never served a purpose for the AgentBox — it was a no-op side effect that contradicted the JSDoc. Clean removal, no risk.