diff --git a/tests/vault-import.bats b/tests/vault-import.bats
index 890a900..e59e92e 100644
--- a/tests/vault-import.bats
+++ b/tests/vault-import.bats
@@ -137,6 +137,7 @@ setup() {
     "${VAULT_ADDR}/v1/kv/data/disinto/shared/woodpecker"
   [ "$status" -eq 0 ]
   echo "$output" | grep -q "wp-agent-secret"
+  # Forgejo keys are normalized: WP_FORGEJO_* → forgejo_* (no wp_ prefix in key name)
   echo "$output" | grep -q "wp-forgejo-client"
   echo "$output" | grep -q "wp-forgejo-secret"
   echo "$output" | grep -q "wp-token"
@@ -294,6 +295,8 @@ setup() {
     "deploy-key-test"
     "npm-test-token"
     "dockerhub-test-token"
+    # Note: forgejo-client and forgejo-secret are NOT in the output
+    # because they are read from Vault, not logged
   )
 
   for pattern in "${secret_patterns[@]}"; do
diff --git a/tools/vault-import.sh b/tools/vault-import.sh
index f85dd16..dd1b73a 100755
--- a/tools/vault-import.sh
+++ b/tools/vault-import.sh
@@ -391,7 +391,13 @@ EOF
     local val="${!key}"
     if [ -n "$val" ]; then
       local lowercase_key="${key,,}"
-      operations+=("woodpecker|$lowercase_key|$env_file|$key")
+      # Normalize WP_FORGEJO_* → forgejo_* (strip wp_ prefix to match template)
+      if [[ "$lowercase_key" =~ ^wp_(.+)$ ]]; then
+        vault_key="${BASH_REMATCH[1]}"
+      else
+        vault_key="$lowercase_key"
+      fi
+      operations+=("woodpecker|$vault_key|$env_file|$key")
     fi
   done