fix: fix: vault_request RETURN trap fires prematurely when vault-env.sh is sourced (#773)

`compgen -G ... | wc -l` under `set -eo pipefail` aborts the script on
the non-zero pipeline exit (compgen returns 1 on no match) before the
FATAL diagnostic branch can run. The container still fast-fails, but
operators saw no explanation.

Switch to the conditional `if ! compgen -G ... >/dev/null 2>&1; then`
pattern already used at the two other compgen call sites in this file
(bootstrap_factory_repo and the PROJECT_NAME parser). The count for the
success-path log is computed after we've confirmed at least one match.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/agents/entrypoint.sh

@@ -346,15 +346,19 @@ bootstrap_factory_repo
 # This prevents the silent-zombie mode where the polling loop matches zero files
 # and does nothing forever.
 validate_projects_dir() {
-  local toml_count
+  # NOTE: compgen -G exits non-zero when no matches exist, so piping it through
-  toml_count=$(compgen -G "${DISINTO_DIR}/projects/*.toml" 2>/dev/null | wc -l)
+  # `wc -l` under `set -eo pipefail` aborts the script before the FATAL branch
-  if [ "$toml_count" -eq 0 ]; then
+  # can log a diagnostic (#877).  Use the conditional form already adopted at
+  # lines above (see bootstrap_factory_repo, PROJECT_NAME parsing).
+  if ! compgen -G "${DISINTO_DIR}/projects/*.toml" >/dev/null 2>&1; then
     log "FATAL: No real .toml files found in ${DISINTO_DIR}/projects/"
     log "Expected at least one project config file (e.g., disinto.toml)"
     log "The directory only contains *.toml.example template files."
     log "Mount the host ./projects volume or copy real .toml files into the container."
     exit 1
   fi
+  local toml_count
+  toml_count=$(compgen -G "${DISINTO_DIR}/projects/*.toml" | wc -l)
   log "Projects directory validated: ${toml_count} real .toml file(s) found"
 }
 

lib/action-vault.sh

@@ -128,7 +128,6 @@ vault_request() {
   # Validate TOML content
   local tmp_toml
   tmp_toml=$(mktemp /tmp/vault-XXXXXX.toml)
-  trap 'rm -f "$tmp_toml"' RETURN
 
   printf '%s' "$toml_content" > "$tmp_toml"
 
@@ -136,6 +135,7 @@ vault_request() {
   local vault_env="${FACTORY_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}/action-vault/vault-env.sh"
   if [ ! -f "$vault_env" ]; then
     echo "ERROR: vault-env.sh not found at $vault_env" >&2
+    rm -f "$tmp_toml"
     return 1
   fi
 
@@ -145,11 +145,15 @@ vault_request() {
   if ! source "$vault_env"; then
     FORGE_TOKEN="${_saved_forge_token:-}"
     echo "ERROR: failed to source vault-env.sh" >&2
+    rm -f "$tmp_toml"
     return 1
   fi
   # Restore caller's FORGE_TOKEN after validation
   FORGE_TOKEN="${_saved_forge_token:-}"
 
+  # Set trap AFTER sourcing vault-env.sh to avoid RETURN trap firing during source
+  trap 'rm -f "$tmp_toml"' RETURN
+
   # Run validation
   if ! validate_vault_action "$tmp_toml"; then
     echo "ERROR: TOML validation failed" >&2