fix: refactor: rename vault-runner → runner and vault-run → run (#43)

vault/AGENTS.md

@@ -28,7 +28,7 @@ needed — the human reviews and publishes directly.
 **Key files**:
 - `vault/vault-poll.sh` — Processes pending items: retry approved, auto-reject after 48h timeout, invoke vault-agent for JSON actions, notify human for procurement requests
 - `vault/vault-agent.sh` — Classifies and routes pending JSON actions via `claude -p`: auto-approve, auto-reject, or escalate to human
-- `vault/vault-env.sh` — Shared env setup for vault sub-scripts: sources `lib/env.sh`, overrides `FORGE_TOKEN` with `FORGE_VAULT_TOKEN`, sets `VAULT_TOKEN` for vault-runner container
+- `vault/vault-env.sh` — Shared env setup for vault sub-scripts: sources `lib/env.sh`, overrides `FORGE_TOKEN` with `FORGE_VAULT_TOKEN`, sets `VAULT_TOKEN` for runner container
 - `formulas/run-vault.toml` — Source-of-truth formula for the vault agent's classification and routing logic
 - `vault/vault-fire.sh` — Executes an approved action (JSON) in an **ephemeral Docker container** with vault-only secrets injected (GITHUB_TOKEN, CLAWHUB_TOKEN — never exposed to agents). For deployment actions, calls `lib/ci-helpers.sh:ci_promote()` to gate production promotes via Woodpecker environments. Writes `$OPS_REPO_ROOT/RESOURCES.md` entry for procurement MD approvals.
 - `vault/vault-reject.sh` — Marks a JSON action as rejected

vault/run-action.sh

@@ -1,25 +1,25 @@
 #!/usr/bin/env bash
-# vault-run-action.sh — Execute an action inside the ephemeral vault-runner container
+# run-action.sh — Execute an action inside the ephemeral runner container
 #
-# This script is the entrypoint for the vault-runner container. It runs with
+# This script is the entrypoint for the runner container. It runs with
 # vault secrets injected as environment variables (GITHUB_TOKEN, CLAWHUB_TOKEN,
 # deploy keys, etc.) and dispatches to the appropriate action handler.
 #
-# The vault-runner container is ephemeral: it starts, runs the action, and is
+# The runner container is ephemeral: it starts, runs the action, and is
 # destroyed. Secrets exist only in container memory, never on disk.
 #
-# Usage: vault-run-action.sh <action-id>
+# Usage: run-action.sh <action-id>
 
 set -euo pipefail
 
 VAULT_SCRIPT_DIR="${DISINTO_VAULT_DIR:-/home/agent/disinto/vault}"
 OPS_VAULT_DIR="${DISINTO_OPS_VAULT_DIR:-${VAULT_SCRIPT_DIR}}"
 LOGFILE="${VAULT_SCRIPT_DIR}/vault.log"
-ACTION_ID="${1:?Usage: vault-run-action.sh <action-id>}"
+ACTION_ID="${1:?Usage: run-action.sh <action-id>}"
 
 log() {
-  printf '[%s] vault-runner: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" >> "$LOGFILE" 2>/dev/null || \
-    printf '[%s] vault-runner: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" >&2
+  printf '[%s] runner: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" >> "$LOGFILE" 2>/dev/null || \
+    printf '[%s] runner: %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" >&2
 }
 
 # Find action file in approved/

vault/vault-env.sh

@@ -7,3 +7,6 @@
 source "$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/lib/env.sh"
 # Use vault-bot's own Forgejo identity
 FORGE_TOKEN="${FORGE_VAULT_TOKEN:-${FORGE_TOKEN}}"
+
+# Set entrypoint for runner container
+export VAULT_RUNNER_ENTRYPOINT="run-action.sh"

vault/vault-fire.sh

@@ -3,8 +3,8 @@
 #
 # Handles two pipelines:
 #   A. Action gating (*.json): pending/ → approved/ → fired/
-#      Execution delegated to ephemeral vault-runner container via disinto vault-run.
-#      The vault-runner gets vault secrets (.env.vault.enc); this script does NOT.
+#      Execution delegated to ephemeral runner container via disinto run.
+#      The runner gets vault secrets (.env.vault.enc); this script does NOT.
 #   B. Procurement (*.md): approved/ → fired/ (writes RESOURCES.md entry)
 #
 # If item is in pending/, moves to approved/ first.
@@ -100,7 +100,7 @@ if [ "$IS_PROCUREMENT" = true ]; then
 fi
 
 # =============================================================================
-# Pipeline B: Action gating — delegate to ephemeral vault-runner container
+# Pipeline B: Action gating — delegate to ephemeral runner container
 # =============================================================================
 ACTION_TYPE=$(jq -r '.type // ""' < "$ACTION_FILE")
 ACTION_SOURCE=$(jq -r '.source // ""' < "$ACTION_FILE")
@@ -110,19 +110,19 @@ if [ -z "$ACTION_TYPE" ]; then
   exit 1
 fi
 
-log "$ACTION_ID: firing type=$ACTION_TYPE source=$ACTION_SOURCE via vault-runner"
+log "$ACTION_ID: firing type=$ACTION_TYPE source=$ACTION_SOURCE via runner"
 
 FIRE_EXIT=0
 
-# Delegate execution to the ephemeral vault-runner container.
-# The vault-runner gets vault secrets (.env.vault.enc) injected at runtime;
+# Delegate execution to the ephemeral runner container.
+# The runner gets vault secrets (.env.vault.enc) injected at runtime;
 # this host process never sees those secrets.
 if [ -f "${FACTORY_ROOT}/.env.vault.enc" ] && [ -f "${FACTORY_ROOT}/docker-compose.yml" ]; then
-  bash "${FACTORY_ROOT}/bin/disinto" vault-run "$ACTION_ID" >> "$LOGFILE" 2>&1 || FIRE_EXIT=$?
+  bash "${FACTORY_ROOT}/bin/disinto" run "$ACTION_ID" >> "$LOGFILE" 2>&1 || FIRE_EXIT=$?
 else
   # Fallback for bare-metal or pre-migration setups: run action handler directly
   log "$ACTION_ID: no .env.vault.enc or docker-compose.yml — running action directly"
-  bash "${SCRIPT_DIR}/vault-run-action.sh" "$ACTION_ID" >> "$LOGFILE" 2>&1 || FIRE_EXIT=$?
+  bash "${SCRIPT_DIR}/run-action.sh" "$ACTION_ID" >> "$LOGFILE" 2>&1 || FIRE_EXIT=$?
 fi
 
 # =============================================================================