fix: fix: dispatcher cannot launch runner — docker compose context not available in edge container (#153)

docker/edge/dispatcher.sh

@@ -9,7 +9,7 @@
 # 3. Verify TOML arrived via merged PR with admin merger (Forgejo API)
 # 4. Validate TOML using vault-env.sh validator
 # 5. Decrypt .env.vault.enc and extract only declared secrets
-# 6. Launch: docker compose run --rm runner <formula> <action-id>
+# 6. Launch: docker run --rm disinto-agents:latest <formula> <action-id>
 # 7. Write <action-id>.result.json with exit code, timestamp, logs summary
 #
 # Part of #76.
@@ -298,10 +298,8 @@ launch_runner() {
   local secrets_array
   secrets_array="${VAULT_ACTION_SECRETS:-}"
 
-  # Build command array (safe from shell injection)
+  # Build secret flags from TOML secrets array
-  local -a cmd=(docker compose run --rm runner)
+  local secret_flags=""
-
-  # Add environment variables for secrets (if any declared)
   if [ -n "$secrets_array" ]; then
     for secret in $secrets_array; do
       secret=$(echo "$secret" | xargs)
@@ -312,42 +310,39 @@ launch_runner() {
           write_result "$action_id" 1 "Secret not found in vault: ${secret}"
           return 1
         fi
-        cmd+=(-e "$secret")
+        secret_flags="${secret_flags} -e ${secret}=${!secret}"
       fi
     done
   else
     log "Action ${action_id} has no secrets declared — runner will execute without extra env vars"
   fi
 
-  # Add formula and action id as arguments (after service name)
+  # Build docker run command
-  local formula="${VAULT_ACTION_FORMULA:-}"
+  # Uses the disinto-agents image (same as agent containers)
-  cmd+=("$formula" "$action_id")
+  # Mounts Docker socket to spawn sibling containers
+  local docker_cmd="docker run --rm \
+  --name \"vault-runner-${action_id}\" \
+  --network disinto_disinto-net \
+  -e FORGE_URL=\"${FORGE_URL}\" \
+  -e FORGE_TOKEN=\"${FORGE_TOKEN}\" \
+  -e FORGE_REPO=\"${FORGE_REPO}\" \
+  -e FORGE_OPS_REPO=\"${FORGE_OPS_REPO}\" \
+  -e PRIMARY_BRANCH=\"${PRIMARY_BRANCH}\" \
+  -e DISINTO_CONTAINER=1 \
+  ${secret_flags} \
+  disinto-agents:latest \
+  bash -c \"cd /home/agent/disinto && bash formulas/${VAULT_ACTION_FORMULA}.sh ${action_id}\""
 
-  # Log command skeleton (hide all -e flags for security)
+  log "Running: docker run (secrets redacted)"
-  local -a log_cmd=()
-  local skip_next=0
-  for arg in "${cmd[@]}"; do
-    if [[ $skip_next -eq 1 ]]; then
-      skip_next=0
-      continue
-    fi
-    if [[ "$arg" == "-e" ]]; then
-      log_cmd+=("$arg" "<redacted>")
-      skip_next=1
-    else
-      log_cmd+=("$arg")
-    fi
-  done
-  log "Running: ${log_cmd[*]}"
 
   # Create temp file for logs
   local log_file
   log_file=$(mktemp /tmp/dispatcher-logs-XXXXXX.txt)
   trap 'rm -f "$log_file"' RETURN
 
-  # Execute with array expansion (safe from shell injection)
+  # Execute docker run command
   # Capture stdout and stderr to log file
-  "${cmd[@]}" > "$log_file" 2>&1
+  eval "$docker_cmd" > "$log_file" 2>&1
   local exit_code=$?
 
   # Read logs summary