fix: compose template: SSH mount, PROJECT_REPO_ROOT, revert WOODPECKER_HOST

- Add ~/.ssh mount to agents container (needed for mirror pushes)
- Add PROJECT_REPO_ROOT env to agents and vault-runner containers
- Revert WOODPECKER_HOST to http://woodpecker:8000 (localhost breaks gRPC)
- Remove WOODPECKER_GRPC_ADDR (did not fix gRPC issue)
- Keep WOODPECKER_OPEN for OAuth2 first-user registration

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bin/disinto

@@ -190,9 +190,8 @@ services:
       WOODPECKER_FORGEJO_URL: http://forgejo:3000
       WOODPECKER_FORGEJO_CLIENT: ${WP_FORGEJO_CLIENT:-}
       WOODPECKER_FORGEJO_SECRET: ${WP_FORGEJO_SECRET:-}
-      WOODPECKER_HOST: http://localhost:8000
+      WOODPECKER_HOST: http://woodpecker:8000
       WOODPECKER_OPEN: "true"
-      WOODPECKER_GRPC_ADDR: ":9000"
       WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
       WOODPECKER_DATABASE_DRIVER: sqlite3
       WOODPECKER_DATABASE_DATASOURCE: /var/lib/woodpecker/woodpecker.sqlite
@@ -229,10 +228,12 @@ services:
       - ${HOME}/.claude:/home/agent/.claude
       - ${HOME}/.claude.json:/home/agent/.claude.json:ro
       - CLAUDE_BIN_PLACEHOLDER:/usr/local/bin/claude:ro
+      - \${HOME}/.ssh:/home/agent/.ssh:ro
     environment:
       FORGE_URL: http://forgejo:3000
       WOODPECKER_SERVER: http://woodpecker:8000
       DISINTO_CONTAINER: "1"
+      PROJECT_REPO_ROOT: /home/agent/repos/\${PROJECT_NAME:-project}
     env_file:
       - .env
     # IMPORTANT: agents get .env only (forge tokens, CI tokens, config).
@@ -257,6 +258,7 @@ services:
     environment:
       FORGE_URL: http://forgejo:3000
       DISINTO_CONTAINER: "1"
+      PROJECT_REPO_ROOT: /home/agent/repos/\${PROJECT_NAME:-project}
     # env_file set at runtime by: disinto vault-run --env-file <tmpfile>
     entrypoint: ["bash", "/home/agent/disinto/vault/vault-run-action.sh"]
     networks: