fix: feat: define vault action TOML schema for PR-based approval (#74)

- Add vault/SCHEMA.md documenting the TOML schema for vault actions
- Add validate_vault_action() function to vault/vault-env.sh that:
  - Validates required fields (id, formula, context, secrets)
  - Validates secret names against allowlist
  - Rejects unknown fields
  - Validates formula exists in formulas/
- Create vault/validate.sh script for CLI validation
- Add example TOML files in vault/examples/:
  - webhook-call.toml: Example calling external webhook
  - promote.toml: Example promoting build/artifact
  - publish.toml: Example publishing to ClawHub

vault/validate.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# vault/validate.sh — Validate vault action TOML files
+#
+# Usage: ./vault/validate.sh <path-to-toml>
+#
+# Validates a vault action TOML file according to the schema defined in
+# vault/SCHEMA.md. Checks:
+# - Required fields are present
+# - Secret names are in the allowlist
+# - No unknown fields are present
+# - Formula exists in formulas/
+
+set -euo pipefail
+
+# Get script directory
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Source vault environment
+source "$SCRIPT_DIR/vault-env.sh"
+
+# Get the TOML file to validate
+TOML_FILE="${1:-}"
+
+if [ -z "$TOML_FILE" ]; then
+  echo "Usage: $0 <path-to-toml>" >&2
+  echo "Example: $0 vault/examples/publish.toml" >&2
+  exit 1
+fi
+
+# Resolve relative paths
+if [[ "$TOML_FILE" != /* ]]; then
+  TOML_FILE="$(cd "$(dirname "$TOML_FILE")" && pwd)/$(basename "$TOML_FILE")"
+fi
+
+# Run validation
+if validate_vault_action "$TOML_FILE"; then
+  echo "VALID: $TOML_FILE"
+  echo "  ID: $VAULT_ACTION_ID"
+  echo "  Formula: $VAULT_ACTION_FORMULA"
+  echo "  Context: $VAULT_ACTION_CONTEXT"
+  echo "  Secrets: $VAULT_ACTION_SECRETS"
+  exit 0
+else
+  echo "INVALID: $TOML_FILE" >&2
+  exit 1
+fi