fix: feat: define vault action TOML schema for PR-based approval (#74)

- Add vault/SCHEMA.md documenting the TOML schema for vault actions
- Add validate_vault_action() function to vault/vault-env.sh that:
  - Validates required fields (id, formula, context, secrets)
  - Validates secret names against allowlist
  - Rejects unknown fields
  - Validates formula exists in formulas/
- Create vault/validate.sh script for CLI validation
- Add example TOML files in vault/examples/:
  - webhook-call.toml: Example calling external webhook
  - promote.toml: Example promoting build/artifact
  - publish.toml: Example publishing to ClawHub

vault/vault-env.sh

@@ -140,11 +140,11 @@ validate_vault_action() {
     fi
   fi
 
-  # Export validated values
+  # Export validated values (for use by caller script)
-  VAULT_ACTION_ID="$id"
+  export VAULT_ACTION_ID="$id"
-  VAULT_ACTION_FORMULA="$formula"
+  export VAULT_ACTION_FORMULA="$formula"
-  VAULT_ACTION_CONTEXT="$context"
+  export VAULT_ACTION_CONTEXT="$context"
-  VAULT_ACTION_SECRETS="$secrets_array"
+  export VAULT_ACTION_SECRETS="$secrets_array"
 
   log "VAULT_ACTION_ID=$VAULT_ACTION_ID"
   log "VAULT_ACTION_FORMULA=$VAULT_ACTION_FORMULA"