Address the 5 review concerns on the secrets-out-of-the-box feature:
1. Seed↔fetch path alignment: _seed_split_env routes BW_* creds out of .env
into ~/.config/vault-bootstrap.env (SEED_VAULT_BOOTSTRAP_REL), the path
clawdie-vault-fetch actually reads — so 'seed bootstrap → fetch out of
the box' now lines up without an explicit --bootstrap arg.
2. Drop unused COLLECTION_ID from clawdie-vault-fetch. Items are fetched by
name via 'bw get password', which is fail-closed on ambiguity; document
that item names must be unique in the visible vault.
3. Agent dir validation: _seed_agent_name_ok rejects leading-dot dirs
(.Spotlight-V100, .fseventsd) and traversal; _seed_agent_has_payload
requires a recognized payload so an empty/stray dir can't become active.
4. No phantom homes: extra agent dirs stage under /var/db/clawdie/seed/<agent>
only — _seed_stage_agent never writes a home or SSH keys.
5. Bootstrap file mode enforcement: clawdie-vault-fetch now stat-checks the
bootstrap file and refuses group/world-readable unless
VAULT_ALLOW_INSECURE_BOOTSTRAP is set.
Also renames _seed_import_env → _seed_merge_env + _seed_split_env and adds
_seed_key_ok to guard env var names.
Checks: sh -n on vault-fetch/live-seed/build.sh; git diff --check;
./scripts/check-format.sh (prettier clean); 5 concerns verified present.
Co-Authored-By: Hermes & Sam <hello@clawdie.si>
df783f2a59