fix: rename registry secret to image-pull-secret

The secret name `{app}-registry` is ambiguous — it could be a container
registry credential or a Laconic registry config. Rename to
`{app}-image-pull-secret` which clearly describes its purpose as a
Kubernetes imagePullSecret for private container registries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.pebbles/.gitignore

@@ -0,0 +1 @@
+pebbles.db

.pebbles/config.json

@@ -0,0 +1 @@
+{"project": "stack-orchestrator", "prefix": "so"}

.pebbles/events.jsonl

@@ -0,0 +1,2 @@
+{"type": "create", "timestamp": "2026-03-18T14:45:07.038870Z", "issue_id": "so-a1a", "payload": {"title": "deploy create should support external credential injection", "type": "feature", "priority": "2", "description": "deploy create generates config.env but provides no mechanism to inject external credentials (API keys, tokens, etc.) at creation time. Operators must append to config.env after the fact, which mutates a build artifact. deploy create should accept --credentials-file or similar to include secrets in the generated config.env."}}
+{"type": "create", "timestamp": "2026-03-18T14:45:07.038942Z", "issue_id": "so-b2b", "payload": {"title": "REGISTRY_TOKEN / imagePullSecret flow undocumented", "type": "bug", "priority": "2", "description": "create_registry_secret() exists in deployment_create.py and is called during up(), but REGISTRY_TOKEN is not documented in spec.yml or any user-facing docs. The restart command warns \"Registry token env var REGISTRY_TOKEN not set, skipping registry secret\" but doesn't explain how to set it. For GHCR private images, this is required and the flow from spec.yml -> config.env -> imagePullSecret needs documentation."}}

stack_orchestrator/deploy/deployment_create.py

@@ -620,7 +620,7 @@ def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
     }
 
     # Secret name derived from deployment name
-    secret_name = f"{deployment_name}-registry"
+    secret_name = f"{deployment_name}-image-pull-secret"
 
     # Load kube config
     try:

stack_orchestrator/deploy/k8s/cluster_info.py

@@ -617,7 +617,7 @@ class ClusterInfo:
         )
         registry_config = self.spec.get_image_registry_config()
         if registry_config:
-            secret_name = f"{self.app_name}-registry"
+            secret_name = f"{self.app_name}-image-pull-secret"
             image_pull_secrets = [client.V1LocalObjectReference(name=secret_name)]
         else:
             image_pull_secrets = []
@@ -724,7 +724,7 @@ class ClusterInfo:
         jobs = []
         registry_config = self.spec.get_image_registry_config()
         if registry_config:
-            secret_name = f"{self.app_name}-registry"
+            secret_name = f"{self.app_name}-image-pull-secret"
             image_pull_secrets = [client.V1LocalObjectReference(name=secret_name)]
         else:
             image_pull_secrets = []