diff --git a/.pebbles/.gitignore b/.pebbles/.gitignore
new file mode 100644
index 00000000..0a168c65
--- /dev/null
+++ b/.pebbles/.gitignore
@@ -0,0 +1 @@
+pebbles.db
diff --git a/.pebbles/config.json b/.pebbles/config.json
new file mode 100644
index 00000000..4f741400
--- /dev/null
+++ b/.pebbles/config.json
@@ -0,0 +1 @@
+{"project": "stack-orchestrator", "prefix": "so"}
\ No newline at end of file
diff --git a/.pebbles/events.jsonl b/.pebbles/events.jsonl
new file mode 100644
index 00000000..9e07f970
--- /dev/null
+++ b/.pebbles/events.jsonl
@@ -0,0 +1,2 @@
+{"type": "create", "timestamp": "2026-03-18T14:45:07.038870Z", "issue_id": "so-a1a", "payload": {"title": "deploy create should support external credential injection", "type": "feature", "priority": "2", "description": "deploy create generates config.env but provides no mechanism to inject external credentials (API keys, tokens, etc.) at creation time. Operators must append to config.env after the fact, which mutates a build artifact. deploy create should accept --credentials-file or similar to include secrets in the generated config.env."}}
+{"type": "create", "timestamp": "2026-03-18T14:45:07.038942Z", "issue_id": "so-b2b", "payload": {"title": "REGISTRY_TOKEN / imagePullSecret flow undocumented", "type": "bug", "priority": "2", "description": "create_registry_secret() exists in deployment_create.py and is called during up(), but REGISTRY_TOKEN is not documented in spec.yml or any user-facing docs. The restart command warns \"Registry token env var REGISTRY_TOKEN not set, skipping registry secret\" but doesn't explain how to set it. For GHCR private images, this is required and the flow from spec.yml -> config.env -> imagePullSecret needs documentation."}}
diff --git a/stack_orchestrator/deploy/deployment_create.py b/stack_orchestrator/deploy/deployment_create.py
index 5593c60b..95026350 100644
--- a/stack_orchestrator/deploy/deployment_create.py
+++ b/stack_orchestrator/deploy/deployment_create.py
@@ -620,7 +620,7 @@ def create_registry_secret(spec: Spec, deployment_name: str) -> Optional[str]:
     }
 
     # Secret name derived from deployment name
-    secret_name = f"{deployment_name}-registry"
+    secret_name = f"{deployment_name}-image-pull-secret"
 
     # Load kube config
     try:
diff --git a/stack_orchestrator/deploy/k8s/cluster_info.py b/stack_orchestrator/deploy/k8s/cluster_info.py
index d84474ab..eed8ba91 100644
--- a/stack_orchestrator/deploy/k8s/cluster_info.py
+++ b/stack_orchestrator/deploy/k8s/cluster_info.py
@@ -617,7 +617,7 @@ class ClusterInfo:
         )
         registry_config = self.spec.get_image_registry_config()
         if registry_config:
-            secret_name = f"{self.app_name}-registry"
+            secret_name = f"{self.app_name}-image-pull-secret"
             image_pull_secrets = [client.V1LocalObjectReference(name=secret_name)]
         else:
             image_pull_secrets = []
@@ -724,7 +724,7 @@ class ClusterInfo:
         jobs = []
         registry_config = self.spec.get_image_registry_config()
         if registry_config:
-            secret_name = f"{self.app_name}-registry"
+            secret_name = f"{self.app_name}-image-pull-secret"
             image_pull_secrets = [client.V1LocalObjectReference(name=secret_name)]
         else:
             image_pull_secrets = []