diff --git a/.woodpecker/postmortem-todos.yml b/.woodpecker/postmortem-todos.yml
index 56fbd603..96ac8d84 100644
--- a/.woodpecker/postmortem-todos.yml
+++ b/.woodpecker/postmortem-todos.yml
@@ -12,70 +12,29 @@ steps:
     image: python:3.12-alpine
     commands:
       - apk add --no-cache jq curl git openssh-client
-      # Find which post-mortem changed
-      - PM_FILE=$(git diff HEAD~1 --name-only | grep 'docs/post-mortems/.*\.md' | head -1)
-      - |
-        if [ -z "$PM_FILE" ]; then
-          echo "No post-mortem markdown changes detected"
-          exit 0
-        fi
-      - echo "Post-mortem changed: $PM_FILE"
-      # Check if there are new TODOs (not just TODO→Done updates)
-      - |
-        if ! git diff HEAD~1 -- "$PM_FILE" | grep -q '+.*TODO'; then
-          echo "No new TODOs added (only status updates) — skipping"
-          exit 0
-        fi
-      # Parse TODOs
-      - bash scripts/parse-postmortem-todos.sh "$PM_FILE" > /tmp/todos.json
-      - cat /tmp/todos.json
-      - TODO_COUNT=$(jq '.safe_todos' /tmp/todos.json)
-      - |
-        if [ "$TODO_COUNT" -eq 0 ]; then
-          echo "No auto-implementable TODOs — skipping"
-          exit 0
-        fi
-      - echo "$TODO_COUNT safe TODO(s) to implement"
-      # Vault: authenticate via K8s SA JWT and fetch DevVM SSH key
-      - |
-        SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-        VAULT_TOKEN=$(curl -sf -X POST http://vault-active.vault.svc.cluster.local:8200/v1/auth/kubernetes/login \
-          -d "{\"role\":\"ci\",\"jwt\":\"$SA_TOKEN\"}" | jq -r .auth.client_token)
-        if [ -z "$VAULT_TOKEN" ] || [ "$VAULT_TOKEN" = "null" ]; then
-          echo "ERROR: Vault authentication failed"
-          exit 1
-        fi
-      - |
-        curl -sf -H "X-Vault-Token: $VAULT_TOKEN" \
-          http://vault-active.vault.svc.cluster.local:8200/v1/secret/data/ci/infra | \
-          jq -r '.data.data.devvm_ssh_key' > /tmp/devvm-key
-        chmod 600 /tmp/devvm-key
-        if [ ! -s /tmp/devvm-key ]; then
-          echo "ERROR: Failed to fetch DevVM SSH key from Vault"
-          exit 1
-        fi
-        echo "SSH key fetched from Vault"
-      # SSH to DevVM and run Claude Code headless
-      - |
-        TODOS=$(cat /tmp/todos.json | tr '\n' ' ')
-        ssh -i /tmp/devvm-key -o StrictHostKeyChecking=no wizard@10.0.10.10 \
-          "cd ~/code/infra && git pull && claude -p \
-            --agent postmortem-todo-resolver \
-            --dangerously-skip-permissions \
-            --max-budget-usd 5 \
-            'Implement the auto-implementable TODOs from $PM_FILE. Parsed TODOs: $TODOS'"
-      - rm -f /tmp/devvm-key
+      - "PM_FILE=$(git diff HEAD~1 --name-only | grep 'docs/post-mortems/.*\\.md' | head -1)"
+      - "if [ -z \"$PM_FILE\" ]; then echo 'No post-mortem changes'; exit 0; fi"
+      - "echo \"Post-mortem changed: $PM_FILE\""
+      - "if ! git diff HEAD~1 -- \"$PM_FILE\" | grep -q '+.*TODO'; then echo 'No new TODOs'; exit 0; fi"
+      - "bash scripts/parse-postmortem-todos.sh \"$PM_FILE\" > /tmp/todos.json"
+      - "cat /tmp/todos.json"
+      - "TODO_COUNT=$(jq '.safe_todos' /tmp/todos.json)"
+      - "echo \"$TODO_COUNT safe TODO(s) found\""
+      - "if [ \"$TODO_COUNT\" -eq 0 ]; then echo 'No auto-implementable TODOs'; exit 0; fi"
+      - "SA_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
+      - "VAULT_TOKEN=$(curl -sf -X POST http://vault-active.vault.svc.cluster.local:8200/v1/auth/kubernetes/login -d \"{\\\"role\\\":\\\"ci\\\",\\\"jwt\\\":\\\"$SA_TOKEN\\\"}\" | jq -r .auth.client_token)"
+      - "if [ -z \"$VAULT_TOKEN\" ] || [ \"$VAULT_TOKEN\" = 'null' ]; then echo 'Vault auth failed'; exit 1; fi"
+      - "curl -sf -H \"X-Vault-Token: $VAULT_TOKEN\" http://vault-active.vault.svc.cluster.local:8200/v1/secret/data/ci/infra | jq -r '.data.data.devvm_ssh_key' > /tmp/devvm-key"
+      - "chmod 600 /tmp/devvm-key"
+      - "TODOS=$(cat /tmp/todos.json | tr '\\n' ' ')"
+      - "ssh -i /tmp/devvm-key -o StrictHostKeyChecking=no wizard@10.0.10.10 \"cd ~/code/infra && git pull && claude -p --agent postmortem-todo-resolver --dangerously-skip-permissions --max-budget-usd 5 'Implement TODOs from $PM_FILE: $TODOS'\""
+      - "rm -f /tmp/devvm-key"
 
   - name: notify-slack
     image: alpine
     commands:
-      - apk add --no-cache curl
-      - |
-        PM_FILE=$(git diff HEAD~1 --name-only | grep 'docs/post-mortems/.*\.md' | head -1)
-        STATUS="${CI_PIPELINE_STATUS:-unknown}"
-        curl -sf -X POST "https://hooks.slack.com/services/$${SLACK_WEBHOOK}" \
-          -H "Content-Type: application/json" \
-          -d "{\"text\": \"*Post-mortem TODO resolver* ($STATUS)\\nFile: \`$PM_FILE\`\\nPipeline: ${CI_PIPELINE_URL:-N/A}\"}" || true
+      - "apk add --no-cache curl"
+      - "curl -sf -X POST \"https://hooks.slack.com/services/${SLACK_WEBHOOK}\" -H 'Content-Type: application/json' -d '{\"text\": \"Post-mortem TODO resolver pipeline completed\"}' || true"
     secrets:
       - slack_webhook
     when: