fix: lib/hvault.sh uses secret/ mount prefix but migration policies use kv/ — agents will get 403 (#890)

Changes:
- Add VAULT_KV_MOUNT env var (default: kv) to make KV mount configurable
- Update hvault_kv_get to use ${VAULT_KV_MOUNT}/data/${path}
- Update hvault_kv_put to use ${VAULT_KV_MOUNT}/data/${path}
- Update hvault_kv_list to use ${VAULT_KV_MOUNT}/metadata/${path}
- Update tests to use kv/ paths instead of secret/

This ensures agents can read/write secrets using the same mount point
that the Nomad+Vault migration policies grant ACL for.

tests/lib-hvault.bats

@@ -126,7 +126,7 @@ setup() {
 @test "hvault_policy_apply creates a policy" {
   local pfile="${BATS_TEST_TMPDIR}/test-policy.hcl"
   cat > "$pfile" <<'HCL'
-path "secret/data/test/*" {
+path "kv/data/test/*" {
   capabilities = ["read"]
 }
 HCL
@@ -138,12 +138,12 @@ HCL
   run curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
     "${VAULT_ADDR}/v1/sys/policies/acl/test-reader"
   [ "$status" -eq 0 ]
-  echo "$output" | jq -e '.data.policy' | grep -q "secret/data/test"
+  echo "$output" | jq -e '.data.policy' | grep -q "kv/data/test"
 }
 
 @test "hvault_policy_apply is idempotent" {
   local pfile="${BATS_TEST_TMPDIR}/idem-policy.hcl"
-  printf 'path "secret/*" { capabilities = ["list"] }\n' > "$pfile"
+  printf 'path "kv/*" { capabilities = ["list"] }\n' > "$pfile"
 
   run hvault_policy_apply "idem-policy" "$pfile"
   [ "$status" -eq 0 ]