fix: [nomad-step-2] S2-fix-B — extract _hvault_default_env helper to lib/hvault.sh (prereq for other S2 fixes) (#919)

lib/hvault.sh

@@ -16,6 +16,18 @@ set -euo pipefail
 
 # ── Internal helpers ─────────────────────────────────────────────────────────
 
+# _hvault_default_env — ensure VAULT_ADDR and VAULT_TOKEN are set for local-cluster operation
+# Safe to call multiple times; no-op if both are already exported.
+# Reads VAULT_TOKEN from /etc/vault.d/root.token if the file is readable.
+_hvault_default_env() {
+  : "${VAULT_ADDR:=http://127.0.0.1:8200}"
+  export VAULT_ADDR
+  if [ -z "${VAULT_TOKEN:-}" ] && [ -r /etc/vault.d/root.token ]; then
+    VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+    export VAULT_TOKEN
+  fi
+}
+
 # _hvault_err — emit structured JSON error to stderr
 # Args: func_name, message, [detail]
 _hvault_err() {

lib/init/nomad/vault-nomad-auth.sh

@@ -49,11 +49,9 @@ APPLY_ROLES_SH="${REPO_ROOT}/tools/vault-apply-roles.sh"
 SERVER_HCL_SRC="${REPO_ROOT}/nomad/server.hcl"
 SERVER_HCL_DST="/etc/nomad.d/server.hcl"
 
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# shellcheck source=../../hvault.sh
+# shellcheck source=../../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 log() { printf '[vault-auth] %s\n' "$*"; }
 die() { printf '[vault-auth] ERROR: %s\n' "$*" >&2; exit 1; }