fix: [nomad-step-2] S2-fix-B — extract _hvault_default_env helper to lib/hvault.sh (prereq for other S2 fixes) (#919)

tools/vault-apply-policies.sh

@@ -40,6 +40,7 @@ POLICIES_DIR="${REPO_ROOT}/vault/policies"
 
 # shellcheck source=../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 log() { printf '[vault-apply] %s\n' "$*"; }
 die() { printf '[vault-apply] ERROR: %s\n' "$*" >&2; exit 1; }
@@ -94,9 +95,6 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-[ -n "${VAULT_ADDR:-}" ] \
-  || die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-
 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
 # the per-file loop below doesn't emit N identical "HTTP 403" errors.

tools/vault-apply-roles.sh

@@ -49,6 +49,7 @@ ROLES_FILE="${REPO_ROOT}/vault/roles.yaml"
 
 # shellcheck source=../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 # Constants shared across every role — the issue's AC names these as the
 # invariant token shape for Nomad workload identity. Bumping any of these
@@ -219,9 +220,6 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-if [ -z "${VAULT_ADDR:-}" ]; then
-  die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-fi
 if ! hvault_token_lookup >/dev/null; then
   die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"
 fi

tools/vault-import.sh

@@ -302,6 +302,7 @@ EOF
 
   # Source the Vault helpers
   source "$(dirname "$0")/../lib/hvault.sh"
+  _hvault_default_env
 
   # Load .env file
   _log "Loading environment from: $env_file"