fix: [nomad-step-2] S2-fix-B — extract _hvault_default_env helper to lib/hvault.sh (prereq for other S2 fixes) (#919)

lib/hvault.sh

@@ -16,6 +16,18 @@ set -euo pipefail
 
 # ── Internal helpers ─────────────────────────────────────────────────────────
 
+# _hvault_default_env — ensure VAULT_ADDR and VAULT_TOKEN are set for local-cluster operation
+# Safe to call multiple times; no-op if both are already exported.
+# Reads VAULT_TOKEN from /etc/vault.d/root.token if the file is readable.
+_hvault_default_env() {
+  : "${VAULT_ADDR:=http://127.0.0.1:8200}"
+  export VAULT_ADDR
+  if [ -z "${VAULT_TOKEN:-}" ] && [ -r /etc/vault.d/root.token ]; then
+    VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+    export VAULT_TOKEN
+  fi
+}
+
 # _hvault_err — emit structured JSON error to stderr
 # Args: func_name, message, [detail]
 _hvault_err() {

lib/init/nomad/vault-nomad-auth.sh

@@ -49,11 +49,9 @@ APPLY_ROLES_SH="${REPO_ROOT}/tools/vault-apply-roles.sh"
 SERVER_HCL_SRC="${REPO_ROOT}/nomad/server.hcl"
 SERVER_HCL_DST="/etc/nomad.d/server.hcl"
 
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+# shellcheck source=../../lib/hvault.sh
-export VAULT_ADDR
-
-# shellcheck source=../../hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 log() { printf '[vault-auth] %s\n' "$*"; }
 die() { printf '[vault-auth] ERROR: %s\n' "$*" >&2; exit 1; }

tools/vault-apply-policies.sh

@@ -40,6 +40,7 @@ POLICIES_DIR="${REPO_ROOT}/vault/policies"
 
 # shellcheck source=../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 log() { printf '[vault-apply] %s\n' "$*"; }
 die() { printf '[vault-apply] ERROR: %s\n' "$*" >&2; exit 1; }
@@ -94,9 +95,6 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-[ -n "${VAULT_ADDR:-}" ] \
-  || die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-
 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
 # the per-file loop below doesn't emit N identical "HTTP 403" errors.

tools/vault-apply-roles.sh

@@ -49,6 +49,7 @@ ROLES_FILE="${REPO_ROOT}/vault/roles.yaml"
 
 # shellcheck source=../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
+_hvault_default_env
 
 # Constants shared across every role — the issue's AC names these as the
 # invariant token shape for Nomad workload identity. Bumping any of these
@@ -219,9 +220,6 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-if [ -z "${VAULT_ADDR:-}" ]; then
-  die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-fi
 if ! hvault_token_lookup >/dev/null; then
   die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"
 fi

tools/vault-import.sh

@@ -302,6 +302,7 @@ EOF
 
   # Source the Vault helpers
   source "$(dirname "$0")/../lib/hvault.sh"
+  _hvault_default_env
 
   # Load .env file
   _log "Loading environment from: $env_file"