fix: [nomad-step-2] S2-fix-C — make tools/vault-import.sh --sops optional (spec regression) (#921)

tests/vault-import.bats

@@ -309,12 +309,12 @@ setup() {
   echo "$output" | grep -q "Missing required argument"
 }
 
-@test "fails with missing --sops argument" {
+@test "succeeds with --env only (no --sops required)" {
+  # Issue #921: --sops is now optional
   run "$IMPORT_SCRIPT" \
-    --env "$FIXTURES_DIR/dot-env-complete" \
-    --age-key "$FIXTURES_DIR/age-keys.txt"
-  [ "$status" -ne 0 ]
-  echo "$output" | grep -q "Missing required argument"
+    --env "$FIXTURES_DIR/dot-env-for-env-only"
+  [ "$status" -eq 0 ]
+  echo "$output" | grep -q "Starting Vault import"
 }
 
 @test "fails with missing --age-key argument" {
@@ -351,3 +351,68 @@ setup() {
   [ "$status" -ne 0 ]
   echo "$output" | grep -q "not found"
 }
+
+# --- Optional --sops argument tests (issue #921) ─────────────────────────────────
+
+@test "env-only import succeeds (no --sops)" {
+  run "$IMPORT_SCRIPT" \
+    --env "$FIXTURES_DIR/dot-env-for-env-only"
+  [ "$status" -eq 0 ]
+  echo "$output" | grep -q "Starting Vault import"
+
+  # Verify forge path was written
+  run curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
+    "${VAULT_ADDR}/v1/secret/data/disinto/shared/forge"
+  [ "$status" -eq 0 ]
+  echo "$output" | grep -q "generic-forge-token"
+  echo "$output" | grep -q "generic-admin-token"
+}
+
+@test "env-only import warns about age-key without sops" {
+  run "$IMPORT_SCRIPT" \
+    --env "$FIXTURES_DIR/dot-env-for-env-only" \
+    --age-key "$FIXTURES_DIR/age-keys.txt"
+  [ "$status" -eq 0 ]
+  echo "$output" | grep -q "WARNING.*--age-key given without --import-sops"
+}
+
+@test "sops-only import succeeds (no --env)" {
+  run "$IMPORT_SCRIPT" \
+    --sops "$FIXTURES_DIR/.env.vault.enc" \
+    --age-key "$FIXTURES_DIR/age-keys.txt"
+  [ "$status" -eq 0 ]
+  echo "$output" | grep -q "Starting Vault import"
+
+  # Verify runner path was written (from sops)
+  run curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
+    "${VAULT_ADDR}/v1/secret/data/disinto/runner/GITHUB_TOKEN"
+  [ "$status" -eq 0 ]
+  echo "$output" | jq -e '.data.data.value == "github-test-token-abc123"'
+}
+
+@test "sops without --age-key errors" {
+  run "$IMPORT_SCRIPT" \
+    --sops "$FIXTURES_DIR/.env.vault.enc"
+  [ "$status" -ne 0 ]
+  echo "$output" | grep -q "requires --age-key"
+}
+
+@test "no arguments errors" {
+  run "$IMPORT_SCRIPT"
+  [ "$status" -ne 0 ]
+  echo "$output" | grep -q "must provide --import-env and/or --import-sops"
+}
+
+@test "env-only import with dry-run works" {
+  run "$IMPORT_SCRIPT" \
+    --env "$FIXTURES_DIR/dot-env-for-env-only" \
+    --dry-run
+  [ "$status" -eq 0 ]
+  echo "$output" | grep -q "DRY-RUN"
+  echo "$output" | grep -q "Import plan"
+
+  # Verify nothing was written to Vault
+  run curl -sf -H "X-Vault-Token: ${VAULT_TOKEN}" \
+    "${VAULT_ADDR}/v1/secret/data/disinto/shared/forge"
+  [ "$status" -ne 0 ]
+}