diff --git a/lib/hvault.sh b/lib/hvault.sh
index ec7fa7e..b82e4e3 100644
--- a/lib/hvault.sh
+++ b/lib/hvault.sh
@@ -38,6 +38,23 @@ _hvault_resolve_token() {
 return 1
 }
 
+# _hvault_default_env — set default VAULT_ADDR and resolve VAULT_TOKEN
+#
+# Sets VAULT_ADDR to http://127.0.0.1:8200 if not already set.
+# Resolves VAULT_TOKEN from /etc/vault.d/root.token if not in env.
+# Exports both variables.
+#
+# Usage: source hvault.sh; _hvault_default_env
+_hvault_default_env() {
+ VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+ export VAULT_ADDR
+
+ if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
+ VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+ export VAULT_TOKEN
+ fi
+}
+
 # _hvault_check_prereqs — validate VAULT_ADDR and VAULT_TOKEN are set
 # Args: caller function name
 _hvault_check_prereqs() {
diff --git a/lib/init/nomad/vault-engines.sh b/lib/init/nomad/vault-engines.sh
index 161c470..fec0959 100644
--- a/lib/init/nomad/vault-engines.sh
+++ b/lib/init/nomad/vault-engines.sh
@@ -75,15 +75,8 @@ for bin in curl jq; do
 || die "required binary not found: ${bin}"
 done
 
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
- VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
- export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env
 
 # Check Vault connectivity and unsealed status
 hvault_token_lookup >/dev/null \
diff --git a/tools/vault-apply-policies.sh b/tools/vault-apply-policies.sh
index cb7d51e..b9f8a26 100755
--- a/tools/vault-apply-policies.sh
+++ b/tools/vault-apply-policies.sh
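Review bot: The `-f` test in the new fallback branch of _hvault_default_env checks that /etc/vault.d/root.token exists but not that the caller can read it, so for an unprivileged user `cat` fails and, depending on whether `set -e` is in effect, the script either aborts with a bare cat error or exports an empty VAULT_TOKEN and fails later with a misleading auth message; `if [ -z "${VAULT_TOKEN:-}" ] && [ -r /etc/vault.d/root.token ]; then` fails closed at the right place. The fallback also hands the process a root token without any trace of where it came from; a one-line notice such as `printf 'hvault: VAULT_TOKEN taken from /etc/vault.d/root.token\n' >&2` makes that visible in run logs, which matters for auditing. Judging by the context comment in tools/vault-apply-policies.sh, `_hvault_resolve_token` (whose body ends just above this hunk and starts outside it) already implements the same env-or-file lookup, so the new function could delegate to it instead of duplicating the file path and fallback logic in a second place.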
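Review bot: The replacement comment `# Set default Vault environment (fixes issue #2)` hides the security-relevant part of what the call does: the old inline block made it obvious that the script may pick up a root token from /etc/vault.d/root.token, and a reader can no longer see that without opening lib/hvault.sh. Something like `# Default VAULT_ADDR to loopback; fall back to the root token in /etc/vault.d/root.token for VAULT_TOKEN (fixes issue #2)` keeps that visible, and the same applies to the identical hunks in tools/vault-apply-policies.sh and tools/vault-apply-roles.sh. The call also depends on lib/hvault.sh having been sourced earlier in each script, which these hunks do not show; the adjacent hvault_token_lookup call suggests it is, but it is worth confirming the source line precedes this point. The context comment in tools/vault-apply-policies.sh states that hvault_token_lookup itself already resolves the token from env or /etc/vault.d/root.token, so if that is accurate the only thing these call sites still need from the helper is the VAULT_ADDR default.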
@@ -94,15 +94,8 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
- VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
- export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env
 
 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
diff --git a/tools/vault-apply-roles.sh b/tools/vault-apply-roles.sh
index 8ff4a23..835334c 100755
--- a/tools/vault-apply-roles.sh
+++ b/tools/vault-apply-roles.sh
@@ -219,15 +219,8 @@ if [ "$dry_run" = true ]; then
 fi
 
 # ── Live run: Vault connectivity check ───────────────────────────────────────
-# Default VAULT_ADDR if not set (fixes issue #2)
-VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
-export VAULT_ADDR
-
-# Resolve VAULT_TOKEN if not set (fixes issue #2)
-if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
- VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
- export VAULT_TOKEN
-fi
+# Set default Vault environment (fixes issue #2)
+_hvault_default_env
 
 if ! hvault_token_lookup >/dev/null; then
 die "Vault auth probe failed — check VAULT_ADDR + VAULT_TOKEN"