fix(vault): read unseal key from init.json fallback

vault/entrypoint.sh

@@ -17,10 +17,16 @@ INITIALIZED=$(vault status -format=json 2>/dev/null | grep '"initialized"' | gre
 if [ "$INITIALIZED" != "1" ]; then
   echo "Vault not initialized, running operator init..."
   vault operator init -key-shares=1 -key-threshold=1 -format=json > /vault/data/init.json
-  VAULT_UNSEAL_KEY=$(cat /vault/data/init.json | grep -o '"unseal_keys_b64":\["[^"]*"' | grep -o '\["[^"]*"' | tr -d '["')
+  VAULT_UNSEAL_KEY=$(cat /vault/data/init.json | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p')
+  export VAULT_UNSEAL_KEY
   echo "Vault initialized. Unseal key saved to /vault/data/init.json"
 fi
 
+# If no env key, try to read from saved init.json
+if [ -z "$VAULT_UNSEAL_KEY" ] && [ -f /vault/data/init.json ]; then
+  VAULT_UNSEAL_KEY=$(cat /vault/data/init.json | sed -n 's/.*"unseal_keys_b64":\["\([^"]*\)".*/\1/p')
+fi
+
 # Auto-unseal
 if [ -n "$VAULT_UNSEAL_KEY" ]; then
   SEALED=$(vault status -format=json 2>/dev/null | grep '"sealed"' | grep -c 'true' || true)
@@ -32,7 +38,7 @@ if [ -n "$VAULT_UNSEAL_KEY" ]; then
     echo "Vault is already unsealed."
   fi
 else
-  echo "VAULT_UNSEAL_KEY not set, skipping auto-unseal."
+  echo "VAULT_UNSEAL_KEY not set and no init.json found, skipping auto-unseal."
 fi
 
 # Wait for Vault process