fix(vault): prevent CPU-burning init loop with marker file + idempotent checks

Root cause: init scripts ran repeatedly (on container restart) and tried
vault secrets enable / vault auth enable for already-existing paths.
Vault logged ERRORs and burned 40-84% CPU in the loop.

Fix:
- Marker file /vault/data/.init-complete skips re-initialization
- vault secrets list / vault auth list checks before enable calls
- No more "path already in use" errors on subsequent runs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

vault/init-pki.sh

@@ -34,7 +34,11 @@ mkdir -p /vault/certs
 # Step 1: Enable PKI Secrets Engine (Root CA)
 # ================================================
 echo "Enabling Root CA PKI engine..."
-vault secrets enable -path=pki pki 2>/dev/null || echo "PKI engine already enabled"
+if ! vault secrets list -format=json 2>/dev/null | grep -q '"pki/"'; then
+  vault secrets enable -path=pki pki
+else
+  echo "PKI engine already enabled — skipping"
+fi
 
 # Set max lease TTL to 10 years for root CA
 vault secrets tune -max-lease-ttl=87600h pki
@@ -59,7 +63,11 @@ vault write pki/config/urls \
 # Step 2: Enable PKI Secrets Engine (Intermediate CA)
 # ================================================
 echo "Enabling Intermediate CA PKI engine..."
-vault secrets enable -path=pki_int pki 2>/dev/null || echo "Intermediate PKI engine already enabled"
+if ! vault secrets list -format=json 2>/dev/null | grep -q '"pki_int/"'; then
+  vault secrets enable -path=pki_int pki
+else
+  echo "Intermediate PKI engine already enabled — skipping"
+fi
 
 # Set max lease TTL to 5 years for intermediate
 vault secrets tune -max-lease-ttl=43800h pki_int
@@ -142,7 +150,11 @@ EOF
 # ================================================
 echo "Creating AppRole for certificate management..."
 
-vault auth enable approle 2>/dev/null || echo "AppRole already enabled"
+if ! vault auth list -format=json 2>/dev/null | grep -q '"approle/"'; then
+  vault auth enable approle
+else
+  echo "AppRole already enabled — skipping"
+fi
 
 # Create role for nginx certificate management
 vault write auth/approle/role/breakpilot-nginx \

vault/init-secrets.sh

@@ -24,8 +24,12 @@ done
 
 echo "Vault is ready. Initializing secrets..."
 
-# Enable KV v2 secrets engine at 'secret/' (usually enabled in dev mode)
-vault secrets enable -version=2 -path=secret kv 2>/dev/null || echo "KV engine already enabled"
+# Enable KV v2 secrets engine at 'secret/' (only if not already enabled)
+if ! vault secrets list -format=json 2>/dev/null | grep -q '"secret/"'; then
+  vault secrets enable -version=2 -path=secret kv
+else
+  echo "KV engine already enabled — skipping"
+fi
 
 # ================================================
 # API Keys (PLACEHOLDER - Replace in production!)

vault/init-vault.sh

@@ -4,6 +4,7 @@ set -e
 
 export VAULT_ADDR="http://vault:8200"
 KEYS_FILE="/vault/data/init-keys.json"
+INIT_MARKER="/vault/data/.init-complete"
 
 echo "=== Vault Init/Unseal ==="
 echo "Waiting for Vault to be ready..."
@@ -39,6 +40,12 @@ chmod 600 /vault/data/root-token
 
 echo "=== Vault ready (persistent file storage) ==="
 
+# Skip PKI + secrets init if already completed (prevents repeated mount-enable errors)
+if [ -f "$INIT_MARKER" ]; then
+  echo "PKI + secrets already initialized (marker: $INIT_MARKER). Skipping."
+  exit 0
+fi
+
 # Run PKI init
 if [ -f /vault/scripts/init-pki.sh ]; then
   echo "Running PKI initialization..."
@@ -50,3 +57,7 @@ if [ -f /vault/scripts/init-secrets.sh ]; then
   echo "Running secrets initialization..."
   sh /vault/scripts/init-secrets.sh
 fi
+
+# Mark initialization as complete
+touch "$INIT_MARKER"
+echo "Init marker written: $INIT_MARKER"