From c2a3a8244d7cd6bbd2541406b67cb68caa3d5563 Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Sat, 4 Apr 2026 06:44:31 -0300
Subject: [PATCH] hecate(vault): parse status JSON with kubectl preamble

---
 internal/cluster/orchestrator.go      |  8 +++++++-
 internal/cluster/orchestrator_test.go | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/internal/cluster/orchestrator.go b/internal/cluster/orchestrator.go
index 6787912..1d1ce70 100644
--- a/internal/cluster/orchestrator.go
+++ b/internal/cluster/orchestrator.go
@@ -724,12 +724,18 @@ func parseVaultSealed(raw string) (bool, error) {
 	if trimmed == "" {
 		return false, fmt.Errorf("empty vault status output")
 	}
+	start := strings.Index(trimmed, "{")
+	end := strings.LastIndex(trimmed, "}")
+	if start < 0 || end < 0 || end < start {
+		return false, fmt.Errorf("vault status payload missing JSON object")
+	}
+	payload := trimmed[start : end+1]
 
 	type vaultStatus struct {
 		Sealed bool `json:"sealed"`
 	}
 	var st vaultStatus
-	if err := json.Unmarshal([]byte(trimmed), &st); err != nil {
+	if err := json.Unmarshal([]byte(payload), &st); err != nil {
 		return false, err
 	}
 	return st.Sealed, nil
diff --git a/internal/cluster/orchestrator_test.go b/internal/cluster/orchestrator_test.go
index 1dc1d35..09f6808 100644
--- a/internal/cluster/orchestrator_test.go
+++ b/internal/cluster/orchestrator_test.go
@@ -25,3 +25,14 @@ func TestParseVaultSealedRejectsEmpty(t *testing.T) {
 		t.Fatalf("expected parse error for empty status payload")
 	}
 }
+
+func TestParseVaultSealedWithKubectlPreamble(t *testing.T) {
+	raw := "Defaulted container \"vault\" out of: vault, setup-config (init)\n{\"sealed\":true,\"initialized\":true}\n"
+	sealed, err := parseVaultSealed(raw)
+	if err != nil {
+		t.Fatalf("parse with preamble: %v", err)
+	}
+	if !sealed {
+		t.Fatalf("expected sealed=true from payload with preamble")
+	}
+}