hecate(vault): parse status JSON with kubectl preamble

internal/cluster/orchestrator.go

@@ -724,12 +724,18 @@ func parseVaultSealed(raw string) (bool, error) {
 	if trimmed == "" {
 		return false, fmt.Errorf("empty vault status output")
 	}
+	start := strings.Index(trimmed, "{")
+	end := strings.LastIndex(trimmed, "}")
+	if start < 0 || end < 0 || end < start {
+		return false, fmt.Errorf("vault status payload missing JSON object")
+	}
+	payload := trimmed[start : end+1]
 
 	type vaultStatus struct {
 		Sealed bool `json:"sealed"`
 	}
 	var st vaultStatus
-	if err := json.Unmarshal([]byte(trimmed), &st); err != nil {
+	if err := json.Unmarshal([]byte(payload), &st); err != nil {
 		return false, err
 	}
 	return st.Sealed, nil

internal/cluster/orchestrator_test.go

@@ -25,3 +25,14 @@ func TestParseVaultSealedRejectsEmpty(t *testing.T) {
 		t.Fatalf("expected parse error for empty status payload")
 	}
 }
+
+func TestParseVaultSealedWithKubectlPreamble(t *testing.T) {
+	raw := "Defaulted container \"vault\" out of: vault, setup-config (init)\n{\"sealed\":true,\"initialized\":true}\n"
+	sealed, err := parseVaultSealed(raw)
+	if err != nil {
+		t.Fatalf("parse with preamble: %v", err)
+	}
+	if !sealed {
+		t.Fatalf("expected sealed=true from payload with preamble")
+	}
+}