fix: correct field from bao

pkgs/helpers/cli.py

@@ -128,8 +128,9 @@ def build_parser() -> argparse.ArgumentParser:
     init_host_parser = openbao_subparsers.add_parser("init-host", help="Create policy, AppRole, and bootstrap files.")
     init_host_parser.add_argument("--name", required=True, help="Host name, e.g. vps2.")
     init_host_parser.add_argument("--namespace", default="it", help="OpenBao namespace. Default: it.")
+    init_host_parser.add_argument("--kv-mount", default="kv", help="KV v2 mount name. Default: kv.")
     init_host_parser.add_argument("--secret-path", default="tailscale", help="Logical secret path. Default: tailscale.")
-    init_host_parser.add_argument("--field", default="auth_key", help="Secret field. Default: auth_key.")
+    init_host_parser.add_argument("--field", default="CLIENT_SECRET", help="Secret field. Default: CLIENT_SECRET.")
     init_host_parser.add_argument("--auth-path", default="auth/approle", help="AppRole auth mount. Default: auth/approle.")
     init_host_parser.add_argument("--policy-name", help="Policy name. Default: tailscale-<host>.")
     init_host_parser.add_argument("--role-name", help="AppRole name. Default: tailscale-<host>.")
@@ -351,7 +352,7 @@ def cmd_openbao_init_host(args: argparse.Namespace) -> int:
     role_id_path = output_dir / "var" / "lib" / "nodeiwest" / "openbao-approle-role-id"
     secret_id_path = output_dir / "var" / "lib" / "nodeiwest" / "openbao-approle-secret-id"
 
-    secret_data = bao_kv_get(args.namespace, args.secret_path)
+    secret_data = bao_kv_get(args.namespace, args.kv_mount, args.secret_path)
     fields = secret_data.get("data", {})
     if isinstance(fields.get("data"), dict):
         fields = fields["data"]
@@ -363,11 +364,12 @@ def cmd_openbao_init_host(args: argparse.Namespace) -> int:
     if args.kv_mount_path:
         policy_content = render_openbao_policy(args.kv_mount_path)
     else:
-        policy_content = derive_openbao_policy(args.namespace, args.secret_path)
+        policy_content = derive_openbao_policy(args.namespace, args.kv_mount, args.secret_path)
 
     role_command = build_approle_write_command(args.auth_path, role_name, policy_name, args.cidr)
 
     print(f"Namespace: {args.namespace}")
+    print(f"KV mount: {args.kv_mount}")
     print(f"Policy name: {policy_name}")
     print(f"Role name: {role_name}")
     print(f"Secret path: {args.secret_path}")
@@ -1022,13 +1024,13 @@ def ensure_bao_authenticated() -> None:
     )
 
 
-def bao_kv_get(namespace: str, secret_path: str) -> dict[str, Any]:
+def bao_kv_get(namespace: str, kv_mount: str, secret_path: str) -> dict[str, Any]:
     result = run_command(
-        ["bao", "kv", "get", "-format=json", secret_path],
+        ["bao", "kv", "get", f"-mount={kv_mount}", "-format=json", secret_path],
         env={"BAO_NAMESPACE": namespace},
         next_fix=(
-            "Check BAO_ADDR, BAO_NAMESPACE, and the logical secret path. "
-            "If the path or mount is ambiguous, re-run with --kv-mount-path."
+            "Check BAO_ADDR, BAO_NAMESPACE, the KV mount, and the logical secret path. "
+            "If the KV mount is not the default, re-run with --kv-mount."
         ),
     )
     try:
@@ -1037,12 +1039,13 @@ def bao_kv_get(namespace: str, secret_path: str) -> dict[str, Any]:
         raise NodeiwestError(f"Failed to parse `bao kv get` JSON output: {exc}") from exc
 
 
-def derive_openbao_policy(namespace: str, secret_path: str) -> str:
+def derive_openbao_policy(namespace: str, kv_mount: str, secret_path: str) -> str:
     result = run_command(
-        ["bao", "kv", "get", "-output-policy", secret_path],
+        ["bao", "kv", "get", f"-mount={kv_mount}", "-output-policy", secret_path],
         env={"BAO_NAMESPACE": namespace},
         next_fix=(
-            "Check BAO_ADDR, BAO_NAMESPACE, and the logical secret path. "
+            "Check BAO_ADDR, BAO_NAMESPACE, the KV mount, and the logical secret path. "
+            "If the KV mount is not the default, re-run with --kv-mount. "
             "If policy derivation still does not match your mount layout, re-run with --kv-mount-path."
         ),
     )
@@ -1220,8 +1223,8 @@ def infer_verify_failures(
         messages.append("Missing AppRole files on the host. Check /var/lib/nodeiwest/openbao-approle-role-id and ...secret-id.")
     if any(fragment in combined for fragment in ["invalid secret id", "permission denied", "approle", "failed to authenticate"]):
         messages.append("OpenBao AppRole authentication failed. Re-check the role, secret_id, namespace, and auth mount.")
-    if any(fragment in combined for fragment in ["auth_key", "timed out waiting for rendered tailscale auth key", "no data", "secret path"]):
-        messages.append("OpenBao rendered no Tailscale auth key. Check the secret path, KV mount path, and auth_key field.")
+    if any(fragment in combined for fragment in ["CLIENT_SECRET", "timed out waiting for rendered tailscale auth key", "no data", "secret path"]):
+        messages.append("OpenBao rendered no Tailscale auth key. Check the secret path, KV mount path, and CLIENT_SECRET field.")
     if tailscale_status.returncode != 0 or "logged out" in (tailscale_status.stdout or "").lower():
         messages.append("Tailscale autoconnect is blocked. Check tailscaled-autoconnect, the rendered auth key, and outbound access to Tailscale.")