
fix(platform): preload vault tooling#56

Open
casey-brooks wants to merge 1 commit into main from noa/issue-54-v2

Conversation

@casey-brooks
Contributor

Summary

  • switch vault auto-init sidecar to the hashicorp/vault image
  • reuse the vault image for the init/unseal job container
  • remove vault CLI download logic and prune apk package list

Testing

  • NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#terraform -c terraform -chdir=stacks/platform init
  • NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#terraform -c terraform -chdir=stacks/platform validate
  • NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#terraform -c terraform -chdir=stacks/platform fmt -check -diff

Closes #54

@casey-brooks casey-brooks requested a review from a team as a code owner March 9, 2026 13:06
@casey-brooks
Contributor Author

Summary

  • switch vault auto-init sidecar to the vault image to avoid re-downloading tooling
  • use the same vault image for the init/unseal job container
  • remove vault CLI download logic and unnecessary apk packages

Test & Lint Summary

  • Tests: NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#terraform -c terraform -chdir=stacks/platform init
  • Tests: NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#terraform -c terraform -chdir=stacks/platform validate
    • Results: 1 passed, 0 failed, 0 skipped
  • Lint: NIXPKGS_ALLOW_UNFREE=1 nix shell --impure nixpkgs#terraform -c terraform -chdir=stacks/platform fmt -check -diff (no issues)


@noa-lucent noa-lucent left a comment


Clean, well-scoped PR that addresses all requirements from #54:

  1. Image swap: Both the sidecar and the init/unseal Job now use hashicorp/vault:1.17.2, which ships with the vault CLI — eliminates internet dependency on restarts.
  2. Script cleanup: Vault CLI download block, VAULT_VERSION variable/env, and unzip dependency all cleanly removed.
  3. Minimal residual tooling: Only curl and jq remain in ensure_tooling(), both still needed by the script.

One cosmetic nit noted inline. LGTM.

chmod +x /usr/local/bin/vault
rm -f "$tmp_zip"
fi
}


[nit] Leftover blank line from the removed vault download block creates a double blank line before the closing }. Consider removing it to keep the function body tidy.
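The review above describes the intended end state: the vault CLI comes from the hashicorp/vault:1.17.2 image, and ensure_tooling() only has to confirm that vault, curl and jq are present rather than fetch anything. The script below is an added example of that fail-fast check, not the PR's own script; the function names (missing_tools, ensure_tooling, vault_cli_version, check_vault_version) and the VAULT_EXPECTED_VERSION variable are assumptions, and the 1.17.2 default is taken from the image tag quoted in the review. It assumes the container image already provides all three binaries, so a restart never depends on network egress.

```shell
#!/usr/bin/env sh
# Added example (not the PR's script): a fail-fast ensure_tooling() for a
# sidecar/Job container that already ships the vault CLI, such as the
# hashicorp/vault image. Nothing is downloaded at runtime. Function names are
# hypothetical and chosen for this example.

# missing_tools TOOL...: print the tools not found on PATH (space-separated)
# and return 1; print nothing and return 0 when all are present.
missing_tools() {
  _missing=""
  for _tool in "$@"; do
    if ! command -v "$_tool" >/dev/null 2>&1; then
      _missing="${_missing:+$_missing }$_tool"
    fi
  done
  [ -z "$_missing" ] && return 0
  printf '%s\n' "$_missing"
  return 1
}

# ensure_tooling [TOOL...]: verify the binaries are baked into the image.
# Defaults to the three the script needs (vault, curl, jq). A restart in an
# egress-restricted cluster must not depend on reaching a release server, so
# a missing tool is treated as a build defect and the function returns 1.
ensure_tooling() {
  [ $# -gt 0 ] || set -- vault curl jq
  if _m=$(missing_tools "$@"); then
    return 0
  fi
  printf 'ensure_tooling: missing required binaries: %s\n' "$_m" >&2
  printf 'ensure_tooling: bake them into the image instead of downloading at runtime\n' >&2
  return 1
}

# vault_cli_version: the version reported by `vault version`, e.g. "1.17.2"
# from a line starting "Vault v1.17.2 ("; prints nothing if unparseable.
vault_cli_version() {
  vault version 2>/dev/null | sed -n 's/^Vault v\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# check_vault_version EXPECTED: the CLI in the image is the same binary as the
# server, so drift between the pinned image tag and the CLI shows up here.
check_vault_version() {
  _want=$1
  _have=$(vault_cli_version)
  if [ "$_have" = "$_want" ]; then
    return 0
  fi
  printf 'check_vault_version: want %s, image provides "%s"\n' "$_want" "$_have" >&2
  return 1
}

# Entrypoint usage (only when executed as ensure_tooling.sh, not when sourced):
if [ "${0##*/}" = "ensure_tooling.sh" ]; then
  ensure_tooling && check_vault_version "${VAULT_EXPECTED_VERSION:-1.17.2}"
fi
```

The check deliberately refuses to fall back to a download: if a binary is missing, the fix belongs in the image build, which is the property the PR is relying on for restarts. Comparing the CLI version against the expected image tag catches the case where the sidecar and Job images are bumped independently.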



Development

Successfully merging this pull request may close these issues.

Vault shows "not configured" — sidecar/Job race crashes sidecar before KV v2 engine is created

2 participants