diff --git a/src/core/bootstrap/mod.rs b/src/core/bootstrap/mod.rs
index 758756641..ffe6c1bf6 100644
--- a/src/core/bootstrap/mod.rs
+++ b/src/core/bootstrap/mod.rs
@@ -1229,6 +1229,42 @@ meet IN A 127.0.0.1
 // Set VAULT_TOKEN for subsequent commands
 std::env::set_var("VAULT_TOKEN", &root_token);
+ // WRITE .env IMMEDIATELY so SecretsManager can work
+ info!("Writing .env file with Vault configuration...");
+ let env_content = format!(
+ r#"# BotServer Environment Configuration
+# Generated by bootstrap - DO NOT ADD OTHER SECRETS HERE
+# All secrets are stored in Vault at the paths below:
+# - gbo/tables - PostgreSQL credentials
+# - gbo/drive - MinIO/S3 credentials
+# - gbo/cache - Redis credentials
+# - gbo/directory - Zitadel credentials
+# - gbo/email - Email credentials
+# - gbo/llm - LLM API keys
+# - gbo/encryption - Encryption keys
+
+# Vault Configuration - THESE ARE THE ONLY ALLOWED ENV VARS
+VAULT_ADDR={}
+VAULT_TOKEN={}
+
+# Vault uses HTTP for local development (TLS disabled in config.hcl)
+# In production, enable TLS and set VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
+
+# Cache TTL for secrets (seconds)
+VAULT_CACHE_TTL=300
+"#,
+ vault_addr, root_token
+ );
+ fs::write(&env_file_path, &env_content)?;
+ info!(" * Created .env file with Vault configuration");
+
+ // Re-initialize SecretsManager now that .env exists
+ info!("Re-initializing SecretsManager with Vault credentials...");
+ match init_secrets_manager().await {
+ Ok(_) => info!(" * SecretsManager now connected to Vault"),
+ Err(e) => warn!("SecretsManager re-init warning: {}", e),
+ }
+
 // Enable KV secrets engine at gbo/ path
 info!("Enabling KV secrets engine...");
 let _ = std::process::Command::new("sh")
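Review bot: The new `fs::write(&env_file_path, &env_content)?` creates `.env` with whatever mode the process umask yields, so the Vault root token written into it is typically readable by every local account; the file should be created owner-only rather than relying on a later chmod, which would leave a window in which the token is exposed. On Unix targets `OpenOptions` with `.mode(0o600)` (via `std::os::unix::fs::OpenOptionsExt`) sets the mode at creation; `fs::set_permissions` after the write also works but leaves the file world-readable between the two calls. Separately, the `Err(e) => warn!(...)` arm after `init_secrets_manager().await` lets bootstrap continue without a working SecretsManager, and if the steps that follow depend on it this should be an error rather than a warning — those later steps are not visible here. The enclosing function starts before this hunk and continues past it.
```rust
// … unchanged: env_content construction …
// Owner-only from creation: the file holds the Vault root token.
// Needs `std::os::unix::fs::OpenOptionsExt` and `std::io::Write` in scope.
let mut env_file = std::fs::OpenOptions::new()
    .write(true)
    .create(true)
    .truncate(true)
    .mode(0o600)
    .open(&env_file_path)?;
env_file.write_all(env_content.as_bytes())?;
info!(" * Created .env file with Vault configuration");
// … unchanged: SecretsManager re-init …
```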
@@ -1313,36 +1349,6 @@ meet IN A 127.0.0.1
 .output()?;
 info!(" Generated and stored encryption key");
- // Write .env file with ONLY Vault variables - NO LEGACY FALLBACK
- info!("Writing .env file with Vault configuration...");
- let env_content = format!(
- r#"# BotServer Environment Configuration
-# Generated by bootstrap - DO NOT ADD OTHER SECRETS HERE
-# All secrets are stored in Vault at the paths below:
-# - gbo/tables - PostgreSQL credentials
-# - gbo/drive - MinIO/S3 credentials
-# - gbo/cache - Redis credentials
-# - gbo/directory - Zitadel credentials
-# - gbo/email - Email credentials
-# - gbo/llm - LLM API keys
-# - gbo/encryption - Encryption keys
-
-# Vault Configuration - THESE ARE THE ONLY ALLOWED ENV VARS
-VAULT_ADDR={}
-VAULT_TOKEN={}
-
-# Vault uses HTTP for local development (TLS disabled in config.hcl)
-# In production, enable TLS and set VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY
-
-# Cache TTL for secrets (seconds)
-VAULT_CACHE_TTL=300
-"#,
- vault_addr, root_token
- );
-
- fs::write(&env_file_path, env_content)?;
- info!(" Created .env file with Vault configuration");
-
 info!("Vault setup complete!");
 info!(" Vault UI: {}/ui", vault_addr);
 info!(" Root token saved to: {}", vault_init_path.display());