fix: portable vault path resolution across Windows/Mac/Linux

Replace hardcoded D:/vault references with candidate-list pattern
that also checks $HOME/vault, ~/.vault, and respects VAULT_PATH
env var override. Fixes vault.sh lookup failures on Mac and
Howard's machine.

Affected: CLAUDE.md, syncro.md, get-token.sh, patch-tenant-admin-manifest.sh

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.claude/CLAUDE.md

@@ -173,14 +173,23 @@ When user references previous work, use `/context` command. Never ask for info i
 
 ### Credential Access (SOPS Vault)
 
+Always resolve vault path portably — never hardcode `D:/vault`:
+
 ```bash
-bash D:/vault/scripts/vault.sh search "keyword"         # Search without decrypting
-bash D:/vault/scripts/vault.sh get-field <path> <field> # Get specific field
-bash D:/vault/scripts/vault.sh get <path>               # Decrypt full entry
-bash D:/vault/scripts/vault.sh list                     # List all entries
+VAULT_SH=""
+for _c in "D:/vault/scripts/vault.sh" "$HOME/vault/scripts/vault.sh" "/d/vault/scripts/vault.sh" "$HOME/.vault/scripts/vault.sh"; do
+  [[ -f "$_c" ]] && VAULT_SH="$_c" && break
+done
+[[ -z "$VAULT_SH" ]] && { echo "ERROR: vault not found" >&2; exit 1; }
+
+bash "$VAULT_SH" search "keyword"         # Search without decrypting
+bash "$VAULT_SH" get-field <path> <field> # Get specific field
+bash "$VAULT_SH" get <path>               # Decrypt full entry
+bash "$VAULT_SH" list                     # List all entries
 ```
 
-Vault repo: `D:\vault` — structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
+Vault repo: cloned at `D:\vault` (Windows) or `~/vault` (Mac/Linux) — set `VAULT_PATH` env var to override.
+Structure: `infrastructure/`, `clients/`, `services/`, `projects/`, `msp-tools/`
 
 **1Password fallback:** service account token in `infrastructure/1password-service-account.sops.yaml`
 

.claude/commands/syncro.md

@@ -30,13 +30,21 @@ When invoked, use the Syncro REST API via `curl`. All requests include `?api_key
 ### Get API key
 
 ```bash
-API_KEY=$(bash D:/vault/scripts/vault.sh get-field msp-tools/syncro.sops.yaml credentials.credential)
+# Portable vault resolver — works on Windows (D:/vault), Mac (~/.vault or ~/vault), Linux
+VAULT_SH=""
+for _c in "D:/vault/scripts/vault.sh" "$HOME/vault/scripts/vault.sh" "/d/vault/scripts/vault.sh" "$HOME/.vault/scripts/vault.sh"; do
+  [[ -f "$_c" ]] && VAULT_SH="$_c" && break
+done
+[[ -z "$VAULT_SH" ]] && { echo "ERROR: vault.sh not found" >&2; exit 1; }
+
+API_KEY=$(bash "$VAULT_SH" get-field msp-tools/syncro.sops.yaml credentials.credential)
 BASE="https://computerguru.syncromsp.com/api/v1"
 ```
 
 If `vault.sh get-field` fails (yq not installed), fall back to:
 ```bash
-API_KEY=$(sops -d D:/vault/msp-tools/syncro.sops.yaml | py -c "import sys,yaml; print(yaml.safe_load(sys.stdin)['credentials']['credential'])")
+VAULT_ROOT=$(dirname "$(dirname "$VAULT_SH")")
+API_KEY=$(sops -d "$VAULT_ROOT/msp-tools/syncro.sops.yaml" | py -c "import sys,yaml; print(yaml.safe_load(sys.stdin)['credentials']['credential'])")
 ```
 
 ### Endpoints reference

.claude/skills/remediation-tool/scripts/get-token.sh

@@ -81,12 +81,13 @@ if [[ -f "$CACHE_FILE" ]] && [[ $(find "$CACHE_FILE" -mmin -55 2>/dev/null) ]];
   exit 0
 fi
 
-# Locate vault repo
+# Locate vault repo — candidates cover Windows (D:/vault), Git Bash (/d/vault),
+# Mac/Linux ($HOME/vault), and optional override via VAULT_PATH env var.
 VAULT_ROOT=""
-for candidate in "D:/vault" "$HOME/vault" "/d/vault"; do
-  [[ -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
+for candidate in "${VAULT_PATH:-}" "D:/vault" "$HOME/vault" "/d/vault" "$HOME/.vault"; do
+  [[ -n "$candidate" && -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
 done
-[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: SOPS vault not found (tried D:/vault ~/vault /d/vault)" >&2; exit 3; }
+[[ -z "$VAULT_ROOT" ]] && { echo "ERROR: SOPS vault not found (tried D:/vault ~/vault /d/vault ~/.vault; set VAULT_PATH to override)" >&2; exit 3; }
 
 SOPS_FILE="$VAULT_ROOT/$VAULT_PATH"
 [[ ! -f "$SOPS_FILE" ]] && { echo "ERROR: vault file not found: $SOPS_FILE" >&2; exit 3; }

.claude/skills/remediation-tool/scripts/patch-tenant-admin-manifest.sh

@@ -18,10 +18,10 @@ GRAPH_RESOURCE_APP_ID="00000003-0000-0000-c000-000000000000"
 ROLE_MGMT_PERMISSION_ID="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
 
 VAULT_ROOT=""
-for candidate in "D:/vault" "$HOME/vault" "/d/vault"; do
-  [[ -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
+for candidate in "${VAULT_PATH:-}" "D:/vault" "$HOME/vault" "/d/vault" "$HOME/.vault"; do
+  [[ -n "$candidate" && -d "$candidate" ]] && VAULT_ROOT="$candidate" && break
 done
-[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] SOPS vault not found (tried D:/vault ~/vault /d/vault)" >&2; exit 3; }
+[[ -z "$VAULT_ROOT" ]] && { echo "[ERROR] SOPS vault not found (tried D:/vault ~/vault /d/vault ~/.vault; set VAULT_PATH to override)" >&2; exit 3; }
 
 # ── Step 1: Get Management app client secret ──────────────────────────────────
 echo "[INFO] Reading Management app secret from vault..."