fix: vault path from per-machine identity.json, not hardcoded paths

- Add .claude/scripts/vault.sh wrapper (reads vault_path from identity.json)
- get-token.sh + patch-tenant-admin-manifest.sh read identity.json for vault root
- syncro.md uses wrapper via CLAUDETOOLS_ROOT
- CLAUDE.md + ONBOARDING.md document the pattern and prompt for vault_path on onboarding
- identity.json now includes vault_path (D:/vault on DESKTOP-0O8A1RL)

Howard and Mac need vault_path added to their identity.json after pulling.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-21 19:01:27 -07:00
parent 0a7cd6b778
commit a86df117d2
6 changed files with 116 additions and 42 deletions

@@ -30,20 +30,15 @@ When invoked, use the Syncro REST API via `curl`. All requests include `?api_key
### Get API key
```bash
# Portable vault resolver — works on Windows (D:/vault), Mac (~/.vault or ~/vault), Linux
VAULT_SH=""
for _c in "D:/vault/scripts/vault.sh" "$HOME/vault/scripts/vault.sh" "/d/vault/scripts/vault.sh" "$HOME/.vault/scripts/vault.sh"; do
[[ -f "$_c" ]] && VAULT_SH="$_c" && break
done
[[ -z "$VAULT_SH" ]] && { echo "ERROR: vault.sh not found" >&2; exit 1; }
API_KEY=$(bash "$VAULT_SH" get-field msp-tools/syncro.sops.yaml credentials.credential)
# Vault path comes from .claude/identity.json (per-machine) via the ClaudeTools wrapper
VAULT="$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh"
API_KEY=$(bash "$VAULT" get-field msp-tools/syncro.sops.yaml credentials.credential)
BASE="https://computerguru.syncromsp.com/api/v1"
```
If `vault.sh get-field` fails (yq not installed), fall back to:
```bash
VAULT_ROOT=$(dirname "$(dirname "$VAULT_SH")")
VAULT_ROOT=$(bash "$VAULT" get msp-tools/syncro.sops.yaml 2>/dev/null | head -1 || python3 -c "import json; print(json.load(open('$CLAUDETOOLS_ROOT/.claude/identity.json'))['vault_path'])")
API_KEY=$(sops -d "$VAULT_ROOT/msp-tools/syncro.sops.yaml" | py -c "import sys,yaml; print(yaml.safe_load(sys.stdin)['credentials']['credential'])")
```
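Review bot: In the fallback block, the `|| python3 ...` branch of `VAULT_ROOT=$(bash "$VAULT" get msp-tools/syncro.sops.yaml 2>/dev/null | head -1 || python3 ...)` is effectively unreachable. Without `pipefail`, `||` tests the exit status of `head -1`, which succeeds even when `vault.sh` fails. VAULT_ROOT then ends up either empty or holding the first line of whatever `get` printed, and that value is used as the path prefix for `sops -d`. Since the commit's stated source of truth is `vault_path` in identity.json, read it from there directly in this block, and pass the file path to Python as an argument instead of interpolating `$CLAUDETOOLS_ROOT` into the string literal, which breaks on paths containing quotes. The same block invokes both `python3` and `py`; use one consistently. The first block also lost the old `vault.sh not found` check, so an unset `CLAUDETOOLS_ROOT` resolves to `/.claude/scripts/vault.sh` with no explicit error; a `[[ -f "$VAULT" ]]` guard before the `get-field` call would restore that.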