fix(workstation): claude-auth-sync must merge, not overwrite, the shared Vault path

cas_backup did `vault kv put secret/workstation/claude-users/<user>`, a full
KV-v2 replace that rewrote the document with only its 3 OAuth keys. Because
`homelab vault setup` co-locates the user's vaultwarden_* credentials on that
same path, every six-hourly sync silently deleted them — so `homelab vault`
reported "not configured" within hours of each setup. (Reported as: homelab
vault "keeps getting reset / logged out", set up 3 times.)

Switch the backup to a merge: `kv patch -method=rw` (read+update, needs no
`patch` capability) when the path exists, and `kv put` only to create it on the
first backup. Add a regression test with a fake vault asserting a pre-existing
sibling key survives a backup, and document the merge requirement in the
renewal runbook.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

scripts/test-claude-auth-sync.sh

@@ -28,5 +28,61 @@ ok "accept own scoped Vault token" cas_vault_identity_ok token-devvm-claude-auth
 no "reject another user's token" cas_vault_identity_ok token-devvm-claude-auth-anca default,workstation-claude-anca
 no "reject wrong policy" cas_vault_identity_ok token-devvm-claude-auth-emo default,workstation-claude-anca
 
+# --- Regression: cas_backup must MERGE into the shared Vault path, preserving
+# sibling keys that other tools co-locate there (e.g. `homelab vault`'s
+# vaultwarden_* creds) — NOT overwrite the whole KV document. A blind `kv put`
+# wiped them every 6h (claude-auth-sync clobber, 2026-06-26).
+fakebin="$tmp/bin"; mkdir -p "$fakebin"
+store="$tmp/vault-store.json"
+cat > "$fakebin/vault" <<'FAKE'
+#!/usr/bin/env bash
+# Minimal KV-v2 fake backed by $VAULT_FAKE_STORE (a flat JSON object).
+[[ "$1" == kv ]] || { echo '{}'; exit 0; }   # token lookup etc. -> ignore
+op="$2"; shift 2
+store="$VAULT_FAKE_STORE"
+case "$op" in
+  get)
+    for a in "$@"; do [[ "$a" == -field=* ]] && field="${a#-field=}"; done
+    if [[ "$*" == *-format=json* ]]; then
+      [[ -f "$store" ]] || { echo "No value found"; exit 2; }
+      jq -n --argjson d "$(cat "$store")" '{data:{data:$d}}'; exit 0
+    fi
+    [[ -f "$store" ]] || exit 2                # bare get == existence check
+    if [[ -n "${field:-}" ]]; then
+      v="$(jq -r --arg k "$field" '.[$k] // empty' "$store")"; [[ -n "$v" ]] || exit 1
+      printf '%s' "$v"; exit 0
+    fi
+    exit 0 ;;
+  put)   echo '{}' > "$store" ;;                          # full replace
+  patch) [[ -f "$store" ]] || { echo "No value found"; exit 2; } ;;  # merge (rw)
+  *) exit 1 ;;
+esac
+for a in "$@"; do
+  case "$a" in
+    -*|secret/*) continue ;;                  # flags + the path arg
+    *=*) k="${a%%=*}"; v="${a#*=}"
+         t="$(mktemp)"; jq --arg k "$k" --arg v "$v" '.[$k]=$v' "$store" > "$t" && mv "$t" "$store" ;;
+  esac
+done
+exit 0
+FAKE
+chmod +x "$fakebin/vault"
+
+CAS_VAULT_PATH="secret/workstation/claude-users/test"
+CAS_CREDENTIALS="$tmp/credentials.json"
+CAS_STATE_DIR="$tmp/state"
+_oldpath="$PATH"; PATH="$fakebin:$PATH"; export VAULT_FAKE_STORE="$store"
+
+printf '{"vaultwarden_master_password":"keep-me"}\n' > "$store"   # pretend `homelab vault setup` ran
+ok "backup succeeds (existing doc)"   cas_backup
+eq "merge preserves sibling key"      keep-me "$(jq -r '.vaultwarden_master_password' "$store")"
+eq "merge writes claude oauth"        access  "$(jq -r '.claude_ai_oauth_json|fromjson|.accessToken' "$store")"
+
+rm -f "$store"                                                    # fresh user: no doc yet
+ok "backup succeeds (creates doc)"    cas_backup
+eq "create writes claude oauth"       access  "$(jq -r '.claude_ai_oauth_json|fromjson|.accessToken' "$store")"
+
+PATH="$_oldpath"; unset VAULT_FAKE_STORE
+
 printf '\n%d passed, %d failed\n' "$pass" "$fail"
 (( fail == 0 ))