fix(workstation): claude-auth-sync must merge, not overwrite, the shared Vault path

cas_backup did `vault kv put secret/workstation/claude-users/<user>`, a full
KV-v2 replace that rewrote the document with only its 3 OAuth keys. Because
`homelab vault setup` co-locates the user's vaultwarden_* credentials on that
same path, every six-hourly sync silently deleted them — so `homelab vault`
reported "not configured" within hours of each setup. (Reported as: homelab
vault "keeps getting reset / logged out", set up 3 times.)

Switch the backup to a merge: `kv patch -method=rw` (read+update, needs no
`patch` capability) when the path exists, and `kv put` only to create it on the
first backup. Add a regression test with a fake vault asserting a pre-existing
sibling key survives a backup, and document the merge requirement in the
renewal runbook.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

scripts/workstation/claude-auth-sync.sh

@@ -82,7 +82,17 @@ cas_backup() {
     return 1
   }
   expires="$(jq -r '.expiresAt' <<<"$oauth")"
-  vault kv put "$CAS_VAULT_PATH" \
+  # MERGE into the shared path so sibling keys other tools co-locate there
+  # (e.g. `homelab vault`'s vaultwarden_* creds) survive. `kv patch -method=rw`
+  # is read+update (needs no `patch` capability) but requires the secret to
+  # already exist, so create it with `kv put` on the very first backup only.
+  local -a write_cmd
+  if vault kv get "$CAS_VAULT_PATH" >/dev/null 2>&1; then
+    write_cmd=(vault kv patch -method=rw "$CAS_VAULT_PATH")
+  else
+    write_cmd=(vault kv put "$CAS_VAULT_PATH")
+  fi
+  "${write_cmd[@]}" \
     claude_ai_oauth_json="$oauth" \
     credential_expires_at_ms="$expires" \
     backed_up_at="$(date -Is)" >/dev/null || {