feat(CUST-WP-0021): multi-host repo path hardening — all 5 tasks complete

- T01 (done prior): registered host_paths for bnt-lap001 (14 repos) and
  COULOMBCORE (6 repos) via POST /repos/{slug}/paths/
- T02: validate_repo_adr now accepts repo_slug (not raw path); resolves
  local path via host_paths[hostname] → local_path; clear error for
  unregistered/missing paths
- T03: ingest_sbom_tool lockfile_path is now optional and relative to
  resolved repo root; absolute paths accepted with deprecation warning
- T04: check_repo_consistency pre-flight guard — fetches repo, resolves
  path, returns clear error before spawning subprocess if path missing
- T05: TOOLS.md — updated validate_repo_adr row (slug not path);
  added Multi-Host & Remote Agent Usage section documenting design
  boundary, remote agent workflow, and update_repo_path usage

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

mcp_server/TOOLS.md

@@ -76,7 +76,7 @@ Use `list_human_interventions()` at session start to see Bernd's action items.
 
 | Tool | Key Args | When to use |
 |------|----------|-------------|
-| `validate_repo_adr(repo_path, domain_slug?)` | `repo_path`: absolute path; `domain_slug?`: for orphan detection | Check a repo against ADR-001. Detects missing workplans/ dir, invalid frontmatter, stale workstream ID references, and DB-only orphan workstreams. Run before and after any workplan changes. |
+| `validate_repo_adr(repo_slug, domain_slug?)` | `repo_slug`: registered repo slug (e.g. `"the-custodian"`); `domain_slug?`: for orphan detection | Check a repo against ADR-001. Resolves the local path from the DB (uses this host's registered path). Detects missing workplans/ dir, invalid frontmatter, stale workstream ID references, and DB-only orphan workstreams. Always runs against the MCP server's copy — see Multi-Host section below. |
 
 ---
 
@@ -152,6 +152,52 @@ instruction set — load it and follow the instructions it contains.
 
 ---
 
+## Multi-Host & Remote Agent Usage
+
+Three tools access the **local filesystem** on the MCP server machine:
+
+| Tool | File-sys operation |
+|------|-------------------|
+| `validate_repo_adr` | Runs `validate_repo_adr.py` against the server's repo checkout |
+| `check_repo_consistency` | Runs `consistency_check.py` against the server's repo checkout |
+| `ingest_sbom_tool` | Runs `ingest_sbom.py` against the server's lockfiles |
+
+**Design boundary:** these tools always execute on the machine where the MCP server
+runs (`bnt-lap001`), against the path registered for that host. A remote agent
+calling them gets results from the server's checkout — not from its own working copy.
+
+### Implications for remote agents (e.g. workers on COULOMBCORE)
+
+- **Ahead of server on a branch?** Results will be based on the server's (older) copy.
+  Sync first: push your branch and pull it on the server, or accept the gap.
+- **Pure-API tools** (`get_state_summary`, `create_task`, `add_progress_event`, etc.)
+  work correctly from any host — they query the DB, not the filesystem.
+
+### Running file-sys scripts locally from a remote host
+
+```bash
+# From COULOMBCORE (tunnel maps remote :18000 → bnt-lap001 :8000):
+python scripts/consistency_check.py --repo the-custodian --api-base http://127.0.0.1:18000
+python scripts/validate_repo_adr.py /home/tegwick/the-custodian --api-base http://127.0.0.1:18000
+```
+
+### Registering a new host path
+
+```bash
+# Via MCP tool:
+update_repo_path("marki-docx", "/home/tegwick/marki-docx")   # defaults to current hostname
+
+# Via Makefile (on the machine where the path lives):
+make register-path REPO=marki-docx PATH=/home/tegwick/marki-docx
+
+# Via API directly:
+curl -X POST http://127.0.0.1:8000/repos/marki-docx/paths/ \
+  -H "Content-Type: application/json" \
+  -d '{"host": "your-hostname", "path": "/home/you/marki-docx"}'
+```
+
+---
+
 ## Domain Slugs
 
 Run `list_domains()` to get the live list. Default 6: `custodian` · `railiance` · `markitect` · `coulomb_social` · `personhood` · `foerster_capabilities`