Branch: agent-identity on c15r/sync-mcp

• resolveToken: inverted preference from room > agent > view to agent > room > view
• Added resolveAdminToken(userId, room): returns room admin token for privilege escalation

• ToolContext: added resolveAdminToken function
• Added withAdminEscalation helper: retries with admin token on scope_denied errors
• sync_register_action: uses escalation (agent token first, room token fallback)
• sync_register_view: uses escalation
• sync_join_room: uses escalation (creating agents needs admin authority)

• Updated context construction to pass resolveAdminToken

• from: null on messages → now shows agent identity
• ${self} scope writes → now resolve to agent ID
• set_status, update_objective → work via agent token
• Vocabulary registration → transparent escalation to admin token

• Auto-join (MCP client as agent)
• Multi-client identity (separate agents per MCP client)
• HTTP proxy overhead (still round-trips to sync.parc.land)
• Vault as shadow of agents table