fix: return database user ID from /api/auth/me instead of Logto sub

The /me endpoint was returning auth.sub (Logto's opaque string) as the
user ID, but the frontend and other API endpoints expect numeric DB IDs.
This caused "can't access property 'id', w[0] is undefined" after login.

Also documents Logto OIDC setup requirements (scopes, env vars) in
CLAUDE.md.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -109,13 +109,26 @@ Always use existing components instead of rebuilding with plain HTML. Check `src
 
 ## Authentication
 
-- **First run**: No users exist. Visit `/login` to create your admin account.
+- **OIDC via Logto**: Authentication is handled by an external Logto instance via `@hono/oidc-auth`. Users are redirected to Logto for login, and sessions are managed via OIDC cookies.
-- **Web UI**: Cookie-based sessions (`gearbox_session`), 30-day expiry, auto-refreshed.
 - **Programmatic access**: API keys created in Settings > API Keys. Pass via `X-API-Key` header.
 - **Public read**: All GET endpoints work without auth. POST/PUT/DELETE require auth.
-- **Auth routes**: `/api/auth/login`, `/api/auth/logout`, `/api/auth/setup`, `/api/auth/me`, `/api/auth/password`, `/api/auth/keys`.
+- **Auth routes**: `/api/auth/me`, `/api/auth/keys`, `/api/auth/profile`.
 - **MCP OAuth**: OAuth 2.1 + PKCE for Claude mobile/web. Endpoints at `/oauth/*`. Uses existing GearBox credentials.
 
+### Logto Setup
+
+The Logto application must be configured with the correct scopes. In the Logto admin console, go to the application settings and ensure the following **User Scopes** are granted: `openid`, `profile`, `email` (matching the `OIDC_SCOPES` env var).
+
+**Required env vars:**
+```bash
+OIDC_ISSUER=https://your-logto-domain/oidc    # Logto OIDC issuer URL
+OIDC_CLIENT_ID=<client-id>                     # From Logto app settings
+OIDC_CLIENT_SECRET=<client-secret>             # From Logto app settings
+OIDC_AUTH_SECRET=<random-32-char-hex>          # Session encryption key
+OIDC_SCOPES="openid profile email"             # Must match Logto app scopes
+OIDC_REDIRECT_URI=https://your-app/callback    # Must match Logto redirect URI
+```
+
 ## MCP Server
 
 GearBox includes a built-in MCP server for integration with Claude Code and Claude Desktop. Enabled by default, disable with `GEARBOX_MCP=false`. Authenticated via API key or OAuth 2.1 Bearer token.

src/server/routes/auth.ts

@@ -8,6 +8,7 @@ import { requireAuth } from "../middleware/auth.ts";
 import {
 	createApiKey,
 	deleteApiKey,
+	getOrCreateUser,
 	listApiKeys,
 } from "../services/auth.service.ts";
 import { updateProfile } from "../services/profile.service.ts";
@@ -23,8 +24,10 @@ const app = new Hono<Env>();
 app.get("/me", async (c) => {
 	const auth = await getAuth(c);
 	if (auth) {
+		const db = c.get("db");
+		const user = await getOrCreateUser(db, auth.sub);
 		return c.json({
-			user: { id: auth.sub, email: auth.email },
+			user: { id: user.id, email: auth.email },
 			authenticated: true,
 		});
 	}