docs: expand CLAUDE.md with auth details and MCP tool reference

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -53,7 +53,7 @@ bun run build               # Vite build → dist/client/
 - **Schema**: `schema.ts` — Drizzle table definitions for SQLite.
 - **Prices stored as cents** (`priceCents: integer`) to avoid float rounding.
 - **Timestamps**: stored as integers (unix epoch) with `{ mode: "timestamp" }`.
-- Tables: `categories`, `items`, `threads`, `threadCandidates`, `setups`, `setupItems`, `settings`.
+- Tables: `categories`, `items`, `threads`, `threadCandidates`, `setups`, `setupItems`, `settings`, `users`, `sessions`, `apiKeys`.
 
 ### Testing (`tests/`)
 - Bun test runner. Tests at service level and route level.
@@ -70,11 +70,47 @@ bun run build               # Vite build → dist/client/
 - **Image uploads**: `POST /api/images` saves to `./uploads/` with UUID filename, returned as `imageFilename` on item/candidate records.
 - **Image URL fetching**: `POST /api/images/from-url` fetches an image from a URL, saves locally, returns `{ filename, sourceUrl }`.
 - **Aggregates** (weight/cost totals): Computed via SQL on read, not stored on records.
-- **Authentication**: Public-read, authenticated-write. Cookie sessions for web UI, API keys for programmatic access. `POST /api/auth/setup` for first-time account creation.
+- **Authentication**: Public-read, authenticated-write. Cookie sessions for web UI, API keys (`X-API-Key` header) for programmatic access. `POST /api/auth/setup` for first-time account creation. Auth middleware protects all POST/PUT/DELETE on `/api/*` except `/api/auth/*`.
+
+## Authentication
+
+- **First run**: No users exist. Visit `/login` to create your admin account.
+- **Web UI**: Cookie-based sessions (`gearbox_session`), 30-day expiry, auto-refreshed.
+- **Programmatic access**: API keys created in Settings > API Keys. Pass via `X-API-Key` header.
+- **Public read**: All GET endpoints work without auth. POST/PUT/DELETE require auth.
+- **Auth routes**: `/api/auth/login`, `/api/auth/logout`, `/api/auth/setup`, `/api/auth/me`, `/api/auth/password`, `/api/auth/keys`.
 
 ## MCP Server
 
-GearBox includes a built-in MCP server for integration with Claude Code and Claude Desktop. Enabled by default, disable with `GEARBOX_MCP=false`.
+GearBox includes a built-in MCP server for integration with Claude Code and Claude Desktop. Enabled by default, disable with `GEARBOX_MCP=false`. Authenticated via API key.
+
+### Tools (19 total)
+
+| Tool | Description |
+|------|-------------|
+| `list_items` | List all items, optionally filter by category |
+| `get_item` | Get item details by ID |
+| `create_item` | Add item to collection (for decided items; use `create_thread` for research) |
+| `update_item` | Update item details |
+| `delete_item` | Remove item from collection |
+| `list_categories` | List all categories |
+| `create_category` | Create a new category |
+| `list_threads` | List research threads (recommended workflow for gear purchases) |
+| `get_thread` | Get thread with candidates |
+| `create_thread` | Start a research thread to compare gear options |
+| `resolve_thread` | Pick winning candidate, adds it to collection |
+| `add_candidate` | Add candidate to a research thread |
+| `update_candidate` | Update candidate details |
+| `remove_candidate` | Remove candidate from thread |
+| `list_setups` | List gear setups |
+| `get_setup` | Get setup with items and totals |
+| `create_setup` | Create a new setup |
+| `update_setup` | Update setup name or items |
+| `upload_image_from_url` | Fetch image from URL, save locally |
+
+### Resources
+
+- `gearbox://collection/summary` — Overview of collection: totals, items per category, active threads.
 
 ### Configuration