CLAUDE.md

@@ -10,7 +10,8 @@ MCIAS (Metacircular Identity and Access System) is a single-sign-on (SSO) and Id
 
 - **Language:** Go
 - **Database:** SQLite
-- **Logging/Utilities:** git.wntrmute.dev/kyle/goutils
+- **Module path:** git.wntrmute.dev/mc/mcias
+- **Shared library:** git.wntrmute.dev/mc/mcdsl (auth, config, CSRF, web server, health checks)
 - **Crypto:** Ed25519 (signatures), Argon2 (password hashing)
 - **Tokens:** JWT signed with Ed25519 (algorithm: EdDSA); always validate the `alg` header on receipt — never accept `none` or symmetric algorithms
 - **Auth:** Username/password + optional TOTP; future FIDO/Yubikey support
@@ -22,6 +23,12 @@ MCIAS (Metacircular Identity and Access System) is a single-sign-on (SSO) and Id
 - `mciasdb` — offline SQLite maintenance tool (schema, accounts, tokens, audit, pgcreds)
 - `mciasgrpcctl` — admin CLI for gRPC interface
 
+## Key Features
+
+- **SSO client management:** service registration, redirect URI configuration, per-client enable/disable, policy-gated CRUD (REST + gRPC + web UI)
+- **Security headers:** Content-Security-Policy on all UI and docs pages, HSTS (Strict-Transport-Security) on all responses, per-IP rate limiting on auth endpoints
+- **WebAuthn:** passwordless login via FIDO2/WebAuthn (registration and authentication flows)
+
 ## Development Workflow
 
 If PROGRESS.md does not yet exist, create it before proceeding. It is the source of truth for current state.