docs: update CLAUDE.md with Google OAuth architecture and gotchas
Document non-obvious details from Steps 1-5 implementation:
- adiuvAI: deep-link protocol workaround, requestSingleInstanceLock,
backup-key.ts device-bound key, loginWithOAuth fetch() vs get()
- api: _pending_states in-memory limitation, nullable password_hash,
OAUTH_REDIRECT_URI pointing to API not website, 409 unverified-email
guard, OAuth testing patterns with AsyncMock + monkeypatch
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
bc2c76d2bb