phase-8g: rate limiting and update readme doc

Kazuma
2026-06-05 23:02:21 -04:00
parent 9fb3808eb5
commit cea0ef4396
7 changed files with 320 additions and 184 deletions
+3 -3
@@ -163,7 +163,7 @@ ui/ ← SvelteKit dashboard (lives inside this repo, not a
market-calls.json ← persisted market thesis calls (written by MarketCallRepository)
portfolio.json ← user's holdings: ticker, shares, costBasis, source, type
.env ← SIMPLEFIN_ACCESS_URL or SIMPLEFIN_SETUP_TOKEN, ANTHROPIC_API_KEY
.env ← SIMPLEFIN_ACCESS_URL or SIMPLEFIN_SETUP_TOKEN, ANTHROPIC_API_KEY, API_KEY (optional — enables Bearer auth on all routes)
```
---
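Review bot: the new `.env` line says `API_KEY` "enables Bearer auth on all routes", but the 8g entry later in this same commit states that `/health` and OPTIONS requests are exempt, so the two parts of the README disagree on scope. Suggest wording the `.env` entry to match, e.g. `API_KEY (optional — enables Bearer auth on the /api routes; /health and CORS preflight stay open)`, so an operator reading only the top of the file does not assume the health endpoint is protected.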
@@ -626,9 +626,9 @@ Add one Fastify `inject()` smoke test per route using a fixture for `ScreenerEng
`BenchmarkProvider`'s 1-hour cache is in-memory only — cold start after every restart adds 24s latency to the first request. Write the cached `MarketContext` to `.benchmark-cache.json` (or a single-row SQLite table). Read it on boot; only re-fetch if stale.
#### 8g — Rate limiting + API key auth
#### 8g — Rate limiting + API key auth
Add `@fastify/rate-limit` on `/api/screen` and `/api/analyze` (e.g. 10 req/min per IP). Add a simple `Authorization: Bearer <key>` check against an `API_KEY` env var as middleware in `server/app.ts`. Both are single-digit line additions.
`@fastify/rate-limit` registered globally in `server/app.ts` (`global: false`, opt-in per route). `/api/screen`, `/api/screen/catalysts`, and `/api/analyze` each carry `config: { rateLimit: { max: 10, timeWindow: '1 minute' } }`. API key enforced via `onRequest` hook when `API_KEY` env var is set (`Authorization: Bearer <key>`); `/health` and OPTIONS are exempt. **Requires `npm install` after adding `@fastify/rate-limit` to dependencies (done in package.json).**
#### 8h — Extract `CalendarService`
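Review bot: the 8g description makes auth conditional on `API_KEY` being set, which means an unset or mistyped variable silently deploys the server with no authentication; the `onRequest` hook should at least log a prominent warning at startup when `API_KEY` is absent, and the README entry should say that explicitly. For the check itself, compare the presented token against the configured key with a constant-time comparison (`crypto.timingSafeEqual` on equal-length buffers) rather than a plain string equality, and reject with 401 before any route handler or rate-limit bookkeeping runs. For the rate limit, the entry says 10 requests per minute keyed per client, but it does not say how the client address is derived; if the dashboard is served behind a reverse proxy, Fastify's `trustProxy` setting decides whether all users share one bucket (proxy address) or whether a spoofable `X-Forwarded-For` is trusted, so document which deployment the limit assumes. The "Requires `npm install`" note is useful; consider also pinning the `@fastify/rate-limit` version in the README or the 8g entry so the lockfile change is reviewable.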