docs(CLAUDE.md): document Ghidra MCP + WireMCP availability

Adds a 'MCP servers (live tooling)' section after the cdb retail debugger. Ghidra MCP (LaurieWired v1.4 HTTP) on :8081 serving patchmem.gpr provides live decomp lookups by address/name/xref without dumping acclient_2013_pseudo_c.txt into context. WireMCP (stdio, Node, tshark wrapper) enables loopback capture against 127.0.0.1:9000 for ACE wire-protocol cross-checks (0xF61C, 0xF74A, 0xF7DE parsing). Both extend the static-decomp + cdb workflow with live introspection.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

CLAUDE.md

@@ -500,6 +500,66 @@ This toolchain was used to settle the L.5 steep-roof investigation:
 `set_collide` rate per minute. See commit history around 2026-04-30
 for the trace data and the decisions it drove.
 
+## MCP servers (live tooling)
+
+Two MCP servers extend the static decomp + cdb workflow with live
+introspection. **Ghidra MCP** requires Ghidra to be running with a
+CodeBrowser open in the target project; **WireMCP** auto-loads at
+Claude Code startup.
+
+### Ghidra MCP (LaurieWired v1.4, HTTP)
+
+Starts an HTTP server on **port 8080** (or **8081** if 8080 is
+taken — first-open-wins) when a CodeBrowser tool opens a program.
+Currently serving **`patchmem.gpr`** — the 2013 v11.4186 build with
+full PDB applied, same source as `docs/research/named-retail/`. Use
+this when grep'ing `acclient_2013_pseudo_c.txt` returns too much
+noise and you want the decomp for one specific function or address
+without dumping the whole file into context.
+
+Probe: `curl http://127.0.0.1:8081/methods?limit=3`
+
+Useful endpoints (GET unless noted):
+
+- `/methods?limit=N` — function names
+- `/list_functions?limit=N` — `Name at HHHHHHHH` lines
+- `/decompile_function?address=0xHHHHHHHH` — decompiled C for one function
+- `/function_xrefs?name=...` — callers / callees
+- `/classes`, `/namespaces`, `/strings`
+- POST `/rename_function_by_address`, POST `/set_decompiler_comment`
+
+NO endpoints for: signature setting, namespace setting, script
+execution, save-project. Those still require Ghidra's GUI or
+`analyzeHeadless`. Full endpoint catalog + Ghidra project layout in
+`memory/reference_ghidra_projects.md`.
+
+### WireMCP (stdio, Node, user-scope)
+
+Wraps `tshark` at `C:\Program Files\Wireshark\tshark.exe`
+(auto-detected via the Windows fallback path in `WireMCP/index.js`).
+Direct fit for ACE wire-protocol work — capture loopback
+(`127.0.0.1:9000`) to cross-check inbound message parsing (`0xF61C`
+movement, `0xF74A` pickup despawn, `0xF7DE` chat, etc.) against the
+actual bytes, or diff ACE's outbound vs. the holtburger reference.
+Replaces ad-hoc Wireshark sessions in the conversation.
+
+Tools exposed:
+
+- `capture_packets` — short live capture on an interface, returns JSON
+- `get_summary_stats` — protocol hierarchy stats
+- `get_conversations` — TCP/UDP conversation table
+- `analyze_pcap` — parse a saved `.pcap` file
+- `check_threats`, `check_ip_threats` — URLhaus / threat-feed lookups
+- `extract_credentials` — grep for creds across protocols (rarely relevant)
+
+Installed at `C:\Users\erikn\source\repos\WireMCP\` (clone of
+`0xKoda/WireMCP`). Registered via `claude mcp add wiremcp --scope user`.
+
+**When NOT to use WireMCP:** decoding the AC packet *format* — that
+lives in `holtburger`, ACE, and `Chorizite.ACProtocol`. WireMCP shows
+you the bytes on the wire; the reference repos tell you what they
+mean.
+
 ## Subagent policy
 
 Subagents are the primary tool for saving parent-context and keeping one