refactor: modularize codebase — deduplicate, extract, clean up

- Unify duplicate uTLS transports into shared internal/transport package
- Extract shared version constant into internal/version
- Move LoadDefaultCredentials from config to auth (remove config→auth import)
- Deduplicate handler.go: extract telemetry/error helpers (324→268 lines)
- Break up main.go::run() into initCredential/initEmbedded
- Eliminate logging.Config duplication (use config.LoggingConfig directly)
- Extract logWriter to embedded/log.go, SSE fixtures to consts in sniff.go
- Use uTLS client for usage polling (consistent TLS fingerprint)
- Handle sjson.SetBytes errors in sanitize.go instead of silently swallowing
- Document reverse-engineered magic values in billing.go
- Unexport Credential.CooldownUntil (internal state)
- Replace hardcoded auth bypass paths with map in server.go

internal/auth/types.go

@@ -13,7 +13,7 @@ type Credential struct {
 	RefreshToken     string
 	ExpiresAt        time.Time
 	FilePath         string
-	CooldownUntil    time.Time
+	cooldownUntil    time.Time
 	nextRefreshAfter time.Time
 	mu               sync.Mutex
 }
@@ -22,21 +22,21 @@ type Credential struct {
 func (c *Credential) IsOnCooldown() bool {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	return time.Now().Before(c.CooldownUntil)
+	return time.Now().Before(c.cooldownUntil)
 }
 
 // SetCooldown puts the credential on cooldown for the given duration.
 func (c *Credential) SetCooldown(duration time.Duration) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	c.CooldownUntil = time.Now().Add(duration)
+	c.cooldownUntil = time.Now().Add(duration)
 }
 
 // ClearCooldown removes any active cooldown on the credential.
 func (c *Credential) ClearCooldown() {
 	c.mu.Lock()
 	defer c.mu.Unlock()
-	c.CooldownUntil = time.Time{}
+	c.cooldownUntil = time.Time{}
 }
 
 // Token returns the current access token.