refactor: modularize codebase — deduplicate, extract, clean up

- Unify duplicate uTLS transports into shared internal/transport package
- Extract shared version constant into internal/version
- Move LoadDefaultCredentials from config to auth (remove config→auth import)
- Deduplicate handler.go: extract telemetry/error helpers (324→268 lines)
- Break up main.go::run() into initCredential/initEmbedded
- Eliminate logging.Config duplication (use config.LoggingConfig directly)
- Extract logWriter to embedded/log.go, SSE fixtures to consts in sniff.go
- Use uTLS client for usage polling (consistent TLS fingerprint)
- Handle sjson.SetBytes errors in sanitize.go instead of silently swallowing
- Document reverse-engineered magic values in billing.go
- Unexport Credential.CooldownUntil (internal state)
- Replace hardcoded auth bypass paths with map in server.go

internal/config/config_test.go

@@ -1,7 +1,6 @@
 package config
 
 import (
-	"encoding/json"
 	"os"
 	"path/filepath"
 	"strings"
@@ -269,81 +268,3 @@ func TestExportConfig_Enabled(t *testing.T) {
 		})
 	}
 }
-
-func TestDefaultCredentialPath(t *testing.T) {
-	path := DefaultCredentialPath()
-	if path == "" {
-		t.Skip("could not determine home directory")
-	}
-	if !strings.HasSuffix(path, "/.claude/.credentials.json") {
-		t.Errorf("DefaultCredentialPath() = %q, want suffix /.claude/.credentials.json", path)
-	}
-}
-
-func TestLoadDefaultCredentials_ValidFile(t *testing.T) {
-	// We can't easily override DefaultCredentialPath, so test the JSON parsing
-	// logic by creating a file at a temp location and calling the internal parsing
-	// directly. Instead, we test LoadDefaultCredentials indirectly by verifying
-	// it returns nil,nil when the default path doesn't exist (common in CI).
-	// For a full test, we create the credential file at the expected path.
-
-	// Test with the actual function — if the default credential file doesn't
-	// exist, it should return nil, nil.
-	creds, err := LoadDefaultCredentials()
-	path := DefaultCredentialPath()
-	if path == "" {
-		if creds != nil || err != nil {
-			t.Errorf("expected nil,nil when home dir unavailable, got %v, %v", creds, err)
-		}
-		return
-	}
-
-	if _, statErr := os.Stat(path); os.IsNotExist(statErr) {
-		// File doesn't exist — should return nil, nil
-		if creds != nil {
-			t.Errorf("expected nil creds for missing file, got %v", creds)
-		}
-		if err != nil {
-			t.Errorf("expected nil error for missing file, got %v", err)
-		}
-	}
-}
-
-func TestLoadDefaultCredentials_ParsesJSON(t *testing.T) {
-	// Test the JSON parsing by creating a temp credential file and using
-	// the claudeCredentialsJSON struct directly (white-box test).
-	jsonData := `{"claudeAiOauth":{"accessToken":"test-token","refreshToken":"test-refresh","expiresAt":1234567890,"subscriptionType":"pro"}}`
-
-	var cf claudeCredentialsJSON
-	if err := json.Unmarshal([]byte(jsonData), &cf); err != nil {
-		t.Fatalf("unmarshal: %v", err)
-	}
-
-	if cf.ClaudeAiOauth.AccessToken != "test-token" {
-		t.Errorf("AccessToken = %q, want test-token", cf.ClaudeAiOauth.AccessToken)
-	}
-	if cf.ClaudeAiOauth.RefreshToken != "test-refresh" {
-		t.Errorf("RefreshToken = %q, want test-refresh", cf.ClaudeAiOauth.RefreshToken)
-	}
-	if cf.ClaudeAiOauth.ExpiresAt != 1234567890 {
-		t.Errorf("ExpiresAt = %d, want 1234567890", cf.ClaudeAiOauth.ExpiresAt)
-	}
-	if cf.ClaudeAiOauth.SubscriptionType != "pro" {
-		t.Errorf("SubscriptionType = %q, want pro", cf.ClaudeAiOauth.SubscriptionType)
-	}
-}
-
-func TestLoadDefaultCredentials_EmptyAccessToken(t *testing.T) {
-	// Verify that an empty access token in the JSON produces an error.
-	// We test the parsing struct and logic path.
-	jsonData := `{"claudeAiOauth":{"accessToken":"","refreshToken":"r","expiresAt":1}}`
-
-	var cf claudeCredentialsJSON
-	if err := json.Unmarshal([]byte(jsonData), &cf); err != nil {
-		t.Fatalf("unmarshal: %v", err)
-	}
-	if cf.ClaudeAiOauth.AccessToken != "" {
-		t.Errorf("expected empty access token")
-	}
-	// The actual LoadDefaultCredentials would return an error here.
-}