refactor: modularize codebase — deduplicate, extract, clean up

- Unify duplicate uTLS transports into shared internal/transport package
- Extract shared version constant into internal/version
- Move LoadDefaultCredentials from config to auth (remove config→auth import)
- Deduplicate handler.go: extract telemetry/error helpers (324→268 lines)
- Break up main.go::run() into initCredential/initEmbedded
- Eliminate logging.Config duplication (use config.LoggingConfig directly)
- Extract logWriter to embedded/log.go, SSE fixtures to consts in sniff.go
- Use uTLS client for usage polling (consistent TLS fingerprint)
- Handle sjson.SetBytes errors in sanitize.go instead of silently swallowing
- Document reverse-engineered magic values in billing.go
- Unexport Credential.CooldownUntil (internal state)
- Replace hardcoded auth bypass paths with map in server.go

internal/server/server.go

@@ -138,10 +138,16 @@ func corsMiddleware() gin.HandlerFunc {
 	}
 }
 
+// authBypassPaths lists endpoints that do not require API key authentication.
+var authBypassPaths = map[string]bool{
+	"/healthz": true,
+	"/reload":  true,
+	"/metrics": true,
+}
+
 func (s *Server) authMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		path := c.Request.URL.Path
-		if path == "/healthz" || path == "/reload" || path == "/metrics" {
+		if authBypassPaths[c.Request.URL.Path] {
 			c.Next()
 			return
 		}