refactor: modularize codebase — deduplicate, extract, clean up

- Unify duplicate uTLS transports into shared internal/transport package
- Extract shared version constant into internal/version
- Move LoadDefaultCredentials from config to auth (remove config→auth import)
- Deduplicate handler.go: extract telemetry/error helpers (324→268 lines)
- Break up main.go::run() into initCredential/initEmbedded
- Eliminate logging.Config duplication (use config.LoggingConfig directly)
- Extract logWriter to embedded/log.go, SSE fixtures to consts in sniff.go
- Use uTLS client for usage polling (consistent TLS fingerprint)
- Handle sjson.SetBytes errors in sanitize.go instead of silently swallowing
- Document reverse-engineered magic values in billing.go
- Unexport Credential.CooldownUntil (internal state)
- Replace hardcoded auth bypass paths with map in server.go

main.go

@@ -21,6 +21,74 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
+func initCredential() (*auth.Credential, error) {
+	creds, err := auth.LoadDefaultCredentials()
+	if err != nil {
+		return nil, fmt.Errorf("load credentials: %w", err)
+	}
+
+	var cred *auth.Credential
+	if len(creds) > 0 {
+		cred = creds[0]
+		// If token is expired, try refresh first
+		if !cred.ExpiresAt.IsZero() && time.Now().After(cred.ExpiresAt) {
+			log.Info().Msg("token expired, attempting refresh")
+			refreshCtx, refreshCancel := context.WithTimeout(context.Background(), 15*time.Second)
+			refreshErr := auth.RefreshToken(refreshCtx, cred)
+			refreshCancel()
+			if refreshErr != nil {
+				log.Warn().Err(refreshErr).Msg("refresh failed, initiating login")
+				cred = nil // fall through to login
+			} else {
+				log.Info().Msg("token refreshed")
+			}
+		}
+	}
+
+	if cred == nil {
+		fi, statErr := os.Stdin.Stat()
+		if statErr == nil && (fi.Mode()&os.ModeCharDevice) == 0 {
+			return nil, fmt.Errorf("no valid credentials found; run the proxy interactively for initial login")
+		}
+		log.Info().Msg("no credentials found, starting OAuth login")
+		cred, err = auth.Login(context.Background())
+		if err != nil {
+			return nil, fmt.Errorf("login failed: %w", err)
+		}
+	}
+
+	log.Info().Str("credential", cred.Email).Msg("credential loaded")
+	return cred, nil
+}
+
+func initEmbedded(cfg *config.Config) (cleanup func(), err error) {
+	if !cfg.Telemetry.Embedded.Enabled {
+		return func() {}, nil
+	}
+
+	var cleanups []func()
+
+	vm := embedded.NewVM(cfg.Telemetry.Embedded, cfg.Port)
+	if err := vm.Start(); err != nil {
+		log.Error().Err(err).Msg("failed to start victoria-metrics")
+	} else {
+		cleanups = append(cleanups, vm.Stop)
+	}
+
+	perses := embedded.NewPerses(cfg.Telemetry.Embedded, cfg.Port)
+	if err := perses.Start(); err != nil {
+		log.Error().Err(err).Msg("failed to start perses")
+	} else {
+		cleanups = append(cleanups, perses.Stop)
+	}
+
+	return func() {
+		for i := len(cleanups) - 1; i >= 0; i-- {
+			cleanups[i]()
+		}
+	}, nil
+}
+
 func run() error {
 	cfg, err := config.Load("config.yaml")
 	if err != nil {
@@ -48,54 +116,13 @@ func run() error {
 		extraWriters = append(extraWriters, logBridge)
 	}
 
-	logging.Setup(logging.Config{
-		Level:      cfg.Logging.Level,
-		File:       cfg.Logging.File,
-		MaxSizeMB:  cfg.Logging.MaxSizeMB,
-		MaxBackups: cfg.Logging.MaxBackups,
-		MaxAgeDays: cfg.Logging.MaxAgeDays,
-		Compress:   cfg.Logging.Compress,
-	}, extraWriters...)
+	logging.Setup(cfg.Logging, extraWriters...)
 
-	// Load credentials from ~/.claude/.credentials.json
-	creds, err := config.LoadDefaultCredentials()
+	cred, err := initCredential()
 	if err != nil {
-		return fmt.Errorf("load credentials: %w", err)
+		return err
 	}
 
-	var cred *auth.Credential
-	if len(creds) > 0 {
-		cred = creds[0]
-		// If token is expired, try refresh first
-		if !cred.ExpiresAt.IsZero() && time.Now().After(cred.ExpiresAt) {
-			log.Info().Msg("token expired, attempting refresh")
-			refreshCtx, refreshCancel := context.WithTimeout(context.Background(), 15*time.Second)
-			refreshErr := auth.RefreshToken(refreshCtx, cred)
-			refreshCancel()
-			if refreshErr != nil {
-				log.Warn().Err(refreshErr).Msg("refresh failed, initiating login")
-				cred = nil // fall through to login
-			} else {
-				log.Info().Msg("token refreshed")
-			}
-		}
-	}
-
-	if cred == nil {
-		// Non-TTY check: if stdin is not a terminal, can't do interactive login
-		fi, statErr := os.Stdin.Stat()
-		if statErr == nil && (fi.Mode()&os.ModeCharDevice) == 0 {
-			return fmt.Errorf("no valid credentials found; run the proxy interactively for initial login")
-		}
-		log.Info().Msg("no credentials found, starting OAuth login")
-		cred, err = auth.Login(context.Background())
-		if err != nil {
-			return fmt.Errorf("login failed: %w", err)
-		}
-	}
-
-	log.Info().Str("credential", cred.Email).Msg("credential loaded")
-
 	credForTracker = cred
 
 	pool := auth.NewPool([]*auth.Credential{cred})
@@ -116,24 +143,11 @@ func run() error {
 		}
 	}
 
-	// Start embedded observability stack (VM + Perses) if enabled
-	var vm *embedded.VM
-	var perses *embedded.Perses
-	if cfg.Telemetry.Embedded.Enabled {
-		vm = embedded.NewVM(cfg.Telemetry.Embedded, cfg.Port)
-		if err := vm.Start(); err != nil {
-			log.Error().Err(err).Msg("failed to start victoria-metrics")
-		} else {
-			defer vm.Stop()
-		}
-
-		perses = embedded.NewPerses(cfg.Telemetry.Embedded, cfg.Port)
-		if err := perses.Start(); err != nil {
-			log.Error().Err(err).Msg("failed to start perses")
-		} else {
-			defer perses.Stop()
-		}
+	embeddedCleanup, err := initEmbedded(cfg)
+	if err != nil {
+		return err
 	}
+	defer embeddedCleanup()
 
 	log.Info().Int("port", cfg.Port).Msg("starting server")
 	srv := server.New(cfg, pool, profile, tracker, metricsHandler)