Add request sanitizer, background token refresh, and OpenCode support

Sanitizer renames tool names and replaces system prompt patterns
that Anthropic fingerprints to detect non-Claude-Code clients.
Lowercase tool names (bash, read, glob, etc.) combined together
trigger rejection — renaming to PascalCase bypasses this.
Configurable via YAML sanitize rules for tools, system, and body.

Background OAuth token refresh every 30s with 5-minute pre-expiry
lead. Uses Chrome TLS fingerprint for refresh endpoint too.

Adds /messages route (without /v1 prefix) for OpenCode compat.

internal/auth/types.go

@@ -7,14 +7,15 @@ import (
 
 // Credential represents an Anthropic API credential loaded from a JSON file.
 type Credential struct {
-	ID            string
-	Email         string
-	AccessToken   string
-	RefreshToken  string
-	ExpiresAt     time.Time
-	FilePath      string
-	CooldownUntil time.Time
-	mu            sync.Mutex
+	ID                string
+	Email             string
+	AccessToken       string
+	RefreshToken      string
+	ExpiresAt         time.Time
+	FilePath          string
+	CooldownUntil     time.Time
+	nextRefreshAfter  time.Time
+	mu                sync.Mutex
 }
 
 // IsExpired returns true if the credential's access token has expired.