Add request sanitizer, background token refresh, and OpenCode support

Sanitizer renames tool names and replaces system prompt patterns
that Anthropic fingerprints to detect non-Claude-Code clients.
Lowercase tool names (bash, read, glob, etc.) combined together
trigger rejection — renaming to PascalCase bypasses this.
Configurable via YAML sanitize rules for tools, system, and body.

Background OAuth token refresh every 30s with 5-minute pre-expiry
lead. Uses Chrome TLS fingerprint for refresh endpoint too.

Adds /messages route (without /v1 prefix) for OpenCode compat.

internal/config/config.go

@@ -12,11 +12,28 @@ import (
 )
 
 type Config struct {
-	Port              int      `yaml:"port"`
-	APIKeys           []string `yaml:"api_keys"`
-	AuthDir           string   `yaml:"auth_dir"`
-	ClaudeCredentials string   `yaml:"claude_credentials"`
-	ClaudeBinary      string   `yaml:"claude_binary"`
+	Port              int             `yaml:"port"`
+	APIKeys           []string        `yaml:"api_keys"`
+	AuthDir           string          `yaml:"auth_dir"`
+	ClaudeCredentials string          `yaml:"claude_credentials"`
+	ClaudeBinary      string          `yaml:"claude_binary"`
+	Sanitize          SanitizeConfig  `yaml:"sanitize"`
+}
+
+type SanitizeConfig struct {
+	Tools   []RenameRule  `yaml:"tools"`
+	System  []ReplaceRule `yaml:"system"`
+	Body    []ReplaceRule `yaml:"body"`
+}
+
+type RenameRule struct {
+	From string `yaml:"from"`
+	To   string `yaml:"to"`
+}
+
+type ReplaceRule struct {
+	Match   string `yaml:"match"`
+	Replace string `yaml:"replace"`
 }
 
 type authFileJSON struct {