fix: update credential handling to prioritize primary service for token refresh

[errhythm]

Two bugs were found by analyzing debug logs from users hitting the "Claude Code credentials are unavailable or expired" error.

Bug 1 — macOS / keychain (hard failure)
Users with multiple Claude Code accounts have a suffixed active account (e.g. Claude Code-credentials-b28bbb7c). When the token expires, the Claude CLI is invoked to refresh it and succeeds, but the CLI writes the new token back to the primary Keychain entry (Claude Code-credentials), not the suffixed one. refreshAccount(target.source) re-reads the suffixed entry, which still holds the old expiresAt, the post-refresh validity check fails, and refresh_exhausted → credentials_unavailable is emitted. The user sees:

Claude Code credentials are unavailable or expired. Run claude to refresh them.

Fix: if the suffixed account re-read is still stale after a CLI refresh, fall back to reading the primary entry. The fallback is gated on target.source.startsWith(PRIMARY_SERVICE + "-") so it only fires for suffixed accounts.

Bug 2 — all platforms (infinite refresh loop) (Potentially fixes #89)

After refreshIfNeeded returns fresh credentials, getCachedCredentials stores them in accountCacheMap with a 30-second TTL. When the cache expires, getActiveAccount() returns the same ClaudeAccount object from allAccounts — whose credentials.expiresAt was never updated. So refreshIfNeeded sees the original stale expiry, runs another full CLI refresh, and the cycle repeats every 30 seconds indefinitely. Visible in logs as refresh_needed firing with the same expiresAt value on every cache miss, hours after the token was successfully refreshed.

Fix: after a successful refresh, target.credentials is updated in-place on the ClaudeAccount object so subsequent cache misses see the correct expiresAt.

Also now opencode auth login will show the user account details instead of just Claude Pro/Team/Max

◆ Select which Claude Code account to use:
│ ● Claude Pro: john.doe@gmail.com (Claude Code-credentials)
│ ○ Claude Team: john@acme.com

[errhythm]

@griffinmartin I see a lot of great changes made and I believe we can use some of the features we have here. Do you want me to update this?

[griffinmartin]

Hey @errhythm, yeah I'd love for you to update this! There's some really useful stuff here, especially the Bug 1 fix for suffixed keychain accounts and the email display in the account selector.

A few things to keep in mind for the rebase:

1. Bug 2 is already fixed on main — fix: eliminate idle token consumption via direct OAuth refresh #104 added a direct OAuth refresh path (refreshViaOAuth) and the in-place target.credentials update. So you can drop that part entirely. The main thing to be careful about is not overwriting the current refreshIfNeeded — your Bug 1 primary service fallback should slot in after the existing OAuth + CLI refresh flow, not replace it.

2. The CLAUDE_CONFIG_DIR tests (keychain.test.ts) don't actually exercise the production code — they just write a file to a temp dir and read it back with readFileSync. They should call the real readCredentialsFile or readAllClaudeAccounts with the env var set so they're testing actual behavior.

3. discoverConfigDirsForKeychain scans all of $HOME — could you scope it down to dotfiles (dirs starting with .) since Claude config dirs follow that convention? Doing existsSync on every entry in someone's home dir could be slow.

4. The hint change — you changed the account selector hint from showing the full keychain source name to just "active"/undefined. That's fine if every account has an email to distinguish it, but if readEmailFromConfigDir returns null for some accounts, users lose the ability to tell them apart. Maybe keep the source as a fallback when there's no email?

The Bug 1 fix, configDir passthrough, keychainSuffixForDir, and the regex tightening are all good to go as-is. Looking forward to the update!

[errhythm]

@griffinmartin Please review if it is correct.