fix(claude): follow-ups after #245

[ratulsarna]

Follow-up work on top of #245 (merged) to further reduce Claude OAuth/Keychain prompt storms and improve background behavior.

• Adds Claude OAuth keychain cooldown gate to avoid repeated prompts after denial
• Improves non-interactive keychain probes + caching/refresh behavior
• Refines Auto strategy selection/fallbacks
• Adds focused tests

Intended behaviour:

• OAuth is checked first in "Auto" mode.
• Ask for keychain access from Claude code-credentials once. If received, cache them. If denied, backoff for 6 hours.

Related: #108

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b20415806c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Re-detect Claude keychain changes before using cache

The cache is now returned immediately after only checking the credentials file fingerprint. If a user re-authenticates or switches Claude accounts in the CLI (which updates the Claude keychain but not the file), CodexBar will keep serving the cached access token from its own keychain/memory until it expires, so usage/identity can stay stuck on the old account. This used to be handled by invalidateCacheIfClaudeKeychainChanged() and is now missing, so account switches via keychain won’t be detected unless the cached token expires or the user manually clears it.

Useful? React with 👍 / 👎.