✨ Add Claude OAuth token discovery chain (closes #102)

[monkut]

Summary

Resolves #102 — askcc now resolves CLAUDE_CODE_OAUTH_TOKEN via an explicit discovery chain in ClaudeRunner.run() instead of inheriting whatever the parent process happens to provide. The first non-empty source wins; the chosen source is logged at INFO level so failures are diagnosable from the run log alone.

Discovery chain

1. CLAUDE_CODE_OAUTH_TOKEN env var — current behavior (no log when used; no regression for working installs).
2. CLAUDE_OAUTH_TOKEN_FILE env var → read the file at that path.
3. ~/.tokens/.claude-oauth-token — conventional headless token file.
4. ${XDG_CONFIG_HOME:-~/.config}/claude/oauth-token — XDG fallback.
5. ~/.claude/.credentials.json — last-resort parse of claudeAiOauth.accessToken (logs WARNING about staleness because Claude Code refreshes in RAM and may not write back).

If none of the sources produce a non-empty token, askcc raises OAuthTokenNotFoundError, the CLI logs an error listing every checked location, and exits non-zero before invoking claude — replacing the previous opaque 401 with a clear actionable error.

Edge cases handled

• PermissionError on a token file → WARNING + continue chain.
• Malformed ~/.claude/.credentials.json (or missing claudeAiOauth.accessToken) → WARNING + continue chain.
• Trailing whitespace/newline in token files → .strip()-ed before truthiness check.

Files changed

• askcc/runners.py — OAuthTokenNotFoundError, _resolve_oauth_token(), _read_token_file(), _read_credentials_json(), _xdg_token_path(); wired into ClaudeRunner.run() immediately after the existing env.pop("CLAUDECODE", ...).
• askcc/cli.py — wraps runner.run(...) in a try/except for OAuthTokenNotFoundError (preserves existing tempfile-cleanup finally:).
• tests/test_askcc.py — TestResolveOAuthToken (14 tests), TestClaudeRunnerOAuthIntegration (4 tests), TestMainOAuthExitPath (1 test). Existing runner test classes get an autouse fixture that sets CLAUDE_CODE_OAUTH_TOKEN so they remain isolated from host filesystem.
• README.md — adds the two new env vars to the table and an Authentication subsection documenting the discovery chain.

Out of scope (deferred per the issue)

• Pre-flight claude -p "ok" validation probe.
• ANTHROPIC_API_KEY handling.
• Token refresh / rotation.

Test plan

• uv run pytest -v — 256 passed
• uv run poe check — ruff clean
• uv run poe typecheck — pyright clean
• Unit tests cover env-var present, each fallback in isolation, malformed credentials.json, unreadable token file, trailing-newline stripping, all-sources-empty error path
• Runner integration tests assert token injection, INFO log on non-env source, WARNING on credentials.json source
• CLI exit-path test asserts SystemExit(1) and error in caplog

[monkut]

move function to Runner method

[monkut]

Done in 9c638ac — _read_token_file is now ClaudeRunner._read_token_file (instance method).

[monkut]

move function to Runner method

[monkut]

Done in 9c638ac — _read_credentials_json is now ClaudeRunner._read_credentials_json (instance method).

[monkut]

move function to Runner method

[monkut]

Done in 9c638ac — _xdg_token_path is now ClaudeRunner._xdg_token_path (instance method).

[monkut]

move function to Runner method

[monkut]

Done in 9c638ac — _resolve_oauth_token is now ClaudeRunner._resolve_oauth_token (instance method); call site in run() updated to self._resolve_oauth_token(). All 4 helpers now live on the runner; test patches updated to patch.object / patch("askcc.runners.ClaudeRunner._resolve_oauth_token"). pytest 256 passed, poe check and poe typecheck clean.