fix: read Claude live usage from ~/.claude/.credentials.json, not stale keychain

Root cause of the missing Claude 5h/7d usage windows: newer Claude Code
stores the active account's OAuth in ~/.claude/.credentials.json (a file
it refreshes in place), while CodeVetter only read the macOS keychain.
The keychain "Claude Code-credentials" entries are stale leftovers from an
older Claude Code version — expired for hours and never refreshed by
`/login` — so every live-usage call got a 401 and fell back to local
estimates.

read_full_credential now prefers the credentials file for the primary
account and falls back to the keychain. Verified live (sole-instance dev
build): the Claude Max card renders 5h ~0% / 7d ~22%, matching the API's
unified-ratelimit headers exactly.

Also adds a self-healing token refresh: if the stored access token is
expired (e.g. Claude Code idle >8h), CodeVetter refreshes it via the
stored refresh token against console.anthropic.com/v1/oauth/token and
writes the rotated pair back to wherever it came from (atomic file
replace, or keychain -U) — mirroring what Claude Code itself does, so the
two stay in sync. Refresh failures (incl. 429) surface gracefully as the
existing live-error hint; no write happens unless the refresh succeeds.

Bumps desktop app to 1.1.70.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: sarthakagrawal927

apps/desktop/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@code-reviewer/desktop",
-  "version": "1.1.69",
+  "version": "1.1.70",
   "private": true,
   "scripts": {
     "dev": "lsof -ti:1420 | xargs kill -9 2>/dev/null; vite",