refactor: remove keytar dependency and simplify token storage fallback mechanism

.claude/CLAUDE.md

@@ -82,12 +82,9 @@ Tool-calling strategy differs by provider: OpenAI/Anthropic use LangChain `bindT
 
 **Provider factory** (`llm.ts`): `gpt-4o-mini` (OpenAI), `claude-sonnet-4-20250514` (Anthropic), or ChatCopilot wrapper — all with `temperature: 0.3` and streaming enabled.
 
-**Token storage** (`token.ts`) — three-tier fallback:
-1. keytar (OS keychain) — preferred, encrypted per-user
-2. electron-store + `safeStorage` — encrypted at rest
-3. Plain electron-store — WSL fallback
-
-Keytar service name is `'adiuva'`. Once keytar fails, `keytarFailed` flag skips it for the session.
+**Token storage** (`token.ts`) — two-tier fallback:
+1. electron-store + `safeStorage` — encrypted at rest (preferred)
+2. Plain electron-store — last resort (e.g. WSL with no keyring)
 
 **AI approval pattern**: Tasks and checkpoints have `isAiSuggested` (bool) and `isApproved` (bool) columns. AI-suggested items appear in the UI pending user approval before being treated as real records.