Fix expired OAuth tokens in long-running agent loops (#223)

Add getApiKey hook to AgentLoopConfig that resolves API keys dynamically
before each LLM call. This allows short-lived OAuth tokens (e.g. GitHub
Copilot, Anthropic OAuth) to be refreshed between turns when tool
execution takes a long time.

Previously, the API key was resolved once when ProviderTransport.run()
was called and passed as a static string to the agent loop. If the loop
ran for longer than the token lifetime (e.g. 30 minutes for Copilot),
subsequent LLM calls would fail with expired token errors.

Changes:
- Add getApiKey hook to AgentLoopConfig (packages/ai)
- Call getApiKey before each LLM call in streamAssistantResponse
- Update ProviderTransport to pass getApiKey instead of static apiKey
- Update web-ui ProviderTransport with same pattern

packages/ai/src/agent/agent-loop.ts

@@ -174,7 +174,12 @@ async function streamAssistantResponse(
 
 	// Use custom stream function if provided, otherwise use default streamSimple
 	const streamFunction = streamFn || streamSimple;
-	const response = await streamFunction(config.model, processedContext, { ...config, signal });
+
+	// Resolve API key for every assistant response (important for expiring tokens)
+	const resolvedApiKey =
+		(config.getApiKey ? await config.getApiKey(config.model.provider) : undefined) || config.apiKey;
+
+	const response = await streamFunction(config.model, processedContext, { ...config, apiKey: resolvedApiKey, signal });
 
 	let partialMessage: AssistantMessage | null = null;
 	let addedPartial = false;