feat(config): add per-agent auth field to agent list config

[alexey-pelykh]

Context

Part of #415 Phase 1, item 2. Agents need a way to opt in/out of auth profile credential injection.

Design

Add auth field to agent list entries and defaults:

// In agent list config type
auth?: false | string | string[];

Semantics:

• false (default) — skip auth profile injection, rely on CLI-native auth / runtimeEnv / process.env
• "anthropic:default" — single profile, resolve key and inject as env var
• ["anthropic:key1", "anthropic:key2"] — round-robin rotation across invocations

Config examples:

agents:
  defaults:
    runtime: claude
    auth: "anthropic:default"    # default for all agents
  list:
    - id: agent_A
      auth: ["anthropic:key1", "anthropic:key2"]  # override: rotation
    - id: agent_B
      auth: false                                   # override: CLI-native

Scope

1. Add auth field to AgentListEntryConfig type (src/config/types.agent-defaults.ts or equivalent)
2. Add auth field to AgentDefaultsConfig type (for agents.defaults.auth)
3. Add to Zod schema for validation
4. Resolution: agent entry auth overrides agents.defaults.auth
5. auth: false is explicit opt-out (not the same as undefined/missing — undefined inherits from defaults)

Tests

• Schema validation accepts false, string, and string array
• Agent entry auth overrides defaults auth
• Missing auth inherits from defaults
• Explicit auth: false on entry overrides defaults even when defaults has a value

Depends on

• refactor(auth): relocate auth-profiles from src/agents/ to src/auth/ #419 — auth relocation (should land first or together)

Related

• feat: unified auth + multimodal AgentRuntime — implementation plan #415 — implementation plan (parent)
• Unblocks: Adapt onboarding wizard for unified auth system #417 (onboarding), Phase 1 items 3-4