fix(tui): use centralized auth module for subagent token propagation

[echobt]

Problem

When launching subagents (Task tool) in the TUI, users authenticated via OAuth (device code flow) were getting 401 Unauthorized errors:

ERROR cortex_engine::client::cortex: API request failed status=401 Unauthorized url=https://api.cortex.foundation
body={"code":"AUTH_REQUIRED","message":"Authentication required"}

This happened because the UnifiedToolExecutor and CortexConfig were only checking the CORTEX_AUTH_TOKEN environment variable for authentication. OAuth tokens are stored in the system keyring, not in environment variables.

Root Cause

In app_runner.rs, when creating the UnifiedToolExecutor:

let api_key = provider_manager.config().get_api_key(&provider);

And get_api_key only checked the env var:

pub fn get_api_key(&self, _provider_id: &str) -> Option<String> {
    std::env::var("CORTEX_AUTH_TOKEN").ok()
}

Fix

Use the centralized auth_token module which properly checks all authentication sources in priority order:

1. Instance token (if provided)
2. CORTEX_AUTH_TOKEN environment variable
3. System keyring (via cortex_login with auto-refresh)

This ensures subagent requests are authenticated the same way as the main session.

Changes

• app_runner.rs: Use cortex_engine::auth_token::get_auth_token(None) for the UnifiedToolExecutor
• config.rs: Update get_api_key, available_providers, and is_provider_available to use the centralized auth module

Testing

• cargo check passes
• cargo fmt --check passes
• cargo +nightly build -r passes
• Existing tests pass (except 2 pre-existing unrelated failures about file icons)