
fix(design): disclose OpenAI key source #1278

Open
jbetala7 wants to merge 1 commit into garrytan:main from jbetala7:oss/fix-1248-design-auth-source

jbetala7 commented Apr 30, 2026

Fixes #1248

Summary

  • report which auth source the design binary is using before it makes billed OpenAI requests
  • preserve the existing priority order: ~/.gstack/openai.json first, then OPENAI_API_KEY
  • warn when OPENAI_API_KEY matches .env / .env.local in the current directory, so users can see when a project-local key may be used for billing
  • keep resolveApiKey() backward-compatible while adding source-aware auth metadata and tests

Root cause

Bun can populate process.env.OPENAI_API_KEY from the current working directory's .env before gstack's auth resolver runs. The resolver then treated that value like any other environment variable, so design generation gave no clue that billing might hit a project-specific OpenAI account.

Testing

  • bun test design/test/auth.test.ts
  • bun test design/test/auth.test.ts design/test/gallery.test.ts

Notes

I also attempted the broader local design test command including serve.test.ts and feedback-roundtrip.test.ts; this worktree hit unrelated environment failures (Bun.serve({ port: 0 }) failed to bind, and playwright was not resolvable from feedback-roundtrip.test.ts). The focused auth coverage and existing gallery tests pass.
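
The resolution order and the .env-match warning described in this PR, as an added TypeScript example that is not the PR's or gstack's own code. `describeAuth`, `parseDotenv`, `redact` and the `api_key` field name in openai.json are assumptions, and file contents are passed in as strings so the constructed sample runs offline.

```typescript
// Added example; describeAuth, parseDotenv, redact and the "api_key" field are assumed names.
type AuthSource = "gstack-config" | "env" | "none";
interface AuthInfo { source: AuthSource; key: string | null; matchedDotenv: string[]; warning: string | null; }

// Minimal dotenv reader: KEY=value lines, optional `export`, quotes, and # comments.
function parseDotenv(text: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.charAt(0) === "#") continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    const value = (m[2] ?? "").trim();
    const quoted = /^(["'])(.*)\1$/.exec(value);
    out[m[1] ?? ""] = quoted ? (quoted[2] ?? "") : value.replace(/\s+#.*$/, "");
  }
  return out;
}

function describeAuth(
  configJson: string | null,               // contents of ~/.gstack/openai.json, null if absent
  env: Record<string, string | undefined>, // process.env as the resolver sees it
  cwdDotenv: Record<string, string>,       // ".env" / ".env.local" in cwd: name -> contents
): AuthInfo {
  if (configJson !== null) {
    try {
      const key: unknown = JSON.parse(configJson).api_key;
      if (typeof key === "string" && key !== "") {
        return { source: "gstack-config", key, matchedDotenv: [], warning: null };
      }
    } catch { /* unreadable config: fall through to the environment */ }
  }
  const envKey = env["OPENAI_API_KEY"];
  if (!envKey) return { source: "none", key: null, matchedDotenv: [], warning: null };
  // The env value alone cannot say where it came from, so compare it with the cwd files.
  const matchedDotenv = Object.keys(cwdDotenv).filter(
    (name) => parseDotenv(cwdDotenv[name] ?? "")["OPENAI_API_KEY"] === envKey);
  const warning = matchedDotenv.length === 0 ? null
    : "OPENAI_API_KEY matches " + matchedDotenv.join(", ") + " in the current directory";
  return { source: "env", key: envKey, matchedDotenv, warning };
}

// Report a key without printing it: enough characters to tell two keys apart.
function redact(key: string): string {
  return key.length <= 8 ? "****" : key.slice(0, 3) + "..." + key.slice(-4);
}
// Constructed sample: no gstack config, key injected from a project-local .env.
const sample = describeAuth(null, { OPENAI_API_KEY: "sk-constructed-project-0001" },
  { ".env": 'OPENAI_API_KEY="sk-constructed-project-0001"\n' });
```

A key exported from the shell that differs from every file in the current directory resolves to source `env` with no warning, which is the case the match check is meant to tell apart from a project-local key.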




Development

Successfully merging this pull request may close these issues.

design binary silently uses OPENAI_API_KEY from any .env in cwd — security/billing concern
