Fix local API service auth file for access-token-only bindings

[luoyanglang]

Summary

• keep the local API service takeover profile on API-key auth when its bound OAuth account has no id_token
• preserve the existing OAuth auth projection when the bound OAuth account has a non-empty id_token
• add regression coverage for both access-token-only and full OAuth binding cases

Root Cause

Access-token-only OAuth imports can have an empty id_token. When the local API service runtime API-key account was bound to one of those OAuth accounts, the shared bundle writer wrote an OAuth-shaped auth.json first and then applied the local provider override.

That could leave the takeover profile with OPENAI_API_KEY: null and tokens.id_token: "", which the client rejects as an invalid ID token.

Validation

• cargo fmt -p cockpit-tools
• cargo test -p cockpit-tools --lib api_key_bundle_bound -- --nocapture
• cargo test -p cockpit-tools --lib build_auth_file_value -- --nocapture
• cargo test -p cockpit-tools --lib api_key_config_toml -- --nocapture
• cargo test -p cockpit-tools --lib codex_account -- --nocapture
• cargo test -p cockpit-tools --lib local_access_profile -- --nocapture
• cargo check -p cockpit-tools
• npm run typecheck

No user-facing configuration changed, so no public docs were updated.

Related

• Make Codex LB a managed CPTools provider #980 also changes local API service provider handling. This PR is limited to the auth file shape for access-token-only bound OAuth accounts and can be rebased if Make Codex LB a managed CPTools provider #980 lands first.
• [codex] fix local access probe URL #983 is in the local API service area but fixes probe URL construction, not auth file generation.