Route OpenAI catalog refresh by credential shape, not intent/token sniffing

The OpenAI catalog refresh re-derived the OAuth-vs-API-key discriminator
in two ways that could disagree with the chat path:

- refresh_openai_model_catalog_in_background sniffed the token string for
  an "sk-" prefix.
- prefetch_models branched on OpenAICredentialMode (the requested intent).

The chat/ws/compact paths use is_chatgpt_mode(credentials), i.e. the
loaded credential's *shape* (refresh_token/id_token presence). When the
catalog discriminator disagreed, the refresh hit the wrong endpoint and
got a 401. prefetch_models in particular missed the common Auto-mode case
where only OPENAI_API_KEY is set: the mode stays Auto, so it fell through
to the ChatGPT/Codex endpoint and 401'd.

Make credential shape the single source of truth for endpoint selection:
- refresh_openai_model_catalog_in_background takes an explicit
  is_chatgpt_mode flag from the caller's credentials.
- prefetch_models picks the endpoint via Self::is_chatgpt_mode.
- Drop the openai_catalog_token_looks_like_api_key string sniff and its
  test; add a regression test asserting catalog and chat endpoints agree
  on credential shape.

Intent (OpenAICredentialMode) still governs which credential to *load*
and the auth-method prefix on model switches; it no longer governs which
endpoint to call.