Make auth method (OAuth vs API key) accurate and visible in model switching

The model picker / header widget inferred the Claude/OpenAI auth method from
which credentials happened to be configured, so selecting Claude via OAuth could
later display 'API key' when an API key was also present. The picker-driven
credential-mode switch updated the provider's internal mode but never synced
JCODE_RUNTIME_PROVIDER, the env key those UI surfaces read as source of truth.

- set_credential_mode now writes the matching runtime-provider identity
  (claude/claude-api, openai/openai-api) so the displayed auth method always
  matches the credentials requests will actually use.
- Add Provider::active_auth_method_label() (resolved, not inferred) and surface
  it in the 'Switched to model' messages so the user sees 'via OAuth' / 'via API
  key'.
- Model picker selection notice now uses the human-readable method label.
- Add round-trip tests guarding the runtime-provider identity mapping.