fix: allow local providers (Ollama, LM Studio) without API keys in delegation

Local model servers running on localhost, 127.0.0.1, .local mDNS hostnames,
or RFC 1918 private networks don't require authentication. Previously,
_resolve_delegation_credentials() hard-required an API key for any base_url,
making it impossible to use Ollama or similar local servers for subagent
delegation without setting a dummy key.

Changes:
- Add _is_local_base_url() helper detecting localhost, loopback, .local,
  and RFC 1918 private network addresses
- base_url path: skip API key requirement for local endpoints, use
  'ollama' placeholder key (accepted by local servers)
- provider path: same logic — if resolve_runtime_provider returns an
  empty API key but the resolved base_url is local, use 'ollama' placeholder
- Remote endpoints still require a real API key (no security regression)
- Update existing test to use remote URL (was testing localhost which is
  now allowed)
- Add 19 new tests covering local provider credential resolution

tests/tools/test_delegate.py

@@ -656,10 +656,12 @@ class TestDelegationCredentialResolution(unittest.TestCase):
         self.assertEqual(creds["provider"], "custom")
 
     def test_direct_endpoint_does_not_fall_back_to_openrouter_api_key_env(self):
+        """Remote endpoint without OPENAI_API_KEY should raise ValueError,
+        even if OPENROUTER_API_KEY is set (only OPENAI_API_KEY is checked)."""
         parent = _make_mock_parent(depth=0)
         cfg = {
             "model": "qwen2.5-coder",
-            "base_url": "http://localhost:1234/v1",
+            "base_url": "https://api.example.com/v1",  # remote, not localhost
         }
         with patch.dict(
             os.environ,