feat: use SecretStr for inference provider auth credentials (#3724)

# What does this PR do?

use SecretStr for OpenAIMixin providers

- RemoteInferenceProviderConfig now has auth_credential: SecretStr
- the default alias is api_key (most common name)
- some providers override to use api_token (RunPod, vLLM, Databricks)
- some providers exclude it (Ollama, TGI, Vertex AI)

addresses #3517 

## Test Plan

ci w/ new tests

llama_stack/providers/remote/inference/watsonx/config.py

@@ -7,7 +7,7 @@
 import os
 from typing import Any
 
-from pydantic import BaseModel, ConfigDict, Field, SecretStr
+from pydantic import BaseModel, ConfigDict, Field
 
 from llama_stack.providers.utils.inference.model_registry import RemoteInferenceProviderConfig
 from llama_stack.schema_utils import json_schema_type
@@ -27,14 +27,6 @@ class WatsonXConfig(RemoteInferenceProviderConfig):
         default_factory=lambda: os.getenv("WATSONX_BASE_URL", "https://us-south.ml.cloud.ibm.com"),
         description="A base url for accessing the watsonx.ai",
     )
-    # This seems like it should be required, but none of the other remote inference
-    # providers require it, so this is optional here too for consistency.
-    # The OpenAIConfig uses default=None instead, so this is following that precedent.
-    api_key: SecretStr | None = Field(
-        default=None,
-        description="The watsonx.ai API key",
-    )
-    # As above, this is optional here too for consistency.
     project_id: str | None = Field(
         default=None,
         description="The watsonx.ai project ID",