feat: allow OpenAI apiKey to accept function for dynamic key rotation

[github-actions]

Motivation

The OpenAI SDK supports dynamic API key resolution through async functions, enabling use cases like credential rotation, secret manager integration, and per-request authentication. However, our SDK currently only accepts static strings for the apiKey parameter, preventing users from leveraging these capabilities.

Resolves: #4

Public API Changes

The OpenAIModelOptions.apiKey parameter now accepts either a string or an async function:

// Before: only string supported
const model = new OpenAIModel({
  modelId: 'gpt-4o',
  apiKey: 'sk-...'
})

// After: function also supported
const model = new OpenAIModel({
  modelId: 'gpt-4o',
  apiKey: async () => await secretManager.getApiKey()
})

The change is backward compatible—all existing string-based usage continues to work without modification. The function receives no arguments and must return a Promise<string>. The OpenAI SDK invokes the function before each request and validates the returned value.

[zastrowm]

/strands

update the Pull Request description. The Pull request description should:

• Be targeted as a Senior Software already familiar with the Python & TypeScript SDK
• Should document the public api changes, including a code sample
• It SHOULD NOT itemize every code change - leave that to the diff
• It should emphasize the WHY behind the change
• It should be concise and use text more than bullet-lists

After updating the pull-request, add a new file next to AGENT.md called PR.md which has guidance to the above. Use RFC format. Then reference that file from AGENT.md, adding a task that when creating PRs it should use the PR.md guidance

---

For example, this PR does not need:

• Type Definition Updates
• Error Message Update
• Test Coverage
• Implementation Notes
• Testing

sections