fix(mcp): restore x-api-key header for EXA websearch alongside query param

The header-based auth was removed during refactoring; some MCP server
implementations require it. Now sends both query param and header.

src/mcp/websearch.test.ts

@@ -65,15 +65,16 @@ describe("websearch MCP provider configuration", () => {
     expect(result.url).toContain(`exaApiKey=${encodeURIComponent(apiKey)}`)
   })
 
-  test("does not set x-api-key header when EXA_API_KEY is set", () => {
+  test("sets x-api-key header when EXA_API_KEY is set", () => {
     //#given
-    process.env.EXA_API_KEY = "test-exa-key-12345"
+    const apiKey = "test-exa-key-12345"
+    process.env.EXA_API_KEY = apiKey
 
     //#when
     const result = createWebsearchConfig()
 
     //#then
-    expect(result.headers).toBeUndefined()
+    expect(result.headers).toEqual({ "x-api-key": apiKey })
   })
 
   test("URL-encodes EXA_API_KEY when it contains special characters", () => {
@@ -126,7 +127,7 @@ describe("websearch MCP provider configuration", () => {
     //#then
     expect(result.url).toContain("mcp.exa.ai")
     expect(result.url).toContain(`exaApiKey=${encodeURIComponent(exaKey)}`)
-    expect(result.headers).toBeUndefined()
+    expect(result.headers).toEqual({ "x-api-key": exaKey })
   })
 
   test("Tavily config uses Authorization Bearer header format", () => {

src/mcp/websearch.ts

@@ -35,6 +35,7 @@ export function createWebsearchConfig(config?: WebsearchConfig): RemoteMcpConfig
       ? `https://mcp.exa.ai/mcp?tools=web_search_exa&exaApiKey=${encodeURIComponent(process.env.EXA_API_KEY)}`
       : "https://mcp.exa.ai/mcp?tools=web_search_exa",
     enabled: true,
+    ...(process.env.EXA_API_KEY ? { headers: { "x-api-key": process.env.EXA_API_KEY } } : {}),
     oauth: false as const,
   }
 }