Add token handler support for Auth Callout (refresh from file) #283

@rossanorbr

What motivated this proposal?

Description:
Surveyor currently only supports static tokens (via CLI/env or config). When the token expires, Surveyor can’t reconnect because it has no way to refresh the token.

Expected behavior:
Surveyor should allow configuring a token handler (for example, read from a token file) and use nats.TokenHandler(...) instead of only a static Token.

Minimal repro:

  1. Configure NATS with Auth Callout (requiring a bearer token).
  2. Run Surveyor with a static token via --token.
  3. Wait for token to expire.
  4. Surveyor fails to reconnect, since it cannot refresh the token.

What is the proposed change?

Implementation idea:
Add a new flag like --token-file /path/to/file.
Internally, Surveyor could do something similar to:

nc, err := nats.Connect(
    url,
    nats.TokenHandler(func() string {
        // read token string from the given file each time
        return readTokenFromFile(tokenFile)
    }),
)

This way, Surveyor always reloads the token on reconnect, which is required for expiring tokens from Auth Callout.

Who benefits from this change?

Why this matters:
Without token handler support, Surveyor cannot reliably run in environments where Auth Callout uses short-lived or rotating tokens.

What alternatives have you evaluated?

No response
