feat(api,web): Backend-only AI provider configuration and usage cost tracking

[shettydev]

Summary

• remove end-user API key management from web settings and move AI key configuration fully to backend admin endpoints
• add backend AI provider/model configuration with RBAC-protected admin APIs for providers and models
• support provider routing through a unified AI gateway for OpenAI, Anthropic (Claude), Gemini, and OpenRouter based on active model/provider config
• enforce model eligibility using active model + active provider checks for /ai/settings, /ai/models, conversation send, and dialogue send flows
• add deterministic cost calculation from configured model pricing and propagate prompt/completion/total tokens + cost into usage metadata

Backend changes

AI config and admin management

• added AiProviderConfig schema for encrypted server-side provider keys, active status, and key last4
• added AiModelConfig schema for public model id, provider mapping, provider model id, active status, and pricing
• added admin-only endpoints under /ai/admin for:
  • listing providers/models
  • setting provider keys
  • toggling provider/model active status
  • upserting model config
  • deleting model config

Consumer AI endpoints

• simplified /ai/settings response to user-facing fields only (activeModel, aiConfigured)
• simplified /ai/models response to active models from active providers
• removed BYOK /ai/openrouter-key and /ai/gemini-key flows

AI routing and usage accounting

• introduced AiGatewayService with provider adapters:
  • OpenAI
  • Anthropic
  • Gemini
  • OpenRouter
• refactored conversation queue and dialogue queue to use gateway routing instead of per-user BYOK logic
• ensured usage metadata records provider/model/tokens/cost consistently
• added deterministic cost utility:
  • costUsd = (promptTokens * promptUsdPer1M + completionTokens * completionUsdPer1M) / 1_000_000

Web changes

• removed OpenRouter and Gemini key UI sections from settings
• updated settings copy to indicate AI is configured on the server
• simplified web AI API/store to no longer call key management endpoints
• preserved active model selection + hydration behavior for conversation/canvas flows

Tests

• added tests for:
  • model filtering by active provider/model
  • active model validation (MODEL_NOT_ALLOWED cases)
  • cost calculation correctness
• updated impacted controller/service tests for new backend-only config flow

Notes

• no API keys are exposed to clients
• provider secrets continue to use AiSecretsService encryption at rest
• users with invalid/inactive stored model preferences are automatically normalized to a valid active model fallback