[feat/client-sdk] feat(pkg/client): add Go SDK client for cliproxyapi++ proxy API (#890)

* refactor: extract kiro auth module + migrate Qwen to BaseTokenStorage (#824)

* centralize provider alias normalization in cliproxyctl

* chore(airlock): track default workflow config

Co-authored-by: Codex <noreply@openai.com>

* chore(artifacts): remove stale AI tooling artifacts

Co-authored-by: Codex <noreply@openai.com>

* refactor: phase 2B decomposition - extract kiro auth module and migrate qwen to BaseTokenStorage

Phase 2B decomposition of cliproxyapi++ kiro_executor.go (4,691 LOC):

Core Changes:
- Created pkg/llmproxy/executor/kiro_auth.go: Extracted auth-specific functions from kiro_executor.go
  * kiroCredentials() - Extract access token and profile ARN from auth objects
  * getTokenKey() - Generate unique rate limiting keys from auth credentials
  * isIDCAuth() - Detect IDC vs standard auth methods
  * applyDynamicFingerprint() - Apply token-specific or static User-Agent headers
  * PrepareRequest() - Prepare HTTP requests with auth headers
  * HttpRequest() - Execute authenticated HTTP requests
  * Refresh() - Perform OAuth2 token refresh (SSO OIDC or Kiro OAuth)
  * persistRefreshedAuth() - Persist refreshed tokens to file (atomic write)
  * reloadAuthFromFile() - Reload auth from file for background refresh support
  * isTokenExpired() - Decode and check JWT token expiration

Auth Provider Migration:
- Migrated pkg/llmproxy/auth/qwen/qwen_token.go to use BaseTokenStorage
  * Reduced duplication by embedding auth.BaseTokenStorage
  * Removed redundant token management code (Save, Load, Clear)
  * Added NewQwenTokenStorage() constructor for consistent initialization
  * Preserved ResourceURL as Qwen-specific extension field
  * Refactored SaveTokenToFile() to use BaseTokenStorage.Save()

Design Rationale:
- Auth extraction into kiro_auth.go sets foundation for clean separation of concerns:
  * Core execution logic (kiro_executor.go)
  * Authentication flow (kiro_auth.go)
  * Streaming/SSE handling (future: kiro_streaming.go)
  * Request/response transformation (future: kiro_transform.go)
- Qwen migration demonstrates pattern for remaining providers (openrouter, xai, deepseek)
- BaseTokenStorage inheritance reduces maintenance burden and promotes consistency

Related Infrastructure:
- Graceful shutdown already implemented in cmd/server/main.go via signal.NotifyContext
- Server.Run() in SDK handles SIGINT/SIGTERM with proper HTTP server shutdown
- No changes needed for shutdown handling in this phase

Notes for Follow-up:
- Future commits should extract streaming logic from kiro_executor.go lines 1078-3615
- Transform logic extraction needed for lines 527-542 and related payload handling
- Consider kiro token.go for BaseTokenStorage migration (domain-specific fields: AuthMethod, Provider, ClientID)
- Complete vertex token migration (service account credentials pattern)

Testing:
- Code formatting verified (go fmt)
- No pre-existing build issues introduced
- Build failures are pre-existing in canonical main

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Airlock: auto-fixes from Lint & Format Fixes

---------

Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: extract streaming and transform modules from kiro_executor (#825)

Split the 4691-line kiro_executor.go into three focused files:

- kiro_transform.go (~470 LOC): endpoint config types, region resolution,
  payload builders (buildKiroPayloadForFormat, sanitizeKiroPayload),
  model mapping (mapModelToKiro), credential extraction (kiroCredentials),
  and auth-method helpers (getEffectiveProfileArnWithWarning, isIDCAuth).

- kiro_streaming.go (~2990 LOC): streaming execution (ExecuteStream,
  executeStreamWithRetry), AWS Event Stream parsing (parseEventStream,
  readEventStreamMessage, extractEventTypeFromBytes), channel-based
  streaming (streamToChannel), and the full web search MCP handler
  (handleWebSearchStream, handleWebSearch, callMcpAPI, etc.).

- kiro_executor.go (~1270 LOC): core executor struct (KiroExecutor),
  HTTP client pool, retry logic, Execute/executeWithRetry,
  CountTokens, Refresh, and token persistence helpers.

All functions remain in the same package; no public API changes.

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

* feat(pkg/client): add Go SDK client for cliproxyapi++ proxy API

Ports the cliproxy adapter responsibilities from thegent Python code
(cliproxy_adapter.py, cliproxy_error_utils.py, cliproxy_header_utils.py,
cliproxy_models_transform.py) into a canonical Go SDK package so consumers
no longer need to reimplement raw HTTP calls.

pkg/llmproxy/client/ provides:
- client.go  — Client with Health, ListModels, ChatCompletion, Responses
- types.go   — Request/response types + Option wiring
- client_test.go — 13 httptest-based unit tests (all green)

Handles both proxy-normalised {"models":[...]} and raw OpenAI
{"data":[...]} shapes, propagates x-models-etag, surfaces APIError
with status code and structured message, and enforces non-streaming on
all methods (streaming is left to callers via net/http directly).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Airlock: auto-fixes from Lint & Format Fixes

---------

Co-authored-by: Codex <noreply@openai.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Claude Agent <agent@anthropic.com>

Author: 4 people

pkg/llmproxy/client/types.go

@@ -113,9 +113,9 @@ func (e *APIError) Error() string {
 type Option func(*clientConfig)
 
 type clientConfig struct {
-	baseURL    string
-	apiKey     string
-	secretKey  string
+	baseURL     string
+	apiKey      string
+	secretKey   string
 	httpTimeout time.Duration
 }