Add custom headers support for LLM model pool

[Cluas]

Description

The LLM model pool currently supports api_key and base_url configuration, but has no way to attach custom HTTP headers. This is needed for gateway authentication, vendor-specific auth supplements, or routing headers required by self-hosted proxies.

What to do

1. Database — Add headers_encrypted (TEXT) column to llm_models table via Alembic migration
2. Security — Add encrypt_symmetric / decrypt_symmetric helpers (AES-GCM) to backend/app/core/security.py
3. Model — Add headers_encrypted: Mapped[str | None] field to LLMModel in backend/app/models/llm.py
4. Schemas — Add headers: dict | None = None to LLMModelCreate, LLMModelUpdate, LLMModelOut in backend/app/schemas/schemas.py
5. API — Encrypt on write and pass through in backend/app/api/enterprise.py
6. LLM Client — Accept and merge custom headers in LLMClient, OpenAICompatibleClient, AnthropicClient, create_llm_client, chat_complete, chat_stream
7. Call sites — Decrypt and forward headers in websocket.py, agent_tools.py, task_executor.py, heartbeat.py, scheduler.py, supervision_reminder.py
8. Frontend — Replace raw JSON textarea with a key-value row editor; mask values with type="password" inputs

Resources

• LLM model pool config: backend/app/models/llm.py
• Enterprise API: backend/app/api/enterprise.py
• LLM client: backend/app/services/llm_client.py
• Frontend settings page: frontend/src/pages/EnterpriseSettings.tsx
• Migrations: backend/alembic/versions/

[wisdomqin]

@yaojin3616