feat(gateway): rename auth header to AnyLLM-Key (RFC 6648) #45

Open
peteski22 wants to merge 2 commits into main from feat/anyllm-key-canonical-header

peteski22 commented Apr 15, 2026

Summary

Rename the gateway's Bearer-authentication header from X-AnyLLM-Key to AnyLLM-Key, so the name follows RFC 6648 (no X- prefix). The gateway has no live deployments yet, so there is no backward-compatibility path — this is a simple rename.

What changes

  • core/config.py: API_KEY_HEADER flips to "AnyLLM-Key", comment cites RFC 6648.
  • api/deps.py: _extract_bearer_token and the three verify_* docstrings reference the new header name.
  • main.py: the CORS allow_headers list uses the API_KEY_HEADER constant instead of a hard-coded string, matching how the constant is referenced elsewhere.
  • tests/integration/test_client_args.py, tests/integration/test_provider_kwargs_override.py: hard-coded header literals replaced with API_KEY_HEADER so the tests track the rename.
  • tests/unit/test_extract_bearer_token.py (new): unit tests of _extract_bearer_token covering every precedence pair among AnyLLM-Key/Authorization/x-api-key, malformed (non-Bearer) input on each Bearer-format header, and the missing-credentials 401.

History

Earlier revisions of this PR shipped a full RFC 6648 / 9745 / 8594 deprecation design (legacy header kept, Deprecation/Sunset response headers, DeprecationHeadersMiddleware). @tbille pointed out the gateway is not yet live, so there is no old name to deprecate; the branch was force-pushed to drop the deprecation machinery and keep only the rename + tests.

Commits

  1. feat(gateway): rename API_KEY_HEADER from X-AnyLLM-Key to AnyLLM-Key
  2. test(gateway): cover bearer-token extraction precedence and error paths

Test plan

  • make test — 317 passed, 9 skipped, no regressions
  • make lint — clean
  • make typecheck — clean
  • New unit tests (9) cover precedence and malformed-input branches for the Bearer-format headers plus missing credentials
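
As an added illustration (not the gateway's own code and not part of this PR), a minimal sketch of the precedence and failure branches the new unit tests are described as covering. Only the header names and their order come from the PR text; the function name, the `AuthError` class, treating `x-api-key` as a bare key, and failing closed on a malformed higher-precedence header are assumptions.

```python
from __future__ import annotations

from typing import Mapping

API_KEY_HEADER = "AnyLLM-Key"  # name from the PR (RFC 6648: no X- prefix)
BEARER_HEADERS = (API_KEY_HEADER, "Authorization")  # highest precedence first
RAW_HEADER = "x-api-key"  # assumption: carries the bare key, no scheme


class AuthError(Exception):
    """Hypothetical stand-in for the framework's HTTP 401 error."""

    status_code = 401


def extract_token(headers: Mapping[str, str]) -> tuple[str, str]:
    """Return (source_header, token) or raise AuthError.

    Assumption: a header that is present but malformed fails closed rather
    than silently falling through to a lower-precedence header.
    """
    # HTTP field names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in BEARER_HEADERS:
        value = lowered.get(name.lower())
        if value is None:
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            raise AuthError(f"{name} must be 'Bearer <token>'")
        return name, token.strip()
    raw = lowered.get(RAW_HEADER, "").strip()
    if raw:
        return RAW_HEADER, raw
    # The retired X-AnyLLM-Key name is never consulted, so it ends up here.
    raise AuthError("missing credentials")
```

Returning the source header alongside the token lets a test assert which credential won when several are sent at once.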

Copilot AI left a comment

Pull request overview

Introduces AnyLLM-Key as the canonical gateway auth header while continuing to accept X-AnyLLM-Key (legacy) with explicit deprecation signaling for clients that still use it.

Changes:

  • Update auth token extraction to prefer AnyLLM-Key over X-AnyLLM-Key, Authorization, then x-api-key, and emit a warning + request flag when legacy header is used.
  • Add response middleware to attach Deprecation and Sunset headers for legacy-header requests; expand Vary and CORS allow-headers to include both gateway header names.
  • Add unit + integration test coverage for precedence, malformed headers, deprecation signaling, Vary, and CORS allow-list behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/gateway/core/config.py | Defines canonical + legacy header constants and RFC-compliant deprecation/sunset constants. |
| src/gateway/api/deps.py | Implements precedence rules, legacy-header flagging, and warning logs in _extract_bearer_token. |
| src/gateway/main.py | Adds deprecation response middleware and updates Vary + CORS allow-headers. |
| tests/unit/test_extract_bearer_token.py | Unit tests covering header precedence, malformed inputs, and legacy flagging behavior. |
| tests/integration/test_auth_header_precedence.py | End-to-end tests for middleware-propagated Deprecation/Sunset, Vary, and CORS allow-list. |
| tests/integration/test_provider_kwargs_override.py | Updates integration tests to use canonical API_KEY_HEADER. |
| tests/integration/test_client_args.py | Updates integration tests to use canonical API_KEY_HEADER. |

peteski22 temporarily deployed to integration-tests on April 15, 2026 13:48 with GitHub Actions (Inactive)

tbille (Contributor) commented Apr 15, 2026

@peteski22 this looks great. Since the gateway with the platform is not yet live, no need to add all the deprecation code. Could you remove it?

Adopt an RFC 6648-compliant header name (no `X-` prefix) for gateway
Bearer authentication. The gateway has no live deployments yet, so no
migration window or legacy-accept path is required — this is a pure
rename of the authentication header.

- core/config.py: flip constant; document RFC 6648 in the comment.
- api/deps.py: update the `_extract_bearer_token` docstring and the
  three `verify_*` docstrings to reference the new header name.
- main.py: replace the hard-coded "X-AnyLLM-Key" string in the CORS
  allow_headers list with the `API_KEY_HEADER` constant, mirroring how
  the name is referenced in `deps.py`.
- tests/integration/test_client_args.py,
  tests/integration/test_provider_kwargs_override.py: replace hard-coded
  header literals with `API_KEY_HEADER` so these tests follow the rename
  without further edits.

Unit-test ``_extract_bearer_token`` directly so every precedence branch
and every failure mode is exercised without spinning up FastAPI or a
database.

Covers: canonical AnyLLM-Key, Authorization, and x-api-key happy paths;
the three precedence pairs among them; malformed (non-Bearer) values on
the Bearer-format headers; and the missing-credentials 401.

peteski22 force-pushed the feat/anyllm-key-canonical-header branch from e66706a to 9aa1760 on April 15, 2026 15:57
peteski22 deployed to integration-tests on April 15, 2026 15:57 with GitHub Actions (Active)
peteski22 changed the title from "feat(gateway): introduce canonical AnyLLM-Key auth header" to "feat(gateway): rename auth header to AnyLLM-Key (RFC 6648)" on Apr 15, 2026

peteski22 (Author) commented

Force-pushed the branch with the deprecation code removed — PR is now a straight rename from X-AnyLLM-Key to AnyLLM-Key plus the unit tests that cover header-precedence and malformed-input branches. Title and summary updated to match.
