2 Commits

  • feat: passthrough upstream response headers to clients
    CPA previously stripped ALL response headers from upstream AI provider
    APIs, preventing clients from seeing rate-limit info, request IDs,
    server-timing and other useful headers.
    
    Changes:
    - Add Headers field to Response and StreamResult structs
    - Add FilterUpstreamHeaders helper (hop-by-hop + security denylist)
    - Add WriteUpstreamHeaders helper (respects CPA-set headers)
    - ExecuteWithAuthManager/ExecuteCountWithAuthManager now return headers
    - ExecuteStreamWithAuthManager returns headers from initial connection
    - All 11 provider executors populate Response.Headers
    - All handler call sites write filtered upstream headers before response
    
    Filtered headers (not forwarded):
    - RFC 7230 hop-by-hop: Connection, Transfer-Encoding, Keep-Alive, etc.
    - Security: Set-Cookie
    - CPA-managed: Content-Length, Content-Encoding
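
The filtering this commit message describes, as an added example that is not the project's code: `filterUpstream` and `writeUpstream` are hypothetical names, the hop-by-hop entries behind the message's "etc." are assumed to be the usual RFC 7230 set, and the example goes one step beyond the message by also dropping any header the upstream names in its `Connection` header.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Denylist per the commit message. The hop-by-hop names beyond the three it
// lists are an assumption (the usual RFC 7230 set).
var denied = map[string]bool{
	"Connection": true, "Keep-Alive": true, "Transfer-Encoding": true,
	"Proxy-Authenticate": true, "Proxy-Authorization": true,
	"Te": true, "Trailer": true, "Upgrade": true,
	"Set-Cookie": true, "Content-Length": true, "Content-Encoding": true,
}

// filterUpstream (hypothetical name) returns a copy of src minus denied headers.
func filterUpstream(src http.Header) http.Header {
	drop := map[string]bool{} // headers nominated as hop-by-hop via Connection
	for _, v := range src.Values("Connection") {
		for _, tok := range strings.Split(v, ",") {
			drop[http.CanonicalHeaderKey(strings.TrimSpace(tok))] = true
		}
	}
	out := http.Header{}
	for k, vs := range src {
		ck := http.CanonicalHeaderKey(k)
		if denied[ck] || drop[ck] {
			continue
		}
		out[ck] = append([]string(nil), vs...) // copy so callers cannot alias src
	}
	return out
}

// writeUpstream (hypothetical name) never overwrites a header the proxy already set.
func writeUpstream(dst, upstream http.Header) {
	for k, vs := range filterUpstream(upstream) {
		if _, set := dst[k]; !set {
			dst[k] = vs
		}
	}
}

func main() {
	up := http.Header{"X-Request-Id": {"req-123"}, "Set-Cookie": {"sid=abc"}} // constructed sample
	fmt.Println(filterUpstream(up))
}
```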