fix(provider): scope AI Gateway token to workers-ai models

[ethulia]

Issue for this PR

Closes #32051

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

#32052 fixed #32051 (Workers AI models 401'd through the gateway) by passing apiKey to createUnified. This was an overcorrection. The Cloudflare API token used for AI Gateway was then passed as the upstream Authorization header on requests to third party models (OpenAI, Anthropic), causing it to 401 with Invalid API Key.

We should not pass the Cloudflare API token upstream, instead these models should use the credentials the user has stored in the AI Gateway (or Cloudflare's Unified Billing).

This makes token forwarding model-aware — the Cloudflare token is only attached for first-party workers-ai/ models (where the upstream is Cloudflare), and omitted for everything else:

createUnified(modelID.startsWith("workers-ai/") ? { apiKey } : {})

Applied in both the v1 provider path (provider.ts) and the v2 plugin path (core/.../cloudflare-ai-gateway.ts).
How did you verify your code works?
Added two tests in packages/opencode/test/provider/cf-ai-gateway-e2e.test.ts that capture the real upstream headers and assert both directions:

• No leak (fix(provider): pass apiKey to createUnified for Cloudflare AI Gateway #32052) — third-party models do not forward the Cloudflare token as the upstream Authorization header.
• Workers AI auth (cloudflare-ai-gateway provider returns 401 for Workers AI models #32051) — workers-ai/ models do forward the token.

cd packages/opencode
bun test test/provider/cf-ai-gateway-e2e.test.ts   # 5 pass
bun typecheck                                       # clean
Live end-to-end against a real AI Gateway:
export CLOUDFLARE_ACCOUNT_ID=<account-id>
export CLOUDFLARE_GATEWAY_ID=<gateway-id>
export CLOUDFLARE_API_TOKEN=<gateway-token>

# Workers AI path (token is forwarded)
echo "Reply with exactly: PONG" | \
  bun run dev run --model "cloudflare-ai-gateway/workers-ai/@cf/meta/llama-3.3-70b-instruct-fp8-fast"

# Third-party path (token must NOT be forwarded)
echo "Reply with exactly: PONG" | \
  bun run dev run --model "cloudflare-ai-gateway/openai/gpt-4o-mini"

Screenshots / recordings

N/A — no UI changes.

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

• PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

[github-actions]

This pull request has been automatically closed because it was not updated to meet our contributing guidelines within the 2-hour window.

Feel free to open a new pull request that follows our guidelines.