feat: add config subcommand to manage API keys with hot-reload

[johnlanni]

Description

This PR adds a new config subcommand to get-ai-gateway.sh script for managing LLM provider API keys with hot-reload support.

Changes

New Commands

• config add --provider <provider> --key <api-key> - Add or update an API key
• config list - List all configured API keys (with masking for security)
• config remove --provider <provider> - Remove an API key

Features

• Hot-reload support: Updates take effect immediately without restarting the container
• Dual update: Both host config file (default.cfg) and container config (ai-proxy.internal.yaml) are updated
• Provider mapping: Friendly provider names (e.g., qwen → DASHSCOPE_API_KEY)
• API key masking: Secure display of sensitive keys (e.g., sk-ab***cd12)
• Python-based YAML editing: Reliable modification of ai-proxy configuration
• Clear error messages: Helpful guidance for users
• Updated help documentation: Complete usage examples

Implementation Details

The hot-reload mechanism works similar to route command:

1. Read ai-proxy.internal.yaml from container
2. Modify API key in the configuration
3. Copy updated config back to container
4. Touch the config file to trigger hot-reload

This approach mirrors the configureAutoRouting() pattern and ensures configuration changes take effect immediately without container restart.

Examples

# List all configured API keys
./get-ai-gateway.sh config list

# Add or update an API key (hot-reload, no restart needed)
./get-ai-gateway.sh config add --provider deepseek --key sk-xxx

# Remove an API key (hot-reload, no restart needed)
./get-ai-gateway.sh config remove --provider deepseek

Supported providers

• dashscope (qwen), deepseek, moonshot (kimi), zhipuai, openai, openrouter
• claude, gemini, groq, doubao, baichuan, yi, stepfun, minimax
• cohere, mistral, github, fireworks, togetherai, grok

Benefits

• Easier management of API keys without manual config file editing
• Better security with masked display of sensitive keys
• Hot-reload: No container restart required
• Improved user experience for updating credentials
• Consistent with existing route command pattern

Differences from previous implementation

This implementation addresses the issue with the previous PR:

• Hot-reload: Uses touch mechanism instead of stop/start
• Follows established patterns: Mirrors configureAutoRouting() and route commands
• Minimal disruption: Updates are instant without service interruption

Testing

• Syntax check passed (bash -n)
• Command parsing works correctly
• Help documentation updated with examples
• Follows existing code patterns

Related PR

• Replaces/revises previous PR feat: add config subcommand to manage API keys #231 which was reverted