Fixed issues related to AI runtime credential leakage and client resource release.

[KariHall619]

Problem Background

• Placing the API Key in plaintext in the request body poses a risk of interception or log leakage for the front-end.
• Backend runtime client caching incorporates the API Key into the hash, and the key-value pair may persist in memory or logs for a long time.
• The Universal HTTP client pool lacks a return mechanism, and connection handles cannot be released after running for a long time.
• Multiple instances of _ = client.Close() silently failing, making troubleshooting difficult.

Major changes

• The frontend was changed to only pass through the API Key via the X-Auth header, and the unit test was extended to ensure that the request body no longer contains the key.
• The plugin service securely extracts the API Key from gRPC metadata, uniformly encapsulates availability checks, and removes the logic of the key participating in the cache key from the Generator/Engine.
• The Universal client pool increases the reference count, truly releases idle connections when Close() is called, and logs errors.
• Manager/Generator/Engine logs failures when shutting down old clients or destroying the entire system to prevent resource leaks from being swallowed up.

Testing and Verification

• go test ./...
• npm run test -- run

Impacts and Risks

• Fixed security red line issues to prevent API key exposure; behavior remains compatible with existing calls.
  Adding new logs may increase I/O slightly, but it helps in locating resource leaks. If your business relies on old request body fields, you need to confirm that the client has been updated accordingly.

中文:
问题背景

• 前端把 API Key 明文放在请求体里，存在被拦截或日志泄露的风险。
• 后端运行时客户端缓存将 API Key 纳入 hash，键值可能在内存或日志中长期存在。
• Universal HTTP 客户端池缺少归还机制，长时间运行后连接句柄无法释放。
• 多处 _ = client.Close() 静默失败，排障困难。

主要改动

• 前端改为仅通过 X-Auth 头透传 API Key，并扩展单测确保请求体不再包含 key。
• 插件服务从 gRPC metadata 安全提取 API Key，统一封装可用性检查，且 Generator/Engine 移除了 key 参与缓存键的逻辑。
• Universal 客户端池增加引用计数，Close() 时真正释放空闲连接并在出错时打日志。
• Manager/Generator/Engine 在关闭旧客户端或整体销毁时记录失败日志，避免资源泄露被吞掉。

测试与验证

• go test ./...
• npm run test -- --run

影响与风险

• 修复安全红线问题，避免 API Key 暴露；行为对现有调用保持兼容。
• 新增日志可能增加少量 I/O，但有助于定位资源泄露。若业务依赖旧的请求体字段，需确认客户端已同步调整。