Add API key authentication for proxy endpoints.

Support multiple API keys from config, env, and CLI, enforce auth on non-public endpoints, and pass keys through remote deploy verification.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

scripts/deploy-remote.sh

@@ -23,6 +23,7 @@ Optional environment variables:
   LINGMA_MARKETPLACE_PUBLISHER=Alibaba-Cloud
   LINGMA_MARKETPLACE_EXTENSION=tongyi-lingma
   LINGMA_PROXY_MODEL=org_auto
+  LINGMA_PROXY_API_KEYS=
   VERIFY_PUBLIC=false
 EOF
 }
@@ -74,7 +75,9 @@ LINGMA_VSIX_URL="${LINGMA_VSIX_URL:-https://tongyi-code.oss-cn-hangzhou.aliyuncs
 LINGMA_MARKETPLACE_PUBLISHER="${LINGMA_MARKETPLACE_PUBLISHER:-Alibaba-Cloud}"
 LINGMA_MARKETPLACE_EXTENSION="${LINGMA_MARKETPLACE_EXTENSION:-tongyi-lingma}"
 LINGMA_PROXY_MODEL="${LINGMA_PROXY_MODEL:-org_auto}"
+LINGMA_PROXY_API_KEYS="${LINGMA_PROXY_API_KEYS:-}"
 VERIFY_PUBLIC="${VERIFY_PUBLIC:-false}"
+VERIFY_API_KEY="${LINGMA_PROXY_API_KEYS%%,*}"
 
 if [ "$REMOTE_BUILD_DIR" = "$REMOTE_DIR" ]; then
   echo "REMOTE_BUILD_DIR must be different from REMOTE_DIR" >&2
@@ -151,6 +154,7 @@ LINGMA_SESSION_BUNDLE_FILE=/secrets/lingma-session.b64
 LINGMA_PROXY_BACKEND=remote
 LINGMA_PROXY_SESSION_MODE=auto
 LINGMA_PROXY_MODEL=$LINGMA_PROXY_MODEL
+LINGMA_PROXY_API_KEYS=$LINGMA_PROXY_API_KEYS
 LINGMA_PROXY_TIMEOUT_SECONDS=0
 LINGMA_REMOTE_FALLBACK_ENABLED=true
 EOF
@@ -183,7 +187,11 @@ echo "==> Waiting for remote health endpoint"
 
 echo
 echo "==> Remote models"
-"${SSH_BASE[@]}" "curl -fsS http://127.0.0.1:$REMOTE_PUBLIC_PORT/v1/models"
+if [ -n "$VERIFY_API_KEY" ]; then
+  "${SSH_BASE[@]}" "curl -fsS -H 'Authorization: Bearer $VERIFY_API_KEY' http://127.0.0.1:$REMOTE_PUBLIC_PORT/v1/models"
+else
+  "${SSH_BASE[@]}" "curl -fsS http://127.0.0.1:$REMOTE_PUBLIC_PORT/v1/models"
+fi
 
 if [ "$VERIFY_PUBLIC" = "true" ]; then
   echo