
Route AI requests through Drupal AI module (security: hide API keys from browser) #42

@jjroelofs


Summary

Currently, the CKEditor AI Agent module passes API keys directly to the JavaScript plugin, which sends them in HTTP Authorization: Bearer headers to AI providers. This exposes API keys in the browser.

Proposed Change

Restructure the module to route all AI requests through a Drupal controller that uses the ai module's AiProviderPluginManager, following the same pattern as dxpr/dxpr_builder#4061.

Architecture: Frontend → Drupal Controller → ai module → ai_provider_dxpr → Kavya API

Implementation

  1. Create src/Controller/AiChatController.php — proxy endpoint that routes requests through the ai module
  2. Add route ckeditor_ai_agent.ai_chat at /api/ckeditor-ai-agent/ai/chat
  3. Update getDynamicPluginConfig() in AiAgent.php and getCkEditorConfig() in AiAgentConfigurationManager.php to pass endpointUrl instead of apiKey when the ai module is available
  4. Add ai and ai_provider_dxpr as module dependencies
  5. The JS plugin already supports endpointUrl without apiKey (ckeditor5-ai-agent PR #174)

Benefits

  • API keys are never exposed to the browser
  • Centralized AI provider management through the ai module
  • Consistent architecture with DXPR Builder
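
A regression check for step 3, as an added example that is not code from this issue or from the module: it audits the configuration object delivered to the browser and confirms that it carries no credential and that endpointUrl points back at the site's own proxy route. The `aiAgent` wrapper key, the function names and both sample configs are assumptions constructed for illustration.

```javascript
// Added example: audit the config object handed to the editor plugin in the browser.
// The `aiAgent` wrapper key is hypothetical; sample configs below are constructed.

const SECRET_KEY_NAMES = /^(api[-_]?key|authorization|token|secret)$/i;
const BEARER_VALUE = /^Bearer\s+\S+/i;

// Recursively collect dotted paths whose key name or value looks like a credential.
function findExposedSecrets(config, path = []) {
  const findings = [];
  if (config === null || typeof config !== 'object') return findings;
  for (const [key, value] of Object.entries(config)) {
    const here = [...path, key];
    if (value !== null && typeof value === 'object') {
      findings.push(...findExposedSecrets(value, here));
      continue;
    }
    // Empty or non-string values cannot leak a key.
    if (typeof value !== 'string' || value === '') continue;
    if (SECRET_KEY_NAMES.test(key) || BEARER_VALUE.test(value)) {
      findings.push(here.join('.'));
    }
  }
  return findings;
}

// Acceptable config: no credential anywhere, and endpointUrl resolves to the
// site's own origin (the proxy route) rather than to an AI provider.
function auditPluginConfig(config, siteOrigin) {
  const exposed = findExposedSecrets(config);
  const endpoint = config.aiAgent && config.aiAgent.endpointUrl;
  let sameOrigin = false;
  if (typeof endpoint === 'string') {
    try {
      sameOrigin = new URL(endpoint, siteOrigin).origin === new URL(siteOrigin).origin;
    } catch {
      sameOrigin = false; // unparsable endpoint is treated as a failure
    }
  }
  return { ok: exposed.length === 0 && sameOrigin, exposed, sameOrigin };
}

// Constructed samples: config shape before and after the proposed change.
const before = { aiAgent: { apiKey: 'sk-constructed-example', endpointUrl: 'https://ai-provider.example/v1/chat' } };
const after = { aiAgent: { endpointUrl: '/api/ckeditor-ai-agent/ai/chat' } };

console.log(auditPluginConfig(before, 'https://site.example'));
console.log(auditPluginConfig(after, 'https://site.example'));
```

Run against the settings object the page actually renders, this fails as long as a key or a Bearer header value is still serialized to the client, including when it is nested in a headers map.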
