refactor(api): split Provider into ProviderGroup and APIKey models

Restructure the provider management system by separating the monolithic
Provider model into two distinct entities:

- ProviderGroup: defines shared upstream configuration (type, base_url,
  google settings, models, status)
- APIKey: represents individual credentials within a group (api_key,
  weight, status, auto_ban, ban settings)

This change also updates:
- Binding model to reference GroupID instead of RouteGroup string
- All CRUD handlers for the new provider-group and api-key endpoints
- Sync service to rebuild provider snapshots from joined tables
- Model registry to aggregate capabilities across group/key pairs
- Access handler to validate namespace existence and subset constraints
- Migration importer to handle the new schema structure
- All related tests to use the new model relationships

BREAKING CHANGE: Provider API endpoints replaced with /provider-groups
and /api-keys endpoints; Binding.RouteGroup replaced with Binding.GroupID

internal/api/handler.go

@@ -9,8 +9,6 @@ import (
 	"github.com/ez-api/ez-api/internal/dto"
 	"github.com/ez-api/ez-api/internal/model"
 	"github.com/ez-api/ez-api/internal/service"
-	groupx "github.com/ez-api/foundation/group"
-	"github.com/ez-api/foundation/provider"
 	"github.com/gin-gonic/gin"
 	"github.com/redis/go-redis/v9"
 	"gorm.io/gorm"
@@ -54,255 +52,6 @@ func (h *Handler) logBaseQuery() *gorm.DB {
 
 // CreateKey is now handled by MasterHandler
 
-// CreateProvider godoc
-// @Summary      Create a new provider
-// @Description  Register a new upstream AI provider
-// @Tags         admin
-// @Accept       json
-// @Produce      json
-// @Security     AdminAuth
-// @Param        provider  body      dto.ProviderDTO  true  "Provider Info"
-// @Success      201       {object}  model.Provider
-// @Failure      400       {object}  gin.H
-// @Failure      500       {object}  gin.H
-// @Router       /admin/providers [post]
-func (h *Handler) CreateProvider(c *gin.Context) {
-	var req dto.ProviderDTO
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	providerType := provider.NormalizeType(req.Type)
-	baseURL := strings.TrimSpace(req.BaseURL)
-	googleLocation := provider.DefaultGoogleLocation(providerType, req.GoogleLocation)
-
-	group := strings.TrimSpace(req.Group)
-	if group == "" {
-		group = "default"
-	}
-
-	status := strings.TrimSpace(req.Status)
-	if status == "" {
-		status = "active"
-	}
-	autoBan := true
-	if req.AutoBan != nil {
-		autoBan = *req.AutoBan
-	}
-
-	// CP-side defaults + validation to prevent DP runtime errors.
-	switch providerType {
-	case provider.TypeOpenAI:
-		if baseURL == "" {
-			baseURL = "https://api.openai.com/v1"
-		}
-	case provider.TypeAnthropic, provider.TypeClaude:
-		if baseURL == "" {
-			baseURL = "https://api.anthropic.com"
-		}
-	case provider.TypeCompatible:
-		if baseURL == "" {
-			c.JSON(http.StatusBadRequest, gin.H{"error": "base_url required for compatible providers"})
-			return
-		}
-	default:
-		// Google SDK providers: base_url is not required.
-		if provider.IsVertexFamily(providerType) && strings.TrimSpace(googleLocation) == "" {
-			googleLocation = provider.DefaultGoogleLocation(providerType, "")
-		}
-		// For Gemini API providers, api_key is required.
-		if provider.IsGoogleFamily(providerType) && !provider.IsVertexFamily(providerType) && strings.TrimSpace(req.APIKey) == "" {
-			c.JSON(http.StatusBadRequest, gin.H{"error": "api_key required for gemini api providers"})
-			return
-		}
-	}
-
-	provider := model.Provider{
-		Name:           req.Name,
-		Type:           strings.TrimSpace(req.Type),
-		BaseURL:        baseURL,
-		APIKey:         req.APIKey,
-		GoogleProject:  strings.TrimSpace(req.GoogleProject),
-		GoogleLocation: googleLocation,
-		Group:          group,
-		Models:         strings.Join(req.Models, ","),
-		Status:         status,
-		AutoBan:        autoBan,
-		BanReason:      req.BanReason,
-		Weight:         req.Weight,
-	}
-	if !req.BanUntil.IsZero() {
-		tu := req.BanUntil.UTC()
-		provider.BanUntil = &tu
-	}
-
-	if err := h.db.Create(&provider).Error; err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create provider", "details": err.Error()})
-		return
-	}
-
-	if err := h.sync.SyncProvider(&provider); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to sync provider", "details": err.Error()})
-		return
-	}
-	// Provider model list changes can affect binding upstream mappings; rebuild bindings snapshot.
-	if err := h.sync.SyncBindings(h.db); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to sync bindings", "details": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusCreated, provider)
-}
-
-// UpdateProvider godoc
-// @Summary      Update a provider
-// @Description  Update provider attributes including status/auto-ban flags
-// @Tags         admin
-// @Accept       json
-// @Produce      json
-// @Security     AdminAuth
-// @Param        id        path      int             true  "Provider ID"
-// @Param        provider  body      dto.ProviderDTO true  "Provider Info"
-// @Success      200       {object}  model.Provider
-// @Failure      400       {object}  gin.H
-// @Failure      404       {object}  gin.H
-// @Failure      500       {object}  gin.H
-// @Router       /admin/providers/{id} [put]
-func (h *Handler) UpdateProvider(c *gin.Context) {
-	idParam := c.Param("id")
-	id, err := strconv.Atoi(idParam)
-	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "invalid id"})
-		return
-	}
-
-	var existing model.Provider
-	if err := h.db.First(&existing, id).Error; err != nil {
-		c.JSON(http.StatusNotFound, gin.H{"error": "provider not found"})
-		return
-	}
-
-	var req dto.ProviderDTO
-	if err := c.ShouldBindJSON(&req); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
-		return
-	}
-
-	nextType := strings.TrimSpace(existing.Type)
-	if t := strings.TrimSpace(req.Type); t != "" {
-		nextType = t
-	}
-	nextTypeLower := provider.NormalizeType(nextType)
-	nextBaseURL := strings.TrimSpace(existing.BaseURL)
-	if strings.TrimSpace(req.BaseURL) != "" {
-		nextBaseURL = strings.TrimSpace(req.BaseURL)
-	}
-
-	update := map[string]any{}
-	if strings.TrimSpace(req.Name) != "" {
-		update["name"] = req.Name
-	}
-	if strings.TrimSpace(req.Type) != "" {
-		update["type"] = strings.TrimSpace(req.Type)
-	}
-	if strings.TrimSpace(req.BaseURL) != "" {
-		update["base_url"] = req.BaseURL
-	}
-	if req.APIKey != "" {
-		update["api_key"] = req.APIKey
-	}
-	if strings.TrimSpace(req.GoogleProject) != "" {
-		update["google_project"] = strings.TrimSpace(req.GoogleProject)
-	}
-	if strings.TrimSpace(req.GoogleLocation) != "" {
-		update["google_location"] = strings.TrimSpace(req.GoogleLocation)
-	} else if provider.IsVertexFamily(nextTypeLower) && strings.TrimSpace(existing.GoogleLocation) == "" {
-		update["google_location"] = provider.DefaultGoogleLocation(nextTypeLower, "")
-	}
-	if req.Models != nil {
-		update["models"] = strings.Join(req.Models, ",")
-	}
-	if req.Weight > 0 {
-		update["weight"] = req.Weight
-	}
-	if strings.TrimSpace(req.Group) != "" {
-		update["group"] = groupx.Normalize(req.Group)
-	}
-	if req.AutoBan != nil {
-		update["auto_ban"] = *req.AutoBan
-	}
-	if strings.TrimSpace(req.Status) != "" {
-		update["status"] = req.Status
-	}
-	if req.BanReason != "" || strings.TrimSpace(req.Status) == "active" {
-		update["ban_reason"] = req.BanReason
-	}
-	if !req.BanUntil.IsZero() {
-		tu := req.BanUntil.UTC()
-		update["ban_until"] = &tu
-	}
-	if req.BanUntil.IsZero() && strings.TrimSpace(req.Status) == "active" {
-		update["ban_until"] = nil
-	}
-
-	// Defaults/validation after considering intended type/base_url.
-	switch nextTypeLower {
-	case provider.TypeOpenAI:
-		if nextBaseURL == "" {
-			update["base_url"] = "https://api.openai.com/v1"
-		}
-	case provider.TypeAnthropic, provider.TypeClaude:
-		if nextBaseURL == "" {
-			update["base_url"] = "https://api.anthropic.com"
-		}
-	case provider.TypeCompatible:
-		if nextBaseURL == "" {
-			c.JSON(http.StatusBadRequest, gin.H{"error": "base_url required for compatible providers"})
-			return
-		}
-	default:
-		if provider.IsGoogleFamily(nextTypeLower) && !provider.IsVertexFamily(nextTypeLower) {
-			// Ensure Gemini API providers have api_key.
-			// If update does not include api_key, keep existing; otherwise require new one not empty.
-			apiKey := existing.APIKey
-			if req.APIKey != "" {
-				apiKey = req.APIKey
-			}
-			if strings.TrimSpace(apiKey) == "" {
-				c.JSON(http.StatusBadRequest, gin.H{"error": "api_key required for gemini api providers"})
-				return
-			}
-		}
-	}
-
-	if len(update) == 0 {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "no fields to update"})
-		return
-	}
-
-	if err := h.db.Model(&existing).Updates(update).Error; err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to update provider", "details": err.Error()})
-		return
-	}
-
-	if err := h.db.First(&existing, id).Error; err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to reload provider", "details": err.Error()})
-		return
-	}
-
-	if err := h.sync.SyncProvider(&existing); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to sync provider", "details": err.Error()})
-		return
-	}
-	if err := h.sync.SyncBindings(h.db); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to sync bindings", "details": err.Error()})
-		return
-	}
-
-	c.JSON(http.StatusOK, existing)
-}
-
 // CreateModel godoc
 // @Summary      Register a new model
 // @Description  Register a supported model with its capabilities