Add opt-in WP AI Gateway setup for OpenCode

[chubes4]

Summary

• Adds explicit --with-ai-gateway setup/upgrade plumbing for OpenCode runtimes, including gateway/provider plugin install, WP-CLI route configuration, token mint/reuse, and OpenCode provider/env configuration.
• Installs WP AI Gateway from the canonical Automattic repo: https://github.com/Automattic/wp-ai-gateway
• Keeps native OpenCode auth untouched unless gateway mode is opted in, and keeps token rotation explicit via --rotate-ai-gateway-token.
• Adds narrow wp-coding-agents-owned topology guards so OpenCode gateway mode cannot configure a backend route that points back to OpenCode/WP AI Gateway.

Closes #173.

Source checks

• Confirmed current OpenCode config shape from source: top-level provider map entries support npm, env, options.baseURL, options.apiKey/env keys, and custom models entries. This PR writes provider.wp-ai-gateway with @ai-sdk/openai-compatible, OPENAI_API_KEY, and ${OPENAI_BASE_URL}.
• Confirmed wp-ai-gateway WP-CLI surface provides wp ai-gateway configure <provider> <model>, wp ai-gateway token --porcelain, and wp ai-gateway status --format=json; gateway token output is one-time only, so setup stores/reuses the local env file rather than rotating by default.

Tests

• bash -n setup.sh upgrade.sh lib/ai-gateway.sh bridges/_dispatch.sh bridges/kimaki.sh tests/ai-gateway.sh
• ./tests/ai-gateway.sh
• ./tests/bridge-render.sh
• bash tests/repair-opencode-json.sh
• bash tests/opencode-wrapper-removal.sh
• bash tests/kimaki-agent-fallback.sh
• bash -c 'set -e; fail=0; while IFS= read -r -d "" f; do if ! bash -n "$f"; then echo "FAIL: $f"; fail=1; fi; done < <(find . -type f -name "*.sh" -not -path "./.git/*" -print0); exit "$fail"'
• SITE_DOMAIN=example.test EXISTING_WP=<tmp>/site ./setup.sh --existing --runtime opencode --with-ai-gateway --ai-gateway-provider openai --ai-gateway-model gpt-4o-mini --dry-run --no-chat
• EXISTING_WP=<tmp>/site ./upgrade.sh --local --wp-path <tmp>/site --runtime opencode --with-ai-gateway --ai-gateway-provider openai --ai-gateway-model gpt-4o-mini --dry-run --skip-plugins with output scanned for gateway/Kimaki token leaks
• SITE_DOMAIN=example.test EXISTING_WP=<tmp>/site ./setup.sh --existing --runtime opencode --with-ai-gateway --ai-gateway-provider wp-ai-gateway --dry-run --no-chat verified rejected
• After transfer update: bash -n lib/ai-gateway.sh setup.sh upgrade.sh tests/ai-gateway.sh && ./tests/ai-gateway.sh

Dependency status

• Support provider-owned custom request authentication WordPress/php-ai-client#237: open. Implementation PR Add provider-supplied request authentication WordPress/php-ai-client#238 is open.
• Add ChatGPT Codex OAuth provider WordPress/ai-provider-for-openai#30: open. Implementation PR Add ChatGPT Codex provider WordPress/ai-provider-for-openai#28 is open.
• Harden generic OpenAI-compatible gateway CLI, token, and model routing Automattic/wp-ai-gateway#1: closed. Implementation PR Harden generic OpenAI-compatible gateway setup Automattic/wp-ai-gateway#2 merged.

Risks

• Full live runtime smoke is still blocked by the open provider/auth dependency chain above.
• wp-ai-gateway has one-time token output only; this PR reuses the local .opencode/wp-ai-gateway.env token when present and only rotates with --rotate-ai-gateway-token.
• Local Kimaki launchd cannot use systemd-style EnvironmentFile, so the gateway env is rendered into launchd when gateway mode is opted in; diff output redacts secrets.

AI assistance

• AI assistance: Yes
• Tool(s): OpenCode (GPT-5.5)
• Used for: Drafting and testing the setup/upgrade integration, OpenCode config source review, regression tests, and PR description. Chris remains responsible for review and merge.