feat: add allow-byok option for ai-gateway (#24274)

## Summary                  
Adds `--ai-gateway-allow-byok` deployment option to control whether
users can use Bring Your Own Key (BYOK) mode with AI Gateway.
When disabled (`--ai-gateway-allow-byok=false`), BYOK requests are
rejected with a 403 and a message directing the admin to enable the
flag. Centralized key authentication works regardless of this setting.
Defaults to `true` (BYOK allowed).

---------

Co-authored-by: Danny Kopping <danny@coder.com>

cli/testdata/coder_server_--help.golden

@@ -100,6 +100,10 @@ OPTIONS:
           check is performed once per day.
 
 AI BRIDGE OPTIONS: 
+      --aibridge-allow-byok bool, $CODER_AIBRIDGE_ALLOW_BYOK (default: true)
+          Allow users to provide their own LLM API keys or subscriptions. When
+          disabled, only centralized key authentication is permitted.
+
       --aibridge-anthropic-base-url string, $CODER_AIBRIDGE_ANTHROPIC_BASE_URL (default: https://api.anthropic.com/)
           The base URL of the Anthropic API.
 

cli/testdata/server-config.yaml.golden

@@ -816,6 +816,10 @@ aibridge:
   # X-Ai-Bridge-Actor-Metadata-Username (their username).
   # (default: false, type: bool)
   send_actor_headers: false
+  # Allow users to provide their own LLM API keys or subscriptions. When disabled,
+  # only centralized key authentication is permitted.
+  # (default: true, type: bool)
+  allow_byok: true
   # Enable the circuit breaker to protect against cascading failures from upstream
   # AI provider rate limits (429, 503, 529 overloaded).
   # (default: false, type: bool)