fix: 增强 Claude 反代检测对抗能力

基于 Claude Code v2.1.88 源码分析，修复多个可被 Anthropic 检测的差距：

- 实现消息指纹算法（SHA256 盐值 + 字符索引），替代随机 buildHash
- billing header cc_version 从设备 profile 动态取版本号，不再硬编码
- billing header cc_entrypoint 从客户端 UA 解析，支持 cli/vscode/local-agent
- billing header 新增 cc_workload 支持（通过 X-CPA-Claude-Workload 头传入）
- 新增 X-Claude-Code-Session-Id 头（每 apiKey 缓存 UUID，TTL=1h）
- 新增 x-client-request-id 头（仅 api.anthropic.com，每请求 UUID）
- 补全 4 个缺失的 beta flags（structured-outputs/fast-mode/redact-thinking/token-efficient-tools）
- OAuth scope 对齐 Claude Code 2.1.88（移除 org:create_api_key，添加 sessions/mcp/file_upload）
- Anthropic-Dangerous-Direct-Browser-Access 仅在 API key 模式发送
- 响应头网关指纹清洗（剥离 litellm/helicone/portkey/cloudflare/kong/braintrust 前缀头）

sdk/api/handlers/header_filter.go

@@ -5,6 +5,18 @@ import (
 	"strings"
 )
 
+// gatewayHeaderPrefixes lists header name prefixes injected by known AI gateway
+// proxies. Claude Code's client-side telemetry detects these and reports the
+// gateway type, so we strip them from upstream responses to avoid detection.
+var gatewayHeaderPrefixes = []string{
+	"x-litellm-",
+	"helicone-",
+	"x-portkey-",
+	"cf-aig-",
+	"x-kong-",
+	"x-bt-",
+}
+
 // hopByHopHeaders lists RFC 7230 Section 6.1 hop-by-hop headers that MUST NOT
 // be forwarded by proxies, plus security-sensitive headers that should not leak.
 var hopByHopHeaders = map[string]struct{}{
@@ -40,6 +52,19 @@ func FilterUpstreamHeaders(src http.Header) http.Header {
 		if _, scoped := connectionScoped[canonicalKey]; scoped {
 			continue
 		}
+		// Strip headers injected by known AI gateway proxies to avoid
+		// Claude Code client-side gateway detection.
+		lowerKey := strings.ToLower(key)
+		gatewayMatch := false
+		for _, prefix := range gatewayHeaderPrefixes {
+			if strings.HasPrefix(lowerKey, prefix) {
+				gatewayMatch = true
+				break
+			}
+		}
+		if gatewayMatch {
+			continue
+		}
 		dst[key] = values
 	}
 	if len(dst) == 0 {