fix: reconcile with BuildUpstreamHeaders

Author: evgeniy-scherbina

provider/anthropic.go

@@ -121,18 +121,20 @@ func (p *Anthropic) CreateInterceptor(w http.ResponseWriter, r *http.Request, tr
 		//     WithAuthToken(), and clear the centralized key.
 		//   - X-Api-Key: <api-key> → personal API key. Overwrite the
 		//     centralized key with the user's key.
+		authHeaderName := p.AuthHeader()
 		if bearer := r.Header.Get("Authorization"); bearer != "" {
 			cfg.BYOKBearerToken = strings.TrimPrefix(bearer, "Bearer ")
 			cfg.Key = ""
+			authHeaderName = "Authorization"
 		} else if apiKey := r.Header.Get("X-Api-Key"); apiKey != "" {
 			cfg.Key = apiKey
 		}
 
 		var interceptor intercept.Interceptor
 		if req.Stream {
-			interceptor = messages.NewStreamingInterceptor(id, &req, payload, cfg, p.bedrockCfg, r.Header, p.AuthHeader(), tracer)
+			interceptor = messages.NewStreamingInterceptor(id, &req, payload, cfg, p.bedrockCfg, r.Header, authHeaderName, tracer)
 		} else {
-			interceptor = messages.NewBlockingInterceptor(id, &req, payload, cfg, p.bedrockCfg, r.Header, p.AuthHeader(), tracer)
+			interceptor = messages.NewBlockingInterceptor(id, &req, payload, cfg, p.bedrockCfg, r.Header, authHeaderName, tracer)
 		}
 		span.SetAttributes(interceptor.TraceAttributes(r)...)
 		return interceptor, nil

provider/anthropic_test.go

@@ -86,9 +86,9 @@ func TestAnthropic_CreateInterceptor(t *testing.T) {
 		body := `{"model": "claude-opus-4-5", "max_tokens": 1024, "messages": [{"role": "user", "content": "hello"}], "stream": false}`
 		req := httptest.NewRequest(http.MethodPost, routeMessages, bytes.NewBufferString(body))
 		req.Header.Set("Anthropic-Beta", betaHeader)
-		// Simulate a client sending its own auth credential, which must be replaced
-		// by aibridge with the configured provider key.
-		req.Header.Set("Authorization", "Bearer fake-client-bearer")
+		req.Header.Set("X-Custom-Header", "should-be-forwarded")
+		// In centralized mode, http.go strips Authorization and X-Api-Key
+		// before CreateInterceptor is called, so neither is set here.
 		w := httptest.NewRecorder()
 
 		interceptor, err := provider.CreateInterceptor(w, req, testTracer)
@@ -105,9 +105,12 @@ func TestAnthropic_CreateInterceptor(t *testing.T) {
 		// Verify the full Anthropic-Beta header (all betas) was forwarded unchanged.
 		assert.Equal(t, betaHeader, receivedHeaders.Get("Anthropic-Beta"), "Anthropic-Beta header must be forwarded unchanged to upstream")
 
-		// Verify aibridge's configured key was used and the client's auth credential was not forwarded.
+		// Verify aibridge's configured key was used.
 		assert.Equal(t, "test-key", receivedHeaders.Get("X-Api-Key"), "upstream must receive configured provider key")
-		assert.Empty(t, receivedHeaders.Get("Authorization"), "client Authorization header must not reach upstream")
+		assert.Empty(t, receivedHeaders.Get("Authorization"), "Authorization should not be set in centralized mode")
+
+		// Verify custom client headers are forwarded.
+		assert.Equal(t, "should-be-forwarded", receivedHeaders.Get("X-Custom-Header"), "custom client headers should be forwarded")
 	})
 
 	byokTests := []struct {