thv llm: localhost reverse proxy for proxy-mode tools

[yrobla]

Context

Part of #5016 (RFC: stacklok/toolhive-rfcs#70). Depends on #5028 (token lifecycle). Can be implemented in parallel with #5028 once #5027 is done.

Scope

• Localhost reverse proxy listening on http://localhost:<port>/v1
• Strips incoming Authorization header and injects a fresh OIDC bearer token from the token source
• Forwards requests to upstream gateway preserving original path, query string, headers, and body
• Passes through upstream responses faithfully: SSE streaming (chat completions), non-streaming JSON (embeddings, completions), error responses (4xx/5xx) — no buffering or body modification
• Loopback-only guard: reject startup if listen address is not a loopback interface
• Background process lifecycle management (start, stop, PID tracking)
• thv llm proxy start — foreground variant with full log output for debugging

Acceptance Criteria

• AT: Proxy accepts requests on http://localhost:<port>/v1, strips Authorization, injects fresh OIDC bearer token, forwards to upstream gateway — preserving path, query string, headers, and body
• AT: Proxy passes through SSE streaming, non-streaming JSON, and error responses (4xx/5xx) without buffering or modification
• Unit: Proxy rejects startup if listen address is not a loopback interface

Dependencies

• thv llm: package skeleton, cobra commands, and config management #5027 (foundation: package skeleton, config types)
• thv llm: OIDC token lifecycle and thv llm token command #5028 (token source, for token injection)

References

• Parent issue: thv llm subcommand for LLM gateway authentication #5016
• RFC: RFC-0070: thv llm subcommand for LLM gateway authentication toolhive-rfcs#70