aigw: split access logs and map request headers

[codefromthecrypt]

Description

Split stdout/file access logs by request type using CEL over request headers (x-ai-eg-model for LLM, x-ai-eg-mcp-backend for MCP) so MCP-only fields never appear on LLM logs and vice‑versa. This avoids relying on /mcp paths, which are not present on backend‑listener requests.

Add OTEL request-header mapping env vars for users: OTEL_AIGW_REQUEST_HEADER_ATTRIBUTES (base mapping) and OTEL_AIGW_LOG_REQUEST_HEADER_ATTRIBUTES (log override). These are merged and wired through ext_proc and the Envoy Gateway extension server so access logs can include session.id without per‑request app changes. MCP uses JSON‑RPC params._meta for POST requests, but GET streams have no JSON‑RPC payload, so compose examples also send HTTP headers for access-log mapping.

Rename access‑log keys to the OTEL‑style gen_ai.* and mcp.provider.name while preserving gateway‑specific metadata fields, add request.path to the common access‑log fields, and update examples, fixtures, and docs accordingly. Compose examples pass user/session IDs via compose args so log output can be verified end‑to‑end (append --debug to the aigw command for verbose logs).

Ensure original downstream paths are preserved in access logs by setting x-envoy-original-path and x-ai-eg-original-path from the incoming request path across LLM and MCP flows.

Related Issues/PRs (if applicable)

Related: #1303

Special notes for reviewers (if applicable)

Access log samples from docker compose runs (Envoy stdout):

{"bytes_received":126,"bytes_sent":311,"connection_termination_details":null,"downstream_local_address":"172.18.0.2:1975","downstream_remote_address":"172.18.0.3:36684","duration":118,"gen_ai.provider.name":"default/openai/route/aigw-run/rule/0/ref/0","gen_ai.request.model":"qwen2.5:0.5b","gen_ai.response.model":"qwen2.5:0.5b","gen_ai.usage.input_tokens":44,"gen_ai.usage.output_tokens":6,"method":"POST","request.path":"/v1/chat/completions","response_code":200,"session.id":"session-123","start_time":"2026-01-21T01:27:54.561Z","upstream_cluster":"httproute/default/aigw-run/rule/0","upstream_host":"192.168.5.2:11434","upstream_local_address":"172.18.0.2:38068","upstream_transport_failure_reason":null,"user-agent":"curl/8.14.1","x-envoy-origin-path":"/v1/chat/completions","x-request-id":"9c58c39a-d61f-48db-80e9-befb570f51d4"}
{"bytes_received":213,"bytes_sent":13623,"connection_termination_details":null,"downstream_local_address":"127.0.0.1:10088","downstream_remote_address":"127.0.0.1:56250","duration":1274,"jsonrpc.request.id":"3","mcp.method.name":"tools/call","mcp.provider.name":"kiwi","mcp.session.id":"d0234260-8c4e-49f5-8fb6-8e359194d7cc","method":"POST","request.path":"/","response_code":200,"session.id":"session-123","start_time":"2026-01-21T01:28:12.653Z","upstream_cluster":"httproute/default/ai-eg-mcp-br-mcp-route-kiwi/rule/0","upstream_host":"151.101.195.52:443","upstream_local_address":"172.18.0.2:37250","upstream_transport_failure_reason":null,"user-agent":"Go-http-client/1.1","x-envoy-origin-path":"/mcp","x-request-id":"2e7f4f6d-1b77-4f61-94b9-bc03a960ce9b"}
{"bytes_received":0,"bytes_sent":0,"connection_termination_details":null,"downstream_local_address":"127.0.0.1:10088","downstream_remote_address":"127.0.0.1:56238","duration":2561,"jsonrpc.request.id":null,"mcp.method.name":null,"mcp.provider.name":"kiwi","mcp.session.id":"d0234260-8c4e-49f5-8fb6-8e359194d7cc","method":"GET","request.path":"/","response_code":0,"session.id":"session-123","start_time":"2026-01-21T01:28:11.396Z","upstream_cluster":"httproute/default/ai-eg-mcp-br-mcp-route-kiwi/rule/0","upstream_host":"151.101.67.52:443","upstream_local_address":"172.18.0.2:41090","upstream_transport_failure_reason":null,"user-agent":"Go-http-client/1.1","x-envoy-origin-path":"/mcp","x-request-id":"ee852e6b-be32-4947-bedc-12e4215df52f"}

[codefromthecrypt]

@mathetake @nacx might be glitches here I need to look at again tomorrow, but hopefully the overall direction is sensible. if not, lemme know.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 85.10638% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.06%. Comparing base (5f98617) to head (17b07cd).

Files with missing lines	Patch %	Lines
internal/extensionserver/header_to_metadata.go	82.69%	9 Missing and 9 partials ⚠️
internal/extproc/processor_impl.go	80.43%	5 Missing and 4 partials ⚠️
internal/mcpproxy/mcpproxy.go	87.50%	3 Missing and 3 partials ⚠️
internal/extensionserver/post_translate_modify.go	0.00%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1797      +/-   ##
==========================================
+ Coverage   84.04%   84.06%   +0.02%     
==========================================
  Files         117      118       +1     
  Lines       12990    13213     +223     
==========================================
+ Hits        10917    11108     +191     
- Misses       1418     1433      +15     
- Partials      655      672      +17     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codefromthecrypt]

@nacx @mathetake once this is in, I can add OTLP access log from gateway in aigw/standalone mode without a massive PR

[mathetake]

/retest