fix: allow brave_search as valid API key provider

Split VALID_PROVIDERS (LLM only) from VALID_API_KEY_PROVIDERS (includes
brave_search) so Brave keys can be stored without allowing brave_search
as an admin LLM provider.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend/src/models/api_key.rs

@@ -20,7 +20,7 @@ pub struct UserApiKey {
     pub updated_at: DateTime<Utc>,
 }
 
-use crate::models::provider::VALID_PROVIDERS;
+use crate::models::provider::VALID_API_KEY_PROVIDERS;
 
 /// Request body for `POST /api/v1/user/api-keys`.
 ///
@@ -39,11 +39,11 @@ impl CreateApiKeyRequest {
         if provider.is_empty() {
             return Err("Provider name cannot be empty".into());
         }
-        if !VALID_PROVIDERS.contains(&provider) {
+        if !VALID_API_KEY_PROVIDERS.contains(&provider) {
             return Err(format!(
                 "Invalid provider '{}'. Must be one of: {}",
                 provider,
-                VALID_PROVIDERS.join(", ")
+                VALID_API_KEY_PROVIDERS.join(", ")
             ));
         }
 

backend/src/models/provider.rs

@@ -49,6 +49,9 @@ fn default_true() -> bool {
 /// Also used by `models::api_key` for validating user API key requests.
 pub const VALID_PROVIDERS: &[&str] = &["gemini", "openai", "anthropic"];
 
+/// Valid provider names for user API key storage (includes non-LLM services).
+pub const VALID_API_KEY_PROVIDERS: &[&str] = &["gemini", "openai", "anthropic", "brave_search"];
+
 impl CreateProviderRequest {
     /// Validate the provider creation request.
     ///