fix: move /change-model credentials from query params to request body #107

Open
zikunz wants to merge 1 commit into sugarlabs:main from zikunz:fix/change-model-request-body

zikunz commented Mar 27, 2026

The /change-model endpoint accepts api_key and password as URL query parameters (Query(...)). This means credentials appear in server access logs, browser history, proxy caches, and HTTP Referer headers. Sugar-AI is a children's education platform, making credential exposure especially sensitive.

Before:

```http
POST /change-model?model=Qwen/Qwen2-1.5B-Instruct&api_key=sugarai2024&password=sugarai2024
```

After:

```http
POST /change-model
Content-Type: application/json

{"model": "Qwen/Qwen2-1.5B-Instruct", "api_key": "sugarai2024", "password": "sugarai2024"}
```

Solution

  • Add ChangeModelRequest Pydantic model with min_length=1 validation on all fields, consistent with the pattern used by PromptedLLMRequest
  • Rewrite /change-model handler to read from the JSON request body instead of URL query parameters
  • Update documentation in welcome.html and README.md to show JSON body usage
  • Remove an orphaned </ul> tag in welcome.html that had no matching <ul> (pre-existing)
  • Remove unused Query import and clean up trailing whitespace on blank lines in the handler

No changes to business logic, authentication flow, or response format.

Note: This is a breaking change for callers that pass credentials as query parameters. They will need to switch to sending a JSON request body. The deployed Sugar-AI instance currently has no known external callers of this admin-only endpoint beyond the development team.

Related: #87 applies the same pattern to the /debug endpoint. These two changes are independent and do not conflict.

Testing

Verified that:

  • POST /change-model with JSON body {"model": "...", "api_key": "...", "password": "..."} works correctly
  • Empty model, api_key, or password returns HTTP 422 with validation error
  • Old query-parameter style requests no longer pass credentials through the URL
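
Added example, not part of the pull request or the Sugar-AI code base: because the old request style put `api_key` and `password` in the URL, existing access logs may still hold them. The sketch below flags and redacts such lines; the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

SENSITIVE = {"api_key", "password"}  # parameter names from the PR description
# Request field of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def scrub_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    leaked = [k for k, _ in pairs if k.lower() in SENSITIVE]
    if not leaked:
        return line, []
    safe = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    target = parts._replace(query=urlencode(safe, safe="/")).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):], leaked

def audit(lines):
    """Scrub every line; report which lines carried credentials in the URL."""
    scrubbed, findings = [], []
    for n, line in enumerate(lines, 1):
        new, leaked = scrub_line(line)
        scrubbed.append(new)
        if leaked:
            findings.append((n, sorted(leaked)))
    return scrubbed, findings

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "POST /change-model?model=Qwen/Qwen2-1.5B-Instruct&api_key=EXAMPLE-KEY&password=EXAMPLE-PW HTTP/1.1" 200 64',
    '203.0.113.7 - - [27/Mar/2026:10:05:12 +0000] "POST /change-model HTTP/1.1" 200 64',
    '203.0.113.9 - - [27/Mar/2026:10:06:40 +0000] "GET /welcome HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    scrubbed, findings = audit(SAMPLE)
    for n, names in findings:
        print(f"line {n}: credentials in URL: {', '.join(names)}")
    print("\n".join(scrubbed))
```

Any credential that such a scan finds in stored logs should be treated as exposed and rotated, since redacting the log does not undo earlier reads of it.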
