GitLab

The existing regex only matched the old format where account_uuid is
empty (account__session_). Real Claude Code clients and newer sub2api
generated user_ids use account_{uuid}_session_ which was silently
skipped, causing the original metadata.user_id to leak to upstream
when User-Agent is rewritten by an intermediate gateway.

Closes #766
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

perf(admin-usage): 优化 usage 大表分页，默认避免全量 COUNT(*)

fix(frontend): show real upstream payload in ops error detail modal

feat(gateway): 系统设置控制未分组 Key 调度 — Handler 层中间件拦截

fix(ops): 默认忽略 count_tokens 404 错误

- quota_limited 模式：返回 Key 级别的总额度、速率限制窗口用量和过期时间
- unrestricted 模式：返回订阅限额或钱包余额信息（向后兼容）
- 新增 model_stats 字段，支持 start_date/end_date 参数查询按模型用量统计
- 提取 buildUsageData/parseUsageDateRange 等辅助方法，减少主函数复杂度
- 新增 APIKeyService.GetRateLimitData 和 UsageService.GetAPIKeyModelStats

将中间件职责拆分为鉴权（Authentication）和计费执行（Billing Enforcement）两层：
- 鉴权层（disabled/IP/用户状态）始终执行
- 计费层（过期/配额/订阅/余额）用单一 skipBilling 守卫整块控制

/v1/usage 端点只需鉴权不需计费，skipBilling 仅出现 2 处（订阅加载错误处理 + 计费块守卫），
取代了之前 isUsageQuery 散布在 7 个 if 分支中的控制流。

新增系统设置 allow_ungrouped_key_scheduling（默认关闭），
未分组的 API Key 在网关请求时直接返回 403，
由 RequireGroupAssignment 中间件统一拦截，
支持 Anthropic / Google 两种错误格式响应。

全栈实现：常量 → 结构体 → 解析/更新/初始化 → DTO → 管理接口 →
中间件 → 路由注册 → 前端设置界面 + i18n。

Remove extra space before inline comment to pass golangci-lint gofmt check.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

将 IgnoreCountTokensErrors 默认值从 false 改为 true。

count_tokens 返回 404 是预期业务行为（上游不支持 endpoint，
客户端应 fallback 到本地 tokenizer 估算），不应被视为错误。
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- wire_gen_test.go: 补充 NewTokenRefreshService 缺失的 tempUnschedCache 参数
- config.go, token_refresh_service.go: 修复 gofmt 格式问题

fix: OAuth 401 不再永久锁死账号，改用临时不可调度实现自动恢复

PR #682 (release → main 全量同步) 将 Antigravity 和 Gemini CLI 的
OAuth client_secret 硬编码值替换为了 "GOCSPX-your-client-secret" 占位符，
导致未配置环境变量的部署环境中 token 刷新失败。

恢复内容：
- antigravity/oauth.go: 恢复真实 client_secret
- antigravity/oauth_test.go: 恢复测试断言中的真实值
- geminicli/constants.go: 恢复真实 client_secret

- Fix fileChecksum for 061 migration: use TrimSpace hash (66207e7a) instead
  of raw sha256sum (97bdd9a3), matching the actual runtime computation
- Add 222b4a09 as accepted DB checksum for 061 migration
- Add missing GetAPIKeyRateLimit/SetAPIKeyRateLimit/UpdateAPIKeyRateLimitUsage/
  InvalidateAPIKeyRateLimit methods to mock BillingCache in test stubs
- Fix NewBillingCacheService call in singleflight test (add apiKeyRepo param)

- Fix errcheck: properly handle rows.Close() error via named return + defer closure
- Fix gofmt: auto-format billing_cache.go, api_key_service.go, billing_cache_service.go
- Add missing rate limit interface methods to 4 test stubs (GetRateLimitData, IncrementRateLimitUsage, ResetRateLimitWindows)
- Fix NewBillingCacheService calls missing the new apiKeyRepo parameter

fix(gateway): 分组隔离 — 禁止未分组账号被跨组调度

perf(admin): 优化 Dashboard 大数据量加载（预聚合趋势+异步用户趋势）

fix(migrations): 061 迁移改为限时分批回填，避免启动阻塞导致 502

# Conflicts:

当 API Key 无分组时，调度仅从未分组账号池中选取。
修复 isAccountInGroup 在 groupID==nil 时的逻辑，
同时补全 scheduler_snapshot_service 和 gemini_compat_service
中的 SimpleMode 保护，确保分组隔离在所有调度路径生效。

新增 ListSchedulableUngroupedByPlatform/s 方法，
使用 Ent 的 Not(HasAccountGroups()) 谓词实现未分组账号隔离。
新增 17 个单元和端到端隔离测试，覆盖所有分支和边界条件。

fix(frontend): admin custom menu items not showing in sidebar

The public settings API filters out menu items with visibility='admin',
so customMenuItemsForAdmin was always empty when reading from
cachedPublicSettings. Fix by loading custom menu items from the admin
settings API (via adminSettingsStore) which returns all items unfiltered.

Changes:
- adminSettings store: store custom_menu_items from admin settings API
- AppSidebar: read admin menu items from adminSettingsStore instead of
  cachedPublicSettings
- CustomPageView: merge public and admin menu items so admin users can
  access admin-only custom pages

feat(gateway): 双模式用户消息队列 — 串行队列 + 软性限速

feat: custom menu pages with iframe embedding and CSP injection

Replaced by filterUserVisibleMenuItems which includes both array
validation and admin-item filtering.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

1. (Critical) Filter admin-only menu items from public API responses -
   both GetPublicSettings handler and GetPublicSettingsForInjection now
   exclude visibility=admin items, preventing unauthorized access to
   admin menu URLs.

2. (Medium) Validate JSON array structure in sanitizeCustomMenuItemsJSON -
   use json.Unmarshal into []json.RawMessage instead of json.Valid to
   reject non-array JSON values that would cause frontend runtime errors.

3. (Medium) Decouple router from business JSON parsing - move origin
   extraction logic from router.go to SettingService.GetFrameSrcOrigins,
   eliminating direct JSON parsing of custom_menu_items in the routing
   layer.

4. (Low) Restrict custom menu item ID charset to [a-zA-Z0-9_-] via
   regex validation, preventing route-breaking characters like / ? # or
   spaces.

5. (Low) Handle crypto/rand error in generateMenuItemID - return error
   instead of silently ignoring, preventing potential duplicate IDs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

- Add admin menu permission check in CustomPageView (visibility + role)
- Sanitize SVG content with DOMPurify before v-html rendering (XSS prevention)
- Decouple router.go from dto package using anonymous struct
- Consolidate duplicate parseCustomMenuItems into dto.ParseCustomMenuItems
- Enhance menu item validation (count, length, ID uniqueness limits)
- Add audit logging for purchase_subscription and custom_menu_items changes
- Update API contract test to include custom_menu_items field
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>