
fix(extension-usage): tighten access permissions for the usage dashboard #899

Merged
dingyi222666 merged 2 commits into
ChatLunaLab:v1-dev from
Procyon-Nan:fix/usage-auth-guard
Jun 8, 2026

@Procyon-Nan

Contributor

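Overview

This PR tightens data access permissions for the chatluna-usage console dashboard, preventing unauthorized console clients from obtaining model usage data.

Changes

  • Add an authority restriction to the chatluna-usage DataService and RPC listeners
  • On the server, verify auth, expiry time and authority level before pushing data to a console client
  • On the frontend, hide the usage home slot and clear local usage state when the user is not logged in or lacks sufficient authority
  • Increment the request sequence number when authority is lost, so that unfinished requests cannot write back stale data
  • Add the optional auth service to the Koishi service metadata in package.json

Verification

  • yarn workspace @root/chatluna-koishi fast-build extension-usage

Add an authority restriction to the chatluna-usage console data service

In the server-side get(), verify the console client's auth, expiry time and authority level, to avoid pushing usage data when there is no auth interception

Restrict registration of the usage dashboard entry and RPC listeners to when console and auth are both available

On the frontend, hide the home slot based on login state, and on loss of authority clear usage state and discard unfinished requests

Add the optional auth dependency to the plugin service declaration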
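The request-sequence guard from the change list above (bump the sequence number when authority is lost so an in-flight response cannot repopulate the store), written out as an added TypeScript example. It is not code from this PR; `UsageStore`, `UsageRow` and the method names are hypothetical, and the sample data is constructed.

```typescript
// Added example: request-sequence guard for a client-side usage store.
// UsageRow, UsageStore and all method names are hypothetical.
type UsageRow = { model: string; tokens: number }

class UsageStore {
  rows: UsageRow[] = []
  loading = false
  private seq = 0 // bumped on every new request and on every revocation

  // Start a request; the returned ticket must still be current on arrival.
  begin(): number {
    this.loading = true
    return ++this.seq
  }

  // Apply a response only if no newer request or revocation happened since.
  commit(ticket: number, rows: UsageRow[]): boolean {
    if (ticket !== this.seq) return false // stale response: drop it
    this.rows = rows
    this.loading = false
    return true
  }

  // Called when the user logs out or loses the required authority.
  revoke(): void {
    this.seq++ // invalidates every in-flight ticket
    this.rows = []
    this.loading = false
  }

  // Async convenience wrapper around begin/commit.
  async load(fetchRows: () => Promise<UsageRow[]>): Promise<boolean> {
    const ticket = this.begin()
    try {
      return this.commit(ticket, await fetchRows())
    } catch (err) {
      if (ticket === this.seq) this.loading = false
      throw err
    }
  }
}

// Constructed scenario: the response arrives after the session was revoked.
function staleResponseDemo(): { applied: boolean; rows: number } {
  const store = new UsageStore()
  const ticket = store.begin()
  store.revoke()
  const applied = store.commit(ticket, [{ model: 'constructed-model', tokens: 1200 }])
  return { applied, rows: store.rows.length }
}
```

Without the increment in `revoke()`, the late `commit` would succeed and usage rows would reappear in the store after the user lost access.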
@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Contributor


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: cebe4336-e0fe-4a69-864b-d2581f1edd4b

📥 Commits

Reviewing files that changed from the base of the PR and between 0417cb3 and 3b7704c.

📒 Files selected for processing (2)
  • packages/extension-usage/client/index.ts
  • packages/extension-usage/src/index.ts

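Overview

This PR implements asynchronous component loading and state-based conditional disabling on the client, and adds authority verification configuration to the data service and console event listeners on the server.

Changes

Asynchronous loading and authority verification

| Layer / File | Summary |
|---|---|
| Client async slot loading and disabled condition: packages/extension-usage/client/index.ts | The home slot component changes from static to a defineAsyncComponent async factory that loads home.vue and the charts module in parallel and returns the component after registering the plugin; adds a disabled condition based on store.chatluna_usage. |
| Server-side authority verification configuration: packages/extension-usage/src/index.ts | ChatLunaUsage data service initialization adds authority: 1; the console event listeners for query, list and cleanup gain the authority: 1 option. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🐰 Async loading, light as air,
authority checks stacked layer on layer,
component caching grows smarter,
access control has its clauses,
and the extension is more complete!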

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: strengthening access control for the chatluna-usage dashboard, consistent with the PR's core goal. |
| Description check | ✅ Passed | The description details the specific measures for tightening permissions, including adding the authority restriction, server-side verification and frontend hiding, and matches the code changes. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@gemini-code-assist gemini-code-assist Bot left a comment

Contributor


Code Review

This pull request introduces authentication and authority checks for the chatluna-usage extension, restricting access to the dashboard and its backend APIs to logged-in users with sufficient authority. The review feedback highlights that hard-coding the auth service dependency in ctx.inject and frontend state checks will break the dashboard in environments where the auth plugin is not enabled (such as local single-user setups). The reviewer suggests making the auth checks optional on both the backend and frontend so that the dashboard remains functional when the auth service is absent.


Comment thread packages/extension-usage/src/index.ts Outdated
Comment thread packages/extension-usage/src/index.ts Outdated
Comment thread packages/extension-usage/client/state.ts Outdated

@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/extension-usage/client/state.ts`:
- Around line 41-44: loggedIn computed currently uses non-reactive Date.now(),
so expiration won't re-evaluate when time passes; fix by scheduling a timeout
when loggedIn becomes true to trigger re-evaluation/cleanup at user.expiredAt:
in the same module, track a timer id (clear previous on change), and when
loggedIn flips true compute delay = user.expiredAt - Date.now(), setTimeout to
either update a small reactive ref (e.g., now/tick) that loggedIn depends on or
dispatch the existing cleanup path (the watcher on loggedIn /
store.chatluna_usage clearing logic), and clear the timer when loggedIn becomes
false or user changes; reference: loggedIn computed, authStore.user.expiredAt,
the watch(loggedIn, ...) cleanup logic and store.chatluna_usage/list/loading so
the existing else branch runs when timeout fires.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 5cecc993-2ade-48c4-81a6-d2d66af893ab

📥 Commits

Reviewing files that changed from the base of the PR and between de6e77b and 0417cb3.

⛔ Files ignored due to path filters (1)
  • packages/extension-usage/package.json is excluded by !**/*.json
📒 Files selected for processing (3)
  • packages/extension-usage/client/index.ts
  • packages/extension-usage/client/state.ts
  • packages/extension-usage/src/index.ts

Comment thread packages/extension-usage/client/state.ts Outdated

@dingyi222666 dingyi222666 left a comment

Member


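I feel this PR has gone about it completely wrong; it absolutely does not need this many changes. Why not take a closer look at the method parameters of ctx.slot?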

@Procyon-Nan

Contributor Author

got it

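Adjust the permission control implementation of the ChatLuna Usage WebUI.

Use authority: 1 on the DataService and console listeners, leaving authority interception to the Koishi console.

Use disabled on the client home slot to control rendering based on the chatluna_usage store, so that unauthorized users do not load the usage panel.

Remove the manual frontend auth state checks, and revert the optional auth service declaration in package.json.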
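The server-side rule listed in the PR description (auth present, not expired, authority level met), applied at the point where data is pushed to each console client. This is an added TypeScript example, not code from the PR or from Koishi; the types, function names and sample clients are hypothetical and constructed.

```typescript
// Added example: simplified model of an authority gate in front of a data push.
// Not Koishi's implementation; every name below is hypothetical.
type ClientAuth = { authority: number; expiredAt: number } // expiredAt: ms since epoch
type ConsoleClient = { id: string; auth?: ClientAuth }

// Returns the reason a client is refused, or null when it may receive data.
function refuseReason(client: ConsoleClient, required: number, now: number): string | null {
  if (!client.auth) return 'no-auth'
  if (client.auth.expiredAt <= now) return 'expired'
  if (client.auth.authority < required) return 'low-authority'
  return null
}

// Build the payload per client, and only for clients that pass the gate,
// so usage data is never computed or serialized for a refused client.
function pushUsage<T>(
  clients: ConsoleClient[],
  required: number,
  now: number,
  getValue: (client: ConsoleClient) => T
): { sent: Map<string, T>; refused: Map<string, string> } {
  const sent = new Map<string, T>()
  const refused = new Map<string, string>()
  for (const client of clients) {
    const reason = refuseReason(client, required, now)
    if (reason) refused.set(client.id, reason)
    else sent.set(client.id, getValue(client))
  }
  return { sent, refused }
}

// Constructed clients covering each branch of the check.
const SAMPLE_NOW = 1000000
const sampleClients: ConsoleClient[] = [
  { id: 'anonymous' },
  { id: 'stale-session', auth: { authority: 4, expiredAt: SAMPLE_NOW - 1 } },
  { id: 'guest', auth: { authority: 0, expiredAt: SAMPLE_NOW + 60000 } },
  { id: 'admin', auth: { authority: 1, expiredAt: SAMPLE_NOW + 60000 } },
]

// Required authority 1 matches the value used in this PR.
function demoPush() {
  return pushUsage(sampleClients, 1, SAMPLE_NOW, () => ({ totalTokens: 1200 }))
}
```

The expired session is refused even though its authority is the highest in the sample, which is why the expiry check runs before the level comparison.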
@Procyon-Nan Procyon-Nan requested a review from dingyi222666 June 7, 2026 09:35
@dingyi222666 dingyi222666 merged commit 97faf21 into ChatLunaLab:v1-dev Jun 8, 2026
5 checks passed
@Procyon-Nan Procyon-Nan deleted the fix/usage-auth-guard branch June 8, 2026 09:53