fix(分组): 强化上下文分组可信校验

- 引入 Hydrated 标记限制复用来源

- 无效上下文分组允许被新值覆盖自愈

- 更新相关单测覆盖

backend/internal/server/middleware/api_key_auth.go

@@ -182,7 +182,7 @@ func setGroupContext(c *gin.Context, group *service.Group) {
 	if !service.IsGroupContextValid(group) {
 		return
 	}
-	if existing, ok := c.Request.Context().Value(ctxkey.Group).(*service.Group); ok && existing != nil && existing.ID == group.ID {
+	if existing, ok := c.Request.Context().Value(ctxkey.Group).(*service.Group); ok && existing != nil && existing.ID == group.ID && service.IsGroupContextValid(existing) {
 		return
 	}
 	ctx := context.WithValue(c.Request.Context(), ctxkey.Group, group)

backend/internal/server/middleware/api_key_auth_google_test.go

@@ -142,6 +142,7 @@ func TestApiKeyAuthWithSubscriptionGoogleSetsGroupContext(t *testing.T) {
 		Name:     "g1",
 		Status:   service.StatusActive,
 		Platform: service.PlatformGemini,
+		Hydrated: true,
 	}
 	user := &service.User{
 		ID:          7,

backend/internal/server/middleware/api_key_auth_test.go

@@ -26,6 +26,7 @@ func TestSimpleModeBypassesQuotaCheck(t *testing.T) {
 		ID:               42,
 		Name:             "sub",
 		Status:           service.StatusActive,
+		Hydrated:         true,
 		SubscriptionType: service.SubscriptionTypeSubscription,
 		DailyLimitUSD:    &limit,
 	}
@@ -119,6 +120,7 @@ func TestAPIKeyAuthSetsGroupContext(t *testing.T) {
 		Name:     "g1",
 		Status:   service.StatusActive,
 		Platform: service.PlatformAnthropic,
+		Hydrated: true,
 	}
 	user := &service.User{
 		ID:          7,