fix: 修复模型限制功能逻辑错误（从白名单改回黑名单）

问题原因：
- 在提交 7f9869ae 添加CCR支持时，错误地将模型限制从黑名单改成了白名单
- 前端UI显示"设置此API Key无法访问的模型"，明确表示这是黑名单
- 后端却将其当作白名单处理，导致逻辑完全相反

修复内容：
- 将判断逻辑从 !includes 改回 includes（黑名单逻辑）
- 更新注释和日志消息，明确这是"限制列表"而非"允许列表"
- 同时修复了 api.js 和 claudeRelayService.js 中的所有相关判断

影响范围：
- src/routes/api.js: 修复 /v1/messages 和 /v1/messages/count_tokens 端点的模型限制判断
- src/services/claudeRelayService.js: 修复流式和非流式请求的模型限制判断

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

src/routes/api.js

@@ -42,14 +42,14 @@ async function handleMessagesRequest(req, res) {
       })
     }
 
-    // 模型限制（允许列表）校验：统一在此处处理（去除供应商前缀）
+    // 模型限制（黑名单）校验：统一在此处处理（去除供应商前缀）
     if (
       req.apiKey.enableModelRestriction &&
       Array.isArray(req.apiKey.restrictedModels) &&
       req.apiKey.restrictedModels.length > 0
     ) {
       const effectiveModel = getEffectiveModel(req.body.model || '')
-      if (!req.apiKey.restrictedModels.includes(effectiveModel)) {
+      if (req.apiKey.restrictedModels.includes(effectiveModel)) {
         return res.status(403).json({
           error: {
             type: 'forbidden',
@@ -899,14 +899,14 @@ router.post('/v1/messages/count_tokens', authenticateApiKey, async (req, res) =>
 
     logger.info(`🔢 Processing token count request for key: ${req.apiKey.name}`)
 
-    // 模型限制（允许列表）校验：统一在此处处理（去除供应商前缀）
+    // 模型限制（黑名单）校验：统一在此处处理（去除供应商前缀）
     if (
       req.apiKey.enableModelRestriction &&
       Array.isArray(req.apiKey.restrictedModels) &&
       req.apiKey.restrictedModels.length > 0
     ) {
       const effectiveModel = getEffectiveModel(req.body.model || '')
-      if (!req.apiKey.restrictedModels.includes(effectiveModel)) {
+      if (req.apiKey.restrictedModels.includes(effectiveModel)) {
         return res.status(403).json({
           error: {
             type: 'forbidden',

src/services/claudeRelayService.js

@@ -87,12 +87,12 @@ class ClaudeRelayService {
       ) {
         const requestedModel = requestBody.model
         logger.info(
-          `🔒 Model restriction check - Requested model: ${requestedModel}, Allowed models: ${JSON.stringify(apiKeyData.restrictedModels)}`
+          `🔒 Model restriction check - Requested model: ${requestedModel}, Restricted models: ${JSON.stringify(apiKeyData.restrictedModels)}`
         )
 
-        if (requestedModel && !apiKeyData.restrictedModels.includes(requestedModel)) {
+        if (requestedModel && apiKeyData.restrictedModels.includes(requestedModel)) {
           logger.warn(
-            `🚫 Model restriction violation for key ${apiKeyData.name}: Attempted model ${requestedModel} not in allowed list`
+            `🚫 Model restriction violation for key ${apiKeyData.name}: Attempted to use restricted model ${requestedModel}`
           )
           return {
             statusCode: 403,
@@ -874,12 +874,12 @@ class ClaudeRelayService {
       ) {
         const requestedModel = requestBody.model
         logger.info(
-          `🔒 [Stream] Model restriction check - Requested model: ${requestedModel}, Allowed models: ${JSON.stringify(apiKeyData.restrictedModels)}`
+          `🔒 [Stream] Model restriction check - Requested model: ${requestedModel}, Restricted models: ${JSON.stringify(apiKeyData.restrictedModels)}`
         )
 
-        if (requestedModel && !apiKeyData.restrictedModels.includes(requestedModel)) {
+        if (requestedModel && apiKeyData.restrictedModels.includes(requestedModel)) {
           logger.warn(
-            `🚫 Model restriction violation for key ${apiKeyData.name}: Attempted model ${requestedModel} not in allowed list`
+            `🚫 Model restriction violation for key ${apiKeyData.name}: Attempted to use restricted model ${requestedModel}`
           )
 
           // 对于流式响应，需要写入错误并结束流