Usage record page renders context item content without an entity access check
## Problem

Follow-up to: #3586294+s

Parent: #3586310+s

_**This issue should be verified prior to working on it to make sure it is valid.**_

`AiContextUsageRecordController` renders the full current content of the referenced context item via the entity view builder with no `access('view')` check. The route only requires `view ai context usage`, so a user with that permission alone can read the content of items they cannot view — notably items unpublished since the usage was recorded (viewing those requires `view any unpublished ai context item` or ownership).

The same controller *does* check `$entity->access('view')` for the target entity, so this breaks the module's own privilege separation between usage viewers and context viewers. The item's label is also disclosed via `toLink()` in the summary table.

This is the only review finding exposing actual item content across a privilege boundary — prioritize it.

## Proposed resolution

Wrap the content render in `$context_item->access('view')` with a "Context item @id (no access)" fallback; gate the `toLink()` in the summary the same way.

Add test coverage for a user with `view ai context usage` but without unpublished-view permission.

## AI usage

- [x] AI assisted issue
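One way to implement the gating from the proposed resolution, as an added example that is not the module's own code. The namespace, class name and the `full` view mode are assumptions, and only Drupal core APIs are used. The access check is requested as an object so that its cacheability travels with the render array and a cached "allowed" render is not served to a user without view access.

```php
<?php

declare(strict_types=1);

// Hypothetical namespace and class; not part of the module under review.
namespace Drupal\example_module;

use Drupal\Core\Cache\CacheableMetadata;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\Core\StringTranslation\StringTranslationTrait;

final class GatedContextItemRenderer {

  use StringTranslationTrait;

  public function __construct(
    private readonly EntityTypeManagerInterface $entityTypeManager,
    private readonly AccountInterface $currentUser,
  ) {}

  /** Full content render, or the fallback text when view access is denied. */
  public function content(EntityInterface $context_item): array {
    // 'full' is an assumed view mode; use whichever the controller renders.
    return $this->gate($context_item, fn(): array => $this->entityTypeManager
      ->getViewBuilder($context_item->getEntityTypeId())
      ->view($context_item, 'full'));
  }

  /** Linked label for the summary table, gated the same way. */
  public function label(EntityInterface $context_item): array {
    return $this->gate($context_item, fn(): array => $context_item->toLink()->toRenderable());
  }

  private function gate(EntityInterface $context_item, callable $allowed): array {
    // Third argument TRUE returns an AccessResultInterface with cache metadata.
    $access = $context_item->access('view', $this->currentUser, TRUE);
    $build = $access->isAllowed()
      ? $allowed()
      : ['#markup' => $this->t('Context item @id (no access)', ['@id' => $context_item->id()])];
    // Merge the access result's cache contexts/tags into whatever was built.
    CacheableMetadata::createFromRenderArray($build)
      ->addCacheableDependency($access)
      ->applyTo($build);
    return $build;
  }

}
```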