@marcusrbrown/infra 0.9.0 → 0.9.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@marcusrbrown/infra",
-  "version": "0.9.0",
+  "version": "0.9.2",
   "description": "Infrastructure management CLI — deploy automation, health checks, and MCP bridge",
   "keywords": [
     "infra",

package/src/commands/cliproxy/setup/validation.test.ts

@@ -251,6 +251,73 @@ describe('verifyModelsAvailable', () => {
     await expect(verifyModelsAvailable(BASE_URL, KEY, ['openai'], 'openai/gpt-5.4-mini')).resolves.toBeUndefined()
   })
 
+  it('regression: entries WITH owned_by openai still parse and are detected as OpenAI', async () => {
+    const fixture = {
+      data: [
+        {id: 'claude-sonnet-4-6', owned_by: 'anthropic'},
+        {id: 'gpt-5.4-mini', owned_by: 'openai'},
+      ],
+      object: 'list',
+    }
+    globalThis.fetch = mock(async () => new Response(JSON.stringify(fixture))) as unknown as typeof fetch
+
+    await expect(verifyModelsAvailable(BASE_URL, KEY, ['openai'], 'openai/gpt-5.4-mini')).resolves.toBeUndefined()
+  })
+
+  it('v7 compatibility: entries omitting owned_by parse without error and OpenAI is detected via id prefix', async () => {
+    // CLIProxyAPI v7 may return entries without owned_by — these must not fail Zod parse,
+    // and an entry like {id: 'openai/gpt-5.4-mini'} should be detected as an OpenAI model.
+    const v7Fixture = {
+      data: [
+        {id: 'openai/gpt-5.4-mini', object: 'model'},
+        {id: 'anthropic/claude-sonnet-4-6', object: 'model'},
+      ],
+      object: 'list',
+    }
+    globalThis.fetch = mock(async () => new Response(JSON.stringify(v7Fixture))) as unknown as typeof fetch
+
+    // Requesting a model that doesn't exist so we can observe which check throws.
+    // The error must be "not found on proxy" — not a Zod parse error or "No OpenAI models on proxy".
+    await expect(verifyModelsAvailable(BASE_URL, KEY, ['openai'], 'openai/nonexistent-model')).rejects.toThrow(
+      'not found on proxy',
+    )
+  })
+
+  it('v7 compatibility: mixed entries (some with owned_by, some without) resolve correctly', async () => {
+    const mixedFixture = {
+      data: [
+        {id: 'claude-sonnet-4-6', owned_by: 'anthropic'},
+        // v7-style OpenAI entry — no owned_by, id has openai/ prefix
+        {id: 'openai/gpt-5.4-mini', object: 'model'},
+      ],
+      object: 'list',
+    }
+    globalThis.fetch = mock(async () => new Response(JSON.stringify(mixedFixture))) as unknown as typeof fetch
+
+    // Should detect OpenAI via id inference and pass the OpenAI presence check.
+    // The error must be "not found on proxy" — not a Zod parse error or "No OpenAI models on proxy".
+    await expect(
+      verifyModelsAvailable(BASE_URL, KEY, ['anthropic', 'openai'], 'openai/nonexistent-model'),
+    ).rejects.toThrow('not found on proxy')
+  })
+
+  it('v7 compatibility: entry with unrecognizable id and no owned_by does not crash (falls through as non-OpenAI)', async () => {
+    const unknownIdFixture = {
+      data: [
+        // No owned_by, id doesn't map to any known provider
+        {id: 'some-unknown-model', object: 'model'},
+        // A real OpenAI entry with owned_by — detection should succeed via this entry
+        {id: 'gpt-5.4-mini', owned_by: 'openai'},
+      ],
+      object: 'list',
+    }
+    globalThis.fetch = mock(async () => new Response(JSON.stringify(unknownIdFixture))) as unknown as typeof fetch
+
+    // Should still pass — openai is detected via owned_by on the second entry,
+    // and the unknown entry does not cause a crash.
+    await expect(verifyModelsAvailable(BASE_URL, KEY, ['openai'], 'openai/gpt-5.4-mini')).resolves.toBeUndefined()
+  })
+
   it('error path: dual providers, no owned_by=openai entries — throws no-openai-models message', async () => {
     const anthropicOnlyData = {
       data: [
@@ -337,6 +404,94 @@ describe('validateSetupOptions — providers/model validation', () => {
   })
 })
 
+// ── FIX 1: owned_by:'' falls back to id inference ────────────────────────────
+
+describe('verifyModelsAvailable — owned_by empty string falls back to id inference', () => {
+  let originalFetch: typeof globalThis.fetch
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+  originalFetch = globalThis.fetch
+
+  it('entry with owned_by:"" and id "openai/gpt-5.4-mini" is detected as OpenAI (does not throw no-openai-models)', async () => {
+    const fixture = {
+      data: [{id: 'openai/gpt-5.4-mini', owned_by: ''}],
+    }
+    globalThis.fetch = mock(async () => new Response(JSON.stringify(fixture))) as unknown as typeof fetch
+
+    // Must resolve — empty owned_by should fall back to id prefix inference
+    await expect(
+      verifyModelsAvailable('https://cliproxy.fro.bot', 'sk-test-key', ['openai'], 'openai/gpt-5.4-mini'),
+    ).resolves.toBeUndefined()
+  })
+})
+
+// ── FIX 2: v7-prefixed model presence ────────────────────────────────────────
+
+describe('verifyModelsAvailable — v7-prefixed model id matched without owned_by', () => {
+  let originalFetch: typeof globalThis.fetch
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+  originalFetch = globalThis.fetch
+
+  it('entry with id "openai/gpt-5.4-mini" (no owned_by) resolves when requesting "openai/gpt-5.4-mini"', async () => {
+    const fixture = {
+      data: [{id: 'openai/gpt-5.4-mini'}],
+    }
+    globalThis.fetch = mock(async () => new Response(JSON.stringify(fixture))) as unknown as typeof fetch
+
+    await expect(
+      verifyModelsAvailable('https://cliproxy.fro.bot', 'sk-test-key', ['openai'], 'openai/gpt-5.4-mini'),
+    ).resolves.toBeUndefined()
+  })
+
+  it('model not found error lists requested model and available openai id but not anthropic ids', async () => {
+    const fixture = {
+      data: [{id: 'openai/gpt-5.4-mini'}, {id: 'anthropic/claude-sonnet-4-6'}],
+    }
+    globalThis.fetch = mock(async () => new Response(JSON.stringify(fixture))) as unknown as typeof fetch
+
+    let errorMessage = ''
+    try {
+      await verifyModelsAvailable('https://cliproxy.fro.bot', 'sk-test-key', ['openai'], 'openai/nonexistent')
+    } catch (error) {
+      errorMessage = error instanceof Error ? error.message : String(error)
+    }
+
+    expect(errorMessage).toContain('nonexistent')
+    expect(errorMessage).toContain('openai/gpt-5.4-mini')
+    expect(errorMessage).not.toContain('anthropic')
+    expect(errorMessage).not.toContain('claude')
+  })
+})
+
+// ── FIX 3: exact key redacted in /v1/models error body ───────────────────────
+
+describe('verifyModelsAvailable — exact key redacted in error body', () => {
+  let originalFetch: typeof globalThis.fetch
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+  originalFetch = globalThis.fetch
+
+  it('500 response body containing the raw key does not expose the key in thrown message', async () => {
+    const rawKey = 'my-plain-key-no-bearer-prefix'
+    const body = `Internal error: key=${rawKey} was invalid`
+    globalThis.fetch = mock(async () => new Response(body, {status: 500})) as unknown as typeof fetch
+
+    let errorMessage = ''
+    try {
+      await verifyModelsAvailable('https://cliproxy.fro.bot', rawKey, ['openai'], 'openai/gpt-5.4-mini')
+    } catch (error) {
+      errorMessage = error instanceof Error ? error.message : String(error)
+    }
+
+    expect(errorMessage).toContain('500')
+    expect(errorMessage).not.toContain(rawKey)
+  })
+})
+
 // ── assertProxyReachable (new TDD tests) ──────────────────────────────────────
 
 describe('assertProxyReachable', () => {
@@ -366,6 +521,19 @@ describe('assertProxyReachable', () => {
 
     await expect(assertProxyReachable('https://bad.example')).rejects.toThrow(/Proxy check failed/)
   })
+
+  it('probes /healthz: resolves when /healthz returns 200 and bare base returns 404', async () => {
+    const BASE = 'https://proxy.example'
+    let fetchedUrl: string | undefined
+    globalThis.fetch = mock(async (url: string) => {
+      fetchedUrl = url
+      if (url === `${BASE}/healthz`) return new Response('{"status":"ok"}', {status: 200})
+      return new Response('Not Found', {status: 404})
+    }) as unknown as typeof fetch
+
+    await expect(assertProxyReachable(BASE)).resolves.toBeUndefined()
+    expect(fetchedUrl).toBe(`${BASE}/healthz`)
+  })
 })
 
 // ── assertProxyKeyWorks (new TDD tests) ───────────────────────────────────────

package/src/commands/cliproxy/setup/validation.ts

@@ -4,11 +4,12 @@ import {z} from 'zod'
 
 import {parseProviders, type ProviderId} from './providers'
 
-// Permissive schema: unknown fields preserved via passthrough()
+// Permissive schema: unknown fields preserved via passthrough().
+// owned_by is optional — CLIProxyAPI v7 may omit it; provider is inferred from id instead.
 const modelEntrySchema = z
   .object({
     id: z.string(),
-    owned_by: z.string(),
+    owned_by: z.string().optional(),
   })
   .passthrough()
 
@@ -22,6 +23,32 @@ export const MODEL_ID_RE = /^(?:anthropic|openai)\/[a-z\d](?:[a-z\d.\-]*[a-z\d])
 
 const HTTP_TIMEOUT_MS = 10_000
 
+type ModelEntry = z.infer<typeof modelEntrySchema>
+
+// Known bare-id patterns per provider, used only when owned_by is absent
+// (e.g. CLIProxyAPI v7 omits owned_by from /v1/models entries).
+const PROVIDER_ID_PATTERNS: Record<string, RegExp> = {
+  openai: /^(?:gpt-|o1-|o3-|codex)/i,
+  anthropic: /^claude-/i,
+}
+
+/**
+ * Decides whether a /v1/models entry belongs to a provider.
+ * Prefers owned_by when present; falls back to id prefix / known bare-id
+ * patterns when absent. Display/validation-only — never an auth or trust signal.
+ */
+function entryMatchesProvider(entry: ModelEntry, provider: string): boolean {
+  if (entry.owned_by !== undefined && entry.owned_by.trim() !== '') {
+    return entry.owned_by === provider
+  }
+  const id = entry.id ?? ''
+  if (id.startsWith(`${provider}/`)) {
+    return true
+  }
+  const pattern = PROVIDER_ID_PATTERNS[provider]
+  return pattern === undefined ? false : pattern.test(id)
+}
+
 /** Local copy — avoids a circular import with setup.ts (validation → setup → validation). */
 function extractErrorMessage(error: unknown): string {
   return error instanceof Error ? error.message : String(error)
@@ -97,8 +124,8 @@ export async function verifyModelsAvailable(
 
   if (!response.ok) {
     const rawBody = await response.text()
-    // Redact any Authorization headers or sk-* token-shaped strings that the server might echo
-    const redacted = rawBody
+    // Redact the literal key value, Authorization headers, and sk-* shaped tokens
+    const redacted = (key.length > 0 ? rawBody.replaceAll(key, '<redacted>') : rawBody)
       .replaceAll(/Bearer\s+[^\s"]+/g, 'Bearer <redacted>')
       .replaceAll(/sk-[\w.-]{8,}/g, 'sk-<redacted>')
     const excerpt = redacted.slice(0, 200)
@@ -120,9 +147,9 @@ export async function verifyModelsAvailable(
 
   const entries = parsed.data
 
-  // OpenAI presence check
+  // OpenAI presence check.
   if (providers.includes('openai')) {
-    const hasOpenAi = entries.some(e => e.owned_by === 'openai')
+    const hasOpenAi = entries.some(e => entryMatchesProvider(e, 'openai'))
     if (!hasOpenAi) {
       throw new Error('No OpenAI models on proxy — is the Codex token loaded? Try `cliproxy login codex`.')
     }
@@ -133,11 +160,11 @@ export async function verifyModelsAvailable(
   const bareId = slashIndex === -1 ? model : model.slice(slashIndex + 1)
   const providerPrefix = slashIndex >= 0 ? model.slice(0, slashIndex) : undefined
 
-  const modelPresent = entries.some(e => e.id === bareId)
+  const modelPresent = entries.some(e => e.id === bareId || e.id === model)
   if (!modelPresent) {
     // List available ids for the matching provider only
     const matchingIds = providerPrefix
-      ? entries.filter(e => e.owned_by === providerPrefix).map(e => e.id)
+      ? entries.filter(e => entryMatchesProvider(e, providerPrefix)).map(e => e.id)
       : entries.map(e => e.id)
     const available = matchingIds.length > 0 ? matchingIds.join(', ') : '(none)'
     throw new Error(`Model "${bareId}" not found on proxy. Available ${providerPrefix ?? 'models'}: ${available}`)
@@ -146,7 +173,7 @@ export async function verifyModelsAvailable(
 
 export async function assertProxyReachable(baseUrl: string): Promise<void> {
   try {
-    const response = await fetch(baseUrl, {
+    const response = await fetch(`${baseUrl}/healthz`, {
       signal: AbortSignal.timeout(HTTP_TIMEOUT_MS),
     })
 

package/src/commands/cliproxy/status.test.ts

@@ -8,6 +8,7 @@ import {
   cliproxyStatusAction,
   formatDurationMs,
   formatUsageSummaryLine,
+  getCliproxyStatusSummary,
   levelLabel,
   stripTrailingSlash,
   toNumber,
@@ -131,50 +132,54 @@ describe('cliproxy status helpers', () => {
   })
 
   describe('checkUsageStats', () => {
-    it('returns ok when failures are zero (nested usage object)', async () => {
+    it('returns ok for empty array (idle)', async () => {
       globalThis.fetch = createFetchImplementation(
-        async () =>
-          new Response(
-            JSON.stringify({failed_requests: 0, usage: {total_requests: 10, failure_count: 0, success_count: 10}}),
-            {status: 200, headers: {'content-type': 'application/json'}},
-          ),
+        async () => new Response('[]', {status: 200, headers: {'content-type': 'application/json'}}),
       )
 
       const result = await checkUsageStats('https://cliproxy.example.com', 'secret')
 
       expect(result.level).toBe('ok')
-      expect(result.summary).toBe('total_requests=10, failure_count=0')
+      expect(result.summary).toMatch(/idle|recent: 0/)
     })
 
-    it('returns ok with flat payload (backwards compat)', async () => {
+    it('returns ok for all-success queue array', async () => {
+      const queue = [{status: 200}, {status: 201}, {status: 200}]
       globalThis.fetch = createFetchImplementation(
-        async () =>
-          new Response(JSON.stringify({total_requests: 10, failure_count: 0}), {
-            status: 200,
-            headers: {'content-type': 'application/json'},
-          }),
+        async () => new Response(JSON.stringify(queue), {status: 200, headers: {'content-type': 'application/json'}}),
       )
 
       const result = await checkUsageStats('https://cliproxy.example.com', 'secret')
 
       expect(result.level).toBe('ok')
-      expect(result.summary).toBe('total_requests=10, failure_count=0')
+      expect(result.summary).toContain('recent: 3')
+    })
+
+    it('returns warning for queue with error-status records', async () => {
+      const queue = [{status: 200}, {status: 500}, {status: 200}]
+      globalThis.fetch = createFetchImplementation(
+        async () => new Response(JSON.stringify(queue), {status: 200, headers: {'content-type': 'application/json'}}),
+      )
+
+      const result = await checkUsageStats('https://cliproxy.example.com', 'secret')
+
+      expect(result.level).toBe('warning')
+      expect(result.summary).toContain('recent: 3')
+      expect(result.summary).toContain('errors: 1')
     })
 
-    it('returns warning when token refresh is likely needed', async () => {
+    it('returns warning when usage-queue returns a non-array object', async () => {
       globalThis.fetch = createFetchImplementation(
         async () =>
-          new Response(
-            JSON.stringify({failed_requests: 3, usage: {total_requests: 10, failure_count: 3, success_count: 7}}),
-            {status: 200, headers: {'content-type': 'application/json'}},
-          ),
+          new Response(JSON.stringify({unexpected: 'object'}), {
+            status: 200,
+            headers: {'content-type': 'application/json'},
+          }),
       )
 
       const result = await checkUsageStats('https://cliproxy.example.com', 'secret')
 
       expect(result.level).toBe('warning')
-      expect(result.summary).toContain('total_requests=10, failure_count=3')
-      expect(result.summary).toContain('token refresh likely needed')
     })
 
     it('returns warning when rate limited', async () => {
@@ -258,54 +263,54 @@ describe('cliproxy status helpers', () => {
   })
 
   describe('formatUsageSummaryLine', () => {
-    it('formats zero-failure summary', () => {
+    it('formats a recent-activity summary with no errors', () => {
       const result = formatUsageSummaryLine({
         title: 'Usage stats',
         level: 'ok',
-        summary: 'total_requests=10, failure_count=0',
+        summary: 'recent: 10',
       })
 
-      expect(result).toBe('Requests: 10 total, 0 failed (0.0% failure rate)')
+      expect(result).toBe('Recent requests: 10')
     })
 
-    it('formats non-zero failure summary with correct rate', () => {
+    it('formats a recent-activity summary with errors appended', () => {
       const result = formatUsageSummaryLine({
         title: 'Usage stats',
         level: 'warning',
-        summary: 'total_requests=10, failure_count=3 (token refresh likely needed)',
+        summary: 'recent: 10, errors: 3',
       })
 
-      expect(result).toBe('Requests: 10 total, 3 failed (30.0% failure rate)')
+      expect(result).toBe('Recent requests: 10, 3 errors')
     })
 
-    it('returns null when summary has no numeric fields', () => {
+    it('formats an idle recent summary', () => {
       const result = formatUsageSummaryLine({
         title: 'Usage stats',
-        level: 'warning',
-        summary: 'Rate limited by management API (HTTP 429). Retry in a few moments.',
+        level: 'ok',
+        summary: 'recent: 0 (idle)',
       })
 
-      expect(result).toBeNull()
+      expect(result).toBe('Recent requests: 0')
     })
 
-    it('returns null for error summaries without numeric fields', () => {
+    it('returns null when summary has no recent-activity field', () => {
       const result = formatUsageSummaryLine({
         title: 'Usage stats',
-        level: 'error',
-        summary: 'Unable to read usage stats: socket hang up',
+        level: 'warning',
+        summary: 'Rate limited by management API (HTTP 429). Retry in a few moments.',
       })
 
       expect(result).toBeNull()
     })
 
-    it('handles zero total requests without division by zero', () => {
+    it('returns null for error summaries without a recent field', () => {
       const result = formatUsageSummaryLine({
         title: 'Usage stats',
-        level: 'ok',
-        summary: 'total_requests=0, failure_count=0',
+        level: 'error',
+        summary: 'Unable to read usage stats: socket hang up',
       })
 
-      expect(result).toBe('Requests: 0 total, 0 failed (0.0% failure rate)')
+      expect(result).toBeNull()
     })
   })
 })
@@ -387,3 +392,328 @@ describe('cliproxyStatusAction (Tier-2 ctx capture)', () => {
     }
   })
 })
+
+describe('usage-queue migration', () => {
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+
+  it('populated usage-queue returns recent-activity summary with correct total and error count', async () => {
+    const queue = [
+      {status: 200, model: 'claude-3-5-sonnet'},
+      {status: 500, model: 'claude-3-5-sonnet'},
+      {status: 200, model: 'claude-3-5-sonnet'},
+    ]
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url.includes('/v0/management/usage-queue')) {
+        return new Response(JSON.stringify(queue), {status: 200, headers: {'content-type': 'application/json'}})
+      }
+
+      throw new Error(`Unexpected fetch: ${url}`)
+    })
+
+    const result = await checkUsageStats('https://cliproxy.example.com', 'secret')
+
+    expect(result.level).not.toBe('error')
+    expect(result.summary).toContain('recent: 3')
+    expect(result.summary).toContain('errors: 1')
+  })
+
+  it('empty usage-queue returns ok/idle result, not an error', async () => {
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url.includes('/v0/management/usage-queue')) {
+        return new Response('[]', {status: 200, headers: {'content-type': 'application/json'}})
+      }
+
+      throw new Error(`Unexpected fetch: ${url}`)
+    })
+
+    const result = await checkUsageStats('https://cliproxy.example.com', 'secret')
+
+    expect(result.level).toBe('ok')
+    expect(result.summary).toMatch(/idle|recent: 0/)
+  })
+
+  it('malformed usage-queue response returns warning, not error, and does not throw', async () => {
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url.includes('/v0/management/usage-queue')) {
+        return new Response('{"not":"an-array"}', {status: 200, headers: {'content-type': 'application/json'}})
+      }
+
+      throw new Error(`Unexpected fetch: ${url}`)
+    })
+
+    const result = await checkUsageStats('https://cliproxy.example.com', 'secret')
+
+    expect(result.level).toBe('warning')
+  })
+
+  it('formatUsageSummaryLine returns a human-friendly line for recent-window summary', () => {
+    const result = formatUsageSummaryLine({
+      title: 'Usage stats',
+      level: 'ok',
+      summary: 'recent: 5, errors: 1',
+    })
+
+    expect(result).not.toBeNull()
+    expect(result).toContain('5')
+  })
+})
+
+describe('management auth failure surfaces in unified summary (FIX 4)', () => {
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+
+  it('getCliproxyStatusSummary with a bad key (401) shows auth failure in version and usageStats, not "— (no key)"', async () => {
+    globalThis.fetch = createFetchImplementation(async (url, init) => {
+      const hdrs = init?.headers
+      const hasKey =
+        hdrs instanceof Headers
+          ? hdrs.has('x-management-key')
+          : hdrs !== null && hdrs !== undefined && typeof hdrs === 'object' && 'x-management-key' in hdrs
+      if (url.includes('/v0/management/') && hasKey) {
+        return new Response('Unauthorized', {status: 401})
+      }
+
+      return new Response('ok', {status: 200})
+    })
+
+    const summary = await getCliproxyStatusSummary('https://cliproxy.example.com', 'bad-key', false)
+
+    // Must NOT show the no-key sentinel — a bad key is distinct from no key
+    expect(summary.version).not.toBe('— (no key)')
+    expect(summary.usageStats).not.toBe('— (no key)')
+    // Must contain some error/auth indicator
+    expect(summary.version.toLowerCase()).toMatch(/error|auth|401|management|unauthorized/i)
+    expect(summary.usageStats.toLowerCase()).toMatch(/error|auth|401|management|unauthorized/i)
+  })
+})
+
+describe('ban body word-boundary detection (FIX 5)', () => {
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+
+  it('403 with body {detail:"bandwidth exceeded"} is NOT treated as a ban (generic 403)', async () => {
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url.includes('/v0/management/config')) {
+        return new Response(JSON.stringify({detail: 'bandwidth exceeded'}), {
+          status: 403,
+          headers: {'content-type': 'application/json'},
+        })
+      }
+
+      return new Response('ok', {status: 200})
+    })
+
+    const {ctx, captured} = createCapturedCtx()
+    try {
+      await cliproxyStatusAction({url: 'https://cliproxy.example.com', key: 'any-key'}, ctx)
+    } catch (error) {
+      if (!(error instanceof MockProcessExit)) throw error
+    }
+
+    const output = [...captured.stdout, ...captured.stderr].join('\n')
+    expect(output.toLowerCase()).not.toMatch(/ip.?ban/)
+  })
+
+  it('403 with body {error:"IP banned"} IS treated as a ban', async () => {
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url.includes('/v0/management/config')) {
+        return new Response(JSON.stringify({error: 'IP banned'}), {
+          status: 403,
+          headers: {'content-type': 'application/json'},
+        })
+      }
+
+      return new Response('ok', {status: 200})
+    })
+
+    const {ctx, captured} = createCapturedCtx()
+    try {
+      await cliproxyStatusAction({url: 'https://cliproxy.example.com', key: 'any-key'}, ctx)
+    } catch (error) {
+      if (!(error instanceof MockProcessExit)) throw error
+    }
+
+    const output = [...captured.stdout, ...captured.stderr].join('\n')
+    expect(output.toLowerCase()).toMatch(/ip.?ban/)
+  })
+})
+
+describe('reachability probe targets /healthz liveness endpoint', () => {
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+
+  it('cliproxyStatusAction reports HTTP reachable when /healthz returns 200 and bare base returns 404', async () => {
+    const BASE = 'https://cliproxy.example.com'
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url === `${BASE}/healthz`) return new Response('{"status":"ok"}', {status: 200})
+      if (url === BASE) return new Response('Not Found', {status: 404})
+      return new Response('ok', {status: 200})
+    })
+
+    const {ctx, captured} = createCapturedCtx()
+    await cliproxyStatusAction({url: BASE}, ctx)
+
+    const output = [...captured.stdout, ...captured.stderr].join('\n')
+    expect(output).toContain('OK')
+    expect(output).not.toMatch(/ERROR.*HTTP reachability|HTTP reachability.*ERROR/)
+  })
+
+  it('getCliproxyStatusSummary reports http ok when /healthz returns 200 and bare base returns 404', async () => {
+    const BASE = 'https://cliproxy.example.com'
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url === `${BASE}/healthz`) return new Response('{"status":"ok"}', {status: 200})
+      if (url === BASE) return new Response('Not Found', {status: 404})
+      return new Response('ok', {status: 200})
+    })
+
+    const summary = await getCliproxyStatusSummary(BASE, '', false)
+
+    expect(summary.http).toMatch(/^OK/)
+  })
+})
+
+describe('management auth probe (ban-awareness)', () => {
+  afterEach(() => {
+    globalThis.fetch = originalFetch
+  })
+
+  it('bad management key causes at most one management fetch and skips version+usage calls', async () => {
+    const managementFetchUrls: string[] = []
+
+    globalThis.fetch = createFetchImplementation(async (url, init) => {
+      const hdrs = init?.headers
+      const hasManagementKey =
+        hdrs instanceof Headers
+          ? hdrs.has('x-management-key')
+          : hdrs !== null && hdrs !== undefined && typeof hdrs === 'object' && 'x-management-key' in hdrs
+      if (url.includes('/v0/management/') && hasManagementKey) {
+        managementFetchUrls.push(url)
+        return new Response('Unauthorized', {status: 401})
+      }
+
+      if (url.includes('/healthz') || !url.includes('/v0/management/')) {
+        return new Response('ok', {status: 200})
+      }
+
+      throw new Error(`Unexpected fetch: ${url}`)
+    })
+
+    const {ctx} = createCapturedCtx()
+    // Auth failure yields error-level result → exit(1) → MockProcessExit thrown
+    try {
+      await cliproxyStatusAction({url: 'https://cliproxy.example.com', key: 'bad-key'}, ctx)
+    } catch (error) {
+      if (!(error instanceof MockProcessExit)) throw error
+    }
+
+    expect(managementFetchUrls.length).toBe(1)
+    expect(managementFetchUrls[0]).toContain('/v0/management/config')
+  })
+
+  it('403 with ban body surfaces a distinct IP-banned message', async () => {
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url.includes('/v0/management/config')) {
+        return new Response(JSON.stringify({error: 'IP banned'}), {
+          status: 403,
+          headers: {'content-type': 'application/json'},
+        })
+      }
+
+      return new Response('ok', {status: 200})
+    })
+
+    const {ctx, captured} = createCapturedCtx()
+    // 403+ban → error level → exit(1)
+    try {
+      await cliproxyStatusAction({url: 'https://cliproxy.example.com', key: 'any-key'}, ctx)
+    } catch (error) {
+      if (!(error instanceof MockProcessExit)) throw error
+    }
+
+    const output = [...captured.stdout, ...captured.stderr].join('\n')
+    expect(output.toLowerCase()).toMatch(/ip.?ban/)
+  })
+
+  it('auth error message does not contain the management key value', async () => {
+    const secretKey = 'super-secret-mgmt-key-12345'
+
+    globalThis.fetch = createFetchImplementation(async url => {
+      if (url.includes('/v0/management/config')) {
+        return new Response('Unauthorized', {status: 401})
+      }
+
+      return new Response('ok', {status: 200})
+    })
+
+    const {ctx, captured} = createCapturedCtx()
+    // 401 → error level → exit(1)
+    try {
+      await cliproxyStatusAction({url: 'https://cliproxy.example.com', key: secretKey}, ctx)
+    } catch (error) {
+      if (!(error instanceof MockProcessExit)) throw error
+    }
+
+    const allOutput = [...captured.stdout, ...captured.stderr].join('\n')
+    expect(allOutput).not.toContain(secretKey)
+  })
+
+  it('successful probe allows version and usage checks to proceed in parallel', async () => {
+    const fetchedUrls: string[] = []
+
+    globalThis.fetch = createFetchImplementation(async url => {
+      fetchedUrls.push(url)
+      if (url.includes('/v0/management/config')) {
+        return new Response(JSON.stringify({config: 'ok'}), {
+          status: 200,
+          headers: {'content-type': 'application/json'},
+        })
+      }
+
+      if (url.includes('/v0/management/usage-queue')) {
+        return new Response('[]', {status: 200, headers: {'content-type': 'application/json'}})
+      }
+
+      if (url.includes('/v0/management/latest-version')) {
+        return new Response(JSON.stringify({'latest-version': 'v7.1.31'}), {
+          status: 200,
+          headers: {'content-type': 'application/json'},
+        })
+      }
+
+      return new Response('ok', {status: 200})
+    })
+
+    const {ctx} = createCapturedCtx()
+    await cliproxyStatusAction({url: 'https://cliproxy.example.com', key: 'valid-key'}, ctx)
+
+    expect(fetchedUrls.some(u => u.includes('/v0/management/latest-version'))).toBe(true)
+    expect(fetchedUrls.some(u => u.includes('/v0/management/usage-queue'))).toBe(true)
+  })
+
+  it('getCliproxyStatusSummary with bad key fires only one management fetch', async () => {
+    const managementFetchUrls: string[] = []
+
+    globalThis.fetch = createFetchImplementation(async (url, init) => {
+      const hdrs = init?.headers
+      const hasKey =
+        hdrs instanceof Headers
+          ? hdrs.has('x-management-key')
+          : hdrs !== null && hdrs !== undefined && typeof hdrs === 'object' && 'x-management-key' in hdrs
+      if (url.includes('/v0/management/') && hasKey) {
+        managementFetchUrls.push(url)
+        return new Response('Unauthorized', {status: 401})
+      }
+
+      return new Response('ok', {status: 200})
+    })
+
+    await getCliproxyStatusSummary('https://cliproxy.example.com', 'bad-key', false)
+
+    expect(managementFetchUrls.length).toBe(1)
+  })
+})

package/src/commands/cliproxy/status.ts

@@ -94,8 +94,34 @@ export async function checkHttpReachability(url: string, verbose: boolean): Prom
   }
 }
 
+/** Count records in a usage-queue array that look like errors/failures. Defensive: only counts when a recognizable field exists. */
+function countQueueErrors(records: unknown[]): number {
+  let count = 0
+  for (const record of records) {
+    if (record === null || typeof record !== 'object') {
+      continue
+    }
+
+    const rec = record as Record<string, unknown>
+
+    // Status field >= 400 indicates an HTTP-level error
+    const status = toNumber(rec.status)
+    if (status !== null && status >= 400) {
+      count++
+      continue
+    }
+
+    // Explicit error/failure markers
+    if (rec.error !== undefined || rec.failed === true || rec.failure === true) {
+      count++
+    }
+  }
+
+  return count
+}
+
 export async function checkUsageStats(baseUrl: string, key: string): Promise<CheckResult> {
-  const endpoint = `${baseUrl}/v0/management/usage`
+  const endpoint = `${baseUrl}/v0/management/usage-queue?count=50`
 
   try {
     const response = await fetch(endpoint, {
@@ -115,31 +141,35 @@ export async function checkUsageStats(baseUrl: string, key: string): Promise<Che
       return {
         title: 'Usage stats',
         level: 'error',
-        summary: `GET /v0/management/usage failed with HTTP ${response.status}`,
+        summary: `GET /v0/management/usage-queue failed with HTTP ${response.status}`,
       }
     }
 
     const payload = await parseJsonResponse(response)
-    const top = payload && typeof payload === 'object' ? (payload as Record<string, unknown>) : {}
-    const usage = top.usage && typeof top.usage === 'object' ? (top.usage as Record<string, unknown>) : top
-    const totalRequests = toNumber(usage.total_requests)
-    const failureCount = toNumber(usage.failure_count)
 
-    if (totalRequests === null || failureCount === null) {
+    if (!Array.isArray(payload)) {
       return {
         title: 'Usage stats',
         level: 'warning',
-        summary: 'Management usage payload is missing expected numeric fields.',
+        summary: 'Usage-queue response was not an array — cannot parse recent activity.',
+      }
+    }
+
+    const total = payload.length
+    const errors = countQueueErrors(payload)
+
+    if (total === 0) {
+      return {
+        title: 'Usage stats',
+        level: 'ok',
+        summary: 'recent: 0 (idle)',
       }
     }
 
     return {
       title: 'Usage stats',
-      level: failureCount > 0 ? 'warning' : 'ok',
-      summary:
-        failureCount > 0
-          ? `total_requests=${totalRequests}, failure_count=${failureCount} (token refresh likely needed)`
-          : `total_requests=${totalRequests}, failure_count=${failureCount}`,
+      level: errors > 0 ? 'warning' : 'ok',
+      summary: errors > 0 ? `recent: ${total}, errors: ${errors}` : `recent: ${total}`,
     }
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error)
@@ -196,6 +226,95 @@ export async function checkVersion(baseUrl: string, key: string): Promise<CheckR
   }
 }
 
+/**
+ * Probe the management API with a cheap auth check before issuing parallel calls.
+ * Returns null on success, or a CheckResult describing the auth failure.
+ * Never throws.
+ */
+async function probeManagementAuth(baseUrl: string, key: string): Promise<CheckResult | null> {
+  const endpoint = `${baseUrl}/v0/management/config`
+
+  try {
+    const response = await fetch(endpoint, {
+      headers: managementHeaders(key),
+      signal: AbortSignal.timeout(HTTP_TIMEOUT_MS),
+    })
+
+    if (response.ok) {
+      return null
+    }
+
+    if (response.status === 403) {
+      // Could be an IP ban — inspect body for ban-ish markers
+      const payload = await parseJsonResponse(response)
+      const isBanBody =
+        payload !== null &&
+        typeof payload === 'object' &&
+        Object.values(payload as Record<string, unknown>).some(
+          v => typeof v === 'string' && /\b(?:ip[- ]?)?bann?ed\b/i.test(v),
+        )
+
+      if (isBanBody) {
+        return {
+          title: 'Management access',
+          level: 'error',
+          summary: 'IP banned — stop retrying for ~30 min. Management checks skipped.',
+        }
+      }
+
+      return {
+        title: 'Management access',
+        level: 'error',
+        summary: 'Management API returned HTTP 403. Management checks skipped.',
+      }
+    }
+
+    if (response.status === 401) {
+      return {
+        title: 'Management access',
+        level: 'error',
+        summary: 'Management API returned HTTP 401 (invalid key). Management checks skipped.',
+      }
+    }
+
+    return {
+      title: 'Management access',
+      level: 'warning',
+      summary: `Management auth probe returned HTTP ${response.status}. Management checks skipped.`,
+    }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error)
+    return {
+      title: 'Management access',
+      level: 'error',
+      summary: `Management auth probe failed: ${message}`,
+    }
+  }
+}
+
+type ManagementChecks =
+  | {kind: 'no-key'}
+  | {kind: 'auth-failure'; result: CheckResult}
+  | {kind: 'checks'; usage: CheckResult; version: CheckResult}
+
+/**
+ * Run management checks with single probe + parallel data fetches.
+ * Returns a discriminated union so callers handle no-key, auth-failure, and success distinctly.
+ */
+async function runManagementChecks(baseUrl: string, key: string | undefined): Promise<ManagementChecks> {
+  if (!key) {
+    return {kind: 'no-key'}
+  }
+
+  const authFailure = await probeManagementAuth(baseUrl, key)
+  if (authFailure !== null) {
+    return {kind: 'auth-failure', result: authFailure}
+  }
+
+  const [usage, version] = await Promise.all([checkUsageStats(baseUrl, key), checkVersion(baseUrl, key)])
+  return {kind: 'checks', usage, version}
+}
+
 function printCheckResult(result: CheckResult, ctx: ActionCtx): void {
   ctx.console.log(`[${levelLabel(result.level)}] ${result.title}`)
   ctx.console.log(`  ${result.summary}`)
@@ -212,37 +331,46 @@ function formatCheckSummary(result: CheckResult): string {
 }
 
 export function formatUsageSummaryLine(result: CheckResult): string | null {
-  const totalMatch = /total_requests=(\d+)/.exec(result.summary)
-  const failureMatch = /failure_count=(\d+)/.exec(result.summary)
-
-  if (!totalMatch || !failureMatch) {
+  // v7 recent-window format: "recent: N" or "recent: N, errors: M"
+  const recentMatch = /recent:\s*(\d+)/.exec(result.summary)
+  if (!recentMatch) {
     return null
   }
-
-  const total = Number(totalMatch[1])
-  const failed = Number(failureMatch[1])
-  const failureRate = total === 0 ? 0 : (failed / total) * 100
-
-  return `Requests: ${total} total, ${failed} failed (${failureRate.toFixed(1)}% failure rate)`
+  const total = Number(recentMatch[1])
+  const errorMatch = /errors:\s*(\d+)/.exec(result.summary)
+  const errors = errorMatch ? Number(errorMatch[1]) : 0
+  return `Recent requests: ${total}${errors > 0 ? `, ${errors} errors` : ''}`
 }
 
 export async function getCliproxyStatusSummary(baseUrl: string, key: string, verbose: boolean): Promise<StatusSummary> {
   const normalizedBaseUrl = stripTrailingSlash(baseUrl)
-  const httpPromise = checkHttpReachability(normalizedBaseUrl, verbose)
-  const managementResultsPromise = key
-    ? Promise.all([checkUsageStats(normalizedBaseUrl, key), checkVersion(normalizedBaseUrl, key)])
-    : Promise.resolve(null)
-
-  const [httpResult, managementResults] = await Promise.all([httpPromise, managementResultsPromise])
-  const [usageResult, versionResult] = managementResults ?? [null, null]
+  const [httpResult, mgmt] = await Promise.all([
+    checkHttpReachability(`${normalizedBaseUrl}/healthz`, verbose),
+    runManagementChecks(normalizedBaseUrl, key || undefined),
+  ])
+
+  let version: string
+  let usageStats: string
+
+  if (mgmt.kind === 'no-key') {
+    version = '— (no key)'
+    usageStats = '— (no key)'
+  } else if (mgmt.kind === 'auth-failure') {
+    const authSummary = formatCheckSummary(mgmt.result)
+    version = authSummary
+    usageStats = authSummary
+  } else {
+    version = formatCheckSummary(mgmt.version)
+    usageStats = formatCheckSummary(mgmt.usage)
+  }
 
   return {
     app: 'cliproxy',
     http: formatCheckSummary(httpResult),
     lastDeploy: '—',
-    version: versionResult ? formatCheckSummary(versionResult) : '— (no key)',
+    version,
     contentHash: '—',
-    usageStats: usageResult ? formatCheckSummary(usageResult) : '— (no key)',
+    usageStats,
   }
 }
 
@@ -262,25 +390,24 @@ export async function cliproxyStatusAction(options: StatusOptions, ctx: ActionCt
     ctx.console.log('CLIProxyAPI status')
     ctx.console.log('')
 
-    const results: CheckResult[] = [await checkHttpReachability(baseUrl, verbose)]
+    const results: CheckResult[] = [await checkHttpReachability(`${baseUrl}/healthz`, verbose)]
 
     let capturedUsageResult: CheckResult | undefined
 
-    if (managementKey) {
-      const [usageResult, versionResult] = await Promise.all([
-        checkUsageStats(baseUrl, managementKey),
-        checkVersion(baseUrl, managementKey),
-      ])
+    const mgmt = await runManagementChecks(baseUrl, managementKey)
 
-      capturedUsageResult = usageResult
-      results.push(usageResult, versionResult)
-    } else {
+    if (mgmt.kind === 'no-key') {
       results.push({
         title: 'Management checks',
         level: 'warning',
         summary:
           'CLIPROXY_MANAGEMENT_KEY is not set. Skipping usage stats and version checks. Provide --key or set env var.',
       })
+    } else if (mgmt.kind === 'auth-failure') {
+      results.push(mgmt.result)
+    } else {
+      capturedUsageResult = mgmt.usage
+      results.push(mgmt.usage, mgmt.version)
     }
 
     for (const result of results) {

package/src/commands/mcp.test.ts

@@ -150,12 +150,6 @@ describe('mcp integration (Tier-1, in-process)', () => {
   // Mode C: when a command returns structured data AND prints to stdout,
   // the CallToolResult must contain BOTH a stdout text block AND a
   // stringified return-value text block.
-  //
-  // Re-enable after Unit 4 lands (cliproxy keys list refactor to return
-  // structured data alongside ctx-printed text).
-
-  // Re-enable after Unit 4 lands (cliproxy keys list refactor to return
-  // structured data alongside ctx-printed text).
   test('cliproxy_keys_list returns BOTH stdout block AND structured return block (Mode C contract)', async () => {
     const originalFetch = globalThis.fetch
     const originalKey = process.env.CLIPROXY_MANAGEMENT_KEY