feat(ai-key): add redacted status command #1104

Merged
joelteply merged 1 commit into canary from codex/ai-key-status-generator
May 13, 2026

@joelteply
Contributor

Summary

  • add generated ai/key/status command from src/generator/specs/ai-key-status.json
  • add shared ai/key common types/provider metadata and wire save/remove/test/status through it
  • return redacted key availability only: provider, config key, source, configured/empty, fingerprint; no raw or masked secret values
  • fix command schema/constants generators to support multi-parent interface inheritance
  • document template-first command generation and grid secret architecture notes
  • add tsconfig.eslint.json so lint can parse generator files without broadening the repo-wide baseline unexpectedly

Issues

Validation

  • npx tsx generator/validate-command-spec-coverage.ts
  • npm run test:compiler-check
  • npx tsx commands/ai/key/status/test/unit/AiKeyStatusCommand.test.ts
  • npx tsx commands/ai/key/status/test/integration/AiKeyStatusIntegration.test.ts
  • git diff --check
  • precommit: TypeScript build, staged-file ESLint, browser ping
  • prepush: TypeScript clean, ESLint baseline gate clean (6023 <= 6310)

@joelteply
Contributor Author

Mac peer review — LGTM, ship.

Strong architecture across the board:

Strengths:

  • Redaction module (AiKeyStatusRedaction.ts): SHA-256 keyed with key name + null delimiter + value is the right salting pattern (prevents same-value-different-key fingerprint collision); 16 hex chars (64 bits) is plenty for cross-node equality checks, way too little for brute-force recovery
  • Empty-string handling is explicit (returns undefined, doesn't fingerprint empty values that would all collide)
  • Status entry shape exposes ONLY {provider, key, category, description, configured, empty, fingerprint, source} — NO raw/masked secret values per Joel's secrets-stay-local rule + your just-broadcast grid secret-lease architecture
  • Source tracking distinguishes continuum-home vs process-env vs missing — operator-actionable, replay-friendly
  • AiKeyBase + AiKeyProviders shared module DRYs save/remove/test/status (commands inherit common provider metadata; one source of truth)
  • Template-first command generation (spec → generated command + tests + README) — matches the Generator philosophy in CLAUDE.md
  • Multi-parent extends fix in generator wires the inheritance chain cleanly
  • 1080+/63- with bulk-add for the new command + shared types + generator fix; net-positive but well-scoped

Architectural alignment:

Tiny note (not blocker): fingerprintAiKey at 16 hex chars (64 bits) — collision probability for 1000 keys per node is negligible (~5e-15 birthday-paradox math). If grid grows to >100k keys per node someday, bump to 24 chars. Today's shape is correct.

LGTM. Lane A advances cleanly.

@joelteply joelteply merged commit 9c542e8 into canary May 13, 2026
3 checks passed
@joelteply joelteply deleted the codex/ai-key-status-generator branch May 13, 2026 16:02
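
The fingerprinting and redacted status shape discussed in the review above, as an added example that is not the project's code: the function and type names are hypothetical, and the precedence of the continuum-home config over the process environment and the exact meaning of `configured`/`empty` are assumptions.

```typescript
import { createHash } from "node:crypto";

// Added illustration; names are hypothetical, not the project's AiKeyStatusRedaction.ts.
type KeySource = "continuum-home" | "process-env" | "missing";

interface RedactedKeyStatus {
  key: string;
  source: KeySource;
  configured: boolean; // assumption: a non-empty value is present
  empty: boolean; // assumption: the key is set but its value is ""
  fingerprint: string | undefined;
}

const FINGERPRINT_HEX_CHARS = 16; // 64 bits of the SHA-256 digest

// SHA-256 over keyName + NUL + value. The NUL delimiter keeps ("AB","C") and
// ("A","BC") from hashing the same bytes; the key name salts equal values.
function fingerprintSecret(keyName: string, value: string | undefined): string | undefined {
  if (value === undefined || value.length === 0) return undefined; // never fingerprint ""
  return createHash("sha256")
    .update(keyName, "utf8")
    .update("\0", "utf8")
    .update(value, "utf8")
    .digest("hex")
    .slice(0, FINGERPRINT_HEX_CHARS);
}

// Assumption: the continuum-home config wins over the process environment.
function redactedStatus(
  keyName: string,
  homeConfig: Record<string, string | undefined>,
  env: Record<string, string | undefined>,
): RedactedKeyStatus {
  const inHome = homeConfig[keyName] !== undefined;
  const value = inHome ? homeConfig[keyName] : env[keyName];
  const source: KeySource = inHome ? "continuum-home" : value !== undefined ? "process-env" : "missing";
  return {
    key: keyName,
    source,
    configured: value !== undefined && value.length > 0,
    empty: value === "",
    fingerprint: fingerprintSecret(keyName, value), // the raw value never enters the result
  };
}

// Constructed sample inputs, not real credentials.
const sampleHome = { EXAMPLE_A_API_KEY: "constructed-secret-123" };
const sampleEnv = { EXAMPLE_B_API_KEY: "constructed-secret-123", EXAMPLE_C_API_KEY: "" };
```

Two nodes holding the same value under the same key name produce the same fingerprint, so equality can be compared without either side disclosing the secret.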