feat(ui): implement public status endpoint and update UI components

* add public status handler and response types
* modify status API to restrict access and update client tracking
* adjust UI components to display public status information
* update routing to include public status endpoint

internal/app/status.go

@@ -29,8 +29,24 @@ type statusAPIResponse struct {
 	OAuthEnabled    bool                  `json:"oauth_enabled"`
 }
 
+type publicClientStatus struct {
+	KeyID          string    `json:"key_id"`
+	RequestCount   int       `json:"request_count"`
+	LastAccessedAt time.Time `json:"last_accessed_at"`
+}
+
+type publicStatusResponse struct {
+	ConnectedCount  int                  `json:"connected_count"`
+	ConnectedWindow string               `json:"connected_window"`
+	Entries         []publicClientStatus `json:"entries"`
+}
+
 func statusSnapshot(info buildinfo.Info, tracker *auth.AccessTracker, oauthEnabled bool, now time.Time) statusAPIResponse {
 	entries := tracker.Snapshot()
+	metrics := tracker.Metrics(20)
+	metrics.TopIPs = nil
+	metrics.TopAgents = nil
+	metrics.TopTools = nil
 	return statusAPIResponse{
 		Title:           "Avelon Memory Crystal Server (AMCS)",
 		Description:     "AMCS is a memory server that captures, links, and retrieves structured project thoughts for AI assistants using semantic search, summaries, and MCP tools.",
@@ -40,8 +56,8 @@ func statusSnapshot(info buildinfo.Info, tracker *auth.AccessTracker, oauthEnabl
 		ConnectedCount:  tracker.ConnectedCount(now, connectedWindow),
 		TotalKnown:      len(entries),
 		ConnectedWindow: "last 10 minutes",
-		Entries:         entries,
-		Metrics:         tracker.Metrics(20),
+		Entries:         nil,
+		Metrics:         metrics,
 		OAuthEnabled:    oauthEnabled,
 	}
 }
@@ -55,7 +71,7 @@ func fallback(value, defaultValue string) string {
 
 func statusAPIHandler(info buildinfo.Info, tracker *auth.AccessTracker, oauthEnabled bool) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if r.URL.Path != "/api/status" && r.URL.Path != "/status" {
+		if r.URL.Path != "/api/status" {
 			http.NotFound(w, r)
 			return
 		}
@@ -75,6 +91,47 @@ func statusAPIHandler(info buildinfo.Info, tracker *auth.AccessTracker, oauthEna
 	}
 }
 
+func publicStatusHandler(tracker *auth.AccessTracker) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/status" {
+			http.NotFound(w, r)
+			return
+		}
+		if r.Method != http.MethodGet && r.Method != http.MethodHead {
+			w.Header().Set("Allow", "GET, HEAD")
+			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+			return
+		}
+
+		now := time.Now()
+		cutoff := now.UTC().Add(-connectedWindow)
+		snapshot := tracker.Snapshot()
+		entries := make([]publicClientStatus, 0, len(snapshot))
+		for _, item := range snapshot {
+			if item.LastAccessedAt.Before(cutoff) {
+				continue
+			}
+			entries = append(entries, publicClientStatus{
+				KeyID:          item.KeyID,
+				RequestCount:   item.RequestCount,
+				LastAccessedAt: item.LastAccessedAt,
+			})
+		}
+
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		w.WriteHeader(http.StatusOK)
+		if r.Method == http.MethodHead {
+			return
+		}
+
+		_ = json.NewEncoder(w).Encode(publicStatusResponse{
+			ConnectedCount:  len(entries),
+			ConnectedWindow: "last 10 minutes",
+			Entries:         entries,
+		})
+	}
+}
+
 func homeHandler(_ buildinfo.Info, _ *auth.AccessTracker, _ bool) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if r.Method != http.MethodGet && r.Method != http.MethodHead {