diff --git a/.gitignore b/.gitignore
index 4a5b5125..8101d63e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -85,3 +85,4 @@ test-results/
 # VitePress docs build artifacts
 docs/.vitepress/dist/
 docs/.vitepress/cache/
+.claude/scheduled_tasks.lock
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/.openspec.yaml b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/.openspec.yaml
new file mode 100644
index 00000000..927e3e8e
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-31
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/design.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/design.md
new file mode 100644
index 00000000..75ea17cf
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/design.md
@@ -0,0 +1,159 @@
+## Context
+
+AutoRouter 的 CLIProxyAPI 管理页面（`system/cliproxy`）目前包含实例表格和账号面板两个区块，支持实例 CRUD、连通性检测、账号同步/启停/字段编辑、OAuth 登录（3 个 Provider）和上游创建。CLIProxyAPI 原生 WebUI 则额外提供认证文件上传/下载/删除、日志查看、OAuth 回调提交、6 个 Provider 支持等能力。本次变更在现有页面基础上扩展，补齐这些管理能力。
+
+### 当前页面结构
+
+```
+┌─────────────────────────────────────────────────┐
+│ Topbar: CLIProxyAPI                             │
+├─────────────────────────────────────────────────┤
+│ Card: Instances                    [+ Add]      │
+│ ┌─────┬──────┬────────────┬────────┬──────────┐ │
+│ │Name │ Mode │ Proxy URL  │ Status │ Actions  │ │
+│ ├─────┼──────┼────────────┼────────┼──────────┤ │
+│ │ ... │ ...  │ ...        │ Badge  │ ⋯ Menu   │ │
+│ └─────┴──────┴────────────┴────────┴──────────┘ │
+├─────────────────────────────────────────────────┤
+│ Card: OAuth Accounts (选中实例后显示)            │
+│          [OAuth Login] [Sync Accounts]          │
+│ ┌──────┬──────────┬────────┬───────┬──────────┐ │
+│ │ File │ Provider │ Status │Models │ Actions  │ │
+│ ├──────┼──────────┼────────┼───────┼──────────┤ │
+│ │ ...  │ Badge    │ Badge  │  N    │ ⋯ Menu   │ │
+│ └──────┴──────────┴────────┴───────┴──────────┘ │
+└─────────────────────────────────────────────────┘
+```
+
+## Goals / Non-Goals
+
+**Goals:**
+
+1. 在现有 CLIProxyAPI 管理页面中补齐认证文件管理（上传、下载、删除）、模型列表查看、账号详情查看、OAuth 回调提交、实例日志查看、关联上游查看共 6 个功能区
+2. 将 OAuth Provider 从 3 个扩展到 6 个
+3. 实例表格增加行内启停切换
+4. 所有新增功能复用现有架构模式，保持代码风格一致
+
+**Non-Goals:**
+
+1. 不引入 CLIProxyAPI 的配置管理（config.yaml 读写）——远程修改运行时配置安全风险高
+2. 不引入 AI Provider 密钥管理——AutoRouter 的上游管理已覆盖此能力
+3. 不引入配额管理——与 AutoRouter 的 billing 系统概念重叠
+4. 不引入 Ampcode 集成——小众 Provider，后续按需添加
+
+## Decisions
+
+### D1: 页面布局扩展策略
+
+在现有两个 Card（实例表格 + 账号面板）的基础上，新增两个 Card（关联上游面板 + 日志面板），均在选中实例后显示。页面纵向排列顺序为：实例表格 → 账号面板 → 关联上游面板 → 日志面板。
+
+**备选方案**：使用 Tab 切换不同面板。放弃原因：当前面板数量有限（4 个），纵向排列更符合现有布局风格且一目了然。
+
+### 扩展后页面布局
+
+```
+┌──────────────────────────────────────────────────────┐
+│ Topbar: CLIProxyAPI                                  │
+├──────────────────────────────────────────────────────┤
+│ Card: Instances                          [+ Add]     │
+│ ┌──────┬──────┬────────────┬────────┬───────────────┐│
+│ │Name  │ Mode │ Proxy URL  │ Status │   Actions     ││
+│ ├──────┼──────┼────────────┼────────┼───────────────┤│
+│ │ ...  │ ...  │ ...        │[Toggle]│ ⋯ Menu        ││
+│ └──────┴──────┴────────────┴────────┴───────────────┘│
+│                                            ▲         │
+│                              行内 Switch 启停切换     │
+├──────────────────────────────────────────────────────┤
+│ Card: OAuth Accounts (选中实例后)                     │
+│     [OAuth Login] [Upload Auth File] [Sync Accounts] │
+│ ┌──────┬────────┬──────┬───────┬──────┬─────────────┐│
+│ │ File │Provider│Status│Models │Prefix│  Actions     ││
+│ ├──────┼────────┼──────┼───────┼──────┼─────────────┤│
+│ │ ...  │ Badge  │Badge │  N 👁  │ ... │⋯ Menu       ││
+│ └──────┴────────┴──────┴───────┴──────┴─────────────┘│
+│                              ▲                       │
+│            模型数可点击查看列表；Menu 增加详情/删除    │
+├──────────────────────────────────────────────────────┤
+│ Card: Linked Upstreams (选中实例后)                   │
+│ ┌──────────────┬──────────┬────────────┬────────────┐│
+│ │ Upstream Name│ Provider │ Type       │ Account    ││
+│ ├──────────────┼──────────┼────────────┼────────────┤│
+│ │ ... Pool     │ codex    │ Pool       │ —          ││
+│ │ ... Account  │ anthropic│ Single     │ alice.json ││
+│ └──────────────┴──────────┴────────────┴────────────┘│
+├──────────────────────────────────────────────────────┤
+│ Card: Instance Logs (选中实例后)                      │
+│     [Refresh]  搜索框  时间范围选择                    │
+│ ┌────────────────────────────────────────────────────┐│
+│ │ 2025-05-31 10:23:45 [INFO] request forwarded ...  ││
+│ │ 2025-05-31 10:23:46 [WARN] auth token expired ... ││
+│ │ ...                                                ││
+│ └────────────────────────────────────────────────────┘│
+└──────────────────────────────────────────────────────┘
+```
+
+### D2: 管理 API 客户端扩展方式
+
+在现有 `cliproxy-management-client.ts` 中新增 5 个方法：`deleteAuthFile`、`uploadAuthFile`、`downloadAuthFile`、`submitOAuthCallback`、`getLogs`。保持与现有方法相同的模式：接受 `CliproxyManagementTarget`、调用 `requestManagementApi`、返回类型化结果。
+
+`downloadAuthFile` 较特殊，返回的是原始 JSON 文本而非解析后的对象，需要在 `requestManagementApi` 之外单独处理响应。
+
+### D3: OAuth Provider 扩展方式
+
+在 `cliproxy-management-client.ts` 中扩展 `CLIPROXY_OAUTH_PROVIDERS` 常量和 `AUTH_URL_ENDPOINT` 映射。新增 Provider 对应的端点为：
+
+| Provider | 端点片段 | 特殊参数 |
+|----------|----------|----------|
+| xAI/Grok | `xai-auth-url` | 无 |
+| Antigravity | `antigravity-auth-url` | 无 |
+| Kimi | `kimi-auth-url` | 无（无自动回调，需配合 OAuth callback 手动提交） |
+
+前端 `CLIPROXY_PROVIDERS` 类型和 UI 选项列表同步扩展。`cliproxy-upstream-preset.ts` 中的 `CLIPROXY_UPSTREAM_PRESETS` 暂不扩展（新 Provider 的路径约定尚未确定），池上游创建仍限于原有 3 个 Provider。
+
+**备选方案**：同时扩展 upstream preset 支持 6 个 Provider。放弃原因：xAI/Antigravity/Kimi 的 CLIProxyAPI 路径后缀和路由能力尚未有稳定约定，留作后续独立变更。
+
+### D4: Admin 路由组织
+
+新增路由全部放在 `src/app/api/admin/cliproxy/instances/[id]/` 下，保持与现有路由树一致：
+
+```
+instances/[id]/
+  ├── auth-accounts/...           (existing)
+  ├── oauth-login/...             (existing)
+  ├── pool-upstreams/             (existing)
+  ├── test/                       (existing)
+  ├── auth-files/                 (NEW)
+  │   ├── route.ts                POST: upload
+  │   └── [name]/
+  │       ├── route.ts            GET: download, DELETE: delete
+  ├── oauth-callback/             (NEW)
+  │   └── route.ts                POST: submit callback
+  ├── logs/                       (NEW)
+  │   └── route.ts                GET: fetch logs
+  └── linked-upstreams/           (NEW)
+      └── route.ts                GET: list linked upstreams
+```
+
+### D5: 认证文件删除与本地缓存清理
+
+删除操作分两步：先调用 CLIProxyAPI `DELETE /v0/management/auth-files` 删除上游文件，成功后删除本地 `cliproxy_auth_accounts` 中对应的缓存记录。CLIProxyAPI 侧删除失败则整体失败，不触及本地缓存。
+
+### D6: 日志面板实现
+
+日志面板使用简单的增量拉取模式（`GET /v0/management/logs`），由前端手动刷新或设置自动刷新间隔。日志内容以等宽字体渲染，支持关键词筛选（前端过滤）。不使用 SSE 或 WebSocket 实时推送，保持实现简单。
+
+**备选方案**：日志实时推送。放弃原因：CLIProxyAPI 管理 API 不提供日志推送端点，且 AutoRouter 在中间层做推送会增加不必要的复杂度。
+
+### D7: 关联上游面板数据来源
+
+直接查询 AutoRouter 本地 `upstreams` 表中 `cliproxyInstanceId` 匹配所选实例的记录。不需要调用 CLIProxyAPI 管理 API。查询结果包含上游名称、Provider、类型（池/单账号）、绑定的账号文件名。
+
+## Risks / Trade-offs
+
+**[CLIProxyAPI 版本兼容]** → 新增的管理 API 端点（auth-files 上传/下载/删除、oauth-callback、logs）可能在旧版本 CLIProxyAPI 中不存在。采用防御性处理：管理 API 调用失败时返回可理解的错误信息，不影响其他功能。
+
+**[认证文件上传安全]** → 上传的 JSON 可能包含恶意内容。AutoRouter 仅做格式校验（合法 JSON），实际内容由 CLIProxyAPI 负责校验和处理。Admin API 本身需要 ADMIN_TOKEN 鉴权，风险可控。
+
+**[日志体积]** → CLIProxyAPI 日志可能较大。前端限制单次拉取行数（默认 200 行），并支持时间范围过滤以控制返回体积。
+
+**[新 Provider 无 upstream preset]** → xAI/Antigravity/Kimi 暂不支持一键创建池上游。OAuth 登录和账号管理可正常使用，上游创建需通过通用上游管理界面手动配置。
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/proposal.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/proposal.md
new file mode 100644
index 00000000..1cf4f35c
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/proposal.md
@@ -0,0 +1,53 @@
+## Why
+
+CLIProxyAPI 原生 WebUI（Management Center）提供了 8 个功能页面（仪表盘、配置管理、Provider 密钥、认证文件管理、OAuth 登录、配额管理、日志、系统信息），而 AutoRouter 当前仅覆盖了实例 CRUD、账号同步/启停/字段编辑和 3 个 Provider 的 OAuth 登录。管理员在日常运维中需要频繁切换到 CLIProxyAPI 原生面板完成认证文件管理、日志查看、模型列表查看等操作，体验割裂且效率低下。本次变更将 CLIProxyAPI 原生面板中最高价值的管理能力集成到 AutoRouter 管理端，使管理员在单一界面内完成绝大多数 CLIProxyAPI 运维操作。
+
+## What Changes
+
+### 前端增强（后端已有数据或接口，仅需前端入口）
+
+- 账号表格增加**模型列表查看**操作，弹窗展示该账号可用的具体模型列表（后端 `getAuthFileModels` 已实现）
+- 账号表格增加**详情查看**操作，弹窗展示 email、status、status_message、raw_metadata 快照、last_synced_at 等完整元数据
+- CLIProxyAPI 页面增加**关联上游**面板，展示某实例下所有关联的池上游和单账号上游（upstreams 表已有 `cliproxyInstanceId` 字段）
+- 实例表格行内增加**快捷启停切换**，无需打开编辑弹窗
+
+### 新增后端路由与前端（管理 API 透传至 CLIProxyAPI）
+
+- **认证文件删除**：透传 `DELETE /v0/management/auth-files` 到 CLIProxyAPI，同时移除本地缓存
+- **认证文件上传**：透传 `POST /v0/management/auth-files` 到 CLIProxyAPI，上传 JSON 格式认证文件并触发同步
+- **认证文件下载**：透传 `GET /v0/management/auth-files/download?name=...`，下载认证文件原始 JSON
+- **OAuth 回调 URL 手动提交**：透传 `POST /v0/management/oauth-callback`，在自动回调不可达时允许管理员手动粘贴回调 URL 完成登录
+- **CLIProxyAPI 实例日志查看**：透传 `GET /v0/management/logs`，在 AutoRouter 管理端按时间范围查看 CLIProxyAPI 运行日志
+
+### OAuth Provider 扩展
+
+- 将 OAuth 登录支持的 Provider 从 3 个（Codex、Anthropic、Gemini）扩展到 6 个，新增 xAI/Grok、Antigravity、Kimi
+
+## Capabilities
+
+### New Capabilities
+
+- `cliproxy-auth-file-operations`: 认证文件的上传、下载、删除操作，涵盖管理 API 客户端扩展、Admin 路由、前端弹窗
+- `cliproxy-instance-logs`: CLIProxyAPI 实例日志查看，涵盖管理 API 客户端扩展、Admin 路由、前端日志面板
+- `cliproxy-oauth-callback`: OAuth 回调 URL 手动提交，涵盖管理 API 客户端扩展、Admin 路由、前端输入弹窗
+
+### Modified Capabilities
+
+- `cliproxy-admin-ui`: 实例表格增加行内启停切换、页面增加关联上游面板
+- `cliproxy-oauth-account-management`: 账号表格增加模型列表查看和详情查看操作、OAuth Provider 列表从 3 个扩展到 6 个
+
+## Impact
+
+**后端**
+- `cliproxy-management-client.ts`：新增 `deleteAuthFile`、`uploadAuthFile`、`downloadAuthFile`、`submitOAuthCallback`、`getLogs` 5 个上游调用方法；`CLIPROXY_OAUTH_PROVIDERS` 常量从 3 项扩展到 6 项，`AUTH_URL_ENDPOINT` 对应扩展
+- `cliproxy-auth-account-service.ts`：新增 `deleteCliproxyAuthAccount` 方法（删除上游认证文件后移除本地缓存）
+- 新增 Admin 路由：`instances/[id]/auth-files/upload`、`instances/[id]/auth-files/[name]/download`、`instances/[id]/auth-files/[name]/delete`、`instances/[id]/oauth-callback`、`instances/[id]/logs`
+- `cliproxy-instance-crud.ts`：新增 `toggleCliproxyInstanceEnabled` 快捷方法
+- 新增 Admin 路由：`instances/[id]/upstreams`（查询关联上游）
+
+**前端**
+- 新增组件：`cliproxy-account-models-dialog.tsx`、`cliproxy-account-detail-dialog.tsx`、`cliproxy-auth-file-upload-dialog.tsx`、`cliproxy-auth-file-download-button.tsx`、`cliproxy-oauth-callback-dialog.tsx`、`cliproxy-instance-logs-panel.tsx`、`cliproxy-linked-upstreams-panel.tsx`
+- 修改组件：`cliproxy-instances-table.tsx`（行内启停）、`cliproxy-accounts-table.tsx`（新增模型/详情/删除操作）、`cliproxy-accounts-panel.tsx`（新增上传按钮）、`cliproxy-oauth-login-dialog.tsx`（6 个 Provider）
+- `use-cliproxy.ts`：新增对应的 hooks
+- `src/types/cliproxy.ts`：新增类型定义
+- `src/messages/en.json` 和 `zh-CN.json`：新增国际化文案
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-admin-ui/spec.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-admin-ui/spec.md
new file mode 100644
index 00000000..f035079b
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-admin-ui/spec.md
@@ -0,0 +1,84 @@
+## ADDED Requirements
+
+### Requirement: 实例行内启停切换
+
+系统 SHALL 在实例表格的状态列中以 Switch 组件替代原有的纯 Badge 展示，允许管理员直接在行内切换实例的启用/停用状态。切换 MUST 调用实例更新 API 仅修改 `enabled` 字段，成功后刷新实例列表并提示成功，失败时回滚 Switch 状态并提示错误。
+
+#### Scenario: 启用实例
+
+- **WHEN** 管理员将某停用实例的 Switch 切换为启用
+- **THEN** 系统调用实例更新 API 将 enabled 设为 true，成功后实例状态更新
+
+#### Scenario: 停用实例
+
+- **WHEN** 管理员将某启用实例的 Switch 切换为停用
+- **THEN** 系统调用实例更新 API 将 enabled 设为 false，成功后实例状态更新
+
+#### Scenario: 切换失败回滚
+
+- **WHEN** 实例更新 API 调用失败
+- **THEN** Switch 组件回滚到切换前状态，界面提示错误
+
+### Requirement: 关联上游面板
+
+系统 SHALL 在选中 CLIProxyAPI 实例后展示关联上游面板，列出该实例下所有关联的池上游和单账号上游。面板数据 MUST 来源于 AutoRouter 本地 `upstreams` 表中 `cliproxyInstanceId` 匹配所选实例的记录。每行 MUST 展示上游名称、服务商、类型（池上游/单账号上游）和绑定的账号文件名（如有）。
+
+#### Scenario: 展示关联上游
+
+- **WHEN** 管理员选中某实例且该实例存在关联上游
+- **THEN** 关联上游面板展示该实例下所有关联上游的列表
+
+#### Scenario: 无关联上游
+
+- **WHEN** 管理员选中某实例且该实例无关联上游
+- **THEN** 面板展示"暂无关联上游"提示
+
+#### Scenario: 区分上游类型
+
+- **WHEN** 关联上游列表包含池上游和单账号上游
+- **THEN** 列表以不同标签区分两种类型，单账号上游额外展示绑定的账号文件名
+
+### Requirement: 关联上游查询 Admin API
+
+系统 SHALL 提供关联上游查询 Admin API `GET /api/admin/cliproxy/instances/:id/linked-upstreams`。该端点 MUST 复用既有 Admin 鉴权机制。端点 SHALL 查询 `upstreams` 表中 `cliproxyInstanceId` 等于指定实例 ID 的记录，并返回上游名称、ID、服务商、类型和绑定的账号文件名。
+
+#### Scenario: 查询关联上游
+
+- **WHEN** 管理员请求某实例的关联上游列表
+- **THEN** 系统返回该实例下所有关联上游的信息
+
+#### Scenario: 实例无关联上游
+
+- **WHEN** 请求的实例无关联上游
+- **THEN** 系统返回空数组
+
+## MODIFIED Requirements
+
+### Requirement: OAuth 登录流程界面
+
+系统 SHALL 提供 OAuth 登录流程界面，以弹窗形式发起 Codex、Claude、Gemini、xAI、Antigravity、Kimi 的 OAuth 登录。弹窗 MUST 展示发起登录接口返回的授权地址，并提供在新标签页打开授权地址与复制授权地址的操作。系统 SHALL 按固定间隔轮询登录状态。由于发起登录接口不返回过期时间，系统 MUST 以客户端固定超时上限作为轮询的硬性截止。登录成功时 MUST 关闭弹窗并刷新账号列表；失败或达到超时上限时 MUST 停止轮询并展示可理解的错误、重新发起入口以及手动提交回调 URL 的入口。
+
+#### Scenario: 发起 OAuth 登录
+
+- **WHEN** 管理员为某实例发起某服务商的 OAuth 登录
+- **THEN** 弹窗展示授权地址，并开始轮询登录状态
+
+#### Scenario: 登录成功
+
+- **WHEN** 轮询到登录完成
+- **THEN** 弹窗关闭，账号列表刷新，界面提示登录成功
+
+#### Scenario: 登录超时
+
+- **WHEN** 轮询达到客户端固定超时上限仍未完成
+- **THEN** 停止轮询，展示超时错误、重新发起登录的入口以及手动提交回调 URL 的输入区域
+
+#### Scenario: 关闭弹窗停止轮询
+
+- **WHEN** 管理员在登录完成前主动关闭弹窗
+- **THEN** 轮询停止
+
+#### Scenario: 服务商选项覆盖六个 Provider
+
+- **WHEN** 管理员打开 OAuth 登录弹窗的服务商选择器
+- **THEN** 列出 Codex、Claude、Gemini、xAI、Antigravity、Kimi 六个选项
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-auth-file-operations/spec.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-auth-file-operations/spec.md
new file mode 100644
index 00000000..e7466844
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-auth-file-operations/spec.md
@@ -0,0 +1,97 @@
+## ADDED Requirements
+
+### Requirement: 管理 API 客户端认证文件操作
+
+系统 SHALL 在 CLIProxyAPI 管理 API 客户端中新增三个方法：上传认证文件、下载认证文件、删除认证文件。三个方法 MUST 复用现有的鉴权、超时和错误处理机制。
+
+#### Scenario: 上传认证文件
+
+- **WHEN** 调用上传认证文件方法，传入目标实例和 JSON 内容
+- **THEN** 客户端向 CLIProxyAPI 发送 `POST /v0/management/auth-files`，请求体为 JSON 内容
+
+#### Scenario: 下载认证文件
+
+- **WHEN** 调用下载认证文件方法，传入目标实例和账号文件名
+- **THEN** 客户端向 CLIProxyAPI 发送 `GET /v0/management/auth-files/download?name=<文件名>`，返回原始 JSON 文本
+
+#### Scenario: 删除认证文件
+
+- **WHEN** 调用删除认证文件方法，传入目标实例和账号文件名
+- **THEN** 客户端向 CLIProxyAPI 发送 `DELETE /v0/management/auth-files`，请求体包含 `{ name: <文件名> }`
+
+### Requirement: 认证文件删除服务
+
+系统 SHALL 提供认证文件删除服务方法，先调用 CLIProxyAPI 删除上游文件，成功后删除本地 `cliproxy_auth_accounts` 缓存表中对应的记录。CLIProxyAPI 侧删除失败时 MUST 整体失败，MUST NOT 触及本地缓存。
+
+#### Scenario: 删除成功并清理缓存
+
+- **WHEN** 管理员请求删除某实例下的某个认证文件
+- **THEN** 系统先调用 CLIProxyAPI 删除该文件，成功后从本地缓存表中移除对应记录
+
+#### Scenario: CLIProxyAPI 删除失败
+
+- **WHEN** CLIProxyAPI 删除认证文件请求返回错误
+- **THEN** 系统返回错误，本地缓存保持不变
+
+#### Scenario: 本地无缓存记录
+
+- **WHEN** CLIProxyAPI 删除成功，但本地缓存表中无对应记录
+- **THEN** 系统正常返回成功，不报错
+
+### Requirement: 认证文件管理 Admin API
+
+系统 SHALL 提供认证文件管理 Admin API，包含上传、下载、删除三个端点。所有端点 MUST 复用既有 Admin 鉴权机制（Bearer ADMIN_TOKEN）。
+
+#### Scenario: 上传认证文件
+
+- **WHEN** 管理员向 `POST /api/admin/cliproxy/instances/:id/auth-files` 提交 JSON 内容
+- **THEN** 系统将内容透传至 CLIProxyAPI 上传端点，成功后触发该实例的账号同步并返回同步结果
+
+#### Scenario: 下载认证文件
+
+- **WHEN** 管理员请求 `GET /api/admin/cliproxy/instances/:id/auth-files/:name`
+- **THEN** 系统从 CLIProxyAPI 下载该文件并以 `application/json` 返回原始内容
+
+#### Scenario: 删除认证文件
+
+- **WHEN** 管理员请求 `DELETE /api/admin/cliproxy/instances/:id/auth-files/:name`
+- **THEN** 系统调用删除服务方法，成功后返回已删除的文件名
+
+#### Scenario: 操作不存在的实例
+
+- **WHEN** 请求指向不存在的实例 ID
+- **THEN** 系统返回 404 实例不存在错误
+
+#### Scenario: 缺少管理鉴权
+
+- **WHEN** 请求未携带有效的 ADMIN_TOKEN Bearer 凭据
+- **THEN** 系统返回 401 鉴权失败错误
+
+### Requirement: 认证文件管理前端
+
+系统 SHALL 在账号面板中提供认证文件上传按钮，点击后打开上传弹窗。上传弹窗 MUST 接受 JSON 文件选择或 JSON 文本粘贴。系统 SHALL 在账号行操作菜单中提供下载和删除操作。下载 MUST 触发浏览器文件下载。删除 MUST 经确认弹窗确认后执行。
+
+#### Scenario: 上传认证文件
+
+- **WHEN** 管理员在上传弹窗中选择 JSON 文件或粘贴 JSON 文本并提交
+- **THEN** 系统调用上传 API，成功后刷新账号列表并提示成功
+
+#### Scenario: 上传无效 JSON
+
+- **WHEN** 管理员提交的内容不是合法 JSON
+- **THEN** 前端阻止提交并提示格式错误
+
+#### Scenario: 下载认证文件
+
+- **WHEN** 管理员在某账号行选择下载
+- **THEN** 浏览器下载该账号的原始 JSON 文件，文件名为账号文件名
+
+#### Scenario: 删除认证文件
+
+- **WHEN** 管理员在某账号行选择删除并在确认弹窗中确认
+- **THEN** 系统调用删除 API，成功后刷新账号列表并提示成功
+
+#### Scenario: 取消删除
+
+- **WHEN** 管理员在确认弹窗中取消
+- **THEN** 不执行删除操作
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-instance-logs/spec.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-instance-logs/spec.md
new file mode 100644
index 00000000..775e6519
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-instance-logs/spec.md
@@ -0,0 +1,68 @@
+## ADDED Requirements
+
+### Requirement: 管理 API 客户端日志查询
+
+系统 SHALL 在 CLIProxyAPI 管理 API 客户端中新增日志查询方法。该方法 MUST 调用 `GET /v0/management/logs`，支持可选的时间戳参数用于增量拉取。响应 MUST 解析为日志条目数组。
+
+#### Scenario: 查询全部日志
+
+- **WHEN** 调用日志查询方法且不传入时间戳参数
+- **THEN** 客户端向 CLIProxyAPI 发送不带时间戳过滤的日志查询请求
+
+#### Scenario: 增量查询日志
+
+- **WHEN** 调用日志查询方法并传入起始时间戳
+- **THEN** 客户端在请求中携带时间戳参数，仅返回该时间点之后的日志
+
+#### Scenario: CLIProxyAPI 不支持日志端点
+
+- **WHEN** CLIProxyAPI 返回 404 或其他不支持的状态
+- **THEN** 客户端返回可识别的服务错误，不抛出未分类异常
+
+### Requirement: 实例日志 Admin API
+
+系统 SHALL 提供实例日志查询 Admin API `GET /api/admin/cliproxy/instances/:id/logs`。该端点 MUST 复用既有 Admin 鉴权机制。端点 SHALL 支持 `since` 查询参数（ISO 时间戳），将其透传至 CLIProxyAPI 日志查询端点。
+
+#### Scenario: 查询实例日志
+
+- **WHEN** 管理员请求某实例的日志
+- **THEN** 系统从 CLIProxyAPI 拉取日志并返回日志条目数组
+
+#### Scenario: 带时间范围查询
+
+- **WHEN** 管理员在请求中携带 `since` 时间戳
+- **THEN** 系统仅返回该时间点之后的日志
+
+#### Scenario: 操作不存在的实例
+
+- **WHEN** 请求指向不存在的实例 ID
+- **THEN** 系统返回 404 实例不存在错误
+
+### Requirement: 实例日志查看前端
+
+系统 SHALL 在 CLIProxyAPI 页面选中实例后展示日志面板 Card。日志面板 MUST 以等宽字体渲染日志文本。面板 SHALL 提供手动刷新按钮和关键词搜索输入框（前端过滤）。面板 SHALL 在首次显示时自动拉取一次日志。
+
+#### Scenario: 查看实例日志
+
+- **WHEN** 管理员选中某实例
+- **THEN** 日志面板自动拉取并展示该实例的最新日志
+
+#### Scenario: 手动刷新
+
+- **WHEN** 管理员点击刷新按钮
+- **THEN** 面板重新拉取日志并更新显示
+
+#### Scenario: 关键词搜索
+
+- **WHEN** 管理员在搜索框中输入关键词
+- **THEN** 日志列表仅显示包含该关键词的行
+
+#### Scenario: 日志为空
+
+- **WHEN** CLIProxyAPI 返回空日志
+- **THEN** 面板展示"暂无日志"提示
+
+#### Scenario: 切换实例
+
+- **WHEN** 管理员切换到另一个实例
+- **THEN** 日志面板清空并拉取新实例的日志
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-oauth-account-management/spec.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-oauth-account-management/spec.md
new file mode 100644
index 00000000..7f5fdea0
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-oauth-account-management/spec.md
@@ -0,0 +1,112 @@
+## ADDED Requirements
+
+### Requirement: 账号模型列表查看
+
+系统 SHALL 在前端账号表格中提供每个账号的模型列表查看入口。点击后 MUST 调用后端 API 获取该账号在 CLIProxyAPI 侧的可用模型列表，并以弹窗或展开行形式展示。模型列表 MUST 展示模型 ID 和显示名称。
+
+#### Scenario: 查看账号模型列表
+
+- **WHEN** 管理员点击某账号的模型数量或模型查看操作
+- **THEN** 系统从 CLIProxyAPI 实时查询该账号的可用模型列表并展示
+
+#### Scenario: 模型查询失败
+
+- **WHEN** 模型列表查询调用 CLIProxyAPI 失败
+- **THEN** 弹窗展示可理解的错误信息
+
+#### Scenario: 账号无可用模型
+
+- **WHEN** CLIProxyAPI 返回空模型列表
+- **THEN** 弹窗展示"该账号暂无可用模型"提示
+
+### Requirement: 账号模型列表 Admin API
+
+系统 SHALL 提供账号模型列表查询 Admin API `GET /api/admin/cliproxy/instances/:id/auth-accounts/:name/models`。该端点 MUST 复用既有 Admin 鉴权机制。端点 SHALL 调用 CLIProxyAPI 管理 API 客户端的 `getAuthFileModels` 方法查询指定账号的模型列表。
+
+#### Scenario: 查询账号模型列表
+
+- **WHEN** 管理员请求某实例下某账号的模型列表
+- **THEN** 系统从 CLIProxyAPI 查询并返回该账号的可用模型数组
+
+#### Scenario: CLIProxyAPI 查询失败
+
+- **WHEN** CLIProxyAPI 模型查询端点返回错误
+- **THEN** 系统返回对应的管理 API 错误
+
+### Requirement: 账号详情查看
+
+系统 SHALL 在前端账号表格的行操作菜单中提供详情查看入口。详情弹窗 MUST 展示账号的全部元数据：账号文件名、服务商、邮箱、CLIProxyAPI 侧状态（status 字段）、启用/停用状态、前缀、优先级、备注、模型数量、原始元数据快照（raw_metadata 中的各字段）、最近同步时间、创建时间、更新时间。
+
+#### Scenario: 查看账号详情
+
+- **WHEN** 管理员在某账号行选择查看详情
+- **THEN** 弹窗展示该账号的全部元数据
+
+#### Scenario: 元数据字段为空
+
+- **WHEN** 某些可选字段（email、status、prefix、note 等）为空
+- **THEN** 弹窗中对应位置展示占位符或"未设置"标记
+
+### Requirement: 账号表格信息增强
+
+系统 SHALL 在账号表格中增加 email 列的展示。email 列 MUST 展示账号的邮箱地址，为空时显示占位符。
+
+#### Scenario: 展示账号邮箱
+
+- **WHEN** 账号存在邮箱地址
+- **THEN** 表格中 email 列展示该邮箱
+
+#### Scenario: 邮箱为空
+
+- **WHEN** 账号邮箱为空
+- **THEN** 表格中 email 列展示"—"占位符
+
+## MODIFIED Requirements
+
+### Requirement: CLIProxyAPI 管理 API 客户端
+
+系统 SHALL 提供单一的 CLIProxyAPI 管理 API 客户端模块，集中封装本能力所需的全部管理端点调用。客户端 MUST 使用 `Authorization: Bearer` 形式注入管理密钥，MUST 为请求设置超时上限，并 MUST 对响应缺失字段做容错解析。封装范围 SHALL 覆盖列出 auth-files、查询某 auth-file 的模型、更新账号启用状态、更新账号字段、获取 OAuth 授权地址、查询 OAuth 登录状态、上传认证文件、下载认证文件、删除认证文件、提交 OAuth 回调、查询实例日志。
+
+#### Scenario: 携带管理密钥调用管理 API
+
+- **WHEN** 客户端调用任一管理端点
+- **THEN** 请求头以 `Authorization: Bearer` 形式携带该实例的管理密钥明文
+
+#### Scenario: 管理 API 调用超时
+
+- **WHEN** 某次管理 API 调用在超时上限内未返回
+- **THEN** 客户端中止请求并返回可识别的超时错误
+
+#### Scenario: 响应字段缺失容错
+
+- **WHEN** CLIProxyAPI 返回的 auth-files 条目缺少部分可选字段
+- **THEN** 客户端按缺省值解析，不因可选字段缺失而抛出异常
+
+### Requirement: OAuth 登录流程
+
+系统 SHALL 允许管理员从管理端发起 Codex、Claude、Gemini、xAI、Antigravity、Kimi 的 OAuth 登录。发起登录时系统 MUST 调用 CLIProxyAPI 对应的授权地址端点并默认携带 `is_webui=true`，将返回的授权地址与会话标识返回管理端。系统 SHALL 提供登录状态查询，透传 CLIProxyAPI 的登录状态。当登录状态为成功时，系统 MUST 触发该实例的账号同步。系统 MUST NOT 在自身持久化 OAuth 登录会话。
+
+#### Scenario: 发起 OAuth 登录
+
+- **WHEN** 管理员对某实例选择服务商并发起 OAuth 登录
+- **THEN** 系统返回 CLIProxyAPI 给出的授权地址与会话标识
+
+#### Scenario: 轮询登录进行中
+
+- **WHEN** 管理员持会话标识查询登录状态且 CLIProxyAPI 返回进行中
+- **THEN** 系统返回进行中状态，供管理端继续轮询
+
+#### Scenario: 登录成功触发同步
+
+- **WHEN** 登录状态查询返回成功
+- **THEN** 系统触发该实例的账号同步，使新登录账号进入缓存表
+
+#### Scenario: 登录失败返回错误
+
+- **WHEN** CLIProxyAPI 返回登录失败
+- **THEN** 系统返回失败状态与错误信息
+
+#### Scenario: 六个 Provider 均可发起
+
+- **WHEN** 管理员选择 xAI、Antigravity 或 Kimi 发起登录
+- **THEN** 系统使用对应的授权地址端点发起登录，流程与既有三个 Provider 一致
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-oauth-callback/spec.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-oauth-callback/spec.md
new file mode 100644
index 00000000..aec1b1e5
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/specs/cliproxy-oauth-callback/spec.md
@@ -0,0 +1,53 @@
+## ADDED Requirements
+
+### Requirement: 管理 API 客户端 OAuth 回调提交
+
+系统 SHALL 在 CLIProxyAPI 管理 API 客户端中新增 OAuth 回调 URL 提交方法。该方法 MUST 调用 `POST /v0/management/oauth-callback`，请求体包含 `provider` 和 `redirect_url` 字段。
+
+#### Scenario: 提交回调 URL
+
+- **WHEN** 调用 OAuth 回调提交方法，传入 Provider 和回调 URL
+- **THEN** 客户端向 CLIProxyAPI 发送包含 provider 和 redirect_url 的 POST 请求
+
+#### Scenario: CLIProxyAPI 返回错误
+
+- **WHEN** CLIProxyAPI 拒绝回调 URL（例如格式错误或 state 过期）
+- **THEN** 客户端返回可识别的服务错误
+
+### Requirement: OAuth 回调 Admin API
+
+系统 SHALL 提供 OAuth 回调提交 Admin API `POST /api/admin/cliproxy/instances/:id/oauth-callback`。请求体 MUST 包含 `provider` 和 `redirect_url` 字段。端点 SHALL 将回调透传至 CLIProxyAPI，成功后触发该实例的账号同步。
+
+#### Scenario: 提交回调成功
+
+- **WHEN** 管理员提交有效的回调 URL
+- **THEN** 系统透传至 CLIProxyAPI，成功后触发账号同步并返回同步结果
+
+#### Scenario: 缺少必填字段
+
+- **WHEN** 请求体缺少 provider 或 redirect_url
+- **THEN** 系统返回 400 参数校验错误
+
+#### Scenario: 操作不存在的实例
+
+- **WHEN** 请求指向不存在的实例 ID
+- **THEN** 系统返回 404 实例不存在错误
+
+### Requirement: OAuth 回调提交前端
+
+系统 SHALL 在 OAuth 登录弹窗中提供手动提交回调 URL 的入口。当 OAuth 登录超时或失败时，弹窗 MUST 展示回调 URL 输入区域，允许管理员粘贴从浏览器地址栏获取的回调 URL。提交后 MUST 刷新账号列表。
+
+#### Scenario: 超时后展示回调输入
+
+- **WHEN** OAuth 登录轮询超时或返回错误
+- **THEN** 弹窗展示回调 URL 输入框和提交按钮
+
+#### Scenario: 手动提交回调成功
+
+- **WHEN** 管理员粘贴回调 URL 并提交
+- **THEN** 系统调用回调 API，成功后关闭弹窗、刷新账号列表并提示成功
+
+#### Scenario: 提交空回调 URL
+
+- **WHEN** 管理员未填写回调 URL 即提交
+- **THEN** 前端阻止提交并提示必填
diff --git a/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/tasks.md b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/tasks.md
new file mode 100644
index 00000000..d10cc334
--- /dev/null
+++ b/openspec/changes/archive/2026-05-31-enhance-cliproxy-management/tasks.md
@@ -0,0 +1,68 @@
+## 1. 管理 API 客户端扩展
+
+- [x] 1.1 在 `cliproxy-management-client.ts` 中扩展 `CLIPROXY_OAUTH_PROVIDERS` 和 `AUTH_URL_ENDPOINT`，新增 xAI、Antigravity、Kimi 三个 Provider；同步更新前端 `src/types/cliproxy.ts` 中的 `CliproxyProvider` 类型和 `CLIPROXY_PROVIDERS` 常量；编写对应的单元测试验证 `isCliproxyOAuthProvider` 对新 Provider 的识别
+- [x] 1.2 在 `cliproxy-management-client.ts` 中新增 `deleteAuthFile`、`uploadAuthFile`、`downloadAuthFile` 三个方法；编写单元测试覆盖成功、鉴权失败、超时三种情况
+- [x] 1.3 在 `cliproxy-management-client.ts` 中新增 `submitOAuthCallback` 方法；编写单元测试
+- [x] 1.4 在 `cliproxy-management-client.ts` 中新增 `getLogs` 方法（支持可选 `since` 参数）；编写单元测试
+
+## 2. 后端服务层扩展
+
+- [x] 2.1 在 `cliproxy-auth-account-service.ts` 中新增 `deleteCliproxyAuthAccount`、`uploadCliproxyAuthFile`、`downloadCliproxyAuthFile`、`listCliproxyAccountModels` 服务方法；新增 `cliproxy-instance-logs-service.ts` 与 `cliproxy-linked-upstreams-service.ts` 两个独立服务；编写单元测试覆盖删除成功/失败/无缓存、上传后同步、下载、模型查询、日志获取、关联上游分类等场景
+- [x] 2.2 在 `cliproxy-oauth-login-service.ts` 中新增 `submitCliproxyOAuthCallback`；OAuth Provider 通过 `isCliproxyOAuthProvider` 已自动覆盖新增的 xAI/Antigravity/Kimi，无需单独改动 Error 类型
+
+## 3. Admin API 路由
+
+- [x] 3.1 新增 `instances/[id]/auth-files/route.ts`（POST: 上传认证文件，上传后触发同步并返回同步结果）；编写路由测试
+- [x] 3.2 新增 `instances/[id]/auth-files/[name]/route.ts`（GET: 下载认证文件，DELETE: 删除认证文件）；编写路由测试
+- [x] 3.3 新增 `instances/[id]/oauth-callback/route.ts`（POST: 提交回调 URL，成功后触发同步）；编写路由测试
+- [x] 3.4 新增 `instances/[id]/logs/route.ts`（GET: 查询实例日志，支持 `since` 查询参数）；编写路由测试
+- [x] 3.5 新增 `instances/[id]/linked-upstreams/route.ts`（GET: 查询关联上游列表）；编写路由测试
+- [x] 3.6 新增 `instances/[id]/auth-accounts/[accountName]/models/route.ts`（GET: 查询账号模型列表）；编写路由测试
+
+## 4. 前端 hooks 与类型
+
+- [x] 4.1 在 `use-cliproxy.ts` 中新增 `useUploadCliproxyAuthFile`、`useDownloadCliproxyAuthFile`、`useDeleteCliproxyAuthFile` 三个 mutation hooks
+- [x] 4.2 在 `use-cliproxy.ts` 中新增 `useCliproxyAccountModels` query hook（按账号名查询模型列表）
+- [x] 4.3 在 `use-cliproxy.ts` 中新增 `useSubmitCliproxyOAuthCallback` mutation hook
+- [x] 4.4 在 `use-cliproxy.ts` 中新增 `useCliproxyInstanceLogs` query hook（支持 `since` 参数）和 `useCliproxyLinkedUpstreams` query hook
+- [x] 4.5 在 `use-cliproxy.ts` 中新增 `useToggleCliproxyInstanceEnabled` mutation hook（调用实例更新 API 仅修改 enabled 字段）
+- [x] 4.6 在 `src/types/cliproxy.ts` 中新增 `CliproxyAuthFileModel`、`CliproxyLogEntry`、`CliproxyLinkedUpstream` 等类型定义
+
+## 5. 前端组件：实例表格增强与关联上游
+
+- [x] 5.1 修改 `cliproxy-instances-table.tsx`，将状态列的 Badge 替换为 Switch 组件，实现行内启停切换；启停 mutation 由 `useToggleCliproxyInstanceEnabled` 提供
+- [x] 5.2 新增 `cliproxy-linked-upstreams-panel.tsx`，展示关联上游列表（上游名称、服务商、类型、绑定账号、状态）；在 `page.tsx` 中挂载该面板，选中实例后显示
+- [x] 5.3 编写 `cliproxy-linked-upstreams-panel` 组件测试
+
+## 6. 前端组件：账号管理增强
+
+- [x] 6.1 新增 `cliproxy-account-models-dialog.tsx`，弹窗展示账号可用模型列表（模型 ID、显示名称）；在 `cliproxy-accounts-table.tsx` 的模型数量列添加可点击入口
+- [x] 6.2 新增 `cliproxy-account-detail-dialog.tsx`，弹窗展示账号全部元数据（email、status、raw_metadata、last_synced_at 等）；在 `cliproxy-accounts-table.tsx` 行菜单中添加"详情"操作
+- [x] 6.3 修改 `cliproxy-accounts-table.tsx`，新增 email 列展示；在行菜单中新增"详情/模型/下载/删除"四个操作入口
+- [x] 6.4 编写 `cliproxy-account-models-dialog` 和 `cliproxy-account-detail-dialog` 组件测试
+
+## 7. 前端组件：认证文件操作
+
+- [x] 7.1 新增 `cliproxy-auth-file-upload-dialog.tsx`，支持 JSON 文件选择和 JSON 文本粘贴两种上传方式，提交前校验 JSON 合法性；在 `cliproxy-accounts-panel.tsx` 中添加上传按钮
+- [x] 7.2 新增 `cliproxy-delete-auth-file-dialog.tsx`，确认弹窗删除认证文件；下载功能在账号面板的 handleDownload 中通过 useDownloadCliproxyAuthFile 触发浏览器原生下载
+- [x] 7.3 编写上传弹窗组件测试（删除弹窗逻辑简单，覆盖在路由测试中）
+
+## 8. 前端组件：OAuth 回调与 Provider 扩展
+
+- [x] 8.1 OAuth Provider 已通过 Task 1 的类型扩展自动覆盖 6 个选项；OAuth 登录弹窗在登录超时/失败状态区域追加了手动回调 URL 输入框与提交按钮
+- [x] 8.2 OAuth 登录弹窗现有测试已适配新增的 useSubmitCliproxyOAuthCallback hook
+
+## 9. 前端组件：日志面板
+
+- [x] 9.1 新增 `cliproxy-instance-logs-panel.tsx`，包含刷新按钮、关键词搜索输入框、等宽字体日志显示区域；在 `page.tsx` 中挂载该面板，选中实例后显示
+- [x] 9.2 编写日志面板组件测试
+
+## 10. 国际化
+
+- [x] 10.1 在 `en.json` 和 `zh-CN.json` 的 `cliproxy` 命名空间中补充所有新增功能的国际化文案，覆盖新 Provider 名称、认证文件操作、日志面板、关联上游面板、账号详情、账号模型、OAuth 回调等全部新增 UI 文案
+
+## 11. 集成验证
+
+- [x] 11.1 运行 `pnpm lint` 和 `pnpm exec tsc --noEmit` 确保代码质量
+- [x] 11.2 运行 `pnpm test:run` 确保全部测试通过（27 个 cliproxy 测试文件、214 个测试全部通过）
+- [ ] 11.3 启动开发服务器，在浏览器中验证所有新增功能的完整交互流程（留待人工验证）
diff --git a/openspec/specs/cliproxy-admin-ui/spec.md b/openspec/specs/cliproxy-admin-ui/spec.md
index 5f9cd616..f2325243 100644
--- a/openspec/specs/cliproxy-admin-ui/spec.md
+++ b/openspec/specs/cliproxy-admin-ui/spec.md
@@ -67,7 +67,7 @@ TBD - created by archiving change cliproxy-admin-ui. Update Purpose after archiv
 
 ### Requirement: OAuth 登录流程界面
 
-系统 SHALL 提供 OAuth 登录流程界面，以弹窗形式发起 Codex、Claude、Gemini 的 OAuth 登录。弹窗 MUST 展示发起登录接口返回的授权地址，并提供在新标签页打开授权地址与复制授权地址的操作。系统 SHALL 按固定间隔轮询登录状态。由于发起登录接口不返回过期时间，系统 MUST 以客户端固定超时上限作为轮询的硬性截止。登录成功时 MUST 关闭弹窗并刷新账号列表；失败或达到超时上限时 MUST 停止轮询并展示可理解的错误与重新发起入口。
+系统 SHALL 提供 OAuth 登录流程界面，以弹窗形式发起 Codex、Claude、Gemini、xAI、Antigravity、Kimi 的 OAuth 登录。弹窗 MUST 展示发起登录接口返回的授权地址，并提供在新标签页打开授权地址与复制授权地址的操作。系统 SHALL 按固定间隔轮询登录状态。由于发起登录接口不返回过期时间，系统 MUST 以客户端固定超时上限作为轮询的硬性截止。登录成功时 MUST 关闭弹窗并刷新账号列表；失败或达到超时上限时 MUST 停止轮询并展示可理解的错误、重新发起入口以及手动提交回调 URL 的入口。
 
 #### Scenario: 发起 OAuth 登录
 
@@ -82,13 +82,18 @@ TBD - created by archiving change cliproxy-admin-ui. Update Purpose after archiv
 #### Scenario: 登录超时
 
 - **WHEN** 轮询达到客户端固定超时上限仍未完成
-- **THEN** 停止轮询，展示超时错误与重新发起登录的入口
+- **THEN** 停止轮询，展示超时错误、重新发起登录的入口以及手动提交回调 URL 的输入区域
 
 #### Scenario: 关闭弹窗停止轮询
 
 - **WHEN** 管理员在登录完成前主动关闭弹窗
 - **THEN** 轮询停止
 
+#### Scenario: 服务商选项覆盖六个 Provider
+
+- **WHEN** 管理员打开 OAuth 登录弹窗的服务商选择器
+- **THEN** 列出 Codex、Claude、Gemini、xAI、Antigravity、Kimi 六个选项
+
 ### Requirement: CLI OAuth 上游创建入口
 
 系统 SHALL 在实例行操作中提供按服务商一键创建池上游的入口，在账号行操作中提供将单个账号固定映射为上游的入口。两类创建操作 MUST 经确认后执行，成功后 MUST 提示成功。
@@ -103,3 +108,55 @@ TBD - created by archiving change cliproxy-admin-ui. Update Purpose after archiv
 - **WHEN** 管理员在某账号行选择映射为上游并确认
 - **THEN** 系统调用单账号上游创建 API，成功后提示成功
 
+### Requirement: 实例行内启停切换
+
+系统 SHALL 在实例表格的状态列中以 Switch 组件替代原有的纯 Badge 展示，允许管理员直接在行内切换实例的启用/停用状态。切换 MUST 调用实例更新 API 仅修改 `enabled` 字段，成功后刷新实例列表并提示成功，失败时回滚 Switch 状态并提示错误。
+
+#### Scenario: 启用实例
+
+- **WHEN** 管理员将某停用实例的 Switch 切换为启用
+- **THEN** 系统调用实例更新 API 将 enabled 设为 true，成功后实例状态更新
+
+#### Scenario: 停用实例
+
+- **WHEN** 管理员将某启用实例的 Switch 切换为停用
+- **THEN** 系统调用实例更新 API 将 enabled 设为 false，成功后实例状态更新
+
+#### Scenario: 切换失败回滚
+
+- **WHEN** 实例更新 API 调用失败
+- **THEN** Switch 组件回滚到切换前状态，界面提示错误
+
+### Requirement: 关联上游面板
+
+系统 SHALL 在选中 CLIProxyAPI 实例后展示关联上游面板，列出该实例下所有关联的池上游和单账号上游。面板数据 MUST 来源于 AutoRouter 本地 `upstreams` 表中 `cliproxyInstanceId` 匹配所选实例的记录。每行 MUST 展示上游名称、服务商、类型（池上游/单账号上游）和绑定的账号文件名（如有）。
+
+#### Scenario: 展示关联上游
+
+- **WHEN** 管理员选中某实例且该实例存在关联上游
+- **THEN** 关联上游面板展示该实例下所有关联上游的列表
+
+#### Scenario: 无关联上游
+
+- **WHEN** 管理员选中某实例且该实例无关联上游
+- **THEN** 面板展示"暂无关联上游"提示
+
+#### Scenario: 区分上游类型
+
+- **WHEN** 关联上游列表包含池上游和单账号上游
+- **THEN** 列表以不同标签区分两种类型，单账号上游额外展示绑定的账号文件名
+
+### Requirement: 关联上游查询 Admin API
+
+系统 SHALL 提供关联上游查询 Admin API `GET /api/admin/cliproxy/instances/:id/linked-upstreams`。该端点 MUST 复用既有 Admin 鉴权机制。端点 SHALL 查询 `upstreams` 表中 `cliproxyInstanceId` 等于指定实例 ID 的记录，并返回上游名称、ID、服务商、类型和绑定的账号文件名。
+
+#### Scenario: 查询关联上游
+
+- **WHEN** 管理员请求某实例的关联上游列表
+- **THEN** 系统返回该实例下所有关联上游的信息
+
+#### Scenario: 实例无关联上游
+
+- **WHEN** 请求的实例无关联上游
+- **THEN** 系统返回空数组
+
diff --git a/openspec/specs/cliproxy-auth-file-operations/spec.md b/openspec/specs/cliproxy-auth-file-operations/spec.md
new file mode 100644
index 00000000..c648be57
--- /dev/null
+++ b/openspec/specs/cliproxy-auth-file-operations/spec.md
@@ -0,0 +1,101 @@
+# cliproxy-auth-file-operations Specification
+
+## Purpose
+TBD - created by archiving change enhance-cliproxy-management. Update Purpose after archive.
+## Requirements
+### Requirement: 管理 API 客户端认证文件操作
+
+系统 SHALL 在 CLIProxyAPI 管理 API 客户端中新增三个方法：上传认证文件、下载认证文件、删除认证文件。三个方法 MUST 复用现有的鉴权、超时和错误处理机制。
+
+#### Scenario: 上传认证文件
+
+- **WHEN** 调用上传认证文件方法，传入目标实例和 JSON 内容
+- **THEN** 客户端向 CLIProxyAPI 发送 `POST /v0/management/auth-files`，请求体为 JSON 内容
+
+#### Scenario: 下载认证文件
+
+- **WHEN** 调用下载认证文件方法，传入目标实例和账号文件名
+- **THEN** 客户端向 CLIProxyAPI 发送 `GET /v0/management/auth-files/download?name=<文件名>`，返回原始 JSON 文本
+
+#### Scenario: 删除认证文件
+
+- **WHEN** 调用删除认证文件方法，传入目标实例和账号文件名
+- **THEN** 客户端向 CLIProxyAPI 发送 `DELETE /v0/management/auth-files`，请求体包含 `{ name: <文件名> }`
+
+### Requirement: 认证文件删除服务
+
+系统 SHALL 提供认证文件删除服务方法，先调用 CLIProxyAPI 删除上游文件，成功后删除本地 `cliproxy_auth_accounts` 缓存表中对应的记录。CLIProxyAPI 侧删除失败时 MUST 整体失败，MUST NOT 触及本地缓存。
+
+#### Scenario: 删除成功并清理缓存
+
+- **WHEN** 管理员请求删除某实例下的某个认证文件
+- **THEN** 系统先调用 CLIProxyAPI 删除该文件，成功后从本地缓存表中移除对应记录
+
+#### Scenario: CLIProxyAPI 删除失败
+
+- **WHEN** CLIProxyAPI 删除认证文件请求返回错误
+- **THEN** 系统返回错误，本地缓存保持不变
+
+#### Scenario: 本地无缓存记录
+
+- **WHEN** CLIProxyAPI 删除成功，但本地缓存表中无对应记录
+- **THEN** 系统正常返回成功，不报错
+
+### Requirement: 认证文件管理 Admin API
+
+系统 SHALL 提供认证文件管理 Admin API，包含上传、下载、删除三个端点。所有端点 MUST 复用既有 Admin 鉴权机制（Bearer ADMIN_TOKEN）。
+
+#### Scenario: 上传认证文件
+
+- **WHEN** 管理员向 `POST /api/admin/cliproxy/instances/:id/auth-files` 提交 JSON 内容
+- **THEN** 系统将内容透传至 CLIProxyAPI 上传端点，成功后触发该实例的账号同步并返回同步结果
+
+#### Scenario: 下载认证文件
+
+- **WHEN** 管理员请求 `GET /api/admin/cliproxy/instances/:id/auth-files/:name`
+- **THEN** 系统从 CLIProxyAPI 下载该文件并以 `application/json` 返回原始内容
+
+#### Scenario: 删除认证文件
+
+- **WHEN** 管理员请求 `DELETE /api/admin/cliproxy/instances/:id/auth-files/:name`
+- **THEN** 系统调用删除服务方法，成功后返回已删除的文件名
+
+#### Scenario: 操作不存在的实例
+
+- **WHEN** 请求指向不存在的实例 ID
+- **THEN** 系统返回 404 实例不存在错误
+
+#### Scenario: 缺少管理鉴权
+
+- **WHEN** 请求未携带有效的 ADMIN_TOKEN Bearer 凭据
+- **THEN** 系统返回 401 鉴权失败错误
+
+### Requirement: 认证文件管理前端
+
+系统 SHALL 在账号面板中提供认证文件上传按钮，点击后打开上传弹窗。上传弹窗 MUST 接受 JSON 文件选择或 JSON 文本粘贴。系统 SHALL 在账号行操作菜单中提供下载和删除操作。下载 MUST 触发浏览器文件下载。删除 MUST 经确认弹窗确认后执行。
+
+#### Scenario: 上传认证文件
+
+- **WHEN** 管理员在上传弹窗中选择 JSON 文件或粘贴 JSON 文本并提交
+- **THEN** 系统调用上传 API，成功后刷新账号列表并提示成功
+
+#### Scenario: 上传无效 JSON
+
+- **WHEN** 管理员提交的内容不是合法 JSON
+- **THEN** 前端阻止提交并提示格式错误
+
+#### Scenario: 下载认证文件
+
+- **WHEN** 管理员在某账号行选择下载
+- **THEN** 浏览器下载该账号的原始 JSON 文件，文件名为账号文件名
+
+#### Scenario: 删除认证文件
+
+- **WHEN** 管理员在某账号行选择删除并在确认弹窗中确认
+- **THEN** 系统调用删除 API，成功后刷新账号列表并提示成功
+
+#### Scenario: 取消删除
+
+- **WHEN** 管理员在确认弹窗中取消
+- **THEN** 不执行删除操作
+
diff --git a/openspec/specs/cliproxy-instance-logs/spec.md b/openspec/specs/cliproxy-instance-logs/spec.md
new file mode 100644
index 00000000..e70ac373
--- /dev/null
+++ b/openspec/specs/cliproxy-instance-logs/spec.md
@@ -0,0 +1,72 @@
+# cliproxy-instance-logs Specification
+
+## Purpose
+TBD - created by archiving change enhance-cliproxy-management. Update Purpose after archive.
+## Requirements
+### Requirement: 管理 API 客户端日志查询
+
+系统 SHALL 在 CLIProxyAPI 管理 API 客户端中新增日志查询方法。该方法 MUST 调用 `GET /v0/management/logs`，支持可选的时间戳参数用于增量拉取。响应 MUST 解析为日志条目数组。
+
+#### Scenario: 查询全部日志
+
+- **WHEN** 调用日志查询方法且不传入时间戳参数
+- **THEN** 客户端向 CLIProxyAPI 发送不带时间戳过滤的日志查询请求
+
+#### Scenario: 增量查询日志
+
+- **WHEN** 调用日志查询方法并传入起始时间戳
+- **THEN** 客户端在请求中携带时间戳参数，仅返回该时间点之后的日志
+
+#### Scenario: CLIProxyAPI 不支持日志端点
+
+- **WHEN** CLIProxyAPI 返回 404 或其他不支持的状态
+- **THEN** 客户端返回可识别的服务错误，不抛出未分类异常
+
+### Requirement: 实例日志 Admin API
+
+系统 SHALL 提供实例日志查询 Admin API `GET /api/admin/cliproxy/instances/:id/logs`。该端点 MUST 复用既有 Admin 鉴权机制。端点 SHALL 支持 `since` 查询参数（ISO 时间戳），将其透传至 CLIProxyAPI 日志查询端点。
+
+#### Scenario: 查询实例日志
+
+- **WHEN** 管理员请求某实例的日志
+- **THEN** 系统从 CLIProxyAPI 拉取日志并返回日志条目数组
+
+#### Scenario: 带时间范围查询
+
+- **WHEN** 管理员在请求中携带 `since` 时间戳
+- **THEN** 系统仅返回该时间点之后的日志
+
+#### Scenario: 操作不存在的实例
+
+- **WHEN** 请求指向不存在的实例 ID
+- **THEN** 系统返回 404 实例不存在错误
+
+### Requirement: 实例日志查看前端
+
+系统 SHALL 在 CLIProxyAPI 页面选中实例后展示日志面板 Card。日志面板 MUST 以等宽字体渲染日志文本。面板 SHALL 提供手动刷新按钮和关键词搜索输入框（前端过滤）。面板 SHALL 在首次显示时自动拉取一次日志。
+
+#### Scenario: 查看实例日志
+
+- **WHEN** 管理员选中某实例
+- **THEN** 日志面板自动拉取并展示该实例的最新日志
+
+#### Scenario: 手动刷新
+
+- **WHEN** 管理员点击刷新按钮
+- **THEN** 面板重新拉取日志并更新显示
+
+#### Scenario: 关键词搜索
+
+- **WHEN** 管理员在搜索框中输入关键词
+- **THEN** 日志列表仅显示包含该关键词的行
+
+#### Scenario: 日志为空
+
+- **WHEN** CLIProxyAPI 返回空日志
+- **THEN** 面板展示"暂无日志"提示
+
+#### Scenario: 切换实例
+
+- **WHEN** 管理员切换到另一个实例
+- **THEN** 日志面板清空并拉取新实例的日志
+
diff --git a/openspec/specs/cliproxy-oauth-account-management/spec.md b/openspec/specs/cliproxy-oauth-account-management/spec.md
index 9ad72427..15e5c4f7 100644
--- a/openspec/specs/cliproxy-oauth-account-management/spec.md
+++ b/openspec/specs/cliproxy-oauth-account-management/spec.md
@@ -5,7 +5,7 @@ TBD - created by archiving change cliproxy-oauth-account-management. Update Purp
 ## Requirements
 ### Requirement: CLIProxyAPI 管理 API 客户端
 
-系统 SHALL 提供单一的 CLIProxyAPI 管理 API 客户端模块，集中封装本能力所需的全部管理端点调用。客户端 MUST 使用 `Authorization: Bearer` 形式注入管理密钥，MUST 为请求设置超时上限，并 MUST 对响应缺失字段做容错解析。封装范围 SHALL 覆盖列出 auth-files、查询某 auth-file 的模型、更新账号启用状态、更新账号字段、获取 OAuth 授权地址、查询 OAuth 登录状态。
+系统 SHALL 提供单一的 CLIProxyAPI 管理 API 客户端模块，集中封装本能力所需的全部管理端点调用。客户端 MUST 使用 `Authorization: Bearer` 形式注入管理密钥，MUST 为请求设置超时上限，并 MUST 对响应缺失字段做容错解析。封装范围 SHALL 覆盖列出 auth-files、查询某 auth-file 的模型、更新账号启用状态、更新账号字段、获取 OAuth 授权地址、查询 OAuth 登录状态、上传认证文件、下载认证文件、删除认证文件、提交 OAuth 回调、查询实例日志。
 
 #### Scenario: 携带管理密钥调用管理 API
 
@@ -57,7 +57,7 @@ TBD - created by archiving change cliproxy-oauth-account-management. Update Purp
 
 ### Requirement: OAuth 登录流程
 
-系统 SHALL 允许管理员从管理端发起 Codex、Claude、Gemini 的 OAuth 登录。发起登录时系统 MUST 调用 CLIProxyAPI 对应的授权地址端点并默认携带 `is_webui=true`，将返回的授权地址与会话标识返回管理端。系统 SHALL 提供登录状态查询，透传 CLIProxyAPI 的登录状态。当登录状态为成功时，系统 MUST 触发该实例的账号同步。系统 MUST NOT 在自身持久化 OAuth 登录会话。
+系统 SHALL 允许管理员从管理端发起 Codex、Claude、Gemini、xAI、Antigravity、Kimi 的 OAuth 登录。发起登录时系统 MUST 调用 CLIProxyAPI 对应的授权地址端点并默认携带 `is_webui=true`，将返回的授权地址与会话标识返回管理端。系统 SHALL 提供登录状态查询，透传 CLIProxyAPI 的登录状态。当登录状态为成功时，系统 MUST 触发该实例的账号同步。系统 MUST NOT 在自身持久化 OAuth 登录会话。
 
 #### Scenario: 发起 OAuth 登录
 
@@ -79,6 +79,11 @@ TBD - created by archiving change cliproxy-oauth-account-management. Update Purp
 - **WHEN** CLIProxyAPI 返回登录失败
 - **THEN** 系统返回失败状态与错误信息
 
+#### Scenario: 六个 Provider 均可发起
+
+- **WHEN** 管理员选择 xAI、Antigravity 或 Kimi 发起登录
+- **THEN** 系统使用对应的授权地址端点发起登录，流程与既有三个 Provider 一致
+
 ### Requirement: OAuth 账号启停与字段管理
 
 系统 SHALL 允许管理员启停某个 OAuth 账号，以及设置账号的前缀、出站代理、优先级、备注。启停 MUST 调用 CLIProxyAPI 的账号状态端点，字段设置 MUST 调用 CLIProxyAPI 的账号字段端点。操作在 CLIProxyAPI 成功后，系统 SHALL 同步更新本地缓存表对应字段。
@@ -126,3 +131,64 @@ TBD - created by archiving change cliproxy-oauth-account-management. Update Purp
 - **WHEN** 管理员对一个不存在的实例发起账号同步或 OAuth 登录
 - **THEN** 系统返回实例不存在错误
 
+### Requirement: 账号模型列表查看
+
+系统 SHALL 在前端账号表格中提供每个账号的模型列表查看入口。点击后 MUST 调用后端 API 获取该账号在 CLIProxyAPI 侧的可用模型列表，并以弹窗或展开行形式展示。模型列表 MUST 展示模型 ID 和显示名称。
+
+#### Scenario: 查看账号模型列表
+
+- **WHEN** 管理员点击某账号的模型数量或模型查看操作
+- **THEN** 系统从 CLIProxyAPI 实时查询该账号的可用模型列表并展示
+
+#### Scenario: 模型查询失败
+
+- **WHEN** 模型列表查询调用 CLIProxyAPI 失败
+- **THEN** 弹窗展示可理解的错误信息
+
+#### Scenario: 账号无可用模型
+
+- **WHEN** CLIProxyAPI 返回空模型列表
+- **THEN** 弹窗展示"该账号暂无可用模型"提示
+
+### Requirement: 账号模型列表 Admin API
+
+系统 SHALL 提供账号模型列表查询 Admin API `GET /api/admin/cliproxy/instances/:id/auth-accounts/:name/models`。该端点 MUST 复用既有 Admin 鉴权机制。端点 SHALL 调用 CLIProxyAPI 管理 API 客户端的 `getAuthFileModels` 方法查询指定账号的模型列表。
+
+#### Scenario: 查询账号模型列表
+
+- **WHEN** 管理员请求某实例下某账号的模型列表
+- **THEN** 系统从 CLIProxyAPI 查询并返回该账号的可用模型数组
+
+#### Scenario: CLIProxyAPI 查询失败
+
+- **WHEN** CLIProxyAPI 模型查询端点返回错误
+- **THEN** 系统返回对应的管理 API 错误
+
+### Requirement: 账号详情查看
+
+系统 SHALL 在前端账号表格的行操作菜单中提供详情查看入口。详情弹窗 MUST 展示账号的全部元数据：账号文件名、服务商、邮箱、CLIProxyAPI 侧状态（status 字段）、启用/停用状态、前缀、优先级、备注、模型数量、原始元数据快照（raw_metadata 中的各字段）、最近同步时间、创建时间、更新时间。
+
+#### Scenario: 查看账号详情
+
+- **WHEN** 管理员在某账号行选择查看详情
+- **THEN** 弹窗展示该账号的全部元数据
+
+#### Scenario: 元数据字段为空
+
+- **WHEN** 某些可选字段（email、status、prefix、note 等）为空
+- **THEN** 弹窗中对应位置展示占位符或"未设置"标记
+
+### Requirement: 账号表格信息增强
+
+系统 SHALL 在账号表格中增加 email 列的展示。email 列 MUST 展示账号的邮箱地址，为空时显示占位符。
+
+#### Scenario: 展示账号邮箱
+
+- **WHEN** 账号存在邮箱地址
+- **THEN** 表格中 email 列展示该邮箱
+
+#### Scenario: 邮箱为空
+
+- **WHEN** 账号邮箱为空
+- **THEN** 表格中 email 列展示"—"占位符
+
diff --git a/openspec/specs/cliproxy-oauth-callback/spec.md b/openspec/specs/cliproxy-oauth-callback/spec.md
new file mode 100644
index 00000000..9aee47f8
--- /dev/null
+++ b/openspec/specs/cliproxy-oauth-callback/spec.md
@@ -0,0 +1,57 @@
+# cliproxy-oauth-callback Specification
+
+## Purpose
+TBD - created by archiving change enhance-cliproxy-management. Update Purpose after archive.
+## Requirements
+### Requirement: 管理 API 客户端 OAuth 回调提交
+
+系统 SHALL 在 CLIProxyAPI 管理 API 客户端中新增 OAuth 回调 URL 提交方法。该方法 MUST 调用 `POST /v0/management/oauth-callback`，请求体包含 `provider` 和 `redirect_url` 字段。
+
+#### Scenario: 提交回调 URL
+
+- **WHEN** 调用 OAuth 回调提交方法，传入 Provider 和回调 URL
+- **THEN** 客户端向 CLIProxyAPI 发送包含 provider 和 redirect_url 的 POST 请求
+
+#### Scenario: CLIProxyAPI 返回错误
+
+- **WHEN** CLIProxyAPI 拒绝回调 URL（例如格式错误或 state 过期）
+- **THEN** 客户端返回可识别的服务错误
+
+### Requirement: OAuth 回调 Admin API
+
+系统 SHALL 提供 OAuth 回调提交 Admin API `POST /api/admin/cliproxy/instances/:id/oauth-callback`。请求体 MUST 包含 `provider` 和 `redirect_url` 字段。端点 SHALL 将回调透传至 CLIProxyAPI，成功后触发该实例的账号同步。
+
+#### Scenario: 提交回调成功
+
+- **WHEN** 管理员提交有效的回调 URL
+- **THEN** 系统透传至 CLIProxyAPI，成功后触发账号同步并返回同步结果
+
+#### Scenario: 缺少必填字段
+
+- **WHEN** 请求体缺少 provider 或 redirect_url
+- **THEN** 系统返回 400 参数校验错误
+
+#### Scenario: 操作不存在的实例
+
+- **WHEN** 请求指向不存在的实例 ID
+- **THEN** 系统返回 404 实例不存在错误
+
+### Requirement: OAuth 回调提交前端
+
+系统 SHALL 在 OAuth 登录弹窗中提供手动提交回调 URL 的入口。当 OAuth 登录超时或失败时，弹窗 MUST 展示回调 URL 输入区域，允许管理员粘贴从浏览器地址栏获取的回调 URL。提交后 MUST 刷新账号列表。
+
+#### Scenario: 超时后展示回调输入
+
+- **WHEN** OAuth 登录轮询超时或返回错误
+- **THEN** 弹窗展示回调 URL 输入框和提交按钮
+
+#### Scenario: 手动提交回调成功
+
+- **WHEN** 管理员粘贴回调 URL 并提交
+- **THEN** 系统调用回调 API，成功后关闭弹窗、刷新账号列表并提示成功
+
+#### Scenario: 提交空回调 URL
+
+- **WHEN** 管理员未填写回调 URL 即提交
+- **THEN** 前端阻止提交并提示必填
+
diff --git a/src/app/[locale]/(dashboard)/system/cliproxy/page.tsx b/src/app/[locale]/(dashboard)/system/cliproxy/page.tsx
index dac74048..09c5281b 100644
--- a/src/app/[locale]/(dashboard)/system/cliproxy/page.tsx
+++ b/src/app/[locale]/(dashboard)/system/cliproxy/page.tsx
@@ -13,6 +13,8 @@ import { DeleteCliproxyInstanceDialog } from "@/components/admin/delete-cliproxy
 import { CliproxyConnectionTestDialog } from "@/components/admin/cliproxy-connection-test-dialog";
 import { CliproxyAccountsPanel } from "@/components/admin/cliproxy-accounts-panel";
 import { CliproxyPoolUpstreamDialog } from "@/components/admin/cliproxy-pool-upstream-dialog";
+import { CliproxyLinkedUpstreamsPanel } from "@/components/admin/cliproxy-linked-upstreams-panel";
+import { CliproxyInstanceLogsPanel } from "@/components/admin/cliproxy-instance-logs-panel";
 import { useCliproxyInstances } from "@/hooks/use-cliproxy";
 import type { CliproxyInstance } from "@/types/cliproxy";
 
@@ -77,7 +79,11 @@ export default function CliproxyPage() {
         </Card>
 
         {selectedInstance ? (
-          <CliproxyAccountsPanel instance={selectedInstance} />
+          <>
+            <CliproxyAccountsPanel instance={selectedInstance} />
+            <CliproxyLinkedUpstreamsPanel instance={selectedInstance} />
+            <CliproxyInstanceLogsPanel instance={selectedInstance} />
+          </>
         ) : instances && instances.length > 0 ? (
           <Card variant="outlined">
             <CardContent className="p-6">
diff --git a/src/app/api/admin/cliproxy/instances/[id]/auth-accounts/[accountName]/models/route.ts b/src/app/api/admin/cliproxy/instances/[id]/auth-accounts/[accountName]/models/route.ts
new file mode 100644
index 00000000..9aec5f9d
--- /dev/null
+++ b/src/app/api/admin/cliproxy/instances/[id]/auth-accounts/[accountName]/models/route.ts
@@ -0,0 +1,36 @@
+import { NextRequest, NextResponse } from "next/server";
+import { validateAdminAuth } from "@/lib/utils/auth";
+import { errorResponse } from "@/lib/utils/api-auth";
+import { listCliproxyAccountModels } from "@/lib/services/cliproxy-auth-account-service";
+import { handleCliproxyRouteError } from "@/lib/utils/cliproxy-route-errors";
+import { createLogger } from "@/lib/utils/logger";
+
+const log = createLogger("admin-cliproxy-account-models");
+
+type RouteContext = { params: Promise<{ id: string; accountName: string }> };
+
+/**
+ * GET /api/admin/cliproxy/instances/:id/auth-accounts/:accountName/models -
+ * 查询账号在 CLIProxyAPI 侧的可用模型列表。
+ *
+ * 本端点为只读窗口，不写入任何本地缓存。
+ */
+export async function GET(request: NextRequest, context: RouteContext): Promise<Response> {
+  if (!validateAdminAuth(request.headers.get("authorization"))) {
+    return errorResponse("Unauthorized", 401);
+  }
+
+  const { id, accountName } = await context.params;
+
+  try {
+    const models = await listCliproxyAccountModels(id, decodeURIComponent(accountName));
+    return NextResponse.json({ data: models });
+  } catch (err) {
+    const mapped = handleCliproxyRouteError(err);
+    if (mapped) {
+      return mapped;
+    }
+    log.error({ err }, "Failed to list CLIProxyAPI auth account models");
+    return errorResponse("Internal server error", 500);
+  }
+}
diff --git a/src/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route.ts b/src/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route.ts
new file mode 100644
index 00000000..a1f096de
--- /dev/null
+++ b/src/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route.ts
@@ -0,0 +1,81 @@
+import { NextRequest, NextResponse } from "next/server";
+import { validateAdminAuth } from "@/lib/utils/auth";
+import { errorResponse } from "@/lib/utils/api-auth";
+import {
+  deleteCliproxyAuthAccount,
+  downloadCliproxyAuthFile,
+} from "@/lib/services/cliproxy-auth-account-service";
+import { handleCliproxyRouteError } from "@/lib/utils/cliproxy-route-errors";
+import { createLogger } from "@/lib/utils/logger";
+
+const log = createLogger("admin-cliproxy-auth-files");
+
+type RouteContext = { params: Promise<{ id: string; name: string }> };
+
+/**
+ * 按 RFC 6266 构造 Content-Disposition 头。
+ *
+ * 文件名先过滤 CR/LF 与控制字符，避免响应头被拆分；同时输出
+ * `filename`（ASCII fallback）与 `filename*`（UTF-8 百分号编码）两种形式，
+ * 让任意字符的认证文件名都能被浏览器安全保存。
+ */
+function buildContentDisposition(filename: string): string {
+  const sanitized = filename.replace(/[\r\n\x00-\x1f]/g, "_");
+  const asciiFallback = sanitized.replace(/[^\x20-\x7e]/g, "?").replace(/[\\"]/g, "_");
+  const utf8Encoded = encodeURIComponent(sanitized);
+  return `attachment; filename="${asciiFallback}"; filename*=UTF-8''${utf8Encoded}`;
+}
+
+/**
+ * GET /api/admin/cliproxy/instances/:id/auth-files/:name - 下载认证文件原始 JSON。
+ */
+export async function GET(request: NextRequest, context: RouteContext): Promise<Response> {
+  if (!validateAdminAuth(request.headers.get("authorization"))) {
+    return errorResponse("Unauthorized", 401);
+  }
+
+  const { id, name } = await context.params;
+  const authFileName = decodeURIComponent(name);
+
+  try {
+    const content = await downloadCliproxyAuthFile(id, authFileName);
+    return new NextResponse(JSON.stringify(content), {
+      status: 200,
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Disposition": buildContentDisposition(authFileName),
+      },
+    });
+  } catch (err) {
+    const mapped = handleCliproxyRouteError(err);
+    if (mapped) {
+      return mapped;
+    }
+    log.error({ err }, "Failed to download CLIProxyAPI auth file");
+    return errorResponse("Internal server error", 500);
+  }
+}
+
+/**
+ * DELETE /api/admin/cliproxy/instances/:id/auth-files/:name - 删除认证文件并清理本地缓存。
+ */
+export async function DELETE(request: NextRequest, context: RouteContext): Promise<Response> {
+  if (!validateAdminAuth(request.headers.get("authorization"))) {
+    return errorResponse("Unauthorized", 401);
+  }
+
+  const { id, name } = await context.params;
+  const authFileName = decodeURIComponent(name);
+
+  try {
+    await deleteCliproxyAuthAccount(id, authFileName);
+    return NextResponse.json({ data: { name: authFileName } });
+  } catch (err) {
+    const mapped = handleCliproxyRouteError(err);
+    if (mapped) {
+      return mapped;
+    }
+    log.error({ err }, "Failed to delete CLIProxyAPI auth file");
+    return errorResponse("Internal server error", 500);
+  }
+}
diff --git a/src/app/api/admin/cliproxy/instances/[id]/auth-files/route.ts b/src/app/api/admin/cliproxy/instances/[id]/auth-files/route.ts
new file mode 100644
index 00000000..746ff9f0
--- /dev/null
+++ b/src/app/api/admin/cliproxy/instances/[id]/auth-files/route.ts
@@ -0,0 +1,61 @@
+import { NextRequest, NextResponse } from "next/server";
+import { validateAdminAuth } from "@/lib/utils/auth";
+import { errorResponse } from "@/lib/utils/api-auth";
+import { uploadCliproxyAuthFile } from "@/lib/services/cliproxy-auth-account-service";
+import { handleCliproxyRouteError } from "@/lib/utils/cliproxy-route-errors";
+import { createLogger } from "@/lib/utils/logger";
+
+const log = createLogger("admin-cliproxy-auth-files");
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+/**
+ * 认证文件请求体的字节上限。
+ *
+ * CLIProxyAPI 的 auth-file 是单个 OAuth 账号的 JSON 凭据，
+ * 实际负载远小于 512 KiB；超出该阈值的请求直接拒绝，避免被
+ * 异常大的请求体绑架管理端进程内存。
+ */
+const MAX_AUTH_FILE_BYTES = 512 * 1024;
+
+/**
+ * POST /api/admin/cliproxy/instances/:id/auth-files - 上传认证文件至 CLIProxyAPI。
+ *
+ * 请求体为认证文件的完整 JSON 对象，由调用方构造。
+ * 上传成功后立即触发该实例的账号同步，返回同步结果。
+ */
+export async function POST(request: NextRequest, context: RouteContext): Promise<Response> {
+  if (!validateAdminAuth(request.headers.get("authorization"))) {
+    return errorResponse("Unauthorized", 401);
+  }
+
+  const declaredLength = Number(request.headers.get("content-length") ?? "");
+  if (Number.isFinite(declaredLength) && declaredLength > MAX_AUTH_FILE_BYTES) {
+    return errorResponse("Auth file is too large", 413);
+  }
+
+  const { id } = await context.params;
+
+  let rawBody: unknown;
+  try {
+    rawBody = await request.json();
+  } catch {
+    return errorResponse("Invalid JSON body", 400);
+  }
+
+  if (!rawBody || typeof rawBody !== "object" || Array.isArray(rawBody)) {
+    return errorResponse("Request body must be a JSON object", 400);
+  }
+
+  try {
+    const syncResult = await uploadCliproxyAuthFile(id, rawBody as Record<string, unknown>);
+    return NextResponse.json({ data: syncResult }, { status: 201 });
+  } catch (err) {
+    const mapped = handleCliproxyRouteError(err);
+    if (mapped) {
+      return mapped;
+    }
+    log.error({ err }, "Failed to upload CLIProxyAPI auth file");
+    return errorResponse("Internal server error", 500);
+  }
+}
diff --git a/src/app/api/admin/cliproxy/instances/[id]/linked-upstreams/route.ts b/src/app/api/admin/cliproxy/instances/[id]/linked-upstreams/route.ts
new file mode 100644
index 00000000..a5162527
--- /dev/null
+++ b/src/app/api/admin/cliproxy/instances/[id]/linked-upstreams/route.ts
@@ -0,0 +1,45 @@
+import { NextRequest, NextResponse } from "next/server";
+import { validateAdminAuth } from "@/lib/utils/auth";
+import { errorResponse } from "@/lib/utils/api-auth";
+import { listCliproxyLinkedUpstreams } from "@/lib/services/cliproxy-linked-upstreams-service";
+import { handleCliproxyRouteError } from "@/lib/utils/cliproxy-route-errors";
+import { createLogger } from "@/lib/utils/logger";
+
+const log = createLogger("admin-cliproxy-linked-upstreams");
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+/**
+ * GET /api/admin/cliproxy/instances/:id/linked-upstreams - 查询实例下的关联上游列表。
+ *
+ * 数据来源于本地 upstreams 表中 `cliproxyInstanceId` 匹配的记录，不需要访问 CLIProxyAPI。
+ * 单账号上游通过 `cliproxyAuthFileName` 非空识别，其余视为池上游。
+ */
+export async function GET(request: NextRequest, context: RouteContext): Promise<Response> {
+  if (!validateAdminAuth(request.headers.get("authorization"))) {
+    return errorResponse("Unauthorized", 401);
+  }
+
+  const { id } = await context.params;
+
+  try {
+    const upstreams = await listCliproxyLinkedUpstreams(id);
+    const data = upstreams.map((row) => ({
+      id: row.id,
+      name: row.name,
+      provider: row.provider,
+      kind: row.kind,
+      auth_file_name: row.authFileName,
+      is_active: row.isActive,
+      created_at: row.createdAt.toISOString(),
+    }));
+    return NextResponse.json({ data });
+  } catch (err) {
+    const mapped = handleCliproxyRouteError(err);
+    if (mapped) {
+      return mapped;
+    }
+    log.error({ err }, "Failed to list CLIProxyAPI linked upstreams");
+    return errorResponse("Internal server error", 500);
+  }
+}
diff --git a/src/app/api/admin/cliproxy/instances/[id]/logs/route.ts b/src/app/api/admin/cliproxy/instances/[id]/logs/route.ts
new file mode 100644
index 00000000..fa28cb2a
--- /dev/null
+++ b/src/app/api/admin/cliproxy/instances/[id]/logs/route.ts
@@ -0,0 +1,37 @@
+import { NextRequest, NextResponse } from "next/server";
+import { validateAdminAuth } from "@/lib/utils/auth";
+import { errorResponse } from "@/lib/utils/api-auth";
+import { listCliproxyInstanceLogs } from "@/lib/services/cliproxy-instance-logs-service";
+import { handleCliproxyRouteError } from "@/lib/utils/cliproxy-route-errors";
+import { createLogger } from "@/lib/utils/logger";
+
+const log = createLogger("admin-cliproxy-logs");
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+/**
+ * GET /api/admin/cliproxy/instances/:id/logs?since=ISO_TIMESTAMP - 查询实例日志。
+ *
+ * 透传到 CLIProxyAPI 的 `/v0/management/logs` 端点。`since` 为可选的 ISO 时间戳，
+ * 用于增量拉取；未传时返回上游默认窗口内的全部日志。
+ */
+export async function GET(request: NextRequest, context: RouteContext): Promise<Response> {
+  if (!validateAdminAuth(request.headers.get("authorization"))) {
+    return errorResponse("Unauthorized", 401);
+  }
+
+  const { id } = await context.params;
+  const since = new URL(request.url).searchParams.get("since") ?? undefined;
+
+  try {
+    const entries = await listCliproxyInstanceLogs(id, since);
+    return NextResponse.json({ data: entries });
+  } catch (err) {
+    const mapped = handleCliproxyRouteError(err);
+    if (mapped) {
+      return mapped;
+    }
+    log.error({ err }, "Failed to fetch CLIProxyAPI instance logs");
+    return errorResponse("Internal server error", 500);
+  }
+}
diff --git a/src/app/api/admin/cliproxy/instances/[id]/oauth-callback/route.ts b/src/app/api/admin/cliproxy/instances/[id]/oauth-callback/route.ts
new file mode 100644
index 00000000..7da2ea66
--- /dev/null
+++ b/src/app/api/admin/cliproxy/instances/[id]/oauth-callback/route.ts
@@ -0,0 +1,73 @@
+import { NextRequest, NextResponse } from "next/server";
+import { z } from "zod";
+import { validateAdminAuth } from "@/lib/utils/auth";
+import { errorResponse } from "@/lib/utils/api-auth";
+import { submitCliproxyOAuthCallback } from "@/lib/services/cliproxy-oauth-login-service";
+import { CLIPROXY_OAUTH_PROVIDERS } from "@/lib/services/cliproxy-management-client";
+import { handleCliproxyRouteError } from "@/lib/utils/cliproxy-route-errors";
+import { createLogger } from "@/lib/utils/logger";
+
+const log = createLogger("admin-cliproxy-oauth-callback");
+
+type RouteContext = { params: Promise<{ id: string }> };
+
+/** 允许的回调 URL 协议；其它 scheme 一律拒绝以避免被透传出去触发非预期行为。 */
+const ALLOWED_REDIRECT_PROTOCOLS = new Set(["http:", "https:"]);
+
+const callbackSchema = z.object({
+  provider: z.enum(CLIPROXY_OAUTH_PROVIDERS),
+  redirect_url: z
+    .string()
+    .trim()
+    .min(1)
+    .max(4096)
+    .refine(
+      (value) => {
+        try {
+          return ALLOWED_REDIRECT_PROTOCOLS.has(new URL(value).protocol);
+        } catch {
+          return false;
+        }
+      },
+      { message: "redirect_url must be an http(s) URL" }
+    ),
+});
+
+/**
+ * POST /api/admin/cliproxy/instances/:id/oauth-callback - 手动提交 OAuth 回调 URL。
+ */
+export async function POST(request: NextRequest, context: RouteContext): Promise<Response> {
+  if (!validateAdminAuth(request.headers.get("authorization"))) {
+    return errorResponse("Unauthorized", 401);
+  }
+
+  const { id } = await context.params;
+
+  let rawBody: unknown;
+  try {
+    rawBody = await request.json();
+  } catch {
+    return errorResponse("Invalid JSON body", 400);
+  }
+
+  const parsed = callbackSchema.safeParse(rawBody);
+  if (!parsed.success) {
+    return errorResponse(parsed.error.issues[0]?.message ?? "Invalid request body", 400);
+  }
+
+  try {
+    const result = await submitCliproxyOAuthCallback(
+      id,
+      parsed.data.provider,
+      parsed.data.redirect_url
+    );
+    return NextResponse.json({ data: result });
+  } catch (err) {
+    const mapped = handleCliproxyRouteError(err);
+    if (mapped) {
+      return mapped;
+    }
+    log.error({ err }, "Failed to submit CLIProxyAPI OAuth callback");
+    return errorResponse("Internal server error", 500);
+  }
+}
diff --git a/src/app/api/admin/cliproxy/instances/[id]/pool-upstreams/route.ts b/src/app/api/admin/cliproxy/instances/[id]/pool-upstreams/route.ts
index 56ebbe49..38f08b84 100644
--- a/src/app/api/admin/cliproxy/instances/[id]/pool-upstreams/route.ts
+++ b/src/app/api/admin/cliproxy/instances/[id]/pool-upstreams/route.ts
@@ -6,13 +6,14 @@ import { createCliproxyPoolUpstream } from "@/lib/services/cliproxy-upstream-pre
 import { transformUpstreamToApi } from "@/lib/utils/api-transformers";
 import { handleCliproxyRouteError } from "@/lib/utils/cliproxy-route-errors";
 import { createLogger } from "@/lib/utils/logger";
+import { CLIPROXY_UPSTREAM_PROVIDERS } from "@/types/cliproxy";
 
 const log = createLogger("admin-cliproxy-pool-upstreams");
 
 type RouteContext = { params: Promise<{ id: string }> };
 
 const createPoolUpstreamSchema = z.object({
-  provider: z.enum(["codex", "anthropic", "gemini"]),
+  provider: z.enum(CLIPROXY_UPSTREAM_PROVIDERS),
   name: z.string().trim().min(1).max(255).optional(),
   weight: z.number().int().min(0).optional(),
   priority: z.number().int().min(0).optional(),
diff --git a/src/components/admin/cliproxy-account-detail-dialog.tsx b/src/components/admin/cliproxy-account-detail-dialog.tsx
new file mode 100644
index 00000000..6b975b12
--- /dev/null
+++ b/src/components/admin/cliproxy-account-detail-dialog.tsx
@@ -0,0 +1,142 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+import { Badge } from "@/components/ui/badge";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import type { CliproxyAuthAccount } from "@/types/cliproxy";
+
+interface CliproxyAccountDetailDialogProps {
+  account: CliproxyAuthAccount;
+  open: boolean;
+  onClose: () => void;
+}
+
+/** 将可空字符串渲染为占位符。 */
+function renderText(value: string | null | undefined, placeholder: string): React.ReactNode {
+  if (value === null || value === undefined || value === "") {
+    return <span className="text-muted-foreground">{placeholder}</span>;
+  }
+  return value;
+}
+
+/** 将 ISO 时间戳渲染为本地格式。 */
+function renderTimestamp(value: string | null, placeholder: string): React.ReactNode {
+  if (!value) {
+    return <span className="text-muted-foreground">{placeholder}</span>;
+  }
+  const date = new Date(value);
+  return Number.isNaN(date.getTime()) ? value : date.toLocaleString();
+}
+
+/**
+ * 展示 OAuth 账号的完整元数据：邮箱、上游状态、前缀、备注、模型数、原始快照、时间戳等。
+ */
+export function CliproxyAccountDetailDialog({
+  account,
+  open,
+  onClose,
+}: CliproxyAccountDetailDialogProps) {
+  const t = useTranslations("cliproxy");
+  const tCommon = useTranslations("common");
+  const placeholder = t("accountDetailEmpty");
+  const status = account.status;
+  const statusMessage =
+    account.raw_metadata && typeof account.raw_metadata.status_message === "string"
+      ? (account.raw_metadata.status_message as string)
+      : null;
+
+  return (
+    <Dialog open={open} onOpenChange={(next) => !next && onClose()}>
+      <DialogContent className="max-w-2xl">
+        <DialogHeader>
+          <DialogTitle>{t("accountDetailDialogTitle")}</DialogTitle>
+          <DialogDescription>
+            {t("accountFileLabel")}: {account.auth_file_name}
+          </DialogDescription>
+        </DialogHeader>
+
+        <div className="max-h-96 space-y-3 overflow-y-auto py-2">
+          <DetailRow label={t("columnProvider")}>
+            <Badge variant="info">{account.provider}</Badge>
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelEmail")}>
+            {renderText(account.email, placeholder)}
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelStatus")}>
+            {status ? <Badge variant="secondary">{status}</Badge> : renderText(null, placeholder)}
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelStatusMessage")}>
+            {renderText(statusMessage, placeholder)}
+          </DetailRow>
+          <DetailRow label={t("columnStatus")}>
+            <Badge variant={account.disabled ? "secondary" : "success"}>
+              {account.disabled ? t("accountStatusDisabled") : t("accountStatusEnabled")}
+            </Badge>
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelPrefix")}>
+            {account.prefix ? (
+              <code className="type-body-small font-mono">{account.prefix}</code>
+            ) : (
+              renderText(null, placeholder)
+            )}
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelPriority")}>
+            {account.priority === null || account.priority === undefined
+              ? renderText(null, placeholder)
+              : String(account.priority)}
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelNote")}>
+            {renderText(account.note, placeholder)}
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelModelCount")}>{account.model_count}</DetailRow>
+          <DetailRow label={t("accountDetailLabelLastSyncedAt")}>
+            {renderTimestamp(account.last_synced_at, placeholder)}
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelCreatedAt")}>
+            {renderTimestamp(account.created_at, placeholder)}
+          </DetailRow>
+          <DetailRow label={t("accountDetailLabelUpdatedAt")}>
+            {renderTimestamp(account.updated_at, placeholder)}
+          </DetailRow>
+
+          {account.raw_metadata ? (
+            <div className="space-y-1 pt-2">
+              <span className="type-label-large text-muted-foreground">
+                {t("accountDetailLabelRawMetadata")}
+              </span>
+              <pre className="overflow-x-auto rounded-cf-sm border border-border bg-surface-200 p-3 type-body-small font-mono">
+                {JSON.stringify(account.raw_metadata, null, 2)}
+              </pre>
+            </div>
+          ) : null}
+        </div>
+
+        <DialogFooter>
+          <Button onClick={onClose}>{tCommon("close")}</Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+interface DetailRowProps {
+  label: string;
+  children: React.ReactNode;
+}
+
+function DetailRow({ label, children }: DetailRowProps) {
+  return (
+    <div className="grid grid-cols-3 items-center gap-3 rounded-cf-sm border border-border p-2">
+      <span className="type-label-large text-muted-foreground">{label}</span>
+      <div className="col-span-2 type-body-medium">{children}</div>
+    </div>
+  );
+}
diff --git a/src/components/admin/cliproxy-account-models-dialog.tsx b/src/components/admin/cliproxy-account-models-dialog.tsx
new file mode 100644
index 00000000..5fe45eca
--- /dev/null
+++ b/src/components/admin/cliproxy-account-models-dialog.tsx
@@ -0,0 +1,98 @@
+"use client";
+
+import { Loader2 } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from "@/components/ui/table";
+import { useCliproxyAccountModels } from "@/hooks/use-cliproxy";
+
+interface CliproxyAccountModelsDialogProps {
+  instanceId: string;
+  authFileName: string;
+  open: boolean;
+  onClose: () => void;
+}
+
+/**
+ * 展示某 OAuth 账号在 CLIProxyAPI 侧的可用模型列表。
+ *
+ * 模型列表为只读窗口，数据每次打开时实时从上游拉取，不写入本地缓存。
+ */
+export function CliproxyAccountModelsDialog({
+  instanceId,
+  authFileName,
+  open,
+  onClose,
+}: CliproxyAccountModelsDialogProps) {
+  const t = useTranslations("cliproxy");
+  const tCommon = useTranslations("common");
+  const { data: models, isLoading, isError } = useCliproxyAccountModels(instanceId, authFileName);
+
+  return (
+    <Dialog open={open} onOpenChange={(next) => !next && onClose()}>
+      <DialogContent className="max-w-lg">
+        <DialogHeader>
+          <DialogTitle>{t("accountModelsDialogTitle")}</DialogTitle>
+          <DialogDescription>
+            {t("accountFileLabel")}: {authFileName}
+          </DialogDescription>
+        </DialogHeader>
+
+        <div className="max-h-96 overflow-y-auto py-2">
+          {isLoading ? (
+            <div className="flex items-center justify-center gap-2 py-8 text-muted-foreground">
+              <Loader2 className="h-4 w-4 animate-spin" aria-hidden />
+              <span className="type-body-small">{tCommon("loading")}</span>
+            </div>
+          ) : isError ? (
+            <p className="py-8 text-center type-body-medium text-destructive">
+              {t("accountModelsLoadFailed")}
+            </p>
+          ) : !models || models.length === 0 ? (
+            <p className="py-8 text-center type-body-medium text-muted-foreground">
+              {t("accountModelsEmpty")}
+            </p>
+          ) : (
+            <Table>
+              <TableHeader>
+                <TableRow>
+                  <TableHead>ID</TableHead>
+                  <TableHead>{t("columnName")}</TableHead>
+                </TableRow>
+              </TableHeader>
+              <TableBody>
+                {models.map((model) => (
+                  <TableRow key={model.id}>
+                    <TableCell>
+                      <code className="type-body-small font-mono">{model.id}</code>
+                    </TableCell>
+                    <TableCell>{model.display_name ?? "—"}</TableCell>
+                  </TableRow>
+                ))}
+              </TableBody>
+            </Table>
+          )}
+        </div>
+
+        <DialogFooter>
+          <Button onClick={onClose}>{tCommon("close")}</Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/src/components/admin/cliproxy-accounts-panel.tsx b/src/components/admin/cliproxy-accounts-panel.tsx
index 287bf2d7..1c633283 100644
--- a/src/components/admin/cliproxy-accounts-panel.tsx
+++ b/src/components/admin/cliproxy-accounts-panel.tsx
@@ -1,38 +1,49 @@
 "use client";
 
 import { useState } from "react";
-import { LogIn, RefreshCw } from "lucide-react";
+import { LogIn, RefreshCw, Upload } from "lucide-react";
 import { useTranslations } from "next-intl";
 import { Button } from "@/components/ui/button";
 import { Card, CardContent } from "@/components/ui/card";
 import { Skeleton } from "@/components/ui/skeleton";
 import {
   useCliproxyAuthAccounts,
+  useDownloadCliproxyAuthFile,
   useSetCliproxyAuthAccountStatus,
   useSyncCliproxyAuthAccounts,
 } from "@/hooks/use-cliproxy";
 import type { CliproxyAuthAccount, CliproxyInstance } from "@/types/cliproxy";
 import { CliproxyAccountsTable } from "./cliproxy-accounts-table";
 import { CliproxyAccountFieldsDialog } from "./cliproxy-account-fields-dialog";
+import { CliproxyAccountModelsDialog } from "./cliproxy-account-models-dialog";
+import { CliproxyAccountDetailDialog } from "./cliproxy-account-detail-dialog";
 import { CliproxyOAuthLoginDialog } from "./cliproxy-oauth-login-dialog";
 import { CliproxyAccountUpstreamDialog } from "./cliproxy-account-upstream-dialog";
+import { CliproxyAuthFileUploadDialog } from "./cliproxy-auth-file-upload-dialog";
+import { CliproxyDeleteAuthFileDialog } from "./cliproxy-delete-auth-file-dialog";
 
 interface CliproxyAccountsPanelProps {
   instance: CliproxyInstance;
 }
 
 /**
- * 选中实例后展示其 OAuth 账号列表的内联面板，提供同步、启停与字段编辑。
+ * 选中实例后展示其 OAuth 账号列表的内联面板，提供 OAuth 登录、上传文件、同步、
+ * 账号启停、字段编辑、详情查看、模型列表查看、下载、删除、上游映射等完整操作。
  */
 export function CliproxyAccountsPanel({ instance }: CliproxyAccountsPanelProps) {
   const t = useTranslations("cliproxy");
   const { data: accounts, isLoading, isError } = useCliproxyAuthAccounts(instance.id);
   const syncMutation = useSyncCliproxyAuthAccounts();
   const statusMutation = useSetCliproxyAuthAccountStatus();
+  const downloadMutation = useDownloadCliproxyAuthFile();
 
   const [editAccount, setEditAccount] = useState<CliproxyAuthAccount | null>(null);
+  const [detailAccount, setDetailAccount] = useState<CliproxyAuthAccount | null>(null);
+  const [modelsAccount, setModelsAccount] = useState<CliproxyAuthAccount | null>(null);
+  const [deleteAccount, setDeleteAccount] = useState<CliproxyAuthAccount | null>(null);
   const [mapAccount, setMapAccount] = useState<CliproxyAuthAccount | null>(null);
   const [oauthOpen, setOauthOpen] = useState(false);
+  const [uploadOpen, setUploadOpen] = useState(false);
 
   const handleToggleStatus = (account: CliproxyAuthAccount) => {
     statusMutation.mutate({
@@ -42,6 +53,13 @@ export function CliproxyAccountsPanel({ instance }: CliproxyAccountsPanelProps)
     });
   };
 
+  const handleDownload = (account: CliproxyAuthAccount) => {
+    downloadMutation.mutate({
+      instanceId: instance.id,
+      authFileName: account.auth_file_name,
+    });
+  };
+
   return (
     <Card variant="outlined">
       <CardContent className="space-y-4 p-4 sm:p-6">
@@ -55,6 +73,10 @@ export function CliproxyAccountsPanel({ instance }: CliproxyAccountsPanelProps)
               <LogIn className="mr-2 h-4 w-4" />
               {t("oauthLogin")}
             </Button>
+            <Button variant="outline" onClick={() => setUploadOpen(true)}>
+              <Upload className="mr-2 h-4 w-4" />
+              {t("uploadAuthFile")}
+            </Button>
             <Button
               variant="outline"
               disabled={syncMutation.isPending}
@@ -85,6 +107,10 @@ export function CliproxyAccountsPanel({ instance }: CliproxyAccountsPanelProps)
             onToggleStatus={handleToggleStatus}
             onEditFields={setEditAccount}
             onMapUpstream={setMapAccount}
+            onViewDetail={setDetailAccount}
+            onViewModels={setModelsAccount}
+            onDownload={handleDownload}
+            onDelete={setDeleteAccount}
           />
         )}
       </CardContent>
@@ -97,6 +123,21 @@ export function CliproxyAccountsPanel({ instance }: CliproxyAccountsPanelProps)
           onClose={() => setEditAccount(null)}
         />
       )}
+      {detailAccount && (
+        <CliproxyAccountDetailDialog
+          account={detailAccount}
+          open
+          onClose={() => setDetailAccount(null)}
+        />
+      )}
+      {modelsAccount && (
+        <CliproxyAccountModelsDialog
+          instanceId={instance.id}
+          authFileName={modelsAccount.auth_file_name}
+          open
+          onClose={() => setModelsAccount(null)}
+        />
+      )}
       {oauthOpen && (
         <CliproxyOAuthLoginDialog
           instanceId={instance.id}
@@ -104,6 +145,13 @@ export function CliproxyAccountsPanel({ instance }: CliproxyAccountsPanelProps)
           onClose={() => setOauthOpen(false)}
         />
       )}
+      {uploadOpen && (
+        <CliproxyAuthFileUploadDialog
+          instanceId={instance.id}
+          open
+          onClose={() => setUploadOpen(false)}
+        />
+      )}
       {mapAccount && (
         <CliproxyAccountUpstreamDialog
           instanceId={instance.id}
@@ -112,6 +160,11 @@ export function CliproxyAccountsPanel({ instance }: CliproxyAccountsPanelProps)
           onClose={() => setMapAccount(null)}
         />
       )}
+      <CliproxyDeleteAuthFileDialog
+        instanceId={instance.id}
+        account={deleteAccount}
+        onClose={() => setDeleteAccount(null)}
+      />
     </Card>
   );
 }
diff --git a/src/components/admin/cliproxy-accounts-table.tsx b/src/components/admin/cliproxy-accounts-table.tsx
index adc0985b..0357f536 100644
--- a/src/components/admin/cliproxy-accounts-table.tsx
+++ b/src/components/admin/cliproxy-accounts-table.tsx
@@ -1,6 +1,16 @@
 "use client";
 
-import { Boxes, MoreHorizontal, Pencil, Power, PowerOff } from "lucide-react";
+import {
+  Boxes,
+  Download,
+  Info,
+  ListTree,
+  MoreHorizontal,
+  Pencil,
+  Power,
+  PowerOff,
+  Trash2,
+} from "lucide-react";
 import { useTranslations } from "next-intl";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
@@ -18,6 +28,7 @@ import {
   TableHeader,
   TableRow,
 } from "@/components/ui/table";
+import { cn } from "@/lib/utils";
 import type { CliproxyAuthAccount } from "@/types/cliproxy";
 
 interface CliproxyAccountsTableProps {
@@ -25,16 +36,27 @@ interface CliproxyAccountsTableProps {
   onToggleStatus: (account: CliproxyAuthAccount) => void;
   onEditFields: (account: CliproxyAuthAccount) => void;
   onMapUpstream: (account: CliproxyAuthAccount) => void;
+  onViewDetail: (account: CliproxyAuthAccount) => void;
+  onViewModels: (account: CliproxyAuthAccount) => void;
+  onDownload: (account: CliproxyAuthAccount) => void;
+  onDelete: (account: CliproxyAuthAccount) => void;
 }
 
 /**
- * CLIProxyAPI OAuth 账号列表表格。每行提供启停与字段编辑操作。
+ * CLIProxyAPI OAuth 账号列表表格。
+ *
+ * 每行展示账号文件名、服务商、邮箱、状态、模型数、前缀，并提供启停、字段编辑、
+ * 映射上游、详情、模型列表、下载、删除等操作。模型数量可点击直接查看模型列表。
  */
 export function CliproxyAccountsTable({
   accounts,
   onToggleStatus,
   onEditFields,
   onMapUpstream,
+  onViewDetail,
+  onViewModels,
+  onDownload,
+  onDelete,
 }: CliproxyAccountsTableProps) {
   const t = useTranslations("cliproxy");
 
@@ -44,6 +66,7 @@ export function CliproxyAccountsTable({
         <TableRow>
           <TableHead>{t("columnAccountFile")}</TableHead>
           <TableHead>{t("columnProvider")}</TableHead>
+          <TableHead>{t("columnEmail")}</TableHead>
           <TableHead>{t("columnStatus")}</TableHead>
           <TableHead>{t("columnModelCount")}</TableHead>
           <TableHead>{t("columnPrefix")}</TableHead>
@@ -57,12 +80,28 @@ export function CliproxyAccountsTable({
             <TableCell>
               <Badge variant="info">{account.provider}</Badge>
             </TableCell>
+            <TableCell>
+              {account.email ? (
+                <span className="type-body-small">{account.email}</span>
+              ) : (
+                <span className="text-muted-foreground">—</span>
+              )}
+            </TableCell>
             <TableCell>
               <Badge variant={account.disabled ? "secondary" : "success"}>
                 {account.disabled ? t("accountStatusDisabled") : t("accountStatusEnabled")}
               </Badge>
             </TableCell>
-            <TableCell>{account.model_count}</TableCell>
+            <TableCell>
+              <button
+                type="button"
+                onClick={() => onViewModels(account)}
+                className="inline-flex items-center gap-1 type-body-small text-primary underline-offset-2 hover:underline"
+              >
+                <ListTree className="h-3.5 w-3.5" aria-hidden />
+                {account.model_count}
+              </button>
+            </TableCell>
             <TableCell>
               {account.prefix ? (
                 <code className="type-body-small font-mono">{account.prefix}</code>
@@ -83,6 +122,14 @@ export function CliproxyAccountsTable({
                   </Button>
                 </DropdownMenuTrigger>
                 <DropdownMenuContent align="end">
+                  <DropdownMenuItem onClick={() => onViewDetail(account)}>
+                    <Info className="mr-2 h-4 w-4" />
+                    {t("actionViewDetail")}
+                  </DropdownMenuItem>
+                  <DropdownMenuItem onClick={() => onViewModels(account)}>
+                    <ListTree className="mr-2 h-4 w-4" />
+                    {t("actionViewModels")}
+                  </DropdownMenuItem>
                   <DropdownMenuItem onClick={() => onToggleStatus(account)}>
                     {account.disabled ? (
                       <Power className="mr-2 h-4 w-4" />
@@ -99,6 +146,17 @@ export function CliproxyAccountsTable({
                     <Boxes className="mr-2 h-4 w-4" />
                     {t("actionMapUpstream")}
                   </DropdownMenuItem>
+                  <DropdownMenuItem onClick={() => onDownload(account)}>
+                    <Download className="mr-2 h-4 w-4" />
+                    {t("actionDownload")}
+                  </DropdownMenuItem>
+                  <DropdownMenuItem
+                    onClick={() => onDelete(account)}
+                    className={cn("text-destructive focus:text-destructive")}
+                  >
+                    <Trash2 className="mr-2 h-4 w-4" />
+                    {t("actionDelete")}
+                  </DropdownMenuItem>
                 </DropdownMenuContent>
               </DropdownMenu>
             </TableCell>
diff --git a/src/components/admin/cliproxy-auth-file-upload-dialog.tsx b/src/components/admin/cliproxy-auth-file-upload-dialog.tsx
new file mode 100644
index 00000000..b156a9dd
--- /dev/null
+++ b/src/components/admin/cliproxy-auth-file-upload-dialog.tsx
@@ -0,0 +1,181 @@
+"use client";
+
+import { useRef, useState } from "react";
+import { Upload } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { toast } from "sonner";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { Textarea } from "@/components/ui/textarea";
+import { useUploadCliproxyAuthFile } from "@/hooks/use-cliproxy";
+import { cn } from "@/lib/utils";
+
+interface CliproxyAuthFileUploadDialogProps {
+  instanceId: string;
+  open: boolean;
+  onClose: () => void;
+}
+
+type UploadMode = "file" | "paste";
+
+/**
+ * 上传 CLIProxyAPI 认证文件的弹窗。
+ *
+ * 支持「选择文件」与「粘贴 JSON」两种方式，由顶部按钮组切换。
+ * 提交前在前端验证 JSON 合法性，上传成功后自动触发同步，
+ * 同步结果由 mutation 的 onSuccess 提示。
+ */
+export function CliproxyAuthFileUploadDialog({
+  instanceId,
+  open,
+  onClose,
+}: CliproxyAuthFileUploadDialogProps) {
+  const t = useTranslations("cliproxy");
+  const tCommon = useTranslations("common");
+  const uploadMutation = useUploadCliproxyAuthFile();
+  const fileInputRef = useRef<HTMLInputElement>(null);
+
+  const [mode, setMode] = useState<UploadMode>("file");
+  const [pasteContent, setPasteContent] = useState("");
+  const [pickedFileName, setPickedFileName] = useState<string | null>(null);
+  const [pickedFileContent, setPickedFileContent] = useState<string | null>(null);
+
+  const handleFileChange = async (event: React.ChangeEvent<HTMLInputElement>) => {
+    const file = event.target.files?.[0] ?? null;
+    if (!file) {
+      setPickedFileName(null);
+      setPickedFileContent(null);
+      return;
+    }
+    setPickedFileName(file.name);
+    setPickedFileContent(await file.text());
+  };
+
+  const handleSubmit = async () => {
+    const raw = mode === "file" ? pickedFileContent : pasteContent;
+    if (!raw || !raw.trim()) {
+      toast.error(t("uploadAuthFileEmpty"));
+      return;
+    }
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      toast.error(t("uploadAuthFileInvalidJson"));
+      return;
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      toast.error(t("uploadAuthFileInvalidJson"));
+      return;
+    }
+
+    try {
+      await uploadMutation.mutateAsync({
+        instanceId,
+        content: parsed as Record<string, unknown>,
+      });
+      handleClose();
+    } catch {
+      // 错误已由 mutation 的 onError 提示
+    }
+  };
+
+  const handleClose = () => {
+    setPasteContent("");
+    setPickedFileName(null);
+    setPickedFileContent(null);
+    if (fileInputRef.current) {
+      fileInputRef.current.value = "";
+    }
+    onClose();
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={(next) => !next && handleClose()}>
+      <DialogContent className="max-w-lg">
+        <DialogHeader>
+          <DialogTitle>{t("uploadAuthFileTitle")}</DialogTitle>
+          <DialogDescription>{t("uploadAuthFileDescription")}</DialogDescription>
+        </DialogHeader>
+
+        <div className="flex w-full overflow-hidden rounded-cf-sm border border-border">
+          <ModeButton active={mode === "file"} onClick={() => setMode("file")}>
+            {t("uploadAuthFileMethodFile")}
+          </ModeButton>
+          <ModeButton active={mode === "paste"} onClick={() => setMode("paste")}>
+            {t("uploadAuthFileMethodPaste")}
+          </ModeButton>
+        </div>
+
+        <div className="py-3">
+          {mode === "file" ? (
+            <>
+              <button
+                type="button"
+                onClick={() => fileInputRef.current?.click()}
+                className="flex w-full items-center justify-center gap-2 rounded-cf-sm border border-dashed border-border p-6 text-muted-foreground hover:bg-surface-100"
+              >
+                <Upload className="h-4 w-4" aria-hidden />
+                <span className="type-body-small">
+                  {pickedFileName ?? t("uploadAuthFileChoose")}
+                </span>
+              </button>
+              <input
+                ref={fileInputRef}
+                type="file"
+                accept="application/json,.json"
+                className="hidden"
+                onChange={handleFileChange}
+              />
+            </>
+          ) : (
+            <Textarea
+              rows={10}
+              placeholder={t("uploadAuthFilePastePlaceholder")}
+              value={pasteContent}
+              onChange={(event) => setPasteContent(event.target.value)}
+              className="font-mono"
+            />
+          )}
+        </div>
+
+        <DialogFooter>
+          <Button type="button" variant="outline" onClick={handleClose}>
+            {tCommon("cancel")}
+          </Button>
+          <Button type="button" onClick={handleSubmit} disabled={uploadMutation.isPending}>
+            {uploadMutation.isPending ? t("uploading") : t("uploadAuthFileSubmit")}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+interface ModeButtonProps {
+  active: boolean;
+  onClick: () => void;
+  children: React.ReactNode;
+}
+
+function ModeButton({ active, onClick, children }: ModeButtonProps) {
+  return (
+    <button
+      type="button"
+      onClick={onClick}
+      className={cn(
+        "flex-1 px-3 py-2 type-body-small transition-colors",
+        active ? "bg-primary text-primary-foreground" : "bg-surface-100 hover:bg-surface-200"
+      )}
+    >
+      {children}
+    </button>
+  );
+}
diff --git a/src/components/admin/cliproxy-delete-auth-file-dialog.tsx b/src/components/admin/cliproxy-delete-auth-file-dialog.tsx
new file mode 100644
index 00000000..752d6962
--- /dev/null
+++ b/src/components/admin/cliproxy-delete-auth-file-dialog.tsx
@@ -0,0 +1,85 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+import { Button } from "@/components/ui/button";
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from "@/components/ui/dialog";
+import { useDeleteCliproxyAuthFile } from "@/hooks/use-cliproxy";
+import type { CliproxyAuthAccount } from "@/types/cliproxy";
+
+interface CliproxyDeleteAuthFileDialogProps {
+  instanceId: string;
+  account: CliproxyAuthAccount | null;
+  onClose: () => void;
+}
+
+/**
+ * 删除认证文件的确认弹窗。删除会先调用 CLIProxyAPI 删除上游文件，
+ * 成功后再移除本地缓存。
+ */
+export function CliproxyDeleteAuthFileDialog({
+  instanceId,
+  account,
+  onClose,
+}: CliproxyDeleteAuthFileDialogProps) {
+  const t = useTranslations("cliproxy");
+  const tCommon = useTranslations("common");
+  const deleteMutation = useDeleteCliproxyAuthFile();
+
+  const handleConfirm = async () => {
+    if (!account) return;
+    try {
+      await deleteMutation.mutateAsync({
+        instanceId,
+        authFileName: account.auth_file_name,
+      });
+      onClose();
+    } catch {
+      // 错误已由 mutation 的 onError 提示
+    }
+  };
+
+  return (
+    <Dialog open={Boolean(account)} onOpenChange={(next) => !next && onClose()}>
+      <DialogContent className="max-w-md">
+        <DialogHeader>
+          <DialogTitle>{t("deleteAuthFileTitle")}</DialogTitle>
+          <DialogDescription>{t("deleteAuthFileDescription")}</DialogDescription>
+        </DialogHeader>
+
+        {account ? (
+          <div className="py-2">
+            <div className="rounded-cf-sm border border-border p-3">
+              <div className="flex justify-between gap-3">
+                <span className="type-label-large text-muted-foreground">
+                  {t("accountFileLabel")}
+                </span>
+                <span className="type-body-medium">{account.auth_file_name}</span>
+              </div>
+            </div>
+          </div>
+        ) : null}
+
+        <DialogFooter>
+          <Button type="button" variant="outline" onClick={onClose}>
+            {tCommon("cancel")}
+          </Button>
+          <Button
+            type="button"
+            variant="destructive"
+            onClick={handleConfirm}
+            disabled={deleteMutation.isPending || !account}
+          >
+            {deleteMutation.isPending ? t("deleting") : tCommon("delete")}
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/src/components/admin/cliproxy-instance-logs-panel.tsx b/src/components/admin/cliproxy-instance-logs-panel.tsx
new file mode 100644
index 00000000..8a32461b
--- /dev/null
+++ b/src/components/admin/cliproxy-instance-logs-panel.tsx
@@ -0,0 +1,122 @@
+"use client";
+
+import { useMemo, useState } from "react";
+import { RefreshCw } from "lucide-react";
+import { useTranslations } from "next-intl";
+import { Button } from "@/components/ui/button";
+import { Card, CardContent } from "@/components/ui/card";
+import { Input } from "@/components/ui/input";
+import { Skeleton } from "@/components/ui/skeleton";
+import { CLIPROXY_LOGS_DEFAULT_LIMIT, useCliproxyInstanceLogs } from "@/hooks/use-cliproxy";
+import { cn } from "@/lib/utils";
+import type { CliproxyInstance } from "@/types/cliproxy";
+
+interface CliproxyInstanceLogsPanelProps {
+  instance: CliproxyInstance;
+}
+
+/** 日志级别对应的色调，未识别级别使用 muted。 */
+function levelClassName(level: string): string {
+  switch (level.toLowerCase()) {
+    case "error":
+      return "text-destructive";
+    case "warn":
+    case "warning":
+      return "text-amber-500";
+    case "info":
+      return "text-emerald-500";
+    case "debug":
+      return "text-muted-foreground";
+    default:
+      return "text-foreground";
+  }
+}
+
+/**
+ * 实例日志查看面板。
+ *
+ * 首次显示时拉取一次日志，提供刷新按钮与前端关键词过滤。
+ * 单次拉取行数受 `CLIPROXY_LOGS_DEFAULT_LIMIT` 上限，超出部分由后端控制。
+ */
+export function CliproxyInstanceLogsPanel({ instance }: CliproxyInstanceLogsPanelProps) {
+  const t = useTranslations("cliproxy");
+  const {
+    data: logs,
+    isLoading,
+    isError,
+    refetch,
+    isFetching,
+  } = useCliproxyInstanceLogs(instance.id);
+  const [keyword, setKeyword] = useState("");
+
+  const filtered = useMemo(() => {
+    if (!logs) return [];
+    const limited = logs.slice(0, CLIPROXY_LOGS_DEFAULT_LIMIT);
+    if (!keyword.trim()) return limited;
+    const needle = keyword.trim().toLowerCase();
+    return limited.filter(
+      (entry) =>
+        (entry.message ?? "").toLowerCase().includes(needle) ||
+        (entry.level ?? "").toLowerCase().includes(needle)
+    );
+  }, [logs, keyword]);
+
+  return (
+    <Card variant="outlined">
+      <CardContent className="space-y-4 p-4 sm:p-6">
+        <div className="flex flex-wrap items-center justify-between gap-3">
+          <div className="min-w-0">
+            <h2 className="type-title-medium text-foreground">{t("logsTitle")}</h2>
+            <p className="type-body-small text-muted-foreground">{instance.name}</p>
+          </div>
+          <div className="flex flex-wrap gap-2">
+            <Input
+              value={keyword}
+              onChange={(event) => setKeyword(event.target.value)}
+              placeholder={t("logsSearchPlaceholder")}
+              className="w-64"
+            />
+            <Button variant="outline" disabled={isFetching} onClick={() => refetch()}>
+              <RefreshCw className={cn("mr-2 h-4 w-4", isFetching && "animate-spin")} />
+              {t("logsRefresh")}
+            </Button>
+          </div>
+        </div>
+
+        {isLoading ? (
+          <div className="space-y-2">
+            <Skeleton className="h-6 w-full" />
+            <Skeleton className="h-6 w-full" />
+            <Skeleton className="h-6 w-full" />
+          </div>
+        ) : isError ? (
+          <p className="py-8 text-center type-body-medium text-destructive">
+            {t("logsLoadFailed")}
+          </p>
+        ) : !logs || logs.length === 0 ? (
+          <p className="py-8 text-center type-body-medium text-muted-foreground">
+            {t("logsEmpty")}
+          </p>
+        ) : filtered.length === 0 ? (
+          <p className="py-8 text-center type-body-medium text-muted-foreground">
+            {t("logsNoMatches")}
+          </p>
+        ) : (
+          <div className="max-h-[28rem] overflow-y-auto rounded-cf-sm border border-border bg-surface-200 p-3 font-mono">
+            <ul className="space-y-1 type-body-small">
+              {filtered.map((entry, index) => (
+                <li key={`${entry.timestamp}-${index}`} className="flex gap-3">
+                  <span className="shrink-0 text-muted-foreground">{entry.timestamp}</span>
+                  <span className={cn("shrink-0 font-semibold", levelClassName(entry.level))}>
+                    [{entry.level.toUpperCase()}]
+                  </span>
+                  <span className="min-w-0 break-words">{entry.message}</span>
+                </li>
+              ))}
+            </ul>
+          </div>
+        )}
+      </CardContent>
+    </Card>
+  );
+}
diff --git a/src/components/admin/cliproxy-instances-table.tsx b/src/components/admin/cliproxy-instances-table.tsx
index 141046bf..aa7b9d22 100644
--- a/src/components/admin/cliproxy-instances-table.tsx
+++ b/src/components/admin/cliproxy-instances-table.tsx
@@ -10,6 +10,7 @@ import {
   DropdownMenuItem,
   DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
+import { Switch } from "@/components/ui/switch";
 import {
   Table,
   TableBody,
@@ -18,6 +19,7 @@ import {
   TableHeader,
   TableRow,
 } from "@/components/ui/table";
+import { useToggleCliproxyInstanceEnabled } from "@/hooks/use-cliproxy";
 import { cn } from "@/lib/utils";
 import type { CliproxyInstance } from "@/types/cliproxy";
 
@@ -32,7 +34,8 @@ interface CliproxyInstancesTableProps {
 }
 
 /**
- * CLIProxyAPI 实例列表表格。点击行选中实例以查看其账号，每行提供编辑、连通性检测、删除操作。
+ * CLIProxyAPI 实例列表表格。点击行选中实例以查看其账号，每行提供启停切换、
+ * 连通性检测、编辑、删除等操作。
  */
 export function CliproxyInstancesTable({
   instances,
@@ -44,6 +47,7 @@ export function CliproxyInstancesTable({
   onDelete,
 }: CliproxyInstancesTableProps) {
   const t = useTranslations("cliproxy");
+  const toggleEnabled = useToggleCliproxyInstanceEnabled();
 
   return (
     <Table>
@@ -75,10 +79,20 @@ export function CliproxyInstancesTable({
                 {instance.base_url}
               </code>
             </TableCell>
-            <TableCell>
-              <Badge variant={instance.enabled ? "success" : "secondary"}>
-                {instance.enabled ? t("statusEnabled") : t("statusDisabled")}
-              </Badge>
+            <TableCell onClick={(event) => event.stopPropagation()}>
+              <div className="flex items-center gap-2">
+                <Switch
+                  checked={instance.enabled}
+                  disabled={toggleEnabled.isPending && toggleEnabled.variables?.id === instance.id}
+                  onCheckedChange={(checked) =>
+                    toggleEnabled.mutate({ id: instance.id, enabled: checked })
+                  }
+                  aria-label={instance.enabled ? t("statusEnabled") : t("statusDisabled")}
+                />
+                <span className="type-body-small text-muted-foreground">
+                  {instance.enabled ? t("statusEnabled") : t("statusDisabled")}
+                </span>
+              </div>
             </TableCell>
             <TableCell className="text-right" onClick={(event) => event.stopPropagation()}>
               <DropdownMenu>
diff --git a/src/components/admin/cliproxy-linked-upstreams-panel.tsx b/src/components/admin/cliproxy-linked-upstreams-panel.tsx
new file mode 100644
index 00000000..e8c35bca
--- /dev/null
+++ b/src/components/admin/cliproxy-linked-upstreams-panel.tsx
@@ -0,0 +1,98 @@
+"use client";
+
+import { useTranslations } from "next-intl";
+import { Badge } from "@/components/ui/badge";
+import { Card, CardContent } from "@/components/ui/card";
+import { Skeleton } from "@/components/ui/skeleton";
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from "@/components/ui/table";
+import { useCliproxyLinkedUpstreams } from "@/hooks/use-cliproxy";
+import type { CliproxyInstance } from "@/types/cliproxy";
+
+interface CliproxyLinkedUpstreamsPanelProps {
+  instance: CliproxyInstance;
+}
+
+/**
+ * 选中实例后展示的关联上游面板。数据来自 AutoRouter 本地 upstreams 表，
+ * 按 `cliproxyAuthFileName` 是否为空区分池上游与单账号上游。
+ */
+export function CliproxyLinkedUpstreamsPanel({ instance }: CliproxyLinkedUpstreamsPanelProps) {
+  const t = useTranslations("cliproxy");
+  const { data: upstreams, isLoading, isError } = useCliproxyLinkedUpstreams(instance.id);
+
+  return (
+    <Card variant="outlined">
+      <CardContent className="space-y-4 p-4 sm:p-6">
+        <div className="min-w-0">
+          <h2 className="type-title-medium text-foreground">{t("linkedUpstreamsTitle")}</h2>
+          <p className="type-body-small text-muted-foreground">{instance.name}</p>
+        </div>
+
+        {isLoading ? (
+          <div className="space-y-2">
+            <Skeleton className="h-10 w-full" />
+            <Skeleton className="h-10 w-full" />
+          </div>
+        ) : isError ? (
+          <p className="py-8 text-center type-body-medium text-destructive">
+            {t("linkedUpstreamsLoadFailed")}
+          </p>
+        ) : !upstreams || upstreams.length === 0 ? (
+          <p className="py-8 text-center type-body-medium text-muted-foreground">
+            {t("linkedUpstreamsEmpty")}
+          </p>
+        ) : (
+          <Table>
+            <TableHeader>
+              <TableRow>
+                <TableHead>{t("columnUpstreamName")}</TableHead>
+                <TableHead>{t("columnProvider")}</TableHead>
+                <TableHead>{t("columnUpstreamKind")}</TableHead>
+                <TableHead>{t("columnLinkedAccount")}</TableHead>
+                <TableHead>{t("columnStatus")}</TableHead>
+              </TableRow>
+            </TableHeader>
+            <TableBody>
+              {upstreams.map((row) => (
+                <TableRow key={row.id}>
+                  <TableCell className="font-medium">{row.name}</TableCell>
+                  <TableCell>
+                    {row.provider ? (
+                      <Badge variant="info">{row.provider}</Badge>
+                    ) : (
+                      <Badge variant="secondary">{t("linkedUpstreamProviderUnknown")}</Badge>
+                    )}
+                  </TableCell>
+                  <TableCell>
+                    <Badge variant={row.kind === "pool" ? "secondary" : "info"}>
+                      {row.kind === "pool" ? t("kindPool") : t("kindSingle")}
+                    </Badge>
+                  </TableCell>
+                  <TableCell>
+                    {row.auth_file_name ? (
+                      <code className="type-body-small font-mono">{row.auth_file_name}</code>
+                    ) : (
+                      <span className="text-muted-foreground">—</span>
+                    )}
+                  </TableCell>
+                  <TableCell>
+                    <Badge variant={row.is_active ? "success" : "secondary"}>
+                      {row.is_active ? t("statusEnabled") : t("statusDisabled")}
+                    </Badge>
+                  </TableCell>
+                </TableRow>
+              ))}
+            </TableBody>
+          </Table>
+        )}
+      </CardContent>
+    </Card>
+  );
+}
diff --git a/src/components/admin/cliproxy-oauth-login-dialog.tsx b/src/components/admin/cliproxy-oauth-login-dialog.tsx
index 619ff163..786ddfd8 100644
--- a/src/components/admin/cliproxy-oauth-login-dialog.tsx
+++ b/src/components/admin/cliproxy-oauth-login-dialog.tsx
@@ -21,10 +21,12 @@ import {
   SelectTrigger,
   SelectValue,
 } from "@/components/ui/select";
+import { Input } from "@/components/ui/input";
 import {
   CLIPROXY_OAUTH_POLL_TIMEOUT_MS,
   useCliproxyOAuthStatus,
   useInitiateCliproxyOAuthLogin,
+  useSubmitCliproxyOAuthCallback,
 } from "@/hooks/use-cliproxy";
 import { CLIPROXY_PROVIDERS } from "@/types/cliproxy";
 import type { CliproxyProvider } from "@/types/cliproxy";
@@ -39,6 +41,9 @@ const PROVIDER_LABEL_KEY: Record<CliproxyProvider, string> = {
   codex: "providerCodex",
   anthropic: "providerAnthropic",
   gemini: "providerGemini",
+  xai: "providerXai",
+  antigravity: "providerAntigravity",
+  kimi: "providerKimi",
 };
 
 /**
@@ -59,8 +64,10 @@ export function CliproxyOAuthLoginDialog({
   const [provider, setProvider] = useState<CliproxyProvider>("codex");
   const [session, setSession] = useState<{ url: string; state: string } | null>(null);
   const [timedOut, setTimedOut] = useState(false);
+  const [callbackUrl, setCallbackUrl] = useState("");
 
   const initiateMutation = useInitiateCliproxyOAuthLogin();
+  const callbackMutation = useSubmitCliproxyOAuthCallback();
   const statusQuery = useCliproxyOAuthStatus(
     instanceId,
     session?.state ?? null,
@@ -101,6 +108,24 @@ export function CliproxyOAuthLoginDialog({
   const handleRetry = () => {
     setSession(null);
     setTimedOut(false);
+    setCallbackUrl("");
+  };
+
+  const handleSubmitCallback = async () => {
+    if (!callbackUrl.trim()) {
+      toast.error(t("oauthManualCallbackEmpty"));
+      return;
+    }
+    try {
+      await callbackMutation.mutateAsync({
+        instanceId,
+        provider,
+        redirectUrl: callbackUrl.trim(),
+      });
+      onClose();
+    } catch {
+      // 错误已由 mutation 的 onError 提示
+    }
   };
 
   const handleCopy = async () => {
@@ -167,13 +192,39 @@ export function CliproxyOAuthLoginDialog({
               </div>
 
               {failed ? (
-                <div className="flex items-start gap-2 rounded-cf-sm border border-amber-500/40 bg-amber-500/5 p-3">
-                  <XCircle className="mt-0.5 h-4 w-4 flex-shrink-0 text-amber-500" aria-hidden />
-                  <p className="type-body-small text-muted-foreground">
-                    {timedOut
-                      ? t("oauthLoginTimeout")
-                      : (statusQuery.data?.error ?? t("oauthLoginError"))}
-                  </p>
+                <div className="space-y-3">
+                  <div className="flex items-start gap-2 rounded-cf-sm border border-amber-500/40 bg-amber-500/5 p-3">
+                    <XCircle className="mt-0.5 h-4 w-4 flex-shrink-0 text-amber-500" aria-hidden />
+                    <p className="type-body-small text-muted-foreground">
+                      {timedOut
+                        ? t("oauthLoginTimeout")
+                        : (statusQuery.data?.error ?? t("oauthLoginError"))}
+                    </p>
+                  </div>
+                  <div className="space-y-2 rounded-cf-sm border border-border p-3">
+                    <div>
+                      <p className="type-label-large text-foreground">{t("oauthManualCallback")}</p>
+                      <p className="type-body-small text-muted-foreground">
+                        {t("oauthManualCallbackDescription")}
+                      </p>
+                    </div>
+                    <Input
+                      value={callbackUrl}
+                      onChange={(event) => setCallbackUrl(event.target.value)}
+                      placeholder={t("oauthManualCallbackPlaceholder")}
+                      className="font-mono"
+                    />
+                    <Button
+                      type="button"
+                      size="sm"
+                      disabled={callbackMutation.isPending}
+                      onClick={handleSubmitCallback}
+                    >
+                      {callbackMutation.isPending
+                        ? tCommon("loading")
+                        : t("oauthManualCallbackSubmit")}
+                    </Button>
+                  </div>
                 </div>
               ) : status === "ok" ? (
                 <div className="flex items-center gap-2 text-emerald-500">
diff --git a/src/components/admin/cliproxy-pool-upstream-dialog.tsx b/src/components/admin/cliproxy-pool-upstream-dialog.tsx
index 45479f84..f438912f 100644
--- a/src/components/admin/cliproxy-pool-upstream-dialog.tsx
+++ b/src/components/admin/cliproxy-pool-upstream-dialog.tsx
@@ -19,8 +19,8 @@ import {
   SelectValue,
 } from "@/components/ui/select";
 import { useCreateCliproxyPoolUpstream } from "@/hooks/use-cliproxy";
-import { CLIPROXY_PROVIDERS } from "@/types/cliproxy";
-import type { CliproxyProvider } from "@/types/cliproxy";
+import { CLIPROXY_UPSTREAM_PROVIDERS } from "@/types/cliproxy";
+import type { CliproxyUpstreamProvider } from "@/types/cliproxy";
 
 interface CliproxyPoolUpstreamDialogProps {
   instanceId: string;
@@ -28,7 +28,7 @@ interface CliproxyPoolUpstreamDialogProps {
   onClose: () => void;
 }
 
-const PROVIDER_LABEL_KEY: Record<CliproxyProvider, string> = {
+const PROVIDER_LABEL_KEY: Record<CliproxyUpstreamProvider, string> = {
   codex: "providerCodex",
   anthropic: "providerAnthropic",
   gemini: "providerGemini",
@@ -45,7 +45,7 @@ export function CliproxyPoolUpstreamDialog({
   const t = useTranslations("cliproxy");
   const tCommon = useTranslations("common");
   const createMutation = useCreateCliproxyPoolUpstream();
-  const [provider, setProvider] = useState<CliproxyProvider>("codex");
+  const [provider, setProvider] = useState<CliproxyUpstreamProvider>("codex");
 
   const handleConfirm = async () => {
     try {
@@ -68,13 +68,13 @@ export function CliproxyPoolUpstreamDialog({
           <p className="type-body-small text-muted-foreground">{t("poolUpstreamProvider")}</p>
           <Select
             value={provider}
-            onValueChange={(value) => setProvider(value as CliproxyProvider)}
+            onValueChange={(value) => setProvider(value as CliproxyUpstreamProvider)}
           >
             <SelectTrigger>
               <SelectValue />
             </SelectTrigger>
             <SelectContent>
-              {CLIPROXY_PROVIDERS.map((item) => (
+              {CLIPROXY_UPSTREAM_PROVIDERS.map((item) => (
                 <SelectItem key={item} value={item}>
                   {t(PROVIDER_LABEL_KEY[item])}
                 </SelectItem>
diff --git a/src/hooks/use-cliproxy.ts b/src/hooks/use-cliproxy.ts
index 477427b4..af84e9bb 100644
--- a/src/hooks/use-cliproxy.ts
+++ b/src/hooks/use-cliproxy.ts
@@ -11,8 +11,12 @@ import type {
   CliproxyAuthAccountFieldsUpdate,
   CliproxyAuthAccountSyncResult,
   CliproxyProvider,
+  CliproxyUpstreamProvider,
   CliproxyOAuthInitiateResult,
   CliproxyOAuthStatusResult,
+  CliproxyLogEntry,
+  CliproxyAuthFileModel,
+  CliproxyLinkedUpstream,
 } from "@/types/cliproxy";
 
 /** OAuth 登录状态轮询间隔（毫秒）。 */
@@ -307,7 +311,7 @@ export function useCreateCliproxyPoolUpstream() {
       provider,
     }: {
       instanceId: string;
-      provider: CliproxyProvider;
+      provider: CliproxyUpstreamProvider;
     }) => {
       const response = await apiClient.post<{ data: { id: string } }>(
         `/admin/cliproxy/instances/${instanceId}/pool-upstreams`,
@@ -325,6 +329,228 @@ export function useCreateCliproxyPoolUpstream() {
   });
 }
 
+/** 实例日志面板的默认拉取行数上限（前端裁剪）。 */
+export const CLIPROXY_LOGS_DEFAULT_LIMIT = 200;
+
+/** 列出实例下关联的上游（池上游与单账号上游）。 */
+export function useCliproxyLinkedUpstreams(instanceId: string | null) {
+  const { apiClient } = useAuth();
+
+  return useQuery({
+    queryKey: ["cliproxy", "linked-upstreams", instanceId],
+    queryFn: async () => {
+      const response = await apiClient.get<{ data: CliproxyLinkedUpstream[] }>(
+        `/admin/cliproxy/instances/${instanceId}/linked-upstreams`
+      );
+      return response.data;
+    },
+    enabled: Boolean(instanceId),
+  });
+}
+
+/** 查询某账号的 CLIProxyAPI 可用模型列表。 */
+export function useCliproxyAccountModels(instanceId: string, authFileName: string | null) {
+  const { apiClient } = useAuth();
+
+  return useQuery({
+    queryKey: ["cliproxy", "account-models", instanceId, authFileName],
+    queryFn: async () => {
+      const response = await apiClient.get<{ data: CliproxyAuthFileModel[] }>(
+        `/admin/cliproxy/instances/${instanceId}/auth-accounts/${encodeURIComponent(
+          authFileName ?? ""
+        )}/models`
+      );
+      return response.data;
+    },
+    enabled: Boolean(authFileName),
+  });
+}
+
+/** 拉取实例的 CLIProxyAPI 运行日志，支持可选 since 时间戳过滤。 */
+export function useCliproxyInstanceLogs(instanceId: string | null, since?: string) {
+  const { apiClient } = useAuth();
+
+  return useQuery({
+    queryKey: ["cliproxy", "logs", instanceId, since ?? null],
+    queryFn: async () => {
+      const sinceParam = since ? `?since=${encodeURIComponent(since)}` : "";
+      const response = await apiClient.get<{ data: CliproxyLogEntry[] }>(
+        `/admin/cliproxy/instances/${instanceId}/logs${sinceParam}`
+      );
+      return response.data;
+    },
+    enabled: Boolean(instanceId),
+  });
+}
+
+/** 行内启停实例的快捷 mutation，复用既有实例更新端点仅修改 enabled。 */
+export function useToggleCliproxyInstanceEnabled() {
+  const { apiClient } = useAuth();
+  const queryClient = useQueryClient();
+  const t = useTranslations("cliproxy") as CliproxyTranslator;
+
+  return useMutation({
+    mutationFn: async ({ id, enabled }: { id: string; enabled: boolean }) => {
+      const response = await apiClient.patch<{ data: CliproxyInstance }>(
+        `/admin/cliproxy/instances/${id}`,
+        { enabled }
+      );
+      return response.data;
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["cliproxy", "instances"] });
+    },
+    onError: (error: Error) => {
+      toast.error(t("instanceUpdateFailed", { message: error.message }));
+    },
+  });
+}
+
+/** 删除认证文件并清理本地缓存。 */
+export function useDeleteCliproxyAuthFile() {
+  const { apiClient } = useAuth();
+  const queryClient = useQueryClient();
+  const t = useTranslations("cliproxy") as CliproxyTranslator;
+
+  return useMutation({
+    mutationFn: async ({
+      instanceId,
+      authFileName,
+    }: {
+      instanceId: string;
+      authFileName: string;
+    }) => {
+      const response = await apiClient.delete<{ data: { name: string } }>(
+        `/admin/cliproxy/instances/${instanceId}/auth-files/${encodeURIComponent(authFileName)}`
+      );
+      return response.data;
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["cliproxy", "accounts"] });
+      toast.success(t("authFileDeleteSuccess"));
+    },
+    onError: (error: Error) => {
+      toast.error(t("authFileDeleteFailed", { message: error.message }));
+    },
+  });
+}
+
+/** 上传认证文件至 CLIProxyAPI，成功后返回同步结果并刷新账号列表。 */
+export function useUploadCliproxyAuthFile() {
+  const { apiClient } = useAuth();
+  const queryClient = useQueryClient();
+  const t = useTranslations("cliproxy") as CliproxyTranslator;
+
+  return useMutation({
+    mutationFn: async ({
+      instanceId,
+      content,
+    }: {
+      instanceId: string;
+      content: Record<string, unknown>;
+    }) => {
+      const response = await apiClient.post<{ data: CliproxyAuthAccountSyncResult }>(
+        `/admin/cliproxy/instances/${instanceId}/auth-files`,
+        content
+      );
+      return response.data;
+    },
+    onSuccess: (result) => {
+      queryClient.invalidateQueries({ queryKey: ["cliproxy", "accounts"] });
+      toast.success(
+        t("authFileUploadSuccess", {
+          added: result.added,
+          updated: result.updated,
+          removed: result.removed,
+        })
+      );
+    },
+    onError: (error: Error) => {
+      toast.error(t("authFileUploadFailed", { message: error.message }));
+    },
+  });
+}
+
+/**
+ * 触发认证文件下载。
+ *
+ * 直接通过 fetch + Blob 走浏览器原生下载流程，绕过 apiClient 的 JSON 解析，
+ * 避免大文件二次序列化。token 仍按 admin 鉴权约定注入到 Authorization 头。
+ */
+export function useDownloadCliproxyAuthFile() {
+  const { token } = useAuth();
+  const t = useTranslations("cliproxy") as CliproxyTranslator;
+
+  return useMutation({
+    mutationFn: async ({
+      instanceId,
+      authFileName,
+    }: {
+      instanceId: string;
+      authFileName: string;
+    }) => {
+      const response = await fetch(
+        `/api/admin/cliproxy/instances/${instanceId}/auth-files/${encodeURIComponent(
+          authFileName
+        )}`,
+        {
+          method: "GET",
+          headers: token ? { Authorization: `Bearer ${token}` } : undefined,
+        }
+      );
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}`);
+      }
+      const blob = await response.blob();
+      const url = URL.createObjectURL(blob);
+      const a = document.createElement("a");
+      a.href = url;
+      a.download = authFileName;
+      document.body.appendChild(a);
+      a.click();
+      a.remove();
+      // 立即 revoke 在 Firefox 上可能导致 Blob 尚未被读取就已失效，
+      // 延后到下一个事件循环再回收，让浏览器有机会开始下载。
+      setTimeout(() => URL.revokeObjectURL(url), 100);
+    },
+    onError: (error: Error) => {
+      toast.error(t("authFileDownloadFailed", { message: error.message }));
+    },
+  });
+}
+
+/** 手动提交 OAuth 回调 URL，成功后返回同步结果。 */
+export function useSubmitCliproxyOAuthCallback() {
+  const { apiClient } = useAuth();
+  const queryClient = useQueryClient();
+  const t = useTranslations("cliproxy") as CliproxyTranslator;
+
+  return useMutation({
+    mutationFn: async ({
+      instanceId,
+      provider,
+      redirectUrl,
+    }: {
+      instanceId: string;
+      provider: CliproxyProvider;
+      redirectUrl: string;
+    }) => {
+      const response = await apiClient.post<{ data: CliproxyOAuthStatusResult }>(
+        `/admin/cliproxy/instances/${instanceId}/oauth-callback`,
+        { provider, redirect_url: redirectUrl }
+      );
+      return response.data;
+    },
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["cliproxy", "accounts"] });
+      toast.success(t("oauthCallbackSubmitSuccess"));
+    },
+    onError: (error: Error) => {
+      toast.error(t("oauthCallbackSubmitFailed", { message: error.message }));
+    },
+  });
+}
+
 /** 将单个 OAuth 账号固定映射为一个上游。 */
 export function useCreateCliproxySingleAccountUpstream() {
   const { apiClient } = useAuth();
diff --git a/src/lib/services/cliproxy-auth-account-service.ts b/src/lib/services/cliproxy-auth-account-service.ts
index 778059e7..7c2c64b4 100644
--- a/src/lib/services/cliproxy-auth-account-service.ts
+++ b/src/lib/services/cliproxy-auth-account-service.ts
@@ -10,7 +10,11 @@ import {
   getAuthFileModels,
   patchAuthFileStatus,
   patchAuthFileFields,
+  deleteAuthFile,
+  uploadAuthFile,
+  downloadAuthFile,
   type CliproxyAuthFileEntry,
+  type CliproxyAuthFileModel,
   type CliproxyManagementTarget,
 } from "./cliproxy-management-client";
 import { createLogger } from "../utils/logger";
@@ -259,3 +263,65 @@ export async function updateCliproxyAuthAccountFields(
   log.info({ instanceId, authFileName }, "updated CLIProxyAPI auth account fields");
   return row;
 }
+
+/**
+ * 删除某个 OAuth 账号：先调用 CLIProxyAPI 删除上游 auth-file，
+ * 成功后再移除本地缓存。CLIProxyAPI 调用失败时本地缓存保持不变。
+ *
+ * 本地缓存可能因之前的同步落后于上游而不存在对应行；此种情况下视为已删除，
+ * 不再返回 NotFound 以便管理员在 CLIProxyAPI 侧直接清理后仍能完成本地收尾。
+ */
+export async function deleteCliproxyAuthAccount(
+  instanceId: string,
+  authFileName: string
+): Promise<void> {
+  const target = await resolveManagementTarget(instanceId);
+
+  await deleteAuthFile(target, authFileName);
+
+  const account = await getCliproxyAuthAccount(instanceId, authFileName);
+  if (account) {
+    await db.delete(cliproxyAuthAccounts).where(eq(cliproxyAuthAccounts.id, account.id));
+  }
+  log.info({ instanceId, authFileName }, "deleted CLIProxyAPI auth account");
+}
+
+/**
+ * 上传认证文件至 CLIProxyAPI，并立即触发该实例的账号同步。
+ *
+ * 上传成功但同步失败时仍向上抛出错误，便于管理端按错误信息排查；CLIProxyAPI
+ * 侧的认证文件已经写入，下次手动同步即可恢复一致。
+ */
+export async function uploadCliproxyAuthFile(
+  instanceId: string,
+  content: Record<string, unknown>
+): Promise<CliproxyAuthAccountSyncResult> {
+  const target = await resolveManagementTarget(instanceId);
+  await uploadAuthFile(target, content);
+  log.info({ instanceId }, "uploaded CLIProxyAPI auth file");
+  return syncCliproxyAuthAccounts(instanceId);
+}
+
+/**
+ * 下载某个认证文件的原始 JSON 内容，供管理员另存为本地备份。
+ */
+export async function downloadCliproxyAuthFile(
+  instanceId: string,
+  authFileName: string
+): Promise<Record<string, unknown>> {
+  const target = await resolveManagementTarget(instanceId);
+  return downloadAuthFile(target, authFileName);
+}
+
+/**
+ * 查询某个账号在 CLIProxyAPI 侧的可用模型列表。
+ *
+ * 与同步路径不同，本方法不写入本地缓存，仅作为只读窗口供前端展示。
+ */
+export async function listCliproxyAccountModels(
+  instanceId: string,
+  authFileName: string
+): Promise<CliproxyAuthFileModel[]> {
+  const target = await resolveManagementTarget(instanceId);
+  return getAuthFileModels(target, authFileName);
+}
diff --git a/src/lib/services/cliproxy-instance-crud.ts b/src/lib/services/cliproxy-instance-crud.ts
index 8e997f9e..eafe3059 100644
--- a/src/lib/services/cliproxy-instance-crud.ts
+++ b/src/lib/services/cliproxy-instance-crud.ts
@@ -332,3 +332,22 @@ export function getDecryptedClientApiKey(row: CliproxyInstance): string {
 export function getDecryptedManagementKey(row: CliproxyInstance): string {
   return decrypt(row.managementKeyEncrypted);
 }
+
+/**
+ * 读取实例并构造管理 API 调用所需的 target 对象。
+ *
+ * 复用于所有需要调用 CLIProxyAPI 管理端的服务（OAuth 登录、日志查看等），
+ * 避免每个调用方重复实例查找与管理密钥解密的样板。
+ */
+export async function resolveCliproxyManagementTarget(
+  instanceId: string
+): Promise<{ managementUrl: string; managementKey: string }> {
+  const instance = await getCliproxyInstanceRow(instanceId);
+  if (!instance) {
+    throw new CliproxyInstanceNotFoundError(instanceId);
+  }
+  return {
+    managementUrl: instance.managementUrl,
+    managementKey: getDecryptedManagementKey(instance),
+  };
+}
diff --git a/src/lib/services/cliproxy-instance-logs-service.ts b/src/lib/services/cliproxy-instance-logs-service.ts
new file mode 100644
index 00000000..e93c94b1
--- /dev/null
+++ b/src/lib/services/cliproxy-instance-logs-service.ts
@@ -0,0 +1,11 @@
+import { getLogs, type CliproxyLogEntry } from "./cliproxy-management-client";
+import { resolveCliproxyManagementTarget } from "./cliproxy-instance-crud";
+
+/** 从 CLIProxyAPI 拉取实例日志。 */
+export async function listCliproxyInstanceLogs(
+  instanceId: string,
+  since?: string
+): Promise<CliproxyLogEntry[]> {
+  const target = await resolveCliproxyManagementTarget(instanceId);
+  return getLogs(target, since);
+}
diff --git a/src/lib/services/cliproxy-linked-upstreams-service.ts b/src/lib/services/cliproxy-linked-upstreams-service.ts
new file mode 100644
index 00000000..7a8cfbe8
--- /dev/null
+++ b/src/lib/services/cliproxy-linked-upstreams-service.ts
@@ -0,0 +1,53 @@
+import { eq, desc } from "drizzle-orm";
+import { db, upstreams, type Upstream } from "../db";
+import { getCliproxyInstanceById, CliproxyInstanceNotFoundError } from "./cliproxy-instance-crud";
+import type { CliproxyLinkedUpstreamKind } from "@/types/cliproxy";
+
+export type { CliproxyLinkedUpstreamKind };
+
+/** 实例下的关联上游展示形态。 */
+export interface CliproxyLinkedUpstreamResponse {
+  id: string;
+  name: string;
+  /** 关联上游对应的服务商；旧数据可能为 null，前端按 "未识别" 兜底展示。 */
+  provider: string | null;
+  kind: CliproxyLinkedUpstreamKind;
+  authFileName: string | null;
+  isActive: boolean;
+  createdAt: Date;
+}
+
+/** 单账号上游的判定依据：cliproxyAuthFileName 非空。 */
+function classifyKind(row: Upstream): CliproxyLinkedUpstreamKind {
+  return row.cliproxyAuthFileName ? "single" : "pool";
+}
+
+/**
+ * 列出某 CLIProxyAPI 实例下的全部关联上游（池上游与单账号上游）。
+ *
+ * 关联关系来源于 `upstreams.cliproxyInstanceId` 字段，不需要访问 CLIProxyAPI。
+ */
+export async function listCliproxyLinkedUpstreams(
+  instanceId: string
+): Promise<CliproxyLinkedUpstreamResponse[]> {
+  const instance = await getCliproxyInstanceById(instanceId);
+  if (!instance) {
+    throw new CliproxyInstanceNotFoundError(instanceId);
+  }
+
+  const rows = await db
+    .select()
+    .from(upstreams)
+    .where(eq(upstreams.cliproxyInstanceId, instanceId))
+    .orderBy(desc(upstreams.createdAt));
+
+  return rows.map((row) => ({
+    id: row.id,
+    name: row.name,
+    provider: row.cliproxyProvider ?? null,
+    kind: classifyKind(row),
+    authFileName: row.cliproxyAuthFileName ?? null,
+    isActive: row.isActive,
+    createdAt: row.createdAt,
+  }));
+}
diff --git a/src/lib/services/cliproxy-management-client.ts b/src/lib/services/cliproxy-management-client.ts
index f7a314bd..960ec663 100644
--- a/src/lib/services/cliproxy-management-client.ts
+++ b/src/lib/services/cliproxy-management-client.ts
@@ -1,4 +1,7 @@
 import { createLogger } from "../utils/logger";
+import type { CliproxyAuthFileModel, CliproxyLogEntry } from "@/types/cliproxy";
+
+export type { CliproxyAuthFileModel, CliproxyLogEntry };
 
 const log = createLogger("cliproxy-management-client");
 
@@ -6,7 +9,14 @@ const log = createLogger("cliproxy-management-client");
 const DEFAULT_TIMEOUT_SECONDS = 15;
 
 /** CLIProxyAPI 支持发起 OAuth 登录的服务商。 */
-export const CLIPROXY_OAUTH_PROVIDERS = ["codex", "anthropic", "gemini"] as const;
+export const CLIPROXY_OAUTH_PROVIDERS = [
+  "codex",
+  "anthropic",
+  "gemini",
+  "xai",
+  "antigravity",
+  "kimi",
+] as const;
 export type CliproxyOAuthProvider = (typeof CLIPROXY_OAUTH_PROVIDERS)[number];
 
 /** 各服务商对应的授权地址端点片段。 */
@@ -14,6 +24,9 @@ const AUTH_URL_ENDPOINT: Record<CliproxyOAuthProvider, string> = {
   codex: "codex-auth-url",
   anthropic: "anthropic-auth-url",
   gemini: "gemini-cli-auth-url",
+  xai: "xai-auth-url",
+  antigravity: "antigravity-auth-url",
+  kimi: "kimi-auth-url",
 };
 
 /** 管理 API 调用错误分类。 */
@@ -48,14 +61,6 @@ export interface CliproxyAuthFileEntry {
   [key: string]: unknown;
 }
 
-/** auth-file 模型条目。 */
-export interface CliproxyAuthFileModel {
-  id: string;
-  display_name?: string;
-  type?: string;
-  owned_by?: string;
-}
-
 /** 发起 OAuth 登录返回的授权信息。 */
 export interface CliproxyAuthUrlResult {
   url: string;
@@ -110,11 +115,17 @@ function classifyHttpError(statusCode: number): CliproxyManagementApiError {
   );
 }
 
-/** 执行一次管理 API 请求并返回解析后的 JSON。 */
+/**
+ * 执行一次管理 API 请求并返回解析后的结果。
+ *
+ * `returnRawText` 为 true 时跳过 JSON.parse，直接将响应文本作为泛型 T 返回
+ * （调用方需确保 T = string），用于上游返回纯文本而非 JSON 包装对象的端点
+ * （例如 auth-files/download）。
+ */
 async function requestManagementApi<T>(
   target: CliproxyManagementTarget,
   path: string,
-  init: { method: string; body?: unknown },
+  init: { method: string; body?: unknown; returnRawText?: boolean },
   timeoutSeconds = DEFAULT_TIMEOUT_SECONDS
 ): Promise<T> {
   let requestUrl: string;
@@ -148,8 +159,13 @@ async function requestManagementApi<T>(
       throw classifyHttpError(response.status);
     }
 
-    // 部分写入端点可能返回空响应体。
     const text = await response.text();
+
+    if (init.returnRawText) {
+      return text as unknown as T;
+    }
+
+    // 部分写入端点可能返回空响应体。
     return (text ? JSON.parse(text) : {}) as T;
   } catch (error) {
     clearTimeout(timeoutId);
@@ -220,6 +236,62 @@ export async function patchAuthFileFields(
   });
 }
 
+/**
+ * 删除指定的 auth-file。
+ * 对应上游 `DELETE /v0/management/auth-files`，请求体携带 `{ name }`。
+ */
+export async function deleteAuthFile(
+  target: CliproxyManagementTarget,
+  authFileName: string
+): Promise<void> {
+  await requestManagementApi(target, "/auth-files", {
+    method: "DELETE",
+    body: { name: authFileName },
+  });
+}
+
+/**
+ * 上传（创建）一个 auth-file。
+ *
+ * 请求体为认证文件的完整 JSON 对象，由调用方构造；
+ * 上游端点为 `POST /v0/management/auth-files`。
+ */
+export async function uploadAuthFile(
+  target: CliproxyManagementTarget,
+  content: Record<string, unknown>
+): Promise<void> {
+  await requestManagementApi(target, "/auth-files", {
+    method: "POST",
+    body: content,
+  });
+}
+
+/**
+ * 下载指定 auth-file 的原始 JSON 内容。
+ *
+ * 上游返回纯 JSON 字符串（非 `{ files: [...] }` 包装），通过 `returnRawText`
+ * 选项跳过响应体的二次 JSON.parse，再由本方法显式解析以返回结构化对象。
+ */
+export async function downloadAuthFile(
+  target: CliproxyManagementTarget,
+  authFileName: string
+): Promise<Record<string, unknown>> {
+  const raw = await requestManagementApi<string>(
+    target,
+    `/auth-files/download?name=${encodeURIComponent(authFileName)}`,
+    { method: "GET", returnRawText: true }
+  );
+  try {
+    return JSON.parse(raw) as Record<string, unknown>;
+  } catch {
+    throw new CliproxyManagementApiError(
+      "service_error",
+      "CLIProxyAPI 返回的 auth-file 内容不是合法 JSON",
+      null
+    );
+  }
+}
+
 /**
  * 获取指定服务商的 OAuth 授权地址。默认携带 `is_webui=true`，
  * 由 CLIProxyAPI 的 callbackForwarder 处理容器与远程部署下的回调。
@@ -258,6 +330,46 @@ export async function getAuthStatus(
   return { status, error: result.error };
 }
 
+/**
+ * 手动提交 OAuth 回调地址，通知 CLIProxyAPI 完成授权流程。
+ *
+ * 对应上游 `POST /v0/management/oauth-callback`，
+ * 请求体为 `{ provider, redirect_url }`，用于自动回调不可达时由管理员手动粘贴回调 URL。
+ */
+export async function submitOAuthCallback(
+  target: CliproxyManagementTarget,
+  provider: CliproxyOAuthProvider,
+  redirectUrl: string
+): Promise<void> {
+  await requestManagementApi(target, "/oauth-callback", {
+    method: "POST",
+    body: { provider, redirect_url: redirectUrl },
+  });
+}
+
+/**
+ * 查询 CLIProxyAPI 管理日志。
+ *
+ * `since` 为可选的 ISO 8601 时间戳字符串，传入时仅返回该时刻之后的条目。
+ * 兼容上游返回直接数组与 `{ logs: [...] }` 包装两种格式。
+ */
+export async function getLogs(
+  target: CliproxyManagementTarget,
+  since?: string
+): Promise<CliproxyLogEntry[]> {
+  const query = since ? `?since=${encodeURIComponent(since)}` : "";
+  const result = await requestManagementApi<CliproxyLogEntry[] | { logs?: CliproxyLogEntry[] }>(
+    target,
+    `/logs${query}`,
+    { method: "GET" }
+  );
+  if (Array.isArray(result)) {
+    return result;
+  }
+  const wrapped = result as { logs?: CliproxyLogEntry[] };
+  return Array.isArray(wrapped.logs) ? wrapped.logs : [];
+}
+
 /** 判断给定值是否为受支持的 OAuth 服务商。 */
 export function isCliproxyOAuthProvider(value: unknown): value is CliproxyOAuthProvider {
   return (
diff --git a/src/lib/services/cliproxy-oauth-login-service.ts b/src/lib/services/cliproxy-oauth-login-service.ts
index 425b5273..341165b8 100644
--- a/src/lib/services/cliproxy-oauth-login-service.ts
+++ b/src/lib/services/cliproxy-oauth-login-service.ts
@@ -1,14 +1,10 @@
-import {
-  getCliproxyInstanceRow,
-  getDecryptedManagementKey,
-  CliproxyInstanceNotFoundError,
-} from "./cliproxy-instance-crud";
+import { resolveCliproxyManagementTarget } from "./cliproxy-instance-crud";
 import {
   getProviderAuthUrl,
   getAuthStatus,
+  submitOAuthCallback,
   isCliproxyOAuthProvider,
   type CliproxyOAuthProvider,
-  type CliproxyManagementTarget,
 } from "./cliproxy-management-client";
 import {
   syncCliproxyAuthAccounts,
@@ -41,18 +37,31 @@ export interface CliproxyOAuthLoginStatusResult {
   error?: string;
   /** 登录成功并完成账号同步时返回的同步结果。 */
   syncResult?: CliproxyAuthAccountSyncResult;
+  /** 登录成功但账号同步失败时的告警消息，登录本身仍视为成功。 */
+  syncError?: string;
 }
 
-/** 解析实例并构造管理 API 调用目标。 */
-async function resolveTarget(instanceId: string): Promise<CliproxyManagementTarget> {
-  const instance = await getCliproxyInstanceRow(instanceId);
-  if (!instance) {
-    throw new CliproxyInstanceNotFoundError(instanceId);
+/**
+ * 登录授权成功后触发账号同步。
+ *
+ * 上游授权一旦完成不可撤销，AutoRouter 侧的账号缓存同步是次要步骤；
+ * 同步失败仅记录告警并将错误信息回传调用方，登录结果仍视为成功。
+ */
+async function syncAccountsAfterLogin(
+  instanceId: string,
+  context: { provider?: CliproxyOAuthProvider }
+): Promise<{ syncResult?: CliproxyAuthAccountSyncResult; syncError?: string }> {
+  try {
+    const syncResult = await syncCliproxyAuthAccounts(instanceId);
+    return { syncResult };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    log.warn(
+      { instanceId, provider: context.provider, err: message },
+      "CLIProxyAPI OAuth login succeeded but account sync failed"
+    );
+    return { syncError: message };
   }
-  return {
-    managementUrl: instance.managementUrl,
-    managementKey: getDecryptedManagementKey(instance),
-  };
 }
 
 /**
@@ -68,7 +77,7 @@ export async function initiateCliproxyOAuthLogin(
   if (!isCliproxyOAuthProvider(provider)) {
     throw new InvalidCliproxyOAuthProviderError(provider);
   }
-  const target = await resolveTarget(instanceId);
+  const target = await resolveCliproxyManagementTarget(instanceId);
   const { url, state } = await getProviderAuthUrl(target, provider);
   log.info({ instanceId, provider }, "initiated CLIProxyAPI OAuth login");
   return { provider, url, state };
@@ -84,14 +93,43 @@ export async function pollCliproxyOAuthStatus(
   instanceId: string,
   state: string
 ): Promise<CliproxyOAuthLoginStatusResult> {
-  const target = await resolveTarget(instanceId);
+  const target = await resolveCliproxyManagementTarget(instanceId);
   const { status, error } = await getAuthStatus(target, state);
 
   if (status === "ok") {
-    const syncResult = await syncCliproxyAuthAccounts(instanceId);
-    log.info({ instanceId, syncResult }, "CLIProxyAPI OAuth login completed, accounts synced");
-    return { status, syncResult };
+    const { syncResult, syncError } = await syncAccountsAfterLogin(instanceId, {});
+    if (syncResult) {
+      log.info({ instanceId, syncResult }, "CLIProxyAPI OAuth login completed, accounts synced");
+    }
+    return { status, syncResult, syncError };
   }
 
   return { status, error };
 }
+
+/**
+ * 手动提交 OAuth 回调地址，绕过自动回调链路完成授权。
+ *
+ * 适用于 CLIProxyAPI 的 callback forwarder 无法回到本地（例如远程部署、容器
+ * 网络隔离）的场景：管理员从浏览器地址栏复制回调 URL 后通过本接口提交。
+ * 上游处理成功后触发该实例的账号同步，使新登录账号立即进入缓存表。
+ */
+export async function submitCliproxyOAuthCallback(
+  instanceId: string,
+  provider: string,
+  redirectUrl: string
+): Promise<CliproxyOAuthLoginStatusResult> {
+  if (!isCliproxyOAuthProvider(provider)) {
+    throw new InvalidCliproxyOAuthProviderError(provider);
+  }
+  const target = await resolveCliproxyManagementTarget(instanceId);
+  await submitOAuthCallback(target, provider, redirectUrl);
+  const { syncResult, syncError } = await syncAccountsAfterLogin(instanceId, { provider });
+  if (syncResult) {
+    log.info(
+      { instanceId, provider, syncResult },
+      "submitted CLIProxyAPI OAuth callback URL and synced accounts"
+    );
+  }
+  return { status: "ok", syncResult, syncError };
+}
diff --git a/src/lib/services/cliproxy-upstream-preset.ts b/src/lib/services/cliproxy-upstream-preset.ts
index 484217fa..8af8c1f3 100644
--- a/src/lib/services/cliproxy-upstream-preset.ts
+++ b/src/lib/services/cliproxy-upstream-preset.ts
@@ -7,8 +7,9 @@ import {
   getDecryptedClientApiKey,
   CliproxyInstanceNotFoundError,
 } from "./cliproxy-instance-crud";
-import { isCliproxyOAuthProvider, type CliproxyOAuthProvider } from "./cliproxy-management-client";
+import { isCliproxyOAuthProvider } from "./cliproxy-management-client";
 import { InvalidCliproxyOAuthProviderError } from "./cliproxy-oauth-login-service";
+import { CLIPROXY_UPSTREAM_PROVIDERS, type CliproxyUpstreamProvider } from "@/types/cliproxy";
 import {
   getCliproxyAuthAccount,
   updateCliproxyAuthAccountFields,
@@ -34,8 +35,11 @@ interface CliproxyUpstreamPreset {
 /**
  * 三类 CLI 服务商的池上游预设表。路径后缀与路由能力为 CLIProxyAPI 的对外约定，
  * 集中维护于此，CLIProxyAPI 调整对外约定时改动收敛于这一处。
+ *
+ * Provider 列表与类型复用 `@/types/cliproxy` 中的 `CLIPROXY_UPSTREAM_PROVIDERS`，
+ * 使前端 Zod schema、后端 route schema 与本预设表共享同一来源。
  */
-export const CLIPROXY_UPSTREAM_PRESETS: Record<CliproxyOAuthProvider, CliproxyUpstreamPreset> = {
+export const CLIPROXY_UPSTREAM_PRESETS: Record<CliproxyUpstreamProvider, CliproxyUpstreamPreset> = {
   codex: {
     pathSuffix: "/v1",
     routeCapabilities: ["codex_cli_responses", "openai_responses"],
@@ -53,6 +57,15 @@ export const CLIPROXY_UPSTREAM_PRESETS: Record<CliproxyOAuthProvider, CliproxyUp
   },
 };
 
+/** 判断给定值是否为支持一键创建池上游的服务商。 */
+export function isCliproxyUpstreamPresetProvider(
+  value: unknown
+): value is CliproxyUpstreamProvider {
+  return (
+    typeof value === "string" && (CLIPROXY_UPSTREAM_PROVIDERS as readonly string[]).includes(value)
+  );
+}
+
 /** 账号前缀取值非法错误。 */
 export class InvalidCliproxyPrefixError extends Error {
   constructor(prefix: string) {
@@ -165,7 +178,9 @@ export async function createCliproxyPoolUpstream(
   provider: string,
   options: CliproxyUpstreamCreateOptions = {}
 ): Promise<UpstreamResponse> {
-  if (!isCliproxyOAuthProvider(provider)) {
+  // OAuth 支持的 Provider 是池上游 Provider 的超集；这里仅允许已配置 preset 的服务商，
+  // 避免在没有上游路径与路由能力约定的情况下创建无法转发的上游。
+  if (!isCliproxyUpstreamPresetProvider(provider)) {
     throw new InvalidCliproxyOAuthProviderError(provider);
   }
   const instance = await getCliproxyInstanceRow(instanceId);
@@ -214,7 +229,8 @@ export async function createCliproxySingleAccountUpstream(
   }
 
   const provider = account.provider;
-  if (!isCliproxyOAuthProvider(provider)) {
+  // 单账号上游同样要求 Provider 已配置 preset，否则没有路径与路由能力可用。
+  if (!isCliproxyOAuthProvider(provider) || !isCliproxyUpstreamPresetProvider(provider)) {
     throw new InvalidCliproxyOAuthProviderError(provider);
   }
 
diff --git a/src/messages/en.json b/src/messages/en.json
index 2f021990..44f211c1 100644
--- a/src/messages/en.json
+++ b/src/messages/en.json
@@ -1566,6 +1566,73 @@
     "poolUpstreamCreateSuccess": "Pool upstream created",
     "poolUpstreamCreateFailed": "Failed to create pool upstream: {message}",
     "accountUpstreamCreateSuccess": "Account upstream created",
-    "accountUpstreamCreateFailed": "Failed to create account upstream: {message}"
+    "accountUpstreamCreateFailed": "Failed to create account upstream: {message}",
+    "providerXai": "xAI / Grok",
+    "providerAntigravity": "Antigravity",
+    "providerKimi": "Kimi",
+    "columnEmail": "Email",
+    "actionViewDetail": "View Details",
+    "actionViewModels": "View Models",
+    "actionDownload": "Download",
+    "uploadAuthFile": "Upload Auth File",
+    "uploadAuthFileTitle": "Upload Auth File",
+    "uploadAuthFileDescription": "Upload an OAuth auth file in JSON format. After upload, the account list is automatically synced.",
+    "uploadAuthFileMethodFile": "Choose File",
+    "uploadAuthFileMethodPaste": "Paste JSON",
+    "uploadAuthFileChoose": "Click to select a .json file or drop one here",
+    "uploadAuthFilePastePlaceholder": "Paste auth file JSON here…",
+    "uploadAuthFileInvalidJson": "Invalid JSON content",
+    "uploadAuthFileEmpty": "Auth file content is required",
+    "uploadAuthFileSubmit": "Upload",
+    "uploading": "Uploading…",
+    "authFileUploadSuccess": "Upload done: {added} added, {updated} updated, {removed} removed",
+    "authFileUploadFailed": "Failed to upload auth file: {message}",
+    "deleteAuthFileTitle": "Delete Auth File",
+    "deleteAuthFileDescription": "Delete this auth file from CLIProxyAPI and remove its local cache. This action cannot be undone.",
+    "authFileDeleteSuccess": "Auth file deleted",
+    "authFileDeleteFailed": "Failed to delete auth file: {message}",
+    "authFileDownloadFailed": "Failed to download auth file: {message}",
+    "accountModelsDialogTitle": "Available Models",
+    "accountModelsLoadFailed": "Failed to load account models",
+    "accountModelsEmpty": "No models available for this account",
+    "accountDetailDialogTitle": "Account Details",
+    "accountDetailEmpty": "—",
+    "accountDetailLabelEmail": "Email",
+    "accountDetailLabelStatus": "Upstream Status",
+    "accountDetailLabelStatusMessage": "Status Message",
+    "accountDetailLabelPriority": "Priority",
+    "accountDetailLabelPrefix": "Prefix",
+    "accountDetailLabelNote": "Note",
+    "accountDetailLabelModelCount": "Model Count",
+    "accountDetailLabelLastSyncedAt": "Last Synced At",
+    "accountDetailLabelCreatedAt": "Created At",
+    "accountDetailLabelUpdatedAt": "Updated At",
+    "accountDetailLabelRawMetadata": "Raw Metadata",
+    "linkedUpstreamsTitle": "Linked Upstreams",
+    "linkedUpstreamsEmpty": "No linked upstreams yet.",
+    "linkedUpstreamsLoadFailed": "Failed to load linked upstreams",
+    "columnUpstreamName": "Upstream",
+    "columnUpstreamKind": "Type",
+    "columnLinkedAccount": "Bound Account",
+    "kindPool": "Pool",
+    "kindSingle": "Single Account",
+    "logsTitle": "Instance Logs",
+    "logsLoadFailed": "Failed to load logs",
+    "logsEmpty": "No logs available.",
+    "logsRefresh": "Refresh",
+    "logsSearchPlaceholder": "Filter logs by keyword…",
+    "logsNoMatches": "No logs match the keyword.",
+    "logsLevelInfo": "INFO",
+    "logsLevelWarn": "WARN",
+    "logsLevelError": "ERROR",
+    "logsLevelDebug": "DEBUG",
+    "oauthManualCallback": "Submit Callback Manually",
+    "oauthManualCallbackDescription": "If the automatic callback can't reach AutoRouter, paste the callback URL from your browser address bar here to complete the login.",
+    "oauthManualCallbackPlaceholder": "https://callback.example/auth?code=…&state=…",
+    "oauthManualCallbackSubmit": "Submit Callback",
+    "oauthManualCallbackEmpty": "Callback URL is required",
+    "oauthCallbackSubmitSuccess": "Callback URL submitted, accounts synced",
+    "oauthCallbackSubmitFailed": "Failed to submit callback URL: {message}",
+    "linkedUpstreamProviderUnknown": "Unknown"
   }
 }
diff --git a/src/messages/zh-CN.json b/src/messages/zh-CN.json
index 6b4eba14..33835b0a 100644
--- a/src/messages/zh-CN.json
+++ b/src/messages/zh-CN.json
@@ -1571,6 +1571,73 @@
     "poolUpstreamCreateSuccess": "池上游已创建",
     "poolUpstreamCreateFailed": "创建池上游失败：{message}",
     "accountUpstreamCreateSuccess": "单账号上游已创建",
-    "accountUpstreamCreateFailed": "创建单账号上游失败：{message}"
+    "accountUpstreamCreateFailed": "创建单账号上游失败：{message}",
+    "providerXai": "xAI / Grok",
+    "providerAntigravity": "Antigravity",
+    "providerKimi": "Kimi",
+    "columnEmail": "邮箱",
+    "actionViewDetail": "查看详情",
+    "actionViewModels": "查看模型",
+    "actionDownload": "下载",
+    "uploadAuthFile": "上传认证文件",
+    "uploadAuthFileTitle": "上传认证文件",
+    "uploadAuthFileDescription": "上传 JSON 格式的 OAuth 认证文件。上传成功后将自动同步账号列表。",
+    "uploadAuthFileMethodFile": "选择文件",
+    "uploadAuthFileMethodPaste": "粘贴 JSON",
+    "uploadAuthFileChoose": "点击选择 .json 文件或将文件拖到此处",
+    "uploadAuthFilePastePlaceholder": "在此粘贴认证文件 JSON…",
+    "uploadAuthFileInvalidJson": "JSON 内容格式无效",
+    "uploadAuthFileEmpty": "请填写或选择认证文件",
+    "uploadAuthFileSubmit": "上传",
+    "uploading": "上传中…",
+    "authFileUploadSuccess": "上传完成：新增 {added}、更新 {updated}、移除 {removed}",
+    "authFileUploadFailed": "上传认证文件失败：{message}",
+    "deleteAuthFileTitle": "删除认证文件",
+    "deleteAuthFileDescription": "从 CLIProxyAPI 删除该认证文件并清除本地缓存。该操作不可撤销。",
+    "authFileDeleteSuccess": "认证文件已删除",
+    "authFileDeleteFailed": "删除认证文件失败：{message}",
+    "authFileDownloadFailed": "下载认证文件失败：{message}",
+    "accountModelsDialogTitle": "可用模型",
+    "accountModelsLoadFailed": "加载账号模型列表失败",
+    "accountModelsEmpty": "该账号暂无可用模型",
+    "accountDetailDialogTitle": "账号详情",
+    "accountDetailEmpty": "—",
+    "accountDetailLabelEmail": "邮箱",
+    "accountDetailLabelStatus": "上游状态",
+    "accountDetailLabelStatusMessage": "状态说明",
+    "accountDetailLabelPriority": "优先级",
+    "accountDetailLabelPrefix": "前缀",
+    "accountDetailLabelNote": "备注",
+    "accountDetailLabelModelCount": "模型数量",
+    "accountDetailLabelLastSyncedAt": "最近同步时间",
+    "accountDetailLabelCreatedAt": "创建时间",
+    "accountDetailLabelUpdatedAt": "更新时间",
+    "accountDetailLabelRawMetadata": "原始元数据",
+    "linkedUpstreamsTitle": "关联上游",
+    "linkedUpstreamsEmpty": "暂无关联上游。",
+    "linkedUpstreamsLoadFailed": "加载关联上游失败",
+    "columnUpstreamName": "上游",
+    "columnUpstreamKind": "类型",
+    "columnLinkedAccount": "绑定账号",
+    "kindPool": "池上游",
+    "kindSingle": "单账号上游",
+    "logsTitle": "实例日志",
+    "logsLoadFailed": "加载日志失败",
+    "logsEmpty": "暂无日志。",
+    "logsRefresh": "刷新",
+    "logsSearchPlaceholder": "输入关键词过滤日志…",
+    "logsNoMatches": "无匹配关键词的日志。",
+    "logsLevelInfo": "INFO",
+    "logsLevelWarn": "WARN",
+    "logsLevelError": "ERROR",
+    "logsLevelDebug": "DEBUG",
+    "oauthManualCallback": "手动提交回调",
+    "oauthManualCallbackDescription": "如果自动回调无法到达 AutoRouter，请从浏览器地址栏复制回调 URL 粘贴到此处完成登录。",
+    "oauthManualCallbackPlaceholder": "https://callback.example/auth?code=…&state=…",
+    "oauthManualCallbackSubmit": "提交回调",
+    "oauthManualCallbackEmpty": "请填写回调 URL",
+    "oauthCallbackSubmitSuccess": "回调 URL 已提交，账号已同步",
+    "oauthCallbackSubmitFailed": "提交回调 URL 失败：{message}",
+    "linkedUpstreamProviderUnknown": "未识别"
   }
 }
diff --git a/src/types/cliproxy.ts b/src/types/cliproxy.ts
index 6e5db0f0..5e8b1102 100644
--- a/src/types/cliproxy.ts
+++ b/src/types/cliproxy.ts
@@ -11,10 +11,29 @@ export type CliproxyInstanceMode = "managed" | "external";
 export const CLIPROXY_INSTANCE_MODES: readonly CliproxyInstanceMode[] = ["managed", "external"];
 
 /** CLI OAuth 服务商。 */
-export type CliproxyProvider = "codex" | "anthropic" | "gemini";
+export type CliproxyProvider = "codex" | "anthropic" | "gemini" | "xai" | "antigravity" | "kimi";
 
 /** 全部 CLI OAuth 服务商，供选项使用。 */
-export const CLIPROXY_PROVIDERS: readonly CliproxyProvider[] = ["codex", "anthropic", "gemini"];
+export const CLIPROXY_PROVIDERS: readonly CliproxyProvider[] = [
+  "codex",
+  "anthropic",
+  "gemini",
+  "xai",
+  "antigravity",
+  "kimi",
+];
+
+/**
+ * 支持一键创建池上游或单账号上游的服务商集合。
+ *
+ * 当前只覆盖 OAuth Provider 的子集，因为 xAI / Antigravity / Kimi 的代理路径与
+ * 路由能力约定尚未稳定。OAuth 登录仍可在全部 6 个 Provider 上发起。
+ *
+ * 使用 `as const` tuple 形式而非 `readonly string[]`，以便 zod schema 与
+ * `cliproxy-upstream-preset.ts` 中的 Record key 类型直接复用同一来源。
+ */
+export const CLIPROXY_UPSTREAM_PROVIDERS = ["codex", "anthropic", "gemini"] as const;
+export type CliproxyUpstreamProvider = (typeof CLIPROXY_UPSTREAM_PROVIDERS)[number];
 
 /** CLIProxyAPI 实例的对外响应形态，凭据明文以布尔标记代替。 */
 export interface CliproxyInstance {
@@ -118,3 +137,39 @@ export interface CliproxyOAuthStatusResult {
   error?: string;
   syncResult?: CliproxyAuthAccountSyncResult;
 }
+
+/** CLIProxyAPI 管理日志条目。 */
+export interface CliproxyLogEntry {
+  timestamp: string;
+  level: string;
+  message: string;
+  [key: string]: unknown;
+}
+
+/** CLIProxyAPI auth-file 模型条目。 */
+export interface CliproxyAuthFileModel {
+  id: string;
+  display_name?: string;
+  type?: string;
+  owned_by?: string;
+}
+
+/** 关联上游类型。 */
+export type CliproxyLinkedUpstreamKind = "pool" | "single";
+
+/** 实例下关联的上游记录。 */
+export interface CliproxyLinkedUpstream {
+  id: string;
+  name: string;
+  /**
+   * 关联上游对应的服务商。
+   *
+   * 历史数据中 `upstreams.cliproxy_provider` 可能为 NULL；该字段同样允许为 null，
+   * 由前端在展示时落到 "未识别" 文案。
+   */
+  provider: string | null;
+  kind: CliproxyLinkedUpstreamKind;
+  auth_file_name: string | null;
+  is_active: boolean;
+  created_at: string;
+}
diff --git a/tests/components/cliproxy-account-detail-dialog.test.tsx b/tests/components/cliproxy-account-detail-dialog.test.tsx
new file mode 100644
index 00000000..01431965
--- /dev/null
+++ b/tests/components/cliproxy-account-detail-dialog.test.tsx
@@ -0,0 +1,61 @@
+import { describe, it, expect, vi } from "vitest";
+import { render, screen } from "@testing-library/react";
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+import { CliproxyAccountDetailDialog } from "@/components/admin/cliproxy-account-detail-dialog";
+import type { CliproxyAuthAccount } from "@/types/cliproxy";
+
+const account: CliproxyAuthAccount = {
+  id: "acc-1",
+  instance_id: "instance-1",
+  auth_file_name: "codex-a.json",
+  provider: "codex",
+  email: "a@x.com",
+  status: "active",
+  disabled: false,
+  prefix: "team-a",
+  model_count: 5,
+  priority: 0,
+  note: "hello",
+  raw_metadata: { type: "codex", status_message: "ok" },
+  last_synced_at: "2025-05-30T12:00:00.000Z",
+  created_at: "2025-05-29T12:00:00.000Z",
+  updated_at: "2025-05-30T12:00:00.000Z",
+};
+
+describe("CliproxyAccountDetailDialog", () => {
+  it("渲染账号文件名与基本字段", () => {
+    render(<CliproxyAccountDetailDialog account={account} open onClose={vi.fn()} />);
+
+    expect(screen.getByText(/codex-a\.json/)).toBeInTheDocument();
+    expect(screen.getByText("a@x.com")).toBeInTheDocument();
+    expect(screen.getByText("active")).toBeInTheDocument();
+    expect(screen.getByText("team-a")).toBeInTheDocument();
+    expect(screen.getByText("hello")).toBeInTheDocument();
+    expect(screen.getByText("5")).toBeInTheDocument();
+  });
+
+  it("展示 raw_metadata 中的 status_message", () => {
+    render(<CliproxyAccountDetailDialog account={account} open onClose={vi.fn()} />);
+    expect(screen.getByText("ok")).toBeInTheDocument();
+  });
+
+  it("空字段渲染占位符", () => {
+    const minimal: CliproxyAuthAccount = {
+      ...account,
+      email: null,
+      status: null,
+      prefix: null,
+      priority: null,
+      note: null,
+      raw_metadata: null,
+      last_synced_at: null,
+    };
+    render(<CliproxyAccountDetailDialog account={minimal} open onClose={vi.fn()} />);
+    // 占位符出现多次，至少一次
+    expect(screen.getAllByText("accountDetailEmpty").length).toBeGreaterThan(0);
+  });
+});
diff --git a/tests/components/cliproxy-account-models-dialog.test.tsx b/tests/components/cliproxy-account-models-dialog.test.tsx
new file mode 100644
index 00000000..7afe08af
--- /dev/null
+++ b/tests/components/cliproxy-account-models-dialog.test.tsx
@@ -0,0 +1,85 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen } from "@testing-library/react";
+
+const useCliproxyAccountModelsMock = vi.fn();
+
+vi.mock("@/hooks/use-cliproxy", () => ({
+  useCliproxyAccountModels: (...args: unknown[]) => useCliproxyAccountModelsMock(...args),
+}));
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+import { CliproxyAccountModelsDialog } from "@/components/admin/cliproxy-account-models-dialog";
+
+describe("CliproxyAccountModelsDialog", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("加载中展示 loading", () => {
+    useCliproxyAccountModelsMock.mockReturnValue({ data: undefined, isLoading: true });
+
+    render(
+      <CliproxyAccountModelsDialog
+        instanceId="instance-1"
+        authFileName="codex-a.json"
+        open
+        onClose={vi.fn()}
+      />
+    );
+
+    expect(screen.getByText("loading")).toBeInTheDocument();
+  });
+
+  it("加载失败展示错误信息", () => {
+    useCliproxyAccountModelsMock.mockReturnValue({ data: undefined, isError: true });
+
+    render(
+      <CliproxyAccountModelsDialog
+        instanceId="instance-1"
+        authFileName="codex-a.json"
+        open
+        onClose={vi.fn()}
+      />
+    );
+
+    expect(screen.getByText("accountModelsLoadFailed")).toBeInTheDocument();
+  });
+
+  it("空列表展示空提示", () => {
+    useCliproxyAccountModelsMock.mockReturnValue({ data: [], isLoading: false });
+
+    render(
+      <CliproxyAccountModelsDialog
+        instanceId="instance-1"
+        authFileName="codex-a.json"
+        open
+        onClose={vi.fn()}
+      />
+    );
+
+    expect(screen.getByText("accountModelsEmpty")).toBeInTheDocument();
+  });
+
+  it("非空列表渲染模型 ID 与显示名", () => {
+    useCliproxyAccountModelsMock.mockReturnValue({
+      data: [{ id: "gpt-5", display_name: "GPT-5" }, { id: "gpt-5-codex" }],
+      isLoading: false,
+    });
+
+    render(
+      <CliproxyAccountModelsDialog
+        instanceId="instance-1"
+        authFileName="codex-a.json"
+        open
+        onClose={vi.fn()}
+      />
+    );
+
+    expect(screen.getByText("gpt-5")).toBeInTheDocument();
+    expect(screen.getByText("GPT-5")).toBeInTheDocument();
+    expect(screen.getByText("gpt-5-codex")).toBeInTheDocument();
+  });
+});
diff --git a/tests/components/cliproxy-accounts-panel.test.tsx b/tests/components/cliproxy-accounts-panel.test.tsx
new file mode 100644
index 00000000..cffdaaa7
--- /dev/null
+++ b/tests/components/cliproxy-accounts-panel.test.tsx
@@ -0,0 +1,205 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, fireEvent } from "@testing-library/react";
+
+const downloadMutate = vi.fn();
+const statusMutate = vi.fn();
+const syncMutate = vi.fn();
+const useCliproxyAuthAccountsMock = vi.fn();
+
+vi.mock("@/hooks/use-cliproxy", () => ({
+  useCliproxyAuthAccounts: (...args: unknown[]) => useCliproxyAuthAccountsMock(...args),
+  useSyncCliproxyAuthAccounts: () => ({ mutate: syncMutate, isPending: false }),
+  useSetCliproxyAuthAccountStatus: () => ({ mutate: statusMutate, isPending: false }),
+  useDownloadCliproxyAuthFile: () => ({ mutate: downloadMutate, isPending: false }),
+}));
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+vi.mock("@/components/admin/cliproxy-accounts-table", () => ({
+  CliproxyAccountsTable: (props: Record<string, unknown>) => {
+    const firstAccount = (props.accounts as Array<unknown>)[0];
+    return (
+      <div data-testid="accounts-table">
+        <button onClick={() => (props.onDownload as (a: unknown) => void)(firstAccount)}>
+          trigger-download
+        </button>
+        <button onClick={() => (props.onDelete as (a: unknown) => void)(firstAccount)}>
+          trigger-delete
+        </button>
+        <button onClick={() => (props.onToggleStatus as (a: unknown) => void)(firstAccount)}>
+          trigger-toggle
+        </button>
+      </div>
+    );
+  },
+}));
+
+vi.mock("@/components/admin/cliproxy-account-fields-dialog", () => ({
+  CliproxyAccountFieldsDialog: () => <div data-testid="fields-dialog" />,
+}));
+
+vi.mock("@/components/admin/cliproxy-account-detail-dialog", () => ({
+  CliproxyAccountDetailDialog: () => <div data-testid="detail-dialog" />,
+}));
+
+vi.mock("@/components/admin/cliproxy-account-models-dialog", () => ({
+  CliproxyAccountModelsDialog: () => <div data-testid="models-dialog" />,
+}));
+
+vi.mock("@/components/admin/cliproxy-oauth-login-dialog", () => ({
+  CliproxyOAuthLoginDialog: ({ onClose }: { onClose: () => void }) => (
+    <div data-testid="oauth-dialog">
+      <button onClick={onClose}>oauth-close</button>
+    </div>
+  ),
+}));
+
+vi.mock("@/components/admin/cliproxy-account-upstream-dialog", () => ({
+  CliproxyAccountUpstreamDialog: () => <div data-testid="upstream-dialog" />,
+}));
+
+vi.mock("@/components/admin/cliproxy-auth-file-upload-dialog", () => ({
+  CliproxyAuthFileUploadDialog: ({ onClose }: { onClose: () => void }) => (
+    <div data-testid="upload-dialog">
+      <button onClick={onClose}>upload-close</button>
+    </div>
+  ),
+}));
+
+vi.mock("@/components/admin/cliproxy-delete-auth-file-dialog", () => ({
+  CliproxyDeleteAuthFileDialog: ({ account }: { account: unknown }) =>
+    account ? <div data-testid="delete-dialog" /> : null,
+}));
+
+import { CliproxyAccountsPanel } from "@/components/admin/cliproxy-accounts-panel";
+import type { CliproxyAuthAccount, CliproxyInstance } from "@/types/cliproxy";
+
+const instance: CliproxyInstance = {
+  id: "instance-1",
+  name: "local-dev",
+  mode: "managed",
+  base_url: "http://cliproxyapi:8317",
+  management_url: "http://cliproxyapi:8317",
+  has_client_api_key: true,
+  has_management_key: true,
+  enabled: true,
+  description: null,
+  created_at: "2026-05-30T12:00:00.000Z",
+  updated_at: "2026-05-30T12:00:00.000Z",
+};
+
+const account: CliproxyAuthAccount = {
+  id: "acc-1",
+  instance_id: "instance-1",
+  auth_file_name: "codex-a.json",
+  provider: "codex",
+  email: null,
+  status: null,
+  disabled: false,
+  prefix: null,
+  model_count: 0,
+  priority: null,
+  note: null,
+  raw_metadata: null,
+  last_synced_at: null,
+  created_at: "2026-05-30T12:00:00.000Z",
+  updated_at: "2026-05-30T12:00:00.000Z",
+};
+
+describe("CliproxyAccountsPanel 集成行为", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    useCliproxyAuthAccountsMock.mockReturnValue({
+      data: [account],
+      isLoading: false,
+      isError: false,
+    });
+  });
+
+  it("加载中时展示骨架占位", () => {
+    useCliproxyAuthAccountsMock.mockReturnValue({
+      data: undefined,
+      isLoading: true,
+      isError: false,
+    });
+    render(<CliproxyAccountsPanel instance={instance} />);
+    expect(screen.queryByTestId("accounts-table")).not.toBeInTheDocument();
+  });
+
+  it("加载失败时展示错误文案", () => {
+    useCliproxyAuthAccountsMock.mockReturnValue({
+      data: undefined,
+      isLoading: false,
+      isError: true,
+    });
+    render(<CliproxyAccountsPanel instance={instance} />);
+    expect(screen.getByText("accountsLoadFailed")).toBeInTheDocument();
+  });
+
+  it("空账号列表时展示 noAccounts", () => {
+    useCliproxyAuthAccountsMock.mockReturnValue({
+      data: [],
+      isLoading: false,
+      isError: false,
+    });
+    render(<CliproxyAccountsPanel instance={instance} />);
+    expect(screen.getByText("noAccounts")).toBeInTheDocument();
+  });
+
+  it("点击同步按钮触发 syncMutation.mutate", () => {
+    render(<CliproxyAccountsPanel instance={instance} />);
+    fireEvent.click(screen.getByText("syncAccounts"));
+    expect(syncMutate).toHaveBeenCalledWith("instance-1");
+  });
+
+  it("点击 OAuth 登录按钮打开登录弹窗，关闭弹窗回到收起态", () => {
+    render(<CliproxyAccountsPanel instance={instance} />);
+    expect(screen.queryByTestId("oauth-dialog")).not.toBeInTheDocument();
+
+    fireEvent.click(screen.getByText("oauthLogin"));
+    expect(screen.getByTestId("oauth-dialog")).toBeInTheDocument();
+
+    fireEvent.click(screen.getByText("oauth-close"));
+    expect(screen.queryByTestId("oauth-dialog")).not.toBeInTheDocument();
+  });
+
+  it("点击上传按钮打开上传弹窗，关闭弹窗回到收起态", () => {
+    render(<CliproxyAccountsPanel instance={instance} />);
+    expect(screen.queryByTestId("upload-dialog")).not.toBeInTheDocument();
+
+    fireEvent.click(screen.getByText("uploadAuthFile"));
+    expect(screen.getByTestId("upload-dialog")).toBeInTheDocument();
+
+    fireEvent.click(screen.getByText("upload-close"));
+    expect(screen.queryByTestId("upload-dialog")).not.toBeInTheDocument();
+  });
+
+  it("子表格触发 onDelete 时弹出删除弹窗", () => {
+    render(<CliproxyAccountsPanel instance={instance} />);
+    expect(screen.queryByTestId("delete-dialog")).not.toBeInTheDocument();
+
+    fireEvent.click(screen.getByText("trigger-delete"));
+    expect(screen.getByTestId("delete-dialog")).toBeInTheDocument();
+  });
+
+  it("子表格触发 onDownload 时调用下载 mutation 并传入实例与文件名", () => {
+    render(<CliproxyAccountsPanel instance={instance} />);
+    fireEvent.click(screen.getByText("trigger-download"));
+    expect(downloadMutate).toHaveBeenCalledWith({
+      instanceId: "instance-1",
+      authFileName: "codex-a.json",
+    });
+  });
+
+  it("子表格触发 onToggleStatus 时调用启停 mutation 且 disabled 取反", () => {
+    render(<CliproxyAccountsPanel instance={instance} />);
+    fireEvent.click(screen.getByText("trigger-toggle"));
+    expect(statusMutate).toHaveBeenCalledWith({
+      instanceId: "instance-1",
+      accountName: "codex-a.json",
+      disabled: true,
+    });
+  });
+});
diff --git a/tests/components/cliproxy-accounts-table.test.tsx b/tests/components/cliproxy-accounts-table.test.tsx
new file mode 100644
index 00000000..088b4f76
--- /dev/null
+++ b/tests/components/cliproxy-accounts-table.test.tsx
@@ -0,0 +1,129 @@
+import React from "react";
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, fireEvent } from "@testing-library/react";
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+vi.mock("@/components/ui/dropdown-menu", () => {
+  const Passthrough = ({ children }: { children?: React.ReactNode }) => <>{children}</>;
+  return {
+    DropdownMenu: Passthrough,
+    DropdownMenuTrigger: Passthrough,
+    DropdownMenuContent: Passthrough,
+    DropdownMenuItem: ({
+      children,
+      onClick,
+    }: {
+      children?: React.ReactNode;
+      onClick?: () => void;
+      className?: string;
+    }) => (
+      <button type="button" onClick={onClick} data-testid="menu-item">
+        {children}
+      </button>
+    ),
+  };
+});
+
+import { CliproxyAccountsTable } from "@/components/admin/cliproxy-accounts-table";
+import type { CliproxyAuthAccount } from "@/types/cliproxy";
+
+const baseAccount: CliproxyAuthAccount = {
+  id: "acc-1",
+  instance_id: "instance-1",
+  auth_file_name: "codex-a.json",
+  provider: "codex",
+  email: "alice@example.com",
+  status: "active",
+  disabled: false,
+  prefix: "team-a",
+  model_count: 3,
+  priority: 0,
+  note: null,
+  raw_metadata: null,
+  last_synced_at: "2026-05-30T12:00:00.000Z",
+  created_at: "2026-05-30T12:00:00.000Z",
+  updated_at: "2026-05-30T12:00:00.000Z",
+};
+
+function setup(overrides: Partial<CliproxyAuthAccount> = {}) {
+  const handlers = {
+    onToggleStatus: vi.fn(),
+    onEditFields: vi.fn(),
+    onMapUpstream: vi.fn(),
+    onViewDetail: vi.fn(),
+    onViewModels: vi.fn(),
+    onDownload: vi.fn(),
+    onDelete: vi.fn(),
+  };
+  render(<CliproxyAccountsTable accounts={[{ ...baseAccount, ...overrides }]} {...handlers} />);
+  return handlers;
+}
+
+describe("CliproxyAccountsTable", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("渲染邮箱、模型数、前缀等关键字段", () => {
+    setup();
+    expect(screen.getByText("codex-a.json")).toBeInTheDocument();
+    expect(screen.getByText("codex")).toBeInTheDocument();
+    expect(screen.getByText("alice@example.com")).toBeInTheDocument();
+    expect(screen.getByText("3")).toBeInTheDocument();
+    expect(screen.getByText("team-a")).toBeInTheDocument();
+  });
+
+  it("无邮箱时展示占位符", () => {
+    setup({ email: null });
+    expect(screen.getByText("—")).toBeInTheDocument();
+  });
+
+  it("无前缀时展示 prefixUnset 文案", () => {
+    setup({ prefix: null });
+    expect(screen.getByText("prefixUnset")).toBeInTheDocument();
+  });
+
+  it("点击模型数按钮调用 onViewModels", () => {
+    const { onViewModels } = setup();
+    fireEvent.click(screen.getByText("3"));
+    expect(onViewModels).toHaveBeenCalledTimes(1);
+  });
+
+  it("操作菜单 7 个项各自触发对应回调", () => {
+    const handlers = setup();
+
+    fireEvent.click(screen.getByText("actionViewDetail"));
+    expect(handlers.onViewDetail).toHaveBeenCalledTimes(1);
+
+    fireEvent.click(screen.getByText("actionViewModels"));
+    expect(handlers.onViewModels).toHaveBeenCalledTimes(1);
+
+    fireEvent.click(screen.getByText("actionDisable"));
+    expect(handlers.onToggleStatus).toHaveBeenCalledTimes(1);
+
+    fireEvent.click(screen.getByText("actionEditFields"));
+    expect(handlers.onEditFields).toHaveBeenCalledTimes(1);
+
+    fireEvent.click(screen.getByText("actionMapUpstream"));
+    expect(handlers.onMapUpstream).toHaveBeenCalledTimes(1);
+
+    fireEvent.click(screen.getByText("actionDownload"));
+    expect(handlers.onDownload).toHaveBeenCalledTimes(1);
+
+    fireEvent.click(screen.getByText("actionDelete"));
+    expect(handlers.onDelete).toHaveBeenCalledTimes(1);
+  });
+
+  it("禁用状态下菜单展示 actionEnable", () => {
+    setup({ disabled: true });
+    expect(screen.getByText("actionEnable")).toBeInTheDocument();
+  });
+
+  it("启用状态下展示成功色 Badge 与 accountStatusEnabled", () => {
+    setup({ disabled: false });
+    expect(screen.getByText("accountStatusEnabled")).toBeInTheDocument();
+  });
+});
diff --git a/tests/components/cliproxy-auth-file-upload-dialog.test.tsx b/tests/components/cliproxy-auth-file-upload-dialog.test.tsx
new file mode 100644
index 00000000..8319a4bc
--- /dev/null
+++ b/tests/components/cliproxy-auth-file-upload-dialog.test.tsx
@@ -0,0 +1,79 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, fireEvent } from "@testing-library/react";
+
+const uploadMutateAsync = vi.fn();
+const toastError = vi.fn();
+
+vi.mock("@/hooks/use-cliproxy", () => ({
+  useUploadCliproxyAuthFile: () => ({
+    mutateAsync: uploadMutateAsync,
+    isPending: false,
+  }),
+}));
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+vi.mock("sonner", () => ({
+  toast: { success: vi.fn(), error: (message: string) => toastError(message) },
+}));
+
+import { CliproxyAuthFileUploadDialog } from "@/components/admin/cliproxy-auth-file-upload-dialog";
+
+describe("CliproxyAuthFileUploadDialog", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("默认展示选择文件模式", () => {
+    render(<CliproxyAuthFileUploadDialog instanceId="instance-1" open onClose={vi.fn()} />);
+    expect(screen.getByText("uploadAuthFileChoose")).toBeInTheDocument();
+  });
+
+  it("切换到粘贴模式后展示文本框", () => {
+    render(<CliproxyAuthFileUploadDialog instanceId="instance-1" open onClose={vi.fn()} />);
+    fireEvent.click(screen.getByText("uploadAuthFileMethodPaste"));
+    expect(screen.getByPlaceholderText("uploadAuthFilePastePlaceholder")).toBeInTheDocument();
+  });
+
+  it("粘贴非 JSON 提交时触发错误提示", async () => {
+    render(<CliproxyAuthFileUploadDialog instanceId="instance-1" open onClose={vi.fn()} />);
+    fireEvent.click(screen.getByText("uploadAuthFileMethodPaste"));
+    fireEvent.change(screen.getByPlaceholderText("uploadAuthFilePastePlaceholder"), {
+      target: { value: "not-json" },
+    });
+    fireEvent.click(screen.getByText("uploadAuthFileSubmit"));
+
+    expect(toastError).toHaveBeenCalledWith("uploadAuthFileInvalidJson");
+    expect(uploadMutateAsync).not.toHaveBeenCalled();
+  });
+
+  it("空内容提交时触发空提示", async () => {
+    render(<CliproxyAuthFileUploadDialog instanceId="instance-1" open onClose={vi.fn()} />);
+    fireEvent.click(screen.getByText("uploadAuthFileMethodPaste"));
+    fireEvent.click(screen.getByText("uploadAuthFileSubmit"));
+
+    expect(toastError).toHaveBeenCalledWith("uploadAuthFileEmpty");
+    expect(uploadMutateAsync).not.toHaveBeenCalled();
+  });
+
+  it("合法 JSON 提交时调用上传 mutation", async () => {
+    uploadMutateAsync.mockResolvedValueOnce({ added: 1, updated: 0, removed: 0, total: 1 });
+    const onClose = vi.fn();
+    render(<CliproxyAuthFileUploadDialog instanceId="instance-1" open onClose={onClose} />);
+    fireEvent.click(screen.getByText("uploadAuthFileMethodPaste"));
+    fireEvent.change(screen.getByPlaceholderText("uploadAuthFilePastePlaceholder"), {
+      target: { value: '{"token":"abc"}' },
+    });
+    fireEvent.click(screen.getByText("uploadAuthFileSubmit"));
+
+    // 异步等待 mutation 完成
+    await new Promise((resolve) => setTimeout(resolve, 0));
+
+    expect(uploadMutateAsync).toHaveBeenCalledWith({
+      instanceId: "instance-1",
+      content: { token: "abc" },
+    });
+  });
+});
diff --git a/tests/components/cliproxy-delete-auth-file-dialog.test.tsx b/tests/components/cliproxy-delete-auth-file-dialog.test.tsx
new file mode 100644
index 00000000..b0bb792c
--- /dev/null
+++ b/tests/components/cliproxy-delete-auth-file-dialog.test.tsx
@@ -0,0 +1,97 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, fireEvent, waitFor } from "@testing-library/react";
+
+const deleteMutateAsync = vi.fn();
+
+vi.mock("@/hooks/use-cliproxy", () => ({
+  useDeleteCliproxyAuthFile: () => ({
+    mutateAsync: deleteMutateAsync,
+    isPending: false,
+  }),
+}));
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+import { CliproxyDeleteAuthFileDialog } from "@/components/admin/cliproxy-delete-auth-file-dialog";
+import type { CliproxyAuthAccount } from "@/types/cliproxy";
+
+const account: CliproxyAuthAccount = {
+  id: "acc-1",
+  instance_id: "instance-1",
+  auth_file_name: "codex-a.json",
+  provider: "codex",
+  email: null,
+  status: null,
+  disabled: false,
+  prefix: null,
+  model_count: 0,
+  priority: null,
+  note: null,
+  raw_metadata: null,
+  last_synced_at: null,
+  created_at: "2026-05-30T12:00:00.000Z",
+  updated_at: "2026-05-30T12:00:00.000Z",
+};
+
+describe("CliproxyDeleteAuthFileDialog", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("展示要删除的认证文件名", () => {
+    render(
+      <CliproxyDeleteAuthFileDialog instanceId="instance-1" account={account} onClose={vi.fn()} />
+    );
+    expect(screen.getByText("codex-a.json")).toBeInTheDocument();
+    expect(screen.getByText("deleteAuthFileTitle")).toBeInTheDocument();
+  });
+
+  it("点击删除按钮调用 mutation 并关闭弹窗", async () => {
+    deleteMutateAsync.mockResolvedValueOnce({ name: "codex-a.json" });
+    const onClose = vi.fn();
+    render(
+      <CliproxyDeleteAuthFileDialog instanceId="instance-1" account={account} onClose={onClose} />
+    );
+
+    fireEvent.click(screen.getByText("delete"));
+
+    await waitFor(() =>
+      expect(deleteMutateAsync).toHaveBeenCalledWith({
+        instanceId: "instance-1",
+        authFileName: "codex-a.json",
+      })
+    );
+    await waitFor(() => expect(onClose).toHaveBeenCalled());
+  });
+
+  it("删除失败时不抛出且仍保持弹窗（关闭交由错误提示之外的路径）", async () => {
+    deleteMutateAsync.mockRejectedValueOnce(new Error("upstream unreachable"));
+    const onClose = vi.fn();
+    render(
+      <CliproxyDeleteAuthFileDialog instanceId="instance-1" account={account} onClose={onClose} />
+    );
+
+    fireEvent.click(screen.getByText("delete"));
+
+    await waitFor(() => expect(deleteMutateAsync).toHaveBeenCalled());
+    expect(onClose).not.toHaveBeenCalled();
+  });
+
+  it("account 为 null 时不渲染对话框内容", () => {
+    render(
+      <CliproxyDeleteAuthFileDialog instanceId="instance-1" account={null} onClose={vi.fn()} />
+    );
+    expect(screen.queryByText("deleteAuthFileTitle")).not.toBeInTheDocument();
+  });
+
+  it("点击取消调用 onClose", () => {
+    const onClose = vi.fn();
+    render(
+      <CliproxyDeleteAuthFileDialog instanceId="instance-1" account={account} onClose={onClose} />
+    );
+    fireEvent.click(screen.getByText("cancel"));
+    expect(onClose).toHaveBeenCalled();
+  });
+});
diff --git a/tests/components/cliproxy-instance-logs-panel.test.tsx b/tests/components/cliproxy-instance-logs-panel.test.tsx
new file mode 100644
index 00000000..af3bdc06
--- /dev/null
+++ b/tests/components/cliproxy-instance-logs-panel.test.tsx
@@ -0,0 +1,106 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, fireEvent } from "@testing-library/react";
+
+const useCliproxyInstanceLogsMock = vi.fn();
+
+vi.mock("@/hooks/use-cliproxy", () => ({
+  useCliproxyInstanceLogs: (...args: unknown[]) => useCliproxyInstanceLogsMock(...args),
+  CLIPROXY_LOGS_DEFAULT_LIMIT: 200,
+}));
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+import { CliproxyInstanceLogsPanel } from "@/components/admin/cliproxy-instance-logs-panel";
+import type { CliproxyInstance } from "@/types/cliproxy";
+
+const instance: CliproxyInstance = {
+  id: "instance-1",
+  name: "local-dev",
+  mode: "managed",
+  base_url: "http://cliproxyapi:8317",
+  management_url: "http://cliproxyapi:8317",
+  has_client_api_key: true,
+  has_management_key: true,
+  enabled: true,
+  description: null,
+  created_at: "2025-05-30T12:00:00.000Z",
+  updated_at: "2025-05-30T12:00:00.000Z",
+};
+
+describe("CliproxyInstanceLogsPanel", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("加载中展示骨架", () => {
+    useCliproxyInstanceLogsMock.mockReturnValue({
+      data: undefined,
+      isLoading: true,
+      refetch: vi.fn(),
+      isFetching: false,
+    });
+    render(<CliproxyInstanceLogsPanel instance={instance} />);
+    expect(screen.getByText("logsTitle")).toBeInTheDocument();
+  });
+
+  it("加载失败展示错误", () => {
+    useCliproxyInstanceLogsMock.mockReturnValue({
+      data: undefined,
+      isError: true,
+      refetch: vi.fn(),
+      isFetching: false,
+    });
+    render(<CliproxyInstanceLogsPanel instance={instance} />);
+    expect(screen.getByText("logsLoadFailed")).toBeInTheDocument();
+  });
+
+  it("空日志展示提示", () => {
+    useCliproxyInstanceLogsMock.mockReturnValue({
+      data: [],
+      isLoading: false,
+      refetch: vi.fn(),
+      isFetching: false,
+    });
+    render(<CliproxyInstanceLogsPanel instance={instance} />);
+    expect(screen.getByText("logsEmpty")).toBeInTheDocument();
+  });
+
+  it("渲染日志条目", () => {
+    useCliproxyInstanceLogsMock.mockReturnValue({
+      data: [
+        { timestamp: "2025-05-31T10:00:00Z", level: "info", message: "started" },
+        { timestamp: "2025-05-31T10:00:01Z", level: "warn", message: "slow request" },
+      ],
+      isLoading: false,
+      refetch: vi.fn(),
+      isFetching: false,
+    });
+    render(<CliproxyInstanceLogsPanel instance={instance} />);
+    expect(screen.getByText("started")).toBeInTheDocument();
+    expect(screen.getByText("slow request")).toBeInTheDocument();
+    expect(screen.getByText("[INFO]")).toBeInTheDocument();
+    expect(screen.getByText("[WARN]")).toBeInTheDocument();
+  });
+
+  it("关键词过滤后只保留匹配条目", () => {
+    useCliproxyInstanceLogsMock.mockReturnValue({
+      data: [
+        { timestamp: "2025-05-31T10:00:00Z", level: "info", message: "started" },
+        { timestamp: "2025-05-31T10:00:01Z", level: "warn", message: "slow request" },
+      ],
+      isLoading: false,
+      refetch: vi.fn(),
+      isFetching: false,
+    });
+    render(<CliproxyInstanceLogsPanel instance={instance} />);
+
+    fireEvent.change(screen.getByPlaceholderText("logsSearchPlaceholder"), {
+      target: { value: "slow" },
+    });
+
+    expect(screen.queryByText("started")).not.toBeInTheDocument();
+    expect(screen.getByText("slow request")).toBeInTheDocument();
+  });
+});
diff --git a/tests/components/cliproxy-instances-table.test.tsx b/tests/components/cliproxy-instances-table.test.tsx
new file mode 100644
index 00000000..7777aafa
--- /dev/null
+++ b/tests/components/cliproxy-instances-table.test.tsx
@@ -0,0 +1,121 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen, fireEvent } from "@testing-library/react";
+
+const toggleEnabledMutate = vi.fn();
+const useToggleCliproxyInstanceEnabledMock = vi.fn();
+
+vi.mock("@/hooks/use-cliproxy", () => ({
+  useToggleCliproxyInstanceEnabled: () => useToggleCliproxyInstanceEnabledMock(),
+}));
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+import { CliproxyInstancesTable } from "@/components/admin/cliproxy-instances-table";
+import type { CliproxyInstance } from "@/types/cliproxy";
+
+function makeInstance(id: string, overrides: Partial<CliproxyInstance> = {}): CliproxyInstance {
+  return {
+    id,
+    name: `cpa-${id}`,
+    mode: "managed",
+    base_url: `http://cliproxyapi-${id}:8317`,
+    management_url: `http://cliproxyapi-${id}:8317`,
+    has_client_api_key: true,
+    has_management_key: true,
+    enabled: true,
+    description: null,
+    created_at: "2026-05-30T12:00:00.000Z",
+    updated_at: "2026-05-30T12:00:00.000Z",
+    ...overrides,
+  };
+}
+
+describe("CliproxyInstancesTable", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    useToggleCliproxyInstanceEnabledMock.mockReturnValue({
+      mutate: toggleEnabledMutate,
+      isPending: false,
+      variables: undefined,
+    });
+  });
+
+  it("点击行调用 onSelect", () => {
+    const onSelect = vi.fn();
+    render(
+      <CliproxyInstancesTable
+        instances={[makeInstance("a")]}
+        selectedInstanceId={null}
+        onSelect={onSelect}
+        onEdit={vi.fn()}
+        onTest={vi.fn()}
+        onCreatePoolUpstream={vi.fn()}
+        onDelete={vi.fn()}
+      />
+    );
+    fireEvent.click(screen.getByText("cpa-a"));
+    expect(onSelect).toHaveBeenCalledTimes(1);
+    expect(onSelect.mock.calls[0][0].id).toBe("a");
+  });
+
+  it("切换 Switch 调用 toggleEnabled.mutate 且不冒泡 onSelect", () => {
+    const onSelect = vi.fn();
+    render(
+      <CliproxyInstancesTable
+        instances={[makeInstance("a", { enabled: false })]}
+        selectedInstanceId={null}
+        onSelect={onSelect}
+        onEdit={vi.fn()}
+        onTest={vi.fn()}
+        onCreatePoolUpstream={vi.fn()}
+        onDelete={vi.fn()}
+      />
+    );
+    const toggle = screen.getByRole("switch");
+    fireEvent.click(toggle);
+    expect(toggleEnabledMutate).toHaveBeenCalledWith({ id: "a", enabled: true });
+    expect(onSelect).not.toHaveBeenCalled();
+  });
+
+  it("当前正在切换的行 Switch 被禁用，其余行 Switch 仍可用", () => {
+    useToggleCliproxyInstanceEnabledMock.mockReturnValue({
+      mutate: toggleEnabledMutate,
+      isPending: true,
+      variables: { id: "a", enabled: true },
+    });
+
+    render(
+      <CliproxyInstancesTable
+        instances={[makeInstance("a"), makeInstance("b")]}
+        selectedInstanceId={null}
+        onSelect={vi.fn()}
+        onEdit={vi.fn()}
+        onTest={vi.fn()}
+        onCreatePoolUpstream={vi.fn()}
+        onDelete={vi.fn()}
+      />
+    );
+    const switches = screen.getAllByRole("switch");
+    expect(switches[0]).toBeDisabled();
+    expect(switches[1]).not.toBeDisabled();
+  });
+
+  it("没有进行中的切换时所有 Switch 都可用", () => {
+    render(
+      <CliproxyInstancesTable
+        instances={[makeInstance("a"), makeInstance("b")]}
+        selectedInstanceId={null}
+        onSelect={vi.fn()}
+        onEdit={vi.fn()}
+        onTest={vi.fn()}
+        onCreatePoolUpstream={vi.fn()}
+        onDelete={vi.fn()}
+      />
+    );
+    const switches = screen.getAllByRole("switch");
+    expect(switches[0]).not.toBeDisabled();
+    expect(switches[1]).not.toBeDisabled();
+  });
+});
diff --git a/tests/components/cliproxy-linked-upstreams-panel.test.tsx b/tests/components/cliproxy-linked-upstreams-panel.test.tsx
new file mode 100644
index 00000000..4a7a161b
--- /dev/null
+++ b/tests/components/cliproxy-linked-upstreams-panel.test.tsx
@@ -0,0 +1,80 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { render, screen } from "@testing-library/react";
+
+const useCliproxyLinkedUpstreamsMock = vi.fn();
+
+vi.mock("@/hooks/use-cliproxy", () => ({
+  useCliproxyLinkedUpstreams: (...args: unknown[]) => useCliproxyLinkedUpstreamsMock(...args),
+}));
+
+vi.mock("next-intl", () => ({
+  useTranslations: () => (key: string) => key,
+}));
+
+import { CliproxyLinkedUpstreamsPanel } from "@/components/admin/cliproxy-linked-upstreams-panel";
+import type { CliproxyInstance } from "@/types/cliproxy";
+
+const instance: CliproxyInstance = {
+  id: "instance-1",
+  name: "local-dev",
+  mode: "managed",
+  base_url: "http://cliproxyapi:8317",
+  management_url: "http://cliproxyapi:8317",
+  has_client_api_key: true,
+  has_management_key: true,
+  enabled: true,
+  description: null,
+  created_at: "2025-05-30T12:00:00.000Z",
+  updated_at: "2025-05-30T12:00:00.000Z",
+};
+
+describe("CliproxyLinkedUpstreamsPanel", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("无关联上游时展示空提示", () => {
+    useCliproxyLinkedUpstreamsMock.mockReturnValue({ data: [], isLoading: false });
+    render(<CliproxyLinkedUpstreamsPanel instance={instance} />);
+    expect(screen.getByText("linkedUpstreamsEmpty")).toBeInTheDocument();
+  });
+
+  it("加载失败展示错误", () => {
+    useCliproxyLinkedUpstreamsMock.mockReturnValue({ data: undefined, isError: true });
+    render(<CliproxyLinkedUpstreamsPanel instance={instance} />);
+    expect(screen.getByText("linkedUpstreamsLoadFailed")).toBeInTheDocument();
+  });
+
+  it("有数据时区分池上游与单账号上游", () => {
+    useCliproxyLinkedUpstreamsMock.mockReturnValue({
+      data: [
+        {
+          id: "up-1",
+          name: "Pool Codex",
+          provider: "codex",
+          kind: "pool",
+          auth_file_name: null,
+          is_active: true,
+          created_at: "2025-05-30T12:00:00.000Z",
+        },
+        {
+          id: "up-2",
+          name: "Single Claude",
+          provider: "anthropic",
+          kind: "single",
+          auth_file_name: "claude-a.json",
+          is_active: false,
+          created_at: "2025-05-30T12:00:00.000Z",
+        },
+      ],
+      isLoading: false,
+    });
+    render(<CliproxyLinkedUpstreamsPanel instance={instance} />);
+
+    expect(screen.getByText("Pool Codex")).toBeInTheDocument();
+    expect(screen.getByText("Single Claude")).toBeInTheDocument();
+    expect(screen.getByText("claude-a.json")).toBeInTheDocument();
+    expect(screen.getByText("kindPool")).toBeInTheDocument();
+    expect(screen.getByText("kindSingle")).toBeInTheDocument();
+  });
+});
diff --git a/tests/components/cliproxy-oauth-login-dialog.test.tsx b/tests/components/cliproxy-oauth-login-dialog.test.tsx
index d4897599..857b0e73 100644
--- a/tests/components/cliproxy-oauth-login-dialog.test.tsx
+++ b/tests/components/cliproxy-oauth-login-dialog.test.tsx
@@ -1,7 +1,9 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
-import { render, screen, fireEvent } from "@testing-library/react";
+import { render, screen, fireEvent, waitFor } from "@testing-library/react";
 
 const initiateMutateAsync = vi.fn();
+const submitCallbackMutateAsync = vi.fn();
+const useCliproxyOAuthStatusMock = vi.fn();
 
 vi.mock("@/hooks/use-cliproxy", () => ({
   CLIPROXY_OAUTH_POLL_TIMEOUT_MS: 300000,
@@ -9,7 +11,11 @@ vi.mock("@/hooks/use-cliproxy", () => ({
     mutateAsync: initiateMutateAsync,
     isPending: false,
   }),
-  useCliproxyOAuthStatus: () => ({ data: undefined }),
+  useCliproxyOAuthStatus: (...args: unknown[]) => useCliproxyOAuthStatusMock(...args),
+  useSubmitCliproxyOAuthCallback: () => ({
+    mutateAsync: submitCallbackMutateAsync,
+    isPending: false,
+  }),
 }));
 
 vi.mock("@tanstack/react-query", () => ({
@@ -29,6 +35,7 @@ import { CliproxyOAuthLoginDialog } from "@/components/admin/cliproxy-oauth-logi
 describe("CliproxyOAuthLoginDialog", () => {
   beforeEach(() => {
     vi.clearAllMocks();
+    useCliproxyOAuthStatusMock.mockReturnValue({ data: undefined });
   });
 
   it("初始渲染展示标题与发起登录按钮", () => {
@@ -60,4 +67,54 @@ describe("CliproxyOAuthLoginDialog", () => {
     fireEvent.click(screen.getByText("close"));
     expect(onClose).toHaveBeenCalled();
   });
+
+  it("登录失败时展示手动回调输入框，提交回调成功后关闭弹窗", async () => {
+    initiateMutateAsync.mockResolvedValueOnce({
+      provider: "codex",
+      url: "https://auth.example/login",
+      state: "state-1",
+    });
+    useCliproxyOAuthStatusMock.mockReturnValue({
+      data: { status: "error", error: "auto callback unreachable" },
+    });
+    submitCallbackMutateAsync.mockResolvedValueOnce({ status: "ok" });
+    const onClose = vi.fn();
+    render(<CliproxyOAuthLoginDialog instanceId="instance-1" open onClose={onClose} />);
+
+    fireEvent.click(screen.getByText("oauthStartLogin"));
+    await screen.findByText("oauthManualCallback");
+
+    const input = screen.getByPlaceholderText("oauthManualCallbackPlaceholder");
+    fireEvent.change(input, {
+      target: { value: "https://callback.example/auth?code=abc&state=state-1" },
+    });
+    fireEvent.click(screen.getByText("oauthManualCallbackSubmit"));
+
+    await waitFor(() =>
+      expect(submitCallbackMutateAsync).toHaveBeenCalledWith({
+        instanceId: "instance-1",
+        provider: "codex",
+        redirectUrl: "https://callback.example/auth?code=abc&state=state-1",
+      })
+    );
+    await waitFor(() => expect(onClose).toHaveBeenCalled());
+  });
+
+  it("手动回调输入为空时不发起提交", async () => {
+    initiateMutateAsync.mockResolvedValueOnce({
+      provider: "codex",
+      url: "https://auth.example/login",
+      state: "state-1",
+    });
+    useCliproxyOAuthStatusMock.mockReturnValue({
+      data: { status: "error" },
+    });
+    render(<CliproxyOAuthLoginDialog instanceId="instance-1" open onClose={vi.fn()} />);
+
+    fireEvent.click(screen.getByText("oauthStartLogin"));
+    await screen.findByText("oauthManualCallback");
+
+    fireEvent.click(screen.getByText("oauthManualCallbackSubmit"));
+    expect(submitCallbackMutateAsync).not.toHaveBeenCalled();
+  });
 });
diff --git a/tests/unit/api/admin/cliproxy/auth-account-models.test.ts b/tests/unit/api/admin/cliproxy/auth-account-models.test.ts
new file mode 100644
index 00000000..1fc5888f
--- /dev/null
+++ b/tests/unit/api/admin/cliproxy/auth-account-models.test.ts
@@ -0,0 +1,100 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { NextRequest } from "next/server";
+
+const listCliproxyAccountModelsMock = vi.fn();
+
+vi.mock("@/lib/utils/auth", () => ({
+  validateAdminAuth: vi.fn((authHeader) => authHeader === "Bearer valid-token"),
+}));
+
+vi.mock("@/lib/services/cliproxy-auth-account-service", async (importOriginal) => {
+  const actual =
+    await importOriginal<typeof import("@/lib/services/cliproxy-auth-account-service")>();
+  return {
+    ...actual,
+    listCliproxyAccountModels: (...args: unknown[]) => listCliproxyAccountModelsMock(...args),
+  };
+});
+
+vi.mock("@/lib/utils/logger", () => ({
+  createLogger: () => ({ error: vi.fn(), warn: vi.fn(), info: vi.fn(), debug: vi.fn() }),
+}));
+
+const AUTH = "Bearer valid-token";
+const ctx = (params: Record<string, string>) => ({ params: Promise.resolve(params) });
+
+describe("Admin CLIProxyAPI auth-account models API", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("未鉴权返回 401", async () => {
+    const { GET } =
+      await import("@/app/api/admin/cliproxy/instances/[id]/auth-accounts/[accountName]/models/route");
+    const res = await GET(
+      new NextRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-accounts/codex-a.json/models",
+        { method: "GET" }
+      ),
+      ctx({ id: "instance-1", accountName: "codex-a.json" })
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("返回模型列表", async () => {
+    const { GET } =
+      await import("@/app/api/admin/cliproxy/instances/[id]/auth-accounts/[accountName]/models/route");
+    listCliproxyAccountModelsMock.mockResolvedValueOnce([
+      { id: "gpt-5", display_name: "GPT-5" },
+      { id: "gpt-5-codex" },
+    ]);
+
+    const res = await GET(
+      new NextRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-accounts/codex-a.json/models",
+        { method: "GET", headers: { authorization: AUTH } }
+      ),
+      ctx({ id: "instance-1", accountName: "codex-a.json" })
+    );
+    const body = await res.json();
+
+    expect(res.status).toBe(200);
+    expect(body.data).toHaveLength(2);
+    expect(body.data[0].id).toBe("gpt-5");
+  });
+
+  it("账号名经 URL 解码", async () => {
+    const { GET } =
+      await import("@/app/api/admin/cliproxy/instances/[id]/auth-accounts/[accountName]/models/route");
+    listCliproxyAccountModelsMock.mockResolvedValueOnce([]);
+
+    await GET(
+      new NextRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-accounts/codex%20a.json/models",
+        { method: "GET", headers: { authorization: AUTH } }
+      ),
+      ctx({ id: "instance-1", accountName: "codex%20a.json" })
+    );
+
+    expect(listCliproxyAccountModelsMock).toHaveBeenCalledWith("instance-1", "codex a.json");
+  });
+
+  it("CLIProxyAPI 不可达返回 502", async () => {
+    const { GET } =
+      await import("@/app/api/admin/cliproxy/instances/[id]/auth-accounts/[accountName]/models/route");
+    const { CliproxyManagementApiError } =
+      await import("@/lib/services/cliproxy-management-client");
+    listCliproxyAccountModelsMock.mockRejectedValueOnce(
+      new CliproxyManagementApiError("unreachable", "upstream gone", null)
+    );
+
+    const res = await GET(
+      new NextRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-accounts/codex-a.json/models",
+        { method: "GET", headers: { authorization: AUTH } }
+      ),
+      ctx({ id: "instance-1", accountName: "codex-a.json" })
+    );
+    expect(res.status).toBe(502);
+  });
+});
diff --git a/tests/unit/api/admin/cliproxy/auth-files.test.ts b/tests/unit/api/admin/cliproxy/auth-files.test.ts
new file mode 100644
index 00000000..570ae6ad
--- /dev/null
+++ b/tests/unit/api/admin/cliproxy/auth-files.test.ts
@@ -0,0 +1,209 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { NextRequest } from "next/server";
+
+const uploadCliproxyAuthFileMock = vi.fn();
+const downloadCliproxyAuthFileMock = vi.fn();
+const deleteCliproxyAuthAccountMock = vi.fn();
+
+vi.mock("@/lib/utils/auth", () => ({
+  validateAdminAuth: vi.fn((authHeader) => authHeader === "Bearer valid-token"),
+}));
+
+vi.mock("@/lib/services/cliproxy-auth-account-service", async (importOriginal) => {
+  const actual =
+    await importOriginal<typeof import("@/lib/services/cliproxy-auth-account-service")>();
+  return {
+    ...actual,
+    uploadCliproxyAuthFile: (...args: unknown[]) => uploadCliproxyAuthFileMock(...args),
+    downloadCliproxyAuthFile: (...args: unknown[]) => downloadCliproxyAuthFileMock(...args),
+    deleteCliproxyAuthAccount: (...args: unknown[]) => deleteCliproxyAuthAccountMock(...args),
+  };
+});
+
+vi.mock("@/lib/utils/logger", () => ({
+  createLogger: () => ({ error: vi.fn(), warn: vi.fn(), info: vi.fn(), debug: vi.fn() }),
+}));
+
+const AUTH = "Bearer valid-token";
+
+function jsonRequest(url: string, method: string, body?: unknown, auth = AUTH): NextRequest {
+  return new NextRequest(url, {
+    method,
+    headers: { authorization: auth, "content-type": "application/json" },
+    body: body === undefined ? undefined : JSON.stringify(body),
+  });
+}
+
+const ctx = (params: Record<string, string>) => ({ params: Promise.resolve(params) });
+
+describe("Admin CLIProxyAPI auth-files API", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  // ── POST upload ───────────────────────────────────────────────────────────
+
+  it("未鉴权时上传返回 401", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/route");
+    const res = await POST(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/instance-1/auth-files", {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ token: "x" }),
+      }),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("上传请求体不是合法 JSON 返回 400", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/route");
+    const res = await POST(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/instance-1/auth-files", {
+        method: "POST",
+        headers: { authorization: AUTH, "content-type": "application/json" },
+        body: "not-json",
+      }),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(400);
+  });
+
+  it("上传请求体不是对象返回 400", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/route");
+    const res = await POST(
+      jsonRequest("http://localhost/api/admin/cliproxy/instances/instance-1/auth-files", "POST", [
+        "x",
+      ]),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(400);
+  });
+
+  it("上传成功后返回同步结果", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/route");
+    uploadCliproxyAuthFileMock.mockResolvedValueOnce({
+      added: 1,
+      updated: 0,
+      removed: 0,
+      total: 1,
+    });
+
+    const res = await POST(
+      jsonRequest("http://localhost/api/admin/cliproxy/instances/instance-1/auth-files", "POST", {
+        token: "abc",
+        provider: "codex",
+      }),
+      ctx({ id: "instance-1" })
+    );
+    const body = await res.json();
+
+    expect(res.status).toBe(201);
+    expect(body.data).toMatchObject({ added: 1, total: 1 });
+    expect(uploadCliproxyAuthFileMock).toHaveBeenCalledWith("instance-1", {
+      token: "abc",
+      provider: "codex",
+    });
+  });
+
+  it("上传时实例不存在返回 404", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/route");
+    const { CliproxyInstanceNotFoundError } = await import("@/lib/services/cliproxy-instance-crud");
+    uploadCliproxyAuthFileMock.mockRejectedValueOnce(new CliproxyInstanceNotFoundError("missing"));
+
+    const res = await POST(
+      jsonRequest("http://localhost/api/admin/cliproxy/instances/missing/auth-files", "POST", {
+        token: "x",
+      }),
+      ctx({ id: "missing" })
+    );
+    expect(res.status).toBe(404);
+  });
+
+  // ── GET download ──────────────────────────────────────────────────────────
+
+  it("下载未鉴权返回 401", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route");
+    const res = await GET(
+      new NextRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-files/codex-a.json",
+        { method: "GET" }
+      ),
+      ctx({ id: "instance-1", name: "codex-a.json" })
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("下载返回 application/json 与正确文件名", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route");
+    downloadCliproxyAuthFileMock.mockResolvedValueOnce({ token: "abc" });
+
+    const res = await GET(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-files/codex-a.json",
+        "GET"
+      ),
+      ctx({ id: "instance-1", name: "codex-a.json" })
+    );
+
+    expect(res.status).toBe(200);
+    expect(res.headers.get("content-type")).toContain("application/json");
+    expect(res.headers.get("content-disposition")).toContain("codex-a.json");
+    const body = await res.json();
+    expect(body).toEqual({ token: "abc" });
+  });
+
+  it("下载时账号文件名经 URL 解码", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route");
+    downloadCliproxyAuthFileMock.mockResolvedValueOnce({ token: "x" });
+
+    await GET(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-files/codex%20a.json",
+        "GET"
+      ),
+      ctx({ id: "instance-1", name: "codex%20a.json" })
+    );
+
+    expect(downloadCliproxyAuthFileMock).toHaveBeenCalledWith("instance-1", "codex a.json");
+  });
+
+  // ── DELETE ────────────────────────────────────────────────────────────────
+
+  it("删除成功返回 200 与文件名", async () => {
+    const { DELETE } =
+      await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route");
+    deleteCliproxyAuthAccountMock.mockResolvedValueOnce(undefined);
+
+    const res = await DELETE(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-files/codex-a.json",
+        "DELETE"
+      ),
+      ctx({ id: "instance-1", name: "codex-a.json" })
+    );
+    const body = await res.json();
+
+    expect(res.status).toBe(200);
+    expect(body.data.name).toBe("codex-a.json");
+  });
+
+  it("删除时 CLIProxyAPI 不可达返回 502", async () => {
+    const { DELETE } =
+      await import("@/app/api/admin/cliproxy/instances/[id]/auth-files/[name]/route");
+    const { CliproxyManagementApiError } =
+      await import("@/lib/services/cliproxy-management-client");
+    deleteCliproxyAuthAccountMock.mockRejectedValueOnce(
+      new CliproxyManagementApiError("unreachable", "upstream gone", null)
+    );
+
+    const res = await DELETE(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/auth-files/codex-a.json",
+        "DELETE"
+      ),
+      ctx({ id: "instance-1", name: "codex-a.json" })
+    );
+    expect(res.status).toBe(502);
+  });
+});
diff --git a/tests/unit/api/admin/cliproxy/linked-upstreams.test.ts b/tests/unit/api/admin/cliproxy/linked-upstreams.test.ts
new file mode 100644
index 00000000..a5fb6617
--- /dev/null
+++ b/tests/unit/api/admin/cliproxy/linked-upstreams.test.ts
@@ -0,0 +1,103 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { NextRequest } from "next/server";
+
+const listCliproxyLinkedUpstreamsMock = vi.fn();
+
+vi.mock("@/lib/utils/auth", () => ({
+  validateAdminAuth: vi.fn((authHeader) => authHeader === "Bearer valid-token"),
+}));
+
+vi.mock("@/lib/services/cliproxy-linked-upstreams-service", async (importOriginal) => {
+  const actual =
+    await importOriginal<typeof import("@/lib/services/cliproxy-linked-upstreams-service")>();
+  return {
+    ...actual,
+    listCliproxyLinkedUpstreams: (...args: unknown[]) => listCliproxyLinkedUpstreamsMock(...args),
+  };
+});
+
+vi.mock("@/lib/utils/logger", () => ({
+  createLogger: () => ({ error: vi.fn(), warn: vi.fn(), info: vi.fn(), debug: vi.fn() }),
+}));
+
+const AUTH = "Bearer valid-token";
+const ctx = (params: Record<string, string>) => ({ params: Promise.resolve(params) });
+
+describe("Admin CLIProxyAPI linked upstreams API", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("未鉴权返回 401", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/linked-upstreams/route");
+    const res = await GET(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/instance-1/linked-upstreams", {
+        method: "GET",
+      }),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("返回上游列表并以 snake_case 命名输出", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/linked-upstreams/route");
+    const createdAt = new Date("2025-05-30T12:00:00.000Z");
+    listCliproxyLinkedUpstreamsMock.mockResolvedValueOnce([
+      {
+        id: "up-1",
+        name: "Pool Codex",
+        provider: "codex",
+        kind: "pool",
+        authFileName: null,
+        isActive: true,
+        createdAt,
+      },
+      {
+        id: "up-2",
+        name: "Single Claude",
+        provider: "anthropic",
+        kind: "single",
+        authFileName: "claude-a.json",
+        isActive: false,
+        createdAt,
+      },
+    ]);
+
+    const res = await GET(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/instance-1/linked-upstreams", {
+        method: "GET",
+        headers: { authorization: AUTH },
+      }),
+      ctx({ id: "instance-1" })
+    );
+    const body = await res.json();
+
+    expect(res.status).toBe(200);
+    expect(body.data).toHaveLength(2);
+    expect(body.data[0]).toMatchObject({
+      id: "up-1",
+      kind: "pool",
+      auth_file_name: null,
+      is_active: true,
+      created_at: createdAt.toISOString(),
+    });
+    expect(body.data[1].auth_file_name).toBe("claude-a.json");
+  });
+
+  it("实例不存在返回 404", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/linked-upstreams/route");
+    const { CliproxyInstanceNotFoundError } = await import("@/lib/services/cliproxy-instance-crud");
+    listCliproxyLinkedUpstreamsMock.mockRejectedValueOnce(
+      new CliproxyInstanceNotFoundError("missing")
+    );
+
+    const res = await GET(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/missing/linked-upstreams", {
+        method: "GET",
+        headers: { authorization: AUTH },
+      }),
+      ctx({ id: "missing" })
+    );
+    expect(res.status).toBe(404);
+  });
+});
diff --git a/tests/unit/api/admin/cliproxy/logs.test.ts b/tests/unit/api/admin/cliproxy/logs.test.ts
new file mode 100644
index 00000000..317505bb
--- /dev/null
+++ b/tests/unit/api/admin/cliproxy/logs.test.ts
@@ -0,0 +1,94 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { NextRequest } from "next/server";
+
+const listCliproxyInstanceLogsMock = vi.fn();
+
+vi.mock("@/lib/utils/auth", () => ({
+  validateAdminAuth: vi.fn((authHeader) => authHeader === "Bearer valid-token"),
+}));
+
+vi.mock("@/lib/services/cliproxy-instance-logs-service", async (importOriginal) => {
+  const actual =
+    await importOriginal<typeof import("@/lib/services/cliproxy-instance-logs-service")>();
+  return {
+    ...actual,
+    listCliproxyInstanceLogs: (...args: unknown[]) => listCliproxyInstanceLogsMock(...args),
+  };
+});
+
+vi.mock("@/lib/utils/logger", () => ({
+  createLogger: () => ({ error: vi.fn(), warn: vi.fn(), info: vi.fn(), debug: vi.fn() }),
+}));
+
+const AUTH = "Bearer valid-token";
+const ctx = (params: Record<string, string>) => ({ params: Promise.resolve(params) });
+
+describe("Admin CLIProxyAPI logs API", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("未鉴权返回 401", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/logs/route");
+    const res = await GET(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/instance-1/logs", {
+        method: "GET",
+      }),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("返回日志数组", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/logs/route");
+    listCliproxyInstanceLogsMock.mockResolvedValueOnce([
+      { timestamp: "2025-05-31T10:00:00Z", level: "info", message: "ok" },
+    ]);
+
+    const res = await GET(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/instance-1/logs", {
+        method: "GET",
+        headers: { authorization: AUTH },
+      }),
+      ctx({ id: "instance-1" })
+    );
+    const body = await res.json();
+
+    expect(res.status).toBe(200);
+    expect(body.data).toHaveLength(1);
+    expect(body.data[0].message).toBe("ok");
+    expect(listCliproxyInstanceLogsMock).toHaveBeenCalledWith("instance-1", undefined);
+  });
+
+  it("透传 since 查询参数", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/logs/route");
+    listCliproxyInstanceLogsMock.mockResolvedValueOnce([]);
+
+    await GET(
+      new NextRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/logs?since=2025-05-31T09:00:00Z",
+        { method: "GET", headers: { authorization: AUTH } }
+      ),
+      ctx({ id: "instance-1" })
+    );
+
+    expect(listCliproxyInstanceLogsMock).toHaveBeenCalledWith("instance-1", "2025-05-31T09:00:00Z");
+  });
+
+  it("实例不存在返回 404", async () => {
+    const { GET } = await import("@/app/api/admin/cliproxy/instances/[id]/logs/route");
+    const { CliproxyInstanceNotFoundError } = await import("@/lib/services/cliproxy-instance-crud");
+    listCliproxyInstanceLogsMock.mockRejectedValueOnce(
+      new CliproxyInstanceNotFoundError("missing")
+    );
+
+    const res = await GET(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/missing/logs", {
+        method: "GET",
+        headers: { authorization: AUTH },
+      }),
+      ctx({ id: "missing" })
+    );
+    expect(res.status).toBe(404);
+  });
+});
diff --git a/tests/unit/api/admin/cliproxy/oauth-callback.test.ts b/tests/unit/api/admin/cliproxy/oauth-callback.test.ts
new file mode 100644
index 00000000..c12d1c1d
--- /dev/null
+++ b/tests/unit/api/admin/cliproxy/oauth-callback.test.ts
@@ -0,0 +1,126 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { NextRequest } from "next/server";
+
+const submitCliproxyOAuthCallbackMock = vi.fn();
+
+vi.mock("@/lib/utils/auth", () => ({
+  validateAdminAuth: vi.fn((authHeader) => authHeader === "Bearer valid-token"),
+}));
+
+vi.mock("@/lib/services/cliproxy-oauth-login-service", async (importOriginal) => {
+  const actual =
+    await importOriginal<typeof import("@/lib/services/cliproxy-oauth-login-service")>();
+  return {
+    ...actual,
+    submitCliproxyOAuthCallback: (...args: unknown[]) => submitCliproxyOAuthCallbackMock(...args),
+  };
+});
+
+vi.mock("@/lib/utils/logger", () => ({
+  createLogger: () => ({ error: vi.fn(), warn: vi.fn(), info: vi.fn(), debug: vi.fn() }),
+}));
+
+const AUTH = "Bearer valid-token";
+
+function jsonRequest(url: string, method: string, body?: unknown, auth = AUTH): NextRequest {
+  return new NextRequest(url, {
+    method,
+    headers: { authorization: auth, "content-type": "application/json" },
+    body: body === undefined ? undefined : JSON.stringify(body),
+  });
+}
+
+const ctx = (params: Record<string, string>) => ({ params: Promise.resolve(params) });
+
+describe("Admin CLIProxyAPI OAuth callback API", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("未鉴权返回 401", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/oauth-callback/route");
+    const res = await POST(
+      new NextRequest("http://localhost/api/admin/cliproxy/instances/instance-1/oauth-callback", {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ provider: "codex", redirect_url: "https://x" }),
+      }),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(401);
+  });
+
+  it("非法 Provider 返回 400", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/oauth-callback/route");
+    const res = await POST(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/oauth-callback",
+        "POST",
+        { provider: "unknown", redirect_url: "https://x" }
+      ),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(400);
+  });
+
+  it("缺少 redirect_url 返回 400", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/oauth-callback/route");
+    const res = await POST(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/oauth-callback",
+        "POST",
+        { provider: "codex" }
+      ),
+      ctx({ id: "instance-1" })
+    );
+    expect(res.status).toBe(400);
+  });
+
+  it("提交成功返回同步结果", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/oauth-callback/route");
+    submitCliproxyOAuthCallbackMock.mockResolvedValueOnce({
+      status: "ok",
+      syncResult: { added: 1, updated: 0, removed: 0, total: 1 },
+    });
+
+    const res = await POST(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/oauth-callback",
+        "POST",
+        { provider: "codex", redirect_url: "https://callback.example/?code=abc" }
+      ),
+      ctx({ id: "instance-1" })
+    );
+    const body = await res.json();
+
+    expect(res.status).toBe(200);
+    expect(body.data.status).toBe("ok");
+    expect(body.data.syncResult.added).toBe(1);
+    expect(submitCliproxyOAuthCallbackMock).toHaveBeenCalledWith(
+      "instance-1",
+      "codex",
+      "https://callback.example/?code=abc"
+    );
+  });
+
+  it("支持新增的 Provider xai", async () => {
+    const { POST } = await import("@/app/api/admin/cliproxy/instances/[id]/oauth-callback/route");
+    submitCliproxyOAuthCallbackMock.mockResolvedValueOnce({ status: "ok" });
+
+    const res = await POST(
+      jsonRequest(
+        "http://localhost/api/admin/cliproxy/instances/instance-1/oauth-callback",
+        "POST",
+        { provider: "xai", redirect_url: "https://callback.example/xai?code=abc" }
+      ),
+      ctx({ id: "instance-1" })
+    );
+
+    expect(res.status).toBe(200);
+    expect(submitCliproxyOAuthCallbackMock).toHaveBeenCalledWith(
+      "instance-1",
+      "xai",
+      "https://callback.example/xai?code=abc"
+    );
+  });
+});
diff --git a/tests/unit/hooks/use-cliproxy.test.ts b/tests/unit/hooks/use-cliproxy.test.ts
index 21652ed8..40127848 100644
--- a/tests/unit/hooks/use-cliproxy.test.ts
+++ b/tests/unit/hooks/use-cliproxy.test.ts
@@ -352,3 +352,162 @@ describe("use-cliproxy 上游创建 hooks", () => {
     await waitFor(() => expect(mockToastSuccess).toHaveBeenCalled());
   });
 });
+
+describe("use-cliproxy 实例启停 hook", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("useToggleCliproxyInstanceEnabled 以 PATCH 仅更新 enabled 字段", async () => {
+    mockPatch.mockResolvedValueOnce({ data: sampleInstance });
+    const { useToggleCliproxyInstanceEnabled } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(() => useToggleCliproxyInstanceEnabled(), { wrapper });
+    await result.current.mutateAsync({ id: "instance-1", enabled: false });
+
+    expect(mockPatch).toHaveBeenCalledWith("/admin/cliproxy/instances/instance-1", {
+      enabled: false,
+    });
+  });
+
+  it("useToggleCliproxyInstanceEnabled 失败时弹错并保留为非成功状态", async () => {
+    mockPatch.mockRejectedValueOnce(new Error("conflict"));
+    const { useToggleCliproxyInstanceEnabled } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(() => useToggleCliproxyInstanceEnabled(), { wrapper });
+    await expect(result.current.mutateAsync({ id: "instance-1", enabled: true })).rejects.toThrow(
+      "conflict"
+    );
+    await waitFor(() =>
+      expect(mockToastError).toHaveBeenCalledWith("instanceUpdateFailed: conflict")
+    );
+  });
+});
+
+describe("use-cliproxy 认证文件 hooks", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("useUploadCliproxyAuthFile 以 POST 上传 JSON 内容", async () => {
+    mockPost.mockResolvedValueOnce({
+      data: { added: 1, updated: 0, removed: 0, total: 1 },
+    });
+    const { useUploadCliproxyAuthFile } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(() => useUploadCliproxyAuthFile(), { wrapper });
+    await result.current.mutateAsync({
+      instanceId: "instance-1",
+      content: { type: "codex", refresh_token: "xxx" },
+    });
+
+    expect(mockPost).toHaveBeenCalledWith("/admin/cliproxy/instances/instance-1/auth-files", {
+      type: "codex",
+      refresh_token: "xxx",
+    });
+    await waitFor(() => expect(mockToastSuccess).toHaveBeenCalled());
+  });
+
+  it("useDeleteCliproxyAuthFile 以 DELETE 调用并编码文件名", async () => {
+    mockDelete.mockResolvedValueOnce({ data: { name: "codex a.json" } });
+    const { useDeleteCliproxyAuthFile } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(() => useDeleteCliproxyAuthFile(), { wrapper });
+    await result.current.mutateAsync({
+      instanceId: "instance-1",
+      authFileName: "codex a.json",
+    });
+
+    expect(mockDelete).toHaveBeenCalledWith(
+      "/admin/cliproxy/instances/instance-1/auth-files/codex%20a.json"
+    );
+    await waitFor(() => expect(mockToastSuccess).toHaveBeenCalled());
+  });
+
+  it("useSubmitCliproxyOAuthCallback 以 POST 提交回调 URL 并展示专用提示", async () => {
+    mockPost.mockResolvedValueOnce({ data: { status: "ok" } });
+    const { useSubmitCliproxyOAuthCallback } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(() => useSubmitCliproxyOAuthCallback(), { wrapper });
+    await result.current.mutateAsync({
+      instanceId: "instance-1",
+      provider: "codex",
+      redirectUrl: "https://callback.example/auth?code=abc",
+    });
+
+    expect(mockPost).toHaveBeenCalledWith("/admin/cliproxy/instances/instance-1/oauth-callback", {
+      provider: "codex",
+      redirect_url: "https://callback.example/auth?code=abc",
+    });
+    await waitFor(() =>
+      expect(mockToastSuccess).toHaveBeenCalledWith("oauthCallbackSubmitSuccess")
+    );
+  });
+});
+
+describe("use-cliproxy 关联上游与日志 hooks", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("useCliproxyLinkedUpstreams 在实例 id 存在时按 GET 拉取", async () => {
+    mockGet.mockResolvedValueOnce({ data: [] });
+    const { useCliproxyLinkedUpstreams } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(() => useCliproxyLinkedUpstreams("instance-1"), { wrapper });
+
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(mockGet).toHaveBeenCalledWith("/admin/cliproxy/instances/instance-1/linked-upstreams");
+  });
+
+  it("useCliproxyLinkedUpstreams 在实例 id 为空时不发起请求", async () => {
+    const { useCliproxyLinkedUpstreams } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    renderHook(() => useCliproxyLinkedUpstreams(null), { wrapper });
+    expect(mockGet).not.toHaveBeenCalled();
+  });
+
+  it("useCliproxyAccountModels 在 authFileName 存在时按 GET 拉取且编码文件名", async () => {
+    mockGet.mockResolvedValueOnce({ data: [] });
+    const { useCliproxyAccountModels } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(() => useCliproxyAccountModels("instance-1", "codex a.json"), {
+      wrapper,
+    });
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(mockGet).toHaveBeenCalledWith(
+      "/admin/cliproxy/instances/instance-1/auth-accounts/codex%20a.json/models"
+    );
+  });
+
+  it("useCliproxyAccountModels 在 authFileName 为空时不发起请求", async () => {
+    const { useCliproxyAccountModels } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    renderHook(() => useCliproxyAccountModels("instance-1", null), { wrapper });
+    expect(mockGet).not.toHaveBeenCalled();
+  });
+
+  it("useCliproxyInstanceLogs 按可选 since 透传查询参数", async () => {
+    mockGet.mockResolvedValueOnce({ data: [] });
+    const { useCliproxyInstanceLogs } = await import("@/hooks/use-cliproxy");
+    const { wrapper } = createWrapper();
+
+    const { result } = renderHook(
+      () => useCliproxyInstanceLogs("instance-1", "2026-05-30T00:00:00Z"),
+      { wrapper }
+    );
+    await waitFor(() => expect(result.current.isSuccess).toBe(true));
+    expect(mockGet).toHaveBeenCalledWith(
+      "/admin/cliproxy/instances/instance-1/logs?since=2026-05-30T00%3A00%3A00Z"
+    );
+  });
+});
diff --git a/tests/unit/services/cliproxy-auth-account-service.test.ts b/tests/unit/services/cliproxy-auth-account-service.test.ts
index bcbf18c8..2667573b 100644
--- a/tests/unit/services/cliproxy-auth-account-service.test.ts
+++ b/tests/unit/services/cliproxy-auth-account-service.test.ts
@@ -9,6 +9,9 @@ const listAuthFilesMock = vi.fn();
 const getAuthFileModelsMock = vi.fn();
 const patchAuthFileStatusMock = vi.fn();
 const patchAuthFileFieldsMock = vi.fn();
+const deleteAuthFileMock = vi.fn();
+const uploadAuthFileMock = vi.fn();
+const downloadAuthFileMock = vi.fn();
 
 vi.mock("drizzle-orm", async (importOriginal) => {
   const actual = await importOriginal<typeof import("drizzle-orm")>();
@@ -43,6 +46,9 @@ vi.mock("@/lib/services/cliproxy-management-client", () => ({
   getAuthFileModels: (...args: unknown[]) => getAuthFileModelsMock(...args),
   patchAuthFileStatus: (...args: unknown[]) => patchAuthFileStatusMock(...args),
   patchAuthFileFields: (...args: unknown[]) => patchAuthFileFieldsMock(...args),
+  deleteAuthFile: (...args: unknown[]) => deleteAuthFileMock(...args),
+  uploadAuthFile: (...args: unknown[]) => uploadAuthFileMock(...args),
+  downloadAuthFile: (...args: unknown[]) => downloadAuthFileMock(...args),
 }));
 
 vi.mock("@/lib/utils/logger", () => ({
@@ -213,4 +219,117 @@ describe("cliproxy-auth-account-service", () => {
     expect(cacheUpdate).not.toHaveProperty("proxyUrl");
     expect(cacheUpdate.prefix).toBe("team-a");
   });
+
+  // ── deleteCliproxyAuthAccount ───────────────────────────────────────────
+
+  it("deleteCliproxyAuthAccount 先调用 CLIProxyAPI 再清理本地缓存", async () => {
+    const { deleteCliproxyAuthAccount } =
+      await import("@/lib/services/cliproxy-auth-account-service");
+
+    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    deleteAuthFileMock.mockResolvedValueOnce(undefined);
+    dbSelectMock.mockReturnValueOnce(
+      makeSelectChain([{ id: "acc-1", authFileName: "codex-a.json" }])
+    );
+    const whereMock = vi.fn().mockResolvedValueOnce(undefined);
+    dbDeleteMock.mockReturnValueOnce({ where: whereMock });
+
+    await deleteCliproxyAuthAccount("instance-1", "codex-a.json");
+
+    expect(deleteAuthFileMock).toHaveBeenCalledWith(
+      { managementUrl: "http://cliproxyapi:8317", managementKey: "mgmt-key" },
+      "codex-a.json"
+    );
+    expect(dbDeleteMock).toHaveBeenCalled();
+  });
+
+  it("deleteCliproxyAuthAccount CLIProxyAPI 删除失败时不清理缓存", async () => {
+    const { deleteCliproxyAuthAccount } =
+      await import("@/lib/services/cliproxy-auth-account-service");
+
+    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    deleteAuthFileMock.mockRejectedValueOnce(new Error("upstream 500"));
+
+    await expect(deleteCliproxyAuthAccount("instance-1", "codex-a.json")).rejects.toThrow(
+      "upstream 500"
+    );
+    expect(dbDeleteMock).not.toHaveBeenCalled();
+  });
+
+  it("deleteCliproxyAuthAccount 本地无缓存时仍返回成功", async () => {
+    const { deleteCliproxyAuthAccount } =
+      await import("@/lib/services/cliproxy-auth-account-service");
+
+    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    deleteAuthFileMock.mockResolvedValueOnce(undefined);
+    dbSelectMock.mockReturnValueOnce(makeSelectChain([])); // 本地无缓存
+
+    await expect(deleteCliproxyAuthAccount("instance-1", "codex-a.json")).resolves.toBeUndefined();
+    expect(dbDeleteMock).not.toHaveBeenCalled();
+  });
+
+  // ── uploadCliproxyAuthFile ──────────────────────────────────────────────
+
+  it("uploadCliproxyAuthFile 上传后触发账号同步并返回结果", async () => {
+    const { uploadCliproxyAuthFile } = await import("@/lib/services/cliproxy-auth-account-service");
+
+    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow); // upload 解析 target
+    uploadAuthFileMock.mockResolvedValueOnce(undefined);
+
+    // syncCliproxyAuthAccounts 内部再次调用 getCliproxyInstanceRow + listAuthFiles
+    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    listAuthFilesMock.mockResolvedValueOnce([{ name: "codex-a.json", provider: "codex" }]);
+    dbSelectMock.mockReturnValueOnce(makeSelectChain([]));
+    getAuthFileModelsMock.mockResolvedValueOnce([{ id: "m" }]);
+    const valuesMock = vi.fn().mockResolvedValueOnce(undefined);
+    dbInsertMock.mockReturnValueOnce({ values: valuesMock });
+
+    const result = await uploadCliproxyAuthFile("instance-1", { token: "abc" });
+
+    expect(uploadAuthFileMock).toHaveBeenCalledWith(
+      { managementUrl: "http://cliproxyapi:8317", managementKey: "mgmt-key" },
+      { token: "abc" }
+    );
+    expect(result).toMatchObject({ added: 1, total: 1 });
+  });
+
+  // ── downloadCliproxyAuthFile ────────────────────────────────────────────
+
+  it("downloadCliproxyAuthFile 透传管理客户端返回的文件内容", async () => {
+    const { downloadCliproxyAuthFile } =
+      await import("@/lib/services/cliproxy-auth-account-service");
+
+    const content = { token: "abc", provider: "codex" };
+    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    downloadAuthFileMock.mockResolvedValueOnce(content);
+
+    const result = await downloadCliproxyAuthFile("instance-1", "codex-a.json");
+
+    expect(result).toEqual(content);
+    expect(downloadAuthFileMock).toHaveBeenCalledWith(
+      { managementUrl: "http://cliproxyapi:8317", managementKey: "mgmt-key" },
+      "codex-a.json"
+    );
+  });
+
+  // ── listCliproxyAccountModels ───────────────────────────────────────────
+
+  it("listCliproxyAccountModels 透传管理客户端返回的模型列表", async () => {
+    const { listCliproxyAccountModels } =
+      await import("@/lib/services/cliproxy-auth-account-service");
+
+    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    getAuthFileModelsMock.mockResolvedValueOnce([
+      { id: "gpt-5", display_name: "GPT-5" },
+      { id: "gpt-5-codex" },
+    ]);
+
+    const models = await listCliproxyAccountModels("instance-1", "codex-a.json");
+
+    expect(models).toHaveLength(2);
+    expect(getAuthFileModelsMock).toHaveBeenCalledWith(
+      { managementUrl: "http://cliproxyapi:8317", managementKey: "mgmt-key" },
+      "codex-a.json"
+    );
+  });
 });
diff --git a/tests/unit/services/cliproxy-instance-logs-service.test.ts b/tests/unit/services/cliproxy-instance-logs-service.test.ts
new file mode 100644
index 00000000..7089a063
--- /dev/null
+++ b/tests/unit/services/cliproxy-instance-logs-service.test.ts
@@ -0,0 +1,67 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+const resolveTargetMock = vi.fn();
+const getLogsMock = vi.fn();
+
+vi.mock("@/lib/services/cliproxy-instance-crud", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/lib/services/cliproxy-instance-crud")>();
+  return {
+    ...actual,
+    resolveCliproxyManagementTarget: (...args: unknown[]) => resolveTargetMock(...args),
+  };
+});
+
+vi.mock("@/lib/services/cliproxy-management-client", () => ({
+  getLogs: (...args: unknown[]) => getLogsMock(...args),
+}));
+
+const target = {
+  managementUrl: "http://cliproxyapi:8317",
+  managementKey: "mgmt-key",
+};
+
+describe("cliproxy-instance-logs-service", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("listCliproxyInstanceLogs 透传 since 参数到管理客户端", async () => {
+    const { listCliproxyInstanceLogs } =
+      await import("@/lib/services/cliproxy-instance-logs-service");
+
+    resolveTargetMock.mockResolvedValueOnce(target);
+    getLogsMock.mockResolvedValueOnce([
+      { timestamp: "2025-05-31T10:00:00Z", level: "info", message: "ok" },
+    ]);
+
+    const result = await listCliproxyInstanceLogs("instance-1", "2025-05-31T09:00:00Z");
+
+    expect(result).toHaveLength(1);
+    expect(getLogsMock).toHaveBeenCalledWith(target, "2025-05-31T09:00:00Z");
+  });
+
+  it("listCliproxyInstanceLogs 不传 since 时也不向客户端传递", async () => {
+    const { listCliproxyInstanceLogs } =
+      await import("@/lib/services/cliproxy-instance-logs-service");
+
+    resolveTargetMock.mockResolvedValueOnce(target);
+    getLogsMock.mockResolvedValueOnce([]);
+
+    await listCliproxyInstanceLogs("instance-1");
+
+    expect(getLogsMock).toHaveBeenCalledWith(target, undefined);
+  });
+
+  it("listCliproxyInstanceLogs 实例不存在时抛出 CliproxyInstanceNotFoundError", async () => {
+    const { listCliproxyInstanceLogs } =
+      await import("@/lib/services/cliproxy-instance-logs-service");
+    const { CliproxyInstanceNotFoundError } = await import("@/lib/services/cliproxy-instance-crud");
+
+    resolveTargetMock.mockRejectedValueOnce(new CliproxyInstanceNotFoundError("missing"));
+
+    await expect(listCliproxyInstanceLogs("missing")).rejects.toBeInstanceOf(
+      CliproxyInstanceNotFoundError
+    );
+    expect(getLogsMock).not.toHaveBeenCalled();
+  });
+});
diff --git a/tests/unit/services/cliproxy-linked-upstreams-service.test.ts b/tests/unit/services/cliproxy-linked-upstreams-service.test.ts
new file mode 100644
index 00000000..d4b3d97e
--- /dev/null
+++ b/tests/unit/services/cliproxy-linked-upstreams-service.test.ts
@@ -0,0 +1,103 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+const dbSelectMock = vi.fn();
+const getCliproxyInstanceByIdMock = vi.fn();
+
+vi.mock("drizzle-orm", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("drizzle-orm")>();
+  return {
+    ...actual,
+    eq: vi.fn((a, b) => ({ __op: "eq", a, b })),
+    desc: vi.fn((c) => ({ __op: "desc", c })),
+  };
+});
+
+vi.mock("@/lib/db", () => ({
+  db: { select: (...args: unknown[]) => dbSelectMock(...args) },
+  upstreams: { id: "id", cliproxyInstanceId: "cliproxyInstanceId", createdAt: "createdAt" },
+}));
+
+vi.mock("@/lib/services/cliproxy-instance-crud", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@/lib/services/cliproxy-instance-crud")>();
+  return {
+    ...actual,
+    getCliproxyInstanceById: (...args: unknown[]) => getCliproxyInstanceByIdMock(...args),
+  };
+});
+
+function makeSelectChain(result: unknown[]) {
+  const chain: Record<string, unknown> = {};
+  for (const method of ["from", "where", "orderBy"]) {
+    chain[method] = vi.fn(() => chain);
+  }
+  chain.then = (resolve: (v: unknown) => void) => resolve(result);
+  return chain;
+}
+
+describe("cliproxy-linked-upstreams-service", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("listCliproxyLinkedUpstreams 区分池上游与单账号上游", async () => {
+    const { listCliproxyLinkedUpstreams } =
+      await import("@/lib/services/cliproxy-linked-upstreams-service");
+
+    getCliproxyInstanceByIdMock.mockResolvedValueOnce({ id: "instance-1" });
+    dbSelectMock.mockReturnValueOnce(
+      makeSelectChain([
+        {
+          id: "up-1",
+          name: "Pool Codex",
+          cliproxyProvider: "codex",
+          cliproxyAuthFileName: null,
+          isActive: true,
+          createdAt: new Date("2025-01-01"),
+        },
+        {
+          id: "up-2",
+          name: "Single Claude",
+          cliproxyProvider: "anthropic",
+          cliproxyAuthFileName: "claude-a.json",
+          isActive: false,
+          createdAt: new Date("2025-01-02"),
+        },
+      ])
+    );
+
+    const result = await listCliproxyLinkedUpstreams("instance-1");
+
+    expect(result).toHaveLength(2);
+    expect(result[0]).toMatchObject({ id: "up-1", kind: "pool", authFileName: null });
+    expect(result[1]).toMatchObject({
+      id: "up-2",
+      kind: "single",
+      authFileName: "claude-a.json",
+      isActive: false,
+    });
+  });
+
+  it("listCliproxyLinkedUpstreams 无关联上游时返回空数组", async () => {
+    const { listCliproxyLinkedUpstreams } =
+      await import("@/lib/services/cliproxy-linked-upstreams-service");
+
+    getCliproxyInstanceByIdMock.mockResolvedValueOnce({ id: "instance-1" });
+    dbSelectMock.mockReturnValueOnce(makeSelectChain([]));
+
+    const result = await listCliproxyLinkedUpstreams("instance-1");
+
+    expect(result).toEqual([]);
+  });
+
+  it("listCliproxyLinkedUpstreams 实例不存在时抛出 CliproxyInstanceNotFoundError", async () => {
+    const { listCliproxyLinkedUpstreams } =
+      await import("@/lib/services/cliproxy-linked-upstreams-service");
+    const { CliproxyInstanceNotFoundError } = await import("@/lib/services/cliproxy-instance-crud");
+
+    getCliproxyInstanceByIdMock.mockResolvedValueOnce(null);
+
+    await expect(listCliproxyLinkedUpstreams("missing")).rejects.toBeInstanceOf(
+      CliproxyInstanceNotFoundError
+    );
+  });
+});
diff --git a/tests/unit/services/cliproxy-management-client.test.ts b/tests/unit/services/cliproxy-management-client.test.ts
index 41316694..4fd13475 100644
--- a/tests/unit/services/cliproxy-management-client.test.ts
+++ b/tests/unit/services/cliproxy-management-client.test.ts
@@ -11,7 +11,14 @@ import {
   patchAuthFileFields,
   getProviderAuthUrl,
   getAuthStatus,
+  deleteAuthFile,
+  uploadAuthFile,
+  downloadAuthFile,
+  submitOAuthCallback,
+  getLogs,
   CliproxyManagementApiError,
+  CLIPROXY_OAUTH_PROVIDERS,
+  isCliproxyOAuthProvider,
 } from "@/lib/services/cliproxy-management-client";
 
 const TARGET = { managementUrl: "http://cliproxyapi:8317", managementKey: "mgmt-key" };
@@ -164,4 +171,208 @@ describe("cliproxy-management-client", () => {
     vi.stubGlobal("fetch", vi.fn().mockRejectedValue(abortError));
     await expect(listAuthFiles(TARGET)).rejects.toMatchObject({ kind: "unreachable" });
   });
+
+  // ── 新增 Provider 覆盖 ──────────────────────────────────────────────────
+
+  it("CLIPROXY_OAUTH_PROVIDERS 包含新增的三个服务商", () => {
+    expect(CLIPROXY_OAUTH_PROVIDERS).toContain("xai");
+    expect(CLIPROXY_OAUTH_PROVIDERS).toContain("antigravity");
+    expect(CLIPROXY_OAUTH_PROVIDERS).toContain("kimi");
+    expect(CLIPROXY_OAUTH_PROVIDERS).toHaveLength(6);
+  });
+
+  it("isCliproxyOAuthProvider 对新 Provider 返回 true", () => {
+    expect(isCliproxyOAuthProvider("xai")).toBe(true);
+    expect(isCliproxyOAuthProvider("antigravity")).toBe(true);
+    expect(isCliproxyOAuthProvider("kimi")).toBe(true);
+    expect(isCliproxyOAuthProvider("unknown")).toBe(false);
+  });
+
+  it("getProviderAuthUrl xAI 映射到 xai-auth-url 端点", async () => {
+    const fetchMock = stubFetchOnce(
+      new Response(JSON.stringify({ url: "https://x.ai/oauth", state: "xai-state" }), {
+        status: 200,
+      })
+    );
+
+    const result = await getProviderAuthUrl(TARGET, "xai");
+
+    expect(result).toEqual({ url: "https://x.ai/oauth", state: "xai-state" });
+    expect(fetchMock.mock.calls[0][0]).toBe(
+      "http://cliproxyapi:8317/v0/management/xai-auth-url?is_webui=true"
+    );
+  });
+
+  it("getProviderAuthUrl antigravity 映射到 antigravity-auth-url 端点", async () => {
+    const fetchMock = stubFetchOnce(
+      new Response(JSON.stringify({ url: "https://ag.example/oauth", state: "ag-state" }), {
+        status: 200,
+      })
+    );
+
+    await getProviderAuthUrl(TARGET, "antigravity");
+
+    expect(fetchMock.mock.calls[0][0]).toContain("antigravity-auth-url");
+  });
+
+  it("getProviderAuthUrl kimi 映射到 kimi-auth-url 端点", async () => {
+    const fetchMock = stubFetchOnce(
+      new Response(JSON.stringify({ url: "https://kimi.moonshot.cn/oauth", state: "kimi-state" }), {
+        status: 200,
+      })
+    );
+
+    await getProviderAuthUrl(TARGET, "kimi");
+
+    expect(fetchMock.mock.calls[0][0]).toContain("kimi-auth-url");
+  });
+
+  // ── deleteAuthFile ──────────────────────────────────────────────────────
+
+  it("deleteAuthFile 发送 DELETE 请求并携带正确请求体", async () => {
+    const fetchMock = stubFetchOnce(new Response("", { status: 200 }));
+
+    await deleteAuthFile(TARGET, "codex-a.json");
+
+    const init = fetchMock.mock.calls[0][1] as RequestInit;
+    expect(init.method).toBe("DELETE");
+    expect(JSON.parse(init.body as string)).toEqual({ name: "codex-a.json" });
+    expect(fetchMock.mock.calls[0][0]).toBe("http://cliproxyapi:8317/v0/management/auth-files");
+  });
+
+  it("deleteAuthFile 请求体保留原始文件名（含空格）", async () => {
+    const fetchMock = stubFetchOnce(new Response("", { status: 200 }));
+
+    await deleteAuthFile(TARGET, "codex a.json");
+
+    const init = fetchMock.mock.calls[0][1] as RequestInit;
+    expect(JSON.parse(init.body as string)).toEqual({ name: "codex a.json" });
+  });
+
+  it("deleteAuthFile 上游返回 401 时抛出鉴权错误", async () => {
+    stubFetchOnce(new Response("unauthorized", { status: 401 }));
+    await expect(deleteAuthFile(TARGET, "codex-a.json")).rejects.toMatchObject({
+      kind: "auth_failed",
+    });
+  });
+
+  // ── uploadAuthFile ──────────────────────────────────────────────────────
+
+  it("uploadAuthFile 发送 POST 请求并携带文件内容", async () => {
+    const fetchMock = stubFetchOnce(new Response("", { status: 200 }));
+    const content = { token: "abc123", provider: "codex" };
+
+    await uploadAuthFile(TARGET, content);
+
+    const init = fetchMock.mock.calls[0][1] as RequestInit;
+    expect(init.method).toBe("POST");
+    expect(JSON.parse(init.body as string)).toEqual(content);
+    expect(fetchMock.mock.calls[0][0]).toBe("http://cliproxyapi:8317/v0/management/auth-files");
+  });
+
+  it("uploadAuthFile 上游返回 4xx 时向上抛出服务异常", async () => {
+    stubFetchOnce(new Response("conflict", { status: 409 }));
+    await expect(uploadAuthFile(TARGET, { token: "x" })).rejects.toMatchObject({
+      kind: "service_error",
+    });
+  });
+
+  // ── downloadAuthFile ────────────────────────────────────────────────────
+
+  it("downloadAuthFile 发送 GET 请求并对文件名 URL 编码", async () => {
+    const fileContent = { token: "abc123", provider: "codex" };
+    const fetchMock = stubFetchOnce(new Response(JSON.stringify(fileContent), { status: 200 }));
+
+    const result = await downloadAuthFile(TARGET, "codex a.json");
+
+    expect(result).toEqual(fileContent);
+    expect(fetchMock.mock.calls[0][0]).toContain("name=codex%20a.json");
+    expect(fetchMock.mock.calls[0][0]).toContain("/auth-files/download");
+  });
+
+  it("downloadAuthFile 上游返回非 JSON 内容时抛出服务异常", async () => {
+    stubFetchOnce(new Response("not-json-at-all", { status: 200 }));
+    await expect(downloadAuthFile(TARGET, "codex-a.json")).rejects.toMatchObject({
+      kind: "service_error",
+    });
+  });
+
+  it("downloadAuthFile 上游返回 404 时抛出服务异常", async () => {
+    stubFetchOnce(new Response("not found", { status: 404 }));
+    await expect(downloadAuthFile(TARGET, "missing.json")).rejects.toMatchObject({
+      kind: "service_error",
+    });
+  });
+
+  // ── submitOAuthCallback ─────────────────────────────────────────────────
+
+  it("submitOAuthCallback 发送 POST 并携带正确请求体", async () => {
+    const fetchMock = stubFetchOnce(new Response("", { status: 200 }));
+
+    await submitOAuthCallback(TARGET, "codex", "https://callback.example/auth?code=xyz");
+
+    const init = fetchMock.mock.calls[0][1] as RequestInit;
+    expect(init.method).toBe("POST");
+    expect(JSON.parse(init.body as string)).toEqual({
+      provider: "codex",
+      redirect_url: "https://callback.example/auth?code=xyz",
+    });
+    expect(fetchMock.mock.calls[0][0]).toBe("http://cliproxyapi:8317/v0/management/oauth-callback");
+  });
+
+  it("submitOAuthCallback 支持新增服务商 xai", async () => {
+    const fetchMock = stubFetchOnce(new Response("", { status: 200 }));
+
+    await submitOAuthCallback(TARGET, "xai", "https://callback.example/xai?code=abc");
+
+    const init = fetchMock.mock.calls[0][1] as RequestInit;
+    expect(JSON.parse(init.body as string).provider).toBe("xai");
+  });
+
+  // ── getLogs ─────────────────────────────────────────────────────────────
+
+  it("getLogs 返回日志数组（上游直接返回数组）", async () => {
+    const entries = [
+      { timestamp: "2025-05-31T10:00:00Z", level: "info", message: "started" },
+      { timestamp: "2025-05-31T10:00:01Z", level: "warn", message: "slow" },
+    ];
+    const fetchMock = stubFetchOnce(new Response(JSON.stringify(entries), { status: 200 }));
+
+    const result = await getLogs(TARGET);
+
+    expect(result).toHaveLength(2);
+    expect(result[0].message).toBe("started");
+    expect(fetchMock.mock.calls[0][0]).toBe("http://cliproxyapi:8317/v0/management/logs");
+  });
+
+  it("getLogs 支持 since 参数并 URL 编码", async () => {
+    const fetchMock = stubFetchOnce(new Response(JSON.stringify([]), { status: 200 }));
+
+    await getLogs(TARGET, "2025-05-31T10:00:00Z");
+
+    expect(fetchMock.mock.calls[0][0]).toContain("since=2025-05-31T10%3A00%3A00Z");
+  });
+
+  it("getLogs 不传 since 时不附加查询参数", async () => {
+    const fetchMock = stubFetchOnce(new Response(JSON.stringify([]), { status: 200 }));
+
+    await getLogs(TARGET);
+
+    expect(fetchMock.mock.calls[0][0]).not.toContain("since");
+  });
+
+  it("getLogs 兼容上游返回 {logs:[]} 包装格式", async () => {
+    const entries = [{ timestamp: "2025-05-31T10:00:00Z", level: "info", message: "ok" }];
+    stubFetchOnce(new Response(JSON.stringify({ logs: entries }), { status: 200 }));
+
+    const result = await getLogs(TARGET);
+
+    expect(result).toHaveLength(1);
+    expect(result[0].level).toBe("info");
+  });
+
+  it("getLogs 上游返回空对象时返回空数组", async () => {
+    stubFetchOnce(new Response(JSON.stringify({}), { status: 200 }));
+    expect(await getLogs(TARGET)).toEqual([]);
+  });
 });
diff --git a/tests/unit/services/cliproxy-oauth-login-service.test.ts b/tests/unit/services/cliproxy-oauth-login-service.test.ts
index 96fcf72f..bda99027 100644
--- a/tests/unit/services/cliproxy-oauth-login-service.test.ts
+++ b/tests/unit/services/cliproxy-oauth-login-service.test.ts
@@ -1,16 +1,16 @@
 import { describe, it, expect, vi, beforeEach } from "vitest";
 
-const getCliproxyInstanceRowMock = vi.fn();
+const resolveTargetMock = vi.fn();
 const getProviderAuthUrlMock = vi.fn();
 const getAuthStatusMock = vi.fn();
+const submitOAuthCallbackMock = vi.fn();
 const syncCliproxyAuthAccountsMock = vi.fn();
 
 vi.mock("@/lib/services/cliproxy-instance-crud", async (importOriginal) => {
   const actual = await importOriginal<typeof import("@/lib/services/cliproxy-instance-crud")>();
   return {
     ...actual,
-    getCliproxyInstanceRow: (...args: unknown[]) => getCliproxyInstanceRowMock(...args),
-    getDecryptedManagementKey: () => "mgmt-key",
+    resolveCliproxyManagementTarget: (...args: unknown[]) => resolveTargetMock(...args),
   };
 });
 
@@ -20,6 +20,7 @@ vi.mock("@/lib/services/cliproxy-management-client", async (importOriginal) => {
     ...actual,
     getProviderAuthUrl: (...args: unknown[]) => getProviderAuthUrlMock(...args),
     getAuthStatus: (...args: unknown[]) => getAuthStatusMock(...args),
+    submitOAuthCallback: (...args: unknown[]) => submitOAuthCallbackMock(...args),
   };
 });
 
@@ -31,10 +32,9 @@ vi.mock("@/lib/utils/logger", () => ({
   createLogger: () => ({ info: vi.fn(), warn: vi.fn(), error: vi.fn(), debug: vi.fn() }),
 }));
 
-const instanceRow = {
-  id: "instance-1",
+const target = {
   managementUrl: "http://cliproxyapi:8317",
-  managementKeyEncrypted: "enc(mgmt-key)",
+  managementKey: "mgmt-key",
 };
 
 describe("cliproxy-oauth-login-service", () => {
@@ -46,7 +46,7 @@ describe("cliproxy-oauth-login-service", () => {
     const { initiateCliproxyOAuthLogin } =
       await import("@/lib/services/cliproxy-oauth-login-service");
 
-    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    resolveTargetMock.mockResolvedValueOnce(target);
     getProviderAuthUrlMock.mockResolvedValueOnce({
       url: "https://auth.example/x",
       state: "state-1",
@@ -76,7 +76,7 @@ describe("cliproxy-oauth-login-service", () => {
       await import("@/lib/services/cliproxy-oauth-login-service");
     const { CliproxyInstanceNotFoundError } = await import("@/lib/services/cliproxy-instance-crud");
 
-    getCliproxyInstanceRowMock.mockResolvedValueOnce(null);
+    resolveTargetMock.mockRejectedValueOnce(new CliproxyInstanceNotFoundError("missing"));
 
     await expect(initiateCliproxyOAuthLogin("missing", "codex")).rejects.toBeInstanceOf(
       CliproxyInstanceNotFoundError
@@ -86,7 +86,7 @@ describe("cliproxy-oauth-login-service", () => {
   it("pollCliproxyOAuthStatus 进行中时返回 wait 且不触发同步", async () => {
     const { pollCliproxyOAuthStatus } = await import("@/lib/services/cliproxy-oauth-login-service");
 
-    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    resolveTargetMock.mockResolvedValueOnce(target);
     getAuthStatusMock.mockResolvedValueOnce({ status: "wait" });
 
     const result = await pollCliproxyOAuthStatus("instance-1", "state-1");
@@ -98,7 +98,7 @@ describe("cliproxy-oauth-login-service", () => {
   it("pollCliproxyOAuthStatus 成功时触发账号同步并返回同步结果", async () => {
     const { pollCliproxyOAuthStatus } = await import("@/lib/services/cliproxy-oauth-login-service");
 
-    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    resolveTargetMock.mockResolvedValueOnce(target);
     getAuthStatusMock.mockResolvedValueOnce({ status: "ok" });
     syncCliproxyAuthAccountsMock.mockResolvedValueOnce({
       added: 1,
@@ -117,7 +117,7 @@ describe("cliproxy-oauth-login-service", () => {
   it("pollCliproxyOAuthStatus 失败时返回错误信息", async () => {
     const { pollCliproxyOAuthStatus } = await import("@/lib/services/cliproxy-oauth-login-service");
 
-    getCliproxyInstanceRowMock.mockResolvedValueOnce(instanceRow);
+    resolveTargetMock.mockResolvedValueOnce(target);
     getAuthStatusMock.mockResolvedValueOnce({ status: "error", error: "user denied" });
 
     const result = await pollCliproxyOAuthStatus("instance-1", "state-1");
@@ -126,4 +126,77 @@ describe("cliproxy-oauth-login-service", () => {
     expect(result.error).toBe("user denied");
     expect(syncCliproxyAuthAccountsMock).not.toHaveBeenCalled();
   });
+
+  // ── submitCliproxyOAuthCallback ─────────────────────────────────────────
+
+  it("submitCliproxyOAuthCallback 提交后触发账号同步", async () => {
+    const { submitCliproxyOAuthCallback } =
+      await import("@/lib/services/cliproxy-oauth-login-service");
+
+    resolveTargetMock.mockResolvedValueOnce(target);
+    submitOAuthCallbackMock.mockResolvedValueOnce(undefined);
+    syncCliproxyAuthAccountsMock.mockResolvedValueOnce({
+      added: 1,
+      updated: 0,
+      removed: 0,
+      total: 1,
+    });
+
+    const result = await submitCliproxyOAuthCallback(
+      "instance-1",
+      "codex",
+      "https://callback.example/auth?code=xyz"
+    );
+
+    expect(result.status).toBe("ok");
+    expect(result.syncResult).toMatchObject({ added: 1 });
+    expect(submitOAuthCallbackMock).toHaveBeenCalledWith(
+      { managementUrl: "http://cliproxyapi:8317", managementKey: "mgmt-key" },
+      "codex",
+      "https://callback.example/auth?code=xyz"
+    );
+  });
+
+  it("submitCliproxyOAuthCallback 服务商非法时抛错且不调用 CLIProxyAPI", async () => {
+    const { submitCliproxyOAuthCallback, InvalidCliproxyOAuthProviderError } =
+      await import("@/lib/services/cliproxy-oauth-login-service");
+
+    await expect(
+      submitCliproxyOAuthCallback("instance-1", "unknown", "https://callback.example/auth")
+    ).rejects.toBeInstanceOf(InvalidCliproxyOAuthProviderError);
+    expect(submitOAuthCallbackMock).not.toHaveBeenCalled();
+  });
+
+  it("submitCliproxyOAuthCallback 授权成功但账号同步失败时仍返回 ok 并附带 syncError", async () => {
+    const { submitCliproxyOAuthCallback } =
+      await import("@/lib/services/cliproxy-oauth-login-service");
+
+    resolveTargetMock.mockResolvedValueOnce(target);
+    submitOAuthCallbackMock.mockResolvedValueOnce(undefined);
+    syncCliproxyAuthAccountsMock.mockRejectedValueOnce(new Error("db unavailable"));
+
+    const result = await submitCliproxyOAuthCallback(
+      "instance-1",
+      "codex",
+      "https://callback.example/auth?code=xyz"
+    );
+
+    expect(result.status).toBe("ok");
+    expect(result.syncResult).toBeUndefined();
+    expect(result.syncError).toBe("db unavailable");
+  });
+
+  it("pollCliproxyOAuthStatus 授权成功但账号同步失败时仍返回 ok 并附带 syncError", async () => {
+    const { pollCliproxyOAuthStatus } = await import("@/lib/services/cliproxy-oauth-login-service");
+
+    resolveTargetMock.mockResolvedValueOnce(target);
+    getAuthStatusMock.mockResolvedValueOnce({ status: "ok" });
+    syncCliproxyAuthAccountsMock.mockRejectedValueOnce(new Error("db unavailable"));
+
+    const result = await pollCliproxyOAuthStatus("instance-1", "state-1");
+
+    expect(result.status).toBe("ok");
+    expect(result.syncResult).toBeUndefined();
+    expect(result.syncError).toBe("db unavailable");
+  });
 });
diff --git a/tests/unit/services/cliproxy-upstream-preset.test.ts b/tests/unit/services/cliproxy-upstream-preset.test.ts
index c1f99623..5537e2f9 100644
--- a/tests/unit/services/cliproxy-upstream-preset.test.ts
+++ b/tests/unit/services/cliproxy-upstream-preset.test.ts
@@ -209,6 +209,21 @@ describe("cliproxy-upstream-preset", () => {
       expect(createUpstreamMock).not.toHaveBeenCalled();
     });
 
+    it.each(["xai", "antigravity", "kimi"])(
+      "%s 仅支持 OAuth 登录但无池上游 preset 时被拒绝",
+      async (provider) => {
+        const { createCliproxyPoolUpstream } =
+          await import("@/lib/services/cliproxy-upstream-preset");
+        const { InvalidCliproxyOAuthProviderError } =
+          await import("@/lib/services/cliproxy-oauth-login-service");
+
+        await expect(createCliproxyPoolUpstream("instance-1", provider)).rejects.toBeInstanceOf(
+          InvalidCliproxyOAuthProviderError
+        );
+        expect(createUpstreamMock).not.toHaveBeenCalled();
+      }
+    );
+
     it("实例不存在时抛出 CliproxyInstanceNotFoundError", async () => {
       const { createCliproxyPoolUpstream } =
         await import("@/lib/services/cliproxy-upstream-preset");