@evident-ai/cli 3.0.0 → 3.0.1-dev.284117a

package/dist/index.js

@@ -32,10 +32,10 @@ function setTunnelUrl(url) {
   tunnelOverride = url ? url.replace(/\/+$/, "") : void 0;
 }
 function getApiUrl() {
-  return process.env.EVIDENT_API_URL ?? endpointOverride ?? defaults.apiUrl;
+  return endpointOverride ?? process.env.EVIDENT_API_URL ?? defaults.apiUrl;
 }
 function getTunnelUrl() {
-  return process.env.EVIDENT_TUNNEL_URL ?? tunnelOverride ?? defaults.tunnelUrl;
+  return tunnelOverride ?? process.env.EVIDENT_TUNNEL_URL ?? defaults.tunnelUrl;
 }
 var config = new Conf({
   projectName: "evident",
@@ -54,19 +54,28 @@ function getApiUrlConfig() {
 function getTunnelUrlConfig() {
   return getTunnelUrl();
 }
+function credentialsKey() {
+  return getApiUrl();
+}
 function getCredentials() {
-  return {
-    token: credentials.get("token"),
-    user: credentials.get("user"),
-    expiresAt: credentials.get("expiresAt")
-  };
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  return byEndpoint[credentialsKey()] ?? {};
 }
 function setCredentials(creds) {
-  if (creds.token) credentials.set("token", creds.token);
-  if (creds.user) credentials.set("user", creds.user);
-  if (creds.expiresAt) credentials.set("expiresAt", creds.expiresAt);
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  byEndpoint[credentialsKey()] = {
+    token: creds.token,
+    user: creds.user,
+    expiresAt: creds.expiresAt
+  };
+  credentials.set("byEndpoint", byEndpoint);
 }
 function clearCredentials() {
+  const byEndpoint = credentials.get("byEndpoint") ?? {};
+  delete byEndpoint[credentialsKey()];
+  credentials.set("byEndpoint", byEndpoint);
+}
+function clearAllCredentials() {
   credentials.clear();
 }
 function getCliName() {
@@ -176,7 +185,6 @@ var api = {
 
 // src/lib/keychain.ts
 var SERVICE_NAME = "evident-cli";
-var ACCOUNT_NAME = "default";
 async function getKeytar() {
   try {
     const keytar = await import("keytar");
@@ -188,10 +196,13 @@ async function getKeytar() {
     return null;
   }
 }
+function keychainAccount() {
+  return getApiUrlConfig();
+}
 async function storeToken(credentials2) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.setPassword(SERVICE_NAME, ACCOUNT_NAME, JSON.stringify(credentials2));
+    await keytar.setPassword(SERVICE_NAME, keychainAccount(), JSON.stringify(credentials2));
   } else {
     setCredentials({
       token: credentials2.token,
@@ -203,12 +214,13 @@ async function storeToken(credentials2) {
 async function getToken() {
   const keytar = await getKeytar();
   if (keytar) {
-    const stored = await keytar.getPassword(SERVICE_NAME, ACCOUNT_NAME);
+    const account = keychainAccount();
+    const stored = await keytar.getPassword(SERVICE_NAME, account);
     if (stored) {
       try {
         return JSON.parse(stored);
       } catch {
-        await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+        await keytar.deletePassword(SERVICE_NAME, account);
         return null;
       }
     }
@@ -223,12 +235,26 @@ async function getToken() {
   }
   return null;
 }
-async function deleteToken() {
+async function deleteToken(options = {}) {
   const keytar = await getKeytar();
   if (keytar) {
-    await keytar.deletePassword(SERVICE_NAME, ACCOUNT_NAME);
+    if (options.all) {
+      const all = await keytar.findCredentials(SERVICE_NAME).catch(() => []);
+      await Promise.all(
+        all.map(
+          (entry) => keytar.deletePassword(SERVICE_NAME, entry.account).catch(() => {
+          })
+        )
+      );
+    } else {
+      await keytar.deletePassword(SERVICE_NAME, keychainAccount());
+    }
+  }
+  if (options.all) {
+    clearAllCredentials();
+  } else {
+    clearCredentials();
   }
-  clearCredentials();
 }
 
 // src/utils/ui.ts
@@ -396,25 +422,32 @@ async function login(options) {
 }
 
 // src/commands/logout.ts
-async function logout() {
+async function logout(options = {}) {
+  if (options.all) {
+    await deleteToken({ all: true });
+    printSuccess("Logged out of all endpoints.");
+    return;
+  }
   const credentials2 = await getToken();
   if (!credentials2) {
-    printWarning("You are not logged in.");
+    printWarning(`You are not logged in to ${getApiUrlConfig()}.`);
     return;
   }
   await deleteToken();
-  printSuccess("Logged out successfully.");
+  printSuccess(`Logged out of ${getApiUrlConfig()}.`);
 }
 
 // src/commands/whoami.ts
 import chalk3 from "chalk";
 async function whoami() {
+  const apiUrl = getApiUrlConfig();
   const credentials2 = await getToken();
   if (!credentials2) {
-    printError("Not logged in. Run the `login` command to authenticate.");
+    printError(`Not logged in to ${apiUrl}. Run the \`login\` command to authenticate.`);
     process.exit(1);
   }
   blank();
+  console.log(keyValue("Endpoint", apiUrl));
   console.log(keyValue("User", chalk3.bold(credentials2.user.email)));
   console.log(keyValue("User ID", credentials2.user.id));
   if (credentials2.expiresAt) {
@@ -449,6 +482,7 @@ var TelemetryEventTypes = {
 
 // ../../packages/types/src/tunnel/index.ts
 var MAX_FRAME_BYTES = 256 * 1024;
+var TUNNEL_DRAIN_PING_PATH = "/__evident/drain";
 
 // src/lib/telemetry.ts
 var CLI_VERSION = process.env.npm_package_version || "unknown";
@@ -940,14 +974,59 @@ async function promptOpenCodeInstall(interactive) {
 }
 
 // src/lib/opencode/session.ts
-async function createOpenCodeSession(port) {
-  const response = await fetch(`http://localhost:${port}/session`, {
+function opencodeBase(port) {
+  return `http://127.0.0.1:${port}`;
+}
+async function getOpenCodeDirectory(port) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/path`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    const dir = typeof body.directory === "string" && body.directory || typeof body.worktree === "string" && body.worktree || typeof body.path?.cwd === "string" && body.path.cwd || typeof body.path?.directory === "string" && body.path.directory || null;
+    return dir && dir.trim() ? dir.trim() : null;
+  } catch {
+    return null;
+  }
+}
+function roleOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  if (typeof m.role === "string") return m.role;
+  const infoRole = m.info?.role;
+  return typeof infoRole === "string" ? infoRole : void 0;
+}
+function completedOf(m) {
+  if (!m || typeof m !== "object") return void 0;
+  return m.info?.time?.completed;
+}
+async function getSessionMessages(port, sessionId) {
+  try {
+    const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`);
+    if (!res.ok) return null;
+    const body = await res.json();
+    return Array.isArray(body) ? body : null;
+  } catch {
+    return null;
+  }
+}
+function isTurnComplete(messages) {
+  if (!messages || messages.length === 0) return false;
+  const last = messages[messages.length - 1];
+  if (roleOf(last) !== "assistant") return false;
+  return completedOf(last) != null;
+}
+async function createOpenCodeSession(port, directory) {
+  const url = new URL(`${opencodeBase(port)}/session`);
+  if (directory && directory.trim()) {
+    url.searchParams.set("directory", directory.trim());
+  }
+  const response = await fetch(url, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
     body: JSON.stringify({})
   });
   if (!response.ok) {
-    throw new Error(`Failed to create session: HTTP ${response.status}`);
+    const text = await response.text().catch(() => "");
+    throw new Error(`Failed to create session: HTTP ${response.status}${text ? `: ${text}` : ""}`);
   }
   const data = await response.json();
   return data.id;
@@ -977,7 +1056,7 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
       if (pollDone) break;
       if (hooks?.onQuestion) {
         try {
-          const res = await fetch(`http://localhost:${port}/question`);
+          const res = await fetch(`${opencodeBase(port)}/question`);
           if (res.ok) {
             const questions = await res.json();
             for (const q of questions) {
@@ -992,7 +1071,7 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
       }
       if (hooks?.onPermission) {
         try {
-          const res = await fetch(`http://localhost:${port}/permission`);
+          const res = await fetch(`${opencodeBase(port)}/permission`);
           if (res.ok) {
             const permissions = await res.json();
             for (const p of permissions) {
@@ -1011,7 +1090,7 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
     const controller = new AbortController();
     const timer = setTimeout(() => controller.abort(), maxWaitMs);
     try {
-      const res = await fetch(`http://localhost:${port}/session/${sessionId}/message`, {
+      const res = await fetch(`${opencodeBase(port)}/session/${sessionId}/message`, {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify(body),
@@ -1021,11 +1100,14 @@ async function sendMessageToOpenCode(port, sessionId, content, options, hooks, m
         const text = await res.text().catch(() => "");
         throw new Error(`OpenCode message failed: HTTP ${res.status}${text ? `: ${text}` : ""}`);
       }
-      const sessionRes = await fetch(`http://localhost:${port}/session/${sessionId}`).catch(
+      const sessionRes = await fetch(`${opencodeBase(port)}/session/${sessionId}`).catch(
         () => null
       );
       const session = sessionRes?.ok ? await sessionRes.json() : null;
-      return { title: session?.title };
+      const reportedInteraction = reportedQuestions.size > 0 || reportedPermissions.size > 0;
+      const turnComplete = isTurnComplete(await getSessionMessages(port, sessionId));
+      const awaitingInteraction = reportedInteraction && !turnComplete;
+      return { title: session?.title, awaitingInteraction };
     } catch (err) {
       if (err instanceof Error && err.name === "AbortError") {
         throw new Error("Message processing timed out");
@@ -1108,6 +1190,12 @@ var StreamForwarder = class {
   }
   async handleOpen(frame) {
     const { sid, method, path, headers, has_body } = frame;
+    if (path === TUNNEL_DRAIN_PING_PATH) {
+      this.callbacks.onDrainPing?.();
+      this.send({ type: "head", sid, status: 204, headers: {} });
+      this.send({ type: "res_end", sid });
+      return;
+    }
     const ac = new AbortController();
     let bodyPromise;
     let pushBody;
@@ -1224,7 +1312,8 @@ function connectTunnel(options) {
     onError,
     onRequest,
     onResponse,
-    onInfo
+    onInfo,
+    onDrainPing
   } = options;
   const tunnelUrl = getTunnelUrlConfig();
   const url = `${tunnelUrl}/tunnel/${agentId}/connect`;
@@ -1237,6 +1326,7 @@ function connectTunnel(options) {
     const streamStartTimes = /* @__PURE__ */ new Map();
     const forwarder = new StreamForwarder(ws, port, {
       onOpen: (sid, method, path) => {
+        if (path === TUNNEL_DRAIN_PING_PATH) return;
         streamStartTimes.set(sid, Date.now());
         onRequest?.(method, path, sid);
       },
@@ -1244,7 +1334,8 @@ function connectTunnel(options) {
         const startedAt = streamStartTimes.get(sid);
         streamStartTimes.delete(sid);
         onResponse?.(status, startedAt ? Date.now() - startedAt : 0, sid);
-      }
+      },
+      onDrainPing: () => onDrainPing?.()
     });
     const connectionTimeout = setTimeout(() => {
       ws.close();
@@ -1386,6 +1477,7 @@ var RunnerConnection = class {
           },
           onError: (error2) => events.onError?.(error2),
           onResponse: () => events.onResponse?.(),
+          onDrainPing: () => events.onDrainPing?.(),
           onInfo: (message) => events.onInfo?.(message)
         });
         return;
@@ -1411,6 +1503,8 @@ var DEFAULT_RETRY_POLICY = {
   baseDelayMs: 500,
   maxDelayMs: 3e4
 };
+var DEFAULT_PAUSED_POLL_INTERVAL_MS = 2e3;
+var DEFAULT_PAUSED_MAX_WAIT_MS = 10 * 60 * 1e3;
 var ChannelAuthError = class extends Error {
   constructor(message) {
     super(message);
@@ -1435,8 +1529,24 @@ var ChannelDriver = class {
   log;
   fetchImpl;
   sleep;
+  pausedPollIntervalMs;
+  pausedMaxWaitMs;
   /** Cache of conversationId → opencode sessionId. */
   sessions = /* @__PURE__ */ new Map();
+  /**
+   * Outstanding paused-session watchers, keyed by `message.id` (WI-2-CLI).
+   * Single-flight per message: while a watcher is live for a message we never
+   * start a second one. The message stays `processing` for the watcher's lifetime
+   * so the `?status=pending` drain cannot double-claim it.
+   */
+  watchers = /* @__PURE__ */ new Map();
+  /**
+   * Cache of the opencode root directory (from `GET /path`). Resolved lazily on
+   * first session creation so drain-created sessions are rooted at the project
+   * directory and thus visible in `opencode web`'s session list. `undefined` =
+   * not yet resolved; `null` = resolved-but-unavailable (don't keep retrying).
+   */
+  opencodeDirectory = void 0;
   /** Serialises drains so a reconnect during a drain doesn't double-process. */
   draining = false;
   constructor(config2) {
@@ -1450,6 +1560,8 @@ var ChannelDriver = class {
     });
     this.fetchImpl = config2.fetchImpl ?? fetch;
     this.sleep = config2.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
+    this.pausedPollIntervalMs = config2.pausedPollIntervalMs ?? DEFAULT_PAUSED_POLL_INTERVAL_MS;
+    this.pausedMaxWaitMs = config2.pausedMaxWaitMs ?? DEFAULT_PAUSED_MAX_WAIT_MS;
   }
   /** The IPv4-loopback base URL for the local `opencode serve`. */
   get opencodeBase() {
@@ -1471,6 +1583,13 @@ var ChannelDriver = class {
     let processed = 0;
     try {
       const conversations = await this.getPendingConversations();
+      if (conversations.length > 0) {
+        const total = conversations.reduce((sum, c) => sum + (c.pending_message_count ?? 0), 0);
+        this.log({
+          level: "info",
+          message: `Found ${total} pending message(s) across ${conversations.length} conversation(s) \u2014 draining`
+        });
+      }
       for (const conv of conversations) {
         processed += await this.processConversation(conv);
       }
@@ -1479,6 +1598,18 @@ var ChannelDriver = class {
     }
     return processed;
   }
+  /**
+   * Await all outstanding paused-session watchers (WI-2-CLI).
+   *
+   * In production the watchers are deliberately started-not-awaited so the drain
+   * loop never blocks on them and process exit is not held up (the cron recovers
+   * any abandoned ones). This helper exists primarily for deterministic tests
+   * that need to observe the watcher's effect (the `done` PATCH or its giving up)
+   * after a non-blocking `drainPending`. Watchers never reject, so this resolves.
+   */
+  async flushPausedWatchers() {
+    await Promise.all([...this.watchers.values()]);
+  }
   // -------------------------------------------------------------------------
   // Conversation processing
   // -------------------------------------------------------------------------
@@ -1498,7 +1629,13 @@ var ChannelDriver = class {
         continue;
       }
       try {
-        await sendMessageToOpenCode(
+        this.log({
+          level: "info",
+          message: `Sending queued message ${message.id.slice(0, 8)} to OpenCode (session ${sessionId.slice(0, 8)})`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        const result = await sendMessageToOpenCode(
           this.port,
           sessionId,
           message.content,
@@ -1511,6 +1648,16 @@ var ChannelDriver = class {
             onPermission: (permission) => this.reportInteraction(conv.id, "permission", permission)
           }
         );
+        if (result.awaitingInteraction) {
+          this.log({
+            level: "info",
+            message: `Message ${message.id.slice(0, 8)} paused awaiting interaction \u2014 watching session for completion`,
+            conversation_id: conv.id,
+            message_id: message.id
+          });
+          this.startPausedWatcher(conv, message, sessionId);
+          continue;
+        }
         await this.confirmCompletion(sessionId);
         await this.markDone(conv.id, message.id, sessionId);
         processed += 1;
@@ -1541,32 +1688,136 @@ var ChannelDriver = class {
       this.sessions.set(conv.id, conv.opencode_session_id);
       return conv.opencode_session_id;
     }
-    const sessionId = await createOpenCodeSession(this.port);
+    const directory = await this.resolveOpenCodeDirectory();
+    const sessionId = await createOpenCodeSession(this.port, directory);
     this.sessions.set(conv.id, sessionId);
     await this.persistSession(conv.id, sessionId).catch(() => {
     });
     return sessionId;
   }
   /**
-   * Local reconcile: re-query `GET /session/:id` and check `time.completed`.
-   * Best-effort — if opencode is unreachable or the field is absent we proceed
-   * to mark done anyway (the blocking call already returned).
+   * Lazily resolve (and cache) opencode's root directory via `GET /path`.
+   * Resolved once per driver: `undefined` until first lookup, then the directory
+   * string or `null` if unavailable (we don't keep retrying a missing `/path`).
+   */
+  async resolveOpenCodeDirectory() {
+    if (this.opencodeDirectory !== void 0) return this.opencodeDirectory;
+    this.opencodeDirectory = await getOpenCodeDirectory(this.port);
+    if (!this.opencodeDirectory) {
+      this.log({
+        level: "info",
+        message: "Could not determine opencode directory (GET /path) \u2014 new sessions may not appear in opencode web"
+      });
+    }
+    return this.opencodeDirectory;
+  }
+  /**
+   * Local reconcile: re-query `GET /session/:id/message` and check whether the
+   * last assistant message is message-level complete (`isTurnComplete`).
+   *
+   * This is a PURE OBSERVABILITY probe on the normal (non-paused) path: the
+   * blocking POST already returned, and `markDone` causes the server to re-fetch
+   * the messages itself (via `extractTextFromMessages`) when delivering the
+   * reply — so this round-trip never gates delivery. We keep it only to surface a
+   * truthful diagnostic when opencode hasn't yet recorded a completed assistant
+   * turn at reconcile time, then proceed to `markDone` regardless. Uses the
+   * injected `fetchImpl` and reuses only the pure `isTurnComplete` predicate.
    */
   async confirmCompletion(sessionId) {
     try {
-      const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}`);
+      const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
       if (!res.ok) return;
-      const session = await res.json();
-      if (session.time && session.time.completed == null) {
+      const body = await res.json();
+      const messages = Array.isArray(body) ? body : null;
+      if (!isTurnComplete(messages)) {
         this.log({
           level: "info",
-          message: `Session ${sessionId.slice(0, 8)} not marked completed on reconcile \u2014 delivering anyway`
+          message: `Session ${sessionId.slice(0, 8)} messages do not yet show a completed assistant turn on reconcile \u2014 delivering anyway`
         });
       }
     } catch {
     }
   }
   // -------------------------------------------------------------------------
+  // Paused-session watcher (WI-2-CLI)
+  // -------------------------------------------------------------------------
+  /**
+   * Start (but do NOT await) a watcher that resumes a paused turn to completion.
+   *
+   * Single-flight per message: if a watcher is already live for this message we
+   * skip. The returned watcher promise is tracked in `this.watchers` and removed
+   * when it settles; it never rejects (the body is fully guarded), so a failed
+   * poll/markDone can never crash the run loop — the cron stays as the safety net.
+   */
+  startPausedWatcher(conv, message, sessionId) {
+    if (this.watchers.has(message.id)) return;
+    const watcher = this.watchPausedSession(conv, message, sessionId).finally(() => {
+      this.watchers.delete(message.id);
+    });
+    this.watchers.set(message.id, watcher);
+  }
+  /**
+   * Poll `GET /session/:id/message` until the SAME paused turn is message-level
+   * complete — the last message is an ASSISTANT message whose
+   * `info.time.completed` is set (the user answered the question/permission in
+   * opencode web and opencode finished the turn) — then complete it via the
+   * EXISTING `markDone` PATCH — NO re-send of the original message. The server
+   * re-fetches the assistant messages on completion, so the watcher does not
+   * pass any reply text.
+   *
+   * Fetch seam: the poll uses the injected `this.fetchImpl` (preserving the
+   * tests' injection) and reuses only the pure `isTurnComplete` predicate from
+   * `session.ts` — we do NOT call `getSessionMessages` (which uses the global
+   * `fetch`) here.
+   *
+   * Bounded by `pausedMaxWaitMs` (default 10 min, strictly < the 15-min cron
+   * reset): on timeout we STOP and leave the message `processing` so the cron
+   * remains the last-resort safety net. The whole body is wrapped so any
+   * poll/markDone failure is logged and swallowed — a watcher MUST NEVER throw
+   * out of the run loop.
+   */
+  async watchPausedSession(conv, message, sessionId) {
+    const deadline = Date.now() + this.pausedMaxWaitMs;
+    try {
+      while (Date.now() < deadline) {
+        await this.sleep(this.pausedPollIntervalMs);
+        let completed = false;
+        try {
+          const res = await this.fetchImpl(`${this.opencodeBase}/session/${sessionId}/message`);
+          if (res.ok) {
+            const body = await res.json();
+            const messages = Array.isArray(body) ? body : null;
+            completed = isTurnComplete(messages);
+          }
+        } catch {
+          continue;
+        }
+        if (!completed) continue;
+        this.log({
+          level: "info",
+          message: `Paused session ${sessionId.slice(0, 8)} completed \u2014 marking message ${message.id.slice(0, 8)} done`,
+          conversation_id: conv.id,
+          message_id: message.id
+        });
+        await this.markDone(conv.id, message.id, sessionId);
+        return;
+      }
+      this.log({
+        level: "info",
+        message: `Paused session ${sessionId.slice(0, 8)} did not complete within the watch window \u2014 leaving message ${message.id.slice(0, 8)} for the cron safety net`,
+        conversation_id: conv.id,
+        message_id: message.id
+      });
+    } catch (err) {
+      this.log({
+        level: "error",
+        message: `Paused-session watcher failed for message ${message.id.slice(0, 8)}: ${err instanceof Error ? err.message : String(err)}`,
+        conversation_id: conv.id,
+        message_id: message.id
+      });
+    }
+  }
+  // -------------------------------------------------------------------------
   // Evident API calls (combinedAuth thread routes)
   // -------------------------------------------------------------------------
   async getPendingConversations() {
@@ -1848,23 +2099,45 @@ Port ${port} is already in use.`));
       spinner.fail("Failed to start OpenCode");
       throw new Error("OpenCode failed to start");
     }
-    spinner.succeed(
-      `OpenCode running on port ${port}${health.version ? ` (v${health.version})` : ""}`
-    );
+    spinner.stop();
     return { port, process: proc, version: health.version ?? null };
   }
   return { port, process: null, version: null };
 }
 
 // src/commands/agent-lookup.ts
+async function readErrorMessage(response) {
+  const text = await response.text().catch(() => "");
+  if (!text) return response.statusText || void 0;
+  try {
+    const data = JSON.parse(text);
+    const message = data.message ?? data.error;
+    if (typeof message === "string" && message.trim()) {
+      return message;
+    }
+  } catch {
+  }
+  return text.trim() || response.statusText || void 0;
+}
+function authFailureHint(apiUrl, serverMessage) {
+  const reason = serverMessage ? `: ${serverMessage}` : "";
+  return `Authentication failed${reason}. Your credentials were rejected by ${apiUrl}. This usually means you logged in against a different environment, or your session expired \u2014 log in again pointing at this endpoint and retry.`;
+}
 async function resolveAgentIdFromKey(authHeader) {
   const apiUrl = getApiUrlConfig();
   try {
     const response = await fetch(`${apiUrl}/me`, {
       headers: { Authorization: authHeader }
     });
+    if (response.status === 401) {
+      const serverMessage = await readErrorMessage(response);
+      return { error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
     if (!response.ok) {
-      return { error: `Failed to resolve agent from key: HTTP ${response.status}` };
+      const serverMessage = await readErrorMessage(response);
+      return {
+        error: `Failed to resolve agent from key (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
     }
     const data = await response.json();
     if (data.auth_type === "agent_key" && data.agent_id) {
@@ -1884,14 +2157,27 @@ async function getAgentInfo(agentId, authHeader) {
     const response = await fetch(`${apiUrl}/agents/${agentId}`, {
       headers: { Authorization: authHeader }
     });
-    if (response.status === 404) {
-      return { valid: false, error: "Agent not found" };
-    }
     if (response.status === 401) {
-      return { valid: false, error: "Authentication failed", authFailed: true };
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: authFailureHint(apiUrl, serverMessage), authFailed: true };
+    }
+    if (response.status === 403) {
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: serverMessage ?? "You do not have access to this agent (it may belong to a different team or organization)."
+      };
+    }
+    if (response.status === 404) {
+      const serverMessage = await readErrorMessage(response);
+      return { valid: false, error: serverMessage ?? `Agent ${agentId} not found` };
     }
     if (!response.ok) {
-      return { valid: false, error: `API error: ${response.status}` };
+      const serverMessage = await readErrorMessage(response);
+      return {
+        valid: false,
+        error: `API error (HTTP ${response.status})${serverMessage ? `: ${serverMessage}` : ""}`
+      };
     }
     const agent = await response.json();
     if (agent.agent_type !== "local") {
@@ -2258,7 +2544,22 @@ async function run(options) {
           emitAgentConnected(state.agentId, { port: state.port });
           if (!isReconnect) tunnelSpinner?.succeed("Tunnel connected");
           if (state.interactive) displayStatus(state);
-          channelDriver.drainPending().catch(() => {
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
+              logActivity(state, {
+                type: "info",
+                message: `Drained ${processed} queued message(s) on connect`
+              });
+              if (state.interactive) displayStatus(state);
+            }
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
+            logActivity(state, {
+              type: "error",
+              error: `Failed to drain queued messages on connect: ${message}`
+            });
+            if (state.interactive) displayStatus(state);
           });
         },
         onDisconnected: (code, reason) => {
@@ -2278,6 +2579,32 @@ async function run(options) {
         onResponse: () => {
           state.opencodeConnected = true;
         },
+        // A channel message was queued and the api-worker pinged us over the
+        // tunnel to drain immediately instead of waiting for the next poll tick.
+        // Best-effort + non-fatal: mirror the on-connect drain block. A failed
+        // drain here is logged and swallowed — the steady-state poll retries, so
+        // a lost/failed ping can never orphan a message (§2 invariant).
+        onDrainPing: () => {
+          if (!state.running) return;
+          logActivity(state, { type: "info", message: "Drain ping received \u2014 draining" });
+          channelDriver.drainPending().then((processed) => {
+            if (processed > 0) {
+              state.messageCount += processed;
+              logActivity(state, {
+                type: "info",
+                message: `Drained ${processed} queued message(s) on ping`
+              });
+              if (state.interactive) displayStatus(state);
+            }
+          }).catch((error2) => {
+            const message = error2 instanceof Error ? error2.message : String(error2);
+            logActivity(state, {
+              type: "error",
+              error: `Failed to drain queued messages on ping: ${message}`
+            });
+            if (state.interactive) displayStatus(state);
+          });
+        },
         onInfo: (message) => logActivity(state, { type: "info", message })
       }
     });
@@ -2288,9 +2615,7 @@ async function run(options) {
       if (error2.message === "Unauthorized") tunnelSpinner?.fail("Unauthorized");
       throw error2;
     }
-    if (interactive && !state.json) {
-      displayStatus(state);
-    } else {
+    if (!interactive || state.json) {
       log(state, "Driving channel messages...");
     }
     await driveChannels(state, channelDriver);
@@ -2339,7 +2664,7 @@ program.name("evident").description("Run OpenCode locally and connect it to Evid
   }
 });
 program.command("login").description("Authenticate with Evident").option("--token", "Use token-based authentication (for CI/CD)").option("--no-browser", "Do not open the browser automatically").action(login);
-program.command("logout").description("Remove stored credentials").action(logout);
+program.command("logout").description("Remove stored credentials for the current endpoint").option("--all", "Remove stored credentials for all endpoints").action((options) => logout({ all: options.all }));
 program.command("whoami").description("Show the currently logged in user").action(whoami);
 program.command("run").description("Connect to Evident and process messages").option("-a, --agent [id]", "Agent ID to connect to (optional when EVIDENT_AGENT_KEY is set)").option("-p, --port <port>", "OpenCode port (default: 4096)", "4096").option("-v, --verbose", "Show detailed request/response information").option("-c, --conversation <id>", "Process only this specific conversation").option("--idle-timeout <seconds>", "Exit after N seconds idle").option("--json", "Output in JSON format").action(
   (options) => {