eightstatecli 0.4.0__tar.gz → 0.4.2__tar.gz

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: eightstatecli
-Version: 0.4.0
+Version: 0.4.2
 Summary: Eightstate CLI — unified AI services from the command line
 Project-URL: Homepage, https://github.com/eight-state/eightstate
 Project-URL: Repository, https://github.com/eight-state/eightstate

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "eightstatecli"
-version = "0.4.0"
+version = "0.4.2"
 description = "Eightstate CLI — unified AI services from the command line"
 readme = "README.md"
 requires-python = ">=3.10"

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/src/escli/__init__.py

@@ -17,7 +17,7 @@ AGENT INSTRUCTIONS:
   - Exit codes: 0=success, 1=error, 2=usage
 """
 
-__version__ = "0.4.0"
+__version__ = "0.4.1"
 
 import argparse
 import base64
@@ -111,6 +111,7 @@ def get_profile(name: str = None) -> dict:
     return {
         "name": name,
         "api_key": profile.get("api_key") or os.environ.get("ESCLI_API_KEY", ""),
+        "cli_token": profile.get("cli_token", ""),
         "endpoint": profile.get("endpoint") or os.environ.get("ESCLI_BASE_URL", ENDPOINT),
         "label": profile.get("label", name),
     }
@@ -142,12 +143,24 @@ def delete_profile(name):
 def list_profiles():
     cfg = _load_config()
     active = cfg.get("active_profile", "default")
-    return [{
-        "name": n, "label": d.get("label", n),
-        "key": f"{d.get('api_key','')[:8]}...{d.get('api_key','')[-4:]}" if len(d.get("api_key","")) > 12 else "***",
-        "endpoint": d.get("endpoint", ENDPOINT),
-        "active": n == active, "created": d.get("created", ""),
-    } for n, d in cfg.get("profiles", {}).items()]
+    result = []
+    for n, d in cfg.get("profiles", {}).items():
+        api_key = d.get("api_key", "")
+        cli_token = d.get("cli_token", "")
+        if api_key and len(api_key) > 12:
+            key_display = f"{api_key[:8]}...{api_key[-4:]}"
+        elif cli_token:
+            key_display = "gate"
+        else:
+            key_display = "***"
+        result.append({
+            "name": n, "label": d.get("label", n),
+            "key": key_display,
+            "auth_type": "gate" if cli_token else "api_key",
+            "endpoint": d.get("endpoint", ENDPOINT),
+            "active": n == active, "created": d.get("created", ""),
+        })
+    return result
 
 
 def resolve_api_key(args):
@@ -212,8 +225,15 @@ def open_file(path):
     elif sys.platform == "win32":
         os.startfile(str(path))
 
-def ensure_authed(args):
+def ensure_authed(args, service: str = "image"):
     api_key, base_url = resolve_api_key(args), resolve_endpoint(args)
+    if not api_key:
+        # Try credential vending via gate (device-flow auth stores cli_token, not api_key)
+        from .services.credentials import vend_key
+        result = vend_key(service)
+        if result:
+            api_key = result["api_key"]
+            base_url = result.get("base_url", ENDPOINT)
     if not api_key:
         log(f"\n  {CROSS} not authenticated\n  {ARROW} run: escli auth login\n", getattr(args, 'quiet', False))
         sys.exit(1)
@@ -370,16 +390,25 @@ def cmd_auth_logout(args):
 def cmd_auth_status(args):
     profile = get_profile()
     has_key = bool(profile["api_key"])
+    has_token = bool(profile["cli_token"])
+    authenticated = has_key or has_token
     if args.json:
-        r = {"authenticated": has_key, "profile": profile["name"], "endpoint": profile["endpoint"],
+        r = {"authenticated": authenticated, "profile": profile["name"],
+             "auth_type": "gate" if has_token else "api_key",
+             "endpoint": profile["endpoint"],
              "config_path": str(CONFIG_FILE)}
         if has_key: r["key"] = mask_key(profile["api_key"])
         print(jsonlib.dumps(r))
     else:
-        if has_key:
-            print(box(f"{CHECK} authenticated", [f"profile   {profile['name']}",
-                                                  f"key       {mask_key(profile['api_key'])}",
-                                                  f"endpoint  {profile['endpoint']}"]))
+        if authenticated:
+            lines = [f"profile   {profile['name']}"]
+            if has_token:
+                lines.append(f"auth      gate (credential vending)")
+                lines.append(f"gate      {profile['endpoint']}")
+            else:
+                lines.append(f"key       {mask_key(profile['api_key'])}")
+                lines.append(f"endpoint  {profile['endpoint']}")
+            print(box(f"{CHECK} authenticated", lines))
         else: print(f"\n  {CROSS} not authenticated\n  {ARROW} run: escli auth login\n")
     return 0
 
@@ -412,9 +441,9 @@ def cmd_auth_switch(args):
 
 
 def cmd_image_generate(args):
-    api_key, base_url = ensure_authed(args)
+    from .services.credentials import call_with_retry, ServiceCallError, VendedKey
+
     OpenAI = require_openai()
-    client = OpenAI(base_url=base_url, api_key=api_key, timeout=args.timeout)
     prompt = " ".join(args.prompt)
     if not prompt: print(f"  {CROSS} prompt required", file=sys.stderr); sys.exit(1)
 
@@ -438,15 +467,38 @@ def cmd_image_generate(args):
     if args.compression is not None: extra_body["output_compression"] = args.compression
     if args.moderation: extra_body["moderation"] = args.moderation
 
-    t0 = time.time()
-    try:
+    def do_generate(key):
+        base_url = key.base_url or ENDPOINT
+        client = OpenAI(base_url=base_url, api_key=key.api_key, timeout=args.timeout)
         kwargs = dict(model=args.model, prompt=prompt, size=size, quality=args.quality, response_format="b64_json")
         if extra_body: kwargs["extra_body"] = extra_body
-        resp = client.images.generate(**kwargs)
-    except Exception as e:
-        if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
-        else: log(f"  {CROSS} {e}", args.quiet)
-        sys.exit(1)
+        return client.images.generate(**kwargs)
+
+    t0 = time.time()
+
+    # Try explicit key first, then gate-vended keys with retry
+    explicit_key = resolve_api_key(args)
+    if explicit_key:
+        try:
+            resp = do_generate(VendedKey(explicit_key, "explicit", resolve_endpoint(args)))
+        except Exception as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: log(f"  {CROSS} {e}", args.quiet)
+            sys.exit(1)
+    else:
+        try:
+            resp = call_with_retry("image", do_generate)
+        except ServiceCallError as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: log(f"  {CROSS} all keys exhausted: {e}", args.quiet)
+            sys.exit(1)
+        except Exception as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: log(f"  {CROSS} {e}", args.quiet)
+            sys.exit(1)
+        if resp is None:
+            log(f"\n  {CROSS} not authenticated\n  {ARROW} run: escli auth login\n", args.quiet)
+            sys.exit(1)
 
     elapsed = round(time.time() - t0, 1)
     raw = base64.b64decode(resp.data[0].b64_json)
@@ -474,7 +526,8 @@ def cmd_image_generate(args):
 
 
 def cmd_image_edit(args):
-    api_key, base_url = ensure_authed(args)
+    from .services.credentials import call_with_retry, ServiceCallError, VendedKey
+
     httpx = require_httpx()
     prompt = " ".join(args.prompt)
     if not prompt: print(f"  {CROSS} prompt required", file=sys.stderr); sys.exit(1)
@@ -506,16 +559,38 @@ def cmd_image_edit(args):
     if args.compression is not None: body["output_compression"] = args.compression
     if args.fidelity: body["input_fidelity"] = args.fidelity
 
-    t0 = time.time()
-    try:
+    def do_edit(key):
+        base_url = key.base_url or ENDPOINT
         r = httpx.post(f"{base_url}/images/edits",
-                       headers={"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"},
+                       headers={"Authorization": f"Bearer {key.api_key}", "Content-Type": "application/json"},
                        json=body, timeout=args.timeout)
-        r.raise_for_status(); data = r.json()
-    except Exception as e:
-        if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
-        else: log(f"  {CROSS} {e}", args.quiet)
-        sys.exit(1)
+        r.raise_for_status()
+        return r.json()
+
+    t0 = time.time()
+
+    explicit_key = resolve_api_key(args)
+    if explicit_key:
+        try:
+            data = do_edit(VendedKey(explicit_key, "explicit", resolve_endpoint(args)))
+        except Exception as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: log(f"  {CROSS} {e}", args.quiet)
+            sys.exit(1)
+    else:
+        try:
+            data = call_with_retry("image", do_edit)
+        except ServiceCallError as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: log(f"  {CROSS} all keys exhausted: {e}", args.quiet)
+            sys.exit(1)
+        except Exception as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: log(f"  {CROSS} {e}", args.quiet)
+            sys.exit(1)
+        if data is None:
+            log(f"\n  {CROSS} not authenticated\n  {ARROW} run: escli auth login\n", args.quiet)
+            sys.exit(1)
 
     elapsed = round(time.time() - t0, 1)
     raw = base64.b64decode(data["data"][0]["b64_json"])
@@ -536,14 +611,37 @@ def cmd_image_edit(args):
 
 
 def cmd_models(args):
-    api_key, base_url = ensure_authed(args)
+    from .services.credentials import call_with_retry, ServiceCallError, VendedKey
+
     OpenAI = require_openai()
-    try:
-        models = OpenAI(base_url=base_url, api_key=api_key, timeout=30).models.list()
-    except Exception as e:
-        if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
-        else: print(f"  {CROSS} {e}", file=sys.stderr)
-        sys.exit(1)
+
+    def do_list(key):
+        base_url = key.base_url or ENDPOINT
+        return OpenAI(base_url=base_url, api_key=key.api_key, timeout=30).models.list()
+
+    explicit_key = resolve_api_key(args)
+    if explicit_key:
+        try:
+            models = do_list(VendedKey(explicit_key, "explicit", resolve_endpoint(args)))
+        except Exception as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: print(f"  {CROSS} {e}", file=sys.stderr)
+            sys.exit(1)
+    else:
+        try:
+            models = call_with_retry("image", do_list)
+        except ServiceCallError as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: print(f"  {CROSS} all keys exhausted: {e}", file=sys.stderr)
+            sys.exit(1)
+        except Exception as e:
+            if args.json: print(jsonlib.dumps({"error": str(e), "success": False}))
+            else: print(f"  {CROSS} {e}", file=sys.stderr)
+            sys.exit(1)
+        if models is None:
+            print(f"\n  {CROSS} not authenticated\n  {ARROW} run: escli auth login\n", file=sys.stderr)
+            sys.exit(1)
+
     model_list = sorted([m.id for m in models.data])
     if args.json:
         print(jsonlib.dumps({"success": True, "models": model_list, "count": len(model_list)}))
@@ -807,6 +905,13 @@ agent example:
 # Main
 # ─────────────────────────────────────────────────────────────────────
 def main():
+    # Windows consoles default to cp1252 which can't encode our box-drawing/symbol chars
+    import io as _io
+    for _stream in ("stdout", "stderr"):
+        _s = getattr(sys, _stream)
+        if hasattr(_s, "buffer") and _s.encoding and _s.encoding.lower().replace("-", "") != "utf8":
+            setattr(sys, _stream, _io.TextIOWrapper(_s.buffer, encoding="utf-8", errors="replace"))
+
     parser = build_parser()
     args = parser.parse_args()
     for attr in ("json", "quiet"):

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/src/escli/commands/audio.py

@@ -42,7 +42,7 @@ import pathlib
 import sys
 import time
 
-from ..services.credentials import get_key_for_service, report_key
+from ..services.credentials import get_key_for_service, report_key, call_with_retry, ServiceCallError, VendedKey
 
 AAI_BASE = "https://api.assemblyai.com"
 POLL_INTERVAL = 3.0
@@ -243,15 +243,35 @@ def _format_output(data: dict, fmt: str, args) -> str:
 
 def cmd_transcribe(args):
     """Upload (if local file), create transcript, poll, return result."""
-    api_key = _get_api_key()
     source = args.source
     t0 = time.time()
 
-    # Determine audio URL
+    # Determine audio URL — if local file, upload first with retry
     if source.startswith("http://") or source.startswith("https://"):
         audio_url = source
+        # Still need a key for the submit call
+        api_key = _get_api_key()
     else:
-        audio_url = _upload_file(source, api_key, args.quiet)
+        # Upload with key rotation
+        def do_upload(key):
+            url = _upload_file(source, key.api_key, args.quiet)
+            return {"url": url, "api_key": key.api_key}
+
+        try:
+            result = call_with_retry("assemblyai", do_upload, env_var="ASSEMBLYAI_API_KEY")
+        except ServiceCallError as e:
+            if args.json:
+                print(json.dumps({"success": False, "error": str(e)}))
+            else:
+                print(f"  ✗ all keys exhausted: {e}", file=sys.stderr)
+            return 1
+
+        if result is None:
+            print("  ✗ no AssemblyAI API key. Set ASSEMBLYAI_API_KEY or add one via the dashboard.", file=sys.stderr)
+            return 1
+
+        audio_url = result["url"]
+        api_key = result["api_key"]
 
     # Build and submit
     body = _build_transcript_body(args, audio_url)

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/src/escli/commands/docs.py

@@ -22,7 +22,7 @@ import pathlib
 import sys
 import time
 
-from ..services.credentials import get_key_for_service, report_key
+from ..services.credentials import get_key_for_service, report_key, call_with_retry, ServiceCallError
 
 CTX7_API = "https://context7.com/api"
 CACHE_DIR = pathlib.Path(os.environ.get("ESCLI_CACHE_DIR", pathlib.Path.home() / ".escli" / "cache"))
@@ -94,12 +94,10 @@ def _request(url: str, api_key: str | None = None) -> dict:
             tier=tier,
         )
 
-    if resp.status_code == 429:
-        print("  ✗ rate limited. try again later.", file=sys.stderr)
-        sys.exit(1)
+    # Let retryable errors propagate for call_with_retry to handle
+    resp.raise_for_status()
     if resp.status_code == 404:
         return {"_status": 404}
-    resp.raise_for_status()
     return resp.json()
 
 
@@ -120,9 +118,20 @@ def cmd_search(args):
             _print_search(cached, args, from_cache=True)
             return 0
 
-    api_key = _get_api_key()
     url = f"{CTX7_API}/v2/libs/search?libraryName={urllib.parse.quote(name)}&query={urllib.parse.quote(query)}"
-    data = _request(url, api_key)
+
+    try:
+        data = call_with_retry(
+            "context7",
+            lambda key: _request(url, key.api_key),
+            env_var="CONTEXT7_API_KEY",
+        )
+        if data is None:
+            # No key — try unauthenticated
+            data = _request(url)
+    except ServiceCallError:
+        # All keys exhausted — try unauthenticated
+        data = _request(url)
 
     if data.get("_status") == 404:
         if args.json:
@@ -183,9 +192,18 @@ def cmd_get(args):
             library_id = cached.get("id")
 
     if not library_id:
-        api_key = _get_api_key()
         url = f"{CTX7_API}/v2/libs/search?libraryName={urllib.parse.quote(name)}&query={urllib.parse.quote(query)}"
-        data = _request(url, api_key)
+
+        try:
+            data = call_with_retry(
+                "context7",
+                lambda key: _request(url, key.api_key),
+                env_var="CONTEXT7_API_KEY",
+            )
+            if data is None:
+                data = _request(url)
+        except ServiceCallError:
+            data = _request(url)
 
         if data.get("_status") == 404:
             if args.json:
@@ -234,7 +252,6 @@ def _fetch_docs(library_id: str, query: str, args) -> int:
             _print_docs(cached, args, library_id, query, from_cache=True)
             return 0
 
-    api_key = _get_api_key()
     url = f"{CTX7_API}/v2/context?libraryId={urllib.parse.quote(library_id)}&query={urllib.parse.quote(query)}&type=txt"
 
     if tokens:
@@ -244,7 +261,16 @@ def _fetch_docs(library_id: str, query: str, args) -> int:
     if topic:
         url += f"&topic={urllib.parse.quote(topic)}"
 
-    resp = _request_raw(url, api_key)
+    try:
+        resp = call_with_retry(
+            "context7",
+            lambda key: _request_raw(url, key.api_key),
+            env_var="CONTEXT7_API_KEY",
+        )
+        if resp is None:
+            resp = _request_raw(url)
+    except ServiceCallError:
+        resp = _request_raw(url)
 
     if resp.status_code == 404:
         if args.json:
@@ -279,9 +305,9 @@ def _request_raw(url: str, api_key: str | None = None):
             reset=reset, tier=tier,
         )
 
-    if resp.status_code == 429:
-        print("  ✗ rate limited. try again later.", file=sys.stderr)
-        sys.exit(1)
+    # Let retryable errors propagate for call_with_retry to handle
+    if resp.status_code not in (200, 404):
+        resp.raise_for_status()
 
     return resp
 

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/src/escli/commands/research.py

@@ -27,13 +27,27 @@ import urllib.request
 import urllib.error
 from datetime import datetime, timezone
 
-from ..services.credentials import get_key_for_service
+from ..services.credentials import (
+    get_key_for_service,
+    call_with_retry,
+    vend_key,
+    ServiceCallError,
+    CONFIG_DIR,
+)
 
 API_BASE = "https://api.parallel.ai"
 SSE_BETA = "events-sse-2025-07-24"
 MAX_POLL_WAIT = 7200  # 2 hours (ultra8x can take up to 2h)
 POLL_INTERVAL = 10
 
+# Local cache mapping run_id → fingerprint of the issuing key.
+# Used so --status / --result vend the same key that created the run.
+_RUN_OWNERS_FILE = CONFIG_DIR / "parallel-run-owners.json"
+
+# Max times we'll re-vend trying to land on the issuing fingerprint
+# before giving up and using whatever we got.
+_STICKY_VEND_ATTEMPTS = 6
+
 PROCESSORS = [
     "lite", "base", "core", "core2x", "pro", "ultra",
     "ultra2x", "ultra4x", "ultra8x",
@@ -42,6 +56,70 @@ PROCESSORS = [
 ]
 
 
+# ── Run-owner cache ──────────────────────────────────────────────
+
+def _load_run_owners() -> dict:
+    if _RUN_OWNERS_FILE.exists():
+        try:
+            return json.loads(_RUN_OWNERS_FILE.read_text())
+        except (json.JSONDecodeError, OSError):
+            return {}
+    return {}
+
+
+def _remember_run_owner(run_id: str, fingerprint: str) -> None:
+    """Persist {run_id -> fingerprint} so later --status/--result can reuse the key."""
+    if not run_id or not fingerprint or fingerprint == "env":
+        return
+    try:
+        CONFIG_DIR.mkdir(parents=True, exist_ok=True)
+        owners = _load_run_owners()
+        owners[run_id] = fingerprint
+        # Cap entries (keep last 500) to bound file size
+        if len(owners) > 500:
+            owners = dict(list(owners.items())[-500:])
+        _RUN_OWNERS_FILE.write_text(json.dumps(owners))
+    except OSError:
+        pass
+
+
+def _recall_run_owner(run_id: str) -> str | None:
+    return _load_run_owners().get(run_id)
+
+
+def _get_key_for_run(run_id: str) -> str | None:
+    """
+    Vend a key suitable for operating on run_id.
+
+    If PARALLEL_API_KEY is set, use it (single-key mode).
+    Otherwise vend from gate. If we remember the issuing fingerprint for this
+    run, retry vending until it matches (gate is headroom-rotated, so we may
+    have to vend a few times). If we can't land on the right key, fall back
+    to whatever vended and warn — caller will see a 404 if it's the wrong org.
+    """
+    env_key = os.environ.get("PARALLEL_API_KEY")
+    if env_key:
+        return env_key
+
+    target = _recall_run_owner(run_id)
+    last_key = None
+    for _ in range(_STICKY_VEND_ATTEMPTS):
+        result = vend_key("parallel")
+        if not result:
+            return None
+        last_key = result["api_key"]
+        if target is None or result["fingerprint"] == target:
+            return last_key
+
+    if target is not None:
+        print(
+            f"  [warn] could not vend issuing key for {run_id} "
+            f"(wanted fingerprint {target[:8]}…); response may 404",
+            file=sys.stderr,
+        )
+    return last_key
+
+
 def _get_api_key() -> str:
     key = get_key_for_service("parallel", "PARALLEL_API_KEY")
     if not key:
@@ -51,7 +129,8 @@ def _get_api_key() -> str:
 
 
 def _api_request(method: str, path: str, api_key: str,
-                 body: dict | None = None, extra_headers: dict | None = None) -> dict:
+                 body: dict | None = None, extra_headers: dict | None = None,
+                 raise_on_error: bool = False) -> dict:
     url = f"{API_BASE}{path}"
     hdrs = {"x-api-key": api_key, "Content-Type": "application/json"}
     if extra_headers:
@@ -70,6 +149,8 @@ def _api_request(method: str, path: str, api_key: str,
             err_body = {"error": {"message": str(e)}}
 
         msg = err_body.get("error", {}).get("message", str(e))
+        if raise_on_error:
+            raise
         if e.code == 401:
             print(f"  ✗ auth failed (401): {msg}", file=sys.stderr); sys.exit(1)
         elif e.code == 429:
@@ -77,12 +158,31 @@ def _api_request(method: str, path: str, api_key: str,
         else:
             print(f"  ✗ API error ({e.code}): {msg}", file=sys.stderr); sys.exit(2)
     except urllib.error.URLError as e:
+        if raise_on_error:
+            raise
         print(f"  ✗ network error: {e.reason}", file=sys.stderr); sys.exit(2)
 
 
 # ── SSE streaming ────────────────────────────────────────────────
 
+def _sse_error_message(payload: dict) -> str:
+    """Pull a readable message out of a Parallel error payload."""
+    err = payload.get("error") if isinstance(payload, dict) else None
+    if isinstance(err, dict):
+        return err.get("message") or err.get("detail") or json.dumps(err)
+    return payload.get("message") or json.dumps(payload)
+
+
 def _stream_sse(api_key: str, run_id: str, quiet: bool = False) -> dict | None:
+    """
+    Stream task progress over SSE.
+
+    Returns:
+        dict   — task output (terminal state: completed)
+        None   — stream ended without terminal state; caller should poll
+    Exits:
+        2 — definitive error (task failed, run not found, wrong-org key)
+    """
     url = f"{API_BASE}/v1beta/tasks/runs/{run_id}/events"
     seen = set()
 
@@ -98,20 +198,45 @@ def _stream_sse(api_key: str, run_id: str, quiet: bool = False) -> dict | None:
 
         try:
             resp = urllib.request.urlopen(req, timeout=600)
+        except urllib.error.HTTPError as e:
+            try:
+                err_payload = json.loads(e.read().decode(errors="replace"))
+                msg = _sse_error_message(err_payload)
+            except Exception:
+                msg = str(e)
+            print(f"  ✗ SSE error ({e.code}): {msg}", file=sys.stderr)
+            sys.exit(2)
         except Exception as e:
             if not quiet:
-                print(f"  [sse] failed: {e}", file=sys.stderr)
+                print(f"  [sse] connect failed: {e}", file=sys.stderr)
             return None
 
+        # Detect non-SSE responses (HTTP 200 + JSON error body).
+        # Parallel returns this when the API key doesn't own the run_id, or
+        # when the run_id is malformed. The Content-Type is still
+        # `text/event-stream` so we can't rely on the header — instead we
+        # buffer non-SSE lines and, if we exit the loop without ever seeing
+        # a real SSE event, treat the buffer as a JSON error body.
+        saw_sse_event = False
+        non_sse_buffer: list[str] = []
+
         try:
             for raw_line in resp:
                 line = raw_line.decode("utf-8", errors="replace").rstrip("\n\r")
+                if not line:
+                    continue
                 if not line.startswith("data: "):
+                    # SSE comments start with ':' and field lines may be
+                    # `event:` / `id:` / `retry:` — ignore those, but capture
+                    # anything that looks like raw content for error-detect.
+                    if line[:1] not in (":",) and not line.startswith(("event:", "id:", "retry:")):
+                        non_sse_buffer.append(line)
                     continue
                 try:
                     event = json.loads(line[6:])
                 except json.JSONDecodeError:
                     continue
+                saw_sse_event = True
 
                 etype = event.get("type", "")
 
@@ -139,12 +264,27 @@ def _stream_sse(api_key: str, run_id: str, quiet: bool = False) -> dict | None:
                         sys.exit(2)
 
                 elif etype == "error":
-                    return None
+                    msg = _sse_error_message(event)
+                    print(f"  ✗ SSE error event: {msg}", file=sys.stderr)
+                    sys.exit(2)
         except Exception:
             pass
         finally:
             resp.close()
 
+        # If the stream produced zero SSE events but had body content,
+        # it's almost certainly an error response (wrong-org key, bad run_id).
+        # Surface it and bail rather than silently reconnecting 25 times.
+        if not saw_sse_event and non_sse_buffer:
+            body = "\n".join(non_sse_buffer)
+            try:
+                payload = json.loads(body)
+                msg = _sse_error_message(payload)
+            except json.JSONDecodeError:
+                msg = body[:300]
+            print(f"  ✗ SSE refused: {msg}", file=sys.stderr)
+            sys.exit(2)
+
     return None
 
 
@@ -269,7 +409,6 @@ def _render_table(lines: list[str], items: list[dict]):
 
 def cmd_run(args):
     """Create and execute a research task."""
-    api_key = _get_api_key()
     query = " ".join(args.query)
     processor = args.processor
 
@@ -341,12 +480,62 @@ def cmd_run(args):
     if getattr(args, "follow_up", None):
         body["previous_interaction_id"] = args.follow_up
 
-    # Submit
+    # Submit with retry — vend key, submit task, retry on 402/429.
+    # Capture the issuing VendedKey so SSE + polling use the SAME key.
+    # Without this, gate may vend a different org's key for the followup
+    # GET/SSE calls, causing the streamed run_id to look "not found".
     headers = {"parallel-beta": SSE_BETA}
-    task = _api_request("POST", "/v1/tasks/runs", api_key, body=body, extra_headers=headers)
+    captured: dict = {"key": None}
+
+    def submit(key):
+        captured["key"] = key
+        return _api_request("POST", "/v1/tasks/runs", key.api_key,
+                            body=body, extra_headers=headers, raise_on_error=True)
+
+    try:
+        task = call_with_retry("parallel", submit, env_var="PARALLEL_API_KEY")
+    except ServiceCallError as e:
+        if args.json:
+            print(json.dumps({"success": False, "error": str(e)}))
+        else:
+            print(f"  ✗ all keys exhausted: {e}", file=sys.stderr)
+        return 1
+    except urllib.error.HTTPError as e:
+        try:
+            err_body = json.loads(e.read().decode())
+        except Exception:
+            err_body = {"error": {"message": str(e)}}
+        msg = err_body.get("error", {}).get("message", str(e))
+        if args.json:
+            print(json.dumps({"success": False, "error": msg}))
+        else:
+            print(f"  ✗ API error ({e.code}): {msg}", file=sys.stderr)
+        return 1
+    except Exception as e:
+        if args.json:
+            print(json.dumps({"success": False, "error": str(e)}))
+        else:
+            print(f"  ✗ {e}", file=sys.stderr)
+        return 1
+
+    if task is None:
+        if args.json:
+            print(json.dumps({"success": False, "error": "no Parallel API key"}))
+        else:
+            print("  ✗ no Parallel API key. Set PARALLEL_API_KEY or add one via the dashboard.", file=sys.stderr)
+        return 1
+
+    # Reuse the SAME key that submitted the task for SSE + polling.
+    vended = captured["key"]
+    api_key = vended.api_key if vended is not None else _get_api_key()
     run_id = task["run_id"]
     created_at = task.get("created_at", "")
 
+    # Remember which gate-vended key owns this run, so later
+    # `escli research --status/--result <run_id>` can vend the same one.
+    if vended is not None:
+        _remember_run_owner(run_id, vended.fingerprint)
+
     if not args.quiet:
         print(f"  · run_id: {run_id}", file=sys.stderr)
 
@@ -393,7 +582,7 @@ def cmd_run(args):
 
 def cmd_status(args):
     """Check task run status."""
-    api_key = _get_api_key()
+    api_key = _get_key_for_run(args.run_id) or _get_api_key()
     result = _api_request("GET", f"/v1/tasks/runs/{args.run_id}", api_key)
 
     if args.json:
@@ -468,7 +657,7 @@ def cmd_processors(args):
 
 def cmd_result(args):
     """Fetch completed task result."""
-    api_key = _get_api_key()
+    api_key = _get_key_for_run(args.run_id) or _get_api_key()
 
     # Check status first
     run = _api_request("GET", f"/v1/tasks/runs/{args.run_id}", api_key)

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/src/escli/commands/search.py

@@ -18,7 +18,7 @@ import sys
 import time
 import uuid
 
-from ..services.credentials import get_key_for_service
+from ..services.credentials import call_with_retry, ServiceCallError
 
 MCP_ENDPOINT = "https://search.parallel.ai/mcp"
 REST_ENDPOINT = "https://api.parallel.ai/v1"
@@ -120,25 +120,33 @@ def cmd_search(args):
     if not args.quiet:
         print(f"  ▸ searching: {objective}", file=sys.stderr)
 
-    # Try REST API with key first (better quality), fall back to MCP (free)
-    api_key = get_key_for_service("parallel", "PARALLEL_API_KEY")
-
+    # Try REST API with key rotation, fall back to free MCP
+    data = None
     try:
-        if api_key:
-            data = _call_rest_search(objective, queries, api_key)
-        else:
+        result = call_with_retry(
+            "parallel",
+            lambda key: _call_rest_search(objective, queries, key.api_key),
+            env_var="PARALLEL_API_KEY",
+        )
+        if result is not None:
+            data = result
+    except ServiceCallError:
+        pass  # All keys exhausted, fall through to MCP
+
+    if data is None:
+        try:
             session = _session_id()
             data = _call_mcp("web_search", {
                 "objective": objective,
                 "search_queries": queries,
                 "session_id": session,
             })
-    except Exception as e:
-        if args.json:
-            print(json.dumps({"success": False, "error": str(e)}))
-        else:
-            print(f"  ✗ search failed: {e}", file=sys.stderr)
-        return 1
+        except Exception as e:
+            if args.json:
+                print(json.dumps({"success": False, "error": str(e)}))
+            else:
+                print(f"  ✗ search failed: {e}", file=sys.stderr)
+            return 1
 
     elapsed = round(time.time() - t0, 1)
     results = data.get("results", [])
@@ -188,12 +196,21 @@ def cmd_fetch(args):
     if not args.quiet:
         print(f"  ▸ fetching {len(urls)} URL(s)...", file=sys.stderr)
 
-    api_key = get_key_for_service("parallel", "PARALLEL_API_KEY")
-
+    # Try REST API with key rotation, fall back to free MCP
+    data = None
     try:
-        if api_key:
-            data = _call_rest_extract(urls, objective, full, api_key)
-        else:
+        result = call_with_retry(
+            "parallel",
+            lambda key: _call_rest_extract(urls, objective, full, key.api_key),
+            env_var="PARALLEL_API_KEY",
+        )
+        if result is not None:
+            data = result
+    except ServiceCallError:
+        pass  # All keys exhausted, fall through to MCP
+
+    if data is None:
+        try:
             session = _session_id()
             mcp_args: dict = {"urls": urls, "session_id": session}
             if objective:
@@ -201,12 +218,12 @@ def cmd_fetch(args):
             if full:
                 mcp_args["full_content"] = True
             data = _call_mcp("web_fetch", mcp_args)
-    except Exception as e:
-        if args.json:
-            print(json.dumps({"success": False, "error": str(e)}))
-        else:
-            print(f"  ✗ fetch failed: {e}", file=sys.stderr)
-        return 1
+        except Exception as e:
+            if args.json:
+                print(json.dumps({"success": False, "error": str(e)}))
+            else:
+                print(f"  ✗ fetch failed: {e}", file=sys.stderr)
+            return 1
 
     elapsed = round(time.time() - t0, 1)
     results = data.get("results", [])

{eightstatecli-0.4.0 → eightstatecli-0.4.2}/src/escli/commands/social.py

@@ -17,7 +17,7 @@ import json
 import sys
 import time
 
-from ..services.credentials import get_key_for_service
+from ..services.credentials import call_with_retry, ServiceCallError
 
 TAVILY_API = "https://api.tavily.com"
 
@@ -69,7 +69,6 @@ def cmd_social(args):
     """Search social media platforms."""
     import httpx
 
-    api_key = _get_api_key()
     query = " ".join(args.query)
     if not query:
         print("  ✗ search query required", file=sys.stderr)
@@ -103,18 +102,33 @@ def cmd_social(args):
     if country:
         body["country"] = country
 
-    try:
+    def do_search(key):
         resp = httpx.post(
             f"{TAVILY_API}/search",
             json=body,
             headers={
-                "Authorization": f"Bearer {api_key}",
+                "Authorization": f"Bearer {key.api_key}",
                 "Content-Type": "application/json",
             },
             timeout=30,
         )
         resp.raise_for_status()
-        data = resp.json()
+        return resp.json()
+
+    try:
+        data = call_with_retry("tavily", do_search, env_var="TAVILY_API_KEY")
+        if data is None:
+            if args.json:
+                print(json.dumps({"ok": False, "data": None, "error": {"code": "tavily.no_key", "message": "no Tavily API key"}, "meta": {}}))
+            else:
+                print("  ✗ no Tavily API key. Set TAVILY_API_KEY or add one via the dashboard.", file=sys.stderr)
+            return 1
+    except ServiceCallError as e:
+        if args.json:
+            print(json.dumps({"ok": False, "data": None, "error": {"code": f"tavily.{e.status_code}", "message": str(e)}, "meta": {}}))
+        else:
+            print(f"  ✗ all keys exhausted: {e}", file=sys.stderr)
+        return 1
     except httpx.HTTPStatusError as e:
         error_msg = str(e)
         try:

eightstatecli-0.4.2/src/escli/services/credentials.py

@@ -0,0 +1,215 @@
+"""
+Credential service — vends API keys from gate (internal.eightstate.co).
+
+If the user is authenticated via `escli auth login`, keys are fetched from
+the gate service with headroom-aware rotation. Otherwise falls back to
+local env vars or config.
+
+Retry support:
+  call_with_retry(service, fn) vends a key, calls fn, and on credit/rate
+  errors (402, 429) reports the failure to gate and retries with the next
+  key from the pool. Gate cooldowns the failed key so the next vend returns
+  a different one.
+"""
+
+import json
+import os
+import pathlib
+import sys
+import time
+
+GATE_URL = os.environ.get("ESCLI_GATE_URL", "https://internal.eightstate.co")
+CONFIG_DIR = pathlib.Path(os.environ.get("ESCLI_CONFIG_DIR", pathlib.Path.home() / ".escli"))
+CONFIG_FILE = CONFIG_DIR / "config.json"
+
+RETRYABLE_STATUSES = frozenset({402, 429})
+
+
+# ── Config ────────────────────────────────────────────────────────
+
+def _load_config() -> dict:
+    if CONFIG_FILE.exists():
+        try:
+            return json.loads(CONFIG_FILE.read_text())
+        except (json.JSONDecodeError, OSError):
+            return {}
+    return {}
+
+
+def get_cli_token() -> str | None:
+    """Get the stored CLI token from config."""
+    cfg = _load_config()
+    profile = cfg.get("active_profile", "default")
+    return cfg.get("profiles", {}).get(profile, {}).get("cli_token")
+
+
+# ── Vending & reporting ───────────────────────────────────────────
+
+def vend_key(service: str) -> dict | None:
+    """
+    Fetch an API key for a service from gate.
+    Returns {"api_key": str, "fingerprint": str, "base_url": str | None} or None.
+    """
+    token = get_cli_token()
+    if not token:
+        return None
+
+    try:
+        import httpx
+        resp = httpx.post(
+            f"{GATE_URL}/api/keys/vend",
+            json={"service": service},
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=10,
+        )
+        if resp.status_code == 200:
+            data = resp.json()
+            if data.get("success"):
+                return {
+                    "api_key": data["api_key"],
+                    "fingerprint": data["fingerprint"],
+                    "base_url": data.get("base_url"),
+                }
+    except Exception:
+        pass
+
+    return None
+
+
+def report_key(service: str, fingerprint: str, status: int,
+               remaining: int | None = None, limit: int | None = None,
+               reset: str | None = None, retry_after: int | None = None,
+               tier: str | None = None,
+               tokens_in: int | None = None, tokens_out: int | None = None,
+               audio_seconds: float | None = None,
+               usage_units: float | None = None, usage_sku: str | None = None):
+    """Report rate limit state and usage metadata back to gate."""
+    token = get_cli_token()
+    if not token:
+        return
+
+    try:
+        import httpx
+        httpx.post(
+            f"{GATE_URL}/api/keys/report",
+            json={
+                "service": service,
+                "fingerprint": fingerprint,
+                "status": status,
+                "remaining": remaining,
+                "limit": limit,
+                "reset": reset,
+                "retry_after": retry_after,
+                "tier": tier,
+                "tokens_in": tokens_in,
+                "tokens_out": tokens_out,
+                "audio_seconds": audio_seconds,
+                "usage_units": usage_units,
+                "usage_sku": usage_sku,
+            },
+            headers={"Authorization": f"Bearer {token}"},
+            timeout=5,
+        )
+    except Exception:
+        pass
+
+
+def get_key_for_service(service: str, env_var: str | None = None) -> str | None:
+    """
+    Get an API key for a service. Priority:
+    1. Environment variable (if specified)
+    2. Gate credential vending
+    3. None
+    """
+    if env_var:
+        key = os.environ.get(env_var)
+        if key:
+            return key
+
+    result = vend_key(service)
+    if result:
+        return result["api_key"]
+
+    return None
+
+
+# ── Retry wrapper ─────────────────────────────────────────────────
+
+class VendedKey:
+    """Credential vended from gate (or from env var)."""
+    __slots__ = ("api_key", "fingerprint", "base_url")
+
+    def __init__(self, api_key: str, fingerprint: str, base_url: str | None = None):
+        self.api_key = api_key
+        self.fingerprint = fingerprint
+        self.base_url = base_url
+
+
+class ServiceCallError(Exception):
+    """All vended keys exhausted after retries."""
+    def __init__(self, status_code: int, message: str = ""):
+        self.status_code = status_code
+        self.message = message
+        super().__init__(f"keys exhausted (last status {status_code}): {message}")
+
+
+def _extract_status(exc: Exception) -> int | None:
+    """Extract HTTP status code from various exception types."""
+    # httpx.HTTPStatusError
+    resp = getattr(exc, "response", None)
+    if resp is not None and hasattr(resp, "status_code"):
+        return resp.status_code
+    # urllib.error.HTTPError
+    if hasattr(exc, "code") and isinstance(getattr(exc, "code"), int):
+        return exc.code
+    # openai.APIStatusError
+    if hasattr(exc, "status_code") and isinstance(exc.status_code, int):
+        return exc.status_code
+    return None
+
+
+def call_with_retry(service: str, fn, max_attempts: int = 3,
+                    env_var: str | None = None):
+    """
+    Vend key → call fn(VendedKey) → retry on credit/rate errors.
+
+    On 402/429 from fn, reports the failure to gate (which cooldowns /
+    disables the key) then vends the next key and retries.
+
+    Returns:
+        fn result on success.
+        None if no keys available at all (no pool, no env var).
+    Raises:
+        ServiceCallError if all keys exhausted after max_attempts.
+        Any non-retryable exception from fn propagates as-is.
+    """
+    # Env var bypass — user-provided key, no retry
+    if env_var:
+        key = os.environ.get(env_var)
+        if key:
+            return fn(VendedKey(api_key=key, fingerprint="env"))
+
+    last_error = None
+    for _ in range(max_attempts):
+        result = vend_key(service)
+        if not result:
+            break
+
+        vended = VendedKey(
+            api_key=result["api_key"],
+            fingerprint=result["fingerprint"],
+            base_url=result.get("base_url"),
+        )
+        try:
+            return fn(vended)
+        except Exception as e:
+            status = _extract_status(e)
+            if status is not None and status in RETRYABLE_STATUSES:
+                report_key(service, vended.fingerprint, status)
+                last_error = ServiceCallError(status, str(e)[:200])
+                continue
+            raise
+
+    if last_error:
+        raise last_error
+    return None

eightstatecli-0.4.0/src/escli/services/credentials.py

@@ -1,117 +0,0 @@
-"""
-Credential service — vends API keys from gate (internal.eightstate.co).
-
-If the user is authenticated via `escli auth login`, keys are fetched from
-the gate service with headroom-aware rotation. Otherwise falls back to
-local env vars or config.
-"""
-
-import json
-import os
-import pathlib
-import sys
-import time
-
-GATE_URL = os.environ.get("ESCLI_GATE_URL", "https://internal.eightstate.co")
-CONFIG_DIR = pathlib.Path(os.environ.get("ESCLI_CONFIG_DIR", pathlib.Path.home() / ".escli"))
-CONFIG_FILE = CONFIG_DIR / "config.json"
-
-
-def _load_config() -> dict:
-    if CONFIG_FILE.exists():
-        try:
-            return json.loads(CONFIG_FILE.read_text())
-        except (json.JSONDecodeError, OSError):
-            return {}
-    return {}
-
-
-def get_cli_token() -> str | None:
-    """Get the stored CLI token from config."""
-    cfg = _load_config()
-    profile = cfg.get("active_profile", "default")
-    return cfg.get("profiles", {}).get(profile, {}).get("cli_token")
-
-
-def vend_key(service: str) -> dict | None:
-    """
-    Fetch an API key for a service from gate.
-    Returns {"api_key": str, "fingerprint": str} or None.
-    """
-    token = get_cli_token()
-    if not token:
-        return None
-
-    try:
-        import httpx
-        resp = httpx.post(
-            f"{GATE_URL}/api/keys/vend",
-            json={"service": service},
-            headers={"Authorization": f"Bearer {token}"},
-            timeout=10,
-        )
-        if resp.status_code == 200:
-            data = resp.json()
-            if data.get("success"):
-                return {"api_key": data["api_key"], "fingerprint": data["fingerprint"]}
-    except Exception:
-        pass
-
-    return None
-
-
-def report_key(service: str, fingerprint: str, status: int,
-               remaining: int | None = None, limit: int | None = None,
-               reset: str | None = None, retry_after: int | None = None,
-               tier: str | None = None,
-               tokens_in: int | None = None, tokens_out: int | None = None,
-               audio_seconds: float | None = None,
-               usage_units: float | None = None, usage_sku: str | None = None):
-    """Report rate limit state and usage metadata back to gate."""
-    token = get_cli_token()
-    if not token:
-        return
-
-    try:
-        import httpx
-        httpx.post(
-            f"{GATE_URL}/api/keys/report",
-            json={
-                "service": service,
-                "fingerprint": fingerprint,
-                "status": status,
-                "remaining": remaining,
-                "limit": limit,
-                "reset": reset,
-                "retry_after": retry_after,
-                "tier": tier,
-                "tokens_in": tokens_in,
-                "tokens_out": tokens_out,
-                "audio_seconds": audio_seconds,
-                "usage_units": usage_units,
-                "usage_sku": usage_sku,
-            },
-            headers={"Authorization": f"Bearer {token}"},
-            timeout=5,
-        )
-    except Exception:
-        pass
-
-
-def get_key_for_service(service: str, env_var: str | None = None) -> str | None:
-    """
-    Get an API key for a service. Priority:
-    1. Environment variable (if specified)
-    2. Gate credential vending
-    3. None
-    """
-    if env_var:
-        key = os.environ.get(env_var)
-        if key:
-            return key
-
-    result = vend_key(service)
-    if result:
-        return result["api_key"]
-
-    return None