fix(credentials): translate auth errors and require OneCLI for spawn

Two related fixes for the case where credentials aren't usable:

1. Replace Claude Code's "Not logged in / Invalid API key · Please run
   /login" output with a host-aware message. The user can't run /login
   from chat, so the raw text is unhelpful. Provider gains an optional
   isAuthRequired() classifier; the poll-loop substitutes the message
   on both result-text and error paths.

2. Treat OneCLI gateway failure as a transient hard error instead of
   spawning a credential-less container. The catch in container-runner
   now propagates; router and host-sweep wrap wakeContainer to log and
   leave the inbound row pending so the next 60s sweep tick retries.
   Router also stops the typing indicator on failure.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/host-sweep.ts

@@ -168,7 +168,14 @@ async function sweepSession(session: Session): Promise<void> {
     const dueCount = countDueMessages(inDb);
     if (dueCount > 0 && !isContainerRunning(session.id)) {
       log.info('Waking container for due messages', { sessionId: session.id, count: dueCount });
-      await wakeContainer(session);
+      try {
+        await wakeContainer(session);
+      } catch (err) {
+        // Transient spawn failure (e.g. OneCLI gateway down). Leave messages
+        // pending so the next sweep tick retries; don't abort the rest of
+        // the sweep cycle for other sessions.
+        log.warn('wakeContainer failed — will retry on next sweep', { sessionId: session.id, err });
+      }
     }
 
     const alive = isContainerRunning(session.id);