fix(auth): stop replaying invalid Nous refresh tokens

Quarantine Nous OAuth state when refresh fails with terminal invalid_grant/invalid_token errors. Clear local and shared refresh material across runtime, managed access-token, proxy, and credential-pool paths so Hermes stops retrying revoked refresh sessions.
2026-06-08 08:11:38 +00:00 · 2026-05-17 15:41:03 +10:00 · 2026-05-17 15:41:03 +10:00 · c905562623
commit c905562623
parent 4c46c35ed0
6 changed files with 338 additions and 14 deletions
--- a/hermes_cli/proxy/adapters/nous_portal.py
+++ b/hermes_cli/proxy/adapters/nous_portal.py
@ -16,8 +16,11 @@ import threading
 from typing import Any, Dict, FrozenSet, Optional

 from hermes_cli.auth import (
+    AuthError,
    DEFAULT_NOUS_INFERENCE_URL,
    _load_auth_store,
+    _is_terminal_nous_refresh_error,
+    _quarantine_nous_oauth_state,
    _save_auth_store,
    _write_shared_nous_state,
    refresh_nous_oauth_from_state,
@ -81,6 +84,17 @@ class NousPortalAdapter(UpstreamAdapter):

            try:
                refreshed = refresh_nous_oauth_from_state(state)
+            except AuthError as exc:
+                if _is_terminal_nous_refresh_error(exc):
+                    _quarantine_nous_oauth_state(
+                        state,
+                        exc,
+                        reason="proxy_refresh_failure",
+                    )
+                    self._save_state(state)
+                raise RuntimeError(
+                    f"Failed to refresh Nous Portal credentials: {exc}"
+                ) from exc
            except Exception as exc:
                raise RuntimeError(
                    f"Failed to refresh Nous Portal credentials: {exc}"