fix: validate nous auth status against runtime credentials

tests/hermes_cli/test_auth_nous_provider.py

@@ -198,12 +198,82 @@ def test_get_nous_auth_status_auth_store_fallback(tmp_path, monkeypatch):
     hermes_home = tmp_path / "hermes"
     _setup_nous_auth(hermes_home, access_token="at-123")
     monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+    monkeypatch.setattr(
+        "hermes_cli.auth.resolve_nous_runtime_credentials",
+        lambda min_key_ttl_seconds=60: {
+            "base_url": "https://inference.example.com/v1",
+            "expires_at": "2099-01-01T00:00:00+00:00",
+            "key_id": "key-1",
+            "source": "cache",
+        },
+    )
 
     status = get_nous_auth_status()
     assert status["logged_in"] is True
     assert status["portal_base_url"] == "https://portal.example.com"
 
 
+def test_get_nous_auth_status_prefers_runtime_auth_store_over_stale_pool(tmp_path, monkeypatch):
+    from hermes_cli.auth import get_nous_auth_status
+    from agent.credential_pool import PooledCredential, load_pool
+
+    hermes_home = tmp_path / "hermes"
+    _setup_nous_auth(hermes_home, access_token="at-fresh")
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    pool = load_pool("nous")
+    stale = PooledCredential.from_dict("nous", {
+        "access_token": "at-stale",
+        "refresh_token": "rt-stale",
+        "portal_base_url": "https://portal.stale.example.com",
+        "inference_base_url": "https://inference.stale.example.com/v1",
+        "agent_key": "agent-stale",
+        "agent_key_expires_at": "2020-01-01T00:00:00+00:00",
+        "expires_at": "2020-01-01T00:00:00+00:00",
+        "label": "dashboard device_code",
+        "auth_type": "oauth",
+        "source": "manual:dashboard_device_code",
+        "base_url": "https://inference.stale.example.com/v1",
+        "priority": 0,
+    })
+    pool.add_entry(stale)
+
+    monkeypatch.setattr(
+        "hermes_cli.auth.resolve_nous_runtime_credentials",
+        lambda min_key_ttl_seconds=60: {
+            "base_url": "https://inference.example.com/v1",
+            "expires_at": "2099-01-01T00:00:00+00:00",
+            "key_id": "key-fresh",
+            "source": "portal",
+        },
+    )
+
+    status = get_nous_auth_status()
+    assert status["logged_in"] is True
+    assert status["portal_base_url"] == "https://portal.example.com"
+    assert status["inference_base_url"] == "https://inference.example.com/v1"
+    assert status["source"] == "runtime:portal"
+
+
+def test_get_nous_auth_status_reports_revoked_refresh_session(tmp_path, monkeypatch):
+    from hermes_cli.auth import get_nous_auth_status
+
+    hermes_home = tmp_path / "hermes"
+    _setup_nous_auth(hermes_home, access_token="at-123")
+    monkeypatch.setenv("HERMES_HOME", str(hermes_home))
+
+    def _boom(min_key_ttl_seconds=60):
+        raise AuthError("Refresh session has been revoked", provider="nous", relogin_required=True)
+
+    monkeypatch.setattr("hermes_cli.auth.resolve_nous_runtime_credentials", _boom)
+
+    status = get_nous_auth_status()
+    assert status["logged_in"] is False
+    assert status["relogin_required"] is True
+    assert "revoked" in status["error"].lower()
+    assert status["portal_base_url"] == "https://portal.example.com"
+
+
 def test_get_nous_auth_status_empty_returns_not_logged_in(tmp_path, monkeypatch):
     """get_nous_auth_status() returns logged_in=False when both pool
     and auth store are empty.

tests/hermes_cli/test_status.py

@@ -42,3 +42,40 @@ def test_show_status_termux_gateway_section_skips_systemctl(monkeypatch, capsys,
     assert "Manager:      Termux / manual process" in output
     assert "Start with:   hermes gateway" in output
     assert "systemd (user)" not in output
+
+
+def test_show_status_reports_nous_auth_error(monkeypatch, capsys, tmp_path):
+    from hermes_cli import status as status_mod
+    import hermes_cli.auth as auth_mod
+    import hermes_cli.gateway as gateway_mod
+
+    monkeypatch.setattr(status_mod, "get_env_path", lambda: tmp_path / ".env", raising=False)
+    monkeypatch.setattr(status_mod, "get_hermes_home", lambda: tmp_path, raising=False)
+    monkeypatch.setattr(status_mod, "load_config", lambda: {"model": "gpt-5.4"}, raising=False)
+    monkeypatch.setattr(status_mod, "resolve_requested_provider", lambda requested=None: "openai-codex", raising=False)
+    monkeypatch.setattr(status_mod, "resolve_provider", lambda requested=None, **kwargs: "openai-codex", raising=False)
+    monkeypatch.setattr(status_mod, "provider_label", lambda provider: "OpenAI Codex", raising=False)
+    monkeypatch.setattr(
+        auth_mod,
+        "get_nous_auth_status",
+        lambda: {
+            "logged_in": False,
+            "portal_base_url": "https://portal.nousresearch.com",
+            "access_expires_at": "2026-04-20T01:00:51+00:00",
+            "agent_key_expires_at": "2026-04-20T04:54:24+00:00",
+            "has_refresh_token": True,
+            "error": "Refresh session has been revoked",
+        },
+        raising=False,
+    )
+    monkeypatch.setattr(auth_mod, "get_codex_auth_status", lambda: {}, raising=False)
+    monkeypatch.setattr(auth_mod, "get_qwen_auth_status", lambda: {}, raising=False)
+    monkeypatch.setattr(gateway_mod, "find_gateway_pids", lambda exclude_pids=None: [], raising=False)
+
+    status_mod.show_status(SimpleNamespace(all=False, deep=False))
+
+    output = capsys.readouterr().out
+    assert "Nous Portal   ✗ not logged in (run: hermes auth add nous --type oauth)" in output
+    assert "Error:      Refresh session has been revoked" in output
+    assert "Access exp:" in output
+    assert "Key exp:" in output