fix: clarify auth retry guidance

tests/hermes_cli/test_auth_commands.py

@@ -654,10 +654,45 @@ def test_auth_list_shows_exhausted_cooldown(monkeypatch, capsys):
     auth_list_command(_Args())
 
     out = capsys.readouterr().out
-    assert "exhausted (429)" in out
+    assert "rate-limited (429)" in out
     assert "59m 30s left" in out
 
 
+def test_auth_list_shows_auth_failure_when_exhausted_entry_is_unauthorized(monkeypatch, capsys):
+    from hermes_cli.auth_commands import auth_list_command
+
+    class _Entry:
+        id = "cred-1"
+        label = "primary"
+        auth_type = "oauth"
+        source = "manual:device_code"
+        last_status = "exhausted"
+        last_error_code = 401
+        last_error_reason = "invalid_token"
+        last_error_message = "Access token expired or revoked."
+        last_status_at = 1000.0
+
+    class _Pool:
+        def entries(self):
+            return [_Entry()]
+
+        def peek(self):
+            return None
+
+    monkeypatch.setattr("hermes_cli.auth_commands.load_pool", lambda provider: _Pool())
+    monkeypatch.setattr("hermes_cli.auth_commands.time.time", lambda: 1030.0)
+
+    class _Args:
+        provider = "openai-codex"
+
+    auth_list_command(_Args())
+
+    out = capsys.readouterr().out
+    assert "auth failed invalid_token (401)" in out
+    assert "re-auth may be required" in out
+    assert "left" not in out
+
+
 def test_auth_list_prefers_explicit_reset_time(monkeypatch, capsys):
     from hermes_cli.auth_commands import auth_list_command