fix(auxiliary): refresh Nous runtime credentials after aux 401s

[helix4u]

What does this PR do?

Fixes a real auth gap between the main Nous chat path and the auxiliary Nous path.

Before this change, the main agent could recover from Nous 401s by calling resolve_nous_runtime_credentials() and minting a fresh agent key, but auxiliary calls in agent/auxiliary_client.py still built Nous clients from raw stored auth state. That meant vision and other side-task calls could fail on stale Nous credentials even while the main chat path kept working.

This PR aligns the auxiliary path with the main runtime auth flow and makes auxiliary Nous retries rebuild the cached client after a 401.

Related Issue

Fixes #

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✅ Tests (adding or improving test coverage)

Changes Made

• Updated agent/auxiliary_client.py so _try_nous() prefers fresh runtime credentials from resolve_nous_runtime_credentials() instead of relying only on raw stored auth state.
• Added a Nous-specific auxiliary 401 recovery path for both call_llm() and async_call_llm().
• Rebuilt and replaced the cached auxiliary Nous client after a 401 so stale cached clients do not keep failing until process restart.
• Added regression tests in tests/agent/test_auxiliary_client.py covering fresh runtime credential preference and both sync/async 401 retry behavior.

How to Test

1. Configure Hermes with Nous Portal auth and force the auxiliary path to use an expired or stale Nous agent key while the refresh token is still valid.
2. Trigger an auxiliary Nous call such as vision or session search and verify Hermes refreshes Nous runtime credentials and retries instead of hard-failing on the first 401.
3. Run:
   • scripts/run_tests.sh
   • scripts/run_tests.sh tests/agent/test_crossloop_client_cache.py
   • scripts/run_tests.sh tests/agent/test_auxiliary_client.py tests/run_agent/test_provider_parity.py tests/hermes_cli/test_auth_nous_provider.py

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: Ubuntu/Linux

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Regression Notes

• The refresh path only activates for auxiliary calls that are already routed to Nous and fail with a 401.
• The cache replacement is intentionally scoped to the auxiliary Nous client path so other provider cache behavior stays unchanged.
• Main regression areas to watch are async auxiliary retries (session_search, web_extract, vision_tools) and any provider-selection flow that explicitly pins auxiliary.*.provider: nous.

Screenshots / Logs

Local test status:

• scripts/run_tests.sh was run with the repo's 4-worker wrapper and is currently red in this checkout due to unrelated existing failures outside this patch. The full run finished with 27 failed, 14151 passed, 39 skipped.
• The failures from this patch's cache-helper refactor were fixed before push.
• scripts/run_tests.sh tests/agent/test_crossloop_client_cache.py -> 5 passed
• scripts/run_tests.sh tests/agent/test_auxiliary_client.py tests/run_agent/test_provider_parity.py tests/hermes_cli/test_auth_nous_provider.py -> 179 passed