fix: validate nous auth status against runtime credentials

[mssteuer]

Summary

• make get_nous_auth_status() prefer auth-store provider state over stale credential-pool entries
• validate Nous auth by resolving runtime credentials so revoked refresh sessions no longer show as logged in
• surface the actual Nous auth error in hermes status

Test Plan

• python -m pytest -q -o addopts='' tests/hermes_cli/test_auth_nous_provider.py tests/hermes_cli/test_status.py tests/hermes_cli/test_nous_subscription.py

Why

A revoked Nous refresh session could leave hermes status claiming the user was logged in because it only saw token-shaped data on disk. In one real case, stale credential-pool data also overrode fresher auth-store data, so status showed the wrong expiries after re-auth.

This change makes the status path use the same source of truth as runtime credential minting and report the failure honestly.

[teknium1]

This fix has already landed on main — closing as implemented.

Automated hermes-sweeper review.

The exact changes from this PR were squash-merged into main as part of PR #15120 ("fix(credential-pool): correctness + rotation + cross-process sync"):

• hermes_cli/auth.py — get_nous_auth_status() (line 3232) now prefers auth-store provider state over credential-pool entries and validates via resolve_nous_runtime_credentials(), surfacing AuthError as logged_in: False with an error field. Commit: cd221080e
• hermes_cli/status.py — error surfacing for revoked/failed Nous auth is live (line 185)
• Test coverage from test_auth_nous_provider.py and test_status.py was included in the merge

Thanks for the solid fix, @mssteuer — the P1 label was well-earned and the change made it in quickly.