fix(nous-oauth): preserve obtained_at in pool + actionable message on RT reuse

[teknium1]

Closes #15099.

What this PR does

Two narrow Nous OAuth fixes, both motivated by @camelludo's #15099 report. After tracing the refresh-token persistence path end-to-end I couldn't find the 'client silently drops rotated RT' bug the report hypothesised — the pool + singleton write-back machinery is actually correct. What IS broken is narrower, and the report gives us enough evidence to fix both issues completely.

Fix 1: _seed_from_singletons() preserves mint/refresh timestamps

When the pool is seeded from the providers.nous singleton, the upsert payload was missing obtained_at, agent_key_obtained_at, expires_in, agent_key_expires_in, agent_key_id, and agent_key_reused. Fresh credentials showed up with obtained_at: None, which breaks freshness-sensitive consumers (self-heal hooks, pool pruning by age) — they treat just-minted credentials as older than they are. @camelludo explicitly called this out as the 'secondary issue' in the report.

Fix 2: Actionable message on invalid_grant: refresh token reuse detected

The Nous Portal server implements OAuth 2.1 RT rotation and returns invalid_grant: Refresh token reuse detected when a rotated RT gets used a second time. In real-world reports this almost always means an external process (monitoring script, custom self-heal hook, another install sharing ~/.hermes/auth.json) called POST /api/oauth/token with Hermes's RT without persisting the rotated value back. The generic reuse message gave users no clue about the external-process cause, so they reported it as a Hermes persistence bug.

The PR detects that specific error signature and rewrites it to:

Nous Portal detected refresh-token reuse and revoked this session.
This usually means an external process (monitoring script, custom self-heal hook, or another Hermes install sharing ~/.hermes/auth.json) called POST /api/oauth/token with Hermes's refresh token without persisting the rotated token back.
Nous refresh tokens are single-use — only Hermes may call the refresh endpoint. For health checks, use hermes auth status instead.
Re-authenticate with: hermes auth add nous

Generic invalid_grant errors (e.g. Refresh session has been revoked) keep their original server descriptions untouched.

Note on the reporter's primary diagnosis

@camelludo's report hypothesised that Hermes wasn't persisting the rotated RT. I traced this carefully and the persistence is working correctly:

• refresh_nous_oauth_pure() persists the new RT into state (line 2118)
• resolve_nous_runtime_credentials() holds _auth_store_lock() across the HTTP call and _persist_state()s immediately after rotation (lines 2359, 2426)
• pool._refresh_entry() calls _sync_device_code_entry_to_auth_store() so the pool and singleton stay in sync

Their own comment 2 describes the actual trigger: a systemd-timer-triggered aliveness script POSTing to /api/oauth/token with each profile's RT, explicitly discarding the response. That's RT reuse — their script consumed RT1, got RT2, threw RT2 away, and the gateway's next refresh with RT1 triggered the OAuth server's reuse detection. Fix 2 makes that specific failure mode unmistakable in the error message so future reports can self-diagnose.

Validation

• tests/agent/test_credential_pool.py — 45/45 pass (1 new)
• tests/hermes_cli/test_auth_nous_provider.py — 12/12 pass (2 new)
• E2E-verified: seeded singleton with obtained_at → pool entry keeps it; fake 400-with-reuse response → actionable rewritten message; fake 400-without-reuse → original description unchanged