fix(auxiliary): fallback on auth errors in auto mode

[qWaitCrypto]

What does this PR do?

Fixes an auxiliary runtime fallback gap where 401 authentication failures did not trigger the auto-provider fallback chain.

In agent/auxiliary_client.py, auxiliary calls already fall back on payment errors, connection errors, and rate limits when the resolved provider is auto. But 401 auth errors were excluded from should_fallback, so auxiliary tasks like compression could fail outright after an auth error instead of trying another provider.

This PR adds auth errors to the fallback trigger in both call_llm() and async_call_llm(), while preserving the existing execution order:

1. Nous-specific auth refresh still runs first when applicable.
2. Explicit provider credential refresh still runs first for explicitly selected providers.
3. Only after those refresh paths are inapplicable or unsuccessful does auto mode fall back to another provider.

Note: _try_payment_fallback() is historical naming. It now handles multiple fallback reasons, but renaming it would be a wider refactor and is intentionally out of scope for this PR.

Related Issue

Fixes #21165

Type of Change

• 🐛 Bug fix (non-breaking change that fixes an issue)
• ✨ New feature (non-breaking change that adds functionality)
• 🔒 Security fix
• 📝 Documentation update
• ✅ Tests (adding or improving test coverage)
• ♻️ Refactor (no behavior change)
• 🎯 New skill (bundled or hub)

Changes Made

• Added _is_auth_error(first_err) to the should_fallback condition in sync auxiliary calls in agent/auxiliary_client.py.
• Added _is_auth_error(first_err) to the should_fallback condition in async auxiliary calls in agent/auxiliary_client.py.
• Added reason = "auth error" logging/dispatch branch for sync and async fallback paths.
• Added regression tests in tests/agent/test_auxiliary_client.py covering 401 auth failures in auto mode for both sync and async auxiliary calls.
• Documented the auth-error fallback path in the surrounding code comments.

How to Test

1. Run python3 -m py_compile agent/auxiliary_client.py tests/agent/test_auxiliary_client.py.
2. Run python3 -m pytest -q tests/agent/test_auxiliary_client.py.
3. Verify the new regression coverage passes for both sync and async 401 auth-error fallback paths in auto mode.

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature (no unrelated commits)
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes (required for bug fixes, strongly encouraged for features)
• I've tested on my platform: WSL2 Ubuntu

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

Validation run:

python3 -m py_compile agent/auxiliary_client.py tests/agent/test_auxiliary_client.py
python3 -m pytest -q tests/agent/test_auxiliary_client.py
# 136 passed