fix(testing): isolate env-sensitive provider and pairing state #6956

Closed
bobashopcashier wants to merge 6 commits into NousResearch:main from bobashopcashier:fix/isolate-env-and-pairing-state

@bobashopcashier commented Apr 10, 2026

What does this PR do?

Separates shared stability fixes into their own focused PR instead of carrying them inside unrelated feature branches:

  1. isolates env-sensitive provider, audio-gateway, and approval tests from ambient machine state
  2. scopes gateway pairing storage to the active Hermes home instead of an import-time global path
  3. ignores expired Codex pool tokens when resolving auxiliary auth so stale local credentials do not mask test and runtime state

Related Issue

Related: #6729
Related: #6315
Context: this is extracted from follow-on branch hardening work, not a user-facing feature PR

Type of Change

  • 🐛 Bug fix (non-breaking change that fixes an issue)
  • ✨ New feature (non-breaking change that adds functionality)
  • 🔒 Security fix
  • 📝 Documentation update
  • ✅ Tests (adding or improving test coverage)
  • ♻️ Refactor (no behavior change)
  • 🎯 New skill (bundled or hub)

Changes Made

  • cleared env-sensitive provider credentials in affected tests so auto-provider detection and managed audio gateway coverage do not inherit unrelated local credentials
  • disabled local-command fallback explicitly in the affected transcription tests so they assert the intended cloud/no-cloud behavior instead of PATH-dependent behavior
  • updated gateway approval E2E tests to declare gateway mode explicitly instead of depending on leaked process env
  • updated agent/auxiliary_client.py to ignore expired Codex pool tokens instead of refreshing through ambient CLI auth during auxiliary credential lookup
  • updated gateway/pairing.py so PairingStore resolves storage under the active Hermes home instead of a stale module-global path
  • updated gateway/run.py to pass the active Hermes home pairing directory into PairingStore, which fixes pairing/rate-limit state leaking across homes and stabilizes unauthorized-DM behavior

How to Test

  1. Run .venv/bin/python -m pytest tests/agent/test_auxiliary_client.py -n0 -k 'ReadCodexAccessToken or ExpiredCodexTokenFallback' -q
  2. Run .venv/bin/python -m pytest tests/tools/test_approval.py tests/tools/test_managed_media_gateways.py tests/gateway/test_approve_deny_commands.py -n0 -q
  3. Run .venv/bin/python -m pytest tests/ -q
  4. Verify an unauthorized DM still receives a pairing message when the gateway is pointed at a temporary HERMES_HOME
  5. Verify provider auto-detection and managed audio gateway tests are unaffected by unrelated local credentials

Checklist

Code

  • I've read the Contributing Guide
  • My commit messages follow Conventional Commits (fix(scope):, feat(scope):, etc.)
  • I searched for existing PRs to make sure this isn't a duplicate
  • My PR contains only changes related to this fix/feature (no unrelated commits)
  • I've run pytest tests/ -q and all tests pass
  • I've added tests for my changes (required for bug fixes, strongly encouraged for features)
  • I've tested on my platform: macOS 26.4

Documentation & Housekeeping

  • I've updated relevant documentation (README, docs/, docstrings) — or N/A
  • I've updated cli-config.yaml.example if I added/changed config keys — or N/A
  • I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows — or N/A
  • I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
  • I've updated tool descriptions/schemas if I changed tool behavior — or N/A

Screenshots / Logs

  • .venv/bin/python -m pytest tests/agent/test_auxiliary_client.py -n0 -k 'ReadCodexAccessToken or ExpiredCodexTokenFallback' -q
    9 passed, 89 deselected
  • .venv/bin/python -m pytest tests/tools/test_approval.py tests/tools/test_managed_media_gateways.py tests/gateway/test_approve_deny_commands.py -n0 -q
    127 passed
  • .venv/bin/python -m pytest tests/ -q
    9788 passed, 73 skipped, 1 xfailed

@teknium1

Merged via #7654 with authorship preserved. Thanks for the contribution!

@teknium1 closed this Apr 11, 2026
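
An added illustration, not code from this PR or from the Hermes repository, of the pairing-storage change described in the PR: a path captured at import time keeps pointing at the old home after HERMES_HOME changes, so attempt counters leak across homes, while a store that resolves its directory at construction starts clean. `SketchPairingStore`, `active_home`, the `attempts.json` file name and the `~/.hermes` default are assumptions made for this sketch; only `HERMES_HOME` is named on the page.

```python
import json
import os
import tempfile
from pathlib import Path


def active_home():
    # Assumption: the active home is read from HERMES_HOME on every call.
    return Path(os.environ.get("HERMES_HOME", str(Path.home() / ".hermes")))


class SketchPairingStore:
    """Hypothetical stand-in for a pairing store; counts attempts per user."""

    def __init__(self, pairing_dir=None):
        # Resolve the directory at construction time, not at module import.
        self.dir = Path(pairing_dir) if pairing_dir else active_home() / "pairing"

    def record_attempt(self, user_id):
        path = self.dir / "attempts.json"
        state = json.loads(path.read_text()) if path.exists() else {}
        state[user_id] = state.get(user_id, 0) + 1
        self.dir.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(state))
        return state[user_id]


def demo():
    saved = os.environ.get("HERMES_HOME")
    try:
        with tempfile.TemporaryDirectory() as home_a, tempfile.TemporaryDirectory() as home_b:
            os.environ["HERMES_HOME"] = home_a
            frozen = active_home() / "pairing"  # what an import-time global captures
            SketchPairingStore().record_attempt("user-1")
            SketchPairingStore().record_attempt("user-1")
            os.environ["HERMES_HOME"] = home_b  # e.g. a test switches to a temp home
            stale = SketchPairingStore(frozen).record_attempt("user-1")   # still home_a
            scoped = SketchPairingStore().record_attempt("user-1")        # fresh home_b
            return {"stale": stale, "scoped": scoped}
    finally:
        # Restore the caller's environment so the demo itself does not leak state.
        if saved is None:
            os.environ.pop("HERMES_HOME", None)
        else:
            os.environ["HERMES_HOME"] = saved


if __name__ == "__main__":
    print(demo())
```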