fix: rotate credential pool on 403 (Forbidden) responses

[YueLich]

Summary

• _handle_credential_pool_error handled 401, 402, and 429 but silently ignored 403
• When a provider returns 403 for a revoked credential (e.g. a Nous agent_key invalidated by a newer login), the pool was never rotated — every subsequent request kept hitting the same failing credential
• Treat 403 like 402: immediately mark the current entry exhausted and rotate to the next pool entry, since a Forbidden response won't resolve with a retry

Root cause

Nous (and other OAuth providers) invalidate older agent keys when new ones are minted. If a user has multiple credential pool entries (accumulated via repeated hermes auth add nous), the oldest entry (lowest priority, selected first by fill_first) may be revoked. Without 403 rotation, the pool is stuck on that entry indefinitely.

Test plan

• Verify that a 403 response from the inference API causes the pool to rotate to the next available credential
• Verify that when all pool entries are exhausted after 403s, the error surfaces correctly to the user
• Existing 401/402/429 rotation behaviour is unchanged

🤖 Generated with Claude Code

[teknium1]

Thanks for the fix, @YueLich! 🤖 This is an automated hermes-sweeper review.

The change proposed here is already on main — it appears the commit from this PR's branch landed directly:

• Commit: 6fcaf5ebc — "fix: rotate credential pool on 403 (Forbidden) responses"
• File: run_agent.py line 5686 now reads elif status_code in (401, 403):, exactly matching this PR's diff
• Verified: git branch --all --contains 6fcaf5ebc confirms the commit is reachable from main

Closing as implemented on main.