eca2d355f6
The credential pool intentionally does NOT refresh Nous entries during selection — that would trigger network calls in non-runtime contexts like 'hermes auth list'. But resolve_runtime_provider() was returning the pool entry's stale agent_key (~30 min TTL) without checking whether it had expired, causing the inference API to reject requests. Now, when the pool returns a Nous entry, we check _agent_key_is_usable() before using it. If the key is expired or missing, pool_api_key is cleared so the existing fallthrough to resolve_nous_runtime_credentials() handles the access_token refresh + agent_key mint cycle.