From 6fcaf5ebc26714f261f0762b02e362b1a3fc20bf Mon Sep 17 00:00:00 2001
From: YueLich <yue.gu2023@gmail.com>
Date: Sun, 12 Apr 2026 12:30:02 +0300
Subject: [PATCH] fix: rotate credential pool on 403 (Forbidden) responses

Previously _handle_credential_pool_error handled 401, 402, and 429
but silently ignored 403. When a provider returns 403 for a revoked or
unauthorised credential (e.g. Nous agent_key invalidated by a newer
login), the pool was never rotated and every subsequent request
continued to use the same failing credential.

Treat 403 the same as 402: immediately mark the current credential
exhausted and rotate to the next pool entry, since a Forbidden response
will not resolve itself with a retry.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 run_agent.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/run_agent.py b/run_agent.py
index 47cf1ac6a..fe4dbc68c 100644
--- a/run_agent.py
+++ b/run_agent.py
@@ -5303,7 +5303,7 @@ class AIAgent:
                 effective_reason = FailoverReason.billing
             elif status_code == 429:
                 effective_reason = FailoverReason.rate_limit
-            elif status_code == 401:
+            elif status_code in (401, 403):
                 effective_reason = FailoverReason.auth
 
         if effective_reason == FailoverReason.billing: