feat(auth): improve unauthorized error handling for refresh and auto-refresh

- Added `isUnauthorizedError` and `hasUnauthorizedAuthFailure` to classify and handle unauthorized errors.
- Introduced `refreshErrorFromError` to map errors to standardized unauthorized responses.
- Modified refresh logic to stop auto-refresh retries for unauthorized errors.
- Updated tests to verify unauthorized error handling and refresh retry prevention.

internal/runtime/executor/helps/home_refresh.go

@@ -78,7 +78,7 @@ func RefreshAuthViaHome(ctx context.Context, cfg *config.Config, auth *cliproxya
 		if msg == "" {
 			msg = "home returned error"
 		}
-		return nil, true, homeStatusErr{code: http.StatusBadGateway, msg: msg}
+		return nil, true, homeStatusErr{code: statusFromHomeErrorCode(code), msg: msg}
 	}
 
 	var updated cliproxyauth.Auth
@@ -89,3 +89,14 @@ func RefreshAuthViaHome(ctx context.Context, cfg *config.Config, auth *cliproxya
 	updated.EnsureIndex()
 	return &updated, true, nil
 }
+
+func statusFromHomeErrorCode(code string) int {
+	switch strings.ToLower(strings.TrimSpace(code)) {
+	case "authentication_error", "unauthorized":
+		return http.StatusUnauthorized
+	case "model_not_found":
+		return http.StatusNotFound
+	default:
+		return http.StatusBadGateway
+	}
+}

internal/runtime/executor/helps/home_refresh_test.go

@@ -0,0 +1,15 @@
+package helps
+
+import (
+	"net/http"
+	"testing"
+)
+
+func TestStatusFromHomeErrorCodeMapsAuthenticationErrorToUnauthorized(t *testing.T) {
+	if got := statusFromHomeErrorCode("authentication_error"); got != http.StatusUnauthorized {
+		t.Fatalf("statusFromHomeErrorCode(authentication_error) = %d, want %d", got, http.StatusUnauthorized)
+	}
+	if got := statusFromHomeErrorCode("unauthorized"); got != http.StatusUnauthorized {
+		t.Fatalf("statusFromHomeErrorCode(unauthorized) = %d, want %d", got, http.StatusUnauthorized)
+	}
+}