fix(models): sync auth-profiles before availability checks

src/agents/pi-auth-json.ts

@@ -2,6 +2,7 @@ import fs from "node:fs/promises";
 import path from "node:path";
 import { ensureAuthProfileStore } from "./auth-profiles.js";
 import type { AuthProfileCredential } from "./auth-profiles/types.js";
+import { normalizeProviderId } from "./model-selection.js";
 
 type AuthJsonCredential =
   | {
@@ -50,6 +51,13 @@ function convertCredential(cred: AuthProfileCredential): AuthJsonCredential | nu
     if (!token) {
       return null;
     }
+    const expires =
+      typeof (cred as { expires?: unknown }).expires === "number"
+        ? (cred as { expires: number }).expires
+        : Number.NaN;
+    if (Number.isFinite(expires) && expires > 0 && Date.now() >= expires) {
+      return null;
+    }
     return { type: "api_key", key: token };
   }
 
@@ -114,7 +122,7 @@ export async function ensurePiAuthJsonFromAuthProfiles(agentDir: string): Promis
   const providerCredentials = new Map<string, AuthJsonCredential>();
 
   for (const [, cred] of Object.entries(store.profiles)) {
-    const provider = cred.provider;
+    const provider = normalizeProviderId(String(cred.provider ?? "")).trim();
     if (!provider || providerCredentials.has(provider)) {
       continue;
     }