Add hasRefreshToken guard to token refresh middleware (#13858)

`addTokenRefreshMiddleware` was calling `oauth.refreshAccessToken()` on
every 401, including unauthenticated requests, causing
`_surfaceError('No refresh token available.')` to fire as noise on
normal 401 responses.

## Changes

- **`OAuth.hasRefreshToken` getter** — cheap boolean check on
`tokenStore?.refreshToken`
- **Middleware guard** — short-circuits on 401 before attempting refresh
when `hasRefreshToken` is false, avoiding the noisy error callback
entirely
- **Test coverage** — asserts `refreshAccessToken` is never called when
`hasRefreshToken` is false

```ts
// Before: refreshAccessToken() called on every 401 → _surfaceError fired for unauthenticated clients
// After: guard skips refresh entirely when no token is stored
if (!oauth.hasRefreshToken) {
  return context.response
}
```

<!-- START COPILOT CODING AGENT TIPS -->
---

🔒 GitHub Advanced Security automatically protects Copilot coding agent
pull requests. You can protect all pull requests by enabling Advanced
Security for your repositories. [Learn more about Advanced
Security.](https://gh.io/cca-advanced-security)

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: rickyrombo <3690498+rickyrombo@users.noreply.github.com>

Author: Copilot

packages/sdk/src/sdk/middleware/addTokenRefreshMiddleware.test.ts

@@ -13,9 +13,11 @@ function mockResponse(status: number, body?: object): Response {
 }
 
 function createMockOAuth(
-  refreshBehaviour: () => Promise<string | null>
+  refreshBehaviour: () => Promise<string | null>,
+  hasRefreshToken = true
 ): OAuth {
   return {
+    hasRefreshToken,
     refreshAccessToken: refreshBehaviour
   } as unknown as OAuth
 }
@@ -40,6 +42,23 @@ describe('addTokenRefreshMiddleware', () => {
     expect(result).toBe(response)
   })
 
+  it('passes through 401 without calling refreshAccessToken when unauthenticated', async () => {
+    const refreshFn = vi.fn()
+    const oauth = createMockOAuth(refreshFn, false)
+    const mw = addTokenRefreshMiddleware({ oauth })
+    const response = mockResponse(401)
+
+    const result = await mw.post!({
+      fetch,
+      url: 'https://api.example.com/v1/users/me',
+      init: {},
+      response
+    })
+
+    expect(result).toBe(response)
+    expect(refreshFn).not.toHaveBeenCalled()
+  })
+
   it('passes through 401 when refresh returns null (no refresh token)', async () => {
     const oauth = createMockOAuth(async () => null)
     const mw = addTokenRefreshMiddleware({ oauth })

packages/sdk/src/sdk/middleware/addTokenRefreshMiddleware.ts

@@ -8,6 +8,9 @@ import type { OAuth } from '../oauth/OAuth'
  * `OAuth.refreshAccessToken()` which checks for a refresh token, performs the
  * HTTP exchange, and updates the token store.  On success the original request
  * is retried with the fresh access token.  On failure the 401 propagates.
+ *
+ * When the client is unauthenticated (no refresh token stored) the middleware
+ * short-circuits immediately, avoiding noisy error callbacks.
  */
 export const addTokenRefreshMiddleware = ({
   oauth
@@ -22,6 +25,11 @@ export const addTokenRefreshMiddleware = ({
         return context.response
       }
 
+      // Skip refresh when unauthenticated to avoid noisy error callbacks.
+      if (!oauth.hasRefreshToken) {
+        return context.response
+      }
+
       // Coalesce concurrent 401s into a single refresh call.
       if (!refreshInFlight) {
         refreshInFlight = oauth

packages/sdk/src/sdk/oauth/OAuth.ts

@@ -483,6 +483,14 @@ export class OAuth {
     }
   }
 
+  /**
+   * Returns true if a refresh token is currently stored and a refresh
+   * exchange could be attempted.
+   */
+  get hasRefreshToken(): boolean {
+    return !!(this.config.tokenStore?.refreshToken)
+  }
+
   /**
    * Refresh the access token using the stored refresh token.
    * Updates the token store on success.