fix(test): hoist auth patches out of per-thread bodies (mock thread-safety)

`test_isolated_session_separate_threads_get_separate_clients` failed
intermittently on the 3.10 lane (passed 3.11/3.12) with KeyError: 2 —
the assertion `clients[1] is not clients[2]` couldn't find the second
slot because thread 2 had errored mid-flight.

Root cause: each thread independently entered a
`with patch('services.auth.auth_service.get_auth_details', ...)`
block.  `unittest.mock.patch` is not thread-safe — its __enter__ saves
the original attribute and __exit__ restores it, with no locking
between threads.  When t1's __exit__ races with t2's __enter__ (or
vice versa), the real `get_auth_details` ends up callable for a brief
window, raising MissingCredentialsError on the unauthenticated CI
runner.  That exception killed thread 2 silently, leaving the
clients[2] slot unset, which produced the KeyError on the
post-join assertion (instead of surfacing the actual error).

Two changes:

1. Hoist both patches (`get_auth_details` and `refresh_tokens`) out of
   the per-thread function so they wrap the entire join window.  The
   threads see a stable mock auth surface for their full lifetime, no
   patch/unpatch racing.

2. Capture per-thread exceptions in an `errors` dict, asserted before
   the slot comparison.  When this test ever does fail in the future
   for an unrelated reason, the failure message will name the real
   exception instead of just "KeyError".

Verified locally: passes 5/5 reruns of the targeted test, plus the full
suite stays green (`pytest tests/ -q --ignore=tests/test_live_smoke.py`
→ 100%).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: CrispStrobe

tests/test_webdav_misc.py

@@ -201,25 +201,41 @@ def test_get_content_writes_error_message_to_returned_bytesio():
 # ---------- isolated session: 'no refresh' variant honors thread-local boundary ----------
 
 def test_isolated_session_separate_threads_get_separate_clients():
-    """Thread-local design: different threads get different clients."""
+    """Thread-local design: different threads get different clients.
+
+    Both auth-service patches are hoisted out of the threaded body —
+    `unittest.mock.patch` is not thread-safe, and races between
+    `__enter__` / `__exit__` would let real auth code leak into one of
+    the threads, raise MissingCredentialsError, and leave the
+    `clients[2]` slot unpopulated → KeyError on the assertion.  Patching
+    once for the whole test gives both threads a stable mocked auth
+    surface for the entire window in which they call _get_isolated_session.
+    """
     import threading
 
     api = WebDAVAPIClient()
     fake_creds = {'token': 't', 'newToken': 'nt', 'user': {'email': 'u'}}
 
     clients = {}
+    errors = {}
+
     def grab_client(thread_id):
-        with patch('services.auth.auth_service.get_auth_details',
-                   return_value=fake_creds), \
-             patch('services.auth.auth_service.refresh_tokens'):
+        try:
             clients[thread_id] = api._get_isolated_session()
+        except Exception as e:  # surface, don't silently lose the slot
+            errors[thread_id] = e
 
-    t1 = threading.Thread(target=grab_client, args=(1,))
-    t2 = threading.Thread(target=grab_client, args=(2,))
-    t1.start()
-    t2.start()
-    t1.join()
-    t2.join()
-
+    with patch('services.auth.auth_service.get_auth_details',
+               return_value=fake_creds), \
+         patch('services.auth.auth_service.refresh_tokens'):
+        t1 = threading.Thread(target=grab_client, args=(1,))
+        t2 = threading.Thread(target=grab_client, args=(2,))
+        t1.start()
+        t2.start()
+        t1.join()
+        t2.join()
+
+    # Surface in-thread errors so the failure is the actual cause, not KeyError.
+    assert not errors, f"thread errors: {errors}"
     # Each thread got its own ApiClient
     assert clients[1] is not clients[2]