fix(cloud-agent-next): fail closed on GitLab access revocation

Access-revocation reasons (no_integration_found, invalid_org_id) now
throw BAD_REQUEST instead of falling back to the stored token, so the
session cannot keep using a managed GitLab token after the integration
or org access was removed. Transient failures retain the last-known
token fallback.

Author: eshurakov

services/cloud-agent-next/src/persistence/CloudAgentSession.ts

@@ -2271,10 +2271,15 @@ export class CloudAgentSession extends DurableObject<WorkerEnv> {
 
   /**
    * Refresh a managed GitLab token via GIT_TOKEN_SERVICE. Logs and returns
-   * the current value if the refresh fails so callers can keep running with
-   * the last-known token (best effort). Successful refreshes are persisted
-   * to metadata so a later refresh failure falls back to the most recent
-   * working token rather than a stale prepare-time token.
+   * the current value if the refresh fails with a transient reason so callers
+   * can keep running with the last-known token (best effort). Successful
+   * refreshes are persisted to metadata so a later refresh failure falls back
+   * to the most recent working token rather than a stale prepare-time token.
+   *
+   * Access-revocation reasons (`no_integration_found`, `invalid_org_id`) fail
+   * closed by throwing `BAD_REQUEST`: the stored token is no longer authorized
+   * (integration was removed, or user lost access to the org) and continuing
+   * to use it would bypass revocation.
    *
    * `gitlabTokenManaged === false` (explicitly set during prepare when the
    * caller supplied their own PAT) skips refresh. `undefined` — i.e. sessions
@@ -2299,6 +2304,12 @@ export class CloudAgentSession extends DurableObject<WorkerEnv> {
       }
       return result.token;
     }
+    if (result.reason === 'no_integration_found' || result.reason === 'invalid_org_id') {
+      throw new TRPCError({
+        code: 'BAD_REQUEST',
+        message: 'No GitLab integration found. Please connect your GitLab account first.',
+      });
+    }
     logger
       .withFields({ reason: result.reason, sessionId: metadata.sessionId })
       .warn('Managed GitLab token refresh failed; using last-known value');