fix(auth): clear stale failure counters on token rotation

Delete prior refresh-token failure state when updateFromAuth rotates tokens, and add regression coverage.

Author: ndycode

lib/accounts.ts

@@ -758,9 +758,13 @@ export class AccountManager {
 	}
 
 	updateFromAuth(account: ManagedAccount, auth: OAuthAuthDetails): void {
+		const previousRefreshToken = account.refreshToken;
 		account.refreshToken = auth.refresh;
 		account.access = auth.access;
 		account.expires = auth.expires;
+		if (previousRefreshToken !== account.refreshToken) {
+			this.authFailuresByRefreshToken.delete(previousRefreshToken);
+		}
 		const tokenAccountId = extractAccountId(auth.access);
 		if (
 			tokenAccountId &&

test/accounts.test.ts

@@ -1064,6 +1064,37 @@ describe("AccountManager", () => {
       expect(account.accountId).toBe("org-selected-id");
       expect(account.accountIdSource).toBe("org");
     });
+
+    it("clears stale auth failure state when refresh token rotates", () => {
+      const now = Date.now();
+      const stored = {
+        version: 3 as const,
+        activeIndex: 0,
+        accounts: [
+          { refreshToken: "old-token", addedAt: now, lastUsed: now },
+        ],
+      };
+
+      const manager = new AccountManager(undefined, stored);
+      const account = manager.getCurrentAccount()!;
+      expect(manager.incrementAuthFailures(account)).toBe(1);
+
+      const newAuth: OAuthAuthDetails = {
+        type: "oauth",
+        access: "new-access",
+        refresh: "new-refresh",
+        expires: now + 3600000,
+      };
+
+      manager.updateFromAuth(account, newAuth);
+
+      const failuresByRefreshToken = Reflect.get(
+        manager,
+        "authFailuresByRefreshToken",
+      ) as Map<string, number>;
+      expect(failuresByRefreshToken.has("old-token")).toBe(false);
+      expect(manager.incrementAuthFailures(account)).toBe(1);
+    });
   });
 
   describe("toAuthDetails", () => {