fix(worker): log fail-closed permission cleanup

When the account-driven permission syncer's catch fires (401/403/410/
token-refresh), it silently wipes the account's AccountToRepoPermission
rows before re-throwing. Operators can see the upstream error in three
sinks already, but there's no signal that the *cleanup* itself ran —
forcing a before/after row count to verify behavior.

Switch the cleanup to a direct `accountToRepoPermission.deleteMany` so
we get the deleted row count, and emit a warn log with the account id,
user email, which predicate matched, the count, and the original error
message. Behavior is equivalent to the prior `account.update` form
(same DELETE WHERE accountId=...).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: msukkari

packages/backend/src/ee/accountPermissionSyncer.ts

@@ -195,20 +195,19 @@ export class AccountPermissionSyncer {
             // on is gone (e.g. Bitbucket Cloud's CHANGE-2770), clear the
             // account's existing permission rows so the read-side filter stops
             // matching through them.
-            if (
-                isUnauthorized(error) ||
-                isForbidden(error) ||
-                isGone(error) ||
-                error instanceof RefreshTokenError
-            ) {
-                await this.db.account.update({
-                    where: { id: account.id },
-                    data: {
-                        accessibleRepos: {
-                            deleteMany: {},
-                        },
-                    },
+            const reason =
+                error instanceof RefreshTokenError ? 'token refresh failure' :
+                isUnauthorized(error) ? 'HTTP 401 Unauthorized' :
+                isForbidden(error) ? 'HTTP 403 Forbidden' :
+                isGone(error) ? 'HTTP 410 Gone' :
+                null;
+
+            if (reason !== null) {
+                const { count } = await this.db.accountToRepoPermission.deleteMany({
+                    where: { accountId: account.id },
                 });
+                const message = error instanceof Error ? error.message : String(error);
+                logger.warn(`Cleared ${count} permission row(s) for account ${account.id} (user ${account.user.email ?? 'unknown'}) — fail-closed cleanup triggered by ${reason}: ${message}`);
             }
             throw error;
         }