Address PR re-review findings:
- Only a 401 on the replay falls through to logout; other DioExceptions
(timeout, connection drop, 5xx) now propagate so a flaky network can't
wipe a valid session and callers see the real error.
- Skip the refresh when the failed request's bearer no longer matches the
stored one (a concurrent refresh already rotated it) and replay directly.
- Guard _logout() with a _loggingOut flag so the auth-failed callback fires
once per burst rather than once per concurrent caller.
Add unit tests (fake Dio adapter + mocked prefs) covering the retry guard,
single-flight refresh, and non-401 replay propagation paths.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>