231d800b47
Address PR re-review findings: - Only a 401 on the replay falls through to logout; other DioExceptions (timeout, connection drop, 5xx) now propagate so a flaky network can't wipe a valid session and callers see the real error. - Skip the refresh when the failed request's bearer no longer matches the stored one (a concurrent refresh already rotated it) and replay directly. - Guard _logout() with a _loggingOut flag so the auth-failed callback fires once per burst rather than once per concurrent caller. Add unit tests (fake Dio adapter + mocked prefs) covering the retry guard, single-flight refresh, and non-401 replay propagation paths. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>