fix(astrolabe): handle OAuth refresh token rotation

Fixes 401 errors after first token refresh when using IdPs that
implement refresh token rotation (Keycloak, modern OAuth providers).

**Root Cause**:
McpTokenStorage::getAccessToken() was discarding the new refresh token
returned by the IdP after successful refresh, always keeping the old one.
This caused:
- First refresh: works (uses original refresh token)
- Second refresh: fails with 401 (old refresh token invalidated by IdP)

**Solution**:
Use new refresh token from IdP response if provided, fall back to old
token for providers that don't rotate refresh tokens.

**Changed**:
- lib/Service/McpTokenStorage.php:184
  From: $token['refresh_token']  // Always old token
  To:   $newTokenData['refresh_token'] ?? $token['refresh_token']

**Verified**:
ApiController already handles rotation correctly using the same pattern.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

third_party/astroglobe/lib/Service/McpTokenStorage.php

@@ -177,10 +177,11 @@ class McpTokenStorage {
 
 					if ($newTokenData && isset($newTokenData['access_token'])) {
 						// Store refreshed token
+						// Use new refresh token if provided (rotation), otherwise keep old one
 						$this->storeUserToken(
 							$userId,
 							$newTokenData['access_token'],
-							$token['refresh_token'], // Keep same refresh token
+							$newTokenData['refresh_token'] ?? $token['refresh_token'],
 							time() + ($newTokenData['expires_in'] ?? 3600)
 						);