fix: harden cache policy deserialization and await clearAuth in tests

BugBot #9: Wrap CachePolicy.fromObject() and related calls in try-catch
inside getCachedResponse(). A corrupted or version-incompatible policy
object now triggers a cache miss (and best-effort cleanup of the broken
entry) instead of crashing the API request.

BugBot #10: Add missing `await` to clearAuth() calls in project/list
tests at lines 1080 and 1362 to prevent floating promises.

Author: BYK

src/lib/response-cache.ts

@@ -336,16 +336,25 @@ export async function getCachedResponse(
     return;
   }
 
-  const policy = CachePolicy.fromObject(entry.policy);
-  if (!isEntryFresh(policy, entry, requestHeaders, url)) {
+  try {
+    const policy = CachePolicy.fromObject(entry.policy);
+    if (!isEntryFresh(policy, entry, requestHeaders, url)) {
+      return;
+    }
+
+    const responseHeaders = buildResponseHeaders(policy, entry);
+    return new Response(JSON.stringify(entry.body), {
+      status: entry.status,
+      headers: responseHeaders,
+    });
+  } catch {
+    // Corrupted or version-incompatible policy object — treat as cache miss.
+    // Delete the broken entry so it doesn't keep failing on every request.
+    await unlink(cacheFilePath(key)).catch(() => {
+      // Best-effort cleanup
+    });
     return;
   }
-
-  const responseHeaders = buildResponseHeaders(policy, entry);
-  return new Response(JSON.stringify(entry.body), {
-    status: entry.status,
-    headers: responseHeaders,
-  });
 }
 
 /**

test/commands/project/list.test.ts

@@ -1077,7 +1077,7 @@ describe("fetchOrgProjectsSafe", () => {
 
   test("propagates AuthError when not authenticated", async () => {
     // Clear auth token so the API client throws AuthError before making any request
-    clearAuth();
+    await clearAuth();
 
     await expect(fetchOrgProjectsSafe("myorg")).rejects.toThrow(AuthError);
   });
@@ -1359,7 +1359,7 @@ describe("handleAutoDetect", () => {
   test("fast path: AuthError still propagates", async () => {
     await setDefaults("test-org");
     // Clear auth so getAuthToken() throws AuthError before any fetch
-    clearAuth();
+    await clearAuth();
     const { writer } = createCapture();
 
     await expect(