Long-running persona-sati connections currently rely on process restart after bearer-token expiry. Add an explicit refresh/reconnect path without attempting to make an Agent Identity Blueprint act as an OAuth public client.
Acceptance criteria:
- Expired authentication is detected and surfaced.
- The client refreshes credentials or reconnects using the supported confidential-client model.
- Recovery does not require restarting the Entrabot host process.
- Tokens and assertions never appear in logs.
- Tests cover expiry, refresh failure, and successful recovery.
Long-running persona-sati connections currently rely on process restart after bearer-token expiry. Add an explicit refresh/reconnect path without attempting to make an Agent Identity Blueprint act as an OAuth public client.
Acceptance criteria: