[login] revoke superseded auth tokens on relogin #21747

Merged: cooper-oai merged 3 commits into main from cooper/revoke-superseded-login-tokens on May 11, 2026

@cooper-oai
Contributor

Summary

  • revoke previously stored managed ChatGPT tokens after a successful re-login
  • keep the new login successful even when revocation is unavailable or fails
  • cover the shared persistence path used by browser and device-code login flows

Why

A new codex login currently overwrites existing managed ChatGPT credentials without attempting to revoke the superseded tokens, leaving old credentials valid longer than necessary.

Validation

  • just fmt
  • CARGO_HOME=/tmp/cargo-home cargo test -p codex-login

Notes

  • Initial local Cargo validation hit a corrupt existing crate cache in the default CARGO_HOME; rerunning with a clean temporary CARGO_HOME passed.

@cooper-oai marked this pull request as ready for review May 8, 2026 14:50
Contributor

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: dc78546c9e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread codex-rs/login/src/server.rs Outdated
@cooper-oai
Contributor Author

[codex] Local review loop completed for 3b24a654a80edaec40ec89923d3e6d767abe9f79.

  • Backend: local Codex CLI review
  • Result: clean for the current PR diff
  • GitHub Codex Connector review: not requested for the final clean signal

Review findings handled:

| Priority | Source | Finding | Disposition | Change or Rationale |
|---|---|---|---|---|
| P1 | GitHub Codex Connector | Re-login could revoke a refresh token that was reused and just persisted again | Addressed | Skip revocation when the previously revocable managed token matches the newly stored token; added regression coverage for the reused-refresh-token case. |

Proceeding to CI babysitting.
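
The behaviour discussed in this pull request (revoke the superseded token after a successful re-login, keep the login successful when revocation fails, skip revocation when the refresh token was reused), sketched as an added example. It is not code from the PR or from codex-rs: `Tokens`, `Revoker`, `Revocation`, `persist_login` and `FakeRevoker` are hypothetical names, and storing the new tokens before revoking the old ones is an assumption.

```rust
// Added illustration; all names are hypothetical, not taken from codex-rs.
#[derive(Clone, Debug, PartialEq)]
pub struct Tokens { pub access: String, pub refresh: String }

/// Stand-in for a call to the issuer's token revocation endpoint.
pub trait Revoker {
    fn revoke(&mut self, refresh_token: &str) -> Result<(), String>;
}

#[derive(Debug, PartialEq)]
pub enum Revocation { NothingStored, SkippedReused, Revoked, Failed(String) }

/// Persist the new login, then try to revoke the credentials it replaced.
/// Returns what happened to the old token; the login succeeds in every case.
pub fn persist_login(store: &mut Option<Tokens>, new: Tokens, revoker: &mut dyn Revoker) -> Revocation {
    // Assumption: store first, so a slow or failing revocation never blocks the new session.
    let new_refresh = new.refresh.clone();
    let old = match store.replace(new) {
        Some(old) => old,
        None => return Revocation::NothingStored,
    };
    // The issuer may return the same refresh token again; revoking it would
    // invalidate the credentials that were just written.
    if old.refresh == new_refresh {
        return Revocation::SkippedReused;
    }
    match revoker.revoke(&old.refresh) {
        Ok(()) => Revocation::Revoked,
        Err(e) => Revocation::Failed(e), // worth logging, never fatal to the login
    }
}

/// Constructed test double: records revoked tokens and can simulate an outage.
pub struct FakeRevoker { pub revoked: Vec<String>, pub down: bool }

impl Revoker for FakeRevoker {
    fn revoke(&mut self, refresh_token: &str) -> Result<(), String> {
        if self.down {
            return Err("revocation endpoint unavailable".to_string());
        }
        self.revoked.push(refresh_token.to_string());
        Ok(())
    }
}

fn main() {
    let tok = |a: &str, r: &str| Tokens { access: a.into(), refresh: r.into() };
    let (mut store, mut rv) = (Some(tok("a1", "r1")), FakeRevoker { revoked: vec![], down: false });
    println!("{:?}", persist_login(&mut store, tok("a2", "r2"), &mut rv));
}
```

Returning the outcome instead of an error lets the caller log a failed revocation while still treating the re-login as complete.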

@cooper-oai requested a review from celia-oai May 8, 2026 16:48
Comment thread codex-rs/login/src/server.rs
Comment thread codex-rs/login/src/server.rs Outdated
Comment thread codex-rs/login/src/auth/manager.rs Outdated
cooper-oai and others added 3 commits May 11, 2026 19:56
@cooper-oai force-pushed the cooper/revoke-superseded-login-tokens branch from a58677f to 0c57239 May 11, 2026 19:58
@cooper-oai requested a review from celia-oai May 11, 2026 20:26
@cooper-oai merged commit 54ec99c into main May 11, 2026
26 checks passed
@cooper-oai deleted the cooper/revoke-superseded-login-tokens branch May 11, 2026 20:36
@github-actions (bot) locked and limited conversation to collaborators May 11, 2026