12d4dbcbb2
Cover the refresh-token flow (works, not usable as an access token, and revokes the rotated-away access token), non-owner denial on object ACLs / file tags / import, and immediate session revocation on user block.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>