Track token flow and auth disconnect reason-code updates

[chrisnestrud]

This tracks token flow hardening and auth UX behavior updates prepared in fork PR:
chrisnestrud#6

Scope covered by that PR:

• add auth_reason codes on auth-related disconnect packets
• prevent refresh token consumption on username mismatch
• make refresh failures reconnectable instead of forcing immediate return-to-login
• add client one-time password fallback after refresh failure
• add/adjust regression tests and regenerate packet schemas

Please use the linked PR for code review and cherry-pick or merge strategy.