
fix(android-sdk): invalidate unauthenticated sign-out and keep omitted refresh tokens#265

Merged
xiaoyijun merged 1 commit into
masterfrom
xiaoyijun-fix-guard-hardening-mirror
Jun 12, 2026

Conversation

@xiaoyijun

Collaborator

Summary

Mirrors to master the two credential-guard hardenings that landed on the v2.x backport PR #264, so the branches stay in lockstep:

  • Invalidate unauthenticated sign-out flows (ports abbd42b from fix(android-sdk): discard in-flight token responses after sign-out #264): signOut / clearCredentials called while not authenticated used to early-return without bumping the credential generation, so a sign-in whose code exchange was still in flight would complete and sign the user in after they had expressed sign-out intent. Both early returns now invalidate pending flows first (new no-arg CredentialGuard.invalidate() overload).
  • Keep the refresh token when a refresh response omits it (the Copilot finding on fix(android-sdk): discard in-flight token responses after sign-out #264): the refresh path now falls back to the token the request was made with (refreshedToken.refreshToken ?: tokenForRefresh), per RFC 6749 §6. The code-exchange path is intentionally unchanged — a sign-in response without a refresh token still clears any previous one. Unreachable against Logto's own OP (which always returns a refresh token on the refresh grant), but correct per spec and keeps the token-persistence code identical across branches.

Testing

unit tests — three new: sign-out-during-unauthenticated-sign-in (both signOut and clearCredentials entry points) and refresh-response-without-refresh-token. Red-check verified: exactly these 3 fail on current master, all 45 pass with the fix.

Checklist

  • .changeset (N/A — this repo uses release-please)
  • unit tests
  • integration tests (N/A)
  • necessary KDoc comments (N/A — no public API changes)

🤖 Generated with Claude Code
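The two hardenings in the summary, as an added example rather than the SDK's own code (every type and method name here is an assumption, not the Logto Android SDK's API): a generation counter that every credential-persisting flow reads before it starts and must still match when it commits, a sign-out that bumps the counter before any early return, and a refresh path that keeps the refresh token it was issued with when the response omits one (RFC 6749 §6), while the code-exchange path does not fall back.

```kotlin
import java.util.concurrent.atomic.AtomicLong

// Hypothetical types standing in for the SDK's token response and stored credentials.
data class TokenResponse(val accessToken: String, val refreshToken: String?)
data class Credentials(val accessToken: String, val refreshToken: String?)

// Monotonic generation counter. A flow that may later persist credentials
// takes a ticket when it starts and may only commit while the ticket still
// equals the current generation.
class CredentialGuard {
    private val generation = AtomicLong(0)
    fun begin(): Long = generation.get()
    fun invalidate() { generation.incrementAndGet() }   // the no-arg overload the PR adds
    fun isCurrent(ticket: Long): Boolean = ticket == generation.get()
}

class CredentialStore {
    private val guard = CredentialGuard()
    var credentials: Credentials? = null
        private set
    val isAuthenticated: Boolean get() = credentials != null

    // Sign-in step 1: take a ticket before the redirect / code exchange starts.
    fun beginSignIn(): Long = guard.begin()

    // Sign-in step 2: the code-exchange response arrives. Persist only if no
    // sign-out happened in between. A response without a refresh token clears
    // any previous one; the code-exchange path intentionally does not fall back.
    fun completeSignIn(ticket: Long, response: TokenResponse): Boolean {
        if (!guard.isCurrent(ticket)) return false
        credentials = Credentials(response.accessToken, response.refreshToken)
        return true
    }

    // Sign-out invalidates pending flows FIRST. The pre-fix bug was an early
    // `if (!isAuthenticated) return` placed before the invalidate() call, which
    // let a still-in-flight sign-in complete after the user asked to sign out.
    fun signOut() {
        guard.invalidate()
        if (!isAuthenticated) return
        credentials = null
    }

    // Refresh step 1: ticket plus the refresh token the request will be made with.
    fun beginRefresh(): Pair<Long, String>? {
        val tokenForRefresh = credentials?.refreshToken ?: return null
        return guard.begin() to tokenForRefresh
    }

    // Refresh step 2: RFC 6749 section 6 lets the server omit refresh_token, in
    // which case the client keeps the one it used; so fall back to tokenForRefresh.
    fun completeRefresh(ticket: Long, tokenForRefresh: String, response: TokenResponse): Boolean {
        if (!guard.isCurrent(ticket)) return false
        credentials = Credentials(response.accessToken, response.refreshToken ?: tokenForRefresh)
        return true
    }
}

fun main() {
    val store = CredentialStore()

    // Race from the PR: sign-in starts, the user signs out while still
    // unauthenticated, then the code exchange completes late.
    val ticket = store.beginSignIn()
    store.signOut()
    val committed = store.completeSignIn(ticket, TokenResponse("at-1", "rt-1"))
    check(!committed && !store.isAuthenticated) { "late sign-in must be discarded" }

    // Normal sign-in, then a refresh whose (constructed) response omits refresh_token.
    val t2 = store.beginSignIn()
    check(store.completeSignIn(t2, TokenResponse("at-2", "rt-2")))
    val (t3, tokenForRefresh) = checkNotNull(store.beginRefresh())
    check(store.completeRefresh(t3, tokenForRefresh, TokenResponse("at-3", null)))
    check(store.credentials?.refreshToken == "rt-2") { "omitted refresh token must be kept" }

    // A refresh that completes after sign-out is discarded by the same guard.
    val (t4, rt4) = checkNotNull(store.beginRefresh())
    store.signOut()
    check(!store.completeRefresh(t4, rt4, TokenResponse("at-4", "rt-4")))
    check(!store.isAuthenticated)
    println("ok: late sign-in discarded, omitted refresh token preserved, late refresh discarded")
}
```

The ordering inside signOut() is the whole point: the invalidate() call has to precede the "not authenticated" early return, otherwise the ticket handed out by beginSignIn() stays current and the late completeSignIn() commits. The same guard covers the refresh path, which is why a refresh that returns after sign-out is also dropped.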

@xiaoyijun xiaoyijun requested a review from a team June 12, 2026 01:20
@xiaoyijun xiaoyijun merged commit 7251e40 into master Jun 12, 2026
3 checks passed
@xiaoyijun xiaoyijun deleted the xiaoyijun-fix-guard-hardening-mirror branch June 12, 2026 01:27