Preserve MCP OAuth manager credentials on reread errors

[GraciousGazelles]

Summary

• Port the relevant behavior from upstream branch dev/stevenlee/mcp-oauth-stack-6-auto-read-errors / commit 2b64cf47db in downstream-shaped form.
• Keep refresh rereads pinned to the already resolved credential backend, so keyring reread errors fail closed instead of clearing active request credentials.
• Add a regression test proving the RMCP manager still has the request-only access token after a keyring reread failure aborts refresh.

Validation

• rustfmt --check codex-rs/rmcp-client/src/oauth.rs
• git diff --check
• cargo test -p codex-rmcp-client --lib oauth::tests::refresh_transaction_keeps_manager_credentials_on_keyring_reread_error -- --exact

Upstream harvest note

• The earlier OAuth stack PRs were already covered by [codex] Serialize MCP OAuth credential refreshes #347. A refreshed harvest also found upstream branch dev/stevenlee/mcp-oauth-stack-6-auto-read-errors with no open PR at the time of inspection; this PR lands the relevant downstream-compatible regression coverage and refresh reread seam.

[gemini-code-assist]

Code Review

This pull request refactors the OAuth token refresh mechanism to support a generic keyring store, improving testability. It introduces a helper function for loading tokens during refresh and adds a unit test to verify credential retention on keyring reread errors. The review feedback suggests ensuring proper initialization of the AuthorizationManager in the test helper by calling initialize_from_store and simplifying redundant type paths.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.