- initMatrix.ts: import the shared Session type; when a session has a refresh
token + oidc metadata, wire a LotusOidcTokenRefresher via createClient's
refreshToken + tokenRefreshFunction (reactive 401 refresh). Rust crypto is
unaffected (still keyed on userId/deviceId).
- client/oidcTokenRefresher.ts: OidcTokenRefresher subclass that persists rotated
tokens back to the fallback session.
- client/oidcLogout.ts + logoutClient: best-effort revoke access+refresh tokens at
the issuer's revocation_endpoint on logout (tolerant of failure).
- settings/account/OidcManageAccount.tsx: MSC2965 "Manage account" deep-link,
shown only when authMetadata is present (OIDC servers); mirrors OtherDevices.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>