@hienlh/ppm 0.8.25 → 0.8.26

package/CHANGELOG.md

@@ -1,12 +1,13 @@
 # Changelog
 
-## [0.8.25] - 2026-03-24
+## [0.8.26] - 2026-03-24
 
 ### Changed
 - **Temporary export/import**: Exported accounts no longer include refresh tokens — imported accounts are temporary (~1h access-only). Prevents token rotation conflicts between machines.
 - **Temporary account UI**: Shows "Temporary" badge for accounts without refresh token, "Expired" badge when expired. Expired temporary accounts cannot be re-enabled.
 - **Auto-cleanup**: Expired temporary accounts (no refresh token) are automatically deleted after 7 days.
 - **Export warning**: Export dialog now explains that exported accounts are temporary and the importing machine should login directly for permanent access.
+- **Invalid refresh token cleanup**: When refresh fails with `invalid_grant`, clears the refresh token so the account becomes temporary (same lifecycle rules apply: can't re-enable when expired, auto-deleted after 7 days)
 
 ## [0.8.24] - 2026-03-24
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hienlh/ppm",
-  "version": "0.8.25",
+  "version": "0.8.26",
   "description": "Personal Project Manager — mobile-first web IDE with AI assistance",
   "author": "hienlh",
   "license": "MIT",

package/src/services/account.service.ts

@@ -530,6 +530,11 @@ class AccountService {
     if (!res.ok) {
       const errorBody = await res.text().catch(() => "");
       console.error(`[accounts] Refresh failed for ${accountId}: ${res.status} ${errorBody}`);
+      // invalid_grant = refresh token permanently dead → clear it so account becomes temporary
+      if (errorBody.includes("invalid_grant")) {
+        console.log(`[accounts] Clearing invalid refresh token for ${account.email ?? accountId} — account is now temporary`);
+        updateAccount(accountId, { refresh_token: encrypt("") });
+      }
       if (disableOnFail) {
         this.setDisabled(accountId);
       }