The error we see in the logs is:

```
2025/10/27 09:26:44 WARN auth server request failed request=token-refresh statusCode=400 body="map[error:invalid_grant error_description:Session expired]"
2025/10/27 09:26:44 failed to create pull comment failed to refresh OAuth tokens: token refresh failed: auth server request failed (HTTP 400): invalid_grant
```

which is caused by the access token expiring.

We are using indigo's Go OAuth SDK, which suggests the following when performing authenticated requests:

```go
sess, err := oauthApp.ResumeSession(ctx, did, sessionID)
c := sess.APIClient()
c.Post(ctx, "com.atproto.repo.createRecord", ...)
```

and we do a similar thing:

1. [create an authorized client via `ResumeSession` followed by `sess.APIClient`](https://tangled.org/@tangled.org/core/blob/master/appview/oauth/oauth.go#L178)
2. [employ this in handlers to make authorized requests](https://tangled.org/@tangled.org/core/blob/master/appview/strings/strings.go#L252)

`ClientApp.ResumeSession` seems to handle just fetching session data, but not refreshing; this was my misunderstanding from reading this portion of [doc.go](https://github.com/bluesky-social/indigo/blob/main/atproto/auth/oauth/doc.go#L123):

> The [ClientSession] will handle nonce updates and token refreshes, and
> persist the results in the [ClientAuthStore].

It seems `ClientSession.RefreshTokens` is only ever called when performing an authorized request. We should be calling this ourselves somewhere.
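
An added example, not part of the original post and not indigo's own code: one way to classify a failed token-refresh response such as the HTTP 400 `invalid_grant` in the log above, so the caller knows whether a retry can help or the stored session has to be dropped. `RefreshAction`, `ClassifyRefreshFailure` and the action names are hypothetical; the error body is the RFC 6749 section 5.2 format, and `use_dpop_nonce` is the error code from RFC 9449.

```go
// Added example: classify an OAuth token-endpoint failure (RFC 6749 section 5.2).
package main

import (
	"encoding/json"
	"fmt"
)

// RefreshAction is a hypothetical name for what the caller should do next.
type RefreshAction int

const (
	Retry          RefreshAction = iota // transient: try again with backoff
	RetryWithNonce                      // server wants a fresh DPoP nonce (RFC 9449)
	Reauthenticate                      // grant is dead: drop session, send user to login
	Fail                                // anything else: surface the error
)

// tokenError is the JSON error body defined by RFC 6749 section 5.2.
type tokenError struct {
	Code        string `json:"error"`
	Description string `json:"error_description"`
}

// ClassifyRefreshFailure maps a failed refresh response to an action and a reason.
func ClassifyRefreshFailure(status int, body []byte) (RefreshAction, string) {
	if status >= 500 || status == 429 {
		return Retry, "auth server unavailable"
	}
	var te tokenError
	if err := json.Unmarshal(body, &te); err != nil || te.Code == "" {
		return Fail, "unparseable error body"
	}
	switch te.Code {
	case "invalid_grant":
		// Grant or refresh token is invalid, expired or revoked; a retry cannot succeed.
		return Reauthenticate, te.Description
	case "use_dpop_nonce":
		return RetryWithNonce, te.Description
	}
	return Fail, te.Code + ": " + te.Description
}

func main() {
	// Constructed body carrying the same fields as the log line above.
	body := []byte(`{"error":"invalid_grant","error_description":"Session expired"}`)
	action, reason := ClassifyRefreshFailure(400, body)
	fmt.Println(action == Reauthenticate, reason)
}
```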