Returns a refreshed token state if a refresh happened (the executor uses it immediately for the in-flight request), or undefined if no refresh was needed or possible. Must not throw — refresh failures are caught internally and reported via undefined so the caller falls back to the existing token.
OAuth2 refresh_token-grant TokenRefresher. Refresh failures are logged and swallowed — the caller falls back to the existing (possibly stale) token rather than aborting the tool call.