fix(admin-web): save new refresh token after token rotation

refreshAccessToken() was discarding the new refresh token returned by
/auth/refresh, reusing the old (now-invalidated) one on next expiry.
This caused the second refresh to return 401, kicking the user to login
after just 15 minutes (two access token lifetimes).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/admin-web/src/infrastructure/http/http.client.ts

@@ -93,11 +93,13 @@ class HttpClient {
         });
         const newAccessToken: string = resp.data?.data?.accessToken ?? resp.data?.accessToken;
         if (!newAccessToken) throw new Error('No access token in refresh response');
+        // 同时保存新的 refresh token（rotating refresh token — 不保存会导致下次 refresh 失败）
+        const newRefreshToken: string | undefined = resp.data?.data?.refreshToken ?? resp.data?.refreshToken;
 
-        console.log('[HttpClient] Got new access token, updating storage...');
-        // 更新 localStorage 中的 token（Zustand store 下次读取时自动感知）
+        console.log('[HttpClient] Got new tokens, updating storage...');
         const updated = JSON.parse(raw);
         updated.state.token = newAccessToken;
+        if (newRefreshToken) updated.state.refreshToken = newRefreshToken;
         localStorage.setItem('gcx-admin-auth', JSON.stringify(updated));
 
         return newAccessToken;