Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/backend/src/bitbucket.ts`:
- Around line 55-58: The current errorconstruction reads the full response with
response.clone().text() and interpolates it into the Error.message via
Object.assign(new Error(`Bitbucket API ${response.status}: ${body}`), { status:
response.status }), which can leak payloads and create huge logs; change this to
keep the Error.message concise (e.g. `Bitbucket API ${response.status}`), attach
the full body to a non-message property (e.g. error.body or error.responseBody)
and if needed store a truncated/redacted excerpt (limit to a small length)
rather than embedding the entire body, while still preserving the status
property; update the throw site where Object.assign and new Error are used so
logs capture the short message and developers can inspect error.body if
necessary.

In `@packages/backend/src/ee/accountPermissionSyncer.ts`:
- Around line 196-199: The fail-closed branch checking
isUnauthorized/isForbidden/RefreshTokenError is bypassed because
syncAccountPermissions() wraps GitHub 401/403 into a plain Error; update the
error handling in syncAccountPermissions to either preserve the original HTTP
status when creating the wrapped error (e.g., copy status/statusCode onto the
new Error) or avoid wrapping and rethrow the original error after adding
context, so isUnauthorized/isForbidden will detect revoked GitHub tokens; ensure
the change touches the error creation/throwing site and keeps
isUnauthorized/isForbidden/RefreshTokenError checks working as-is.
- Around line 188-211: The try/catch around this.syncAccountPermissions
currently swallows non-auth errors so runJob()/onJobCompleted() mark the job
COMPLETED even when sync failed; modify the catch to rethrow any error that is
not handled by the auth checks by adding a throw error after the
unauthorized/forbidden/RefreshTokenError handling (or remove the catch and only
handle auth errors explicitly), ensuring syncAccountPermissions failures
propagate to runJob() and trigger onJobFailed().

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/backend/src/ee/accountPermissionSyncer.ts`:
- Around line 223-237: The current catch around ensureFreshAccountToken(account,
this.db) indiscriminately wraps all errors as RefreshTokenError, causing
transient failures to trigger permission deletion in runJob; change this so you
only convert to RefreshTokenError when the underlying error clearly indicates an
invalid grant (e.g., inspect error.response?.data?.error === 'invalid_grant',
error.message contains 'invalid_grant', or a specific OAuth error code), and
rethrow the original error for all other cases so ordinary job failures bubble
up; update the catch in accountPermissionSyncer.ts accordingly (referencing
ensureFreshAccountToken and RefreshTokenError and how runJob treats
RefreshTokenError).
- Around line 191-211: The catch block in accountPermissionSyncer currently only
clears accessibleRepos for isUnauthorized, isForbidden, or RefreshTokenError;
extend the fail-closed logic to also treat token-scope errors from
syncAccountPermissions as permanent authorization failures by including the
scope-check error classification here (or by mapping those scope errors to a
typed auth error earlier). Update the condition that checks
isUnauthorized/isForbidden/RefreshTokenError to also check the scope-loss
predicate (or the new AuthScopeError type) so that this.db.account.update({
where: { id: account.id }, data: { accessibleRepos: { deleteMany: {} } } }) runs
for scope-loss cases as well before rethrowing the error. Ensure you reference
the same symbols: isUnauthorized, isForbidden, RefreshTokenError,
syncAccountPermissions, accessibleRepos and preserve rethrowing the original
error after clearing.