fix(sync): auto-trigger auth flow on unauthenticated sync actions (#120)

Problem: running a sync action (e.g. `:Pending gtasks push`) without
being authenticated would silently abort with a warning, requiring
the user to manually run `:Pending auth` first.

Solution: `oauth.with_token()` now auto-triggers the browser auth flow
when no token exists (for non-bundled credentials) and resumes the
original action on success. `auth()` and `_exchange_code()` now call
`on_complete(ok)` on all exit paths. S3 backends run
`aws sts get-caller-identity` before every sync action, auto-triggering
SSO login on expired sessions.

doc/pending.txt

@@ -1143,6 +1143,21 @@ Shared utilities for backend authors are provided by `sync/util.lua`:
 
 Backend-specific configuration goes under `sync.<name>` in |pending-config|.
 
+Auto-auth: ~
+                                                      *pending-sync-auto-auth*
+Running a sync action (`:Pending <name> push/pull/sync`) without valid
+credentials automatically triggers authentication before proceeding:
+
+- OAuth backends (gcal, gtasks): if real credentials are configured but no
+  token exists, the browser-based auth flow starts automatically. On
+  success, the original action continues. Bundled placeholder credentials
+  cannot auto-auth and require the setup wizard via `:Pending auth`.
+- S3: `aws sts get-caller-identity` runs before every sync action. If SSO
+  is expired, `aws sso login` is triggered automatically. Missing
+  credentials abort with an error pointing to |pending-s3|.
+
+On auth failure, the sync action is aborted with an error message.
+
 ==============================================================================
 GOOGLE CALENDAR                                                 *pending-gcal*