fix: DynamicBearer auth, retry on 500/429, upload resilience

- DynamicBearer AuthMethod: La Suite clients resolve tokens fresh
  per-request from cache file, surviving token expiry mid-session
- Retry with exponential backoff on all Drive API calls (create_child,
  upload_ended) — up to 5 retries on 429/500/502/503
- Token refresh triggered on 500 before retry (handles expired SSO)
- S3 upload retry with backoff (up to 3 retries on 502/503)
- Connection pooling: reuse DriveClient HTTP client for S3 PUTs
- Folder/file dedup: skip existing items on re-upload

sunbeam-sdk/src/auth/mod.rs

@@ -674,6 +674,16 @@ pub fn get_gitea_token() -> Result<String> {
     })
 }
 
+/// Get cached SSO access token synchronously (reads from cache file).
+/// If the token was recently refreshed by the async `get_token()`, this
+/// returns the fresh one. Used by DynamicBearer for per-request auth.
+pub fn get_token_sync() -> Result<String> {
+    let cached = read_cache().map_err(|_| {
+        SunbeamError::identity("Not logged in. Run `sunbeam auth login` first.")
+    })?;
+    Ok(cached.access_token)
+}
+
 /// Get cached OIDC id_token (JWT).
 pub fn get_id_token() -> Result<String> {
     let tokens = read_cache().map_err(|_| {