Because:
- Sync needs the wrapped sync keys (kB) to complete OAuth, which require a
fresh authPW after a passwordless passkey signin.
- The fallback page existed but had no backend integration or entry route.
This commit:
- Wires SigninPasskeyFallback to /session/reauth?keys=true via
authClient.sessionReauth, routes it at /signin_passkey_fallback, and
hydrates from cached session on refresh.
- Suppresses redundant signin notifications when /session/reauth runs on a
passkey-verified session (the passkey signin already fired them).
- Adds auth-client methods for the passkey authentication ceremony.
- Fixes a pre-existing bug in /passkey/authentication/finish where
sessionToken.id (HKDF-derived) was returned in place of sessionToken.data.
- Adds unit and integration tests and a browser-driven Playwright spec
covering the full Sync OAuth, passkey, fallback flow.