fix(oauth): resolve re-auth deadlock and improve flow robustness (#87)

* fix(oauth): resolve re-auth deadlock and improve flow robustness

Problem: in-flight TCP server held port 18392 for up to 120 seconds.
Calling `auth()` again caused `bind()` to fail silently — the browser
opened but no listener could receive the OAuth callback. `_wipe()` on
exchange failure also destroyed credentials, forcing full re-setup.

Solution: `_active_close` at module scope cancels any in-flight server
when `auth()` or `clear_tokens()` is called. Binding is guarded with
`pcall`; the browser only opens after the server is listening. Swapped
`_wipe()` for `clear_tokens()` in `_exchange_code` to preserve
credentials on failure. Added `select_account` to `prompt` so Google
always shows the account picker on re-auth.

* test(oauth): isolate bundled-credentials fallback from real filesystem

Problem: `resolve_credentials` reads from `vim.fn.stdpath('data')`,
the real Neovim data dir. The test passed only because `_wipe()` was
incidentally deleting the user's credential file mid-run.

Solution: stub `oauth.load_json_file` for the duration of the test so
real credential files cannot interfere with the fallback assertion.

* ci: format

spec/oauth_spec.lua

@@ -142,8 +142,13 @@ describe('oauth', function()
     it('falls back to bundled credentials', function()
       config.reset()
       vim.g.pending = { data_path = tmpdir .. '/tasks.json' }
+      local orig_load = oauth.load_json_file
+      oauth.load_json_file = function()
+        return nil
+      end
       local c = oauth.new({ name = 'gtasks', scope = 'x', port = 0, config_key = 'gtasks' })
       local creds = c:resolve_credentials()
+      oauth.load_json_file = orig_load
       assert.equals(oauth._BUNDLED_CLIENT_ID, creds.client_id)
       assert.equals(oauth._BUNDLED_CLIENT_SECRET, creds.client_secret)
     end)