fix(sync): auth and health UX improvements

Problem: Failed token exchange left credential files on disk, trapping
users in a broken auth loop with no way back to setup. The `auth`
prompt used raw backend names and a terse prompt string. The `health`
action appeared in `:Pending gcal health` tab completion but silently
no-oped outside `:checkhealth`. gcal health omitted the token check
that gtasks had.

Solution: `_exchange_code` now calls `_wipe()` on both failure paths,
clearing the token and credentials files so the next `:Pending auth`
routes back through `setup()`. Prompt uses full service names and
"Authenticate with:". `health` is filtered from sync subcommand
completion and dispatch — its home is `:checkhealth pending`. gcal
health now checks for tokens.

lua/pending/init.lua

@@ -550,7 +550,7 @@ local function run_sync(backend_name, action)
   if not action or action == '' then
     local actions = {}
     for k, v in pairs(backend) do
-      if type(v) == 'function' and k:sub(1, 1) ~= '_' then
+      if type(v) == 'function' and k:sub(1, 1) ~= '_' and k ~= 'health' then
         table.insert(actions, k)
       end
     end
@@ -558,7 +558,7 @@ local function run_sync(backend_name, action)
     log.info(backend_name .. ' actions: ' .. table.concat(actions, ', '))
     return
   end
-  if type(backend[action]) ~= 'function' then
+  if action == 'health' or type(backend[action]) ~= 'function' then
     log.error(backend_name .. " backend has no '" .. action .. "' action")
     return
   end
@@ -831,8 +831,8 @@ end
 ---@return nil
 function M.auth()
   local oauth = require('pending.sync.oauth')
-  vim.ui.select({ 'gtasks', 'gcal', 'both' }, {
-    prompt = 'Authenticate:',
+  vim.ui.select({ 'Google Tasks', 'Google Calendar', 'Google Tasks and Google Calendar' }, {
+    prompt = 'Authenticate with:',
   }, function(choice)
     if not choice then
       return

lua/pending/sync/gcal.lua

@@ -234,6 +234,12 @@ end
 ---@return nil
 function M.health()
   oauth.health(M.name)
+  local tokens = oauth.google_client:load_tokens()
+  if tokens and tokens.refresh_token then
+    vim.health.ok('gcal tokens found')
+  else
+    vim.health.info('no gcal tokens — run :Pending auth')
+  end
 end
 
 return M

lua/pending/sync/oauth.lua

@@ -470,12 +470,14 @@ function OAuthClient:_exchange_code(creds, code, code_verifier, port, on_complet
   }, { text = true })
 
   if result.code ~= 0 then
+    self:_wipe()
     log.error('Token exchange failed.')
     return
   end
 
   local ok, decoded = pcall(vim.json.decode, result.stdout or '')
   if not ok or not decoded.access_token then
+    self:_wipe()
     log.error('Invalid token response.')
     return
   end
@@ -488,6 +490,12 @@ function OAuthClient:_exchange_code(creds, code, code_verifier, port, on_complet
   end
 end
 
+---@return nil
+function OAuthClient:_wipe()
+  os.remove(self:token_path())
+  os.remove(vim.fn.stdpath('data') .. '/pending/google_credentials.json')
+end
+
 ---@param opts { name: string, scope: string, port: integer, config_key: string }
 ---@return pending.OAuthClient
 function M.new(opts)

plugin/pending.lua

@@ -216,7 +216,7 @@ end, {
       end
       local actions = {}
       for k, v in pairs(mod) do
-        if type(v) == 'function' and k:sub(1, 1) ~= '_' then
+        if type(v) == 'function' and k:sub(1, 1) ~= '_' and k ~= 'health' then
           table.insert(actions, k)
         end
       end