fix: Google Drive picks fail with 404 — call setAppId on Picker

[aalemayhu]

What

Adds `.setAppId(projectNumber)` to the Picker builder chain in `useGooglePicker.ts`. `projectNumber` is derived at runtime from the existing `REACT_APP_GOOGLE_CLIENT_ID` (numeric prefix of the client ID), so no new env var is needed.

Why

With the `drive.file` OAuth scope (the narrowest, picked-files-only scope we chose in #2306), Google Picker only binds the picked file to our OAuth client when `setAppId` is called. Without it, the user can pick a file in the UI but the server's `GET https://www.googleapis.com/drive/v3/files/?alt=media` with the bearer token returns 404 File not found. Every Drive pick on prod was failing with "Error handling Google Drive files" until this fix.

Verified on prod logs:
```
2|server | google drive upload success
2|server | POST /api/upload/google_drive 400
...
status: 404, message: "File not found: 1Gxh9TSApii4ErELl0jePIGUVMldsgSRe"
```

How

• One-line change in the builder chain: `.setAppId(projectNumber)` between the constructor and the rest of the chain.
• `projectNumber` is derived as `clientId().split('-')[0]` — the OAuth client ID has the shape `-.apps.googleusercontent.com`. Engineer trio call: derive instead of adding a third env var, because two vars that must stay in sync is a deployment footgun.
• Test mock updated with a `setAppId` stub. Added an assertion that the derived project number reaches `setAppId`.
• Changelog entry added for the user-visible fix.

Testing

• 6/6 `useGooglePicker` unit tests pass (was 5; +1 for the setAppId assertion).
• `/check`: server tsc clean, web typecheck clean, 484 Vitest tests pass, Biome lint clean.

Risks

• Rollback: revert this commit. The tab returns to the broken state from before this PR, no other surface affected.
• The `drive.file` scope still requires the Picker API enabled on the GCP project (already enabled — Picker UI opens on prod).

Trio synthesis

• PM: Ship the 1-line fix now. Severity high — 100% of Drive clicks fail post-feat: Google Drive tab on upload form #2306. Forward fix is cleaner than rolling back.
• Designer: Hide tab if env vars missing. No copy changes (generic error state is fine for a hotfix).
• Engineer: Derive project number from the OAuth client ID; no new env var. Insert `setAppId` in the chain. Mock needs the stub.
• Conflict: PM and Designer both assumed a new env var `REACT_APP_GOOGLE_PROJECT_NUMBER`. Engineer pointed out it's derivable. Resolution: derive it, no new env var, no drift risk.

Goal alignment

Closes the deploy-blocking bug from #2306 so the Drive tab actually works for the user base that needs it. Critical for the 300K-user goal — without this fix, the Drive tab is visible but every click fails.

---

^{Need help on this PR? Tag @codesmith with what you need.}

• Let Codesmith autofix CI failures and bot reviews

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud