Fix Google OAuth: explicit IAM policy + strip OIDC scopes from credentials

src/lambdas/oauth-handler/handler.py

@@ -174,7 +174,7 @@ def handle_callback(params: dict) -> dict:
         'token_uri': 'https://oauth2.googleapis.com/token',
         'client_id': client_id,
         'client_secret': client_secret,
-        'scopes': SCOPES.split(),
+        'scopes': [s for s in SCOPES.split() if s.startswith('https://')],
         'email': user_email,
         'user_email': user_email,
     }