multi-tenant Phase 2: per-user Google OAuth

- workspace-mcp: add proxy.py (port 8080) that reads X-Actor-Id header,
  fetches per-user Google credentials from Secrets Manager, writes creds
  file, sets USER_GOOGLE_EMAIL, proxies to workspace-mcp on port 8081
- workspace-mcp: update bootstrap to start workspace-mcp on 8081 + proxy on 8080
- workspace-mcp: update Dockerfile to include proxy.py
- oauth-handler Lambda: new Lambda with /oauth/start + /oauth/callback
  routes; exchanges Google auth code, stores tokens in Secrets Manager
  at agent-claw/google-credentials/{actor_id_safe}, updates DynamoDB
- CDK: add OAuthHandler Lambda + GET /oauth/start + /oauth/callback routes
- CDK: remove shared google-workspace-credentials secret; add per-user
  secret IAM grants (agent-claw/google-credentials/*) for workspace-mcp
  role, runtime1 role, and oauth-handler role
- CDK: output OAuthStartUrl + OAuthRedirectUri
- agent-runner: pass google_email in user_profile payload
- main.py: pass actor_id as X-Actor-Id header in workspace-mcp MCP calls;
  skip workspace-mcp if user has no google_email; add connect_google_account
  tool that generates OAuth URL for the current user
- main.py: include google_email in user_context for system prompt
- agentcore.json: add OAUTH_START_URL env var for agent runtime

cdk/cdk.out/AgentClawStack.assets.json

@@ -16,31 +16,46 @@
         }
       }
     },
-    "7053cd1618f5f520a7aac409588128f920d8fe76791c1dbcc65610454d1a5387": {
+    "6f6fdf79f33a947f3e50ffd783a72d04ab5f29ba299a5d51b3ecd2c2eb311370": {
       "displayName": "AgentRunner/Code",
       "source": {
-        "path": "asset.7053cd1618f5f520a7aac409588128f920d8fe76791c1dbcc65610454d1a5387",
+        "path": "asset.6f6fdf79f33a947f3e50ffd783a72d04ab5f29ba299a5d51b3ecd2c2eb311370",
         "packaging": "zip"
       },
       "destinations": {
-        "495395224548-us-east-1-63ace858": {
+        "495395224548-us-east-1-ab491e35": {
           "bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
-          "objectKey": "7053cd1618f5f520a7aac409588128f920d8fe76791c1dbcc65610454d1a5387.zip",
+          "objectKey": "6f6fdf79f33a947f3e50ffd783a72d04ab5f29ba299a5d51b3ecd2c2eb311370.zip",
           "region": "us-east-1",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
         }
       }
     },
-    "2765094d543818b111d837ea62bad41260a47615c5b99bc608a58e99f24d5b85": {
+    "5be87975e51a6859dfad098b3d998a0bcd09a4f9a437bbf38923338fb559eb9e": {
+      "displayName": "OAuthHandler/Code",
+      "source": {
+        "path": "asset.5be87975e51a6859dfad098b3d998a0bcd09a4f9a437bbf38923338fb559eb9e",
+        "packaging": "zip"
+      },
+      "destinations": {
+        "495395224548-us-east-1-23c3d77a": {
+          "bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
+          "objectKey": "5be87975e51a6859dfad098b3d998a0bcd09a4f9a437bbf38923338fb559eb9e.zip",
+          "region": "us-east-1",
+          "assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
+        }
+      }
+    },
+    "fdf1ff81e9e0ded898f1c1d03a2bb8bbe0bbf63689426c24072f179b49b527c6": {
       "displayName": "AgentClawStack Template",
       "source": {
         "path": "AgentClawStack.template.json",
         "packaging": "file"
       },
       "destinations": {
-        "495395224548-us-east-1-b10aaf8d": {
+        "495395224548-us-east-1-9bba4277": {
           "bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
-          "objectKey": "2765094d543818b111d837ea62bad41260a47615c5b99bc608a58e99f24d5b85.json",
+          "objectKey": "fdf1ff81e9e0ded898f1c1d03a2bb8bbe0bbf63689426c24072f179b49b527c6.json",
           "region": "us-east-1",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
         }