feat(auth): require recovery PIN and strip identifying metadata from Drive backups

[barrydeen]

Summary

External review of the new "Continue with Google" / Drive backup flow surfaced several issues. This PR addresses the security and privacy ones; the unreleased feature lets us land them without a migration path.

What changed

• Recovery PIN required. Backups are now encrypted with a key derived from PBKDF2-HMAC-SHA256 (600k iterations) over a 4–8 digit numeric PIN that the user sets at first sign-in, salted by HMAC(sub). Compromising the Google account alone no longer decrypts the nsec.
• Use the signed sub claim, not parsed.id. GoogleIdTokenCredential.id is the user's email and can change (Workspace renames). The JWT sub is the stable Google account ID.
• Opaque Drive filenames. Files are now wisp_bk_<uuid>.bin. The npub is no longer leaked to Drive and is recovered by decrypting. The delete-then-upload race in the old code is gone — each new account creates a fresh file.
• Decoy pubkeys in the profile fetch. The chooser still enriches accounts with name + avatar, but the REQ now mixes the real backup pubkeys with 10 random kind-0 pubkeys pulled from a popular relay first, so the relay can't see which pubkeys are actually on this device.

UX changes

• New SetupPin flow (enter → confirm → mismatch retry) on first sign-in, with a "if you forget this PIN your Nostr key is gone forever" warning.
• New EnterPinForRestore flow when backups are found; wrong PIN surfaces inline and lets the user retry.

Notes

• Unreleased feature, so the old wisp_nsec_<npub>.bin filename / email-based key derivation is dropped entirely with no migration path. Any orphaned files in testers' appDataFolder will not be listed and can be cleaned up manually.
• 600k PBKDF2 iterations costs ~200–400ms on a phone; the derivation runs at most twice per sign-in.

Test plan

• Fresh sign-in with no existing backups → SetupPin (Enter → Confirm) → account created and backup uploaded
• Confirm-step mismatch → returns to Enter with mismatch error
• Re-sign-in with one backup → EnterPinForRestore → correct PIN → chooser shows the account with name/avatar
• Wrong PIN → "Incorrect PIN. Try again." with retry
• From chooser, "Create another account" → uploads a second backup under the same PIN
• Re-sign-in with two backups → correct PIN → both accounts appear in chooser
• Verify Drive appDataFolder contains only wisp_bk_<uuid>.bin files (filenames don't contain npub)