[codex] Wire Atlas Google Docs service account env

[lafawnduh1966]

Summary

• update dev with latest origin/main before branching, resolving the Quay version conflict in favor of v0.3.37
• generate a deployment-owned auth/atlas-runtime.env from deploy.values.yaml and source it before the preserved Atlas secrets env
• wire Atlas Google Docs auth through ATLAS_GOOGLE_SERVICE_ACCOUNT_FILE, defaulting to auth/otto-google-sa.json
• extend installer verification and tests for the runtime env, service-account file ownership/mode, wrapper/profile sourcing, and systemd EnvironmentFile wiring

Validation

• scripts/run_tests.sh tests/hermes_cli/test_setup_hermes_script.py
• scripts/run_tests.sh tests/ops/test_atlas_as_hermes_wrapper.py tests/ops/test_setup_hermes_verify.py
• bash -n installer/setup-hermes.sh ops/atlas-as-hermes ops/profile.d/atlas-env.sh
• git diff --check

Notes

• Existing auth/atlas.env remains reserved for staged secrets like GITBOOK_API_TOKEN; generated auth/atlas-runtime.env carries values-derived runtime configuration.
• Live krustentier testing showed google-sa-key.json failed Google JWT validation, while otto-google-sa.json successfully minted a Drive token and moved Atlas from auth failure to normal Drive 404 behavior on a fake doc.