🐛 Fix cross-workspace credential theft via preview endpoint (#2430)

## Summary
- **Fixes
[GHSA-cq66-9cwr-x8jr](https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-cq66-9cwr-x8jr)**
— the previous fix for GHSA-4xc5-wfwc-jw47 was incomplete: the
bot-engine runtime still allowed any authenticated user to exfiltrate
credentials from any workspace via the preview endpoint by passing
`workspaceId: ""`
- Invert the falsy check in `getCredentials()` so that missing or empty
`workspaceId` **denies** access instead of skipping validation
- Add `z.string().min(1)` on the typebot schema's `workspaceId` to
reject empty strings at the Zod validation layer
- Tighten `getGoogleSpreadsheet` param type from `string | undefined` to
`string`

## Test plan
- [x] Typecheck passes on `credentials`, `bot-engine`, `whatsapp`
- [x] All tests pass (lint, bot-engine, whatsapp, results, lib,
rich-text, emails, builder)
- [ ] Verify that preview mode still works correctly with valid
workspaceId
- [ ] Verify that forged blocks, Google Sheets, and streaming endpoints
still load credentials for legitimate users

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>