fix: use routed gateway endpoints with bearer token auth for Codex

Three issues found from CI logs:
1. /sse endpoint returned 404 - gateway uses /mcp/<server> routed paths
2. [mcp_servers.gateway.headers] silently ignored by Codex (not a valid field)
3. Without bearer_token_env_var, Codex falls back to OAuth which requires
   D-Bus keyring (unavailable in container)

Fix: Create per-server entries (playwright, safeoutputs, tavily) each
pointing to the gateway's routed endpoint with bearer_token_env_var.
Add AWF_GATEWAY_TOKEN env var (not in exclude list) to pass the API key
into the AWF container via --env-all.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lpcox