fix(mcp): configure Codex remote auth env

[anombyte93]

Summary

• Configure OpenAI Codex remote MCP installs with bearer_token_env_var = "RAILWAY_API_TOKEN".
• Treat Codex remote MCP entries that only set url = "https://mcp.railway.com" as incomplete so railway setup agent --remote / railway mcp install --remote --agent codex can repair them.
• Add tests for writing the Codex remote config and detecting URL-only remote config as incomplete.

Why

Codex supports bearer-token env vars for streamable HTTP MCP servers. A URL-only remote Railway MCP config can leave Codex with an unauthenticated remote MCP server until a separate OAuth login happens. Using RAILWAY_API_TOKEN matches Railway's documented account/workspace token environment variable and works for headless/agent/tmux launches where OAuth state is not available.

Testing

• cargo fmt --check
• cargo test codex_remote
• Manual temp-home check:
  • HOME=$(mktemp -d) cargo run --quiet -- mcp install --agent codex --remote
  • verified generated .codex/config.toml contains bearer_token_env_var = "RAILWAY_API_TOKEN" and the remote MCP URL

[anombyte93]

The release-label check is failing because this fork PR has no release label. I do not have permission to add labels on railwayapp/cli; this should be release/patch and probably bug.