
[codex] Add Slack-authenticated MCP tool runners #718

Draft
Zygimantass wants to merge 2 commits into main from codex/mcp-persistent-tool-runners


Conversation

@Zygimantass (Member)

Summary

This adds a first pass at Centaur MCP + SSO using Slack-issued bearer tokens and principal-scoped persistent tool runners.

  • Add MCP Streamable HTTP endpoints in api-rs, including protected-resource metadata, tools/list, tools/call, and bearer-token authentication.
  • Add DB-backed MCP tokens with hashed storage, expiration, last-used tracking, and Slack/admin issuance endpoints.
  • Teach slackbotv2 to issue an MCP token from a DM or bot mention while refusing to print secrets into normal shared-channel messages.
  • Route proxied Centaur tools through a persistent per-principal sandbox runner instead of starting one sandbox per tool call.
  • Bind each runner sandbox to the authenticated iron-control principal so tool secrets still flow through the per-principal iron-proxy path.
  • Enable the local dev console in values.dev.yaml, because local iron-proxy mode now needs iron-control wiring.

ELI10

Centaur now gives a Slack user a special key. When Amp uses that key to call Centaur's MCP server, Centaur can tell whose tools it should use.

The first real tool call starts a small sandbox for that person. That sandbox has the normal Centaur tool shims and its own iron-proxy. Later tool calls from the same person reuse the same sandbox, so we avoid the slow "start a new sandbox every time" path. The tools still do not get raw secrets; the proxy injects only what that principal is allowed to use.

Validation

  • cargo fmt --check
  • cargo check -p centaur-api-server
  • cargo test -p centaur-session-runtime persistent_tool_runner_command_preserves_sandbox_entrypoint_for_tool_setup
  • cargo test -p centaur-api-server mcp_
  • cargo test -p centaur-session-sqlx mcp_tokens_have_expected_prefix_and_hash_without_leaking_secret
  • pnpm install --frozen-lockfile
  • pnpm --dir services/slackbotv2 test
  • pnpm --dir services/slackbotv2 check:types
  • git diff --cached --check
  • Local smoke before moving to this worktree: just build-one api-rs, just deploy, /healthz, and two proxied MCP slack.list_channels calls using one local MCP token. Both calls returned isError:false, and logs showed one persistent_tool_runner_created plus one running centaur.ai/component=mcp-tool-runner pod.
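The flow the description above lays out (a token that is handed out once and persisted only as a hash, bearer authentication on tools/call with expiry and last-used tracking, and one persistent runner per authenticated principal) can be sketched in a few dozen lines. The block below is an added illustration, not code from this PR or the Centaur repository; `MCP_TOKEN_PREFIX`, `TokenStore`, `RunnerPool`, `tools_call` and the `RESOURCE_METADATA_URL` path are hypothetical names, and the runner is a dict standing in for the sandbox pod.

```python
# Added example, not Centaur's own code: Slack/admin-issued MCP bearer tokens
# stored only as SHA-256 hashes, checked on each tools/call, then mapped to a
# single persistent tool runner per principal. All names here are hypothetical.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MCP_TOKEN_PREFIX = "cmcp_"  # assumed prefix; a fixed prefix lets secret scanners flag leaks
RESOURCE_METADATA_URL = "/.well-known/oauth-protected-resource"  # RFC 9728 location, assumed


def token_hash(secret: str) -> str:
    """Only this digest is persisted; the database never sees the bearer secret."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    principal: str          # the iron-control principal the token is bound to
    issued_by: str          # "slack" or "admin"
    hash_hex: str
    expires_at: datetime
    last_used_at: Optional[datetime] = None
    revoked: bool = False


class TokenStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, TokenRecord] = {}

    def issue(self, principal: str, issued_by: str, ttl: timedelta, now: datetime) -> str:
        secret = MCP_TOKEN_PREFIX + secrets.token_urlsafe(32)
        rec = TokenRecord(principal, issued_by, token_hash(secret), now + ttl)
        self._by_hash[rec.hash_hex] = rec
        return secret  # shown to the user exactly once (e.g. in a Slack DM), never logged

    def record_for(self, secret: str) -> Optional[TokenRecord]:
        return self._by_hash.get(token_hash(secret))

    def authenticate(self, bearer: str, now: datetime) -> Optional[str]:
        """Principal for a live token, else None. Looking up by digest is safe:
        a leaked stored hash does not give an attacker a usable secret."""
        if not bearer.startswith(MCP_TOKEN_PREFIX):
            return None
        rec = self._by_hash.get(token_hash(bearer))
        if rec is None or rec.revoked or now >= rec.expires_at:
            return None
        rec.last_used_at = now
        return rec.principal


class RunnerPool:
    """One sandbox runner per principal, started on the first tool call and reused."""
    def __init__(self) -> None:
        self._runners: dict[str, dict] = {}
        self.created = 0  # would correspond to a persistent_tool_runner_created event

    def runner_for(self, principal: str) -> dict:
        if principal not in self._runners:
            self.created += 1
            # the real runner is a sandbox bound to this principal's iron-proxy path
            self._runners[principal] = {"principal": principal, "id": f"runner-{self.created}"}
        return self._runners[principal]


def tools_call(store: TokenStore, pool: RunnerPool, authorization: str, tool: str, now: datetime) -> dict:
    """Hypothetical tools/call handler: bad bearers get a 401 that points at the
    protected-resource metadata; good ones are routed to the caller's runner."""
    challenge = f'Bearer resource_metadata="{RESOURCE_METADATA_URL}"'
    if not authorization.startswith("Bearer "):
        return {"status": 401, "www_authenticate": challenge}
    principal = store.authenticate(authorization[len("Bearer "):], now)
    if principal is None:
        return {"status": 401, "www_authenticate": f'Bearer error="invalid_token", ' + challenge[7:]}
    runner = pool.runner_for(principal)
    # the runner executes the tool shim; tool secrets are injected by the proxy, not passed here
    return {"status": 200, "isError": False, "runner": runner["id"], "tool": tool, "principal": principal}


def demo() -> dict:
    """Replays the smoke test from the PR: two proxied calls with one token, one runner."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    store, pool = TokenStore(), RunnerPool()
    tok = store.issue("U01SLACKUSER", "slack", timedelta(hours=12), now)  # constructed principal
    rec = store.record_for(tok)
    first = tools_call(store, pool, f"Bearer {tok}", "slack.list_channels", now)
    second = tools_call(store, pool, f"Bearer {tok}", "slack.list_channels", now + timedelta(minutes=5))
    expired = tools_call(store, pool, f"Bearer {tok}", "slack.list_channels", now + timedelta(days=1))
    return {
        "token_has_prefix": tok.startswith(MCP_TOKEN_PREFIX),
        "secret_not_stored": tok not in repr(rec),
        "both_ok": first["isError"] is False and second["isError"] is False,
        "same_runner": first["runner"] == second["runner"],
        "runners_created": pool.created,
        "last_used_updated": rec.last_used_at == now + timedelta(minutes=5),
        "expired_status": expired["status"],
        "missing_bearer_status": tools_call(store, pool, "", "x", now)["status"],
        "unknown_token_status": tools_call(store, pool, "Bearer " + MCP_TOKEN_PREFIX + "bogus", "x", now)["status"],
    }
```

The `demo()` function mirrors the local smoke described in the validation list: two `slack.list_channels` calls with one token succeed and share a runner, while an expired, unknown or missing bearer is refused with a challenge that points the client at the protected-resource metadata.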

