[codex] Validate workflow response token

[caydyan]

Summary

• Gate POST /workflows/response with the SWWF_RESKEY environment token before processing the response body.
• Accept x-api-token, x-swwf-reskey, or Authorization: Bearer ... so the endpoint can work with existing project header conventions while satisfying the token-header requirement.
• Return 500 when the server token is not configured and 401 when the request token is missing or invalid.
• Add workflow response token validation coverage and refresh the generated Database mock with GetBountyByUnlockCode so the handlers package compiles.

Fixes #1930

Validation

• go test ./handlers -run '^TestHandleWorkflowResponseTokenValidation$' -count=1\n- go test ./routes -run 'TestWorkflowRoutes' -count=1\n- go test ./... -run TestNonExistent -count=0\n\n## Note\n- go test ./handlers -run 'TestHandleWorkflowResponse|TestHandleWorkflowResponseTokenValidation' -count=1 requires the local test Postgres on localhost:5532; in this environment it failed with connection refused after the package compiled.

[caydyan]

Current-head validation rerun on 0db528d:

• go test ./handlers -run TestHandleWorkflowResponseTokenValidation -count=1 -v passed, including all 5 token-validation subtests.
• go test ./... -run ^$ passed as a compile/no-test package sweep.
• git diff --check origin/master...HEAD passed.

I also attempted broader go test ./handlers -run Test.*Workflow -count=1 -v; it is blocked locally by the documented test Postgres not running on localhost:5532. Docker is installed here, but the daemon API returns 500 on docker ps, so I could not start docker/testdb-docker-compose.yml in this environment.