fix: Gemini engine passes unsupported --mcp-config flag to Gemini CLI

## Bug

The Gemini engine compiler generates a CLI invocation with `--mcp-config`, which the Gemini CLI does not support:

```bash
gemini --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --output-format json --prompt "..."
```

Gemini CLI rejects this immediately:

```
Unknown arguments: mcp-config, mcpConfig
```

### Reproduction

Triggered `Smoke Gemini` workflow on `gh-aw-firewall` after merging https://github.com/github/gh-aw-firewall/pull/974:

- **Failed run**: https://github.com/github/gh-aw-firewall/actions/runs/22202278807
- **Gemini CLI version**: `@google/gemini-cli@0.29.0`
- **gh-aw version**: v0.47.0

### Root Cause

The compiled lock file (line 1373) passes `--mcp-config` as a CLI flag:

```yaml
gemini --mcp-config /tmp/gh-aw/mcp-config/mcp-servers.json --output-format json --prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"
```

Gemini CLI does **not** have a `--mcp-config` flag. Instead, it reads MCP server configuration from `settings.json` files:

- **Global**: `~/.gemini/settings.json`
- **Project**: `.gemini/settings.json`

The `mcpServers` key in `settings.json` supports `command`, `url`, or `httpUrl` transports. See: https://geminicli.com/docs/tools/mcp-server/

### Impact

- Agent never starts (0 turns, 0 tokens)
- All downstream jobs (detection, safe_outputs) are skipped
- The firewall itself works correctly — only the CLI invocation is broken

### Suggested Fix

In the Gemini engine command builder (`pkg/workflow/gemini_engine.go` or equivalent):

1. Instead of passing `--mcp-config <path>`, write the MCP config to `.gemini/settings.json` (project-level) as a pre-step before invoking the Gemini CLI
2. The `settings.json` format uses `mcpServers` key with server entries containing `command`/`url`/`httpUrl`
3. Remove `--mcp-config` from the generated command

### Comparison with Other Engines

| Engine | MCP Config Method |
|--------|------------------|
| Claude | `--mcp-config <path>` CLI flag |
| Copilot | `--mcp-config-file <path>` or `~/.copilot/mcp-config.json` |
| Codex | `--mcp-config <path>` CLI flag |
| Gemini | `~/.gemini/settings.json` or `.gemini/settings.json` file |

### Audit Data

```
gh aw audit 22202278807
```

- 1 error, 0 warnings
- Agent job: failure
- Duration: 3.8m (mostly container build time)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: Gemini engine passes unsupported --mcp-config flag to Gemini CLI #16933

Bug

Reproduction

Root Cause

Impact

Suggested Fix

Comparison with Other Engines

Audit Data

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Engine	MCP Config Method
Claude	`--mcp-config <path>` CLI flag
Copilot	`--mcp-config-file <path>` or `~/.copilot/mcp-config.json`
Codex	`--mcp-config <path>` CLI flag
Gemini	`~/.gemini/settings.json` or `.gemini/settings.json` file

fix: Gemini engine passes unsupported --mcp-config flag to Gemini CLI #16933

Description

Bug

Reproduction

Root Cause

Impact

Suggested Fix

Comparison with Other Engines

Audit Data

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions