fix(#365): fix coordinator CI bandit config and pip upgrade

Three fixes for the coordinator pipeline:

1. Use bandit.yaml config file (-c bandit.yaml) so global skips
   and exclude_dirs are respected in CI.
2. Upgrade pip to >=25.3 in the install step so pip-audit doesn't
   fail on the stale pip 24.0 bundled with python:3.11-slim.
3. Clean up nosec inline comments to bare "# nosec BXXX" format,
   moving explanations to a separate comment line above. This
   prevents bandit from misinterpreting trailing text as test IDs.

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jason Woltje
2026-02-12 16:05:07 -06:00
parent a269f4b0ee
commit 111a41c7ca
3 changed files with 6 additions and 3 deletions


@@ -21,7 +21,8 @@ class Settings(BaseSettings):
anthropic_api_key: str
# Server Configuration
host: str = "0.0.0.0" # nosec B104 — Container-bound: listen on all interfaces inside Docker
# Container-bound: listen on all interfaces inside Docker
host: str = "0.0.0.0" # nosec B104
port: int = 8000
# Logging
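Review bot: the bare `# nosec B104` on the `host` line now depends entirely on the comment line directly above it for justification, so a later reorder or an inserted field can silently detach the explanation from the suppressed finding; consider keeping the rationale in the same comment block as the field, e.g. `# Container-bound: listen on all interfaces inside Docker (B104 suppressed below)`, and since `Settings` derives from `BaseSettings` the comment could also state that the default is expected to be overridden via environment/config when the service is not run inside a container.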


@@ -139,7 +139,8 @@ class TelemetryService:
if self._tracer is None:
# Initialize if not already done
self.initialize()
assert self._tracer is not None # nosec B101 — Type narrowing after None guard
# Type narrowing after None guard
assert self._tracer is not None # nosec B101
return self._tracer
def shutdown(self) -> None:
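Review bot: suppressing B101 here hides that `assert self._tracer is not None` is compiled out under `python -O`, so in an optimized deployment the "None guard" becomes a no-op and a failed `self.initialize()` would let a `None` tracer escape from this method; if `initialize()` can legitimately leave `_tracer` unset, replace the assert with an explicit check such as `if self._tracer is None: raise RuntimeError("tracer not initialized")`, which narrows the type for the checker just as well and holds at runtime, and drop the nosec entirely.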