fix(#365): fix ruff, mypy, pip, and bandit issues in coordinator

- Fix 20 ruff errors: UP035 (Callable import), UP042 (StrEnum), E501
  (line length), F401 (unused imports), UP045 (Optional -> X | None),
  I001 (import sorting)
- Fix mypy error: wrap slowapi rate limit handler with
  Exception-compatible signature for add_exception_handler
- Pin pip >= 25.3 in Dockerfile (CVE-2025-8869, CVE-2026-1703)
- Add nosec B104 to config.py (container-bound 0.0.0.0 is acceptable)
- Add nosec B101 to telemetry.py (assert for type narrowing)
- Create bandit.yaml to suppress B404/B607/B603 in gates/ tooling

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/coordinator/src/main.py

@@ -8,11 +8,13 @@ from contextlib import asynccontextmanager
 from pathlib import Path
 from typing import Any
 
-from fastapi import FastAPI, Request
+from fastapi import FastAPI
 from pydantic import BaseModel
 from slowapi import Limiter, _rate_limit_exceeded_handler
 from slowapi.errors import RateLimitExceeded
 from slowapi.util import get_remote_address
+from starlette.requests import Request
+from starlette.responses import Response
 
 from .config import settings
 from .coordinator import Coordinator
@@ -141,7 +143,16 @@ if os.getenv("OTEL_ENABLED", "true").lower() != "false":
 
 # Register rate limiter
 app.state.limiter = limiter
-app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+
+
+def _rate_limit_handler(request: Request, exc: Exception) -> Response:
+    """Wrapper for slowapi handler with Exception-compatible signature."""
+    if not isinstance(exc, RateLimitExceeded):
+        return Response(content="Rate limit error", status_code=429)
+    return _rate_limit_exceeded_handler(request, exc)
+
+
+app.add_exception_handler(RateLimitExceeded, _rate_limit_handler)
 
 
 class HealthResponse(BaseModel):