fix(#365): fix ruff, mypy, pip, and bandit issues in coordinator

- Fix 20 ruff errors: UP035 (Callable import), UP042 (StrEnum), E501
  (line length), F401 (unused imports), UP045 (Optional -> X | None),
  I001 (import sorting)
- Fix mypy error: wrap slowapi rate limit handler with
  Exception-compatible signature for add_exception_handler
- Pin pip >= 25.3 in Dockerfile (CVE-2025-8869, CVE-2026-1703)
- Add nosec B104 to config.py (container-bound 0.0.0.0 is acceptable)
- Add nosec B101 to telemetry.py (assert for type narrowing)
- Create bandit.yaml to suppress B404/B607/B603 in gates/ tooling

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/coordinator/src/security.py

@@ -4,7 +4,6 @@ import hashlib
 import hmac
 import logging
 import re
-from typing import Optional
 
 logger = logging.getLogger(__name__)
 
@@ -33,11 +32,14 @@ INJECTION_PATTERNS = [
 ]
 
 # XML-like tags that could be used for injection
-DANGEROUS_TAG_PATTERN = re.compile(r"<\s*(instructions?|prompt|context|system|user|assistant)\s*>", re.IGNORECASE)
+DANGEROUS_TAG_PATTERN = re.compile(
+    r"<\s*(instructions?|prompt|context|system|user|assistant)\s*>",
+    re.IGNORECASE,
+)
 
 
 def sanitize_for_prompt(
-    content: Optional[str],
+    content: str | None,
     max_length: int = DEFAULT_MAX_PROMPT_LENGTH
 ) -> str:
     """