fix(#365): fix ruff, mypy, pip, and bandit issues in coordinator

- Fix 20 ruff errors: UP035 (Callable import), UP042 (StrEnum), E501
  (line length), F401 (unused imports), UP045 (Optional -> X | None),
  I001 (import sorting)
- Fix mypy error: wrap slowapi rate limit handler with
  Exception-compatible signature for add_exception_handler
- Pin pip >= 25.3 in Dockerfile (CVE-2025-8869, CVE-2026-1703)
- Add nosec B104 to config.py (container-bound 0.0.0.0 is acceptable)
- Add nosec B101 to telemetry.py (assert for type narrowing)
- Create bandit.yaml to suppress B404/B607/B603 in gates/ tooling

Fixes #365

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/coordinator/tests/test_telemetry.py

@@ -1,7 +1,9 @@
 """Tests for OpenTelemetry telemetry initialization."""
 
+from unittest.mock import MagicMock, patch
+
 import pytest
-from unittest.mock import MagicMock, patch, ANY
+
 from src.telemetry import TelemetryService, get_tracer
 
 
@@ -171,7 +173,10 @@ class TestGetTracer:
         self, mock_set_provider: MagicMock, mock_get_tracer_func: MagicMock, reset_telemetry
     ) -> None:
         """Test that get_tracer uses the correct service name."""
-        with patch.dict("os.environ", {"OTEL_SERVICE_NAME": "test-service", "OTEL_ENABLED": "true"}):
+        with patch.dict(
+            "os.environ",
+            {"OTEL_SERVICE_NAME": "test-service", "OTEL_ENABLED": "true"},
+        ):
             # Reset global state
             import src.telemetry
             src.telemetry._telemetry_service = None