fix(#337): Add API key authentication for orchestrator-coordinator communication

- Add COORDINATOR_API_KEY config option to orchestrator.config.ts
- Include X-API-Key header in coordinator requests when configured
- Log security warning if COORDINATOR_API_KEY not configured in production
- Log security warning if coordinator URL uses HTTP in production
- Add tests verifying API key inclusion in requests and warning behavior

Refs #337
Jason Woltje
2026-02-05 15:46:03 -06:00
parent 949d0d0ead
commit 6d6ef1d151
3 changed files with 226 additions and 15 deletions


@@ -32,6 +32,7 @@ export const orchestratorConfig = registerAs("orchestrator", () => ({
url: process.env.COORDINATOR_URL ?? "http://localhost:8000",
timeout: parseInt(process.env.COORDINATOR_TIMEOUT_MS ?? "30000", 10),
retries: parseInt(process.env.COORDINATOR_RETRIES ?? "3", 10),
apiKey: process.env.COORDINATOR_API_KEY,
},
yolo: {
enabled: process.env.YOLO_MODE === "true",
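Review bot: The `apiKey: process.env.COORDINATOR_API_KEY,` line passes the raw environment value through, so an empty or whitespace-only `COORDINATOR_API_KEY=` arrives as a string rather than `undefined`. How the request code and the production warning treat such a value is not visible in this hunk. Normalising at the source keeps "configured" unambiguous: `apiKey: process.env.COORDINATOR_API_KEY?.trim() || undefined,`. The `url` default in the same block is plain `http://`, and per the commit message that case only logs a warning, so a comment on the new line would help, e.g. `// Secret: sent as X-API-Key; never log this value, and use an https COORDINATOR_URL outside local development`. The `registerAs` callback starts and ends outside the hunk.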