fix(#338): Warn when VALKEY_PASSWORD not set

- Log security warning when Valkey password not configured
- Prominent warning in production environment
- Tests verify warning behavior for SEC-ORCH-15

Refs #338

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/orchestrator/src/valkey/valkey.service.ts

@@ -33,6 +33,23 @@ export class ValkeyService implements OnModuleDestroy {
     const password = this.configService.get<string>("orchestrator.valkey.password");
     if (password) {
       config.password = password;
+    } else {
+      // SEC-ORCH-15: Warn when Valkey password is not configured
+      const nodeEnv = this.configService.get<string>("NODE_ENV", "development");
+      const isProduction = nodeEnv === "production";
+
+      if (isProduction) {
+        this.logger.warn(
+          "SECURITY WARNING: VALKEY_PASSWORD is not configured in production environment. " +
+            "Valkey connections without authentication are insecure. " +
+            "Set VALKEY_PASSWORD environment variable to secure your Valkey instance."
+        );
+      } else {
+        this.logger.warn(
+          "VALKEY_PASSWORD is not configured. " +
+            "Consider setting VALKEY_PASSWORD for secure Valkey connections."
+        );
+      }
     }
 
     this.client = new ValkeyClient(config);