fix(security): refuse plaintext bearer-token transmission (Phase C, C1) #215

Merged: yairfalse merged 1 commit into main from feature/monster-c-network-sandbox on May 25, 2026
Conversation

@yairfalse
Collaborator

Monster Phase C — item C1 (audit S1, High) from docs/audit-2026-05-22.md.

The Team Mode bearer token was sent with no scheme check: Sykli.HTTP.ssl_opts/1 returns [] for non-HTTPS, and Coordinator.Client sent Authorization: Bearer <token> regardless — so a http:// coordinator leaked the token in cleartext to any on-path observer (an in-scope adversary per docs/team-mode-security.md).

Fix

  • New Sykli.HTTP.check_token_transport/1: :ok for HTTPS, loopback hosts, or an explicit SYKLI_COORDINATOR_INSECURE=1 opt-in; otherwise {:error, :insecure_transport}.
  • Coordinator.Client.request_json/5 refuses (returns {:error, {:insecure_transport, url}} + logs an error) before sending; warns loudly when the opt-in carries a plaintext send. All token-bearing paths — work/run/gate clients and daemon join — route through this client, so one guard covers them.

Scope note

Phase C is split for focused review. This PR is C1 only. Remaining (with decisions locked):

  • C2 per-team coordinator authz → enforce per-team tokens (own PR — auth-model change)
  • C3 mask file/OIDC-resolved secrets (own PR)
  • C4 SSRF allowlist on gate webhook_url (connect_timeout already present)
  • C5 Shell-runtime trust ADR + Add fluent Go SDK API #4 rewrite (document Shell = trusted only)

Verification

mix format / mix credo (clean) / mix test (1752, 0 failures, +6 HTTP tests) / mix escript.build; black-box team-sync + COORD cases pass (loopback allowed).

🤖 Generated with Claude Code

…oordinators

Monster Phase C, item C1 (audit S1, High). Sykli.Coordinator.Client now refuses
to send the Team Mode bearer token over plaintext HTTP to a non-loopback host
(returns {:error, {:insecure_transport, url}} + logs an error) instead of
leaking it on the wire. HTTPS and loopback are unaffected; SYKLI_COORDINATOR_INSECURE=1
is an explicit opt-in with a loud warning. All token-bearing paths (work/run/gate
clients, daemon join) route through this client. New Sykli.HTTP.check_token_transport/1
holds the shared decision.

Verification: mix format/credo/test (1752, 0 failures), escript.build,
black-box team-sync + COORD cases pass (loopback allowed).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@yairfalse yairfalse self-assigned this May 25, 2026
@yairfalse yairfalse merged commit f63bd50 into main May 25, 2026
12 checks passed
@yairfalse yairfalse deleted the feature/monster-c-network-sandbox branch May 25, 2026 21:45
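
The transport decision described in the PR description and commit message above, as an added Elixir sketch. It is not the project's Sykli.HTTP.check_token_transport/1: the module name TokenTransportSketch, the injected env map, and the exact set of hosts treated as loopback (localhost, 127.0.0.0/8, ::1) are assumptions.

```elixir
defmodule TokenTransportSketch do
  # Hypothetical module, not Sykli.HTTP: decides whether a bearer token may be
  # sent to `url`. Loopback set and env-map argument are assumptions.

  @spec check(String.t(), map()) :: :ok | {:error, :insecure_transport}
  def check(url, env \\ System.get_env()) do
    uri = URI.parse(url)
    scheme = String.downcase(uri.scheme || "")

    cond do
      scheme == "https" -> :ok
      loopback?(uri.host) -> :ok
      # Explicit opt-in named in the PR; only the exact value "1" counts here.
      env["SYKLI_COORDINATOR_INSECURE"] == "1" -> :ok
      true -> {:error, :insecure_transport}
    end
  end

  # Compare the parsed host, never a prefix of the URL string, so that
  # "localhost.example.test" or userinfo such as "127.0.0.1@host" cannot pass.
  defp loopback?(nil), do: false

  defp loopback?(host) do
    host = host |> String.downcase() |> String.trim_leading("[") |> String.trim_trailing("]")
    host == "localhost" or loopback_ip?(host)
  end

  defp loopback_ip?(host) do
    case :inet.parse_strict_address(String.to_charlist(host)) do
      {:ok, {127, _, _, _}} -> true
      {:ok, {0, 0, 0, 0, 0, 0, 0, 1}} -> true
      _ -> false
    end
  end
end

# Constructed sample URLs (not from the PR), checked with an empty environment.
for url <- [
      "https://coord.example.test:8443",
      "http://localhost:4000",
      "http://[::1]:4000",
      "http://coord.example.test:4000",
      "http://localhost.example.test:4000",
      "http://127.0.0.1@coord.example.test:4000"
    ] do
  IO.inspect({url, TokenTransportSketch.check(url, %{})})
end
```

A caller would run this check before attaching the Authorization header and return the error instead of sending.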