Add ISSUE_CORE_API_KEY auth to IssueCoreRestSink

Issue-core requires a shared ingestion key on POST /issues/. The REST sink
now sends Authorization: Bearer using ISSUE_CORE_API_KEY and fails fast
when the key is missing under ISSUE_SINK_TYPE=rest.

Updates .env.example, emission boundary docs, and unit tests for the
header contract and missing-key error.

docs/issue-core-emission-boundary.md

@@ -11,7 +11,9 @@ The current authoritative boundary is the issue-core REST API:
 POST {ISSUE_CORE_URL}/issues/
 ```
 
-`IssueCoreRestSink` sends this payload:
+`IssueCoreRestSink` authenticates with the shared `ISSUE_CORE_API_KEY` env var
+(same value as the issue-core server) via `Authorization: Bearer <key>` and
+sends this payload:
 
 ```json
 {
@@ -52,7 +54,7 @@ task reference before it can replace `IssueCoreRestSink`.
 
 Weekly SBOM staleness is safe to evaluate in dry-run mode because the rule
 contract is deterministic and tested. Do not enable it against the real REST sink
-until issue-core credentials, endpoint reachability, and duplicate-handling are
+until `ISSUE_CORE_API_KEY`, endpoint reachability, and duplicate-handling are
 verified in the target environment.
 
 ## Verification