Add ISSUE_CORE_API_KEY auth to IssueCoreRestSink

Issue-core requires a shared ingestion key on POST /issues/. The REST sink
now sends Authorization: Bearer using ISSUE_CORE_API_KEY and fails fast
when the key is missing under ISSUE_SINK_TYPE=rest.

Updates .env.example, emission boundary docs, and unit tests for the
header contract and missing-key error.

tests/test_issue_sink.py

@@ -34,7 +34,7 @@ def test_issue_core_rest_sink_posts_task_contract(monkeypatch) -> None:
 
     monkeypatch.setattr(httpx, "post", fake_post)
 
-    ref = IssueCoreRestSink("http://issue-core.test/").emit(TaskSpec(
+    ref = IssueCoreRestSink("http://issue-core.test/", api_key="test-key").emit(TaskSpec(
         title="Run SBOM rescan for activity-core",
         description="SBOM is older than 30 days.",
         target_repo="activity-core",
@@ -67,12 +67,30 @@ def test_issue_core_rest_sink_posts_task_contract(monkeypatch) -> None:
                 "triggering_event_id": "scheduled",
                 "activity_definition_id": "activity-1",
             },
+            "headers": {"Authorization": "Bearer test-key"},
             "timeout": 10.0,
         }
     ]
     assert "review_required" not in posts[0]["json"]
 
 
+def test_issue_core_rest_sink_requires_api_key() -> None:
+    sink = IssueCoreRestSink("http://issue-core.test/", api_key="")
+    with pytest.raises(RuntimeError, match="ISSUE_CORE_API_KEY"):
+        sink.emit(TaskSpec(
+            title="t",
+            description="",
+            target_repo="activity-core",
+            priority="low",
+            labels=[],
+            due_in_days=None,
+            source_type="rule",
+            source_id="r",
+            triggering_event_id="e",
+            activity_definition_id="a",
+        ))
+
+
 @pytest.mark.asyncio
 async def test_emit_tasks_raises_when_sink_fails(monkeypatch) -> None:
     class FailingSink: