fix(client): restore OST_API_KEY flow to Authorization header #5

Merged: spideystreet merged 1 commit into main from fix/restore-apikey-auth on Apr 21, 2026
@spideystreet
Contributor

Summary

Regression fix — merged PR #4 accidentally dropped the `Authorization: Bearer` header on every outbound request. `getConfig()` still validated that `OST_API_KEY` is set at startup, but then dropped it from the return value, and `OSTClient` lost its `apiKey` field. Net effect: every MCP request was unauthenticated → 401'd by the backend → surfaced as a misleading "Invalid or missing OST_API_KEY" in the MCP client.

Caught by a manual stdio smoke before `@opensource-together/mcp@0.2.0` was published to npm. Not user-facing yet.

What this PR does

  • `src/config.ts` — `getConfig()` now returns `{ apiUrl, apiKey }` (was just `{ apiUrl }`).
  • `src/client.ts` — `OSTClient` constructor takes `(baseUrl, apiKey)` again; private `apiKey` field restored; `request()` attaches `Authorization: Bearer ${apiKey}` header on every `fetch`.
  • `src/index.ts` — pass `config.apiKey` into the client.
  • `tests/config.test.ts` — assert `apiKey` comes back from `getConfig()`.
  • `tests/client.test.ts` — assert the `Authorization` header shape on successful requests.

Verification

  • `npm run build` ✅
  • `npm run lint` ✅
  • `npm test` → 24 passed (24)
  • Real stdio smoke: `list_categories` + `list_techstacks` against live backend (`:4000`) proxying to live `ost-linker-api` (`:8000`) → both returned real taxonomy data.

Ship this before cutting the v0.2.0 release.

Test plan

  • `npm install && npm run build && npm test` all green.
  • Configure an MCP client with `OST_API_KEY` + a running backend + linker, invoke any tool, see real data.
  • Double-check no regression on 401/429/5xx error messages (tests cover it).

Regression from the merge of #4: getConfig() validated OST_API_KEY but
dropped it from the return value, and OSTClient lost its apiKey field
and the Authorization header attachment. Every MCP request was going
out unauthenticated and getting a misleading "Invalid or missing
OST_API_KEY" error back from the backend.

Restore the plumbing end-to-end: config returns { apiUrl, apiKey };
OSTClient constructor takes (baseUrl, apiKey); request() attaches
Authorization: Bearer ${apiKey} on every call.

Verified by running ost-mcp via stdio against a live backend + real
ost-linker: list_categories and list_techstacks now return the actual
taxonomy data.
spideystreet merged commit e790cd2 into main Apr 21, 2026
1 check passed
spideystreet deleted the fix/restore-apikey-auth branch April 21, 2026 22:02
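The failure mode this PR fixes (key validated at startup, then never sent), as an added TypeScript example that is not the project's code: the config returns the key, the client fails closed without one, and the header is built in one place so a test can pin it. `OST_API_URL`, its default, `FetchLike`, `buildRequest`, `fakeBackend` and the `/categories` path used in testing are assumptions for illustration.

```typescript
// Added example, not the project's code. Names follow the PR text; bodies are assumptions.
type Env = Record<string, string | undefined>;
type HeaderMap = Record<string, string>;
type FetchLike = (url: string, init: { headers: HeaderMap }) =>
  Promise<{ status: number; json(): Promise<unknown> }>;

// Validate the key AND return it; the regression kept only the validation.
function getConfig(env: Env): { apiUrl: string; apiKey: string } {
  const apiKey = env["OST_API_KEY"];
  if (!apiKey) throw new Error("OST_API_KEY is not set");
  // OST_API_URL and its default are hypothetical, not taken from the project.
  return { apiUrl: env["OST_API_URL"] ?? "http://localhost:4000", apiKey };
}

class OSTClient {
  private readonly baseUrl: string;
  private readonly apiKey: string;
  private readonly fetchImpl: FetchLike;

  constructor(baseUrl: string, apiKey: string, fetchImpl: FetchLike) {
    // Fail closed: never build a client that would send anonymous requests.
    if (!apiKey) throw new Error("OSTClient requires an API key");
    this.baseUrl = baseUrl;
    this.apiKey = apiKey;
    this.fetchImpl = fetchImpl;
  }

  // Headers are built in one place so a test can pin their exact shape.
  buildRequest(path: string): { url: string; headers: HeaderMap } {
    const headers = { Authorization: `Bearer ${this.apiKey}`, Accept: "application/json" };
    return { url: `${this.baseUrl}${path}`, headers };
  }

  async request(path: string): Promise<unknown> {
    const { url, headers } = this.buildRequest(path);
    const res = await this.fetchImpl(url, { headers });
    if (res.status === 401) throw new Error("Invalid or missing OST_API_KEY");
    return res.json();
  }
}

// Constructed stand-in backend: 401 unless the expected bearer token arrives.
function fakeBackend(expectedKey: string): FetchLike {
  return async (_url, init) => {
    const ok = init.headers["Authorization"] === `Bearer ${expectedKey}`;
    return { status: ok ? 200 : 401, json: async () => (ok ? ["constructed"] : null) };
  };
}
```

Keeping the token out of any logged request object matters here, since `buildRequest` returns the full header value.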