feat: exposition Traefik + provisioning auth (v0.21.0)

Backend exposé via Traefik+TLS (réseau traefik-public externe, labels,
CHLOVA_DOMAIN) — surface unique. Script provision-auth (hash scrypt +
TOTP otpauth + JWT). .env.example section API/UI. security.md : surface
exposée Phase 4. Compose revalidé.

Palier de risque : privilégié (exposition réseau) — non déployé ; auth
requise pour activer l'API.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

orchestrator/package.json

@@ -13,7 +13,8 @@
     "start": "node dist/index.js",
     "typecheck": "tsc -p tsconfig.json",
     "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "provision-auth": "tsx scripts/provision-auth.ts"
   },
   "dependencies": {
     "@fastify/cors": "11.2.0",