feat(client): add API key authentication for /authz endpoint (#294)

## Summary

- Add `WithAPIKey(key string)` option to `PrivilegeHandler`
- When set, `Fetch()` sends `Authorization: Bearer <key>` header
- Backward compatible: no key = no header (existing behavior)

## Test plan

- [x] Unit test verifying Authorization header is sent
- [x] Unit test verifying no header without key
- [x] Existing tests still pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #294

client_test.go

@@ -251,6 +251,39 @@ func TestPrivilegeHandler_IsAllowed_Return_True_If_Privilege_Exists(t *testing.T
 	assert.True(t, result)
 }
 
+func TestPrivilegeHandler_Fetch_Sends_Authorization_Header_When_APIKey_Set(t *testing.T) {
+	var receivedAuth string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuth = r.Header.Get("Authorization")
+		_, _ = w.Write([]byte("{}"))
+	}))
+	defer server.Close()
+
+	handler := New(
+		WithBaseURL(server.URL),
+		WithAPIKey("my-secret-key"),
+	)
+
+	err := handler.Fetch()
+	assert.NoError(t, err)
+	assert.Equal(t, "Bearer my-secret-key", receivedAuth)
+}
+
+func TestPrivilegeHandler_Fetch_No_Authorization_Header_Without_APIKey(t *testing.T) {
+	var receivedAuth string
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedAuth = r.Header.Get("Authorization")
+		_, _ = w.Write([]byte("{}"))
+	}))
+	defer server.Close()
+
+	handler := New(WithBaseURL(server.URL))
+
+	err := handler.Fetch()
+	assert.NoError(t, err)
+	assert.Empty(t, receivedAuth)
+}
+
 func TestPrivilegeHandler_Fetch_Error_Response(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(500)