fix(web,api): fix orchestrator proxy 502 connectivity

Root causes of the 502 Bad Gateway on all orchestrator proxy endpoints:

1. Orchestrator bound to 127.0.0.1 by default — add HOST=0.0.0.0 to all
   compose files so the orchestrator is reachable from other containers.

2. Web service missing ORCHESTRATOR_URL in docker-compose.yml and
   docker-compose.coolify.yml — server-side proxy was falling through to
   NEXT_PUBLIC_API_URL (the public API URL) which has no /agents or /health
   endpoints. Add ORCHESTRATOR_URL=http://orchestrator:3001 so the web
   container routes to the orchestrator service over the internal network.

3. Orchestrator missing ORCHESTRATOR_API_KEY in docker-compose.yml and
   docker-compose.swarm.portainer.yml — the OrchestratorApiKeyGuard would
   reject all requests with 401 (or 502 when unreachable first).

4. Web service missing mosaic-internal network in docker-compose.yml —
   orchestrator was only on mosaic-internal while web was only on
   mosaic-public, making them unreachable by name.

Closes SS-ORCH-001 (issue #534)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-27 04:59:58 -06:00
parent 833662a64f
commit d28611e0db
3 changed files with 15 additions and 0 deletions

@@ -158,6 +158,8 @@ services:
- NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL}
- NEXT_PUBLIC_ORCHESTRATOR_URL=${NEXT_PUBLIC_ORCHESTRATOR_URL:-}
- NEXT_PUBLIC_AUTH_MODE=${NEXT_PUBLIC_AUTH_MODE:-real}
# Server-side orchestrator proxy (API routes forward to orchestrator service over internal network)
- ORCHESTRATOR_URL=http://orchestrator:3001
- ORCHESTRATOR_API_KEY=${ORCHESTRATOR_API_KEY:-}
depends_on:
api:
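Review bot: `ORCHESTRATOR_API_KEY=${ORCHESTRATOR_API_KEY:-}` on the new web line defaults the key to an empty string, so an unset variable lets the proxy start cleanly and every forwarded request then fails the OrchestratorApiKeyGuard with 401, the same symptom class this commit is fixing, only later and harder to trace. Use Compose's required-variable form, `ORCHESTRATOR_API_KEY=${ORCHESTRATOR_API_KEY:?ORCHESTRATOR_API_KEY must be set}`, so `docker compose up` refuses to start without it; the later hunks use the bare `${ORCHESTRATOR_API_KEY}` form, so the three files should agree on one spelling of the same requirement.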
@@ -222,6 +224,8 @@ services:
environment:
- NODE_ENV=production
- ORCHESTRATOR_PORT=3001
# Bind to all interfaces so the web container can reach it over Docker networking
- HOST=0.0.0.0
- AI_PROVIDER=${AI_PROVIDER:-ollama}
- OLLAMA_ENDPOINT=${OLLAMA_ENDPOINT:-}
- OLLAMA_MODEL=${OLLAMA_MODEL:-llama3.2}
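Review bot: this hunk adds only `HOST=0.0.0.0` to the orchestrator service, while the web service earlier in this file now sends ORCHESTRATOR_API_KEY; the diff does not show ORCHESTRATOR_API_KEY being set on the orchestrator here, so confirm the service already receives it, otherwise the guard compares against an unset value. The comment should also say that `0.0.0.0` is scoped to the container's network namespace, so who can reach the orchestrator is decided by this service's `networks` list and any `ports` mapping; no `ports:` entry should publish 3001 beyond the internal network unless that is intended.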

@@ -252,6 +252,8 @@ services:
environment:
NODE_ENV: production
ORCHESTRATOR_PORT: 3001
# Bind to all interfaces so the web container can reach it over Docker networking
HOST: 0.0.0.0
AI_PROVIDER: ${AI_PROVIDER:-ollama}
VALKEY_URL: redis://valkey:6379
VALKEY_HOST: valkey
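Review bot: no hunk in this file touches the web service, so the comment's premise ("so the web container can reach it") relies on the web service here already carrying an ORCHESTRATOR_URL that resolves to `orchestrator:3001` and sharing a network with this service; verify that rather than assume it, since that exact omission is what broke the other files. Minor: `HOST: 0.0.0.0` is a plain YAML string and works, but quote it as `"0.0.0.0"` to match the quoted values later in this service (`KILLSWITCH_ENABLED: "true"`).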
@@ -263,6 +265,8 @@ services:
GIT_USER_EMAIL: "orchestrator@mosaicstack.dev"
KILLSWITCH_ENABLED: "true"
SANDBOX_ENABLED: "true"
# API key for authenticating requests from the web proxy
ORCHESTRATOR_API_KEY: ${ORCHESTRATOR_API_KEY}
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- orchestrator_workspace:/workspace
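Review bot: `ORCHESTRATOR_API_KEY: ${ORCHESTRATOR_API_KEY}` has no default, so Compose substitutes an empty string with only a warning when the variable is unset. This service mounts `/var/run/docker.sock` (read-only, but still a privileged control surface) and the API key guard is the only access control in front of it, so make the variable mandatory with `${ORCHESTRATOR_API_KEY:?ORCHESTRATOR_API_KEY must be set}`, and if the guard would accept an empty configured key, have the orchestrator refuse to start instead of running with a blank credential.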

@@ -433,6 +433,8 @@ services:
NODE_ENV: production
# Orchestrator Configuration
ORCHESTRATOR_PORT: 3001
# Bind to all interfaces so the web container can reach it over Docker networking
HOST: 0.0.0.0
AI_PROVIDER: ${AI_PROVIDER:-ollama}
# Valkey
VALKEY_URL: redis://valkey:6379
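Review bot: the comment justifies `HOST: 0.0.0.0` by container-to-container reachability, but this service also publishes the port to the host (`"3002:3001"` in the next hunk), so the bind additionally exposes the orchestrator on every host interface. If host access is only for local debugging, restrict the mapping to loopback (`"127.0.0.1:3002:3001"`) and state that in the comment; the web proxy reaches the orchestrator over the internal network and does not need the published port.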
@@ -448,6 +450,8 @@ services:
# Security
KILLSWITCH_ENABLED: true
SANDBOX_ENABLED: true
# API key for authenticating requests from the web proxy
ORCHESTRATOR_API_KEY: ${ORCHESTRATOR_API_KEY}
ports:
- "3002:3001"
volumes:
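Review bot: with `ports: - "3002:3001"` on this service, the ORCHESTRATOR_API_KEY guard is the perimeter for anything that can reach the host, not just for the web proxy, yet `${ORCHESTRATOR_API_KEY}` here has no required-variable check and the web service in the first hunk of this commit defaults it to empty with `:-`; a missing key should fail deployment, not yield a running service protected by a blank credential. Also `KILLSWITCH_ENABLED: true` / `SANDBOX_ENABLED: true` are YAML booleans here while the previous file quotes them as `"true"`; Compose stringifies both, but pick one form across files.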
@@ -498,6 +502,8 @@ services:
NODE_ENV: production
PORT: ${WEB_PORT:-3000}
NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-http://localhost:3001}
# Server-side orchestrator proxy (API routes forward to orchestrator service)
ORCHESTRATOR_URL: http://orchestrator:3001
ORCHESTRATOR_API_KEY: ${ORCHESTRATOR_API_KEY}
ports:
- "${WEB_PORT:-3000}:${WEB_PORT:-3000}"
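Review bot: `ORCHESTRATOR_URL: http://orchestrator:3001` hard-codes the port that the orchestrator service declares separately as `ORCHESTRATOR_PORT: 3001`; if either is changed alone the proxy fails with the same 502 this commit is fixing. Derive both from one variable, e.g. `ORCHESTRATOR_PORT: ${ORCHESTRATOR_PORT:-3001}` on the orchestrator and `ORCHESTRATOR_URL: http://orchestrator:${ORCHESTRATOR_PORT:-3001}` here. Plain `http://` is acceptable only because this name resolves on the internal Docker network; the comment should state that assumption so nobody later points ORCHESTRATOR_URL at a host or public address over cleartext.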
@@ -515,6 +521,7 @@ services:
retries: 3
start_period: 40s
networks:
- mosaic-internal
- mosaic-public
labels:
- "com.mosaic.service=web"
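Review bot: adding `mosaic-internal` makes the web service dual-homed on `mosaic-public` and `mosaic-internal`, so it becomes the single bridge between the public edge and the orchestrator, and it carries the shared ORCHESTRATOR_API_KEY. The commit message should note that the server-side proxy routes must still authenticate the end user before forwarding, because the guard key only proves a request came from the web container, not that an authorised user made it. Also confirm no other `mosaic-public` service needs the same network addition, so the boundary stays at this one service.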