FIX [OPS] Stabilize lab-api behind Cloudflare Tunnel (localhost ingress)

[AdaInTheLab]

🧠 What changed

This PR stabilizes the lab-api backend when served behind a Cloudflare Tunnel by
aligning production behavior with a localhost-only ingress model.

The API is now explicitly designed to be reached via:

Cloudflare → cloudflared tunnel → localhost:8001

…and not via the server’s public IP.

---

🐛 Problem

Production was intermittently returning 503 / connection refused errors due to
components attempting to reach the API at:

173.236.223.89:8001

That port is intentionally not exposed publicly and is only reachable on
127.0.0.1. Any proxy or rewrite path using the public IP would fail.

---

✅ Resolution

• Confirmed API is healthy and stable on localhost:8001
• Ensured /health and core routes function correctly under tunnel ingress
• Aligned backend behavior with Cloudflare Tunnel expectations
• Removed reliance on public-IP access for internal routing

The API is now production-safe when accessed exclusively via:

https://api.thehumanpatternlab.com

---

🔍 Verification

• curl http://127.0.0.1:8001/health → 200 OK
• curl https://api.thehumanpatternlab.com/health → 200 OK
• curl http://<public-ip>:8001 → expected failure
• No 503s observed after tunnel alignment

---

📌 Notes

• This PR pairs with frontend changes that update VITE_API_BASE_URL
  to the api. subdomain.
• Any remaining /api usage on the main domain should be handled
  via redirects, not reverse proxies.

---

🦊 Backend is now correctly tunnel-native and no longer haunted by public IP routing.