fix(training): bundle reference content + use docker bridge gateway

The Style Studio's curator-prompt + chat features read reference docs
from disk at runtime. Two issues from the initial production run:

1. Dockerfile + .dockerignore excluded .claude/, docs/, and most of
   skills/. Now COPY the four specific files the new endpoints need:
     - .claude/agents/hermes-curator.md
     - skills/decision/SKILL.md
     - docs/legal-decision-lessons.md
     - docs/corpus-analysis.md
   .dockerignore opens whitelists for just those files.

2. Coolify's custom_docker_run_options=--add-host=host.docker.internal:host-gateway
   is not honored on dockerimage build_pack apps (ExtraHosts stayed []).
   Switch chat_proxy.py default to http://10.0.1.1:8770 — the docker0
   bridge gateway, same pattern Paperclip uses for 3100. Bind the host
   pm2 service to 0.0.0.0:8770 so the container can reach it via the
   bridge IP. Oracle Cloud's security list keeps the port unreachable
   from the public internet.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

scripts/legal-chat-service.config.cjs

@@ -31,7 +31,13 @@ module.exports = {
       // Run the in-package server via the venv interpreter so all
       // imports (claude_session, etc) resolve.
       script: "/home/chaim/legal-ai/mcp-server/.venv/bin/python",
-      args: "-m legal_mcp.chat_service.server --port 8770",
+      // Bind to 0.0.0.0 so the legal-ai container can reach the service
+      // via the docker bridge gateway (10.0.1.1:8770). Oracle Cloud's
+      // security list keeps port 8770 closed to the public internet;
+      // ufw is inactive but iptables INPUT default ACCEPT is fine here
+      // because the cloud-level firewall is the actual perimeter (same
+      // pattern paperclip uses for its 0.0.0.0:3100 binding).
+      args: "-m legal_mcp.chat_service.server --port 8770 --host 0.0.0.0",
       // claude CLI looks up credentials under HOME — make sure it
       // sees Daphna's session, not an empty container HOME.
       env: {