refactor: remove Traefik exposure from Pastel API

Removed all Traefik labels from pastel_api service since the API
is now only accessed internally by pastel_ui via Docker network.

Changes:
- Removed traefik.enable and all HTTP/HTTPS router configurations
- Removed path prefix routing (/api)
- Kept only Watchtower label for auto-updates
- API now accessible only at http://pastel_api:3000 internally

This simplifies the configuration and improves security by not
exposing the API endpoint externally.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

kit/compose.yaml

@@ -90,21 +90,6 @@ services:
     networks:
       - compose_network
     labels:
-      - 'traefik.enable=${KIT_TRAEFIK_ENABLED}'
-      # HTTP to HTTPS redirect
-      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-redirect-web-secure.redirectscheme.scheme=https'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-web.middlewares=${KIT_COMPOSE_PROJECT_NAME}-pastel-api-redirect-web-secure'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-web.rule=Host(`${KIT_PASTEL_TRAEFIK_HOST}`) && PathPrefix(`/api`)'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-web.entrypoints=web'
-      # HTTPS router
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-web-secure.rule=Host(`${KIT_PASTEL_TRAEFIK_HOST}`) && PathPrefix(`/api`)'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-web-secure.tls.certresolver=resolver'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-web-secure.entrypoints=web-secure'
-      - 'traefik.http.middlewares.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-compress.compress=true'
-      - 'traefik.http.routers.${KIT_COMPOSE_PROJECT_NAME}-pastel-api-web-secure.middlewares=${KIT_COMPOSE_PROJECT_NAME}-pastel-api-compress,security-headers@file'
-      # Service
-      - 'traefik.http.services.${KIT_COMPOSE_PROJECT_NAME}-pastel-api.loadbalancer.server.port=3000'
-      - 'traefik.docker.network=${NETWORK_NAME}'
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'