fix(agent): isolate compose project networks per project

[ivanbenko]

Summary

• Each compose project now gets its own opsen-{client}-{project}-internal network instead of sharing opsen-{client}-internal across all of a client's projects, so projects can no longer reach each other by docker DNS.
• Cross-project communication must now go through ingress (Caddy already reaches services via the host port binding, so public routes are unaffected).
• Existing deployments are migrated automatically: a netmodel=v2 line in policyHash flags every existing project stale, the reconciler redeploys each onto its own network, and removeLegacyClientNetwork cleans up the shared opsen-{client}-internal network best-effort after every successful deploy/redeploy.

Test plan

• go test ./... in packages/agent/go (compose + ingress suites green)
• New TestHardenCompose_NetworkIsProjectScoped asserts the network name format and that two projects of one client get distinct networks
• pnpm ts:check passes
• Verify on test.local that an existing deploy migrates onto a per-project network on next reconcile tick and the legacy network is removed once the last project has migrated
• Verify a service in project A cannot resolve a service in project B over docker DNS, but can still reach it via the public ingress hostname

🤖 Generated with Claude Code