Fix Dockerfile to copy all server/*.js modules; refresh vendor to v0.2.0

The runtime crash on v0.2.3:

  Error [ERR_MODULE_NOT_FOUND]: Cannot find module '/app/server/util.js'
  imported from /app/server/index.js

happened because the Dockerfile's stage-2 COPY only listed server/
index.js + server/license.js explicitly. When I started extracting
modules in v0.2.3 (util.js, gemini-helpers.js, audio.js, ytdlp.js,
cookies.js, config.js, license-middleware.js, history.js, library.js)
I forgot to update the COPY list, so those files were never copied
into the runner image. Local 'node' tests passed because the modules
exist on disk; the .s9pk container had only the two original files
and crashed on first import.

Fix:

  COPY server/*.js ./server/

Glob picks up all top-level .js files automatically, including any
future extractions, while still skipping server/test/ and server/
node_modules/. This is the simplest forward-compatible form.

Bonus: refresh the vendored @keysat/licensing-client from 0.1.0 to
0.2.0. The new SDK adds:

  • policySlug field on StartPurchaseOptions (so we can drive Core/
    Pro tier selection programmatically from our backend)
  • client.listPublicPolicies(productSlug) for fetching the tier
    cards' data without auth

Both are prerequisites for the in-app buy flow planned in
~/.claude/plans/in-app-buy-flow.md. The vendor's own node_modules
(@noble/ed25519, @noble/hashes) is gitignored as before — Docker
builds re-install via `npm install --omit=dev --ignore-scripts` in
the vendor dir during stage 1.

Also includes the license-middleware update from earlier in the day:
a 30s license-file poll so a key set via the "Set Recap License"
StartOS action is picked up within seconds (instead of waiting for
the 6h scheduled validateOnline tick).

vendor/keysat-licensing-client/dist/index.cjs

@@ -368,7 +368,8 @@ var Client = class {
       buyer_email: opts.buyerEmail,
       buyer_note: opts.buyerNote,
       redirect_url: opts.redirectUrl,
-      code: opts.code
+      code: opts.code,
+      policy_slug: opts.policySlug
     });
     return {
       invoiceId: raw.invoice_id,
@@ -378,6 +379,46 @@ var Client = class {
       pollUrl: raw.poll_url
     };
   }
+  /**
+   * List public, buyer-visible policies (tiers) for a product. No
+   * auth — same data the licensing service's `/buy/<slug>` page
+   * uses server-side. Use this to render an in-app tier picker
+   * that stays in sync with the operator's admin-side tier setup.
+   *
+   * Returns each policy's slug, display name, price (in the
+   * product's listed currency's smallest unit — sats or cents),
+   * entitlements, recurring/trial flags. Internal fields (id,
+   * tip recipients, raw metadata) are deliberately omitted.
+   */
+  async listPublicPolicies(productSlug) {
+    const raw = await this.get(
+      `/v1/products/${encodeURIComponent(productSlug)}/policies`
+    );
+    const product = raw.product;
+    const policies = raw.policies ?? [];
+    return {
+      product: {
+        slug: product.slug,
+        name: product.name,
+        description: product.description ?? "",
+        basePriceSats: product.base_price_sats
+      },
+      policies: policies.map((p) => ({
+        slug: p.slug,
+        name: p.name,
+        description: p.description ?? "",
+        priceSats: p.price_sats,
+        durationSeconds: p.duration_seconds ?? 0,
+        maxMachines: p.max_machines ?? 1,
+        isTrial: !!p.is_trial,
+        entitlements: p.entitlements ?? [],
+        highlighted: !!p.highlighted,
+        isRecurring: !!p.is_recurring,
+        renewalPeriodDays: p.renewal_period_days ?? 0,
+        trialDays: p.trial_days ?? 0
+      }))
+    };
+  }
   /**
    * Redeem a `free_license` code: bypass BTCPay entirely and receive the
    * signed license key directly. Throws if the code is unknown / disabled