fix: regenerate lavamoat policy for both dev and Docker environments

The lavamoat policy was out of date, causing Docker runtime failures:

1. Dev vs prod dependency mismatch: The policy was generated against dev
   node_modules, but Docker uses production-only deps (npm ci
   --only=production), which resolve shared transitive packages (e.g.,
   call-bind, get-intrinsic) through different parent chains.

2. Dynamic config loading: settings.js loads config.js via a computed
   require(), so lavamoat's static analysis never discovered its imports
   (yargs and its transitive deps), causing runtime errors on first
   HTTP request.

Fix: Generated policies from both dev and production node_modules (using
config.js.docker as the config source for both), then merged them so
the policy covers both dependency resolution paths.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: andreabadesso