Phase 3 refinement of #427. Builds on #433/#434.

The original Phase 3 page was mode-specific: it inlined "Create a pod"
and "Sign in" buttons based on the seed-time singleUser/idp flags. Two
problems showed up in practice:

1. The seeded /index.html went stale on mode change. Once seeded by a
   --single-user run, every later run (any mode) served the same HTML
   because of skip-if-exists, so a multi-user restart still showed
   "Mode: single-user" and a non-functional Sign-in button.
2. "Sign in" linked to /idp, which 404s when IDP isn't enabled. The
   button always rendered (we worked it out at write time), so a mode
   change to no-IDP left the page promising something the server no
   longer offers.

Refinement: render once, adapt at load.

- The page is now mode-agnostic: same headline, same explainer, same
  primary "Get started" CTA pointing at jss.live/docs/getting-started/.
- Sign up + Sign in anchors are emitted but `hidden` by default. An
  inline script does HEAD /idp/register on load:
    200 → reveal both Sign up and Sign in (multi-user + IDP, open)
    403 → reveal Sign in only (single-user — registration disabled)
    404 / network error → leave both hidden (no IDP)
  Same seeded HTML keeps working when the operator switches modes.
- The live server URL is filled in client-side from
  window.location.origin, so the page shows whichever host the visitor
  actually used (works behind reverse proxies, across localhost /
  127.0.0.1 / LAN-IP, without re-rendering the file).
- Tone tightened: no emoji headline, sentence case, brief paragraph
  about Solid for visitors landing on a public pod for the first time.
  Polished enough to leave as a public landing on an IDP / multi-user
  deployment without it looking like a first-run celebration screen.
- Footer carries the GitHub link and a single-line customise hint.

The seed model itself is unchanged: still skip-if-exists for
/index.html, /.acl, and /index.html.acl. Operator-written files are
preserved. The .acl seeds (relative './' / './index.html' from #434)
keep an operator-uploaded /index.html publicly readable without the
operator having to write WAC by hand.

Tests: server-root.test.js rewritten for the new model.
- 14 tests: same set of capabilities, refocused on the mode-agnostic
  behaviour (one render, all modes), the Get started link, hidden
  Sign-up/Sign-in anchors with the right data-cond attributes, the
  HEAD probe + live-URL scripts, version interpolation + escape, and
  the footer hints.
- The previous mode-specific render assertions (Create a pod text,
  Personal-pod-for-name subtitle, $-pattern and {{token}} re-scan
  regressions) drop with the values they were guarding — none of
  those interpolated values exist in the new template.

813/813 tests pass.

Refs #435.

Docusaurus 3 doesn't auto-generate a category index page, so
/docs/getting-started/ 404s on jss.live. The canonical URL for the
intro page is /docs/getting-started/introduction — point the landing's
primary CTA there.

Three concrete fixes from the review thread.

1. .btn { display: inline-block } overrode the UA stylesheet's
   [hidden] { display: none } (equal specificity, author rule wins
   because it's later in the cascade). Sign up / Sign in would have
   flashed visible before the HEAD probe finished. Add an explicit
   [hidden] { display: none !important } so the attribute stays
   authoritative; new test pins the rule down.

2. The mode pill and feature-pills row were rendered into the seeded
   HTML at first start. Skip-if-exists then froze them — a mode change
   later would have left the seeded copy showing the old mode and
   feature flags even though the rest of the page is meant to adapt
   without regeneration. Drop both from the seeded template; the CLI
   banner already lists them at startup. The renderer drops the
   listFeatures helper and the singleUser/enabled context inputs.

3. The HEAD-decision matrix was only verified by regex checks on the
   inline script's text — a wrong-button regression for 200/403/404
   would have slipped through. Extract the matrix into a pure helper,
   `decideRevealForRegisterStatus(status)`, and unit-test the five
   cases. The inline script implements the same matrix literally;
   the regex test still pins the literals so they don't drift silently.

819/819 tests pass.

The dropped-pills explanatory comment pointed at '#436 review' but
that's this PR, not the issue. The issue being closed is #435 —
update the reference so the rationale is traceable from the seeded
file.

Address Copilot pickup on #436. The Sign up / Sign in anchor hrefs
and the inline HEAD probe used origin-root absolute paths (/idp...).
Behind a reverse proxy at e.g. https://example/jss/, these would
escape the mount point and hit the proxy origin (/idp) instead of
the JSS-mounted server (/jss/idp).

Switch all three to page-relative (./idp...). Anchor hrefs and the
fetch() URL both resolve against document.baseURI, so they stay
inside whatever path prefix the server is mounted under. Same
rationale as the relative ACL targets from #428.

Tests assert both the new ./ form and the absence of the old
absolute form (so a regression to /idp would fail loud).

819/819 tests pass.

Address Copilot pickup on #436. window.location.origin drops any
reverse-proxy path prefix the server is mounted under: a JSS instance
at https://example.com/jss/ would have displayed (and linked to)
'https://example.com/' for the live-URL line, escaping the mount.

Switch to new URL('./', window.location.href).href, which resolves to
the directory of the current document — i.e. the JSS server root,
prefix included. Same path-prefix-safe treatment as the IdP links and
ACL targets in the rest of this PR.

Test asserts both presence of the new pattern and absence of the
origin-only form.

819/819 tests pass.

Two more Copilot pickups on #436.

1. The version was still seed-time. Same skip-if-exists trap as the
   mode and feature pills already dropped — an upgrade wouldn't refresh
   the displayed version. Operators relying on it would silently see
   the old number forever. Drop the version row entirely; the CLI
   banner already shows it at startup, and `npm view` is one shell
   command away.

   With version gone, the info box has nothing left to show; remove
   the whole .info block plus its CSS. The renderer no longer has any
   dynamic values to substitute — collapses to a static readFileSync.
   Drop the template-substitution machinery (single-pass replacer)
   and the escape() helper that only existed to sanitise version.

2. The live-URL anchor's fallback href was "/" (origin-root absolute).
   If the inline script doesn't run (CSP, JS disabled, error before
   it executes), clicking the link would escape any reverse-proxy
   mount prefix. Switch to "./" so the fallback stays inside the
   mount, matching every other URL in this template.

Tests: dropped the version interpolation + injection-escape tests
(no longer applicable — no version is rendered, no values substituted).
Renamed the byte-equality test to make the static-HTML guarantee
explicit. Added a regression test asserting the page-relative
fallback href.

819/819 tests pass.