Fix CSP-blocked inline onclick handlers

- Remove onclick from API key recovery modal Copy button (templates/pages/index.html)
- Event listener already exists in app.js (line 295)
- Remove onclick from server-rendered API key display (src/index.ts line 207)
- Remove onclick from billing success page Copy button (src/routes/billing.ts line 181)
- Create public/copy-helper.js to handle all [data-copy] elements via external JS
- All copy functionality now CSP-compliant (script-src 'self')

public/copy-helper.js

@@ -0,0 +1,38 @@
+// Copy helper for server-rendered pages
+// Attaches click handlers to all [data-copy] elements (CSP-compliant)
+
+document.addEventListener('DOMContentLoaded', function() {
+  // Handle buttons with data-copy attribute
+  document.querySelectorAll('button[data-copy]').forEach(function(btn) {
+    btn.addEventListener('click', function() {
+      const textToCopy = this.getAttribute('data-copy');
+      const originalText = this.textContent;
+      
+      navigator.clipboard.writeText(textToCopy).then(function() {
+        btn.textContent = 'Copied!';
+        setTimeout(function() {
+          btn.textContent = originalText;
+        }, 1500);
+      }).catch(function(err) {
+        console.error('Copy failed:', err);
+      });
+    });
+  });
+  
+  // Handle clickable divs with data-copy attribute (for key-box)
+  document.querySelectorAll('div[data-copy]').forEach(function(div) {
+    div.style.cursor = 'pointer';
+    div.addEventListener('click', function() {
+      const textToCopy = this.getAttribute('data-copy');
+      
+      navigator.clipboard.writeText(textToCopy).then(function() {
+        div.style.borderColor = '#5eead4';
+        setTimeout(function() {
+          div.style.borderColor = '#34d399';
+        }, 1500);
+      }).catch(function(err) {
+        console.error('Copy failed:', err);
+      });
+    });
+  });
+});