chore(deps): clear all 27 advisories via fastify 5, vite 6, transitive overrides

Direct bumps: ws 8.21.0, vitest 3.2.6 (critical UI-server RCE), js-yaml 4.2.0.
Root pnpm.overrides: hono, undici, qs, fast-uri, react-router(-dom), @babel/core,
range-scoped esbuild, and a global vite pin (forces vitest onto Vite 6).
Major migrations with no code changes (API-audited): fastify 4 to 5 across
server/coder/control/booterm (+@fastify/websocket 11, @fastify/static 9.1.1),
vite 5 to 6 +@vitejs/plugin-react 4.7 in web. pnpm audit: no known vulnerabilities.
Suites green: contracts 29, server 599, coder 589, control 175, ion 104.

apps/coder/package.json

@@ -17,12 +17,12 @@
     "@agentclientprotocol/sdk": "^0.22.1",
     "@anthropic-ai/claude-agent-sdk": "^0.3.159",
     "@boocode/server": "workspace:*",
-    "@fastify/websocket": "^10.0.1",
+    "@fastify/websocket": "^11.0.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "@opencode-ai/sdk": "~1.15.0",
-    "fastify": "^4.28.1",
+    "fastify": "^5.8.3",
     "postgres": "^3.4.4",
-    "ws": "^8.18.0",
+    "ws": "^8.21.0",
     "zod": "^3.23.8"
   },
   "devDependencies": {
@@ -30,7 +30,7 @@
     "@types/ws": "^8.5.10",
     "tsx": "^4.16.2",
     "typescript": "^5.5.0",
-    "vitest": "^3.0.0"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }