chore(deps): clear all 27 advisories via fastify 5, vite 6, transitive overrides

Direct bumps: ws 8.21.0, vitest 3.2.6 (critical UI-server RCE), js-yaml 4.2.0.
Root pnpm.overrides: hono, undici, qs, fast-uri, react-router(-dom), @babel/core,
range-scoped esbuild, and a global vite pin (forces vitest onto Vite 6).
Major migrations with no code changes (API-audited): fastify 4 to 5 across
server/coder/control/booterm (+@fastify/websocket 11, @fastify/static 9.1.1),
vite 5 to 6 +@vitejs/plugin-react 4.7 in web. pnpm audit: no known vulnerabilities.
Suites green: contracts 29, server 599, coder 589, control 175, ion 104.

apps/server/package.json

@@ -89,14 +89,14 @@
     "@ai-sdk/deepseek": "^2.0.35",
     "@ai-sdk/openai-compatible": "^2.0.47",
     "@boocode/contracts": "workspace:*",
-    "@fastify/static": "^7.0.4",
-    "@fastify/websocket": "^10.0.1",
+    "@fastify/static": "^9.1.1",
+    "@fastify/websocket": "^11.0.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "ai": "^6.0.190",
-    "fastify": "^4.28.1",
+    "fastify": "^5.8.3",
     "node-html-markdown": "^1.3.0",
     "postgres": "^3.4.4",
-    "ws": "^8.18.0",
+    "ws": "^8.21.0",
     "zod": "^3.23.8"
   },
   "devDependencies": {
@@ -104,7 +104,7 @@
     "@types/ws": "^8.5.10",
     "tsx": "^4.16.2",
     "typescript": "^5.5.0",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.6"
   },
   "license": "MIT"
 }