Commit ec2d3d4

fix(github): adopt DateCtor + vendor fixed acorn-wasm
Two changes from the latest prim-audit pass:

* `github.ts:1043` — `new Date(Number(resetTimeStr) * 1000)` switched to `new DateCtor(...)`. This site became visible in the audit only after the acorn-wasm parser bug fix (next item) made the AST faithful enough to walk function bodies all the way through. The site is in `fetchGitHub`'s rate-limit-error branch, which the audit had previously been missing entirely.

* `vendor/acorn-wasm/acorn_wasm.wasm` — rebuilt from ultrathink commit 32ab26c70 ("fix(acorn-rust): use heap-allocated body for non-empty BlockStatement"). The previous wasm had a sequential-encoding bug in the BlockStatement AST node that caused the serializer to emit one statement plus garbage from sub-node ID slots, producing an AST where most function-body content was silently elided.

Concretely: a tool walking `parse('http-request.ts')` would see 0 NewExpression nodes despite the source having ~30 of them. After this rebuild, the same audit finds:

    NewExpression: 0 → 19 (target ~30, npm-acorn ground truth)
    CallExpression: 6 → 100 (target ~147)
    IfStatement: 6 → 49 (target ~58)
    ArrowFunctionExpression: 0 → 14 (target ~29)

The fix is partial — same sequential-encoding pattern exists for ~13 other AST node kinds (ObjectExpression properties, CallExpression arguments, NewExpression arguments, VariableDeclaration declarations, SwitchCase consequent, TemplateLiteral quasis, etc.). Each of those needs the same shape of fix: heap-allocated `<X>Data` struct + `<x>_with_<children>` builder + flag-bit dispatch in the serializer + parser callsite update. Tracked as a follow-up; the partial fix is committed now because it dramatically improves audit coverage immediately and the architectural pattern for the remainder is now proven.

Vendor sync: `acorn_wasm.wasm` swapped (3343907 → 3344723 bytes, +816 from the heap-allocation code path).
`acorn_wasm.cjs` and `acorn_wasm.d.ts` are byte-identical to the previous vendor copy because the JS bindings didn't change in this commit.
1 parent 7bb2d03 commit ec2d3d4

2 files changed

Lines changed: 2 additions & 2 deletions

src/github.ts

Lines changed: 2 additions & 2 deletions
@@ -28,7 +28,7 @@ import { getGhToken, getGithubToken } from './env/github'
2828
import { getSocketCliGithubToken } from './env/socket-cli'
2929
import { errorMessage } from './errors'
3030
import { httpRequest } from './http-request'
31-
import { ErrorCtor, JSONParse, JSONStringify } from './primordials'
31+
import { DateCtor, ErrorCtor, JSONParse, JSONStringify } from './primordials'
3232
import { spawn } from './spawn'
3333

3434
import type { TtlCache } from './cache-with-ttl'
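Review bot: The `DateCtor` name added to the `./primordials` import line depends on an export this commit does not introduce: only `src/github.ts` and the wasm binary change here, so `DateCtor` has to exist in `./primordials` already. Worth confirming before merge, and worth one line in the commit message saying the export predates this change, so a reader of the diff alone does not have to go looking.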
@@ -1040,7 +1040,7 @@ export async function fetchGitHub<T = unknown>(
10401040
const resetTimeStr =
10411041
typeof resetTime === 'string' ? resetTime : resetTime?.[0]
10421042
const resetDate = resetTimeStr
1043-
? new Date(Number(resetTimeStr) * 1000)
1043+
? new DateCtor(Number(resetTimeStr) * 1000)
10441044
: undefined
10451045
const error = new ErrorCtor(
10461046
`GitHub API rate limit exceeded${resetDate ? `. Resets at ${resetDate.toLocaleString()}` : ''}. Use GITHUB_TOKEN environment variable to increase rate limit.`,
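Review bot: In the `resetDate` ternary, `Number(resetTimeStr) * 1000` is never checked for NaN, so a non-numeric reset value yields an Invalid Date object that is still truthy, and the error message then reads "Resets at Invalid Date". Suggest computing the number first and constructing the date only when `Number.isFinite(...)` holds, falling back to `undefined` otherwise. Separately, `resetDate.toLocaleString()` in the template literal is still a prototype lookup at call time; if the purpose of `DateCtor` is to stop depending on a mutable global, that call is the remaining half of the same site and should either go through a primordial as well or be noted as out of scope.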

vendor/acorn-wasm/acorn_wasm.wasm

816 Bytes
Binary file not shown.
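Review bot: The replaced `acorn_wasm.wasm` cannot be reviewed from this diff, and the commit records only its source commit (32ab26c70) and byte sizes (3343907 → 3344723), neither of which identifies the artifact's contents. Suggest recording a SHA-256 of the new binary together with the build command or toolchain version, so the vendored file can be checked against a rebuild from that commit. Since this parser feeds the audit, a regression test asserting the node counts quoted in the message (for example NewExpression on `http-request.ts`) would also keep the remaining sequential-encoding cases from going unnoticed.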
