Commit b93daa6
fix: resolve security vulnerabilities via npm audit fix
Updates transitive dependencies to fix 11 vulnerabilities:
- @modelcontextprotocol/sdk 1.25.3 → 1.28.0 (fixes cross-client data leak)
- path-to-regexp 8.3.0 → 8.4.0 (fixes ReDoS)
- undici → 7.24.6 (fixes WebSocket and smuggling issues)
- hono → 4.12.9 (fixes XSS, cache deception, prototype pollution)
- rollup → 4.60.0 (fixes path traversal)
- picomatch → 2.3.2/4.0.4 (fixes method injection)
- flatted → 3.4.2 (fixes DoS and prototype pollution)
- qs, ajv, brace-expansion (moderate fixes)
Remaining: minimatch (dev-only, requires breaking @typescript-eslint upgrade)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

1 parent 545824c commit b93daa6
1 file changed
Lines changed: 198 additions & 186 deletions