Fix draw UI audit dependency chain

Move the draw UI off the Excalidraw 0.18.0 dependency chain that pulls in the
vulnerable Mermaid and DOMPurify versions flagged by npm audit.

Use the audit-safe upstream combination of Excalidraw 0.17.6 with React 18,
and update the app imports to match the older package layout.

Checks: npm audit, npx tsc --noEmit, npm run build

Co-authored-by: Codex <noreply@openai.com>

Author: jbeckwith-oai