chore(deps): bump hono + postcss to clear 3 moderate Dependabot alerts (#39)

- hono ^4.12.15 → ^4.12.16 (4.12.18 resolved). Clears:
      • CVE: bodyLimit() bypass for chunked / unknown-length requests
      • CVE: hono/jsx HTML injection via unvalidated JSX tag names
  - postcss override pinned ≥ 8.5.10 (8.5.14 resolved via tsup transitive).
    Clears: PostCSS XSS via unescaped </style> in CSS Stringify Output.

postcss is a transitive (tsup → postcss-load-config → postcss). Used a
pnpm override (`postcss@<8.5.10`: ^8.5.10) so any future tsup or sibling
that pulls in older postcss is auto-bumped, instead of relying on tsup
to ship a new release.

867/867 tests still passing; typecheck + build clean.

Author: drewstone

package.json

@@ -88,7 +88,7 @@
     "@ax-llm/ax": "^19.0.25",
     "@hono/node-server": "^2.0.0",
     "@tangle-network/tcloud": "^0.4.6",
-    "hono": "^4.12.15",
+    "hono": "^4.12.16",
     "zod": "^4.3.6"
   },
   "devDependencies": {
@@ -98,6 +98,11 @@
     "typescript": "^5.7.0",
     "vitest": "^3.0.0"
   },
+  "pnpm": {
+    "overrides": {
+      "postcss@<8.5.10": "^8.5.10"
+    }
+  },
   "engines": {
     "node": ">=20"
   },