
chore(deps): consolidate all 23 open Dependabot bumps #151

Merged: agjs merged 4 commits into main from chore/consolidate-dependabot-2026-06-09 on Jun 9, 2026

@agjs agjs commented Jun 9, 2026

Contributor

Summary

Consolidates all 23 open Dependabot PRs (#128–#150) into a single PR. Every package.json bump is applied, the three per-app bun.lock files are regenerated together, and two cross-PR incompatibilities that would have broken the merged tree are resolved.

Dependency bumps

GitHub Actions (#128, #129, #140)

  • actions/checkout 6.0.2 → 6.0.3 (23 workflows)
  • codecov/codecov-action 6.0.1 → 7.0.0
  • changesets/action 1.8.0 → 1.9.0

apps/api (#134, #136, #138, #141, #144, #148, #149, #150)

  • @anthropic-ai/sdk 0.98.0 → 0.100.1, openai 6.39.0 → 6.39.1
  • @sentry/bun 10.53.1 → 10.55.0, stripe 22.1.1 → 22.2.0
  • nodemailer 8.0.8 → 8.0.10, bullmq 5.77.3 → 5.77.6
  • eslint 10.4.0 → 10.4.1, eslint-plugin-prettier 5.5.5 → 5.5.6
  • @boring-stack-pkg/eslint-plugin-jwt-cookies 0.1.1 → 0.1.2, @boring-stack-pkg/eslint-plugin-module-boundaries 0.1.1 → 0.1.2

apps/ui (#130, #133, #139, #142, #143, #145, #146, #147)

  • @sentry/react 10.53.1 → 10.55.0, react-hook-form 7.75.0 → 7.77.0, react-router-dom 7.15.1 → 7.16.0, lucide-react 1.16.0 → 1.17.0
  • lint-staged 17.0.5 → 17.0.7, tsx 4.22.3 → 4.22.4
  • @eslint/json 1.2.0 → 2.0.0, eslint 10.4.0 → 10.4.1, eslint-import-resolver-typescript 4.4.4 → 4.4.5
  • @boring-stack-pkg/eslint-plugin-module-boundaries 0.1.1 → 0.1.2

apps/docs (#131, #132, #135, #137)

  • astro 6.3.7 → 6.4.2, @astrojs/react 5.0.5 → 5.0.6, @astrojs/sitemap 3.7.2 → 3.7.3, wrangler 4.94.0 → 4.95.0

Two conflicts that only surface when bumps are combined

1. ioredis held at 5.10.1 (deviates from #134's group).
bullmq@5.77.6 pins ioredis to an exact 5.10.1. Bumping the top-level ioredis to 5.11.0 (the other half of #134's group) creates two un-dedupable copies whose Connector/AbstractConnector types are structurally incompatible (TS2769 in the OAuth-state tests). #134's own lockfile has the same split. Resolution: take the bullmq bump, keep ioredis at 5.10.1 so the copies dedupe (matching main's working state). Defer the standalone ioredis bump until bullmq advances its pin.

2. @astrojs/markdown-remark override added (apps/docs).
astro@6.4.2 pins @astrojs/markdown-remark@7.2.0 — only that version exposes the unified subpath export astro's prerender runtime imports. Starlight pulls the 7.1.x range transitively, and the hoisted 7.1.x copy shadows astro's nested 7.2.0, so astro build fails with "does not provide an export named 'unified'". #132's own lockfile has the same split; it passes Dependabot CI only because docs build:ci isn't enforced in GitHub CI (it is run by the local pre-push gate). Resolution: pin @astrojs/markdown-remark to 7.2.0 in overrides (Starlight's ^7.1.1 is satisfied), with rationale documented in the //overrides block.

Verification

  • apps/api bun run check ✅ (typecheck, lint, lint:meta, RULES.md, knip)
  • apps/ui bun run check ✅ + bun run build
  • apps/docs bun run build:ci ✅ (astro build + fragment check)
  • Security pre-push (gitleaks, semgrep, osv-scanner) ✅ clean on all three regenerated lockfiles — no vulnerabilities in the bumped versions
  • All three bun.lock files regenerated and committed (frozen-install safe)

The Docker-backed smoke/Playwright stage and the Redis/Postgres integration tests (5 OAuth-state tests that need a live Valkey on :6379) were not run locally — no Docker daemon in this environment. GitHub CI provides those service containers and will run them on this PR.

Closes

Supersedes and closes #128, #129, #130, #131, #132, #133, #134, #135, #136, #137, #138, #139, #140, #141, #142, #143, #144, #145, #146, #147, #148, #149, #150.

agjs added 4 commits June 9, 2026 14:36
- actions/checkout 6.0.2 -> 6.0.3 (23 workflows)
- codecov/codecov-action 6.0.1 -> 7.0.0 (api-ci, ui-validate)
- changesets/action 1.8.0 -> 1.9.0 (release workflows)

Consolidates dependabot PRs #128, #129, #140.

- @anthropic-ai/sdk 0.98.0 -> 0.100.1, openai 6.39.0 -> 6.39.1 (#148)
- @sentry/bun 10.53.1 -> 10.55.0 (#144)
- bullmq 5.77.3 -> 5.77.6 (#134, ioredis held back below)
- nodemailer 8.0.8 -> 8.0.10 (#138)
- stripe 22.1.1 -> 22.2.0 (#136)
- eslint 10.4.0 -> 10.4.1, eslint-plugin-prettier 5.5.5 -> 5.5.6 (#141)
- @boring-stack-pkg/eslint-plugin-jwt-cookies 0.1.1 -> 0.1.2 (#150)
- @boring-stack-pkg/eslint-plugin-module-boundaries 0.1.1 -> 0.1.2 (#149)

ioredis intentionally kept at 5.10.1 (not bumped to 5.11.0 from #134's
group): bullmq@5.77.6 pins ioredis to an exact 5.10.1, so a top-level
5.11.0 cannot dedupe and the two copies' connector types are structurally
incompatible (TS2769). Defer ioredis until bullmq updates its pin.

- @sentry/react 10.53.1 -> 10.55.0 (#142)
- react-hook-form 7.75.0 -> 7.77.0 (#145)
- react-router-dom 7.15.1 -> 7.16.0 (#130)
- lucide-react 1.16.0 -> 1.17.0 (#133)
- lint-staged 17.0.5 -> 17.0.7 (#147)
- tsx 4.22.3 -> 4.22.4 (#146)
- @eslint/json 1.2.0 -> 2.0.0, eslint 10.4.0 -> 10.4.1, eslint-import-resolver-typescript 4.4.4 -> 4.4.5 (#139)
- @boring-stack-pkg/eslint-plugin-module-boundaries 0.1.1 -> 0.1.2 (#143)

Consolidates dependabot PRs #130, #133, #139, #142, #143, #145, #146, #147.

- astro 6.3.7 -> 6.4.2 (#132)
- @astrojs/react 5.0.5 -> 5.0.6 (#135)
- @astrojs/sitemap 3.7.2 -> 3.7.3 (#131)
- wrangler 4.94.0 -> 4.95.0 (#137)

Adds an @astrojs/markdown-remark@7.2.0 override: astro 6.4.2 pins that
exact version (only it exposes the `unified` subpath export the prerender
runtime imports), but Starlight pulls 7.1.x transitively; without the pin
the hoisted 7.1.x copy shadows astro's nested 7.2.0 and `astro build`
fails. Rationale documented in the //overrides block.

Consolidates dependabot PRs #131, #132, #135, #137.

@agjs agjs merged commit 64cb506 into main Jun 9, 2026
32 checks passed
@agjs agjs deleted the chore/consolidate-dependabot-2026-06-09 branch June 9, 2026 12:44
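
The two conflicts in the PR description both come down to whether every requester of a package can accept one version. The sketch below is an added example, not code from this PR or repository: it classifies a package as a split (no common version), an override candidate (an exact pin that also satisfies the looser range), or fine. The requester lists are constructed from the description, the top-level ioredis entries are assumed to be exact versions, and `reviewTree` and `dedupeTarget` are hypothetical names.

```javascript
// Added example with constructed data. Handles only exact versions and
// ^ ranges with major >= 1; real resolvers support far more.
const parse = (v) => v.split(".").map(Number);
const cmp = (a, b) => {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
};
const isExact = (range) => !range.startsWith("^");

function satisfies(version, range) {
  if (isExact(range)) return cmp(version, range) === 0;
  const base = range.slice(1);
  return parse(version)[0] === parse(base)[0] && cmp(version, base) >= 0;
}

// requests: [{ by, range }] for one package. Returns the single version every
// requester accepts, or null when the tree must carry two copies.
function dedupeTarget(requests) {
  const pins = requests.filter((r) => isExact(r.range)).map((r) => r.range);
  const candidates = pins.length ? pins : requests.map((r) => r.range.slice(1));
  const ok = candidates.filter((v) => requests.every((r) => satisfies(v, r.range)));
  return ok.length ? ok.sort(cmp)[ok.length - 1] : null;
}

// Classify each package: "split" (cannot dedupe), "override" (a pin exists
// that also satisfies the looser ranges), or "ok" (requesters already agree).
function reviewTree(tree) {
  return Object.entries(tree).map(([pkg, requests]) => {
    const target = dedupeTarget(requests);
    if (target === null) return { pkg, status: "split", target };
    const mixed = requests.some((r) => isExact(r.range)) && requests.some((r) => !isExact(r.range));
    return { pkg, status: mixed ? "override" : "ok", target };
  });
}

// Constructed requester lists modelled on the PR description.
const proposed = {
  ioredis: [{ by: "apps/api", range: "5.11.0" }, { by: "bullmq@5.77.6", range: "5.10.1" }],
  "@astrojs/markdown-remark": [{ by: "astro@6.4.2", range: "7.2.0" }, { by: "starlight", range: "^7.1.1" }],
};
const resolved = { ...proposed, ioredis: [{ by: "apps/api", range: "5.10.1" }, proposed.ioredis[1]] };

console.log(reviewTree(proposed), reviewTree(resolved));
```
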