[codex] resolve Dependabot alerts for staging

[aron23]

What changed

• refreshed ts/package-lock.json to bring all alerting transitive npm packages onto patched releases
• upgraded the infra example CDK stack packages to a peer-compatible set: @theory-cloud/apptheory-cdk@0.19.0, aws-cdk-lib@2.244.0, and constructs@10.6.0
• updated the SSG/ISR stack snapshot to match the new synthesized template output

Why

GitHub currently reports 14 open Dependabot alerts on the default branch. The affected lockfiles in this change now pin patched versions for all alerting packages:

• ts/package-lock.json: picomatch, fast-xml-parser, flatted, undici, devalue, rollup
• infra/apptheory-ssr-site/package-lock.json: minimatch
• infra/apptheory-ssg-isr-site/package-lock.json: fast-xml-parser, minimatch

Impact

• clears the current open Dependabot alert set covered by these npm lockfiles
• keeps the infra examples on a peer-consistent AppTheory/CDK combination
• is conflict-free to merge into staging, and premain is also an ancestor of this branch

Validation

• npm audit --json in ts -> 0 vulnerabilities
• npm test in ts
• npm run typecheck in ts
• npm test in infra/apptheory-ssr-site
• npm test in infra/apptheory-ssg-isr-site
• git merge-base --is-ancestor origin/staging HEAD
• git merge-base --is-ancestor origin/premain HEAD

Residual note

The infra example packages still show moderate npm audit findings from bundled yaml and brace-expansion inside aws-cdk-lib@2.244.0. Those are outside the current GitHub Dependabot alert set fixed here and would require a newer compatible @theory-cloud/apptheory-cdk release (or a custom patched CDK tarball) to remove cleanly.