fix: resolve dependency and secret alerts

[santoshkumarradha]

Summary

• refresh the web client lockfiles to move vulnerable transitive glob, lodash, and yaml resolutions onto patched versions
• pin the TypeScript SDK test toolchain to vite@^6.4.2 and vitest@^3.2.4, updating the npm lockfile away from vulnerable vite/esbuild entries while keeping the Node 18-compatible Vite 6 line
• remove the leaked OpenRouter API key from the simulation engine example notebook and switch it to OPENROUTER_API_KEY

Verification

• parsed the updated JSON lockfiles, package manifest, and notebook with Node
• parsed control-plane/web/client/pnpm-lock.yaml with Ruby YAML
• confirmed the targeted vulnerable version strings and raw sk-or-v1- secrets are absent from the touched files
• ran git diff --check

Notes

• full npm/pnpm install-based verification was not possible here because registry access from the sandboxed package managers timed out / was unavailable

[github-actions]

Performance

SDK	Memory	Δ	Latency	Δ	Tests	Status
TS	445 B	+27%	3.62 µs	+81%	✓	✗

⚠ Regression detected:

• TypeScript memory: 350 B → 445 B (+27%)