
Fix audit advisories and harden npm uninstall execution#150

Merged
webup merged 1 commit into develop from fix/security-audit-remediation on May 8, 2026
Conversation

@webup
Contributor

@webup webup commented May 8, 2026

What

  • remediate the current npm audit advisories by updating the resolved postcss and @langchain/core dependency paths and overriding langsmith to a non-vulnerable version
  • harden the global uninstall flow to use argv-based npm execution instead of string shell commands
  • add regression tests for secure uninstall invocation and ws/wss websocket URL generation
  • comment on PR #148 (Add MseeP.ai badge) to separate the badge PR from the actual security remediation work

Closes #149.

Why

PR #148 surfaced real dependency advisories, but the code change in that PR only adds a README badge. The actual remediation needed to happen in a separate change that clears audit findings and removes the most obvious command-execution scanner signal.

How

  • bumped @langchain/core to ^1.1.45 in root, backend, and the managed memory plugin
  • bumped postcss to ^8.5.14 in the web workspace
  • added a root overrides entry for langsmith so CI resolves a fixed transitive version consistently
  • switched npmUninstallGlobalRobust() to call execNpmCommand() with argument arrays for npm uninstall -g and npm root -g
  • added a backend unit test to verify the uninstall path rejects unsupported package names and uses argv-based execution
  • added web tests proving websocket URLs resolve to wss:// under https: and ws:// under http:

Verification

  • npm audit --json
  • npm audit --workspace=@openclaw-manager/backend --json
  • npm audit --workspace=@openclaw-manager/web --json
  • npm run build
  • npm test

Screenshots

  • No UI changes.

@webup webup merged commit 50fd4f3 into develop May 8, 2026
10 checks passed
@webup webup deleted the fix/security-audit-remediation branch May 13, 2026 07:44


Successfully merging this pull request may close these issues.

Remediate npm audit advisories and harden uninstall command execution
