
fix: refresh native dependency lockfile #63

Open
code-yeongyu wants to merge 1 commit into main from code-yeongyu/fix-npm-audit-undici


code-yeongyu (Owner) commented Jun 22, 2026

Summary

  • Refresh package-lock.json so @earendil-works/gondolin resolves nested undici to patched 6.27.0.
  • Add missing darwin-arm64 optional native package entries that npm needs for local macOS package-manager verification snapshots.

Why

The latest failed npm audit run on main (27899366299, head 356319841) reported high-severity undici <=6.26.0 advisories under node_modules/@earendil-works/gondolin/node_modules/undici. Current main had already moved the top-level undici to 8.5.0, but the Gondolin nested lock entry was still 6.26.0.

Recent Upstream Agent Merge scheduled runs are green; earlier failures were from merge conflicts / PR check gating and are already addressed on current main.

QA Evidence

Saved under local-ignore/qa-evidence/20260622-npm-audit-undici/:

  • npm-ci.txt: npm ci --ignore-scripts --no-audit --no-fund
  • npm-audit.txt: npm audit --omit=dev --audit-level=moderate -> found 0 vulnerabilities
  • npm-audit-signatures.txt: npm audit signatures --omit=dev -> 193 registry signatures, 32 attestations
  • npm-check.txt: npm run check
  • npm-verify-pms.txt: npm run verify:pms -> ✓ npm, ✓ bun, ✓ pnpm

The commit hook also reran npm run check, npm run verify:pms, and browser smoke successfully before commit.


Summary by cubic

Refreshes package-lock.json to patch nested undici in @earendil-works/gondolin and add missing macOS arm64 optional native bindings. Fixes the npm audit failure and makes local package-manager verification consistent.

  • Dependencies
    • Bumps nested undici to 6.27.0 under @earendil-works/gondolin.
    • Adds darwin-arm64 optional entries for @earendil-works/gondolin-krun-runner, @napi-rs/canvas, @parcel/watcher, @rolldown/binding, @tailwindcss/oxide, and lightningcss.

Written for commit 7a33069. Summary will update on new commits.
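
The situation described under "Why" (top-level undici already at 8.5.0 while the copy nested under @earendil-works/gondolin stayed at 6.26.0) can be caught by walking every install path in the lockfile instead of only the top-level entry. The following is an added example, not part of this pull request or the project's code; the sample lockfile is constructed, `findCopies` is a hypothetical helper, and the single 6.27.0 threshold is a simplification of the advisory range.

```javascript
// Added example: list every installed copy of a package in a package-lock.json
// ("packages" map, lockfileVersion 2/3) and flag copies below a patched version.

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly lower than version b.
function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Returns [{ path, version, vulnerable }] for each install path that ends in
// node_modules/<name>, including copies nested under other packages.
function findCopies(lock, name, minPatched) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => meta.version &&            // skip link entries
      (path === suffix || path.endsWith(`/${suffix}`)))
    .map(([path, meta]) => ({
      path,
      version: meta.version,
      vulnerable: lessThan(meta.version, minPatched),
    }));
}

// Constructed sample mirroring the state described above; the gondolin
// version is a placeholder, not the real one.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/undici": { version: "8.5.0" },
    "node_modules/@earendil-works/gondolin": { version: "0.0.0" },
    "node_modules/@earendil-works/gondolin/node_modules/undici": { version: "6.26.0" },
  },
};

console.log(findCopies(sampleLock, "undici", "6.27.0"));
```

Against a real checkout, the parsed contents of package-lock.json would be passed in place of `sampleLock`.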
