Commit 2a6229f
build(deps): bump ui dependencies to clear security advisories

Bumps @modelcontextprotocol/ext-apps from ^1.0.0 to ^1.7.2 (which pulls
in newer @modelcontextprotocol/sdk and hono), and runs npm audit fix to
update the transitive vite/rollup/postcss/picomatch/lodash chain.

Closes the following GHSAs (all reachable only through /ui build deps):
- hono: GHSA-xh87-mx6m-69f3, and the SSR/cookie/serveStatic family
- fast-uri: GHSA path-traversal/host-confusion
- ip-address, express-rate-limit, path-to-regexp, picomatch
- vite path-traversal + dev-server WebSocket file-read
- rollup arbitrary file write, postcss XSS, lodash prototype pollution

No source changes required: the ext-apps React API we consume
(useApp / App / ontoolresult / ontoolinput) is unchanged; typecheck
and the full vite build pass.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent ea9d0c8 commit 2a6229f
2 files changed
Lines changed: 215 additions & 342 deletions