chore(security): update vulnerable dependencies#69

Open
richardgetz wants to merge 1 commit into stable from rick/dependabot-alerts-20260608
Conversation

@richardgetz (Owner)

Summary

  • Update Rust dependencies and lockfiles for actionable Dependabot alerts, including gix, jsonwebtoken, tar, actix-http, openssl, and rand.
  • Enable jsonwebtoken 10's rust_crypto provider feature so existing JWT verification paths keep working without global crypto-provider initialization.
  • Add pnpm resolutions for vulnerable transitive NPM packages and refresh pnpm-lock.yaml.
  • Refresh MODULE.bazel.lock using the direct Bazel equivalent with writable cache overrides.
  • Resolve constrained alerts separately by dismissal: #1 lru and #18 hickory-proto as vulnerable code not used, #19 hickory-proto as tolerable risk pending a larger rama stack migration.

Tests

  • just fmt
  • git diff --check
  • direct bazel mod deps --lockfile_mode=update with writable cache overrides
  • direct bazel mod deps --lockfile_mode=error with writable cache overrides
  • cargo check -p codex-agent-identity -p codex-login -p codex-app-server-transport -p codex-git-utils -p codex-core-plugins
  • just test -p codex-agent-identity -p codex-app-server-transport -p codex-login (235 passed plus bench-smoke)
  • just test -p codex-agent-identity -p codex-login -p codex-app-server-transport -p codex-git-utils -p codex-core-plugins -p codex-network-proxy -p codex-secrets (634 passed plus bench-smoke)
  • corepack pnpm install --lockfile-only --frozen-lockfile
  • independent post-change review with two spawned reviewers: no actionable findings

Note: the repo just bazel-lock-update/bazel-lock-check recipes were blocked locally by .bazelrc cache paths under ~/.cache, so I ran the equivalent Bazel commands directly with sandbox-writable cache locations.
