
[codex] fix release audit vulnerabilities #16

Merged: Junnyyy merged 1 commit into main from codex/fix-release-audit-vulnerabilities on Jun 19, 2026

Conversation


@Junnyyy Junnyyy commented Jun 19, 2026

Member

TL;DR

Fixed release-blocking supply-chain audit failures by upgrading Vite and pinning vulnerable transitive paths to patched versions.

What changed?

  • Upgraded demo app Vite pins from 8.0.14 to 8.0.16
  • Added root pnpm overrides for vulnerable Vite 8 patch ranges and undici 7.x transitive paths
  • Regenerated pnpm-lock.yaml
  • Added an AGENTS.md project learning for the release-audit dependency posture

How to test?

  1. CI=true pnpm install --frozen-lockfile
  2. pnpm audit --audit-level moderate
  3. pnpm build
  4. pnpm test
  5. pnpm typecheck
  6. pnpm lint

Why make this change?

This clears the P0 release audit failure while preserving the repo's pinned-dependency style. The patched graph resolves to vite@8.0.16 and undici@7.28.0; pnpm audit --audit-level moderate passes with only one low advisory remaining, below the requested threshold.




Note

Low Risk
Dev-only dependency and lockfile pinning with no runtime product code changes; main risk is minor dev/build toolchain behavior shifts from Vite and rolldown bumps.

Overview
Addresses release-blocking supply-chain audit failures by moving demo apps off vulnerable Vite 8.0.14 and forcing patched transitive versions across the lockfile.

Vite is bumped from 8.0.14 to 8.0.16 in mf-host, mf-remote-dashboard, mf-remote-settings, and playground. Root pnpm-workspace.yaml overrides pin any vite@>=8.0.0 <=8.0.15 to 8.0.16 and any undici@>=7.0.0 <7.28.0 to 7.28.0, so module-federation, Vitest, and jsdom paths resolve consistently. The lockfile refresh also pulls rolldown 1.0.3 as part of the Vite 8.0.16 graph.

AGENTS.md documents keeping demo Vite at 8.0.16+ and these overrides until upstream catches up, with the expectation that pnpm audit --audit-level moderate stays clean aside from acceptable low advisories.

Reviewed by Cursor Bugbot for commit 9dfd097. Bugbot is set up for automated code reviews on this repo.
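The override ranges described in the review above (vite@>=8.0.0 <=8.0.15 forced to 8.0.16, undici@>=7.0.0 <7.28.0 forced to 7.28.0) are easy to verify independently of pnpm audit, which only knows about published advisories. The following is an added example, not code from this PR or its repository: a dependency-free Node script that parses the `packages:` section of a pnpm v9 lockfile and fails if any resolved vite or undici version still falls inside a blocked range. The two sample lockfiles are constructed for the example; the regex-based key parsing (`  name@version:` and `  '@scope/name@version':` entries) and the major.minor.patch-only comparison that ignores prerelease tags are this example's own simplifying assumptions, not pnpm's API.

```javascript
// Added example (not the PR's or repo's code): lockfile gate for the pnpm override
// ranges in this PR. Assumes pnpm v9 layout where `packages:` keys look like
// `  vite@8.0.16:` or `  '@scope/name@1.2.3':` and peer suffixes live in `snapshots:`.
const BLOCKED_RANGES = [
  { name: 'vite',   lo: '8.0.0', hi: '8.0.15', hiInclusive: true  }, // vite@>=8.0.0 <=8.0.15
  { name: 'undici', lo: '7.0.0', hi: '7.28.0', hiInclusive: false }, // undici@>=7.0.0 <7.28.0
];

// Returns [major, minor, patch] as numbers; prerelease/build tags are ignored (simplification).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1).map(Number);
}

// Three-way comparison of two version strings on their numeric components.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies inside the rule's range (upper bound closed or open per hiInclusive).
function inBlockedRange(version, rule) {
  const aboveLo = compareVersions(version, rule.lo) >= 0;
  const c = compareVersions(version, rule.hi);
  const belowHi = rule.hiInclusive ? c <= 0 : c < 0;
  return aboveLo && belowHi;
}

// Extracts {name, version} for every key in the `packages:` section. Only two-space-indented
// keys are package entries; deeper-indented lines are metadata and are skipped.
function resolvedPackages(lockfileText) {
  const afterHeader = lockfileText.split(/^packages:[ \t]*$/m)[1] ?? '';
  const section = afterHeader.split(/^\S/m)[0]; // stop at the next top-level key (e.g. snapshots:)
  const entries = [];
  const keyRe = /^ {2}'?(@?[^@'\s]+)@([^\s'(:]+)/gm;
  let m;
  while ((m = keyRe.exec(section)) !== null) {
    entries.push({ name: m[1], version: m[2] });
  }
  return entries;
}

// Returns human-readable findings; an empty list means the gate passes.
function auditLockfile(lockfileText, rules = BLOCKED_RANGES) {
  const findings = [];
  for (const pkg of resolvedPackages(lockfileText)) {
    for (const rule of rules) {
      if (pkg.name === rule.name && inBlockedRange(pkg.version, rule)) {
        const hi = rule.hiInclusive ? `<=${rule.hi}` : `<${rule.hi}`;
        findings.push(`${pkg.name}@${pkg.version} is inside overridden range >=${rule.lo} ${hi}`);
      }
    }
  }
  return findings;
}

// Builds a constructed pnpm v9-style lockfile (sample data, not the repo's) with the given versions.
function sampleLockfile(viteVersion, undiciVersion) {
  return `lockfileVersion: '9.0'

packages:

  '@types/node@22.0.0':
    resolution: {integrity: sha512-constructed}

  undici@${undiciVersion}:
    resolution: {integrity: sha512-constructed}

  vite@${viteVersion}:
    resolution: {integrity: sha512-constructed}

snapshots:

  vite@${viteVersion}(@types/node@22.0.0):
    dependencies:
      undici: ${undiciVersion}
`;
}

const VULNERABLE_LOCKFILE = sampleLockfile('8.0.14', '7.27.0'); // pre-fix graph
const PATCHED_LOCKFILE = sampleLockfile('8.0.16', '7.28.0');    // graph the PR resolves to

for (const [label, text] of [['pre-fix', VULNERABLE_LOCKFILE], ['patched', PATCHED_LOCKFILE]]) {
  const findings = auditLockfile(text);
  console.log(`${label}: ${findings.length === 0 ? 'PASS' : 'FAIL'}`, findings);
}
```

To use this against a real checkout, read `pnpm-lock.yaml` with `fs.readFileSync` and exit non-zero when `auditLockfile` returns any finding; run it alongside `pnpm audit --audit-level moderate` in CI so that a lockfile regeneration that silently drops the overrides is caught even before an advisory exists for the reintroduced version.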

@Junnyyy Junnyyy marked this pull request as ready for review June 19, 2026 18:43
@Junnyyy Junnyyy merged commit 05019aa into main Jun 19, 2026
2 checks passed
@Junnyyy Junnyyy deleted the codex/fix-release-audit-vulnerabilities branch June 19, 2026 18:46
