fix(ci): close two CI regressions from Phase 3 + Phase 5

Phase 3 added @playwright/test@^1.49.0 to web/package.json and
Phase 5 added orval@^7.0.0, both without regenerating
web/package-lock.json. CI's npm ci in both the Frontend Build job
and the Dockerfile frontend stage failed:

    npm error Missing: @playwright/test@1.60.0 from lock file
    npm error Missing: orval ... from lock file

Regenerate web/package-lock.json with:

    cd web && npm install --package-lock-only --no-audit

(+6990 / -1893 lines — orval pulls a deep transitive graph). No
node_modules download required; lockfile-only mode keeps the
operation light. Verified clean with 'npm ci --dry-run' (612
packages would install).

Phase 2's SEC-H3 fail-closed branch (CERTCTL_DEMO_MODE_ACK_TS
required when CERTCTL_DEMO_MODE_ACK=true) broke four pre-existing
tests in internal/config/config_test.go that set DemoModeAck=true
without setting DemoModeAckTS:

    TestValidate_AuthTypeNone_NonLoopback_AckPasses          (l.722)
    TestValidate_Bundle2_PlaceholderAuthSecret_DemoAckExempt (l.1799)
    TestValidate_Bundle2_PlaceholderEncryptionKey_DemoAckExempt (l.1832)
    TestValidate_Bundle2_CORSWildcard_DemoAckExempt          (l.1879)

Each test now sets DemoModeAckTS alongside DemoModeAck=true:

    DemoModeAckTS: strconv.FormatInt(time.Now().Unix(), 10)

strconv + time were already imported in config_test.go. Verified
locally: 'go test ./internal/config/... -count=1' passes clean
(0.700s), gofmt clean, go vet clean.

Root cause was the sandbox 'disk-full' constraint that forced
deferring npm install to the operator's workstation — but CI runs
npm ci before any workstation operation. Lockfile-only regen
(this commit) is the right fix; works in low-disk environments
because no node_modules download happens.

internal/config/config_test.go

@@ -714,7 +714,7 @@ func TestValidate_AuthTypeNone_NonLoopback_AckPasses(t *testing.T) {
 		Server:    srv,
 		Database:  DatabaseConfig{URL: "postgres://localhost/certctl", MaxConnections: 25},
 		Log:       LogConfig{Level: "info", Format: "json"},
-		Auth:      AuthConfig{Type: "none", Secret: "", DemoModeAck: true},
+		Auth:      AuthConfig{Type: "none", Secret: "", DemoModeAck: true, DemoModeAckTS: strconv.FormatInt(time.Now().Unix(), 10)},
 		Keygen:    KeygenConfig{Mode: "agent"},
 		Scheduler: validSchedulerConfig(),
 	}
@@ -1794,6 +1794,7 @@ func TestValidate_Bundle2_PlaceholderAuthSecret_DemoAckExempt(t *testing.T) {
 	cfg.Auth.Type = "api-key"
 	cfg.Auth.Secret = "change-me-in-production"
 	cfg.Auth.DemoModeAck = true
+	cfg.Auth.DemoModeAckTS = strconv.FormatInt(time.Now().Unix(), 10)
 
 	if err := cfg.Validate(); err != nil {
 		t.Errorf("Validate() returned %v with DemoModeAck=true; demo path must accept placeholder secret", err)
@@ -1827,6 +1828,7 @@ func TestValidate_Bundle2_PlaceholderEncryptionKey_DemoAckExempt(t *testing.T) {
 	cfg := validBaseConfigForEncryption(t)
 	cfg.Encryption.ConfigEncryptionKey = "change-me-32-char-encryption-key"
 	cfg.Auth.DemoModeAck = true
+	cfg.Auth.DemoModeAckTS = strconv.FormatInt(time.Now().Unix(), 10)
 
 	if err := cfg.Validate(); err != nil {
 		t.Errorf("Validate() returned %v with DemoModeAck=true; demo path must accept placeholder encryption key", err)
@@ -1874,6 +1876,7 @@ func TestValidate_Bundle2_CORSWildcard_DemoAckExempt(t *testing.T) {
 	cfg := validBaseConfigForEncryption(t)
 	cfg.CORS.AllowedOrigins = []string{"*"}
 	cfg.Auth.DemoModeAck = true
+	cfg.Auth.DemoModeAckTS = strconv.FormatInt(time.Now().Unix(), 10)
 
 	if err := cfg.Validate(); err != nil {
 		t.Errorf("Validate() returned %v with DemoModeAck=true; demo path must accept wildcard CORS", err)