deps(web): upgrade vite ^8.0.0 → ^8.0.10 (3 Dependabot alerts)

Closes Dependabot alerts #12 (CVE — arbitrary file read via Vite dev
server WebSocket), #13 (CVE-2026-39364 — server.fs.deny bypassed with
?raw / ?import&raw / ?import&url&inline query suffixes), and #14 (path
traversal in optimized-deps .map handling). All three live in the vite
DEV server only — vite build (production output) is unaffected. All
three share the same advisory range '>= 8.0.0, <= 8.0.4' → fixed in
8.0.5; npm picked the latest 8.x patch (8.0.10).

Real-world exposure for certctl was low: web/package.json's 'dev: vite'
script has no --host flag, so the default binding is localhost
(127.0.0.1). Devs who manually run 'vite --host' for cross-machine
testing were exposed to the same-LAN attack vector; this closes it.

Manifest change: bumped the constraint from '^8.0.0' to '^8.0.10' to
document the security floor in package.json itself (the caret already
permitted 8.0.10, but pinning the floor higher prevents an accidental
downgrade if a future 'npm install' somehow re-resolves to a vulnerable
8.0.0-8.0.4). Lockfile change: 17 packages removed + 18 changed —
mostly transitive vite-internal modules (rolldown, oxc-* etc.) that
shifted around between 8.0.0 and 8.0.10.

Verified locally:
  - 'npm install vite@^8.0.5 --save-dev' completed cleanly.
  - 'vite build' produces the same web/dist/ output (668 modules
    transformed, 35.30 kB CSS / 918.04 kB JS — same shape as pre-
    upgrade).
  - vitest run wasn't completed in the sandbox (test runner hung in
    the disk-pressure environment); CI will run it on push.

Engineering history: this is a cross-cutting deps bump that lives
outside the ACME-Server-N phase plan.
shankar0123
2026-05-03 19:18:14 +00:00
parent 650f5a198f
commit 9bfbac0f97
2 changed files with 116 additions and 123 deletions
+1 -1
@@ -28,7 +28,7 @@
"postcss": "^8.5.8",
"tailwindcss": "^3.4.19",
"typescript": "^5.9.3",
"vite": "^8.0.0",
"vite": "^8.0.10",
"vitest": "^4.1.0"
}
}
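Review bot: the `"vitest": "^4.1.0"` line stays unchanged next to the vite bump, and the commit message says the vitest run did not complete locally, so this should wait for a green CI run on push before merging. Since the lockfile (the second changed file) is not shown here, it is also worth confirming that it resolves vite to 8.0.5 or later, for example with `npm ls vite` in web/, so the `^8.0.10` floor in package.json and the installed version agree.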