Follow-up to 9e558c3. Runs `npm install` with the new nodejs_22 + npm
toolchain that just landed in iris's container (approval dfae406),
which generates the lockfile + node_modules tree. Only the lockfile
is checked in; node_modules/ stays in .gitignore.
Pinned versions (resolved by npm from the package.json constraints):
- chart.js 4.4.4 (replaces the jsDelivr CDN script on stats.html)
- marked 4.3.0 (replaces hive-fr0nt/assets/marked.umd.js)
- esbuild 0.25.5 (bumped from 0.24.0 to clear an audit warning
about the dev-server CSRF advisory; bundling
behaviour is unaffected)
Validated locally:
npm install — 0 vulnerabilities reported
npm run build — both workspace builds succeed
dashboard: dist/{app.js (149kb), dashboard.css (33kb), index.html}
agent: dist/{app.js (114kb), stats.js (435kb), agent.css (16kb),
index.html, stats.html, screen.html}
Stripped-comment diff of dist/dashboard.css vs the runtime concat
(BASE_CSS + TERMINAL_CSS + assets/dashboard.css) shows only
whitespace + comment-strip differences — selectors/properties match.
Hermetic-build wiring (the Nix `buildNpmPackage` derivation that
consumes this lockfile) lands in Phase 2 on a follow-up commit.
Refs #273.
