chore(deps): npm audit fix --force — closes 12 deferred vulnerabilities

User explicitly authorized the major-version bump after the loop
flagged it as deferred. Two breaking-change upgrades land:

- electron-builder: 25.1.8 → 26.8.1
- electron:         33.4.11 → 41.3.0

Plus the transitive cleanup that the audit chain (@tootallnate/once,
http-proxy-agent, make-fetch-happen, node-gyp, @electron/rebuild,
app-builder-lib, dmg-builder, electron-builder-squirrel-windows, tar,
cacache, brace-expansion, @xmldom/xmldom) required.

Vulnerability count: 12 → 0.
35 packages added, 138 removed, 39 changed.

Verified: 126/126 unit tests still green. NSIS+portable build runs
end-to-end on the new toolchain (artifacts ~100 MB each due to the
electron 41 baseline). Renderer is Chromium-based as before; no
behaviour change expected on the user side, just a more current
runtime + signed-build pipeline.

package.json

@@ -16,8 +16,8 @@
     "ws": "^8.19.0"
   },
   "devDependencies": {
-    "electron": "^33.0.0",
-    "electron-builder": "^25.0.0",
+    "electron": "^41.3.0",
+    "electron-builder": "^26.8.1",
     "eslint": "^10.1.0",
     "eslint-plugin-security": "^4.0.0",
     "rcedit": "^4.0.1"