fix(deps): bump next 15.0.3 → 16.2.6 to clear trivy CVEs

trivy fs scan failed the M0.2 CI gate on the skeleton commit because
next 15.0.3 has 9 known vulns (CRITICAL CVE-2025-29927 auth bypass in
middleware, plus 7 HIGH advisories). 16.2.6 is current latest and
covers every fixed-version range trivy listed.

Side effects of the major bump:
- next 16 dropped 'next lint' — switched the lint script to call eslint
  directly ('eslint . --max-warnings 0').
- eslint-config-next 16 ships flat-config exports natively, so
  eslint.config.mjs imports core-web-vitals + typescript directly
  (no FlatCompat shim, no @eslint/eslintrc dep).
- Typed vi.fn<typeof fetch>() in tenant-registry.test to satisfy
  stricter tuple inference under the new types.

All 4 gates green locally:
  pnpm lint / typecheck / test --coverage (100% on src/lib) / build

Refs: M5.1 (skeleton)

src/lib/tenant-registry.test.ts

@@ -54,9 +54,11 @@ describe("fetchTenantBySlug", () => {
   });
 
   test("encodes slug to defend against weird input", async () => {
-    const fetchSpy = vi.fn(async () => new Response("", { status: 404 }));
+    const fetchSpy = vi.fn<typeof fetch>(async () => new Response("", { status: 404 }));
     globalThis.fetch = fetchSpy;
     await fetchTenantBySlug("a/b c");
-    expect(fetchSpy.mock.calls[0][0]).toBe("http://test:1234/v1/tenants/by-slug/a%2Fb%20c");
+    const firstCall = fetchSpy.mock.calls[0];
+    expect(firstCall).toBeDefined();
+    expect(firstCall![0]).toBe("http://test:1234/v1/tenants/by-slug/a%2Fb%20c");
   });
 });