fix(deps): bump next 15.0.3 → 16.2.6 to clear trivy CVEs

trivy fs scan failed the M0.2 CI gate on the skeleton commit because
next 15.0.3 has 9 known vulns (CRITICAL CVE-2025-29927 auth bypass in
middleware, plus 7 HIGH advisories). 16.2.6 is current latest and
covers every fixed-version range trivy listed.

Side effects of the major bump:
- next 16 dropped 'next lint' — switched the lint script to call eslint
  directly ('eslint . --max-warnings 0').
- eslint-config-next 16 ships flat-config exports natively, so
  eslint.config.mjs imports core-web-vitals + typescript directly
  (no FlatCompat shim, no @eslint/eslintrc dep).
- Typed vi.fn<typeof fetch>() in tenant-registry.test to satisfy
  stricter tuple inference under the new types.

All 4 gates green locally:
  pnpm lint / typecheck / test --coverage (100% on src/lib) / build

Refs: M5.1 (skeleton)

package.json

@@ -2,7 +2,7 @@
   "name": "@breakpilot/portal",
   "version": "0.0.0",
   "private": true,
-  "description": "Customer-facing portal + platform-staff backstage. Next.js 15 + Auth.js v5.",
+  "description": "Customer-facing portal + platform-staff backstage. Next.js + Auth.js v5.",
   "license": "UNLICENSED",
   "engines": {
     "node": ">=20",
@@ -12,24 +12,23 @@
     "dev": "next dev --port 3000",
     "build": "next build",
     "start": "next start --port 3000",
-    "lint": "next lint --max-warnings 0",
+    "lint": "eslint . --max-warnings 0",
     "typecheck": "tsc --noEmit",
     "test": "vitest run --coverage"
   },
   "dependencies": {
-    "next": "15.0.3",
+    "next": "16.2.6",
     "next-auth": "5.0.0-beta.25",
     "react": "19.0.0",
     "react-dom": "19.0.0"
   },
   "devDependencies": {
-    "@eslint/eslintrc": "^3.3.5",
     "@types/node": "20.16.10",
     "@types/react": "19.0.1",
     "@types/react-dom": "19.0.1",
     "@vitest/coverage-v8": "2.1.8",
     "eslint": "9.15.0",
-    "eslint-config-next": "15.0.3",
+    "eslint-config-next": "16.2.6",
     "typescript": "5.7.2",
     "vitest": "2.1.8"
   }