Dependabot Cleanup + Tanuj-Intent Port — Removed 3 Unused Deps, Forced 4 Transitive CVE Patches, Ported Explicit Save Flow

Two-commit cleanup that eliminates the bulk of the 28 open Dependabot alerts on this repo and absorbs the intent of TanujKS's August 2025 work (which we force-pushed past in 2026-05-01_02 — his commits are archived on the auto-rescued `feature/save-all-citations` branch). First commit removes fastify, @modelcontextprotocol/sdk, and zod (zero imports across src/ and main.ts since they were added in 644582d) and forces patch/minor bumps on four surviving dev-tool transitive CVEs via pnpm.overrides. Second commit ports the explicit save flow — `autoSaveUrlCitations` setting (default off), 'Save All Hex Citations' command, modal-level 'Save All Hex (N)' button, per-citation 'Save to Citations' button — without any of his `any` types. Build clean throughout.