Commit 7d5d9e3
fix: address dependabot alerts

Direct dep bumps:
- bytes 1.6.1 -> 1.11.1 (fixes BytesMut::reserve integer overflow)
- tracing-subscriber 0.3.18 -> 0.3.20 (fixes ANSI escape log poisoning)
- libsql 0.6.0 -> 0.9.30 (with default-features = false, features = ["remote", "tls"])
- maud 0.26 -> 0.27 (required by warp 0.4; drops the "warp" feature since
  maud 0.27 still pins warp 0.3 internally)
- warp 0.3.7 -> 0.4.2 (eliminates vulnerable tungstenite 0.21 / rand 0.8.6 path)

Transitive: tokio 1.44.2 -> 1.52.1, rustls-webpki (newer-path) -> 0.103.x,
rand 0.9.0 -> 0.9.4 via cargo update.

flake.lock bumped to pull rustc 1.95 (required by new ICU transitive deps).

Code changes for warp 0.4:
- Added top-level render(Markup) -> warp::reply::Html<String> helper and
  wrapped every handler site that returned bare Markup as impl Reply, since
  maud 0.27 does not implement warp 0.4's Reply trait for Markup.
- statics::send_file now wraps file.contents() in bytes::Bytes::from_static,
  since warp 0.4's Body no longer implements From<&[u8]>.

Remaining alerts (libsql-sqlite3-parser, rustls-webpki 0.102.8, rand 0.8.6
build-dep via phf_codegen) are blocked on libsql upstream and have been
dismissed on GitHub. Tracking tursodatabase/libsql#2224
for the rustls-webpki fix.

1 parent 11f5f91 commit 7d5d9e3
4 files changed
Lines changed: 460 additions & 1299 deletions