fix: repair failing CI tests and critical npm audit advisories

[vcnainala]

Summary

CI on development has been red for a while: the Tests & Coverage (PHP 8.4) job fails with 3 errors + 8 failures, and the JS Lint & Security job started failing on npm audit --audit-level=high once new advisories were published. This PR fixes all of them. These same failures also bleed into every open PR's checks (e.g. #1425).

Test fixes

• ApplicationController::renderProjectForRequest now accepts a nullable project. Studies and datasets published without a parent project previously hit a TypeError (null passed to a Project type hint); they now render Public/Sample/Show / Public/Sample/Dataset as the tests expect, with a 404 guard for project-level tabs without a project.
• MoleculeEnrichmentInspector::needingEnrichmentQuery treats empty strings as missing for text columns. molecules.molecular_formula is NOT NULL in the schema (stored as '' when unknown), so the old whereNull checks could never match and the tests inserting null violated the constraint. Tests updated to use ''.
• Cookie consent middleware disabled in tests (COOKIE_CONSENT_ENABLED=false in phpunit.xml). Spatie's middleware rewrites the response HTML via setContent(), which replaces the original View object with a string and makes Inertia's assertInertia() always fail with "Not a valid Inertia response". This unblocks TextSearchPageTest and the compounds-scope test (and likely explains why this repo grew the manual assertInertiaPageComponent helper).
• RepairMissingCompoundInfoCommandTest fakes the nested Artisan::call with a proxy partial mock wrapping the live kernel. The previous Artisan::shouldReceive replaced the whole console kernel with a full mock, so the test runner's own outer Kernel::call had no matching expectation.
• ProjectModelTest / PublicProjectWorkspacePropsTest aligned with owner-first role resolution: userProjectRole() returns 'owner' for the project owner before consulting membership pivots, so the obsolete userWithEmail mock expectation and the 'creator' assertion were stale.

Security fixes

• Override shell-quote to >=1.8.4 (GHSA-w7jw-789q-3m8p, critical, via concurrently).
• Bump the existing instantsearch.js → qs override to 6.15.2 (GHSA-q8mj-m7cp-5q26).
• Remaining advisories are moderate-only (vite ≤6.4.1 via vitepress, no fix available) and do not trip the --audit-level=high gate.

Test plan

• php artisan test — full suite green locally: 2266 passed, 24 skipped, 0 failures
• npm audit --audit-level=high exits clean
• npm run build succeeds with the bumped dependencies
• vendor/bin/pint --dirty passes

[codecov]

Codecov Report

❌ Patch coverage is 60.00000% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 75.78%. Comparing base (69edb6c) to head (8e60b54).
⚠️ Report is 109 commits behind head on development.

Files with missing lines	Patch %	Lines
app/Http/Controllers/ApplicationController.php	54.54%	5 Missing ⚠️
.../Support/Molecules/MoleculeEnrichmentInspector.php	64.28%	5 Missing ⚠️

Additional details and impacted files

@@                Coverage Diff                 @@
##             development    #1433       +/-   ##
==================================================
+ Coverage          56.63%   75.78%   +19.14%     
- Complexity          2268     3446     +1178     
==================================================
  Files                207      240       +33     
  Lines               8733    12912     +4179     
==================================================
+ Hits                4946     9785     +4839     
+ Misses              3787     3127      -660     

Flag	Coverage Δ
unittests	75.78% <60.00%> (+19.14%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.