fix(deps): enforce Node 22 version for @types/node and lockfile consistency #2123

@rocketstack-matt

Problem

The root package-lock.json currently resolves @types/node@25.2.0 at the hoisted root level, despite every workspace declaring @types/node@^22.x or @types/node@^20.x. No workspace declares ^25.

This was introduced in commit 36a3be37 ("chore: recreate package-lock files from linux"), where npm install was run on a machine with Node 25 installed. Transitive dependencies with loose constraints (>=18, *) allowed npm to hoist @types/node@25 to the root node_modules/.

Impact

  1. PR #2110 is failing because the lockfile was generated with Node 25, causing native bindings (@tailwindcss/oxide, @swc/core) to resolve for Node 25's ABI. CI runs Node 22, so the native bindings are incompatible.

  2. PR #2122 (Renovate security update) appears to "downgrade" @types/node from 25.2.0 → 22.19.9 as a side-effect of npmDedupe in renovate.json. This is actually correct deduplication, but it produces a noisy diff and masks the real problem.

  3. Type safety risk: @types/node@25 includes APIs that don't exist in Node 22. TypeScript won't catch usage of Node 25-only APIs when the types are wrong for the target runtime.

Root cause

There is no enforcement preventing developers from generating lockfiles with a different Node version than CI uses (Node 22). The engines field exists ("node": "^22.14.0 || >=24.10.0") but is not enforced by npm by default.

Proposed fix

  1. Add .nvmrc pinning to Node 22, so developers using nvm auto-switch to the correct version
  2. Add .npmrc with engine-strict=true so npm install refuses to run on unsupported Node versions
  3. Add @types/node override in root package.json ("@types/node": "^22.0.0") to prevent transitive deps from pulling in a different major version
  4. Add Renovate allowedVersions constraint for @types/node (<23.0.0) to prevent automated major bumps
  5. Run npm dedupe on main to sync the lockfile baseline and fix the current v25 pollution
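
As an added example (not part of the original issue or the project's code), here is a CI-style guard for the lockfile drift described above: it scans a parsed package-lock.json (lockfileVersion 2 or 3) for @types/node entries whose major version falls outside an allowed set. The sample lockfile object and the function name `findTypesNodeDrift` are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json for @types/node entries
// that do not match the Node major version CI targets.

// Constructed sample mirroring the issue: the root hoists v25 while
// nested copies resolve to other majors.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root" },
    "node_modules/@types/node": { version: "25.2.0" },
    "workspace-a/node_modules/@types/node": { version: "22.19.9" },
    "node_modules/some-dep/node_modules/@types/node": { version: "20.11.5" },
    "node_modules/@types/node-fetch": { version: "2.6.11" },
  },
};

// Hypothetical helper: returns every @types/node entry whose major version
// is not in allowedMajors, flagging whether it is the hoisted root copy.
function findTypesNodeDrift(lock, allowedMajors) {
  if (!lock || typeof lock.packages !== "object" || lock.packages === null) {
    throw new Error("expected lockfileVersion 2 or 3 with a 'packages' map");
  }
  const suffix = "node_modules/@types/node";
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Match the package exactly, not @types/node-fetch and similar names.
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    if (entry.link) continue; // workspace symlink entries carry no version
    const major = Number.parseInt(String(entry.version).split(".")[0], 10);
    if (!allowedMajors.includes(major)) {
      found.push({ path, version: entry.version, hoisted: path === suffix });
    }
  }
  return found;
}

// With the proposed "^22.0.0" override, only major 22 is acceptable.
for (const d of findTypesNodeDrift(sampleLock, [22])) {
  const where = d.hoisted ? "hoisted root" : "nested";
  console.log(`drift: ${d.path} resolves ${d.version} (${where})`);
}
```

In CI, the input would be the result of `JSON.parse` on the repository's package-lock.json, with the job failing when the returned array is non-empty.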
