Hono bump fixes CORS credential reflection (CVE-2026-54290)

Patch Changes

• f9b94e1: fix(devtools): bump hono to ^4.12.25 to resolve CVE-2026-54290

  hono's CORS Middleware reflected any request Origin together with Access-Control-Allow-Credentials: true when credentials: true was set and origin was left at the default wildcard, allowing any site to make credentialed cross-origin requests and read the responses (CVE-2026-54290, CVSS 7.1). Bumped hono from ^4.6.14 to ^4.12.25, the first patched release.