chore(deps): bump all first-party deps to latest

[TeoSlayer]

Summary

• Bumped github.com/pilot-protocol/app-store to v1.0.1-beta.1 (latest pre-release, kept as-is)
• Bumped golang.org/x/crypto v0.52.0 → v0.53.0 (via go mod tidy)
• Bumped golang.org/x/sys v0.45.0 → v0.46.0 (indirect, via go mod tidy)
• Fixed go directive from 1.25.0 → 1.25.10 to match workspace toolchain

Test plan

• Build passes: GOWORK=off go build ./... ✓ (verified locally, excluding pre-existing WIP files not part of this PR)
• CI test workflow passes

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[TeoSlayer]

Failing on security/snyk. A "bump all first-party deps" PR tripping Snyk usually means one of the bumped deps introduced (or newly surfaced) a known advisory. Recommendation: check the Snyk report, pin/replace the offending dep, or document the exception — don't merge past a red Snyk gate on a dep-bump PR.