Bump turborepo to 2.9.14 to pick up security fixes

What Happened

• The PR updates the project dependency `turbo` from 2.9.8 to 2.9.14, with Turborepo 2.9.14 explicitly calling out security fixes (including a high-severity VS Code command-injection issue plus additional auth/session/Yarn-detection issues). The primary tracked change is security hardening via version upgrade, not API or feature additions.
• The PR updates the project dependency `turbo` from 2.9.8 to 2.9.14, with Turborepo 2.9.14 explicitly calling out security fixes (including a high-severity VS Code command-injection issue plus additional auth/session/Yarn-detection issues). The primary tracked change is security hardening via version upgrade, not API or feature additions.
• 1 evidence item attached for review.

What is Different

Why Track This

What To Watch Next

• Watch whether turbo becomes a repeated pattern.
• Track follow-up changes around AI Security.
• Compare future signals against this evidence trail.
• Re-check risk flags: monitor_ci_and_editor_workflow_after_upgrade, verify_no_regressions_in_yarn_detection_path.