fix: remove third-party cdns #166

Merged: yaythomas merged 1 commit into main from off-cdn-vendor on May 7, 2026
@yaythomas
Contributor

Description of changes:
The theme and its defaults were pulling several assets off-origin:

  • Zensical 0.0.35 added a GLightbox extension that lazy-loads glightbox.min.js and glightbox.min.css from unpkg.com whenever window.GLightbox is undefined (pp() in the theme bundle).
  • The theme unconditionally injects a <link> to fonts.googleapis.com and a preconnect to fonts.gstatic.com when [project.theme].font is not disabled.
  • CI ran pip install zensical unpinned, so upgrades like 0.0.34 to 0.0.35 silently introduced new off-origin loads without a review signal.

Changes:

  • Add scripts/vendor_glightbox.py and scripts/vendor_glightbox.toml, mirroring the existing Mermaid vendoring. The script downloads the pinned glightbox build from cdn.jsdelivr.net and verifies SHA-256 for both the JS and CSS.
  • Vendor glightbox@3.3.1 into docs/assets/javascripts/glightbox.min.js and docs/assets/stylesheets/glightbox.min.css. Loading the UMD via extra_javascript defines window.GLightbox before the theme checks for it, short-circuiting the unpkg fetch. The CSS ships via extra_css.
  • Disable the theme's default Google Fonts by setting font = false in [project.theme]. The site falls back to the system font stack already wired into the theme CSS.
  • Pin zensical==0.0.40 in .github/workflows/docs.yml with a comment warning reviewers to audit for new unbundled js/css before bumping.
  • Extend .gitattributes so docs/assets/stylesheets/** is binary, symmetric with the existing docs/assets/javascripts/** rule.
  • Add a "Verify vendored GLightbox" step to the docs workflow so drift between the committed files and the pinned SHA-256 values fails CI.
  • Document the new vendored dependency and its upgrade procedure in CONTRIBUTING.md, next to the existing Mermaid entry.

Issue #, if available:

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

The theme and its defaults were pulling several
assets off-origin:

- Zensical 0.0.35 added a GLightbox extension that lazy-loads
  glightbox.min.js and glightbox.min.css from unpkg.com whenever
  window.GLightbox is undefined (pp() in the theme bundle).
- The theme unconditionally injects a <link> to fonts.googleapis.com
  and a preconnect to fonts.gstatic.com when [project.theme].font is
  not disabled.
- CI ran `pip install zensical` unpinned, so upgrades like 0.0.34 to
  0.0.35 silently introduced new off-origin loads without a review
  signal.

Changes:

- Add scripts/vendor_glightbox.py and scripts/vendor_glightbox.toml,
  mirroring the existing Mermaid vendoring. The script downloads the
  pinned glightbox build from cdn.jsdelivr.net and verifies SHA-256
  for both the JS and CSS.
- Vendor glightbox@3.3.1 into docs/assets/javascripts/glightbox.min.js
  and docs/assets/stylesheets/glightbox.min.css. Loading the UMD via
  extra_javascript defines window.GLightbox before the theme checks
  for it, short-circuiting the unpkg fetch. The CSS ships via
  extra_css.
- Disable the theme's default Google Fonts by setting `font = false`
  in [project.theme]. The site falls back to the system font stack
  already wired into the theme CSS.
- Pin zensical==0.0.40 in .github/workflows/docs.yml with a comment
  warning reviewers to audit for new unbundled js/css before bumping.
- Extend .gitattributes so docs/assets/stylesheets/** is binary,
  symmetric with the existing docs/assets/javascripts/** rule.
- Add a "Verify vendored GLightbox" step to the docs workflow so
  drift between the committed files and the pinned SHA-256 values
  fails CI.
- Document the new vendored dependency and its upgrade procedure in
  CONTRIBUTING.md, next to the existing Mermaid entry.

yaythomas mentioned this pull request on May 7, 2026
yaythomas merged commit a4bc293 into main on May 7, 2026
4 checks passed
yaythomas deleted the off-cdn-vendor branch on May 7, 2026 18:43
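
The drift check this pull request describes (committed vendored files compared against pinned SHA-256 values), as an added example. It is not the project's scripts/vendor_glightbox.py; the `pins` mapping of path to digest, the function names and the stand-in file contents are assumptions constructed here.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the raw bytes on disk (binary mode, no newline translation)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_vendored(root: Path, pins: dict[str, str]) -> list[str]:
    """Return one message per pinned file that is missing or has drifted."""
    problems = []
    for rel_path, expected in sorted(pins.items()):
        target = root / rel_path
        if not target.is_file():
            problems.append(f"{rel_path}: missing")
            continue
        actual = sha256_file(target)
        if actual != expected.lower():
            problems.append(f"{rel_path}: sha256 {actual} != pinned {expected}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: two stand-in assets, checked clean and after drift."""
    js = "docs/assets/javascripts/glightbox.min.js"
    css = "docs/assets/stylesheets/glightbox.min.css"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in ((js, b"/* constructed js */\n"), (css, b"/* constructed css */\n")):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        pins = {rel: sha256_file(root / rel) for rel in (js, css)}
        clean = verify_vendored(root, pins)
        # Simulate drift: a line-ending rewrite of the JS and a deleted CSS file.
        (root / js).write_bytes(b"/* constructed js */\r\n")
        (root / css).unlink()
        drifted = verify_vendored(root, pins)
    return clean, drifted


if __name__ == "__main__":
    clean, drifted = demo()
    print("clean run:", clean)
    # A CI step would exit non-zero whenever this list is non-empty.
    print("\n".join(drifted))
```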