Commit f45eff1
fix(deps): forward-resolve cryptography, python-multipart, starlette & pygments vulns (#123)
Bump four transitive dependencies in uv.lock to their first patched
versions to clear all open Dependabot alerts:
- cryptography 46.0.7 -> 49.0.0 (GHSA-537c-gmf6-5ccf, high)
- python-multipart 0.0.27 -> 0.0.32 (GHSA-5rvq-cxj2-64vf, high + 2 low)
- starlette 1.0.1 -> 1.3.1 (GHSA-wqp7/82w8/x746/jp82, 2 high/med/low)
- pygments 2.19.2 -> 2.20.0 (GHSA-5239-wwwm-4pmq, low, dev-only)
pyjwt is intentionally left at 2.13.0: the #121 bump removed vulns
(GHSA-752w high, GHSA-fhv5 low and the 2026-06-15 batch); reverting it
would reintroduce them.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

1 parent b29a6f1 commit f45eff1
1 file changed
Lines changed: 57 additions & 60 deletions