Manage Python with uv + 7-day minimum release age

[akan72]

Summary

Manage Python with uv, with a rolling 7-day minimum release age for supply-chain safety. (Additional request, not in the original branch plan.)

• Add uv/uv.toml with:
  • exclude-newer = "7 days" — a rolling window (a duration, not a fixed date) so uv never resolves a package release younger than a week. Most malicious/compromised uploads are detected and yanked within that window.
  • python-preference = "managed" — uv owns Python version management (install with uv python install <ver>, pin per-project via .python-version).
• Symlink uv/uv.toml → ~/.config/uv/uv.toml in assimilate.sh (also discovered via $XDG_CONFIG_HOME).
• Add brew "uv" to the Brewfile and run uv python install during assimilate to install a uv-managed CPython on fresh machines.

Notes

• exclude-newer accepting a duration string was verified against the installed uv (0.11.6); an invalid value is rejected at parse time, a valid "7 days" is accepted.
• Config lives top-level in uv.toml (the [tool.uv] table form is only for pyproject.toml).

Why & alternatives

Change	Why	Alternatives
exclude-newer = "7 days"	Rolling supply-chain window — wait out the period where most malicious uploads get caught.	A fixed exclude-newer date (must be bumped manually); no protection at all.
python-preference = "managed"	Let uv own Python versions instead of hardcoded python3.11 aliases / pyenv.	Keep pyenv, or only-managed to forbid system interpreters entirely.
brew "uv" + uv python install	Reproducible uv + a managed Python on fresh machines.	Install uv via the standalone installer (current local setup).