fix(security): floor cryptography / python-multipart / starlette to clear active CVEs

[rafeekpro]

Summary

Develop's Python deps CVE scan started failing after fresh advisories were published against transitive dependencies. The CVE gate is now blocking every Python PR (#789, #790, and any new ones) because none of these were pinned at versions above the patched floor — uv lock was happily resolving the vulnerable versions.

Adds explicit floors in apps/engine/pyproject.toml:

Package	Current	New floor	Resolved	CVE
cryptography	48.0.0	>=48.0.1	49.0.0	GHSA-537c-gmf6-5ccf
python-multipart	0.0.28	>=0.0.31	0.0.32	CVE-2026-53538/53539/53540
starlette	1.1.0	>=1.3.1	1.3.1	CVE-2026-54282/54283

Test plan

• uv lock --check clean
• Local smoke test sweep — same pass/fail set as develop (no new failures)
• Two failures observed (test_assistant::test_chat_returns_assistant_message, test_error_explainer::test_explain_endpoint_ai_falls_back_to_deterministic_without_provider) are reproducible on develop verbatim and unrelated to these bumps (pre-existing GLM provider auto-detection bug)
• CI Python deps CVE scan green on this PR
• After merge, chore(deps): bump the python-minor-and-patch group with 4 updates #789 and chore(deps): update psycopg[binary,pool] requirement from >=3.2 to >=3.3.4 #790 should pick up the floors via develop and CVE-scan green

Notes

• starlette 1.1.0 → 1.3.1 is two minors. fastapi 0.137 (still on develop's transitive resolution) supports it; no engine code uses internal Starlette routing APIs.
• python-multipart and cryptography bumps are patch-only on the safe floor; uv picked higher resolutions because the resolver prefers newest within the constraint range.
• The GLM auto-detect bug surfaced by the two pre-existing failures should be filed as a separate issue if it isn't already tracked.

🤖 Generated with Claude Code