fix(security): floor cryptography / python-multipart / starlette to clear active CVEs

apps/engine/pyproject.toml

@@ -42,8 +42,17 @@ dependencies = [
     # At-rest encryption for instance env-var values (#388). Already
     # pulled transitively by fastapi-users, but declared explicitly so
     # the dependency is visible to anyone auditing what we encrypt
-    # with and which version of Fernet we rely on.
-    "cryptography>=42.0",
+    # with and which version of Fernet we rely on. Floor at 48.0.1
+    # to clear GHSA-537c-gmf6-5ccf.
+    "cryptography>=48.0.1",
+    # Transitive deps with active CVE advisories — explicit floors so
+    # ``uv lock`` always pulls a non-vulnerable resolution. Drop these
+    # once fastapi-users / starlette upstream pins satisfy the floors
+    # transitively.
+    # python-multipart >= 0.0.31 — CVE-2026-53538/53539/53540
+    "python-multipart>=0.0.31",
+    # starlette >= 1.3.1 — CVE-2026-54282/54283
+    "starlette>=1.3.1",
 ]
 
 [project.urls]

tests/standalone/test_dap_init.py

@@ -75,7 +75,7 @@ def _try_login(db_path: Path, email: str, password: str) -> bool:
             "/auth/jwt/login",
             data={"username": email, "password": password},
         )
-    return 200 <= response.status_code < 300
+    return bool(200 <= response.status_code < 300)
 
 
 # --------------------------------------------------------------------- #

tests/standalone/test_upgrade_from_001.py

@@ -159,7 +159,7 @@ def _try_login(db_path: Path, email: str, password: str) -> bool:
             "/auth/jwt/login",
             data={"username": email, "password": password},
         )
-    return 200 <= response.status_code < 300
+    return bool(200 <= response.status_code < 300)
 
 
 def _extract_password(stdout_text: str) -> str | None: