
Commit f59f5b1

CallumMcMahon authored and github-actions[bot] committed
Add 7-day dependency cooldowns across all package managers (#5100)
## Summary

- Adds **dependency cooldown** (7 days) to all package managers in the monorepo as a supply chain defense
- **uv (Python)**: `exclude-newer = "7 days"` added to 14 `pyproject.toml` files, all 13 `uv.lock` files regenerated
- **pnpm (JS)**: `minimumReleaseAge: 10080` (7 days in minutes) added via new `pnpm-workspace.yaml` in 6 projects

## Context

[Research shows](https://nesbitt.io/2026/03/04/package-managers-need-to-cool-down.html) that 8 out of 10 supply chain attacks have exploitation windows under 7 days. By delaying installation of newly published versions, we give the community and security vendors time to flag compromised packages before they reach our builds.

This is particularly relevant given our recent experience with the litellm supply chain attack.

## Lockfile impact

- All uv.lock files regenerated — uv embeds the resolved cooldown timestamp in the lockfile
- `landing-site` downgraded `attrs v26.1.0 -> v25.4.0` because v26.1.0 was published within the last 7 days — the cooldown correctly filtered it out
- pnpm lockfiles unchanged — all existing deps already satisfy the 7-day age requirement

## Test plan

- [x] `uv lock` succeeds in all 13 Python projects
- [x] `pnpm install` succeeds in all 6 JS projects
- [ ] CI passes
- [ ] If a brand-new package version is urgently needed, use `uv lock --upgrade <pkg>` or add to `minimumReleaseAgeExclude` in pnpm

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Sourced from commit 28fc67ddd174713fc331a2c1ff2a8e475bca8179
1 parent e883a5c commit f59f5b1
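The cooldown configured by this commit is a filter on release age: a version is a resolution candidate only once its index upload time is at least the cooldown old, which is why `attrs 26.1.0` was dropped for `25.4.0`. The script below is an added example, not code from this commit or from the project, that models that rule and adds the complementary CI check a reviewer would want: auditing the versions actually pinned in a lockfile against the cooldown, so a lockfile regenerated by an older tool or edited by hand cannot quietly bypass it. `SAMPLE_INDEX`, `LOCK_TIME` and the function names are constructed for the example; versions are assumed to be plain dotted numbers, and uv's own resolver is not reproduced here, only its cutoff semantics.

```python
"""Release-age cooldown check for pinned dependencies (added example).

Not part of the original commit or the project's code. It models the cooldown
the commit configures (a candidate version is eligible only once its upload
time is at least COOLDOWN old) and audits lockfile pins against it. Release
data and the clock are constructed; a real check would read upload times
from the package index (for PyPI, the JSON API's per-file upload_time).
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample index metadata: package -> {version: upload time (UTC)}.
SAMPLE_INDEX = {
    "attrs": {
        "25.4.0": "2026-02-10T12:00:00Z",
        "26.1.0": "2026-03-20T09:30:00Z",
    },
    "ruff": {
        "0.9.9": "2026-01-05T08:00:00Z",
        "0.9.10": "2026-03-24T15:45:00Z",
    },
}

# Constructed "lock time". uv records the cutoff it used in uv.lock, so an
# audit should use that recorded timestamp rather than the wall clock.
LOCK_TIME = datetime(2026, 3, 25, 12, 0, tzinfo=timezone.utc)


def parse_cooldown(spec: str | int) -> timedelta:
    """Accept a uv-style duration ("7 days", "12 hours") or pnpm-style minutes (10080)."""
    if isinstance(spec, int):
        return timedelta(minutes=spec)
    m = re.fullmatch(r"\s*(\d+)\s*(day|hour|minute)s?\s*", spec)
    if not m:
        raise ValueError(f"unsupported cooldown spec: {spec!r}")
    return timedelta(**{m.group(2) + "s": int(m.group(1))})


def parse_upload_time(ts: str) -> datetime:
    """Index upload times are ISO 8601; normalise a trailing Z to an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version: str) -> tuple[int, ...]:
    """Sort key for plain dotted numeric versions (assumption: no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases: dict[str, str], cooldown: timedelta, now: datetime) -> list[str]:
    """Versions uploaded at or before now - cooldown, i.e. old enough to install."""
    cutoff = now - cooldown
    return [v for v, ts in releases.items() if parse_upload_time(ts) <= cutoff]


def resolve_newest(releases: dict[str, str], cooldown: timedelta, now: datetime) -> str | None:
    """Newest version that satisfies the cooldown; None if every release is too young."""
    candidates = eligible_versions(releases, cooldown, now)
    return max(candidates, key=version_key) if candidates else None


def audit_pins(
    pins: dict[str, str], index: dict[str, dict[str, str]], cooldown: timedelta, now: datetime
) -> list[tuple[str, str, timedelta]]:
    """Flag lockfile pins whose upload time is younger than the cooldown.

    Run this in CI against the committed lockfile: the resolver-side setting
    only applies when the lock is regenerated, so a pin that arrived by other
    means is caught here.
    """
    violations = []
    for pkg, version in pins.items():
        age = now - parse_upload_time(index[pkg][version])
        if age < cooldown:
            violations.append((pkg, version, age))
    return violations


if __name__ == "__main__":
    cooldown = parse_cooldown("7 days")
    for pkg, releases in SAMPLE_INDEX.items():
        print(pkg, "->", resolve_newest(releases, cooldown, LOCK_TIME))
    # A pin that predates the cooldown policy (or was forced through) is reported.
    for pkg, version, age in audit_pins({"attrs": "26.1.0"}, SAMPLE_INDEX, cooldown, LOCK_TIME):
        print(f"VIOLATION: {pkg}=={version} is only {age.days} days old")
```

`parse_cooldown` accepts both spellings used in this commit so one audit can cover the uv and pnpm projects; feeding it `10080` and `"7 days"` yields the same `timedelta`. The audit deliberately compares against the recorded lock time rather than the current clock, otherwise every pin would eventually "age into" compliance and the check would never fail on a lockfile that was wrong when it was produced.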

3 files changed

Lines changed: 10 additions & 0 deletions

File tree

futuresearch-mcp/pyproject.toml

Lines changed: 3 additions & 0 deletions
@@ -37,6 +37,9 @@ dev = [
3737
"ruff>=0.9.9",
3838
]
3939

40+
[tool.uv]
41+
exclude-newer = "7 days"
42+
4043
[tool.basedpyright]
4144
venvPath = ".."
4245
venv = ".venv"
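Review bot: the `[tool.uv]` / `exclude-newer = "7 days"` block added at lines 40-42 duplicates the identical setting this same commit adds to the workspace root `pyproject.toml`; the workspace shares a single root `uv.lock`, and uv reads resolver settings from the workspace root, so the member copy is redundant at best and a second place for the value to drift at worst. Keep it only at the root, or if the member copy is intentional (for running `uv lock` from inside `futuresearch-mcp/` on its own), add a one-line comment saying so. Separately, the cooldown only acts when the lock is regenerated: pair it with `uv sync --locked` (or `uv lock --check`) in CI so a lockfile that was not produced under this setting cannot be installed from silently.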

pyproject.toml

Lines changed: 3 additions & 0 deletions
@@ -1,3 +1,6 @@
1+
[tool.uv]
2+
exclude-newer = "7 days"
3+
14
[tool.uv.workspace]
25
members = ["futuresearch-mcp"]
36
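Review bot: the relative `"7 days"` form of `exclude-newer` at line 2 is only accepted by recent uv releases; an older uv on a developer machine or CI runner expects an RFC 3339 timestamp here and will fail to parse the setting. Add `required-version` to this same `[tool.uv]` table, set to the first uv release that understands the relative form, so the failure is explicit rather than environment-dependent. Also worth fixing in the test plan: `uv lock --upgrade` takes no package argument (the per-package form is `--upgrade-package <pkg>`), and neither flag bypasses `exclude-newer`, since the cutoff filters index candidates before resolution; taking a version younger than 7 days deliberately means overriding the cutoff for that one run (`--exclude-newer` on the command line or `UV_EXCLUDE_NEWER`), and that override should be the documented, reviewed escape hatch.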

uv.lock

Lines changed: 4 additions & 0 deletions
Generated file; diff not rendered.
