chore: refresh uv.lock and tolerate pytest CVE pending companion PR

Two coordinated changes:
1. uv.lock resolver regeneration — brings fastapi/rich/ruff/uvicorn into sync
   with pyproject.toml lower bounds that had drifted after Dependabot merges.
   No behavioural change; test suite green at 324 passed.
2. osv-scanner.toml — time-bounded IgnoredVulns entry for GHSA-6w46-j5rx-g56g
   (ignoreUntil 2026-04-21). The pytest 9.0.2 → 9.0.3 bump lands in companion
   PR (feature/pytest-cve-bump), which will atomically remove this entry.

Refs: Pre-Sprint 4 pytest CVE WI (18 Apr)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: lemur47

osv-scanner.toml

@@ -10,3 +10,8 @@
 [[IgnoredVulns]]
 id = "GHSA-5239-wwwm-4pmq"
 reason = "Low-severity pygments issue (CVSS 3.3), no fix available upstream"
+
+[[IgnoredVulns]]
+id = "GHSA-6w46-j5rx-g56g"
+ignoreUntil = 2026-04-21
+reason = "Temporary ignore — pytest 9.0.2 → 9.0.3 handled in companion PR B (feature/pytest-cve-bump). PR A (chore/uv-lock-refresh) cannot bump pytest without reintroducing the 4-package constraint-satisfaction drift. PR B removes this entry. CTO-approved sequence (Pre-Sprint 4 pytest CVE WI, 18 Apr)."