Stability checkpoint — CVE sweep (11 vulnerable deps to patched) + freshness

- fix(deps): CVE sweep — bump vulnerable deps to patched versions
- chore(deps): freshness sweep — safe pins bumped, majors held
- docs(tasks): alpine image blocker re-checked — now onnxruntime only

CI :
- OK Main pipeline #356 green — https://gitlab.com/iris-7/iris-service-python/-/pipelines/2665195623
  Covers unit-tests, integration-tests (testcontainers pg / redis / kafka),
  pip-audit, ruff:lint, mypy, import-linter, docs:check, docker-build.
- OK Pre-merge MR !86 pipeline #354 green — https://gitlab.com/iris-7/iris-service-python/-/merge_requests/86
- OK pip-audit : 0 known vulnerabilities (was 11 packages flagged before the sweep).

Local test pass :
- OK uv run pytest — 385 passed, 31 deselected, coverage 92.71% (gate 90%).
- OK uv run pip-audit — "No known vulnerabilities found".
- SKIP uv run ruff / mypy — N/A locally : both ran green in main pipeline #356 ;
  a deps-only change does not touch source.

Regression check vs stable-py-v0.7.8 :
- OK Alpine image blocker still bounded — now onnxruntime-only (no musllinux wheel
  upstream), documented in TASKS.md. Not regressed.

- ML extra deps bumped : torch 2.11.0 -> 2.13.0, onnx 1.21.0 -> 1.22.0,
  mlflow 3.11.1 -> 3.14.0. Inference path covered by unit tests (ml/ package green).

- 11 CVE closed via forced bumps (pip-audit gate, no allow_failure) :
  - aiohttp 3.13.5 -> 3.14.1  (CVE-2026-54274/76/77/78/80, -50269)
  - starlette 1.0.0 -> 1.3.1  (PYSEC-2026-161/248/249, CVE-2026-48817/18)
  - cryptography 46.0.7 -> 48.0.1  (GHSA-537c-gmf6-5ccf)
  - python-multipart 0.0.27 -> 0.0.32  (CVE-2026-53538/39/40)
  - pyjwt 2.12.1 -> 2.13.0  (PYSEC-2026-175..179)
  - idna 3.13 -> 3.18  (PYSEC-2026-215)
  - msgpack 1.1.2 -> 1.2.1  (GHSA-6v7p-g79w-8964)
  - onnx 1.21.0 -> 1.22.0  (CVE-2026-44512)
  - pymdown-extensions 10.21.2 -> 11.0.1  (CVE-2026-46338)
  - torch 2.11.0 -> 2.13.0  (CVE-2025-3000)
  - pip 26.1 -> 26.1.2  (PYSEC-2026-196)
  pip-audit back to 0 known vulnerabilities.

- SKIP N/A — no domain / endpoint change ; deps maintenance only.

- SKIP N/A — no infra change ; docker-build green on main.

- SKIP N/A — no observability change this rev.

- 385 unit tests green, 92.71% coverage. The starlette 1.0 -> 1.3.1 jump (FastAPI's
  ASGI core) validated by the full suite + integration tests — no API break.

- pip-audit (no allow_failure) forced the bump ; main pipeline back to green.
  benchmarks job (allow_failure: true, informational) unchanged.

- SKIP N/A — no architectural / ADR change.

- SKIP N/A — backend repo.

- cryptography 46 -> 48 unblocked by lifting the mlflow 3.11.1 cap to 3.14.0.
- pip constrained to >=26.1.2 in the dev extra so pip-audit stops flagging its own
  transitive dependency (pip -> pip-api -> pip-audit).

- Alpine base image (412 MB) blocked : onnxruntime ships no musllinux wheel (MS has
  no musl CI). Bookworm stays. Tracked in TASKS.md.
- pyproject `onnxscript[ml]>=0.7.0` references a non-existent extra (uv warning
  "package onnxscript==0.7.0 does not have an extra named 'ml'"). Cosmetic ; drop the
  [ml] qualifier next touch.

- Clean up the onnxscript[ml] extra qualifier.
- Revisit alpine base image when onnxruntime ships musllinux wheels.