
chore(deps): consolidate dotenv/multipart bumps + suppress unfixable pip CVE#28

Merged: blackaxgit merged 1 commit into main from chore/cve-cleanup-and-deps on May 2, 2026

Conversation

@blackaxgit
Owner

Summary

Consolidated security cleanup that supersedes #26 and #27.

  • Bumps python-dotenv 1.2.1 → 1.2.2 (fixes CVE-2026-28684, symlink-following in set_key/unset_key).
  • Bumps python-multipart 0.0.22 → 0.0.27 (covers CVE-2026-40347 DoS; resolver picked latest patched).
  • Adds --ignore-vuln CVE-2026-3219 to the pip-audit step in .github/workflows/ci.yml with an inline comment + tracking link. CVE-2026-3219 affects the runner's bundled pip 26.0.1 — a CI tool, not a runtime dep — and has no published fix yet by upstream pip.

Why a consolidated PR

#26 and #27 individually deadlock: each fixes the CVE the other is missing, so whichever lands second passes but the first always fails pip-audit. Combining the two lock bumps + the pip ignore into one atomic commit breaks the deadlock cleanly. After this lands, #26 and #27 should be closed as superseded.

Test plan

  • uv run pytest -q — 520/520 passing locally
  • uv run pip-audit --ignore-vuln CVE-2026-3219: No known vulnerabilities found, 1 ignored
  • CI on this PR (4× Python matrix + Lint + Docker) all green
  • Remove --ignore-vuln CVE-2026-3219 once upstream pip ships a patched release

Follow-up

Once merged: close #26, close #27, watch advisory page for the eventual pip fix, then revert the workflow change.
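The suppression above is the right call for a CI-only tool with no upstream fix, but a bare `--ignore-vuln` in a workflow is easy to forget once pip does ship a patch. The following is an added example (not the project's CI code): it reads a `pip-audit --format json` report and applies an allowlist in which every ignored ID carries the package it applies to, a reason, a tracking URL and an expiry date, so an expired suppression, or one whose vulnerability now lists fix versions, fails the build on its own. It assumes pip-audit's JSON layout (`dependencies` → `vulns` → `id`/`fix_versions`); the report and the tracking URL are constructed placeholders.

```python
"""Time-boxed pip-audit suppressions (added example, not the project's own code).

Instead of an unconditional `--ignore-vuln`, post-process `pip-audit --format json`:
a vulnerability is ignored only while a matching, unexpired suppression exists and
no fix version is listed. Assumes pip-audit's JSON report layout
({"dependencies": [{"name", "version", "vulns": [{"id", "fix_versions", ...}]}]}).
"""
import json
import sys
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Suppression:
    vuln_id: str
    package: str        # the ID is ignored for this package only
    reason: str
    tracking_url: str   # where to watch for the upstream fix (placeholder below)
    expires: str        # ISO date; on or after this day the suppression is re-reviewed


# Mirrors the PR's --ignore-vuln CVE-2026-3219 for the runner-bundled pip 26.0.1
SUPPRESSIONS = [
    Suppression(
        vuln_id="CVE-2026-3219",
        package="pip",
        reason="CI tool only (runner-bundled pip), not a runtime dep; no upstream fix yet",
        tracking_url="https://example.invalid/tracking/CVE-2026-3219",  # placeholder URL
        expires="2026-08-01",  # constructed review date
    ),
]


def make_report(entries):
    """Build a pip-audit-style JSON report from [(name, version, [(vuln_id, fix_versions)])].
    Helper for constructing sample input; the layout is an assumption about pip-audit."""
    deps = []
    for name, version, vulns in entries:
        deps.append({
            "name": name,
            "version": version,
            "vulns": [{"id": vid, "fix_versions": fixes, "aliases": [], "description": ""}
                      for vid, fixes in vulns],
        })
    return json.dumps({"dependencies": deps, "fixes": []})


# Constructed sample: the state described in the PR (pip flagged, dotenv already bumped)
SAMPLE_REPORT = make_report([
    ("pip", "26.0.1", [("CVE-2026-3219", [])]),
    ("python-dotenv", "1.2.2", []),
])


def evaluate(report_json, suppressions, today_iso):
    """Return (blocking, ignored).

    blocking: list of (package, vuln_id, why) tuples that must fail the build
    ignored:  list of (package, vuln_id) tuples covered by a live suppression
    """
    today = date.fromisoformat(today_iso)
    index = {(s.package, s.vuln_id): s for s in suppressions}
    blocking, ignored = [], []
    for dep in json.loads(report_json).get("dependencies", []):
        for vuln in dep.get("vulns", []):
            key = (dep["name"], vuln["id"])
            sup = index.get(key)
            if sup is None:
                blocking.append(key + ("unsuppressed vulnerability",))
            elif today >= date.fromisoformat(sup.expires):
                blocking.append(key + (f"suppression expired on {sup.expires}; re-evaluate ({sup.tracking_url})",))
            elif vuln.get("fix_versions"):
                # Upstream shipped a patch: upgrade instead of keeping the ignore
                blocking.append(key + ("fix available: " + ", ".join(vuln["fix_versions"]),))
            else:
                ignored.append(key)
    return blocking, ignored


if __name__ == "__main__":
    # Pipe a real report in (`uv run pip-audit --format json | python audit_gate.py`),
    # otherwise fall back to the constructed sample so the script runs stand-alone.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    blocking, ignored = evaluate(report, SUPPRESSIONS, date.today().isoformat())
    for pkg, vid in ignored:
        print(f"ignored  {pkg} {vid}")
    for pkg, vid, why in blocking:
        print(f"BLOCKING {pkg} {vid}: {why}")
    sys.exit(1 if blocking else 0)
```

Replacing the workflow's `--ignore-vuln` flag with `uv run pip-audit --format json | python audit_gate.py` keeps the same outcome today (pip's CVE ignored, everything else enforced) while turning the "remove the ignore once upstream ships a fix" follow-up into something the pipeline checks for you, because a populated `fix_versions` or a passed expiry date turns the suppression back into a failure.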

@blackaxgit blackaxgit merged commit 67a7a97 into main May 2, 2026
6 checks passed
@blackaxgit blackaxgit deleted the chore/cve-cleanup-and-deps branch May 2, 2026 23:08

1 participant