
Add 4-day dependency cooldown to reduce supply chain risk#1997

Open
Lee-W wants to merge 1 commit into master from add-cooldown-mechaism

Conversation

@Lee-W (Member) commented May 20, 2026

Description

Adds `exclude-newer = "4 days"` under `[tool.uv.pip]` in `pyproject.toml`, preventing uv from resolving packages published within the last 4 days. This aligns with the constraint already referenced in `scripts/ci/prek/upgrade_important_versions.py` and reduces exposure to supply chain attacks that exploit newly published malicious package versions. The `uv.lock` is regenerated under this constraint.

Checklist

Was generative AI tooling used to co-author this PR?

  • Yes (please specify the tool below)

Generated-by: Claude Code following the guidelines

Code Changes

  • Add test cases to all the changes you introduce
  • Run uv run poe all locally to ensure this change passes linter check and tests
  • Manually test the changes:
    • Verify the feature/bug fix works as expected in real-world scenarios
    • Test edge cases and error conditions
    • Ensure backward compatibility is maintained
    • Document any manual testing steps performed
  • Update the documentation for the changes

Documentation Changes

N/A — build configuration change only.

Expected Behavior

uv resolves dependencies only from packages published more than 4 days ago.

Steps to Test This Pull Request

  1. Run `uv lock` — verify it completes without errors and respects the `exclude-newer` window.
  2. Run `uv sync` — verify the environment resolves cleanly.
  3. Run `uv run poe all` — verify tests and linter pass.

Additional Context

The `uv.lock` diff includes package version bumps (e.g. backrefs 6.2 → 7.0, cachetools 7.0.5 → 7.1.3, certifi update) and a new `ast-serialize` entry — these reflect the lockfile being regenerated under the new `exclude-newer` constraint.
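The cooldown the PR description talks about, as an added Python illustration (this is neither the project's code nor uv's own implementation): release metadata in the shape of PyPI's JSON API is filtered so that any distribution file uploaded inside the last N days is dropped before a version is picked. Everything here is constructed: the package releases, the field names (`upload_time_iso_8601`, `filename`), the reference time fixed to the PR date, and the per-file filtering rule, which is my understanding of how `exclude-newer` behaves rather than something the PR states.

```python
"""Cooldown filtering over package release metadata.

Added illustration for the exclude-newer idea; not code from the project or
from uv. A file is usable only if it was uploaded before `now - cooldown`, and
a version is installable only if at least one of its files survives. The
per-file rule is an assumption about uv's behaviour; all data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like PyPI's JSON API "releases" mapping:
# version -> list of files, each with an ISO-8601 upload time.
SAMPLE_RELEASES = {
    "1.0.0": [{"filename": "pkg-1.0.0.tar.gz", "upload_time_iso_8601": "2026-04-01T10:00:00.000000Z"}],
    "1.1.0": [{"filename": "pkg-1.1.0.tar.gz", "upload_time_iso_8601": "2026-05-10T09:30:00.000000Z"}],
    # Uploaded about a day before NOW: inside a 4-day cooldown window.
    "1.2.0": [{"filename": "pkg-1.2.0.tar.gz", "upload_time_iso_8601": "2026-05-19T23:15:00.000000Z"}],
    # Mixed: old sdist, freshly re-uploaded wheel. Only the sdist survives the filter.
    "0.9.0": [
        {"filename": "pkg-0.9.0.tar.gz", "upload_time_iso_8601": "2026-03-01T08:00:00.000000Z"},
        {"filename": "pkg-0.9.0-py3-none-any.whl", "upload_time_iso_8601": "2026-05-18T08:00:00.000000Z"},
    ],
}

# Constructed reference time (the PR date) so the example is deterministic.
NOW = datetime(2026, 5, 20, 12, 0, tzinfo=timezone.utc)


def parse_upload_time(value):
    """Parse PyPI-style ISO-8601 timestamps; a trailing Z means UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def apply_cooldown(releases, now=NOW, cooldown_days=4):
    """Return version -> surviving files after dropping anything newer than the cutoff.

    Files without an upload time are dropped as well: an unknown publication
    date cannot be shown to be outside the window, so it is treated as inside.
    """
    cutoff = now - timedelta(days=cooldown_days)
    filtered = {}
    for version, files in releases.items():
        kept = [
            f for f in files
            if f.get("upload_time_iso_8601")
            and parse_upload_time(f["upload_time_iso_8601"]) <= cutoff
        ]
        if kept:
            filtered[version] = kept
    return filtered


def version_key(version):
    """Order plain dotted versions numerically (enough for the sample; not full PEP 440)."""
    return tuple(int(part) for part in version.split("."))


def newest_eligible(releases, now=NOW, cooldown_days=4):
    """Pick the highest version the resolver may still use, or None if nothing survives."""
    candidates = apply_cooldown(releases, now, cooldown_days)
    return max(candidates, key=version_key) if candidates else None


if __name__ == "__main__":
    for days in (0, 4):
        chosen = newest_eligible(SAMPLE_RELEASES, cooldown_days=days)
        print(f"cooldown={days}d -> newest eligible version: {chosen}")
```

Running the block shows the effect the PR is after: without a cooldown the resolver would take the day-old `1.2.0`; with a 4-day window it settles on `1.1.0`, and the `0.9.0` wheel that was re-uploaded inside the window is ignored while its older sdist stays usable. The same logic explains why regenerating the lockfile under the constraint can move pins in either direction.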

@github-actions (Contributor) commented:

🔍 Commitizen bump preview

No commits in this PR are eligible for a version bump.

Adds `exclude-newer = "4 days"` under `[tool.uv.pip]` in `pyproject.toml`, preventing uv from resolving packages published within the last 4 days. This aligns with the constraint already referenced in `scripts/ci/prek/upgrade_important_versions.py` and reduces exposure to supply chain attacks that exploit newly published malicious package versions. The `uv.lock` is regenerated under this constraint.
@Lee-W force-pushed the add-cooldown-mechaism branch from 0872f91 to e7d051b on May 20, 2026 05:41
@github-actions (Contributor) commented:

🔍 Commitizen bump preview

No commits in this PR are eligible for a version bump.
