Python: refresh dev dependencies and validate runtime bounds

[eavanvalkenburg]

Motivation and Context

Consolidates the outstanding Python dependency maintenance into a single PR: refreshes third-party dev dependencies across the workspace and validates that all runtime dependency bounds still hold. Supersedes several open/closed-unmerged Dependabot PRs and documents why two of them cannot be merged as-is.

Description

Dev dependency bumps (root, lab, declarative, durabletask):

• uv 0.11.6→0.11.17, ruff 0.15.8→0.15.15, pytest-asyncio 1.3.0→1.4.0, mcp 1.27.0→1.27.2, azure-monitor-opentelemetry 1.8.7→1.8.8, poethepoet 0.42.1→0.46.0, prek 0.3.9→0.4.3, plus types-python-dateutil / types-PyYaml stub bumps.
• Transitive items swept via the lock: idna 3.11→3.17, pip 26.0.1→26.1.2.

Deliberately excluded (need dedicated PRs / blocked):

• opentelemetry-sdk stays 1.40.0 — azure-monitor-opentelemetry (incl. 1.8.8) hard-pins opentelemetry-sdk==1.40, so it cannot be bumped while present.
• mypy stays 1.20.0 and pyright stays 1.1.408 — the 2.1.0 / 1.1.409 bumps introduce new diagnostics that fail type checking and warrant separate, focused PRs.
• rich kept as a range — agentlightning (lab[lightning]) transitively forces rich==13.9.4.

Code/formatting changes driven by the ruff upgrade:

• devui lifespan now uses try/finally so shutdown cleanup always runs (RUF075).
• Removed unused TYPE_CHECKING imports in core and foundry flagged by ruff 0.15.15.
• Reapplied ruff 0.15.15 formatting to the files it changed.

Runtime bound validation: validate-dependency-bounds-test --package "*" passes — 31/31 lower + 31/31 upper resolutions across the workspace. typing 62/62, lint 31/31, and devui tests pass.

Dependabot cross-check

PR	Bump	Status
#6180 / #6179	uv → 0.11.15	Superseded (→0.11.17)
#5991	types-python-dateutil	Covered
#5983	prek → 0.4.3	Covered
#6168	pip → 26.1	Superseded (→26.1.2)
#5957	idna → 3.15	Superseded (→3.17)
#5990	opentelemetry-sdk → 1.42.1	Blocked by azure-monitor-opentelemetry pin
#5989	mypy → 2.1.0	Excluded (breaks type checking)

Contribution Checklist

• The code builds clean without any errors or warnings
• The PR follows the Contribution Guidelines
• All unit tests pass, and I have added new tests where possible
• Is this a breaking change? If yes, add "[BREAKING]" prefix to the title of the PR.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[moonbox3]

Python Test Coverage Report •

File	Stmts	Miss	Cover	Missing
packages/a2a/agent_framework_a2a
_a2a_executor.py	93	0	100%
packages/core/agent_framework
_middleware.py	366	16	95%	60, 63, 68, 797, 813, 815, 817, 950, 953, 980, 982, 1113, 1117, 1299, 1303, 1371
_skills.py	865	31	96%	289, 536, 548, 1002, 1017, 1019–1020, 1376–1377, 1389–1390, 1620, 1649, 2112, 2568–2569, 2704, 2709, 2712, 2717, 2744, 2749, 2803, 2812, 2817, 2820, 2825, 2849, 2854, 3096–3097
packages/foundry/agent_framework_foundry
_agent.py	239	56	76%	119, 122, 241–242, 246–248, 253–256, 346, 419–420, 432–433, 445–447, 449–450, 452–458, 460–461, 463, 465, 471–473, 476–485, 489–490, 680–681, 684, 710, 720, 736, 806, 811, 815
TOTAL	37396	4350	88%

Python Unit Test Overview

Tests	Skipped	Failures	Errors	Time
7451	34 💤	0 ❌	0 🔥	1m 59s ⏱️

[github-actions]

Automated Code Review

Reviewers: 4 | Confidence: 71% | Result: All clear

Reviewed: Correctness, Security Reliability, Test Coverage, Design Approach

---

Automated review by eavanvalkenburg's agents