sec: relax fastapi upper bound, floor-pin tornado to fix 2 HIGH CVEs

Remove `fastapi<0.116` constraint so consumers can resolve fastapi>=0.130
which dropped the starlette<0.47 upper bound, enabling starlette>=0.49.1
(fixes CVE-2025-62727). Add `tornado>=6.5.5` floor to fix CVE-2026-31958.

uv.lock: fastapi 0.115.14→0.135.2, starlette 0.46.2→1.0.0, tornado 6.5.2→6.5.5

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: scale-ballen

pyproject.toml

@@ -18,7 +18,8 @@ dependencies = [
     "typer>=0.16,<0.17",
     "questionary>=2.0.1,<3",
     "rich>=13.9.2,<14",
-    "fastapi>=0.115.0,<0.116",
+    "fastapi>=0.115.0",           # upper bound removed — CVE-2025-62727 (starlette) fix requires >=0.115.12
+    "tornado>=6.5.5",             # CVE-2026-31958 (HIGH) — floor pin ensures patched release
     "uvicorn>=0.31.1",
     "watchfiles>=0.24.0,<1.0",
     "python-on-whales>=0.73.0,<0.74",