
Commit c77d3cb

remyluslosius and claude committed
fix(security): Update Starlette to 0.49.1 to fix CVE-2025-62727
SECURITY FIX: Resolves HIGH severity DoS vulnerability in Starlette

Vulnerability Details:
- CVE: CVE-2025-62727
- GHSA: GHSA-7f5h-v6xp-fcq8
- Severity: HIGH
- Type: Denial of Service (O(n²) complexity)
- Attack Vector: Unauthenticated remote

Issue:
Starlette <0.49.1 has O(n²) DoS vulnerability in FileResponse and StaticFiles
when processing crafted HTTP Range headers. An attacker can send requests like:
  Range: bytes=0000000000000000...a-
causing 3.2 seconds CPU time per request.

Exposed Endpoints:
- /static/* (frontend assets)
- /api/docs (Swagger UI)
- File downloads (scan results, reports)

Mitigation Already In Place:
- Rate limiting: 100 req/min per user, 1000 req/min per IP
- Authentication required for most endpoints
- Static files and API docs accessible without auth (vulnerable)

Fix:
- Upgraded starlette: 0.47.2 → 0.49.1
- Upgraded fastapi: 0.119.1 → 0.120.1 (supports Starlette 0.49.1+)

Testing Required:
- Run pytest backend test suite
- Verify static file serving still works
- Check API docs load correctly
- Test file downloads (scan results)

References:
- docs/SESSION_SUMMARY_2025-11-02.md (lines 170-210)
- Dependabot alert #27

Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
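The commit message describes the class of bug being closed: Range header parsing whose cost grows quadratically with the header length, so a single unauthenticated request burns seconds of CPU. The block below is an added example, not Starlette's code and not part of the OpenWatch repository: a hypothetical `parse_range` / `range_status` pair that shows what a bounded, single-pass parser for the same header looks like, and that can double as the regression check the message lists under "Testing Required". The constants `MAX_HEADER_LEN` and `MAX_RANGES` and the function names are assumptions chosen for the example.

```python
"""
Bounded, linear-time HTTP Range header parsing.

Added example; hypothetical code, not Starlette's or OpenWatch's. The
defensive properties it demonstrates: reject oversized input before any
work is done, cap the number of byte-range specs, and scan each token
exactly once so a header like "bytes=000...0a-" costs O(len(header)).
"""
from typing import List, Optional, Tuple

MAX_HEADER_LEN = 4096   # assumption: longest Range header we will even look at
MAX_RANGES = 16         # assumption: maximum byte-range-specs per request


class RangeError(ValueError):
    """Malformed Range header (bad unit, bad digits, end before start, too big)."""


class RangeNotSatisfiable(ValueError):
    """Well-formed header but no range overlaps the file: answer 416."""


def _parse_int(token: str) -> int:
    # isascii()/isdigit() and int() are each one pass over a token whose length
    # is already capped by MAX_HEADER_LEN, so a long run of leading zeros is
    # cheap rather than a trigger for super-linear work.
    if not (token.isascii() and token.isdigit()):
        raise RangeError(f"non-numeric range bound: {token[:16]!r}")
    return int(token)


def parse_range(header: str, file_size: int) -> List[Tuple[int, int]]:
    """Return inclusive (start, end) byte ranges for a Range header value.

    Raises RangeError on malformed input and RangeNotSatisfiable when no
    range falls inside the file. Total work is proportional to len(header).
    """
    if len(header) > MAX_HEADER_LEN:
        raise RangeError("Range header too long")
    unit, sep, spec = header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise RangeError("unsupported range unit")
    specs = spec.split(",")
    if len(specs) > MAX_RANGES:
        raise RangeError("too many byte ranges")

    ranges: List[Tuple[int, int]] = []
    for item in specs:
        item = item.strip()
        start_s, dash, end_s = item.partition("-")
        if dash != "-":
            raise RangeError("missing '-' in byte-range-spec")
        if start_s == "" and end_s == "":
            raise RangeError("empty byte-range-spec")
        if start_s == "":
            # suffix form "-N": the last N bytes of the file
            suffix = _parse_int(end_s)
            if suffix == 0:
                continue                      # "-0" is unsatisfiable; skip it
            start, end = max(0, file_size - suffix), file_size - 1
        else:
            start = _parse_int(start_s)
            if start >= file_size:
                continue                      # starts past EOF; unsatisfiable
            end = file_size - 1 if end_s == "" else min(_parse_int(end_s), file_size - 1)
            if end < start:
                raise RangeError("range end precedes start")
        ranges.append((start, end))

    if not ranges:
        raise RangeNotSatisfiable("no byte range overlaps the file")
    return ranges


def range_status(header: Optional[str], file_size: int) -> Tuple[int, List[Tuple[int, int]]]:
    """Map a Range header to the status a file endpoint should answer with.

    200 when there is no Range header, 206 with the parsed ranges when it is
    valid, 416 when it is well-formed but unsatisfiable, and 400 when it is
    malformed. Rejecting rather than ignoring malformed headers is a choice
    made here so abuse attempts are visible in access logs.
    """
    if header is None:
        return 200, [(0, file_size - 1)]
    try:
        return 206, parse_range(header, file_size)
    except RangeNotSatisfiable:
        return 416, []
    except RangeError:
        return 400, []


if __name__ == "__main__":
    # Constructed inputs: a normal range, the shape of header quoted in the
    # commit message, and an oversized header; all three return immediately.
    for hdr in ("bytes=0-499", "bytes=" + "0" * 40 + "a-", "bytes=" + "0" * 5000 + "-"):
        print(len(hdr), range_status(hdr, 1000))
```

In a test suite the same functions give a fixed expectation per input class (206/416/400), so a pinned-version bump like this one can be accompanied by an assertion that a long Range header against a static route completes within a small time budget, instead of relying on a manual checklist.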
1 parent 235ee20 commit c77d3cb

1 file changed

Lines changed: 2 additions & 2 deletions


backend/requirements.txt

@@ -1,8 +1,8 @@
11
# OpenWatch Backend Dependencies
22
# Core web framework
3-
fastapi==0.119.1 # Latest stable (Oct 2025), supports starlette>=0.40.0,<0.49.0
3+
fastapi==0.120.1 # Latest stable (Nov 2025), supports starlette 0.49.1+
44
uvicorn[standard]==0.32.1
5-
starlette==0.47.2 # Security: CVE-2025-59343, DoS via multipart forms
5+
starlette==0.49.1 # Security: CVE-2025-62727 fixed (O(n²) DoS via HTTP Range header)
66
python-multipart==0.0.18
77

88
# Database
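Review bot: the new comment on the `starlette==0.49.1` line drops the CVE-2025-59343 (multipart DoS) note that the previous pin carried, so the reason for the version floor is only half recorded; suggest keeping both, e.g. `starlette==0.49.1 # Security: CVE-2025-59343 (multipart DoS), CVE-2025-62727 (O(n²) DoS via HTTP Range header)`. The commit message lists a "Testing Required" checklist, but the change touches only requirements.txt; a regression test that requests a StaticFiles route with a long Range header and asserts an upper bound on response time would let CI enforce that checklist rather than a reviewer.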
