Commit f7aafbc
Bump idna and pymdown-extensions for advisories (#124)
Both flagged by Dependabot on main, both transitive, both
medium-severity. Bumping via ``uv lock --upgrade-package`` so
parent-package constraints stay respected and no direct pin gets
added to pyproject.toml.
- ``idna`` 3.13 -> 3.18 (advisory: specially-crafted inputs to
``idna.encode()`` can bypass the CVE-2024-3651 fix; first
patched in 3.15). Pulled in transitively via httpx + anyio —
runtime path for LLM provider HTTP calls.
- ``pymdown-extensions`` 10.21.2 -> 10.21.3 (advisory: regression
in ``pymdownx.snippets`` reintroduces sibling-prefix path
traversal bypass despite ``restrict_base_path``; first patched
in 10.21.3). Pulled in via mkdocs-material + mkdocstrings —
dev-only (docs build). Lower risk in practice since we don't
configure ``pymdownx.snippets``, but worth taking for hygiene.
Verified:
- ``uv sync`` resolves cleanly
- 531/531 unit tests pass
- 13/13 examples smoke tests pass
- ``mkdocs build --strict`` clean
- ruff + pyright clean
1 parent 4df1781
1 file changed
Lines changed: 6 additions & 6 deletions