ci: refresh poetry.lock content-hash + pin Poetry so install works

The first CI run surfaced a pre-existing problem on `main`: a fresh
`poetry install` fails with "pyproject.toml changed significantly since
poetry.lock was last generated" — pyproject was edited after the lock was
last written, so its content-hash no longer matches. Local dev never hit
this (an existing venv + `poetry run`), but a clean checkout (CI, new
contributors) can't install.

Regenerating the lock changes ONLY the content-hash line — zero package
versions move — so this is a no-op for resolved dependencies. Pin CI to
Poetry 2.1.4 (the lock's generator) so the hash check is deterministic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: martin-castro-laminr-ai

.github/workflows/ci.yml

@@ -60,7 +60,12 @@ jobs:
           python-version: "3.12"
 
       - name: Install Poetry + pre-commit
-        run: pipx install poetry && pipx install pre-commit
+        # Poetry is pinned to the version that generated poetry.lock (see
+        # its header). `poetry install` compares the lock's content-hash
+        # against the one it computes from pyproject; a different Poetry
+        # can compute it differently and reject an otherwise-valid lock.
+        # Bump this in lockstep whenever the lock is regenerated.
+        run: pipx install poetry==2.1.4 && pipx install pre-commit
 
       - name: Install dependencies (locked)
         run: poetry install --no-interaction