fix: bump dependency minimums to address active CVEs (#1526)

## Summary

- **PyJWT**: `>=2.8.0` → `>=2.12.0` — fixes CVE-2026-32597 (accepts
unknown `crit` header extensions)
- **pyOpenSSL**: `25.3.0` → `>=26.0.0` — fixes CVE-2026-27459
- **pyasn1**: `0.6.2` → `>=0.6.3` — fixes CVE-2026-30922
- **google.golang.org/grpc**: `v1.79.2` → `v1.79.3` — fixes
CVE-2026-33186 (authorization bypass via missing leading slash in :path)
- **kagent-tools** helm dep: `0.1.1` → `0.1.2`

## CVE Details

| Package | CVE | Severity | Fixed In |
|---------|-----|----------|----------|
| google.golang.org/grpc | CVE-2026-33186 | CRITICAL | 1.79.3 |
| PyJWT | CVE-2026-32597 | HIGH | 2.12.0 |
| pyOpenSSL | CVE-2026-27459 | HIGH | 26.0.0 |
| pyasn1 | CVE-2026-30922 | HIGH | 0.6.3 |

## Test plan

- [ ] `uv sync` in Python workspace resolves without conflicts
- [ ] `make -C python test` passes
- [ ] `go mod tidy` succeeds with no diff
- [ ] Trivy scan passes in CI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: EItanya

go/go.mod

@@ -58,6 +58,11 @@ require (
 	trpc.group/trpc-go/trpc-a2a-go v0.2.5
 )
 
+require (
+	github.com/testcontainers/testcontainers-go v0.41.0
+	github.com/testcontainers/testcontainers-go/modules/postgres v0.41.0
+)
+
 require (
 	cel.dev/expr v0.25.1 // indirect
 	cloud.google.com/go v0.123.0 // indirect
@@ -121,7 +126,6 @@ require (
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-json v0.10.3 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/google/btree v1.1.3 // indirect
 	github.com/google/cel-go v0.26.0 // indirect
@@ -193,8 +197,6 @@ require (
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/testcontainers/testcontainers-go v0.41.0 // indirect
-	github.com/testcontainers/testcontainers-go/modules/postgres v0.41.0 // indirect
 	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.2.0 // indirect
 	github.com/tidwall/pretty v1.2.1 // indirect
@@ -239,7 +241,7 @@ require (
 	google.golang.org/api v0.252.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20260226221140-a57be14db171 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
-	google.golang.org/grpc v1.79.2 // indirect
+	google.golang.org/grpc v1.79.3 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/apiextensions-apiserver v0.35.0 // indirect

go/go.sum

@@ -9,7 +9,7 @@ dependencies:
     repository: oci://ghcr.io/kagent-dev/kmcp/helm
     condition: kmcp.enabled
   - name: kagent-tools
-    version: 0.1.1
+    version: 0.1.2
     repository: oci://ghcr.io/kagent-dev/tools/helm
     condition: kagent-tools.enabled
   - name: grafana-mcp

helm/kagent/Chart-template.yaml

@@ -17,7 +17,7 @@ dependencies = [
   "typing-extensions>=4.8.0",
   "aiofiles>=24.1.0",
   "anyio>=4.9.0",
-  "PyJWT>=2.8.0",
+  "PyJWT>=2.12.0",
 ]
 
 [tool.uv.sources]

python/packages/agentsts-adk/pyproject.toml

@@ -12,7 +12,7 @@ dependencies = [
   "pydantic>=2.5.0",
   "typing-extensions>=4.8.0",
   "cryptography>=41.0.0",  # For JWT handling
-  "PyJWT>=2.8.0",  # For JWT token parsing
+  "PyJWT>=2.12.0",  # For JWT token parsing
 ]
 
 [project.optional-dependencies]

python/packages/agentsts-core/pyproject.toml

@@ -13,6 +13,8 @@ dev = [
 constraint-dependencies = [
     "cryptography>=46.0.5",
     "jaraco-context>=6.1.0",
+    "pyasn1>=0.6.3",
+    "pyopenssl>=26.0.0",
     "wheel>=0.46.2",
 ]