chore: harden uv dependency resolution#3014

Merged
seratch merged 1 commit into main from dev/codex/package-manager-safety-dry-run on Apr 23, 2026
Conversation

@mcgrew-oai
Contributor

This pull request hardens package-manager dependency resolution for this public repository. It adds a uv age-gate and safe-index policy, pins GitHub Actions setup for uv to an immutable action release, and explicitly installs uv 0.11.7 in CI so the relative exclude-newer = "7 days" policy is supported.

What changed

  • Add [tool.uv] and [tool.uv.pip] policy with exclude-newer = "7 days" and index-strategy = "first-index".
  • Refresh uv.lock so the lock records the resolved cutoff for the configured 7-day policy.
  • Pin astral-sh/setup-uv to an immutable setup-uv v8.1.0 commit and document the action and uv package versions inline.
  • Update the sandbox tutorial Docker image to copy a digest-pinned uv binary and install Python dependencies with uv pip install --system using age-gate and safe index controls.

Why

This reduces package-compromise and dependency-confusion risk for CI, local lock resolution, and the tutorial container build without changing the SDK public API.

Verification

  • Package-manager audit completed with no unsuppressed follow-up items.
  • uv build
  • Docker build for examples/sandbox/tutorials/Dockerfile
  • make typecheck
  • make tests

Note: the full helper script that runs typecheck and tests concurrently reproduced an existing timing-sensitive test failure on the unchanged baseline worktree. Running the project checks sequentially passed.

@mcgrew-oai mcgrew-oai marked this pull request as ready for review April 23, 2026 17:18
@mcgrew-oai mcgrew-oai requested review from sdcoffey and seratch April 23, 2026 17:19
@seratch seratch merged commit c2cb031 into main Apr 23, 2026
11 checks passed
@seratch seratch deleted the dev/codex/package-manager-safety-dry-run branch April 23, 2026 23:03