Commit 2d07503
Patch urllib3 CVEs: bump to 2.7.0 (#527)
## Summary
Resolves two HIGH-severity Vanta/Dependabot findings on the krr image,
both in urllib3 2.6.3 (fixed in 2.7.0):
- **CVE-2026-44431** (5.3): sensitive headers
(Authorization/Cookie/Proxy-Authorization) forwarded on cross-origin
redirects via the low-level
`ProxyManager.connection_from_url().urlopen()` flow.
- **CVE-2026-44432** (7.5): DoS via excessive HTTP response
decompression (Brotli read / `drain_conn`) — CWE-409.
## Changes
- Bumps urllib3 `^2.6.3` → `^2.7.0` in `pyproject.toml`
- `2.6.3` → `2.7.0` in `requirements.txt`
- Updates `poetry.lock` accordingly
## Verification
- Trivy rescan of `requirements.txt` reports **0 HIGH/CRITICAL**
- Full test suite passes (55 tests)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

1 parent 4465a10
3 files changed
Lines changed: 28 additions & 107 deletions