Commit 4315f04
Patch urllib3 CVEs: bump to 2.7.0
Resolves two HIGH-severity Vanta/Dependabot findings on the krr image,
both in urllib3 2.6.3 (fixed in 2.7.0):
- CVE-2026-44431 (5.3): sensitive headers (Authorization/Cookie/
Proxy-Authorization) forwarded on cross-origin redirects via the
low-level ProxyManager.connection_from_url().urlopen() flow.
- CVE-2026-44432 (7.5): DoS via excessive HTTP response decompression
(Brotli read / drain_conn) — CWE-409.
Bumps urllib3 ^2.6.3 -> ^2.7.0 in pyproject.toml, 2.6.3 -> 2.7.0 in
requirements.txt, and updates poetry.lock accordingly. Trivy rescan of
requirements.txt reports 0 HIGH/CRITICAL; full test suite passes (55).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 4465a10 commit 4315f04
3 files changed
Lines changed: 28 additions & 107 deletions
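The commit message above moves the urllib3 floor to 2.7.0 in three manifests and relies on a Trivy rescan to confirm it. A practitioner usually also wants a manifest-level gate that fails CI whenever a package's lower bound drops back below the fixed version. The script below is an added example, not code from the krr project or from this commit: it parses `requirements.txt` pins and Poetry-style constraints in `pyproject.toml` with the standard library only, and reports any package whose floor is below the version that carries the fix, or that has no floor at all. `FIXED_IN` is taken from the fixed-in version the message states; the sample manifests are constructed for the demonstration, and function names are mine.

```python
"""Gate a dependency floor on the version that fixes a finding.

Added example (not krr project code): parses requirements.txt pins and
Poetry constraints in pyproject.toml using only the standard library, and
flags packages whose lower bound is below the fixed version. PEP 621
``[project]`` dependency lists and poetry.lock are deliberately not parsed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Package -> first version carrying the fix (from the commit message above).
FIXED_IN: Dict[str, str] = {"urllib3": "2.7.0"}

# One comma-separated constraint component, e.g. "==2.6.3", ">=2.7.0", "^2.6.3".
# Upper-bound operators (<, <=, !=) are left unmatched on purpose: they set no floor.
_SPEC_PART = re.compile(r"^\s*(?P<op>==|>=|~=|>|\^)?\s*(?P<ver>[0-9][0-9A-Za-z.]*)?\s*$")
# requirements.txt line: name, optional extras, then everything up to a marker/comment.
_REQ_LINE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?P<spec>[^;#]*)"
)
# Poetry table entry:  urllib3 = "^2.6.3"   or   urllib3 = {version = ">=2.7.0", ...}
_POETRY_DEP = re.compile(
    r'^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)\s*=\s*'
    r'(?:"(?P<spec>[^"]*)"|\{[^}]*version\s*=\s*"(?P<spec2>[^"]*)")'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted version to a comparable tuple; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def floor_of_spec(spec: str) -> Optional[str]:
    """Lowest version a constraint admits, or None if it sets no floor ("*", "<3", "").

    ==, >=, ~= and Poetry's ^ all admit the stated version itself; for a bare '>'
    the stated version is returned as a conservative floor, which still flags
    anything that admits an unfixed release.
    """
    floors = []
    for part in spec.split(","):
        m = _SPEC_PART.match(part)
        if m and m.group("ver"):
            floors.append(m.group("ver"))
    return max(floors, key=parse_version) if floors else None


def parse_requirements(text: str) -> Dict[str, Optional[str]]:
    """Map each requirements.txt package (lower-cased) to its version floor."""
    floors: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):  # comments and pip options
            continue
        m = _REQ_LINE.match(line)
        if m:
            floors[m.group("name").lower()] = floor_of_spec(m.group("spec"))
    return floors


def parse_pyproject_poetry(text: str) -> Dict[str, Optional[str]]:
    """Map packages in [tool.poetry.*dependencies] tables to their version floor."""
    floors: Dict[str, Optional[str]] = {}
    in_deps = False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_deps = s.startswith("[tool.poetry") and s.endswith("dependencies]")
            continue
        if not in_deps or not s or s.startswith("#"):
            continue
        m = _POETRY_DEP.match(s)
        if m:
            spec = m.group("spec") if m.group("spec") is not None else m.group("spec2")
            floors[m.group("name").lower()] = floor_of_spec(spec)
    return floors


def findings(floors: Dict[str, Optional[str]],
             fixed_in: Dict[str, str] = FIXED_IN) -> List[Tuple[str, Optional[str], str]]:
    """(package, floor, fixed_version) for each tracked package whose floor is too low."""
    out = []
    for name, fixed in fixed_in.items():
        if name not in floors:
            continue
        floor = floors[name]
        if floor is None or parse_version(floor) < parse_version(fixed):
            out.append((name, floor, fixed))
    return out


if __name__ == "__main__":
    # Constructed manifests mirroring the before/after state described in the commit message.
    before_req, after_req = "urllib3==2.6.3\n", "urllib3==2.7.0\n"
    before_py = '[tool.poetry.dependencies]\npython = "^3.9"\nurllib3 = "^2.6.3"\n'
    after_py = '[tool.poetry.dependencies]\npython = "^3.9"\nurllib3 = "^2.7.0"\n'
    for label, text, parser in [("requirements before", before_req, parse_requirements),
                                ("requirements after", after_req, parse_requirements),
                                ("pyproject before", before_py, parse_pyproject_poetry),
                                ("pyproject after", after_py, parse_pyproject_poetry)]:
        print(label, "->", findings(parser(text)) or "ok")
```

Run it as a CI step next to the scanner: a non-empty result from `findings()` means a manifest admits an unfixed release even if the currently resolved lock file happens to be clean. The floor check is deliberately strict about unpinned entries (`urllib3` with no version) because such a line satisfies a scanner only by accident of whatever resolves at build time.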