Commit b8a56a9
Patch CVE-2026-44432 and CVE-2026-44431 (urllib3)
Bumps urllib3 2.6.3 -> 2.7.0 to fix two HIGH severity advisories:
- CVE-2026-44432 (GHSA-mf9v-mfxr-j63j, CVSS 7.5): excessive resource
consumption (CWE-409) when streaming compressed responses via the
Brotli read path or drain_conn().
- CVE-2026-44431 (GHSA-qccp-gfcp-xxvc, CVSS 5.3): sensitive headers
(Authorization/Cookie/Proxy-Authorization) leaked on cross-origin
redirects via the low-level ProxyManager.connection_from_url() API.
urllib3 2.7.0 dropped Python 3.9 support, so the project floor is raised
to ^3.10 (3.9 is past EOL; the shipped Docker image is python:3.12).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

1 parent 6147bdc
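The first advisory is a resource-consumption (CWE-409) problem: a small compressed body expands to a very large decoded one while the reader streams it. The bounded, chunked decoder below is an added illustration written for this page, not urllib3's code and not the fix that shipped in 2.7.0. It uses zlib in place of Brotli because zlib is in the standard library; the limit logic is the same idea. The sample payloads (a JSON-lines blob and an 8 MiB run of zeros) are constructed inline.

```python
"""Bounded decoding of a compressed response body (CWE-409 guard).

Added example for this page; not urllib3's code. zlib stands in for Brotli
because it ships with CPython.
"""
import json
import zlib


class DecompressionLimitExceeded(Exception):
    """Raised when decoded output would exceed a configured bound."""


def bounded_decompress(chunks, max_output, max_ratio=100, out_cap=64 * 1024):
    """Decode `chunks` (an iterable of compressed byte strings) incrementally.

    Output is requested in pieces of at most `out_cap` bytes, so the limits are
    checked before any single call can balloon. `max_output` caps the total
    decoded size; `max_ratio` caps decoded bytes per compressed byte seen so
    far, which catches a bomb within its first few kilobytes of input.
    """
    d = zlib.decompressobj()
    total_in = 0
    total_out = 0
    out = bytearray()
    for chunk in chunks:
        total_in += len(chunk)
        data = chunk
        while True:
            piece = d.decompress(data, out_cap)  # at most out_cap bytes back
            total_out += len(piece)
            if total_out > max_output:
                raise DecompressionLimitExceeded(
                    f"decoded size {total_out} exceeds max_output={max_output}")
            if total_out > max_ratio * total_in:
                raise DecompressionLimitExceeded(
                    f"ratio {total_out / max(total_in, 1):.0f}:1 exceeds "
                    f"max_ratio={max_ratio}")
            out += piece
            data = d.unconsumed_tail  # input the decoder did not consume yet
            # Done with this chunk when the stream ended, or when no input is
            # pending and the last piece was short (nothing buffered inside).
            if d.eof or (not data and len(piece) < out_cap):
                break
        if d.eof:
            break
    return bytes(out)


def chunked(blob, size=4096):
    """Yield `blob` in `size`-byte pieces, as a streaming socket read would."""
    for i in range(0, len(blob), size):
        yield blob[i:i + size]


def rejection_reason(body, **limits):
    """Return the limit message if `body` is rejected, else None."""
    try:
        bounded_decompress(chunked(body), **limits)
    except DecompressionLimitExceeded as exc:
        return str(exc)
    return None


# Constructed sample inputs (not captured traffic).
LEGIT_PLAIN = "\n".join(
    json.dumps({"id": i, "user": f"u{i % 97}", "note": f"event {i * 7919 % 1000}"})
    for i in range(4000)
).encode()
LEGIT_COMPRESSED = zlib.compress(LEGIT_PLAIN)
# 8 MiB of zeros deflates to a few KiB: a classic decompression bomb.
BOMB_COMPRESSED = zlib.compress(b"\0" * (8 << 20), 9)

if __name__ == "__main__":
    print(len(bounded_decompress(chunked(LEGIT_COMPRESSED), max_output=1 << 20)))
    print(rejection_reason(BOMB_COMPRESSED, max_output=1 << 20))
```

The ratio check is what makes the guard useful for streaming: with only a size cap, the reader still decodes up to the cap before noticing, whereas the bomb above is rejected after the first 4 KiB chunk of input. A truncated stream (no `d.eof`) returns whatever was decoded; callers that need a complete body should check `d.eof` themselves or compare against Content-Length.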
2 files changed
Lines changed: 18 additions & 63 deletions
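The second advisory concerns credential headers that survive a cross-origin redirect. The origin comparison below is an added example written for this page, not urllib3's implementation and not the 2.7.0 fix; the header list is the one the commit message names (Authorization, Cookie, Proxy-Authorization), and the redirect chain, hostnames and header values are constructed. It also shows the point practitioners get wrong: once a hop has dropped the headers, a later hop back to the original host must not restore them.

```python
"""Drop credential-bearing headers when a redirect changes origin.

Added example for this page; not urllib3's code. Origin = (scheme, host,
port) with the default port filled in, so http->https on the same host is
treated as cross-origin here.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# The three headers the commit message lists as leaked.
CREDENTIAL_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})


def origin(url):
    """Normalised (scheme, host, port) for `url`."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def headers_for_redirect(headers, from_url, to_url, strip=CREDENTIAL_HEADERS):
    """Return (headers_to_send, dropped_names) for following from_url -> to_url.

    Same origin keeps everything; any change of scheme, host or port removes
    the credential headers (header names matched case-insensitively).
    """
    if origin(from_url) == origin(to_url):
        return dict(headers), []
    kept, dropped = {}, []
    for name, value in headers.items():
        if name.lower() in strip:
            dropped.append(name)
        else:
            kept[name] = value
    return kept, dropped


def walk_redirects(start_url, headers, locations, max_hops=5):
    """Follow a constructed chain; `locations` maps a URL to its Location.

    Returns (final_url, headers_sent_to_final_url, hop_log) where each log
    entry is (from_url, to_url, dropped_header_names).
    """
    url, current, log = start_url, dict(headers), []
    for _ in range(max_hops):
        target = locations.get(url)
        if target is None:
            return url, current, log
        current, dropped = headers_for_redirect(current, url, target)
        log.append((url, target, dropped))
        url = target
    raise RuntimeError("too many redirects")


# Constructed request and redirect chain (hostnames are placeholders).
REQUEST_HEADERS = {
    "Authorization": "Bearer t0k3n",
    "Cookie": "session=abc",
    "Proxy-Authorization": "Basic cHJveHk6cHc=",
    "Accept": "application/json",
}
CHAIN = {
    "https://api.example/v1/data": "https://cdn.example/catch",   # cross-origin hop
    "https://cdn.example/catch": "https://api.example/v1/final",  # bounce back
}

if __name__ == "__main__":
    final_url, sent, log = walk_redirects("https://api.example/v1/data", REQUEST_HEADERS, CHAIN)
    for hop in log:
        print(hop)
    print(final_url, sent)
```

In urllib3 itself the equivalent behaviour for the high-level API is configured through `Retry(remove_headers_on_redirect=...)`; the example exists to make the origin rule and the no-restore property explicit, since a low-level path that skips that logic is exactly what the advisory describes.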