Commit bf10297
fix: remediate AgentEx Trivy findings (#232)
## Summary
- bump agentex-ui Next.js to 15.5.18
- bump urllib3 to 2.7.0 in the uv lockfile
- add a langchain-core >=1.3.3 override and refresh uv.lock
## Verification
- `npm run build`
- `npm run typecheck`
- `uv export --frozen --no-dev --package agentex-backend --no-emit-package agentex-backend`
- `trivy fs --scanners vuln --severity HIGH,CRITICAL --pkg-types library --skip-dirs .venv --skip-dirs agentex-ui/node_modules --skip-dirs agentex-ui/.next --exit-code 1 .`
<!-- greptile_comment -->
<h3>Greptile Summary</h3>
This PR remediation bumps three vulnerable dependencies: Next.js
`15.5.15 → 15.5.18` (frontend), `urllib3 2.6.3 → 2.7.0` (Python), and
`langchain-core 1.2.22 → 1.3.3` (Python, via a new
`override-dependencies` entry in `pyproject.toml`). The lockfile changes
are minimal, internally consistent, and all package hashes are present.
The `langchain-core` upgrade pulls in one new transitive dependency
(`langchain-protocol 0.0.15`) which only depends on `typing-extensions`.
<details><summary><h3>Confidence Score: 5/5</h3></summary>
Safe to merge — purely dependency version bumps with no application
logic changes.
All four files contain only dependency version updates. Lockfile hashes
are consistent, package-lock.json is fully aligned, and the only new
transitive dependency (`langchain-protocol`) is a minimal shim. No
custom rules are violated.
No files require special attention.
</details>
<h3>Important Files Changed</h3>
| Filename | Overview |
|----------|----------|
| pyproject.toml | Adds `langchain-core>=1.3.3` override to force a
patched version; straightforward and consistent with existing override
pattern. |
| uv.lock | Bumps `langchain-core` 1.2.22 → 1.3.3 and `urllib3` 2.6.3 →
2.7.0; introduces one new transitive dep (`langchain-protocol 0.0.15`).
All hashes present and consistent. |
| agentex-ui/package.json | Pins `next` to `15.5.18` (up from `15.5.15`)
to address CVE findings. |
| agentex-ui/package-lock.json | All ten Next.js package entries
consistently updated to 15.5.18; diff is small and well-scoped. |
</details>
<details><summary><h3>Flowchart</h3></summary>
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Trivy Scan - HIGH/CRITICAL CVEs] --> B{Affected Components}
B --> C[Next.js - Frontend]
B --> D[urllib3 - Python HTTP]
B --> E[langchain-core - Python AI]
C --> C1[15.5.15 → 15.5.18\npackage.json + package-lock.json]
D --> D1[2.6.3 → 2.7.0\nuv.lock]
E --> E1[1.2.22 → 1.3.3\npyproject.toml override + uv.lock]
E1 --> E2[New transitive dep:\nlangchain-protocol 0.0.15]
C1 --> F[Trivy Scan Clean]
D1 --> F
E2 --> F
```
</details>
<sub>Reviews (1): Last reviewed commit: ["fix: remediate agentex trivy findings"](4287a92)</sub>
<!-- /greptile_comment -->

1 parent dd25ab6 commit bf10297
4 files changed
Lines changed: 62 additions & 47 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
42 | | - | |
| 42 | + | |
43 | 43 | | |
44 | 44 | | |
45 | 45 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
31 | 31 | | |
32 | 32 | | |
33 | 33 | | |
| 34 | + | |
34 | 35 | | |
35 | 36 | | |
36 | 37 | | |
| |||
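Review bot: the single line added at new line 34 comes with no separate comment line in this hunk, so nothing in the file records why it is there. If this is the `langchain-core>=1.3.3` override described in the summary, add a comment beside it naming the Trivy finding it remediates and the condition for removing it. An override applies regardless of what the workspace packages declare, and an open-ended `>=` will move to newer releases whenever the lock is upgraded, so consider whether an upper bound is wanted.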