security(deps): constrain pip >=26.1.2 (PYSEC-2026-196) to unblock pip-audit

A new advisory landed against pip 26.1.1 (fixed in 26.1.2) since the last green deploy, turning the pip-audit --strict gate red even though no app code changed. pip is in the scanned env only because pip-audit pulls it in to resolve deps. Add a [tool.uv] constraint (same mechanism already used for authlib/urllib3/idna/starlette) and re-lock. Verified against the CI-exact sequence: 'uv sync --extra dev' installs pip 26.1.2 and 'uv run pip-audit --strict' reports no vulnerabilities.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: Sbussiso

backend/pyproject.toml

@@ -144,9 +144,16 @@ ignore = ["B008", "UP045"]
 # deploy red.  1.0.0 → 1.0.1 is a patch; fastapi's starlette range
 # accepts it (uv resolves cleanly).  Remove once fastapi's own pin
 # moves past 1.0.1.
+#
+# pip: PYSEC-2026-196 (fixed in 26.1.2).  Present only because pip-audit
+# (our dev-time scanner) pulls pip in to resolve deps, then --strict audits
+# pip itself.  Advisory landed ~2026-06 and turned the scan red even though
+# no code changed.  Dev/CI surface only — pip isn't shipped in the app
+# image.  Remove once pip-audit's own pin clears 26.1.2.
 constraint-dependencies = [
     "authlib>=1.7.1",
     "urllib3>=2.7.0",
     "idna>=3.15",
     "starlette>=1.0.1",
+    "pip>=26.1.2",
 ]