Fix pr-gates supply_chain dependency vulnerability floors#3

Open: TensorGymnastic wants to merge 1 commit into main from fix/pr-gates-osv-floor-bumps

Conversation

TensorGymnastic (Owner) commented May 17, 2026

Summary

  • bump the four runtime dependency minimums that the failing OSV scan flags in requirements.txt
  • mirror the same minimum versions in [project.dependencies] so the manifest sync check keeps passing
  • keep the fix limited to dependency floors instead of changing the workflow itself

Validation

  • python scripts/check_dependency_manifests.py
  • HOME=/workspace/.home XDG_CACHE_HOME=/workspace/.cache TMPDIR=/workspace/.tmp /workspace/codewiki/.venv312/bin/python -m pip_audit -r requirements.txt
  • HOME=/workspace/.home XDG_CACHE_HOME=/workspace/.cache TMPDIR=/workspace/.tmp /workspace/codewiki/.venv312/bin/python -m pip install -e ".[quality]"


chatgpt-codex-connector (Bot) left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 84765c417d


Comment thread: pyproject.toml
"mcp>=1.23.0",
"openai>=2.30.0",
"litellm>=1.83.0",
"litellm>=1.83.10",
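Review bot: the raised floor "litellm>=1.83.10" in this hunk does not record which OSV advisory it is meant to close, so a later reader cannot tell why this particular release was chosen over 1.83.0; since the PR summary says all four floors were bumped to satisfy the failing OSV scan, add the advisory identifiers from that scan next to the bump (PR description or an inline comment) and, before merging, confirm in a clean environment that the chosen release's own declared dependencies are co-installable with the other direct floors on this hunk, in particular "openai>=2.30.0".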

P1: Avoid a litellm floor that conflicts with direct deps

When installing from public PyPI, this new floor can make the project unsatisfiable: the PyPI metadata for litellm==1.83.10 declares openai==2.24.0 and python-dotenv==1.0.1, which conflicts with this project’s existing openai>=2.30.0 and the newly raised python-dotenv>=1.2.2 (mirrored in requirements.txt). A fresh pip install -e . or pip install -r requirements.txt against an index whose latest/safe LiteLLM is 1.83.10 will fail resolution instead of fixing the supply-chain gate; the floor needs to be a LiteLLM release whose own dependency metadata is compatible with these direct requirements, or the direct requirements need to be adjusted together.

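The unsatisfiable-floor situation the review describes can be caught before a PR is opened by comparing a candidate release's declared pins against the project's direct requirements. This is an added example, not code from the PR or from Codex; the metadata dict is constructed by hand from the values quoted in the review comment rather than fetched from PyPI, and the version parser is a deliberately small PEP 440 subset.

```python
import re

# Direct requirements of the project (subset mirroring the pyproject hunk).
DIRECT_REQUIREMENTS = ["openai>=2.30.0", "litellm>=1.83.10", "python-dotenv>=1.2.2"]

# Requires-Dist a candidate release declares. Constructed: hand-written from the
# values quoted in the review comment, not fetched from PyPI.
CANDIDATE_METADATA = {
    ("litellm", "1.83.10"): ["openai==2.24.0", "python-dotenv==1.0.1"],
}

_SPEC = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|>|<|!=)\s*([0-9][0-9.]*)$")

def parse(req):
    """Split 'name>=1.2.3' into (normalized name, operator, version tuple)."""
    m = _SPEC.match(req.strip())
    if not m:
        raise ValueError(f"unsupported requirement: {req!r}")
    name, op, ver = m.groups()
    return name.lower().replace("_", "-"), op, tuple(int(p) for p in ver.split("."))

def satisfies(version, op, bound):
    """PEP 440 subset: plain numeric release segments only."""
    return {"==": version == bound, ">=": version >= bound, "<=": version <= bound,
            ">": version > bound, "<": version < bound, "!=": version != bound}[op]

def find_conflicts(direct, candidate_requires):
    """Return (name, transitive_pin, direct_req) for every exact pin in the
    candidate's metadata that can never satisfy a direct requirement."""
    direct_by_name = {}
    for req in direct:
        name, op, ver = parse(req)
        direct_by_name.setdefault(name, []).append((op, ver, req))
    conflicts = []
    for trans in candidate_requires:
        name, op, ver = parse(trans)
        if op != "==":
            continue  # ranges need the full index to decide; exact pins do not
        for d_op, d_ver, d_req in direct_by_name.get(name, []):
            if not satisfies(ver, d_op, d_ver):
                conflicts.append((name, trans, d_req))
    return conflicts

if __name__ == "__main__":
    for (pkg, ver), reqs in CANDIDATE_METADATA.items():
        for name, pin, direct in find_conflicts(DIRECT_REQUIREMENTS, reqs):
            print(f"{pkg}=={ver} pins {pin}, but the project requires {direct}")
```

Running it against the constructed metadata reports both pins the review names (openai and python-dotenv) as unsatisfiable; a release whose metadata declares ranges instead of exact pins is skipped here and would need a real resolver run such as a clean pip install.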
