Bump deps: Flask 3.1.3, Werkzeug 3.1.8, Authlib 1.7, pydantic 2.13.2, etc.

Rolls up the open dependabot PRs #65, #66, #69, #72, #73, #74, #75, #76
into a single commit. Each bump is a minor/patch release with no breaking
changes relevant to this codebase; all chat.completions / Flask-SocketIO
/ pydantic-v1-validator usage continues to work.

- Flask[async]       3.1.2 -> 3.1.3   (#65, #72)
- Flask-SocketIO     5.6.0 -> 5.6.1   (#66)
- Werkzeug           3.1.5 -> 3.1.8   (#73; supersedes master-targeting #67
                                        which wanted 3.1.6)
- python-dotenv      1.2.1 -> 1.2.2   (#69)
- requests           2.32.5 -> 2.33.1 (#74)
- pydantic           2.12.5 -> 2.13.2 (#76)
- Authlib            1.6.8 -> 1.7.0   (#75)

Doing this as one commit on dev because dev has diverged from master
(Phase 0 + Phase 1 security/architectural work) and each dependabot PR
has a requirements.txt conflict against the new pins we added — resolving
8 of those by hand is more churn than just bumping the versions directly.

Author: Bentlybro

requirements.txt

@@ -1,11 +1,11 @@
 # Flask and web framework
-Flask[async]==3.1.2
+Flask[async]==3.1.3
 Flask-SQLAlchemy==3.1.1
 Flask-Login==0.6.3
 Flask-WTF==1.2.2
-Flask-SocketIO==5.6.0
+Flask-SocketIO==5.6.1
 WTForms==3.2.1
-Werkzeug==3.1.5
+Werkzeug==3.1.8
 
 # OpenAI integration
 # Latest 2.x — reasoning_effort is supported since 1.58, and the only 2.0
@@ -17,14 +17,14 @@ httpx[http2]==0.27.2
 
 # Security and utilities
 bcrypt==5.0.0
-python-dotenv==1.2.1
-requests==2.32.5
+python-dotenv==1.2.2
+requests==2.33.1
 urllib3>=2.6.3  # Security fix for CVE-2024-37891
 pre-commit==4.5.1
-pydantic==2.12.5
+pydantic==2.13.2
 Flask-Talisman==1.1.0
 Flask-Limiter==3.8.0
-Authlib==1.6.8
+Authlib==1.7.0
 psutil==7.2.2
 sentry-sdk[flask]==2.18.0
 regex==2024.11.6  # ReDoS-safe regex with timeout support