Upgrade to Python 3.11

[olmos-keepsafe]

Key changes

• Migrates packaging from setup.py/setup.cfg to pyproject.toml with Python 3.11 metadata.
• Sets .python-version to 3.11.13 and bumps ks-email-parser from 0.3.2 to 1.0.0.
• Updates runtime/dev pins for Python 3.11 compatibility, including the pystache use_2to3 build blocker.
• Moves runtime pins to latest observed safe versions where proof passes: Markdown 3.10.2, inlinestyler 0.2.5, lxml 6.1.0, parse 1.22.0, beautifulsoup4 4.14.3, and pystache 0.6.8.
• Retains cssutils 2.11.1 as the latest safe cssutils pin after proving cssutils 2.13.0, 2.14.0, and 2.15.0 import-fail locally through the missing encutils module.
• Modernizes Markdown extension hooks for Markdown 3, keeps no-tracking links/base-url images compatible, and preserves golden fixture rendering output.
• Adds a narrow inlinestyler/lxml compatibility shim for CSSSelector.evaluate with lxml 6 while preserving fixture output normalization.
• Confirms msgpack is not a direct dependency, source/test import, or installed transitive dependency; check-msgpack remains in make lint.
• Adds CircleCI package CI following the python311-service-upgrade-stack sample intent with valid CircleCI 2.1 executors/commands: cimg/python:3.11.13, prepare_cache, lint/test jobs, v3-pip-/v3-venv- fallback cache keys, coverage artifact storage, and non-fatal Codecov upload.
• Switches local test workflow from nosetests to pynose and keeps flake8 config in pyproject.toml.
• Modernizes the CLI asyncio execution path and version lookup for Python 3.11.
• Fixes empty render handling both at the top-level render set and empty worker-batch level so missing/wrong input trees fail instead of silently succeeding.
• Adds docs/python311-migration-contract.md, CLI golden fixture smoke, empty-input CLI regression coverage, and refreshed task mapping/proof notes.

Proof run

• Baseline Python 3.11 install failed on pystache==0.5.4 because it uses removed use_2to3 metadata.
• make clean: pass
• make dev: pass from a clean venv
• make lint: pass, including flake8 7.3.0, flake8-pyproject 1.2.4, and check-msgpack
• make test: pass, 86 tests, 79% coverage; includes golden fixture comparisons, CLI smoke, and empty-render failure regression
• make test-only: pass outside sandbox, 86 tests, 79% coverage
• venv/bin/python -m compileall email_parser tests: pass
• venv/bin/python -c import-email-parser-parser-smoke: pass, returned email_parser.Parser
• venv/bin/ks-email-parser --version: pass, returned 1.0.0
• venv/bin/pip check: pass, no broken requirements found
• venv/bin/pip list --format=freeze: pass, confirms no installed msgpack distribution and selected latest-safe pins
• venv/bin/python -m build: pass after allowing isolated build dependency download; built sdist and wheel
• venv/bin/pyupgrade --keep-percent-format ladder from py36-plus through py311-plus: pass/no-op on current files
• ruby -e YAML.load_file('.circleci/config.yml'): pass
• circleci config validate .circleci/config.yml: pass
• Dependency break proof: cssutils 2.13.0, 2.14.0, and 2.15.0 install but fail import cssutils with ModuleNotFoundError for encutils, so cssutils remains pinned to 2.11.1

Known gaps

• Package artifact was built locally but not published.
• Downstream consumers such as email-service, emails, and ansible still need their own proof after consuming ks-email-parser==1.0.0.
• make test still prints legacy warnings from intentionally malformed XML fallback fixtures; those warnings are covered by existing passing tests.
• Service-only python311-service-upgrade-stack tasks are intentionally skipped because this repo is library/CLI-shaped: no Gunicorn, PasteDeploy, service INI, workers, Docker runtime, health endpoints, local E2E stack, or egress guard.