
feat(python): uv cooldown, CI uv audit, and Pyrefly for the SDK #3257

Closed

raushanprabhakar1 wants to merge 1 commit into apache:master from raushanprabhakar1:feat/safeguard-python

Conversation

@raushanprabhakar1

Which issue does this PR close?

Closes #3246

Rationale

Supply-chain incidents increasingly rely on very new PyPI uploads. Adding uv’s exclude-newer cooldown limits how fresh a release can be when resolving dependencies. We also run uv audit locally via pre-commit and add Pyrefly 1.x for type checking alongside mypy, with CI and hooks aligned.

What changed?

Dependency resolution for foreign/python now applies a 7-day exclude-newer

github-actions bot added the S-waiting-on-review (PR is waiting on a reviewer) label, May 14, 2026
@codecov

codecov Bot commented May 14, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.83%. Comparing base (a4b6a8d) to head (a9d6e0a).
⚠️ Report is 12 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff              @@
##             master    #3257      +/-   ##
============================================
+ Coverage     73.82%   73.83%   +0.01%     
  Complexity      943      943              
============================================
  Files          1190     1193       +3     
  Lines        107833   108933    +1100     
  Branches      84851    85967    +1116     
============================================
+ Hits          79606    80433     +827     
- Misses        25473    25740     +267     
- Partials       2754     2760       +6     
Component     Coverage   Patch   Change
Rust Core     74.89%     ø       +0.02% ⬆️
Java SDK      60.14%     ø       ø
C# SDK        69.16%     ø       -0.28% ⬇️
Python SDK    81.43%     ø       ø
Node SDK      91.53%     ø       ø
Go SDK        39.80%     ø       ø

hubcio commented May 14, 2026

please fix PR title

/author

github-actions bot removed the S-waiting-on-review (PR is waiting on a reviewer) label, May 14, 2026

@hubcio hubcio left a comment

this pr markets supply-chain hardening but ships three defects that all point the same way - the protections are holed or unenforced, while the unrequested dependency addition is fully wired in:

  1. urllib3 = false punches a hole in the cooldown for a top-tier supply-chain target, with zero justification (pyproject.toml).
  2. uv audit - the check #3246 actually asked for - is added as a pre-commit hook only, and iggy ci does not run pre-commit, so it never gates prs.
  3. pyrefly (not requested in #3246) is wired into the ci lint task; the audit is not.

remove the urllib3 exemption, move uv audit into _common.yml if it's meant to gate prs, and verify the pyrefly 1.0.0 wheel hashes in uv.lock against pypi.

lastly, fix the PR title

/author


[tool.uv]
exclude-newer = "7 days"
exclude-newer-package = { urllib3 = false, pyrefly = false }
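Review bot: both entries in exclude-newer-package opt a package out of the cooldown with no expiry and no reason recorded in the file, so the exemption will outlive the condition that motivated it. If the pyrefly entry has to stay until the 1.0.0 upload of 2026-05-12 ages past the 7-day window, put the reason and the removal condition in a TOML comment directly above the line, for example "# pyrefly 1.0.0 uploaded 2026-05-12; remove once older than exclude-newer"; the urllib3 entry has no reason at all and should simply be dropped.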

exclude-newer-package = { urllib3 = false, pyrefly = false } opts these two packages out of the 7-day cooldown. pyrefly has a reason - 1.0.0 was uploaded 2026-05-12, two days before this pr, so the cooldown would block the version being added. urllib3 has none - it isn't otherwise touched by this pr, and it's one of the highest-value supply-chain targets in the python ecosystem. exempting it from the freshness window, in a pr whose stated purpose is supply-chain hardening, defeats the protection for exactly the package an attacker would most want to push a fresh malicious release of. drop the urllib3 entry. same exemption is mirrored in foreign/python/uv.lock under [options.exclude-newer-package].

Comment thread .pre-commit-config.yaml
files: ^(foreign|bdd|examples)/python/(pyproject\.toml|uv\.lock)$
pass_filenames: false

- id: uv-audit
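Review bot: the files pattern ^(foreign|bdd|examples)/python/(pyproject\.toml|uv\.lock)$ means uv-audit only fires in a commit that changes a manifest or lock, so an advisory published after a lock has been committed is never surfaced by this hook. Pair it with a scheduled CI run of uv audit over the same three directories, independent of what a PR touches, so the pins already in the tree get rechecked as new advisories land.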

uv-audit is added as a pre-commit hook only. iggy ci does not run pre-commit - .github/workflows/_common.yml mirrors every gating hook as an explicit job. without a matching job in _common.yml, uv audit never runs on prs. it only fires on a contributor machine that has pre-commit installed and touches a matching pyproject.toml/uv.lock. that's the opposite of the threat model in #3246 - a malicious or careless dependency bump arriving in a pr stays unguarded. if the audit is meant to gate prs, add it as a job in _common.yml.

echo "mypy version: $(uv run mypy --version)"

echo "Running pyrefly on SDK..."
uv run pyrefly check
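Review bot: the mypy version is echoed before mypy runs, but the pyrefly step records nothing about which pyrefly ran, so a CI log cannot show whether a change in diagnostics came from the code or from a new 1.x release. Mirror the mypy line with echo "pyrefly version: $(uv run pyrefly --version)" (assuming pyrefly exposes the usual --version flag) before uv run pyrefly check.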

pyrefly gets wired into ci here, but uv audit - the actual ask in #3246 - gets no ci entry anywhere. so the unrequested scope-creep check is enforced on prs while the security check it was paired with is not. either both belong in ci, or split this pr: the cooldown is what the issue asked for, pyrefly + audit tooling is separate scope and separate review.

hubcio commented May 14, 2026

/author

github-actions bot added the S-waiting-on-author (PR is waiting on author response) label, May 14, 2026
raushanprabhakar1 changed the title from "harden uv resolution, add audit + Pyrefly in CI/pre-commit" to "feat(python): uv cooldown, CI uv audit, and Pyrefly for the SDK", May 16, 2026

hubcio commented May 20, 2026

closing due to inactivity; open new PR once all comments are addressed.

@hubcio hubcio closed this May 20, 2026
github-actions bot removed the S-waiting-on-author (PR is waiting on author response) label, May 20, 2026

Development

Successfully merging this pull request may close these issues.

[python sdk] implement protections against python supply chain attacks with uv