fix: bump idna + starlette to patched versions, 0.2.11 (#103)

pip-audit on develop is flagging two transitive-dep CVEs:

- idna 3.13            CVE-2026-45409   (fix in 3.15+)
- starlette 1.0.0      PYSEC-2026-161   (fix in 1.0.1+)

Both are surfaced via fastapi/httpx. Bumps via:

    uv lock --upgrade-package idna --upgrade-package starlette

Resolves to idna 3.16 (3.15 was the listed fix; 3.16 is a further
patch with the same fix) and starlette 1.1.0 (minor bump; FastAPI is
compatible with it). All 192 unit tests pass on the upgraded lock.

Bumps the project self-version 0.2.10 -> 0.2.11 per
docs/DEVELOPMENT.md.

Unblocks the pip-audit CI gate on #99, #100, #101, #102 (and any
other PRs currently sitting on develop), all of which inherit the
flagged transitive CVEs from develop and cannot pass that gate until
this lands.

Author: constk

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "harness-python-react"
-version = "0.2.10"
+version = "0.2.11"
 description = "Production-quality LLM-driven coding harness — Python (FastAPI) backend, Vite + React + TypeScript frontend."
 readme = "README.md"
 requires-python = ">=3.14"