Pin cryptography<49 in builders host_dependencies.txt

[Kyle-Neale]

What does this PR do?

Adds cryptography<49 to .builders/deps/host_dependencies.txt so the Install management dependencies step in the macos-x86_64 leg of resolve-build-deps continues to install a cryptography release that ships an x86_64 macOS wheel.

Motivation

On 2026-06-12 20:01 UTC, cryptography 49.0.0 was released and dropped its macosx_10_9_universal2 wheel, now shipping only macosx_11_0_arm64.whl for macOS:

cryptography 48.0.1 macOS wheels: macosx_10_9_universal2 ✓ (works on x86_64 + arm64)
cryptography 49.0.0 macOS wheels: macosx_11_0_arm64 only ✗ (no x86_64 wheel)

host_dependencies.txt lists google-cloud-storage==2.14.0, which transitively requires cryptography>=38.0.3 (unpinned). Pip resolves to the latest = 49.0.0. The macos-x86_64 matrix runs on macos-14-large (Intel), can't match the arm64-only wheel, and falls back to building cryptography from sdist. The workflow's brew remove --force --ignore-dependencies $(brew list --formula) step then trips the Rust openssl-sys build:

error: failed to run custom build command for `openssl-sys v0.9.117`
Could not find directory of OpenSSL installation

This affects every PR that triggers the macos-x86_64 build matrix, including the bot's Update dependencies PR (#24041) and any PR that bumps direct deps so the gate's content-hash mismatches.

Review checklist (to be filled by reviewers)

• Feature or bugfix MUST have appropriate tests (unit, integration, e2e) — CI on this PR exercises the fix
• PR title must be written as a CHANGELOG entry (see why)
• Files changes must correspond to the primary purpose of the PR as described in the title (small unrelated changes should have their own PR)
• PR must have changelog/ label attached
• If the PR doesn't need to be tested during QA, please add a qa/skip-qa label.

[dd-octo-sts]

Validation Report

All 21 validations passed.

Show details

Validation	Description	Status
agent-reqs	Verify check versions match the Agent requirements file	✅
ci	Validate CI configuration and code coverage settings	✅
codeowners	Validate every integration has a CODEOWNERS entry	✅
config	Validate default configuration files against spec.yaml	✅
dep	Verify dependency pins are consistent and Agent-compatible	✅
http	Validate integrations use the HTTP wrapper correctly	✅
imports	Validate check imports do not use deprecated modules	✅
integration-style	Validate check code style conventions	✅
jmx-metrics	Validate JMX metrics definition files and config	✅
labeler	Validate PR labeler config matches integration directories	✅
legacy-signature	Validate no integration uses the legacy Agent check signature	✅
license-headers	Validate Python files have proper license headers	✅
licenses	Validate third-party license attribution list	✅
metadata	Validate metadata.csv metric definitions	✅
models	Validate configuration data models match spec.yaml	✅
openmetrics	Validate OpenMetrics integrations disable the metric limit	✅
package	Validate Python package metadata and naming	✅
qa-label	Validate the pull request declares whether it needs QA for the next Agent release	✅
readmes	Validate README files have required sections	✅
saved-views	Validate saved view JSON file structure and fields	✅
version	Validate version consistency between package and changelog	✅

View full run