fix: cap transformers<5 pending stable release; remove diskcache dep

- transformers: pinned to >=4.21.0,<5 in [ml] and [all] extras to block
  accidental installation of 5.0.0rc3 (CVE-2026-1839 fix is a pre-release).
  Comment added noting cap should be removed once 5.0.0 stable ships.
- pyproject.toml no longer declares diskcache; it was silently orphaned after
  the cache layer was rewritten to cachetools.TTLCache (eliminating the
  CVE-2025-69872 attack surface). Stale 0.1.0a1 dist-info entries from the
  unused GuardianSDK repo have been removed from the venv.
- All other pip-audit findings remediated: filelock 3.20.3, protobuf 6.33.5,
  pygments 2.20.0, pytest 9.0.3, python-dotenv 1.2.2, python-multipart 0.0.26,
  requests 2.33.0, urllib3 2.6.3, onnx 1.21.0, setuptools 78.1.1, pip 26.0.
- Remaining open: pip/CVE-2026-3219 (no upstream fix yet).
- 1043 tests pass.

Author: Oracles Technologies LLC

pyproject.toml

@@ -132,7 +132,9 @@ browser = [
 # Without these packages the engine runs its built-in heuristic fallback,
 # which is still effective but less accurate than a fine-tuned classifier.
 ml = [
-    "transformers>=4.21.0",
+    # <5 upper-bound: CVE-2026-1839 fix is 5.0.0rc3 (pre-release).
+    # Revisit and remove this cap once transformers 5.0.0 stable ships.
+    "transformers>=4.21.0,<5",
     "torch>=1.12.0",
 ]
 
@@ -142,7 +144,7 @@ all = [
     "openai>=1.0.0",
     "anthropic>=0.8.0",
     "google-generativeai>=0.3.0",
-    "transformers>=4.21.0",
+    "transformers>=4.21.0,<5",  # see ml extra comment above
     "torch>=1.12.0",
     "langdetect>=1.0.9",
     "Pillow>=9.0.0",