chore(deps): bump minimum versions, add pip-audit, remove Sphinx from dev extras

[jajreidy]

What
Refreshes runtime and dev dependency floors in pyproject.toml and setup.py, raises build-system setuptools / setuptools-scm requirements, and drops Sphinx / sphinx-rtd-theme from optional dev (docs build is no longer in-tree). Adds pip-audit to dev, a make audit target that uses a throwaway .audit-venv and pip-audit -l (so only this project’s dev env is scanned, not the whole user site-packages), and a pip-audit -l step in security-scan.yml. Ignores CVE-2026-4539 / GHSA-5239-wwwm-4pmq until a Pygments release >2.19.2 is on PyPI; then pin pygments>=… under dev and remove those ignores. Documents the same in CHANGELOG.md under Security and Changed; ignores .audit-venv/ in .gitignore.

Why
Keeps installs closer to current stacks, trims unused docs deps, and gives a repeatable local + CI check for dependency advisories without false positives from unrelated global packages.

How to test

make install-dev
make lint && pre-commit run --all-files && make test && git fetch origin && make test-diff-coverage
make audit

Notes for reviewers
Merge gate still expects 100% diff coverage on the PR diff. Pygments advisory is ignored on purpose with an explicit follow-up once a fixed wheel exists; review that trade-off if policy requires zero ignores.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.01%. Comparing base (0e424ea) to head (1f74717).
⚠️ Report is 112 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #92      +/-   ##
==========================================
+ Coverage   95.53%   97.01%   +1.47%     
==========================================
  Files          70       74       +4     
  Lines        3946     5356    +1410     
==========================================
+ Hits         3770     5196    +1426     
+ Misses        176      160      -16     

Flag	Coverage Δ
unit-tests	97.01% <ø> (?)
unittests	?

Flags with carried forward coverage won't be shown. Click here to find out more.
see 2 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.