Security: upgrade urllib3 to patched version

## Problem
`urllib3` 2.6.2 has a known vulnerability; fixed in 2.6.3.

## Evidence
- `arch_report/pip_audit.txt:1`

## Plan
1. Bump `urllib3` to >= 2.6.3 in dependencies.
2. Re-run `pip-audit`.

## Validation
- `uv run pip-audit`
