fix: update Pygments to resolve CVE-2026-4539

[dannyneira]

Summary

• Updates transitive dev dependency Pygments in uv.lock from 2.19.2 to 2.20.0 to resolve CVE-2026-4539 / GHSA-5239-wwwm-4pmq.
• Keeps the fix scoped to the lockfile; no generated SDK source was modified.
• Regenerating uv.lock also corrected the editable package metadata from oz-agent-sdk 0.4.0 to the project version declared in pyproject.toml, 0.13.0.

Vulnerability details

• Advisory: GHSA-5239-wwwm-4pmq
• CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-4539
• Dependabot alert: https://github.com/warpdotdev/oz-sdk-python/security/dependabot/1
• Package: Pygments
• Ecosystem/manifest: pip, uv.lock
• Relationship/scope: transitive runtime dependency in the lockfile, pulled through dev tooling (pytest/rich)
• Vulnerable range: < 2.20.0
• Patched version: 2.20.0

Verification

• uv tree --package pygments shows pygments v2.20.0.
• pip-audit --path .venv/lib/python3.9/site-packages --skip-editable reports Pygments 2.20.0 with no vulnerabilities. Existing findings are for aiohttp, idna, and pytest, which already have open PRs.
• ./scripts/lint
• ./scripts/test
• uv build

Conversation: https://staging.warp.dev/conversation/79ba85ba-09a8-4c6d-a123-722a0564c0b9
Run: https://oz.staging.warp.dev/runs/019e83e9-dd9f-779c-a21b-2eeabe0784ea
This PR was generated with Oz.

[liliwilson]

Closing — these fixes will be applied via the stlc/warp-server flow instead of direct SDK commits.