chore(deps): bump dev and runtime dependencies (#86)

* chore(deps): bump dev and runtime dependencies

Consolidates the open dependabot lockfile bumps and pulls in additional
available updates in one pass. Held back parallel-web (saved for a
separate PR) and pandas (still on 2.x; 3.0 is a major release with
breaking changes for our integrations).

Notable bumps:
- pytest 9.0.2 -> 9.0.3
- requests 2.32.5 -> 2.33.1
- cryptography 46.0.3 -> 47.0.0
- pyopenssl 25.3.0 -> 26.1.0
- pyasn1 0.6.2 -> 0.6.3
- pygments 2.19.2 -> 2.20.0
- python-dotenv 1.2.1 -> 1.2.2
- tornado 6.5.4 -> 6.5.5
- ruff 0.14.14 -> 0.15.12
- ty 0.0.21 -> 0.0.33
- rich 14.2.0 -> 15.0.0
- pydantic 2.12.5 -> 2.13.3
- duckdb 1.4.3 -> 1.5.2
- polars 1.37.1 -> 1.40.1
- snowflake-connector-python 4.2.0 -> 4.4.0
- sqlalchemy 2.0.45 -> 2.0.49
- google-cloud-bigquery 3.40.0 -> 3.41.0

Type fix in cli/commands.py for new ty 0.0.33 narrowing of
json.loads-derived dict values.

* chore(deps): tighten pyproject.toml floors to tested versions

Bumps the lower bounds on direct deps so the manifest reflects what
we actually test against, instead of being a much looser floor than
reality.

Runtime:
- python-dotenv >=1.0.0 -> >=1.2.0
- click >=8.1.0 -> >=8.3.0
- rich >=13.0.0 -> >=15.0.0

Extras:
- polars >=1.37.0 -> >=1.40.0
- pyarrow >=18.0.0 -> >=24.0.0
- duckdb >=1.0.0 -> >=1.5.0
- snowflake-connector-python >=3.0.0 -> >=4.4.0
- sqlalchemy >=2.0.0 -> >=2.0.49

Dev:
- pytest >=8.0.0 -> >=9.0.0
- pytest-cov >=4.0.0 -> >=7.0.0
- pyinstaller >=6.0.0 -> >=6.20.0
- pre-commit >=4.0.0 -> >=4.6.0
- ruff >=0.14.0 -> >=0.15.0
- ty >=0.0.21 -> >=0.0.33
- ipykernel >=7.1.0 -> >=7.2.0

parallel-web and pandas held back per the previous commit.

* chore(deps): walk back runtime/extras floor bumps

Keep dev-tooling floors tightened (we have a real reason: ty 0.0.33 is
required to catch the type narrowing fixed in this PR), but revert the
runtime + extras floors to their previous values.

We don't actually use new APIs from rich 15, click 8.3, polars 1.40,
pyarrow 24, duckdb 1.5, snowflake-connector-python 4.x, etc. Tighter
floors there would force downstream users to upgrade with no real
benefit, and the snowflake 3 -> 4 jump in particular would break
people still on 3.x.

Reverted floors:
- python-dotenv >=1.0.0
- click >=8.1.0
- rich >=13.0.0
- polars >=1.37.0
- pyarrow >=18.0.0
- duckdb >=1.0.0
- snowflake-connector-python >=3.0.0
- sqlalchemy >=2.0.0

Kept tightened (dev only): pytest, pytest-cov, pyinstaller, pre-commit,
ruff, ty, ipykernel.