chore(deps): consolidate 9 dependabot bumps into one PR

[SoundMindsAI]

Why

Nine open chore(deps): dependabot PRs (#495–502, #516), each triggering its own full CI run. Consolidating them into a single branch runs CI once instead of nine times. The five npm PRs all touch ui/package.json + ui/pnpm-lock.yaml, so they would have conflicted/rebased against each other anyway.

What's bumped

Python (uv.lock) — uv lock --upgrade-package pyjwt

• pyjwt 2.12.1 → 2.13.0 (chore(deps): bump pyjwt from 2.12.1 to 2.13.0 in the uv group across 1 directory #516)

npm (ui/package.json + pnpm-lock.yaml) — constraints set to dependabot's targets; pnpm install resolved latest-compatible patches (newer than the targets, which supersedes those PRs):

• next ^16.2.6 → ^16.2.7 (resolved 16.2.9) (chore(deps): bump next from 16.2.6 to 16.2.7 in /ui #501)
• @tanstack/react-query ~5.100.14 → ~5.101.0 (+ -devtools bumped in lockstep) (chore(deps): bump @tanstack/react-query from 5.100.14 to 5.101.0 in /ui #498)
• @radix-ui/react-select ~2.2.6 → ~2.3.0 (resolved 2.3.1) (chore(deps): bump @radix-ui/react-select from 2.2.6 to 2.3.0 in /ui #500)
• @radix-ui/react-tooltip ~1.2.8 → ~1.2.9 (resolved 1.2.10) (chore(deps): bump @radix-ui/react-tooltip from 1.2.8 to 1.2.9 in /ui #502)
• @radix-ui/react-popover ~1.1.15 → ~1.1.16 (resolved 1.1.17) (chore(deps): bump @radix-ui/react-popover from 1.1.15 to 1.1.16 in /ui #499)

GitHub Actions (SHA-pinned)

• astral-sh/setup-uv v7 → v8.2.0 (chore(deps): bump astral-sh/setup-uv from 7.6.0 to 8.2.0 #497)
• ossf/scorecard-action v2.4.0 → v2.4.3 (chore(deps): bump ossf/scorecard-action from 2.4.0 to 2.4.3 #496)
• github/codeql-action v4 SHA bump (chore(deps): bump github/codeql-action from 4.36.1 to 4.36.2 #495)

Verification (local, run together)

• pnpm typecheck ✅
• pnpm test ✅ 1297 tests / 174 files
• pnpm build ✅ (Next.js production build)
• pnpm lint ✅ 0 errors
• uv lock ✅ relocked clean

Supersedes

Closes the following dependabot PRs (will be closed once this merges): #495, #496, #497, #498, #499, #500, #501, #502, #516

🤖 Generated with Claude Code

[gemini-code-assist]

Code Review

This pull request updates several frontend dependencies in ui/package.json and their corresponding lockfile entries in ui/pnpm-lock.yaml, including upgrades to Radix UI components, TanStack React Query, and Next.js. Additionally, the Python dependency pyjwt is upgraded in uv.lock. I have no feedback to provide as there are no review comments or issues identified in these dependency updates.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.