chore(deps): bump worker_plan deps to patch security alerts

[neoneye]

Resolves 25 open Dependabot security alerts in worker_plan/pyproject.toml by bumping to the first stable patched release of each package.

Package	From	To	Alerts
aiohttp	3.13.5	3.14.1	#152, #153, #156–#164
tornado	6.5.4	6.5.7	#113, #114, #136, #155, #165, #166, #171
python-multipart	0.0.22	0.0.32	#142, #149, #167–#170
urllib3	2.6.3	2.7.0	#150, #151
marshmallow	3.24.2	3.26.2	#81

Notes:

• marshmallow stays on the 3.x line (3.26.2 is the first patched release); 4.x is a breaking major and the llama-index / dataclasses-json stack expects <4.
• transformers alert Add logging and robustness to admin UserAccount lazy creation #137 is intentionally NOT included here: the only patched line is 5.x (a major bump from 4.57.3), and the vulnerable Trainer class is never imported by PlanExe (transformers is a transitive dep). Handled/discussed separately.
• starlette alerts Proposal 84: DriftEvaluationTask — pseudocode design #172/Fix report fallback chain broken by broad try/except #173 were already resolved by the earlier 1.3.1 bump (PR chore(deps): bump starlette from 1.2.1 to 1.3.1 in /worker_plan #806).

🤖 Generated with Claude Code