Add hash-pinned dependency lockfile (pip-compile or uv lock)

[aallan]

The pyproject.toml uses version ranges (>=7.0, >=4.0) which is standard, but a lockfile that pins exact versions with hashes prevents dependency confusion and typosquatting attacks on the supply chain.

Options:

• pip-tools (pip-compile): generates requirements.txt with hashes
• uv lock: generates uv.lock in TOML format

Either approach ensures reproducible installs and makes supply chain attacks detectable. The lockfile should be checked in and kept updated via Dependabot or a CI step.

[aallan]

Note: zizmor (#385) also flags unpinned-uses as 18 high-severity findings — every action pinned to a semver tag (@v6, @v5) rather than a SHA hash. Fixing those and maintaining the hash pins is exactly what a lockfile/pinning workflow would provide. The two issues are complementary: this one (#390) handles Python dependency pinning; the zizmor unpinned-uses findings are the GitHub Actions equivalent. Whichever tool is chosen here (pip-compile or uv lock), it would be worth doing the actions pinning at the same time to close both gaps together.

[aallan]

The uv.lock file has been checked in since the project started using uv. This PR completes the issue by:

1. Adding a uv lock --check step to the lint CI job (verifies the lockfile stays consistent with pyproject.toml on every PR)
2. Documenting in CONTRIBUTING.md that uv sync is the recommended install method for reproducible environments with hash-pinned dependencies

Closing as completed.