
Update dependencies and modernize dependency management #50

Merged: onyxfish merged 14 commits into main from update_dependencies_835 on Mar 9, 2026


@onyxfish onyxfish commented Mar 6, 2026

What's in this PR?

This PR updates Python dependencies and lightly modernizes the build process to align better with zephir-contrib-web and Docker best practices. This should also address all open Dependabot alerts.

Dependency upgrades

  • Replaced pip/poetry with uv
  • Bumped Python to latest 3.13 series release
  • Bumped all dependencies to latest minor version (and in a few cases major version)
  • Remove compatibility-related CI jobs since we're explicitly pinning a single version in both uv and Docker.

Other changes

  • Added project description and bootstrap instructions to README.md
  • Simplified and modernized the Dockerfile (cleaner stages, run tests with CMD rather than RUN)
  • Added Docker Compose configuration to bootstrap MySQL locally for testing
  • Added a bootstrap_db.py script that creates tables and populates them with test data (extracted from the existing sqlite test database)
  • Bypassed one erroneous error that was failing Bandit
  • Exclude .venv from Vulture scans
  • Configured gunicorn to log to the terminal
  • Added smart defaults for common environment variables
  • Added env.template

How to test

  • Run through the non-Docker setup and testing instructions in the README
  • Run through the Docker Compose setup and testing instructions in the README
  • Confirm tests pass in both configurations

Related tickets


Copilot AI left a comment


Pull request overview

This PR updates the project’s Python dependency management (moving from Poetry to uv), bumps dependency versions for Python 3.13, and modernizes local/dev workflows (Docker, Compose, bootstrap tooling) to simplify setup and address dependency/security alerts.

Changes:

  • Migrates dependency management from Poetry to uv (pyproject.toml + uv.lock) and removes poetry.lock.
  • Updates container/build tooling (Dockerfile targets, GitHub Actions) to use uv for installs and test runs.
  • Adds local MySQL bootstrap workflow via Docker Compose plus a bootstrap_db.py seeding script and sample CSV.

Reviewed changes

Copilot reviewed 14 out of 17 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| pyproject.toml | Moves to PEP 621 project metadata and uv dependency groups. |
| uv.lock | New lockfile capturing resolved dependency set for Python 3.13. |
| Dockerfile | Reworks multi-stage build to install/run via uv (test + production targets). |
| docker-compose.yml | Adds local MySQL + bootstrap job and updates API service wiring. |
| bootstrap_db.py | New script to seed a DB from tests/sample_data.csv. |
| tests/sample_data.csv | Seed data used by bootstrap script. |
| gunicorn_config.py | Adds defaults + logs to stdout/stderr for container friendliness. |
| app/config.py | Sets LOG_LEVEL default and normalizes casing. |
| app/routes.py | Adds Bandit suppression annotation on Markup(...) return path. |
| README.md | Documents uv usage and new local + Docker workflows. |
| env.example | Example environment variable template. |
| .github/workflows/code-analysis.yml | Switches analysis workflow from Poetry to uv. |
| .github/workflows/compatability-matrix.yml | Switches compatibility workflow from Poetry to uv. |
| .dockerignore | Expands ignore list for uv/pytest/ruff caches and local data. |
| .gitignore | Adds .data/ ignore and removes Poetry-specific comments. |
| .python-version | Removes pinned local Python version file. |


This comment was marked as resolved.

@onyxfish onyxfish marked this pull request as ready for review March 6, 2026 18:00
@onyxfish onyxfish requested review from RvanB and cscollett March 6, 2026 18:01

@RvanB RvanB left a comment


This looks very good! Just not sure if we planned on using the compatibility matrix workflows or if they were an experiment that can be removed. I'll defer to @cscollett.


onyxfish commented Mar 6, 2026

Great, yeah, my read on them was they weren't relevant if we were pinning versions, but happy to restore them if they were serving another purpose!


@cscollett cscollett left a comment


👍

@onyxfish onyxfish merged commit 88dd1f6 into main Mar 9, 2026
4 checks passed
@onyxfish onyxfish deleted the update_dependencies_835 branch March 9, 2026 20:08