fix(env): revert Docker base to python:3.12 + sync stale 260->263 in CI

.github/workflows/ci.yml

@@ -1,7 +1,7 @@
 name: CI + Deploy to HuggingFace Space
 
 # GitHub = single source of truth. HF Space = deployed runtime mirror.
-# On every push to main: run privacy audit + 260-test suite, then (only
+# On every push to main: run privacy audit + 263-test suite, then (only
 # if both green) force-push the tree to the HF Space.
 #
 # Constraints enforced here:
@@ -52,27 +52,27 @@
           echo "✓ No private artefacts tracked. Safe to build."
 
   test:
-    name: Unit tests (260 hermetic tests)
+    name: Unit tests (263 hermetic tests)
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v6
 
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@v6
         with:
           python-version: ${{ env.PYTHON_VERSION }}
           cache: pip
 
       - name: Install pinned runtime + test deps
         run: |
           python -m pip install --upgrade pip
           pip install -r requirements.txt
 
       - name: Run pytest
         run: python -m pytest tests/ -v --tb=short
 
   deploy-hf:
     name: Deploy to HuggingFace Space
     runs-on: ubuntu-latest
     needs: [privacy-audit, test]

Dockerfile

@@ -17,7 +17,7 @@
 # - No mutation of /app at container start.
 # - Provider selection is surfaced in the UI; no hidden switching.
 
-FROM python:3.14-slim-bookworm
+FROM python:3.12-slim-bookworm
 
 # HF Spaces require uid 1000 to own /home/user/app. Create the user first.
 RUN useradd -m -u 1000 user