fix(v2.9.6): SDK 0.1.81, urllib3/python-multipart sec fixes, dynamic models from upstream, SDK-drift auto-PR

[ttlequals0]

Summary

Single bundled v2.9.6 release addressing four concerns:

1. claude-agent-sdk bump 0.1.68 -> 0.1.81 (13 patch releases since v2.9.5).
2. Dependabot HIGH alerts closed:
   • python-multipart ^0.0.26 -> ^0.0.27 (GHSA-pp6c-gr5w-3c5g, DoS via unbounded multipart part headers) — supersedes chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in the pip group across 1 directory #16, which carried Dependabot's Poetry 2.2.1 lockfile noise.
   • urllib3 floor >=2.6.3 -> >=2.7.0 (GHSA-qccp-gfcp-xxvc + GHSA-mf9v-mfxr-j63j).
3. Sync upstream RichardAtCT/claude-code-openai-wrapper#46 — dynamic Anthropic Models API integration for /v1/models. New env vars: FAST_MODEL, CLAUDE_MODELS_OVERRIDE, MODEL_LIST_CACHE_TTL_SECONDS, MODEL_LIST_ERROR_TTL_SECONDS, MODEL_LIST_REQUEST_TIMEOUT_SECONDS, ANTHROPIC_MODELS_URL, ANTHROPIC_VERSION. When ANTHROPIC_API_KEY is set, /v1/models returns the live Anthropic catalog (cached 1h) and the wrapper resolves the latest Sonnet as DEFAULT_MODEL at startup. Concurrent refreshes serialized via async lock + double-check; failures use a short TTL so transient outages don't suppress live discovery for the full hour. Note: our existing model_service (driving /v1/models/refresh and /v1/models/status) is left in place alongside the new in-line cache — consolidation is a follow-up.
4. check-sdk-version.yml reworked: on drift, opens a draft chore/sdk-bump-<latest> PR with the pin bump and regenerated poetry.lock instead of only writing to the run summary. Permissions widened to contents: write + pull-requests: write. Idempotent by head branch (won't re-open if a matching open PR already exists). The ::warning:: annotation and $GITHUB_STEP_SUMMARY fallback still fire so drift remains visible if PR creation can't run.

Commits

• dd9f0c7 cherry-pick of upstream PR feat: dynamically refresh Anthropic model list RichardAtCT/claude-code-openai-wrapper#46 (conflict resolutions preserved our Opus 4.7 entries and pricing/fallback maps in constants.py; kept HEAD's compact README sections and merged in upstream's live-discovery intro + new env-var table rows).
• 4da2b8b the v2.9.6 dep bumps, version bump, CHANGELOG entry, and workflow rewrite.

Verification

• .venv/bin/poetry lock --no-interaction regenerated against Poetry 2.3.4 (matches v2.9.5 lock header; no cosmetic drift like chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in the pip group across 1 directory #16 had).
• New installed versions verified:
  • claude_agent_sdk.__version__ == 0.1.81
  • urllib3.__version__ == 2.7.0
  • multipart.__version__ == 0.0.27
• Full test suite: 664 passed, 31 skipped (+14 from upstream's new tests/test_dynamic_models.py).
• Workflow YAML validated locally.

Known limitations

• The reworked workflow opens PRs with the default GITHUB_TOKEN, which does not trigger downstream pull_request workflow runs by GitHub design. The auto-PR body documents this: reviewers push an empty commit to fire the test matrix. Not worth introducing a PAT secret for a weekly-cron workflow.

Follow-ups (not in this PR)

• Close Dependabot PR chore(deps): bump python-multipart from 0.0.26 to 0.0.27 in the pip group across 1 directory #16 as superseded.
• Consolidate model_service and the new in-line get_available_models() cache.
• Cut the v2.9.6 GitHub Release and run the existing /build-and-push flow from main.

Test plan

• Local: lockfile regenerated cleanly with Poetry 2.3.4
• Local: all 664 tests pass
• Local: workflow YAML parses
• CI test matrix (3.10/3.11/3.12) passes on this PR
• After merge: Dependabot alerts feat(2.8.0): stop error_max_turns from leaking interrupt sentinel as response content #8, fix(2.9.1): close CodeQL alerts for stack-trace exposure and ReDoS #9, chore(deps): bump the pip group across 1 directory with 6 updates #10 auto-resolve
• After merge: manually dispatch check-sdk-version.yml to confirm the up-to-date path still works (no PR created when pin matches latest)