docs(constraints): polish constraints.txt header with regeneration instructions #73

Merged: CGFixIT merged 1 commit into main from pr-70-branch on Jun 20, 2026

@CGFixIT CGFixIT commented Jun 20, 2026

Owner

Summary

Rebased onto current main (da4cbd4). The pip-audit.yml hardening this branch originally proposed (verify-install matrix job, needs: dependency, tightened CVE comment) already landed on main via PR #72/#71 — and main's version is strictly better (SHA-pinned actions, ubuntu-latest + windows-latest matrix, pip>=26.1.2 CVE upgrade, hermetic prep). Those changes were therefore dropped during conflict resolution to avoid regressing main.

What remains in this PR (the one genuinely additive, non-conflicting change):

  • constraints.txt — polished header with exact regeneration command (uv pip compile -r requirements.txt --generate-hashes -o constraints.txt), documents the stable chromadb==1.5.6 pin and references tests/VERIFICATION_REPORT_3.12.md, and removes lingering "hotfix dev" language. No dependency pins changed.

Why the original pip-audit.yml diff was dropped

  • Main already has the verify-install gate (PR Chore/ci matrix hardening v2 #72) with SHA-pinned actions — the exact SHA-pinning fix that was requested for this work.
  • Re-applying this branch's older version would have downgraded actions to unpinned @v4/@v5 tags, dropped windows-latest, and introduced duplicate push:/pull_request: YAML keys. Not worth it.

Net diff: constraints.txt only — 13 insertions, 3 deletions (comment header). No runtime, topology, or invariant changes.

Supersedes #70 (closed as duplicate).

@CGFixIT CGFixIT changed the title from "chore(ci): harden pip-audit workflow + clean constraints" to "docs(constraints): polish constraints.txt header with regeneration instructions" Jun 20, 2026
@CGFixIT CGFixIT merged commit 6ab6293 into main Jun 20, 2026
30 checks passed
@CGFixIT CGFixIT deleted the pr-70-branch branch June 20, 2026 06:53
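
The two regressions the description says were avoided, unpinned `@v4`/`@v5` action tags and duplicate `push:`/`pull_request:` keys, can be checked for mechanically. The following is an added example, not code from this PR or repository: a line-based check for block-style workflow YAML, in which the sample workflow, the placeholder SHA and the function names `unpinned_actions` and `duplicate_keys` are constructed for illustration.

```python
import re

# Constructed sample (not the project's pip-audit.yml); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
on:
  push:
  pull_request:
  push:
jobs:
  audit:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
ITEM_RE = re.compile(r"^(\s*)-\s")
KEY_RE = re.compile(r"^(\s*)([A-Za-z_][\w-]*):")

def unpinned_actions(text):
    """Return (line_no, ref) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a `uses:` line, or a local action / container image
        if not re.fullmatch(r"[0-9a-f]{40}", m.group(1).partition("@")[2]):
            findings.append((no, m.group(1)))
    return findings

def duplicate_keys(text):
    """Return (line_no, key) for block-style keys repeated inside one mapping."""
    findings, stack = [], []  # stack of (indent, keys seen), indent increasing
    for no, line in enumerate(text.splitlines(), 1):
        item = ITEM_RE.match(line)
        if item:  # "- " opens a new mapping: drop keys seen in the previous item
            stack = [s for s in stack if s[0] <= len(item.group(1))]
            line = line.replace("-", " ", 1)  # keep the key's real column
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        stack = [s for s in stack if s[0] <= indent]  # close deeper mappings
        if not stack or stack[-1][0] < indent:
            stack.append((indent, set()))
        if key in stack[-1][1]:
            findings.append((no, key))
        stack[-1][1].add(key)
    return findings
```

Because the check works on lines rather than a parsed document, it does not understand flow-style mappings or the contents of multi-line `run: |` scripts.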