chore(types): enable warn_return_any and cast all no-any-return sites

Turn on mypy warn_return_any (pyproject) and resolve the 84 resulting
[no-any-return] errors across 43 files with typing.cast() at the return
sites — runtime no-ops that make the declared return type explicit where a
dependency (SQLAlchemy scalar/first/one, httpx .json(), subprocess, docker
SDK) hands back Any. No behavior change: no DTO/table field types altered, no
validation/coercion calls added, every cast reflects the true runtime type.

Locks in return-type strictness so the class of bug where a function silently
widens to Any can't regress. mypy decnet/ clean; adversarially verified
behavior-preserving (84 casts 1:1 with prior returns).

Bump tornado 6.5.5 -> 6.5.7 (CVE-2026-49854, transitive via snakeviz).

decnet/rpki/ripestat/validator.py

@@ -17,7 +17,7 @@ import logging
 import sqlite3
 import urllib.request
 from datetime import datetime, timezone
-from typing import Optional
+from typing import Any, Optional, cast
 
 from decnet.rpki import cache as _cache
 from decnet.rpki.base import RpkiResult, RpkiStatus, Validator
@@ -68,13 +68,13 @@ class RipeStatValidator(Validator):
         )
         raw = data.get("data", {}).get("status", "unknown")
         if raw in ("valid", "invalid", "not-found"):
-            return raw
+            return cast(RpkiStatus, raw)
         return "unknown"
 
-    def _fetch(self, url: str) -> dict:
+    def _fetch(self, url: str) -> dict[Any, Any]:
         req = urllib.request.Request(url, headers={"User-Agent": _UA})
         with urllib.request.urlopen(req, timeout=_TIMEOUT_S) as resp:  # nosec B310 — HTTPS RIPE STAT base URL only; IP/ASN components are validated upstream
-            return json.loads(resp.read())
+            return cast(dict[Any, Any], json.loads(resp.read()))
 
     def _store(
         self, ip: str, asn: int, status: str, prefix: Optional[str]