Update UK release bundle to data 1.53.0

[anth-volk]

Fixes #343

Summary

This PR updates the bundled UK release contract to a TRO-compatible release pair:

• policyengine-uk==2.88.6
• policyengine-uk-data==1.53.0

It records the certified enhanced_frs_2023_24 artifact SHA and data build fingerprint in the UK manifest, updates the package pins and lockfile, refreshes tests, and adds the generated bundled TRACE TRO sidecars.

It also fixes refresh_release_bundle so future refreshes use release_manifest.json from the target data release when available. That prevents stale certification metadata, including built_with_model_version, from being carried forward after data/model bumps.

Current release-version behavior

The generated manifest/TRO files in this PR still show the current checked-in policyengine.py version, 4.3.1. That is an inconsistency in the current .py release workflow, not the final published identity for this change: after this merges, the Versioning workflow runs Towncrier, bumps pyproject.toml, syncs policyengine_version and bundle_id in the bundled manifests, regenerates the TRO sidecars, and commits those release artifacts before the package is published.

The forthcoming policyengine-bundles system should avoid this inconsistency by making the bundle version/digest the canonical certified artifact first. A .py release would then point to an already-published bundle version/digest rather than generating provisional pre-release TROs that are later rewritten by .py versioning.

UK validation requested

@vahid-ahmadi please confirm whether this policyengine-uk==2.88.6 / policyengine-uk-data==1.53.0 combination is valid and should be user-facing as the bundled UK runtime pair.

Verification

• uv run --extra dev pytest tests/test_bundle_refresh.py
• uv run --extra dev pytest tests/test_release_manifests.py tests/test_trace_tro.py
• ruff format --check .
• ruff check .

Notes

This is a stopgap update for the current .py release path. It does not replace the broader cross-repository bundle/orchestrator plan.

[anth-volk]

@vahid-ahmadi requested your review here. The main thing to confirm is whether policyengine-uk==2.88.6 with policyengine-uk-data==1.53.0 is a valid UK runtime pair and should be user-facing as the bundled UK default.

[anth-volk]

Blocked on PolicyEngine/policyengine-uk#1666

[MaxGhenis]

Update after merging/releasing the UK Marriage Allowance fix: policyengine-uk==2.88.14 is now on PyPI and fixes the raw child Marriage Allowance scenario, but it is not enough to safely update this PR.\n\nI tested bumping this branch locally from 2.88.6 to 2.88.14. Import fails before the snapshot test with:\n\nValueError: Runtime data build fingerprint does not match the bundled data certification.\n\nThat is the certification guard doing the right thing. The new UK package reports data_build_fingerprint sha256:dff5c5bb976ce254fa965ecfce6a0d84859fe1629a714ae28a79b3075522a0ae, while this PR bundle currently certifies data 1.53.0 with sha256:535d2fd64f9e2b2aa9991e5a5d65be25bdd126f18858682533789f5c7e467782.\n\nSo the next safe step is data-side: publish/finalize a UK 1.53.0 release manifest that explicitly certifies compatibility with policyengine-uk==2.88.14, or regenerate the UK data release with 2.88.14. PR PolicyEngine/policyengine-uk-data#397 is now merged, so the manifest finalization path has the strict bundle fields needed for that. I did not push the local 2.88.14 bump because doing so would require weakening or falsifying the bundled certification.