Add security scanning to CI (npm audit + Dependabot)

## Acceptance criteria
- [ ] npm audit --audit-level=high (or OSV) in GitHub Actions
- [ ] Dependabot config for npm + GitHub Actions
- [ ] Document policy for failing builds on critical CVEs
## Labels