security: add npm audit ci step and dependabot config#166

Open
SudiptaPaul-31 wants to merge 2 commits into
Agentpay-Org:mainfrom
SudiptaPaul-31:fix-npm-audit
Conversation

@SudiptaPaul-31

Summary

Hardens the supply chain for agentpay-backend by adding an automated vulnerability audit gate to CI and enabling Dependabot for continuous dependency patching.

closes #157

Changes

.github/workflows/ci.yml

  • Added npm audit --audit-level=high step immediately after npm ci
  • Added a comment pinning the Node.js version rationale (20.x LTS satisfies engines >= 18.18)
  • High or critical severity advisories now fail the build on every push and PR

.github/dependabot.yml (new file)

  • Monitors npm ecosystem weekly (Mondays 06:00 UTC)
    • Minor + patch bumps grouped into a single PR to reduce noise
    • Major version bumps get individual PRs for explicit review
    • Open PR cap: 10
  • Monitors github-actions ecosystem on the same schedule
    • All action updates grouped into one PR
    • Open PR cap: 5
  • PRs labelled dependencies + security (npm) or ci (actions)

README.md

  • Replaced the old CI bullet list with a table including the new audit step
  • Added a Security / dependency update policy section documenting:
    • Audit threshold and what triggers a build failure
    • Triage process for advisories with no upstream fix
    • Dependabot schedule, grouping, and labelling behaviour

Why

package.json depends on Express 4 and a TS/ESLint toolchain with no automated vulnerability monitoring. A known CVE in any direct or transitive dependency could sit unpatched indefinitely — a significant supply-chain risk for a billing gateway. This PR closes that gap.

What was tested

  • npm audit — no high or critical advisories in the current dependency tree
  • npm run lint — passes
  • npm run build — passes
  • npm test — passes
  • Dependabot config validated against the GitHub Dependabot schema
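
A `.github/dependabot.yml` that implements the schedule, grouping and labelling behaviour listed above, added here as an illustration; it is not the file from this PR, and the `directory: "/"` value assumes the backend's `package.json` sits at the repository root.

```yaml
# Example Dependabot config (illustrative, not the PR's own file).
# Assumes package.json lives at the repo root; adjust `directory` for a monorepo.
version: 2
updates:
  # npm: weekly on Monday at 06:00 UTC
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 10
    labels:
      - "dependencies"
      - "security"
    groups:
      # Minor and patch bumps land in one PR; anything not matched by a
      # group (i.e. major bumps) still gets its own PR for explicit review.
      minor-and-patch:
        applies-to: version-updates
        update-types:
          - "minor"
          - "patch"

  # GitHub Actions: same schedule, every action update in a single PR
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
      time: "06:00"
      timezone: "Etc/UTC"
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
      - "ci"
    groups:
      actions:
        patterns:
          - "*"
```

Security-advisory PRs are exempt from the `open-pull-requests-limit`, so a full cap on version-update PRs does not block a fix for a published advisory.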

Development

Successfully merging this pull request may close these issues.

Add npm audit and a Dependabot config to keep dependencies patched

1 participant