feat(security): add Snyk scan, Dependabot, and compliance report (#275)#374

Open
Escelit wants to merge 1 commit into EDOHWARES:main from Escelit:feat/snyk-dependency-monitoring

Conversation

@Escelit Escelit commented Apr 29, 2026

Closes #275

What changed

.github/workflows/snyk.yml

  • Scans backend/ and root package.json on every push, PR, and daily at 02:00 UTC
  • Fails on high/critical findings; medium/low reported only
  • Uploads SARIF to GitHub Security tab (Code scanning alerts)
  • Stores snyk-report.json as a 90-day CI artifact per run

.github/dependabot.yml

  • Daily PRs for backend patch/minor updates (grouped to reduce noise)
  • Weekly PRs for root dependencies and GitHub Actions
  • Major version bumps skipped — require manual review

backend/src/utils/securityReport.js

  • Parses Snyk --json-file-output into a structured compliance report
  • Includes severity counts and a compliant flag (false if any high/critical exists)

backend/tests/securityReport.test.js

  • 11 unit tests covering classifySeverity, summarize, buildReport
  • All passing with Node's built-in test runner (no extra deps)

docs/security_compliance.md

  • One-step setup (add SNYK_TOKEN secret)
  • Severity policy table, report JSON schema, local usage instructions

Setup required

Add SNYK_TOKEN to repository secrets (Settings → Secrets → Actions).
Get the token from https://app.snyk.io → Account Settings → General.

…HWARES#275)

- .github/workflows/snyk.yml: scan backend + root on push/PR/daily cron,
  upload SARIF to GitHub Security tab, store JSON report as 90-day artifact
- .github/dependabot.yml: daily backend patch/minor updates (grouped),
  weekly root + Actions updates, skip major bumps
- backend/src/utils/securityReport.js: parse Snyk JSON into structured
  compliance report with severity counts and compliant flag
- backend/__tests__/securityReport.test.js: 11 unit tests (all passing)
- docs/security_compliance.md: setup guide, severity policy, report schema,
  local usage instructions
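As an added illustration of the report shape the PR description outlines (example code written here, not the PR's own `backend/src/utils/securityReport.js`): the three function names `classifySeverity`, `summarize` and `buildReport` come from the description, while the Snyk JSON field names (`vulnerabilities[]` with `id`, `severity`, `packageName`, `version`; top-level `projectName`, `dependencyCount`) and the sample input are assumptions. The policy mirrors the description: high/critical make `compliant` false, medium/low are reported only.

```javascript
// Added example, not the PR's securityReport.js. Builds a compliance report
// from a Snyk `--json-file-output` document. Field names below are assumed.

const FAILING = new Set(['high', 'critical']);
const KNOWN = ['low', 'medium', 'high', 'critical'];

// Normalise a Snyk severity string. Unrecognised values become 'unknown'
// instead of being dropped, so a malformed entry can never hide a finding.
function classifySeverity(severity) {
  const s = String(severity || '').trim().toLowerCase();
  return KNOWN.includes(s) ? s : 'unknown';
}

// Snyk lists the same issue id once per dependency path; dedup by id so a
// single vulnerability reached three ways counts once in the totals.
function uniqueById(vulnerabilities) {
  const seen = new Set();
  const out = [];
  for (const v of vulnerabilities || []) {
    if (!v || seen.has(v.id)) continue;
    seen.add(v.id);
    out.push(v);
  }
  return out;
}

// Count findings per severity bucket (after dedup).
function summarize(vulnerabilities) {
  const counts = { critical: 0, high: 0, medium: 0, low: 0, unknown: 0 };
  for (const v of uniqueById(vulnerabilities)) {
    counts[classifySeverity(v.severity)] += 1;
  }
  return counts;
}

// Turn one Snyk JSON document into the report. `compliant` is false when any
// high/critical finding exists; medium/low are informational only.
function buildReport(snykJson, scannedAt = new Date().toISOString()) {
  const vulns = uniqueById(snykJson && snykJson.vulnerabilities);
  const counts = summarize(vulns);
  const blocking = vulns
    .filter((v) => FAILING.has(classifySeverity(v.severity)))
    .map((v) => ({
      id: v.id,
      severity: classifySeverity(v.severity),
      package: `${v.packageName}@${v.version}`,
    }));
  return {
    project: (snykJson && snykJson.projectName) || 'unknown',
    scannedAt,
    totalDependencies:
      snykJson && typeof snykJson.dependencyCount === 'number' ? snykJson.dependencyCount : null,
    counts,
    blocking,
    compliant: counts.critical + counts.high === 0,
  };
}

// Constructed sample Snyk output: shape assumed, ids are placeholders.
const SAMPLE = {
  projectName: 'backend',
  dependencyCount: 3,
  vulnerabilities: [
    { id: 'SNYK-PLACEHOLDER-1', severity: 'high', packageName: 'pkg-a', version: '1.0.0' },
    // same issue reached through a second dependency path
    { id: 'SNYK-PLACEHOLDER-1', severity: 'high', packageName: 'pkg-a', version: '1.0.0' },
    { id: 'SNYK-PLACEHOLDER-2', severity: 'medium', packageName: 'pkg-b', version: '4.17.0' },
    { id: 'SNYK-PLACEHOLDER-3', severity: 'Low', packageName: 'pkg-c', version: '0.0.8' },
  ],
};

// Stand-alone usage: `node securityReportExample.js` prints the report.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(buildReport(SAMPLE, '2026-04-29T02:00:00Z'), null, 2));
}

if (typeof module !== 'undefined') {
  module.exports = { classifySeverity, summarize, buildReport, SAMPLE };
}
```

In CI the `blocking` array is what a reviewer actually needs when the job fails, so it is kept separate from the counts; `unknown` is counted rather than discarded so a change in Snyk's severity vocabulary surfaces in the report instead of silently passing.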
drips-wave Bot commented Apr 29, 2026

@Escelit Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits.

You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀

Learn more about application limits

Development

Successfully merging this pull request may close these issues.

Backend: Snyk Scan and Dependency Vulnerability Monitoring