ci(security): add Dependabot groups block to batch Mon alert wave (#41)

Why:
  Mon 2026-05-25 06:00 UTC Dependabot wave projected to ~50 individual
  PRs across the 3 paybot repos. Solo-founder bandwidth cannot absorb.
  Groups batch into ~12-15 PRs total.

What:
  npm ecosystem: 5 groups
    - npm-patch-prod / npm-minor-prod  (version-updates, prod, split by risk)
    - npm-dev-deps                     (version-updates, dev, batched freely)
    - npm-security-patch / npm-security-minor  (security-updates, split by severity)
  uv ecosystem (packages/python): 4 groups
    - uv-patch / uv-minor              (version-updates)
    - uv-security-patch / uv-security-minor
    (uv lacks the dependency-type axis npm has, so groups split by
     update-type alone; severity split preserved for security updates.)

Precedent: scanner-bundle PRs paybot-core #3 (6dc6f5aa), paybot-sdk #11
(2513676), paybot-mcp #1 (a6c211db) — same gate model.

Authority: full SINKRA chain per .claude/rules/automated-pr-merge-authority.md.
@qa lightweight (CI green + YAML validity + schema correct) then @devops merge.
DO NOT MERGE before @qa PASS.

Deadline: must merge before Mon 2026-05-25 06:00 UTC.

Author: RBKunnela

.github/dependabot.yml

@@ -29,6 +29,29 @@ updates:
     labels:
       - "dependencies"
       - "npm"
+    # Groups: batch alert waves so a solo operator can absorb them.
+    # Without grouping, a typical Monday wave is ~15-20 individual PRs per repo;
+    # grouped it's 3-5. Production patch/minor split keeps risk-tiers separate.
+    # Dev deps batched freely (no runtime exposure). Security updates split by
+    # severity so a critical CVE never gets bundled with a minor upgrade.
+    groups:
+      npm-patch-prod:
+        applies-to: version-updates
+        update-types: ["patch"]
+        dependency-type: "production"
+      npm-minor-prod:
+        applies-to: version-updates
+        update-types: ["minor"]
+        dependency-type: "production"
+      npm-dev-deps:
+        applies-to: version-updates
+        dependency-type: "development"
+      npm-security-patch:
+        applies-to: security-updates
+        update-types: ["patch"]
+      npm-security-minor:
+        applies-to: security-updates
+        update-types: ["minor"]
 
   # ---------- GitHub Actions ecosystem ----------
   - package-ecosystem: "github-actions"
@@ -69,3 +92,21 @@ updates:
     labels:
       - "dependencies"
       - "python"
+    # Groups: parallel batching to the npm block above. uv does not expose
+    # the `dependency-type: production|development` axis the same way npm
+    # does (uv uses dependency-groups in pyproject.toml), so groups are
+    # split by update-types alone. Security updates split by severity to
+    # keep critical CVEs unbundled.
+    groups:
+      uv-patch:
+        applies-to: version-updates
+        update-types: ["patch"]
+      uv-minor:
+        applies-to: version-updates
+        update-types: ["minor"]
+      uv-security-patch:
+        applies-to: security-updates
+        update-types: ["patch"]
+      uv-security-minor:
+        applies-to: security-updates
+        update-types: ["minor"]