fix: add Dependabot cooldown (7-day) for supply-chain protection (#155)

Adds `cooldown.default-days: 7` to all 4 ecosystem entries. This delays
auto-ingesting newly-published versions, protecting against short-lived
supply-chain compromises that are typically yanked within hours.

Security updates are unaffected — they bypass cooldown entirely.

Fixes #154

Co-authored-by: bgagent <345885+scottschreckengaust@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: scottschreckengaust

.github/dependabot.yml

@@ -6,6 +6,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "saturday"
+    cooldown:
+      default-days: 7
     commit-message:
       prefix: "chore(deps): actions"
     open-pull-requests-limit: 1
@@ -19,6 +21,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "saturday"
+    cooldown:
+      default-days: 7
     commit-message:
       prefix: "chore(deps): docker"
     open-pull-requests-limit: 1
@@ -32,6 +36,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "saturday"
+    cooldown:
+      default-days: 7
     commit-message:
       prefix: "chore(deps): uv"
     open-pull-requests-limit: 1
@@ -45,6 +51,8 @@ updates:
     schedule:
       interval: "weekly"
       day: "saturday"
+    cooldown:
+      default-days: 7
     commit-message:
       prefix: "chore(deps): npm"
     open-pull-requests-limit: 1