[WIP] Fix: add Dependabot coverage for webapp/backend and webapp/frontend

[Copilot]

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

---

This section details on the original issue you should resolve

<issue_title>fix: add Dependabot coverage for webapp/backend and webapp/frontend</issue_title>
<issue_description>The dependabot.yml config monitors / and /vscode-extension for npm updates, but webapp/backend and webapp/frontend are not covered. Their package-lock.json files will not receive automated vulnerability PRs.

Fix

Add to .github/dependabot.yml:

- package-ecosystem: npm
  directory: /webapp/backend
  schedule:
    interval: weekly
  open-pull-requests-limit: 5
  groups:
    dev-dependencies:
      dependency-type: development
    production-dependencies:
      dependency-type: production

- package-ecosystem: npm
  directory: /webapp/frontend
  schedule:
    interval: weekly
  open-pull-requests-limit: 5
  groups:
    dev-dependencies:
      dependency-type: development

Context

Introduced by PR #90 (webapp). The webapp ships Express, Helmet, and other production dependencies that need vulnerability monitoring.</issue_description>

Comments on the Issue (you are @copilot in this section)