[FEATURE] Dependabot: switch to grouped updates per ecosystem #174

@JerrettDavis

Description

Problem Statement

The current .github/dependabot.yml opens one PR per updated dependency across three ecosystems (npm, pip, GitHub Actions). When a handful of routine patches land in a quiet week, the repo gets flooded — recent examples: #164, #165, #166, #167, #168, #169 all arrived within a short window and each required a separate review/merge cycle. The noise makes it hard to spot genuinely interesting bumps (security, majors, new features) and adds friction to the maintainer workflow.

Proposed Solution

Switch to Dependabot's groups: configuration so that all minor and patch updates within a single ecosystem consolidate into one PR per week. Major bumps should remain ungrouped — majors deserve individual attention because they carry higher regression risk and changelog-review cost.

Concrete plan:

  1. Group npm minor/patch into a single PR.
  2. Group pip minor/patch into a single PR.
  3. Group github-actions minor/patch into a single PR.
  4. Leave update-types: ["major"] ungrouped — one PR per major, as today.
  5. Keep the current schedule/interval — just change how results get bundled.

Use Case

  • Who: maintainers of the proxy repo.
  • How it helps: compresses roughly 6 routine PRs per week into 3 grouped PRs, cutting review overhead by roughly half while preserving isolation for anything a human actually needs to scrutinize.
  • Cost/token savings: not about LLM tokens — about maintainer attention and CI minutes. Grouped PRs also run CI once instead of N times.

Alternatives Considered

  • Keep as-is: continues to generate noise; scales poorly as the dependency surface grows.
  • Disable Dependabot and rely on manual audits: loses the proactive signal, hurts supply-chain posture (see the companion supply-chain issue in this batch).
  • Group everything including majors: risky — a grouped PR with one breaking major buried inside is easy to merge without noticing.

Example API (Optional)

# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule: { interval: "weekly" }
    groups:
      npm-minor-patch:
        update-types: ["minor", "patch"]

  - package-ecosystem: "pip"
    directory: "/"
    schedule: { interval: "weekly" }
    groups:
      pip-minor-patch:
        update-types: ["minor", "patch"]

  - package-ecosystem: "github-actions"
    directory: "/"
    schedule: { interval: "weekly" }
    groups:
      actions-minor-patch:
        update-types: ["minor", "patch"]

Additional Context
