chore(safetycheck): apply /safetycheck fixes 1-6

This commit generates package-lock.json (safetycheck fix 2).

Code + config fixes from /safetycheck already landed in 16503b3 — that
commit carries the generic '[bot:daemon] auto' message because I ran the
refactored daemon as an integration test against the dirty working tree,
and the daemon did its job and pushed. The content is correct; only the
message is generic. Contents of 16503b3:

  1. .gitignore                 +*.cert, +*.crt
  3. .github/dependabot.yml     new (npm + github-actions weekly, matches
                                  morgen-mcp / motion-mcp pattern)
  4. SECURITY.md                new (disclosure policy → nate@lorecraft.io,
                                  4-credential table, defense-in-depth notes)
  5. src/auto-commit.js         execSync(shell string) → execFileSync(array).
                                  All 4 call sites updated. No more shell
                                  quoting of commit messages or env-derived
                                  values (REPO_PATH, BRANCH).
                                  INTEGRATION-TESTED: the live push that
                                  produced 16503b3 exercised git status,
                                  add, commit, and push — all through the
                                  new execFileSync wrapper.
  6. scripts/morgen-backfill.js morgenRequest() now wraps morgenRequestOnce()
                                  with 429 retry logic (3 attempts, honors
                                  Retry-After + ratelimit-reset headers,
                                  exponential backoff 2s→4s→8s capped 60s).

This commit (fix 2): package-lock.json (lockfileVersion 3, 1 package, 0
vulns — because the repo has zero runtime deps, which is the point).

All tests still pass: bash -n 2/2, node --check 7/7, npm test 12/12,
test:helpers 39/39.

Author: fidgetcoding