chore(ci): add Dependabot with grouped, cooldown-gated auto-merge

[calltelemetry-jason]

Mirrors the dependency-automation setup landed on cisco-phone-mcp and cisco-cucm-mcp, adapted for this repo (default branch master, npm, Test & Coverage check).

Changes

• .github/dependabot.yml (new): weekly npm updates;
  • groups → one rolling PR for minor/patch;
  • cooldown (semver-minor-days: 3, semver-patch-days: 3) → supply-chain release-age delay;
  • majors ignored (human-only).
• .github/workflows/dependabot-automerge.yml (new): official dependabot/fetch-metadata pattern. Auto-merges patch+minor Dependabot PRs once the required Test & Coverage check passes. Hardened: on: pull_request, actor and author gated to dependabot[bot], job-level least-privilege perms, per-PR concurrency.

Companion settings (applied via API, not in this diff)

• allow_auto_merge: true
• Branch protection on master requiring Test & Coverage.
• Fork-PR approval tightened to all_external_contributors (untrusted PRs don't run CI until approved).

[coderabbitai]

Warning

Review limit reached

@calltelemetry-jason, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 2 minutes and 59 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 565dc8c1-a5d7-43d2-9c60-6018919211f3

📥 Commits

Reviewing files that changed from the base of the PR and between 5b66f0e and d595080.

📒 Files selected for processing (2)

• .github/dependabot.yml
• .github/workflows/dependabot-automerge.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/add-dependabot-automerge

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!