
feat: implement security scanning and fix JS/TS vulnerabilities#143

Merged
GenerQAQ merged 5 commits into memodb-io:dev from slyt3:feat/security-scanning
Jan 14, 2026

Conversation

@slyt3
Contributor

@slyt3 slyt3 commented Jan 13, 2026

Why we need this PR?

This should close phase 1 of Issue (#140)
Automated security scanning is required to maintain a secure baseline and catch dependency vulnerabilities early in the CI/CD pipeline.

Describe your solution

This PR implements Phase 1 of the security initiative by introducing:

  • GitHub Actions: security-scan.yaml (PR/Push) and security-scheduled.yaml (Weekly).
  • Dependabot: Configured for Go, Python, npm, Docker, and GitHub Actions.
  • Immediate Fixes: Resolved high-severity vulnerabilities in the TS SDK and moderate ones in the UI to ensure a green/pass baseline.

Implementation Tasks

  • Create security scanning workflows for all languages (Go, Python, JS).
  • Configure Dependabot for weekly updates across all modules.
  • Fix identified High/Moderate vulnerabilities in JS/TS dependencies.
  • Clean up repository (removed untracked E2E files and local docs).

Impact Areas

Which part of Acontext would this feature affect?

  • Client SDK (Python)
  • Client SDK (TypeScript)
  • Core Service
  • API Server
  • Dashboard
  • Other: GitHub Actions infrastructure

Checklist

  • Open your pull request against the dev branch.
  • All tests (including new security audits) pass in CI.
  • Tests are added or modified as needed.

slyt3 added 3 commits January 13, 2026 15:22
- Add .github/workflows/security-scan.yaml for PR/push scanning
- Add .github/workflows/security-scheduled.yaml for weekly deep scans
- Add .github/dependabot.yml for automated dependency updates
- Fix high-severity vulnerabilities in src/client/acontext-ts
- Update UI dependencies in src/server/ui to fix moderate vulnerabilities
@slyt3
Contributor Author

slyt3 commented Jan 13, 2026

The newly implemented security scans identified, and allowed me to resolve, the following vulnerabilities:

  • Go Standard Library: Upgraded to Go 1.25.5 to resolve GO-2025-4155 (Resource consumption vulnerability in crypto/x509).
  • Python (Core & SDK): Upgraded urllib3 to 2.6.3 to resolve CVE-2026-21441 (High-severity vulnerability).
  • JS/TS SDK: Resolved high-severity vulnerabilities in glob and moderate ones in js-yaml.
  • UI (Dashboard): Addressed moderate vulnerabilities by updating transitive dependencies.

@slyt3
Contributor Author

slyt3 commented Jan 13, 2026

Gonna run the CI Python audit locally to identify the last vulnerabilities.

@slyt3
Contributor Author

slyt3 commented Jan 13, 2026

Nvm, the Python security audit was hitting a limitation in pip-audit where it cannot resolve dependencies when a requirements file mixes security hashes with editable/local projects (like our SDK).
I've refined the workflow to use `uv export --no-hashes --no-dev` before auditing, which provides a clean list of external dependencies for pip-audit to check without triggering that conflict. The scans are now passing reliably.
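
The export-then-audit step described in the comment above, as an added example that is not part of the PR or of the Acontext workflows. It adds a pre-flight check that fails fast, with a readable message, when a requirements export still mixes `--hash` pins with editable/local project entries (the combination pip-audit could not resolve), and it emulates on a constructed sample what `uv export --no-hashes --no-dev` produces. `uv export`, `pip-audit -r` and their flags are real; the sample requirements file, the `./src/client/acontext-python` path and every function name are assumptions made for the demo.

```shell
#!/usr/bin/env sh
# Added example (not from the PR). Pre-flight check for the pip-audit
# limitation discussed in the thread, plus the refined export/audit step.

# Constructed sample: an export WITH hashes that also pulls in a local,
# editable project (the path is assumed, not the project's real layout).
write_sample_requirements() {
  cat > "$1" <<'EOF'
-e ./src/client/acontext-python
urllib3==2.6.3 \
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml==6.0.2 \
    --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
EOF
}

# Returns 0 (true) when the file contains both `--hash=` pins and an
# editable (`-e`) or local-path requirement: the mix pip-audit rejects.
has_hash_local_mix() {
  grep -q -- '--hash=' "$1" && grep -Eq -- '^(-e |\./|\.\./|/)' "$1"
}

# Emulates the effect of `uv export --no-hashes --no-dev` on the sample:
# drop editable/local entries, drop hash continuation lines, and remove
# the trailing backslash, leaving only pinned external dependencies.
strip_hashes_and_local() {
  grep -Ev -- '^(-e |\./|\.\./|/)' "$1" \
    | grep -v -- '--hash=' \
    | sed 's/ *\\$//'
}

# The real CI export step (assumed to run from the workspace root):
# writes a hash-free, runtime-only requirements list for pip-audit.
export_clean_requirements() {
  uv export --no-hashes --no-dev -o "$1"
}

# Audits a requirements file, refusing to proceed if the mix is present
# so the job fails with a clear reason instead of a resolution error.
audit_requirements_file() {
  req="$1"
  if has_hash_local_mix "$req"; then
    echo "error: $req mixes --hash pins with editable/local projects; pip-audit cannot resolve this" >&2
    return 1
  fi
  if command -v pip-audit >/dev/null 2>&1; then
    pip-audit -r "$req"
  else
    echo "pip-audit not installed; skipping audit of $req" >&2
  fi
}

# Usage demo on the constructed sample.
demo_dir=$(mktemp -d)
write_sample_requirements "$demo_dir/requirements.txt"
if has_hash_local_mix "$demo_dir/requirements.txt"; then
  echo "mixed export detected; stripping hashes and local projects"
  strip_hashes_and_local "$demo_dir/requirements.txt" > "$demo_dir/requirements-clean.txt"
  cat "$demo_dir/requirements-clean.txt"
fi
```

In the workflow itself only `export_clean_requirements` and `audit_requirements_file` are needed; the sample writer and the stripping function exist only to show offline what the failing input looks like and what the clean export reduces it to.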

@slyt3
Contributor Author

slyt3 commented Jan 13, 2026

I finished with phase 1, the security foundation is now secure. Gonna move to phase 2, so I will be focusing on 'handshake' tests between the Go API and Python Core to ensure cross-service stability :D

If you don't have any questions, this is ready to merge. :)

@gusye1234 @GenerQAQ

@GenerQAQ GenerQAQ self-requested a review January 14, 2026 08:23
@GenerQAQ
Contributor

LGTM 🚀

@GenerQAQ GenerQAQ merged commit 91ee2ff into memodb-io:dev Jan 14, 2026
6 checks passed