
chore(security): add 7-day cooldown for supply chain protection#1567

Open
saitota wants to merge 2 commits into dyoshikawa:main from saitota:chore/supply-chain-cooldown

Conversation

@saitota
Contributor

@saitota saitota commented Apr 25, 2026

Summary

Adds a 7-day cooldown to mitigate supply chain attacks (Trivy/LiteLLM/axios in March 2026).

  • pnpm-workspace.yaml: minimumReleaseAge: 10080 (7 days, in minutes)
  • .github/dependabot.yml: cooldown.default-days 1 → 7 (npm + github-actions)

Refs

saitota added 2 commits April 25, 2026 22:30
- pnpm-workspace.yaml: minimumReleaseAge=10080 (7 days)
- dependabot.yml: cooldown.default-days 1 -> 7
@cm-dyoshikawa
Collaborator

@saitota

Thanks for putting this together. The CI action bumps look good to me, please go ahead with those.

On the cooldown side though, I think 7 days is too long for this project. The main concern is that it also delays security fixes by the same amount — if a CVE drops on a transitive dep, we'd be sitting on the patched version for a week before pnpm even considers it. pnpm's own docs note that "in most cases malicious releases are removed from the registry within an hour," and their example config uses 1 day (1440 minutes), so 7 days is well above what the upstream guidance suggests.

Also worth remembering that minimumReleaseAge is a floor, not a ceiling — any downstream user who wants a longer window can extend it on their side without us baking it into the project default.

I'd like to drop this to 1 day (1440) at least for now. Same change to cooldown.default-days in dependabot.yml — 1 day there feels right too. Happy to revisit if we see a concrete incident that a longer window would have caught.
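To make the trade-off in this thread concrete, here is an added example (mine, not code from this PR, pnpm, or Dependabot) that models how a release-age cooldown such as pnpm's minimumReleaseAge or Dependabot's cooldown decides which versions are eligible. It runs the same rule against a constructed npm-style "time" map (the per-version publish timestamps `npm view <pkg> time --json` returns) with a fixed clock, so the 1-day and 7-day windows from the PR description and the review can be compared on actual dates. The package, its versions, their publish times and the `NOW` clock are all invented for the illustration; the `excluded` flag stands in for opting a single package out of the window, the way pnpm's minimumReleaseAgeExclude setting does.

```python
"""Release-age cooldown modelled over a registry "time" map.

Added example; not code from the PR, pnpm, or Dependabot. Both tools
skip a version until its publish timestamp is older than a configured
window. The filter below reproduces that rule over a constructed sample
so the 1-day vs 7-day trade-off can be seen on concrete dates.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample, not real registry data: publish times for a
# hypothetical package, in the shape `npm view <pkg> time --json` returns.
# "created" and "modified" are metadata keys the real registry also emits.
SAMPLE_TIME_MAP = {
    "created": "2025-01-10T12:00:00.000Z",
    "modified": "2026-04-25T02:00:00.000Z",
    "1.4.2": "2026-03-01T10:00:00.000Z",
    "1.4.3": "2026-04-17T15:30:00.000Z",  # about 8 days before NOW
    "1.4.4": "2026-04-23T08:00:00.000Z",  # about 2 days before NOW (think: a CVE fix)
    "1.5.0": "2026-04-25T02:00:00.000Z",  # 8 hours before NOW
}

# Fixed clock so the example is deterministic (assumed, not real time).
NOW = datetime(2026, 4, 25, 10, 0, tzinfo=timezone.utc)

ONE_DAY = 1440       # minutes; the value pnpm's docs use in their example
SEVEN_DAYS = 10080   # minutes; the value this PR proposes


def parse_registry_time(ts):
    """Registry timestamps end in 'Z'; older fromisoformat needs '+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(version):
    """Sort key for plain X.Y.Z versions (the sample has no pre-release tags)."""
    return tuple(int(part) for part in version.split("."))


def split_by_cooldown(time_map, min_age_minutes, now=NOW):
    """Return (eligible, held_back) version lists under a release-age cooldown.

    A version is eligible once it was published at least min_age_minutes
    before `now`; anything younger is held back. Metadata keys are skipped.
    """
    cutoff = now - timedelta(minutes=min_age_minutes)
    eligible, held_back = [], []
    for version, ts in time_map.items():
        if version in ("created", "modified"):
            continue
        published = parse_registry_time(ts)
        (eligible if published <= cutoff else held_back).append(version)
    return sorted(eligible, key=version_key), sorted(held_back, key=version_key)


def newest_eligible(time_map, min_age_minutes, now=NOW, excluded=False):
    """Newest version a resolver may pick under the window.

    `excluded=True` models opting this one package out of the cooldown
    (the analogue of pnpm's minimumReleaseAgeExclude), which is the lever
    for pulling a fresh security fix without lowering the global window.
    """
    window = 0 if excluded else min_age_minutes
    eligible, _ = split_by_cooldown(time_map, window, now)
    return eligible[-1] if eligible else None


def eligible_at(time_map, version, min_age_minutes):
    """Instant at which a given version clears the window (publish time + window)."""
    return parse_registry_time(time_map[version]) + timedelta(minutes=min_age_minutes)


if __name__ == "__main__":
    for label, window in (("1 day", ONE_DAY), ("7 days", SEVEN_DAYS)):
        ok, held = split_by_cooldown(SAMPLE_TIME_MAP, window)
        print(f"{label:>6}: newest eligible {ok[-1]}, held back {held}")
    print("1.4.4 clears a 7-day window at", eligible_at(SAMPLE_TIME_MAP, "1.4.4", SEVEN_DAYS))
```

With these dates the 1-day window holds back only the 8-hour-old 1.5.0 and still resolves to the 2-day-old 1.4.4, while the 7-day window holds back both and resolves to 1.4.3; the hypothetical fix in 1.4.4 would not clear a 7-day window until 2026-04-30. That is the delay the review is weighing against the extra margin for a malicious release to be pulled, and the per-package exclusion is the escape hatch if a longer default is kept.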

