ci: wire hypatia-scan.yml to query own Dependabot alerts

Auto-sweep follow-up to the Hypatia DependabotAlerts severity
floor that landed in verification-ecosystem/hypatia commit
75a36ce (2026-04-17). For the rule to actually return findings,
the per-repo hypatia-scan.yml needs:

  - security-events

Without these, scan_from_path returns HTTP 403 and the rule
silently returns no findings.

Cross-ref: 007-lang/audits/audit-dependabot-automation-gap-2026-04-17.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/hypatia-scan.yml

@@ -13,6 +13,9 @@ on:
 
 permissions:
   contents: read
+  # security-events: read lets the built-in GITHUB_TOKEN query this
+  # repo\'s own Dependabot alerts via the Hypatia DependabotAlerts rule.
+  security-events: read
 
 jobs:
   scan: