feat(security): add Snyk CI workflow and pinned Python requirements

- .github/workflows/snyk.yml: scans backend (Python), frontend (npm)
  and backend Docker image on every push/PR and weekly schedule.
  Uses continue-on-error during initial cleanup phase.
  Requires SNYK_TOKEN secret in GitHub repo settings.

- backend/requirements-lock.txt: exact pip freeze from production
  container for accurate Snyk CVE scanning (no version ambiguity).

To enable: add SNYK_TOKEN to GitHub repo secrets (get token from
app.snyk.io -> Account Settings -> API Token).

.github/workflows/snyk.yml

@@ -0,0 +1,71 @@
+name: Snyk Security Scan
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'   # Weekly on Monday 06:00 UTC
+
+jobs:
+  snyk-backend:
+    name: Python vulnerabilities (backend)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install backend dependencies
+        run: pip install -r backend/requirements-lock.txt
+
+      - name: Snyk — scan Python packages
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=backend/requirements-lock.txt --severity-threshold=high
+        continue-on-error: true   # report without blocking CI during initial cleanup
+
+  snyk-frontend:
+    name: npm vulnerabilities (frontend)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install frontend dependencies
+        run: npm ci
+        working-directory: frontend
+
+      - name: Snyk — scan npm packages
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --file=frontend/package.json --severity-threshold=high
+        continue-on-error: true
+
+  snyk-docker-backend:
+    name: Docker image vulnerabilities (backend)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Build backend image for scanning
+        run: docker build -t aegis-backend:scan backend/
+
+      - name: Snyk — scan Docker image
+        uses: snyk/actions/docker@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: aegis-backend:scan
+          args: --severity-threshold=high
+        continue-on-error: true