Harden code-modernization plugin from a real CardDemo dry run

Fixes found by running the discovery workflow against the AWS CardDemo
mainframe sample (~50 KLOC of COBOL/CICS/JCL/BMS/VSAM):

- modernize-assess: add scc -> cloc -> find/wc fallback chain with the
  COCOMO-II formula so Step 1 works when scc isn't installed; same for
  portfolio-mode cloc/lizard. Drop the reference to a specific
  agent-spawning tool name (just "in parallel"). Sharpen the structural-
  map subagent prompt: 5-12 domains, subgraph clustering, ~40-edge cap,
  repo-relative paths, dangling-reference check.
- modernize-map: expand the parse-target list with the things a
  literal-minded reader would miss on a real mainframe codebase — CICS
  CSD DEFINE TRANSACTION/FILE for entry points and online file I/O,
  EXEC CICS file ops, SELECT...ASSIGN TO joined with JCL DD,
  EXEC SQL table refs (not JCL DD), SEND/RECEIVE MAP, dynamic
  data-name XCTL resolution, COBOL fixed-format column slicing. Without
  these the dead-code list is wrong (most CICS programs look unreachable).
  Also write a machine-readable topology.json alongside the summary.
- modernize-extract-rules: add a Priority (P0/P1/P2) field with a
  heuristic, and an optional Suspected-defect field. modernize-brief
  reads P0 rules to build the behavior contract, but the Rule Card had
  no priority slot — the chain was broken.
- modernize-brief: read the new P0 tags; flag low-confidence P0 rules as
  SME blockers.
- modernize-reimagine: drop "for the demo" wording.
- security-auditor agent: add mainframe/COBOL coverage items (RACF,
  JCL/PROC creds, BMS field validation, DB2 dynamic SQL, copybook PII)
  and mark web-only items as such so it adapts to the target stack.
- README: add Optional Tooling section and a symlink example for the
  expected layout.

plugins/code-modernization/agents/security-auditor.md

@@ -11,20 +11,28 @@ engineer can fix.
 
 ## Coverage checklist
 
-Work through systematically:
-- **Injection** (SQL, NoSQL, OS command, LDAP, XPath, template) — trace every
-  user-controlled input to every sink
+Adapt to the target stack — web items don't apply to a batch COBOL system,
+mainframe items don't apply to a SPA. Work through what's relevant:
+
+- **Injection** (SQL, NoSQL, OS command, LDAP, XPath, template, dynamic
+  DB2 SQL, JCL/PARM injection) — trace every user-controlled input to every sink
 - **Authentication / session** — hardcoded creds, weak session handling,
-  missing auth checks on sensitive routes
-- **Sensitive data exposure** — secrets in source, weak crypto, PII in logs
-- **Access control** — IDOR, missing ownership checks, privilege escalation paths
-- **XSS / CSRF** — unescaped output, missing tokens
+  missing auth checks on sensitive routes/transactions
+- **Sensitive data exposure** — secrets in source, weak crypto, PII/PAN/SSN in
+  logs, cleartext data in copybooks/flat files
+- **Access control** — IDOR, missing ownership checks, privilege escalation;
+  for CICS: missing/permissive RACF transaction & resource definitions,
+  unguarded admin transactions
+- **XSS / CSRF** — unescaped output, missing tokens (web targets only)
 - **Insecure deserialization** — pickle/yaml.load/ObjectInputStream on
   untrusted data
 - **Vulnerable dependencies** — run `npm audit` / `pip-audit` /
   read manifests and flag versions with known CVEs
-- **SSRF / path traversal / open redirect**
-- **Security misconfiguration** — debug mode, verbose errors, default creds
+- **SSRF / path traversal / open redirect** (web targets only)
+- **Input validation** — for CICS/3270: unvalidated BMS field input,
+  missing length/range/format checks before file/DB writes
+- **Security misconfiguration** — debug mode, verbose errors, default creds,
+  hardcoded passwords/userids in JCL, PROCs, or sign-on programs
 
 ## Tooling