
Commit b170a6d

noelsaw1 and claude committed
fix: code review audit fixes — security, error handling, and repo hygiene
Addresses 12 of 20 items from @mrtwebdesign code review (P1-AUDIT-MATT.md):

Security & repo hygiene:
- Remove committed npx/playwright symlinks, add to .gitignore
- Remove stale BACKLOG-DEPRECATED.md and ROADMAP-DEPRECATED.md
- Add plaintext password warning to AGENTS.md sensitive data section
- Add 1MB Content-Length limit on MCP HTTP transport (413 response)

Error handling:
- Preserve error cause chain in withResourceError() (index.ts)
- Return structured error for missing WPCC binary instead of crash (wpcc.ts)
- Guard against undefined site name with actionable message (local-wp.ts)

Code quality:
- Add JSDoc to regex patterns in allowlist.ts, tmux.ts, wpcc.ts
- Fix POSIX compliance: &> to >/dev/null 2>&1 (wp-ajax-test/install.sh)
- Add timeout 10 wrap on WP-CLI call (theme-crash-loop.sh)
- Add file-existence guard for curl timeout (theme-crash-loop.sh)
- Bump MCP server README version 0.6.2 → 0.6.3

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 7f75be8 commit b170a6d

15 files changed

Lines changed: 169 additions & 559 deletions


.gitignore

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -70,3 +70,7 @@ coverage/
7070

7171
/.claude
7272
/.mcp.local.json
73+
74+
# Machine-specific symlinks (never commit these)
75+
/npx
76+
/playwright
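Review bot: the two new ignore rules `/npx` and `/playwright` only prevent those paths from being staged in the future; they do not untrack a symlink that is already in the index, so the removal the commit message describes needs a matching `git rm --cached` (or the corresponding deletion hunks) in this same commit, otherwise the tracked symlink survives and the ignore entry is silently ineffective. The comment `# Machine-specific symlinks (never commit these)` would also serve future contributors better if it said why these symlinks exist locally, so nobody re-adds them believing they are project files.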

AGENTS.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -461,7 +461,7 @@ Reference: `recipes/phpstan-wordpress-setup.md`
461461
462462
### Sensitive data handling
463463
464-
Never commit credentials, PII, auth state, or local config.
464+
Never commit credentials, PII, auth state, or local config. **Never store passwords in plaintext** — not in JSON files, config files, scripts, or anywhere in the repository. Use environment variables, OS keychains, or one-time auth tokens (like `pw-auth`'s WP-CLI login URLs) instead.
465465
466466
Use `./temp` for:
467467
- API keys, passwords, tokens, auth JSON
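Review bot: the new sentence forbids plaintext passwords "anywhere in the repository", yet the unchanged context two lines below still reads `Use ./temp for:` followed by `- API keys, passwords, tokens, auth JSON`, which a reader will take as a direct contradiction. Suggest stating in the same paragraph that `./temp` is an ignored scratch directory outside version control (this hunk does not show whether it is), or rewording that bullet so it no longer presents passwords as something to keep in a file. The recommended alternatives would also be more actionable if they named the environment variables or keychain entries the project actually uses, since `pw-auth`'s WP-CLI login URLs only cover the WordPress login case.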

BACKLOG-DEPRECATED.md

Lines changed: 0 additions & 374 deletions
This file was deleted.
