Add grammar security audit and enhance vendor script

- vendor-grammar.sh: copy extra headers (.h, .inc) and common/ subdirs
  from grammar src/ directories. Needed for Astro (tag.h), PureScript/
  Typst (unicode.h), VHDL (.h/.inc files), F# (common/scanner.h).

- audit-grammar-security.sh: pre-vendoring scanner for dangerous patterns
  in vendored grammar C files. Checks for dangerous includes (sys/*,
  unistd.h, dlfcn.h), dangerous calls (system, exec, popen, fopen,
  socket, getenv, fork, dlopen), and suspicious patterns (constructor
  attributes, inline assembly, base64 blobs). PASS/WARN/BLOCK per grammar.