feat(config-audit): /config-audit manifest command (v5 N2) [skip-docs]

New scanners/manifest.mjs CLI + commands/manifest.md slash command.
Reads activeConfig and produces a flat, ranked list of every token
source (CLAUDE.md cascade entries, plugins, skills, MCP servers, hooks)
sorted DESC by estimated_tokens.

CLAUDE.md per-file tokens are derived by distributing
claudeMd.estimatedTokens across the cascade proportional to bytes.

Tests cover both real-config (plugin root) and fixture (rich-repo with
patched HOME containing 2 plugins + 3 skills + .mcp.json) paths, plus
error handling (nonexistent path → exit 3, --output-file).

Builds on readActiveConfig from M1 (v5 alpha.2).

[skip-docs] reason: v5 plan fences off README/CLAUDE.md badge updates
to Session 5; Forgejo pre-commit-docs-gate hook requires this tag on
feat commits without doc changes.

Tests: 593 → 604 (+11).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

plugins/config-audit/commands/manifest.md

@@ -0,0 +1,78 @@
+---
+name: config-audit:manifest
+description: Show ranked token-source manifest — every CLAUDE.md, plugin, skill, MCP server, and hook ordered DESC by estimated tokens
+argument-hint: "[path] [--json]"
+allowed-tools: Read, Bash
+model: sonnet
+---
+
+# Config-Audit: Manifest
+
+Produce a ranked, single-table view of every token source loaded for a given repo path. Where `whats-active` shows separate tables per category, `manifest` collapses everything into one ordered list — making it easy to see what's costing the most regardless of category.
+
+## UX Rules (MANDATORY — from `.claude/rules/ux-rules.md`)
+
+1. **Never show raw JSON or stderr output.** Always use `--output-file` + `2>/dev/null`.
+2. **Narrate before acting.** Tell the user what you're about to do.
+3. **Read, don't dump.** Read the JSON file and render a formatted table.
+4. **End with context-sensitive next steps.**
+
+## Implementation
+
+### Step 1: Parse `$ARGUMENTS`
+
+First non-flag argument is the path (default `.`). Recognized flags:
+
+- `--json` — emit raw JSON instead of the rendered table.
+
+### Step 2: Run the CLI silently
+
+Tell the user: **"Building token-source manifest for `<path>`..."**
+
+```bash
+TMPFILE="/tmp/ca-manifest-$$.json"
+node ${CLAUDE_PLUGIN_ROOT}/scanners/manifest.mjs <path> --output-file "$TMPFILE" 2>/dev/null; echo $?
+```
+
+**Exit code handling:**
+- `0` → continue
+- `3` → tell user: "Couldn't read configuration. Check that the path exists and is a directory." Stop.
+
+### Step 3: If `--json` was requested, cat the file and stop
+
+```bash
+cat "$TMPFILE"
+```
+
+Do NOT render the table in JSON mode.
+
+### Step 4: Read JSON and render
+
+Use the Read tool on `$TMPFILE`. Extract `meta.repoPath`, `total`, and `sources[]`. Render the top 20 sources (or fewer if the manifest is shorter):
+
+```markdown
+**Token-source manifest for `<repoPath>`** — ~{total} tokens at startup
+
+| Rank | Kind | Name | Source | Tokens |
+|------|------|------|--------|--------|
+| 1 | {kind} | `<name>` | {source} | ~{estimated_tokens} |
+| ... | ... | ... | ... | ... |
+
+_Estimates assume ~4 chars/token (Claude ballpark). Real token count varies ±15%._
+```
+
+If `sources.length > 20`, follow the table with: _"Showing top 20 of {N} sources. Run with `--json` to see the full list."_
+
+### Step 5: Suggest next steps
+
+```markdown
+**Next steps:**
+- `/config-audit tokens` — Opus-4.7 token-hotspot patterns (cache-breaking, redundant perms, deep imports, MCP budget)
+- `/config-audit whats-active` — same data grouped by category, with disable suggestions
+- `/config-audit feature-gap` — what *could* improve here, grouped by impact
+```
+
+Tone:
+- High total (>50k): empathetic — "That's a heavy startup cost; tokens bullet anything you'd otherwise spend on the actual conversation."
+- Moderate (10–50k): neutral — "Reasonable. Skim the top 5 to see if anything is unexpectedly large."
+- Low (<10k): encouraging — "Tight setup. The model has plenty of room for the actual work."