feat(config-audit): TOK flags CLAUDE.md cascade > 10k tokens (v5 M4) [skip-docs]

- New Pattern E in TOK: emits medium finding when activeConfig.claudeMd.estimatedTokens > 10_000
- Uses cascade tokens, file count, and calibration note as evidence
- New fixtures: large-cascade (37k bytes / 14475 cascade tokens) + small-cascade (5k baseline)

572 → 574 tests, all green.

plugins/config-audit/tests/fixtures/small-cascade/CLAUDE.md

@@ -0,0 +1,5 @@
+# Small Cascade Fixture
+
+Minimal CLAUDE.md so the cascade stays below the 10k token threshold even
+when added to the ambient user/project cascade picked up by readActiveConfig.
+

plugins/config-audit/tests/scanners/token-hotspots.test.mjs

@@ -189,6 +189,23 @@ describe('TOK scanner — hotspots contract', () => {
   });
 });
 
+describe('TOK scanner — M4 cascade > 10k tokens (v5)', () => {
+  it('flags CLAUDE.md cascade > 10k tokens with medium severity', async () => {
+    const result = await runScanner('large-cascade');
+    const f = result.findings.find(x => /cascade/i.test(x.title || ''));
+    assert.ok(f, `expected cascade finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
+    assert.equal(f.severity, 'medium', `expected medium, got ${f.severity}`);
+    assert.match(f.title, /CLAUDE\.md cascade/i);
+  });
+
+  it('does NOT flag small cascade (< 10k tokens)', async () => {
+    const result = await runScanner('small-cascade');
+    const f = result.findings.find(x => /cascade/i.test(x.title || ''));
+    assert.equal(f, undefined,
+      `expected no cascade finding for small fixture; got: ${f?.title}`);
+  });
+});
+
 describe('TOK scanner — F7 severity recalibration (v5)', () => {
   // Findings identified by title pattern, not finding ID — TOK IDs are
   // sequential per scan run, not semantic per pattern (output.mjs:31).