release(config-audit): v5.1.0 — plain-language UX humanizer

Plain-language UX humanizer release. Default output of all 18 commands
now leads with prose; technical IDs surface at end-of-line as references
rather than headlines. Scanner internals are unchanged; humanization is
a pure output-time transform applied at the rendering layer.

Highlights:
- New scanner-lib modules: humanizer.mjs, humanizer-data.mjs (TRANSLATIONS
  for 13 scanner prefixes)
- New --raw flag threaded through every CLI for byte-stable v5.0.0
  verbatim output (--json unchanged from v5.0.0, also byte-stable)
- 5 user-impact categories, 5 action-language phrases, 3 relevance contexts
- Self-audit terminal output also humanized; --json path unchanged
- 21 command and agent templates updated for humanized rendering with
  --raw passthrough
- 635 → 792 tests (+157) including SC-3 forbidden-words lint, SC-4
  scenario read-test, SC-5/6/7 backwards-compat snapshots

Migration:
- Existing --json automation: zero changes required (envelope is
  byte-stable with v5.0.0; humanizer fields are bypassed)
- stderr-scraping tooling: review default mode (now uses prose); pass
  --raw for v5.0.0 verbatim
- No scanner-internal changes (IDs, severity ladders, scoring weights,
  area scorecards all unchanged)

Verification:
- 792/792 tests pass
- self-audit configGrade A (97), pluginGrade A (100), readmeCheck passed
- README badge: tests-635+ → tests-792+

plugins/config-audit/.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "config-audit",
   "description": "Multi-agent workflow for analyzing, reporting, and optimizing Claude Code configuration across your entire machine",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "author": {
     "name": "Kjell Tore Guttormsen"
   },

plugins/config-audit/CHANGELOG.md

@@ -5,6 +5,52 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.1.0] - 2026-05-01
+
+### Summary
+Plain-language UX humanizer release. Default output of all 18 commands now leads with prose; technical IDs surface at end-of-line as references rather than headlines. Non-expert users — the bulk of the OSS audience — now read findings like "Fix soon: The same automation is set up more than once" instead of "[high] CA-CNF-001: Hook duplicate event registration". Scanner internals are unchanged; humanization is a pure output-time transform applied at the rendering layer. The `--raw` flag preserves v5.0.0 verbatim output for tooling that scrapes stderr; `--json` is unchanged from v5.0.0 and remains byte-stable for programmatic consumption.
+
+Delivered across 6 waves (Wave 0 baseline → Wave 1 humanizer module → Wave 2 test re-anchoring → Wave 3 CLI wiring → Wave 4 contract tests → Wave 5 templates/agents → Wave 6 release).
+
+### Added
+- **`scanners/lib/humanizer.mjs`** — pure-function output translator: `humanizeFinding`, `humanizeFindings`, `humanizeEnvelope`, `computeRelevanceContext`. Never mutates inputs. Adds three additive fields per finding (`userImpactCategory`, `userActionLanguage`, `relevanceContext`) and replaces title/description/recommendation when a translation is available; falls through to originals otherwise.
+- **`scanners/lib/humanizer-data.mjs`** — TRANSLATIONS table for 13 scanner prefixes (CML, SET, HKV, RUL, MCP, IMP, CNF, COL, TOK, CPS, DIS, GAP, PLH). Three-step lookup per finding: exact title → regex pattern → `_default` → fall through to scanner original.
+- **`--raw` flag** threaded through every CLI: `posture.mjs`, `scan-orchestrator.mjs`, `token-hotspots-cli.mjs`, `manifest.mjs`, `whats-active.mjs`, `fix-cli.mjs`, `drift-cli.mjs`, `self-audit.mjs`. Bypasses humanizer; emits byte-stable v5.0.0 verbatim output.
+- **User-impact categories** (5 labels): Configuration mistake, Conflict, Wasted tokens, Missed opportunity, Dead config. Mapped from scanner prefix.
+- **Action-language phrases** (5 labels): Fix this now, Fix soon, Fix when convenient, Optional cleanup, FYI. Mapped from severity.
+- **Relevance context** (3 values): `test-fixture-no-impact`, `affects-this-machine-only`, `affects-everyone`. Computed from finding's file path — basenames matching `*.local.*` and paths containing `/tests/fixtures/` are recognized.
+- **Self-audit terminal humanization** — `formatSelfAudit()` routes through `humanizeEnvelope`. JSON path (`--json`) is unchanged; humanization applies only to the prose terminal render.
+- **Forbidden-words lint** (`tests/lint-forbidden-words.json` + runner) — 3-tier vocabulary blocklist enforced over default-mode output, ensuring humanized prose stays in plain language.
+- **Scenario read-test** (`tests/scenario-read-test.mjs` + 5 scenarios) — corpus-driven readability check covering broken hook, duplicate keys, stale @import, dead tool, oversized cascade.
+- **`tests/snapshots/v5.0.0/`** + **`tests/snapshots/v5.0.0-stderr/`** — frozen byte-equal references for SC-6 (--json) and SC-7 (--raw) backwards-compatibility tests across 8 CLIs.
+- **`tests/snapshots/default-output/`** — humanized-prose snapshots for SC-5 default-output stability.
+
+### Changed
+- **Default output of all 18 commands** now uses plain-language descriptions. Findings group by user-impact category; titles lead with prose; technical IDs (`CA-CML-001`, `CA-TOK-005`, …) surface at end-of-line as references.
+- **All 21 command and agent templates** updated to render humanized output by default and pass `--raw` through when the user requests v5.0.0 verbatim mode.
+- **CLI flag inventory** — every CLI now accepts `--raw` (new) in addition to `--json` (existing, unchanged). `--output-file <path>` still writes raw v5.0.0-shape JSON regardless of mode (humanizer-bypassed, posture-specific).
+
+### Migration
+- **No action required for existing automation** that consumes `--json` — the JSON envelope shape is byte-stable with v5.0.0 and humanizer fields are bypassed in `--json` and `--raw` paths.
+- **Tooling that scrapes stderr** from default mode (e.g., `posture.mjs`'s scorecard) needs review — default stderr now uses prose vocabulary. Pass `--raw` for byte-stable v5.0.0 verbatim stderr.
+- **No scanner-internal changes.** Finding IDs, severity ladders, scoring weights, and area scorecards are unchanged. Upgrades are presentation-layer only.
+
+### Test count
+- 635 → 792 tests across 52 test files (+157 humanizer-tester through Waves 0–5).
+- New top-level tests: `json-backcompat.test.mjs`, `raw-backcompat.test.mjs`, `scenario-read-test.test.mjs`, `snapshot-default-output.test.mjs`.
+- New lib tests: `humanizer.test.mjs`, `humanizer-data.test.mjs`, `scoring-humanizer.test.mjs`.
+- New scanner tests: `posture-humanizer.test.mjs`, `scan-orchestrator-humanizer.test.mjs`, `cli-humanizer.test.mjs`.
+
+### Out of scope (deferred to v5.1.1+)
+- **Posture `--output-file` humanization** — `posture.mjs` does not call `humanizeEnvelope`, so files written via `--output-file` are raw v5.0.0-shape JSON. Future revision: drop `--output-file` from command templates or add a `--humanized-json` flag.
+- **Knowledge cross-references** (Step 17 of plan) — not delivered per user decision (2a).
+- **Scoring scorecard JSON headline emission** — currently rendered prose-side only; command templates that want to skip stderr parsing would benefit.
+
+### Verification
+- 792/792 tests pass (`node --test 'tests/**/*.test.mjs'`)
+- `node scanners/self-audit.mjs --json --check-readme` returns `configGrade: A` (97), `pluginGrade: A` (100), `readmeCheck.passed: true`
+- README badge updated: `tests-635+` → `tests-792+`
+
 ## [5.0.0] - 2026-05-01
 
 ### Summary