feat(config-audit): HKV flags verbose hook output (v5 M5) [skip-docs]

Static heuristic — counts console.log / process.stdout.write lines per
referenced hook script. > 50 → low CA-HKV-NNN finding.

New fixtures:
- hooks-verbose/ (61 verbose lines → triggers)
- hooks-quiet/ (5 lines → no finding)

580 → 582 tests, all green.

plugins/config-audit/tests/scanners/hook-validator.test.mjs

@@ -71,6 +71,28 @@ describe('HKV scanner — broken project', () => {
   });
 });
 
+describe('HKV scanner — verbose hook output (v5 M5)', () => {
+  it('flags hook script with > 50 console.log/stdout.write lines (low)', async () => {
+    resetCounter();
+    const path = resolve(FIXTURES, 'hooks-verbose');
+    const discovery = await discoverConfigFiles(path);
+    const result = await scan(path, discovery);
+    const f = result.findings.find(x => /verbose hook output/i.test(x.title || ''));
+    assert.ok(f, `expected verbose-hook finding; got: ${result.findings.map(x => x.title).join(' | ')}`);
+    assert.equal(f.severity, 'low', `expected low, got ${f.severity}`);
+    assert.match(f.evidence || '', /console_log_or_stdout_lines=6\d/);
+  });
+
+  it('does NOT flag a quiet hook script', async () => {
+    resetCounter();
+    const path = resolve(FIXTURES, 'hooks-quiet');
+    const discovery = await discoverConfigFiles(path);
+    const result = await scan(path, discovery);
+    const f = result.findings.find(x => /verbose hook output/i.test(x.title || ''));
+    assert.equal(f, undefined, `expected no verbose-hook finding; got: ${f?.title}`);
+  });
+});
+
 describe('HKV scanner — empty project', () => {
   let result;
   beforeEach(async () => {