feat(config-audit): severity-weighted scoreByArea (v5 F3)

Replace count-based pass-rate with severity-weighted penalty:
- penalty = sum(count[s] * WEIGHTS[s])
- maxBudget = max(10, findingCount * 4)
- passRate = max(0, 100 - penalty / maxBudget * 100)

A few lows no longer crater an area's grade; a single high or critical
consumes a large fraction of budget. Mirrors the operator intuition that
severity, not count, is the signal.

BREAKING (intentional): scoring semantics differ from v4 for non-clean
configs. Add scoringVersion: 'v5' to the returned struct so consumers
can detect the version. baseline-all-a remains all-A (no critical/high
on that fixture).

Tests: +6 cases for severity weighting; existing "many findings" test
updated to use highs (where v5 still drops the grade as expected).

plugins/config-audit/scanners/lib/scoring.mjs

@@ -3,7 +3,7 @@
  * Zero external dependencies.
  */
 
-import { gradeFromPassRate } from './severity.mjs';
+import { gradeFromPassRate, WEIGHTS } from './severity.mjs';
 
 // --- Tier weights for utilization calculation ---
 const TIER_WEIGHTS = { t1: 3, t2: 2, t3: 1, t4: 1 };
@@ -162,9 +162,23 @@ function slugify(name) {
 }
 
 /**
- * Score per config area from scanner results.
+ * Compute raw severity-weighted penalty from scanner counts.
+ * Critical/high findings dominate; lows barely move the needle.
+ * @param {{ critical?: number, high?: number, medium?: number, low?: number, info?: number }} counts
+ * @returns {number}
+ */
+function severityPenalty(counts) {
+  let penalty = 0;
+  for (const [sev, weight] of Object.entries(WEIGHTS)) {
+    penalty += (counts[sev] || 0) * weight;
+  }
+  return penalty;
+}
+
+/**
+ * Score per config area from scanner results (v5: severity-weighted).
  * @param {object[]} scannerResults - Array of scanner result objects from envelope.scanners
- * @returns {{ areas: Array<{ id: string, name: string, grade: string, score: number, findingCount: number }>, overallGrade: string }}
+ * @returns {{ areas: Array<{ id: string, name: string, grade: string, score: number, findingCount: number }>, overallGrade: string, scoringVersion: string }}
  */
 export function scoreByArea(scannerResults) {
   const areas = [];
@@ -175,14 +189,16 @@ export function scoreByArea(scannerResults) {
 
     let score;
     if (result.scanner === 'GAP') {
-      // Feature coverage: utilization-based
       const util = calculateUtilization(result.findings);
       score = util.score;
     } else {
-      // Quality-based: fewer findings = higher pass rate
-      // Use a reasonable max checks per scanner for pass rate
-      const maxChecks = Math.max(findingCount + 5, 10);
-      const passRate = ((maxChecks - findingCount) / maxChecks) * 100;
+      // v5 severity-weighted: penalty proportional to a per-scanner budget.
+      // maxBudget = max(10, findingCount * 4) — adding more lows doesn't crater the
+      // grade, but a single high-severity finding consumes a large fraction of budget.
+      const counts = result.counts || {};
+      const penalty = severityPenalty(counts);
+      const maxBudget = Math.max(10, findingCount * 4);
+      const passRate = Math.max(0, 100 - (penalty / maxBudget) * 100);
       score = Math.round(passRate);
     }
 
@@ -196,7 +212,7 @@ export function scoreByArea(scannerResults) {
   const avgScore = qualityAreas.length > 0 ? Math.round(totalScore / qualityAreas.length) : 0;
   const overallGrade = gradeFromPassRate(avgScore);
 
-  return { areas, overallGrade };
+  return { areas, overallGrade, scoringVersion: 'v5' };
 }
 
 /**