finding-normalizer
Install: `claude install-skill Eliyce/paqad-ai`
## What It Does
Normalizes evidence from docs, tests, runtime checks, and advisory feeds into stable finding entries with consistent ids, severity, effort, and reproduction data.
Finding-id prefixes recognised by the normalizer are listed under `# code-prefix` in `assets/vocabulary.txt`:
- `PEN-*` — pentest findings (security workflow).
- `DT-*` — design-test findings (design-system audit workflow; issue #76). Categories: `token | component | state | a11y | responsive | motion | copy | performance | documentation-drift`. `token` findings default to **high** severity to surface hard-coded design values (hex literals, raw px/rem, ad-hoc font stacks where a token exists).
- `MD-*` — prospective module decisions (issue #80, Phase 1). Stored under `.paqad/decisions/module-decisions/<id>.yml`; the consumer is the Attribution Gate, not the pentest workflow. Treat severity/effort/status as advisory only for `MD-*` — the binding state machine lives in `src/module-decisions/schema.ts`.
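The prefix rules above, as an added TypeScript example (not paqad-ai's own code): it rejects ids outside the three listed prefixes, validates `DT-*` categories against the list on this page, applies the `token` default, and marks `MD-*` entries advisory. The field names, the id pattern, and the sample severities `medium` and `low` are assumptions.

```typescript
// Added example, not paqad-ai's own code. Field names and the id shape are assumptions.
type Prefix = "PEN" | "DT" | "MD";
interface RawFinding { id: string; category?: string; severity?: string }
interface Finding extends RawFinding { prefix: Prefix; advisory: boolean }

// DT-* categories exactly as the page lists them.
const DT_CATEGORIES: readonly string[] = [
  "token", "component", "state", "a11y", "responsive",
  "motion", "copy", "performance", "documentation-drift",
];
// Assumed id shape: one of the three prefixes, a dash, then a non-empty suffix.
const ID_PATTERN = /^(PEN|DT|MD)-[A-Za-z0-9][A-Za-z0-9-]*$/;

function normalizeFinding(raw: RawFinding): Finding {
  const match = ID_PATTERN.exec(raw.id);
  // Fail closed: an unknown prefix is rejected, never mapped to a known workflow.
  if (match === null) throw new Error("unrecognised finding id: " + raw.id);
  const prefix = match[1] as Prefix;
  // MD-* severity/effort/status are advisory only; flag that for consumers.
  const finding: Finding = { id: raw.id, prefix: prefix, advisory: prefix === "MD" };
  if (raw.severity !== undefined) finding.severity = raw.severity;
  if (prefix === "DT") {
    if (raw.category === undefined || DT_CATEGORIES.indexOf(raw.category) === -1) {
      throw new Error("DT finding " + raw.id + " has no valid category");
    }
    finding.category = raw.category;
    // Assumption: the `token` default applies only when the evidence sets no severity.
    if (raw.category === "token" && raw.severity === undefined) finding.severity = "high";
  }
  return finding;
}

// Normalize a batch, keeping rejects visible instead of dropping them silently.
function normalizeBatch(raws: RawFinding[]): { findings: Finding[]; rejected: string[] } {
  const findings: Finding[] = [];
  const rejected: string[] = [];
  for (const raw of raws) {
    try { findings.push(normalizeFinding(raw)); }
    catch (e) { rejected.push((e as Error).message); }
  }
  return { findings, rejected };
}

// Constructed sample evidence entries (ids and severities are made up).
const SAMPLE: RawFinding[] = [
  { id: "PEN-001", severity: "medium" }, { id: "DT-014", category: "token" },
  { id: "DT-015", category: "colour" }, { id: "MD-003", severity: "low" },
  { id: "XSS-9" },
];
```

Calling `normalizeBatch(SAMPLE)` accepts the `PEN-001`, `DT-014` and `MD-003` entries and reports the other two under `rejected`.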
## Use This When
Use this after raw security evidence has been collected and needs to be turned into report-ready findings or retest statuses.
## Inputs
- Read the structured evidence payload first.
- Read `references/finding-fields.md` before setting severity or effort.
- Read retest state when the workflow is `pentest-retest`.
## Procedure
1. Deduplicate findings that describe the same risk surface.
2. Pick severity, effort, and status from the closed sets in `assets/vocabulary.txt`.
3. Preser