Three precision improvements that drop total findings from 2548 to 1643
without losing real violations:
1. web-hardcoded-hex: switch from grep -oE to grep -nE so the scanner
can examine each match in CONTEXT, then apply context filters:
- Skip CSS custom property DEFINITIONS: '--bl-accent: #5A8CFF'
- Skip var(--token, #fallback) patterns: defensive design-token
fallbacks for boot-order safety, not raw hardcodes
- Skip globals.css, *.tokens.*, *Theme.{ts,tsx,swift,kt} files
- Skip design-system/ and color-picker/markdown-preview tool pages
2. b5-hardcoded-product-id: scripts/ exclusion (was previously bypassed
for the script case but still caught churn-alert.ts genuinely).
3. Updates baseline report. Findings by category:
Before After
----- -----
web-hardcoded-hex 1370 465 (-66%)
b7-emoji-in-code 465 465
b4-python-print 351 351
ts-any-type 249 249
b4-console-log 93 93
b5-hardcoded-product-id 13 13
b4-swift-print 7 7
---- ----
Total 2548 1643
Remaining hex findings are now substantively real:
- flowmonk: 114 (zone seed data: { color: '#5A8CFF' })
- fastgap: 102 (BodyCanvas organ colors, organ-data.ts)
- mindlyst: 97 (mixed UI + data)
- common_plat: 59 (brand colors in login page: Google #4285F4 etc.)
- efforise: 39
- mac_tooling: 18
These fall into three classes which will be triaged in Phase 2:
A. Brand colors (Google login etc.) - keep, document as exceptions
B. Data seeds (zone colors, category colors) - migrate to design tokens
C. Inline styling (color: '#fff') - replace with var(--xx-token)
14ab38e49e