# Scanner Design

## Entrypoint

- Selected entrypoint: `apps/platform/tests/Feature/Guards/UiBloatRegressionGuardTest.php`
- Helper: `apps/platform/tests/Support/UiBloat/UiBloatScanner.php`
- Command: `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Guards/UiBloatRegressionGuardTest.php`

## File Discovery

The scanner reads configured source paths only:

- `apps/platform/app/Filament`
- `apps/platform/resources/views/filament`
- `apps/platform/app/Support/EnvironmentDashboard`
- `apps/platform/app/Support/Navigation`
- `apps/platform/app/Support/OpsUx`
- `apps/platform/app/Support/SupportDiagnostics`
- `apps/platform/app/Support/Ui`
- `apps/platform/app/Support/Workspaces`

Absent optional paths are recorded, not scanned:

- `apps/platform/resources/views/components`
- `apps/platform/app/View`

The scanner does not scan `apps/platform/app/Support` wholesale.

## Extensions

- Runtime source extensions: `.php`, `.blade.php`
- Fixture strings: accepted directly by tests to prove rule behavior.

## Exclusions

The scanner excludes vendor, node modules, storage, build artifacts, generated reports, screenshots, specs, tests except explicit fixtures, translations, database dumps, and hidden cache paths.

## Surface Classification

- `customer-auditor`: path/content contains customer review, review pack, stored report, environment review, evidence snapshot, auditor, customer, review output, or review handoff markers.
- `diagnostic-support`: path/content contains diagnostics, support diagnostics, repair diagnostics, required permissions, provider readiness, or support-only markers.
- `operator`: Filament/admin/support UI source without customer/auditor or diagnostic-support markers.
- `unknown`: files outside configured UI source conventions.

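The classification rules above, sketched as an added PHP example; this is not the code in `UiBloatScanner.php`. The function names, the substring matching on normalized text, and checking `customer-auditor` before `diagnostic-support` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not the project's UiBloatScanner. Marker phrases come from the
// list above; substring matching and first-match precedence are assumptions.
const SURFACE_MARKERS = [
    'customer-auditor' => ['customer review', 'review pack', 'stored report',
        'environment review', 'evidence snapshot', 'auditor', 'customer',
        'review output', 'review handoff'],
    'diagnostic-support' => ['diagnostics', 'support diagnostics', 'repair diagnostics',
        'required permissions', 'provider readiness', 'support only'],
];

/** Lowercase, split camelCase and turn separators into spaces, so that
 *  "SupportDiagnostics", "support-only" and "review_pack" all match a marker. */
function normalizeForMarkers(string $text): string
{
    $spaced = (string) preg_replace('/(?<=[a-z0-9])(?=[A-Z])/', ' ', $text);
    return strtolower(trim((string) preg_replace('/[^A-Za-z0-9]+/', ' ', $spaced)));
}

function classifySurface(string $path, string $content, array $sourceRoots): string
{
    $inRoot = false;
    foreach ($sourceRoots as $root) {
        $inRoot = $inRoot || str_starts_with($path, rtrim($root, '/') . '/');
    }
    // ".blade.php" also ends in ".php", so one suffix check covers both extensions.
    if (!$inRoot || !str_ends_with($path, '.php')) {
        return 'unknown';
    }
    $text = normalizeForMarkers($path . ' ' . $content);
    foreach (SURFACE_MARKERS as $surface => $markers) {
        foreach ($markers as $marker) {
            if (str_contains($text, $marker)) {
                return $surface;
            }
        }
    }
    return 'operator';
}

// Constructed samples (paths and contents are made up for this example).
$roots = ['apps/platform/app/Filament', 'apps/platform/app/Support/SupportDiagnostics'];
echo classifySurface('apps/platform/app/Filament/Pages/ReviewPackPage.php', '', $roots), "\n";
echo classifySurface('apps/platform/app/Support/SupportDiagnostics/Probe.php', '', $roots), "\n";
echo classifySurface('apps/platform/app/Filament/Resources/JobResource.php', 'Retry', $roots), "\n";
echo classifySurface('apps/platform/app/Models/User.php', 'customer', $roots), "\n";
```

Under these assumptions the bare `customer` marker matches any in-scope file that mentions the word, so a file carrying both customer and diagnostics markers is classified `customer-auditor`.
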
## Finding Shape

Each finding contains:

- rule ID
- file
- matched pattern
- surface classification
- result
- severity
- reason
- suggested action
- allowlist status

## Allowlist

V1 uses an in-test empty allowlist for current repo scanning and fixture tests. No committed allowlist file is introduced in v1. The policy for a future file is documented in `allowlist-policy.md`.

## Exit Behavior

The Pest guard asserts that the current repo scan in `warn` mode has no unallowlisted blocking findings. Warning and manual-review findings are captured in `initial-scan-report.md` and do not fail v1 unless `fail` strictness is intentionally selected in tests.

## Limitations

- Text heuristics do not prove rendered DOM visibility.
- Collapsed technical-details detection is conservative and may still mark a raw/internal customer match as manual review.
- Header action overload is source-shape based and intentionally manual-review only.
- No browser, screenshot, or accessibility proof is included.