Fix: scarcity/countdown synonym evasion (#203)

[twschiller]

Summary

Addresses red-team audit item #21 from #203 — "Scarcity / countdown synonym evasion." Each addition is anchored on a number, a fixed retail idiom, or a definite expiry verb, so the false-positive surface stays flat while closing common verbiage-swap bypasses.

Changes

scarcity-redact — synonym additions across all three pattern groups:

• SCARCITY_PATTERNS:
  • "just N left/remaining/in stock/available" — direct synonym of only N
  • "N items/units/pieces left/remaining"
  • "while supplies last" / "while stocks last" — fixed retail idiom
• DEMAND_PATTERNS:
  • "selling/going quickly" — adverbial swap on selling fast
  • "flying off the shelves" / "going off shelves" — retail-only idiom; the 80-char leaf-candidate gate keeps prose mentions out of reach
• ACTIVITY_PATTERNS:
  • "N added to cart/basket/bag/wishlist" (with optional people/shoppers/others infix) — covers the verb swap from viewing to added that benchmark scrapes turn up on Target/Amazon

countdown-timer-redact — extends the candidate surface; the existing decrement gate in reconcileCandidates still has the final word:

• URGENCY_UNIT_PATTERN: add to claim / to save to the suffix vocabulary alongside left/remaining/to go/until
• New EXPIRY_LEAD_PATTERN: (ends|expires|closes) in N <unit> — covers Sale ends in 3h, Offer expires in 45 minutes, Closes in 2d. A static Expires in 30 days badge is never replaced because the snapshot-and-confirm logic still requires the parsed value to decrease over the 1.5s window — there's an explicit test for that.

Why these and not more

Stayed XS per the audit complexity tag. Each phrase had to either:

1. require a digit anchor, or
2. be a fixed retail-only idiom that the 80-char leaf-candidate gate already isolates from prose, or
3. (countdown only) ride the existing decrement gate, which makes the false-positive question moot.

Skipped tempting-but-too-broad candidates like bare running out, last chance, hot item, trending — all FP-prone in non-retail contexts and our gates aren't tight enough to make them safe on their own.

Docs

No doc changes. The rule-list entries are abstract about phrasings ("Only 3 left", "Selling fast", "Sale ends in 12:34:56"); broadening the regex vocabulary doesn't alter the documented contract.

Test plan

• node_modules/.bin/jest src/rules/__tests__/scarcity-redact.test.ts src/rules/__tests__/countdown-timer-redact.test.ts — 106/106 pass (added 14 scarcity positives, 3 scarcity negatives, 2 countdown synonym suite cases, 2 countdown integration cases including the static-badge decrement-gate guard)
• node_modules/.bin/jest — full extension suite (1747 tests) passes
• bun run check — biome + eslint clean
• bun run typecheck — clean
• bun run knip — clean

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
agent-browser-shield-demo-site	Ready	Preview, Comment	Jun 7, 2026 7:36pm