Refined two checks that were generating false positive warnings:
1. SCRIPT_DIR check (was HIGH, now MEDIUM):
- Previously flagged ALL 59 files that define SCRIPT_DIR
- Now only flags library files (which shouldn't define paths)
- Executable scripts CORRECTLY define their own SCRIPT_DIR
- Added note explaining this is not a collision
2. USERDATA-ACCESS check (was CRITICAL, now MEDIUM):
- Reduced severity from CRITICAL to MEDIUM (code quality, not security)
- Added exclusions for legitimate use cases:
- QA script itself (searches for this pattern)
- Diagnostic/analysis tools (malware-scanner, error-analyzer, etc.)
- These tools need direct access by design
- Changed message to suggest abstractions rather than demand them
This eliminates 7 false CRITICAL warnings and 1 false HIGH warning,
making the QA report more actionable.
cschantz
a5d61ea7d8