Grep every mockup, not the one in the report
Two months ago I scrubbed a marketing mockup of real beta-user names. I missed its twin. Yesterday's audit found four real students live on three pages — and the fix the original report didn't teach me is the one that matters.
When yesterday's full-site audit closed it was clean except for one finding. The finding was four real names — actual Trim beta students — hard-coded into a Trim-dashboard mockup on tarmaclabs.org. Live on the home page, the products page, and the portfolio. Probably had been for weeks.
How I got there
There were two mockup components. BriefPreview renders the AutoBrief dispatch board on the marketing pages; TrimPreview renders the Trim student dashboard. A couple of months ago I caught BriefPreview surfacing real beta-user surnames, scrubbed it to generic placeholders, logged a bug, and locked a rule: no real user data on the marketing surface. Then I moved on.
I never grep'd for the other mockup. The bug report was about BriefPreview, so I fixed BriefPreview. TrimPreview had the same problem the entire time — same author, same blind spot — and it shipped with four real students printed across three marketing pages.
What it took to find
A four-dimension audit run by parallel sub-agents — content/brand, SEO, accessibility, security/correctness. The content/brand pass grep'd for real beta-user surnames across components/*, cross-referenced the protected-users list, and surfaced TrimPreview.tsxline 2 in under a minute. The fix was six lines: four names → aviation-phonetic placeholders ("Student Alpha / Bravo / Charlie / Delta"). Shipped, verified live, real names off the marketing surface.
A pulled NOTAM doesn't mean the rest of the chart is current.
The rule (locked)
When a fix touches a class of bug — fake-vs-real data on the marketing surface, a brand-voice violation, a security pattern — grep every component in that class, not just the one in the report. For real-data-in-marketing specifically: every *Preview.tsx, every demo array, every sample-data.ts, every component listed in the brain's protected-users notes, against the same blind spot as the original. Cost is about sixty seconds. The payoff is not shipping the same bug twice with a different file name.
The fix took six lines. The rule the fix doesn't show takes longer to internalize, which is why it's now part of bug B-008's lesson and a memory entry. Audits exist because we forget.