chore(lint): audit:theme-tokens guard against bare --muted / --theme-* drift

Three naming conventions had drifted through the monorepo (--muted, --theme-*,
--color-*). Only the last is defined in the Mana theme; the others silently
fell back to nothing and stopped tracking theme variants. Today's cleanup
migrated ~100 files, but nothing stopped the drift from creeping back.

- scripts/audit-theme-tokens.mjs scans ~3k source files and fails if any
  references a bare shadcn token or a --theme-* prefix, with an allowlist
  for known-literal module brand colors (news-research, agent templates)
- wire into pnpm script and lint-staged (runs once per commit touching
  *.{svelte,css}, ignores per-file args)
- design-ux.md guideline: fix stale --color-destructive entry (Mana uses
  --color-error), add explicit "never bare tokens" warning with examples

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lint-staged.config.js

@@ -4,6 +4,11 @@ export default {
 		'prettier --config .prettierrc.json --write',
 	],
 	'*.{json,md,svelte,astro}': ['prettier --config .prettierrc.json --write'],
+	// Theme-token audit whenever styles-bearing files change. Runs on the
+	// whole tree (ignores staged filenames), scans ~3k files in <1s, and
+	// fails if any file re-introduces bare --muted / --theme-* references
+	// instead of Mana's canonical --color-* tokens.
+	'*.{svelte,css}': () => 'node scripts/audit-theme-tokens.mjs',
 	// Validate the tunnel config locally so a malformed ingress map can
 	// never reach main. The validator runs entirely in node (no
 	// cloudflared CLI dependency on the dev box) and catches the same