@jmruthers/pace-core 0.5.183 → 0.5.185

package/scripts/check-pace-core-compliance.cjs

@@ -0,0 +1,2353 @@
+#!/usr/bin/env node
+
+/**
+ * Static Analysis Script for pace-core Compliance
+ * @package @jmruthers/pace-core
+ * @module Scripts/check-pace-core-compliance
+ * 
+ * Scans a consuming app's codebase to check compliance with pace-core usage.
+ * Generates a report of violations and suggestions.
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+// ANSI color codes for terminal output
+const colors = {
+  reset: '\x1b[0m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  cyan: '\x1b[36m',
+  bold: '\x1b[1m'
+};
+
+// Load manifest
+function loadManifest() {
+  const manifestPath = path.join(__dirname, '../core-usage-manifest.json');
+  if (!fs.existsSync(manifestPath)) {
+    console.error(`${colors.red}Error: core-usage-manifest.json not found at ${manifestPath}${colors.reset}`);
+    process.exit(1);
+  }
+  return JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+}
+
+// Find project root (look for package.json, going up from current dir or script location)
+function findProjectRoot(startDir = process.cwd()) {
+  let current = path.resolve(startDir);
+  while (current !== path.dirname(current)) {
+    if (fs.existsSync(path.join(current, 'package.json'))) {
+      return current;
+    }
+    current = path.dirname(current);
+  }
+  return startDir;
+}
+
+// Scan provider setup in main entry files
+function scanProviderSetup(filePath, content, relativePath) {
+  const issues = [];
+  
+  // Check for UnifiedAuthProvider
+  const hasUnifiedAuthProvider = /UnifiedAuthProvider/.test(content);
+  if (!hasUnifiedAuthProvider) {
+    issues.push({
+      file: relativePath,
+      line: 1,
+      type: 'missing-provider',
+      provider: 'UnifiedAuthProvider',
+      reason: 'UnifiedAuthProvider is required. Wrap your app with UnifiedAuthProvider from @jmruthers/pace-core.',
+      recommendation: 'Import UnifiedAuthProvider from @jmruthers/pace-core and wrap your app component with it.'
+    });
+  }
+  
+  // Check for OrganisationProvider
+  const hasOrganisationProvider = /OrganisationProvider/.test(content);
+  if (hasUnifiedAuthProvider && !hasOrganisationProvider) {
+    issues.push({
+      file: relativePath,
+      line: 1,
+      type: 'missing-provider',
+      provider: 'OrganisationProvider',
+      reason: 'OrganisationProvider is recommended when using UnifiedAuthProvider. It provides organisation context.',
+      recommendation: 'Import OrganisationProvider from @jmruthers/pace-core and wrap your app inside UnifiedAuthProvider.'
+    });
+  }
+  
+  // Check provider nesting order
+  if (hasUnifiedAuthProvider) {
+    // Normalize content for better pattern matching (handle multiline JSX)
+    const normalizedContent = content.replace(/\s+/g, ' ');
+    
+    const hasBrowserRouter = /BrowserRouter/.test(content);
+    const hasQueryClientProvider = /QueryClientProvider/.test(content);
+    
+    // Only check nesting if we have both BrowserRouter and UnifiedAuthProvider
+    if (hasBrowserRouter) {
+      // Check if BrowserRouter is inside UnifiedAuthProvider (wrong order)
+      // Pattern: <UnifiedAuthProvider ...> ... <BrowserRouter
+      // This is a clear wrong pattern - only report if we see this directly
+      // BUT first check if there's a wrapper component that uses Router hooks
+      const wrapperFunctionMatch = content.match(/(?:function|const)\s+(\w*UnifiedAuthProvider\w*Wrapper)\s*[=\(]/);
+      let wrapperUsesRouterHooks = false;
+      if (wrapperFunctionMatch) {
+        const wrapperName = wrapperFunctionMatch[1];
+        const wrapperStart = content.indexOf(wrapperFunctionMatch[0]);
+        const afterWrapper = content.substring(wrapperStart);
+        let braceCount = 0;
+        let bodyStart = -1;
+        let bodyEnd = -1;
+        for (let i = 0; i < afterWrapper.length; i++) {
+          if (afterWrapper[i] === '{') {
+            if (braceCount === 0) bodyStart = i;
+            braceCount++;
+          } else if (afterWrapper[i] === '}') {
+            braceCount--;
+            if (braceCount === 0 && bodyStart !== -1) {
+              bodyEnd = i;
+              break;
+            }
+          }
+        }
+        if (bodyStart !== -1 && bodyEnd !== -1) {
+          const functionBody = afterWrapper.substring(bodyStart, bodyEnd + 1);
+          wrapperUsesRouterHooks = /useNavigate|useLocation|useParams|useSearchParams/.test(functionBody);
+        }
+      }
+      
+      const wrongNestingPattern = /<UnifiedAuthProvider[^>]*>[\s\S]*?<BrowserRouter/g;
+      // Only flag wrong nesting if there's no wrapper using Router hooks
+      if (wrongNestingPattern.test(content) && !wrapperUsesRouterHooks) {
+        const match = content.match(wrongNestingPattern);
+        issues.push({
+          file: relativePath,
+          line: getLineNumber(content, match[0]),
+          type: 'wrong-nesting',
+          reason: 'BrowserRouter should wrap UnifiedAuthProvider, not the other way around. This causes Router context errors.',
+          recommendation: 'Correct nesting order: QueryClientProvider → BrowserRouter → UnifiedAuthProvider → OrganisationProvider → App'
+        });
+      } else {
+        // Check if BrowserRouter wraps UnifiedAuthProvider (correct pattern)
+        // Look for BrowserRouter wrapping UnifiedAuthProvider or any component that might contain it
+        // Pattern: <BrowserRouter ...> ... <UnifiedAuthProvider (or wrapper component)
+        const correctNestingPattern = /<BrowserRouter[^>]*>[\s\S]*?<UnifiedAuthProvider/g;
+        
+        // Also check for wrapper components (e.g., UnifiedAuthProviderWrapper)
+        // Pattern: <BrowserRouter ...> ... <UnifiedAuthProviderWrapper ...> ... <UnifiedAuthProvider
+        const wrapperPattern = /<BrowserRouter[^>]*>[\s\S]*?(?:<UnifiedAuthProviderWrapper|<UnifiedAuthProvider)/g;
+        
+        // wrapperUsesRouterHooks is already set above, reuse it
+        const browserRouterIndex = content.indexOf('<BrowserRouter');
+        const unifiedAuthIndex = content.indexOf('UnifiedAuthProvider');
+        const wrapperIndex = content.indexOf('UnifiedAuthProviderWrapper');
+        
+        // Only report if we can clearly see a wrong pattern
+        // If BrowserRouter wraps UnifiedAuthProvider (directly or via wrapper), that's correct
+        if (browserRouterIndex !== -1 && unifiedAuthIndex !== -1) {
+          // If wrapper uses Router hooks, it must be inside BrowserRouter (correct pattern)
+          // Check if BrowserRouter comes before UnifiedAuthProviderWrapper in the JSX
+          if (wrapperUsesRouterHooks && wrapperPattern.test(content) && 
+              (browserRouterIndex < wrapperIndex || browserRouterIndex < unifiedAuthIndex || wrapperIndex === -1)) {
+            // This is correct - wrapper uses Router hooks and is inside BrowserRouter
+            // Don't report - skip to next check
+          } else if (unifiedAuthIndex < browserRouterIndex && !correctNestingPattern.test(content) && !wrapperPattern.test(content)) {
+            // Only report if we see UnifiedAuthProvider directly wrapping BrowserRouter (clear wrong pattern)
+            // AND wrapper doesn't use Router hooks (which would require BrowserRouter)
+            const unifiedWrappingRouter = /<UnifiedAuthProvider[^>]*>[\s\S]{0,200}<BrowserRouter/g;
+            if (unifiedWrappingRouter.test(content) && !wrapperUsesRouterHooks) {
+              issues.push({
+                file: relativePath,
+                line: getLineNumber(content, /BrowserRouter/.exec(content)?.index || 0),
+                type: 'wrong-nesting',
+                reason: 'UnifiedAuthProvider should be inside BrowserRouter to provide Router context.',
+                recommendation: 'Correct nesting order: QueryClientProvider → BrowserRouter → UnifiedAuthProvider → OrganisationProvider → App'
+              });
+            }
+            // If it's a wrapper component that uses Router hooks, don't report - that's acceptable
+          }
+        }
+      }
+    }
+    
+    // Check if QueryClientProvider wraps BrowserRouter
+    if (hasQueryClientProvider && hasBrowserRouter) {
+      // Check if QueryClientProvider comes before BrowserRouter in JSX structure
+      const queryBeforeRouter = /<QueryClientProvider[^>]*>[\s\S]*?<BrowserRouter/g;
+      if (!queryBeforeRouter.test(content)) {
+        // Only report if we can clearly see BrowserRouter comes before QueryClientProvider
+        const routerBeforeQuery = /<BrowserRouter[^>]*>[\s\S]*?<QueryClientProvider/g;
+        if (routerBeforeQuery.test(content)) {
+          const queryMatch = /QueryClientProvider/.exec(content);
+          issues.push({
+            file: relativePath,
+            line: getLineNumber(content, queryMatch?.index || 0),
+            type: 'wrong-nesting',
+            reason: 'QueryClientProvider should wrap BrowserRouter.',
+            recommendation: 'Correct nesting order: QueryClientProvider → BrowserRouter → UnifiedAuthProvider → OrganisationProvider → App'
+          });
+        }
+        // If we can't find either pattern, don't report - might be in wrapper components
+      }
+    }
+  }
+  
+  return issues;
+}
+
+// Scan Vite configuration for required settings
+function scanViteConfig(filePath, content, relativePath) {
+  const issues = [];
+  
+  // Check if @jmruthers/pace-core is in optimizeDeps.exclude
+  const hasOptimizeDepsExclude = /optimizeDeps\s*:\s*\{[\s\S]*?exclude/.test(content);
+  if (hasOptimizeDepsExclude) {
+    const excludeArrayMatch = content.match(/exclude\s*:\s*\[([^\]]*)\]/);
+    if (excludeArrayMatch) {
+      const excludeContent = excludeArrayMatch[1];
+      if (!excludeContent.includes('@jmruthers/pace-core')) {
+        issues.push({
+          file: relativePath,
+          line: getLineNumber(content, excludeArrayMatch[0]),
+          type: 'missing-exclude',
+          reason: '@jmruthers/pace-core should be excluded from Vite pre-bundling to prevent React context mismatches.',
+          recommendation: "Add '@jmruthers/pace-core' to optimizeDeps.exclude array."
+        });
+      }
+    } else {
+      // Check if it's a single string
+      const excludeStringMatch = content.match(/exclude\s*:\s*['"]@jmruthers\/pace-core['"]/);
+      if (!excludeStringMatch) {
+        issues.push({
+          file: relativePath,
+          line: getLineNumber(content, /exclude\s*:/.exec(content)?.index || 0),
+          type: 'missing-exclude',
+          reason: '@jmruthers/pace-core should be excluded from Vite pre-bundling.',
+          recommendation: "Add '@jmruthers/pace-core' to optimizeDeps.exclude."
+        });
+      }
+    }
+  } else {
+    issues.push({
+      file: relativePath,
+      line: getLineNumber(content, /optimizeDeps/.exec(content)?.index || 1),
+      type: 'missing-optimize-deps',
+      reason: 'optimizeDeps.exclude is missing. This can cause React context mismatch errors.',
+      recommendation: "Add optimizeDeps: { exclude: ['@jmruthers/pace-core'], include: ['react', 'react-dom', 'react-router-dom'] } to your Vite config."
+    });
+  }
+  
+  // Check if @jmruthers/pace-core is in optimizeDeps.include (should NOT be)
+  const includeArrayMatch = content.match(/include\s*:\s*\[([^\]]*)\]/);
+  if (includeArrayMatch) {
+    const includeContent = includeArrayMatch[1];
+    if (includeContent.includes('@jmruthers/pace-core')) {
+      issues.push({
+        file: relativePath,
+        line: getLineNumber(content, includeArrayMatch[0]),
+        type: 'should-exclude',
+        reason: '@jmruthers/pace-core should NOT be in optimizeDeps.include. It should be in exclude instead.',
+        recommendation: "Remove '@jmruthers/pace-core' from optimizeDeps.include and add it to optimizeDeps.exclude."
+      });
+    }
+  }
+  
+  // Check for react-router-dom in dedupe (recommended)
+  const hasDedupe = /dedupe\s*:\s*\[/.test(content);
+  if (hasDedupe) {
+    const dedupeArrayMatch = content.match(/dedupe\s*:\s*\[([^\]]*)\]/);
+    if (dedupeArrayMatch) {
+      const dedupeContent = dedupeArrayMatch[1];
+      if (!dedupeContent.includes('react-router-dom')) {
+        issues.push({
+          file: relativePath,
+          line: getLineNumber(content, dedupeArrayMatch[0]),
+          type: 'recommendation',
+          reason: 'Adding react-router-dom to resolve.dedupe is recommended to prevent Router context issues.',
+          recommendation: "Add 'react-router-dom' to resolve.dedupe array: dedupe: ['react', 'react-dom', 'react-router-dom']"
+        });
+      }
+    }
+  } else {
+    // Check if resolve exists
+    if (/resolve\s*:\s*\{/.test(content)) {
+      issues.push({
+        file: relativePath,
+        line: getLineNumber(content, /resolve\s*:/.exec(content)?.index || 1),
+        type: 'recommendation',
+        reason: 'Adding resolve.dedupe is recommended to prevent React context issues.',
+        recommendation: "Add dedupe: ['react', 'react-dom', 'react-router-dom'] to resolve config."
+      });
+    }
+  }
+  
+  // Check for react-router-dom in optimizeDeps.include (should be included, not excluded)
+  const hasOptimizeDepsInclude = /optimizeDeps\s*:\s*\{[\s\S]*?include/.test(content);
+  if (hasOptimizeDepsInclude) {
+    const includeArrayMatch = content.match(/include\s*:\s*\[([^\]]*)\]/);
+    if (includeArrayMatch) {
+      const includeContent = includeArrayMatch[1];
+      if (!includeContent.includes('react-router-dom')) {
+        issues.push({
+          file: relativePath,
+          line: getLineNumber(content, includeArrayMatch[0]),
+          type: 'recommendation',
+          reason: 'Including react-router-dom in pre-bundling is recommended to prevent module resolution issues.',
+          recommendation: "Add 'react-router-dom' to optimizeDeps.include array."
+        });
+      }
+    }
+  }
+  
+  // Warn if react-router-dom is in exclude (this causes "module is not defined" errors)
+  if (hasOptimizeDepsExclude) {
+    const excludeArrayMatch = content.match(/exclude\s*:\s*\[([^\]]*)\]/);
+    if (excludeArrayMatch) {
+      const excludeContent = excludeArrayMatch[1];
+      if (excludeContent.includes('react-router-dom')) {
+        issues.push({
+          file: relativePath,
+          line: getLineNumber(content, excludeArrayMatch[0]),
+          type: 'should-exclude',
+          reason: 'react-router-dom should NOT be excluded from pre-bundling. This causes "module is not defined" errors.',
+          recommendation: "Remove 'react-router-dom' from optimizeDeps.exclude array and add it to optimizeDeps.include instead."
+        });
+      }
+    }
+  }
+  
+  return issues;
+}
+
+// Scan Router setup in main entry files
+function scanRouterSetup(filePath, content, relativePath) {
+  const issues = [];
+  
+  // Only check main.tsx for BrowserRouter setup
+  // App.tsx might use Routes but doesn't define BrowserRouter
+  const isMainFile = relativePath.match(/^(src\/)?main\.(tsx?|jsx?)$/);
+  
+  if (isMainFile) {
+    // Check for BrowserRouter
+    const hasBrowserRouter = /BrowserRouter/.test(content);
+    if (!hasBrowserRouter) {
+      issues.push({
+        file: relativePath,
+        line: 1,
+        type: 'missing-router',
+        reason: 'BrowserRouter is required for pace-core components that use React Router hooks.',
+        recommendation: 'Import BrowserRouter from react-router-dom and wrap your app with it.'
+      });
+    }
+    
+    // Don't check nesting order here - that's handled in scanProviderSetup
+    // This function just checks if BrowserRouter exists
+  }
+  
+  // Check for Routes usage in any file (indicates Router context is needed)
+  // But only warn if it's in main.tsx and BrowserRouter is missing
+  const hasRoutes = /<Routes/.test(content) || /Routes/.test(content);
+  if (hasRoutes && isMainFile) {
+    const hasBrowserRouter = /BrowserRouter/.test(content);
+    if (!hasBrowserRouter) {
+      issues.push({
+        file: relativePath,
+        line: getLineNumber(content, /Routes/.exec(content)?.index || 0),
+        type: 'missing-router',
+        reason: 'Routes component requires BrowserRouter to provide Router context.',
+        recommendation: 'Wrap your app with BrowserRouter from react-router-dom.'
+      });
+    }
+  }
+  
+  return issues;
+}
+
+// Scan file for violations
+function scanFile(filePath, manifest) {
+  const violations = {
+    restrictedImports: [],
+    duplicateComponents: [],
+    duplicateHooks: [],
+    duplicateUtils: [],
+    suggestions: [],
+    customAuthCode: [],
+    duplicateConfig: [],
+    unprotectedPages: [],
+    directSupabaseAuth: [],
+    providerSetupIssues: [],
+    viteConfigIssues: [],
+    routerSetupIssues: [],
+    unnecessaryWrappers: []
+  };
+  
+  const content = fs.readFileSync(filePath, 'utf8');
+  const relativePath = path.relative(process.cwd(), filePath);
+  
+  // Check for restricted imports
+  manifest.restrictedImports.forEach(({ module, reason }) => {
+    const importPattern = new RegExp(`from\\s+['"]${module.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}['"]`, 'g');
+    if (importPattern.test(content)) {
+      violations.restrictedImports.push({
+        module,
+        reason,
+        file: relativePath,
+        line: getLineNumber(content, content.match(importPattern)[0])
+      });
+    }
+    
+    // Also check for @radix-ui/* pattern
+    if (module.startsWith('@radix-ui/')) {
+      const radixPattern = /from\s+['"]@radix-ui\/[^'"]+['"]/g;
+      const matches = content.match(radixPattern);
+      if (matches) {
+        matches.forEach(match => {
+          const matchedModule = match.match(/['"]([^'"]+)['"]/)[1];
+          if (!manifest.restrictedImports.find(ri => ri.module === matchedModule)) {
+            violations.restrictedImports.push({
+              module: matchedModule,
+              reason: 'Use pace-core component instead of direct Radix UI import',
+              file: relativePath,
+              line: getLineNumber(content, match)
+            });
+          }
+        });
+      }
+    }
+  });
+  
+  // Check for duplicate component names
+  const filename = path.basename(filePath);
+  const componentName = filename.replace(/\.(tsx?|jsx?)$/, '').replace(/\.(test|spec)$/, '');
+  
+  if (manifest.components.includes(componentName)) {
+    // Check if this file exports a component
+    if (content.match(/export\s+(default\s+)?(function|const|class)\s+(\w+)?/)) {
+      violations.duplicateComponents.push({
+        component: componentName,
+        file: relativePath
+      });
+    }
+  }
+  
+  // Check for duplicate hook names
+  if (filename.startsWith('use') && filename.endsWith('.ts') || filename.endsWith('.tsx')) {
+    const hookName = filename.replace(/\.(tsx?|jsx?)$/, '').replace(/\.(test|spec)$/, '');
+    if (manifest.hooks.includes(hookName)) {
+      if (content.match(/export\s+(default\s+)?(function|const)\s+(\w+)?/)) {
+        violations.duplicateHooks.push({
+          hook: hookName,
+          file: relativePath
+        });
+      }
+    }
+  }
+  
+  // Check for duplicate util names
+  const utilName = filename.replace(/\.(ts|js)$/, '').replace(/\.(test|spec)$/, '');
+  if (manifest.utils.includes(utilName)) {
+    if (content.match(/export\s+(default\s+)?(function|const)\s+(\w+)?/)) {
+      violations.duplicateUtils.push({
+        util: utilName,
+        file: relativePath
+      });
+    }
+  }
+  
+  // Check for native HTML elements that should use pace-core components
+  const nativeElementPatterns = {
+    '<button': { suggestion: 'Use Button from @jmruthers/pace-core' },
+    '<input': { suggestion: 'Use Input from @jmruthers/pace-core' },
+    '<textarea': { suggestion: 'Use Textarea from @jmruthers/pace-core' },
+    '<label': { suggestion: 'Use Label from @jmruthers/pace-core' }
+  };
+  
+  Object.entries(nativeElementPatterns).forEach(([pattern, { suggestion }]) => {
+    if (content.includes(pattern) && !content.includes('from \'@jmruthers/pace-core\'')) {
+      violations.suggestions.push({
+        type: 'native-element',
+        suggestion,
+        file: relativePath,
+        pattern
+      });
+    }
+  });
+  
+  // ============================================
+  // RBAC/Auth Compliance Checks
+  // ============================================
+  
+  // Check for custom auth/rbac/permission code that doesn't import from pace-core
+  const authRbacPatterns = [
+    // Custom auth hooks
+    { pattern: /export\s+(default\s+)?(function|const)\s+useAuth\s*[=\(]/g, name: 'useAuth', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useCurrentUser\s*[=\(]/g, name: 'useCurrentUser', type: 'hook', replacement: 'useUnifiedAuth' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useLogin\s*[=\(]/g, name: 'useLogin', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useLogout\s*[=\(]/g, name: 'useLogout', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useSession\s*[=\(]/g, name: 'useSession', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useUser\s*[=\(]/g, name: 'useUser', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useAuthentication\s*[=\(]/g, name: 'useAuthentication', type: 'hook' },
+    // Custom RBAC hooks (that query RBAC tables directly)
+    { pattern: /export\s+(default\s+)?(function|const)\s+useUserOrganisationRoles\s*[=\(]/g, name: 'useUserOrganisationRoles', type: 'hook', replacement: 'useOrganisations or pace-core RBAC hooks' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useUserRoles\s*[=\(]/g, name: 'useUserRoles', type: 'hook', replacement: 'pace-core RBAC hooks' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+usePermissions\s*[=\(]/g, name: 'usePermissions', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useCan\s*[=\(]/g, name: 'useCan', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useAccessLevel\s*[=\(]/g, name: 'useAccessLevel', type: 'hook' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useRole\s*[=\(]/g, name: 'useRole', type: 'hook' },
+    // Custom RBAC components
+    { pattern: /export\s+(default\s+)?(function|const)\s+PermissionGuard\s*[=\(]/g, name: 'PermissionGuard', type: 'component' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+AuthGuard\s*[=\(]/g, name: 'AuthGuard', type: 'component' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+RoleGuard\s*[=\(]/g, name: 'RoleGuard', type: 'component' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+AccessGuard\s*[=\(]/g, name: 'AccessGuard', type: 'component' },
+    // Custom permission utilities
+    { pattern: /export\s+(default\s+)?(function|const)\s+checkPermission\s*[=\(]/g, name: 'checkPermission', type: 'util' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+hasPermission\s*[=\(]/g, name: 'hasPermission', type: 'util' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+hasAccess\s*[=\(]/g, name: 'hasAccess', type: 'util' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+canAccess\s*[=\(]/g, name: 'canAccess', type: 'util' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+isPermitted\s*[=\(]/g, name: 'isPermitted', type: 'util' }
+  ];
+  
+  // Check if file imports from pace-core for auth/rbac
+  const hasPaceCoreImport = /from\s+['"]@jmruthers\/pace-core/.test(content) || 
+                            /from\s+['"]@jmruthers\/pace-core\/rbac/.test(content) ||
+                            /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
+  
+  authRbacPatterns.forEach(({ pattern, name, type, replacement }) => {
+    if (pattern.test(content)) {
+      // For custom RBAC hooks, always flag them even if they import from pace-core
+      // because they're duplicating functionality that should come from pace-core
+      const isCustomRBACHook = [
+        'useUserRoles',
+        'useUserOrganisationRoles',
+        'useRoleMutations',
+        'usePermissions',
+        'useCan',
+        'useAccessLevel',
+        'useRole'
+      ].includes(name);
+      
+      // Flag custom RBAC hooks even if they import from pace-core (they're still duplicating functionality)
+      // For other hooks, only flag if they don't import from pace-core
+      if (isCustomRBACHook || !hasPaceCoreImport) {
+        const replacementName = replacement || name;
+        const reason = isCustomRBACHook
+          ? `Custom ${type} '${name}' detected that duplicates pace-core functionality. Even though it may use some pace-core utilities, it implements custom role/permission management logic that should use pace-core APIs instead.`
+          : `Custom ${type} '${name}' detected. Use pace-core's ${replacementName} instead.`;
+        
+        violations.customAuthCode.push({
+          name,
+          type,
+          file: relativePath,
+          line: getLineNumber(content, content.match(pattern)[0]),
+          reason: reason,
+          replacement: replacementName,
+          severity: 'error'
+        });
+      }
+    }
+  });
+  
+  // Check for duplicate Supabase client configurations
+  const supabaseCreateClientPattern = /createClient\s*\(/g;
+  const supabaseCreateClientMatches = content.match(supabaseCreateClientPattern);
+  if (supabaseCreateClientMatches && supabaseCreateClientMatches.length > 1) {
+    violations.duplicateConfig.push({
+      type: 'supabase-client',
+      file: relativePath,
+      count: supabaseCreateClientMatches.length,
+      reason: `Multiple Supabase client instantiations found (${supabaseCreateClientMatches.length}). Consolidate to a single client configuration.`
+    });
+  }
+  
+  // Check for Supabase URL/key configuration in multiple places
+  // This check is designed to catch actual duplication, not centralized config files.
+  // A centralized config file may legitimately reference env vars multiple times:
+  // - Reading from import.meta.env or process.env
+  // - Validation/error messages
+  // - Using in createClient
+  // - Comments/documentation
+  const supabaseUrlPattern = /(SUPABASE_URL|VITE_SUPABASE_URL|NEXT_PUBLIC_SUPABASE_URL|REACT_APP_SUPABASE_URL)/g;
+  const supabaseKeyPattern = /(SUPABASE_ANON_KEY|VITE_SUPABASE_ANON_KEY|NEXT_PUBLIC_SUPABASE_ANON_KEY|REACT_APP_SUPABASE_ANON_KEY)/g;
+  const urlMatches = content.match(supabaseUrlPattern);
+  const keyMatches = content.match(supabaseKeyPattern);
+  
+  // Check if this looks like a centralized config file
+  // Config files typically:
+  // - Have "config" or "supabase" or "client" in the path
+  // - Have a single createClient call (or none, if it's just exporting env vars)
+  // - Export the env vars or the client (indicating it's the centralized location)
+  const isConfigFile = /config|supabase|client/i.test(relativePath);
+  const hasSingleCreateClient = supabaseCreateClientMatches && supabaseCreateClientMatches.length === 1;
+  const hasNoCreateClient = !supabaseCreateClientMatches || supabaseCreateClientMatches.length === 0;
+  
+  // Check if file exports env vars or client (strong indicator of centralized config)
+  // Matches: export const SUPABASE_URL = ...; export { SUPABASE_URL }; export const supabase = ...
+  const exportsEnvVars = /export\s+(const|let|var|{)\s*(SUPABASE_URL|SUPABASE_ANON_KEY|supabase)/.test(content) ||
+                         /export\s*{\s*[^}]*\b(SUPABASE_URL|SUPABASE_ANON_KEY|supabase)\b/.test(content);
+  const exportsClient = /export\s+(const|let|var)\s+supabase\s*=/.test(content) ||
+                        /export\s*{\s*[^}]*\bsupabase\b/.test(content);
+  
+  // A file is considered a centralized config if:
+  // 1. It's in a config/supabase/client path, AND
+  // 2. Has a single createClient call (typical centralized config), OR
+  // 3. Has no createClient but references env vars (env-only config file), OR
+  // 4. Exports env vars or the client (indicating it's the centralized location)
+  // The path name is the primary indicator - if it's in a config path, trust it
+  const looksLikeCentralizedConfig = isConfigFile && (
+    hasSingleCreateClient || 
+    (hasNoCreateClient && (urlMatches || keyMatches)) ||
+    exportsEnvVars ||
+    exportsClient
+  );
+  
+  // Only flag if:
+  // 1. Multiple createClient calls (already handled above), OR
+  // 2. Many references (10+) in a file that doesn't look like a centralized config
+  // Config files are allowed to have many references (read, validate, use, errors, comments, etc.)
+  const threshold = looksLikeCentralizedConfig ? 20 : 5;
+  
+  if (!looksLikeCentralizedConfig && 
+      ((urlMatches && urlMatches.length > threshold) || 
+       (keyMatches && keyMatches.length > threshold))) {
+    violations.duplicateConfig.push({
+      type: 'supabase-env',
+      file: relativePath,
+      reason: `Supabase environment variables referenced many times (${urlMatches?.length || keyMatches?.length || 0}). If this is a centralized config file, consider moving it to a file with 'config', 'supabase', or 'client' in the path, or export the values to indicate it's the centralized location.`
+    });
+  }
+  
+  // Check for unprotected pages/routes
+  // Look for route definitions without PagePermissionGuard
+  const routePatterns = [
+    /<Route\s+path=["'][^"']+["']/g,
+    /<Route\s+element\s*=/g,
+    /createBrowserRouter\s*\(/g,
+    /createRoutesFromElements/g
+  ];
+  
+  const isRouteFile = routePatterns.some(pattern => pattern.test(content));
+  const hasPagePermissionGuard = /PagePermissionGuard/.test(content) || 
+                                  /from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(content);
+  
+  if (isRouteFile && !hasPagePermissionGuard && !relativePath.includes('test') && !relativePath.includes('spec')) {
+    violations.unprotectedPages.push({
+      file: relativePath,
+      reason: 'Route file found without PagePermissionGuard. All routes should be protected with PagePermissionGuard from pace-core.'
+    });
+  }
+  
+  // Check for direct Supabase auth usage (should use UnifiedAuthProvider)
+  // This includes all variations: supabase.auth.getUser(), client.auth.getUser(), etc.
+  // Priority patterns - these are the most common violations
+  // Using multiple patterns to catch all variations
+  const priorityAuthPatterns = [
+    // Most specific patterns first
+    { pattern: /supabase\.auth\.getUser\s*\(/g, method: 'getUser', specific: true },
+    { pattern: /supabase\.auth\.getSession\s*\(/g, method: 'getSession', specific: true },
+    // Also catch with await or const destructuring
+    { pattern: /await\s+supabase\.auth\.getUser\s*\(/g, method: 'getUser', specific: true },
+    { pattern: /await\s+supabase\.auth\.getSession\s*\(/g, method: 'getSession', specific: true },
+    { pattern: /const\s+[^=]*=\s*supabase\.auth\.getUser\s*\(/g, method: 'getUser', specific: true },
+    { pattern: /const\s+[^=]*=\s*supabase\.auth\.getSession\s*\(/g, method: 'getSession', specific: true },
+    // Generic patterns for other variable names
+    { pattern: /\w+\.auth\.getUser\s*\(/g, method: 'getUser', specific: false },
+    { pattern: /\w+\.auth\.getSession\s*\(/g, method: 'getSession', specific: false }
+  ];
+  
+  // Other auth patterns
+  const otherAuthPatterns = [
+    { pattern: /\.auth\.signIn\s*\(/g, method: 'signIn' },
+    { pattern: /\.auth\.signUp\s*\(/g, method: 'signUp' },
+    { pattern: /\.auth\.signOut\s*\(/g, method: 'signOut' },
+    { pattern: /\.auth\.onAuthStateChange\s*\(/g, method: 'onAuthStateChange' }
+  ];
+  
+  // Check if file actually uses useUnifiedAuth hook (not just imports it)
+  const usesUnifiedAuthHook = /useUnifiedAuth\s*\(/.test(content);
+  const hasUnifiedAuthImport = /UnifiedAuthProvider/.test(content) || 
+                               /useUnifiedAuth/.test(content) ||
+                               /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
+  
+  // Check for usage of useCurrentUser hook (even if imported from local file)
+  // This catches both local imports and direct usage
+  const useCurrentUserImportPattern = /import\s+.*useCurrentUser.*from\s+['"][^'"]*['"]/g;
+  const useCurrentUserUsagePattern = /useCurrentUser\s*\(/g;
+  
+  // Check for local import (not from pace-core)
+  const useCurrentUserImportMatch = content.match(useCurrentUserImportPattern);
+  if (useCurrentUserImportMatch) {
+    const isFromPaceCore = useCurrentUserImportMatch.some(match => match.includes('@jmruthers/pace-core'));
+    if (!isFromPaceCore) {
+      useCurrentUserImportMatch.forEach(match => {
+        violations.customAuthCode.push({
+          name: 'useCurrentUser import',
+          type: 'hook import',
+          file: relativePath,
+          line: getLineNumber(content, match),
+          reason: 'useCurrentUser imported from local file. Replace with useUnifiedAuth from pace-core.',
+          replacement: 'useUnifiedAuth from @jmruthers/pace-core'
+        });
+      });
+    }
+  }
+  
+  // Check for usage (even if imported)
+  const useCurrentUserUsageMatches = content.match(useCurrentUserUsagePattern);
+  if (useCurrentUserUsageMatches && !usesUnifiedAuthHook) {
+    useCurrentUserUsageMatches.forEach(match => {
+      violations.customAuthCode.push({
+        name: 'useCurrentUser',
+        type: 'hook usage',
+        file: relativePath,
+        line: getLineNumber(content, match),
+        reason: 'useCurrentUser hook usage detected. Replace with useUnifiedAuth from pace-core.',
+        replacement: 'useUnifiedAuth'
+      });
+    });
+  }
+  
+  // Check priority patterns first (getUser, getSession) - these should always be flagged
+  // Use exec in a loop to get all matches with their correct positions
+  priorityAuthPatterns.forEach(({ pattern, method, specific }) => {
+    // Reset regex for each pattern
+    const regex = new RegExp(pattern.source, pattern.flags);
+    regex.lastIndex = 0; // Reset to start
+    
+    let match;
+    while ((match = regex.exec(content)) !== null) {
+      // Prevent infinite loops on zero-length matches
+      if (match.index === regex.lastIndex) {
+        regex.lastIndex++;
+        continue;
+      }
+      
+      const matchIndex = match.index;
+      const matchText = match[0];
+      
+      // Simple comment check - only skip if clearly in a line comment
+      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
+      const lineUpToMatch = content.substring(lineStart, matchIndex);
+      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
+      
+      // Only skip if clearly in a comment - be conservative
+      if (!isInLineComment) {
+        violations.directSupabaseAuth.push({
+          file: relativePath,
+          line: getLineNumber(content, matchText),
+          reason: `Direct Supabase auth usage detected (${method}). Use useUnifiedAuth hook from pace-core instead.`,
+          method,
+          recommendation: specific 
+            ? method === 'getUser' 
+              ? `Replace with: const { user } = useUnifiedAuth(); then use user?.id instead of calling supabase.auth.getUser()`
+              : `Replace with: const { session } = useUnifiedAuth(); then use session?.access_token instead of calling supabase.auth.getSession()`
+            : `Use useUnifiedAuth hook from @jmruthers/pace-core instead of direct auth calls`
+        });
+      }
+    }
+  });
+  
+  // Additional simple pattern check as fallback - look for literal strings
+  // This catches cases where the regex might miss due to formatting
+  const simpleAuthPatterns = [
+    { search: 'supabase.auth.getUser(', method: 'getUser' },
+    { search: 'supabase.auth.getSession(', method: 'getSession' }
+  ];
+  
+  simpleAuthPatterns.forEach(({ search, method }) => {
+    let searchIndex = 0;
+    while ((searchIndex = content.indexOf(search, searchIndex)) !== -1) {
+      // Skip if in a line comment
+      const lineStart = content.lastIndexOf('\n', searchIndex) + 1;
+      const lineUpToMatch = content.substring(lineStart, searchIndex);
+      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
+      
+      if (!isInLineComment) {
+        // Calculate line number from index
+        const lineNum = content.substring(0, searchIndex).split('\n').length;
+        
+        // Check if we already reported this (might overlap with regex matches)
+        const alreadyReported = violations.directSupabaseAuth.some(v => 
+          v.file === relativePath && 
+          Math.abs(v.line - lineNum) <= 2
+        );
+        
+        if (!alreadyReported) {
+          violations.directSupabaseAuth.push({
+            file: relativePath,
+            line: lineNum,
+            reason: `Direct Supabase auth usage detected (${method}). Use useUnifiedAuth hook from pace-core instead.`,
+            method,
+            recommendation: method === 'getUser' 
+              ? `Replace with: const { user } = useUnifiedAuth(); then use user?.id instead of calling supabase.auth.getUser()`
+              : `Replace with: const { session } = useUnifiedAuth(); then use session?.access_token instead of calling supabase.auth.getSession()`
+          });
+        }
+      }
+      
+      searchIndex += search.length; // Move past this match
+    }
+  });
+  
+  // Check other auth patterns - flag if not using useUnifiedAuth
+  otherAuthPatterns.forEach(({ pattern, method }) => {
+    let match;
+    const regex = new RegExp(pattern.source, pattern.flags);
+    
+    while ((match = regex.exec(content)) !== null) {
+      // Prevent infinite loops on zero-length matches
+      if (match.index === regex.lastIndex) {
+        regex.lastIndex++;
+      }
+      
+      const matchIndex = match.index;
+      const matchText = match[0];
+      
+      // Skip if this is in a comment or string literal
+      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
+      const lineBeforeMatch = content.substring(lineStart, matchIndex);
+      const isInLineComment = /\/\/[^\n]*$/.test(lineBeforeMatch);
+      const beforeMatch = content.substring(Math.max(0, matchIndex - 100), matchIndex);
+      const afterMatch = content.substring(matchIndex, Math.min(content.length, matchIndex + matchText.length + 50));
+      const isInBlockComment = /\/\*[\s\S]*?\*\//.test(beforeMatch + matchText + afterMatch);
+      
+      // Check if it's in a string literal
+      const beforeQuotes = content.substring(0, matchIndex);
+      const singleQuotes = (beforeQuotes.match(/'/g) || []).length;
+      const doubleQuotes = (beforeQuotes.match(/"/g) || []).length;
+      const backticks = (beforeQuotes.match(/`/g) || []).length;
+      const isInString = (singleQuotes % 2 === 1 && beforeMatch.endsWith("'")) ||
+                        (doubleQuotes % 2 === 1 && beforeMatch.endsWith('"')) ||
+                        (backticks % 2 === 1 && beforeMatch.endsWith('`'));
+      
+      if (!isInLineComment && !isInBlockComment && !isInString && !usesUnifiedAuthHook) {
+        violations.directSupabaseAuth.push({
+          file: relativePath,
+          line: getLineNumber(content, matchText),
+          reason: `Direct Supabase auth usage detected (${method}). Use UnifiedAuthProvider and useUnifiedAuth from pace-core instead.`,
+          method
+        });
+      }
+    }
+  });
+  
+  // Check for direct RBAC table queries (should use pace-core RBAC APIs/RPC functions)
+  // List of all RBAC tables with specific recommendations
+  const rbacTables = [
+    // Core RBAC tables - should use pace-core APIs
+    { name: 'rbac_organisation_roles', type: 'role', recommendation: 'Use rbac_role_grant/rbac_role_revoke RPC functions for mutations, or useOrganisations hook for queries' },
+    { name: 'rbac_event_app_roles', type: 'role', recommendation: 'Use rbac_role_grant/rbac_role_revoke RPC functions for mutations, or pace-core RBAC APIs (useRBAC, usePermissions) for queries' },
+    { name: 'rbac_global_roles', type: 'role', recommendation: 'Use rbac_role_grant/rbac_role_revoke RPC functions for mutations, or pace-core RBAC APIs (useRBAC) for queries' },
+    { name: 'rbac_apps', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs' },
+    { name: 'rbac_app_pages', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core permission management APIs or PagePermissionGuard' },
+    { name: 'rbac_page_permissions', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core permission management APIs or PagePermissionGuard' },
+    { name: 'rbac_user_units', type: 'user_data', recommendation: 'Use useSecureSupabase or useSecureDataAccess. For reading, consider data_user_unit_get RPC function' },
+    // User data tables - acceptable to query but must use secure methods
+    { name: 'rbac_user_profiles', type: 'user_data', recommendation: 'Use useSecureSupabase or useSecureDataAccess from pace-core to ensure organisation context is enforced' },
+    { name: 'rbac_user_login_history', type: 'audit', recommendation: 'Use useSecureSupabase or useSecureDataAccess from pace-core. Login history is automatically tracked by UnifiedAuthProvider, but queries should use secure methods' },
+    { name: 'rbac_user_sessions', type: 'session', recommendation: 'Use useSecureSupabase or useSecureDataAccess from pace-core to ensure organisation context is enforced' }
+  ];
+  
+  // Detect admin/management context
+  const isAdminContext = 
+    relativePath.includes('/admin/') ||
+    relativePath.includes('/superadmin/') ||
+    relativePath.includes('/permissions/') ||
+    relativePath.includes('/management/') ||
+    /(Admin|Manager|Management|Permissions)[^/]*\.(tsx?|jsx?)$/.test(relativePath);
+  
+  // Multiple patterns to catch all variations
+  const rbacTablePatterns = [
+    /\.from\s*\(\s*['"]rbac_/g,  // .from('rbac_ or .from("rbac_
+    /from\s*\(\s*['"]rbac_/g,     // from('rbac_ (without dot)
+    /\.select\s*\([^)]*from\s+['"]rbac_/g,  // .select(...).from('rbac_
+    /supabase\.from\s*\(\s*['"]rbac_/g  // supabase.from('rbac_
+  ];
+  
+  // Check if file uses pace-core RBAC APIs (if it does, direct queries might be acceptable in some cases)
+  // But we still want to flag them as they should use the APIs
+  const hasRBACImport = /from\s+['"]@jmruthers\/pace-core\/rbac/.test(content) ||
+                        /useRBAC/.test(content) ||
+                        /usePermissions/.test(content) ||
+                        /useSecureSupabase/.test(content) ||
+                        /useSecureDataAccess/.test(content) ||
+                        /PagePermissionGuard/.test(content);
+  
+  // Check if file uses useSecureDataAccess hook
+  const usesSecureDataAccess = /useSecureDataAccess/.test(content);
+  
+  // Check if file destructures secure methods from useSecureDataAccess
+  const hasSecureMethods = /(const|let)\s*\{[^}]*secure(Query|Update|Insert|Delete)/.test(content) ||
+                          /secure(Query|Update|Insert|Delete)\s*\(/.test(content);
+  
+  // First, identify all variables assigned from secure hooks
+  // Match patterns like: const supabase = useSecureSupabase(); or let client = useSecureDataAccess();
+  // Also detect fromSupabaseClient and wrapper patterns
+  const secureVariablePatterns = [
+    /const\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g,
+    /const\s+(\w+)\s*=\s*useSecureDataAccess\s*\(/g,
+    /let\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g,
+    /let\s+(\w+)\s*=\s*useSecureDataAccess\s*\(/g,
+    /(\w+)\s*=\s*useSecureSupabase\s*\(/g,
+    /(\w+)\s*=\s*useSecureDataAccess\s*\(/g,
+    // Detect fromSupabaseClient usage
+    /const\s+(\w+)\s*=\s*fromSupabaseClient\s*\(/g,
+    /let\s+(\w+)\s*=\s*fromSupabaseClient\s*\(/g,
+    /(\w+)\s*=\s*fromSupabaseClient\s*\(/g
+  ];
+  
+  // Check for fromSupabaseClient import
+  const hasFromSupabaseClientImport = /import.*fromSupabaseClient.*from\s+['"]@jmruthers\/pace-core\/rbac/.test(content);
+  
+  // Check for wrapper functions that use fromSupabaseClient
+  // Pattern: function/hook that imports fromSupabaseClient and returns a client
+  const wrapperFunctionPattern = /(export\s+)?(function|const)\s+(\w+)\s*[=\(][\s\S]{0,500}fromSupabaseClient/g;
+  const wrapperMatches = content.match(wrapperFunctionPattern);
+  const wrapperFunctionNames = new Set();
+  if (wrapperMatches) {
+    wrapperMatches.forEach(match => {
+      const funcMatch = match.match(/(?:function|const)\s+(\w+)\s*[=\(]/);
+      if (funcMatch && funcMatch[1]) {
+        wrapperFunctionNames.add(funcMatch[1]);
+      }
+    });
+  }
+  
+  // Also check for useSecureClient or similar wrapper patterns
+  const useSecureClientPattern = /(const|let)\s+(\w+)\s*=\s*useSecureClient\s*\(/g;
+  let useSecureClientMatch;
+  while ((useSecureClientMatch = useSecureClientPattern.exec(content)) !== null) {
+    if (useSecureClientMatch[2] && hasFromSupabaseClientImport) {
+      // If useSecureClient is used and file imports fromSupabaseClient, it's likely a wrapper
+      wrapperFunctionNames.add(useSecureClientMatch[2]);
+    }
+  }
+  
+  const secureVariables = new Set();
+  secureVariablePatterns.forEach(pattern => {
+    let match;
+    const regex = new RegExp(pattern.source, pattern.flags);
+    regex.lastIndex = 0;
+    while ((match = regex.exec(content)) !== null) {
+      if (match[1]) {
+        secureVariables.add(match[1]);
+        // Debug: log detected secure variables (can be removed later)
+        // console.log(`Detected secure variable: ${match[1]} from pattern ${pattern.source}`);
+      }
+    }
+  });
+  
+  // Also check for variables assigned from useSecureSupabase with different names
+  // Pattern: const <anyName> = useSecureSupabase();
+  const anySecureSupabasePattern = /(const|let)\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g;
+  let anySecureMatch;
+  while ((anySecureMatch = anySecureSupabasePattern.exec(content)) !== null) {
+    if (anySecureMatch[2]) {
+      secureVariables.add(anySecureMatch[2]);
+    }
+  }
+  
+  // Add wrapper function return values to secure variables
+  wrapperFunctionNames.forEach(wrapperName => {
+    // Find variables assigned from wrapper functions
+    const wrapperUsagePattern = new RegExp(`(const|let)\\s+(\\w+)\\s*=\\s*${wrapperName}\\s*\\(`, 'g');
+    let wrapperUsageMatch;
+    while ((wrapperUsageMatch = wrapperUsagePattern.exec(content)) !== null) {
+      if (wrapperUsageMatch[2]) {
+        secureVariables.add(wrapperUsageMatch[2]);
+      }
+    }
+  });
+  
+  // Debug: Log detected secure variables (only in verbose mode if needed)
+  // For now, we'll trust the detection works
+  
+  // Check each RBAC table specifically
+  rbacTables.forEach(({ name: tableName, type, recommendation }) => {
+    // Pattern to match the table name in a .from() call
+    // Match: variable.from('table_name') or variable\n.from('table_name') (handles newlines)
+    // First, find all .from('table_name') calls
+    const fromPattern = new RegExp(`\\.from\\s*\\(\\s*['"]${tableName.replace(/_/g, '\\_')}['"]`, 'g');
+    let match;
+    const regex = new RegExp(fromPattern.source, fromPattern.flags);
+    regex.lastIndex = 0;
+    
+    // Also check for secureQuery/secureUpdate/secureInsert/secureDelete calls
+    // Pattern: secureQuery('table_name', ...) or secureUpdate('table_name', ...)
+    const secureQueryPattern = new RegExp(`(secureQuery|secureUpdate|secureInsert|secureDelete)\\s*\\(\\s*['"]${tableName.replace(/_/g, '\\_')}['"]`, 'g');
+    let secureMatch;
+    const secureRegex = new RegExp(secureQueryPattern.source, secureQueryPattern.flags);
+    secureRegex.lastIndex = 0;
+    
+    while ((match = regex.exec(content)) !== null) {
+      if (match.index === regex.lastIndex) {
+        regex.lastIndex++;
+        continue;
+      }
+      
+      const matchIndex = match.index;
+      
+      // Look backwards to find the variable name (handle newlines and whitespace)
+      // Look back up to 200 characters to find the variable
+      const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
+      // Find the last word/identifier before .from
+      // Split by .from and get the last part, then extract the last word
+      const parts = beforeMatch.split('.from');
+      let variableName = null;
+      if (parts.length > 0) {
+        const beforeFrom = parts[parts.length - 1].trim();
+        // Extract the last word (identifier) from the string before .from
+        // Handle cases like: "supabase\n  " or "await supabase\n  " or "supabase"
+        const words = beforeFrom.match(/\b\w+\b/g);
+        if (words && words.length > 0) {
+          variableName = words[words.length - 1];
+        }
+      }
+      
+      // Skip if in a line comment
+      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
+      const lineUpToMatch = content.substring(lineStart, matchIndex);
+      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
+      
+      if (!isInLineComment && variableName) {
+        const lineNumber = content.substring(0, matchIndex).split('\n').length;
+        const isUserDataOrAudit = type === 'user_data' || type === 'audit';
+        const isConfigTable = type === 'config';
+        
+        // Check if the variable comes from a secure hook
+        // Check both the secureVariables set and also check if the variable is assigned from useSecureSupabase/useSecureDataAccess
+        // Escape special regex characters in variable name and use multiline flag to handle newlines
+        const escapedVarName = variableName ? variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') : '';
+        const isUsingSecureVariable = secureVariables.has(variableName) ||
+          (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content)) ||
+          (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureDataAccess\\s*\\(`, 'm').test(content));
+        
+        // Determine severity based on context
+        let severity = 'error';
+        let reason = '';
+        
+        if (isUserDataOrAudit) {
+          if (isUsingSecureVariable) {
+            // Correct usage - skip it
+            continue;
+          } else {
+            severity = 'error';
+            reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase or useSecureDataAccess to ensure organisation context is enforced and RLS policies are respected.`;
+          }
+        } else if (isConfigTable) {
+          if (isUsingSecureVariable) {
+            // Using secure methods for config tables - acceptable (admin operations or hooks using secure methods)
+            // Don't flag if using secure methods, regardless of admin context
+            continue;
+          } else if (isAdminContext) {
+            // Admin operations without secure methods - warning
+            severity = 'warning';
+            reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
+          } else {
+            // Not admin context and not using secure methods - error
+            severity = 'error';
+            reason = `Direct query to RBAC configuration table '${tableName}' detected. These are system configuration tables. For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs.`;
+          }
+        } else {
+          // Role/permission tables - always error, even in admin context
+          // These should use pace-core APIs or RPC functions, not direct queries
+          severity = 'error';
+          reason = `Direct query to RBAC role/permission table '${tableName}' detected. Use pace-core RBAC APIs (useRBAC, usePermissions) or RPC functions (rbac_role_grant, rbac_role_revoke, rbac_roles_list) instead of direct queries, even in admin contexts.`;
+        }
+        
+        violations.customAuthCode.push({
+          name: `Direct RBAC table query (${tableName})`,
+          type: 'rbac query',
+          file: relativePath,
+          line: lineNumber,
+          reason: reason,
+          replacement: recommendation,
+          severity: severity
+        });
+      }
+    }
+    
+    // Check for secureQuery/secureUpdate/secureInsert/secureDelete calls
+    while ((secureMatch = secureRegex.exec(content)) !== null) {
+      if (secureMatch.index === secureRegex.lastIndex) {
+        secureRegex.lastIndex++;
+        continue;
+      }
+      
+      const secureMatchIndex = secureMatch.index;
+      const secureMethod = secureMatch[1]; // secureQuery, secureUpdate, etc.
+      
+      // Skip if in a line comment
+      const secureLineStart = content.lastIndexOf('\n', secureMatchIndex) + 1;
+      const secureLineUpToMatch = content.substring(secureLineStart, secureMatchIndex);
+      const isSecureInLineComment = /\/\/[^\n]*$/.test(secureLineUpToMatch);
+      
+      if (!isSecureInLineComment) {
+        const secureLineNumber = content.substring(0, secureMatchIndex).split('\n').length;
+        const isUserDataOrAudit = type === 'user_data' || type === 'audit';
+        const isConfigTable = type === 'config';
+        const isRoleTable = type === 'role';
+        
+        // Determine severity - role tables should always be errors (should use pace-core APIs)
+        // Config tables in admin context with secure methods are acceptable
+        // User data/audit tables with secure methods are acceptable
+        let severity = 'error';
+        let reason = '';
+        
+        if (isRoleTable) {
+          // Role tables should use pace-core APIs, not secureQuery
+          severity = 'error';
+          reason = `Direct query to RBAC role table '${tableName}' using ${secureMethod} detected. Role tables should use pace-core RBAC APIs (useRBAC, usePermissions) or RPC functions (rbac_role_grant, rbac_role_revoke, rbac_roles_list) instead of direct queries.`;
+        } else if (isUserDataOrAudit) {
+          // User data/audit tables with secure methods are acceptable
+          continue; // Skip - this is correct usage
+        } else if (isConfigTable) {
+          // Config tables using secure methods - acceptable for admin operations
+          // If using secureQuery/secureUpdate/etc., it's already using secure methods
+          if (isAdminContext || usesSecureDataAccess) {
+            // Config tables in admin context or using secure methods - acceptable
+            continue; // Skip - this is correct usage for admin operations
+          } else {
+            severity = 'error';
+            reason = `Direct query to RBAC configuration table '${tableName}' using ${secureMethod} detected. These are system configuration tables. For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs.`;
+          }
+        } else {
+          severity = 'error';
+          reason = `Direct query to RBAC table '${tableName}' using ${secureMethod} detected. Use pace-core RBAC APIs instead.`;
+        }
+        
+        violations.customAuthCode.push({
+          name: `Direct RBAC table query via ${secureMethod} (${tableName})`,
+          type: 'rbac query',
+          file: relativePath,
+          line: secureLineNumber,
+          reason: reason,
+          replacement: recommendation,
+          severity: severity
+        });
+      }
+    }
+  });
+  
+  // Also check generic pattern as fallback (for patterns that might not match the specific table patterns)
+  rbacTablePatterns.forEach(pattern => {
+    let match;
+    const regex = new RegExp(pattern.source, pattern.flags);
+    regex.lastIndex = 0;
+    
+    while ((match = regex.exec(content)) !== null) {
+      if (match.index === regex.lastIndex) {
+        regex.lastIndex++;
+        continue;
+      }
+      
+      const matchIndex = match.index;
+      const matchText = match[0];
+      
+      // Extract table name
+      const afterMatch = content.substring(matchIndex, Math.min(content.length, matchIndex + 100));
+      const tableMatch = afterMatch.match(/['"]rbac_([^'"]+)['"]/);
+      const tableName = tableMatch ? `rbac_${tableMatch[1]}` : 'rbac_*';
+      
+      // Find the table config to check if it's user_data or audit
+      const tableConfig = rbacTables.find(t => t.name === tableName);
+      const isUserDataOrAudit = tableConfig && (tableConfig.type === 'user_data' || tableConfig.type === 'audit');
+      const isConfigTable = tableConfig && tableConfig.type === 'config';
+      
+      // Extract variable name if pattern matches variable.from() (handle newlines)
+      let variableName = null;
+      const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
+      // Find the last word/identifier before .from (same logic as main pattern)
+      const parts = beforeMatch.split('.from');
+      if (parts.length > 0) {
+        const beforeFrom = parts[parts.length - 1].trim();
+        const words = beforeFrom.match(/\b\w+\b/g);
+        if (words && words.length > 0) {
+          variableName = words[words.length - 1];
+        }
+      }
+      
+      // Check if using secure variable (check both set and direct pattern match)
+      // Escape special regex characters in variable name and use multiline flag to handle newlines
+      const escapedVarName = variableName ? variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') : '';
+      const isUsingSecureVariable = (variableName && secureVariables.has(variableName)) ||
+        (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content)) ||
+        (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureDataAccess\\s*\\(`, 'm').test(content));
+      
+      // Skip if we already reported this specific table
+      const alreadyReported = violations.customAuthCode.some(v => 
+        v.file === relativePath && 
+        v.name && v.name.includes(tableName) &&
+        Math.abs(v.line - content.substring(0, matchIndex).split('\n').length) <= 2
+      );
+      
+      // Skip if in a line comment
+      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
+      const lineUpToMatch = content.substring(lineStart, matchIndex);
+      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
+      
+      // Skip if using secure variable for user_data/audit tables (correct usage)
+      // isUsingSecureVariable is already declared above
+      if (isUsingSecureVariable && isUserDataOrAudit) {
+        continue; // This is correct usage, don't flag it
+      }
+      
+      // Determine severity for config tables in admin context
+      let severity = 'error';
+      let reason = '';
+      
+      if (isConfigTable && (isAdminContext || usesSecureDataAccess) && (isUsingSecureVariable || hasSecureMethods)) {
+        // Admin operations with secure methods - acceptable, skip
+        continue;
+      } else if (isConfigTable && isAdminContext && !isUsingSecureVariable && !hasSecureMethods) {
+        severity = 'warning';
+        reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
+      } else if (isConfigTable && !isAdminContext) {
+        severity = 'error';
+        reason = `Direct query to RBAC configuration table '${tableName}' detected. These are system configuration tables. For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs.`;
+      } else if (isUserDataOrAudit) {
+        if (isUsingSecureVariable || hasSecureMethods) {
+          // User data/audit tables with secure methods - acceptable, skip
+          continue;
+        }
+        severity = 'error';
+        reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase or useSecureDataAccess to ensure organisation context is enforced and RLS policies are respected.`;
+      } else {
+        severity = 'error';
+        reason = `Direct query to RBAC table '${tableName}' detected. Use pace-core RBAC hooks, RPC functions, or useSecureSupabase instead.`;
+      }
+      
+      if (!alreadyReported && !isInLineComment) {
+        violations.customAuthCode.push({
+          name: `Direct RBAC table query (${tableName})`,
+          type: 'rbac query',
+          file: relativePath,
+          line: content.substring(0, matchIndex).split('\n').length,
+          reason: reason,
+          replacement: tableConfig ? tableConfig.recommendation : 'pace-core RBAC APIs (useRBAC, usePermissions, RPC functions)',
+          severity: severity
+        });
+      }
+    }
+  });
+  
+  // Check for direct permission table CRUD operations
+  // This includes both .from().insert/update/delete patterns AND secureUpdate/secureInsert/secureDelete calls
+  const permissionCrudPatterns = [
+    // .from() patterns
+    { 
+      pattern: /\.from\s*\(\s*['"]rbac_page_permissions['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
+      table: 'rbac_page_permissions', 
+      operation: 'CRUD',
+      isConfig: true,
+      method: 'from'
+    },
+    { 
+      pattern: /\.from\s*\(\s*['"]rbac_app_pages['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
+      table: 'rbac_app_pages', 
+      operation: 'CRUD',
+      isConfig: true,
+      method: 'from'
+    },
+    { 
+      pattern: /\.from\s*\(\s*['"]rbac_apps['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
+      table: 'rbac_apps', 
+      operation: 'CRUD',
+      isConfig: true,
+      method: 'from'
+    },
+    { 
+      pattern: /\.from\s*\(\s*['"]rbac_organisation_roles['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
+      table: 'rbac_organisation_roles', 
+      operation: 'CRUD',
+      isRole: true,
+      roleType: 'organisation',
+      method: 'from'
+    },
+    { 
+      pattern: /\.from\s*\(\s*['"]rbac_event_app_roles['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
+      table: 'rbac_event_app_roles', 
+      operation: 'CRUD',
+      isRole: true,
+      roleType: 'event_app',
+      method: 'from'
+    },
+    { 
+      pattern: /\.from\s*\(\s*['"]rbac_global_roles['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
+      table: 'rbac_global_roles', 
+      operation: 'CRUD',
+      isRole: true,
+      roleType: 'global',
+      method: 'from'
+    },
+    { 
+      pattern: /\.from\s*\(\s*['"]rbac_user_units['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
+      table: 'rbac_user_units', 
+      operation: 'CRUD',
+      isUserData: true,
+      method: 'from'
+    },
+    // secureUpdate/secureInsert/secureDelete patterns
+    { 
+      pattern: /secureUpdate\s*\(\s*['"]rbac_page_permissions['"]/g, 
+      table: 'rbac_page_permissions', 
+      operation: 'update',
+      isConfig: true,
+      method: 'secureUpdate'
+    },
+    { 
+      pattern: /secureInsert\s*\(\s*['"]rbac_page_permissions['"]/g, 
+      table: 'rbac_page_permissions', 
+      operation: 'insert',
+      isConfig: true,
+      method: 'secureInsert'
+    },
+    { 
+      pattern: /secureUpdate\s*\(\s*['"]rbac_app_pages['"]/g, 
+      table: 'rbac_app_pages', 
+      operation: 'update',
+      isConfig: true,
+      method: 'secureUpdate'
+    },
+    { 
+      pattern: /secureInsert\s*\(\s*['"]rbac_app_pages['"]/g, 
+      table: 'rbac_app_pages', 
+      operation: 'insert',
+      isConfig: true,
+      method: 'secureInsert'
+    },
+    { 
+      pattern: /secureUpdate\s*\(\s*['"]rbac_apps['"]/g, 
+      table: 'rbac_apps', 
+      operation: 'update',
+      isConfig: true,
+      method: 'secureUpdate'
+    },
+    { 
+      pattern: /secureInsert\s*\(\s*['"]rbac_apps['"]/g, 
+      table: 'rbac_apps', 
+      operation: 'insert',
+      isConfig: true,
+      method: 'secureInsert'
+    },
+    { 
+      pattern: /secureUpdate\s*\(\s*['"]rbac_organisation_roles['"]/g, 
+      table: 'rbac_organisation_roles', 
+      operation: 'update',
+      isRole: true,
+      roleType: 'organisation',
+      method: 'secureUpdate'
+    },
+    { 
+      pattern: /secureInsert\s*\(\s*['"]rbac_organisation_roles['"]/g, 
+      table: 'rbac_organisation_roles', 
+      operation: 'insert',
+      isRole: true,
+      roleType: 'organisation',
+      method: 'secureInsert'
+    },
+    { 
+      pattern: /secureUpdate\s*\(\s*['"]rbac_event_app_roles['"]/g, 
+      table: 'rbac_event_app_roles', 
+      operation: 'update',
+      isRole: true,
+      roleType: 'event_app',
+      method: 'secureUpdate'
+    },
+    { 
+      pattern: /secureInsert\s*\(\s*['"]rbac_event_app_roles['"]/g, 
+      table: 'rbac_event_app_roles', 
+      operation: 'insert',
+      isRole: true,
+      roleType: 'event_app',
+      method: 'secureInsert'
+    },
+    { 
+      pattern: /secureUpdate\s*\(\s*['"]rbac_global_roles['"]/g, 
+      table: 'rbac_global_roles', 
+      operation: 'update',
+      isRole: true,
+      roleType: 'global',
+      method: 'secureUpdate'
+    },
+    { 
+      pattern: /secureInsert\s*\(\s*['"]rbac_global_roles['"]/g, 
+      table: 'rbac_global_roles', 
+      operation: 'insert',
+      isRole: true,
+      roleType: 'global',
+      method: 'secureInsert'
+    }
+  ];
+  
+  permissionCrudPatterns.forEach(({ pattern, table, operation, isConfig, isRole, roleType, isUserData, method }) => {
+    let match;
+    const regex = new RegExp(pattern.source, pattern.flags);
+    regex.lastIndex = 0;
+    
+    while ((match = regex.exec(content)) !== null) {
+      if (match.index === regex.lastIndex) {
+        regex.lastIndex++;
+        continue;
+      }
+      
+      const matchIndex = match.index;
+      const matchText = match[0];
+      // For .from() patterns, match[1] is the CRUD method; for secure* patterns, operation is already set
+      const crudMethod = method === 'from' ? match[1] : operation;
+      
+      // Skip if in a line comment
+      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
+      const lineUpToMatch = content.substring(lineStart, matchIndex);
+      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
+      
+      if (!isInLineComment) {
+        let reason = '';
+        let replacement = '';
+        let severity = 'error';
+        let example = '';
+        
+        if (isRole) {
+          // Role mutations should use RPC functions
+          const isGrant = crudMethod === 'insert' || crudMethod === 'upsert';
+          const isRevoke = crudMethod === 'delete' || crudMethod === 'update';
+          
+          if (isGrant) {
+            reason = `Direct ${crudMethod} operation on '${table}' detected. Use rbac_role_grant RPC function instead.`;
+            replacement = `Use rbac_role_grant RPC function with p_role_type='${roleType}'`;
+            example = `const { data, error } = await supabase.rpc('rbac_role_grant', {\n  p_user_id: userId,\n  p_role_type: '${roleType}',\n  p_role_name: 'role_name',\n  p_context_id: contextId, // org_id for organisation, 'event_id:app_id' for event_app\n  p_granted_by: currentUserId\n});`;
+          } else if (isRevoke) {
+            reason = `Direct ${crudMethod} operation on '${table}' detected. Use rbac_role_revoke RPC function instead.`;
+            replacement = `Use rbac_role_revoke RPC function with p_role_type='${roleType}'`;
+            example = `const { data, error } = await supabase.rpc('rbac_role_revoke', {\n  p_user_id: userId,\n  p_role_type: '${roleType}',\n  p_role_name: 'role_name',\n  p_context_id: contextId, // org_id for organisation, 'event_id:app_id' for event_app\n  p_revoked_by: currentUserId\n});`;
+          } else {
+            reason = `Direct ${crudMethod} operation on '${table}' detected. Use rbac_role_grant or rbac_role_revoke RPC functions instead.`;
+            replacement = `Use rbac_role_grant/rbac_role_revoke RPC functions with p_role_type='${roleType}'`;
+          }
+        } else if (isConfig) {
+          // Config table mutations - check if using secure methods
+          if (method && method.startsWith('secure')) {
+            // Using secureInsert/secureUpdate/secureDelete - this is correct, don't flag
+            continue;
+          } else if (isAdminContext && usesSecureDataAccess) {
+            // Admin context and using useSecureDataAccess - check if using secure methods
+            // If the operation uses secureQuery/secureUpdate/etc, it's already handled above
+            // This case is for direct .from() calls in admin context
+            severity = 'warning';
+            reason = `Admin operation (${crudMethod}) on configuration table '${table}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
+            replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core for admin operations on configuration tables';
+          } else if (isAdminContext) {
+            severity = 'warning';
+            reason = `Admin operation (${crudMethod}) on configuration table '${table}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
+            replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core for admin operations on configuration tables';
+          } else {
+            reason = `Direct ${crudMethod} operation on configuration table '${table}' detected. These are system configuration tables. For admin operations, use useSecureSupabase.`;
+            replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core for admin operations';
+          }
+        } else if (isUserData) {
+          reason = `Direct ${crudMethod} operation on '${table}' detected. Use useSecureSupabase or useSecureDataAccess to ensure organisation context is enforced.`;
+          replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core';
+        } else {
+          reason = `Direct ${crudMethod} operation on '${table}' detected. Use pace-core permission management APIs or documented RPC functions instead.`;
+          replacement = 'pace-core permission management APIs or RPC functions';
+        }
+        
+        violations.customAuthCode.push({
+          name: `Direct ${operation} (${table})`,
+          type: 'permission management',
+          file: relativePath,
+          line: content.substring(0, matchIndex).split('\n').length,
+          reason: reason,
+          replacement: replacement,
+          severity: severity,
+          example: example
+        });
+      }
+    }
+  });
+  
+  // Check for custom role management hooks/components
+  // Analyze hook operations to distinguish data fetching from permission management
+  const customRoleManagementPatterns = [
+    { pattern: /export\s+(default\s+)?(function|const)\s+useRoleMutations\s*[=\(]/g, name: 'useRoleMutations', type: 'hook', replacement: 'pace-core RBAC APIs (rbac_role_grant, rbac_role_revoke RPC functions or useRoleManagement hook)' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useUserRoles\s*[=\(]/g, name: 'useUserRoles', type: 'hook', replacement: 'pace-core RBAC hooks (useRBAC, usePermissions) or rbac_roles_list RPC function' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useUserOrganisationRoles\s*[=\(]/g, name: 'useUserOrganisationRoles', type: 'hook', replacement: 'useOrganisations hook from pace-core or data_user_organisation_roles_get RPC function' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useRoleSupportingData\s*[=\(]/g, name: 'useRoleSupportingData', type: 'hook', replacement: 'pace-core RBAC APIs' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useAppAccess\s*[=\(]/g, name: 'useAppAccess', type: 'hook', replacement: 'pace-core RBAC APIs' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useEventForm\s*[=\(]/g, name: 'useEventForm', type: 'hook', replacement: 'pace-core RBAC APIs' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+useUnifiedStats\s*[=\(]/g, name: 'useUnifiedStats', type: 'hook', replacement: 'pace-core RBAC APIs' }
+  ];
+  
+  customRoleManagementPatterns.forEach(({ pattern, name, type, replacement }) => {
+    if (pattern.test(content)) {
+      // Analyze hook operations to determine if it's data fetching or permission management
+      const hookStartMatch = content.match(pattern);
+      if (!hookStartMatch) {
+        return; // Exit early if no match
+      }
+      
+      const hookStartIndex = content.indexOf(hookStartMatch[0]);
+      // Find the end of the hook (next export or end of file, or closing brace at same level)
+      const afterHookStart = content.substring(hookStartIndex);
+      const hookContent = afterHookStart.split(/\n\s*export\s+/)[0]; // Get content until next export
+      
+      // Count operations
+      const readOperations = (
+        (hookContent.match(/secureQuery\s*\(/g) || []).length +
+        (hookContent.match(/\.select\s*\(/g) || []).length +
+        (hookContent.match(/\.rpc\s*\(\s*['"](get_|data_|rbac_roles_list|rbac_permissions_get|data_user_)/g) || []).length
+      );
+      
+      const writeOperations = (
+        (hookContent.match(/secureUpdate\s*\(/g) || []).length +
+        (hookContent.match(/secureInsert\s*\(/g) || []).length +
+        (hookContent.match(/secureDelete\s*\(/g) || []).length +
+        (hookContent.match(/\.(insert|update|delete|upsert)\s*\(/g) || []).length +
+        (hookContent.match(/\.rpc\s*\(\s*['"](rbac_role_grant|rbac_role_revoke|app_)/g) || []).length
+      );
+      
+      const totalOperations = readOperations + writeOperations;
+      const writeRatio = totalOperations > 0 ? writeOperations / totalOperations : 0;
+      
+      // Check if hook primarily uses RPC functions for reads
+      const usesReadOnlyRPCs = /\.rpc\s*\(\s*['"](get_|data_|rbac_roles_list|rbac_permissions_get|data_user_)/.test(hookContent);
+      const onlyReadOperations = writeOperations === 0 && readOperations > 0;
+      
+      // Check if hook name suggests data fetching (supporting data, stats, etc.)
+      const isDataFetchingHook = /SupportingData|Stats|Form/.test(name);
+      
+      // Calculate ratio of role/permission-related code to total code
+      const rolePermissionPatterns = [
+        /rbac_(organisation|event_app|global)_roles/g,
+        /rbac_page_permissions/g,
+        /rbac_role_grant|rbac_role_revoke/g,
+        /grant.*role|revoke.*role/gi
+      ];
+      const rolePermissionMatches = rolePermissionPatterns.reduce((count, pattern) => {
+        const matches = hookContent.match(pattern);
+        return count + (matches ? matches.length : 0);
+      }, 0);
+      
+      // Count total significant operations (not just RBAC, but all operations)
+      const totalSignificantOps = (
+        (hookContent.match(/(secureQuery|secureUpdate|secureInsert|secureDelete|\.from|\.rpc|\.select|\.insert|\.update|\.delete)\s*\(/g) || []).length
+      );
+      const rolePermissionRatio = totalSignificantOps > 0 ? rolePermissionMatches / totalSignificantOps : 0;
+      
+      // Check for patterns indicating primary purpose
+      const isEventManagement = /event.*(create|update|delete|form|manage)/gi.test(hookContent) && name.includes('Event');
+      const isFormManagement = /useZodForm|register|handleSubmit|setValue|watch|reset/.test(hookContent);
+      const isStatsAggregation = /count|sum|aggregate|stats|statistics/gi.test(hookContent) && name.includes('Stats');
+      const isSupportingData = name.includes('SupportingData') || /dropdown|select|options|reference/gi.test(hookContent);
+      
+      // Only flag if:
+      // 1. It's useRoleMutations (always permission management)
+      // 2. OR write operations > 20% of total operations AND operates on role/permission tables
+      // 3. OR role/permission operations > 20% of total operations
+      // Don't flag if:
+      // - It's primarily data fetching (>80% reads, no mutations on role tables)
+      // - It's event/form/stats management with <20% role/permission code
+      // - It only uses read-only RPCs for data fetching
+      if (name === 'useRoleMutations') {
+        // Always flag useRoleMutations - it's explicitly for role mutations
+        violations.customAuthCode.push({
+          name,
+          type,
+          file: relativePath,
+          line: getLineNumber(content, hookStartMatch[0]),
+          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities (like useSecureDataAccess), it should use pace-core RBAC APIs instead of implementing custom logic.`,
+          replacement,
+          severity: 'error'
+        });
+      } else if (writeRatio > 0.2 && rolePermissionRatio > 0.1) {
+        // Has significant write operations on role/permission tables
+        violations.customAuthCode.push({
+          name,
+          type,
+          file: relativePath,
+          line: getLineNumber(content, hookStartMatch[0]),
+          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities (like useSecureDataAccess), it should use pace-core RBAC APIs instead of implementing custom logic.`,
+          replacement,
+          severity: 'error'
+        });
+      } else if (rolePermissionRatio > 0.2 && !isEventManagement && !isFormManagement && !isStatsAggregation) {
+        // High ratio of role/permission code and not primarily event/form/stats management
+        violations.customAuthCode.push({
+          name,
+          type,
+          file: relativePath,
+          line: getLineNumber(content, hookStartMatch[0]),
+          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities (like useSecureDataAccess), it should use pace-core RBAC APIs instead of implementing custom logic.`,
+          replacement,
+          severity: 'error'
+        });
+      } else if (onlyReadOperations && (usesReadOnlyRPCs || isDataFetchingHook || isSupportingData)) {
+        // Data fetching hook using pace-core RPCs or secure queries - don't flag
+        // These are legitimate data fetching hooks
+        return; // Exit early to prevent flagging
+      } else if (name === 'useUserOrganisationRoles') {
+        // useUserOrganisationRoles only uses get_user_organisations RPC - don't flag
+        // This is a pure data fetching hook that only uses RPC functions
+        // Check if it only uses RPC functions and no direct table queries
+        const hasDirectTableQueries = /\.from\s*\(\s*['"]rbac_/.test(hookContent);
+        if (!hasDirectTableQueries && usesReadOnlyRPCs) {
+          // Pure RPC-based data fetching - don't flag
+          return; // Exit early to prevent flagging
+        } else if (onlyReadOperations && usesReadOnlyRPCs) {
+          // Read-only data fetching hook - don't flag
+          return; // Exit early to prevent flagging
+        }
+        // If it has table queries, continue to check below
+      } else if (name === 'useUserRoles') {
+        // useUserRoles uses RPC functions and secure methods for data fetching
+        // Check if it's primarily read-only and uses secure methods
+        const usesSecureForApps = /secureSupabase|useSecureSupabase|secureQuery/.test(hookContent);
+        if (usesReadOnlyRPCs && writeOperations === 0 && (usesSecureForApps || onlyReadOperations)) {
+          // Using secure methods or read-only RPC-based data fetching - don't flag
+          return; // Exit early to prevent flagging
+        }
+        // If it has write operations, continue to check below
+      } else if (isEventManagement || isFormManagement || isStatsAggregation) {
+        // Primary purpose is event/form/stats management - don't flag
+        // Role cleanup during deletion is a side effect, not primary purpose
+      }
+    }
+  });
+  
+  // Check for custom permission management components
+  // Distinguish between configuration management and permission management
+  const customPermissionComponents = [
+    { name: 'UnifiedPermissionsManager', isPermissionManagement: true },
+    { name: 'PermissionsDataTable', isPermissionManagement: true },
+    { name: 'ApplicationPermissionsTable', isPermissionManagement: true },
+    { name: 'ApplicationPermissionsManager', isPermissionManagement: true },
+    { name: 'PermissionsManager', isPermissionManagement: true },
+    // Configuration management components (manage rbac_apps, rbac_app_pages)
+    { name: 'ApplicationsDataTable', isPermissionManagement: false, managesConfig: true },
+    { name: 'PagesDataTable', isPermissionManagement: false, managesConfig: true }
+  ];
+  
+  customPermissionComponents.forEach(({ name, isPermissionManagement, managesConfig }) => {
+    const componentPattern = new RegExp(`export\\s+(default\\s+)?(function|const)\\s+${name}\\s*[=\\(]`, 'g');
+    if (componentPattern.test(content)) {
+      // Check which tables this component operates on
+      const operatesOnPagePermissions = /rbac_page_permissions/.test(content);
+      const operatesOnRoleTables = /rbac_(organisation|event_app|global)_roles/.test(content);
+      const operatesOnConfigTables = /rbac_apps|rbac_app_pages/.test(content);
+      const usesSecureMethods = /useSecureDataAccess|useSecureSupabase|secureQuery|secureUpdate|secureInsert|secureDelete/.test(content);
+      
+      // Only flag as permission management if:
+      // 1. It's explicitly a permission management component AND operates on permission/role tables
+      // 2. OR it operates on permission/role tables (regardless of name)
+      // Don't flag configuration management components that only manage config tables
+      if (isPermissionManagement && (operatesOnPagePermissions || operatesOnRoleTables)) {
+        violations.customAuthCode.push({
+          name: `${name} component`,
+          type: 'permission management component',
+          file: relativePath,
+          line: getLineNumber(content, content.match(componentPattern)[0]),
+          reason: `Custom permission management component '${name}' detected. Even though it may use some pace-core utilities, it implements custom permission management logic that should use pace-core permission management APIs instead.`,
+          replacement: 'pace-core permission management APIs or PagePermissionGuard',
+          severity: 'error'
+        });
+      } else if (!isPermissionManagement && managesConfig && operatesOnConfigTables) {
+        // Configuration management component - check if it only does cleanup on permission tables
+        // If it uses secure methods and primarily manages config tables, don't flag
+        // Permission table operations for cleanup (cascade deletes) are acceptable
+        if (operatesOnPagePermissions && usesSecureMethods) {
+          // Config management component that uses secure methods and does permission cleanup
+          // This is acceptable - don't flag
+        } else if (!usesSecureMethods) {
+          violations.customAuthCode.push({
+            name: `${name} component`,
+            type: 'configuration management component',
+            file: relativePath,
+            line: getLineNumber(content, content.match(componentPattern)[0]),
+            reason: `Configuration management component '${name}' detected. Ensure you're using useSecureDataAccess or useSecureSupabase for secure operations on configuration tables.`,
+            replacement: 'Use useSecureDataAccess or useSecureSupabase from pace-core for admin operations on configuration tables',
+            severity: 'warning'
+          });
+        }
+        // If using secure methods, don't flag (acceptable for admin operations)
+      } else if (operatesOnPagePermissions || operatesOnRoleTables) {
+        // Component operates on permission/role tables - flag it UNLESS it's a config management component using secure methods
+        if (!isPermissionManagement && managesConfig && usesSecureMethods) {
+          // Config management component using secure methods - acceptable, don't flag
+        } else {
+          violations.customAuthCode.push({
+            name: `${name} component`,
+            type: 'permission management component',
+            file: relativePath,
+            line: getLineNumber(content, content.match(componentPattern)[0]),
+            reason: `Component '${name}' detected that operates on permission or role tables. Use pace-core permission management APIs instead.`,
+            replacement: 'pace-core permission management APIs or PagePermissionGuard',
+            severity: 'error'
+          });
+        }
+      }
+    }
+  });
+  
+  // Check provider setup (only main.tsx/main.ts, not App.tsx since it doesn't define providers)
+  if (relativePath.match(/^(src\/)?main\.(tsx?|jsx?)$/)) {
+    const providerIssues = scanProviderSetup(filePath, content, relativePath);
+    violations.providerSetupIssues.push(...providerIssues);
+  }
+  
+  // Check Vite configuration
+  if (relativePath.match(/vite\.config\.(ts|js|tsx|jsx)$/)) {
+    const viteIssues = scanViteConfig(filePath, content, relativePath);
+    violations.viteConfigIssues.push(...viteIssues);
+  }
+  
+  // Check Router setup (main.tsx, main.ts, App.tsx, App.ts)
+  if (relativePath.match(/^(src\/)?(main|App)\.(tsx?|jsx?)$/)) {
+    const routerIssues = scanRouterSetup(filePath, content, relativePath);
+    violations.routerSetupIssues.push(...routerIssues);
+  }
+  
+  // Check for custom auth type files (should use pace-core types)
+  if (relativePath.match(/types\/auth\.(ts|tsx)$/i) || relativePath.match(/src\/types\/auth\.(ts|tsx)$/i)) {
+    // Check if file defines auth-related types without importing from pace-core
+    const hasAuthTypeDefinitions = /(interface|type)\s+(User|Session|AuthError|SignIn|SignUp|AuthState|AuthContext)/.test(content);
+    const hasPaceCoreTypeImport = /from\s+['"]@jmruthers\/pace-core\/types/.test(content) ||
+                                  /from\s+['"]@jmruthers\/pace-core['"]/.test(content);
+    
+    if (hasAuthTypeDefinitions && !hasPaceCoreTypeImport) {
+      violations.customAuthCode.push({
+        name: 'auth types',
+        type: 'types',
+        file: relativePath,
+        line: 1,
+        reason: 'Custom auth types detected. Use types from @jmruthers/pace-core/types/auth instead.',
+        replacement: '@jmruthers/pace-core/types/auth'
+      });
+    }
+  }
+  
+  // Check for custom auth/RBAC context providers
+  const customProviderPatterns = [
+    { pattern: /export\s+(default\s+)?(function|const)\s+AuthProvider\s*[=\(]/g, name: 'AuthProvider', replacement: 'UnifiedAuthProvider' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+AuthContext\s*[=\(]/g, name: 'AuthContext', replacement: 'useUnifiedAuth' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+PermissionProvider\s*[=\(]/g, name: 'PermissionProvider', replacement: 'pace-core RBAC' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+RBACProvider\s*[=\(]/g, name: 'RBACProvider', replacement: 'pace-core RBAC' },
+    { pattern: /export\s+(default\s+)?(function|const)\s+RoleProvider\s*[=\(]/g, name: 'RoleProvider', replacement: 'pace-core RBAC' },
+    { pattern: /createContext\s*<\s*(Auth|Permission|RBAC|Role)/gi, name: 'auth context', replacement: 'pace-core providers' }
+  ];
+  
+  customProviderPatterns.forEach(({ pattern, name, replacement }) => {
+    if (pattern.test(content) && !hasPaceCoreImport && !hasUnifiedAuthImport) {
+      violations.customAuthCode.push({
+        name,
+        type: 'provider',
+        file: relativePath,
+        line: getLineNumber(content, content.match(pattern)[0]),
+        reason: `Custom auth/RBAC provider '${name}' detected. Use ${replacement} from pace-core instead.`,
+        replacement
+      });
+    }
+  });
+  
+  // Check for unused PermissionService interfaces that duplicate pace-core functionality
+  // Flag it even if file imports from pace-core, since it's a duplicate type definition
+  const permissionServicePattern = /(interface|type)\s+PermissionService\s*[={<]/gi;
+  if (permissionServicePattern.test(content)) {
+    // Check if it's actually used in the file (beyond just the definition)
+    const permissionServiceUsage = /PermissionService[^:]/g;
+    const allMatches = content.match(/PermissionService/g) || [];
+    // If defined but only appears in the definition (and maybe one type annotation), it's likely unused
+    // Count: 1 for definition, 1-2 for potential type annotations = 2-3 total
+    if (allMatches.length <= 3) {
+      violations.customAuthCode.push({
+        name: 'PermissionService interface',
+        type: 'unused type',
+        file: relativePath,
+        line: getLineNumber(content, content.match(permissionServicePattern)[0]),
+        reason: 'PermissionService interface detected that duplicates pace-core permission checking APIs. This appears unused and should be removed.',
+        replacement: 'Remove if unused, or use pace-core RBAC APIs (useRBAC, usePermissions) instead',
+        severity: 'error'
+      });
+    }
+  }
+  
+  // Check for unnecessary wrappers around pace-core components and local components
+  // Only check .tsx/.jsx files (component files)
+  if (filePath.match(/\.(tsx|jsx)$/)) {
+    const wrapperIssues = scanUnnecessaryWrappers(content, relativePath, manifest);
+    violations.unnecessaryWrappers.push(...wrapperIssues);
+  }
+  
+  return violations;
+}
+
+// Scan for unnecessary wrappers around pace-core components and local components
+function scanUnnecessaryWrappers(content, relativePath, manifest) {
+  const issues = [];
+  
+  // Check if file imports from pace-core
+  const paceCoreImportPattern = /import\s+{([^}]+)}\s+from\s+['"]@jmruthers\/pace-core['"]/;
+  const paceCoreImportMatch = content.match(paceCoreImportPattern);
+  
+  // Extract imported pace-core component names
+  let importedPaceCoreComponents = [];
+  if (paceCoreImportMatch) {
+    importedPaceCoreComponents = (paceCoreImportMatch[1] || '')
+      .split(',')
+      .map(name => name.trim().replace(/\s+as\s+\w+/, '')) // Remove aliases
+      .filter(name => manifest.components.includes(name));
+  }
+  
+  // Also find all imported components (local and pace-core) to check for wrappers
+  const allImportPattern = /import\s+(?:(?:{([^}]+)})|(\w+))\s+from\s+['"]([^'"]+)['"]/g;
+  const allImports = [];
+  let importMatch;
+  while ((importMatch = allImportPattern.exec(content)) !== null) {
+    const namedImports = importMatch[1]; // { Component1, Component2 }
+    const defaultImport = importMatch[2]; // Component
+    const modulePath = importMatch[3];
+    
+    if (namedImports) {
+      namedImports.split(',').forEach(name => {
+        const cleanName = name.trim().replace(/\s+as\s+(\w+)/, ''); // Remove aliases but keep original
+        allImports.push({ name: cleanName, module: modulePath });
+      });
+    }
+    if (defaultImport) {
+      allImports.push({ name: defaultImport, module: modulePath });
+    }
+  }
+  
+  // Find exported component definitions
+  // Match: export (default)? (function|const) ComponentName = ...
+  const componentPattern = /export\s+(default\s+)?(function|const)\s+(\w+)\s*[=\(]/g;
+  const componentMatches = [...content.matchAll(componentPattern)];
+  
+  componentMatches.forEach(match => {
+    const componentName = match[3];
+    const matchIndex = match.index;
+    
+    // Skip if it's a test file or example file
+    if (relativePath.includes('.test.') || relativePath.includes('.spec.') || 
+        relativePath.includes('example') || relativePath.includes('Example')) {
+      return;
+    }
+    
+    // Find the component body
+    // Look for the opening brace after the function/const declaration
+    let braceCount = 0;
+    let bodyStart = -1;
+    let bodyEnd = -1;
+    let inBody = false;
+    
+    for (let i = matchIndex + match[0].length; i < content.length; i++) {
+      const char = content[i];
+      if (char === '{' && !inBody) {
+        bodyStart = i;
+        inBody = true;
+        braceCount = 1;
+      } else if (char === '{') {
+        braceCount++;
+      } else if (char === '}') {
+        braceCount--;
+        if (braceCount === 0 && inBody) {
+          bodyEnd = i;
+          break;
+        }
+      }
+    }
+    
+    if (bodyStart === -1 || bodyEnd === -1) {
+      return; // Couldn't find component body
+    }
+    
+    const componentBody = content.substring(bodyStart + 1, bodyEnd).trim();
+    
+    // Check if body has significant logic (hooks, state, conditionals, etc.)
+    const hasHooks = /use[A-Z]\w+/.test(componentBody);
+    const hasState = /useState|useReducer|useRef/.test(componentBody);
+    const hasConditionals = /if\s*\(|&&|\?|switch/.test(componentBody);
+    const hasMultipleReturns = (componentBody.match(/return/g) || []).length > 1;
+    const hasLoops = /for\s*\(|while\s*\(|\.map\s*\(/.test(componentBody);
+    
+    // Find all JSX components used in the body
+    // Match JSX opening tags: <ComponentName or <ComponentName>
+    const jsxComponentPattern = /<([A-Z][a-zA-Z0-9]*)[\s>\/]/g;
+    const jsxComponents = [];
+    let jsxMatch;
+    while ((jsxMatch = jsxComponentPattern.exec(componentBody)) !== null) {
+      const jsxComponentName = jsxMatch[1];
+      // Skip React fragments and the component itself
+      if (jsxComponentName !== 'Fragment' && 
+          jsxComponentName !== componentName &&
+          !jsxComponents.includes(jsxComponentName)) {
+        jsxComponents.push(jsxComponentName);
+      }
+    }
+    
+    // Check if component is a simple wrapper around another component
+    // Pattern 1: Just returns a single component (pace-core or local)
+    // Pattern 2: Only does auth/permission checks and returns a component
+    // Pattern 3: Minimal logic that just forwards to another component
+    
+    // Check for auth/permission check patterns (common in page wrappers)
+    const hasAuthCheck = /useUnifiedAuth|usePermissions|useCan|PagePermissionGuard|PermissionGuard|useRBAC/.test(componentBody);
+    const hasEarlyReturn = /if\s*\([^)]*\)\s*return/.test(componentBody);
+    
+    // Count conditional returns (early returns for auth checks)
+    const conditionalReturns = (componentBody.match(/if\s*\([^)]*\)\s*return/g) || []).length;
+    
+    // If there's only one JSX component used and minimal logic, it's likely a wrapper
+    if (jsxComponents.length === 1) {
+      const wrappedComponent = jsxComponents[0];
+      const wrappedComponentCount = (componentBody.match(new RegExp(`<${wrappedComponent}`, 'gi')) || []).length;
+      
+      // Check if it's a simple wrapper:
+      // 1. Uses only one other component
+      // 2. No state management
+      // 3. No loops
+      // 4. Component appears only once or twice (opening and closing tag)
+      // 5. Either no logic at all, OR only auth/permission checks with early returns
+      
+      // Allow auth/permission checks but still flag as wrapper if that's all it does
+      // Pattern: uses auth hook, has early return(s) for auth checks, then returns the wrapped component
+      const hasOnlyAuthLogic = hasAuthCheck && 
+                               !hasState && 
+                               !hasLoops && 
+                               (conditionalReturns === 0 || (conditionalReturns <= 2 && hasEarlyReturn)) &&
+                               (!hasConditionals || conditionalReturns <= 2);
+      
+      // Check if hooks are only auth-related
+      const authHookPattern = /use(UnifiedAuth|Permissions|Can|RBAC)/;
+      const allHooks = componentBody.match(/use[A-Z]\w+/g) || [];
+      const onlyAuthHooks = allHooks.length === 0 || allHooks.every(hook => authHookPattern.test(hook));
+      
+      const isSimpleWrapper = 
+        wrappedComponentCount <= 2 && // Opening and closing tag, or self-closing
+        !hasState &&
+        !hasLoops &&
+        (hasMultipleReturns === false || (hasMultipleReturns && hasOnlyAuthLogic && conditionalReturns <= 2)) &&
+        (!hasConditionals || hasOnlyAuthLogic) &&
+        (!hasHooks || (onlyAuthHooks && hasOnlyAuthLogic));
+      
+      if (isSimpleWrapper) {
+        // Check if the wrapped component is from pace-core or local
+        const wrappedComponentImport = allImports.find(imp => imp.name === wrappedComponent);
+        const isPaceCoreComponent = wrappedComponentImport && 
+                                   wrappedComponentImport.module === '@jmruthers/pace-core';
+        
+        let reason, recommendation;
+        if (isPaceCoreComponent) {
+          reason = `Component '${componentName}' appears to be an unnecessary wrapper around pace-core's '${wrappedComponent}'. It only forwards props without adding functionality.`;
+          recommendation = `Use '${wrappedComponent}' directly from '@jmruthers/pace-core' instead of wrapping it in '${componentName}'.`;
+        } else if (hasOnlyAuthLogic) {
+          reason = `Component '${componentName}' is an unnecessary wrapper around '${wrappedComponent}'. It only performs auth/permission checks and returns the wrapped component.`;
+          recommendation = `Merge the auth/permission logic into '${wrappedComponent}' and rename it to '${componentName}', or use PagePermissionGuard from pace-core to protect the route instead.`;
+        } else {
+          reason = `Component '${componentName}' appears to be an unnecessary wrapper around '${wrappedComponent}'. It only forwards props without adding functionality.`;
+          recommendation = `Remove the wrapper and use '${wrappedComponent}' directly, or merge the logic into '${wrappedComponent}' and rename it to '${componentName}'.`;
+        }
+        
+        issues.push({
+          component: componentName,
+          wrappedComponent: wrappedComponent,
+          file: relativePath,
+          line: getLineNumber(content, match[0]),
+          reason: reason,
+          recommendation: recommendation
+        });
+      }
+    }
+  });
+  
+  return issues;
+}
+
+// Get line number for a match
+function getLineNumber(content, match) {
+  const lines = content.substring(0, content.indexOf(match)).split('\n');
+  return lines.length;
+}
+
+// Generate report
+function generateReport(allViolations, manifest) {
+  const totalRestricted = allViolations.restrictedImports.length;
+  const totalDuplicates = 
+    allViolations.duplicateComponents.length +
+    allViolations.duplicateHooks.length +
+    allViolations.duplicateUtils.length;
+  const totalSuggestions = allViolations.suggestions.length;
+  const totalRbacAuth = 
+    allViolations.customAuthCode.length +
+    allViolations.duplicateConfig.length +
+    allViolations.unprotectedPages.length +
+    allViolations.directSupabaseAuth.length;
+  const totalSetupIssues = 
+    allViolations.providerSetupIssues.length +
+    allViolations.viteConfigIssues.length +
+    allViolations.routerSetupIssues.length;
+  const totalUnnecessaryWrappers = allViolations.unnecessaryWrappers.length;
+  const totalIssues = totalRestricted + totalDuplicates + totalSuggestions + totalRbacAuth + totalSetupIssues + totalUnnecessaryWrappers;
+  
+  console.log(`\n${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
+  console.log(`${colors.bold}${colors.cyan}  pace-core Compliance Report${colors.reset}`);
+  console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}\n`);
+  
+  // Restricted Imports
+  if (totalRestricted > 0) {
+    console.log(`${colors.red}${colors.bold}❌ Restricted Imports Found: ${totalRestricted}${colors.reset}\n`);
+    allViolations.restrictedImports.forEach(({ module, reason, file, line }) => {
+      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+      console.log(`    Import: ${colors.cyan}${module}${colors.reset}`);
+      console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}\n`);
+    });
+  } else {
+    console.log(`${colors.green}✅ No restricted imports found${colors.reset}\n`);
+  }
+  
+  // Duplicate Components
+  if (allViolations.duplicateComponents.length > 0) {
+    console.log(`${colors.red}${colors.bold}❌ Duplicate Components Found: ${allViolations.duplicateComponents.length}${colors.reset}\n`);
+    allViolations.duplicateComponents.forEach(({ component, file }) => {
+      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
+      console.log(`    Component '${colors.cyan}${component}${colors.reset}' conflicts with pace-core component`);
+      console.log(`    ${colors.yellow}Suggestion:${colors.reset} Use '${component}' from '@jmruthers/pace-core' instead\n`);
+    });
+  }
+  
+  // Duplicate Hooks
+  if (allViolations.duplicateHooks.length > 0) {
+    console.log(`${colors.red}${colors.bold}❌ Duplicate Hooks Found: ${allViolations.duplicateHooks.length}${colors.reset}\n`);
+    allViolations.duplicateHooks.forEach(({ hook, file }) => {
+      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
+      console.log(`    Hook '${colors.cyan}${hook}${colors.reset}' conflicts with pace-core hook`);
+      console.log(`    ${colors.yellow}Suggestion:${colors.reset} Use '${hook}' from '@jmruthers/pace-core' instead\n`);
+    });
+  }
+  
+  // Duplicate Utils
+  if (allViolations.duplicateUtils.length > 0) {
+    console.log(`${colors.red}${colors.bold}❌ Duplicate Utils Found: ${allViolations.duplicateUtils.length}${colors.reset}\n`);
+    allViolations.duplicateUtils.forEach(({ util, file }) => {
+      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
+      console.log(`    Util '${colors.cyan}${util}${colors.reset}' conflicts with pace-core util`);
+      console.log(`    ${colors.yellow}Suggestion:${colors.reset} Use '${util}' from '@jmruthers/pace-core' instead\n`);
+    });
+  }
+  
+  // Suggestions
+  if (totalSuggestions > 0) {
+    console.log(`${colors.yellow}${colors.bold}💡 Suggestions: ${totalSuggestions}${colors.reset}\n`);
+    const grouped = {};
+    allViolations.suggestions.forEach(s => {
+      if (!grouped[s.file]) grouped[s.file] = [];
+      grouped[s.file].push(s);
+    });
+    Object.entries(grouped).forEach(([file, suggestions]) => {
+      console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
+      suggestions.forEach(s => {
+        console.log(`    ${s.suggestion}\n`);
+      });
+    });
+  }
+  
+  // Unnecessary Wrappers
+  if (totalUnnecessaryWrappers > 0) {
+    console.log(`${colors.yellow}${colors.bold}⚠️  Unnecessary Wrappers: ${totalUnnecessaryWrappers}${colors.reset}\n`);
+    allViolations.unnecessaryWrappers.forEach(({ component, wrappedComponent, file, line, reason, recommendation }) => {
+      console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+      console.log(`    Component: ${colors.cyan}${component}${colors.reset}`);
+      console.log(`    Wraps: ${colors.cyan}${wrappedComponent}${colors.reset}`);
+      console.log(`    ${colors.yellow}Issue:${colors.reset} ${reason}`);
+      if (recommendation) {
+        console.log(`    ${colors.green}Recommendation:${colors.reset} ${recommendation}\n`);
+      } else {
+        console.log(`    ${colors.green}Recommendation:${colors.reset} Remove the wrapper and use the component directly.\n`);
+      }
+    });
+  }
+  
+  // RBAC/Auth Compliance Section
+  if (totalRbacAuth > 0) {
+    console.log(`\n${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
+    console.log(`${colors.bold}${colors.cyan}  RBAC/Auth Compliance${colors.reset}`);
+    console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}\n`);
+    
+    // Custom Auth/RBAC Code
+    if (allViolations.customAuthCode.length > 0) {
+      // Separate by severity
+      const errors = allViolations.customAuthCode.filter(v => !v.severity || v.severity === 'error');
+      const warnings = allViolations.customAuthCode.filter(v => v.severity === 'warning');
+      const info = allViolations.customAuthCode.filter(v => v.severity === 'info');
+      
+      if (errors.length > 0) {
+        console.log(`${colors.red}${colors.bold}❌ Custom Auth/RBAC Code Found: ${errors.length}${colors.reset}\n`);
+        errors.forEach(({ name, type, file, line, reason, replacement, example }) => {
+          console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+          console.log(`    ${type}: ${colors.cyan}${name}${colors.reset}`);
+          console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}`);
+          if (replacement) {
+            console.log(`    ${colors.green}Fix:${colors.reset} ${replacement}`);
+            // Add example code if provided
+            if (example) {
+              console.log(`    ${colors.cyan}Example:${colors.reset}`);
+              example.split('\n').forEach(line => {
+                console.log(`      ${colors.green}${line}${colors.reset}`);
+              });
+            } else {
+              // Add example code for common cases
+              if (type === 'rbac query' && name.includes('rbac_user_profiles')) {
+                console.log(`    ${colors.cyan}Example:${colors.reset}`);
+                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
+                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
+                console.log(`      ${colors.green}const { data } = await supabase.from('rbac_user_profiles').select('*');${colors.reset}`);
+              } else if (type === 'rbac query' && name.includes('rbac_user_login_history')) {
+                console.log(`    ${colors.cyan}Example:${colors.reset}`);
+                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
+                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
+                console.log(`      ${colors.green}const { data } = await supabase.from('rbac_user_login_history').select('*').eq('user_id', userId);${colors.reset}`);
+                console.log(`    ${colors.yellow}Note:${colors.reset} Login history is automatically tracked by UnifiedAuthProvider.`);
+                console.log(`    ${colors.yellow}      ${colors.reset} Queries should use useSecureSupabase to ensure organisation context is enforced.`);
+              } else if (type === 'rbac query' && name.includes('rbac_user_units')) {
+                console.log(`    ${colors.cyan}Example:${colors.reset}`);
+                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
+                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
+                console.log(`      ${colors.green}// For reading, use RPC:${colors.reset}`);
+                console.log(`      ${colors.green}const { data } = await supabase.rpc('data_user_unit_get', {${colors.reset}`);
+                console.log(`      ${colors.green}  p_user_id: userId,${colors.reset}`);
+                console.log(`      ${colors.green}  p_event_id: eventId${colors.reset}`);
+                console.log(`      ${colors.green}});${colors.reset}`);
+              } else if (type === 'rbac query' && (name.includes('rbac_apps') || name.includes('rbac_app_pages') || name.includes('rbac_page_permissions'))) {
+                console.log(`    ${colors.cyan}Example (admin operations):${colors.reset}`);
+                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
+                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
+                console.log(`      ${colors.green}const { data } = await supabase.from('${name.match(/rbac_\w+/)?.[0] || 'rbac_table'}').select('*');${colors.reset}`);
+              }
+            }
+          }
+          console.log('');
+        });
+      }
+      
+      if (warnings.length > 0) {
+        console.log(`${colors.yellow}${colors.bold}⚠️  Warnings (acceptable but should use secure methods): ${warnings.length}${colors.reset}\n`);
+        warnings.forEach(({ name, type, file, line, reason, replacement, example }) => {
+          console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+          console.log(`    ${type}: ${colors.cyan}${name}${colors.reset}`);
+          console.log(`    ${colors.yellow}Note:${colors.reset} ${reason}`);
+          if (replacement) {
+            console.log(`    ${colors.green}Recommendation:${colors.reset} ${replacement}`);
+          }
+          if (example) {
+            console.log(`    ${colors.cyan}Example:${colors.reset}`);
+            example.split('\n').forEach(line => {
+              console.log(`      ${colors.green}${line}${colors.reset}`);
+            });
+          }
+          console.log('');
+        });
+      }
+      
+      // Don't show info-level items (these are correct usage)
+      // They're tracked but not displayed to avoid noise
+    }
+    
+    // Duplicate Configurations
+    if (allViolations.duplicateConfig.length > 0) {
+      console.log(`${colors.red}${colors.bold}❌ Duplicate Configurations Found: ${allViolations.duplicateConfig.length}${colors.reset}\n`);
+      allViolations.duplicateConfig.forEach(({ type, file, count, reason }) => {
+        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
+        console.log(`    Type: ${colors.cyan}${type}${colors.reset}${count ? ` (${count} instances)` : ''}`);
+        console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}\n`);
+      });
+    }
+    
+    // Unprotected Pages
+    if (allViolations.unprotectedPages.length > 0) {
+      console.log(`${colors.red}${colors.bold}❌ Unprotected Pages Found: ${allViolations.unprotectedPages.length}${colors.reset}\n`);
+      allViolations.unprotectedPages.forEach(({ file, reason }) => {
+        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
+        console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}\n`);
+      });
+    }
+    
+    // Direct Supabase Auth Usage
+    if (allViolations.directSupabaseAuth.length > 0) {
+      console.log(`${colors.red}${colors.bold}❌ Direct Supabase Auth Usage Found: ${allViolations.directSupabaseAuth.length}${colors.reset}\n`);
+      allViolations.directSupabaseAuth.forEach(({ file, line, reason, method, recommendation }) => {
+        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+        console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}`);
+        if (recommendation) {
+          console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
+        } else {
+          console.log(`    ${colors.green}Fix:${colors.reset} Use ${colors.cyan}useUnifiedAuth${colors.reset} hook from @jmruthers/pace-core instead of direct ${method ? `supabase.auth.${method}()` : 'Supabase auth'} calls\n`);
+        }
+      });
+    }
+  } else {
+    console.log(`\n${colors.green}✅ RBAC/Auth compliance: All checks passed${colors.reset}\n`);
+  }
+  
+  // Setup/Configuration Issues Section
+  if (totalSetupIssues > 0) {
+    console.log(`\n${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
+    console.log(`${colors.bold}${colors.cyan}  Setup & Configuration Issues${colors.reset}`);
+    console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}\n`);
+    
+    // Provider Setup Issues
+    if (allViolations.providerSetupIssues.length > 0) {
+      console.log(`${colors.red}${colors.bold}❌ Provider Setup Issues Found: ${allViolations.providerSetupIssues.length}${colors.reset}\n`);
+      allViolations.providerSetupIssues.forEach(({ file, line, type, provider, reason, recommendation }) => {
+        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+        if (provider) {
+          console.log(`    Missing Provider: ${colors.cyan}${provider}${colors.reset}`);
+        }
+        if (type) {
+          console.log(`    Issue Type: ${colors.cyan}${type}${colors.reset}`);
+        }
+        console.log(`    ${colors.yellow}Problem:${colors.reset} ${reason}`);
+        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
+      });
+    }
+    
+    // Vite Configuration Issues
+    if (allViolations.viteConfigIssues.length > 0) {
+      console.log(`${colors.red}${colors.bold}❌ Vite Configuration Issues Found: ${allViolations.viteConfigIssues.length}${colors.reset}\n`);
+      allViolations.viteConfigIssues.forEach(({ file, line, type, reason, recommendation }) => {
+        const severity = type === 'recommendation' ? colors.yellow : colors.red;
+        const icon = type === 'recommendation' ? '💡' : '❌';
+        console.log(`  ${severity}${icon}${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+        console.log(`    ${colors.yellow}Issue:${colors.reset} ${reason}`);
+        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
+      });
+    }
+    
+    // Router Setup Issues
+    if (allViolations.routerSetupIssues.length > 0) {
+      console.log(`${colors.red}${colors.bold}❌ Router Setup Issues Found: ${allViolations.routerSetupIssues.length}${colors.reset}\n`);
+      allViolations.routerSetupIssues.forEach(({ file, line, type, reason, recommendation }) => {
+        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
+        console.log(`    Issue Type: ${colors.cyan}${type}${colors.reset}`);
+        console.log(`    ${colors.yellow}Problem:${colors.reset} ${reason}`);
+        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
+      });
+    }
+  } else {
+    console.log(`\n${colors.green}✅ Setup & Configuration: All checks passed${colors.reset}\n`);
+  }
+  
+  // Summary
+  console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
+  console.log(`${colors.bold}Summary:${colors.reset}`);
+  console.log(`  Total Issues: ${totalIssues > 0 ? colors.red : colors.green}${totalIssues}${colors.reset}`);
+  console.log(`  - Restricted Imports: ${totalRestricted > 0 ? colors.red : colors.green}${totalRestricted}${colors.reset}`);
+  console.log(`  - Duplicate Components/Hooks/Utils: ${totalDuplicates > 0 ? colors.red : colors.green}${totalDuplicates}${colors.reset}`);
+  console.log(`  - Suggestions: ${colors.yellow}${totalSuggestions}${colors.reset}`);
+  console.log(`  - RBAC/Auth Issues: ${totalRbacAuth > 0 ? colors.red : colors.green}${totalRbacAuth}${colors.reset}`);
+  console.log(`  - Setup/Configuration Issues: ${totalSetupIssues > 0 ? colors.red : colors.green}${totalSetupIssues}${colors.reset}`);
+  
+  if (totalIssues === 0) {
+    console.log(`\n${colors.green}${colors.bold}✅ Excellent! Your codebase is fully compliant with pace-core standards.${colors.reset}\n`);
+    return 0;
+  } else {
+    console.log(`\n${colors.yellow}${colors.bold}⚠️  Please review the issues above and migrate to pace-core components/hooks/utils.${colors.reset}\n`);
+    return 1;
+  }
+}
+
+// Recursively find source files
+function findSourceFiles(dir, fileList = []) {
+  const ignoreDirs = ['node_modules', 'dist', 'build', '.next', 'coverage', '__tests__', '__mocks__'];
+  const ignoreFiles = /\.(test|spec)\.(ts|tsx|js|jsx)$/;
+  const sourceExtensions = /\.(ts|tsx|js|jsx)$/;
+  
+  try {
+    const items = fs.readdirSync(dir);
+    
+    items.forEach(item => {
+      const fullPath = path.join(dir, item);
+      const stat = fs.statSync(fullPath);
+      
+      if (stat.isDirectory()) {
+        if (!ignoreDirs.includes(item) && !item.startsWith('.')) {
+          findSourceFiles(fullPath, fileList);
+        }
+      } else if (stat.isFile()) {
+        if (sourceExtensions.test(item) && !ignoreFiles.test(item)) {
+          fileList.push(fullPath);
+        }
+      }
+    });
+  } catch (error) {
+    // Skip directories we can't read
+  }
+  
+  return fileList;
+}
+
+// Main function
+function main() {
+  const manifest = loadManifest();
+  const projectRoot = findProjectRoot();
+  
+  console.log(`${colors.cyan}Scanning project at: ${projectRoot}${colors.reset}`);
+  
+  // Find all TypeScript/JavaScript files (excluding node_modules, dist, etc.)
+  const files = findSourceFiles(projectRoot);
+  
+  console.log(`Found ${files.length} files to scan...\n`);
+  
+  // Scan all files
+  const allViolations = {
+    restrictedImports: [],
+    duplicateComponents: [],
+    duplicateHooks: [],
+    duplicateUtils: [],
+    suggestions: [],
+    customAuthCode: [],
+    duplicateConfig: [],
+    unprotectedPages: [],
+    directSupabaseAuth: [],
+    providerSetupIssues: [],
+    viteConfigIssues: [],
+    routerSetupIssues: [],
+    unnecessaryWrappers: []
+  };
+  
+  files.forEach(file => {
+    try {
+      const violations = scanFile(file, manifest);
+      allViolations.restrictedImports.push(...violations.restrictedImports);
+      allViolations.duplicateComponents.push(...violations.duplicateComponents);
+      allViolations.duplicateHooks.push(...violations.duplicateHooks);
+      allViolations.duplicateUtils.push(...violations.duplicateUtils);
+      allViolations.suggestions.push(...violations.suggestions);
+      allViolations.customAuthCode.push(...violations.customAuthCode);
+      allViolations.duplicateConfig.push(...violations.duplicateConfig);
+      allViolations.unprotectedPages.push(...violations.unprotectedPages);
+      allViolations.directSupabaseAuth.push(...violations.directSupabaseAuth);
+      allViolations.providerSetupIssues.push(...violations.providerSetupIssues);
+      allViolations.viteConfigIssues.push(...violations.viteConfigIssues);
+      allViolations.routerSetupIssues.push(...violations.routerSetupIssues);
+      allViolations.unnecessaryWrappers.push(...violations.unnecessaryWrappers);
+    } catch (error) {
+      console.error(`${colors.red}Error scanning ${file}: ${error.message}${colors.reset}`);
+    }
+  });
+  
+  // Generate and display report
+  const exitCode = generateReport(allViolations, manifest);
+  process.exit(exitCode);
+}
+
+// Run if called directly
+if (require.main === module) {
+  try {
+    main();
+  } catch (error) {
+    console.error(`${colors.red}Error: ${error.message}${colors.reset}`);
+    console.error(error.stack);
+    process.exit(1);
+  }
+}
+
+module.exports = { main, scanFile, generateReport };
+