@jmruthers/pace-core 0.6.1 → 0.6.3

package/scripts/{check-pace-core-compliance.cjs → audit/core/checks/compliance.cjs}

@@ -1,51 +1,33 @@
 #!/usr/bin/env node
 
 /**
- * Static Analysis Script for pace-core Compliance
+ * pace-core Compliance Check Module
  * @package @jmruthers/pace-core
- * @module Scripts/check-pace-core-compliance
+ * @module Audit/Checks/Compliance
  * 
- * Scans a consuming app's codebase to check compliance with pace-core usage.
- * Generates a report of violations and suggestions.
+ * Scans codebase for pace-core compliance violations including:
+ * - Restricted imports
+ * - Duplicate components/hooks/utils
+ * - Custom auth/RBAC code
+ * - Provider setup issues
+ * - Direct Supabase usage
+ * - Unnecessary wrappers
+ * - App discovery issues
  */
 
 const fs = require('fs');
 const path = require('path');
-
-// ANSI color codes for terminal output
-const colors = {
-  reset: '\x1b[0m',
-  red: '\x1b[31m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  blue: '\x1b[34m',
-  cyan: '\x1b[36m',
-  bold: '\x1b[1m'
-};
+const { getLineNumber, getRelativePath } = require('../utils.cjs');
 
 // Load manifest
 function loadManifest() {
-  const manifestPath = path.join(__dirname, '../core-usage-manifest.json');
+  const manifestPath = path.join(__dirname, '../../../../core-usage-manifest.json');
   if (!fs.existsSync(manifestPath)) {
-    console.error(`${colors.red}Error: core-usage-manifest.json not found at ${manifestPath}${colors.reset}`);
-    process.exit(1);
+    throw new Error(`core-usage-manifest.json not found at ${manifestPath}`);
   }
   return JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
 }
 
-// Find project root (look for package.json, going up from current dir or script location)
-function findProjectRoot(startDir = process.cwd()) {
-  let current = path.resolve(startDir);
-  while (current !== path.dirname(current)) {
-    if (fs.existsSync(path.join(current, 'package.json'))) {
-      return current;
-    }
-    current = path.dirname(current);
-  }
-  return startDir;
-}
-
-// Scan provider setup in main entry files
 function scanProviderSetup(filePath, content, relativePath) {
   const issues = [];
   
@@ -363,8 +345,114 @@ function scanRouterSetup(filePath, content, relativePath) {
   return issues;
 }
 
+// Helper function to provide migration recommendations
+function getMigrationRecommendation(method, operation) {
+  const recommendations = {
+    secureQuery: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.from('table').select('*');`,
+    secureInsert: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.from('table').insert(data).select().single();`,
+    secureUpdate: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.from('table').update(data).eq('id', id).select().single();`,
+    secureDelete: `Replace with: const supabase = useSecureSupabase(); await supabase.from('table').delete().eq('id', id);`,
+    secureRpc: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.rpc('function_name', params);`
+  };
+  
+  return recommendations[method] || `Replace with useSecureSupabase() and use standard Supabase ${operation} API`;
+}
+
+// Scan for unnecessary wrappers around pace-core components and local components
+function scanUnnecessaryWrappers(content, relativePath, manifest) {
+  const issues = [];
+  
+  // Check if file imports from pace-core
+  const paceCoreImportPattern = /import\s+{([^}]+)}\s+from\s+['"]@jmruthers\/pace-core['"]/;
+  const paceCoreImportMatch = content.match(paceCoreImportPattern);
+  
+  // Extract imported pace-core component names
+  let importedPaceCoreComponents = [];
+  if (paceCoreImportMatch) {
+    importedPaceCoreComponents = (paceCoreImportMatch[1] || '')
+      .split(',')
+      .map(name => name.trim().replace(/\s+as\s+\w+/, '')) // Remove aliases
+      .filter(name => manifest.components.includes(name));
+  }
+  
+  // Find exported component definitions
+  const componentPattern = /export\s+(default\s+)?(function|const)\s+(\w+)\s*[=\(]/g;
+  const componentMatches = [...content.matchAll(componentPattern)];
+  
+  componentMatches.forEach(match => {
+    const componentName = match[3];
+    const matchIndex = match.index;
+    
+    // Skip if it's a test file or example file
+    if (relativePath.includes('.test.') || relativePath.includes('.spec.') || 
+        relativePath.includes('example') || relativePath.includes('Example')) {
+      return;
+    }
+    
+    // Find the component body (simplified - just check if it's a simple wrapper)
+    const afterMatch = content.substring(matchIndex + match[0].length, Math.min(content.length, matchIndex + match[0].length + 500));
+    
+    // Check if body has significant logic
+    const hasHooks = /use[A-Z]\w+/.test(afterMatch);
+    const hasState = /useState|useReducer|useRef/.test(afterMatch);
+    const hasConditionals = /if\s*\(|&&|\?|switch/.test(afterMatch);
+    const hasMultipleReturns = (afterMatch.match(/return/g) || []).length > 1;
+    const hasLoops = /for\s*\(|while\s*\(|\.map\s*\(/.test(afterMatch);
+    
+    // Find JSX components used
+    const jsxComponentPattern = /<([A-Z][a-zA-Z0-9]*)[\s>\/]/g;
+    const jsxComponents = [];
+    let jsxMatch;
+    while ((jsxMatch = jsxComponentPattern.exec(afterMatch)) !== null) {
+      const jsxComponentName = jsxMatch[1];
+      if (jsxComponentName !== 'Fragment' && 
+          jsxComponentName !== componentName &&
+          !jsxComponents.includes(jsxComponentName)) {
+        jsxComponents.push(jsxComponentName);
+      }
+    }
+    
+    // Check if it's a simple wrapper
+    if (jsxComponents.length === 1) {
+      const wrappedComponent = jsxComponents[0];
+      const wrappedComponentCount = (afterMatch.match(new RegExp(`<${wrappedComponent}`, 'gi')) || []).length;
+      
+      const isSimpleWrapper = 
+        wrappedComponentCount <= 2 &&
+        !hasState &&
+        !hasLoops &&
+        (!hasMultipleReturns || (hasMultipleReturns && !hasConditionals)) &&
+        (!hasHooks || /use(UnifiedAuth|Permissions|Can|RBAC)/.test(afterMatch));
+      
+      if (isSimpleWrapper) {
+        const isPaceCoreComponent = importedPaceCoreComponents.includes(wrappedComponent);
+        
+        let reason, recommendation;
+        if (isPaceCoreComponent) {
+          reason = `Component '${componentName}' appears to be an unnecessary wrapper around pace-core's '${wrappedComponent}'.`;
+          recommendation = `Use '${wrappedComponent}' directly from '@jmruthers/pace-core' instead.`;
+        } else {
+          reason = `Component '${componentName}' appears to be an unnecessary wrapper around '${wrappedComponent}'.`;
+          recommendation = `Remove the wrapper and use '${wrappedComponent}' directly.`;
+        }
+        
+        issues.push({
+          component: componentName,
+          wrappedComponent: wrappedComponent,
+          file: relativePath,
+          line: getLineNumber(content, match[0]),
+          reason: reason,
+          recommendation: recommendation
+        });
+      }
+    }
+  });
+  
+  return issues;
+}
+
 // Scan file for violations
-function scanFile(filePath, manifest) {
+function scanFile(filePath, manifest, projectRoot) {
   const violations = {
     restrictedImports: [],
     duplicateComponents: [],
@@ -375,6 +463,8 @@ function scanFile(filePath, manifest) {
     duplicateConfig: [],
     unprotectedPages: [],
     directSupabaseAuth: [],
+    directSupabaseClient: [], // Direct Supabase client usage instead of useSecureSupabase
+    deprecatedSecureDataAccess: [], // Deprecated useSecureDataAccess with secureQuery/secureInsert/etc
     providerSetupIssues: [],
     viteConfigIssues: [],
     routerSetupIssues: [],
@@ -383,7 +473,7 @@ function scanFile(filePath, manifest) {
   };
   
   const content = fs.readFileSync(filePath, 'utf8');
-  const relativePath = path.relative(process.cwd(), filePath);
+  const relativePath = getRelativePath(filePath, projectRoot);
   
   // Normalize path for cross-platform compatibility (handle both forward and backslash paths)
   const normalizedPath = relativePath.replace(/\\/g, '/');
@@ -392,6 +482,28 @@ function scanFile(filePath, manifest) {
   // Direct Supabase auth calls are the correct approach in Edge Functions
   const isEdgeFunction = normalizedPath.includes('supabase/functions/');
   
+  // Skip pace-core package files - compliance checks are for consuming applications, not the library itself
+  // The library must import these dependencies to build its components, and its own components/hooks/utils
+  // are the source of truth, not duplicates
+  const isPaceCorePackage = normalizedPath.includes('packages/core/') || normalizedPath.startsWith('packages/core/');
+  if (isPaceCorePackage) {
+    return violations; // Return empty violations for pace-core package files
+  }
+  
+  // Skip scripts directory - these are utility/setup scripts, not application code
+  // Scripts may legitimately need direct database access for admin operations
+  const isScript = normalizedPath.startsWith('scripts/') || normalizedPath.includes('/scripts/');
+  if (isScript) {
+    return violations; // Return empty violations for script files
+  }
+  
+  // Skip root-level src directory - in pace-core repository, this is a demo/showcase app, not a consuming app
+  // The audit is designed for consuming applications, not demo apps in the library repository
+  const isRootSrc = normalizedPath.startsWith('src/') && !normalizedPath.includes('packages/');
+  if (isRootSrc) {
+    return violations; // Return empty violations for root-level src files (demo apps)
+  }
+  
   // Check for restricted imports
   manifest.restrictedImports.forEach(({ module, reason }) => {
     const importPattern = new RegExp(`from\\s+['"]${module.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}['"]`, 'g');
@@ -485,6 +597,11 @@ function scanFile(filePath, manifest) {
   // RBAC/Auth Compliance Checks
   // ============================================
   
+  // Check if file imports from pace-core for auth/rbac (define at function scope)
+  const hasPaceCoreImport = /from\s+['"]@jmruthers\/pace-core/.test(content) || 
+                            /from\s+['"]@jmruthers\/pace-core\/rbac/.test(content) ||
+                            /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
+  
   // Check for custom auth/rbac/permission code that doesn't import from pace-core
   const authRbacPatterns = [
     // Custom auth hooks
@@ -515,11 +632,6 @@ function scanFile(filePath, manifest) {
     { pattern: /export\s+(default\s+)?(function|const)\s+isPermitted\s*[=\(]/g, name: 'isPermitted', type: 'util' }
   ];
   
-  // Check if file imports from pace-core for auth/rbac
-  const hasPaceCoreImport = /from\s+['"]@jmruthers\/pace-core/.test(content) || 
-                            /from\s+['"]@jmruthers\/pace-core\/rbac/.test(content) ||
-                            /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
-  
   authRbacPatterns.forEach(({ pattern, name, type, replacement }) => {
     // Create a new regex instance to avoid state issues
     const testPattern = new RegExp(pattern.source, pattern.flags);
@@ -537,7 +649,7 @@ function scanFile(filePath, manifest) {
       ].includes(name);
       
       // Check if the hook uses pace-core RBAC APIs (use a fresh regex to avoid state issues)
-      const rbacApiPattern = /useRoleManagement|useSecureSupabase|useSecureDataAccess|useRBAC|usePermissions|useCan|rbac_role_grant|rbac_role_revoke|rbac_roles_list|data_rbac_apps_list/;
+      const rbacApiPattern = /useRoleManagement|useSecureSupabase|useRBAC|usePermissions|useCan|rbac_role_grant|rbac_role_revoke|rbac_roles_list|data_rbac_apps_list/;
       const usesPaceCoreRBAC = isCustomRBACHook && rbacApiPattern.test(content);
       
       // Check for @pace-core-compliant comment (use a fresh regex)
@@ -677,6 +789,13 @@ function scanFile(filePath, manifest) {
     { pattern: /\.auth\.onAuthStateChange\s*\(/g, method: 'onAuthStateChange' }
   ];
   
+  // Check if file actually uses useUnifiedAuth hook (not just imports it)
+  // Define these at function scope so they're available throughout
+  const usesUnifiedAuthHook = /useUnifiedAuth\s*\(/.test(content);
+  const hasUnifiedAuthImport = /UnifiedAuthProvider/.test(content) || 
+                               /useUnifiedAuth/.test(content) ||
+                               /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
+  
   // Skip all auth checks for Edge Functions - they cannot use React hooks
   if (isEdgeFunction) {
     // Edge Functions use service role client or direct auth calls - correct pattern
@@ -696,12 +815,6 @@ function scanFile(filePath, manifest) {
     { pattern: /\w+\.auth\.getUser\s*\(/g, method: 'getUser', specific: false },
     { pattern: /\w+\.auth\.getSession\s*\(/g, method: 'getSession', specific: false }
   ];
-  
-    // Check if file actually uses useUnifiedAuth hook (not just imports it)
-    const usesUnifiedAuthHook = /useUnifiedAuth\s*\(/.test(content);
-    const hasUnifiedAuthImport = /UnifiedAuthProvider/.test(content) || 
-                                 /useUnifiedAuth/.test(content) ||
-                                 /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
     
     // Check for usage of useCurrentUser hook (even if imported from local file)
     // This catches both local imports and direct usage
@@ -885,11 +998,11 @@ function scanFile(filePath, manifest) {
     { name: 'rbac_apps', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs' },
     { name: 'rbac_app_pages', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core permission management APIs or PagePermissionGuard' },
     { name: 'rbac_page_permissions', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core permission management APIs or PagePermissionGuard' },
-    { name: 'rbac_user_units', type: 'user_data', recommendation: 'Use useSecureSupabase or useSecureDataAccess. For reading, consider data_user_unit_get RPC function' },
+    { name: 'rbac_user_units', type: 'user_data', recommendation: 'Use useSecureSupabase. For reading, consider data_user_unit_get RPC function' },
     // User data tables - acceptable to query but must use secure methods
-    { name: 'rbac_user_profiles', type: 'user_data', recommendation: 'Use useSecureSupabase or useSecureDataAccess from pace-core to ensure organisation context is enforced' },
-    { name: 'rbac_user_login_history', type: 'audit', recommendation: 'Use useSecureSupabase or useSecureDataAccess from pace-core. Login history is automatically tracked by UnifiedAuthProvider, but queries should use secure methods' },
-    { name: 'rbac_user_sessions', type: 'session', recommendation: 'Use useSecureSupabase or useSecureDataAccess from pace-core to ensure organisation context is enforced' }
+    { name: 'rbac_user_profiles', type: 'user_data', recommendation: 'Use useSecureSupabase from pace-core to ensure organisation context is enforced' },
+    { name: 'rbac_user_login_history', type: 'audit', recommendation: 'Use useSecureSupabase from pace-core. Login history is automatically tracked by UnifiedAuthProvider, but queries should use secure methods' },
+    { name: 'rbac_user_sessions', type: 'session', recommendation: 'Use useSecureSupabase from pace-core to ensure organisation context is enforced' }
   ];
   
   // Detect admin/management context
@@ -914,26 +1027,19 @@ function scanFile(filePath, manifest) {
                         /useRBAC/.test(content) ||
                         /usePermissions/.test(content) ||
                         /useSecureSupabase/.test(content) ||
-                        /useSecureDataAccess/.test(content) ||
                         /PagePermissionGuard/.test(content);
   
-  // Check if file uses useSecureDataAccess hook
-  const usesSecureDataAccess = /useSecureDataAccess/.test(content);
-  
-  // Check if file destructures secure methods from useSecureDataAccess
+  // Check if file destructures secure methods (deprecated secureQuery/secureInsert/etc from useSecureDataAccess)
   const hasSecureMethods = /(const|let)\s*\{[^}]*secure(Query|Update|Insert|Delete)/.test(content) ||
                           /secure(Query|Update|Insert|Delete)\s*\(/.test(content);
   
   // First, identify all variables assigned from secure hooks
-  // Match patterns like: const supabase = useSecureSupabase(); or let client = useSecureDataAccess();
+  // Match patterns like: const supabase = useSecureSupabase();
   // Also detect fromSupabaseClient and wrapper patterns
   const secureVariablePatterns = [
     /const\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g,
-    /const\s+(\w+)\s*=\s*useSecureDataAccess\s*\(/g,
     /let\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g,
-    /let\s+(\w+)\s*=\s*useSecureDataAccess\s*\(/g,
     /(\w+)\s*=\s*useSecureSupabase\s*\(/g,
-    /(\w+)\s*=\s*useSecureDataAccess\s*\(/g,
     // Detect fromSupabaseClient usage
     /const\s+(\w+)\s*=\s*fromSupabaseClient\s*\(/g,
     /let\s+(\w+)\s*=\s*fromSupabaseClient\s*\(/g,
@@ -1059,12 +1165,55 @@ function scanFile(filePath, manifest) {
         const isConfigTable = type === 'config';
         
         // Check if the variable comes from a secure hook
-        // Check both the secureVariables set and also check if the variable is assigned from useSecureSupabase/useSecureDataAccess
+        // Check both the secureVariables set and also check if the variable is assigned from useSecureSupabase
         // Escape special regex characters in variable name and use multiline flag to handle newlines
         const escapedVarName = variableName ? variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') : '';
-        const isUsingSecureVariable = secureVariables.has(variableName) ||
-          (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content)) ||
-          (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureDataAccess\\s*\\(`, 'm').test(content));
+        
+        // Check if variable is declared locally (const/let = useSecureSupabase())
+        const isDeclaredSecure = secureVariables.has(variableName) ||
+          (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content));
+        
+        // Check if variable is passed as function parameter with secure type annotation
+        // Look for function signatures with type annotations indicating secure client
+        const isParameterSecure = variableName && (
+          // Check in beforeMatch (200 chars before) for parameter type annotations
+          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(beforeMatch) ||
+          // Check full content for function signatures with secure type annotations
+          new RegExp(`(function|=>|async\\s+function|const\\s+\\w+\\s*=\\s*(async\\s+)?(function|=>))[^(]*\\([^)]*\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(content) ||
+          // Check for ReturnType<typeof import pattern (common in TypeScript)
+          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*ReturnType.*useSecureSupabase`, 'm').test(content) ||
+          // Check for NonNullable<ReturnType<typeof useSecureSupabase>> pattern
+          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*NonNullable.*ReturnType.*useSecureSupabase`, 'm').test(content)
+        );
+        
+        // Check for common secure variable names (heuristic for secure usage)
+        const isSecureVariableName = variableName && /^(secureSupabase|secureClient|secureDb|secure)$/i.test(variableName);
+        
+        // Check for comments indicating secure usage (pace-core-compliant, useSecureSupabase, etc.)
+        // Also check for @pace-core-compliant annotation which can suppress false positives
+        const hasSecureComment = variableName && (
+          // Check in beforeMatch for comments
+          new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(beforeMatch) ||
+          // Check for comments on previous lines (up to 10 lines back for better coverage)
+          (() => {
+            const lines = content.substring(0, matchIndex).split('\n');
+            const recentLines = lines.slice(Math.max(0, lines.length - 10)).join('\n');
+            return new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(recentLines);
+          })()
+        );
+        
+        // Check for @pace-core-compliant annotation on the same line or previous lines (suppression mechanism)
+        const hasComplianceAnnotation = (() => {
+          const lines = content.substring(0, matchIndex).split('\n');
+          const currentLineIdx = lines.length - 1;
+          // Check current line and up to 3 previous lines for @pace-core-compliant
+          const checkLines = lines.slice(Math.max(0, currentLineIdx - 3), currentLineIdx + 1);
+          return new RegExp(`@pace-core-compliant`, 'i').test(checkLines.join('\n'));
+        })();
+        
+        // Combine all checks
+        // If @pace-core-compliant annotation is present, trust it (suppression mechanism)
+        const isUsingSecureVariable = hasComplianceAnnotation || isDeclaredSecure || isParameterSecure || (isSecureVariableName && hasSecureComment);
         
         // Determine severity based on context
         let severity = 'error';
@@ -1076,7 +1225,7 @@ function scanFile(filePath, manifest) {
             continue;
           } else {
             severity = 'error';
-            reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase or useSecureDataAccess to ensure organisation context is enforced and RLS policies are respected.`;
+            reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase to ensure organisation context is enforced and RLS policies are respected.`;
           }
         } else if (isConfigTable) {
           if (isUsingSecureVariable) {
@@ -1086,7 +1235,7 @@ function scanFile(filePath, manifest) {
           } else if (isAdminContext) {
             // Admin operations without secure methods - warning
             severity = 'warning';
-            reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
+            reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase for security.`;
           } else {
             // Not admin context and not using secure methods - error
             severity = 'error';
@@ -1148,8 +1297,8 @@ function scanFile(filePath, manifest) {
         } else if (isConfigTable) {
           // Config tables using secure methods - acceptable for admin operations
           // If using secureQuery/secureUpdate/etc., it's already using secure methods
-          if (isAdminContext || usesSecureDataAccess) {
-            // Config tables in admin context or using secure methods - acceptable
+          if (isAdminContext) {
+            // Config tables in admin context - acceptable
             continue; // Skip - this is correct usage for admin operations
           } else {
             severity = 'error';
@@ -1225,10 +1374,9 @@ function scanFile(filePath, manifest) {
       // Check if using secure variable (check both set and direct pattern match)
       // Escape special regex characters in variable name and use multiline flag to handle newlines
       const escapedVarName = variableName ? variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') : '';
-      // Check if variable is declared with useSecureSupabase or useSecureDataAccess
+      // Check if variable is declared with useSecureSupabase
       const isDeclaredSecure = (variableName && secureVariables.has(variableName)) ||
-        (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content)) ||
-        (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureDataAccess\\s*\\(`, 'm').test(content));
+        (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content));
       // Check if variable is passed as parameter with useSecureSupabase type annotation
       // Look for the parameter in function signatures (check both beforeMatch and full content)
       const isParameterSecure = variableName && (
@@ -1270,12 +1418,12 @@ function scanFile(filePath, manifest) {
       let severity = 'error';
       let reason = '';
       
-      if (isConfigTable && (isAdminContext || usesSecureDataAccess) && (isUsingSecureVariable || hasSecureMethods)) {
+      if (isConfigTable && isAdminContext && (isUsingSecureVariable || hasSecureMethods)) {
         // Admin operations with secure methods - acceptable, skip
         continue;
       } else if (isConfigTable && isAdminContext && !isUsingSecureVariable && !hasSecureMethods) {
         severity = 'warning';
-        reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
+        reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase for security.`;
       } else if (isConfigTable && !isAdminContext) {
         severity = 'error';
         reason = `Direct query to RBAC configuration table '${tableName}' detected. These are system configuration tables. For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs.`;
@@ -1285,7 +1433,7 @@ function scanFile(filePath, manifest) {
           continue;
         }
         severity = 'error';
-        reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase or useSecureDataAccess to ensure organisation context is enforced and RLS policies are respected.`;
+        reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase to ensure organisation context is enforced and RLS policies are respected.`;
       } else {
         severity = 'error';
         reason = `Direct query to RBAC table '${tableName}' detected. Use pace-core RBAC hooks, RPC functions, or useSecureSupabase instead.`;
@@ -1470,6 +1618,61 @@ function scanFile(filePath, manifest) {
       // For .from() patterns, match[1] is the CRUD method; for secure* patterns, operation is already set
       const crudMethod = method === 'from' ? match[1] : operation;
       
+      // Extract variable name for .from() patterns (for secure* patterns, we skip variable detection)
+      let variableName = null;
+      if (method === 'from') {
+        // Look backwards to find the variable name before .from()
+        const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
+        const parts = beforeMatch.split('.from');
+        if (parts.length > 0) {
+          const beforeFrom = parts[parts.length - 1].trim();
+          const words = beforeFrom.match(/\b\w+\b/g);
+          if (words && words.length > 0) {
+            variableName = words[words.length - 1];
+          }
+        }
+      }
+      
+      // Check if using secure variable (only for .from() patterns)
+      let isUsingSecureVariable = false;
+      if (method === 'from' && variableName) {
+        const escapedVarName = variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        
+        // Check if variable is declared locally
+        const isDeclaredSecure = secureVariables.has(variableName) ||
+          new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content);
+        
+        // Check if variable is passed as function parameter with secure type annotation
+        const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
+        const isParameterSecure = 
+          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(beforeMatch) ||
+          new RegExp(`(function|=>|async\\s+function|const\\s+\\w+\\s*=\\s*(async\\s+)?(function|=>))[^(]*\\([^)]*\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(content) ||
+          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*ReturnType.*useSecureSupabase`, 'm').test(content) ||
+          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*NonNullable.*ReturnType.*useSecureSupabase`, 'm').test(content);
+        
+        // Check for common secure variable names
+        const isSecureVariableName = /^(secureSupabase|secureClient|secureDb|secure)$/i.test(variableName);
+        
+        // Check for comments indicating secure usage
+        const hasSecureComment = 
+          new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(beforeMatch) ||
+          (() => {
+            const lines = content.substring(0, matchIndex).split('\n');
+            const recentLines = lines.slice(Math.max(0, lines.length - 10)).join('\n');
+            return new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(recentLines);
+          })();
+        
+        // Check for @pace-core-compliant annotation (suppression mechanism)
+        const hasComplianceAnnotation = (() => {
+          const lines = content.substring(0, matchIndex).split('\n');
+          const currentLineIdx = lines.length - 1;
+          const checkLines = lines.slice(Math.max(0, currentLineIdx - 3), currentLineIdx + 1);
+          return new RegExp(`@pace-core-compliant`, 'i').test(checkLines.join('\n'));
+        })();
+        
+        isUsingSecureVariable = hasComplianceAnnotation || isDeclaredSecure || isParameterSecure || (isSecureVariableName && hasSecureComment);
+      }
+      
       // Skip if in a line comment
       const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
       const lineUpToMatch = content.substring(lineStart, matchIndex);
@@ -1481,6 +1684,16 @@ function scanFile(filePath, manifest) {
         let severity = 'error';
         let example = '';
         
+        // If using secure variable for user_data tables, skip (correct usage)
+        if (isUserData && isUsingSecureVariable) {
+          continue;
+        }
+        
+        // If using secure variable for config tables, skip (correct usage)
+        if (isConfig && isUsingSecureVariable) {
+          continue;
+        }
+        
         if (isRole) {
           // Role mutations should use RPC functions
           const isGrant = crudMethod === 'insert' || crudMethod === 'upsert';
@@ -1503,24 +1716,25 @@ function scanFile(filePath, manifest) {
           if (method && method.startsWith('secure')) {
             // Using secureInsert/secureUpdate/secureDelete - this is correct, don't flag
             continue;
-          } else if (isAdminContext && usesSecureDataAccess) {
-            // Admin context and using useSecureDataAccess - check if using secure methods
+          } else if (isAdminContext) {
+            // Admin context - check if using secure methods
             // If the operation uses secureQuery/secureUpdate/etc, it's already handled above
             // This case is for direct .from() calls in admin context
             severity = 'warning';
-            reason = `Admin operation (${crudMethod}) on configuration table '${table}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
-            replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core for admin operations on configuration tables';
-          } else if (isAdminContext) {
-            severity = 'warning';
-            reason = `Admin operation (${crudMethod}) on configuration table '${table}' detected. Ensure you're using useSecureSupabase or useSecureDataAccess for security.`;
-            replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core for admin operations on configuration tables';
+            reason = `Admin operation (${crudMethod}) on configuration table '${table}' detected. Ensure you're using useSecureSupabase for security.`;
+            replacement = 'Use useSecureSupabase from pace-core for admin operations on configuration tables';
           } else {
             reason = `Direct ${crudMethod} operation on configuration table '${table}' detected. These are system configuration tables. For admin operations, use useSecureSupabase.`;
-            replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core for admin operations';
+            replacement = 'Use useSecureSupabase from pace-core for admin operations';
           }
         } else if (isUserData) {
-          reason = `Direct ${crudMethod} operation on '${table}' detected. Use useSecureSupabase or useSecureDataAccess to ensure organisation context is enforced.`;
-          replacement = 'Use useSecureSupabase or useSecureDataAccess from pace-core';
+          // User data tables - should use secure methods
+          if (isUsingSecureVariable) {
+            // Already handled above - skip
+            continue;
+          }
+          reason = `Direct ${crudMethod} operation on '${table}' detected. Use useSecureSupabase to ensure organisation context is enforced.`;
+          replacement = 'Use useSecureSupabase from pace-core';
         } else {
           reason = `Direct ${crudMethod} operation on '${table}' detected. Use pace-core permission management APIs or documented RPC functions instead.`;
           replacement = 'pace-core permission management APIs or RPC functions';
@@ -1629,7 +1843,7 @@ function scanFile(filePath, manifest) {
           type,
           file: relativePath,
           line: getLineNumber(content, hookStartMatch[0]),
-          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities (like useSecureDataAccess), it should use pace-core RBAC APIs instead of implementing custom logic.`,
+          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities, it should use pace-core RBAC APIs instead of implementing custom logic.`,
           replacement,
           severity: 'error'
         });
@@ -1640,7 +1854,7 @@ function scanFile(filePath, manifest) {
           type,
           file: relativePath,
           line: getLineNumber(content, hookStartMatch[0]),
-          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities (like useSecureDataAccess), it should use pace-core RBAC APIs instead of implementing custom logic.`,
+          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities, it should use pace-core RBAC APIs instead of implementing custom logic.`,
           replacement,
           severity: 'error'
         });
@@ -1651,7 +1865,7 @@ function scanFile(filePath, manifest) {
           type,
           file: relativePath,
           line: getLineNumber(content, hookStartMatch[0]),
-          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities (like useSecureDataAccess), it should use pace-core RBAC APIs instead of implementing custom logic.`,
+          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities, it should use pace-core RBAC APIs instead of implementing custom logic.`,
           replacement,
           severity: 'error'
         });
@@ -1708,7 +1922,7 @@ function scanFile(filePath, manifest) {
       const operatesOnPagePermissions = /rbac_page_permissions/.test(content);
       const operatesOnRoleTables = /rbac_(organisation|event_app|global)_roles/.test(content);
       const operatesOnConfigTables = /rbac_apps|rbac_app_pages/.test(content);
-      const usesSecureMethods = /useSecureDataAccess|useSecureSupabase|secureQuery|secureUpdate|secureInsert|secureDelete/.test(content);
+      const usesSecureMethods = /useSecureSupabase|secureQuery|secureUpdate|secureInsert|secureDelete/.test(content);
       
       // Only flag as permission management if:
       // 1. It's explicitly a permission management component AND operates on permission/role tables
@@ -1737,8 +1951,8 @@ function scanFile(filePath, manifest) {
             type: 'configuration management component',
             file: relativePath,
             line: getLineNumber(content, content.match(componentPattern)[0]),
-            reason: `Configuration management component '${name}' detected. Ensure you're using useSecureDataAccess or useSecureSupabase for secure operations on configuration tables.`,
-            replacement: 'Use useSecureDataAccess or useSecureSupabase from pace-core for admin operations on configuration tables',
+            reason: `Configuration management component '${name}' detected. Ensure you're using useSecureSupabase for secure operations on configuration tables.`,
+            replacement: 'Use useSecureSupabase from pace-core for admin operations on configuration tables',
             severity: 'warning'
           });
         }
@@ -1769,7 +1983,10 @@ function scanFile(filePath, manifest) {
   }
   
   // Check Vite configuration
-  if (relativePath.match(/vite\.config\.(ts|js|tsx|jsx)$/)) {
+  // Skip root-level vite.config files - these are typically for library/monorepo development, not consuming apps
+  // The audit recommendations (exclude @jmruthers/pace-core, dedupe) are for consuming apps, not library dev setups
+  const isRootViteConfig = /^vite\.config\.(ts|js|tsx|jsx)$/.test(relativePath);
+  if (!isRootViteConfig && relativePath.match(/vite\.config\.(ts|js|tsx|jsx)$/)) {
     const viteIssues = scanViteConfig(filePath, content, relativePath);
     violations.viteConfigIssues.push(...viteIssues);
   }
@@ -1964,644 +2181,526 @@ function scanFile(filePath, manifest) {
     }
   }
   
-  return violations;
-}
-
-// Scan for unnecessary wrappers around pace-core components and local components
-function scanUnnecessaryWrappers(content, relativePath, manifest) {
-  const issues = [];
-  
-  // Check if file imports from pace-core
-  const paceCoreImportPattern = /import\s+{([^}]+)}\s+from\s+['"]@jmruthers\/pace-core['"]/;
-  const paceCoreImportMatch = content.match(paceCoreImportPattern);
-  
-  // Extract imported pace-core component names
-  let importedPaceCoreComponents = [];
-  if (paceCoreImportMatch) {
-    importedPaceCoreComponents = (paceCoreImportMatch[1] || '')
-      .split(',')
-      .map(name => name.trim().replace(/\s+as\s+\w+/, '')) // Remove aliases
-      .filter(name => manifest.components.includes(name));
-  }
+  // ============================================
+  // Check for Direct Supabase Client Usage
+  // ============================================
+  // Detect when consuming apps use createClient from @supabase/supabase-js
+  // and then use that client for database queries instead of useSecureSupabase
+  // This is a critical security issue as it bypasses RLS and organisation context
   
-  // Also find all imported components (local and pace-core) to check for wrappers
-  const allImportPattern = /import\s+(?:(?:{([^}]+)})|(\w+))\s+from\s+['"]([^'"]+)['"]/g;
-  const allImports = [];
-  let importMatch;
-  while ((importMatch = allImportPattern.exec(content)) !== null) {
-    const namedImports = importMatch[1]; // { Component1, Component2 }
-    const defaultImport = importMatch[2]; // Component
-    const modulePath = importMatch[3];
+  // Skip Edge Functions - they run in Deno and must use createClient
+  // Reuse isEdgeFunction declared at the top of the function
+  if (!isEdgeFunction) {
+    // Check for createClient import from @supabase/supabase-js
+    const createClientImportPattern = /import\s+{\s*createClient\s*}\s+from\s+['"]@supabase\/supabase-js['"]/;
+    const hasCreateClientImport = createClientImportPattern.test(content);
     
-    if (namedImports) {
-      namedImports.split(',').forEach(name => {
-        const cleanName = name.trim().replace(/\s+as\s+(\w+)/, ''); // Remove aliases but keep original
-        allImports.push({ name: cleanName, module: modulePath });
-      });
-    }
-    if (defaultImport) {
-      allImports.push({ name: defaultImport, module: modulePath });
-    }
-  }
-  
-  // Find exported component definitions
-  // Match: export (default)? (function|const) ComponentName = ...
-  const componentPattern = /export\s+(default\s+)?(function|const)\s+(\w+)\s*[=\(]/g;
-  const componentMatches = [...content.matchAll(componentPattern)];
-  
-  componentMatches.forEach(match => {
-    const componentName = match[3];
-    const matchIndex = match.index;
+    // Check for createClient usage
+    const createClientUsagePattern = /createClient\s*\(/g;
+    const createClientMatches = content.match(createClientUsagePattern);
+    const hasCreateClientUsage = createClientMatches && createClientMatches.length > 0;
     
-    // Skip if it's a test file or example file
-    if (relativePath.includes('.test.') || relativePath.includes('.spec.') || 
-        relativePath.includes('example') || relativePath.includes('Example')) {
-      return;
-    }
+    // Check if file uses useSecureSupabase (correct usage)
+    const usesSecureSupabase = /useSecureSupabase/.test(content) || 
+                               /from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(content);
     
-    // Find the component body
-    // Look for the opening brace after the function/const declaration
-    let braceCount = 0;
-    let bodyStart = -1;
-    let bodyEnd = -1;
-    let inBody = false;
+    // Find all variables assigned from createClient
+    const createClientVariablePattern = /(const|let|var)\s+(\w+)\s*=\s*createClient\s*\(/g;
+    const nonSecureClients = new Set();
+    let match;
+    while ((match = createClientVariablePattern.exec(content)) !== null) {
+      if (match[2]) {
+        nonSecureClients.add(match[2]);
+      }
+    }
     
-    for (let i = matchIndex + match[0].length; i < content.length; i++) {
-      const char = content[i];
-      if (char === '{' && !inBody) {
-        bodyStart = i;
-        inBody = true;
-        braceCount = 1;
-      } else if (char === '{') {
-        braceCount++;
-      } else if (char === '}') {
-        braceCount--;
-        if (braceCount === 0 && inBody) {
-          bodyEnd = i;
-          break;
+    // Check for database queries (.from() calls) using non-secure clients
+    // Pattern: variable.from('table_name')
+    const fromPattern = /\.from\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
+    let fromMatch;
+    while ((fromMatch = fromPattern.exec(content)) !== null) {
+      const matchIndex = fromMatch.index;
+      const tableName = fromMatch[1];
+      
+      // Skip RBAC tables (already checked above)
+      if (tableName.startsWith('rbac_')) {
+        continue;
+      }
+      
+      // Skip if in a line comment
+      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
+      const lineUpToMatch = content.substring(lineStart, matchIndex);
+      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
+      
+      if (isInLineComment) {
+        continue;
+      }
+      
+      // Find the variable name before .from()
+      const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
+      const parts = beforeMatch.split('.from');
+      let variableName = null;
+      if (parts.length > 0) {
+        const beforeFrom = parts[parts.length - 1].trim();
+        const words = beforeFrom.match(/\b\w+\b/g);
+        if (words && words.length > 0) {
+          variableName = words[words.length - 1];
+        }
+      }
+      
+      // Check if this variable is from createClient (non-secure)
+      if (variableName && nonSecureClients.has(variableName)) {
+        // Check if it's in a config file (acceptable for centralized config)
+        const isConfigFile = /config|supabase|client/i.test(relativePath) && 
+                            (relativePath.includes('supabase.ts') || 
+                             relativePath.includes('supabase.js') ||
+                             relativePath.includes('client.ts') ||
+                             relativePath.includes('client.js'));
+        
+        if (!isConfigFile) {
+          const lineNumber = content.substring(0, matchIndex).split('\n').length;
+          
+          // Check if this is already reported
+          const alreadyReported = violations.directSupabaseClient.some(v => 
+            v.file === relativePath && 
+            v.variable === variableName &&
+            Math.abs(v.line - lineNumber) <= 2
+          );
+          
+          if (!alreadyReported) {
+            violations.directSupabaseClient.push({
+              file: relativePath,
+              line: lineNumber,
+              variable: variableName,
+              table: tableName,
+              reason: `Direct Supabase client usage detected. Variable '${variableName}' is created with createClient() and used for database queries. You MUST use useSecureSupabase() instead to ensure RLS policies and organisation context are enforced.`,
+              recommendation: `Replace with: import { useSecureSupabase } from '@jmruthers/pace-core/rbac'; const ${variableName} = useSecureSupabase();`
+            });
+          }
         }
       }
     }
     
-    if (bodyStart === -1 || bodyEnd === -1) {
-      return; // Couldn't find component body
+    // Also check if file imports createClient but doesn't use useSecureSupabase
+    if (hasCreateClientImport && hasCreateClientUsage && !usesSecureSupabase) {
+      // Check if it's a config file (acceptable)
+      const isConfigFile = /config|supabase|client/i.test(relativePath) && 
+                          (relativePath.includes('supabase.ts') || 
+                           relativePath.includes('supabase.js') ||
+                           relativePath.includes('client.ts') ||
+                           relativePath.includes('client.js'));
+      
+      if (!isConfigFile) {
+        // Check if createClient is used for queries (not just config)
+        const hasDatabaseQueries = /\.from\s*\(/.test(content);
+        
+        if (hasDatabaseQueries) {
+          violations.directSupabaseClient.push({
+            file: relativePath,
+            line: 1,
+            variable: 'unknown',
+            table: 'multiple',
+            reason: 'File imports createClient from @supabase/supabase-js and performs database queries. You MUST use useSecureSupabase() instead to ensure RLS policies and organisation context are enforced.',
+            recommendation: 'Replace createClient with: import { useSecureSupabase } from \'@jmruthers/pace-core/rbac\'; const supabase = useSecureSupabase();'
+          });
+        }
+      }
     }
     
-    const componentBody = content.substring(bodyStart + 1, bodyEnd).trim();
-    
-    // Check if body has significant logic (hooks, state, conditionals, etc.)
-    const hasHooks = /use[A-Z]\w+/.test(componentBody);
-    const hasState = /useState|useReducer|useRef/.test(componentBody);
-    const hasConditionals = /if\s*\(|&&|\?|switch/.test(componentBody);
-    const hasMultipleReturns = (componentBody.match(/return/g) || []).length > 1;
-    const hasLoops = /for\s*\(|while\s*\(|\.map\s*\(/.test(componentBody);
-    
-    // Find all JSX components used in the body
-    // Match JSX opening tags: <ComponentName or <ComponentName>
-    const jsxComponentPattern = /<([A-Z][a-zA-Z0-9]*)[\s>\/]/g;
-    const jsxComponents = [];
-    let jsxMatch;
-    while ((jsxMatch = jsxComponentPattern.exec(componentBody)) !== null) {
-      const jsxComponentName = jsxMatch[1];
-      // Skip React fragments and the component itself
-      if (jsxComponentName !== 'Fragment' && 
-          jsxComponentName !== componentName &&
-          !jsxComponents.includes(jsxComponentName)) {
-        jsxComponents.push(jsxComponentName);
+    // Check for createClient imports even without immediate query usage
+    // This catches cases where createClient is imported but may be used later
+    if (hasCreateClientImport && !usesSecureSupabase) {
+      const isConfigFile = /config|supabase|client/i.test(relativePath) && 
+                          (relativePath.includes('supabase.ts') || 
+                           relativePath.includes('supabase.js') ||
+                           relativePath.includes('client.ts') ||
+                           relativePath.includes('client.js'));
+      
+      if (!isConfigFile) {
+        // Find the line number of the import
+        const importMatch = content.match(/import\s+{\s*createClient\s*}\s+from\s+['"]@supabase\/supabase-js['"]/);
+        if (importMatch) {
+          const lineNumber = content.substring(0, importMatch.index).split('\n').length;
+          
+          // Check if this violation is already reported
+          const alreadyReported = violations.directSupabaseClient.some(v => 
+            v.file === relativePath && 
+            v.variable === 'createClient' &&
+            Math.abs(v.line - lineNumber) <= 2
+          );
+          
+          if (!alreadyReported) {
+            violations.directSupabaseClient.push({
+              file: relativePath,
+              line: lineNumber,
+              variable: 'createClient',
+              table: 'none',
+              reason: 'Direct import of createClient from @supabase/supabase-js detected. You MUST use useSecureSupabase() from @jmruthers/pace-core/rbac instead to ensure organisation context and RLS policies are enforced.',
+              recommendation: 'Remove this import and use: import { useSecureSupabase } from \'@jmruthers/pace-core/rbac\'; const supabase = useSecureSupabase();'
+            });
+          }
+        }
       }
     }
     
-    // Check if component is a simple wrapper around another component
-    // Pattern 1: Just returns a single component (pace-core or local)
-    // Pattern 2: Only does auth/permission checks and returns a component
-    // Pattern 3: Minimal logic that just forwards to another component
-    
-    // Check for auth/permission check patterns (common in page wrappers)
-    const hasAuthCheck = /useUnifiedAuth|usePermissions|useCan|PagePermissionGuard|PermissionGuard|useRBAC/.test(componentBody);
-    const hasEarlyReturn = /if\s*\([^)]*\)\s*return/.test(componentBody);
-    
-    // Count conditional returns (early returns for auth checks)
-    const conditionalReturns = (componentBody.match(/if\s*\([^)]*\)\s*return/g) || []).length;
-    
-    // If there's only one JSX component used and minimal logic, it's likely a wrapper
-    if (jsxComponents.length === 1) {
-      const wrappedComponent = jsxComponents[0];
-      const wrappedComponentCount = (componentBody.match(new RegExp(`<${wrappedComponent}`, 'gi')) || []).length;
-      
-      // Check if it's a simple wrapper:
-      // 1. Uses only one other component
-      // 2. No state management
-      // 3. No loops
-      // 4. Component appears only once or twice (opening and closing tag)
-      // 5. Either no logic at all, OR only auth/permission checks with early returns
-      
-      // Allow auth/permission checks but still flag as wrapper if that's all it does
-      // Pattern: uses auth hook, has early return(s) for auth checks, then returns the wrapped component
-      const hasOnlyAuthLogic = hasAuthCheck && 
-                               !hasState && 
-                               !hasLoops && 
-                               (conditionalReturns === 0 || (conditionalReturns <= 2 && hasEarlyReturn)) &&
-                               (!hasConditionals || conditionalReturns <= 2);
-      
-      // Check if hooks are only auth-related
-      const authHookPattern = /use(UnifiedAuth|Permissions|Can|RBAC)/;
-      const allHooks = componentBody.match(/use[A-Z]\w+/g) || [];
-      const onlyAuthHooks = allHooks.length === 0 || allHooks.every(hook => authHookPattern.test(hook));
-      
-      const isSimpleWrapper = 
-        wrappedComponentCount <= 2 && // Opening and closing tag, or self-closing
-        !hasState &&
-        !hasLoops &&
-        (hasMultipleReturns === false || (hasMultipleReturns && hasOnlyAuthLogic && conditionalReturns <= 2)) &&
-        (!hasConditionals || hasOnlyAuthLogic) &&
-        (!hasHooks || (onlyAuthHooks && hasOnlyAuthLogic));
-      
-      if (isSimpleWrapper) {
-        // Check if the wrapped component is from pace-core or local
-        const wrappedComponentImport = allImports.find(imp => imp.name === wrappedComponent);
-        const isPaceCoreComponent = wrappedComponentImport && 
-                                   wrappedComponentImport.module === '@jmruthers/pace-core';
-        
-        let reason, recommendation;
-        if (isPaceCoreComponent) {
-          reason = `Component '${componentName}' appears to be an unnecessary wrapper around pace-core's '${wrappedComponent}'. It only forwards props without adding functionality.`;
-          recommendation = `Use '${wrappedComponent}' directly from '@jmruthers/pace-core' instead of wrapping it in '${componentName}'.`;
-        } else if (hasOnlyAuthLogic) {
-          reason = `Component '${componentName}' is an unnecessary wrapper around '${wrappedComponent}'. It only performs auth/permission checks and returns the wrapped component.`;
-          recommendation = `Merge the auth/permission logic into '${wrappedComponent}' and rename it to '${componentName}', or use PagePermissionGuard from pace-core to protect the route instead.`;
-        } else {
-          reason = `Component '${componentName}' appears to be an unnecessary wrapper around '${wrappedComponent}'. It only forwards props without adding functionality.`;
-          recommendation = `Remove the wrapper and use '${wrappedComponent}' directly, or merge the logic into '${wrappedComponent}' and rename it to '${componentName}'.`;
+    // Check for createClient() calls even when variable isn't used for queries yet
+    // This catches potential security issues early
+    if (hasCreateClientUsage && !usesSecureSupabase) {
+      const isConfigFile = /config|supabase|client/i.test(relativePath) && 
+                          (relativePath.includes('supabase.ts') || 
+                           relativePath.includes('supabase.js') ||
+                           relativePath.includes('client.ts') ||
+                           relativePath.includes('client.js'));
+      
+      if (!isConfigFile) {
+        // Find all createClient() calls
+        const createClientCallPattern = /createClient\s*\(/g;
+        let callMatch;
+        while ((callMatch = createClientCallPattern.exec(content)) !== null) {
+          const lineNumber = content.substring(0, callMatch.index).split('\n').length;
+          
+          // Check if this violation is already reported
+          const alreadyReported = violations.directSupabaseClient.some(v => 
+            v.file === relativePath && 
+            Math.abs(v.line - lineNumber) <= 2
+          );
+          
+          if (!alreadyReported) {
+            violations.directSupabaseClient.push({
+              file: relativePath,
+              line: lineNumber,
+              variable: 'unknown',
+              table: 'none',
+              reason: 'Direct createClient() call detected. You MUST use useSecureSupabase() from @jmruthers/pace-core/rbac instead to ensure organisation context and RLS policies are enforced.',
+              recommendation: 'Replace with: import { useSecureSupabase } from \'@jmruthers/pace-core/rbac\'; const supabase = useSecureSupabase();'
+            });
+          }
         }
-        
-        issues.push({
-          component: componentName,
-          wrappedComponent: wrappedComponent,
-          file: relativePath,
-          line: getLineNumber(content, match[0]),
-          reason: reason,
-          recommendation: recommendation
-        });
       }
     }
-  });
-  
-  return issues;
-}
-
-// Get line number for a match
-function getLineNumber(content, match) {
-  const lines = content.substring(0, content.indexOf(match)).split('\n');
-  return lines.length;
-}
-
-// Generate report
-function generateReport(allViolations, manifest) {
-  const totalRestricted = allViolations.restrictedImports.length;
-  const totalDuplicates = 
-    allViolations.duplicateComponents.length +
-    allViolations.duplicateHooks.length +
-    allViolations.duplicateUtils.length;
-  const totalSuggestions = allViolations.suggestions.length;
-  const totalRbacAuth = 
-    allViolations.customAuthCode.length +
-    allViolations.duplicateConfig.length +
-    allViolations.unprotectedPages.length +
-    allViolations.directSupabaseAuth.length;
-  const totalSetupIssues = 
-    allViolations.providerSetupIssues.length +
-    allViolations.viteConfigIssues.length +
-    allViolations.routerSetupIssues.length;
-  const totalUnnecessaryWrappers = allViolations.unnecessaryWrappers.length;
-  const totalAppDiscovery = allViolations.appDiscoveryIssues.length;
-  const totalIssues = totalRestricted + totalDuplicates + totalSuggestions + totalRbacAuth + totalSetupIssues + totalUnnecessaryWrappers + totalAppDiscovery;
-  
-  console.log(`\n${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
-  console.log(`${colors.bold}${colors.cyan}  pace-core Compliance Report${colors.reset}`);
-  console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}\n`);
-  
-  // Restricted Imports
-  if (totalRestricted > 0) {
-    console.log(`${colors.red}${colors.bold}❌ Restricted Imports Found: ${totalRestricted}${colors.reset}\n`);
-    allViolations.restrictedImports.forEach(({ module, reason, file, line }) => {
-      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-      console.log(`    Import: ${colors.cyan}${module}${colors.reset}`);
-      console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}\n`);
-    });
-  } else {
-    console.log(`${colors.green}✅ No restricted imports found${colors.reset}\n`);
-  }
-  
-  // Duplicate Components
-  if (allViolations.duplicateComponents.length > 0) {
-    console.log(`${colors.red}${colors.bold}❌ Duplicate Components Found: ${allViolations.duplicateComponents.length}${colors.reset}\n`);
-    allViolations.duplicateComponents.forEach(({ component, file }) => {
-      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
-      console.log(`    Component '${colors.cyan}${component}${colors.reset}' conflicts with pace-core component`);
-      console.log(`    ${colors.yellow}Suggestion:${colors.reset} Use '${component}' from '@jmruthers/pace-core' instead\n`);
-    });
-  }
-  
-  // Duplicate Hooks
-  if (allViolations.duplicateHooks.length > 0) {
-    console.log(`${colors.red}${colors.bold}❌ Duplicate Hooks Found: ${allViolations.duplicateHooks.length}${colors.reset}\n`);
-    allViolations.duplicateHooks.forEach(({ hook, file }) => {
-      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
-      console.log(`    Hook '${colors.cyan}${hook}${colors.reset}' conflicts with pace-core hook`);
-      console.log(`    ${colors.yellow}Suggestion:${colors.reset} Use '${hook}' from '@jmruthers/pace-core' instead\n`);
-    });
-  }
-  
-  // Duplicate Utils
-  if (allViolations.duplicateUtils.length > 0) {
-    console.log(`${colors.red}${colors.bold}❌ Duplicate Utils Found: ${allViolations.duplicateUtils.length}${colors.reset}\n`);
-    allViolations.duplicateUtils.forEach(({ util, file }) => {
-      console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
-      console.log(`    Util '${colors.cyan}${util}${colors.reset}' conflicts with pace-core util`);
-      console.log(`    ${colors.yellow}Suggestion:${colors.reset} Use '${util}' from '@jmruthers/pace-core' instead\n`);
-    });
-  }
-  
-  // Suggestions
-  if (totalSuggestions > 0) {
-    console.log(`${colors.yellow}${colors.bold}💡 Suggestions: ${totalSuggestions}${colors.reset}\n`);
-    const grouped = {};
-    allViolations.suggestions.forEach(s => {
-      if (!grouped[s.file]) grouped[s.file] = [];
-      grouped[s.file].push(s);
-    });
-    Object.entries(grouped).forEach(([file, suggestions]) => {
-      console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
-      suggestions.forEach(s => {
-        console.log(`    ${s.suggestion}\n`);
-      });
-    });
   }
   
-  // Unnecessary Wrappers
-  if (totalUnnecessaryWrappers > 0) {
-    console.log(`${colors.yellow}${colors.bold}⚠️  Unnecessary Wrappers: ${totalUnnecessaryWrappers}${colors.reset}\n`);
-    allViolations.unnecessaryWrappers.forEach(({ component, wrappedComponent, file, line, reason, recommendation }) => {
-      console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-      console.log(`    Component: ${colors.cyan}${component}${colors.reset}`);
-      console.log(`    Wraps: ${colors.cyan}${wrappedComponent}${colors.reset}`);
-      console.log(`    ${colors.yellow}Issue:${colors.reset} ${reason}`);
-      if (recommendation) {
-        console.log(`    ${colors.green}Recommendation:${colors.reset} ${recommendation}\n`);
-      } else {
-        console.log(`    ${colors.green}Recommendation:${colors.reset} Remove the wrapper and use the component directly.\n`);
-      }
-    });
-  }
+  // ============================================
+  // Check for Deprecated useSecureDataAccess Usage
+  // ============================================
+  // Detect when consuming apps use useSecureDataAccess() with secureQuery/secureInsert/etc
+  // This is deprecated - they should migrate to useSecureSupabase() instead
+  // This helps identify code that needs migration before retiring the old API
   
-  // App Discovery Issues
-  if (totalAppDiscovery > 0) {
-    console.log(`\n${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
-    console.log(`${colors.bold}${colors.cyan}  App Discovery Compliance${colors.reset}`);
-    console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}\n`);
-    
-    // Separate by type
-    const directQueries = allViolations.appDiscoveryIssues.filter(v => v.type === 'direct_table_query');
-    const hardcodedNames = allViolations.appDiscoveryIssues.filter(v => v.type === 'hardcoded_app_name');
-    const suggestions = allViolations.appDiscoveryIssues.filter(v => v.type === 'suggestion');
+  // Skip Edge Functions - they run in Deno
+  if (!isEdgeFunction) {
+    // Check for useSecureDataAccess import
+    const hasSecureDataAccessImport = /import.*useSecureDataAccess.*from\s+['"]@jmruthers\/pace-core['"]/.test(content) ||
+                                      /import.*useSecureDataAccess.*from\s+['"]@jmruthers\/pace-core\/hooks['"]/.test(content);
     
-    if (directQueries.length > 0) {
-      console.log(`${colors.yellow}${colors.bold}⚠️  Direct rbac_apps Queries: ${directQueries.length}${colors.reset}\n`);
-      directQueries.forEach(({ file, line, reason, recommendation }) => {
-        console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-        console.log(`    ${colors.yellow}Issue:${colors.reset} ${reason}`);
-        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
-      });
-    }
+    // Check for useSecureDataAccess hook usage
+    const hasSecureDataAccessHook = /useSecureDataAccess\s*\(/.test(content);
     
-    if (hardcodedNames.length > 0) {
-      console.log(`${colors.yellow}${colors.bold}⚠️  Hardcoded App Names: ${hardcodedNames.length}${colors.reset}\n`);
-      hardcodedNames.forEach(({ file, line, appName, reason, recommendation }) => {
-        console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-        console.log(`    App Name: ${colors.cyan}${appName}${colors.reset}`);
-        console.log(`    ${colors.yellow}Issue:${colors.reset} ${reason}`);
-        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
-      });
-    }
+    // Check for deprecated secure methods
+    const deprecatedMethods = [
+      { name: 'secureQuery', operation: 'query' },
+      { name: 'secureInsert', operation: 'insert' },
+      { name: 'secureUpdate', operation: 'update' },
+      { name: 'secureDelete', operation: 'delete' },
+      { name: 'secureRpc', operation: 'RPC call' }
+    ];
     
-    if (suggestions.length > 0) {
-      console.log(`${colors.cyan}${colors.bold}💡 Suggestions: ${suggestions.length}${colors.reset}\n`);
-      suggestions.forEach(({ file, reason, recommendation }) => {
-        console.log(`  ${colors.cyan}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
-        console.log(`    ${reason}`);
-        console.log(`    ${colors.green}Recommendation:${colors.reset} ${recommendation}\n`);
-      });
-    }
+    // Pattern to find destructured secure methods from useSecureDataAccess
+    const destructurePattern = /(const|let)\s*\{[^}]*\b(secureQuery|secureInsert|secureUpdate|secureDelete|secureRpc)\b[^}]*\}\s*=\s*useSecureDataAccess\s*\(/g;
     
-    console.log(`${colors.cyan}Example Usage:${colors.reset}`);
-    console.log(`  ${colors.green}const { data: apps } = await supabase.rpc('data_rbac_apps_list');${colors.reset}`);
-    console.log(`  ${colors.green}const appNames = apps?.map(app => app.name) || [];${colors.reset}\n`);
-  } else {
-    console.log(`${colors.green}✅ App discovery compliance: Using data_rbac_apps_list RPC function${colors.reset}\n`);
-  }
-  
-  // RBAC/Auth Compliance Section
-  if (totalRbacAuth > 0) {
-    console.log(`\n${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
-    console.log(`${colors.bold}${colors.cyan}  RBAC/Auth Compliance${colors.reset}`);
-    console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}\n`);
+    // Pattern to find direct method calls (secureQuery(...), secureInsert(...), etc.)
+    const methodCallPatterns = deprecatedMethods.map(method => ({
+      name: method.name,
+      operation: method.operation,
+      pattern: new RegExp(`\\b${method.name}\\s*\\(`, 'g')
+    }));
     
-    // Custom Auth/RBAC Code
-    if (allViolations.customAuthCode.length > 0) {
-      // Separate by severity
-      const errors = allViolations.customAuthCode.filter(v => !v.severity || v.severity === 'error');
-      const warnings = allViolations.customAuthCode.filter(v => v.severity === 'warning');
-      const info = allViolations.customAuthCode.filter(v => v.severity === 'info');
-      
-      if (errors.length > 0) {
-        console.log(`${colors.red}${colors.bold}❌ Custom Auth/RBAC Code Found: ${errors.length}${colors.reset}\n`);
-        errors.forEach(({ name, type, file, line, reason, replacement, example }) => {
-          console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-          console.log(`    ${type}: ${colors.cyan}${name}${colors.reset}`);
-          console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}`);
-          if (replacement) {
-            console.log(`    ${colors.green}Fix:${colors.reset} ${replacement}`);
-            // Add example code if provided
-            if (example) {
-              console.log(`    ${colors.cyan}Example:${colors.reset}`);
-              example.split('\n').forEach(line => {
-                console.log(`      ${colors.green}${line}${colors.reset}`);
-              });
-            } else {
-              // Add example code for common cases
-              if (type === 'rbac query' && name.includes('rbac_user_profiles')) {
-                console.log(`    ${colors.cyan}Example:${colors.reset}`);
-                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
-                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
-                console.log(`      ${colors.green}const { data } = await supabase.from('rbac_user_profiles').select('*');${colors.reset}`);
-              } else if (type === 'rbac query' && name.includes('rbac_user_login_history')) {
-                console.log(`    ${colors.cyan}Example:${colors.reset}`);
-                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
-                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
-                console.log(`      ${colors.green}const { data } = await supabase.from('rbac_user_login_history').select('*').eq('user_id', userId);${colors.reset}`);
-                console.log(`    ${colors.yellow}Note:${colors.reset} Login history is automatically tracked by UnifiedAuthProvider.`);
-                console.log(`    ${colors.yellow}      ${colors.reset} Queries should use useSecureSupabase to ensure organisation context is enforced.`);
-              } else if (type === 'rbac query' && name.includes('rbac_user_units')) {
-                console.log(`    ${colors.cyan}Example:${colors.reset}`);
-                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
-                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
-                console.log(`      ${colors.green}// For reading, use RPC:${colors.reset}`);
-                console.log(`      ${colors.green}const { data } = await supabase.rpc('data_user_unit_get', {${colors.reset}`);
-                console.log(`      ${colors.green}  p_user_id: userId,${colors.reset}`);
-                console.log(`      ${colors.green}  p_event_id: eventId${colors.reset}`);
-                console.log(`      ${colors.green}});${colors.reset}`);
-              } else if (type === 'rbac query' && name.includes('rbac_apps')) {
-                console.log(`    ${colors.cyan}Example (app discovery):${colors.reset}`);
-                console.log(`      ${colors.green}const { data: apps } = await supabase.rpc('data_rbac_apps_list');${colors.reset}`);
-                console.log(`      ${colors.yellow}Note:${colors.reset} Use data_rbac_apps_list RPC function for dynamic app discovery instead of querying rbac_apps directly.`);
-              } else if (type === 'rbac query' && (name.includes('rbac_app_pages') || name.includes('rbac_page_permissions'))) {
-                console.log(`    ${colors.cyan}Example (admin operations):${colors.reset}`);
-                console.log(`      ${colors.green}import { useSecureSupabase } from '@jmruthers/pace-core/rbac';${colors.reset}`);
-                console.log(`      ${colors.green}const supabase = useSecureSupabase();${colors.reset}`);
-                console.log(`      ${colors.green}const { data } = await supabase.from('${name.match(/rbac_\w+/)?.[0] || 'rbac_table'}').select('*');${colors.reset}`);
-              }
-            }
+    // Check if file uses the deprecated hook
+    if (hasSecureDataAccessImport || hasSecureDataAccessHook) {
+      // Find all destructured methods
+      let destructureMatch;
+      const foundMethods = new Set();
+      
+      while ((destructureMatch = destructurePattern.exec(content)) !== null) {
+        const destructureText = destructureMatch[0];
+        deprecatedMethods.forEach(method => {
+          if (destructureText.includes(method.name)) {
+            foundMethods.add(method.name);
           }
-          console.log('');
         });
       }
       
-      if (warnings.length > 0) {
-        console.log(`${colors.yellow}${colors.bold}⚠️  Warnings (acceptable but should use secure methods): ${warnings.length}${colors.reset}\n`);
-        warnings.forEach(({ name, type, file, line, reason, replacement, example }) => {
-          console.log(`  ${colors.yellow}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-          console.log(`    ${type}: ${colors.cyan}${name}${colors.reset}`);
-          console.log(`    ${colors.yellow}Note:${colors.reset} ${reason}`);
-          if (replacement) {
-            console.log(`    ${colors.green}Recommendation:${colors.reset} ${replacement}`);
+      // Find all method calls
+      methodCallPatterns.forEach(({ name, operation, pattern }) => {
+        let match;
+        pattern.lastIndex = 0;
+        
+        while ((match = pattern.exec(content)) !== null) {
+          const matchIndex = match.index;
+          
+          // Skip if in a line comment
+          const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
+          const lineUpToMatch = content.substring(lineStart, matchIndex);
+          const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
+          
+          if (isInLineComment) {
+            continue;
           }
-          if (example) {
-            console.log(`    ${colors.cyan}Example:${colors.reset}`);
-            example.split('\n').forEach(line => {
-              console.log(`      ${colors.green}${line}${colors.reset}`);
-            });
+          
+          // Check if this is from useSecureDataAccess (not from a different source)
+          // Look backwards to see if it's from useSecureDataAccess destructuring
+          const beforeMatch = content.substring(Math.max(0, matchIndex - 500), matchIndex);
+          const isFromSecureDataAccess = 
+            /useSecureDataAccess\s*\(/.test(beforeMatch) ||
+            /(const|let)\s*\{[^}]*\bsecure(Query|Insert|Update|Delete|Rpc)\b/.test(beforeMatch);
+          
+          if (isFromSecureDataAccess) {
+            foundMethods.add(name);
+            
+            const lineNumber = content.substring(0, matchIndex).split('\n').length;
+            
+            // Check if already reported
+            const alreadyReported = violations.deprecatedSecureDataAccess.some(v => 
+              v.file === relativePath && 
+              v.method === name &&
+              Math.abs(v.line - lineNumber) <= 2
+            );
+            
+            if (!alreadyReported) {
+              violations.deprecatedSecureDataAccess.push({
+                file: relativePath,
+                line: lineNumber,
+                method: name,
+                operation: operation,
+                reason: `Deprecated method '${name}' from useSecureDataAccess() detected. This API is being retired. Migrate to useSecureSupabase() instead.`,
+                recommendation: getMigrationRecommendation(name, operation)
+              });
+            }
           }
-          console.log('');
-        });
-      }
-      
-      // Don't show info-level items (these are correct usage)
-      // They're tracked but not displayed to avoid noise
-    }
-    
-    // Duplicate Configurations
-    if (allViolations.duplicateConfig.length > 0) {
-      console.log(`${colors.red}${colors.bold}❌ Duplicate Configurations Found: ${allViolations.duplicateConfig.length}${colors.reset}\n`);
-      allViolations.duplicateConfig.forEach(({ type, file, count, reason }) => {
-        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
-        console.log(`    Type: ${colors.cyan}${type}${colors.reset}${count ? ` (${count} instances)` : ''}`);
-        console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}\n`);
-      });
-    }
-    
-    // Unprotected Pages
-    if (allViolations.unprotectedPages.length > 0) {
-      console.log(`${colors.red}${colors.bold}❌ Unprotected Pages Found: ${allViolations.unprotectedPages.length}${colors.reset}\n`);
-      allViolations.unprotectedPages.forEach(({ file, reason }) => {
-        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}${colors.reset}`);
-        console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}\n`);
-      });
-    }
-    
-    // Direct Supabase Auth Usage
-    if (allViolations.directSupabaseAuth.length > 0) {
-      console.log(`${colors.red}${colors.bold}❌ Direct Supabase Auth Usage Found: ${allViolations.directSupabaseAuth.length}${colors.reset}\n`);
-      allViolations.directSupabaseAuth.forEach(({ file, line, reason, method, recommendation }) => {
-        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-        console.log(`    ${colors.yellow}Reason:${colors.reset} ${reason}`);
-        if (recommendation) {
-          console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
-        } else {
-          console.log(`    ${colors.green}Fix:${colors.reset} Use ${colors.cyan}useUnifiedAuth${colors.reset} hook from @jmruthers/pace-core instead of direct ${method ? `supabase.auth.${method}()` : 'Supabase auth'} calls\n`);
         }
       });
-    }
-  } else {
-    console.log(`\n${colors.green}✅ RBAC/Auth compliance: All checks passed${colors.reset}\n`);
-  }
-  
-  // Setup/Configuration Issues Section
-  if (totalSetupIssues > 0) {
-    console.log(`\n${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
-    console.log(`${colors.bold}${colors.cyan}  Setup & Configuration Issues${colors.reset}`);
-    console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}\n`);
-    
-    // Provider Setup Issues
-    if (allViolations.providerSetupIssues.length > 0) {
-      console.log(`${colors.red}${colors.bold}❌ Provider Setup Issues Found: ${allViolations.providerSetupIssues.length}${colors.reset}\n`);
-      allViolations.providerSetupIssues.forEach(({ file, line, type, provider, reason, recommendation }) => {
-        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-        if (provider) {
-          console.log(`    Missing Provider: ${colors.cyan}${provider}${colors.reset}`);
-        }
-        if (type) {
-          console.log(`    Issue Type: ${colors.cyan}${type}${colors.reset}`);
+      
+      // If we found the hook usage but haven't reported specific methods, add a general warning
+      if (foundMethods.size === 0 && hasSecureDataAccessHook) {
+        // Check if it's just imported but not used, or used in a way we didn't detect
+        const hasAnySecureMethodCall = /secure(Query|Insert|Update|Delete|Rpc)\s*\(/.test(content);
+        
+        if (hasAnySecureMethodCall) {
+          violations.deprecatedSecureDataAccess.push({
+            file: relativePath,
+            line: 1,
+            method: 'useSecureDataAccess',
+            operation: 'general',
+            reason: 'useSecureDataAccess() hook detected. This API is deprecated and will be retired. Migrate to useSecureSupabase() instead.',
+            recommendation: 'Replace useSecureDataAccess() with useSecureSupabase() and use standard Supabase query builder API (.from(), .select(), etc.)'
+          });
         }
-        console.log(`    ${colors.yellow}Problem:${colors.reset} ${reason}`);
-        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
-      });
-    }
-    
-    // Vite Configuration Issues
-    if (allViolations.viteConfigIssues.length > 0) {
-      console.log(`${colors.red}${colors.bold}❌ Vite Configuration Issues Found: ${allViolations.viteConfigIssues.length}${colors.reset}\n`);
-      allViolations.viteConfigIssues.forEach(({ file, line, type, reason, recommendation }) => {
-        const severity = type === 'recommendation' ? colors.yellow : colors.red;
-        const icon = type === 'recommendation' ? '💡' : '❌';
-        console.log(`  ${severity}${icon}${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-        console.log(`    ${colors.yellow}Issue:${colors.reset} ${reason}`);
-        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
-      });
-    }
-    
-    // Router Setup Issues
-    if (allViolations.routerSetupIssues.length > 0) {
-      console.log(`${colors.red}${colors.bold}❌ Router Setup Issues Found: ${allViolations.routerSetupIssues.length}${colors.reset}\n`);
-      allViolations.routerSetupIssues.forEach(({ file, line, type, reason, recommendation }) => {
-        console.log(`  ${colors.red}•${colors.reset} ${colors.yellow}${file}:${line}${colors.reset}`);
-        console.log(`    Issue Type: ${colors.cyan}${type}${colors.reset}`);
-        console.log(`    ${colors.yellow}Problem:${colors.reset} ${reason}`);
-        console.log(`    ${colors.green}Fix:${colors.reset} ${recommendation}\n`);
-      });
+      }
     }
-  } else {
-    console.log(`\n${colors.green}✅ Setup & Configuration: All checks passed${colors.reset}\n`);
   }
   
-  // Summary
-  console.log(`${colors.bold}${colors.cyan}═══════════════════════════════════════════════════════════${colors.reset}`);
-  console.log(`${colors.bold}Summary:${colors.reset}`);
-  console.log(`  Total Issues: ${totalIssues > 0 ? colors.red : colors.green}${totalIssues}${colors.reset}`);
-  console.log(`  - Restricted Imports: ${totalRestricted > 0 ? colors.red : colors.green}${totalRestricted}${colors.reset}`);
-  console.log(`  - Duplicate Components/Hooks/Utils: ${totalDuplicates > 0 ? colors.red : colors.green}${totalDuplicates}${colors.reset}`);
-  console.log(`  - Suggestions: ${colors.yellow}${totalSuggestions}${colors.reset}`);
-  console.log(`  - RBAC/Auth Issues: ${totalRbacAuth > 0 ? colors.red : colors.green}${totalRbacAuth}${colors.reset}`);
-  console.log(`  - Setup/Configuration Issues: ${totalSetupIssues > 0 ? colors.red : colors.green}${totalSetupIssues}${colors.reset}`);
-  console.log(`  - Unnecessary Wrappers: ${totalUnnecessaryWrappers > 0 ? colors.yellow : colors.green}${totalUnnecessaryWrappers}${colors.reset}`);
-  console.log(`  - App Discovery Issues: ${totalAppDiscovery > 0 ? colors.yellow : colors.green}${totalAppDiscovery}${colors.reset}`);
-  
-  if (totalIssues === 0) {
-    console.log(`\n${colors.green}${colors.bold}✅ Excellent! Your codebase is fully compliant with pace-core standards.${colors.reset}\n`);
-    return 0;
-  } else {
-    console.log(`\n${colors.yellow}${colors.bold}⚠️  Please review the issues above and migrate to pace-core components/hooks/utils.${colors.reset}\n`);
-    return 1;
-  }
+  return violations;
 }
 
-// Recursively find source files
-function findSourceFiles(dir, fileList = []) {
-  const ignoreDirs = ['node_modules', 'dist', 'build', '.next', 'coverage', '__tests__', '__mocks__'];
-  const ignoreFiles = /\.(test|spec)\.(ts|tsx|js|jsx)$/;
-  const sourceExtensions = /\.(ts|tsx|js|jsx)$/;
-  
-  try {
-    const items = fs.readdirSync(dir);
+/**
+ * Compliance check module
+ */
+const complianceCheck = {
+  name: 'compliance',
+  description: 'pace-core compliance checks (restricted imports, duplicates, auth/RBAC, etc.)',
+  severity: 'error',
+  
+  async run(context) {
+    const { projectRoot, files, manifest: providedManifest } = context;
     
-    items.forEach(item => {
-      const fullPath = path.join(dir, item);
-      const stat = fs.statSync(fullPath);
-      
-      if (stat.isDirectory()) {
-        // Skip Edge Functions directory - they run in Deno, not React, so React hooks aren't available
-        if (item === 'functions' && dir.includes('supabase')) {
-          return; // Skip supabase/functions directory
-        }
-        if (!ignoreDirs.includes(item) && !item.startsWith('.')) {
-          findSourceFiles(fullPath, fileList);
-        }
-      } else if (stat.isFile()) {
-        if (sourceExtensions.test(item) && !ignoreFiles.test(item)) {
-          fileList.push(fullPath);
+    // Load manifest if not provided
+    const manifest = providedManifest || loadManifest();
+    
+    if (!files || files.length === 0) {
+      return {
+        issues: [],
+        warnings: [],
+        suggestions: [],
+        violations: {
+          restrictedImports: [],
+          duplicateComponents: [],
+          duplicateHooks: [],
+          duplicateUtils: [],
+          suggestions: [],
+          customAuthCode: [],
+          duplicateConfig: [],
+          unprotectedPages: [],
+          directSupabaseAuth: [],
+          directSupabaseClient: [],
+          deprecatedSecureDataAccess: [],
+          providerSetupIssues: [],
+          viteConfigIssues: [],
+          routerSetupIssues: [],
+          unnecessaryWrappers: [],
+          appDiscoveryIssues: []
         }
+      };
+    }
+    
+    // Aggregate all violations
+    const allViolations = {
+      restrictedImports: [],
+      duplicateComponents: [],
+      duplicateHooks: [],
+      duplicateUtils: [],
+      suggestions: [],
+      customAuthCode: [],
+      duplicateConfig: [],
+      unprotectedPages: [],
+      directSupabaseAuth: [],
+      directSupabaseClient: [],
+      deprecatedSecureDataAccess: [],
+      providerSetupIssues: [],
+      viteConfigIssues: [],
+      routerSetupIssues: [],
+      unnecessaryWrappers: [],
+      appDiscoveryIssues: []
+    };
+    
+    // Scan all files
+    for (const filePath of files) {
+      try {
+        const violations = scanFile(filePath, manifest, projectRoot);
+        
+        // Aggregate violations
+        Object.keys(allViolations).forEach(key => {
+          if (violations[key] && Array.isArray(violations[key])) {
+            allViolations[key].push(...violations[key]);
+          }
+        });
+      } catch (error) {
+        // Skip files with errors
+        console.warn(`Error scanning ${filePath}: ${error.message}`);
       }
-    });
-  } catch (error) {
-    // Skip directories we can't read
-  }
-  
-  return fileList;
-}
-
-// Main function
-function main() {
-  const manifest = loadManifest();
-  const projectRoot = findProjectRoot();
-  
-  console.log(`${colors.cyan}Scanning project at: ${projectRoot}${colors.reset}`);
-  
-  // Find all TypeScript/JavaScript files (excluding node_modules, dist, etc.)
-  const files = findSourceFiles(projectRoot);
-  
-  console.log(`Found ${files.length} files to scan...\n`);
-  
-  // Scan all files
-  const allViolations = {
-    restrictedImports: [],
-    duplicateComponents: [],
-    duplicateHooks: [],
-    duplicateUtils: [],
-    suggestions: [],
-    customAuthCode: [],
-    duplicateConfig: [],
-    unprotectedPages: [],
-    directSupabaseAuth: [],
-    providerSetupIssues: [],
-    viteConfigIssues: [],
-    routerSetupIssues: [],
-    unnecessaryWrappers: [],
-    appDiscoveryIssues: []
-  };
-  
-  files.forEach(file => {
-    try {
-      const violations = scanFile(file, manifest);
-      allViolations.restrictedImports.push(...violations.restrictedImports);
-      allViolations.duplicateComponents.push(...violations.duplicateComponents);
-      allViolations.duplicateHooks.push(...violations.duplicateHooks);
-      allViolations.duplicateUtils.push(...violations.duplicateUtils);
-      allViolations.suggestions.push(...violations.suggestions);
-      allViolations.customAuthCode.push(...violations.customAuthCode);
-      allViolations.duplicateConfig.push(...violations.duplicateConfig);
-      allViolations.unprotectedPages.push(...violations.unprotectedPages);
-      allViolations.directSupabaseAuth.push(...violations.directSupabaseAuth);
-      allViolations.providerSetupIssues.push(...violations.providerSetupIssues);
-      allViolations.viteConfigIssues.push(...violations.viteConfigIssues);
-      allViolations.routerSetupIssues.push(...violations.routerSetupIssues);
-      allViolations.unnecessaryWrappers.push(...violations.unnecessaryWrappers);
-      allViolations.appDiscoveryIssues.push(...violations.appDiscoveryIssues);
-    } catch (error) {
-      console.error(`${colors.red}Error scanning ${file}: ${error.message}${colors.reset}`);
     }
-  });
-  
-  // Generate and display report
-  const exitCode = generateReport(allViolations, manifest);
-  process.exit(exitCode);
-}
-
-// Run if called directly
-if (require.main === module) {
-  try {
-    main();
-  } catch (error) {
-    console.error(`${colors.red}Error: ${error.message}${colors.reset}`);
-    console.error(error.stack);
-    process.exit(1);
+    
+    // Convert violations to issues/warnings/suggestions format
+    const issues = [
+      ...allViolations.restrictedImports.map(v => ({
+        type: 'restricted-import',
+        file: v.file,
+        line: v.line,
+        message: `Restricted import: ${v.module} - ${v.reason}`,
+        recommendation: `Use pace-core alternative instead`
+      })),
+      ...allViolations.duplicateComponents.map(v => ({
+        type: 'duplicate-component',
+        file: v.file,
+        message: `Duplicate component: ${v.component}`,
+        recommendation: `Use ${v.component} from '@jmruthers/pace-core' instead`
+      })),
+      ...allViolations.duplicateHooks.map(v => ({
+        type: 'duplicate-hook',
+        file: v.file,
+        message: `Duplicate hook: ${v.hook}`,
+        recommendation: `Use ${v.hook} from '@jmruthers/pace-core' instead`
+      })),
+      ...allViolations.duplicateUtils.map(v => ({
+        type: 'duplicate-util',
+        file: v.file,
+        message: `Duplicate util: ${v.util}`,
+        recommendation: `Use ${v.util} from '@jmruthers/pace-core' instead`
+      })),
+      ...allViolations.customAuthCode.filter(v => !v.severity || v.severity === 'error').map(v => ({
+        type: 'custom-auth-code',
+        file: v.file,
+        line: v.line,
+        message: `${v.type}: ${v.name} - ${v.reason}`,
+        recommendation: v.replacement || 'Use pace-core APIs instead'
+      })),
+      ...allViolations.directSupabaseClient.map(v => ({
+        type: 'direct-supabase-client',
+        file: v.file,
+        line: v.line,
+        message: `Direct Supabase client usage: ${v.reason}`,
+        recommendation: v.recommendation || 'Use useSecureSupabase() instead'
+      })),
+      ...allViolations.providerSetupIssues.map(v => ({
+        type: 'provider-setup',
+        file: v.file,
+        line: v.line,
+        message: v.issue || v.reason,
+        recommendation: v.recommendation
+      })),
+      ...allViolations.viteConfigIssues.map(v => ({
+        type: 'vite-config',
+        file: v.file,
+        line: v.line,
+        message: v.issue,
+        recommendation: v.recommendation
+      })),
+      ...allViolations.routerSetupIssues.map(v => ({
+        type: 'router-setup',
+        file: v.file,
+        line: v.line,
+        message: v.issue,
+        recommendation: v.recommendation
+      }))
+    ];
+    
+    const warnings = [
+      ...allViolations.customAuthCode.filter(v => v.severity === 'warning').map(v => ({
+        type: 'custom-auth-code',
+        file: v.file,
+        line: v.line,
+        message: `${v.type}: ${v.name} - ${v.reason}`,
+        recommendation: v.replacement || 'Consider using pace-core APIs'
+      })),
+      ...allViolations.directSupabaseAuth.map(v => ({
+        type: 'direct-supabase-auth',
+        file: v.file,
+        line: v.line,
+        message: `Direct Supabase auth usage: ${v.reason}`,
+        recommendation: v.recommendation || 'Use useUnifiedAuth() instead'
+      })),
+      ...allViolations.deprecatedSecureDataAccess.map(v => ({
+        type: 'deprecated-api',
+        file: v.file,
+        line: v.line,
+        message: `Deprecated API: ${v.method} - ${v.reason}`,
+        recommendation: v.recommendation || 'Migrate to useSecureSupabase()'
+      })),
+      ...allViolations.unnecessaryWrappers.map(v => ({
+        type: 'unnecessary-wrapper',
+        file: v.file,
+        line: v.line,
+        message: `Unnecessary wrapper: ${v.component} wraps ${v.wrappedComponent}`,
+        recommendation: v.recommendation || 'Remove wrapper and use component directly'
+      })),
+      ...allViolations.appDiscoveryIssues.filter(v => v.severity === 'warning').map(v => ({
+        type: 'app-discovery',
+        file: v.file,
+        message: v.issue || v.reason,
+        recommendation: v.recommendation
+      }))
+    ];
+    
+    const suggestions = [
+      ...allViolations.suggestions.map(v => ({
+        type: 'suggestion',
+        file: v.file,
+        message: v.suggestion
+      })),
+      ...allViolations.appDiscoveryIssues.filter(v => v.severity === 'info').map(v => ({
+        type: 'app-discovery',
+        file: v.file,
+        message: v.issue || v.reason,
+        recommendation: v.recommendation
+      }))
+    ];
+    
+    return {
+      issues,
+      warnings,
+      suggestions,
+      violations: allViolations
+    };
   }
-}
-
-module.exports = { 
-  main, 
-  scanFile, 
-  generateReport,
-  loadManifest,
-  findProjectRoot,
-  findSourceFiles
 };
 
+module.exports = complianceCheck;