npm - @jmruthers/pace-core - Versions diffs - 0.6.4 → 0.6.6 - Mend

@jmruthers/pace-core 0.6.4 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (387) hide show

package/CHANGELOG.md +104 -0
package/README.md +5 -403
package/core-usage-manifest.json +93 -0
package/cursor-rules/00-pace-core-compliance.mdc +128 -26
package/cursor-rules/01-standards-compliance.mdc +49 -8
package/cursor-rules/02-project-structure.mdc +6 -0
package/cursor-rules/03-solid-principles.mdc +2 -0
package/cursor-rules/04-testing-standards.mdc +2 -0
package/cursor-rules/05-bug-reports-and-features.mdc +2 -0
package/cursor-rules/06-code-quality.mdc +2 -0
package/cursor-rules/07-tech-stack-compliance.mdc +2 -0
package/cursor-rules/08-markup-quality.mdc +52 -27
package/cursor-rules/09-rbac-compliance.mdc +462 -0
package/cursor-rules/10-error-handling-patterns.mdc +179 -0
package/cursor-rules/11-performance-optimization.mdc +169 -0
package/cursor-rules/12-ci-cd-integration.mdc +150 -0
package/dist/{AuthService-Cb34EQs3.d.ts → AuthService-DmfO5rGS.d.ts} +10 -0
package/dist/{DataTable-BMRU8a1j.d.ts → DataTable-2N_tqbfq.d.ts} +1 -1
package/dist/DataTable-LRJL4IRV.js +15 -0
package/dist/{PublicPageProvider-DEMpysFR.d.ts → PublicPageProvider-BBH6Vqg7.d.ts} +72 -139
package/dist/UnifiedAuthProvider-ZT6TIGM7.js +7 -0
package/dist/api-Y4MQWOFW.js +4 -0
package/dist/audit-MYQXYZFU.js +3 -0
package/dist/{chunk-J36DSWQK.js → chunk-2HGJFNAH.js} +8 -28
package/dist/{chunk-OEWDTMG7.js → chunk-3O3WHILE.js} +38 -121
package/dist/{chunk-M43Y4SSO.js → chunk-3QC3KRHK.js} +1 -14
package/dist/{chunk-DGUM43GV.js → chunk-3RG5ZIWI.js} +1 -4
package/dist/{chunk-QXHPKYJV.js → chunk-4SXLQIZO.js} +1 -26
package/dist/chunk-4T7OBVTU.js +62 -0
package/dist/{chunk-E66EQZE6.js → chunk-6GLLNA6U.js} +3 -9
package/dist/{chunk-ZSAAAMVR.js → chunk-6QYDGKQY.js} +1 -4
package/dist/{chunk-NN6WWZ5U.js → chunk-7TYHROIV.js} +579 -563
package/dist/{chunk-M7MPQISP.js → chunk-A55DK444.js} +9 -16
package/dist/{chunk-63FOKYGO.js → chunk-AHU7G2R5.js} +2 -11
package/dist/{chunk-L4OXEN46.js → chunk-BVP2BCJF.js} +2 -16
package/dist/chunk-C7NSAPTL.js +1 -0
package/dist/{chunk-YKRAFF5K.js → chunk-FENMYN2U.js} +73 -149
package/dist/{chunk-AVMLPIM7.js → chunk-FTCRZOG2.js} +284 -432
package/dist/{chunk-G37KK66H.js → chunk-FYHN4DD5.js} +60 -19
package/dist/{chunk-VBXEHIUJ.js → chunk-HF6O3O37.js} +6 -88
package/dist/{chunk-I6DAQMWX.js → chunk-LAZMKTTF.js} +930 -891
package/dist/{chunk-5EC5MEWX.js → chunk-MAGBIDNS.js} +77 -222
package/dist/chunk-MBADTM7L.js +64 -0
package/dist/chunk-OHIK3MIO.js +994 -0
package/dist/{chunk-6SOIHG6Z.js → chunk-S7DKJPLT.js} +115 -44
package/dist/{chunk-FMUCXFII.js → chunk-SD6WQY43.js} +1 -5
package/dist/{chunk-PWLANIRT.js → chunk-TTRFSOKR.js} +1 -7
package/dist/{chunk-5DRSZLL2.js → chunk-UH3NTO3F.js} +1 -6
package/dist/{chunk-FFQEQTNW.js → chunk-UIYSCEV7.js} +134 -45
package/dist/{chunk-3LPHPB62.js → chunk-ZFYPMX46.js} +271 -87
package/dist/{chunk-7JPAB3T5.js → chunk-ZS5VO5JB.js} +1989 -1283
package/dist/components.d.ts +6 -6
package/dist/components.js +57 -267
package/dist/{database.generated-CzIvgcPu.d.ts → database.generated-CcnC_DRc.d.ts} +4795 -3691
package/dist/eslint-rules/index.cjs +22 -0
package/dist/eslint-rules/rules/compliance.cjs +348 -0
package/dist/eslint-rules/rules/components.cjs +113 -0
package/dist/eslint-rules/rules/imports.cjs +102 -0
package/dist/eslint-rules/rules/rbac.cjs +790 -0
package/dist/eslint-rules/utils/helpers.cjs +42 -0
package/dist/eslint-rules/utils/manifest-loader.cjs +75 -0
package/dist/hooks.d.ts +5 -5
package/dist/hooks.js +62 -270
package/dist/icons/index.d.ts +1 -0
package/dist/icons/index.js +1 -0
package/dist/index.d.ts +36 -26
package/dist/index.js +87 -690
package/dist/providers.d.ts +2 -2
package/dist/providers.js +8 -35
package/dist/rbac/eslint-rules.d.ts +46 -44
package/dist/rbac/eslint-rules.js +7 -4
package/dist/rbac/index.d.ts +124 -594
package/dist/rbac/index.js +14 -207
package/dist/styles/index.js +2 -12
package/dist/theming/runtime.js +3 -19
package/dist/{timezone-CHhWg6b4.d.ts → timezone-BZe_eUxx.d.ts} +175 -1
package/dist/{types-CkbwOr4Y.d.ts → types-B-K_5VnO.d.ts} +4 -0
package/dist/types-t9H8qKRw.d.ts +55 -0
package/dist/types.d.ts +1 -1
package/dist/types.js +7 -94
package/dist/{usePublicRouteParams-i3qtoBgg.d.ts → usePublicRouteParams-COZ28Mvq.d.ts} +9 -9
package/dist/utils.d.ts +24 -117
package/dist/utils.js +54 -392
package/docs/README.md +16 -6
package/docs/api/README.md +4 -402
package/docs/api/modules.md +454 -930
package/docs/api-reference/components.md +3 -1
package/docs/api-reference/deprecated.md +31 -6
package/docs/api-reference/rpc-functions.md +78 -3
package/docs/best-practices/accessibility.md +6 -3
package/docs/getting-started/cursor-rules.md +3 -23
package/docs/getting-started/dependencies.md +650 -0
package/docs/getting-started/installation-guide.md +20 -7
package/docs/getting-started/quick-start.md +23 -12
package/docs/implementation-guides/permission-enforcement.md +4 -0
package/docs/rbac/MIGRATION_GUIDE.md +819 -0
package/docs/rbac/RBAC_CONTRACT.md +724 -0
package/docs/rbac/README.md +12 -3
package/docs/rbac/edge-functions-guide.md +376 -0
package/docs/rbac/secure-client-protection.md +0 -34
package/docs/standards/00-pace-core-compliance.md +967 -0
package/docs/standards/01-standards-compliance.md +188 -0
package/docs/standards/02-project-structure.md +985 -0
package/docs/standards/03-solid-principles.md +39 -0
package/docs/standards/04-testing-standards.md +36 -0
package/docs/standards/05-bug-reports-and-features.md +27 -0
package/docs/standards/{04-code-style-standard.md → 06-code-quality.md} +2 -0
package/docs/standards/07-tech-stack-compliance.md +30 -0
package/docs/standards/08-markup-quality.md +345 -0
package/docs/standards/{07-rbac-and-rls-standard.md → 09-rbac-compliance.md} +149 -54
package/docs/standards/10-error-handling-patterns.md +401 -0
package/docs/standards/11-performance-optimization.md +348 -0
package/docs/standards/12-ci-cd-integration.md +370 -0
package/docs/standards/ALIGNMENT_REVIEW_SUMMARY.md +192 -0
package/docs/standards/README.md +62 -33
package/docs/troubleshooting/organisation-context-setup.md +42 -19
package/eslint-config-pace-core.cjs +20 -4
package/package.json +31 -21
package/scripts/audit/audit-compliance.cjs +1295 -0
package/scripts/audit/audit-components.cjs +260 -0
package/scripts/audit/audit-dependencies.cjs +395 -0
package/scripts/audit/audit-rbac.cjs +954 -0
package/scripts/audit/audit-standards.cjs +1268 -0
package/scripts/audit/index.cjs +1898 -194
package/scripts/install-cursor-rules.cjs +259 -8
package/scripts/validate-master.js +1 -1
package/src/__tests__/fixtures/supabase.ts +1 -1
package/src/__tests__/helpers/__tests__/component-test-utils.test.tsx +1 -1
package/src/__tests__/helpers/__tests__/optimized-test-setup.test.ts +1 -1
package/src/__tests__/helpers/__tests__/supabaseMock.test.ts +1 -1
package/src/__tests__/helpers/__tests__/test-utils.test.tsx +3 -3
package/src/__tests__/helpers/component-test-utils.tsx +1 -1
package/src/__tests__/helpers/supabaseMock.ts +2 -2
package/src/__tests__/public-recipe-view.test.ts +38 -9
package/src/components/Button/Button.tsx +5 -1
package/src/components/ContextSelector/ContextSelector.tsx +42 -39
package/src/components/DataTable/__tests__/keyboard.test.tsx +15 -2
package/src/components/DataTable/components/DataTableBody.tsx +55 -31
package/src/components/DataTable/components/DataTableCore.tsx +186 -13
package/src/components/DataTable/components/DataTableLayout.tsx +30 -5
package/src/components/DataTable/components/EditFields.tsx +23 -3
package/src/components/DataTable/components/EditableRow.tsx +7 -2
package/src/components/DataTable/components/ImportModal.tsx +4 -6
package/src/components/DataTable/components/RowComponent.tsx +12 -0
package/src/components/DataTable/components/ViewRowModal.tsx +4 -4
package/src/components/DataTable/components/__tests__/ImportModal.test.tsx +455 -96
package/src/components/DataTable/components/__tests__/ViewRowModal.test.tsx +122 -58
package/src/components/DataTable/components/hooks/usePermissionTracking.ts +0 -4
package/src/components/DataTable/core/DataTableContext.tsx +1 -1
package/src/components/DataTable/hooks/__tests__/useDataTableState.test.ts +51 -47
package/src/components/DataTable/hooks/useDataTablePermissions.ts +24 -21
package/src/components/DataTable/hooks/useDataTableState.ts +125 -9
package/src/components/DataTable/hooks/useTableColumns.ts +40 -2
package/src/components/DataTable/hooks/useTableHandlers.ts +11 -0
package/src/components/DataTable/types.ts +5 -0
package/src/components/DateTimeField/DateTimeField.tsx +20 -20
package/src/components/DateTimeField/README.md +5 -2
package/src/components/Dialog/Dialog.test.tsx +361 -318
package/src/components/Dialog/Dialog.tsx +1154 -323
package/src/components/Dialog/index.ts +3 -3
package/src/components/FileDisplay/FileDisplay.test.tsx +45 -2
package/src/components/FileDisplay/FileDisplay.tsx +28 -22
package/src/components/Form/Form.test.tsx +9 -10
package/src/components/Form/Form.tsx +369 -9
package/src/components/InactivityWarningModal/InactivityWarningModal.test.tsx +28 -28
package/src/components/InactivityWarningModal/InactivityWarningModal.tsx +40 -54
package/src/components/LoginForm/LoginForm.tsx +2 -2
package/src/components/NavigationMenu/NavigationMenu.test.tsx +14 -13
package/src/components/NavigationMenu/NavigationMenu.tsx +2 -2
package/src/components/NavigationMenu/useNavigationFiltering.ts +11 -21
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +6 -4
package/src/components/PaceAppLayout/PaceAppLayout.tsx +30 -41
package/src/components/PaceAppLayout/README.md +10 -9
package/src/components/PaceAppLayout/test-setup.tsx +40 -31
package/src/components/PaceLoginPage/PaceLoginPage.test.tsx +108 -61
package/src/components/PaceLoginPage/PaceLoginPage.tsx +27 -3
package/src/components/PasswordChange/PasswordChangeForm.test.tsx +61 -0
package/src/components/PasswordChange/PasswordChangeForm.tsx +20 -13
package/src/components/PublicLayout/PublicLayout.test.tsx +7 -3
package/src/components/PublicLayout/PublicPageLayout.tsx +5 -8
package/src/components/Select/Select.tsx +23 -21
package/src/components/Select/types.ts +1 -1
package/src/components/UserMenu/UserMenu.test.tsx +38 -6
package/src/components/UserMenu/UserMenu.tsx +39 -34
package/src/components/index.ts +3 -4
package/src/eslint-rules/index.cjs +22 -0
package/src/eslint-rules/rules/compliance.cjs +348 -0
package/src/eslint-rules/rules/components.cjs +113 -0
package/src/eslint-rules/rules/imports.cjs +102 -0
package/src/eslint-rules/rules/rbac.cjs +790 -0
package/src/eslint-rules/utils/helpers.cjs +42 -0
package/src/eslint-rules/utils/manifest-loader.cjs +75 -0
package/src/hooks/__tests__/hooks.integration.test.tsx +6 -8
package/src/hooks/__tests__/useAppConfig.unit.test.ts +129 -67
package/src/hooks/__tests__/usePublicEvent.simple.test.ts +149 -67
package/src/hooks/__tests__/usePublicEvent.test.ts +149 -79
package/src/hooks/__tests__/usePublicEvent.unit.test.ts +158 -109
package/src/hooks/__tests__/useSessionDraft.test.ts +163 -0
package/src/hooks/__tests__/useSessionRestoration.unit.test.tsx +10 -5
package/src/hooks/public/usePublicEvent.ts +62 -190
package/src/hooks/public/usePublicEventLogo.test.ts +70 -17
package/src/hooks/public/usePublicEventLogo.ts +19 -9
package/src/hooks/useAppConfig.ts +26 -24
package/src/hooks/useEventTheme.test.ts +211 -233
package/src/hooks/useEventTheme.ts +19 -28
package/src/hooks/useEvents.ts +11 -7
package/src/hooks/useKeyboardShortcuts.ts +1 -1
package/src/hooks/useOrganisationPermissions.ts +9 -11
package/src/hooks/useOrganisations.ts +13 -7
package/src/hooks/useQueryCache.ts +0 -1
package/src/hooks/useSessionDraft.ts +380 -0
package/src/hooks/useSessionRestoration.ts +3 -1
package/src/icons/index.ts +27 -0
package/src/index.ts +16 -1
package/src/providers/OrganisationProvider.tsx +23 -14
package/src/providers/services/EventServiceProvider.tsx +1 -24
package/src/providers/services/UnifiedAuthProvider.tsx +5 -48
package/src/providers/services/__tests__/UnifiedAuthProvider.integration.test.tsx +3 -0
package/src/rbac/README.md +20 -20
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +7 -457
package/src/rbac/__tests__/auth-rbac.e2e.test.tsx +33 -7
package/src/rbac/adapters.tsx +7 -295
package/src/rbac/api.test.ts +44 -56
package/src/rbac/api.ts +10 -17
package/src/rbac/cache-invalidation.ts +0 -1
package/src/rbac/compliance/index.ts +10 -0
package/src/rbac/compliance/pattern-detector.ts +553 -0
package/src/rbac/compliance/runtime-compliance.ts +22 -0
package/src/rbac/components/AccessDenied.tsx +150 -0
package/src/rbac/components/NavigationGuard.tsx +12 -20
package/src/rbac/components/PagePermissionGuard.tsx +4 -24
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +21 -8
package/src/rbac/components/index.ts +3 -41
package/src/rbac/eslint-rules.js +1 -1
package/src/rbac/hooks/index.ts +0 -3
package/src/rbac/hooks/permissions/index.ts +0 -3
package/src/rbac/hooks/permissions/useAccessLevel.ts +4 -8
package/src/rbac/hooks/usePermissions.ts +0 -3
package/src/rbac/hooks/useRBAC.test.ts +21 -3
package/src/rbac/hooks/useRBAC.ts +4 -3
package/src/rbac/hooks/useResolvedScope.test.ts +57 -47
package/src/rbac/hooks/useResolvedScope.ts +58 -140
package/src/rbac/hooks/useResourcePermissions.test.ts +241 -60
package/src/rbac/hooks/useResourcePermissions.ts +182 -63
package/src/rbac/hooks/useRoleManagement.test.ts +65 -22
package/src/rbac/hooks/useRoleManagement.ts +147 -19
package/src/rbac/hooks/useSecureSupabase.ts +4 -8
package/src/rbac/index.ts +7 -9
package/src/rbac/permissions.ts +17 -17
package/src/rbac/utils/contextValidator.ts +45 -7
package/src/services/AuthService.ts +132 -23
package/src/services/EventService.ts +4 -97
package/src/services/InactivityService.ts +155 -58
package/src/services/OrganisationService.ts +7 -44
package/src/services/__tests__/OrganisationService.test.ts +26 -8
package/src/services/base/BaseService.ts +0 -3
package/src/styles/core.css +4 -0
package/src/types/database.generated.ts +4733 -3809
package/src/utils/__tests__/organisationContext.unit.test.ts +9 -10
package/src/utils/context/organisationContext.test.ts +13 -28
package/src/utils/context/organisationContext.ts +21 -52
package/src/utils/dynamic/dynamicUtils.ts +1 -1
package/src/utils/file-reference/index.ts +39 -15
package/src/utils/formatting/formatDateTime.test.ts +3 -2
package/src/utils/formatting/formatTime.test.ts +3 -2
package/src/utils/google-places/loadGoogleMapsScript.ts +29 -4
package/src/utils/index.ts +4 -1
package/src/utils/persistence/__tests__/keyDerivation.test.ts +135 -0
package/src/utils/persistence/__tests__/sensitiveFieldDetection.test.ts +123 -0
package/src/utils/persistence/keyDerivation.ts +304 -0
package/src/utils/persistence/sensitiveFieldDetection.ts +212 -0
package/src/utils/security/secureStorage.ts +5 -5
package/src/utils/storage/helpers.ts +3 -3
package/src/utils/supabase/createBaseClient.ts +147 -0
package/src/utils/timezone/timezone.test.ts +1 -2
package/src/utils/timezone/timezone.ts +1 -1
package/src/utils/validation/csrf.ts +4 -4
package/cursor-rules/CHANGELOG.md +0 -119
package/cursor-rules/README.md +0 -192
package/dist/DataTable-E7YQZD7D.js +0 -175
package/dist/DataTable-E7YQZD7D.js.map +0 -1
package/dist/UnifiedAuthProvider-QPXO24B4.js +0 -18
package/dist/UnifiedAuthProvider-QPXO24B4.js.map +0 -1
package/dist/api-6LVZTHDS.js +0 -52
package/dist/api-6LVZTHDS.js.map +0 -1
package/dist/audit-V53FV5AG.js +0 -17
package/dist/audit-V53FV5AG.js.map +0 -1
package/dist/chunk-36LVWXB2.js +0 -227
package/dist/chunk-36LVWXB2.js.map +0 -1
package/dist/chunk-3LPHPB62.js.map +0 -1
package/dist/chunk-5DRSZLL2.js.map +0 -1
package/dist/chunk-5EC5MEWX.js.map +0 -1
package/dist/chunk-63FOKYGO.js.map +0 -1
package/dist/chunk-6SOIHG6Z.js.map +0 -1
package/dist/chunk-7JPAB3T5.js.map +0 -1
package/dist/chunk-ATKZM7RX.js +0 -2053
package/dist/chunk-ATKZM7RX.js.map +0 -1
package/dist/chunk-AVMLPIM7.js.map +0 -1
package/dist/chunk-DGUM43GV.js.map +0 -1
package/dist/chunk-E66EQZE6.js.map +0 -1
package/dist/chunk-FFQEQTNW.js.map +0 -1
package/dist/chunk-FMUCXFII.js.map +0 -1
package/dist/chunk-G37KK66H.js.map +0 -1
package/dist/chunk-I6DAQMWX.js.map +0 -1
package/dist/chunk-J36DSWQK.js.map +0 -1
package/dist/chunk-KQCRWDSA.js +0 -1
package/dist/chunk-KQCRWDSA.js.map +0 -1
package/dist/chunk-L4OXEN46.js.map +0 -1
package/dist/chunk-LMC26NLJ.js +0 -84
package/dist/chunk-LMC26NLJ.js.map +0 -1
package/dist/chunk-M43Y4SSO.js.map +0 -1
package/dist/chunk-M7MPQISP.js.map +0 -1
package/dist/chunk-NN6WWZ5U.js.map +0 -1
package/dist/chunk-OEWDTMG7.js.map +0 -1
package/dist/chunk-PWLANIRT.js.map +0 -1
package/dist/chunk-QXHPKYJV.js.map +0 -1
package/dist/chunk-VBXEHIUJ.js.map +0 -1
package/dist/chunk-YKRAFF5K.js.map +0 -1
package/dist/chunk-ZSAAAMVR.js.map +0 -1
package/dist/components.js.map +0 -1
package/dist/contextValidator-OOPCLPZW.js +0 -9
package/dist/contextValidator-OOPCLPZW.js.map +0 -1
package/dist/eslint-rules/pace-core-compliance.cjs +0 -510
package/dist/hooks.js.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers.js.map +0 -1
package/dist/rbac/eslint-rules.js.map +0 -1
package/dist/rbac/index.js.map +0 -1
package/dist/styles/index.js.map +0 -1
package/dist/theming/runtime.js.map +0 -1
package/dist/types.js.map +0 -1
package/dist/utils.js.map +0 -1
package/docs/standards/01-architecture-standard.md +0 -44
package/docs/standards/02-api-and-rpc-standard.md +0 -39
package/docs/standards/03-component-standard.md +0 -32
package/docs/standards/05-security-standard.md +0 -44
package/docs/standards/06-testing-and-docs-standard.md +0 -29
package/docs/standards/pace-core-compliance.md +0 -432
package/scripts/audit/core/checks/accessibility.cjs +0 -197
package/scripts/audit/core/checks/api-usage.cjs +0 -191
package/scripts/audit/core/checks/bundle.cjs +0 -142
package/scripts/audit/core/checks/compliance.cjs +0 -2706
package/scripts/audit/core/checks/config.cjs +0 -54
package/scripts/audit/core/checks/coverage.cjs +0 -84
package/scripts/audit/core/checks/dependencies.cjs +0 -994
package/scripts/audit/core/checks/documentation.cjs +0 -268
package/scripts/audit/core/checks/environment.cjs +0 -116
package/scripts/audit/core/checks/error-handling.cjs +0 -340
package/scripts/audit/core/checks/forms.cjs +0 -172
package/scripts/audit/core/checks/heuristics.cjs +0 -68
package/scripts/audit/core/checks/hooks.cjs +0 -334
package/scripts/audit/core/checks/imports.cjs +0 -244
package/scripts/audit/core/checks/performance.cjs +0 -325
package/scripts/audit/core/checks/routes.cjs +0 -117
package/scripts/audit/core/checks/state.cjs +0 -130
package/scripts/audit/core/checks/structure.cjs +0 -65
package/scripts/audit/core/checks/style.cjs +0 -584
package/scripts/audit/core/checks/testing.cjs +0 -122
package/scripts/audit/core/checks/typescript.cjs +0 -61
package/scripts/audit/core/scanner.cjs +0 -199
package/scripts/audit/core/utils.cjs +0 -137
package/scripts/audit/reporters/console.cjs +0 -151
package/scripts/audit/reporters/json.cjs +0 -54
package/scripts/audit/reporters/markdown.cjs +0 -124
package/scripts/audit-consuming-app.cjs +0 -86
package/src/eslint-rules/pace-core-compliance.cjs +0 -510
package/src/eslint-rules/pace-core-compliance.js +0 -638
package/src/rbac/components/EnhancedNavigationMenu.test.tsx +0 -555
package/src/rbac/components/EnhancedNavigationMenu.tsx +0 -293
package/src/rbac/components/NavigationProvider.test.tsx +0 -481
package/src/rbac/components/NavigationProvider.tsx +0 -345
package/src/rbac/components/PagePermissionProvider.test.tsx +0 -476
package/src/rbac/components/PagePermissionProvider.tsx +0 -279
package/src/rbac/components/PermissionEnforcer.tsx +0 -312
package/src/rbac/components/RoleBasedRouter.tsx +0 -440
package/src/rbac/components/SecureDataProvider.test.tsx +0 -543
package/src/rbac/components/SecureDataProvider.tsx +0 -339
package/src/rbac/components/__tests__/EnhancedNavigationMenu.test.tsx +0 -620
package/src/rbac/components/__tests__/NavigationProvider.test.tsx +0 -726
package/src/rbac/components/__tests__/PagePermissionProvider.test.tsx +0 -661
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +0 -881
package/src/rbac/components/__tests__/RoleBasedRouter.test.tsx +0 -783
package/src/rbac/components/__tests__/SecureDataProvider.fixed.test.tsx +0 -645
package/src/rbac/components/__tests__/SecureDataProvider.test.tsx +0 -659
package/src/rbac/hooks/permissions/useCachedPermissions.ts +0 -79
package/src/rbac/hooks/permissions/useHasAllPermissions.ts +0 -90
package/src/rbac/hooks/permissions/useHasAnyPermission.ts +0 -90

package/docs/standards/00-pace-core-compliance.md ADDED Viewed

@@ -0,0 +1,967 @@
+# pace-core Compliance Enforcement
+**🤖 Cursor Rule**: See [00-pace-core-compliance.mdc](../../cursor-rules/00-pace-core-compliance.mdc) for AI-optimized directives that automatically enforce these standards.
+This guide explains how to enforce pace-core usage patterns in consuming apps to ensure consistent design, reduce duplication, and maintain high code quality.
+## Overview
+pace-core provides a comprehensive enforcement system that includes:
+1. **ESLint Rules** - Real-time linting during development (15 rules)
+2. **Static Analysis Script** - Comprehensive codebase scanning for file-system and config checks
+3. **ESLint Config Preset** - Easy setup for consuming apps
+4. **Cursor Rules Integration** - AI-assisted enforcement via Cursor IDE
+### ESLint vs Audit Scripts
+**ESLint Rules** (Real-time, AST-based):
+- ✅ Run automatically in your IDE
+- ✅ Provide immediate feedback during development
+- ✅ Check single files using AST analysis
+- ✅ Can be auto-fixed in many cases
+- ✅ Integrated with your development workflow
+**Audit Scripts** (Comprehensive, file-system based):
+- ✅ Scan entire codebase
+- ✅ Check file structure and configuration
+- ✅ Cross-file analysis (e.g., provider nesting)
+- ✅ Generate detailed reports
+- ✅ Check setup files (main.tsx, app.css, etc.)
+**What's in ESLint vs Audit Scripts**:
+| Check | ESLint | Audit Script |
+|-------|--------|--------------|
+| Restricted imports | ✅ | ✅ (reference) |
+| Native HTML elements | ✅ | ✅ (reference) |
+| Custom hooks/utils | ✅ | ✅ (reference) |
+| Inline styles | ✅ | ✅ (reference) |
+| Plain form tags | ✅ | ✅ (reference) |
+| Direct Supabase client | ✅ | ✅ (file location) |
+| RBAC permission loading | ✅ | ✅ (reference) |
+| Direct RBAC RPC/table | ✅ | ✅ (reference) |
+| Hardcoded role checks | ✅ | ✅ (reference) |
+| RESOURCE_NAMES constants | ✅ | ✅ (reference) |
+| RBAC wrapper components | ✅ | ✅ (reference) |
+| RBAC wrapper functions | ✅ | ✅ (reference) |
+| RBAC setup (main.tsx) | ❌ | ✅ |
+| Provider nesting | ❌ | ✅ |
+| Core styles import chain | ❌ | ✅ |
+| PagePermissionGuard coverage | ❌ | ✅ |
+| Edge Functions RBAC | ❌ | ✅ |
+**Note**: Many checks have been migrated from audit scripts to ESLint for real-time feedback. The audit scripts now focus on file-system and configuration checks that require cross-file analysis.
+## Quick Start
+### Step 1: Install pace-core
+```bash
+npm install @jmruthers/pace-core
+```
+### Step 2: Setup ESLint (Recommended)
+**Option A: Automated Setup (Easiest)**
+Use the installation script to set up both Cursor rules and ESLint:
+```bash
+node node_modules/@jmruthers/pace-core/scripts/install-cursor-rules.cjs
+```
+This script will:
+- ✅ Install Cursor rules to `.cursor/rules/`
+- ✅ Configure ESLint to use pace-core rules
+- ✅ Create `eslint.config.js` if it doesn't exist
+- ✅ Add pace-core config to existing ESLint config
+- ✅ Create backups before modifying files
+**Options:**
+- `--force` - Force update even if already configured
+- `--skip-cursor` - Skip Cursor rules installation
+- `--skip-eslint` - Skip ESLint config setup
+**Option B: Manual Setup**
+The easiest way to enable compliance checking is to use the shareable ESLint config. The config is CommonJS but works with both ES module and CommonJS ESLint configs:
+**For ES Module ESLint Config (eslint.config.js):**
+```javascript
+// eslint.config.js (ES modules)
+import paceCoreConfig from '@jmruthers/pace-core/eslint-config';
+export default [
+  ...paceCoreConfig,
+  // your other config
+];
+```
+**For CommonJS ESLint Config (.eslintrc.js or eslint.config.cjs):**
+```javascript
+// eslint.config.cjs (CommonJS)
+const paceCoreConfig = require('@jmruthers/pace-core/eslint-config');
+module.exports = [
+  ...paceCoreConfig,
+  // your other config
+];
+```
+**Complete Example (ESLint 9 flat config):**
+```javascript
+// eslint.config.js
+import js from '@eslint/js';
+import reactHooks from 'eslint-plugin-react-hooks';
+import paceCoreConfig from '@jmruthers/pace-core/eslint-config';
+export default [
+  js.configs.recommended,
+  ...paceCoreConfig, // pace-core rules
+  {
+    files: ['**/*.{ts,tsx}'],
+    plugins: {
+      'react-hooks': reactHooks,
+    },
+    rules: {
+      ...reactHooks.configs.recommended.rules,
+      // Your other rules
+    },
+  },
+];
+```
+### Step 3: Setup Cursor Rules (Optional but Recommended)
+To enable AI-assisted enforcement in Cursor IDE, copy the pace-core cursor rules to your project:
+```bash
+# Create .cursor/rules directory if it doesn't exist
+mkdir -p .cursor/rules
+# Copy pace-core cursor rules
+cp node_modules/@jmruthers/pace-core/cursor-rules/*.mdc .cursor/rules/
+```
+Or manually create `.cursor/rules/00-pace-core-compliance.mdc` and reference the pace-core rules:
+```markdown
+---
+description: Enforce pace-core usage patterns
+globs: ["src/**/*.{ts,tsx,js,jsx}"]
+alwaysApply: false
+---
+# pace-core Compliance
+**📚 Full Documentation**: See [pace-core compliance docs](node_modules/@jmruthers/pace-core/docs/standards/00-pace-core-compliance.md)
+**🔧 ESLint Setup**: Ensure ESLint is configured with `@jmruthers/pace-core/eslint-config`
+This rule enforces pace-core usage patterns. ESLint provides real-time feedback, while this Cursor rule provides AI-assisted guidance.
+## Key Requirements
+- Use pace-core components instead of native HTML or custom implementations
+- Use pace-core hooks instead of custom hooks
+- Use pace-core utilities instead of custom utilities
+- Use `useSecureSupabase()` instead of direct Supabase client creation
+- Follow RBAC patterns from pace-core
+- Use RESOURCE_NAMES constants instead of string literals
+See the full documentation for complete rules and examples.
+```
+**Benefits of Cursor Rules Integration**:
+- AI assistant (like me!) will automatically suggest pace-core alternatives
+- Context-aware suggestions during code writing
+- Works alongside ESLint for comprehensive enforcement
+- Provides explanations and examples in real-time
+### Option 2: Manual ESLint Rules Setup
+If you prefer more control, you can import the rules directly. Note: The rules are CommonJS, so use `createRequire` in ES modules:
+**For ES Module ESLint Config:**
+```javascript
+// eslint.config.js
+import { createRequire } from 'module';
+const require = createRequire(import.meta.url);
+const paceCoreRules = require('@jmruthers/pace-core/eslint-rules').rules;
+export default [
+  {
+    plugins: {
+      'pace-core-compliance': {
+        rules: paceCoreRules
+      }
+    },
+    rules: {
+      'pace-core-compliance/no-restricted-imports': 'error',
+      'pace-core-compliance/prefer-pace-core-components': 'warn',
+      'pace-core-compliance/prefer-pace-core-hooks': 'warn',
+      'pace-core-compliance/prefer-pace-core-utils': 'warn',
+      'pace-core-compliance/no-local-component-duplication': 'error'
+    }
+  }
+];
+```
+**For CommonJS ESLint Config:**
+```javascript
+// eslint.config.cjs
+const paceCoreRules = require('@jmruthers/pace-core/eslint-rules').rules;
+module.exports = [
+  {
+    plugins: {
+      'pace-core-compliance': {
+        rules: paceCoreRules
+      }
+    },
+    rules: {
+      'pace-core-compliance/no-restricted-imports': 'error',
+      'pace-core-compliance/prefer-pace-core-components': 'warn',
+      'pace-core-compliance/prefer-pace-core-hooks': 'warn',
+      'pace-core-compliance/prefer-pace-core-utils': 'warn',
+      'pace-core-compliance/no-local-component-duplication': 'error'
+    }
+  }
+];
+```
+## ESLint Rules
+pace-core provides **15 ESLint rules** organized into four categories:
+### Import Rules
+#### no-restricted-imports
+**Severity**: Error
+Blocks direct imports of libraries that pace-core wraps and standardizes.
+**Restricted Libraries**:
+- `@radix-ui/*` - All Radix UI packages (use pace-core components instead)
+- `lucide-react` - Icons (import from `@jmruthers/pace-core/icons` instead)
+- `react-day-picker` - Use `Calendar` from pace-core
+- `@tanstack/react-table` - Use `DataTable` from pace-core
+- `react-hook-form` - Use `Form` and `useZodForm` from pace-core
+- `zod` - Use validation utilities from pace-core
+**Example Violation**:
+```typescript
+// ❌ Bad
+import { Dialog } from '@radix-ui/react-dialog';
+import { ChevronDown, Edit, Trash } from 'lucide-react';
+// ✅ Good
+import { Dialog } from '@jmruthers/pace-core';
+import { ChevronDown, Edit, Trash } from '@jmruthers/pace-core/icons';
+```
+### Compliance Rules
+#### prefer-pace-core-components
+**Severity**: Warning
+Suggests using pace-core components instead of native HTML elements.
+**Detected Patterns**:
+- `<button>` → Use `Button` from pace-core
+- `<input>` → Use `Input` from pace-core
+- `<textarea>` → Use `Textarea` from pace-core
+- `<label>` → Use `Label` from pace-core
+**Example**:
+```tsx
+// ⚠️ Warning
+<button onClick={handleClick}>Click me</button>
+// ✅ Recommended
+import { Button } from '@jmruthers/pace-core';
+<Button onClick={handleClick}>Click me</Button>
+```
+#### prefer-pace-core-hooks
+**Severity**: Warning
+Detects custom hooks that duplicate pace-core functionality.
+**Common Patterns Detected**:
+- `useToast`, `useNotification` → Use `useToast` from pace-core
+- `useDebounce`, `useDebounced` → Use `useDebounce` from pace-core
+- `useAuth`, `useAuthentication` → Use `useUnifiedAuth` from pace-core
+- `useForm`, `useZodForm` → Use `useZodForm` from pace-core
+**Example**:
+```typescript
+// ⚠️ Warning
+function useToast() {
+  // custom implementation
+}
+// ✅ Recommended
+import { useToast } from '@jmruthers/pace-core';
+```
+#### prefer-pace-core-utils
+**Severity**: Warning
+Detects utility functions that duplicate pace-core functionality.
+**Common Patterns Detected**:
+- `formatDate`, `dateFormat` → Use `formatDate` from pace-core
+- `formatCurrency`, `formatMoney` → Use `formatCurrency` from pace-core
+- `cn`, `classNames`, `clsx` → Use `cn` from pace-core
+- `validate`, `validateInput` → Use `validateUserInput` from pace-core
+**Example**:
+```typescript
+// ⚠️ Warning
+function formatDate(date: Date): string {
+  // custom implementation
+}
+// ✅ Recommended
+import { formatDate } from '@jmruthers/pace-core';
+```
+#### no-local-component-duplication
+**Severity**: Error
+Prevents creating local components with names matching pace-core components.
+**Example Violation**:
+```
+// ❌ Error: components/Button.tsx
+export function Button() { ... }
+// pace-core already provides Button component
+```
+**Fix**: Remove the local component and import from pace-core:
+```typescript
+import { Button } from '@jmruthers/pace-core';
+```
+#### no-inline-styles
+**Severity**: Error
+Disallows inline styles. Use pace-core components or Tailwind classes instead.
+**Example Violation**:
+```tsx
+// ❌ Error
+<div style={{ color: 'red', padding: '10px' }}>Content</div>
+// ✅ Good
+<div className="text-acc-500 p-4">Content</div>
+// Or use pace-core components with built-in styling
+```
+### Component Rules
+#### prefer-pace-core-form
+**Severity**: Error
+Disallows plain `<form>` tags and direct `react-hook-form` imports. Use pace-core `Form` component instead.
+**Detected Patterns**:
+- Plain `<form>` tags
+- Direct imports from `react-hook-form` (except `useFormContext` when using pace-core `Form`)
+**Example Violation**:
+```tsx
+// ❌ Error
+import { useForm, FormProvider } from 'react-hook-form';
+<form onSubmit={handleSubmit}>...</form>
+// ✅ Good
+import { Form, useZodForm } from '@jmruthers/pace-core';
+<Form form={form} onSubmit={handleSubmit}>...</Form>
+```
+**Exception**: `useFormContext` is allowed when `Form` is imported from pace-core:
+```tsx
+// ✅ Allowed
+import { Form } from '@jmruthers/pace-core';
+import { useFormContext } from 'react-hook-form'; // OK when using pace-core Form
+```
+### RBAC Rules
+#### no-direct-supabase-client
+**Severity**: Error
+Disallows direct `createClient()` calls from `@supabase/supabase-js`. Use `useSecureSupabase()` from pace-core instead.
+**Why**: Direct client creation bypasses organisation context and RLS policies, leading to security vulnerabilities.
+**Example Violation**:
+```typescript
+// ❌ Error
+import { createClient } from '@supabase/supabase-js';
+const supabase = createClient(url, key);
+// ✅ Good
+import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+const secureSupabase = useSecureSupabase();
+```
+**Exception**: Creating the base client for `UnifiedAuthProvider` in `main.tsx` or `App.tsx` is allowed.
+#### rbac-permission-loading
+**Severity**: Error
+Requires `isLoading` extraction from `useResourcePermissions` and checking it before permission calls in mutations.
+**Why**: Permission checks may fail if scope resolution is still in progress.
+**Example Violation**:
+```typescript
+// ❌ Error
+const { canCreate, canUpdate } = useResourcePermissions(RESOURCE_NAMES.EVENTS);
+// Missing isLoading extraction
+// In mutation:
+if (canCreate(event)) { ... } // May fail if permissions still loading
+// ✅ Good
+const { canCreate, canUpdate, isLoading: permissionsLoading } = useResourcePermissions(RESOURCE_NAMES.EVENTS);
+// In mutation:
+if (permissionsLoading) {
+  throw new Error('Permission check in progress. Please wait...');
+}
+if (!canCreate(event)) {
+  throw new Error('Insufficient permissions');
+}
+```
+#### no-direct-rbac-rpc
+**Severity**: Error
+Disallows direct RPC calls to RBAC functions (e.g., `rbac_check_permission_simplified`). Use pace-core RBAC hooks instead.
+**Example Violation**:
+```typescript
+// ❌ Error
+const { data } = await supabase.rpc('rbac_check_permission_simplified', {...});
+// ✅ Good
+import { isPermitted } from '@jmruthers/pace-core/rbac';
+const hasPermission = await isPermitted({...});
+```
+#### no-direct-rbac-table
+**Severity**: Error
+Disallows direct queries to RBAC tables. Use `useSecureSupabase()` hook or pace-core RBAC API functions instead.
+**RBAC Tables**:
+- `rbac_organisation_roles`
+- `rbac_event_app_roles`
+- `rbac_global_roles`
+- `rbac_apps`
+- `rbac_app_pages`
+- `rbac_page_permissions`
+- `rbac_user_profiles`
+**Example Violation**:
+```typescript
+// ❌ Error
+const { data } = await supabase.from('rbac_organisation_roles').select('*');
+// ✅ Good
+import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+const secureSupabase = useSecureSupabase();
+const { data } = await secureSupabase.from('rbac_organisation_roles').select('*');
+```
+#### no-hardcoded-role-checks
+**Severity**: Error
+Disallows hardcoded role checks. Use `useAccessLevel` hook or `getRoleContext` API from pace-core instead.
+**Example Violation**:
+```typescript
+// ❌ Error
+if (user.role === 'admin') { ... }
+if (currentRole === 'org_admin') { ... }
+// ✅ Good
+import { useAccessLevel } from '@jmruthers/pace-core/rbac';
+const { accessLevel } = useAccessLevel();
+if (accessLevel === 'admin') { ... }
+```
+#### rbac-use-resource-names-constants
+**Severity**: Error
+Requires `RESOURCE_NAMES` constants instead of string literals in `useResourcePermissions` calls.
+**Example Violation**:
+```typescript
+// ❌ Error
+const permissions = useResourcePermissions('organisations');
+// ✅ Good
+import { RESOURCE_NAMES } from '@/config/resource-names';
+const permissions = useResourcePermissions(RESOURCE_NAMES.ORGANISATIONS);
+```
+#### no-rbac-wrapper-components
+**Severity**: Error
+Disallows wrapper components around `PagePermissionGuard`. Use `PagePermissionGuard` directly.
+**Example Violation**:
+```tsx
+// ❌ Error
+function ProtectedPage({ pageName, children }) {
+  return <PagePermissionGuard pageName={pageName}>{children}</PagePermissionGuard>;
+}
+// ✅ Good
+<PagePermissionGuard pageName="events" operation="read">
+  <YourPageContent />
+</PagePermissionGuard>
+```
+#### no-rbac-wrapper-functions
+**Severity**: Error
+Disallows wrapper functions around pace-core permission hooks. Use hooks directly in components.
+**Example Violation**:
+```typescript
+// ❌ Error
+function canEditEvent(eventId: string) {
+  const { canUpdate } = useResourcePermissions(RESOURCE_NAMES.EVENTS);
+  return canUpdate(eventId) && someOtherCondition;
+}
+// ✅ Good
+function YourComponent() {
+  const { canUpdate } = useResourcePermissions(RESOURCE_NAMES.EVENTS);
+  // Use canUpdate directly in component logic
+}
+```
+## Static Analysis Script
+The static analysis script provides a comprehensive scan of your codebase and generates a detailed compliance report.
+### Running the Script
+```bash
+# From your consuming app root
+node node_modules/@jmruthers/pace-core/scripts/check-pace-core-compliance.cjs
+```
+Or add it to your `package.json`:
+```json
+{
+  "scripts": {
+    "check:pace-core": "node node_modules/@jmruthers/pace-core/scripts/check-pace-core-compliance.cjs"
+  }
+}
+```
+### What It Checks
+1. **Restricted Imports** - Scans for direct imports of wrapped libraries
+2. **Duplicate Components** - Finds local components matching pace-core names
+3. **Duplicate Hooks** - Finds local hooks matching pace-core hooks
+4. **Duplicate Utils** - Finds local utils matching pace-core utils
+5. **Suggestions** - Recommends pace-core alternatives for native HTML elements
+### Report Output
+The script generates a color-coded terminal report showing:
+- ❌ **Errors** - Critical violations that must be fixed
+- ⚠️ **Warnings** - Issues that should be addressed
+- 💡 **Suggestions** - Recommendations for improvement
+- ✅ **Summary** - Overall compliance status
+Example output:
+```
+═══════════════════════════════════════════════════════════
+  pace-core Compliance Report
+═══════════════════════════════════════════════════════════
+❌ Restricted Imports Found: 3
+  • src/components/CustomDialog.tsx:5
+    Import: @radix-ui/react-dialog
+    Reason: Use Dialog component from pace-core instead
+Summary:
+  Total Issues: 3
+  - Restricted Imports: 3
+  - Duplicate Components/Hooks/Utils: 0
+  - Suggestions: 0
+```
+## Best Practices
+### 1. Always Import from pace-core
+```typescript
+// ✅ Good
+import { Button, Card, Dialog } from '@jmruthers/pace-core';
+import { useToast, useDebounce } from '@jmruthers/pace-core';
+import { formatDate, formatCurrency } from '@jmruthers/pace-core';
+```
+### 2. Use pace-core Components for UI
+Avoid native HTML elements when pace-core provides a component:
+```tsx
+// ❌ Avoid
+<button className="btn">Click</button>
+// ✅ Use pace-core
+<Button>Click</Button>
+```
+### 3. Leverage pace-core Hooks
+Don't recreate hooks that pace-core already provides:
+```typescript
+// ❌ Avoid
+const [debouncedValue, setDebouncedValue] = useState(value);
+useEffect(() => {
+  const timer = setTimeout(() => setDebouncedValue(value), 500);
+  return () => clearTimeout(timer);
+}, [value]);
+// ✅ Use pace-core
+import { useDebounce } from '@jmruthers/pace-core';
+const debouncedValue = useDebounce(value, 500);
+```
+### 4. Use pace-core Utilities
+Leverage formatting, validation, and other utilities from pace-core:
+```typescript
+// ❌ Avoid
+const formatted = new Intl.DateTimeFormat('en-US').format(date);
+// ✅ Use pace-core
+import { formatDate } from '@jmruthers/pace-core';
+const formatted = formatDate(date);
+```
+### 5. Check Before Creating New Components
+Before creating a new component, check if pace-core already provides it:
+1. Review the [pace-core documentation](https://github.com/your-org/pace-core)
+2. Check `core-usage-manifest.json` for available components
+3. Search pace-core exports
+## Troubleshooting
+### ESLint Rules Not Working
+1. **Verify plugin is loaded**: Check that the config is imported correctly:
+   ```javascript
+   // In your eslint.config.js, add temporarily:
+   import paceCoreConfig from '@jmruthers/pace-core/eslint-config';
+   console.log('Config:', paceCoreConfig);
+   console.log('Has plugins:', paceCoreConfig[0]?.plugins);
+   ```
+2. **Check rule names**: Rules must be prefixed with `pace-core-compliance/`
+3. **Verify manifest exists**: Rules load from `core-usage-manifest.json` in the pace-core package
+4. **CommonJS/ES Module issues**: If you're using ES modules and rules aren't loading:
+   - Ensure you're using the config preset (Option 1) which handles this automatically
+   - Or use `createRequire` when importing rules directly (Option 2)
+5. **Verify rules are available**: Check that the rules file exists:
+   ```bash
+   ls node_modules/@jmruthers/pace-core/dist/eslint-rules/index.cjs
+   ```
+6. **Check rule count**: Verify all 15 rules are loaded:
+   ```bash
+   node -e "const rules = require('@jmruthers/pace-core/eslint-rules'); console.log('Rules:', Object.keys(rules.rules).length);"
+   ```
+   Should output: `Rules: 15`
+### Static Analysis Script Errors
+1. **Manifest not found**: Ensure `core-usage-manifest.json` exists in pace-core package
+2. **No files scanned**: Check that you're running from the project root
+3. **Permission errors**: Ensure script has read access to source files
+### False Positives
+If you encounter false positives:
+1. **Component name conflicts**: If you have a legitimate reason to create a local component with a pace-core name, consider:
+   - Renaming your component
+   - Using a namespace/prefix
+   - Documenting why pace-core doesn't meet your needs
+2. **Hook/Util patterns**: The pattern matching may flag similar names. Review the suggestion and decide if migration makes sense.
+## Integration with CI/CD
+While CI/CD integration is not included in the initial release, you can easily add it:
+```yaml
+# .github/workflows/pace-core-compliance.yml
+name: pace-core Compliance
+on: [push, pull_request]
+jobs:
+  compliance:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+      - run: npm ci
+      - run: npm run check:pace-core
+      - run: npm run lint
+```
+## Verification
+After setting up the ESLint config, verify it's working:
+1. **Check ESLint can load the config**:
+   ```bash
+   npx eslint --print-config src/App.tsx
+   ```
+   Look for `pace-core-compliance` in the plugins section.
+2. **Test with a violation**: Create a test file that imports a restricted library:
+   ```typescript
+   // test-violation.ts
+   import { Dialog } from '@radix-ui/react-dialog'; // Should trigger error
+   ```
+   Run ESLint and verify it reports the violation.
+3. **Run static analysis**: Use the compliance script to get a full report:
+   ```bash
+   npm run check:pace-core
+   ```
+## Getting Help
+- **Documentation**: See [pace-core docs](../README.md)
+- **Issues**: Report false positives or rule issues
+- **Manifest**: Check `core-usage-manifest.json` for available exports
+- **ESLint Config**: The config file is at `@jmruthers/pace-core/eslint-config` (CommonJS)
+- **ESLint Rules**: The rules are at `@jmruthers/pace-core/eslint-rules` (CommonJS)
+## File Locations
+When installed in a consuming app, the compliance tools are available at:
+- **ESLint Config**: `node_modules/@jmruthers/pace-core/eslint-config-pace-core.cjs`
+- **ESLint Rules**: `node_modules/@jmruthers/pace-core/dist/eslint-rules/index.cjs`
+- **Rule Modules**: `node_modules/@jmruthers/pace-core/dist/eslint-rules/rules/*.cjs`
+- **Rule Utils**: `node_modules/@jmruthers/pace-core/dist/eslint-rules/utils/*.cjs`
+- **Static Analysis Script**: `node_modules/@jmruthers/pace-core/scripts/check-pace-core-compliance.cjs`
+- **Manifest**: `node_modules/@jmruthers/pace-core/core-usage-manifest.json`
+- **Cursor Rules**: `node_modules/@jmruthers/pace-core/cursor-rules/*.mdc`
+## MUST: Use Secure Supabase Client
+**All database operations MUST use `useSecureSupabase()` (or the contract-approved pace-core secure client wrapper).**
+Consuming apps **MUST NOT** use the base Supabase client directly for queries.
+### Hard Requirements
+- **MUST NOT** import or call `createClient()` from `@supabase/supabase-js` in consuming app code **except** for creating the base client passed to `UnifiedAuthProvider`.
+- **MUST NOT** export, pass, or store an insecure Supabase client instance for general use.
+- **MUST** perform all `.from(...)`, `.rpc(...)`, `.auth.*`, and storage operations via the secure client returned by `useSecureSupabase()` (or the approved pace-core equivalent).
+- **MUST** create the base Supabase client ONCE and pass it to `UnifiedAuthProvider` as `supabaseClient` prop.
+- **MUST** call `useSecureSupabase()` without parameters - it automatically uses the base client from `useUnifiedAuth()` provider layer.
+- **MUST NOT** pass a base client directly to `useSecureSupabase()` - the hook gets it from the provider automatically.
+### Why this is critical
+Using `createClient()` directly for queries can bypass organisation context enforcement and RLS policies, leading to:
+- Cross-organisation data access
+- Security vulnerabilities
+- Data leakage between organisations
+### Correct Pattern
+```tsx
+// ✅ CORRECT: Create base client ONCE for UnifiedAuthProvider
+// main.tsx or App.tsx
+import { createClient } from '@supabase/supabase-js';
+import { UnifiedAuthProvider } from '@jmruthers/pace-core';
+const supabase = createClient(
+  import.meta.env.VITE_SUPABASE_URL,
+  import.meta.env.VITE_SUPABASE_PUBLISHABLE_KEY
+);
+function App() {
+  return (
+    <UnifiedAuthProvider
+      supabaseClient={supabase}  // Pass base client to provider
+      appName="YourApp"
+      // ... other props
+    >
+      <YourApp />
+    </UnifiedAuthProvider>
+  );
+}
+// ✅ CORRECT: Use secure client in components (no parameters needed)
+// YourComponent.tsx
+import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+function YourComponent() {
+  const secureSupabase = useSecureSupabase(); // Gets client from provider automatically
+  if (!secureSupabase) {
+    return <div>Loading...</div>;
+  }
+  // Use secureSupabase for all queries
+  const { data } = await secureSupabase.from('users').select('*');
+}
+```
+### Incorrect Patterns
+```tsx
+// ❌ FORBIDDEN: Creating client in component or service
+import { createClient } from '@supabase/supabase-js';
+const supabase = createClient(url, key); // Don't do this for queries
+// ❌ FORBIDDEN: Passing base client to useSecureSupabase
+import { useSecureSupabase } from '@jmruthers/pace-core/rbac';
+import { supabase } from './supabase'; // Don't export base client
+const secureSupabase = useSecureSupabase(supabase); // Don't pass it
+// ❌ FORBIDDEN: Using base client directly for queries
+const { data } = await supabase.from('users').select('*'); // Bypasses RLS
+```
+### Hook Signature
+The `useSecureSupabase()` hook signature is:
+```typescript
+function useSecureSupabase(
+  baseClient?: SupabaseClient<Database> | null
+): SupabaseClient<Database> | null
+```
+**Important**: The `baseClient` parameter is **optional**. The hook automatically gets the base client from `useUnifiedAuth()` provider layer. You should **NOT** pass a base client parameter - call `useSecureSupabase()` without arguments.
+### Acceptable Exceptions
+**The ONLY acceptable use of `createClient()` in consuming app code is:**
+1. **Creating the base client for `UnifiedAuthProvider`** - This MUST be in one of these files:
+   - `src/main.tsx` (or `main.jsx`)
+   - `src/App.tsx` (or `App.jsx`)
+   - `src/lib/supabase.ts` (or `supabase.js`) - ONLY if this file is ONLY used to create the base client for the provider
+**The file containing the base client creation MUST:**
+- Be clearly named (e.g., `supabase.ts`, `main.tsx`)
+- Only create the client once
+- Pass it directly to `UnifiedAuthProvider` (not export it for general use)
+- Include a comment explaining it's the base client for the provider:
+  ```tsx
+  // Base Supabase client for UnifiedAuthProvider only
+  // DO NOT use this client directly - use useSecureSupabase() instead
+  const supabase = createClient(...);
+  ```
+**NO OTHER EXCEPTIONS ARE PERMITTED** - All other uses of `createClient()` are security violations and MUST be fixed.
+### Detection / Audit
+- `rg "createClient\(" src` must return **exactly ONE match** in the file that creates the base client for `UnifiedAuthProvider`.
+- That file MUST be one of: `main.tsx`, `App.tsx`, or `lib/supabase.ts` (or `.jsx`/`.js` equivalents).
+- No `.from(` / `.rpc(` calls may be performed on an insecure client reference.
+- All `useSecureSupabase()` calls should be without parameters.
+## Compliance Exceptions
+**In general, pace-core compliance rules do NOT allow exceptions.** The rules are designed to ensure security, consistency, and maintainability across the PACE suite.
+### When Exceptions Are NOT Allowed
+- **Security rules** (e.g., `createClient()` usage) - NO exceptions except the one documented above
+- **RBAC rules** - NO exceptions
+- **Component usage** - NO exceptions (use pace-core components)
+- **Hook usage** - NO exceptions (use pace-core hooks)
+### Documenting Legitimate Edge Cases
+If you encounter a situation where a rule seems to conflict with a legitimate requirement:
+1. **First**: Verify that pace-core doesn't provide a solution
+2. **Second**: Check if the requirement should be added to pace-core
+3. **Third**: If truly unavoidable, document the case clearly:
+   - Add a comment explaining why the exception is necessary
+   - Include a reference to this standard
+   - Consider opening an issue to add the missing functionality to pace-core
+**Example of proper documentation:**
+```tsx
+// @pace-core-compliance-exception: Legacy integration requires direct Supabase client
+// TODO: Migrate to useSecureSupabase() when legacy system is updated
+// See: https://github.com/your-org/pace-core/issues/123
+const legacyClient = createClient(...);
+```
+**Note**: Even with documentation, exceptions should be:
+- Temporary (with a plan to remove them)
+- Rare (only when absolutely necessary)
+- Reviewed and approved by the team
+- Tracked for eventual removal
+### Audit Handling of Exceptions
+During audits, documented exceptions will be:
+- **Verified** - Confirmed that the exception is legitimate and properly documented
+- **Categorized** - Marked as "Acceptable Exception" if valid, or flagged for remediation if not
+- **Tracked** - Included in the audit report with a recommendation to remove when possible
+**Invalid exceptions** (undocumented, unnecessary, or security-related) will be flagged as violations requiring remediation.
+## Related Documentation
+- [Component Standards](./03-component-standard.md)
+- [API & RPC Standards](./02-api-and-rpc-standard.md)
+- [Getting Started Guide](../getting-started/README.md)
+- [RBAC Getting Started](../rbac/getting-started.md) - Secure client usage