@jmruthers/pace-core 0.6.4 → 0.6.6

package/scripts/audit/audit-compliance.cjs

@@ -0,0 +1,1295 @@
+#!/usr/bin/env node
+
+/**
+ * Compliance Audit Script
+ * 
+ * Audits consuming apps for compliance with pace-core usage patterns.
+ * 
+ * NOTE: Many checks have been migrated to ESLint rules for real-time feedback:
+ * - Native HTML elements → ESLint: prefer-pace-core-components
+ * - Restricted imports → ESLint: no-restricted-imports
+ * - Custom hooks/utils → ESLint: prefer-pace-core-hooks/utils
+ * - Inline styles → ESLint: no-inline-styles
+ * - RBAC permission loading → ESLint: rbac-permission-loading
+ * 
+ * This script now focuses on file-system and config-based checks:
+ * - Secure Supabase client usage (file location checks)
+ * - RBAC setup (main.tsx structure)
+ * - Provider usage (cross-file nesting)
+ * - Core styles import (app.css → core.css chain)
+ * 
+ * Usage:
+ *   const { runComplianceAudit } = require('./audit-compliance.cjs');
+ *   const issues = runComplianceAudit(consumingAppPath);
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Recursively find all TypeScript/JavaScript files in a directory
+ */
+function findSourceFiles(dir, fileList = []) {
+  if (!fs.existsSync(dir)) {
+    return fileList;
+  }
+  
+  const files = fs.readdirSync(dir);
+  
+  files.forEach(file => {
+    const filePath = path.join(dir, file);
+    const stat = fs.statSync(filePath);
+    
+    if (stat.isDirectory()) {
+      // Skip node_modules, dist, build, .git, etc.
+      if (!['node_modules', 'dist', 'build', '.git', '.next', '.vite', 'coverage', '.turbo'].includes(file)) {
+        findSourceFiles(filePath, fileList);
+      }
+    } else if (/\.(ts|tsx|js|jsx)$/.test(file)) {
+      fileList.push(filePath);
+    }
+  });
+  
+  return fileList;
+}
+
+/**
+ * Get line number from index in content
+ */
+function getLineNumber(content, index) {
+  return content.substring(0, index).split('\n').length;
+}
+
+/**
+ * Get code snippet around a match for context
+ */
+function getCodeSnippet(content, index, before = 30, after = 50) {
+  const start = Math.max(0, index - before);
+  const end = Math.min(content.length, index + after);
+  return content.substring(start, end).trim();
+}
+
+/**
+ * Check if content is in a comment or string
+ */
+function isInCommentOrString(content, index) {
+  const before = content.substring(0, index);
+  
+  // Check for line comments
+  const lastLineComment = before.lastIndexOf('//');
+  const lastNewline = before.lastIndexOf('\n');
+  if (lastLineComment > lastNewline) {
+    return true;
+  }
+  
+  // Check for block comments
+  const lastBlockCommentStart = before.lastIndexOf('/*');
+  const lastBlockCommentEnd = before.lastIndexOf('*/');
+  if (lastBlockCommentStart > lastBlockCommentEnd) {
+    return true;
+  }
+  
+  // Check for string literals (simple check)
+  const singleQuoteMatches = [...before.matchAll(/'/g)];
+  const doubleQuoteMatches = [...before.matchAll(/"/g)];
+  const backtickMatches = [...before.matchAll(/`/g)];
+  
+  // Simple heuristic: if odd number of quotes before, might be in string
+  // This is not perfect but good enough for audit purposes
+  const inSingleQuote = singleQuoteMatches.length % 2 === 1;
+  const inDoubleQuote = doubleQuoteMatches.length % 2 === 1;
+  const inBacktick = backtickMatches.length % 2 === 1;
+  
+  return inSingleQuote || inDoubleQuote || inBacktick;
+}
+
+/**
+ * Load core-usage-manifest.json
+ */
+function loadManifest(consumingAppPath) {
+  // Try to find manifest in pace-core package
+  const possiblePaths = [
+    path.resolve(__dirname, '../../core-usage-manifest.json'),
+    path.resolve(__dirname, '../../../core-usage-manifest.json'),
+    path.join(consumingAppPath, 'node_modules', '@jmruthers', 'pace-core', 'core-usage-manifest.json'),
+  ];
+  
+  for (const manifestPath of possiblePaths) {
+    if (fs.existsSync(manifestPath)) {
+      try {
+        return JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
+      } catch (e) {
+        // Continue to next path
+      }
+    }
+  }
+  
+  return null;
+}
+
+/**
+ * Check if file imports a specific component/hook/util from pace-core
+ */
+function importsFromPaceCore(content, name) {
+  // Check for imports like:
+  // import { Name } from '@jmruthers/pace-core'
+  // import { Name } from '@jmruthers/pace-core/components'
+  // import Name from '@jmruthers/pace-core'
+  const patterns = [
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core`),
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core/components`),
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core/hooks`),
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core/utils`),
+  ];
+  
+  return patterns.some(pattern => pattern.test(content));
+}
+
+/**
+ * Check for native HTML elements when pace-core components exist
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'prefer-pace-core-components' ESLint rule.
+ * Kept for reference only.
+ */
+function checkNativeElements_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath, manifest) {
+  const issues = [];
+  
+  // Map of native elements to pace-core components
+  const elementMap = {
+    'button': 'Button',
+    'input': 'Input',
+    'label': 'Label',
+    'textarea': 'Textarea',
+  };
+  
+  Object.entries(elementMap).forEach(([nativeElement, paceCoreComponent]) => {
+    // Pattern to match <element> tags (lowercase only - not <Element> component)
+    // Case-sensitive regex (no 'i' flag) ensures we only match native HTML, not pace-core components
+    const pattern = new RegExp(`<${nativeElement}(\\s|>|/|\\n)`, 'g');
+    let match;
+    
+    while ((match = pattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, match.index)) {
+        continue;
+      }
+      
+      // Check if this file imports the pace-core component
+      if (importsFromPaceCore(content, paceCoreComponent)) {
+        // They have the import but still using native element - might be intentional
+        // Flag it anyway as it should use the component
+        const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+        issues.push({
+          type: 'nativeElement',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: `Native <${nativeElement}> element detected. Use pace-core ${paceCoreComponent} component instead.`,
+          code: getCodeSnippet(content, match.index),
+          severity: 'error',
+          fix: `Replace <${nativeElement}> with <${paceCoreComponent}> from '@jmruthers/pace-core'`,
+        });
+      } else {
+        // No import, definitely should use pace-core component
+        const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+        issues.push({
+          type: 'nativeElement',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: `Native <${nativeElement}> element detected. Use pace-core ${paceCoreComponent} component instead.`,
+          code: getCodeSnippet(content, match.index),
+          severity: 'error',
+          fix: `Import and use ${paceCoreComponent} from '@jmruthers/pace-core'`,
+        });
+      }
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check for restricted library imports
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'no-restricted-imports' ESLint rule.
+ * Kept for reference only.
+ */
+function checkRestrictedImports_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath, manifest) {
+  const issues = [];
+  
+  if (!manifest || !manifest.restrictedImports) {
+    return issues;
+  }
+  
+  manifest.restrictedImports.forEach(restriction => {
+    const moduleName = restriction.module;
+    
+    // Skip react-hook-form - it's handled by audit-components.cjs with more nuanced logic
+    // (allows useFormContext when Form is imported from pace-core)
+    if (moduleName === 'react-hook-form') {
+      return;
+    }
+    
+    // Pattern to match imports from restricted module
+    const importPattern = new RegExp(`from\\s+['"]${moduleName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}['"]`, 'g');
+    let match;
+    
+    while ((match = importPattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, match.index)) {
+        continue;
+      }
+      
+      // Get the import line
+      const lineStart = content.lastIndexOf('\n', match.index) + 1;
+      const lineEnd = content.indexOf('\n', match.index);
+      const importLine = content.substring(lineStart, lineEnd === -1 ? content.length : lineEnd);
+      
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      let fix = restriction.reason;
+      if (restriction.importExample) {
+        fix += `\n  Example: ${restriction.importExample}`;
+      }
+      if (restriction.usageExample) {
+        fix += `\n  Usage: ${restriction.usageExample}`;
+      }
+      
+      issues.push({
+        type: 'restrictedImport',
+        file: relativePath,
+        line: getLineNumber(content, match.index),
+        message: `Direct import from '${moduleName}' detected. ${restriction.reason}`,
+        code: importLine.trim(),
+        severity: 'error',
+        fix: fix,
+        module: moduleName,
+      });
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check for custom hooks when pace-core provides them
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'prefer-pace-core-hooks' ESLint rule.
+ * Kept for reference only.
+ */
+function checkCustomHooks_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath, manifest) {
+  const issues = [];
+  
+  if (!manifest || !manifest.hooks) {
+    return issues;
+  }
+  
+  // Common custom hook patterns that duplicate pace-core functionality
+  const problematicHooks = {
+    'useAuth': 'useUnifiedAuth',
+    'useToast': 'useToast',
+    'useDebounce': 'useDebounce',
+    'useForm': 'useZodForm',
+  };
+  
+  Object.entries(problematicHooks).forEach(([customHook, paceCoreHook]) => {
+    // Pattern to match hook definitions
+    const patterns = [
+      new RegExp(`(function|const)\\s+${customHook}\\s*[=(]`, 'g'),
+      new RegExp(`export\\s+(function|const)\\s+${customHook}\\s*[=(]`, 'g'),
+    ];
+    
+    patterns.forEach(pattern => {
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        if (isInCommentOrString(content, match.index)) {
+          continue;
+        }
+        
+        // Check if pace-core hook is imported
+        if (importsFromPaceCore(content, paceCoreHook)) {
+          // They have the import but also defined custom hook - likely duplicate
+          const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+          issues.push({
+            type: 'customHook',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `Custom ${customHook} hook detected. Use pace-core ${paceCoreHook} hook instead.`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: `Remove custom ${customHook} and use ${paceCoreHook} from '@jmruthers/pace-core'`,
+          });
+        } else {
+          // No import, might be custom implementation
+          const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+          issues.push({
+            type: 'customHook',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `Custom ${customHook} hook detected. Consider using pace-core ${paceCoreHook} hook instead.`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: `Use ${paceCoreHook} from '@jmruthers/pace-core' instead of custom implementation`,
+          });
+        }
+      }
+    });
+  });
+  
+  return issues;
+}
+
+/**
+ * Check for custom utilities when pace-core provides them
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'prefer-pace-core-utils' ESLint rule.
+ * Kept for reference only.
+ */
+function checkCustomUtils_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath, manifest) {
+  const issues = [];
+  
+  if (!manifest || !manifest.utils) {
+    return issues;
+  }
+  
+  // Common utility patterns that duplicate pace-core functionality
+  const problematicUtils = {
+    'formatDate': 'formatDate',
+    'formatTime': 'formatTime',
+    'formatDateTime': 'formatDateTime',
+    'formatCurrency': 'formatCurrency',
+    'formatNumber': 'formatNumber',
+    'cn': 'cn',
+  };
+  
+  Object.entries(problematicUtils).forEach(([customUtil, paceCoreUtil]) => {
+    // Pattern to match function definitions
+    const patterns = [
+      new RegExp(`(function|const|export\\s+(function|const))\\s+${customUtil}\\s*[=(]`, 'g'),
+    ];
+    
+    patterns.forEach(pattern => {
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        if (isInCommentOrString(content, match.index)) {
+          continue;
+        }
+        
+        // Check if pace-core util is imported
+        if (importsFromPaceCore(content, paceCoreUtil)) {
+          // They have the import but also defined custom util - likely duplicate
+          const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+          issues.push({
+            type: 'customUtil',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `Custom ${customUtil} utility detected. Use pace-core ${paceCoreUtil} utility instead.`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: `Remove custom ${customUtil} and use ${paceCoreUtil} from '@jmruthers/pace-core'`,
+          });
+        } else {
+          // No import, might be custom implementation
+          const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+          issues.push({
+            type: 'customUtil',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `Custom ${customUtil} utility detected. Consider using pace-core ${paceCoreUtil} utility instead.`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: `Use ${paceCoreUtil} from '@jmruthers/pace-core' instead of custom implementation`,
+          });
+        }
+      }
+    });
+  });
+  
+  return issues;
+}
+
+/**
+ * Check for secure Supabase client usage
+ */
+function checkSupabaseUsage(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Check for createClient() calls
+  const createClientPattern = /createClient\s*\(/g;
+  let match;
+  
+  while ((match = createClientPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    // Check if this is from @supabase/supabase-js
+    const beforeMatch = content.substring(Math.max(0, match.index - 200), match.index);
+    const hasSupabaseImport = /from\s+['"]@supabase\/supabase-js['"]/.test(beforeMatch);
+    
+    if (hasSupabaseImport) {
+      // Check if file is in allowed location
+      const allowedPatterns = [
+        /[\/\\]main\.(tsx?|jsx?)$/i,
+        /[\/\\]App\.(tsx?|jsx?)$/i,
+        /[\/\\]lib[\/\\]supabase\.(tsx?|jsx?)$/i,
+        /[\/\\]src[\/\\]supabase\.(tsx?|jsx?)$/i,
+      ];
+      
+      const isAllowed = allowedPatterns.some(pattern => pattern.test(filePath));
+      
+      if (!isAllowed) {
+        issues.push({
+          type: 'supabaseClient',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: 'createClient() call detected in unauthorized location. Should only be in main.tsx, App.tsx, or lib/supabase.ts',
+          code: getCodeSnippet(content, match.index),
+          severity: 'error',
+          fix: 'Move createClient() call to main.tsx, App.tsx, or lib/supabase.ts. Use useSecureSupabase() hook for queries.',
+        });
+      }
+    }
+  }
+  
+  // Check for .from(), .rpc(), .auth. calls on potentially insecure clients
+  // This is a heuristic - we look for these patterns and check if they're on a variable
+  // that might be an insecure client
+  const queryPatterns = [
+    /\.from\s*\(/g,
+    /\.rpc\s*\(/g,
+    /\.auth\./g,
+  ];
+  
+  queryPatterns.forEach(pattern => {
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, match.index)) {
+        continue;
+      }
+      
+      // Check if this is on useSecureSupabase() result
+      const beforeMatch = content.substring(Math.max(0, match.index - 100), match.index);
+      const hasSecureSupabase = /useSecureSupabase\s*\(/.test(beforeMatch) || 
+                                /secureSupabase/.test(beforeMatch) ||
+                                /supabase\s*=\s*useSecureSupabase/.test(beforeMatch);
+      
+      if (!hasSecureSupabase) {
+        // Might be insecure - check context
+        const contextBefore = content.substring(Math.max(0, match.index - 200), match.index);
+        const hasCreateClient = /createClient\s*\(/.test(contextBefore);
+        
+        if (hasCreateClient) {
+          issues.push({
+            type: 'supabaseClient',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: 'Database query detected on potentially insecure client. Use useSecureSupabase() hook instead.',
+            code: getCodeSnippet(content, match.index),
+            severity: 'error',
+            fix: 'Use useSecureSupabase() hook from @jmruthers/pace-core/rbac for all database queries',
+          });
+        }
+      }
+    }
+  });
+  
+  // Check for useSecureSupabase() called with parameters (should be called without)
+  const useSecureSupabasePattern = /useSecureSupabase\s*\(\s*[^)]/g;
+  let secureMatch;
+  while ((secureMatch = useSecureSupabasePattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, secureMatch.index)) {
+      continue;
+    }
+    
+    // Check if parameter is a base client (acceptable exception)
+    const afterMatch = content.substring(secureMatch.index, secureMatch.index + 100);
+    const hasBaseClientParam = /useSecureSupabase\s*\(\s*(supabase|baseClient|client)/.test(afterMatch);
+    
+    if (!hasBaseClientParam) {
+      // Might be an issue, but base client as parameter is acceptable
+      // This is a warning, not an error
+      issues.push({
+        type: 'supabaseClient',
+        file: relativePath,
+        line: getLineNumber(content, secureMatch.index),
+        message: 'useSecureSupabase() called with parameters. Should be called without parameters (gets client from provider automatically).',
+        code: getCodeSnippet(content, secureMatch.index),
+        severity: 'warning',
+        fix: 'Call useSecureSupabase() without parameters. The hook automatically gets the client from UnifiedAuthProvider.',
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check for RBAC permission usage patterns
+ * Detects cases where permission checks are called without waiting for loading state
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'rbac-permission-loading' ESLint rule.
+ * Kept for reference only.
+ */
+function checkRBACPermissionUsage_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Check if file uses useResourcePermissions
+  const usesResourcePermissions = /useResourcePermissions\s*\(/i.test(content);
+  if (!usesResourcePermissions) {
+    return issues;
+  }
+  
+  // Find useResourcePermissions calls and check if isLoading is extracted
+  // Pattern to match destructuring assignments with useResourcePermissions
+  const resourcePermissionsPattern = /(const|let|var)\s*\{[^}]*useResourcePermissions\s*\([^)]*\)[^}]*\}/g;
+  let match;
+  
+  while ((match = resourcePermissionsPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    const destructuringBlock = match[0];
+    const matchIndex = match.index;
+    
+    // Check if isLoading is extracted from useResourcePermissions
+    // Match: isLoading, isLoading: permissionsLoading, isLoading: loading, etc.
+    const hasIsLoading = /\bisLoading\s*(?::\s*\w+)?\s*[,}]/i.test(destructuringBlock);
+    
+    // Find permission function calls (canCreate, canUpdate, canDelete) in the file
+    // Look for calls that might not check loading state first
+    const permissionCallPattern = /\b(canCreate|canUpdate|canDelete)\s*\(/g;
+    let permMatch;
+    
+    while ((permMatch = permissionCallPattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, permMatch.index)) {
+        continue;
+      }
+      
+      // Find the function/block that contains this permission call
+      // Look backwards to find the start of the function/block
+      const beforeCall = content.substring(0, permMatch.index);
+      const functionStart = Math.max(
+        beforeCall.lastIndexOf('function'),
+        beforeCall.lastIndexOf('const'),
+        beforeCall.lastIndexOf('=>'),
+        beforeCall.lastIndexOf('async')
+      );
+      
+      if (functionStart === -1) continue;
+      
+      // Get the context around the permission call
+      const contextStart = Math.max(0, functionStart);
+      const contextEnd = Math.min(content.length, permMatch.index + 200);
+      const context = content.substring(contextStart, contextEnd);
+      
+      // Check if isLoading is checked before this permission call in the same context
+      const isLoadingCheckedBefore = new RegExp(
+        `(if\\s*\\(\\s*!?\\s*isLoading|if\\s*\\(\\s*isLoading\\s*===\\s*false|if\\s*\\(\\s*isLoading\\s*!==\\s*true|await|permissionsLoading)`,
+        'i'
+      ).test(context.substring(0, permMatch.index - contextStart));
+      
+      // Check if this is inside a mutation function (where we need to check loading)
+      const isInMutation = /mutationFn\s*[:=]\s*async|mutateAsync|mutation\s*[:=]/i.test(context);
+      
+      // If isLoading is not extracted, flag it
+      if (!hasIsLoading && isInMutation) {
+        issues.push({
+          type: 'rbacPermission',
+          file: relativePath,
+          line: getLineNumber(content, matchIndex),
+          message: `useResourcePermissions is used but 'isLoading' is not extracted. Permission checks may fail if scope resolution is still in progress.`,
+          code: getCodeSnippet(content, matchIndex, 0, 100),
+          severity: 'error',
+          fix: `Extract 'isLoading' from useResourcePermissions: const { canCreate, canUpdate, canDelete, isLoading: permissionsLoading } = useResourcePermissions(...);`,
+        });
+      }
+      
+      // If isLoading is extracted but not checked before permission call in mutation
+      if (hasIsLoading && isInMutation && !isLoadingCheckedBefore) {
+        const permLine = getLineNumber(content, permMatch.index);
+        issues.push({
+          type: 'rbacPermission',
+          file: relativePath,
+          line: permLine,
+          message: `Permission check '${permMatch[1]}()' is called without checking isLoading first. This can cause false negatives when scope resolution is still in progress.`,
+          code: getCodeSnippet(content, permMatch.index, 20, 50),
+          severity: 'error',
+          fix: `Check isLoading before calling permission function: if (permissionsLoading) { throw new Error("Permission check in progress. Please wait..."); } if (!canCreate(resource)) { ... }`,
+        });
+      }
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check for setupRBAC() call in main.tsx
+ */
+function checkRBACSetup(consumingAppPath) {
+  const issues = [];
+  
+  // Check main.tsx or main.jsx
+  const mainFiles = [
+    path.join(consumingAppPath, 'src', 'main.tsx'),
+    path.join(consumingAppPath, 'src', 'main.ts'),
+    path.join(consumingAppPath, 'src', 'main.jsx'),
+    path.join(consumingAppPath, 'src', 'main.js'),
+    path.join(consumingAppPath, 'main.tsx'),
+    path.join(consumingAppPath, 'main.ts'),
+    path.join(consumingAppPath, 'main.jsx'),
+    path.join(consumingAppPath, 'main.js'),
+  ];
+  
+  let mainFile = null;
+  for (const file of mainFiles) {
+    if (fs.existsSync(file)) {
+      mainFile = file;
+      break;
+    }
+  }
+  
+  if (!mainFile) {
+    issues.push({
+      type: 'rbacSetup',
+      file: 'src/main.tsx (not found)',
+      line: 0,
+      message: 'main.tsx file not found. setupRBAC() must be called in main.tsx before app rendering.',
+      code: '',
+      severity: 'error',
+      fix: 'Create src/main.tsx and call setupRBAC(supabase) before rendering the app.',
+    });
+    return issues;
+  }
+  
+  const content = fs.readFileSync(mainFile, 'utf8');
+  const relativePath = path.relative(consumingAppPath || process.cwd(), mainFile);
+  
+  // Check for setupRBAC call
+  const setupRBACPattern = /setupRBAC\s*\(/;
+  if (!setupRBACPattern.test(content)) {
+    issues.push({
+      type: 'rbacSetup',
+      file: relativePath,
+      line: 1,
+      message: 'setupRBAC() call not found. Must be called in main.tsx before app rendering.',
+      code: '',
+      severity: 'error',
+      fix: 'Add: import { setupRBAC } from \'@jmruthers/pace-core/rbac\'; setupRBAC(supabase);',
+    });
+  } else {
+    // Check if it's called before React rendering
+    const setupRBACIndex = content.indexOf('setupRBAC');
+    const renderIndex = content.search(/(createRoot|render)\s*\(/);
+    
+    if (renderIndex !== -1 && setupRBACIndex > renderIndex) {
+      issues.push({
+        type: 'rbacSetup',
+        file: relativePath,
+        line: getLineNumber(content, setupRBACIndex),
+        message: 'setupRBAC() called after React rendering. Must be called before rendering.',
+        code: getCodeSnippet(content, setupRBACIndex),
+        severity: 'error',
+        fix: 'Move setupRBAC() call before createRoot() or render() call.',
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check for required providers
+ * Providers can be in:
+ * - main.tsx or App.tsx (direct)
+ * - A provider file (e.g., AppProviders, providers.tsx)
+ * - A component imported in App.tsx that wraps the app
+ */
+function checkProviders(consumingAppPath) {
+  const issues = [];
+  
+  // First, check main.tsx or App.tsx
+  const checkFiles = [
+    path.join(consumingAppPath, 'src', 'main.tsx'),
+    path.join(consumingAppPath, 'src', 'main.ts'),
+    path.join(consumingAppPath, 'src', 'main.jsx'),
+    path.join(consumingAppPath, 'src', 'main.js'),
+    path.join(consumingAppPath, 'src', 'App.tsx'),
+    path.join(consumingAppPath, 'src', 'App.ts'),
+    path.join(consumingAppPath, 'src', 'App.jsx'),
+    path.join(consumingAppPath, 'src', 'App.js'),
+  ];
+  
+  let foundFile = null;
+  let mainContent = '';
+  let appContent = '';
+  
+  // Read main.tsx if it exists
+  const mainFile = checkFiles.find(f => fs.existsSync(f));
+  if (mainFile) {
+    foundFile = mainFile;
+    mainContent = fs.readFileSync(mainFile, 'utf8');
+  }
+  
+  // Read App.tsx if it exists
+  const appFile = checkFiles.slice(4).find(f => fs.existsSync(f));
+  if (appFile) {
+    appContent = fs.readFileSync(appFile, 'utf8');
+  }
+  
+  if (!foundFile && !appFile) {
+    issues.push({
+      type: 'providers',
+      file: 'src/main.tsx or src/App.tsx (not found)',
+      line: 0,
+      message: 'main.tsx or App.tsx not found. Required providers must wrap the app.',
+      code: '',
+      severity: 'error',
+      fix: 'Create src/main.tsx and wrap app with UnifiedAuthProvider and OrganisationProvider.',
+    });
+    return issues;
+  }
+  
+  // Combine content from both files for checking
+  const combinedContent = mainContent + '\n' + appContent;
+  
+  // Check for UnifiedAuthProvider in main.tsx or App.tsx
+  let hasUnifiedAuthProvider = /<UnifiedAuthProvider/.test(combinedContent) || 
+                               /UnifiedAuthProvider\s*</.test(combinedContent);
+  
+  // Check for OrganisationProvider in main.tsx or App.tsx
+  let hasOrganisationProvider = /<OrganisationProvider/.test(combinedContent) || 
+                               /OrganisationProvider\s*</.test(combinedContent);
+  
+  // If providers not found in main.tsx/App.tsx, check for provider files
+  if (!hasUnifiedAuthProvider || !hasOrganisationProvider) {
+    // Look for provider files that might contain the providers
+    const providerFilePatterns = [
+      '**/providers/**/*.{ts,tsx,js,jsx}',
+      '**/app/providers/**/*.{ts,tsx,js,jsx}',
+      '**/AppProviders.{ts,tsx,js,jsx}',
+      '**/app-providers.{ts,tsx,js,jsx}',
+    ];
+    
+    // Check common provider file locations
+    const providerFiles = [
+      path.join(consumingAppPath, 'src', 'app', 'providers', 'app-providers.tsx'),
+      path.join(consumingAppPath, 'src', 'app', 'providers', 'app-providers.ts'),
+      path.join(consumingAppPath, 'src', 'app', 'providers', 'AppProviders.tsx'),
+      path.join(consumingAppPath, 'src', 'app', 'providers', 'AppProviders.ts'),
+      path.join(consumingAppPath, 'src', 'providers', 'AppProviders.tsx'),
+      path.join(consumingAppPath, 'src', 'providers', 'AppProviders.ts'),
+      path.join(consumingAppPath, 'src', 'providers', 'app-providers.tsx'),
+      path.join(consumingAppPath, 'src', 'providers', 'app-providers.ts'),
+    ];
+    
+    for (const providerFile of providerFiles) {
+      if (fs.existsSync(providerFile)) {
+        try {
+          const providerContent = fs.readFileSync(providerFile, 'utf8');
+          
+          // Check for providers in this file
+          if (!hasUnifiedAuthProvider && /<UnifiedAuthProvider/.test(providerContent)) {
+            hasUnifiedAuthProvider = true;
+          }
+          
+          if (!hasOrganisationProvider && /<OrganisationProvider/.test(providerContent)) {
+            hasOrganisationProvider = true;
+          }
+          
+          // If we found both, we can stop looking
+          if (hasUnifiedAuthProvider && hasOrganisationProvider) {
+            break;
+          }
+        } catch (e) {
+          // Skip files that can't be read
+        }
+      }
+    }
+    
+    // Also check if App.tsx imports a provider component
+    if (appContent) {
+      // Look for imports like: import { AppProviders } from '@/app/providers/app-providers';
+      const providerImportPattern = /import\s+.*\b(AppProviders|app-providers|Providers)\b.*from\s+['"]([^'"]+)['"]/;
+      const providerImportMatch = appContent.match(providerImportPattern);
+      
+      if (providerImportMatch) {
+        // Try to find the imported file
+        const importPath = providerImportMatch[2];
+        // Handle path aliases (@/app/providers/app-providers)
+        const resolvedPath = importPath.startsWith('@/')
+          ? path.join(consumingAppPath, 'src', importPath.slice(2))
+          : path.join(path.dirname(appFile), importPath);
+        
+        // Try with different extensions
+        const possiblePaths = [
+          resolvedPath,
+          resolvedPath + '.tsx',
+          resolvedPath + '.ts',
+          resolvedPath + '.jsx',
+          resolvedPath + '.js',
+        ];
+        
+        for (const possiblePath of possiblePaths) {
+          if (fs.existsSync(possiblePath)) {
+            try {
+              const providerContent = fs.readFileSync(possiblePath, 'utf8');
+              
+              if (!hasUnifiedAuthProvider && /<UnifiedAuthProvider/.test(providerContent)) {
+                hasUnifiedAuthProvider = true;
+              }
+              
+              if (!hasOrganisationProvider && /<OrganisationProvider/.test(providerContent)) {
+                hasOrganisationProvider = true;
+              }
+              
+              break;
+            } catch (e) {
+              // Skip files that can't be read
+            }
+          }
+        }
+      }
+    }
+  }
+  
+  const relativePath = foundFile ? path.relative(consumingAppPath || process.cwd(), foundFile) : 'src/App.tsx';
+  
+  // Check for UnifiedAuthProvider
+  if (!hasUnifiedAuthProvider) {
+    issues.push({
+      type: 'providers',
+      file: relativePath,
+      line: 1,
+      message: 'UnifiedAuthProvider not found. Must wrap the app (can be in main.tsx, App.tsx, or a provider file).',
+      code: '',
+      severity: 'error',
+      fix: 'Import and wrap app with UnifiedAuthProvider from @jmruthers/pace-core',
+    });
+  }
+  
+  // Check for OrganisationProvider
+  if (!hasOrganisationProvider) {
+    issues.push({
+      type: 'providers',
+      file: relativePath,
+      line: 1,
+      message: 'OrganisationProvider not found. Must wrap the app (inside UnifiedAuthProvider, can be in main.tsx, App.tsx, or a provider file).',
+      code: '',
+      severity: 'error',
+      fix: 'Import and wrap app with OrganisationProvider from @jmruthers/pace-core (inside UnifiedAuthProvider)',
+    });
+  }
+  
+  // Check nesting order
+  // Find JSX opening tags (not in import/export statements)
+  if (hasUnifiedAuthProvider && hasOrganisationProvider) {
+    // Find the file that contains the providers for nesting check
+    let nestingCheckContent = combinedContent;
+    let nestingCheckFile = relativePath;
+    
+    // If providers weren't found in main.tsx/App.tsx, find the provider file
+    if (!/<UnifiedAuthProvider/.test(combinedContent) || !/<OrganisationProvider/.test(combinedContent)) {
+      // Look for provider files
+      const providerFiles = [
+        path.join(consumingAppPath, 'src', 'app', 'providers', 'app-providers.tsx'),
+        path.join(consumingAppPath, 'src', 'app', 'providers', 'app-providers.ts'),
+        path.join(consumingAppPath, 'src', 'app', 'providers', 'AppProviders.tsx'),
+        path.join(consumingAppPath, 'src', 'app', 'providers', 'AppProviders.ts'),
+        path.join(consumingAppPath, 'src', 'providers', 'AppProviders.tsx'),
+        path.join(consumingAppPath, 'src', 'providers', 'AppProviders.ts'),
+        path.join(consumingAppPath, 'src', 'providers', 'app-providers.tsx'),
+        path.join(consumingAppPath, 'src', 'providers', 'app-providers.ts'),
+      ];
+      
+      for (const providerFile of providerFiles) {
+        if (fs.existsSync(providerFile)) {
+          try {
+            const providerContent = fs.readFileSync(providerFile, 'utf8');
+            if (/<UnifiedAuthProvider/.test(providerContent) && /<OrganisationProvider/.test(providerContent)) {
+              nestingCheckContent = providerContent;
+              nestingCheckFile = path.relative(consumingAppPath || process.cwd(), providerFile);
+              break;
+            }
+          } catch (e) {
+            // Skip files that can't be read
+          }
+        }
+      }
+    }
+    
+    // Find all occurrences of opening tags
+    const unifiedAuthMatches = [];
+    const organisationMatches = [];
+    
+    // Find <UnifiedAuthProvider opening tags (not in import statements)
+    const unifiedAuthPattern = /<UnifiedAuthProvider\s*(?:[^>]*>|>)/g;
+    let match;
+    while ((match = unifiedAuthPattern.exec(nestingCheckContent)) !== null) {
+      // Check if this is in an import/export statement
+      const beforeMatch = nestingCheckContent.substring(Math.max(0, match.index - 100), match.index);
+      const isInImport = /import\s+.*from\s+['"]/.test(beforeMatch) || 
+                        /export\s+.*from\s+['"]/.test(beforeMatch);
+      if (!isInImport) {
+        unifiedAuthMatches.push(match.index);
+      }
+    }
+    
+    // Find <OrganisationProvider opening tags (not in import statements)
+    const organisationPattern = /<OrganisationProvider\s*(?:[^>]*>|>)/g;
+    while ((match = organisationPattern.exec(nestingCheckContent)) !== null) {
+      // Check if this is in an import/export statement
+      const beforeMatch = nestingCheckContent.substring(Math.max(0, match.index - 100), match.index);
+      const isInImport = /import\s+.*from\s+['"]/.test(beforeMatch) || 
+                        /export\s+.*from\s+['"]/.test(beforeMatch);
+      if (!isInImport) {
+        organisationMatches.push(match.index);
+      }
+    }
+    
+    // Check nesting order - UnifiedAuthProvider should come before OrganisationProvider
+    if (unifiedAuthMatches.length > 0 && organisationMatches.length > 0) {
+      const firstUnifiedAuth = unifiedAuthMatches[0];
+      const firstOrganisation = organisationMatches[0];
+      
+      // Check if OrganisationProvider appears before UnifiedAuthProvider (wrong order)
+      if (firstOrganisation < firstUnifiedAuth) {
+        issues.push({
+          type: 'providers',
+          file: nestingCheckFile,
+          line: getLineNumber(nestingCheckContent, firstOrganisation),
+          message: 'OrganisationProvider must be nested inside UnifiedAuthProvider, not the other way around.',
+          code: getCodeSnippet(nestingCheckContent, firstOrganisation),
+          severity: 'error',
+          fix: 'Nest OrganisationProvider inside UnifiedAuthProvider: <UnifiedAuthProvider><OrganisationProvider>...</OrganisationProvider></UnifiedAuthProvider>',
+        });
+      } else {
+        // UnifiedAuthProvider comes first - verify proper nesting
+        // Find closing tags to check if OrganisationProvider is actually inside UnifiedAuthProvider
+        const unifiedAuthClosePattern = /<\/UnifiedAuthProvider>/g;
+        const organisationClosePattern = /<\/OrganisationProvider>/g;
+        
+        const unifiedAuthCloses = [];
+        const organisationCloses = [];
+        
+        while ((match = unifiedAuthClosePattern.exec(nestingCheckContent)) !== null) {
+          unifiedAuthCloses.push(match.index);
+        }
+        
+        while ((match = organisationClosePattern.exec(nestingCheckContent)) !== null) {
+          organisationCloses.push(match.index);
+        }
+        
+        // Check if OrganisationProvider closing tag comes before UnifiedAuthProvider closing tag
+        // This ensures proper nesting: <UnifiedAuthProvider>...<OrganisationProvider>...</OrganisationProvider>...</UnifiedAuthProvider>
+        if (unifiedAuthCloses.length > 0 && organisationCloses.length > 0) {
+          const firstUnifiedAuthClose = unifiedAuthCloses[0];
+          const firstOrganisationClose = organisationCloses[0];
+          
+          // OrganisationProvider should close before UnifiedAuthProvider closes
+          if (firstOrganisationClose > firstUnifiedAuthClose) {
+            issues.push({
+              type: 'providers',
+              file: nestingCheckFile,
+              line: getLineNumber(nestingCheckContent, firstOrganisation),
+              message: 'OrganisationProvider closing tag must come before UnifiedAuthProvider closing tag. Check nesting order.',
+              code: getCodeSnippet(nestingCheckContent, firstOrganisation),
+              severity: 'error',
+              fix: 'Nest OrganisationProvider inside UnifiedAuthProvider: <UnifiedAuthProvider><OrganisationProvider>...</OrganisationProvider></UnifiedAuthProvider>',
+            });
+          }
+        }
+      }
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check for core.css import (via app.css)
+ * Correct pattern:
+ * - main.tsx imports ./app.css (NOT core.css directly)
+ * - app.css contains @import "@jmruthers/pace-core/styles/core.css";
+ */
+function checkCoreStyles(consumingAppPath) {
+  const issues = [];
+  
+  // Check main.tsx or App.tsx
+  const checkFiles = [
+    path.join(consumingAppPath, 'src', 'main.tsx'),
+    path.join(consumingAppPath, 'src', 'main.ts'),
+    path.join(consumingAppPath, 'src', 'main.jsx'),
+    path.join(consumingAppPath, 'src', 'main.js'),
+    path.join(consumingAppPath, 'src', 'App.tsx'),
+    path.join(consumingAppPath, 'src', 'App.ts'),
+    path.join(consumingAppPath, 'src', 'App.jsx'),
+    path.join(consumingAppPath, 'src', 'App.js'),
+  ];
+  
+  let foundFile = null;
+  let content = '';
+  
+  for (const file of checkFiles) {
+    if (fs.existsSync(file)) {
+      foundFile = file;
+      content = fs.readFileSync(file, 'utf8');
+      break;
+    }
+  }
+  
+  if (!foundFile) {
+    issues.push({
+      type: 'coreStyles',
+      file: 'src/main.tsx or src/App.tsx (not found)',
+      line: 0,
+      message: 'main.tsx or App.tsx not found. app.css must be imported.',
+      code: '',
+      severity: 'error',
+      fix: 'Create src/main.tsx and import: import \'./app.css\';',
+    });
+    return issues;
+  }
+  
+  const relativePath = path.relative(consumingAppPath || process.cwd(), foundFile);
+  
+  // Check for app.css import (correct pattern)
+  // Matches: import './app.css', import "./app.css", import '@/app.css', import '../app.css', etc.
+  const hasAppCssImport = /import\s+['"](\.\/|@\/|\.\.\/)?app\.css['"]/.test(content);
+  
+  // Check for direct core.css import (incorrect pattern - should be in app.css)
+  const coreCssImportMatch = content.match(/@jmruthers\/pace-core\/styles\/core\.css/);
+  const hasDirectCoreCssImport = coreCssImportMatch !== null;
+  
+  if (hasDirectCoreCssImport) {
+    const coreCssIndex = coreCssImportMatch.index;
+    issues.push({
+      type: 'coreStyles',
+      file: relativePath,
+      line: getLineNumber(content, coreCssIndex),
+      message: 'Direct core.css import detected. Should import app.css instead, which imports core.css.',
+      code: getCodeSnippet(content, coreCssIndex),
+      severity: 'error',
+      fix: 'Remove direct core.css import and import app.css instead: import \'./app.css\';',
+    });
+  }
+  
+  if (!hasAppCssImport) {
+    issues.push({
+      type: 'coreStyles',
+      file: relativePath,
+      line: 1,
+      message: 'app.css import not found. Must import app.css (which imports core.css).',
+      code: '',
+      severity: 'error',
+      fix: 'Add: import \'./app.css\';',
+    });
+  }
+  
+  // Check that app.css exists and contains core.css import
+  const appCssFiles = [
+    path.join(consumingAppPath, 'src', 'app.css'),
+    path.join(consumingAppPath, 'app.css'),
+  ];
+  
+  let appCssFile = null;
+  let appCssContent = '';
+  
+  for (const file of appCssFiles) {
+    if (fs.existsSync(file)) {
+      appCssFile = file;
+      appCssContent = fs.readFileSync(file, 'utf8');
+      break;
+    }
+  }
+  
+  if (!appCssFile) {
+    issues.push({
+      type: 'coreStyles',
+      file: 'src/app.css (not found)',
+      line: 0,
+      message: 'app.css file not found. Must create app.css with @import "@jmruthers/pace-core/styles/core.css";',
+      code: '',
+      severity: 'error',
+      fix: 'Create src/app.css with: @import "tailwindcss"; @import "@jmruthers/pace-core/styles/core.css";',
+    });
+  } else {
+    // Check that app.css contains the core.css import
+    const hasCoreCssInAppCss = /@import\s+['"]@jmruthers\/pace-core\/styles\/core\.css['"]/.test(appCssContent);
+    
+    if (!hasCoreCssInAppCss) {
+      const appCssRelativePath = path.relative(consumingAppPath || process.cwd(), appCssFile);
+      issues.push({
+        type: 'coreStyles',
+        file: appCssRelativePath,
+        line: 1,
+        message: 'core.css import not found in app.css. Must add @import "@jmruthers/pace-core/styles/core.css";',
+        code: '',
+        severity: 'error',
+        fix: 'Add to app.css: @import "@jmruthers/pace-core/styles/core.css";',
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check for inline styles
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'no-inline-styles' ESLint rule.
+ * Kept for reference only.
+ */
+function checkInlineStyles_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  
+  // Pattern to match style={{...}} or style={...}
+  const stylePattern = /style\s*=\s*\{/g;
+  let match;
+  
+  while ((match = stylePattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+    issues.push({
+      type: 'inlineStyles',
+      file: relativePath,
+      line: getLineNumber(content, match.index),
+      message: 'Inline style detected. Use pace-core components or Tailwind classes instead.',
+      code: getCodeSnippet(content, match.index),
+      severity: 'error',
+      fix: 'Remove inline style and use pace-core component styling or Tailwind utility classes',
+    });
+  }
+  
+  return issues;
+}
+
+/**
+ * Main audit function
+ */
+function runComplianceAudit(consumingAppPath = process.cwd()) {
+  const srcPath = path.join(consumingAppPath, 'src');
+  const searchPath = fs.existsSync(srcPath) ? srcPath : consumingAppPath;
+  
+  if (!fs.existsSync(searchPath)) {
+    return {
+      error: `Source directory not found at ${searchPath}`,
+      issues: {
+        supabaseClient: [],
+        rbacSetup: [],
+        providers: [],
+        coreStyles: [],
+        rbacPermission: [],
+      },
+    };
+  }
+  
+  // Load manifest
+  const manifest = loadManifest(consumingAppPath);
+  
+  // Find all source files
+  const sourceFiles = findSourceFiles(searchPath);
+  
+  if (sourceFiles.length === 0) {
+    return {
+      error: `No source files found in ${searchPath}`,
+      issues: {
+        supabaseClient: [],
+        rbacSetup: [],
+        providers: [],
+        coreStyles: [],
+        rbacPermission: [],
+      },
+    };
+  }
+  
+  const issues = {
+    // NOTE: nativeElements, restrictedImports, customHooks, customUtils, inlineStyles
+    // have been migrated to ESLint rules. Only file-system/config checks remain.
+    supabaseClient: [],
+    rbacSetup: [],
+    providers: [],
+    coreStyles: [],
+    // Keep rbacPermission for now (partial migration - complex checks may remain)
+    rbacPermission: [],
+  };
+  
+  // Check each file
+  // NOTE: Native elements, restricted imports, custom hooks/utils, inline styles, 
+  // and RBAC permission loading checks have been migrated to ESLint rules.
+  // Only file-system and config-based checks remain here.
+  sourceFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      
+      // Check for Supabase usage (file-system based checks only)
+      // Direct client creation checks moved to ESLint
+      const supabaseIssues = checkSupabaseUsage(content, filePath, consumingAppPath);
+      issues.supabaseClient.push(...supabaseIssues);
+      
+    } catch (error) {
+      // Skip files that can't be read
+      console.warn(`Warning: Could not read ${filePath}: ${error.message}`);
+    }
+  });
+  
+  // Check setup-specific files
+  const rbacIssues = checkRBACSetup(consumingAppPath);
+  issues.rbacSetup.push(...rbacIssues);
+  
+  const providerIssues = checkProviders(consumingAppPath);
+  issues.providers.push(...providerIssues);
+  
+  const coreStyleIssues = checkCoreStyles(consumingAppPath);
+  issues.coreStyles.push(...coreStyleIssues);
+  
+  return {
+    issues,
+  };
+}
+
+// Export for use by other scripts
+if (typeof module !== 'undefined' && module.exports) {
+  module.exports = { runComplianceAudit };
+}
+
+// If run directly, output results
+if (require.main === module) {
+  const consumingAppPath = process.argv[2] || process.cwd();
+  const result = runComplianceAudit(consumingAppPath);
+  
+  if (result.error) {
+    console.error(`Error: ${result.error}`);
+    process.exit(1);
+  }
+  
+  const { issues } = result;
+  
+  // Count total issues
+  const totalIssues = Object.values(issues).reduce((sum, arr) => sum + arr.length, 0);
+  
+  if (totalIssues === 0) {
+    console.log('✅ No compliance issues found!');
+    process.exit(0);
+  }
+  
+  console.log(`\n❌ Found ${totalIssues} compliance issue(s):\n`);
+  
+  // Group by type
+  Object.entries(issues).forEach(([type, typeIssues]) => {
+    if (typeIssues.length > 0) {
+      console.log(`\n${type}: ${typeIssues.length} issue(s)`);
+      typeIssues.forEach(issue => {
+        console.log(`  ${issue.file}:${issue.line}`);
+        console.log(`    ${issue.message}`);
+      });
+    }
+  });
+  
+  process.exit(1);
+}
+