@jmruthers/pace-core 0.6.4 → 0.6.6

package/scripts/audit/audit-rbac.cjs

@@ -0,0 +1,954 @@
+#!/usr/bin/env node
+
+/**
+ * RBAC Compliance Audit Script
+ * 
+ * Audits consuming apps for RBAC compliance according to 09-rbac-compliance.mdc.
+ * Checks for:
+ * - PagePermissionGuard usage on all protected pages
+ * - Wrapper components/functions around RBAC components
+ * - Direct RBAC RPC calls and table queries
+ * - Hardcoded role checks
+ * - RESOURCE_NAMES constants usage
+ * - AccessDenied component usage
+ * - enforcePermissions configuration
+ * - Edge Functions RBAC usage
+ * 
+ * Usage:
+ *   const { runRBACAudit } = require('./audit-rbac.cjs');
+ *   const issues = runRBACAudit(consumingAppPath);
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Recursively find all TypeScript/JavaScript files in a directory
+ */
+function findSourceFiles(dir, fileList = []) {
+  if (!fs.existsSync(dir)) {
+    return fileList;
+  }
+  
+  const files = fs.readdirSync(dir);
+  
+  files.forEach(file => {
+    const filePath = path.join(dir, file);
+    const stat = fs.statSync(filePath);
+    
+    if (stat.isDirectory()) {
+      // Skip node_modules, dist, build, .git, etc.
+      if (!['node_modules', 'dist', 'build', '.git', '.next', '.vite', 'coverage', '.turbo'].includes(file)) {
+        findSourceFiles(filePath, fileList);
+      }
+    } else if (/\.(ts|tsx|js|jsx)$/.test(file)) {
+      fileList.push(filePath);
+    }
+  });
+  
+  return fileList;
+}
+
+/**
+ * Get line number from index in content
+ */
+function getLineNumber(content, index) {
+  return content.substring(0, index).split('\n').length;
+}
+
+/**
+ * Get code snippet around a match for context
+ */
+function getCodeSnippet(content, index, before = 30, after = 50) {
+  const start = Math.max(0, index - before);
+  const end = Math.min(content.length, index + after);
+  return content.substring(start, end).trim();
+}
+
+/**
+ * Check if content is in a comment or string
+ */
+function isInCommentOrString(content, index) {
+  const before = content.substring(0, index);
+  
+  // Check for line comments
+  const lastLineComment = before.lastIndexOf('//');
+  const lastNewline = before.lastIndexOf('\n');
+  if (lastLineComment > lastNewline) {
+    return true;
+  }
+  
+  // Check for block comments
+  const lastBlockCommentStart = before.lastIndexOf('/*');
+  const lastBlockCommentEnd = before.lastIndexOf('*/');
+  if (lastBlockCommentStart > lastBlockCommentEnd) {
+    return true;
+  }
+  
+  // Check for string literals (simple check)
+  const singleQuoteMatches = [...before.matchAll(/'/g)];
+  const doubleQuoteMatches = [...before.matchAll(/"/g)];
+  const backtickMatches = [...before.matchAll(/`/g)];
+  
+  // Simple heuristic: if odd number of quotes before, might be in string
+  const inSingleQuote = singleQuoteMatches.length % 2 === 1;
+  const inDoubleQuote = doubleQuoteMatches.length % 2 === 1;
+  const inBacktick = backtickMatches.length % 2 === 1;
+  
+  return inSingleQuote || inDoubleQuote || inBacktick;
+}
+
+/**
+ * Check if file imports a specific component/hook/util from pace-core
+ */
+function importsFromPaceCore(content, name) {
+  const patterns = [
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core`),
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core/rbac`),
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core/components`),
+    new RegExp(`import\\s+.*\\b${name}\\b.*from\\s+['"]@jmruthers/pace-core/hooks`),
+  ];
+  
+  return patterns.some(pattern => pattern.test(content));
+}
+
+/**
+ * Check if a file is likely a page/route component
+ * Excludes: providers, routing components, shared/reusable components
+ */
+function isPageComponent(filePath, content) {
+  const fileName = path.basename(filePath);
+  const dirName = path.dirname(filePath);
+  const dirParts = dirName.split(path.sep);
+  
+  // EXCLUDE: Provider components
+  if (dirParts.some(part => part.toLowerCase() === 'providers' || part.toLowerCase() === 'provider')) {
+    return false;
+  }
+  
+  // EXCLUDE: Routing components (files matching *Route.tsx or *Routes.tsx)
+  if (/Route(s)?\.(tsx?|jsx?)$/i.test(fileName)) {
+    return false;
+  }
+  
+  // EXCLUDE: Shared/reusable components
+  if (dirParts.some(part => part.toLowerCase() === 'shared' || part.toLowerCase() === 'components')) {
+    // Only exclude if it's in a components directory (not pages/components)
+    const componentsIndex = dirParts.findIndex(part => part.toLowerCase() === 'components');
+    const pagesIndex = dirParts.findIndex(part => part.toLowerCase() === 'pages');
+    if (componentsIndex !== -1 && (pagesIndex === -1 || componentsIndex < pagesIndex)) {
+      return false;
+    }
+  }
+  
+  // EXCLUDE: Files that are clearly providers (contain Provider in name and setup context)
+  if (/Provider\.(tsx?|jsx?)$/i.test(fileName) || 
+      /.*Provider.*\.(tsx?|jsx?)$/i.test(fileName)) {
+    // Check if it actually sets up providers (contains Provider components)
+    if (/<.*Provider|Provider\s*</.test(content) || /createContext|Context\.Provider/.test(content)) {
+      return false;
+    }
+  }
+  
+  // INCLUDE: Files in pages/ directory (definitely pages)
+  if (dirParts.some(part => part.toLowerCase() === 'pages')) {
+    return true;
+  }
+  
+  // INCLUDE: Files matching *Page.tsx pattern (but not *Route.tsx which we already excluded)
+  if (/Page\.(tsx?|jsx?)$/i.test(fileName)) {
+    return true;
+  }
+  
+  // INCLUDE: Files in features/ directory that export page components
+  // (features often contain page components)
+  if (dirParts.some(part => part.toLowerCase() === 'features')) {
+    // Check if it exports a page-like component (has PagePermissionGuard or is a page)
+    if (/export\s+(function|const)\s+\w+Page/.test(content) || 
+        /PagePermissionGuard/.test(content)) {
+      return true;
+    }
+  }
+  
+  // EXCLUDE: Files in app/ directory that are NOT pages
+  // (app/ can contain routes, providers, etc.)
+  if (dirParts.some(part => part.toLowerCase() === 'app')) {
+    // Only include if it's clearly a page (has PagePermissionGuard or matches page patterns)
+    if (/PagePermissionGuard/.test(content) || 
+        /export\s+(function|const)\s+\w+Page/.test(content)) {
+      return true;
+    }
+    // Otherwise exclude (likely a route, provider, or other non-page component)
+    return false;
+  }
+  
+  // EXCLUDE: Files that are clearly routing components (contain Routes, Route, Router)
+  if (/Routes|Router/.test(content) && !/PagePermissionGuard/.test(content)) {
+    // If it contains routing setup but no PagePermissionGuard, it's a routing component
+    if (/<Routes|<Route|<Router/.test(content)) {
+      return false;
+    }
+  }
+  
+  // EXCLUDE: Files that export routing components
+  if (/export\s+(function|const)\s+\w+Route(s)?/.test(content)) {
+    return false;
+  }
+  
+  return false;
+}
+
+/**
+ * Check 1: PagePermissionGuard Usage (Security Critical)
+ */
+function checkPagePermissionGuard(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Only check page components
+  if (!isPageComponent(filePath, content)) {
+    return issues;
+  }
+  
+  // Check if PagePermissionGuard is used
+  const hasPagePermissionGuard = /<PagePermissionGuard/.test(content) || 
+                                 /PagePermissionGuard\s*</.test(content);
+  
+  // Check if RBAC hooks are imported (indicates this should be protected)
+  const hasRBACHooks = importsFromPaceCore(content, 'useCan') ||
+                       importsFromPaceCore(content, 'useResourcePermissions') ||
+                       importsFromPaceCore(content, 'usePermissions') ||
+                       importsFromPaceCore(content, 'useRBAC');
+  
+  // Check if component returns JSX (likely a page)
+  const returnsJSX = /return\s*\(/.test(content) || /return\s+</.test(content);
+  
+  if (returnsJSX && !hasPagePermissionGuard) {
+    // Check if this is a public page (no RBAC hooks)
+    if (hasRBACHooks) {
+      // Definitely should be protected
+      issues.push({
+        type: 'rbacPageGuard',
+        file: relativePath,
+        line: 1,
+        message: 'Page component missing PagePermissionGuard wrapper. Pages using RBAC hooks must be protected.',
+        code: getCodeSnippet(content, content.indexOf('return')),
+        severity: 'error',
+        fix: 'Wrap page content with <PagePermissionGuard pageName="page-name" operation="read">',
+      });
+    } else {
+      // Might be a public page, but flag for review
+      issues.push({
+        type: 'rbacPageGuard',
+        file: relativePath,
+        line: 1,
+        message: 'Page component does not use PagePermissionGuard. Verify if this page should be protected.',
+        code: getCodeSnippet(content, content.indexOf('return') || 0),
+        severity: 'warning',
+        fix: 'If page should be protected, wrap with <PagePermissionGuard pageName="page-name" operation="read">',
+      });
+    }
+  }
+  
+  // Check if PagePermissionGuard is used incorrectly (missing required props)
+  if (hasPagePermissionGuard) {
+    const pageGuardPattern = /<PagePermissionGuard[^>]*>/g;
+    let match;
+    while ((match = pageGuardPattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, match.index)) {
+        continue;
+      }
+      
+      const guardProps = match[0];
+      const hasPageName = /pageName\s*=/.test(guardProps);
+      const hasOperation = /operation\s*=/.test(guardProps);
+      
+      if (!hasPageName || !hasOperation) {
+        issues.push({
+          type: 'rbacPageGuard',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: 'PagePermissionGuard missing required props (pageName or operation)',
+          code: guardProps,
+          severity: 'error',
+          fix: 'Add required props: <PagePermissionGuard pageName="page-name" operation="read">',
+        });
+      }
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check 2: Wrapper Components Around PagePermissionGuard (Security Risk)
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'no-rbac-wrapper-components' ESLint rule.
+ * Kept for reference only.
+ */
+function checkWrapperComponents_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Pattern to find components that wrap PagePermissionGuard
+  // Look for function/const definitions that return PagePermissionGuard
+  const wrapperPattern = /(?:function|const|export\s+(?:function|const))\s+(\w+)\s*[=(][^)]*\)\s*\{[^}]*<PagePermissionGuard/gs;
+  let match;
+  
+  while ((match = wrapperPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    const componentName = match[1];
+    const componentBody = match[0];
+    
+    // Check if this component accepts pageName as prop (wrapper pattern)
+    if (/pageName\s*[:=]/.test(componentBody) || /\{[^}]*pageName/.test(componentBody)) {
+      issues.push({
+        type: 'rbacWrapperComponent',
+        file: relativePath,
+        line: getLineNumber(content, match.index),
+        message: `Wrapper component '${componentName}' detected around PagePermissionGuard. Must use PagePermissionGuard directly, not through wrappers.`,
+        code: getCodeSnippet(content, match.index, 0, 100),
+        severity: 'error',
+        fix: `Remove wrapper component and use PagePermissionGuard directly in pages.`,
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check 3: Wrapper Functions Around Permission Hooks (Security Risk)
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'no-rbac-wrapper-functions' ESLint rule.
+ * Kept for reference only.
+ */
+function checkWrapperFunctions_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Pattern to find functions that use permission hooks
+  const permissionHooks = ['useCan', 'useResourcePermissions', 'usePermissions', 'useRBAC'];
+  
+  permissionHooks.forEach(hookName => {
+    // Check if hook is imported
+    if (!importsFromPaceCore(content, hookName)) {
+      return;
+    }
+    
+    // Find function definitions that might wrap the hook
+    // Pattern: function/const name = (...) => { ... useHook ... }
+    const functionPattern = new RegExp(`(?:function|const|export\\s+(?:function|const))\\s+(\\w+)\\s*[=(][^)]*\\)\\s*=>\\s*\\{[^}]*${hookName}`, 'gs');
+    let match;
+    
+    while ((match = functionPattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, match.index)) {
+        continue;
+      }
+      
+      const functionName = match[1];
+      const functionBody = match[0];
+      
+      // Check if this function returns a permission check result (wrapper pattern)
+      // Look for patterns like: const canEdit = (...) => { const { can } = useCan(...); return can; }
+      if (/return\s+(can|hasPermission|isPermitted|canCreate|canUpdate|canDelete)/.test(functionBody) ||
+          /:\s*(can|hasPermission|isPermitted|boolean)/.test(functionBody)) {
+        issues.push({
+          type: 'rbacWrapperFunction',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: `Wrapper function '${functionName}' detected around ${hookName} hook. Must use hooks directly, not through wrapper functions.`,
+          code: getCodeSnippet(content, match.index, 0, 150),
+          severity: 'error',
+          fix: `Remove wrapper function and use ${hookName} hook directly in components.`,
+        });
+      }
+    }
+    
+    // Also check for custom permission utility functions
+    const utilityPattern = /(?:function|const|export\s+(?:function|const))\s+(checkPermission|canEdit|canDelete|hasAccess|checkAccess)\s*[=(]/g;
+    let utilMatch;
+    while ((utilMatch = utilityPattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, utilMatch.index)) {
+        continue;
+      }
+      
+      // Check if this function uses permission hooks or RPC calls
+      const funcStart = utilMatch.index;
+      const funcEnd = content.indexOf('}', funcStart);
+      if (funcEnd === -1) continue;
+      
+      const funcBody = content.substring(funcStart, funcEnd);
+      if (new RegExp(hookName).test(funcBody) || /rbac_check_permission/.test(funcBody)) {
+        issues.push({
+          type: 'rbacWrapperFunction',
+          file: relativePath,
+          line: getLineNumber(content, utilMatch.index),
+          message: `Custom permission utility function '${utilMatch[1]}' detected. Must use pace-core hooks directly, not custom utilities.`,
+          code: getCodeSnippet(content, utilMatch.index, 0, 150),
+          severity: 'error',
+          fix: `Remove custom utility and use ${hookName} hook directly.`,
+        });
+      }
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check 4: RESOURCE_NAMES Constants Usage (Type Safety)
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'rbac-use-resource-names-constants' ESLint rule.
+ * Kept for reference only.
+ */
+function checkResourceNamesConstants_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Find all useResourcePermissions calls
+  const useResourcePermissionsPattern = /useResourcePermissions\s*\(/g;
+  let match;
+  
+  while ((match = useResourcePermissionsPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    // Get the argument to useResourcePermissions
+    const callStart = match.index;
+    const callEnd = content.indexOf(')', callStart);
+    if (callEnd === -1) continue;
+    
+    const callContent = content.substring(callStart, callEnd + 1);
+    
+    // Check if argument is a string literal (not a constant)
+    const stringLiteralPattern = /useResourcePermissions\s*\(\s*['"]([^'"]+)['"]/;
+    const stringMatch = callContent.match(stringLiteralPattern);
+    
+    if (stringMatch) {
+      const resourceName = stringMatch[1];
+      
+      // Check if RESOURCE_NAMES is imported
+      const hasResourceNames = importsFromPaceCore(content, 'RESOURCE_NAMES') ||
+                               /RESOURCE_NAMES\s*\./.test(content);
+      
+      issues.push({
+        type: 'rbacResourceNames',
+        file: relativePath,
+        line: getLineNumber(content, match.index),
+        message: `useResourcePermissions called with string literal '${resourceName}'. Must use RESOURCE_NAMES constant instead.`,
+        code: getCodeSnippet(content, match.index, 0, 80),
+        severity: 'error',
+        fix: `Import RESOURCE_NAMES from '@/config/resource-names' and use RESOURCE_NAMES.${resourceName.toUpperCase()} instead.`,
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check 5: AccessDenied Component Usage (Consistency)
+ */
+function checkAccessDeniedComponent(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Find custom access denied components
+  const customAccessDeniedPattern = /(?:function|const|export\s+(?:function|const))\s+(\w*(?:AccessDenied|PermissionDenied|Unauthorized|Forbidden)\w*)\s*[=(]/g;
+  let match;
+  
+  while ((match = customAccessDeniedPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    const componentName = match[1];
+    
+    // Skip if it's the pace-core AccessDenied import
+    if (importsFromPaceCore(content, 'AccessDenied') && componentName === 'AccessDenied') {
+      continue;
+    }
+    
+    issues.push({
+      type: 'rbacAccessDenied',
+      file: relativePath,
+      line: getLineNumber(content, match.index),
+      message: `Custom access denied component '${componentName}' detected. Must use AccessDenied from pace-core instead.`,
+      code: getCodeSnippet(content, match.index, 0, 100),
+      severity: 'warning',
+      fix: `Remove custom component and use AccessDenied from '@jmruthers/pace-core/rbac'`,
+    });
+  }
+  
+  // Check PagePermissionGuard fallback prop for custom components
+  const pageGuardPattern = /<PagePermissionGuard[^>]*fallback\s*=\s*\{?<(\w+)/g;
+  let fallbackMatch;
+  while ((fallbackMatch = pageGuardPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, fallbackMatch.index)) {
+      continue;
+    }
+    
+    const fallbackComponent = fallbackMatch[1];
+    if (fallbackComponent !== 'AccessDenied' && !importsFromPaceCore(content, fallbackComponent)) {
+      issues.push({
+        type: 'rbacAccessDenied',
+        file: relativePath,
+        line: getLineNumber(content, fallbackMatch.index),
+        message: `PagePermissionGuard uses custom fallback component '${fallbackComponent}'. Must use AccessDenied from pace-core.`,
+        code: getCodeSnippet(content, fallbackMatch.index, 0, 80),
+        severity: 'warning',
+        fix: `Use <AccessDenied /> from '@jmruthers/pace-core/rbac' as fallback prop.`,
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check 6: Direct RBAC RPC Calls (Security Critical)
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'no-direct-rbac-rpc' ESLint rule.
+ * Kept for reference only.
+ */
+function checkDirectRBACRPC_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Find direct RPC calls to RBAC functions
+  const rpcPattern = /\.rpc\s*\(\s*['"](rbac_[^'"]+)['"]/g;
+  let match;
+  
+  while ((match = rpcPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    const rpcName = match[1];
+    
+    // Check if this is the forbidden RPC
+    if (rpcName === 'rbac_check_permission_simplified' || rpcName.startsWith('rbac_')) {
+      // Check if it's in an Edge Function (where setupRBAC + isPermitted should be used)
+      const isEdgeFunction = /supabase\/functions/.test(filePath);
+      
+      issues.push({
+        type: 'rbacDirectRPC',
+        file: relativePath,
+        line: getLineNumber(content, match.index),
+        message: `Direct RBAC RPC call '${rpcName}' detected. Must use pace-core API functions (isPermitted, isPermittedCached) instead.`,
+        code: getCodeSnippet(content, match.index, 0, 100),
+        severity: 'error',
+        fix: isEdgeFunction 
+          ? `Use isPermitted() API: import { setupRBAC, isPermitted } from 'npm:@jmruthers/pace-core@^0.6.0/rbac'; setupRBAC(supabase); const hasPermission = await isPermitted({...});`
+          : `Use isPermitted() or isPermittedCached() from '@jmruthers/pace-core/rbac' instead of direct RPC calls.`,
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check 7: Direct RBAC Table Queries (Security Critical)
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'no-direct-rbac-table' ESLint rule.
+ * Kept for reference only.
+ */
+function checkDirectRBACTables_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // RBAC tables that must use useSecureSupabase
+  const rbacTables = [
+    'rbac_organisation_roles',
+    'rbac_event_app_roles',
+    'rbac_global_roles',
+    'rbac_apps',
+    'rbac_app_pages',
+    'rbac_page_permissions',
+    'rbac_user_profiles',
+  ];
+  
+  rbacTables.forEach(tableName => {
+    // Find .from('rbac_*') calls
+    const tablePattern = new RegExp(`\\.from\\s*\\(\\s*['"]${tableName}['"]`, 'g');
+    let match;
+    
+    while ((match = tablePattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, match.index)) {
+        continue;
+      }
+      
+      // Check if this is using useSecureSupabase
+      const beforeMatch = content.substring(Math.max(0, match.index - 200), match.index);
+      const hasSecureSupabase = /useSecureSupabase\s*\(/.test(beforeMatch) ||
+                                /secureSupabase/.test(beforeMatch) ||
+                                /supabase\s*=\s*useSecureSupabase/.test(beforeMatch);
+      
+      if (!hasSecureSupabase) {
+        issues.push({
+          type: 'rbacDirectTable',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: `Direct query to RBAC table '${tableName}' detected. Must use useSecureSupabase() hook instead.`,
+          code: getCodeSnippet(content, match.index, 0, 100),
+          severity: 'error',
+          fix: `Use useSecureSupabase() from '@jmruthers/pace-core/rbac' for all RBAC table queries.`,
+        });
+      }
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check 8: Hardcoded Role Checks (Security Risk)
+ * 
+ * MIGRATED TO ESLINT: This check is now handled by 'no-hardcoded-role-checks' ESLint rule.
+ * Kept for reference only.
+ */
+function checkHardcodedRoleChecks_MIGRATED_TO_ESLINT(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Find hardcoded role comparisons
+  const rolePatterns = [
+    /(?:user|role|userRole)\.role\s*===\s*['"](admin|super_admin|superadmin|owner|manager)['"]/gi,
+    /role\s*===\s*['"](admin|super_admin|superadmin|owner|manager)['"]/gi,
+    /(?:user|role|userRole)\.role\s*!==\s*['"](admin|super_admin|superadmin|owner|manager)['"]/gi,
+    /role\s*!==\s*['"](admin|super_admin|superadmin|owner|manager)['"]/gi,
+    /(?:user|role|userRole)\.role\s*==\s*['"](admin|super_admin|superadmin|owner|manager)['"]/gi,
+    /role\s*==\s*['"](admin|super_admin|superadmin|owner|manager)['"]/gi,
+  ];
+  
+  rolePatterns.forEach(pattern => {
+    let match;
+    while ((match = pattern.exec(content)) !== null) {
+      if (isInCommentOrString(content, match.index)) {
+        continue;
+      }
+      
+      const roleValue = match[1];
+      
+      issues.push({
+        type: 'rbacHardcodedRole',
+        file: relativePath,
+        line: getLineNumber(content, match.index),
+        message: `Hardcoded role check for '${roleValue}' detected. Must use pace-core APIs (useAccessLevel, getRoleContext) instead.`,
+        code: getCodeSnippet(content, match.index, 0, 80),
+        severity: 'error',
+        fix: `Use useAccessLevel(userId, scope) or getRoleContext({ userId, scope }) from '@jmruthers/pace-core/rbac' instead of hardcoded role checks.`,
+      });
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check 9: enforcePermissions Configuration (App Type)
+ */
+function checkEnforcePermissions(content, filePath, consumingAppPath) {
+  const issues = [];
+  const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+  
+  // Find PaceAppLayout usage
+  const paceAppLayoutPattern = /<PaceAppLayout[^>]*>/g;
+  let match;
+  
+  while ((match = paceAppLayoutPattern.exec(content)) !== null) {
+    if (isInCommentOrString(content, match.index)) {
+      continue;
+    }
+    
+    const layoutProps = match[0];
+    const hasEnforcePermissions = /enforcePermissions\s*=/.test(layoutProps);
+    
+    if (!hasEnforcePermissions) {
+      issues.push({
+        type: 'rbacEnforcePermissions',
+        file: relativePath,
+        line: getLineNumber(content, match.index),
+        message: 'PaceAppLayout missing enforcePermissions prop. Must configure based on app type (event-based vs organisation-based).',
+        code: layoutProps,
+        severity: 'error',
+        fix: 'Add enforcePermissions prop: enforcePermissions={false} for event-based apps, enforcePermissions={true} for organisation-based apps.',
+      });
+    } else {
+      // Check if value is correct (heuristic: event-based apps typically have eventId in scope)
+      // This is a warning, not an error, as we can't definitively determine app type
+      const enforceTrue = /enforcePermissions\s*=\s*\{?\s*true\s*\}?/.test(layoutProps);
+      const enforceFalse = /enforcePermissions\s*=\s*\{?\s*false\s*\}?/.test(layoutProps);
+      
+      // Check context for event-based indicators
+      const hasEventContext = /eventId|selectedEventId|useEvents/.test(content);
+      
+      if (hasEventContext && enforceTrue) {
+        issues.push({
+          type: 'rbacEnforcePermissions',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: 'PaceAppLayout has enforcePermissions={true} but app appears to be event-based. Event-based apps should use enforcePermissions={false} (pages handle checks).',
+          code: layoutProps,
+          severity: 'warning',
+          fix: 'Set enforcePermissions={false} for event-based apps. Pages should handle checks via PagePermissionGuard.',
+        });
+      }
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Check 10: Edge Functions RBAC Usage (Security Critical)
+ */
+function checkEdgeFunctionsRBAC(consumingAppPath) {
+  const issues = [];
+  
+  // Find Edge Function files
+  const functionsPath = path.join(consumingAppPath, 'supabase', 'functions');
+  if (!fs.existsSync(functionsPath)) {
+    return issues;
+  }
+  
+  const edgeFunctionFiles = findSourceFiles(functionsPath);
+  
+  edgeFunctionFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      // Check for setupRBAC call
+      const hasSetupRBAC = /setupRBAC\s*\(/.test(content);
+      
+      // Check for isPermitted usage
+      const hasIsPermitted = /\bisPermitted\s*\(/.test(content);
+      
+      // Check for custom RBAC helpers
+      const customHelperPattern = /(?:function|const|export\s+(?:function|const))\s+(checkPermission|canEdit|canDelete|hasAccess|checkAccess|rbacCheck)\s*[=(]/g;
+      const hasCustomHelper = customHelperPattern.test(content);
+      
+      // Check for direct RPC calls
+      const hasDirectRPC = /\.rpc\s*\(\s*['"]rbac_/.test(content);
+      
+      if (!hasSetupRBAC && (hasIsPermitted || hasCustomHelper || hasDirectRPC)) {
+        issues.push({
+          type: 'rbacEdgeFunction',
+          file: relativePath,
+          line: 1,
+          message: 'Edge Function uses RBAC but missing setupRBAC() call. Must call setupRBAC(supabase) before using isPermitted().',
+          code: '',
+          severity: 'error',
+          fix: 'Add: import { setupRBAC, isPermitted } from \'npm:@jmruthers/pace-core@^0.6.0/rbac\'; setupRBAC(supabase);',
+        });
+      }
+      
+      if (hasCustomHelper) {
+        issues.push({
+          type: 'rbacEdgeFunction',
+          file: relativePath,
+          line: 1,
+          message: 'Edge Function contains custom RBAC helper functions. Must use isPermitted() API directly, not custom helpers.',
+          code: getCodeSnippet(content, content.indexOf('function') || 0, 0, 100),
+          severity: 'error',
+          fix: 'Remove custom RBAC helpers and use isPermitted() API from pace-core directly.',
+        });
+      }
+      
+      if (hasDirectRPC) {
+        issues.push({
+          type: 'rbacEdgeFunction',
+          file: relativePath,
+          line: 1,
+          message: 'Edge Function uses direct RBAC RPC calls. Must use isPermitted() API instead.',
+          code: '',
+          severity: 'error',
+          fix: 'Replace direct RPC calls with isPermitted() API from pace-core.',
+        });
+      }
+      
+      if (hasSetupRBAC && !hasIsPermitted && !hasDirectRPC && !hasCustomHelper) {
+        // setupRBAC called but no RBAC usage - might be incomplete
+        issues.push({
+          type: 'rbacEdgeFunction',
+          file: relativePath,
+          line: 1,
+          message: 'Edge Function calls setupRBAC() but does not use isPermitted(). Verify if RBAC checks are needed.',
+          code: '',
+          severity: 'warning',
+          fix: 'If RBAC checks are needed, use isPermitted() API. Otherwise, remove setupRBAC() call.',
+        });
+      }
+      
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Main audit function
+ */
+function runRBACAudit(consumingAppPath = process.cwd()) {
+  const srcPath = path.join(consumingAppPath, 'src');
+  const searchPath = fs.existsSync(srcPath) ? srcPath : consumingAppPath;
+  
+  if (!fs.existsSync(searchPath)) {
+    return {
+      error: `Source directory not found at ${searchPath}`,
+      issues: {
+        rbacPageGuard: [],
+        rbacWrapperComponent: [],
+        rbacWrapperFunction: [],
+        rbacResourceNames: [],
+        rbacAccessDenied: [],
+        rbacDirectRPC: [],
+        rbacDirectTable: [],
+        rbacHardcodedRole: [],
+        rbacEnforcePermissions: [],
+        rbacEdgeFunction: [],
+      },
+    };
+  }
+  
+  // Find all source files
+  const sourceFiles = findSourceFiles(searchPath);
+  
+  if (sourceFiles.length === 0) {
+    return {
+      error: `No source files found in ${searchPath}`,
+      issues: {
+        rbacPageGuard: [],
+        rbacWrapperComponent: [],
+        rbacWrapperFunction: [],
+        rbacResourceNames: [],
+        rbacAccessDenied: [],
+        rbacDirectRPC: [],
+        rbacDirectTable: [],
+        rbacHardcodedRole: [],
+        rbacEnforcePermissions: [],
+        rbacEdgeFunction: [],
+      },
+    };
+  }
+  
+  const issues = {
+    rbacPageGuard: [],
+    rbacWrapperComponent: [],
+    rbacWrapperFunction: [],
+    rbacResourceNames: [],
+    rbacAccessDenied: [],
+    rbacDirectRPC: [],
+    rbacDirectTable: [],
+    rbacHardcodedRole: [],
+    rbacEnforcePermissions: [],
+    rbacEdgeFunction: [],
+  };
+  
+  // Check each file
+  sourceFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      
+      // Run all checks - wrap each in try-catch to prevent one failure from breaking others
+      try {
+        const pageGuardIssues = checkPagePermissionGuard(content, filePath, consumingAppPath);
+        if (Array.isArray(pageGuardIssues)) {
+          issues.rbacPageGuard.push(...pageGuardIssues);
+        }
+      } catch (e) {
+        // Skip this check for this file
+      }
+      
+      // NOTE: wrapperComponent, wrapperFunction, and resourceNames checks migrated to ESLint
+      // checkWrapperComponents → ESLint: no-rbac-wrapper-components
+      // checkWrapperFunctions → ESLint: no-rbac-wrapper-functions
+      // checkResourceNamesConstants → ESLint: rbac-use-resource-names-constants
+      
+      try {
+        const accessDeniedIssues = checkAccessDeniedComponent(content, filePath, consumingAppPath);
+        if (Array.isArray(accessDeniedIssues)) {
+          issues.rbacAccessDenied.push(...accessDeniedIssues);
+        }
+      } catch (e) {
+        // Skip this check for this file
+      }
+      
+      // NOTE: directRPC, directTable, and hardcodedRole checks migrated to ESLint
+      // checkDirectRBACRPC → ESLint: no-direct-rbac-rpc
+      // checkDirectRBACTables → ESLint: no-direct-rbac-table
+      // checkHardcodedRoleChecks → ESLint: no-hardcoded-role-checks
+      
+      try {
+        const enforcePermissionsIssues = checkEnforcePermissions(content, filePath, consumingAppPath);
+        if (Array.isArray(enforcePermissionsIssues)) {
+          issues.rbacEnforcePermissions.push(...enforcePermissionsIssues);
+        }
+      } catch (e) {
+        // Skip this check for this file
+      }
+      
+    } catch (error) {
+      // Skip files that can't be read
+      console.warn(`Warning: Could not read ${filePath}: ${error.message}`);
+    }
+  });
+  
+  // Check Edge Functions (separate scan)
+  issues.rbacEdgeFunction.push(...checkEdgeFunctionsRBAC(consumingAppPath));
+  
+  return {
+    issues,
+  };
+}
+
+// Export for use by other scripts
+if (typeof module !== 'undefined' && module.exports) {
+  module.exports = { runRBACAudit };
+}
+
+// If run directly, output results
+if (require.main === module) {
+  const consumingAppPath = process.argv[2] || process.cwd();
+  const result = runRBACAudit(consumingAppPath);
+  
+  if (result.error) {
+    console.error(`Error: ${result.error}`);
+    process.exit(1);
+  }
+  
+  const { issues } = result;
+  
+  // Count total issues
+  const totalIssues = Object.values(issues).reduce((sum, arr) => sum + arr.length, 0);
+  
+  if (totalIssues === 0) {
+    console.log('✅ No RBAC compliance issues found!');
+    process.exit(0);
+  }
+  
+  console.log(`\n❌ Found ${totalIssues} RBAC compliance issue(s):\n`);
+  
+  // Group by type
+  Object.entries(issues).forEach(([type, typeIssues]) => {
+    if (typeIssues.length > 0) {
+      console.log(`\n${type}: ${typeIssues.length} issue(s)`);
+      typeIssues.forEach(issue => {
+        console.log(`  ${issue.file}:${issue.line}`);
+        console.log(`    ${issue.message}`);
+      });
+    }
+  });
+  
+  process.exit(1);
+}
+