@jmruthers/pace-core 0.6.4 → 0.6.6

package/scripts/audit/audit-standards.cjs

@@ -0,0 +1,1268 @@
+#!/usr/bin/env node
+
+/**
+ * Standards Compliance Audit Script
+ * 
+ * Audits consuming apps for compliance with pace-core standards from 01-standards-compliance.mdc.
+ * Checks for:
+ * - Cursor ruleset compliance
+ * - TypeScript configuration
+ * - Naming conventions
+ * - RLS policy compliance (SQL migrations)
+ * - RPC naming conventions (SQL migrations)
+ * - Testing configuration
+ * - Input validation (heuristic)
+ * - Logging security (heuristic)
+ * - Error message safety (heuristic)
+ * 
+ * Usage:
+ *   const { runStandardsAudit } = require('./audit-standards.cjs');
+ *   const issues = runStandardsAudit(consumingAppPath);
+ */
+
+const fs = require('fs');
+const path = require('path');
+
+/**
+ * Recursively find all TypeScript/JavaScript files in a directory
+ */
+function findSourceFiles(dir, fileList = []) {
+  if (!fs.existsSync(dir)) {
+    return fileList;
+  }
+  
+  const files = fs.readdirSync(dir);
+  
+  files.forEach(file => {
+    const filePath = path.join(dir, file);
+    const stat = fs.statSync(filePath);
+    
+    if (stat.isDirectory()) {
+      // Skip node_modules, dist, build, .git, etc.
+      if (!['node_modules', 'dist', 'build', '.git', '.next', '.vite', 'coverage', '.turbo'].includes(file)) {
+        findSourceFiles(filePath, fileList);
+      }
+    } else if (/\.(ts|tsx|js|jsx)$/.test(file)) {
+      fileList.push(filePath);
+    }
+  });
+  
+  return fileList;
+}
+
+/**
+ * Recursively find all SQL files in a directory
+ */
+function findSQLFiles(dir, fileList = []) {
+  if (!fs.existsSync(dir)) {
+    return fileList;
+  }
+  
+  const files = fs.readdirSync(dir);
+  
+  files.forEach(file => {
+    const filePath = path.join(dir, file);
+    const stat = fs.statSync(filePath);
+    
+    if (stat.isDirectory()) {
+      // Skip node_modules, dist, build, .git, etc.
+      if (!['node_modules', 'dist', 'build', '.git', '.next', '.vite', 'coverage', '.turbo'].includes(file)) {
+        findSQLFiles(filePath, fileList);
+      }
+    } else if (/\.sql$/.test(file)) {
+      fileList.push(filePath);
+    }
+  });
+  
+  return fileList;
+}
+
+/**
+ * Get line number from index in content
+ */
+function getLineNumber(content, index) {
+  return content.substring(0, index).split('\n').length;
+}
+
+/**
+ * Get code snippet around a match for context
+ */
+function getCodeSnippet(content, index, before = 30, after = 50) {
+  const start = Math.max(0, index - before);
+  const end = Math.min(content.length, index + after);
+  return content.substring(start, end).trim();
+}
+
+/**
+ * Check if content is in a comment or string
+ */
+function isInCommentOrString(content, index) {
+  const before = content.substring(0, index);
+  
+  // Check for line comments
+  const lastLineComment = before.lastIndexOf('--');
+  const lastNewline = before.lastIndexOf('\n');
+  if (lastLineComment > lastNewline && !before.substring(lastLineComment, index).includes('\n')) {
+    return true;
+  }
+  
+  // Check for block comments
+  const lastBlockCommentStart = before.lastIndexOf('/*');
+  const lastBlockCommentEnd = before.lastIndexOf('*/');
+  if (lastBlockCommentStart > lastBlockCommentEnd) {
+    return true;
+  }
+  
+  // Check for string literals (simple check)
+  const singleQuoteMatches = [...before.matchAll(/'/g)];
+  const doubleQuoteMatches = [...before.matchAll(/"/g)];
+  
+  const inSingleQuote = singleQuoteMatches.length % 2 === 1;
+  const inDoubleQuote = doubleQuoteMatches.length % 2 === 1;
+  
+  return inSingleQuote || inDoubleQuote;
+}
+
+/**
+ * Check for cursor ruleset compliance
+ */
+function checkCursorRuleset(consumingAppPath) {
+  const issues = [];
+  
+  const requiredRules = [
+    '00-pace-core-compliance.mdc',
+    '01-standards-compliance.mdc',
+    '02-project-structure.mdc',
+    '03-solid-principles.mdc',
+    '06-code-quality.mdc',
+    '07-tech-stack-compliance.mdc',
+    '08-markup-quality.mdc',
+    '09-rbac-compliance.mdc',
+    '10-error-handling-patterns.mdc',
+    '11-performance-optimization.mdc',
+  ];
+  
+  const rulesDir = path.join(consumingAppPath, '.cursor', 'rules');
+  
+  if (!fs.existsSync(rulesDir)) {
+    issues.push({
+      type: 'cursorRuleset',
+      file: '.cursor/rules (not found)',
+      line: 0,
+      message: '.cursor/rules directory not found. Must include complete pace-core ruleset.',
+      code: '',
+      severity: 'error',
+      fix: 'Create .cursor/rules directory and copy required rule files from pace-core.',
+    });
+    return issues;
+  }
+  
+  requiredRules.forEach(ruleFile => {
+    const rulePath = path.join(rulesDir, ruleFile);
+    if (!fs.existsSync(rulePath)) {
+      issues.push({
+        type: 'cursorRuleset',
+        file: `.cursor/rules/${ruleFile}`,
+        line: 0,
+        message: `Required rule file '${ruleFile}' not found. Must include complete pace-core ruleset.`,
+        code: '',
+        severity: 'error',
+        fix: `Copy ${ruleFile} from pace-core to .cursor/rules/ directory.`,
+      });
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check TypeScript configuration
+ */
+function checkTypeScriptConfig(consumingAppPath) {
+  const issues = [];
+  
+  const tsconfigPaths = [
+    path.join(consumingAppPath, 'tsconfig.json'),
+    path.join(consumingAppPath, 'tsconfig.app.json'),
+  ];
+  
+  let tsconfigPath = null;
+  let tsconfig = null;
+  
+  for (const configPath of tsconfigPaths) {
+    if (fs.existsSync(configPath)) {
+      tsconfigPath = configPath;
+      try {
+        const content = fs.readFileSync(configPath, 'utf8');
+        tsconfig = JSON.parse(content);
+        break;
+      } catch (e) {
+        // Skip if can't parse
+      }
+    }
+  }
+  
+  if (!tsconfigPath || !tsconfig) {
+    issues.push({
+      type: 'typescriptConfig',
+      file: 'tsconfig.json (not found)',
+      line: 0,
+      message: 'tsconfig.json not found or invalid. TypeScript strict mode must be enabled.',
+      code: '',
+      severity: 'error',
+      fix: 'Create tsconfig.json with "strict": true in compilerOptions.',
+    });
+    return issues;
+  }
+  
+  const relativePath = path.relative(consumingAppPath || process.cwd(), tsconfigPath);
+  const compilerOptions = tsconfig.compilerOptions || {};
+  
+  // Check for strict mode
+  if (compilerOptions.strict !== true) {
+    issues.push({
+      type: 'typescriptConfig',
+      file: relativePath,
+      line: 1,
+      message: 'TypeScript strict mode not enabled. Must set "strict": true in compilerOptions.',
+      code: JSON.stringify(compilerOptions, null, 2).substring(0, 100),
+      severity: 'error',
+      fix: 'Set "strict": true in tsconfig.json compilerOptions.',
+    });
+  }
+  
+  // Check for noImplicitAny
+  if (compilerOptions.noImplicitAny !== true && compilerOptions.strict !== true) {
+    issues.push({
+      type: 'typescriptConfig',
+      file: relativePath,
+      line: 1,
+      message: 'noImplicitAny not enabled. Should set "noImplicitAny": true in compilerOptions (or enable strict mode).',
+      code: JSON.stringify(compilerOptions, null, 2).substring(0, 100),
+      severity: 'error',
+      fix: 'Set "noImplicitAny": true in tsconfig.json compilerOptions (or enable strict mode).',
+    });
+  }
+  
+  return issues;
+}
+
+/**
+ * Check for any types in code (with cached file list)
+ */
+function checkAnyTypesWithCache(consumingAppPath, cachedSourceFiles) {
+  const issues = [];
+  
+  cachedSourceFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      
+      // Patterns to match any usage
+      const anyPatterns = [
+        /:\s*any\b/g,           // : any
+        /\bas\s+any\b/g,        // as any
+        /<\s*any\s*>/g,         // <any>
+        /:\s*any\[\]/g,         // : any[]
+        /Array\s*<\s*any\s*>/g, // Array<any>
+      ];
+      
+      anyPatterns.forEach(pattern => {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          if (isInCommentOrString(content, match.index)) {
+            continue;
+          }
+          
+          const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+          issues.push({
+            type: 'anyTypes',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: 'any type detected. Use unknown or proper types instead.',
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: 'Replace any with unknown or define proper types.',
+          });
+        }
+      });
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check naming conventions (with cached file list)
+ */
+function checkNamingConventionsWithCache(consumingAppPath, cachedSourceFiles) {
+  const issues = [];
+  
+  cachedSourceFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      // Check hook naming: use[A-Z][a-zA-Z]*
+      const hookPattern = /(?:function|const|export\s+(?:function|const))\s+(use[a-z][a-zA-Z]*)\s*[=(]/g;
+      let match;
+      while ((match = hookPattern.exec(content)) !== null) {
+        if (isInCommentOrString(content, match.index)) {
+          continue;
+        }
+        
+        const hookName = match[1];
+        if (!/^use[A-Z]/.test(hookName)) {
+          issues.push({
+            type: 'namingConvention',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `Hook '${hookName}' should follow PascalCase after 'use' prefix (e.g., useAuth, useSomething).`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: `Rename ${hookName} to follow use[A-Z][a-zA-Z]* pattern.`,
+          });
+        }
+      }
+      
+      // Check provider naming: *Provider
+      const providerPattern = /(?:function|const|export\s+(?:function|const))\s+([a-zA-Z]*Provider)\s*[=(]/g;
+      while ((match = providerPattern.exec(content)) !== null) {
+        if (isInCommentOrString(content, match.index)) {
+          continue;
+        }
+        
+        const providerName = match[1];
+        if (!/^[A-Z]/.test(providerName)) {
+          issues.push({
+            type: 'namingConvention',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `Provider '${providerName}' should start with uppercase letter (PascalCase).`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: `Rename ${providerName} to start with uppercase letter.`,
+          });
+        }
+      }
+      
+      // Check component exports: export (function|const) [A-Z]
+      const componentPattern = /export\s+(?:function|const)\s+([a-z][a-zA-Z]*)\s*[=(]/g;
+      while ((match = componentPattern.exec(content)) !== null) {
+        if (isInCommentOrString(content, match.index)) {
+          continue;
+        }
+        
+        const componentName = match[1];
+        // Skip if it's a hook (starts with use)
+        if (componentName.startsWith('use')) {
+          continue;
+        }
+        
+        // Check if it's likely a component (exported, might be used in JSX)
+        // This is heuristic - components are usually PascalCase
+        issues.push({
+          type: 'namingConvention',
+          file: relativePath,
+          line: getLineNumber(content, match.index),
+          message: `Exported component '${componentName}' should use PascalCase (starts with uppercase).`,
+          code: getCodeSnippet(content, match.index),
+          severity: 'warning',
+          fix: `Rename ${componentName} to PascalCase (e.g., ${componentName.charAt(0).toUpperCase() + componentName.slice(1)}).`,
+        });
+      }
+      
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check RLS policy compliance in SQL migrations
+ */
+function checkRLSPolicies(consumingAppPath) {
+  const issues = [];
+  
+  // Find SQL migration files
+  const migrationsPath = path.join(consumingAppPath, 'supabase', 'migrations');
+  if (!fs.existsSync(migrationsPath)) {
+    // Try alternative location
+    const altPath = path.join(consumingAppPath, 'migrations');
+    if (!fs.existsSync(altPath)) {
+      return issues; // No migrations directory, skip check
+    }
+  }
+  
+  const sqlFiles = findSQLFiles(fs.existsSync(migrationsPath) ? migrationsPath : path.join(consumingAppPath, 'migrations'));
+  
+  sqlFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      // Find CREATE POLICY statements
+      const policyPattern = /CREATE\s+POLICY\s+["']?([^"'\s]+)["']?\s+ON\s+(\w+)\s+FOR\s+(\w+)/gi;
+      let match;
+      
+      while ((match = policyPattern.exec(content)) !== null) {
+        const policyName = match[1];
+        const tableName = match[2];
+        const operation = match[3].toLowerCase();
+        
+        // Check policy naming: rbac_{operation}_{table_name}_{scope}
+        const expectedPattern = new RegExp(`^rbac_${operation}_${tableName}(?:_\\w+)?$`, 'i');
+        if (!expectedPattern.test(policyName)) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `RLS policy '${policyName}' does not follow naming convention. Should be 'rbac_${operation}_${tableName}' or 'rbac_${operation}_${tableName}_scope'.`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'error',
+            fix: `Rename policy to follow pattern: rbac_${operation}_${tableName}`,
+          });
+        }
+        
+        // Find the USING/WITH CHECK clause
+        const policyStart = match.index;
+        const policyEnd = content.indexOf(';', policyStart);
+        if (policyEnd === -1) continue;
+        
+        const policyBody = content.substring(policyStart, policyEnd);
+        
+        // Check for subqueries in USING/WITH CHECK
+        const subqueryPattern = /(?:USING|WITH\s+CHECK)\s*\([^)]*(?:SELECT\s+[^)]+FROM[^)]+WHERE[^)]*)\)/gi;
+        if (subqueryPattern.test(policyBody)) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' contains subquery. Must use helper functions instead for performance.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace subquery with helper function. Helper functions must be STABLE SECURITY DEFINER SET search_path TO public.',
+          });
+        }
+        
+        // Check for inline auth.uid() calls
+        const authUidPattern = /\bauth\.uid\s*\(/gi;
+        if (authUidPattern.test(policyBody)) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' contains inline auth.uid() call. Must use helper function instead for performance.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace auth.uid() with helper function like get_effective_user_id(). Helper functions must be STABLE SECURITY DEFINER.',
+          });
+        }
+        
+        // Check for inline current_setting calls
+        const currentSettingPattern = /\bcurrent_setting\s*\(/gi;
+        if (currentSettingPattern.test(policyBody)) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' contains inline current_setting() call. Must use helper function instead for performance.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace current_setting() with helper function. Helper functions must be STABLE SECURITY DEFINER.',
+          });
+        }
+        
+        // Check for is_super_admin() without parameter (security risk - uses fallback strategies)
+        const isSuperAdminWithoutParamPattern = /\bis_super_admin\s*\(\s*\)/gi;
+        if (isSuperAdminWithoutParamPattern.test(policyBody)) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' uses is_super_admin() without parameter. Must use is_super_admin(safe_get_user_id_for_rls()) to avoid fallback strategy vulnerabilities.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Replace is_super_admin() with is_super_admin(safe_get_user_id_for_rls()) to require explicit parameter passing.',
+          });
+        }
+        
+        // Check for missing super-admin checks in authenticated policies
+        // Only check if this is an authenticated policy (not public/anonymous)
+        const isAuthenticatedPolicy = /TO\s+authenticated/i.test(policyBody);
+        const hasSuperAdminCheck = /\bis_super_admin\s*\(/i.test(policyBody);
+        const isPublicPolicy = /TO\s+(?:public|anon)/i.test(policyBody) || policyName.toLowerCase().includes('public') || policyName.toLowerCase().includes('anon');
+        
+        // Exception: User-scoped policies that only check user_id don't need super-admin
+        const isUserScopedOnly = /organisation_id\s+IS\s+NULL/i.test(policyBody) && 
+                                 /get_effective_user_id\s*\(\s*\)\s*=\s*user_id/i.test(policyBody) &&
+                                 !/\bOR\b/i.test(policyBody);
+        
+        // Skip check for public/anonymous policies or service role policies
+        if (isAuthenticatedPolicy && !hasSuperAdminCheck && !isPublicPolicy && !policyName.toLowerCase().includes('service')) {
+          if (!isUserScopedOnly) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, policyStart),
+              message: `RLS policy '${policyName}' for authenticated users is missing super-admin check. All authenticated policies must include is_super_admin(safe_get_user_id_for_rls()) as a bypass.`,
+              code: getCodeSnippet(content, policyStart, 0, 200),
+              severity: 'error',
+              fix: 'Add is_super_admin(safe_get_user_id_for_rls()) check. Pattern: (is_super_admin(safe_get_user_id_for_rls()) OR ...other checks...)',
+            });
+          }
+        }
+        
+        // Check for use of deprecated event access functions when RBAC permissions should be used
+        // These functions should only be used for event-scoped data WITHOUT page permissions
+        const usesEventAccess = /\bcheck_user_event_access\s*\(/i.test(policyBody);
+        const usesEventCreator = /\bcheck_user_is_event_creator\s*\(/i.test(policyBody);
+        const usesRBACPermission = /\bcheck_rbac_permission_with_context\s*\(/i.test(policyBody);
+        
+        // Tables that have page permissions and should use RBAC permission checks
+        // This list should be maintained as pages are added to rbac_app_pages
+        const tablesWithPagePermissions = [
+          'trac_contacts', 'trac_risks', 'trac_journal_posts', 'trac_currency_rates',
+          'trac_accommodation', 'trac_activity', 'trac_transport',
+          'mint_budgets', 'mint_budget_variables',
+          'cake_dish', 'cake_meal', 'cake_item', 'cake_recipe',
+          'medi_profile', 'medi_action_plan'
+        ];
+        
+        const hasPagePermissions = tablesWithPagePermissions.some(t => 
+          tableName.toLowerCase().includes(t.toLowerCase())
+        );
+        
+        if (hasPagePermissions && (usesEventAccess || usesEventCreator) && !usesRBACPermission) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS policy '${policyName}' uses ${usesEventAccess ? 'check_user_event_access()' : 'check_user_is_event_creator()'} but table '${tableName}' has page permissions. Should use check_rbac_permission_with_context() with page-level permissions instead.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: `Replace ${usesEventAccess ? 'check_user_event_access(event_id)' : 'check_user_is_event_creator(event_id)'} with check_rbac_permission_with_context('${operation}:page.{page_name}', '{page_name}', organisation_id, event_id::text, get_app_id('{app_name}')). See RBAC compliance standard for page name mapping.`,
+          });
+        }
+        
+        // Check for missing required field checks in event-scoped tables
+        // Event-scoped tables should check event_id IS NOT NULL
+        // Tables with organisation_id should check organisation_id IS NOT NULL
+        const hasEventIdColumn = /event_id/i.test(policyBody) || tableName.toLowerCase().includes('trac_') || 
+                                  tableName.toLowerCase().includes('mint_') || 
+                                  tableName.toLowerCase().includes('cake_') ||
+                                  tableName.toLowerCase().includes('medi_');
+        const hasOrganisationIdColumn = /organisation_id/i.test(policyBody) || 
+                                        !tableName.toLowerCase().includes('rbac_') &&
+                                        !tableName.toLowerCase().includes('core_organisations');
+        
+        const checksEventIdNotNull = /event_id\s+IS\s+NOT\s+NULL/i.test(policyBody);
+        const checksOrganisationIdNotNull = /organisation_id\s+IS\s+NOT\s+NULL/i.test(policyBody);
+        
+        // For INSERT policies on event-scoped tables, event_id should be required
+        if (operation === 'insert' && hasEventIdColumn && !checksEventIdNotNull) {
+          issues.push({
+            type: 'rlsPolicy',
+            file: relativePath,
+            line: getLineNumber(content, policyStart),
+            message: `RLS INSERT policy '${policyName}' for event-scoped table '${tableName}' should require event_id IS NOT NULL. Permission checks need event_id to verify event-level roles.`,
+            code: getCodeSnippet(content, policyStart, 0, 200),
+            severity: 'error',
+            fix: 'Add event_id IS NOT NULL check to WITH CHECK clause. Pattern: event_id IS NOT NULL AND ...',
+          });
+        }
+        
+        // For authenticated policies, organisation_id should typically be checked
+        if (isAuthenticatedPolicy && hasOrganisationIdColumn && !checksOrganisationIdNotNull && 
+            !isUserScopedOnly && !tableName.toLowerCase().includes('rbac_')) {
+          // Exception: Some tables legitimately allow NULL organisation_id (e.g., user profiles)
+          const allowsNullOrg = /organisation_id\s+IS\s+NULL/i.test(policyBody) && 
+                                /get_effective_user_id\s*\(\s*\)\s*=\s*user_id/i.test(policyBody);
+          
+          if (!allowsNullOrg) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, policyStart),
+              message: `RLS policy '${policyName}' for table '${tableName}' should check organisation_id IS NOT NULL. Permission checks need organisation_id for proper RBAC context.`,
+              code: getCodeSnippet(content, policyStart, 0, 200),
+              severity: 'warning',
+              fix: 'Add organisation_id IS NOT NULL check. Pattern: organisation_id IS NOT NULL AND ...',
+            });
+          }
+        }
+      }
+      
+      // Check helper function definitions for required attributes
+      const functionPattern = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(\w+)\s*\([^)]*\)\s*RETURNS[^;]+LANGUAGE\s+plpgsql[^;]*AS/gi;
+      let funcMatch;
+      while ((funcMatch = functionPattern.exec(content)) !== null) {
+        const funcName = funcMatch[1];
+        const funcStart = funcMatch.index;
+        const funcEnd = content.indexOf('AS $$', funcStart);
+        if (funcEnd === -1) continue;
+        
+        const funcDef = content.substring(funcStart, funcEnd);
+        
+        // Check if this function is used in policies (heuristic: check if function name appears in policy context)
+        // For now, check all helper functions for required attributes
+        const hasStable = /\bSTABLE\b/i.test(funcDef);
+        const hasSecurityDefiner = /\bSECURITY\s+DEFINER\b/i.test(funcDef);
+        const hasSearchPath = /SET\s+search_path\s+TO\s+['"]?public['"]?/i.test(funcDef);
+        
+        // Only flag if function looks like it might be used in RLS (has common helper function patterns)
+        const isLikelyRLSHelper = /check_|get_|is_/.test(funcName.toLowerCase());
+        
+        // Check for security-critical functions with fallback strategies
+        // This is especially important for is_super_admin and similar functions
+        if (funcName.toLowerCase() === 'is_super_admin' || funcName.toLowerCase().includes('super_admin')) {
+          const funcBodyStart = content.indexOf('AS $$', funcStart);
+          if (funcBodyStart !== -1) {
+            const funcBodyEnd = content.indexOf('$$;', funcBodyStart);
+            if (funcBodyEnd !== -1) {
+              const funcBody = content.substring(funcBodyStart, funcBodyEnd);
+              
+              // Check for DEFAULT NULL parameter (allows fallback strategies)
+              const hasDefaultNull = /p_\w+\s+UUID\s+DEFAULT\s+NULL/i.test(funcDef);
+              
+              // Check for multiple fallback patterns in function body
+              const hasFallbackPatterns = (
+                /IF\s+\w+\s+IS\s+NULL\s+THEN/i.test(funcBody) &&
+                /ELSE/i.test(funcBody) &&
+                (/\bauth\.uid\s*\(/i.test(funcBody) || /\bcurrent_setting\s*\(/i.test(funcBody))
+              );
+              
+              if (hasDefaultNull || hasFallbackPatterns) {
+                issues.push({
+                  type: 'rlsPolicy',
+                  file: relativePath,
+                  line: getLineNumber(content, funcStart),
+                  message: `Security-critical function '${funcName}' uses fallback strategies (DEFAULT NULL parameter or multiple fallback patterns). This is a security risk - functions should require explicit parameters and fail secure.`,
+                  code: getCodeSnippet(content, funcStart, 0, 300),
+                  severity: 'error',
+                  fix: 'Remove DEFAULT NULL parameter and all fallback logic. Function should require explicit parameter and return false if parameter is NULL (fail secure).',
+                });
+              }
+            }
+          }
+        }
+        
+        if (isLikelyRLSHelper) {
+          if (!hasStable) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, funcStart),
+              message: `Helper function '${funcName}' missing STABLE attribute. RLS helper functions must be STABLE for performance.`,
+              code: getCodeSnippet(content, funcStart, 0, 150),
+              severity: 'error',
+              fix: 'Add STABLE attribute to function definition.',
+            });
+          }
+          
+          if (!hasSecurityDefiner) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, funcStart),
+              message: `Helper function '${funcName}' missing SECURITY DEFINER attribute. RLS helper functions must be SECURITY DEFINER to bypass RLS recursion.`,
+              code: getCodeSnippet(content, funcStart, 0, 150),
+              severity: 'error',
+              fix: 'Add SECURITY DEFINER attribute to function definition.',
+            });
+          }
+          
+          if (!hasSearchPath) {
+            issues.push({
+              type: 'rlsPolicy',
+              file: relativePath,
+              line: getLineNumber(content, funcStart),
+              message: `Helper function '${funcName}' missing SET search_path TO public. Required to prevent search path injection.`,
+              code: getCodeSnippet(content, funcStart, 0, 150),
+              severity: 'error',
+              fix: 'Add SET search_path TO public to function definition.',
+            });
+          }
+        }
+      }
+      
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check RPC naming conventions
+ */
+function checkRPCNaming(consumingAppPath) {
+  const issues = [];
+  
+  // Find SQL migration files
+  const migrationsPath = path.join(consumingAppPath, 'supabase', 'migrations');
+  if (!fs.existsSync(migrationsPath)) {
+    const altPath = path.join(consumingAppPath, 'migrations');
+    if (!fs.existsSync(altPath)) {
+      return issues; // No migrations directory, skip check
+    }
+  }
+  
+  const sqlFiles = findSQLFiles(fs.existsSync(migrationsPath) ? migrationsPath : path.join(consumingAppPath, 'migrations'));
+  
+  sqlFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      // Find CREATE FUNCTION statements
+      const functionPattern = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?:public\.)?(\w+)\s*\(/gi;
+      let match;
+      
+      while ((match = functionPattern.exec(content)) !== null) {
+        const funcName = match[1];
+        
+        // Skip if it's a helper function (starts with check_, get_, is_)
+        if (/^(check_|get_|is_)/i.test(funcName)) {
+          continue;
+        }
+        
+        // Check if it follows RPC naming pattern: data_* or app_* prefix
+        const hasDataPrefix = /^data_/.test(funcName);
+        const hasAppPrefix = /^app_/.test(funcName);
+        
+        if (!hasDataPrefix && !hasAppPrefix) {
+          // Check if it's a system function (starts with pg_ or other system prefixes)
+          if (/^(pg_|information_schema|current_|session_|set_|reset_|show_)/i.test(funcName)) {
+            continue;
+          }
+          
+          issues.push({
+            type: 'rpcNaming',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `RPC function '${funcName}' does not follow naming convention. Should start with 'data_' (read) or 'app_' (write) prefix.`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'error',
+            fix: `Rename function to follow pattern: data_${funcName} (for read) or app_${funcName} (for write)`,
+          });
+        } else {
+          // Check verb pattern: should end with create, read, update, delete, list, get, or _bulk
+          const validVerbs = ['create', 'read', 'update', 'delete', 'list', 'get'];
+          const hasValidVerb = validVerbs.some(verb => funcName.toLowerCase().endsWith(`_${verb}`) || funcName.toLowerCase().endsWith(`_${verb}_bulk`));
+          const hasBulkSuffix = funcName.toLowerCase().endsWith('_bulk');
+          
+          if (!hasValidVerb && !hasBulkSuffix) {
+            issues.push({
+              type: 'rpcNaming',
+              file: relativePath,
+              line: getLineNumber(content, match.index),
+              message: `RPC function '${funcName}' should end with a CRUD verb (create, read, update, delete, list, get) or _bulk suffix.`,
+              code: getCodeSnippet(content, match.index),
+              severity: 'error',
+              fix: `Rename function to include CRUD verb: ${funcName}_list, ${funcName}_get, ${funcName}_create, etc.`,
+            });
+          }
+        }
+      }
+      
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check testing configuration
+ */
+function checkTestingConfig(consumingAppPath) {
+  const issues = [];
+  
+  const packageJsonPath = path.join(consumingAppPath, 'package.json');
+  if (!fs.existsSync(packageJsonPath)) {
+    issues.push({
+      type: 'testingConfig',
+      file: 'package.json (not found)',
+      line: 0,
+      message: 'package.json not found. test:coverage script must be configured.',
+      code: '',
+      severity: 'error',
+      fix: 'Create package.json with test:coverage script.',
+    });
+    return issues;
+  }
+  
+  try {
+    const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+    const scripts = packageJson.scripts || {};
+    
+    // Check for test:coverage script
+    if (!scripts['test:coverage']) {
+      issues.push({
+        type: 'testingConfig',
+        file: 'package.json',
+        line: 1,
+        message: 'test:coverage script not found. Must provide npm run test:coverage script.',
+        code: '',
+        severity: 'error',
+        fix: 'Add "test:coverage" script to package.json scripts section.',
+      });
+    }
+    
+    // Check for vitest or jest config
+    const vitestConfigPaths = [
+      path.join(consumingAppPath, 'vitest.config.ts'),
+      path.join(consumingAppPath, 'vitest.config.js'),
+      path.join(consumingAppPath, 'vitest.config.mjs'),
+      path.join(consumingAppPath, 'vitest.config.cjs'),
+    ];
+    
+    const jestConfigPaths = [
+      path.join(consumingAppPath, 'jest.config.js'),
+      path.join(consumingAppPath, 'jest.config.ts'),
+      path.join(consumingAppPath, 'jest.config.json'),
+    ];
+    
+    let configPath = null;
+    let configContent = null;
+    
+    for (const configFile of [...vitestConfigPaths, ...jestConfigPaths]) {
+      if (fs.existsSync(configFile)) {
+        configPath = configFile;
+        try {
+          configContent = fs.readFileSync(configFile, 'utf8');
+          break;
+        } catch (e) {
+          // Continue to next
+        }
+      }
+    }
+    
+    if (!configPath) {
+      issues.push({
+        type: 'testingConfig',
+        file: 'vitest.config.* or jest.config.* (not found)',
+        line: 0,
+        message: 'Test runner config not found. Must configure coverage thresholds.',
+        code: '',
+        severity: 'error',
+        fix: 'Create vitest.config.ts or jest.config.js with coverage thresholds configured.',
+      });
+    } else {
+      // Check for coverage thresholds
+      const hasCoverageThresholds = /coverage\s*:\s*\{[^}]*thresholds/i.test(configContent) ||
+                                    /coverageThreshold/i.test(configContent);
+      
+      if (!hasCoverageThresholds) {
+        const relativePath = path.relative(consumingAppPath || process.cwd(), configPath);
+        issues.push({
+          type: 'testingConfig',
+          file: relativePath,
+          line: 1,
+          message: 'Coverage thresholds not configured. Must set ≥90% for utils/hooks, ≥70% for components.',
+          code: '',
+          severity: 'error',
+          fix: 'Add coverage thresholds to test config: { coverage: { thresholds: { lines: 90, functions: 90, branches: 90, statements: 90 } } }',
+        });
+      }
+    }
+    
+  } catch (error) {
+    issues.push({
+      type: 'testingConfig',
+      file: 'package.json',
+      line: 0,
+      message: `Error reading package.json: ${error.message}`,
+      code: '',
+      severity: 'error',
+      fix: 'Fix package.json syntax errors.',
+    });
+  }
+  
+  return issues;
+}
+
+/**
+ * Check input validation (heuristic, with cached file list)
+ */
+function checkInputValidationWithCache(consumingAppPath, cachedSourceFiles) {
+  const issues = [];
+  
+  cachedSourceFiles.forEach(filePath => {
+    try {
+      const content = fs.readFileSync(filePath, 'utf8');
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      // Check for form components without Zod schemas
+      // Look for form-related patterns
+      const hasFormComponent = /<Form|useForm|FormField/.test(content);
+      const hasZodImport = /from\s+['"]@jmruthers\/pace-core['"].*z\b|from\s+['"]zod['"]/.test(content);
+      const hasZodSchema = /z\.(object|string|number|boolean|array)/.test(content);
+      
+      if (hasFormComponent && !hasZodImport && !hasZodSchema) {
+        // Might be using pace-core Form which handles validation, but flag for review
+        // This is heuristic - pace-core Form might be imported differently
+        const hasPaceCoreForm = /from\s+['"]@jmruthers\/pace-core['"].*Form/.test(content);
+        if (!hasPaceCoreForm) {
+          issues.push({
+            type: 'inputValidation',
+            file: relativePath,
+            line: 1,
+            message: 'Form component detected but no Zod schema found. Forms should use Zod validation.',
+            code: '',
+            severity: 'warning',
+            fix: 'Add Zod schema validation. Import z from @jmruthers/pace-core and define schema.',
+          });
+        }
+      }
+      
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check logging security (heuristic, with cached file list)
+ */
+function checkLoggingSecurityWithCache(consumingAppPath, cachedSourceFiles) {
+  const issues = [];
+  
+  // Use simpler, more efficient patterns that avoid catastrophic backtracking
+  // Instead of [^)]* which can hang, use a limited lookahead
+  const sensitivePatterns = [
+    {
+      // Match console.log( or logger.log( followed by password-related keywords within reasonable distance
+      pattern: /(?:console\.(log|warn|error|info)|logger\.(log|warn|error|info|debug))\s*\([^)]{0,200}?(?:password|pwd|passwd)/i,
+      keyword: 'password',
+    },
+    {
+      pattern: /(?:console\.(log|warn|error|info)|logger\.(log|warn|error|info|debug))\s*\([^)]{0,200}?(?:token|access_token|refresh_token|api_key|apikey)/i,
+      keyword: 'token',
+    },
+    {
+      pattern: /(?:console\.(log|warn|error|info)|logger\.(log|warn|error|info|debug))\s*\([^)]{0,200}?(?:secret|secret_key|private_key)/i,
+      keyword: 'secret',
+    },
+  ];
+  
+  let processedCount = 0;
+  const totalFiles = cachedSourceFiles.length;
+  
+  cachedSourceFiles.forEach(filePath => {
+    try {
+      processedCount++;
+      // Show progress every 20 files
+      if (processedCount % 20 === 0 || processedCount === totalFiles) {
+        process.stdout.write(`\r  Checking logging security... ${processedCount}/${totalFiles} files`);
+      }
+      
+      const content = fs.readFileSync(filePath, 'utf8');
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      sensitivePatterns.forEach(({ pattern, keyword }) => {
+        // Reset regex lastIndex to avoid issues with global regex
+        pattern.lastIndex = 0;
+        let match;
+        let matchCount = 0;
+        // Limit matches per file to prevent infinite loops
+        const maxMatchesPerFile = 10;
+        
+        while ((match = pattern.exec(content)) !== null && matchCount < maxMatchesPerFile) {
+          matchCount++;
+          if (isInCommentOrString(content, match.index)) {
+            continue;
+          }
+          
+          issues.push({
+            type: 'loggingSecurity',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: `Potential sensitive data (${keyword}) in logging statement. Must NOT log passwords, tokens, or secrets.`,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: 'Remove sensitive data from log statements. Log only IDs and non-PII metadata.',
+          });
+        }
+      });
+      
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  // Clear progress line
+  if (totalFiles > 20) {
+    process.stdout.write('\r  Checking logging security... ');
+  }
+  
+  return issues;
+}
+
+/**
+ * Check error message safety (heuristic, with cached file list)
+ */
+function checkErrorMessagesWithCache(consumingAppPath, cachedSourceFiles) {
+  const issues = [];
+  
+  // Use simpler, more efficient patterns that avoid catastrophic backtracking
+  const errorPatterns = [
+    {
+      pattern: /throw\s+new\s+Error\s*\([^)]{0,200}?(?:stack|trace|at\s+\w+)/i,
+      message: 'Error message may expose stack trace. Error messages should not expose internal details.',
+    },
+    {
+      pattern: /throw\s+new\s+Error\s*\([^)]{0,200}?(?:\/[a-z]+\/|\\[a-z]+\\|\.tsx?|\.jsx?)/i,
+      message: 'Error message may expose file paths. Error messages should not expose internal details.',
+    },
+    {
+      pattern: /(?:console\.error|logger\.error)\s*\([^)]{0,200}?(?:stack|trace|at\s+\w+)/i,
+      message: 'Error logging may expose stack trace. Log stack traces only in development, not in user-facing errors.',
+    },
+  ];
+  
+  let processedCount = 0;
+  const totalFiles = cachedSourceFiles.length;
+  
+  cachedSourceFiles.forEach(filePath => {
+    try {
+      processedCount++;
+      // Show progress every 20 files
+      if (processedCount % 20 === 0 || processedCount === totalFiles) {
+        process.stdout.write(`\r  Checking error messages... ${processedCount}/${totalFiles} files`);
+      }
+      
+      const content = fs.readFileSync(filePath, 'utf8');
+      const relativePath = path.relative(consumingAppPath || process.cwd(), filePath);
+      
+      errorPatterns.forEach(({ pattern, message }) => {
+        // Reset regex lastIndex to avoid issues with global regex
+        pattern.lastIndex = 0;
+        let match;
+        let matchCount = 0;
+        // Limit matches per file to prevent infinite loops
+        const maxMatchesPerFile = 10;
+        
+        while ((match = pattern.exec(content)) !== null && matchCount < maxMatchesPerFile) {
+          matchCount++;
+          if (isInCommentOrString(content, match.index)) {
+            continue;
+          }
+          
+          issues.push({
+            type: 'errorMessages',
+            file: relativePath,
+            line: getLineNumber(content, match.index),
+            message: message,
+            code: getCodeSnippet(content, match.index),
+            severity: 'warning',
+            fix: 'Use safe error messages that do not expose internal details. Log detailed errors server-side only.',
+          });
+        }
+      });
+      
+    } catch (error) {
+      // Skip files that can't be read
+    }
+  });
+  
+  // Clear progress line
+  if (totalFiles > 20) {
+    process.stdout.write('\r  Checking error messages... ');
+  }
+  
+  return issues;
+}
+
+/**
+ * Main audit function
+ */
+function runStandardsAudit(consumingAppPath = process.cwd(), showProgress = false) {
+  const issues = {
+    cursorRuleset: [],
+    typescriptConfig: [],
+    anyTypes: [],
+    namingConvention: [],
+    rlsPolicy: [],
+    rpcNaming: [],
+    testingConfig: [],
+    inputValidation: [],
+    loggingSecurity: [],
+    errorMessages: [],
+  };
+  
+  try {
+    // Check cursor ruleset
+    if (showProgress) {
+      process.stdout.write('  Checking cursor ruleset... ');
+    }
+    const cursorIssues = checkCursorRuleset(consumingAppPath);
+    issues.cursorRuleset.push(...cursorIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${cursorIssues.length} issues)\n`);
+    }
+    
+    // Check TypeScript config
+    if (showProgress) {
+      process.stdout.write('  Checking TypeScript config... ');
+    }
+    const tsConfigIssues = checkTypeScriptConfig(consumingAppPath);
+    issues.typescriptConfig.push(...tsConfigIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${tsConfigIssues.length} issues)\n`);
+    }
+    
+    // Cache source files to avoid multiple scans
+    if (showProgress) {
+      process.stdout.write('  Scanning source files... ');
+    }
+    const srcPath = path.join(consumingAppPath, 'src');
+    const searchPath = fs.existsSync(srcPath) ? srcPath : consumingAppPath;
+    let cachedSourceFiles = [];
+    if (fs.existsSync(searchPath)) {
+      cachedSourceFiles = findSourceFiles(searchPath);
+    }
+    if (showProgress) {
+      process.stdout.write(`✓ (${cachedSourceFiles.length} files)\n`);
+    }
+    
+    // Check for any types
+    if (showProgress) {
+      process.stdout.write('  Checking for any types... ');
+    }
+    const anyTypeIssues = checkAnyTypesWithCache(consumingAppPath, cachedSourceFiles);
+    issues.anyTypes.push(...anyTypeIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${anyTypeIssues.length} issues)\n`);
+    }
+    
+    // Check naming conventions
+    if (showProgress) {
+      process.stdout.write('  Checking naming conventions... ');
+    }
+    const namingIssues = checkNamingConventionsWithCache(consumingAppPath, cachedSourceFiles);
+    issues.namingConvention.push(...namingIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${namingIssues.length} issues)\n`);
+    }
+    
+    // Check RLS policies
+    if (showProgress) {
+      process.stdout.write('  Checking RLS policies... ');
+    }
+    const rlsIssues = checkRLSPolicies(consumingAppPath);
+    issues.rlsPolicy.push(...rlsIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${rlsIssues.length} issues)\n`);
+    }
+    
+    // Check RPC naming
+    if (showProgress) {
+      process.stdout.write('  Checking RPC naming... ');
+    }
+    const rpcIssues = checkRPCNaming(consumingAppPath);
+    issues.rpcNaming.push(...rpcIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${rpcIssues.length} issues)\n`);
+    }
+    
+    // Check testing config
+    if (showProgress) {
+      process.stdout.write('  Checking testing config... ');
+    }
+    const testingIssues = checkTestingConfig(consumingAppPath);
+    issues.testingConfig.push(...testingIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${testingIssues.length} issues)\n`);
+    }
+    
+    // Check input validation (heuristic)
+    if (showProgress) {
+      process.stdout.write('  Checking input validation... ');
+    }
+    const validationIssues = checkInputValidationWithCache(consumingAppPath, cachedSourceFiles);
+    issues.inputValidation.push(...validationIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${validationIssues.length} issues)\n`);
+    }
+    
+    // Check logging security (heuristic)
+    if (showProgress) {
+      process.stdout.write('  Checking logging security... ');
+    }
+    const loggingIssues = checkLoggingSecurityWithCache(consumingAppPath, cachedSourceFiles);
+    issues.loggingSecurity.push(...loggingIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${loggingIssues.length} issues)\n`);
+    }
+    
+    // Check error messages (heuristic)
+    if (showProgress) {
+      process.stdout.write('  Checking error messages... ');
+    }
+    const errorIssues = checkErrorMessagesWithCache(consumingAppPath, cachedSourceFiles);
+    issues.errorMessages.push(...errorIssues);
+    if (showProgress) {
+      process.stdout.write(`✓ (${errorIssues.length} issues)\n`);
+    }
+  } catch (error) {
+    return {
+      error: `Standards audit failed: ${error.message}`,
+      issues,
+    };
+  }
+  
+  return {
+    issues,
+  };
+}
+
+// Export for use by other scripts
+if (typeof module !== 'undefined' && module.exports) {
+  module.exports = { runStandardsAudit };
+}
+
+// If run directly, output results
+if (require.main === module) {
+  const consumingAppPath = process.argv[2] || process.cwd();
+  const result = runStandardsAudit(consumingAppPath, true);
+  
+  if (result.error) {
+    console.error(`Error: ${result.error}`);
+    process.exit(1);
+  }
+  
+  const { issues } = result;
+  
+  // Count total issues
+  const totalIssues = Object.values(issues).reduce((sum, arr) => sum + arr.length, 0);
+  
+  if (totalIssues === 0) {
+    console.log('\n✅ No standards compliance issues found!');
+    process.exit(0);
+  }
+  
+  console.log(`\n❌ Found ${totalIssues} standards compliance issue(s):\n`);
+  
+  // Group by type
+  Object.entries(issues).forEach(([type, typeIssues]) => {
+    if (typeIssues.length > 0) {
+      console.log(`\n${type}: ${typeIssues.length} issue(s)`);
+      typeIssues.forEach(issue => {
+        console.log(`  ${issue.file}:${issue.line}`);
+        console.log(`    ${issue.message}`);
+      });
+    }
+  });
+  
+  process.exit(1);
+}
+