npm - @jmruthers/pace-core - Versions diffs - 0.6.4 → 0.6.6 - Mend

@jmruthers/pace-core 0.6.4 → 0.6.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (387) hide show

package/CHANGELOG.md +104 -0
package/README.md +5 -403
package/core-usage-manifest.json +93 -0
package/cursor-rules/00-pace-core-compliance.mdc +128 -26
package/cursor-rules/01-standards-compliance.mdc +49 -8
package/cursor-rules/02-project-structure.mdc +6 -0
package/cursor-rules/03-solid-principles.mdc +2 -0
package/cursor-rules/04-testing-standards.mdc +2 -0
package/cursor-rules/05-bug-reports-and-features.mdc +2 -0
package/cursor-rules/06-code-quality.mdc +2 -0
package/cursor-rules/07-tech-stack-compliance.mdc +2 -0
package/cursor-rules/08-markup-quality.mdc +52 -27
package/cursor-rules/09-rbac-compliance.mdc +462 -0
package/cursor-rules/10-error-handling-patterns.mdc +179 -0
package/cursor-rules/11-performance-optimization.mdc +169 -0
package/cursor-rules/12-ci-cd-integration.mdc +150 -0
package/dist/{AuthService-Cb34EQs3.d.ts → AuthService-DmfO5rGS.d.ts} +10 -0
package/dist/{DataTable-BMRU8a1j.d.ts → DataTable-2N_tqbfq.d.ts} +1 -1
package/dist/DataTable-LRJL4IRV.js +15 -0
package/dist/{PublicPageProvider-DEMpysFR.d.ts → PublicPageProvider-BBH6Vqg7.d.ts} +72 -139
package/dist/UnifiedAuthProvider-ZT6TIGM7.js +7 -0
package/dist/api-Y4MQWOFW.js +4 -0
package/dist/audit-MYQXYZFU.js +3 -0
package/dist/{chunk-J36DSWQK.js → chunk-2HGJFNAH.js} +8 -28
package/dist/{chunk-OEWDTMG7.js → chunk-3O3WHILE.js} +38 -121
package/dist/{chunk-M43Y4SSO.js → chunk-3QC3KRHK.js} +1 -14
package/dist/{chunk-DGUM43GV.js → chunk-3RG5ZIWI.js} +1 -4
package/dist/{chunk-QXHPKYJV.js → chunk-4SXLQIZO.js} +1 -26
package/dist/chunk-4T7OBVTU.js +62 -0
package/dist/{chunk-E66EQZE6.js → chunk-6GLLNA6U.js} +3 -9
package/dist/{chunk-ZSAAAMVR.js → chunk-6QYDGKQY.js} +1 -4
package/dist/{chunk-NN6WWZ5U.js → chunk-7TYHROIV.js} +579 -563
package/dist/{chunk-M7MPQISP.js → chunk-A55DK444.js} +9 -16
package/dist/{chunk-63FOKYGO.js → chunk-AHU7G2R5.js} +2 -11
package/dist/{chunk-L4OXEN46.js → chunk-BVP2BCJF.js} +2 -16
package/dist/chunk-C7NSAPTL.js +1 -0
package/dist/{chunk-YKRAFF5K.js → chunk-FENMYN2U.js} +73 -149
package/dist/{chunk-AVMLPIM7.js → chunk-FTCRZOG2.js} +284 -432
package/dist/{chunk-G37KK66H.js → chunk-FYHN4DD5.js} +60 -19
package/dist/{chunk-VBXEHIUJ.js → chunk-HF6O3O37.js} +6 -88
package/dist/{chunk-I6DAQMWX.js → chunk-LAZMKTTF.js} +930 -891
package/dist/{chunk-5EC5MEWX.js → chunk-MAGBIDNS.js} +77 -222
package/dist/chunk-MBADTM7L.js +64 -0
package/dist/chunk-OHIK3MIO.js +994 -0
package/dist/{chunk-6SOIHG6Z.js → chunk-S7DKJPLT.js} +115 -44
package/dist/{chunk-FMUCXFII.js → chunk-SD6WQY43.js} +1 -5
package/dist/{chunk-PWLANIRT.js → chunk-TTRFSOKR.js} +1 -7
package/dist/{chunk-5DRSZLL2.js → chunk-UH3NTO3F.js} +1 -6
package/dist/{chunk-FFQEQTNW.js → chunk-UIYSCEV7.js} +134 -45
package/dist/{chunk-3LPHPB62.js → chunk-ZFYPMX46.js} +271 -87
package/dist/{chunk-7JPAB3T5.js → chunk-ZS5VO5JB.js} +1989 -1283
package/dist/components.d.ts +6 -6
package/dist/components.js +57 -267
package/dist/{database.generated-CzIvgcPu.d.ts → database.generated-CcnC_DRc.d.ts} +4795 -3691
package/dist/eslint-rules/index.cjs +22 -0
package/dist/eslint-rules/rules/compliance.cjs +348 -0
package/dist/eslint-rules/rules/components.cjs +113 -0
package/dist/eslint-rules/rules/imports.cjs +102 -0
package/dist/eslint-rules/rules/rbac.cjs +790 -0
package/dist/eslint-rules/utils/helpers.cjs +42 -0
package/dist/eslint-rules/utils/manifest-loader.cjs +75 -0
package/dist/hooks.d.ts +5 -5
package/dist/hooks.js +62 -270
package/dist/icons/index.d.ts +1 -0
package/dist/icons/index.js +1 -0
package/dist/index.d.ts +36 -26
package/dist/index.js +87 -690
package/dist/providers.d.ts +2 -2
package/dist/providers.js +8 -35
package/dist/rbac/eslint-rules.d.ts +46 -44
package/dist/rbac/eslint-rules.js +7 -4
package/dist/rbac/index.d.ts +124 -594
package/dist/rbac/index.js +14 -207
package/dist/styles/index.js +2 -12
package/dist/theming/runtime.js +3 -19
package/dist/{timezone-CHhWg6b4.d.ts → timezone-BZe_eUxx.d.ts} +175 -1
package/dist/{types-CkbwOr4Y.d.ts → types-B-K_5VnO.d.ts} +4 -0
package/dist/types-t9H8qKRw.d.ts +55 -0
package/dist/types.d.ts +1 -1
package/dist/types.js +7 -94
package/dist/{usePublicRouteParams-i3qtoBgg.d.ts → usePublicRouteParams-COZ28Mvq.d.ts} +9 -9
package/dist/utils.d.ts +24 -117
package/dist/utils.js +54 -392
package/docs/README.md +16 -6
package/docs/api/README.md +4 -402
package/docs/api/modules.md +454 -930
package/docs/api-reference/components.md +3 -1
package/docs/api-reference/deprecated.md +31 -6
package/docs/api-reference/rpc-functions.md +78 -3
package/docs/best-practices/accessibility.md +6 -3
package/docs/getting-started/cursor-rules.md +3 -23
package/docs/getting-started/dependencies.md +650 -0
package/docs/getting-started/installation-guide.md +20 -7
package/docs/getting-started/quick-start.md +23 -12
package/docs/implementation-guides/permission-enforcement.md +4 -0
package/docs/rbac/MIGRATION_GUIDE.md +819 -0
package/docs/rbac/RBAC_CONTRACT.md +724 -0
package/docs/rbac/README.md +12 -3
package/docs/rbac/edge-functions-guide.md +376 -0
package/docs/rbac/secure-client-protection.md +0 -34
package/docs/standards/00-pace-core-compliance.md +967 -0
package/docs/standards/01-standards-compliance.md +188 -0
package/docs/standards/02-project-structure.md +985 -0
package/docs/standards/03-solid-principles.md +39 -0
package/docs/standards/04-testing-standards.md +36 -0
package/docs/standards/05-bug-reports-and-features.md +27 -0
package/docs/standards/{04-code-style-standard.md → 06-code-quality.md} +2 -0
package/docs/standards/07-tech-stack-compliance.md +30 -0
package/docs/standards/08-markup-quality.md +345 -0
package/docs/standards/{07-rbac-and-rls-standard.md → 09-rbac-compliance.md} +149 -54
package/docs/standards/10-error-handling-patterns.md +401 -0
package/docs/standards/11-performance-optimization.md +348 -0
package/docs/standards/12-ci-cd-integration.md +370 -0
package/docs/standards/ALIGNMENT_REVIEW_SUMMARY.md +192 -0
package/docs/standards/README.md +62 -33
package/docs/troubleshooting/organisation-context-setup.md +42 -19
package/eslint-config-pace-core.cjs +20 -4
package/package.json +31 -21
package/scripts/audit/audit-compliance.cjs +1295 -0
package/scripts/audit/audit-components.cjs +260 -0
package/scripts/audit/audit-dependencies.cjs +395 -0
package/scripts/audit/audit-rbac.cjs +954 -0
package/scripts/audit/audit-standards.cjs +1268 -0
package/scripts/audit/index.cjs +1898 -194
package/scripts/install-cursor-rules.cjs +259 -8
package/scripts/validate-master.js +1 -1
package/src/__tests__/fixtures/supabase.ts +1 -1
package/src/__tests__/helpers/__tests__/component-test-utils.test.tsx +1 -1
package/src/__tests__/helpers/__tests__/optimized-test-setup.test.ts +1 -1
package/src/__tests__/helpers/__tests__/supabaseMock.test.ts +1 -1
package/src/__tests__/helpers/__tests__/test-utils.test.tsx +3 -3
package/src/__tests__/helpers/component-test-utils.tsx +1 -1
package/src/__tests__/helpers/supabaseMock.ts +2 -2
package/src/__tests__/public-recipe-view.test.ts +38 -9
package/src/components/Button/Button.tsx +5 -1
package/src/components/ContextSelector/ContextSelector.tsx +42 -39
package/src/components/DataTable/__tests__/keyboard.test.tsx +15 -2
package/src/components/DataTable/components/DataTableBody.tsx +55 -31
package/src/components/DataTable/components/DataTableCore.tsx +186 -13
package/src/components/DataTable/components/DataTableLayout.tsx +30 -5
package/src/components/DataTable/components/EditFields.tsx +23 -3
package/src/components/DataTable/components/EditableRow.tsx +7 -2
package/src/components/DataTable/components/ImportModal.tsx +4 -6
package/src/components/DataTable/components/RowComponent.tsx +12 -0
package/src/components/DataTable/components/ViewRowModal.tsx +4 -4
package/src/components/DataTable/components/__tests__/ImportModal.test.tsx +455 -96
package/src/components/DataTable/components/__tests__/ViewRowModal.test.tsx +122 -58
package/src/components/DataTable/components/hooks/usePermissionTracking.ts +0 -4
package/src/components/DataTable/core/DataTableContext.tsx +1 -1
package/src/components/DataTable/hooks/__tests__/useDataTableState.test.ts +51 -47
package/src/components/DataTable/hooks/useDataTablePermissions.ts +24 -21
package/src/components/DataTable/hooks/useDataTableState.ts +125 -9
package/src/components/DataTable/hooks/useTableColumns.ts +40 -2
package/src/components/DataTable/hooks/useTableHandlers.ts +11 -0
package/src/components/DataTable/types.ts +5 -0
package/src/components/DateTimeField/DateTimeField.tsx +20 -20
package/src/components/DateTimeField/README.md +5 -2
package/src/components/Dialog/Dialog.test.tsx +361 -318
package/src/components/Dialog/Dialog.tsx +1154 -323
package/src/components/Dialog/index.ts +3 -3
package/src/components/FileDisplay/FileDisplay.test.tsx +45 -2
package/src/components/FileDisplay/FileDisplay.tsx +28 -22
package/src/components/Form/Form.test.tsx +9 -10
package/src/components/Form/Form.tsx +369 -9
package/src/components/InactivityWarningModal/InactivityWarningModal.test.tsx +28 -28
package/src/components/InactivityWarningModal/InactivityWarningModal.tsx +40 -54
package/src/components/LoginForm/LoginForm.tsx +2 -2
package/src/components/NavigationMenu/NavigationMenu.test.tsx +14 -13
package/src/components/NavigationMenu/NavigationMenu.tsx +2 -2
package/src/components/NavigationMenu/useNavigationFiltering.ts +11 -21
package/src/components/PaceAppLayout/PaceAppLayout.test.tsx +6 -4
package/src/components/PaceAppLayout/PaceAppLayout.tsx +30 -41
package/src/components/PaceAppLayout/README.md +10 -9
package/src/components/PaceAppLayout/test-setup.tsx +40 -31
package/src/components/PaceLoginPage/PaceLoginPage.test.tsx +108 -61
package/src/components/PaceLoginPage/PaceLoginPage.tsx +27 -3
package/src/components/PasswordChange/PasswordChangeForm.test.tsx +61 -0
package/src/components/PasswordChange/PasswordChangeForm.tsx +20 -13
package/src/components/PublicLayout/PublicLayout.test.tsx +7 -3
package/src/components/PublicLayout/PublicPageLayout.tsx +5 -8
package/src/components/Select/Select.tsx +23 -21
package/src/components/Select/types.ts +1 -1
package/src/components/UserMenu/UserMenu.test.tsx +38 -6
package/src/components/UserMenu/UserMenu.tsx +39 -34
package/src/components/index.ts +3 -4
package/src/eslint-rules/index.cjs +22 -0
package/src/eslint-rules/rules/compliance.cjs +348 -0
package/src/eslint-rules/rules/components.cjs +113 -0
package/src/eslint-rules/rules/imports.cjs +102 -0
package/src/eslint-rules/rules/rbac.cjs +790 -0
package/src/eslint-rules/utils/helpers.cjs +42 -0
package/src/eslint-rules/utils/manifest-loader.cjs +75 -0
package/src/hooks/__tests__/hooks.integration.test.tsx +6 -8
package/src/hooks/__tests__/useAppConfig.unit.test.ts +129 -67
package/src/hooks/__tests__/usePublicEvent.simple.test.ts +149 -67
package/src/hooks/__tests__/usePublicEvent.test.ts +149 -79
package/src/hooks/__tests__/usePublicEvent.unit.test.ts +158 -109
package/src/hooks/__tests__/useSessionDraft.test.ts +163 -0
package/src/hooks/__tests__/useSessionRestoration.unit.test.tsx +10 -5
package/src/hooks/public/usePublicEvent.ts +62 -190
package/src/hooks/public/usePublicEventLogo.test.ts +70 -17
package/src/hooks/public/usePublicEventLogo.ts +19 -9
package/src/hooks/useAppConfig.ts +26 -24
package/src/hooks/useEventTheme.test.ts +211 -233
package/src/hooks/useEventTheme.ts +19 -28
package/src/hooks/useEvents.ts +11 -7
package/src/hooks/useKeyboardShortcuts.ts +1 -1
package/src/hooks/useOrganisationPermissions.ts +9 -11
package/src/hooks/useOrganisations.ts +13 -7
package/src/hooks/useQueryCache.ts +0 -1
package/src/hooks/useSessionDraft.ts +380 -0
package/src/hooks/useSessionRestoration.ts +3 -1
package/src/icons/index.ts +27 -0
package/src/index.ts +16 -1
package/src/providers/OrganisationProvider.tsx +23 -14
package/src/providers/services/EventServiceProvider.tsx +1 -24
package/src/providers/services/UnifiedAuthProvider.tsx +5 -48
package/src/providers/services/__tests__/UnifiedAuthProvider.integration.test.tsx +3 -0
package/src/rbac/README.md +20 -20
package/src/rbac/__tests__/adapters.comprehensive.test.tsx +7 -457
package/src/rbac/__tests__/auth-rbac.e2e.test.tsx +33 -7
package/src/rbac/adapters.tsx +7 -295
package/src/rbac/api.test.ts +44 -56
package/src/rbac/api.ts +10 -17
package/src/rbac/cache-invalidation.ts +0 -1
package/src/rbac/compliance/index.ts +10 -0
package/src/rbac/compliance/pattern-detector.ts +553 -0
package/src/rbac/compliance/runtime-compliance.ts +22 -0
package/src/rbac/components/AccessDenied.tsx +150 -0
package/src/rbac/components/NavigationGuard.tsx +12 -20
package/src/rbac/components/PagePermissionGuard.tsx +4 -24
package/src/rbac/components/__tests__/NavigationGuard.test.tsx +21 -8
package/src/rbac/components/index.ts +3 -41
package/src/rbac/eslint-rules.js +1 -1
package/src/rbac/hooks/index.ts +0 -3
package/src/rbac/hooks/permissions/index.ts +0 -3
package/src/rbac/hooks/permissions/useAccessLevel.ts +4 -8
package/src/rbac/hooks/usePermissions.ts +0 -3
package/src/rbac/hooks/useRBAC.test.ts +21 -3
package/src/rbac/hooks/useRBAC.ts +4 -3
package/src/rbac/hooks/useResolvedScope.test.ts +57 -47
package/src/rbac/hooks/useResolvedScope.ts +58 -140
package/src/rbac/hooks/useResourcePermissions.test.ts +241 -60
package/src/rbac/hooks/useResourcePermissions.ts +182 -63
package/src/rbac/hooks/useRoleManagement.test.ts +65 -22
package/src/rbac/hooks/useRoleManagement.ts +147 -19
package/src/rbac/hooks/useSecureSupabase.ts +4 -8
package/src/rbac/index.ts +7 -9
package/src/rbac/permissions.ts +17 -17
package/src/rbac/utils/contextValidator.ts +45 -7
package/src/services/AuthService.ts +132 -23
package/src/services/EventService.ts +4 -97
package/src/services/InactivityService.ts +155 -58
package/src/services/OrganisationService.ts +7 -44
package/src/services/__tests__/OrganisationService.test.ts +26 -8
package/src/services/base/BaseService.ts +0 -3
package/src/styles/core.css +4 -0
package/src/types/database.generated.ts +4733 -3809
package/src/utils/__tests__/organisationContext.unit.test.ts +9 -10
package/src/utils/context/organisationContext.test.ts +13 -28
package/src/utils/context/organisationContext.ts +21 -52
package/src/utils/dynamic/dynamicUtils.ts +1 -1
package/src/utils/file-reference/index.ts +39 -15
package/src/utils/formatting/formatDateTime.test.ts +3 -2
package/src/utils/formatting/formatTime.test.ts +3 -2
package/src/utils/google-places/loadGoogleMapsScript.ts +29 -4
package/src/utils/index.ts +4 -1
package/src/utils/persistence/__tests__/keyDerivation.test.ts +135 -0
package/src/utils/persistence/__tests__/sensitiveFieldDetection.test.ts +123 -0
package/src/utils/persistence/keyDerivation.ts +304 -0
package/src/utils/persistence/sensitiveFieldDetection.ts +212 -0
package/src/utils/security/secureStorage.ts +5 -5
package/src/utils/storage/helpers.ts +3 -3
package/src/utils/supabase/createBaseClient.ts +147 -0
package/src/utils/timezone/timezone.test.ts +1 -2
package/src/utils/timezone/timezone.ts +1 -1
package/src/utils/validation/csrf.ts +4 -4
package/cursor-rules/CHANGELOG.md +0 -119
package/cursor-rules/README.md +0 -192
package/dist/DataTable-E7YQZD7D.js +0 -175
package/dist/DataTable-E7YQZD7D.js.map +0 -1
package/dist/UnifiedAuthProvider-QPXO24B4.js +0 -18
package/dist/UnifiedAuthProvider-QPXO24B4.js.map +0 -1
package/dist/api-6LVZTHDS.js +0 -52
package/dist/api-6LVZTHDS.js.map +0 -1
package/dist/audit-V53FV5AG.js +0 -17
package/dist/audit-V53FV5AG.js.map +0 -1
package/dist/chunk-36LVWXB2.js +0 -227
package/dist/chunk-36LVWXB2.js.map +0 -1
package/dist/chunk-3LPHPB62.js.map +0 -1
package/dist/chunk-5DRSZLL2.js.map +0 -1
package/dist/chunk-5EC5MEWX.js.map +0 -1
package/dist/chunk-63FOKYGO.js.map +0 -1
package/dist/chunk-6SOIHG6Z.js.map +0 -1
package/dist/chunk-7JPAB3T5.js.map +0 -1
package/dist/chunk-ATKZM7RX.js +0 -2053
package/dist/chunk-ATKZM7RX.js.map +0 -1
package/dist/chunk-AVMLPIM7.js.map +0 -1
package/dist/chunk-DGUM43GV.js.map +0 -1
package/dist/chunk-E66EQZE6.js.map +0 -1
package/dist/chunk-FFQEQTNW.js.map +0 -1
package/dist/chunk-FMUCXFII.js.map +0 -1
package/dist/chunk-G37KK66H.js.map +0 -1
package/dist/chunk-I6DAQMWX.js.map +0 -1
package/dist/chunk-J36DSWQK.js.map +0 -1
package/dist/chunk-KQCRWDSA.js +0 -1
package/dist/chunk-KQCRWDSA.js.map +0 -1
package/dist/chunk-L4OXEN46.js.map +0 -1
package/dist/chunk-LMC26NLJ.js +0 -84
package/dist/chunk-LMC26NLJ.js.map +0 -1
package/dist/chunk-M43Y4SSO.js.map +0 -1
package/dist/chunk-M7MPQISP.js.map +0 -1
package/dist/chunk-NN6WWZ5U.js.map +0 -1
package/dist/chunk-OEWDTMG7.js.map +0 -1
package/dist/chunk-PWLANIRT.js.map +0 -1
package/dist/chunk-QXHPKYJV.js.map +0 -1
package/dist/chunk-VBXEHIUJ.js.map +0 -1
package/dist/chunk-YKRAFF5K.js.map +0 -1
package/dist/chunk-ZSAAAMVR.js.map +0 -1
package/dist/components.js.map +0 -1
package/dist/contextValidator-OOPCLPZW.js +0 -9
package/dist/contextValidator-OOPCLPZW.js.map +0 -1
package/dist/eslint-rules/pace-core-compliance.cjs +0 -510
package/dist/hooks.js.map +0 -1
package/dist/index.js.map +0 -1
package/dist/providers.js.map +0 -1
package/dist/rbac/eslint-rules.js.map +0 -1
package/dist/rbac/index.js.map +0 -1
package/dist/styles/index.js.map +0 -1
package/dist/theming/runtime.js.map +0 -1
package/dist/types.js.map +0 -1
package/dist/utils.js.map +0 -1
package/docs/standards/01-architecture-standard.md +0 -44
package/docs/standards/02-api-and-rpc-standard.md +0 -39
package/docs/standards/03-component-standard.md +0 -32
package/docs/standards/05-security-standard.md +0 -44
package/docs/standards/06-testing-and-docs-standard.md +0 -29
package/docs/standards/pace-core-compliance.md +0 -432
package/scripts/audit/core/checks/accessibility.cjs +0 -197
package/scripts/audit/core/checks/api-usage.cjs +0 -191
package/scripts/audit/core/checks/bundle.cjs +0 -142
package/scripts/audit/core/checks/compliance.cjs +0 -2706
package/scripts/audit/core/checks/config.cjs +0 -54
package/scripts/audit/core/checks/coverage.cjs +0 -84
package/scripts/audit/core/checks/dependencies.cjs +0 -994
package/scripts/audit/core/checks/documentation.cjs +0 -268
package/scripts/audit/core/checks/environment.cjs +0 -116
package/scripts/audit/core/checks/error-handling.cjs +0 -340
package/scripts/audit/core/checks/forms.cjs +0 -172
package/scripts/audit/core/checks/heuristics.cjs +0 -68
package/scripts/audit/core/checks/hooks.cjs +0 -334
package/scripts/audit/core/checks/imports.cjs +0 -244
package/scripts/audit/core/checks/performance.cjs +0 -325
package/scripts/audit/core/checks/routes.cjs +0 -117
package/scripts/audit/core/checks/state.cjs +0 -130
package/scripts/audit/core/checks/structure.cjs +0 -65
package/scripts/audit/core/checks/style.cjs +0 -584
package/scripts/audit/core/checks/testing.cjs +0 -122
package/scripts/audit/core/checks/typescript.cjs +0 -61
package/scripts/audit/core/scanner.cjs +0 -199
package/scripts/audit/core/utils.cjs +0 -137
package/scripts/audit/reporters/console.cjs +0 -151
package/scripts/audit/reporters/json.cjs +0 -54
package/scripts/audit/reporters/markdown.cjs +0 -124
package/scripts/audit-consuming-app.cjs +0 -86
package/src/eslint-rules/pace-core-compliance.cjs +0 -510
package/src/eslint-rules/pace-core-compliance.js +0 -638
package/src/rbac/components/EnhancedNavigationMenu.test.tsx +0 -555
package/src/rbac/components/EnhancedNavigationMenu.tsx +0 -293
package/src/rbac/components/NavigationProvider.test.tsx +0 -481
package/src/rbac/components/NavigationProvider.tsx +0 -345
package/src/rbac/components/PagePermissionProvider.test.tsx +0 -476
package/src/rbac/components/PagePermissionProvider.tsx +0 -279
package/src/rbac/components/PermissionEnforcer.tsx +0 -312
package/src/rbac/components/RoleBasedRouter.tsx +0 -440
package/src/rbac/components/SecureDataProvider.test.tsx +0 -543
package/src/rbac/components/SecureDataProvider.tsx +0 -339
package/src/rbac/components/__tests__/EnhancedNavigationMenu.test.tsx +0 -620
package/src/rbac/components/__tests__/NavigationProvider.test.tsx +0 -726
package/src/rbac/components/__tests__/PagePermissionProvider.test.tsx +0 -661
package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx +0 -881
package/src/rbac/components/__tests__/RoleBasedRouter.test.tsx +0 -783
package/src/rbac/components/__tests__/SecureDataProvider.fixed.test.tsx +0 -645
package/src/rbac/components/__tests__/SecureDataProvider.test.tsx +0 -659
package/src/rbac/hooks/permissions/useCachedPermissions.ts +0 -79
package/src/rbac/hooks/permissions/useHasAllPermissions.ts +0 -90
package/src/rbac/hooks/permissions/useHasAnyPermission.ts +0 -90

package/src/eslint-rules/rules/rbac.cjs ADDED Viewed

@@ -0,0 +1,790 @@
+/**
+ * RBAC-specific rules
+ * @package @jmruthers/pace-core
+ * @module ESLintRules/rules/rbac
+ */
+const { isPaceCoreSourceFile } = require('../utils/helpers.cjs');
+module.exports = {
+  rules: {
+    /**
+     * Disallow direct Supabase client creation - must use useSecureSupabase
+     */
+    'no-direct-supabase-client': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow direct createClient calls from @supabase/supabase-js. Use useSecureSupabase() from pace-core instead to ensure organisation context and RLS policies are enforced.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          directClientCreation: "Direct Supabase client creation detected. You MUST use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead to ensure organisation context and RLS policies are enforced. This prevents cross-organisation data access.",
+          directClientImport: "Direct import of createClient from @supabase/supabase-js is not allowed. Use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        // Allow createClient in specific config files (supabaseClient.ts/js, etc.)
+        const isConfigFile = /(supabase|client)\.(ts|js|tsx|jsx)$/i.test(filename) &&
+                            (filename.includes('supabase') || filename.includes('client'));
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            // Check for @supabase/supabase-js import
+            if (importSource === '@supabase/supabase-js') {
+              // Check if createClient is imported
+              const hasCreateClient = node.specifiers.some(spec => {
+                if (spec.type === 'ImportSpecifier') {
+                  return spec.imported.name === 'createClient';
+                }
+                if (spec.type === 'ImportNamespaceSpecifier') {
+                  return true; // import * as supabase
+                }
+                return false;
+              });
+              if (hasCreateClient && !isConfigFile) {
+                context.report({
+                  node: node.source,
+                  messageId: 'directClientImport',
+                  suggest: [{
+                    desc: 'Replace with useSecureSupabase hook',
+                    fix(fixer) {
+                      return fixer.remove(node);
+                    }
+                  }]
+                });
+              }
+            }
+          },
+          CallExpression(node) {
+            // Check for createClient() calls
+            if (node.callee.type === 'Identifier' && node.callee.name === 'createClient') {
+              if (!isConfigFile) {
+                context.report({
+                  node,
+                  messageId: 'directClientCreation',
+                  suggest: [{
+                    desc: 'Use useSecureSupabase() hook instead',
+                    fix(fixer) {
+                      return null;
+                    }
+                  }]
+                });
+              }
+            }
+            // Check for supabase.createClient() or similar patterns
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property?.name === 'createClient') {
+              if (!isConfigFile) {
+                context.report({
+                  node,
+                  messageId: 'directClientCreation',
+                  suggest: [{
+                    desc: 'Use useSecureSupabase() hook instead',
+                    fix(fixer) {
+                      return null;
+                    }
+                  }]
+                });
+              }
+            }
+          }
+        };
+      }
+    },
+    /**
+     * Check RBAC permission loading state usage
+     */
+    'rbac-permission-loading': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Require isLoading extraction from useResourcePermissions and check it before permission calls in mutations.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          missingIsLoading: "useResourcePermissions is used but 'isLoading' is not extracted. Permission checks may fail if scope resolution is still in progress.",
+          missingLoadingCheck: "Permission check '{{permission}}()' is called without checking isLoading first. This can cause false negatives when scope resolution is still in progress."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        let useResourcePermissionsFound = false;
+        let hasIsLoadingExtraction = false;
+        let isLoadingVarName = null;
+        return {
+          CallExpression(node) {
+            // Find useResourcePermissions calls
+            if (node.callee.type === 'Identifier' &&
+                node.callee.name === 'useResourcePermissions') {
+              useResourcePermissionsFound = true;
+              // Check parent to see if isLoading is destructured
+              const parent = node.parent;
+              if (parent && parent.type === 'VariableDeclarator' &&
+                  parent.id && parent.id.type === 'ObjectPattern') {
+                const properties = parent.id.properties;
+                const isLoadingProp = properties.find(prop => {
+                  if (prop.type === 'Property') {
+                    const key = prop.key;
+                    if (key.type === 'Identifier' && key.name === 'isLoading') {
+                      return true;
+                    }
+                    // Also check for renamed: isLoading: permissionsLoading
+                    if (key.type === 'Identifier' && key.name === 'isLoading') {
+                      if (prop.value && prop.value.type === 'Identifier') {
+                        isLoadingVarName = prop.value.name;
+                      }
+                      return true;
+                    }
+                  }
+                  return false;
+                });
+                if (isLoadingProp) {
+                  hasIsLoadingExtraction = true;
+                  if (!isLoadingVarName) {
+                    isLoadingVarName = 'isLoading';
+                  }
+                }
+              }
+            }
+            // Check for permission function calls in mutations
+            if (useResourcePermissionsFound &&
+                node.callee.type === 'Identifier' &&
+                ['canCreate', 'canUpdate', 'canDelete', 'canRead'].includes(node.callee.name)) {
+              // Check if we're in a mutation context
+              const sourceCode = context.sourceCode || context.getSourceCode();
+              // ESLint 9: use sourceCode.getAncestors(node), ESLint 8: use context.getAncestors()
+              const ancestors = sourceCode.getAncestors ? sourceCode.getAncestors(node) : (context.getAncestors ? context.getAncestors() : []);
+              const isInMutation = ancestors.some(ancestor => {
+                if (ancestor.type === 'Property' && ancestor.key) {
+                  const keyName = ancestor.key.name || (ancestor.key.type === 'Identifier' && ancestor.key.name);
+                  return keyName === 'mutationFn' || keyName === 'mutateAsync';
+                }
+                return false;
+              });
+              if (isInMutation) {
+                // Check if isLoading is checked before this call
+                const nodeText = sourceCode.getText(node);
+                const beforeNode = sourceCode.getText().substring(0, sourceCode.getIndexFromLoc(node.loc.start));
+                // Look for isLoading check before this call
+                const hasLoadingCheck = new RegExp(
+                  `(if\\s*\\(\\s*!?\\s*(${isLoadingVarName || 'isLoading'})|if\\s*\\(\\s*(${isLoadingVarName || 'isLoading'})\\s*===\\s*false|if\\s*\\(\\s*(${isLoadingVarName || 'isLoading'})\\s*!==\\s*true|await)`,
+                  'i'
+                ).test(beforeNode);
+                if (!hasIsLoadingExtraction) {
+                  context.report({
+                    node,
+                    messageId: 'missingIsLoading',
+                    suggest: [{
+                      desc: `Extract 'isLoading' from useResourcePermissions`,
+                      fix(fixer) {
+                        return null; // Complex fix
+                      }
+                    }]
+                  });
+                } else if (!hasLoadingCheck) {
+                  context.report({
+                    node,
+                    messageId: 'missingLoadingCheck',
+                    data: {
+                      permission: node.callee.name
+                    },
+                    suggest: [{
+                      desc: `Check ${isLoadingVarName || 'isLoading'} before calling permission function`,
+                      fix(fixer) {
+                        return null; // Complex fix
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+    /**
+     * Disallow direct RPC calls to RBAC functions
+     */
+    'no-direct-rbac-rpc': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow direct calls to RBAC RPC functions. Use pace-core RBAC hooks instead.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          directRbacRpc: "Direct RPC call to '{{rpcName}}' detected. Use pace-core RBAC hooks from '@jmruthers/pace-core/rbac' instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        const rbacRpcPatterns = ['rbac_check_permission_simplified', 'rbac_'];
+        return {
+          CallExpression(node) {
+            // Check for supabase.rpc('rbac_*', ...)
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property &&
+                node.callee.property.name === 'rpc' &&
+                node.arguments.length > 0) {
+              const firstArg = node.arguments[0];
+              if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
+                const rpcName = firstArg.value;
+                if (rpcName.startsWith('rbac_')) {
+                  context.report({
+                    node: firstArg,
+                    messageId: 'directRbacRpc',
+                    data: {
+                      rpcName
+                    },
+                    suggest: [{
+                      desc: 'Use pace-core RBAC hooks instead',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+    /**
+     * Disallow direct queries to RBAC tables
+     */
+    'no-direct-rbac-table': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow direct queries to RBAC tables. Use pace-core RBAC API functions or useSecureSupabase instead.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          directRbacTable: "Direct query to RBAC table '{{tableName}}' detected. Use pace-core RBAC API functions from '@jmruthers/pace-core/rbac' or useSecureSupabase hook instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        const rbacTables = [
+          'rbac_organisation_roles',
+          'rbac_event_app_roles',
+          'rbac_global_roles',
+          'rbac_apps',
+          'rbac_app_pages',
+          'rbac_page_permissions',
+          'rbac_user_profiles'
+        ];
+        let hasSecureSupabase = false;
+        let secureSupabaseVarName = null;
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (importSource === '@jmruthers/pace-core/rbac' ||
+                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
+              if (node.specifiers.some(spec =>
+                spec.type === 'ImportSpecifier' && spec.imported.name === 'useSecureSupabase'
+              )) {
+                hasSecureSupabase = true;
+              }
+            }
+          },
+          VariableDeclarator(node) {
+            if (node.init &&
+                node.init.type === 'CallExpression' &&
+                node.init.callee &&
+                node.init.callee.name === 'useSecureSupabase') {
+              if (node.id.type === 'Identifier') {
+                secureSupabaseVarName = node.id.name;
+              }
+            }
+          },
+          CallExpression(node) {
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property &&
+                node.callee.property.name === 'from' &&
+                node.arguments.length > 0) {
+              // Check if this is called on secureSupabase
+              let isSecureClient = false;
+              if (node.callee.object.type === 'Identifier') {
+                const objName = node.callee.object.name;
+                if (objName === 'secureSupabase' ||
+                    objName === secureSupabaseVarName ||
+                    (hasSecureSupabase && objName.includes('secure'))) {
+                  isSecureClient = true;
+                }
+              }
+              // Allow queries through secureSupabase
+              if (isSecureClient) {
+                return;
+              }
+              const firstArg = node.arguments[0];
+              if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
+                const tableName = firstArg.value;
+                if (rbacTables.includes(tableName) || tableName.startsWith('rbac_')) {
+                  context.report({
+                    node: firstArg,
+                    messageId: 'directRbacTable',
+                    data: {
+                      tableName
+                    },
+                    suggest: [{
+                      desc: 'Use useSecureSupabase hook or pace-core RBAC API functions',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+    /**
+     * Disallow hardcoded role checks
+     */
+    'no-hardcoded-role-checks': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow hardcoded role checks. Use useAccessLevel hook or getRoleContext API from pace-core instead.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          hardcodedRoleCheck: "Hardcoded role check detected. Use useAccessLevel hook or getRoleContext API from '@jmruthers/pace-core/rbac' instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        const roleNames = ['admin', 'org_admin', 'event_admin', 'user', 'member', 'viewer', 'editor'];
+        const roleCheckPattern = new RegExp(
+          `(?:role|user\\.role|userRole|currentRole|userRoleName)\\s*(?:===|!==|==|!=)\\s*['"](${roleNames.join('|')})['"]`,
+          'i'
+        );
+        let hasPaceCoreImport = false;
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (importSource === '@jmruthers/pace-core/rbac' ||
+                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
+              hasPaceCoreImport = true;
+            }
+          },
+          BinaryExpression(node) {
+            if (node.operator === '===' || node.operator === '!==' || node.operator === '==' || node.operator === '!=') {
+              const sourceCode = context.getSourceCode();
+              const leftText = sourceCode.getText(node.left);
+              const rightText = sourceCode.getText(node.right);
+              // Check if it's a role comparison
+              if (roleCheckPattern.test(leftText + ' ' + node.operator + ' ' + rightText)) {
+                // Check if using pace-core APIs
+                if (!hasPaceCoreImport ||
+                    (!leftText.includes('useAccessLevel') && !leftText.includes('getRoleContext'))) {
+                  context.report({
+                    node,
+                    messageId: 'hardcodedRoleCheck',
+                    suggest: [{
+                      desc: 'Use useAccessLevel hook or getRoleContext API',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+    /**
+     * Require RESOURCE_NAMES constants in useResourcePermissions
+     */
+    'rbac-use-resource-names-constants': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Require RESOURCE_NAMES constants instead of string literals in useResourcePermissions calls.',
+          category: 'Best Practices',
+          recommended: true
+        },
+        messages: {
+          resourcePermissionStringLiteral: "Resource permission string literal detected. Use RESOURCE_NAMES constant object instead (e.g., RESOURCE_NAMES.ORGANISATIONS, RESOURCE_NAMES.EVENTS)."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        let hasResourceNamesImport = false;
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (node.specifiers.some(spec =>
+              spec.type === 'ImportSpecifier' && spec.imported.name === 'RESOURCE_NAMES'
+            )) {
+              hasResourceNamesImport = true;
+            }
+          },
+          CallExpression(node) {
+            if (node.callee.type === 'Identifier' &&
+                node.callee.name === 'useResourcePermissions') {
+              // Check if argument is a string literal
+              if (node.arguments.length > 0 &&
+                  node.arguments[0].type === 'Literal' &&
+                  typeof node.arguments[0].value === 'string') {
+                // Check if RESOURCE_NAMES is used in the file
+                const sourceCode = context.getSourceCode();
+                const fileText = sourceCode.getText();
+                if (!hasResourceNamesImport || !fileText.includes('RESOURCE_NAMES.')) {
+                  context.report({
+                    node: node.arguments[0],
+                    messageId: 'resourcePermissionStringLiteral',
+                    suggest: [{
+                      desc: 'Use RESOURCE_NAMES constant instead',
+                      fix(fixer) {
+                        return null; // Complex fix
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+    /**
+     * Disallow wrapper components around PagePermissionGuard
+     */
+    'no-rbac-wrapper-components': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow wrapper components around PagePermissionGuard. Use PagePermissionGuard directly.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          wrapperComponent: "Wrapper component '{{componentName}}' detected around PagePermissionGuard. Must use PagePermissionGuard directly, not through wrappers."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        // Allow in pace-core package itself
+        if (filename.includes('packages/core/src/rbac') || filename.includes('packages\\core\\src\\rbac')) {
+          return {};
+        }
+        let hasPagePermissionGuard = false;
+        let wrapperComponentName = null;
+        return {
+          JSXOpeningElement(node) {
+            if (node.name.type === 'JSXIdentifier' && node.name.name === 'PagePermissionGuard') {
+              hasPagePermissionGuard = true;
+              // Check if this is inside a wrapper component
+              const sourceCode = context.sourceCode || context.getSourceCode();
+              // ESLint 9: use sourceCode.getAncestors(node), ESLint 8: use context.getAncestors()
+              const ancestors = sourceCode.getAncestors ? sourceCode.getAncestors(node) : (context.getAncestors ? context.getAncestors() : []);
+              const componentAncestor = ancestors.find(ancestor =>
+                ancestor.type === 'FunctionDeclaration' ||
+                (ancestor.type === 'VariableDeclarator' && ancestor.init &&
+                 (ancestor.init.type === 'ArrowFunctionExpression' || ancestor.init.type === 'FunctionExpression'))
+              );
+              if (componentAncestor) {
+                let componentName = null;
+                let componentParams = null;
+                if (componentAncestor.type === 'FunctionDeclaration' && componentAncestor.id) {
+                  componentName = componentAncestor.id.name;
+                  componentParams = componentAncestor.params;
+                } else if (componentAncestor.type === 'VariableDeclarator' && componentAncestor.id.type === 'Identifier') {
+                  componentName = componentAncestor.id.name;
+                  // For arrow functions and function expressions, get params from init
+                  if (componentAncestor.init) {
+                    if (componentAncestor.init.type === 'ArrowFunctionExpression' ||
+                        componentAncestor.init.type === 'FunctionExpression') {
+                      componentParams = componentAncestor.init.params;
+                    }
+                  }
+                }
+                // Check if component accepts pageName as a FUNCTION PARAMETER (not just uses it in JSX)
+                // This distinguishes wrapper components from legitimate page components
+                // Wrapper pattern: function Wrapper({ pageName }) { return <PagePermissionGuard pageName={pageName}> }
+                // Legitimate pattern: function Page() { return <PagePermissionGuard pageName={PAGE_NAMES.PAGE}> }
+                const acceptsPageNameAsParam = componentParams && componentParams.some(param => {
+                  if (param.type === 'Identifier') {
+                    return param.name === 'pageName';
+                  }
+                  // Handle destructured params: { pageName } or { pageName: pn }
+                  if (param.type === 'ObjectPattern') {
+                    return param.properties.some(prop => {
+                      if (prop.type === 'Property') {
+                        const key = prop.key;
+                        if (key.type === 'Identifier') {
+                          return key.name === 'pageName';
+                        }
+                      }
+                      return false;
+                    });
+                  }
+                  return false;
+                });
+                // Only flag if component accepts pageName as a parameter (wrapper pattern)
+                // Legitimate page components use constants like PAGE_NAMES.CONTACTS, not accept it as prop
+                if (acceptsPageNameAsParam) {
+                  context.report({
+                    node,
+                    messageId: 'wrapperComponent',
+                    data: {
+                      componentName: componentName || 'Unknown'
+                    },
+                    suggest: [{
+                      desc: 'Remove wrapper component and use PagePermissionGuard directly in pages',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+    /**
+     * Disallow wrapper functions around permission hooks
+     */
+    'no-rbac-wrapper-functions': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow wrapper functions around pace-core permission hooks. Use hooks directly in components.',
+          category: 'Security',
+          recommended: true
+        },
+        messages: {
+          wrapperFunction: "Permission wrapper function '{{functionName}}' detected. Use pace-core hooks (useCan, useResourcePermissions) directly in components instead of wrapping them."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        const permissionHookNames = ['useCan', 'useResourcePermissions', 'usePermissions', 'useMultiplePermissions'];
+        const permissionFunctionNames = ['canCreate', 'canUpdate', 'canDelete', 'canRead', 'can'];
+        let hasPaceCoreRBACImport = false;
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (importSource === '@jmruthers/pace-core/rbac' ||
+                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
+              hasPaceCoreRBACImport = true;
+            }
+          },
+          FunctionDeclaration(node) {
+            if (!node.id || !hasPaceCoreRBACImport) return;
+            const functionName = node.id.name;
+            if (!functionName) return;
+            // Check if function body uses permission hooks/functions
+            const sourceCode = context.getSourceCode();
+            const functionText = sourceCode.getText(node.body);
+            // Check if function uses permission hooks or functions
+            const usesPermissionHooks = permissionHookNames.some(hook => functionText.includes(hook));
+            const usesPermissionFunctions = permissionFunctionNames.some(fn => functionText.includes(fn));
+            // Check if function has additional logic beyond permission checking
+            const hasAdditionalLogic = (
+              functionText.includes('&&') ||
+              functionText.includes('||') ||
+              functionText.includes('if') ||
+              (functionText.match(/return/g) || []).length > 1 ||
+              functionText.includes('.find') ||
+              functionText.includes('.filter') ||
+              functionText.includes('.map')
+            );
+            // Pattern: Functions that start with 'can' and use permission hooks/functions
+            // and have additional logic
+            const isPermissionWrapper = (
+              (functionName.toLowerCase().startsWith('can') ||
+               functionName.toLowerCase().includes('permission') ||
+               functionName.toLowerCase().includes('access')) &&
+              (usesPermissionHooks || usesPermissionFunctions) &&
+              hasAdditionalLogic &&
+              node.params.length > 0
+            );
+            if (isPermissionWrapper) {
+              context.report({
+                node: node.id,
+                messageId: 'wrapperFunction',
+                data: {
+                  functionName
+                },
+                suggest: [{
+                  desc: 'Use permission hooks directly in components',
+                  fix(fixer) {
+                    return null;
+                  }
+                }]
+              });
+            }
+          },
+          VariableDeclarator(node) {
+            if (!hasPaceCoreRBACImport) return;
+            if (node.id.type !== 'Identifier') return;
+            const varName = node.id.name;
+            if (!varName) return;
+            // Only check arrow functions and function expressions
+            if (!node.init ||
+                (node.init.type !== 'ArrowFunctionExpression' &&
+                 node.init.type !== 'FunctionExpression')) {
+              return;
+            }
+            const sourceCode = context.getSourceCode();
+            const functionText = sourceCode.getText(node.init);
+            // Check if function uses permission hooks or functions
+            const usesPermissionHooks = permissionHookNames.some(hook => functionText.includes(hook));
+            const usesPermissionFunctions = permissionFunctionNames.some(fn => functionText.includes(fn));
+            // Check if function has additional logic beyond permission checking
+            const hasAdditionalLogic = (
+              functionText.includes('&&') ||
+              functionText.includes('||') ||
+              functionText.includes('if') ||
+              (functionText.match(/return/g) || []).length > 1 ||
+              functionText.includes('.find') ||
+              functionText.includes('.filter') ||
+              functionText.includes('.map')
+            );
+            // Pattern: Variables that start with 'can' and use permission hooks/functions
+            // and have additional logic
+            const isPermissionWrapper = (
+              (varName.toLowerCase().startsWith('can') ||
+               varName.toLowerCase().includes('permission') ||
+               varName.toLowerCase().includes('access')) &&
+              (usesPermissionHooks || usesPermissionFunctions) &&
+              hasAdditionalLogic &&
+              node.init.params && node.init.params.length > 0
+            );
+            if (isPermissionWrapper) {
+              context.report({
+                node: node.id,
+                messageId: 'wrapperFunction',
+                data: {
+                  functionName: varName
+                },
+                suggest: [{
+                  desc: 'Use permission hooks directly in components',
+                  fix(fixer) {
+                    return null;
+                  }
+                }]
+              });
+            }
+          }
+        };
+      }
+    }
+  }
+};