@jmruthers/pace-core 0.6.5 → 0.6.7

package/scripts/audit/core/checks/compliance.cjs

@@ -1,2706 +0,0 @@
-#!/usr/bin/env node
-
-/**
- * pace-core Compliance Check Module
- * @package @jmruthers/pace-core
- * @module Audit/Checks/Compliance
- * 
- * Scans codebase for pace-core compliance violations including:
- * - Restricted imports
- * - Duplicate components/hooks/utils
- * - Custom auth/RBAC code
- * - Provider setup issues
- * - Direct Supabase usage
- * - Unnecessary wrappers
- * - App discovery issues
- */
-
-const fs = require('fs');
-const path = require('path');
-const { getLineNumber, getRelativePath } = require('../utils.cjs');
-
-// Load manifest
-function loadManifest() {
-  const manifestPath = path.join(__dirname, '../../../../core-usage-manifest.json');
-  if (!fs.existsSync(manifestPath)) {
-    throw new Error(`core-usage-manifest.json not found at ${manifestPath}`);
-  }
-  return JSON.parse(fs.readFileSync(manifestPath, 'utf8'));
-}
-
-function scanProviderSetup(filePath, content, relativePath) {
-  const issues = [];
-  
-  // Check for UnifiedAuthProvider
-  const hasUnifiedAuthProvider = /UnifiedAuthProvider/.test(content);
-  if (!hasUnifiedAuthProvider) {
-    issues.push({
-      file: relativePath,
-      line: 1,
-      type: 'missing-provider',
-      provider: 'UnifiedAuthProvider',
-      reason: 'UnifiedAuthProvider is required. Wrap your app with UnifiedAuthProvider from @jmruthers/pace-core.',
-      recommendation: 'Import UnifiedAuthProvider from @jmruthers/pace-core and wrap your app component with it.'
-    });
-  }
-  
-  // Check for OrganisationProvider
-  const hasOrganisationProvider = /OrganisationProvider/.test(content);
-  if (hasUnifiedAuthProvider && !hasOrganisationProvider) {
-    issues.push({
-      file: relativePath,
-      line: 1,
-      type: 'missing-provider',
-      provider: 'OrganisationProvider',
-      reason: 'OrganisationProvider is recommended when using UnifiedAuthProvider. It provides organisation context.',
-      recommendation: 'Import OrganisationProvider from @jmruthers/pace-core and wrap your app inside UnifiedAuthProvider.'
-    });
-  }
-  
-  // Check provider nesting order
-  if (hasUnifiedAuthProvider) {
-    // Normalize content for better pattern matching (handle multiline JSX)
-    const normalizedContent = content.replace(/\s+/g, ' ');
-    
-    const hasBrowserRouter = /BrowserRouter/.test(content);
-    const hasQueryClientProvider = /QueryClientProvider/.test(content);
-    
-    // Only check nesting if we have both BrowserRouter and UnifiedAuthProvider
-    if (hasBrowserRouter) {
-      // Check if BrowserRouter is inside UnifiedAuthProvider (wrong order)
-      // Pattern: <UnifiedAuthProvider ...> ... <BrowserRouter
-      // This is a clear wrong pattern - only report if we see this directly
-      // BUT first check if there's a wrapper component that uses Router hooks
-      const wrapperFunctionMatch = content.match(/(?:function|const)\s+(\w*UnifiedAuthProvider\w*Wrapper)\s*[=\(]/);
-      let wrapperUsesRouterHooks = false;
-      if (wrapperFunctionMatch) {
-        const wrapperName = wrapperFunctionMatch[1];
-        const wrapperStart = content.indexOf(wrapperFunctionMatch[0]);
-        const afterWrapper = content.substring(wrapperStart);
-        let braceCount = 0;
-        let bodyStart = -1;
-        let bodyEnd = -1;
-        for (let i = 0; i < afterWrapper.length; i++) {
-          if (afterWrapper[i] === '{') {
-            if (braceCount === 0) bodyStart = i;
-            braceCount++;
-          } else if (afterWrapper[i] === '}') {
-            braceCount--;
-            if (braceCount === 0 && bodyStart !== -1) {
-              bodyEnd = i;
-              break;
-            }
-          }
-        }
-        if (bodyStart !== -1 && bodyEnd !== -1) {
-          const functionBody = afterWrapper.substring(bodyStart, bodyEnd + 1);
-          wrapperUsesRouterHooks = /useNavigate|useLocation|useParams|useSearchParams/.test(functionBody);
-        }
-      }
-      
-      const wrongNestingPattern = /<UnifiedAuthProvider[^>]*>[\s\S]*?<BrowserRouter/g;
-      // Only flag wrong nesting if there's no wrapper using Router hooks
-      if (wrongNestingPattern.test(content) && !wrapperUsesRouterHooks) {
-        const match = content.match(wrongNestingPattern);
-        issues.push({
-          file: relativePath,
-          line: getLineNumber(content, match[0]),
-          type: 'wrong-nesting',
-          reason: 'BrowserRouter should wrap UnifiedAuthProvider, not the other way around. This causes Router context errors.',
-          recommendation: 'Correct nesting order: QueryClientProvider → BrowserRouter → UnifiedAuthProvider → OrganisationProvider → App'
-        });
-      } else {
-        // Check if BrowserRouter wraps UnifiedAuthProvider (correct pattern)
-        // Look for BrowserRouter wrapping UnifiedAuthProvider or any component that might contain it
-        // Pattern: <BrowserRouter ...> ... <UnifiedAuthProvider (or wrapper component)
-        const correctNestingPattern = /<BrowserRouter[^>]*>[\s\S]*?<UnifiedAuthProvider/g;
-        
-        // Also check for wrapper components (e.g., UnifiedAuthProviderWrapper)
-        // Pattern: <BrowserRouter ...> ... <UnifiedAuthProviderWrapper ...> ... <UnifiedAuthProvider
-        const wrapperPattern = /<BrowserRouter[^>]*>[\s\S]*?(?:<UnifiedAuthProviderWrapper|<UnifiedAuthProvider)/g;
-        
-        // wrapperUsesRouterHooks is already set above, reuse it
-        const browserRouterIndex = content.indexOf('<BrowserRouter');
-        const unifiedAuthIndex = content.indexOf('UnifiedAuthProvider');
-        const wrapperIndex = content.indexOf('UnifiedAuthProviderWrapper');
-        
-        // Only report if we can clearly see a wrong pattern
-        // If BrowserRouter wraps UnifiedAuthProvider (directly or via wrapper), that's correct
-        if (browserRouterIndex !== -1 && unifiedAuthIndex !== -1) {
-          // If wrapper uses Router hooks, it must be inside BrowserRouter (correct pattern)
-          // Check if BrowserRouter comes before UnifiedAuthProviderWrapper in the JSX
-          if (wrapperUsesRouterHooks && wrapperPattern.test(content) && 
-              (browserRouterIndex < wrapperIndex || browserRouterIndex < unifiedAuthIndex || wrapperIndex === -1)) {
-            // This is correct - wrapper uses Router hooks and is inside BrowserRouter
-            // Don't report - skip to next check
-          } else if (unifiedAuthIndex < browserRouterIndex && !correctNestingPattern.test(content) && !wrapperPattern.test(content)) {
-            // Only report if we see UnifiedAuthProvider directly wrapping BrowserRouter (clear wrong pattern)
-            // AND wrapper doesn't use Router hooks (which would require BrowserRouter)
-            const unifiedWrappingRouter = /<UnifiedAuthProvider[^>]*>[\s\S]{0,200}<BrowserRouter/g;
-            if (unifiedWrappingRouter.test(content) && !wrapperUsesRouterHooks) {
-              issues.push({
-                file: relativePath,
-                line: getLineNumber(content, /BrowserRouter/.exec(content)?.index || 0),
-                type: 'wrong-nesting',
-                reason: 'UnifiedAuthProvider should be inside BrowserRouter to provide Router context.',
-                recommendation: 'Correct nesting order: QueryClientProvider → BrowserRouter → UnifiedAuthProvider → OrganisationProvider → App'
-              });
-            }
-            // If it's a wrapper component that uses Router hooks, don't report - that's acceptable
-          }
-        }
-      }
-    }
-    
-    // Check if QueryClientProvider wraps BrowserRouter
-    if (hasQueryClientProvider && hasBrowserRouter) {
-      // Check if QueryClientProvider comes before BrowserRouter in JSX structure
-      const queryBeforeRouter = /<QueryClientProvider[^>]*>[\s\S]*?<BrowserRouter/g;
-      if (!queryBeforeRouter.test(content)) {
-        // Only report if we can clearly see BrowserRouter comes before QueryClientProvider
-        const routerBeforeQuery = /<BrowserRouter[^>]*>[\s\S]*?<QueryClientProvider/g;
-        if (routerBeforeQuery.test(content)) {
-          const queryMatch = /QueryClientProvider/.exec(content);
-          issues.push({
-            file: relativePath,
-            line: getLineNumber(content, queryMatch?.index || 0),
-            type: 'wrong-nesting',
-            reason: 'QueryClientProvider should wrap BrowserRouter.',
-            recommendation: 'Correct nesting order: QueryClientProvider → BrowserRouter → UnifiedAuthProvider → OrganisationProvider → App'
-          });
-        }
-        // If we can't find either pattern, don't report - might be in wrapper components
-      }
-    }
-  }
-  
-  return issues;
-}
-
-// Scan Vite configuration for required settings
-function scanViteConfig(filePath, content, relativePath) {
-  const issues = [];
-  
-  // Check if @jmruthers/pace-core is in optimizeDeps.exclude
-  const hasOptimizeDepsExclude = /optimizeDeps\s*:\s*\{[\s\S]*?exclude/.test(content);
-  if (hasOptimizeDepsExclude) {
-    const excludeArrayMatch = content.match(/exclude\s*:\s*\[([^\]]*)\]/);
-    if (excludeArrayMatch) {
-      const excludeContent = excludeArrayMatch[1];
-      if (!excludeContent.includes('@jmruthers/pace-core')) {
-        issues.push({
-          file: relativePath,
-          line: getLineNumber(content, excludeArrayMatch[0]),
-          type: 'missing-exclude',
-          reason: '@jmruthers/pace-core should be excluded from Vite pre-bundling to prevent React context mismatches.',
-          recommendation: "Add '@jmruthers/pace-core' to optimizeDeps.exclude array."
-        });
-      }
-    } else {
-      // Check if it's a single string
-      const excludeStringMatch = content.match(/exclude\s*:\s*['"]@jmruthers\/pace-core['"]/);
-      if (!excludeStringMatch) {
-        issues.push({
-          file: relativePath,
-          line: getLineNumber(content, /exclude\s*:/.exec(content)?.index || 0),
-          type: 'missing-exclude',
-          reason: '@jmruthers/pace-core should be excluded from Vite pre-bundling.',
-          recommendation: "Add '@jmruthers/pace-core' to optimizeDeps.exclude."
-        });
-      }
-    }
-  } else {
-    issues.push({
-      file: relativePath,
-      line: getLineNumber(content, /optimizeDeps/.exec(content)?.index || 1),
-      type: 'missing-optimize-deps',
-      reason: 'optimizeDeps.exclude is missing. This can cause React context mismatch errors.',
-      recommendation: "Add optimizeDeps: { exclude: ['@jmruthers/pace-core'], include: ['react', 'react-dom', 'react-router-dom'] } to your Vite config."
-    });
-  }
-  
-  // Check if @jmruthers/pace-core is in optimizeDeps.include (should NOT be)
-  const includeArrayMatch = content.match(/include\s*:\s*\[([^\]]*)\]/);
-  if (includeArrayMatch) {
-    const includeContent = includeArrayMatch[1];
-    if (includeContent.includes('@jmruthers/pace-core')) {
-      issues.push({
-        file: relativePath,
-        line: getLineNumber(content, includeArrayMatch[0]),
-        type: 'should-exclude',
-        reason: '@jmruthers/pace-core should NOT be in optimizeDeps.include. It should be in exclude instead.',
-        recommendation: "Remove '@jmruthers/pace-core' from optimizeDeps.include and add it to optimizeDeps.exclude."
-      });
-    }
-  }
-  
-  // Check for react-router-dom in dedupe (recommended)
-  const hasDedupe = /dedupe\s*:\s*\[/.test(content);
-  if (hasDedupe) {
-    const dedupeArrayMatch = content.match(/dedupe\s*:\s*\[([^\]]*)\]/);
-    if (dedupeArrayMatch) {
-      const dedupeContent = dedupeArrayMatch[1];
-      if (!dedupeContent.includes('react-router-dom')) {
-        issues.push({
-          file: relativePath,
-          line: getLineNumber(content, dedupeArrayMatch[0]),
-          type: 'recommendation',
-          reason: 'Adding react-router-dom to resolve.dedupe is recommended to prevent Router context issues.',
-          recommendation: "Add 'react-router-dom' to resolve.dedupe array: dedupe: ['react', 'react-dom', 'react-router-dom']"
-        });
-      }
-    }
-  } else {
-    // Check if resolve exists
-    if (/resolve\s*:\s*\{/.test(content)) {
-      issues.push({
-        file: relativePath,
-        line: getLineNumber(content, /resolve\s*:/.exec(content)?.index || 1),
-        type: 'recommendation',
-        reason: 'Adding resolve.dedupe is recommended to prevent React context issues.',
-        recommendation: "Add dedupe: ['react', 'react-dom', 'react-router-dom'] to resolve config."
-      });
-    }
-  }
-  
-  // Check for react-router-dom in optimizeDeps.include (should be included, not excluded)
-  const hasOptimizeDepsInclude = /optimizeDeps\s*:\s*\{[\s\S]*?include/.test(content);
-  if (hasOptimizeDepsInclude) {
-    const includeArrayMatch = content.match(/include\s*:\s*\[([^\]]*)\]/);
-    if (includeArrayMatch) {
-      const includeContent = includeArrayMatch[1];
-      if (!includeContent.includes('react-router-dom')) {
-        issues.push({
-          file: relativePath,
-          line: getLineNumber(content, includeArrayMatch[0]),
-          type: 'recommendation',
-          reason: 'Including react-router-dom in pre-bundling is recommended to prevent module resolution issues.',
-          recommendation: "Add 'react-router-dom' to optimizeDeps.include array."
-        });
-      }
-    }
-  }
-  
-  // Warn if react-router-dom is in exclude (this causes "module is not defined" errors)
-  if (hasOptimizeDepsExclude) {
-    const excludeArrayMatch = content.match(/exclude\s*:\s*\[([^\]]*)\]/);
-    if (excludeArrayMatch) {
-      const excludeContent = excludeArrayMatch[1];
-      if (excludeContent.includes('react-router-dom')) {
-        issues.push({
-          file: relativePath,
-          line: getLineNumber(content, excludeArrayMatch[0]),
-          type: 'should-exclude',
-          reason: 'react-router-dom should NOT be excluded from pre-bundling. This causes "module is not defined" errors.',
-          recommendation: "Remove 'react-router-dom' from optimizeDeps.exclude array and add it to optimizeDeps.include instead."
-        });
-      }
-    }
-  }
-  
-  return issues;
-}
-
-// Scan Router setup in main entry files
-function scanRouterSetup(filePath, content, relativePath) {
-  const issues = [];
-  
-  // Only check main.tsx for BrowserRouter setup
-  // App.tsx might use Routes but doesn't define BrowserRouter
-  const isMainFile = relativePath.match(/^(src\/)?main\.(tsx?|jsx?)$/);
-  
-  if (isMainFile) {
-    // Check for BrowserRouter
-    const hasBrowserRouter = /BrowserRouter/.test(content);
-    if (!hasBrowserRouter) {
-      issues.push({
-        file: relativePath,
-        line: 1,
-        type: 'missing-router',
-        reason: 'BrowserRouter is required for pace-core components that use React Router hooks.',
-        recommendation: 'Import BrowserRouter from react-router-dom and wrap your app with it.'
-      });
-    }
-    
-    // Don't check nesting order here - that's handled in scanProviderSetup
-    // This function just checks if BrowserRouter exists
-  }
-  
-  // Check for Routes usage in any file (indicates Router context is needed)
-  // But only warn if it's in main.tsx and BrowserRouter is missing
-  const hasRoutes = /<Routes/.test(content) || /Routes/.test(content);
-  if (hasRoutes && isMainFile) {
-    const hasBrowserRouter = /BrowserRouter/.test(content);
-    if (!hasBrowserRouter) {
-      issues.push({
-        file: relativePath,
-        line: getLineNumber(content, /Routes/.exec(content)?.index || 0),
-        type: 'missing-router',
-        reason: 'Routes component requires BrowserRouter to provide Router context.',
-        recommendation: 'Wrap your app with BrowserRouter from react-router-dom.'
-      });
-    }
-  }
-  
-  return issues;
-}
-
-// Helper function to provide migration recommendations
-function getMigrationRecommendation(method, operation) {
-  const recommendations = {
-    secureQuery: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.from('table').select('*');`,
-    secureInsert: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.from('table').insert(data).select().single();`,
-    secureUpdate: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.from('table').update(data).eq('id', id).select().single();`,
-    secureDelete: `Replace with: const supabase = useSecureSupabase(); await supabase.from('table').delete().eq('id', id);`,
-    secureRpc: `Replace with: const supabase = useSecureSupabase(); const { data } = await supabase.rpc('function_name', params);`
-  };
-  
-  return recommendations[method] || `Replace with useSecureSupabase() and use standard Supabase ${operation} API`;
-}
-
-// Scan for unnecessary wrappers around pace-core components and local components
-function scanUnnecessaryWrappers(content, relativePath, manifest) {
-  const issues = [];
-  
-  // Check if file imports from pace-core
-  const paceCoreImportPattern = /import\s+{([^}]+)}\s+from\s+['"]@jmruthers\/pace-core['"]/;
-  const paceCoreImportMatch = content.match(paceCoreImportPattern);
-  
-  // Extract imported pace-core component names
-  let importedPaceCoreComponents = [];
-  if (paceCoreImportMatch) {
-    importedPaceCoreComponents = (paceCoreImportMatch[1] || '')
-      .split(',')
-      .map(name => name.trim().replace(/\s+as\s+\w+/, '')) // Remove aliases
-      .filter(name => manifest.components.includes(name));
-  }
-  
-  // Find exported component definitions
-  const componentPattern = /export\s+(default\s+)?(function|const)\s+(\w+)\s*[=\(]/g;
-  const componentMatches = [...content.matchAll(componentPattern)];
-  
-  componentMatches.forEach(match => {
-    const componentName = match[3];
-    const matchIndex = match.index;
-    
-    // Skip if it's a test file or example file
-    if (relativePath.includes('.test.') || relativePath.includes('.spec.') || 
-        relativePath.includes('example') || relativePath.includes('Example')) {
-      return;
-    }
-    
-    // Find the component body (simplified - just check if it's a simple wrapper)
-    const afterMatch = content.substring(matchIndex + match[0].length, Math.min(content.length, matchIndex + match[0].length + 500));
-    
-    // Check if body has significant logic
-    const hasHooks = /use[A-Z]\w+/.test(afterMatch);
-    const hasState = /useState|useReducer|useRef/.test(afterMatch);
-    const hasConditionals = /if\s*\(|&&|\?|switch/.test(afterMatch);
-    const hasMultipleReturns = (afterMatch.match(/return/g) || []).length > 1;
-    const hasLoops = /for\s*\(|while\s*\(|\.map\s*\(/.test(afterMatch);
-    
-    // Find JSX components used
-    const jsxComponentPattern = /<([A-Z][a-zA-Z0-9]*)[\s>\/]/g;
-    const jsxComponents = [];
-    let jsxMatch;
-    while ((jsxMatch = jsxComponentPattern.exec(afterMatch)) !== null) {
-      const jsxComponentName = jsxMatch[1];
-      if (jsxComponentName !== 'Fragment' && 
-          jsxComponentName !== componentName &&
-          !jsxComponents.includes(jsxComponentName)) {
-        jsxComponents.push(jsxComponentName);
-      }
-    }
-    
-    // Check if it's a simple wrapper
-    if (jsxComponents.length === 1) {
-      const wrappedComponent = jsxComponents[0];
-      const wrappedComponentCount = (afterMatch.match(new RegExp(`<${wrappedComponent}`, 'gi')) || []).length;
-      
-      const isSimpleWrapper = 
-        wrappedComponentCount <= 2 &&
-        !hasState &&
-        !hasLoops &&
-        (!hasMultipleReturns || (hasMultipleReturns && !hasConditionals)) &&
-        (!hasHooks || /use(UnifiedAuth|Permissions|Can|RBAC)/.test(afterMatch));
-      
-      if (isSimpleWrapper) {
-        const isPaceCoreComponent = importedPaceCoreComponents.includes(wrappedComponent);
-        
-        let reason, recommendation;
-        if (isPaceCoreComponent) {
-          reason = `Component '${componentName}' appears to be an unnecessary wrapper around pace-core's '${wrappedComponent}'.`;
-          recommendation = `Use '${wrappedComponent}' directly from '@jmruthers/pace-core' instead.`;
-        } else {
-          reason = `Component '${componentName}' appears to be an unnecessary wrapper around '${wrappedComponent}'.`;
-          recommendation = `Remove the wrapper and use '${wrappedComponent}' directly.`;
-        }
-        
-        issues.push({
-          component: componentName,
-          wrappedComponent: wrappedComponent,
-          file: relativePath,
-          line: getLineNumber(content, match[0]),
-          reason: reason,
-          recommendation: recommendation
-        });
-      }
-    }
-  });
-  
-  return issues;
-}
-
-// Scan file for violations
-function scanFile(filePath, manifest, projectRoot) {
-  const violations = {
-    restrictedImports: [],
-    duplicateComponents: [],
-    duplicateHooks: [],
-    duplicateUtils: [],
-    suggestions: [],
-    customAuthCode: [],
-    duplicateConfig: [],
-    unprotectedPages: [],
-    directSupabaseAuth: [],
-    directSupabaseClient: [], // Direct Supabase client usage instead of useSecureSupabase
-    deprecatedSecureDataAccess: [], // Deprecated useSecureDataAccess with secureQuery/secureInsert/etc
-    providerSetupIssues: [],
-    viteConfigIssues: [],
-    routerSetupIssues: [],
-    unnecessaryWrappers: [],
-    appDiscoveryIssues: []
-  };
-  
-  const content = fs.readFileSync(filePath, 'utf8');
-  const relativePath = getRelativePath(filePath, projectRoot);
-  
-  // Normalize path for cross-platform compatibility (handle both forward and backslash paths)
-  const normalizedPath = relativePath.replace(/\\/g, '/');
-  
-  // Skip Edge Functions - they run in Deno, not React, so React hooks aren't available
-  // Direct Supabase auth calls are the correct approach in Edge Functions
-  const isEdgeFunction = normalizedPath.includes('supabase/functions/');
-  
-  // Skip pace-core package files - compliance checks are for consuming applications, not the library itself
-  // The library must import these dependencies to build its components, and its own components/hooks/utils
-  // are the source of truth, not duplicates
-  const isPaceCorePackage = normalizedPath.includes('packages/core/') || normalizedPath.startsWith('packages/core/');
-  if (isPaceCorePackage) {
-    return violations; // Return empty violations for pace-core package files
-  }
-  
-  // Skip scripts directory - these are utility/setup scripts, not application code
-  // Scripts may legitimately need direct database access for admin operations
-  const isScript = normalizedPath.startsWith('scripts/') || normalizedPath.includes('/scripts/');
-  if (isScript) {
-    return violations; // Return empty violations for script files
-  }
-  
-  // Skip root-level src directory - in pace-core repository, this is a demo/showcase app, not a consuming app
-  // The audit is designed for consuming applications, not demo apps in the library repository
-  const isRootSrc = normalizedPath.startsWith('src/') && !normalizedPath.includes('packages/');
-  if (isRootSrc) {
-    return violations; // Return empty violations for root-level src files (demo apps)
-  }
-  
-  // Check for restricted imports
-  manifest.restrictedImports.forEach(({ module, reason }) => {
-    const importPattern = new RegExp(`from\\s+['"]${module.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}['"]`, 'g');
-    if (importPattern.test(content)) {
-      violations.restrictedImports.push({
-        module,
-        reason,
-        file: relativePath,
-        line: getLineNumber(content, content.match(importPattern)[0])
-      });
-    }
-    
-    // Also check for @radix-ui/* pattern
-    if (module.startsWith('@radix-ui/')) {
-      const radixPattern = /from\s+['"]@radix-ui\/[^'"]+['"]/g;
-      const matches = content.match(radixPattern);
-      if (matches) {
-        matches.forEach(match => {
-          const matchedModule = match.match(/['"]([^'"]+)['"]/)[1];
-          if (!manifest.restrictedImports.find(ri => ri.module === matchedModule)) {
-            violations.restrictedImports.push({
-              module: matchedModule,
-              reason: 'Use pace-core component instead of direct Radix UI import',
-              file: relativePath,
-              line: getLineNumber(content, match)
-            });
-          }
-        });
-      }
-    }
-  });
-  
-  // Check for duplicate component names
-  const filename = path.basename(filePath);
-  const componentName = filename.replace(/\.(tsx?|jsx?)$/, '').replace(/\.(test|spec)$/, '');
-  
-  if (manifest.components.includes(componentName)) {
-    // Check if this file exports a component
-    if (content.match(/export\s+(default\s+)?(function|const|class)\s+(\w+)?/)) {
-      violations.duplicateComponents.push({
-        component: componentName,
-        file: relativePath
-      });
-    }
-  }
-  
-  // Check for duplicate hook names
-  if (filename.startsWith('use') && filename.endsWith('.ts') || filename.endsWith('.tsx')) {
-    const hookName = filename.replace(/\.(tsx?|jsx?)$/, '').replace(/\.(test|spec)$/, '');
-    if (manifest.hooks.includes(hookName)) {
-      if (content.match(/export\s+(default\s+)?(function|const)\s+(\w+)?/)) {
-        violations.duplicateHooks.push({
-          hook: hookName,
-          file: relativePath
-        });
-      }
-    }
-  }
-  
-  // Check for duplicate util names
-  const utilName = filename.replace(/\.(ts|js)$/, '').replace(/\.(test|spec)$/, '');
-  if (manifest.utils.includes(utilName)) {
-    if (content.match(/export\s+(default\s+)?(function|const)\s+(\w+)?/)) {
-      violations.duplicateUtils.push({
-        util: utilName,
-        file: relativePath
-      });
-    }
-  }
-  
-  // Check for native HTML elements that should use pace-core components
-  const nativeElementPatterns = {
-    '<button': { suggestion: 'Use Button from @jmruthers/pace-core' },
-    '<input': { suggestion: 'Use Input from @jmruthers/pace-core' },
-    '<textarea': { suggestion: 'Use Textarea from @jmruthers/pace-core' },
-    '<label': { suggestion: 'Use Label from @jmruthers/pace-core' }
-  };
-  
-  Object.entries(nativeElementPatterns).forEach(([pattern, { suggestion }]) => {
-    if (content.includes(pattern) && !content.includes('from \'@jmruthers/pace-core\'')) {
-      violations.suggestions.push({
-        type: 'native-element',
-        suggestion,
-        file: relativePath,
-        pattern
-      });
-    }
-  });
-  
-  // ============================================
-  // RBAC/Auth Compliance Checks
-  // ============================================
-  
-  // Check if file imports from pace-core for auth/rbac (define at function scope)
-  const hasPaceCoreImport = /from\s+['"]@jmruthers\/pace-core/.test(content) || 
-                            /from\s+['"]@jmruthers\/pace-core\/rbac/.test(content) ||
-                            /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
-  
-  // Check for custom auth/rbac/permission code that doesn't import from pace-core
-  const authRbacPatterns = [
-    // Custom auth hooks
-    { pattern: /export\s+(default\s+)?(function|const)\s+useAuth\s*[=\(]/g, name: 'useAuth', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useCurrentUser\s*[=\(]/g, name: 'useCurrentUser', type: 'hook', replacement: 'useUnifiedAuth' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useLogin\s*[=\(]/g, name: 'useLogin', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useLogout\s*[=\(]/g, name: 'useLogout', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useSession\s*[=\(]/g, name: 'useSession', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useUser\s*[=\(]/g, name: 'useUser', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useAuthentication\s*[=\(]/g, name: 'useAuthentication', type: 'hook' },
-    // Custom RBAC hooks (that query RBAC tables directly)
-    { pattern: /export\s+(default\s+)?(function|const)\s+useUserOrganisationRoles\s*[=\(]/g, name: 'useUserOrganisationRoles', type: 'hook', replacement: 'useOrganisations or pace-core RBAC hooks' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useUserRoles\s*[=\(]/g, name: 'useUserRoles', type: 'hook', replacement: 'pace-core RBAC hooks' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+usePermissions\s*[=\(]/g, name: 'usePermissions', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useCan\s*[=\(]/g, name: 'useCan', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useAccessLevel\s*[=\(]/g, name: 'useAccessLevel', type: 'hook' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useRole\s*[=\(]/g, name: 'useRole', type: 'hook' },
-    // Custom RBAC components
-    { pattern: /export\s+(default\s+)?(function|const)\s+PermissionGuard\s*[=\(]/g, name: 'PermissionGuard', type: 'component' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+AuthGuard\s*[=\(]/g, name: 'AuthGuard', type: 'component' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+RoleGuard\s*[=\(]/g, name: 'RoleGuard', type: 'component' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+AccessGuard\s*[=\(]/g, name: 'AccessGuard', type: 'component' },
-    // Custom permission utilities
-    { pattern: /export\s+(default\s+)?(function|const)\s+checkPermission\s*[=\(]/g, name: 'checkPermission', type: 'util' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+hasPermission\s*[=\(]/g, name: 'hasPermission', type: 'util' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+hasAccess\s*[=\(]/g, name: 'hasAccess', type: 'util' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+canAccess\s*[=\(]/g, name: 'canAccess', type: 'util' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+isPermitted\s*[=\(]/g, name: 'isPermitted', type: 'util' }
-  ];
-  
-  authRbacPatterns.forEach(({ pattern, name, type, replacement }) => {
-    // Create a new regex instance to avoid state issues
-    const testPattern = new RegExp(pattern.source, pattern.flags);
-    if (testPattern.test(content)) {
-      // For custom RBAC hooks, check if they're actually using pace-core APIs
-      // If they use pace-core RBAC APIs (useRoleManagement, useSecureSupabase, etc.), they're compliant
-      const isCustomRBACHook = [
-        'useUserRoles',
-        'useUserOrganisationRoles',
-        'useRoleMutations',
-        'usePermissions',
-        'useCan',
-        'useAccessLevel',
-        'useRole'
-      ].includes(name);
-      
-      // Check if the hook uses pace-core RBAC APIs (use a fresh regex to avoid state issues)
-      const rbacApiPattern = /useRoleManagement|useSecureSupabase|useRBAC|usePermissions|useCan|rbac_role_grant|rbac_role_revoke|rbac_roles_list|data_rbac_apps_list/;
-      const usesPaceCoreRBAC = isCustomRBACHook && rbacApiPattern.test(content);
-      
-      // Check for @pace-core-compliant comment (use a fresh regex)
-      const compliancePattern = /@pace-core-compliant|pace-core-compliant/i;
-      const hasComplianceComment = compliancePattern.test(content);
-      
-      // If it's a custom RBAC hook but uses pace-core APIs or has compliance comment, skip it
-      if (isCustomRBACHook && (usesPaceCoreRBAC || hasComplianceComment)) {
-        // This hook is compliant - it uses pace-core APIs
-        return; // Skip to next pattern
-      }
-      
-      // Flag custom RBAC hooks even if they import from pace-core (they're still duplicating functionality)
-      // For other hooks, only flag if they don't import from pace-core
-      if (isCustomRBACHook || !hasPaceCoreImport) {
-        const replacementName = replacement || name;
-        const reason = isCustomRBACHook
-          ? `Custom ${type} '${name}' detected that duplicates pace-core functionality. Even though it may use some pace-core utilities, it implements custom role/permission management logic that should use pace-core APIs instead.`
-          : `Custom ${type} '${name}' detected. Use pace-core's ${replacementName} instead.`;
-        
-        violations.customAuthCode.push({
-          name,
-          type,
-          file: relativePath,
-          line: getLineNumber(content, content.match(pattern)[0]),
-          reason: reason,
-          replacement: replacementName,
-          severity: 'error'
-        });
-      }
-    }
-  });
-  
-  // Check for duplicate Supabase client configurations
-  const supabaseCreateClientPattern = /createClient\s*\(/g;
-  const supabaseCreateClientMatches = content.match(supabaseCreateClientPattern);
-  if (supabaseCreateClientMatches && supabaseCreateClientMatches.length > 1) {
-    violations.duplicateConfig.push({
-      type: 'supabase-client',
-      file: relativePath,
-      count: supabaseCreateClientMatches.length,
-      reason: `Multiple Supabase client instantiations found (${supabaseCreateClientMatches.length}). Consolidate to a single client configuration.`
-    });
-  }
-  
-  // Check for Supabase URL/key configuration in multiple places
-  // This check is designed to catch actual duplication, not centralized config files.
-  // A centralized config file may legitimately reference env vars multiple times:
-  // - Reading from import.meta.env or process.env
-  // - Validation/error messages
-  // - Using in createClient
-  // - Comments/documentation
-  const supabaseUrlPattern = /(SUPABASE_URL|VITE_SUPABASE_URL|NEXT_PUBLIC_SUPABASE_URL|REACT_APP_SUPABASE_URL)/g;
-  const supabaseKeyPattern = /(SUPABASE_ANON_KEY|VITE_SUPABASE_PUBLISHABLE_KEY|NEXT_PUBLIC_SUPABASE_PUBLISHABLE_KEY|REACT_APP_SUPABASE_PUBLISHABLE_KEY)/g;
-  const urlMatches = content.match(supabaseUrlPattern);
-  const keyMatches = content.match(supabaseKeyPattern);
-  
-  // Check if this looks like a centralized config file
-  // Config files typically:
-  // - Have "config" or "supabase" or "client" in the path
-  // - Have a single createClient call (or none, if it's just exporting env vars)
-  // - Export the env vars or the client (indicating it's the centralized location)
-  const isConfigFile = /config|supabase|client/i.test(relativePath);
-  const hasSingleCreateClient = supabaseCreateClientMatches && supabaseCreateClientMatches.length === 1;
-  const hasNoCreateClient = !supabaseCreateClientMatches || supabaseCreateClientMatches.length === 0;
-  
-  // Check if file exports env vars or client (strong indicator of centralized config)
-  // Matches: export const SUPABASE_URL = ...; export { SUPABASE_URL }; export const supabase = ...
-  const exportsEnvVars = /export\s+(const|let|var|{)\s*(SUPABASE_URL|SUPABASE_ANON_KEY|supabase)/.test(content) ||
-                         /export\s*{\s*[^}]*\b(SUPABASE_URL|SUPABASE_ANON_KEY|supabase)\b/.test(content);
-  const exportsClient = /export\s+(const|let|var)\s+supabase\s*=/.test(content) ||
-                        /export\s*{\s*[^}]*\bsupabase\b/.test(content);
-  
-  // A file is considered a centralized config if:
-  // 1. It's in a config/supabase/client path, AND
-  // 2. Has a single createClient call (typical centralized config), OR
-  // 3. Has no createClient but references env vars (env-only config file), OR
-  // 4. Exports env vars or the client (indicating it's the centralized location)
-  // The path name is the primary indicator - if it's in a config path, trust it
-  const looksLikeCentralizedConfig = isConfigFile && (
-    hasSingleCreateClient || 
-    (hasNoCreateClient && (urlMatches || keyMatches)) ||
-    exportsEnvVars ||
-    exportsClient
-  );
-  
-  // Only flag if:
-  // 1. Multiple createClient calls (already handled above), OR
-  // 2. Many references (10+) in a file that doesn't look like a centralized config
-  // Config files are allowed to have many references (read, validate, use, errors, comments, etc.)
-  const threshold = looksLikeCentralizedConfig ? 20 : 5;
-  
-  if (!looksLikeCentralizedConfig && 
-      ((urlMatches && urlMatches.length > threshold) || 
-       (keyMatches && keyMatches.length > threshold))) {
-    violations.duplicateConfig.push({
-      type: 'supabase-env',
-      file: relativePath,
-      reason: `Supabase environment variables referenced many times (${urlMatches?.length || keyMatches?.length || 0}). If this is a centralized config file, consider moving it to a file with 'config', 'supabase', or 'client' in the path, or export the values to indicate it's the centralized location.`
-    });
-  }
-  
-  // Check for unprotected pages/routes
-  // Look for route definitions without PagePermissionGuard
-  const routePatterns = [
-    /<Route\s+path=["'][^"']+["']/g,
-    /<Route\s+element\s*=/g,
-    /createBrowserRouter\s*\(/g,
-    /createRoutesFromElements/g
-  ];
-  
-  const isRouteFile = routePatterns.some(pattern => pattern.test(content));
-  const hasPagePermissionGuard = /PagePermissionGuard/.test(content) || 
-                                  /from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(content);
-  
-  if (isRouteFile && !hasPagePermissionGuard && !relativePath.includes('test') && !relativePath.includes('spec')) {
-    violations.unprotectedPages.push({
-      file: relativePath,
-      reason: 'Route file found without PagePermissionGuard. All routes should be protected with PagePermissionGuard from pace-core.'
-    });
-  }
-  
-  // Check for direct Supabase auth usage (should use UnifiedAuthProvider)
-  // This includes all variations: supabase.auth.getUser(), client.auth.getUser(), etc.
-  // Priority patterns - these are the most common violations
-  // Using multiple patterns to catch all variations
-  
-  // Skip Edge Functions - they run in Deno, not React, so React hooks are not available
-  // Edge Functions MUST use direct supabase.auth.getUser() calls - this is correct and required
-  // isEdgeFunction is already defined above
-  
-  // Other auth patterns - defined here so it's accessible in all scopes
-  const otherAuthPatterns = [
-    { pattern: /\.auth\.signIn\s*\(/g, method: 'signIn' },
-    { pattern: /\.auth\.signUp\s*\(/g, method: 'signUp' },
-    { pattern: /\.auth\.signOut\s*\(/g, method: 'signOut' },
-    { pattern: /\.auth\.onAuthStateChange\s*\(/g, method: 'onAuthStateChange' }
-  ];
-  
-  // Check if file actually uses useUnifiedAuth hook (not just imports it)
-  // Define these at function scope so they're available throughout
-  const usesUnifiedAuthHook = /useUnifiedAuth\s*\(/.test(content);
-  const hasUnifiedAuthImport = /UnifiedAuthProvider/.test(content) || 
-                               /useUnifiedAuth/.test(content) ||
-                               /from\s+['"]@jmruthers\/pace-core\/providers/.test(content);
-  
-  // Skip all auth checks for Edge Functions - they cannot use React hooks
-  if (isEdgeFunction) {
-    // Edge Functions use service role client or direct auth calls - correct pattern
-    // Don't flag these as violations
-  } else {
-    // Only check for direct auth usage in client-side code (React components, hooks, etc.)
-    const priorityAuthPatterns = [
-    // Most specific patterns first
-    { pattern: /supabase\.auth\.getUser\s*\(/g, method: 'getUser', specific: true },
-    { pattern: /supabase\.auth\.getSession\s*\(/g, method: 'getSession', specific: true },
-    // Also catch with await or const destructuring
-    { pattern: /await\s+supabase\.auth\.getUser\s*\(/g, method: 'getUser', specific: true },
-    { pattern: /await\s+supabase\.auth\.getSession\s*\(/g, method: 'getSession', specific: true },
-    { pattern: /const\s+[^=]*=\s*supabase\.auth\.getUser\s*\(/g, method: 'getUser', specific: true },
-    { pattern: /const\s+[^=]*=\s*supabase\.auth\.getSession\s*\(/g, method: 'getSession', specific: true },
-    // Generic patterns for other variable names
-    { pattern: /\w+\.auth\.getUser\s*\(/g, method: 'getUser', specific: false },
-    { pattern: /\w+\.auth\.getSession\s*\(/g, method: 'getSession', specific: false }
-  ];
-    
-    // Check for usage of useCurrentUser hook (even if imported from local file)
-    // This catches both local imports and direct usage
-    const useCurrentUserImportPattern = /import\s+.*useCurrentUser.*from\s+['"][^'"]*['"]/g;
-    const useCurrentUserUsagePattern = /useCurrentUser\s*\(/g;
-    
-    // Check for local import (not from pace-core)
-    const useCurrentUserImportMatch = content.match(useCurrentUserImportPattern);
-    if (useCurrentUserImportMatch) {
-      const isFromPaceCore = useCurrentUserImportMatch.some(match => match.includes('@jmruthers/pace-core'));
-      if (!isFromPaceCore) {
-        useCurrentUserImportMatch.forEach(match => {
-          violations.customAuthCode.push({
-            name: 'useCurrentUser import',
-            type: 'hook import',
-            file: relativePath,
-            line: getLineNumber(content, match),
-            reason: 'useCurrentUser imported from local file. Replace with useUnifiedAuth from pace-core.',
-            replacement: 'useUnifiedAuth from @jmruthers/pace-core'
-          });
-        });
-      }
-    }
-    
-    // Check for usage (even if imported)
-    const useCurrentUserUsageMatches = content.match(useCurrentUserUsagePattern);
-    if (useCurrentUserUsageMatches && !usesUnifiedAuthHook) {
-      useCurrentUserUsageMatches.forEach(match => {
-        violations.customAuthCode.push({
-          name: 'useCurrentUser',
-          type: 'hook usage',
-          file: relativePath,
-          line: getLineNumber(content, match),
-          reason: 'useCurrentUser hook usage detected. Replace with useUnifiedAuth from pace-core.',
-          replacement: 'useUnifiedAuth'
-        });
-      });
-    }
-    
-    // Check priority patterns first (getUser, getSession) - these should always be flagged
-  // Use exec in a loop to get all matches with their correct positions
-  priorityAuthPatterns.forEach(({ pattern, method, specific }) => {
-    // Reset regex for each pattern
-    const regex = new RegExp(pattern.source, pattern.flags);
-    regex.lastIndex = 0; // Reset to start
-    
-    let match;
-    while ((match = regex.exec(content)) !== null) {
-      // Prevent infinite loops on zero-length matches
-      if (match.index === regex.lastIndex) {
-        regex.lastIndex++;
-        continue;
-      }
-      
-      const matchIndex = match.index;
-      const matchText = match[0];
-      
-      // Simple comment check - only skip if clearly in a line comment
-      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
-      const lineUpToMatch = content.substring(lineStart, matchIndex);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      // Only skip if clearly in a comment - be conservative
-      // Also skip Edge Functions - they run in Deno, not React, so React hooks aren't available
-      if (!isInLineComment && !isEdgeFunction) {
-        violations.directSupabaseAuth.push({
-          file: relativePath,
-          line: getLineNumber(content, matchText),
-          reason: `Direct Supabase auth usage detected (${method}). Use useUnifiedAuth hook from pace-core instead.`,
-          method,
-          recommendation: specific 
-            ? method === 'getUser' 
-              ? `Replace with: const { user } = useUnifiedAuth(); then use user?.id instead of calling supabase.auth.getUser()`
-              : `Replace with: const { session } = useUnifiedAuth(); then use session?.access_token instead of calling supabase.auth.getSession()`
-            : `Use useUnifiedAuth hook from @jmruthers/pace-core instead of direct auth calls`
-        });
-      }
-    }
-  });
-  } // End of else block for non-Edge Functions
-  
-  // Additional simple pattern check as fallback - look for literal strings
-  // Skip for Edge Functions
-  if (!isEdgeFunction) {
-  // This catches cases where the regex might miss due to formatting
-  const simpleAuthPatterns = [
-    { search: 'supabase.auth.getUser(', method: 'getUser' },
-    { search: 'supabase.auth.getSession(', method: 'getSession' }
-  ];
-  
-  simpleAuthPatterns.forEach(({ search, method }) => {
-    let searchIndex = 0;
-    while ((searchIndex = content.indexOf(search, searchIndex)) !== -1) {
-      // Skip if in a line comment
-      const lineStart = content.lastIndexOf('\n', searchIndex) + 1;
-      const lineUpToMatch = content.substring(lineStart, searchIndex);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      // Skip Edge Functions - they run in Deno, not React, so React hooks aren't available
-      if (!isInLineComment && !isEdgeFunction) {
-        // Calculate line number from index
-        const lineNum = content.substring(0, searchIndex).split('\n').length;
-        
-        // Check if we already reported this (might overlap with regex matches)
-        const alreadyReported = violations.directSupabaseAuth.some(v => 
-          v.file === relativePath && 
-          Math.abs(v.line - lineNum) <= 2
-        );
-        
-        if (!alreadyReported) {
-          violations.directSupabaseAuth.push({
-            file: relativePath,
-            line: lineNum,
-            reason: `Direct Supabase auth usage detected (${method}). Use useUnifiedAuth hook from pace-core instead.`,
-            method,
-            recommendation: method === 'getUser' 
-              ? `Replace with: const { user } = useUnifiedAuth(); then use user?.id instead of calling supabase.auth.getUser()`
-              : `Replace with: const { session } = useUnifiedAuth(); then use session?.access_token instead of calling supabase.auth.getSession()`
-          });
-        }
-      }
-      
-      searchIndex += search.length; // Move past this match
-    }
-  });
-  } // End of Edge Function check for simple patterns
-  
-  // Check other auth patterns - flag if not using useUnifiedAuth
-  // Skip for Edge Functions
-  if (!isEdgeFunction) {
-  otherAuthPatterns.forEach(({ pattern, method }) => {
-    let match;
-    const regex = new RegExp(pattern.source, pattern.flags);
-    
-    while ((match = regex.exec(content)) !== null) {
-      // Prevent infinite loops on zero-length matches
-      if (match.index === regex.lastIndex) {
-        regex.lastIndex++;
-      }
-      
-      const matchIndex = match.index;
-      const matchText = match[0];
-      
-      // Skip if this is in a comment or string literal
-      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
-      const lineBeforeMatch = content.substring(lineStart, matchIndex);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineBeforeMatch);
-      const beforeMatch = content.substring(Math.max(0, matchIndex - 100), matchIndex);
-      const afterMatch = content.substring(matchIndex, Math.min(content.length, matchIndex + matchText.length + 50));
-      const isInBlockComment = /\/\*[\s\S]*?\*\//.test(beforeMatch + matchText + afterMatch);
-      
-      // Check if it's in a string literal
-      const beforeQuotes = content.substring(0, matchIndex);
-      const singleQuotes = (beforeQuotes.match(/'/g) || []).length;
-      const doubleQuotes = (beforeQuotes.match(/"/g) || []).length;
-      const backticks = (beforeQuotes.match(/`/g) || []).length;
-      const isInString = (singleQuotes % 2 === 1 && beforeMatch.endsWith("'")) ||
-                        (doubleQuotes % 2 === 1 && beforeMatch.endsWith('"')) ||
-                        (backticks % 2 === 1 && beforeMatch.endsWith('`'));
-      
-      // Skip Edge Functions - they run in Deno, not React, so React hooks aren't available
-      if (!isInLineComment && !isInBlockComment && !isInString && !usesUnifiedAuthHook && !isEdgeFunction) {
-        violations.directSupabaseAuth.push({
-          file: relativePath,
-          line: getLineNumber(content, matchText),
-          reason: `Direct Supabase auth usage detected (${method}). Use UnifiedAuthProvider and useUnifiedAuth from pace-core instead.`,
-          method
-        });
-      }
-    }
-  });
-  } // End of Edge Function check for other auth patterns
-  
-  // Check for direct RBAC table queries (should use pace-core RBAC APIs/RPC functions)
-  // List of all RBAC tables with specific recommendations
-  const rbacTables = [
-    // Core RBAC tables - should use pace-core APIs
-    { name: 'rbac_organisation_roles', type: 'role', recommendation: 'Use rbac_role_grant/rbac_role_revoke RPC functions for mutations, or useOrganisations hook for queries' },
-    { name: 'rbac_event_app_roles', type: 'role', recommendation: 'Use rbac_role_grant/rbac_role_revoke RPC functions for mutations, or pace-core RBAC APIs (useRBAC, usePermissions) for queries' },
-    { name: 'rbac_global_roles', type: 'role', recommendation: 'Use rbac_role_grant/rbac_role_revoke RPC functions for mutations, or pace-core RBAC APIs (useRBAC) for queries' },
-    { name: 'rbac_apps', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs' },
-    { name: 'rbac_app_pages', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core permission management APIs or PagePermissionGuard' },
-    { name: 'rbac_page_permissions', type: 'config', recommendation: 'For admin operations, use useSecureSupabase. For application use, use pace-core permission management APIs or PagePermissionGuard' },
-    { name: 'rbac_user_units', type: 'user_data', recommendation: 'Use useSecureSupabase. For reading, consider data_user_unit_get RPC function' },
-    // User data tables - acceptable to query but must use secure methods
-    { name: 'rbac_user_profiles', type: 'user_data', recommendation: 'Use useSecureSupabase from pace-core to ensure organisation context is enforced' },
-    { name: 'rbac_user_login_history', type: 'audit', recommendation: 'Use useSecureSupabase from pace-core. Login history is automatically tracked by UnifiedAuthProvider, but queries should use secure methods' },
-    { name: 'rbac_user_sessions', type: 'session', recommendation: 'Use useSecureSupabase from pace-core to ensure organisation context is enforced' }
-  ];
-  
-  // Detect admin/management context
-  const isAdminContext = 
-    relativePath.includes('/admin/') ||
-    relativePath.includes('/superadmin/') ||
-    relativePath.includes('/permissions/') ||
-    relativePath.includes('/management/') ||
-    /(Admin|Manager|Management|Permissions)[^/]*\.(tsx?|jsx?)$/.test(relativePath);
-  
-  // Multiple patterns to catch all variations
-  const rbacTablePatterns = [
-    /\.from\s*\(\s*['"]rbac_/g,  // .from('rbac_ or .from("rbac_
-    /from\s*\(\s*['"]rbac_/g,     // from('rbac_ (without dot)
-    /\.select\s*\([^)]*from\s+['"]rbac_/g,  // .select(...).from('rbac_
-    /supabase\.from\s*\(\s*['"]rbac_/g  // supabase.from('rbac_
-  ];
-  
-  // Check if file uses pace-core RBAC APIs (if it does, direct queries might be acceptable in some cases)
-  // But we still want to flag them as they should use the APIs
-  const hasRBACImport = /from\s+['"]@jmruthers\/pace-core\/rbac/.test(content) ||
-                        /useRBAC/.test(content) ||
-                        /usePermissions/.test(content) ||
-                        /useSecureSupabase/.test(content) ||
-                        /PagePermissionGuard/.test(content);
-  
-  // Check if file destructures secure methods (deprecated secureQuery/secureInsert/etc from useSecureDataAccess)
-  const hasSecureMethods = /(const|let)\s*\{[^}]*secure(Query|Update|Insert|Delete)/.test(content) ||
-                          /secure(Query|Update|Insert|Delete)\s*\(/.test(content);
-  
-  // First, identify all variables assigned from secure hooks
-  // Match patterns like: const supabase = useSecureSupabase();
-  // Also detect fromSupabaseClient and wrapper patterns
-  const secureVariablePatterns = [
-    /const\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g,
-    /let\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g,
-    /(\w+)\s*=\s*useSecureSupabase\s*\(/g,
-    // Detect fromSupabaseClient usage
-    /const\s+(\w+)\s*=\s*fromSupabaseClient\s*\(/g,
-    /let\s+(\w+)\s*=\s*fromSupabaseClient\s*\(/g,
-    /(\w+)\s*=\s*fromSupabaseClient\s*\(/g
-  ];
-  
-  // Check for fromSupabaseClient import
-  const hasFromSupabaseClientImport = /import.*fromSupabaseClient.*from\s+['"]@jmruthers\/pace-core\/rbac/.test(content);
-  
-  // Check for wrapper functions that use fromSupabaseClient
-  // Pattern: function/hook that imports fromSupabaseClient and returns a client
-  const wrapperFunctionPattern = /(export\s+)?(function|const)\s+(\w+)\s*[=\(][\s\S]{0,500}fromSupabaseClient/g;
-  const wrapperMatches = content.match(wrapperFunctionPattern);
-  const wrapperFunctionNames = new Set();
-  if (wrapperMatches) {
-    wrapperMatches.forEach(match => {
-      const funcMatch = match.match(/(?:function|const)\s+(\w+)\s*[=\(]/);
-      if (funcMatch && funcMatch[1]) {
-        wrapperFunctionNames.add(funcMatch[1]);
-      }
-    });
-  }
-  
-  // Also check for useSecureClient or similar wrapper patterns
-  const useSecureClientPattern = /(const|let)\s+(\w+)\s*=\s*useSecureClient\s*\(/g;
-  let useSecureClientMatch;
-  while ((useSecureClientMatch = useSecureClientPattern.exec(content)) !== null) {
-    if (useSecureClientMatch[2] && hasFromSupabaseClientImport) {
-      // If useSecureClient is used and file imports fromSupabaseClient, it's likely a wrapper
-      wrapperFunctionNames.add(useSecureClientMatch[2]);
-    }
-  }
-  
-  const secureVariables = new Set();
-  secureVariablePatterns.forEach(pattern => {
-    let match;
-    const regex = new RegExp(pattern.source, pattern.flags);
-    regex.lastIndex = 0;
-    while ((match = regex.exec(content)) !== null) {
-      if (match[1]) {
-        secureVariables.add(match[1]);
-        // Debug: log detected secure variables (can be removed later)
-        // console.log(`Detected secure variable: ${match[1]} from pattern ${pattern.source}`);
-      }
-    }
-  });
-  
-  // Also check for variables assigned from useSecureSupabase with different names
-  // Pattern: const <anyName> = useSecureSupabase();
-  const anySecureSupabasePattern = /(const|let)\s+(\w+)\s*=\s*useSecureSupabase\s*\(/g;
-  let anySecureMatch;
-  while ((anySecureMatch = anySecureSupabasePattern.exec(content)) !== null) {
-    if (anySecureMatch[2]) {
-      secureVariables.add(anySecureMatch[2]);
-    }
-  }
-  
-  // Add wrapper function return values to secure variables
-  wrapperFunctionNames.forEach(wrapperName => {
-    // Find variables assigned from wrapper functions
-    const wrapperUsagePattern = new RegExp(`(const|let)\\s+(\\w+)\\s*=\\s*${wrapperName}\\s*\\(`, 'g');
-    let wrapperUsageMatch;
-    while ((wrapperUsageMatch = wrapperUsagePattern.exec(content)) !== null) {
-      if (wrapperUsageMatch[2]) {
-        secureVariables.add(wrapperUsageMatch[2]);
-      }
-    }
-  });
-  
-  // Debug: Log detected secure variables (only in verbose mode if needed)
-  // For now, we'll trust the detection works
-  
-  // Check each RBAC table specifically
-  rbacTables.forEach(({ name: tableName, type, recommendation }) => {
-    // Pattern to match the table name in a .from() call
-    // Match: variable.from('table_name') or variable\n.from('table_name') (handles newlines)
-    // First, find all .from('table_name') calls
-    const fromPattern = new RegExp(`\\.from\\s*\\(\\s*['"]${tableName.replace(/_/g, '\\_')}['"]`, 'g');
-    let match;
-    const regex = new RegExp(fromPattern.source, fromPattern.flags);
-    regex.lastIndex = 0;
-    
-    // Also check for secureQuery/secureUpdate/secureInsert/secureDelete calls
-    // Pattern: secureQuery('table_name', ...) or secureUpdate('table_name', ...)
-    const secureQueryPattern = new RegExp(`(secureQuery|secureUpdate|secureInsert|secureDelete)\\s*\\(\\s*['"]${tableName.replace(/_/g, '\\_')}['"]`, 'g');
-    let secureMatch;
-    const secureRegex = new RegExp(secureQueryPattern.source, secureQueryPattern.flags);
-    secureRegex.lastIndex = 0;
-    
-    while ((match = regex.exec(content)) !== null) {
-      if (match.index === regex.lastIndex) {
-        regex.lastIndex++;
-        continue;
-      }
-      
-      const matchIndex = match.index;
-      
-      // Look backwards to find the variable name (handle newlines and whitespace)
-      // Look back up to 200 characters to find the variable
-      const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
-      // Find the last word/identifier before .from
-      // Split by .from and get the last part, then extract the last word
-      const parts = beforeMatch.split('.from');
-      let variableName = null;
-      if (parts.length > 0) {
-        const beforeFrom = parts[parts.length - 1].trim();
-        // Extract the last word (identifier) from the string before .from
-        // Handle cases like: "supabase\n  " or "await supabase\n  " or "supabase"
-        const words = beforeFrom.match(/\b\w+\b/g);
-        if (words && words.length > 0) {
-          variableName = words[words.length - 1];
-        }
-      }
-      
-      // Skip if in a line comment
-      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
-      const lineUpToMatch = content.substring(lineStart, matchIndex);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      if (!isInLineComment && variableName) {
-        const lineNumber = content.substring(0, matchIndex).split('\n').length;
-        const isUserDataOrAudit = type === 'user_data' || type === 'audit';
-        const isConfigTable = type === 'config';
-        
-        // Check if the variable comes from a secure hook
-        // Check both the secureVariables set and also check if the variable is assigned from useSecureSupabase
-        // Escape special regex characters in variable name and use multiline flag to handle newlines
-        const escapedVarName = variableName ? variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') : '';
-        
-        // Check if variable is declared locally (const/let = useSecureSupabase())
-        const isDeclaredSecure = secureVariables.has(variableName) ||
-          (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content));
-        
-        // Check if variable is passed as function parameter with secure type annotation
-        // Look for function signatures with type annotations indicating secure client
-        const isParameterSecure = variableName && (
-          // Check in beforeMatch (200 chars before) for parameter type annotations
-          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(beforeMatch) ||
-          // Check full content for function signatures with secure type annotations
-          new RegExp(`(function|=>|async\\s+function|const\\s+\\w+\\s*=\\s*(async\\s+)?(function|=>))[^(]*\\([^)]*\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(content) ||
-          // Check for ReturnType<typeof import pattern (common in TypeScript)
-          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*ReturnType.*useSecureSupabase`, 'm').test(content) ||
-          // Check for NonNullable<ReturnType<typeof useSecureSupabase>> pattern
-          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*NonNullable.*ReturnType.*useSecureSupabase`, 'm').test(content)
-        );
-        
-        // Check for common secure variable names (heuristic for secure usage)
-        const isSecureVariableName = variableName && /^(secureSupabase|secureClient|secureDb|secure)$/i.test(variableName);
-        
-        // Check for comments indicating secure usage (pace-core-compliant, useSecureSupabase, etc.)
-        // Also check for @pace-core-compliant annotation which can suppress false positives
-        const hasSecureComment = variableName && (
-          // Check in beforeMatch for comments
-          new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(beforeMatch) ||
-          // Check for comments on previous lines (up to 10 lines back for better coverage)
-          (() => {
-            const lines = content.substring(0, matchIndex).split('\n');
-            const recentLines = lines.slice(Math.max(0, lines.length - 10)).join('\n');
-            return new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(recentLines);
-          })()
-        );
-        
-        // Check for @pace-core-compliant annotation on the same line or previous lines (suppression mechanism)
-        const hasComplianceAnnotation = (() => {
-          const lines = content.substring(0, matchIndex).split('\n');
-          const currentLineIdx = lines.length - 1;
-          // Check current line and up to 3 previous lines for @pace-core-compliant
-          const checkLines = lines.slice(Math.max(0, currentLineIdx - 3), currentLineIdx + 1);
-          return new RegExp(`@pace-core-compliant`, 'i').test(checkLines.join('\n'));
-        })();
-        
-        // Combine all checks
-        // If @pace-core-compliant annotation is present, trust it (suppression mechanism)
-        const isUsingSecureVariable = hasComplianceAnnotation || isDeclaredSecure || isParameterSecure || (isSecureVariableName && hasSecureComment);
-        
-        // Determine severity based on context
-        let severity = 'error';
-        let reason = '';
-        
-        if (isUserDataOrAudit) {
-          if (isUsingSecureVariable) {
-            // Correct usage - skip it
-            continue;
-          } else {
-            severity = 'error';
-            reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase to ensure organisation context is enforced and RLS policies are respected.`;
-          }
-        } else if (isConfigTable) {
-          if (isUsingSecureVariable) {
-            // Using secure methods for config tables - acceptable (admin operations or hooks using secure methods)
-            // Don't flag if using secure methods, regardless of admin context
-            continue;
-          } else if (isAdminContext) {
-            // Admin operations without secure methods - warning
-            severity = 'warning';
-            reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase for security.`;
-          } else {
-            // Not admin context and not using secure methods - error
-            severity = 'error';
-            reason = `Direct query to RBAC configuration table '${tableName}' detected. These are system configuration tables. For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs.`;
-          }
-        } else {
-          // Role/permission tables - always error, even in admin context
-          // These should use pace-core APIs or RPC functions, not direct queries
-          severity = 'error';
-          reason = `Direct query to RBAC role/permission table '${tableName}' detected. Use pace-core RBAC APIs (useRBAC, usePermissions) or RPC functions (rbac_role_grant, rbac_role_revoke, rbac_roles_list) instead of direct queries, even in admin contexts.`;
-        }
-        
-        violations.customAuthCode.push({
-          name: `Direct RBAC table query (${tableName})`,
-          type: 'rbac query',
-          file: relativePath,
-          line: lineNumber,
-          reason: reason,
-          replacement: recommendation,
-          severity: severity
-        });
-      }
-    }
-    
-    // Check for secureQuery/secureUpdate/secureInsert/secureDelete calls
-    while ((secureMatch = secureRegex.exec(content)) !== null) {
-      if (secureMatch.index === secureRegex.lastIndex) {
-        secureRegex.lastIndex++;
-        continue;
-      }
-      
-      const secureMatchIndex = secureMatch.index;
-      const secureMethod = secureMatch[1]; // secureQuery, secureUpdate, etc.
-      
-      // Skip if in a line comment
-      const secureLineStart = content.lastIndexOf('\n', secureMatchIndex) + 1;
-      const secureLineUpToMatch = content.substring(secureLineStart, secureMatchIndex);
-      const isSecureInLineComment = /\/\/[^\n]*$/.test(secureLineUpToMatch);
-      
-      if (!isSecureInLineComment) {
-        const secureLineNumber = content.substring(0, secureMatchIndex).split('\n').length;
-        const isUserDataOrAudit = type === 'user_data' || type === 'audit';
-        const isConfigTable = type === 'config';
-        const isRoleTable = type === 'role';
-        
-        // Determine severity - role tables should always be errors (should use pace-core APIs)
-        // Config tables in admin context with secure methods are acceptable
-        // User data/audit tables with secure methods are acceptable
-        let severity = 'error';
-        let reason = '';
-        
-        if (isRoleTable) {
-          // Role tables should use pace-core APIs, not secureQuery
-          severity = 'error';
-          reason = `Direct query to RBAC role table '${tableName}' using ${secureMethod} detected. Role tables should use pace-core RBAC APIs (useRBAC, usePermissions) or RPC functions (rbac_role_grant, rbac_role_revoke, rbac_roles_list) instead of direct queries.`;
-        } else if (isUserDataOrAudit) {
-          // User data/audit tables with secure methods are acceptable
-          continue; // Skip - this is correct usage
-        } else if (isConfigTable) {
-          // Config tables using secure methods - acceptable for admin operations
-          // If using secureQuery/secureUpdate/etc., it's already using secure methods
-          if (isAdminContext) {
-            // Config tables in admin context - acceptable
-            continue; // Skip - this is correct usage for admin operations
-          } else {
-            severity = 'error';
-            reason = `Direct query to RBAC configuration table '${tableName}' using ${secureMethod} detected. These are system configuration tables. For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs.`;
-          }
-        } else {
-          severity = 'error';
-          reason = `Direct query to RBAC table '${tableName}' using ${secureMethod} detected. Use pace-core RBAC APIs instead.`;
-        }
-        
-        violations.customAuthCode.push({
-          name: `Direct RBAC table query via ${secureMethod} (${tableName})`,
-          type: 'rbac query',
-          file: relativePath,
-          line: secureLineNumber,
-          reason: reason,
-          replacement: recommendation,
-          severity: severity
-        });
-      }
-    }
-  });
-  
-  // Also check generic pattern as fallback (for patterns that might not match the specific table patterns)
-  rbacTablePatterns.forEach(pattern => {
-    let match;
-    const regex = new RegExp(pattern.source, pattern.flags);
-    regex.lastIndex = 0;
-    
-    while ((match = regex.exec(content)) !== null) {
-      if (match.index === regex.lastIndex) {
-        regex.lastIndex++;
-        continue;
-      }
-      
-      const matchIndex = match.index;
-      const matchText = match[0];
-      
-      // Check if this is an edge function (supabase/functions directory) - check early to skip
-      // Handle both forward and backslash paths (Windows vs Unix)
-      const normalizedPath = relativePath.replace(/\\/g, '/');
-      const isEdgeFunction = normalizedPath.includes('supabase/functions/');
-      
-      // Skip edge functions - they use service role client which is correct for server-side operations
-      if (isEdgeFunction) {
-        continue; // Edge functions use service role client - correct pattern
-      }
-      
-      // Extract table name
-      const afterMatch = content.substring(matchIndex, Math.min(content.length, matchIndex + 100));
-      const tableMatch = afterMatch.match(/['"]rbac_([^'"]+)['"]/);
-      const tableName = tableMatch ? `rbac_${tableMatch[1]}` : 'rbac_*';
-      
-      // Find the table config to check if it's user_data or audit
-      const tableConfig = rbacTables.find(t => t.name === tableName);
-      const isUserDataOrAudit = tableConfig && (tableConfig.type === 'user_data' || tableConfig.type === 'audit');
-      const isConfigTable = tableConfig && tableConfig.type === 'config';
-      
-      // Extract variable name if pattern matches variable.from() (handle newlines)
-      let variableName = null;
-      // Use wider context to find function signatures (up to 500 chars before)
-      const beforeMatch = content.substring(Math.max(0, matchIndex - 500), matchIndex);
-      // Find the last word/identifier before .from (same logic as main pattern)
-      const parts = beforeMatch.split('.from');
-      if (parts.length > 0) {
-        const beforeFrom = parts[parts.length - 1].trim();
-        const words = beforeFrom.match(/\b\w+\b/g);
-        if (words && words.length > 0) {
-          variableName = words[words.length - 1];
-        }
-      }
-      
-      // Check if using secure variable (check both set and direct pattern match)
-      // Escape special regex characters in variable name and use multiline flag to handle newlines
-      const escapedVarName = variableName ? variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') : '';
-      // Check if variable is declared with useSecureSupabase
-      const isDeclaredSecure = (variableName && secureVariables.has(variableName)) ||
-        (variableName && new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content));
-      // Check if variable is passed as parameter with useSecureSupabase type annotation
-      // Look for the parameter in function signatures (check both beforeMatch and full content)
-      const isParameterSecure = variableName && (
-        // Check in beforeMatch (500 chars before)
-        new RegExp(`\\b${escapedVarName}\\s*:\\s*.*useSecureSupabase`, 'm').test(beforeMatch) ||
-        new RegExp(`\\b${escapedVarName}\\s*:\\s*.*ReturnType`, 'm').test(beforeMatch) ||
-        new RegExp(`\\b${escapedVarName}\\s*:\\s*.*secureSupabase`, 'i').test(beforeMatch) ||
-        // Also check the full function signature area (wider context in full content)
-        new RegExp(`(function|=>|async\\s+function)[^(]*\\([^)]*\\b${escapedVarName}\\s*:\\s*.*(useSecureSupabase|ReturnType|secureSupabase)`, 'm').test(content) ||
-        // Check for ReturnType<typeof import pattern (common in TypeScript)
-        new RegExp(`\\b${escapedVarName}\\s*:\\s*.*ReturnType.*useSecureSupabase`, 'm').test(content)
-      );
-      // Check for comments indicating secureSupabase usage
-      const hasSecureComment = variableName && (
-        new RegExp(`secureSupabase|useSecureSupabase`, 'i').test(beforeMatch) ||
-        new RegExp(`COMPLIANCE.*secureSupabase|pace-core.*secureSupabase`, 'i').test(beforeMatch)
-      );
-      const isUsingSecureVariable = isDeclaredSecure || isParameterSecure || hasSecureComment;
-      
-      // Skip if we already reported this specific table
-      const alreadyReported = violations.customAuthCode.some(v => 
-        v.file === relativePath && 
-        v.name && v.name.includes(tableName) &&
-        Math.abs(v.line - content.substring(0, matchIndex).split('\n').length) <= 2
-      );
-      
-      // Skip if in a line comment
-      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
-      const lineUpToMatch = content.substring(lineStart, matchIndex);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      // Skip if using secure variable for user_data/audit tables (correct usage)
-      // isUsingSecureVariable is already declared above
-      if (isUsingSecureVariable && isUserDataOrAudit) {
-        continue; // This is correct usage, don't flag it
-      }
-      
-      // Determine severity for config tables in admin context
-      let severity = 'error';
-      let reason = '';
-      
-      if (isConfigTable && isAdminContext && (isUsingSecureVariable || hasSecureMethods)) {
-        // Admin operations with secure methods - acceptable, skip
-        continue;
-      } else if (isConfigTable && isAdminContext && !isUsingSecureVariable && !hasSecureMethods) {
-        severity = 'warning';
-        reason = `Admin operation on configuration table '${tableName}' detected. Ensure you're using useSecureSupabase for security.`;
-      } else if (isConfigTable && !isAdminContext) {
-        severity = 'error';
-        reason = `Direct query to RBAC configuration table '${tableName}' detected. These are system configuration tables. For admin operations, use useSecureSupabase. For application use, use pace-core RBAC APIs.`;
-      } else if (isUserDataOrAudit) {
-        if (isUsingSecureVariable || hasSecureMethods) {
-          // User data/audit tables with secure methods - acceptable, skip
-          continue;
-        }
-        severity = 'error';
-        reason = `Direct query to RBAC table '${tableName}' detected. This table can be queried, but you MUST use useSecureSupabase to ensure organisation context is enforced and RLS policies are respected.`;
-      } else {
-        severity = 'error';
-        reason = `Direct query to RBAC table '${tableName}' detected. Use pace-core RBAC hooks, RPC functions, or useSecureSupabase instead.`;
-      }
-      
-      if (!alreadyReported && !isInLineComment) {
-        violations.customAuthCode.push({
-          name: `Direct RBAC table query (${tableName})`,
-          type: 'rbac query',
-          file: relativePath,
-          line: content.substring(0, matchIndex).split('\n').length,
-          reason: reason,
-          replacement: tableConfig ? tableConfig.recommendation : 'pace-core RBAC APIs (useRBAC, usePermissions, RPC functions)',
-          severity: severity
-        });
-      }
-    }
-  });
-  
-  // Check for direct permission table CRUD operations
-  // This includes both .from().insert/update/delete patterns AND secureUpdate/secureInsert/secureDelete calls
-  const permissionCrudPatterns = [
-    // .from() patterns
-    { 
-      pattern: /\.from\s*\(\s*['"]rbac_page_permissions['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
-      table: 'rbac_page_permissions', 
-      operation: 'CRUD',
-      isConfig: true,
-      method: 'from'
-    },
-    { 
-      pattern: /\.from\s*\(\s*['"]rbac_app_pages['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
-      table: 'rbac_app_pages', 
-      operation: 'CRUD',
-      isConfig: true,
-      method: 'from'
-    },
-    { 
-      pattern: /\.from\s*\(\s*['"]rbac_apps['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
-      table: 'rbac_apps', 
-      operation: 'CRUD',
-      isConfig: true,
-      method: 'from'
-    },
-    { 
-      pattern: /\.from\s*\(\s*['"]rbac_organisation_roles['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
-      table: 'rbac_organisation_roles', 
-      operation: 'CRUD',
-      isRole: true,
-      roleType: 'organisation',
-      method: 'from'
-    },
-    { 
-      pattern: /\.from\s*\(\s*['"]rbac_event_app_roles['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
-      table: 'rbac_event_app_roles', 
-      operation: 'CRUD',
-      isRole: true,
-      roleType: 'event_app',
-      method: 'from'
-    },
-    { 
-      pattern: /\.from\s*\(\s*['"]rbac_global_roles['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
-      table: 'rbac_global_roles', 
-      operation: 'CRUD',
-      isRole: true,
-      roleType: 'global',
-      method: 'from'
-    },
-    { 
-      pattern: /\.from\s*\(\s*['"]rbac_user_units['"]\s*\)\s*\.(insert|update|delete|upsert)\s*\(/g, 
-      table: 'rbac_user_units', 
-      operation: 'CRUD',
-      isUserData: true,
-      method: 'from'
-    },
-    // secureUpdate/secureInsert/secureDelete patterns
-    { 
-      pattern: /secureUpdate\s*\(\s*['"]rbac_page_permissions['"]/g, 
-      table: 'rbac_page_permissions', 
-      operation: 'update',
-      isConfig: true,
-      method: 'secureUpdate'
-    },
-    { 
-      pattern: /secureInsert\s*\(\s*['"]rbac_page_permissions['"]/g, 
-      table: 'rbac_page_permissions', 
-      operation: 'insert',
-      isConfig: true,
-      method: 'secureInsert'
-    },
-    { 
-      pattern: /secureUpdate\s*\(\s*['"]rbac_app_pages['"]/g, 
-      table: 'rbac_app_pages', 
-      operation: 'update',
-      isConfig: true,
-      method: 'secureUpdate'
-    },
-    { 
-      pattern: /secureInsert\s*\(\s*['"]rbac_app_pages['"]/g, 
-      table: 'rbac_app_pages', 
-      operation: 'insert',
-      isConfig: true,
-      method: 'secureInsert'
-    },
-    { 
-      pattern: /secureUpdate\s*\(\s*['"]rbac_apps['"]/g, 
-      table: 'rbac_apps', 
-      operation: 'update',
-      isConfig: true,
-      method: 'secureUpdate'
-    },
-    { 
-      pattern: /secureInsert\s*\(\s*['"]rbac_apps['"]/g, 
-      table: 'rbac_apps', 
-      operation: 'insert',
-      isConfig: true,
-      method: 'secureInsert'
-    },
-    { 
-      pattern: /secureUpdate\s*\(\s*['"]rbac_organisation_roles['"]/g, 
-      table: 'rbac_organisation_roles', 
-      operation: 'update',
-      isRole: true,
-      roleType: 'organisation',
-      method: 'secureUpdate'
-    },
-    { 
-      pattern: /secureInsert\s*\(\s*['"]rbac_organisation_roles['"]/g, 
-      table: 'rbac_organisation_roles', 
-      operation: 'insert',
-      isRole: true,
-      roleType: 'organisation',
-      method: 'secureInsert'
-    },
-    { 
-      pattern: /secureUpdate\s*\(\s*['"]rbac_event_app_roles['"]/g, 
-      table: 'rbac_event_app_roles', 
-      operation: 'update',
-      isRole: true,
-      roleType: 'event_app',
-      method: 'secureUpdate'
-    },
-    { 
-      pattern: /secureInsert\s*\(\s*['"]rbac_event_app_roles['"]/g, 
-      table: 'rbac_event_app_roles', 
-      operation: 'insert',
-      isRole: true,
-      roleType: 'event_app',
-      method: 'secureInsert'
-    },
-    { 
-      pattern: /secureUpdate\s*\(\s*['"]rbac_global_roles['"]/g, 
-      table: 'rbac_global_roles', 
-      operation: 'update',
-      isRole: true,
-      roleType: 'global',
-      method: 'secureUpdate'
-    },
-    { 
-      pattern: /secureInsert\s*\(\s*['"]rbac_global_roles['"]/g, 
-      table: 'rbac_global_roles', 
-      operation: 'insert',
-      isRole: true,
-      roleType: 'global',
-      method: 'secureInsert'
-    }
-  ];
-  
-  permissionCrudPatterns.forEach(({ pattern, table, operation, isConfig, isRole, roleType, isUserData, method }) => {
-    let match;
-    const regex = new RegExp(pattern.source, pattern.flags);
-    regex.lastIndex = 0;
-    
-    while ((match = regex.exec(content)) !== null) {
-      if (match.index === regex.lastIndex) {
-        regex.lastIndex++;
-        continue;
-      }
-      
-      const matchIndex = match.index;
-      const matchText = match[0];
-      // For .from() patterns, match[1] is the CRUD method; for secure* patterns, operation is already set
-      const crudMethod = method === 'from' ? match[1] : operation;
-      
-      // Extract variable name for .from() patterns (for secure* patterns, we skip variable detection)
-      let variableName = null;
-      if (method === 'from') {
-        // Look backwards to find the variable name before .from()
-        const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
-        const parts = beforeMatch.split('.from');
-        if (parts.length > 0) {
-          const beforeFrom = parts[parts.length - 1].trim();
-          const words = beforeFrom.match(/\b\w+\b/g);
-          if (words && words.length > 0) {
-            variableName = words[words.length - 1];
-          }
-        }
-      }
-      
-      // Check if using secure variable (only for .from() patterns)
-      let isUsingSecureVariable = false;
-      if (method === 'from' && variableName) {
-        const escapedVarName = variableName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-        
-        // Check if variable is declared locally
-        const isDeclaredSecure = secureVariables.has(variableName) ||
-          new RegExp(`(const|let)\\s+${escapedVarName}\\s*=\\s*useSecureSupabase\\s*\\(`, 'm').test(content);
-        
-        // Check if variable is passed as function parameter with secure type annotation
-        const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
-        const isParameterSecure = 
-          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(beforeMatch) ||
-          new RegExp(`(function|=>|async\\s+function|const\\s+\\w+\\s*=\\s*(async\\s+)?(function|=>))[^(]*\\([^)]*\\b${escapedVarName}\\s*:\\s*.*(SecureSupabaseClient|useSecureSupabase|ReturnType.*useSecureSupabase)`, 'm').test(content) ||
-          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*ReturnType.*useSecureSupabase`, 'm').test(content) ||
-          new RegExp(`\\b${escapedVarName}\\s*:\\s*.*NonNullable.*ReturnType.*useSecureSupabase`, 'm').test(content);
-        
-        // Check for common secure variable names
-        const isSecureVariableName = /^(secureSupabase|secureClient|secureDb|secure)$/i.test(variableName);
-        
-        // Check for comments indicating secure usage
-        const hasSecureComment = 
-          new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(beforeMatch) ||
-          (() => {
-            const lines = content.substring(0, matchIndex).split('\n');
-            const recentLines = lines.slice(Math.max(0, lines.length - 10)).join('\n');
-            return new RegExp(`(pace-core-compliant|useSecureSupabase|secureSupabase|@pace-core-compliant)`, 'i').test(recentLines);
-          })();
-        
-        // Check for @pace-core-compliant annotation (suppression mechanism)
-        const hasComplianceAnnotation = (() => {
-          const lines = content.substring(0, matchIndex).split('\n');
-          const currentLineIdx = lines.length - 1;
-          const checkLines = lines.slice(Math.max(0, currentLineIdx - 3), currentLineIdx + 1);
-          return new RegExp(`@pace-core-compliant`, 'i').test(checkLines.join('\n'));
-        })();
-        
-        isUsingSecureVariable = hasComplianceAnnotation || isDeclaredSecure || isParameterSecure || (isSecureVariableName && hasSecureComment);
-      }
-      
-      // Skip if in a line comment
-      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
-      const lineUpToMatch = content.substring(lineStart, matchIndex);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      if (!isInLineComment) {
-        let reason = '';
-        let replacement = '';
-        let severity = 'error';
-        let example = '';
-        
-        // If using secure variable for user_data tables, skip (correct usage)
-        if (isUserData && isUsingSecureVariable) {
-          continue;
-        }
-        
-        // If using secure variable for config tables, skip (correct usage)
-        if (isConfig && isUsingSecureVariable) {
-          continue;
-        }
-        
-        if (isRole) {
-          // Role mutations should use RPC functions
-          const isGrant = crudMethod === 'insert' || crudMethod === 'upsert';
-          const isRevoke = crudMethod === 'delete' || crudMethod === 'update';
-          
-          if (isGrant) {
-            reason = `Direct ${crudMethod} operation on '${table}' detected. Use rbac_role_grant RPC function instead.`;
-            replacement = `Use rbac_role_grant RPC function with p_role_type='${roleType}'`;
-            example = `const { data, error } = await supabase.rpc('rbac_role_grant', {\n  p_user_id: userId,\n  p_role_type: '${roleType}',\n  p_role_name: 'role_name',\n  p_context_id: contextId, // org_id for organisation, 'event_id:app_id' for event_app\n  p_granted_by: currentUserId\n});`;
-          } else if (isRevoke) {
-            reason = `Direct ${crudMethod} operation on '${table}' detected. Use rbac_role_revoke RPC function instead.`;
-            replacement = `Use rbac_role_revoke RPC function with p_role_type='${roleType}'`;
-            example = `const { data, error } = await supabase.rpc('rbac_role_revoke', {\n  p_user_id: userId,\n  p_role_type: '${roleType}',\n  p_role_name: 'role_name',\n  p_context_id: contextId, // org_id for organisation, 'event_id:app_id' for event_app\n  p_revoked_by: currentUserId\n});`;
-          } else {
-            reason = `Direct ${crudMethod} operation on '${table}' detected. Use rbac_role_grant or rbac_role_revoke RPC functions instead.`;
-            replacement = `Use rbac_role_grant/rbac_role_revoke RPC functions with p_role_type='${roleType}'`;
-          }
-        } else if (isConfig) {
-          // Config table mutations - check if using secure methods
-          if (method && method.startsWith('secure')) {
-            // Using secureInsert/secureUpdate/secureDelete - this is correct, don't flag
-            continue;
-          } else if (isAdminContext) {
-            // Admin context - check if using secure methods
-            // If the operation uses secureQuery/secureUpdate/etc, it's already handled above
-            // This case is for direct .from() calls in admin context
-            severity = 'warning';
-            reason = `Admin operation (${crudMethod}) on configuration table '${table}' detected. Ensure you're using useSecureSupabase for security.`;
-            replacement = 'Use useSecureSupabase from pace-core for admin operations on configuration tables';
-          } else {
-            reason = `Direct ${crudMethod} operation on configuration table '${table}' detected. These are system configuration tables. For admin operations, use useSecureSupabase.`;
-            replacement = 'Use useSecureSupabase from pace-core for admin operations';
-          }
-        } else if (isUserData) {
-          // User data tables - should use secure methods
-          if (isUsingSecureVariable) {
-            // Already handled above - skip
-            continue;
-          }
-          reason = `Direct ${crudMethod} operation on '${table}' detected. Use useSecureSupabase to ensure organisation context is enforced.`;
-          replacement = 'Use useSecureSupabase from pace-core';
-        } else {
-          reason = `Direct ${crudMethod} operation on '${table}' detected. Use pace-core permission management APIs or documented RPC functions instead.`;
-          replacement = 'pace-core permission management APIs or RPC functions';
-        }
-        
-        violations.customAuthCode.push({
-          name: `Direct ${operation} (${table})`,
-          type: 'permission management',
-          file: relativePath,
-          line: content.substring(0, matchIndex).split('\n').length,
-          reason: reason,
-          replacement: replacement,
-          severity: severity,
-          example: example
-        });
-      }
-    }
-  });
-  
-  // Check for custom role management hooks/components
-  // Analyze hook operations to distinguish data fetching from permission management
-  const customRoleManagementPatterns = [
-    { pattern: /export\s+(default\s+)?(function|const)\s+useRoleMutations\s*[=\(]/g, name: 'useRoleMutations', type: 'hook', replacement: 'pace-core RBAC APIs (rbac_role_grant, rbac_role_revoke RPC functions or useRoleManagement hook)' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useUserRoles\s*[=\(]/g, name: 'useUserRoles', type: 'hook', replacement: 'pace-core RBAC hooks (useRBAC, usePermissions) or rbac_roles_list RPC function' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useUserOrganisationRoles\s*[=\(]/g, name: 'useUserOrganisationRoles', type: 'hook', replacement: 'useOrganisations hook from pace-core or data_user_organisation_roles_get RPC function' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useRoleSupportingData\s*[=\(]/g, name: 'useRoleSupportingData', type: 'hook', replacement: 'pace-core RBAC APIs' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useAppAccess\s*[=\(]/g, name: 'useAppAccess', type: 'hook', replacement: 'pace-core RBAC APIs' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useEventForm\s*[=\(]/g, name: 'useEventForm', type: 'hook', replacement: 'pace-core RBAC APIs' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+useUnifiedStats\s*[=\(]/g, name: 'useUnifiedStats', type: 'hook', replacement: 'pace-core RBAC APIs' }
-  ];
-  
-  customRoleManagementPatterns.forEach(({ pattern, name, type, replacement }) => {
-    if (pattern.test(content)) {
-      // Analyze hook operations to determine if it's data fetching or permission management
-      const hookStartMatch = content.match(pattern);
-      if (!hookStartMatch) {
-        return; // Exit early if no match
-      }
-      
-      const hookStartIndex = content.indexOf(hookStartMatch[0]);
-      // Find the end of the hook (next export or end of file, or closing brace at same level)
-      const afterHookStart = content.substring(hookStartIndex);
-      const hookContent = afterHookStart.split(/\n\s*export\s+/)[0]; // Get content until next export
-      
-      // Count operations
-      const readOperations = (
-        (hookContent.match(/secureQuery\s*\(/g) || []).length +
-        (hookContent.match(/\.select\s*\(/g) || []).length +
-        (hookContent.match(/\.rpc\s*\(\s*['"](get_|data_|rbac_roles_list|rbac_permissions_get|data_user_)/g) || []).length
-      );
-      
-      const writeOperations = (
-        (hookContent.match(/secureUpdate\s*\(/g) || []).length +
-        (hookContent.match(/secureInsert\s*\(/g) || []).length +
-        (hookContent.match(/secureDelete\s*\(/g) || []).length +
-        (hookContent.match(/\.(insert|update|delete|upsert)\s*\(/g) || []).length +
-        (hookContent.match(/\.rpc\s*\(\s*['"](rbac_role_grant|rbac_role_revoke|app_)/g) || []).length
-      );
-      
-      const totalOperations = readOperations + writeOperations;
-      const writeRatio = totalOperations > 0 ? writeOperations / totalOperations : 0;
-      
-      // Check if hook primarily uses RPC functions for reads
-      const usesReadOnlyRPCs = /\.rpc\s*\(\s*['"](get_|data_|rbac_roles_list|rbac_permissions_get|data_user_)/.test(hookContent);
-      const onlyReadOperations = writeOperations === 0 && readOperations > 0;
-      
-      // Check if hook name suggests data fetching (supporting data, stats, etc.)
-      const isDataFetchingHook = /SupportingData|Stats|Form/.test(name);
-      
-      // Calculate ratio of role/permission-related code to total code
-      const rolePermissionPatterns = [
-        /rbac_(organisation|event_app|global)_roles/g,
-        /rbac_page_permissions/g,
-        /rbac_role_grant|rbac_role_revoke/g,
-        /grant.*role|revoke.*role/gi
-      ];
-      const rolePermissionMatches = rolePermissionPatterns.reduce((count, pattern) => {
-        const matches = hookContent.match(pattern);
-        return count + (matches ? matches.length : 0);
-      }, 0);
-      
-      // Count total significant operations (not just RBAC, but all operations)
-      const totalSignificantOps = (
-        (hookContent.match(/(secureQuery|secureUpdate|secureInsert|secureDelete|\.from|\.rpc|\.select|\.insert|\.update|\.delete)\s*\(/g) || []).length
-      );
-      const rolePermissionRatio = totalSignificantOps > 0 ? rolePermissionMatches / totalSignificantOps : 0;
-      
-      // Check for patterns indicating primary purpose
-      const isEventManagement = /event.*(create|update|delete|form|manage)/gi.test(hookContent) && name.includes('Event');
-      const isFormManagement = /useZodForm|register|handleSubmit|setValue|watch|reset/.test(hookContent);
-      const isStatsAggregation = /count|sum|aggregate|stats|statistics/gi.test(hookContent) && name.includes('Stats');
-      const isSupportingData = name.includes('SupportingData') || /dropdown|select|options|reference/gi.test(hookContent);
-      
-      // Only flag if:
-      // 1. It's useRoleMutations (always permission management)
-      // 2. OR write operations > 20% of total operations AND operates on role/permission tables
-      // 3. OR role/permission operations > 20% of total operations
-      // Don't flag if:
-      // - It's primarily data fetching (>80% reads, no mutations on role tables)
-      // - It's event/form/stats management with <20% role/permission code
-      // - It only uses read-only RPCs for data fetching
-      if (name === 'useRoleMutations') {
-        // Always flag useRoleMutations - it's explicitly for role mutations
-        violations.customAuthCode.push({
-          name,
-          type,
-          file: relativePath,
-          line: getLineNumber(content, hookStartMatch[0]),
-          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities, it should use pace-core RBAC APIs instead of implementing custom logic.`,
-          replacement,
-          severity: 'error'
-        });
-      } else if (writeRatio > 0.2 && rolePermissionRatio > 0.1) {
-        // Has significant write operations on role/permission tables
-        violations.customAuthCode.push({
-          name,
-          type,
-          file: relativePath,
-          line: getLineNumber(content, hookStartMatch[0]),
-          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities, it should use pace-core RBAC APIs instead of implementing custom logic.`,
-          replacement,
-          severity: 'error'
-        });
-      } else if (rolePermissionRatio > 0.2 && !isEventManagement && !isFormManagement && !isStatsAggregation) {
-        // High ratio of role/permission code and not primarily event/form/stats management
-        violations.customAuthCode.push({
-          name,
-          type,
-          file: relativePath,
-          line: getLineNumber(content, hookStartMatch[0]),
-          reason: `Custom ${type} '${name}' detected that implements role/permission management logic. Even though it may use some pace-core utilities, it should use pace-core RBAC APIs instead of implementing custom logic.`,
-          replacement,
-          severity: 'error'
-        });
-      } else if (onlyReadOperations && (usesReadOnlyRPCs || isDataFetchingHook || isSupportingData)) {
-        // Data fetching hook using pace-core RPCs or secure queries - don't flag
-        // These are legitimate data fetching hooks
-        return; // Exit early to prevent flagging
-      } else if (name === 'useUserOrganisationRoles') {
-        // useUserOrganisationRoles only uses get_user_organisations RPC - don't flag
-        // This is a pure data fetching hook that only uses RPC functions
-        // Check if it only uses RPC functions and no direct table queries
-        const hasDirectTableQueries = /\.from\s*\(\s*['"]rbac_/.test(hookContent);
-        if (!hasDirectTableQueries && usesReadOnlyRPCs) {
-          // Pure RPC-based data fetching - don't flag
-          return; // Exit early to prevent flagging
-        } else if (onlyReadOperations && usesReadOnlyRPCs) {
-          // Read-only data fetching hook - don't flag
-          return; // Exit early to prevent flagging
-        }
-        // If it has table queries, continue to check below
-      } else if (name === 'useUserRoles') {
-        // useUserRoles uses RPC functions and secure methods for data fetching
-        // Check if it's primarily read-only and uses secure methods
-        const usesSecureForApps = /secureSupabase|useSecureSupabase|secureQuery/.test(hookContent);
-        if (usesReadOnlyRPCs && writeOperations === 0 && (usesSecureForApps || onlyReadOperations)) {
-          // Using secure methods or read-only RPC-based data fetching - don't flag
-          return; // Exit early to prevent flagging
-        }
-        // If it has write operations, continue to check below
-      } else if (isEventManagement || isFormManagement || isStatsAggregation) {
-        // Primary purpose is event/form/stats management - don't flag
-        // Role cleanup during deletion is a side effect, not primary purpose
-      }
-    }
-  });
-  
-  // Check for custom permission management components
-  // Distinguish between configuration management and permission management
-  const customPermissionComponents = [
-    { name: 'UnifiedPermissionsManager', isPermissionManagement: true },
-    { name: 'PermissionsDataTable', isPermissionManagement: true },
-    { name: 'ApplicationPermissionsTable', isPermissionManagement: true },
-    { name: 'ApplicationPermissionsManager', isPermissionManagement: true },
-    { name: 'PermissionsManager', isPermissionManagement: true },
-    // Configuration management components (manage rbac_apps, rbac_app_pages)
-    { name: 'ApplicationsDataTable', isPermissionManagement: false, managesConfig: true },
-    { name: 'PagesDataTable', isPermissionManagement: false, managesConfig: true }
-  ];
-  
-  customPermissionComponents.forEach(({ name, isPermissionManagement, managesConfig }) => {
-    const componentPattern = new RegExp(`export\\s+(default\\s+)?(function|const)\\s+${name}\\s*[=\\(]`, 'g');
-    if (componentPattern.test(content)) {
-      // Check which tables this component operates on
-      const operatesOnPagePermissions = /rbac_page_permissions/.test(content);
-      const operatesOnRoleTables = /rbac_(organisation|event_app|global)_roles/.test(content);
-      const operatesOnConfigTables = /rbac_apps|rbac_app_pages/.test(content);
-      const usesSecureMethods = /useSecureSupabase|secureQuery|secureUpdate|secureInsert|secureDelete/.test(content);
-      
-      // Only flag as permission management if:
-      // 1. It's explicitly a permission management component AND operates on permission/role tables
-      // 2. OR it operates on permission/role tables (regardless of name)
-      // Don't flag configuration management components that only manage config tables
-      if (isPermissionManagement && (operatesOnPagePermissions || operatesOnRoleTables)) {
-        violations.customAuthCode.push({
-          name: `${name} component`,
-          type: 'permission management component',
-          file: relativePath,
-          line: getLineNumber(content, content.match(componentPattern)[0]),
-          reason: `Custom permission management component '${name}' detected. Even though it may use some pace-core utilities, it implements custom permission management logic that should use pace-core permission management APIs instead.`,
-          replacement: 'pace-core permission management APIs or PagePermissionGuard',
-          severity: 'error'
-        });
-      } else if (!isPermissionManagement && managesConfig && operatesOnConfigTables) {
-        // Configuration management component - check if it only does cleanup on permission tables
-        // If it uses secure methods and primarily manages config tables, don't flag
-        // Permission table operations for cleanup (cascade deletes) are acceptable
-        if (operatesOnPagePermissions && usesSecureMethods) {
-          // Config management component that uses secure methods and does permission cleanup
-          // This is acceptable - don't flag
-        } else if (!usesSecureMethods) {
-          violations.customAuthCode.push({
-            name: `${name} component`,
-            type: 'configuration management component',
-            file: relativePath,
-            line: getLineNumber(content, content.match(componentPattern)[0]),
-            reason: `Configuration management component '${name}' detected. Ensure you're using useSecureSupabase for secure operations on configuration tables.`,
-            replacement: 'Use useSecureSupabase from pace-core for admin operations on configuration tables',
-            severity: 'warning'
-          });
-        }
-        // If using secure methods, don't flag (acceptable for admin operations)
-      } else if (operatesOnPagePermissions || operatesOnRoleTables) {
-        // Component operates on permission/role tables - flag it UNLESS it's a config management component using secure methods
-        if (!isPermissionManagement && managesConfig && usesSecureMethods) {
-          // Config management component using secure methods - acceptable, don't flag
-        } else {
-          violations.customAuthCode.push({
-            name: `${name} component`,
-            type: 'permission management component',
-            file: relativePath,
-            line: getLineNumber(content, content.match(componentPattern)[0]),
-            reason: `Component '${name}' detected that operates on permission or role tables. Use pace-core permission management APIs instead.`,
-            replacement: 'pace-core permission management APIs or PagePermissionGuard',
-            severity: 'error'
-          });
-        }
-      }
-    }
-  });
-  
-  // Check provider setup (only main.tsx/main.ts, not App.tsx since it doesn't define providers)
-  if (relativePath.match(/^(src\/)?main\.(tsx?|jsx?)$/)) {
-    const providerIssues = scanProviderSetup(filePath, content, relativePath);
-    violations.providerSetupIssues.push(...providerIssues);
-  }
-  
-  // Check Vite configuration
-  // Skip root-level vite.config files - these are typically for library/monorepo development, not consuming apps
-  // The audit recommendations (exclude @jmruthers/pace-core, dedupe) are for consuming apps, not library dev setups
-  const isRootViteConfig = /^vite\.config\.(ts|js|tsx|jsx)$/.test(relativePath);
-  if (!isRootViteConfig && relativePath.match(/vite\.config\.(ts|js|tsx|jsx)$/)) {
-    const viteIssues = scanViteConfig(filePath, content, relativePath);
-    violations.viteConfigIssues.push(...viteIssues);
-  }
-  
-  // Check Router setup (main.tsx, main.ts, App.tsx, App.ts)
-  if (relativePath.match(/^(src\/)?(main|App)\.(tsx?|jsx?)$/)) {
-    const routerIssues = scanRouterSetup(filePath, content, relativePath);
-    violations.routerSetupIssues.push(...routerIssues);
-  }
-  
-  // Check for custom auth type files (should use pace-core types)
-  if (relativePath.match(/types\/auth\.(ts|tsx)$/i) || relativePath.match(/src\/types\/auth\.(ts|tsx)$/i)) {
-    // Check if file defines auth-related types without importing from pace-core
-    const hasAuthTypeDefinitions = /(interface|type)\s+(User|Session|AuthError|SignIn|SignUp|AuthState|AuthContext)/.test(content);
-    const hasPaceCoreTypeImport = /from\s+['"]@jmruthers\/pace-core\/types/.test(content) ||
-                                  /from\s+['"]@jmruthers\/pace-core['"]/.test(content);
-    
-    if (hasAuthTypeDefinitions && !hasPaceCoreTypeImport) {
-      violations.customAuthCode.push({
-        name: 'auth types',
-        type: 'types',
-        file: relativePath,
-        line: 1,
-        reason: 'Custom auth types detected. Use types from @jmruthers/pace-core/types/auth instead.',
-        replacement: '@jmruthers/pace-core/types/auth'
-      });
-    }
-  }
-  
-  // Check for custom auth/RBAC context providers
-  const customProviderPatterns = [
-    { pattern: /export\s+(default\s+)?(function|const)\s+AuthProvider\s*[=\(]/g, name: 'AuthProvider', replacement: 'UnifiedAuthProvider' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+AuthContext\s*[=\(]/g, name: 'AuthContext', replacement: 'useUnifiedAuth' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+PermissionProvider\s*[=\(]/g, name: 'PermissionProvider', replacement: 'pace-core RBAC' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+RBACProvider\s*[=\(]/g, name: 'RBACProvider', replacement: 'pace-core RBAC' },
-    { pattern: /export\s+(default\s+)?(function|const)\s+RoleProvider\s*[=\(]/g, name: 'RoleProvider', replacement: 'pace-core RBAC' },
-    { pattern: /createContext\s*<\s*(Auth|Permission|RBAC|Role)/gi, name: 'auth context', replacement: 'pace-core providers' }
-  ];
-  
-  customProviderPatterns.forEach(({ pattern, name, replacement }) => {
-    if (pattern.test(content) && !hasPaceCoreImport && !hasUnifiedAuthImport) {
-      violations.customAuthCode.push({
-        name,
-        type: 'provider',
-        file: relativePath,
-        line: getLineNumber(content, content.match(pattern)[0]),
-        reason: `Custom auth/RBAC provider '${name}' detected. Use ${replacement} from pace-core instead.`,
-        replacement
-      });
-    }
-  });
-  
-  // Check for unused PermissionService interfaces that duplicate pace-core functionality
-  // Flag it even if file imports from pace-core, since it's a duplicate type definition
-  const permissionServicePattern = /(interface|type)\s+PermissionService\s*[={<]/gi;
-  if (permissionServicePattern.test(content)) {
-    // Check if it's actually used in the file (beyond just the definition)
-    const permissionServiceUsage = /PermissionService[^:]/g;
-    const allMatches = content.match(/PermissionService/g) || [];
-    // If defined but only appears in the definition (and maybe one type annotation), it's likely unused
-    // Count: 1 for definition, 1-2 for potential type annotations = 2-3 total
-    if (allMatches.length <= 3) {
-      violations.customAuthCode.push({
-        name: 'PermissionService interface',
-        type: 'unused type',
-        file: relativePath,
-        line: getLineNumber(content, content.match(permissionServicePattern)[0]),
-        reason: 'PermissionService interface detected that duplicates pace-core permission checking APIs. This appears unused and should be removed.',
-        replacement: 'Remove if unused, or use pace-core RBAC APIs (useRBAC, usePermissions) instead',
-        severity: 'error'
-      });
-    }
-  }
-  
-  // Check for unnecessary wrappers around pace-core components and local components
-  // Only check .tsx/.jsx files (component files)
-  if (filePath.match(/\.(tsx|jsx)$/)) {
-    const wrapperIssues = scanUnnecessaryWrappers(content, relativePath, manifest);
-    violations.unnecessaryWrappers.push(...wrapperIssues);
-  }
-  
-  // ============================================
-  // App Discovery Compliance Checks
-  // ============================================
-  // Check for direct queries to rbac_apps table or hardcoded app names
-  // Should use data_rbac_apps_list RPC function instead
-  
-  // Check for direct queries to rbac_apps table
-  const rbacAppsQueryPatterns = [
-    // Supabase client queries
-    /\.from\s*\(\s*['"]rbac_apps['"]\s*\)/g,
-    /\.from\s*\(\s*['"]rbac_apps['"]\s*\)/g,
-    // SQL queries (less common but possible)
-    /FROM\s+rbac_apps\b/gi,
-    /SELECT\s+.*\s+FROM\s+rbac_apps\b/gi
-  ];
-  
-  // Check if file uses data_rbac_apps_list RPC function
-  const usesRpcFunction = /data_rbac_apps_list|rpc\s*\(\s*['"]data_rbac_apps_list['"]/gi.test(content);
-  
-  rbacAppsQueryPatterns.forEach(pattern => {
-    let match;
-    while ((match = pattern.exec(content)) !== null) {
-      // Skip if in a line comment
-      const lineStart = content.lastIndexOf('\n', match.index) + 1;
-      const lineUpToMatch = content.substring(lineStart, match.index);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      if (isInLineComment) {
-        continue;
-      }
-      
-      // Check what comes after .from('rbac_apps') to determine if it's a SELECT query or CRUD operation
-      const afterMatch = content.substring(match.index, Math.min(content.length, match.index + 200));
-      const isSelectQuery = /\.(select|selectAll)\s*\(/i.test(afterMatch);
-      const isCrudOperation = /\.(update|insert|delete|upsert)\s*\(/i.test(afterMatch);
-      
-      // Only flag SELECT queries - UPDATE/INSERT/DELETE operations are acceptable with secureSupabase
-      if (isSelectQuery && !isCrudOperation) {
-        violations.appDiscoveryIssues.push({
-          type: 'direct_table_query',
-          file: relativePath,
-          line: getLineNumber(content, match[0]),
-          reason: 'Direct query to rbac_apps table detected. Use data_rbac_apps_list RPC function for dynamic app discovery.',
-          recommendation: 'Replace with: const { data } = await supabase.rpc(\'data_rbac_apps_list\');',
-          severity: 'warning'
-        });
-      }
-      // Skip CRUD operations (UPDATE/INSERT/DELETE) - these are acceptable with secureSupabase
-    }
-  });
-  
-  // Check for hardcoded app names in arrays or string literals
-  // Known app names: BASE, CAKE, PACE, MINT, TRAC, PORTAL, MEDI
-  // Only flag if they appear to be used for app discovery (arrays, comparisons, etc.)
-  const hardcodedAppNamePatterns = [
-    // Array of app names (likely used for iteration/discovery)
-    /\[['"]\s*(BASE|CAKE|PACE|MINT|TRAC|PORTAL|MEDI)\s*['"]/gi,
-    // String literals in comparisons or includes checks (app discovery patterns)
-    /(app|apps|appName|app_name)\s*[=!]==?\s*['"]\s*(BASE|CAKE|PACE|MINT|TRAC|PORTAL|MEDI)\s*['"]/gi,
-    /(app|apps|appName|app_name)\s*\.(includes|indexOf|find|filter)\s*\([^)]*['"]\s*(BASE|CAKE|PACE|MINT|TRAC|PORTAL|MEDI)\s*['"]/gi,
-    /['"]\s*(BASE|CAKE|PACE|MINT|TRAC|PORTAL|MEDI)\s*['"]\s*\.(includes|indexOf)/gi
-  ];
-  
-  hardcodedAppNamePatterns.forEach(pattern => {
-    let match;
-    while ((match = pattern.exec(content)) !== null) {
-      // Skip if it's in a get_app_id call (acceptable usage)
-      const beforeMatch = content.substring(Math.max(0, match.index - 50), match.index);
-      const isInGetAppId = /get_app_id\s*\(/i.test(beforeMatch);
-      
-      // Skip if in a line comment
-      const lineStart = content.lastIndexOf('\n', match.index) + 1;
-      const lineUpToMatch = content.substring(lineStart, match.index);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      // Skip if it's a comment about app names
-      const isInComment = /\/\*[\s\S]*?\*\//.test(beforeMatch + match[0]);
-      
-      // Skip if it's in a data_rbac_apps_list call (already using the function)
-      const isInRpcCall = /data_rbac_apps_list/i.test(beforeMatch);
-      
-      // Extract app name (could be in different capture groups depending on pattern)
-      const appName = match[1] || match[2] || match[3];
-      
-      if (!isInGetAppId && !isInLineComment && !isInComment && !isInRpcCall && appName) {
-        violations.appDiscoveryIssues.push({
-          type: 'hardcoded_app_name',
-          file: relativePath,
-          line: getLineNumber(content, match[0]),
-          appName: appName,
-          reason: `Hardcoded app name '${appName}' detected. Use data_rbac_apps_list RPC function for dynamic app discovery.`,
-          recommendation: 'Use data_rbac_apps_list() to discover apps dynamically instead of hardcoding app names.',
-          severity: 'warning'
-        });
-      }
-    }
-  });
-  
-  // If file has app discovery code but doesn't use the RPC function, suggest it
-  if (violations.appDiscoveryIssues.length > 0 && !usesRpcFunction) {
-    // Add a general suggestion if there are multiple issues
-    if (violations.appDiscoveryIssues.length > 1) {
-      violations.appDiscoveryIssues.push({
-        type: 'suggestion',
-        file: relativePath,
-        line: 1,
-        reason: 'Multiple app discovery issues found. Consider using data_rbac_apps_list RPC function for all app discovery needs.',
-        recommendation: 'Replace all hardcoded app names and direct table queries with: const { data: apps } = await supabase.rpc(\'data_rbac_apps_list\');',
-        severity: 'info'
-      });
-    }
-  }
-  
-  // ============================================
-  // Check for Direct Supabase Client Usage
-  // ============================================
-  // Detect when consuming apps use createClient from @supabase/supabase-js
-  // and then use that client for database queries instead of useSecureSupabase
-  // This is a critical security issue as it bypasses RLS and organisation context
-  
-  // Skip Edge Functions - they run in Deno and must use createClient
-  // Reuse isEdgeFunction declared at the top of the function
-  if (!isEdgeFunction) {
-    // Check for createClient import from @supabase/supabase-js
-    const createClientImportPattern = /import\s+{\s*createClient\s*}\s+from\s+['"]@supabase\/supabase-js['"]/;
-    const hasCreateClientImport = createClientImportPattern.test(content);
-    
-    // Check for createClient usage
-    const createClientUsagePattern = /createClient\s*\(/g;
-    const createClientMatches = content.match(createClientUsagePattern);
-    const hasCreateClientUsage = createClientMatches && createClientMatches.length > 0;
-    
-    // Check if file uses useSecureSupabase (correct usage)
-    const usesSecureSupabase = /useSecureSupabase/.test(content) || 
-                               /from\s+['"]@jmruthers\/pace-core\/rbac['"]/.test(content);
-    
-    // Find all variables assigned from createClient
-    const createClientVariablePattern = /(const|let|var)\s+(\w+)\s*=\s*createClient\s*\(/g;
-    const nonSecureClients = new Set();
-    let match;
-    while ((match = createClientVariablePattern.exec(content)) !== null) {
-      if (match[2]) {
-        nonSecureClients.add(match[2]);
-      }
-    }
-    
-    // Check for database queries (.from() calls) using non-secure clients
-    // Pattern: variable.from('table_name')
-    const fromPattern = /\.from\s*\(\s*['"]([^'"]+)['"]\s*\)/g;
-    let fromMatch;
-    while ((fromMatch = fromPattern.exec(content)) !== null) {
-      const matchIndex = fromMatch.index;
-      const tableName = fromMatch[1];
-      
-      // Skip RBAC tables (already checked above)
-      if (tableName.startsWith('rbac_')) {
-        continue;
-      }
-      
-      // Skip if in a line comment
-      const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
-      const lineUpToMatch = content.substring(lineStart, matchIndex);
-      const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-      
-      if (isInLineComment) {
-        continue;
-      }
-      
-      // Find the variable name before .from()
-      const beforeMatch = content.substring(Math.max(0, matchIndex - 200), matchIndex);
-      const parts = beforeMatch.split('.from');
-      let variableName = null;
-      if (parts.length > 0) {
-        const beforeFrom = parts[parts.length - 1].trim();
-        const words = beforeFrom.match(/\b\w+\b/g);
-        if (words && words.length > 0) {
-          variableName = words[words.length - 1];
-        }
-      }
-      
-      // Check if this variable is from createClient (non-secure)
-      if (variableName && nonSecureClients.has(variableName)) {
-        // Check if it's in a config file (acceptable for centralized config)
-        const isConfigFile = /config|supabase|client/i.test(relativePath) && 
-                            (relativePath.includes('supabase.ts') || 
-                             relativePath.includes('supabase.js') ||
-                             relativePath.includes('client.ts') ||
-                             relativePath.includes('client.js'));
-        
-        if (!isConfigFile) {
-          const lineNumber = content.substring(0, matchIndex).split('\n').length;
-          
-          // Check if this is already reported
-          const alreadyReported = violations.directSupabaseClient.some(v => 
-            v.file === relativePath && 
-            v.variable === variableName &&
-            Math.abs(v.line - lineNumber) <= 2
-          );
-          
-          if (!alreadyReported) {
-            violations.directSupabaseClient.push({
-              file: relativePath,
-              line: lineNumber,
-              variable: variableName,
-              table: tableName,
-              reason: `Direct Supabase client usage detected. Variable '${variableName}' is created with createClient() and used for database queries. You MUST use useSecureSupabase() instead to ensure RLS policies and organisation context are enforced.`,
-              recommendation: `Replace with: import { useSecureSupabase } from '@jmruthers/pace-core/rbac'; const ${variableName} = useSecureSupabase();`
-            });
-          }
-        }
-      }
-    }
-    
-    // Also check if file imports createClient but doesn't use useSecureSupabase
-    if (hasCreateClientImport && hasCreateClientUsage && !usesSecureSupabase) {
-      // Check if it's a config file (acceptable)
-      const isConfigFile = /config|supabase|client/i.test(relativePath) && 
-                          (relativePath.includes('supabase.ts') || 
-                           relativePath.includes('supabase.js') ||
-                           relativePath.includes('client.ts') ||
-                           relativePath.includes('client.js'));
-      
-      if (!isConfigFile) {
-        // Check if createClient is used for queries (not just config)
-        const hasDatabaseQueries = /\.from\s*\(/.test(content);
-        
-        if (hasDatabaseQueries) {
-          violations.directSupabaseClient.push({
-            file: relativePath,
-            line: 1,
-            variable: 'unknown',
-            table: 'multiple',
-            reason: 'File imports createClient from @supabase/supabase-js and performs database queries. You MUST use useSecureSupabase() instead to ensure RLS policies and organisation context are enforced.',
-            recommendation: 'Replace createClient with: import { useSecureSupabase } from \'@jmruthers/pace-core/rbac\'; const supabase = useSecureSupabase();'
-          });
-        }
-      }
-    }
-    
-    // Check for createClient imports even without immediate query usage
-    // This catches cases where createClient is imported but may be used later
-    if (hasCreateClientImport && !usesSecureSupabase) {
-      const isConfigFile = /config|supabase|client/i.test(relativePath) && 
-                          (relativePath.includes('supabase.ts') || 
-                           relativePath.includes('supabase.js') ||
-                           relativePath.includes('client.ts') ||
-                           relativePath.includes('client.js'));
-      
-      if (!isConfigFile) {
-        // Find the line number of the import
-        const importMatch = content.match(/import\s+{\s*createClient\s*}\s+from\s+['"]@supabase\/supabase-js['"]/);
-        if (importMatch) {
-          const lineNumber = content.substring(0, importMatch.index).split('\n').length;
-          
-          // Check if this violation is already reported
-          const alreadyReported = violations.directSupabaseClient.some(v => 
-            v.file === relativePath && 
-            v.variable === 'createClient' &&
-            Math.abs(v.line - lineNumber) <= 2
-          );
-          
-          if (!alreadyReported) {
-            violations.directSupabaseClient.push({
-              file: relativePath,
-              line: lineNumber,
-              variable: 'createClient',
-              table: 'none',
-              reason: 'Direct import of createClient from @supabase/supabase-js detected. You MUST use useSecureSupabase() from @jmruthers/pace-core/rbac instead to ensure organisation context and RLS policies are enforced.',
-              recommendation: 'Remove this import and use: import { useSecureSupabase } from \'@jmruthers/pace-core/rbac\'; const supabase = useSecureSupabase();'
-            });
-          }
-        }
-      }
-    }
-    
-    // Check for createClient() calls even when variable isn't used for queries yet
-    // This catches potential security issues early
-    if (hasCreateClientUsage && !usesSecureSupabase) {
-      const isConfigFile = /config|supabase|client/i.test(relativePath) && 
-                          (relativePath.includes('supabase.ts') || 
-                           relativePath.includes('supabase.js') ||
-                           relativePath.includes('client.ts') ||
-                           relativePath.includes('client.js'));
-      
-      if (!isConfigFile) {
-        // Find all createClient() calls
-        const createClientCallPattern = /createClient\s*\(/g;
-        let callMatch;
-        while ((callMatch = createClientCallPattern.exec(content)) !== null) {
-          const lineNumber = content.substring(0, callMatch.index).split('\n').length;
-          
-          // Check if this violation is already reported
-          const alreadyReported = violations.directSupabaseClient.some(v => 
-            v.file === relativePath && 
-            Math.abs(v.line - lineNumber) <= 2
-          );
-          
-          if (!alreadyReported) {
-            violations.directSupabaseClient.push({
-              file: relativePath,
-              line: lineNumber,
-              variable: 'unknown',
-              table: 'none',
-              reason: 'Direct createClient() call detected. You MUST use useSecureSupabase() from @jmruthers/pace-core/rbac instead to ensure organisation context and RLS policies are enforced.',
-              recommendation: 'Replace with: import { useSecureSupabase } from \'@jmruthers/pace-core/rbac\'; const supabase = useSecureSupabase();'
-            });
-          }
-        }
-      }
-    }
-  }
-  
-  // ============================================
-  // Check for Deprecated useSecureDataAccess Usage
-  // ============================================
-  // Detect when consuming apps use useSecureDataAccess() with secureQuery/secureInsert/etc
-  // This is deprecated - they should migrate to useSecureSupabase() instead
-  // This helps identify code that needs migration before retiring the old API
-  
-  // Skip Edge Functions - they run in Deno
-  if (!isEdgeFunction) {
-    // Check for useSecureDataAccess import
-    const hasSecureDataAccessImport = /import.*useSecureDataAccess.*from\s+['"]@jmruthers\/pace-core['"]/.test(content) ||
-                                      /import.*useSecureDataAccess.*from\s+['"]@jmruthers\/pace-core\/hooks['"]/.test(content);
-    
-    // Check for useSecureDataAccess hook usage
-    const hasSecureDataAccessHook = /useSecureDataAccess\s*\(/.test(content);
-    
-    // Check for deprecated secure methods
-    const deprecatedMethods = [
-      { name: 'secureQuery', operation: 'query' },
-      { name: 'secureInsert', operation: 'insert' },
-      { name: 'secureUpdate', operation: 'update' },
-      { name: 'secureDelete', operation: 'delete' },
-      { name: 'secureRpc', operation: 'RPC call' }
-    ];
-    
-    // Pattern to find destructured secure methods from useSecureDataAccess
-    const destructurePattern = /(const|let)\s*\{[^}]*\b(secureQuery|secureInsert|secureUpdate|secureDelete|secureRpc)\b[^}]*\}\s*=\s*useSecureDataAccess\s*\(/g;
-    
-    // Pattern to find direct method calls (secureQuery(...), secureInsert(...), etc.)
-    const methodCallPatterns = deprecatedMethods.map(method => ({
-      name: method.name,
-      operation: method.operation,
-      pattern: new RegExp(`\\b${method.name}\\s*\\(`, 'g')
-    }));
-    
-    // Check if file uses the deprecated hook
-    if (hasSecureDataAccessImport || hasSecureDataAccessHook) {
-      // Find all destructured methods
-      let destructureMatch;
-      const foundMethods = new Set();
-      
-      while ((destructureMatch = destructurePattern.exec(content)) !== null) {
-        const destructureText = destructureMatch[0];
-        deprecatedMethods.forEach(method => {
-          if (destructureText.includes(method.name)) {
-            foundMethods.add(method.name);
-          }
-        });
-      }
-      
-      // Find all method calls
-      methodCallPatterns.forEach(({ name, operation, pattern }) => {
-        let match;
-        pattern.lastIndex = 0;
-        
-        while ((match = pattern.exec(content)) !== null) {
-          const matchIndex = match.index;
-          
-          // Skip if in a line comment
-          const lineStart = content.lastIndexOf('\n', matchIndex) + 1;
-          const lineUpToMatch = content.substring(lineStart, matchIndex);
-          const isInLineComment = /\/\/[^\n]*$/.test(lineUpToMatch);
-          
-          if (isInLineComment) {
-            continue;
-          }
-          
-          // Check if this is from useSecureDataAccess (not from a different source)
-          // Look backwards to see if it's from useSecureDataAccess destructuring
-          const beforeMatch = content.substring(Math.max(0, matchIndex - 500), matchIndex);
-          const isFromSecureDataAccess = 
-            /useSecureDataAccess\s*\(/.test(beforeMatch) ||
-            /(const|let)\s*\{[^}]*\bsecure(Query|Insert|Update|Delete|Rpc)\b/.test(beforeMatch);
-          
-          if (isFromSecureDataAccess) {
-            foundMethods.add(name);
-            
-            const lineNumber = content.substring(0, matchIndex).split('\n').length;
-            
-            // Check if already reported
-            const alreadyReported = violations.deprecatedSecureDataAccess.some(v => 
-              v.file === relativePath && 
-              v.method === name &&
-              Math.abs(v.line - lineNumber) <= 2
-            );
-            
-            if (!alreadyReported) {
-              violations.deprecatedSecureDataAccess.push({
-                file: relativePath,
-                line: lineNumber,
-                method: name,
-                operation: operation,
-                reason: `Deprecated method '${name}' from useSecureDataAccess() detected. This API is being retired. Migrate to useSecureSupabase() instead.`,
-                recommendation: getMigrationRecommendation(name, operation)
-              });
-            }
-          }
-        }
-      });
-      
-      // If we found the hook usage but haven't reported specific methods, add a general warning
-      if (foundMethods.size === 0 && hasSecureDataAccessHook) {
-        // Check if it's just imported but not used, or used in a way we didn't detect
-        const hasAnySecureMethodCall = /secure(Query|Insert|Update|Delete|Rpc)\s*\(/.test(content);
-        
-        if (hasAnySecureMethodCall) {
-          violations.deprecatedSecureDataAccess.push({
-            file: relativePath,
-            line: 1,
-            method: 'useSecureDataAccess',
-            operation: 'general',
-            reason: 'useSecureDataAccess() hook detected. This API is deprecated and will be retired. Migrate to useSecureSupabase() instead.',
-            recommendation: 'Replace useSecureDataAccess() with useSecureSupabase() and use standard Supabase query builder API (.from(), .select(), etc.)'
-          });
-        }
-      }
-    }
-  }
-  
-  return violations;
-}
-
-/**
- * Compliance check module
- */
-const complianceCheck = {
-  name: 'compliance',
-  description: 'pace-core compliance checks (restricted imports, duplicates, auth/RBAC, etc.)',
-  severity: 'error',
-  
-  async run(context) {
-    const { projectRoot, files, manifest: providedManifest } = context;
-    
-    // Load manifest if not provided
-    const manifest = providedManifest || loadManifest();
-    
-    if (!files || files.length === 0) {
-      return {
-        issues: [],
-        warnings: [],
-        suggestions: [],
-        violations: {
-          restrictedImports: [],
-          duplicateComponents: [],
-          duplicateHooks: [],
-          duplicateUtils: [],
-          suggestions: [],
-          customAuthCode: [],
-          duplicateConfig: [],
-          unprotectedPages: [],
-          directSupabaseAuth: [],
-          directSupabaseClient: [],
-          deprecatedSecureDataAccess: [],
-          providerSetupIssues: [],
-          viteConfigIssues: [],
-          routerSetupIssues: [],
-          unnecessaryWrappers: [],
-          appDiscoveryIssues: []
-        }
-      };
-    }
-    
-    // Aggregate all violations
-    const allViolations = {
-      restrictedImports: [],
-      duplicateComponents: [],
-      duplicateHooks: [],
-      duplicateUtils: [],
-      suggestions: [],
-      customAuthCode: [],
-      duplicateConfig: [],
-      unprotectedPages: [],
-      directSupabaseAuth: [],
-      directSupabaseClient: [],
-      deprecatedSecureDataAccess: [],
-      providerSetupIssues: [],
-      viteConfigIssues: [],
-      routerSetupIssues: [],
-      unnecessaryWrappers: [],
-      appDiscoveryIssues: []
-    };
-    
-    // Scan all files
-    for (const filePath of files) {
-      try {
-        const violations = scanFile(filePath, manifest, projectRoot);
-        
-        // Aggregate violations
-        Object.keys(allViolations).forEach(key => {
-          if (violations[key] && Array.isArray(violations[key])) {
-            allViolations[key].push(...violations[key]);
-          }
-        });
-      } catch (error) {
-        // Skip files with errors
-        console.warn(`Error scanning ${filePath}: ${error.message}`);
-      }
-    }
-    
-    // Convert violations to issues/warnings/suggestions format
-    const issues = [
-      ...allViolations.restrictedImports.map(v => ({
-        type: 'restricted-import',
-        file: v.file,
-        line: v.line,
-        message: `Restricted import: ${v.module} - ${v.reason}`,
-        recommendation: `Use pace-core alternative instead`
-      })),
-      ...allViolations.duplicateComponents.map(v => ({
-        type: 'duplicate-component',
-        file: v.file,
-        message: `Duplicate component: ${v.component}`,
-        recommendation: `Use ${v.component} from '@jmruthers/pace-core' instead`
-      })),
-      ...allViolations.duplicateHooks.map(v => ({
-        type: 'duplicate-hook',
-        file: v.file,
-        message: `Duplicate hook: ${v.hook}`,
-        recommendation: `Use ${v.hook} from '@jmruthers/pace-core' instead`
-      })),
-      ...allViolations.duplicateUtils.map(v => ({
-        type: 'duplicate-util',
-        file: v.file,
-        message: `Duplicate util: ${v.util}`,
-        recommendation: `Use ${v.util} from '@jmruthers/pace-core' instead`
-      })),
-      ...allViolations.customAuthCode.filter(v => !v.severity || v.severity === 'error').map(v => ({
-        type: 'custom-auth-code',
-        file: v.file,
-        line: v.line,
-        message: `${v.type}: ${v.name} - ${v.reason}`,
-        recommendation: v.replacement || 'Use pace-core APIs instead'
-      })),
-      ...allViolations.directSupabaseClient.map(v => ({
-        type: 'direct-supabase-client',
-        file: v.file,
-        line: v.line,
-        message: `Direct Supabase client usage: ${v.reason}`,
-        recommendation: v.recommendation || 'Use useSecureSupabase() instead'
-      })),
-      ...allViolations.providerSetupIssues.map(v => ({
-        type: 'provider-setup',
-        file: v.file,
-        line: v.line,
-        message: v.issue || v.reason,
-        recommendation: v.recommendation
-      })),
-      ...allViolations.viteConfigIssues.map(v => ({
-        type: 'vite-config',
-        file: v.file,
-        line: v.line,
-        message: v.issue,
-        recommendation: v.recommendation
-      })),
-      ...allViolations.routerSetupIssues.map(v => ({
-        type: 'router-setup',
-        file: v.file,
-        line: v.line,
-        message: v.issue,
-        recommendation: v.recommendation
-      }))
-    ];
-    
-    const warnings = [
-      ...allViolations.customAuthCode.filter(v => v.severity === 'warning').map(v => ({
-        type: 'custom-auth-code',
-        file: v.file,
-        line: v.line,
-        message: `${v.type}: ${v.name} - ${v.reason}`,
-        recommendation: v.replacement || 'Consider using pace-core APIs'
-      })),
-      ...allViolations.directSupabaseAuth.map(v => ({
-        type: 'direct-supabase-auth',
-        file: v.file,
-        line: v.line,
-        message: `Direct Supabase auth usage: ${v.reason}`,
-        recommendation: v.recommendation || 'Use useUnifiedAuth() instead'
-      })),
-      ...allViolations.deprecatedSecureDataAccess.map(v => ({
-        type: 'deprecated-api',
-        file: v.file,
-        line: v.line,
-        message: `Deprecated API: ${v.method} - ${v.reason}`,
-        recommendation: v.recommendation || 'Migrate to useSecureSupabase()'
-      })),
-      ...allViolations.unnecessaryWrappers.map(v => ({
-        type: 'unnecessary-wrapper',
-        file: v.file,
-        line: v.line,
-        message: `Unnecessary wrapper: ${v.component} wraps ${v.wrappedComponent}`,
-        recommendation: v.recommendation || 'Remove wrapper and use component directly'
-      })),
-      ...allViolations.appDiscoveryIssues.filter(v => v.severity === 'warning').map(v => ({
-        type: 'app-discovery',
-        file: v.file,
-        message: v.issue || v.reason,
-        recommendation: v.recommendation
-      }))
-    ];
-    
-    const suggestions = [
-      ...allViolations.suggestions.map(v => ({
-        type: 'suggestion',
-        file: v.file,
-        message: v.suggestion
-      })),
-      ...allViolations.appDiscoveryIssues.filter(v => v.severity === 'info').map(v => ({
-        type: 'app-discovery',
-        file: v.file,
-        message: v.issue || v.reason,
-        recommendation: v.recommendation
-      }))
-    ];
-    
-    return {
-      issues,
-      warnings,
-      suggestions,
-      violations: allViolations
-    };
-  }
-};
-
-module.exports = complianceCheck;