@jmruthers/pace-core 0.6.5 → 0.6.7

package/dist/eslint-rules/rules/06-security-rbac.cjs

@@ -0,0 +1,806 @@
+/**
+ * Security & RBAC Rules (Standard 6)
+ * @package @jmruthers/pace-core
+ * @module ESLintRules/rules/security-rbac
+ * 
+ * Enforces security and RBAC patterns from Standard 6:
+ * - Use secure Supabase client (useSecureSupabase)
+ * - Use RESOURCE_NAMES constants
+ * - No wrapper components/functions around RBAC hooks
+ * - Proper permission loading state handling
+ * 
+ * Reference: packages/core/docs/standards/6-security-rbac-standards.md
+ */
+
+const { isPaceCoreSourceFile } = require('../utils/helpers.cjs');
+
+module.exports = {
+  rules: {
+    /**
+     * Disallow direct Supabase client creation - must use useSecureSupabase
+     */
+    'no-direct-supabase-client': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow direct createClient calls from @supabase/supabase-js. Use useSecureSupabase() from pace-core instead to ensure organisation context and RLS policies are enforced.',
+          category: 'Security',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          directClientCreation: "Direct Supabase client creation detected. You MUST use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead to ensure organisation context and RLS policies are enforced. This prevents cross-organisation data access.",
+          directClientImport: "Direct import of createClient from @supabase/supabase-js is not allowed. Use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        // Allow createClient in specific config files (supabaseClient.ts/js, etc.)
+        const isConfigFile = /(supabase|client)\.(ts|js|tsx|jsx)$/i.test(filename) && 
+                            (filename.includes('supabase') || filename.includes('client'));
+        
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            
+            // Check for @supabase/supabase-js import
+            if (importSource === '@supabase/supabase-js') {
+              // Check if createClient is imported
+              const hasCreateClient = node.specifiers.some(spec => {
+                if (spec.type === 'ImportSpecifier') {
+                  return spec.imported.name === 'createClient';
+                }
+                if (spec.type === 'ImportNamespaceSpecifier') {
+                  return true; // import * as supabase
+                }
+                return false;
+              });
+              
+              if (hasCreateClient && !isConfigFile) {
+                context.report({
+                  node: node.source,
+                  messageId: 'directClientImport',
+                  suggest: [{
+                    desc: 'Replace with useSecureSupabase hook',
+                    fix(fixer) {
+                      return fixer.remove(node);
+                    }
+                  }]
+                });
+              }
+            }
+          },
+          
+          CallExpression(node) {
+            // Check for createClient() calls
+            if (node.callee.type === 'Identifier' && node.callee.name === 'createClient') {
+              if (!isConfigFile) {
+                context.report({
+                  node,
+                  messageId: 'directClientCreation',
+                  suggest: [{
+                    desc: 'Use useSecureSupabase() hook instead',
+                    fix(fixer) {
+                      return null;
+                    }
+                  }]
+                });
+              }
+            }
+            
+            // Check for supabase.createClient() or similar patterns
+            if (node.callee.type === 'MemberExpression' && 
+                node.callee.property?.name === 'createClient') {
+              if (!isConfigFile) {
+                context.report({
+                  node,
+                  messageId: 'directClientCreation',
+                  suggest: [{
+                    desc: 'Use useSecureSupabase() hook instead',
+                    fix(fixer) {
+                      return null;
+                    }
+                  }]
+                });
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Check RBAC permission loading state usage
+     */
+    'rbac-permission-loading': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Require isLoading extraction from useResourcePermissions and check it before permission calls in mutations.',
+          category: 'Security',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          missingIsLoading: "useResourcePermissions is used but 'isLoading' is not extracted. Permission checks may fail if scope resolution is still in progress.",
+          missingLoadingCheck: "Permission check '{{permission}}()' is called without checking isLoading first. This can cause false negatives when scope resolution is still in progress."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        let useResourcePermissionsFound = false;
+        let hasIsLoadingExtraction = false;
+        let isLoadingVarName = null;
+        
+        return {
+          CallExpression(node) {
+            // Find useResourcePermissions calls
+            if (node.callee.type === 'Identifier' && 
+                node.callee.name === 'useResourcePermissions') {
+              useResourcePermissionsFound = true;
+              
+              // Check parent to see if isLoading is destructured
+              const parent = node.parent;
+              if (parent && parent.type === 'VariableDeclarator' && 
+                  parent.id && parent.id.type === 'ObjectPattern') {
+                const properties = parent.id.properties;
+                const isLoadingProp = properties.find(prop => {
+                  if (prop.type === 'Property') {
+                    const key = prop.key;
+                    if (key.type === 'Identifier' && key.name === 'isLoading') {
+                      return true;
+                    }
+                    // Also check for renamed: isLoading: permissionsLoading
+                    if (key.type === 'Identifier' && key.name === 'isLoading') {
+                      if (prop.value && prop.value.type === 'Identifier') {
+                        isLoadingVarName = prop.value.name;
+                      }
+                      return true;
+                    }
+                  }
+                  return false;
+                });
+                
+                if (isLoadingProp) {
+                  hasIsLoadingExtraction = true;
+                  if (!isLoadingVarName) {
+                    isLoadingVarName = 'isLoading';
+                  }
+                }
+              }
+            }
+            
+            // Check for permission function calls in mutations
+            if (useResourcePermissionsFound && 
+                node.callee.type === 'Identifier' &&
+                ['canCreate', 'canUpdate', 'canDelete', 'canRead'].includes(node.callee.name)) {
+              
+              // Check if we're in a mutation context
+              const sourceCode = context.sourceCode || context.getSourceCode();
+              // ESLint 9: use sourceCode.getAncestors(node), ESLint 8: use context.getAncestors()
+              const ancestors = sourceCode.getAncestors ? sourceCode.getAncestors(node) : (context.getAncestors ? context.getAncestors() : []);
+              const isInMutation = ancestors.some(ancestor => {
+                if (ancestor.type === 'Property' && ancestor.key) {
+                  const keyName = ancestor.key.name || (ancestor.key.type === 'Identifier' && ancestor.key.name);
+                  return keyName === 'mutationFn' || keyName === 'mutateAsync';
+                }
+                return false;
+              });
+              
+              if (isInMutation) {
+                // Check if isLoading is checked before this call
+                const nodeText = sourceCode.getText(node);
+                const beforeNode = sourceCode.getText().substring(0, sourceCode.getIndexFromLoc(node.loc.start));
+                
+                // Look for isLoading check before this call
+                const hasLoadingCheck = new RegExp(
+                  `(if\\s*\\(\\s*!?\\s*(${isLoadingVarName || 'isLoading'})|if\\s*\\(\\s*(${isLoadingVarName || 'isLoading'})\\s*===\\s*false|if\\s*\\(\\s*(${isLoadingVarName || 'isLoading'})\\s*!==\\s*true|await)`,
+                  'i'
+                ).test(beforeNode);
+                
+                if (!hasIsLoadingExtraction) {
+                  context.report({
+                    node,
+                    messageId: 'missingIsLoading',
+                    suggest: [{
+                      desc: `Extract 'isLoading' from useResourcePermissions`,
+                      fix(fixer) {
+                        return null; // Complex fix
+                      }
+                    }]
+                  });
+                } else if (!hasLoadingCheck) {
+                  context.report({
+                    node,
+                    messageId: 'missingLoadingCheck',
+                    data: {
+                      permission: node.callee.name
+                    },
+                    suggest: [{
+                      desc: `Check ${isLoadingVarName || 'isLoading'} before calling permission function`,
+                      fix(fixer) {
+                        return null; // Complex fix
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Disallow direct RPC calls to RBAC functions
+     */
+    'no-direct-rbac-rpc': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow direct calls to RBAC RPC functions. Use pace-core RBAC hooks instead.',
+          category: 'Security',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          directRbacRpc: "Direct RPC call to '{{rpcName}}' detected. Use pace-core RBAC hooks from '@jmruthers/pace-core/rbac' instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        const rbacRpcPatterns = ['rbac_check_permission_simplified', 'rbac_'];
+        
+        return {
+          CallExpression(node) {
+            // Check for supabase.rpc('rbac_*', ...)
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property &&
+                node.callee.property.name === 'rpc' &&
+                node.arguments.length > 0) {
+              
+              const firstArg = node.arguments[0];
+              if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
+                const rpcName = firstArg.value;
+                if (rpcName.startsWith('rbac_')) {
+                  context.report({
+                    node: firstArg,
+                    messageId: 'directRbacRpc',
+                    data: {
+                      rpcName
+                    },
+                    suggest: [{
+                      desc: 'Use pace-core RBAC hooks instead',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Disallow direct queries to RBAC tables
+     */
+    'no-direct-rbac-table': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow direct queries to RBAC tables. Use pace-core RBAC API functions or useSecureSupabase instead.',
+          category: 'Security',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          directRbacTable: "Direct query to RBAC table '{{tableName}}' detected. Use pace-core RBAC API functions from '@jmruthers/pace-core/rbac' or useSecureSupabase hook instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        const rbacTables = [
+          'rbac_organisation_roles',
+          'rbac_event_app_roles',
+          'rbac_global_roles',
+          'rbac_apps',
+          'rbac_app_pages',
+          'rbac_page_permissions',
+          'rbac_user_profiles'
+        ];
+        
+        let hasSecureSupabase = false;
+        let secureSupabaseVarName = null;
+        
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (importSource === '@jmruthers/pace-core/rbac' || 
+                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
+              if (node.specifiers.some(spec => 
+                spec.type === 'ImportSpecifier' && spec.imported.name === 'useSecureSupabase'
+              )) {
+                hasSecureSupabase = true;
+              }
+            }
+          },
+          VariableDeclarator(node) {
+            if (node.init && 
+                node.init.type === 'CallExpression' &&
+                node.init.callee &&
+                node.init.callee.name === 'useSecureSupabase') {
+              if (node.id.type === 'Identifier') {
+                secureSupabaseVarName = node.id.name;
+              }
+            }
+          },
+          CallExpression(node) {
+            if (node.callee.type === 'MemberExpression' &&
+                node.callee.property &&
+                node.callee.property.name === 'from' &&
+                node.arguments.length > 0) {
+              
+              // Check if this is called on secureSupabase
+              let isSecureClient = false;
+              if (node.callee.object.type === 'Identifier') {
+                const objName = node.callee.object.name;
+                if (objName === 'secureSupabase' || 
+                    objName === secureSupabaseVarName ||
+                    (hasSecureSupabase && objName.includes('secure'))) {
+                  isSecureClient = true;
+                }
+              }
+              
+              // Allow queries through secureSupabase
+              if (isSecureClient) {
+                return;
+              }
+              
+              const firstArg = node.arguments[0];
+              if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
+                const tableName = firstArg.value;
+                if (rbacTables.includes(tableName) || tableName.startsWith('rbac_')) {
+                  context.report({
+                    node: firstArg,
+                    messageId: 'directRbacTable',
+                    data: {
+                      tableName
+                    },
+                    suggest: [{
+                      desc: 'Use useSecureSupabase hook or pace-core RBAC API functions',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Disallow hardcoded role checks
+     */
+    'no-hardcoded-role-checks': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow hardcoded role checks. Use useAccessLevel hook or getRoleContext API from pace-core instead.',
+          category: 'Security',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          hardcodedRoleCheck: "Hardcoded role check detected. Use useAccessLevel hook or getRoleContext API from '@jmruthers/pace-core/rbac' instead."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        const roleNames = ['admin', 'org_admin', 'event_admin', 'user', 'member', 'viewer', 'editor'];
+        const roleCheckPattern = new RegExp(
+          `(?:role|user\\.role|userRole|currentRole|userRoleName)\\s*(?:===|!==|==|!=)\\s*['"](${roleNames.join('|')})['"]`,
+          'i'
+        );
+        
+        let hasPaceCoreImport = false;
+        
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (importSource === '@jmruthers/pace-core/rbac' || 
+                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
+              hasPaceCoreImport = true;
+            }
+          },
+          BinaryExpression(node) {
+            if (node.operator === '===' || node.operator === '!==' || node.operator === '==' || node.operator === '!=') {
+              const sourceCode = context.getSourceCode();
+              const leftText = sourceCode.getText(node.left);
+              const rightText = sourceCode.getText(node.right);
+              
+              // Check if it's a role comparison
+              if (roleCheckPattern.test(leftText + ' ' + node.operator + ' ' + rightText)) {
+                // Check if using pace-core APIs
+                if (!hasPaceCoreImport || 
+                    (!leftText.includes('useAccessLevel') && !leftText.includes('getRoleContext'))) {
+                  context.report({
+                    node,
+                    messageId: 'hardcodedRoleCheck',
+                    suggest: [{
+                      desc: 'Use useAccessLevel hook or getRoleContext API',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Require RESOURCE_NAMES constants in useResourcePermissions
+     */
+    'rbac-use-resource-names-constants': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Require RESOURCE_NAMES constants instead of string literals in useResourcePermissions calls.',
+          category: 'Best Practices',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          resourcePermissionStringLiteral: "Resource permission string literal detected. Use RESOURCE_NAMES constant object instead (e.g., RESOURCE_NAMES.ORGANISATIONS, RESOURCE_NAMES.EVENTS)."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        let hasResourceNamesImport = false;
+        
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (node.specifiers.some(spec => 
+              spec.type === 'ImportSpecifier' && spec.imported.name === 'RESOURCE_NAMES'
+            )) {
+              hasResourceNamesImport = true;
+            }
+          },
+          CallExpression(node) {
+            if (node.callee.type === 'Identifier' && 
+                node.callee.name === 'useResourcePermissions') {
+              // Check if argument is a string literal
+              if (node.arguments.length > 0 && 
+                  node.arguments[0].type === 'Literal' && 
+                  typeof node.arguments[0].value === 'string') {
+                // Check if RESOURCE_NAMES is used in the file
+                const sourceCode = context.getSourceCode();
+                const fileText = sourceCode.getText();
+                
+                if (!hasResourceNamesImport || !fileText.includes('RESOURCE_NAMES.')) {
+                  context.report({
+                    node: node.arguments[0],
+                    messageId: 'resourcePermissionStringLiteral',
+                    suggest: [{
+                      desc: 'Use RESOURCE_NAMES constant instead',
+                      fix(fixer) {
+                        return null; // Complex fix
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Disallow wrapper components around PagePermissionGuard
+     */
+    'no-rbac-wrapper-components': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow wrapper components around PagePermissionGuard. Use PagePermissionGuard directly.',
+          category: 'Security',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          wrapperComponent: "Wrapper component '{{componentName}}' detected around PagePermissionGuard. Must use PagePermissionGuard directly, not through wrappers."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Allow in pace-core package itself
+        if (filename.includes('packages/core/src/rbac') || filename.includes('packages\\core\\src\\rbac')) {
+          return {};
+        }
+        
+        let hasPagePermissionGuard = false;
+        let wrapperComponentName = null;
+        
+        return {
+          JSXOpeningElement(node) {
+            if (node.name.type === 'JSXIdentifier' && node.name.name === 'PagePermissionGuard') {
+              hasPagePermissionGuard = true;
+              
+              // Check if this is inside a wrapper component
+              const sourceCode = context.sourceCode || context.getSourceCode();
+              // ESLint 9: use sourceCode.getAncestors(node), ESLint 8: use context.getAncestors()
+              const ancestors = sourceCode.getAncestors ? sourceCode.getAncestors(node) : (context.getAncestors ? context.getAncestors() : []);
+              const componentAncestor = ancestors.find(ancestor => 
+                ancestor.type === 'FunctionDeclaration' || 
+                (ancestor.type === 'VariableDeclarator' && ancestor.init && 
+                 (ancestor.init.type === 'ArrowFunctionExpression' || ancestor.init.type === 'FunctionExpression'))
+              );
+              
+              if (componentAncestor) {
+                let componentName = null;
+                let componentParams = null;
+                
+                if (componentAncestor.type === 'FunctionDeclaration' && componentAncestor.id) {
+                  componentName = componentAncestor.id.name;
+                  componentParams = componentAncestor.params;
+                } else if (componentAncestor.type === 'VariableDeclarator' && componentAncestor.id.type === 'Identifier') {
+                  componentName = componentAncestor.id.name;
+                  // For arrow functions and function expressions, get params from init
+                  if (componentAncestor.init) {
+                    if (componentAncestor.init.type === 'ArrowFunctionExpression' || 
+                        componentAncestor.init.type === 'FunctionExpression') {
+                      componentParams = componentAncestor.init.params;
+                    }
+                  }
+                }
+                
+                // Check if component accepts pageName as a FUNCTION PARAMETER (not just uses it in JSX)
+                // This distinguishes wrapper components from legitimate page components
+                // Wrapper pattern: function Wrapper({ pageName }) { return <PagePermissionGuard pageName={pageName}> }
+                // Legitimate pattern: function Page() { return <PagePermissionGuard pageName={PAGE_NAMES.PAGE}> }
+                const acceptsPageNameAsParam = componentParams && componentParams.some(param => {
+                  if (param.type === 'Identifier') {
+                    return param.name === 'pageName';
+                  }
+                  // Handle destructured params: { pageName } or { pageName: pn }
+                  if (param.type === 'ObjectPattern') {
+                    return param.properties.some(prop => {
+                      if (prop.type === 'Property') {
+                        const key = prop.key;
+                        if (key.type === 'Identifier') {
+                          return key.name === 'pageName';
+                        }
+                      }
+                      return false;
+                    });
+                  }
+                  return false;
+                });
+                
+                // Only flag if component accepts pageName as a parameter (wrapper pattern)
+                // Legitimate page components use constants like PAGE_NAMES.CONTACTS, not accept it as prop
+                if (acceptsPageNameAsParam) {
+                  context.report({
+                    node,
+                    messageId: 'wrapperComponent',
+                    data: {
+                      componentName: componentName || 'Unknown'
+                    },
+                    suggest: [{
+                      desc: 'Remove wrapper component and use PagePermissionGuard directly in pages',
+                      fix(fixer) {
+                        return null;
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Disallow wrapper functions around permission hooks
+     */
+    'no-rbac-wrapper-functions': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow wrapper functions around pace-core permission hooks. Use hooks directly in components.',
+          category: 'Security',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
+        },
+        messages: {
+          wrapperFunction: "Permission wrapper function '{{functionName}}' detected. Use pace-core hooks (useCan, useResourcePermissions) directly in components instead of wrapping them."
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        const permissionHookNames = ['useCan', 'useResourcePermissions', 'usePermissions', 'useMultiplePermissions'];
+        const permissionFunctionNames = ['canCreate', 'canUpdate', 'canDelete', 'canRead', 'can'];
+        
+        let hasPaceCoreRBACImport = false;
+        
+        return {
+          ImportDeclaration(node) {
+            const importSource = node.source.value;
+            if (importSource === '@jmruthers/pace-core/rbac' || 
+                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
+              hasPaceCoreRBACImport = true;
+            }
+          },
+          FunctionDeclaration(node) {
+            if (!node.id || !hasPaceCoreRBACImport) return;
+            
+            const functionName = node.id.name;
+            if (!functionName) return;
+            
+            // Check if function body uses permission hooks/functions
+            const sourceCode = context.getSourceCode();
+            const functionText = sourceCode.getText(node.body);
+            
+            // Check if function uses permission hooks or functions
+            const usesPermissionHooks = permissionHookNames.some(hook => functionText.includes(hook));
+            const usesPermissionFunctions = permissionFunctionNames.some(fn => functionText.includes(fn));
+            
+            // Check if function has additional logic beyond permission checking
+            const hasAdditionalLogic = (
+              functionText.includes('&&') ||
+              functionText.includes('||') ||
+              functionText.includes('if') ||
+              (functionText.match(/return/g) || []).length > 1 ||
+              functionText.includes('.find') ||
+              functionText.includes('.filter') ||
+              functionText.includes('.map')
+            );
+            
+            // Pattern: Functions that start with 'can' and use permission hooks/functions
+            // and have additional logic
+            const isPermissionWrapper = (
+              (functionName.toLowerCase().startsWith('can') || 
+               functionName.toLowerCase().includes('permission') ||
+               functionName.toLowerCase().includes('access')) &&
+              (usesPermissionHooks || usesPermissionFunctions) &&
+              hasAdditionalLogic &&
+              node.params.length > 0
+            );
+            
+            if (isPermissionWrapper) {
+              context.report({
+                node: node.id,
+                messageId: 'wrapperFunction',
+                data: {
+                  functionName
+                },
+                suggest: [{
+                  desc: 'Use permission hooks directly in components',
+                  fix(fixer) {
+                    return null;
+                  }
+                }]
+              });
+            }
+          },
+          VariableDeclarator(node) {
+            if (!hasPaceCoreRBACImport) return;
+            if (node.id.type !== 'Identifier') return;
+            
+            const varName = node.id.name;
+            if (!varName) return;
+            
+            // Only check arrow functions and function expressions
+            if (!node.init || 
+                (node.init.type !== 'ArrowFunctionExpression' && 
+                 node.init.type !== 'FunctionExpression')) {
+              return;
+            }
+            
+            const sourceCode = context.getSourceCode();
+            const functionText = sourceCode.getText(node.init);
+            
+            // Check if function uses permission hooks or functions
+            const usesPermissionHooks = permissionHookNames.some(hook => functionText.includes(hook));
+            const usesPermissionFunctions = permissionFunctionNames.some(fn => functionText.includes(fn));
+            
+            // Check if function has additional logic beyond permission checking
+            const hasAdditionalLogic = (
+              functionText.includes('&&') ||
+              functionText.includes('||') ||
+              functionText.includes('if') ||
+              (functionText.match(/return/g) || []).length > 1 ||
+              functionText.includes('.find') ||
+              functionText.includes('.filter') ||
+              functionText.includes('.map')
+            );
+            
+            // Pattern: Variables that start with 'can' and use permission hooks/functions
+            // and have additional logic
+            const isPermissionWrapper = (
+              (varName.toLowerCase().startsWith('can') || 
+               varName.toLowerCase().includes('permission') ||
+               varName.toLowerCase().includes('access')) &&
+              (usesPermissionHooks || usesPermissionFunctions) &&
+              hasAdditionalLogic &&
+              node.init.params && node.init.params.length > 0
+            );
+            
+            if (isPermissionWrapper) {
+              context.report({
+                node: node.id,
+                messageId: 'wrapperFunction',
+                data: {
+                  functionName: varName
+                },
+                suggest: [{
+                  desc: 'Use permission hooks directly in components',
+                  fix(fixer) {
+                    return null;
+                  }
+                }]
+              });
+            }
+          }
+        };
+      }
+    }
+  }
+};
+