@jmruthers/pace-core 0.6.6 → 0.6.7

package/src/eslint-rules/rules/rbac.cjs

@@ -1,790 +0,0 @@
-/**
- * RBAC-specific rules
- * @package @jmruthers/pace-core
- * @module ESLintRules/rules/rbac
- */
-
-const { isPaceCoreSourceFile } = require('../utils/helpers.cjs');
-
-module.exports = {
-  rules: {
-    /**
-     * Disallow direct Supabase client creation - must use useSecureSupabase
-     */
-    'no-direct-supabase-client': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Disallow direct createClient calls from @supabase/supabase-js. Use useSecureSupabase() from pace-core instead to ensure organisation context and RLS policies are enforced.',
-          category: 'Security',
-          recommended: true
-        },
-        messages: {
-          directClientCreation: "Direct Supabase client creation detected. You MUST use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead to ensure organisation context and RLS policies are enforced. This prevents cross-organisation data access.",
-          directClientImport: "Direct import of createClient from @supabase/supabase-js is not allowed. Use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        const filename = context.getFilename();
-        
-        // Exclude pace-core source files - these rules are for consuming apps
-        if (isPaceCoreSourceFile(filename)) {
-          return {};
-        }
-        
-        // Allow createClient in specific config files (supabaseClient.ts/js, etc.)
-        const isConfigFile = /(supabase|client)\.(ts|js|tsx|jsx)$/i.test(filename) && 
-                            (filename.includes('supabase') || filename.includes('client'));
-        
-        return {
-          ImportDeclaration(node) {
-            const importSource = node.source.value;
-            
-            // Check for @supabase/supabase-js import
-            if (importSource === '@supabase/supabase-js') {
-              // Check if createClient is imported
-              const hasCreateClient = node.specifiers.some(spec => {
-                if (spec.type === 'ImportSpecifier') {
-                  return spec.imported.name === 'createClient';
-                }
-                if (spec.type === 'ImportNamespaceSpecifier') {
-                  return true; // import * as supabase
-                }
-                return false;
-              });
-              
-              if (hasCreateClient && !isConfigFile) {
-                context.report({
-                  node: node.source,
-                  messageId: 'directClientImport',
-                  suggest: [{
-                    desc: 'Replace with useSecureSupabase hook',
-                    fix(fixer) {
-                      return fixer.remove(node);
-                    }
-                  }]
-                });
-              }
-            }
-          },
-          
-          CallExpression(node) {
-            // Check for createClient() calls
-            if (node.callee.type === 'Identifier' && node.callee.name === 'createClient') {
-              if (!isConfigFile) {
-                context.report({
-                  node,
-                  messageId: 'directClientCreation',
-                  suggest: [{
-                    desc: 'Use useSecureSupabase() hook instead',
-                    fix(fixer) {
-                      return null;
-                    }
-                  }]
-                });
-              }
-            }
-            
-            // Check for supabase.createClient() or similar patterns
-            if (node.callee.type === 'MemberExpression' && 
-                node.callee.property?.name === 'createClient') {
-              if (!isConfigFile) {
-                context.report({
-                  node,
-                  messageId: 'directClientCreation',
-                  suggest: [{
-                    desc: 'Use useSecureSupabase() hook instead',
-                    fix(fixer) {
-                      return null;
-                    }
-                  }]
-                });
-              }
-            }
-          }
-        };
-      }
-    },
-
-    /**
-     * Check RBAC permission loading state usage
-     */
-    'rbac-permission-loading': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Require isLoading extraction from useResourcePermissions and check it before permission calls in mutations.',
-          category: 'Security',
-          recommended: true
-        },
-        messages: {
-          missingIsLoading: "useResourcePermissions is used but 'isLoading' is not extracted. Permission checks may fail if scope resolution is still in progress.",
-          missingLoadingCheck: "Permission check '{{permission}}()' is called without checking isLoading first. This can cause false negatives when scope resolution is still in progress."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        let useResourcePermissionsFound = false;
-        let hasIsLoadingExtraction = false;
-        let isLoadingVarName = null;
-        
-        return {
-          CallExpression(node) {
-            // Find useResourcePermissions calls
-            if (node.callee.type === 'Identifier' && 
-                node.callee.name === 'useResourcePermissions') {
-              useResourcePermissionsFound = true;
-              
-              // Check parent to see if isLoading is destructured
-              const parent = node.parent;
-              if (parent && parent.type === 'VariableDeclarator' && 
-                  parent.id && parent.id.type === 'ObjectPattern') {
-                const properties = parent.id.properties;
-                const isLoadingProp = properties.find(prop => {
-                  if (prop.type === 'Property') {
-                    const key = prop.key;
-                    if (key.type === 'Identifier' && key.name === 'isLoading') {
-                      return true;
-                    }
-                    // Also check for renamed: isLoading: permissionsLoading
-                    if (key.type === 'Identifier' && key.name === 'isLoading') {
-                      if (prop.value && prop.value.type === 'Identifier') {
-                        isLoadingVarName = prop.value.name;
-                      }
-                      return true;
-                    }
-                  }
-                  return false;
-                });
-                
-                if (isLoadingProp) {
-                  hasIsLoadingExtraction = true;
-                  if (!isLoadingVarName) {
-                    isLoadingVarName = 'isLoading';
-                  }
-                }
-              }
-            }
-            
-            // Check for permission function calls in mutations
-            if (useResourcePermissionsFound && 
-                node.callee.type === 'Identifier' &&
-                ['canCreate', 'canUpdate', 'canDelete', 'canRead'].includes(node.callee.name)) {
-              
-              // Check if we're in a mutation context
-              const sourceCode = context.sourceCode || context.getSourceCode();
-              // ESLint 9: use sourceCode.getAncestors(node), ESLint 8: use context.getAncestors()
-              const ancestors = sourceCode.getAncestors ? sourceCode.getAncestors(node) : (context.getAncestors ? context.getAncestors() : []);
-              const isInMutation = ancestors.some(ancestor => {
-                if (ancestor.type === 'Property' && ancestor.key) {
-                  const keyName = ancestor.key.name || (ancestor.key.type === 'Identifier' && ancestor.key.name);
-                  return keyName === 'mutationFn' || keyName === 'mutateAsync';
-                }
-                return false;
-              });
-              
-              if (isInMutation) {
-                // Check if isLoading is checked before this call
-                const nodeText = sourceCode.getText(node);
-                const beforeNode = sourceCode.getText().substring(0, sourceCode.getIndexFromLoc(node.loc.start));
-                
-                // Look for isLoading check before this call
-                const hasLoadingCheck = new RegExp(
-                  `(if\\s*\\(\\s*!?\\s*(${isLoadingVarName || 'isLoading'})|if\\s*\\(\\s*(${isLoadingVarName || 'isLoading'})\\s*===\\s*false|if\\s*\\(\\s*(${isLoadingVarName || 'isLoading'})\\s*!==\\s*true|await)`,
-                  'i'
-                ).test(beforeNode);
-                
-                if (!hasIsLoadingExtraction) {
-                  context.report({
-                    node,
-                    messageId: 'missingIsLoading',
-                    suggest: [{
-                      desc: `Extract 'isLoading' from useResourcePermissions`,
-                      fix(fixer) {
-                        return null; // Complex fix
-                      }
-                    }]
-                  });
-                } else if (!hasLoadingCheck) {
-                  context.report({
-                    node,
-                    messageId: 'missingLoadingCheck',
-                    data: {
-                      permission: node.callee.name
-                    },
-                    suggest: [{
-                      desc: `Check ${isLoadingVarName || 'isLoading'} before calling permission function`,
-                      fix(fixer) {
-                        return null; // Complex fix
-                      }
-                    }]
-                  });
-                }
-              }
-            }
-          }
-        };
-      }
-    },
-
-    /**
-     * Disallow direct RPC calls to RBAC functions
-     */
-    'no-direct-rbac-rpc': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Disallow direct calls to RBAC RPC functions. Use pace-core RBAC hooks instead.',
-          category: 'Security',
-          recommended: true
-        },
-        messages: {
-          directRbacRpc: "Direct RPC call to '{{rpcName}}' detected. Use pace-core RBAC hooks from '@jmruthers/pace-core/rbac' instead."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        const filename = context.getFilename();
-        
-        // Exclude pace-core source files - these rules are for consuming apps
-        if (isPaceCoreSourceFile(filename)) {
-          return {};
-        }
-        
-        const rbacRpcPatterns = ['rbac_check_permission_simplified', 'rbac_'];
-        
-        return {
-          CallExpression(node) {
-            // Check for supabase.rpc('rbac_*', ...)
-            if (node.callee.type === 'MemberExpression' &&
-                node.callee.property &&
-                node.callee.property.name === 'rpc' &&
-                node.arguments.length > 0) {
-              
-              const firstArg = node.arguments[0];
-              if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
-                const rpcName = firstArg.value;
-                if (rpcName.startsWith('rbac_')) {
-                  context.report({
-                    node: firstArg,
-                    messageId: 'directRbacRpc',
-                    data: {
-                      rpcName
-                    },
-                    suggest: [{
-                      desc: 'Use pace-core RBAC hooks instead',
-                      fix(fixer) {
-                        return null;
-                      }
-                    }]
-                  });
-                }
-              }
-            }
-          }
-        };
-      }
-    },
-
-    /**
-     * Disallow direct queries to RBAC tables
-     */
-    'no-direct-rbac-table': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Disallow direct queries to RBAC tables. Use pace-core RBAC API functions or useSecureSupabase instead.',
-          category: 'Security',
-          recommended: true
-        },
-        messages: {
-          directRbacTable: "Direct query to RBAC table '{{tableName}}' detected. Use pace-core RBAC API functions from '@jmruthers/pace-core/rbac' or useSecureSupabase hook instead."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        const filename = context.getFilename();
-        
-        // Exclude pace-core source files - these rules are for consuming apps
-        if (isPaceCoreSourceFile(filename)) {
-          return {};
-        }
-        
-        const rbacTables = [
-          'rbac_organisation_roles',
-          'rbac_event_app_roles',
-          'rbac_global_roles',
-          'rbac_apps',
-          'rbac_app_pages',
-          'rbac_page_permissions',
-          'rbac_user_profiles'
-        ];
-        
-        let hasSecureSupabase = false;
-        let secureSupabaseVarName = null;
-        
-        return {
-          ImportDeclaration(node) {
-            const importSource = node.source.value;
-            if (importSource === '@jmruthers/pace-core/rbac' || 
-                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
-              if (node.specifiers.some(spec => 
-                spec.type === 'ImportSpecifier' && spec.imported.name === 'useSecureSupabase'
-              )) {
-                hasSecureSupabase = true;
-              }
-            }
-          },
-          VariableDeclarator(node) {
-            if (node.init && 
-                node.init.type === 'CallExpression' &&
-                node.init.callee &&
-                node.init.callee.name === 'useSecureSupabase') {
-              if (node.id.type === 'Identifier') {
-                secureSupabaseVarName = node.id.name;
-              }
-            }
-          },
-          CallExpression(node) {
-            if (node.callee.type === 'MemberExpression' &&
-                node.callee.property &&
-                node.callee.property.name === 'from' &&
-                node.arguments.length > 0) {
-              
-              // Check if this is called on secureSupabase
-              let isSecureClient = false;
-              if (node.callee.object.type === 'Identifier') {
-                const objName = node.callee.object.name;
-                if (objName === 'secureSupabase' || 
-                    objName === secureSupabaseVarName ||
-                    (hasSecureSupabase && objName.includes('secure'))) {
-                  isSecureClient = true;
-                }
-              }
-              
-              // Allow queries through secureSupabase
-              if (isSecureClient) {
-                return;
-              }
-              
-              const firstArg = node.arguments[0];
-              if (firstArg.type === 'Literal' && typeof firstArg.value === 'string') {
-                const tableName = firstArg.value;
-                if (rbacTables.includes(tableName) || tableName.startsWith('rbac_')) {
-                  context.report({
-                    node: firstArg,
-                    messageId: 'directRbacTable',
-                    data: {
-                      tableName
-                    },
-                    suggest: [{
-                      desc: 'Use useSecureSupabase hook or pace-core RBAC API functions',
-                      fix(fixer) {
-                        return null;
-                      }
-                    }]
-                  });
-                }
-              }
-            }
-          }
-        };
-      }
-    },
-
-    /**
-     * Disallow hardcoded role checks
-     */
-    'no-hardcoded-role-checks': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Disallow hardcoded role checks. Use useAccessLevel hook or getRoleContext API from pace-core instead.',
-          category: 'Security',
-          recommended: true
-        },
-        messages: {
-          hardcodedRoleCheck: "Hardcoded role check detected. Use useAccessLevel hook or getRoleContext API from '@jmruthers/pace-core/rbac' instead."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        const filename = context.getFilename();
-        
-        // Exclude pace-core source files - these rules are for consuming apps
-        if (isPaceCoreSourceFile(filename)) {
-          return {};
-        }
-        
-        const roleNames = ['admin', 'org_admin', 'event_admin', 'user', 'member', 'viewer', 'editor'];
-        const roleCheckPattern = new RegExp(
-          `(?:role|user\\.role|userRole|currentRole|userRoleName)\\s*(?:===|!==|==|!=)\\s*['"](${roleNames.join('|')})['"]`,
-          'i'
-        );
-        
-        let hasPaceCoreImport = false;
-        
-        return {
-          ImportDeclaration(node) {
-            const importSource = node.source.value;
-            if (importSource === '@jmruthers/pace-core/rbac' || 
-                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
-              hasPaceCoreImport = true;
-            }
-          },
-          BinaryExpression(node) {
-            if (node.operator === '===' || node.operator === '!==' || node.operator === '==' || node.operator === '!=') {
-              const sourceCode = context.getSourceCode();
-              const leftText = sourceCode.getText(node.left);
-              const rightText = sourceCode.getText(node.right);
-              
-              // Check if it's a role comparison
-              if (roleCheckPattern.test(leftText + ' ' + node.operator + ' ' + rightText)) {
-                // Check if using pace-core APIs
-                if (!hasPaceCoreImport || 
-                    (!leftText.includes('useAccessLevel') && !leftText.includes('getRoleContext'))) {
-                  context.report({
-                    node,
-                    messageId: 'hardcodedRoleCheck',
-                    suggest: [{
-                      desc: 'Use useAccessLevel hook or getRoleContext API',
-                      fix(fixer) {
-                        return null;
-                      }
-                    }]
-                  });
-                }
-              }
-            }
-          }
-        };
-      }
-    },
-
-    /**
-     * Require RESOURCE_NAMES constants in useResourcePermissions
-     */
-    'rbac-use-resource-names-constants': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Require RESOURCE_NAMES constants instead of string literals in useResourcePermissions calls.',
-          category: 'Best Practices',
-          recommended: true
-        },
-        messages: {
-          resourcePermissionStringLiteral: "Resource permission string literal detected. Use RESOURCE_NAMES constant object instead (e.g., RESOURCE_NAMES.ORGANISATIONS, RESOURCE_NAMES.EVENTS)."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        const filename = context.getFilename();
-        
-        // Exclude pace-core source files - these rules are for consuming apps
-        if (isPaceCoreSourceFile(filename)) {
-          return {};
-        }
-        
-        let hasResourceNamesImport = false;
-        
-        return {
-          ImportDeclaration(node) {
-            const importSource = node.source.value;
-            if (node.specifiers.some(spec => 
-              spec.type === 'ImportSpecifier' && spec.imported.name === 'RESOURCE_NAMES'
-            )) {
-              hasResourceNamesImport = true;
-            }
-          },
-          CallExpression(node) {
-            if (node.callee.type === 'Identifier' && 
-                node.callee.name === 'useResourcePermissions') {
-              // Check if argument is a string literal
-              if (node.arguments.length > 0 && 
-                  node.arguments[0].type === 'Literal' && 
-                  typeof node.arguments[0].value === 'string') {
-                // Check if RESOURCE_NAMES is used in the file
-                const sourceCode = context.getSourceCode();
-                const fileText = sourceCode.getText();
-                
-                if (!hasResourceNamesImport || !fileText.includes('RESOURCE_NAMES.')) {
-                  context.report({
-                    node: node.arguments[0],
-                    messageId: 'resourcePermissionStringLiteral',
-                    suggest: [{
-                      desc: 'Use RESOURCE_NAMES constant instead',
-                      fix(fixer) {
-                        return null; // Complex fix
-                      }
-                    }]
-                  });
-                }
-              }
-            }
-          }
-        };
-      }
-    },
-
-    /**
-     * Disallow wrapper components around PagePermissionGuard
-     */
-    'no-rbac-wrapper-components': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Disallow wrapper components around PagePermissionGuard. Use PagePermissionGuard directly.',
-          category: 'Security',
-          recommended: true
-        },
-        messages: {
-          wrapperComponent: "Wrapper component '{{componentName}}' detected around PagePermissionGuard. Must use PagePermissionGuard directly, not through wrappers."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        const filename = context.getFilename();
-        
-        // Allow in pace-core package itself
-        if (filename.includes('packages/core/src/rbac') || filename.includes('packages\\core\\src\\rbac')) {
-          return {};
-        }
-        
-        let hasPagePermissionGuard = false;
-        let wrapperComponentName = null;
-        
-        return {
-          JSXOpeningElement(node) {
-            if (node.name.type === 'JSXIdentifier' && node.name.name === 'PagePermissionGuard') {
-              hasPagePermissionGuard = true;
-              
-              // Check if this is inside a wrapper component
-              const sourceCode = context.sourceCode || context.getSourceCode();
-              // ESLint 9: use sourceCode.getAncestors(node), ESLint 8: use context.getAncestors()
-              const ancestors = sourceCode.getAncestors ? sourceCode.getAncestors(node) : (context.getAncestors ? context.getAncestors() : []);
-              const componentAncestor = ancestors.find(ancestor => 
-                ancestor.type === 'FunctionDeclaration' || 
-                (ancestor.type === 'VariableDeclarator' && ancestor.init && 
-                 (ancestor.init.type === 'ArrowFunctionExpression' || ancestor.init.type === 'FunctionExpression'))
-              );
-              
-              if (componentAncestor) {
-                let componentName = null;
-                let componentParams = null;
-                
-                if (componentAncestor.type === 'FunctionDeclaration' && componentAncestor.id) {
-                  componentName = componentAncestor.id.name;
-                  componentParams = componentAncestor.params;
-                } else if (componentAncestor.type === 'VariableDeclarator' && componentAncestor.id.type === 'Identifier') {
-                  componentName = componentAncestor.id.name;
-                  // For arrow functions and function expressions, get params from init
-                  if (componentAncestor.init) {
-                    if (componentAncestor.init.type === 'ArrowFunctionExpression' || 
-                        componentAncestor.init.type === 'FunctionExpression') {
-                      componentParams = componentAncestor.init.params;
-                    }
-                  }
-                }
-                
-                // Check if component accepts pageName as a FUNCTION PARAMETER (not just uses it in JSX)
-                // This distinguishes wrapper components from legitimate page components
-                // Wrapper pattern: function Wrapper({ pageName }) { return <PagePermissionGuard pageName={pageName}> }
-                // Legitimate pattern: function Page() { return <PagePermissionGuard pageName={PAGE_NAMES.PAGE}> }
-                const acceptsPageNameAsParam = componentParams && componentParams.some(param => {
-                  if (param.type === 'Identifier') {
-                    return param.name === 'pageName';
-                  }
-                  // Handle destructured params: { pageName } or { pageName: pn }
-                  if (param.type === 'ObjectPattern') {
-                    return param.properties.some(prop => {
-                      if (prop.type === 'Property') {
-                        const key = prop.key;
-                        if (key.type === 'Identifier') {
-                          return key.name === 'pageName';
-                        }
-                      }
-                      return false;
-                    });
-                  }
-                  return false;
-                });
-                
-                // Only flag if component accepts pageName as a parameter (wrapper pattern)
-                // Legitimate page components use constants like PAGE_NAMES.CONTACTS, not accept it as prop
-                if (acceptsPageNameAsParam) {
-                  context.report({
-                    node,
-                    messageId: 'wrapperComponent',
-                    data: {
-                      componentName: componentName || 'Unknown'
-                    },
-                    suggest: [{
-                      desc: 'Remove wrapper component and use PagePermissionGuard directly in pages',
-                      fix(fixer) {
-                        return null;
-                      }
-                    }]
-                  });
-                }
-              }
-            }
-          }
-        };
-      }
-    },
-
-    /**
-     * Disallow wrapper functions around permission hooks
-     */
-    'no-rbac-wrapper-functions': {
-      meta: {
-        type: 'problem',
-        docs: {
-          description: 'Disallow wrapper functions around pace-core permission hooks. Use hooks directly in components.',
-          category: 'Security',
-          recommended: true
-        },
-        messages: {
-          wrapperFunction: "Permission wrapper function '{{functionName}}' detected. Use pace-core hooks (useCan, useResourcePermissions) directly in components instead of wrapping them."
-        },
-        hasSuggestions: true
-      },
-      create(context) {
-        const filename = context.getFilename();
-        
-        // Exclude pace-core source files - these rules are for consuming apps
-        if (isPaceCoreSourceFile(filename)) {
-          return {};
-        }
-        
-        const permissionHookNames = ['useCan', 'useResourcePermissions', 'usePermissions', 'useMultiplePermissions'];
-        const permissionFunctionNames = ['canCreate', 'canUpdate', 'canDelete', 'canRead', 'can'];
-        
-        let hasPaceCoreRBACImport = false;
-        
-        return {
-          ImportDeclaration(node) {
-            const importSource = node.source.value;
-            if (importSource === '@jmruthers/pace-core/rbac' || 
-                importSource.startsWith('@jmruthers/pace-core/rbac/')) {
-              hasPaceCoreRBACImport = true;
-            }
-          },
-          FunctionDeclaration(node) {
-            if (!node.id || !hasPaceCoreRBACImport) return;
-            
-            const functionName = node.id.name;
-            if (!functionName) return;
-            
-            // Check if function body uses permission hooks/functions
-            const sourceCode = context.getSourceCode();
-            const functionText = sourceCode.getText(node.body);
-            
-            // Check if function uses permission hooks or functions
-            const usesPermissionHooks = permissionHookNames.some(hook => functionText.includes(hook));
-            const usesPermissionFunctions = permissionFunctionNames.some(fn => functionText.includes(fn));
-            
-            // Check if function has additional logic beyond permission checking
-            const hasAdditionalLogic = (
-              functionText.includes('&&') ||
-              functionText.includes('||') ||
-              functionText.includes('if') ||
-              (functionText.match(/return/g) || []).length > 1 ||
-              functionText.includes('.find') ||
-              functionText.includes('.filter') ||
-              functionText.includes('.map')
-            );
-            
-            // Pattern: Functions that start with 'can' and use permission hooks/functions
-            // and have additional logic
-            const isPermissionWrapper = (
-              (functionName.toLowerCase().startsWith('can') || 
-               functionName.toLowerCase().includes('permission') ||
-               functionName.toLowerCase().includes('access')) &&
-              (usesPermissionHooks || usesPermissionFunctions) &&
-              hasAdditionalLogic &&
-              node.params.length > 0
-            );
-            
-            if (isPermissionWrapper) {
-              context.report({
-                node: node.id,
-                messageId: 'wrapperFunction',
-                data: {
-                  functionName
-                },
-                suggest: [{
-                  desc: 'Use permission hooks directly in components',
-                  fix(fixer) {
-                    return null;
-                  }
-                }]
-              });
-            }
-          },
-          VariableDeclarator(node) {
-            if (!hasPaceCoreRBACImport) return;
-            if (node.id.type !== 'Identifier') return;
-            
-            const varName = node.id.name;
-            if (!varName) return;
-            
-            // Only check arrow functions and function expressions
-            if (!node.init || 
-                (node.init.type !== 'ArrowFunctionExpression' && 
-                 node.init.type !== 'FunctionExpression')) {
-              return;
-            }
-            
-            const sourceCode = context.getSourceCode();
-            const functionText = sourceCode.getText(node.init);
-            
-            // Check if function uses permission hooks or functions
-            const usesPermissionHooks = permissionHookNames.some(hook => functionText.includes(hook));
-            const usesPermissionFunctions = permissionFunctionNames.some(fn => functionText.includes(fn));
-            
-            // Check if function has additional logic beyond permission checking
-            const hasAdditionalLogic = (
-              functionText.includes('&&') ||
-              functionText.includes('||') ||
-              functionText.includes('if') ||
-              (functionText.match(/return/g) || []).length > 1 ||
-              functionText.includes('.find') ||
-              functionText.includes('.filter') ||
-              functionText.includes('.map')
-            );
-            
-            // Pattern: Variables that start with 'can' and use permission hooks/functions
-            // and have additional logic
-            const isPermissionWrapper = (
-              (varName.toLowerCase().startsWith('can') || 
-               varName.toLowerCase().includes('permission') ||
-               varName.toLowerCase().includes('access')) &&
-              (usesPermissionHooks || usesPermissionFunctions) &&
-              hasAdditionalLogic &&
-              node.init.params && node.init.params.length > 0
-            );
-            
-            if (isPermissionWrapper) {
-              context.report({
-                node: node.id,
-                messageId: 'wrapperFunction',
-                data: {
-                  functionName: varName
-                },
-                suggest: [{
-                  desc: 'Use permission hooks directly in components',
-                  fix(fixer) {
-                    return null;
-                  }
-                }]
-              });
-            }
-          }
-        };
-      }
-    }
-  }
-};
-