@jmruthers/pace-core 0.6.6 → 0.6.8

package/dist/eslint-rules/rules/04-code-quality.cjs

@@ -0,0 +1,346 @@
+/**
+ * Code Quality Rules (Standard 4)
+ * @package @jmruthers/pace-core
+ * @module ESLintRules/rules/code-quality
+ * 
+ * Enforces code quality patterns from Standard 4:
+ * - Naming conventions (hooks: use*, providers: *Provider)
+ * - TypeScript best practices
+ * 
+ * Reference: packages/core/docs/standards/4-code-quality-standards.md
+ */
+
+const { isPaceCoreSourceFile } = require('../utils/helpers.cjs');
+
+module.exports = {
+  rules: {
+    /**
+     * Enforce naming conventions for hooks and providers
+     */
+    'naming-convention': {
+      meta: {
+        type: 'suggestion',
+        docs: {
+          description: 'Enforce naming conventions: hooks must start with "use", providers must end with "Provider"',
+          category: 'Best Practices',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/4-code-quality-standards.md'
+        },
+        messages: {
+          hookNaming: "Hook '{{name}}' must start with 'use' (e.g., useEventData, useUserProfile)",
+          providerNaming: "Provider '{{name}}' must end with 'Provider' (e.g., AuthProvider, OrganisationProvider)"
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        return {
+          FunctionDeclaration(node) {
+            if (!node.id) return;
+            
+            const functionName = node.id.name;
+            if (!functionName) return;
+            
+            const sourceCode = context.getSourceCode();
+            const functionText = sourceCode.getText(node.body);
+            
+            // Check if function returns JSX (is a component)
+            const returnsJSX = functionText.includes('return') && (functionText.includes('<') || functionText.includes('createElement'));
+            
+            // Check for hooks (functions that use React hooks but are NOT components)
+            const usesReactHooks = /use(State|Effect|Callback|Memo|Ref|Context|Reducer|LayoutEffect|ImperativeHandle|DebugValue)/.test(functionText);
+            
+            // Only flag as hook if:
+            // 1. It uses React hooks AND doesn't return JSX (not a component)
+            // 2. OR it starts with 'use' but doesn't return JSX (likely a hook)
+            // Components that use hooks are NOT hooks themselves
+            if (usesReactHooks && !returnsJSX) {
+              if (!functionName.startsWith('use')) {
+                context.report({
+                  node: node.id,
+                  messageId: 'hookNaming',
+                  data: { name: functionName },
+                  suggest: [{
+                    desc: `Rename to use${functionName.charAt(0).toUpperCase() + functionName.slice(1)}`,
+                    fix(fixer) {
+                      return null; // Complex rename
+                    }
+                  }]
+                });
+              }
+            }
+            
+            // Check for providers (components that CREATE a Context.Provider, not just use/wrap one)
+            // A provider component must:
+            // 1. Use createContext (creates a context)
+            // 2. Return <ContextName.Provider> (provides the context)
+            // We don't flag components that just wrap other providers (like AppProviders wrapping QueryClientProvider)
+            const createsContext = /createContext\s*\(/.test(functionText);
+            const returnsContextProvider = /<[A-Z][a-zA-Z0-9]*\.Provider/.test(functionText) ||
+                                         /\.Provider\s*>/.test(functionText);
+            
+            // Only flag if it actually creates a context AND returns a Context.Provider
+            // AND doesn't already end with 'Provider'
+            if (returnsJSX && createsContext && returnsContextProvider && !functionName.endsWith('Provider')) {
+              context.report({
+                node: node.id,
+                messageId: 'providerNaming',
+                data: { name: functionName },
+                suggest: [{
+                  desc: `Rename to ${functionName}Provider`,
+                  fix(fixer) {
+                    return null; // Complex rename
+                  }
+                }]
+              });
+            }
+          },
+          
+          VariableDeclarator(node) {
+            if (!node.id || node.id.type !== 'Identifier') return;
+            if (!node.init) return;
+            
+            const varName = node.id.name;
+            if (!varName) return;
+            
+            // Check for hook variables (arrow functions that use React hooks)
+            if (node.init.type === 'ArrowFunctionExpression' || node.init.type === 'FunctionExpression') {
+              const sourceCode = context.getSourceCode();
+              const functionText = sourceCode.getText(node.init);
+              
+              // Check if it returns JSX (is a component)
+              const returnsJSX = functionText.includes('return') && (functionText.includes('<') || functionText.includes('createElement'));
+              const usesReactHooks = /use(State|Effect|Callback|Memo|Ref|Context|Reducer|LayoutEffect|ImperativeHandle|DebugValue)/.test(functionText);
+              
+              // Only flag as hook if it uses React hooks but doesn't return JSX (not a component)
+              // Components that use hooks are NOT hooks themselves
+              if (usesReactHooks && !returnsJSX && !varName.startsWith('use')) {
+                context.report({
+                  node: node.id,
+                  messageId: 'hookNaming',
+                  data: { name: varName },
+                  suggest: [{
+                    desc: `Rename to use${varName.charAt(0).toUpperCase() + varName.slice(1)}`,
+                    fix(fixer) {
+                      return null; // Complex rename
+                    }
+                  }]
+                });
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Enforce component naming: PascalCase
+     */
+    'component-naming': {
+      meta: {
+        type: 'suggestion',
+        docs: {
+          description: 'Enforce component naming: components must use PascalCase',
+          category: 'Best Practices',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/4-code-quality-standards.md'
+        },
+        messages: {
+          componentNaming: "Component '{{name}}' must use PascalCase (e.g., EventCard, UserProfile)"
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        const isComponentFile = filename.match(/(components|Components)\//);
+        if (!isComponentFile) {
+          return {};
+        }
+        
+        return {
+          FunctionDeclaration(node) {
+            if (!node.id) return;
+            
+            const functionName = node.id.name;
+            if (!functionName) return;
+            
+            // Skip event handlers and utility functions (these are not components)
+            const isEventHandler = functionName.startsWith('handle') || 
+                                   functionName.startsWith('on') ||
+                                   functionName.startsWith('get') ||
+                                   functionName.startsWith('set') ||
+                                   functionName.startsWith('load') ||
+                                   functionName.startsWith('read') ||
+                                   functionName.startsWith('create') ||
+                                   functionName.startsWith('update') ||
+                                   functionName.startsWith('delete');
+            
+            if (isEventHandler) return;
+            
+            // Only check exported components (not internal functions)
+            const isExported = node.parent?.type === 'ExportNamedDeclaration' || 
+                              node.parent?.type === 'ExportDefaultDeclaration' ||
+                              (node.parent?.parent?.type === 'ExportNamedDeclaration');
+            
+            if (!isExported) return;
+            
+            // Check if it's a component (returns JSX)
+            const sourceCode = context.getSourceCode();
+            const functionText = sourceCode.getText(node.body);
+            const returnsJSX = functionText.includes('return') && (functionText.includes('<') || functionText.includes('createElement'));
+            
+            if (returnsJSX) {
+              // Check if it's PascalCase
+              const isPascalCase = /^[A-Z][a-zA-Z0-9]*$/.test(functionName);
+              if (!isPascalCase) {
+                context.report({
+                  node: node.id,
+                  messageId: 'componentNaming',
+                  data: { name: functionName },
+                  suggest: [{
+                    desc: `Rename to ${functionName.charAt(0).toUpperCase() + functionName.slice(1).replace(/[^a-zA-Z0-9]/g, '')}`,
+                    fix(fixer) {
+                      return null; // Complex rename
+                    }
+                  }]
+                });
+              }
+            }
+          },
+          
+          VariableDeclarator(node) {
+            if (!node.id || node.id.type !== 'Identifier') return;
+            if (!node.init) return;
+            
+            const varName = node.id.name;
+            if (!varName) return;
+            
+            // Skip event handlers and utility functions (these are not components)
+            const isEventHandler = varName.startsWith('handle') || 
+                                   varName.startsWith('on') ||
+                                   varName.startsWith('get') ||
+                                   varName.startsWith('set') ||
+                                   varName.startsWith('load') ||
+                                   varName.startsWith('read') ||
+                                   varName.startsWith('create') ||
+                                   varName.startsWith('update') ||
+                                   varName.startsWith('delete');
+            
+            if (isEventHandler) return;
+            
+            // Only check exported components (not internal functions)
+            const isExported = node.parent?.parent?.type === 'ExportNamedDeclaration' ||
+                              node.parent?.parent?.type === 'ExportDefaultDeclaration';
+            
+            if (!isExported) return;
+            
+            // Check for component variables (arrow functions that return JSX)
+            if (node.init.type === 'ArrowFunctionExpression' || node.init.type === 'FunctionExpression') {
+              const sourceCode = context.getSourceCode();
+              const functionText = sourceCode.getText(node.init);
+              const returnsJSX = functionText.includes('return') && (functionText.includes('<') || functionText.includes('createElement'));
+              
+              if (returnsJSX) {
+                const isPascalCase = /^[A-Z][a-zA-Z0-9]*$/.test(varName);
+                if (!isPascalCase) {
+                  context.report({
+                    node: node.id,
+                    messageId: 'componentNaming',
+                    data: { name: varName },
+                    suggest: [{
+                      desc: `Rename to ${varName.charAt(0).toUpperCase() + varName.slice(1).replace(/[^a-zA-Z0-9]/g, '')}`,
+                      fix(fixer) {
+                        return null; // Complex rename
+                      }
+                    }]
+                  });
+                }
+              }
+            }
+          }
+        };
+      }
+    },
+
+    /**
+     * Enforce type/interface naming: PascalCase
+     */
+    'type-naming': {
+      meta: {
+        type: 'suggestion',
+        docs: {
+          description: 'Enforce type/interface naming: types and interfaces must use PascalCase',
+          category: 'Best Practices',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/4-code-quality-standards.md'
+        },
+        messages: {
+          typeNaming: "Type/interface '{{name}}' must use PascalCase (e.g., EventStatus, UserProfile)"
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        return {
+          TSInterfaceDeclaration(node) {
+            const interfaceName = node.id.name;
+            if (!interfaceName) return;
+            
+            const isPascalCase = /^[A-Z][a-zA-Z0-9]*$/.test(interfaceName);
+            if (!isPascalCase) {
+              context.report({
+                node: node.id,
+                messageId: 'typeNaming',
+                data: { name: interfaceName },
+                suggest: [{
+                  desc: `Rename to ${interfaceName.charAt(0).toUpperCase() + interfaceName.slice(1).replace(/[^a-zA-Z0-9]/g, '')}`,
+                  fix(fixer) {
+                    return null; // Complex rename
+                  }
+                }]
+              });
+            }
+          },
+          
+          TSTypeAliasDeclaration(node) {
+            const typeName = node.id.name;
+            if (!typeName) return;
+            
+            const isPascalCase = /^[A-Z][a-zA-Z0-9]*$/.test(typeName);
+            if (!isPascalCase) {
+              context.report({
+                node: node.id,
+                messageId: 'typeNaming',
+                data: { name: typeName },
+                suggest: [{
+                  desc: `Rename to ${typeName.charAt(0).toUpperCase() + typeName.slice(1).replace(/[^a-zA-Z0-9]/g, '')}`,
+                  fix(fixer) {
+                    return null; // Complex rename
+                  }
+                }]
+              });
+            }
+          }
+        };
+      }
+    }
+  }
+};

package/dist/eslint-rules/rules/05-styling.cjs

@@ -0,0 +1,61 @@
+/**
+ * Styling Rules (Standard 5)
+ * @package @jmruthers/pace-core
+ * @module ESLintRules/rules/styling
+ * 
+ * Enforces styling patterns from Standard 5:
+ * - No inline styles (use pace-core components or Tailwind classes)
+ * 
+ * Reference: packages/core/docs/standards/5-styling-standards.md
+ */
+
+const { isPaceCoreSourceFile } = require('../utils/helpers.cjs');
+
+module.exports = {
+  rules: {
+    /**
+     * Disallow inline styles
+     */
+    'no-inline-styles': {
+      meta: {
+        type: 'problem',
+        docs: {
+          description: 'Disallow inline styles. Use pace-core components or Tailwind classes instead.',
+          category: 'Best Practices',
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/5-styling-standards.md'
+        },
+        messages: {
+          inlineStyle: 'Inline style detected. Use pace-core components or Tailwind classes instead.'
+        },
+        hasSuggestions: true
+      },
+      create(context) {
+        const filename = context.getFilename();
+        
+        // Exclude pace-core source files - these rules are for consuming apps
+        if (isPaceCoreSourceFile(filename)) {
+          return {};
+        }
+        
+        return {
+          JSXAttribute(node) {
+            if (node.name && node.name.name === 'style') {
+              context.report({
+                node,
+                messageId: 'inlineStyle',
+                suggest: [{
+                  desc: 'Remove inline style and use pace-core component styling or Tailwind utility classes',
+                  fix(fixer) {
+                    // Remove the style attribute
+                    return fixer.remove(node);
+                  }
+                }]
+              });
+            }
+          }
+        };
+      }
+    }
+  }
+};

package/dist/eslint-rules/rules/{rbac.cjs → 06-security-rbac.cjs}

@@ -1,7 +1,15 @@
 /**
- * RBAC-specific rules
+ * Security & RBAC Rules (Standard 6)
  * @package @jmruthers/pace-core
- * @module ESLintRules/rules/rbac
+ * @module ESLintRules/rules/security-rbac
+ * 
+ * Enforces security and RBAC patterns from Standard 6:
+ * - Use secure Supabase client (useSecureSupabase)
+ * - Use RESOURCE_NAMES constants
+ * - No wrapper components/functions around RBAC hooks
+ * - Proper permission loading state handling
+ * 
+ * Reference: packages/core/docs/standards/6-security-rbac-standards.md
  */
 
 const { isPaceCoreSourceFile } = require('../utils/helpers.cjs');
@@ -17,7 +25,8 @@ module.exports = {
         docs: {
           description: 'Disallow direct createClient calls from @supabase/supabase-js. Use useSecureSupabase() from pace-core instead to ensure organisation context and RLS policies are enforced.',
           category: 'Security',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           directClientCreation: "Direct Supabase client creation detected. You MUST use useSecureSupabase() from '@jmruthers/pace-core/rbac' instead to ensure organisation context and RLS policies are enforced. This prevents cross-organisation data access.",
@@ -33,6 +42,11 @@ module.exports = {
           return {};
         }
         
+        // Exclude Edge Functions - they run in Deno and cannot use React hooks
+        // Edge Functions must use createClient() directly with service role keys
+        const isEdgeFunction = filename.includes('supabase/functions/') || 
+                              filename.includes('supabase\\functions\\');
+        
         // Allow createClient in specific config files (supabaseClient.ts/js, etc.)
         const isConfigFile = /(supabase|client)\.(ts|js|tsx|jsx)$/i.test(filename) && 
                             (filename.includes('supabase') || filename.includes('client'));
@@ -54,7 +68,7 @@ module.exports = {
                 return false;
               });
               
-              if (hasCreateClient && !isConfigFile) {
+              if (hasCreateClient && !isConfigFile && !isEdgeFunction) {
                 context.report({
                   node: node.source,
                   messageId: 'directClientImport',
@@ -72,7 +86,7 @@ module.exports = {
           CallExpression(node) {
             // Check for createClient() calls
             if (node.callee.type === 'Identifier' && node.callee.name === 'createClient') {
-              if (!isConfigFile) {
+              if (!isConfigFile && !isEdgeFunction) {
                 context.report({
                   node,
                   messageId: 'directClientCreation',
@@ -89,7 +103,7 @@ module.exports = {
             // Check for supabase.createClient() or similar patterns
             if (node.callee.type === 'MemberExpression' && 
                 node.callee.property?.name === 'createClient') {
-              if (!isConfigFile) {
+              if (!isConfigFile && !isEdgeFunction) {
                 context.report({
                   node,
                   messageId: 'directClientCreation',
@@ -116,7 +130,8 @@ module.exports = {
         docs: {
           description: 'Require isLoading extraction from useResourcePermissions and check it before permission calls in mutations.',
           category: 'Security',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           missingIsLoading: "useResourcePermissions is used but 'isLoading' is not extracted. Permission checks may fail if scope resolution is still in progress.",
@@ -237,7 +252,8 @@ module.exports = {
         docs: {
           description: 'Disallow direct calls to RBAC RPC functions. Use pace-core RBAC hooks instead.',
           category: 'Security',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           directRbacRpc: "Direct RPC call to '{{rpcName}}' detected. Use pace-core RBAC hooks from '@jmruthers/pace-core/rbac' instead."
@@ -296,7 +312,8 @@ module.exports = {
         docs: {
           description: 'Disallow direct queries to RBAC tables. Use pace-core RBAC API functions or useSecureSupabase instead.',
           category: 'Security',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           directRbacTable: "Direct query to RBAC table '{{tableName}}' detected. Use pace-core RBAC API functions from '@jmruthers/pace-core/rbac' or useSecureSupabase hook instead."
@@ -402,7 +419,8 @@ module.exports = {
         docs: {
           description: 'Disallow hardcoded role checks. Use useAccessLevel hook or getRoleContext API from pace-core instead.',
           category: 'Security',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           hardcodedRoleCheck: "Hardcoded role check detected. Use useAccessLevel hook or getRoleContext API from '@jmruthers/pace-core/rbac' instead."
@@ -471,7 +489,8 @@ module.exports = {
         docs: {
           description: 'Require RESOURCE_NAMES constants instead of string literals in useResourcePermissions calls.',
           category: 'Best Practices',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           resourcePermissionStringLiteral: "Resource permission string literal detected. Use RESOURCE_NAMES constant object instead (e.g., RESOURCE_NAMES.ORGANISATIONS, RESOURCE_NAMES.EVENTS)."
@@ -536,7 +555,8 @@ module.exports = {
         docs: {
           description: 'Disallow wrapper components around PagePermissionGuard. Use PagePermissionGuard directly.',
           category: 'Security',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           wrapperComponent: "Wrapper component '{{componentName}}' detected around PagePermissionGuard. Must use PagePermissionGuard directly, not through wrappers."
@@ -643,7 +663,8 @@ module.exports = {
         docs: {
           description: 'Disallow wrapper functions around pace-core permission hooks. Use hooks directly in components.',
           category: 'Security',
-          recommended: true
+          recommended: true,
+          url: 'https://github.com/jmruthers/pace-core/blob/main/packages/core/docs/standards/6-security-rbac-standards.md'
         },
         messages: {
           wrapperFunction: "Permission wrapper function '{{functionName}}' detected. Use pace-core hooks (useCan, useResourcePermissions) directly in components instead of wrapping them."