@jmruthers/pace-core 0.6.8 → 0.6.10

package/CHANGELOG.md

@@ -7,6 +7,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- **DataTable: Automatic label display for select fields** - Select fields with `fieldType: 'select'` and `fieldOptions` now automatically display labels (e.g., "Mobile") instead of raw values (e.g., `1`) in read mode. This eliminates the need for custom cell renderers for common select field patterns. The feature supports simple options, grouped options, type coercion, and gracefully falls back to raw values when labels aren't found. Custom cell renderers are preserved if already defined.
+
 ### Breaking Changes
 - **@supabase/supabase-js is now an included dependency (security enforcement)**: Moved from peer dependency to included dependency to enforce security rules. Consuming apps can no longer import `createClient` directly.
   - **Action Required**: 

package/audit-tool/audits/02-project-structure.cjs

@@ -127,6 +127,8 @@ function checkImportPaths(consumingAppPath) {
 
 /**
  * Check test file colocation
+ * Only flags tests that are in the wrong location (e.g., in __tests__/ when they should be colocated).
+ * Does not flag missing test files - use test coverage tools for that.
  */
 function checkTestColocation(consumingAppPath) {
   const issues = [];
@@ -136,9 +138,9 @@ function checkTestColocation(consumingAppPath) {
     return issues;
   }
   
-  // Find all source files
-  const sourceFiles = [];
-  function findFiles(dir) {
+  // Find all test files
+  const testFiles = [];
+  function findTestFiles(dir) {
     if (!fs.existsSync(dir)) return;
     
     const files = fs.readdirSync(dir);
@@ -148,49 +150,111 @@ function checkTestColocation(consumingAppPath) {
       
       if (stat.isDirectory()) {
         if (!['node_modules', 'dist', 'build', '.git'].includes(file)) {
-          findFiles(filePath);
+          findTestFiles(filePath);
         }
-      } else if (/\.(ts|tsx|js|jsx)$/.test(file) && !file.includes('.test.') && !file.includes('.spec.')) {
-        sourceFiles.push(filePath);
+      } else if (/\.(ts|tsx|js|jsx)$/.test(file) && (file.includes('.test.') || file.includes('.spec.'))) {
+        testFiles.push(filePath);
       }
     });
   }
   
-  findFiles(srcDir);
+  findTestFiles(srcDir);
   
-  // Check if test files are colocated
-  sourceFiles.forEach(sourceFile => {
-    const dir = path.dirname(sourceFile);
-    const basename = path.basename(sourceFile, path.extname(sourceFile));
-    const ext = path.extname(sourceFile);
+  // Check if test files are in the wrong location
+  testFiles.forEach(testFile => {
+    const testDir = path.dirname(testFile);
+    const testBasename = path.basename(testFile);
     
-    // Look for test file
-    const testFile = path.join(dir, `${basename}.test${ext}`);
-    const testFileTsx = path.join(dir, `${basename}.test.tsx`);
+    // Extract the source file name from the test file name
+    // e.g., "Component.test.tsx" -> "Component.tsx"
+    const sourceBasename = testBasename.replace(/\.(test|spec)\./, '.');
+    const sourceFile = path.join(testDir, sourceBasename);
     
-    // Skip if it's a test file itself or if test file exists
-    if (fileExists(testFile) || fileExists(testFileTsx)) {
-      return;
-    }
+    // Check if test is in a __tests__ or tests directory
+    const isInTestDirectory = testDir.includes('/__tests__/') || testDir.includes('/tests/') || 
+                               testDir.endsWith('/__tests__') || testDir.endsWith('/tests');
     
-    // Check if file is in a test directory (acceptable alternative)
-    if (dir.includes('/__tests__/') || dir.includes('/tests/')) {
-      return;
+    // If test is in a test directory, check if the source file exists in the parent directory
+    if (isInTestDirectory) {
+      // Get the parent directory (should be where the source file is)
+      const parentDir = path.dirname(testDir);
+      const expectedSourceFile = path.join(parentDir, sourceBasename);
+      
+      // If source file exists in parent, flag that test should be colocated
+      if (fileExists(expectedSourceFile)) {
+        const relativePath = getRelativePath(testFile, consumingAppPath);
+        issues.push({
+          type: 'testColocation',
+          file: relativePath,
+          line: 1,
+          message: `Test file is in a test directory but should be colocated with source file. Move to ${parentDir}`,
+          severity: 'warning',
+          fix: `Move test file to ${parentDir} to colocate with source file`,
+        });
+      }
     }
+  });
+  
+  return issues;
+}
+
+/**
+ * Check for domain-based organization (Pattern 2 - not allowed)
+ * Feature-based organization is the only standard
+ */
+function checkFeatureBasedOrganization(consumingAppPath) {
+  const issues = [];
+  
+  const srcDir = path.join(consumingAppPath, 'src');
+  if (!directoryExists(srcDir)) {
+    return issues;
+  }
+  
+  // Check for src/domains/ directory (Pattern 2 structure - not allowed)
+  const domainsDir = path.join(srcDir, 'domains');
+  if (directoryExists(domainsDir)) {
+    issues.push({
+      type: 'organizationPattern',
+      file: 'src/domains',
+      line: 0,
+      message: 'Domain-based organization (src/domains/) is not allowed. Use feature-based organization instead (src/components/[feature]/, src/hooks/[feature]/, etc.)',
+      severity: 'error',
+      fix: 'Reorganize to feature-based structure: move components from src/domains/[domain]/components/ to src/components/[domain]/, hooks to src/hooks/[domain]/, etc.',
+    });
+  }
+  
+  // Check components directory for type-based organization (anti-pattern)
+  const componentsDir = path.join(srcDir, 'components');
+  if (directoryExists(componentsDir)) {
+    const componentDirs = [];
+    function scanComponentsDir(dir) {
+      if (!fs.existsSync(dir)) return;
+      const entries = fs.readdirSync(dir);
+      entries.forEach(entry => {
+        const entryPath = path.join(dir, entry);
+        const stat = fs.statSync(entryPath);
+        if (stat.isDirectory()) {
+          componentDirs.push(entry);
+        }
+      });
+    }
+    scanComponentsDir(componentsDir);
     
-    // For components, hooks, and utils, suggest colocation
-    if (dir.includes('/components/') || dir.includes('/hooks/') || dir.includes('/utils/')) {
-      const relativePath = getRelativePath(sourceFile, consumingAppPath);
+    // Common type-based directory names that should not exist
+    const typeBasedPatterns = ['buttons', 'button', 'inputs', 'input', 'cards', 'card', 'forms', 'form', 'modals', 'modal', 'dialogs', 'dialog'];
+    const foundTypeBased = componentDirs.filter(dir => typeBasedPatterns.includes(dir.toLowerCase()));
+    
+    if (foundTypeBased.length > 0) {
       issues.push({
-        type: 'testColocation',
-        file: relativePath,
-        line: 1,
-        message: `Test file not colocated with source file. Consider creating ${path.basename(testFile)}`,
-        severity: 'info',
-        fix: `Create test file: ${path.basename(testFile)} in the same directory`,
+        type: 'organizationPattern',
+        file: `src/components/${foundTypeBased[0]}`,
+        line: 0,
+        message: `Components organized by type (${foundTypeBased.join(', ')}) instead of feature. Use pace-core components for UI primitives and organize app components by feature.`,
+        severity: 'error',
+        fix: `Reorganize components by feature. Use pace-core for ${foundTypeBased.join(', ')} components. Move feature-specific components to src/components/[feature]/`,
       });
     }
-  });
+  }
   
   return issues;
 }
@@ -221,6 +285,7 @@ function runStandard2Audit(consumingAppPath) {
     issues.push(...checkConfigFiles(consumingAppPath));
     issues.push(...checkImportPaths(consumingAppPath));
     issues.push(...checkTestColocation(consumingAppPath));
+    issues.push(...checkFeatureBasedOrganization(consumingAppPath));
     issues.push(...checkSupabaseStructure(consumingAppPath));
   } catch (error) {
     return {

package/audit-tool/audits/03-architecture.cjs

@@ -13,6 +13,66 @@ const path = require('path');
 const { findSourceFiles, readFileSafe, getRelativePath } = require('../utils/file-utils.cjs');
 const { getLineNumber, getCodeSnippet, isInCommentOrString, parseImports } = require('../utils/code-utils.cjs');
 
+/**
+ * Check if a file is a test file or test utility file
+ * @param {string} filePath - Full path to the file
+ * @returns {boolean} - True if file is a test file
+ */
+function isTestFile(filePath) {
+  const fileName = path.basename(filePath, path.extname(filePath));
+  const fileNameLower = fileName.toLowerCase();
+  const filePathLower = filePath.toLowerCase();
+  
+  // Standard test file patterns
+  if (filePath.includes('.test.') || filePath.includes('.spec.')) {
+    return true;
+  }
+  
+  // Files in test directories
+  if (filePath.includes('/test/') || 
+      filePath.includes('/tests/') || 
+      filePath.includes('__tests__') ||
+      filePath.includes('__test__')) {
+    return true;
+  }
+  
+  // Files starting with "test" prefix
+  if (fileNameLower.startsWith('test')) {
+    return true;
+  }
+  
+  // Test utility patterns in filename
+  const testUtilityPatterns = [
+    'testassertion', 'testverifier', 'testhelper', 'testutility',
+    'testsetup', 'testteardown', 'testmock', 'testfixture',
+    'testdata', 'testutil', 'testhelper', 'testutils'
+  ];
+  
+  if (testUtilityPatterns.some(pattern => fileNameLower.includes(pattern))) {
+    return true;
+  }
+  
+  // Test utility patterns in path
+  const testPathPatterns = [
+    'testutils', 'testhelpers', 'testassertions', 'testverifiers',
+    'testsetup', 'testmocks', 'testfixtures', 'testdata'
+  ];
+  
+  if (testPathPatterns.some(pattern => filePathLower.includes(pattern))) {
+    return true;
+  }
+  
+  // Files ending with test utility suffixes
+  if (fileNameLower.endsWith('testutil') || 
+      fileNameLower.endsWith('testhelper') ||
+      fileNameLower.endsWith('testassertion') ||
+      fileNameLower.endsWith('testverifier')) {
+    return true;
+  }
+  
+  return false;
+}
+
 /**
  * Check for component boundary violations (domain logic in components)
  */
@@ -25,29 +85,37 @@ function checkComponentBoundaries(consumingAppPath) {
   }
   
   const componentFiles = findSourceFiles(srcDir).filter(file => {
-    // Only check actual component files, not test files or utility files
-    const isTestFile = file.includes('.test.') || file.includes('.spec.');
-    const isUtilityFile = file.endsWith('Utils.ts') || 
-                         file.endsWith('Utils.tsx') ||
-                         file.endsWith('Helpers.ts') ||
-                         file.endsWith('Helpers.tsx') ||
-                         file.includes('testUtils') ||
-                         file.includes('testHelpers') ||
-                         file.includes('testAssertions') ||
-                         file.includes('testSetup');
-    
-    if (isTestFile || isUtilityFile) {
+    // Skip all test files
+    if (isTestFile(file)) {
       return false;
     }
     
     const dir = path.dirname(file);
     const isComponentDir = dir.includes('/components/') || dir.includes('/pages/');
-    const isComponentFile = file.endsWith('.tsx') || (file.endsWith('.ts') && !isUtilityFile);
+    // Only check .tsx files for component boundaries (React components)
+    // .ts files are utilities, hooks, or test files and shouldn't be checked
+    const isComponentFile = file.endsWith('.tsx');
     
     return isComponentDir && isComponentFile;
   });
   
-  componentFiles.forEach(filePath => {
+  // For data fetching checks, also include .ts files (to catch data fetching in hooks)
+  const filesForDataFetchingCheck = findSourceFiles(srcDir).filter(file => {
+    // Skip all test files
+    if (isTestFile(file)) {
+      return false;
+    }
+    
+    const dir = path.dirname(file);
+    const isComponentDir = dir.includes('/components/') || dir.includes('/pages/');
+    const isComponentFile = file.endsWith('.tsx') || file.endsWith('.ts');
+    
+    return isComponentDir && isComponentFile;
+  });
+  
+  // Check for data fetching in components (should be in hooks)
+  // Check both .tsx and .ts files for data fetching
+  filesForDataFetchingCheck.forEach(filePath => {
     const content = readFileSafe(filePath);
     if (!content) {
       return;
@@ -55,7 +123,6 @@ function checkComponentBoundaries(consumingAppPath) {
   
     const relativePath = getRelativePath(filePath, consumingAppPath);
     
-    // Check for data fetching in components (should be in hooks)
     const dataFetchingPatterns = [
       /\.from\s*\([^)]*\)\s*\.select/i,
       /\.rpc\s*\(/i,
@@ -87,8 +154,29 @@ function checkComponentBoundaries(consumingAppPath) {
         }
       }
     });
+  });
+  
+  // Check for complex business logic in components
+  // Only check .tsx files (React components), not .ts files (utilities/hooks/test files)
+  componentFiles.forEach(filePath => {
+    // Safety check: explicitly skip .ts files (should already be filtered, but double-check)
+    if (!filePath.endsWith('.tsx')) {
+      return;
+    }
+    
+    // Also skip test files as an extra safety measure
+    if (isTestFile(filePath)) {
+      return;
+    }
+    
+    const content = readFileSafe(filePath);
+    if (!content) {
+      return;
+    }
+  
+    const relativePath = getRelativePath(filePath, consumingAppPath);
     
-    // Check for complex business logic in components
+    // All files in componentFiles are .tsx files, so we can check them directly
     // Only flag actual business logic patterns, not UI text or comments
     const businessLogicPatterns = [
       /if\s*\([^)]*permission[^)]*\)/i,  // Permission checks
@@ -98,10 +186,43 @@ function checkComponentBoundaries(consumingAppPath) {
       /process\w+\s*\(/i,                 // Process functions (not "Processing..." text)
     ];
     
+    // Exclude test utility functions - functions that start with test/verify/get/create
+    // These are test helpers, not business logic
+    const isTestUtilityFunction = (match, content, index) => {
+      // Look backwards to extract the function name being called
+      const beforeMatch = content.substring(Math.max(0, index - 200), index);
+      
+      // Extract identifier before the match (function name)
+      // Look for word characters, dots, and spaces before the match
+      const identifierMatch = beforeMatch.match(/(\w+)\s*$/);
+      if (identifierMatch) {
+        const functionName = identifierMatch[1];
+        // Check if function name starts with test utility prefixes
+        const testUtilityPrefixes = /^(verify|get|test|create|assert|check|expect|mock|setup|teardown)/i;
+        if (testUtilityPrefixes.test(functionName)) {
+          return true;
+        }
+      }
+      
+      // Also check if it's a function definition with test utility prefix
+      return /(?:export\s+)?(?:async\s+)?function\s+(verify|get|test|create|assert|check|expect|mock|setup|teardown)\w*\s*\(/i.test(beforeMatch) ||
+             // Check if it's a const/let/var assignment
+             /(?:export\s+)?(?:const|let|var)\s+(verify|get|test|create|assert|check|expect|mock|setup|teardown)\w*\s*=\s*(?:async\s+)?\(/i.test(beforeMatch);
+    };
+    
     // This is a heuristic - look for complex logic that should be in hooks/utils
     // Exclude common UI text patterns
     const hasUIOnlyText = /Processing\.\.\.|processing\.\.\./i.test(content);
-    const hasComplexLogic = businessLogicPatterns.some(pattern => pattern.test(content));
+    const hasComplexLogic = businessLogicPatterns.some(pattern => {
+      const matches = content.matchAll(new RegExp(pattern.source, pattern.flags + 'g'));
+      for (const match of matches) {
+        const index = match.index;
+        if (!isInCommentOrString(content, index) && !isTestUtilityFunction(match, content, index)) {
+          return true;
+        }
+      }
+      return false;
+    });
     
     if (hasComplexLogic && !hasUIOnlyText) {
       // Check if logic is in a hook call (acceptable)
@@ -155,6 +276,11 @@ function checkApiResultUsage(consumingAppPath) {
   
   // Check for API functions that don't use ApiResult
   sourceFiles.forEach(filePath => {
+    // Skip test files
+    if (isTestFile(filePath)) {
+      return;
+    }
+    
     const content = readFileSafe(filePath);
     if (!content) {
       return;
@@ -168,8 +294,8 @@ function checkApiResultUsage(consumingAppPath) {
       const functionName = match[1];
       const functionIndex = match.index;
       
-      // Skip if it's a test file or hook
-      if (filePath.includes('.test.') || functionName.startsWith('use')) {
+      // Skip if it's a hook
+      if (functionName.startsWith('use')) {
         return;
       }
       

package/audit-tool/audits/04-code-quality.cjs

@@ -11,7 +11,8 @@
  */
 
 const path = require('path');
-const { findConfigFiles, readFileSafe, getRelativePath } = require('../utils/file-utils.cjs');
+const { findConfigFiles, readFileSafe, getRelativePath, findSourceFiles } = require('../utils/file-utils.cjs');
+const { getLineNumber, isInCommentOrString } = require('../utils/code-utils.cjs');
 
 /**
  * Check TypeScript configuration
@@ -120,6 +121,89 @@ function checkTestCoverageConfig(consumingAppPath) {
   return issues;
 }
 
+/**
+ * Check for excessive console logging in production code
+ */
+function checkConsoleLogging(consumingAppPath) {
+  const issues = [];
+  
+  const srcDir = path.join(consumingAppPath, 'src');
+  if (!require('fs').existsSync(srcDir)) {
+    return issues;
+  }
+  
+  const sourceFiles = findSourceFiles(srcDir).filter(file => {
+    // Skip test files
+    const isTestFile = file.includes('.test.') || 
+                       file.includes('.spec.') || 
+                       file.includes('/test/') || 
+                       file.includes('/tests/') ||
+                       file.includes('__tests__') ||
+                       file.includes('__test__') ||
+                       path.basename(file, path.extname(file)).toLowerCase().startsWith('test');
+    
+    return !isTestFile;
+  });
+  
+  sourceFiles.forEach(filePath => {
+    const content = readFileSafe(filePath);
+    if (!content) {
+      return;
+    }
+    
+    const relativePath = getRelativePath(filePath, consumingAppPath);
+    
+    // Count console.log, console.debug, console.warn, console.error statements
+    const consolePatterns = [
+      { pattern: /console\.(log|debug)\s*\(/gi, name: 'console.log/debug', threshold: 3 },
+      { pattern: /console\.warn\s*\(/gi, name: 'console.warn', threshold: 5 },
+      { pattern: /console\.error\s*\(/gi, name: 'console.error', threshold: 10 }, // Errors are usually OK
+    ];
+    
+    consolePatterns.forEach(({ pattern, name, threshold }) => {
+      const matches = [...content.matchAll(pattern)];
+      const validMatches = matches.filter(match => {
+        const index = match.index;
+        return !isInCommentOrString(content, index);
+      });
+      
+      if (validMatches.length > threshold) {
+        const firstMatch = validMatches[0];
+        issues.push({
+          type: 'excessiveConsoleLogging',
+          file: relativePath,
+          line: getLineNumber(content, firstMatch.index),
+          message: `Excessive ${name} usage detected (${validMatches.length} instances). Consider removing debug logs or using a proper logging library.`,
+          severity: 'warning',
+          fix: `Remove or replace ${name} statements. Use a logging library or remove debug logs before production.`,
+        });
+      }
+    });
+    
+    // Special check for DEBUG logging (common pattern)
+    const debugLogPattern = /console\.(log|debug)\s*\(\s*['"`]\[DEBUG\]/gi;
+    const debugMatches = [...content.matchAll(debugLogPattern)];
+    const validDebugMatches = debugMatches.filter(match => {
+      const index = match.index;
+      return !isInCommentOrString(content, index);
+    });
+    
+    if (validDebugMatches.length > 0) {
+      const firstMatch = validDebugMatches[0];
+      issues.push({
+        type: 'debugConsoleLogging',
+        file: relativePath,
+        line: getLineNumber(content, firstMatch.index),
+        message: `Debug console logging detected (${validDebugMatches.length} instances). Debug logs should be removed or disabled in production.`,
+        severity: 'warning',
+        fix: 'Remove debug console.log statements or use environment-based logging that can be disabled in production.',
+      });
+    }
+  });
+  
+  return issues;
+}
+
 /**
  * Run audit for Standard 4: Code Quality
  * @param {string} consumingAppPath - Path to consuming app
@@ -131,6 +215,7 @@ function runStandard4Audit(consumingAppPath) {
   try {
     issues.push(...checkTypeScriptConfig(consumingAppPath));
     issues.push(...checkTestCoverageConfig(consumingAppPath));
+    issues.push(...checkConsoleLogging(consumingAppPath));
   } catch (error) {
     return {
       standard: '04-code-quality',

package/audit-tool/audits/06-security-rbac.cjs

@@ -293,16 +293,36 @@ function checkRLSPolicies(consumingAppPath) {
             });
           }
           
+          // Check if function queries RLS-protected tables to determine if SECURITY DEFINER is needed
+          const funcBodyStart = content.indexOf('AS $$', funcStart);
+          let needsSecurityDefiner = false;
+          if (funcBodyStart !== -1) {
+            const funcBodyEnd = content.indexOf('$$;', funcBodyStart);
+            if (funcBodyEnd !== -1) {
+              const funcBody = content.substring(funcBodyStart, funcBodyEnd);
+              const rlsProtectedTables = ['rbac_organisation_roles', 'rbac_global_roles', 'rbac_event_app_roles', 'rbac_user_profiles', 'rbac_apps', 'rbac_app_pages', 'rbac_page_permissions'];
+              needsSecurityDefiner = rlsProtectedTables.some(table => {
+                const tablePattern = new RegExp(`\\b${table}\\b`, 'i');
+                return tablePattern.test(funcBody);
+              });
+            }
+          }
+          
           if (!hasSecurityDefiner) {
-            issues.push({
-              type: 'rlsPolicy',
-              file: relativePath,
-              line: getLineNumber(content, funcStart),
-              message: `Helper function '${funcName}' missing SECURITY DEFINER attribute. RLS helper functions must be SECURITY DEFINER to bypass RLS recursion.`,
-              code: getCodeSnippet(content, funcStart, 0, 150),
-              severity: 'error',
-              fix: 'Add SECURITY DEFINER attribute to function definition.',
-            });
+            if (needsSecurityDefiner) {
+              issues.push({
+                type: 'rlsPolicy',
+                file: relativePath,
+                line: getLineNumber(content, funcStart),
+                message: `Helper function '${funcName}' queries RLS-protected tables but missing SECURITY DEFINER attribute. REQUIRED: SECURITY DEFINER is needed to bypass RLS and avoid circular dependencies when querying RLS-protected tables from within RLS policies.`,
+                code: getCodeSnippet(content, funcStart, 0, 150),
+                severity: 'error',
+                fix: 'Add SECURITY DEFINER attribute to function definition. Also ensure SET search_path TO public is present.',
+              });
+            } else {
+              // Function doesn't query RLS-protected tables, SECURITY DEFINER might not be needed
+              // This is just informational, not an error
+            }
           }
           
           if (!hasSearchPath) {
@@ -310,12 +330,90 @@ function checkRLSPolicies(consumingAppPath) {
               type: 'rlsPolicy',
               file: relativePath,
               line: getLineNumber(content, funcStart),
-              message: `Helper function '${funcName}' missing SET search_path TO public. Required to prevent search path injection.`,
+              message: `Helper function '${funcName}' missing SET search_path TO public. MANDATORY for SECURITY DEFINER functions to prevent search path hijacking attacks.`,
               code: getCodeSnippet(content, funcStart, 0, 150),
               severity: 'error',
-              fix: 'Add SET search_path TO public to function definition.',
+              fix: 'Add SET search_path TO public to function definition. This is MANDATORY for SECURITY DEFINER functions to prevent search path hijacking.',
             });
           }
+          
+          // Additional security checks for SECURITY DEFINER functions
+          if (hasSecurityDefiner) {
+            // Get function body to check for unqualified references
+            const funcBodyStart = content.indexOf('AS $$', funcStart);
+            if (funcBodyStart !== -1) {
+              const funcBodyEnd = content.indexOf('$$;', funcBodyStart);
+              if (funcBodyEnd !== -1) {
+                const funcBody = content.substring(funcBodyStart, funcBodyEnd);
+                
+                // Check for unqualified table references (security risk)
+                // Look for FROM/JOIN without schema qualification
+                const unqualifiedTablePattern = /(?:FROM|JOIN)\s+([a-z_][a-z0-9_]*)\s+(?!WHERE|ON|,|$)/gi;
+                let tableMatch;
+                const rlsProtectedTables = ['rbac_organisation_roles', 'rbac_global_roles', 'rbac_event_app_roles', 'rbac_user_profiles', 'rbac_apps', 'rbac_app_pages', 'rbac_page_permissions'];
+                
+                while ((tableMatch = unqualifiedTablePattern.exec(funcBody)) !== null) {
+                  const tableName = tableMatch[1].toLowerCase();
+                  // Check if it's a known RLS-protected table without schema qualification
+                  if (rlsProtectedTables.some(t => t.toLowerCase() === tableName)) {
+                    // Check if it's already schema-qualified (public.table_name)
+                    const beforeMatch = funcBody.substring(Math.max(0, tableMatch.index - 20), tableMatch.index);
+                    if (!/public\./i.test(beforeMatch)) {
+                      issues.push({
+                        type: 'rlsPolicy',
+                        file: relativePath,
+                        line: getLineNumber(content, funcStart + tableMatch.index),
+                        message: `SECURITY DEFINER function '${funcName}' uses unqualified table reference '${tableName}'. MANDATORY: All table references in SECURITY DEFINER functions must be schema-qualified (e.g., public.${tableName}) to prevent search path hijacking.`,
+                        code: getCodeSnippet(content, funcStart + tableMatch.index, 0, 100),
+                        severity: 'error',
+                        fix: `Schema-qualify the table reference: public.${tableName}`,
+                      });
+                    }
+                  }
+                }
+                
+                // Check if function queries RLS-protected tables (justification for SECURITY DEFINER)
+                const queriesRLSProtected = rlsProtectedTables.some(table => {
+                  const tablePattern = new RegExp(`\\b${table}\\b`, 'i');
+                  return tablePattern.test(funcBody);
+                });
+                
+                // Check if function has any table queries at all
+                const hasTableQueries = /(?:FROM|JOIN|INTO|UPDATE)\s+\w+/i.test(funcBody);
+                
+                if (!queriesRLSProtected && hasTableQueries) {
+                  // Function has SECURITY DEFINER but doesn't query RLS-protected tables
+                  // This might be okay if it needs elevated privileges, but should be documented
+                  const hasComment = /COMMENT\s+ON\s+FUNCTION.*SECURITY\s+DEFINER/i.test(content.substring(funcStart, funcStart + 2000));
+                  if (!hasComment) {
+                    issues.push({
+                      type: 'rlsPolicy',
+                      file: relativePath,
+                      line: getLineNumber(content, funcStart),
+                      message: `SECURITY DEFINER function '${funcName}' does not query RLS-protected tables. If SECURITY DEFINER is needed for elevated privileges, document why in a COMMENT. Otherwise, consider removing SECURITY DEFINER if not needed.`,
+                      code: getCodeSnippet(content, funcStart, 0, 200),
+                      severity: 'warning',
+                      fix: 'Add COMMENT ON FUNCTION explaining why SECURITY DEFINER is needed, or remove SECURITY DEFINER if not required.',
+                    });
+                  }
+                } else if (queriesRLSProtected && !hasComment) {
+                  // Function queries RLS-protected tables but doesn't document why SECURITY DEFINER is needed
+                  const hasComment = /COMMENT\s+ON\s+FUNCTION/i.test(content.substring(funcStart, funcStart + 2000));
+                  if (!hasComment) {
+                    issues.push({
+                      type: 'rlsPolicy',
+                      file: relativePath,
+                      line: getLineNumber(content, funcStart),
+                      message: `SECURITY DEFINER function '${funcName}' queries RLS-protected tables but lacks documentation. REQUIRED: Add COMMENT ON FUNCTION explaining why SECURITY DEFINER is needed (to avoid circular RLS dependencies).`,
+                      code: getCodeSnippet(content, funcStart, 0, 200),
+                      severity: 'warning',
+                      fix: 'Add COMMENT ON FUNCTION documenting that SECURITY DEFINER is required to avoid circular RLS dependencies when querying RLS-protected tables.',
+                    });
+                  }
+                }
+              }
+            }
+          }
         }
       }
     } catch (error) {