@jmruthers/pace-core 0.6.9 → 0.6.10

package/audit-tool/audits/02-project-structure.cjs

@@ -198,6 +198,67 @@ function checkTestColocation(consumingAppPath) {
   return issues;
 }
 
+/**
+ * Check for domain-based organization (Pattern 2 - not allowed)
+ * Feature-based organization is the only standard
+ */
+function checkFeatureBasedOrganization(consumingAppPath) {
+  const issues = [];
+  
+  const srcDir = path.join(consumingAppPath, 'src');
+  if (!directoryExists(srcDir)) {
+    return issues;
+  }
+  
+  // Check for src/domains/ directory (Pattern 2 structure - not allowed)
+  const domainsDir = path.join(srcDir, 'domains');
+  if (directoryExists(domainsDir)) {
+    issues.push({
+      type: 'organizationPattern',
+      file: 'src/domains',
+      line: 0,
+      message: 'Domain-based organization (src/domains/) is not allowed. Use feature-based organization instead (src/components/[feature]/, src/hooks/[feature]/, etc.)',
+      severity: 'error',
+      fix: 'Reorganize to feature-based structure: move components from src/domains/[domain]/components/ to src/components/[domain]/, hooks to src/hooks/[domain]/, etc.',
+    });
+  }
+  
+  // Check components directory for type-based organization (anti-pattern)
+  const componentsDir = path.join(srcDir, 'components');
+  if (directoryExists(componentsDir)) {
+    const componentDirs = [];
+    function scanComponentsDir(dir) {
+      if (!fs.existsSync(dir)) return;
+      const entries = fs.readdirSync(dir);
+      entries.forEach(entry => {
+        const entryPath = path.join(dir, entry);
+        const stat = fs.statSync(entryPath);
+        if (stat.isDirectory()) {
+          componentDirs.push(entry);
+        }
+      });
+    }
+    scanComponentsDir(componentsDir);
+    
+    // Common type-based directory names that should not exist
+    const typeBasedPatterns = ['buttons', 'button', 'inputs', 'input', 'cards', 'card', 'forms', 'form', 'modals', 'modal', 'dialogs', 'dialog'];
+    const foundTypeBased = componentDirs.filter(dir => typeBasedPatterns.includes(dir.toLowerCase()));
+    
+    if (foundTypeBased.length > 0) {
+      issues.push({
+        type: 'organizationPattern',
+        file: `src/components/${foundTypeBased[0]}`,
+        line: 0,
+        message: `Components organized by type (${foundTypeBased.join(', ')}) instead of feature. Use pace-core components for UI primitives and organize app components by feature.`,
+        severity: 'error',
+        fix: `Reorganize components by feature. Use pace-core for ${foundTypeBased.join(', ')} components. Move feature-specific components to src/components/[feature]/`,
+      });
+    }
+  }
+  
+  return issues;
+}
+
 /**
  * Check Supabase structure
  * Note: Consuming apps don't need migrations directory - only pace-core handles migrations
@@ -224,6 +285,7 @@ function runStandard2Audit(consumingAppPath) {
     issues.push(...checkConfigFiles(consumingAppPath));
     issues.push(...checkImportPaths(consumingAppPath));
     issues.push(...checkTestColocation(consumingAppPath));
+    issues.push(...checkFeatureBasedOrganization(consumingAppPath));
     issues.push(...checkSupabaseStructure(consumingAppPath));
   } catch (error) {
     return {

package/audit-tool/audits/03-architecture.cjs

@@ -13,6 +13,66 @@ const path = require('path');
 const { findSourceFiles, readFileSafe, getRelativePath } = require('../utils/file-utils.cjs');
 const { getLineNumber, getCodeSnippet, isInCommentOrString, parseImports } = require('../utils/code-utils.cjs');
 
+/**
+ * Check if a file is a test file or test utility file
+ * @param {string} filePath - Full path to the file
+ * @returns {boolean} - True if file is a test file
+ */
+function isTestFile(filePath) {
+  const fileName = path.basename(filePath, path.extname(filePath));
+  const fileNameLower = fileName.toLowerCase();
+  const filePathLower = filePath.toLowerCase();
+  
+  // Standard test file patterns
+  if (filePath.includes('.test.') || filePath.includes('.spec.')) {
+    return true;
+  }
+  
+  // Files in test directories
+  if (filePath.includes('/test/') || 
+      filePath.includes('/tests/') || 
+      filePath.includes('__tests__') ||
+      filePath.includes('__test__')) {
+    return true;
+  }
+  
+  // Files starting with "test" prefix
+  if (fileNameLower.startsWith('test')) {
+    return true;
+  }
+  
+  // Test utility patterns in filename
+  const testUtilityPatterns = [
+    'testassertion', 'testverifier', 'testhelper', 'testutility',
+    'testsetup', 'testteardown', 'testmock', 'testfixture',
+    'testdata', 'testutil', 'testhelper', 'testutils'
+  ];
+  
+  if (testUtilityPatterns.some(pattern => fileNameLower.includes(pattern))) {
+    return true;
+  }
+  
+  // Test utility patterns in path
+  const testPathPatterns = [
+    'testutils', 'testhelpers', 'testassertions', 'testverifiers',
+    'testsetup', 'testmocks', 'testfixtures', 'testdata'
+  ];
+  
+  if (testPathPatterns.some(pattern => filePathLower.includes(pattern))) {
+    return true;
+  }
+  
+  // Files ending with test utility suffixes
+  if (fileNameLower.endsWith('testutil') || 
+      fileNameLower.endsWith('testhelper') ||
+      fileNameLower.endsWith('testassertion') ||
+      fileNameLower.endsWith('testverifier')) {
+    return true;
+  }
+  
+  return false;
+}
+
 /**
  * Check for component boundary violations (domain logic in components)
  */
@@ -25,29 +85,37 @@ function checkComponentBoundaries(consumingAppPath) {
   }
   
   const componentFiles = findSourceFiles(srcDir).filter(file => {
-    // Only check actual component files, not test files or utility files
-    const isTestFile = file.includes('.test.') || file.includes('.spec.');
-    const isUtilityFile = file.endsWith('Utils.ts') || 
-                         file.endsWith('Utils.tsx') ||
-                         file.endsWith('Helpers.ts') ||
-                         file.endsWith('Helpers.tsx') ||
-                         file.includes('testUtils') ||
-                         file.includes('testHelpers') ||
-                         file.includes('testAssertions') ||
-                         file.includes('testSetup');
-    
-    if (isTestFile || isUtilityFile) {
+    // Skip all test files
+    if (isTestFile(file)) {
       return false;
     }
     
     const dir = path.dirname(file);
     const isComponentDir = dir.includes('/components/') || dir.includes('/pages/');
-    const isComponentFile = file.endsWith('.tsx') || (file.endsWith('.ts') && !isUtilityFile);
+    // Only check .tsx files for component boundaries (React components)
+    // .ts files are utilities, hooks, or test files and shouldn't be checked
+    const isComponentFile = file.endsWith('.tsx');
     
     return isComponentDir && isComponentFile;
   });
   
-  componentFiles.forEach(filePath => {
+  // For data fetching checks, also include .ts files (to catch data fetching in hooks)
+  const filesForDataFetchingCheck = findSourceFiles(srcDir).filter(file => {
+    // Skip all test files
+    if (isTestFile(file)) {
+      return false;
+    }
+    
+    const dir = path.dirname(file);
+    const isComponentDir = dir.includes('/components/') || dir.includes('/pages/');
+    const isComponentFile = file.endsWith('.tsx') || file.endsWith('.ts');
+    
+    return isComponentDir && isComponentFile;
+  });
+  
+  // Check for data fetching in components (should be in hooks)
+  // Check both .tsx and .ts files for data fetching
+  filesForDataFetchingCheck.forEach(filePath => {
     const content = readFileSafe(filePath);
     if (!content) {
       return;
@@ -55,7 +123,6 @@ function checkComponentBoundaries(consumingAppPath) {
   
     const relativePath = getRelativePath(filePath, consumingAppPath);
     
-    // Check for data fetching in components (should be in hooks)
     const dataFetchingPatterns = [
       /\.from\s*\([^)]*\)\s*\.select/i,
       /\.rpc\s*\(/i,
@@ -87,8 +154,29 @@ function checkComponentBoundaries(consumingAppPath) {
         }
       }
     });
+  });
+  
+  // Check for complex business logic in components
+  // Only check .tsx files (React components), not .ts files (utilities/hooks/test files)
+  componentFiles.forEach(filePath => {
+    // Safety check: explicitly skip .ts files (should already be filtered, but double-check)
+    if (!filePath.endsWith('.tsx')) {
+      return;
+    }
+    
+    // Also skip test files as an extra safety measure
+    if (isTestFile(filePath)) {
+      return;
+    }
+    
+    const content = readFileSafe(filePath);
+    if (!content) {
+      return;
+    }
+  
+    const relativePath = getRelativePath(filePath, consumingAppPath);
     
-    // Check for complex business logic in components
+    // All files in componentFiles are .tsx files, so we can check them directly
     // Only flag actual business logic patterns, not UI text or comments
     const businessLogicPatterns = [
       /if\s*\([^)]*permission[^)]*\)/i,  // Permission checks
@@ -98,10 +186,43 @@ function checkComponentBoundaries(consumingAppPath) {
       /process\w+\s*\(/i,                 // Process functions (not "Processing..." text)
     ];
     
+    // Exclude test utility functions - functions that start with test/verify/get/create
+    // These are test helpers, not business logic
+    const isTestUtilityFunction = (match, content, index) => {
+      // Look backwards to extract the function name being called
+      const beforeMatch = content.substring(Math.max(0, index - 200), index);
+      
+      // Extract identifier before the match (function name)
+      // Look for word characters, dots, and spaces before the match
+      const identifierMatch = beforeMatch.match(/(\w+)\s*$/);
+      if (identifierMatch) {
+        const functionName = identifierMatch[1];
+        // Check if function name starts with test utility prefixes
+        const testUtilityPrefixes = /^(verify|get|test|create|assert|check|expect|mock|setup|teardown)/i;
+        if (testUtilityPrefixes.test(functionName)) {
+          return true;
+        }
+      }
+      
+      // Also check if it's a function definition with test utility prefix
+      return /(?:export\s+)?(?:async\s+)?function\s+(verify|get|test|create|assert|check|expect|mock|setup|teardown)\w*\s*\(/i.test(beforeMatch) ||
+             // Check if it's a const/let/var assignment
+             /(?:export\s+)?(?:const|let|var)\s+(verify|get|test|create|assert|check|expect|mock|setup|teardown)\w*\s*=\s*(?:async\s+)?\(/i.test(beforeMatch);
+    };
+    
     // This is a heuristic - look for complex logic that should be in hooks/utils
     // Exclude common UI text patterns
     const hasUIOnlyText = /Processing\.\.\.|processing\.\.\./i.test(content);
-    const hasComplexLogic = businessLogicPatterns.some(pattern => pattern.test(content));
+    const hasComplexLogic = businessLogicPatterns.some(pattern => {
+      const matches = content.matchAll(new RegExp(pattern.source, pattern.flags + 'g'));
+      for (const match of matches) {
+        const index = match.index;
+        if (!isInCommentOrString(content, index) && !isTestUtilityFunction(match, content, index)) {
+          return true;
+        }
+      }
+      return false;
+    });
     
     if (hasComplexLogic && !hasUIOnlyText) {
       // Check if logic is in a hook call (acceptable)
@@ -155,6 +276,11 @@ function checkApiResultUsage(consumingAppPath) {
   
   // Check for API functions that don't use ApiResult
   sourceFiles.forEach(filePath => {
+    // Skip test files
+    if (isTestFile(filePath)) {
+      return;
+    }
+    
     const content = readFileSafe(filePath);
     if (!content) {
       return;
@@ -168,8 +294,8 @@ function checkApiResultUsage(consumingAppPath) {
       const functionName = match[1];
       const functionIndex = match.index;
       
-      // Skip if it's a test file or hook
-      if (filePath.includes('.test.') || functionName.startsWith('use')) {
+      // Skip if it's a hook
+      if (functionName.startsWith('use')) {
         return;
       }
       

package/audit-tool/audits/04-code-quality.cjs

@@ -11,7 +11,8 @@
  */
 
 const path = require('path');
-const { findConfigFiles, readFileSafe, getRelativePath } = require('../utils/file-utils.cjs');
+const { findConfigFiles, readFileSafe, getRelativePath, findSourceFiles } = require('../utils/file-utils.cjs');
+const { getLineNumber, isInCommentOrString } = require('../utils/code-utils.cjs');
 
 /**
  * Check TypeScript configuration
@@ -120,6 +121,89 @@ function checkTestCoverageConfig(consumingAppPath) {
   return issues;
 }
 
+/**
+ * Check for excessive console logging in production code
+ */
+function checkConsoleLogging(consumingAppPath) {
+  const issues = [];
+  
+  const srcDir = path.join(consumingAppPath, 'src');
+  if (!require('fs').existsSync(srcDir)) {
+    return issues;
+  }
+  
+  const sourceFiles = findSourceFiles(srcDir).filter(file => {
+    // Skip test files
+    const isTestFile = file.includes('.test.') || 
+                       file.includes('.spec.') || 
+                       file.includes('/test/') || 
+                       file.includes('/tests/') ||
+                       file.includes('__tests__') ||
+                       file.includes('__test__') ||
+                       path.basename(file, path.extname(file)).toLowerCase().startsWith('test');
+    
+    return !isTestFile;
+  });
+  
+  sourceFiles.forEach(filePath => {
+    const content = readFileSafe(filePath);
+    if (!content) {
+      return;
+    }
+    
+    const relativePath = getRelativePath(filePath, consumingAppPath);
+    
+    // Count console.log, console.debug, console.warn, console.error statements
+    const consolePatterns = [
+      { pattern: /console\.(log|debug)\s*\(/gi, name: 'console.log/debug', threshold: 3 },
+      { pattern: /console\.warn\s*\(/gi, name: 'console.warn', threshold: 5 },
+      { pattern: /console\.error\s*\(/gi, name: 'console.error', threshold: 10 }, // Errors are usually OK
+    ];
+    
+    consolePatterns.forEach(({ pattern, name, threshold }) => {
+      const matches = [...content.matchAll(pattern)];
+      const validMatches = matches.filter(match => {
+        const index = match.index;
+        return !isInCommentOrString(content, index);
+      });
+      
+      if (validMatches.length > threshold) {
+        const firstMatch = validMatches[0];
+        issues.push({
+          type: 'excessiveConsoleLogging',
+          file: relativePath,
+          line: getLineNumber(content, firstMatch.index),
+          message: `Excessive ${name} usage detected (${validMatches.length} instances). Consider removing debug logs or using a proper logging library.`,
+          severity: 'warning',
+          fix: `Remove or replace ${name} statements. Use a logging library or remove debug logs before production.`,
+        });
+      }
+    });
+    
+    // Special check for DEBUG logging (common pattern)
+    const debugLogPattern = /console\.(log|debug)\s*\(\s*['"`]\[DEBUG\]/gi;
+    const debugMatches = [...content.matchAll(debugLogPattern)];
+    const validDebugMatches = debugMatches.filter(match => {
+      const index = match.index;
+      return !isInCommentOrString(content, index);
+    });
+    
+    if (validDebugMatches.length > 0) {
+      const firstMatch = validDebugMatches[0];
+      issues.push({
+        type: 'debugConsoleLogging',
+        file: relativePath,
+        line: getLineNumber(content, firstMatch.index),
+        message: `Debug console logging detected (${validDebugMatches.length} instances). Debug logs should be removed or disabled in production.`,
+        severity: 'warning',
+        fix: 'Remove debug console.log statements or use environment-based logging that can be disabled in production.',
+      });
+    }
+  });
+  
+  return issues;
+}
+
 /**
  * Run audit for Standard 4: Code Quality
  * @param {string} consumingAppPath - Path to consuming app
@@ -131,6 +215,7 @@ function runStandard4Audit(consumingAppPath) {
   try {
     issues.push(...checkTypeScriptConfig(consumingAppPath));
     issues.push(...checkTestCoverageConfig(consumingAppPath));
+    issues.push(...checkConsoleLogging(consumingAppPath));
   } catch (error) {
     return {
       standard: '04-code-quality',

package/audit-tool/audits/06-security-rbac.cjs

@@ -293,16 +293,36 @@ function checkRLSPolicies(consumingAppPath) {
             });
           }
           
+          // Check if function queries RLS-protected tables to determine if SECURITY DEFINER is needed
+          const funcBodyStart = content.indexOf('AS $$', funcStart);
+          let needsSecurityDefiner = false;
+          if (funcBodyStart !== -1) {
+            const funcBodyEnd = content.indexOf('$$;', funcBodyStart);
+            if (funcBodyEnd !== -1) {
+              const funcBody = content.substring(funcBodyStart, funcBodyEnd);
+              const rlsProtectedTables = ['rbac_organisation_roles', 'rbac_global_roles', 'rbac_event_app_roles', 'rbac_user_profiles', 'rbac_apps', 'rbac_app_pages', 'rbac_page_permissions'];
+              needsSecurityDefiner = rlsProtectedTables.some(table => {
+                const tablePattern = new RegExp(`\\b${table}\\b`, 'i');
+                return tablePattern.test(funcBody);
+              });
+            }
+          }
+          
           if (!hasSecurityDefiner) {
-            issues.push({
-              type: 'rlsPolicy',
-              file: relativePath,
-              line: getLineNumber(content, funcStart),
-              message: `Helper function '${funcName}' missing SECURITY DEFINER attribute. RLS helper functions must be SECURITY DEFINER to bypass RLS recursion.`,
-              code: getCodeSnippet(content, funcStart, 0, 150),
-              severity: 'error',
-              fix: 'Add SECURITY DEFINER attribute to function definition.',
-            });
+            if (needsSecurityDefiner) {
+              issues.push({
+                type: 'rlsPolicy',
+                file: relativePath,
+                line: getLineNumber(content, funcStart),
+                message: `Helper function '${funcName}' queries RLS-protected tables but missing SECURITY DEFINER attribute. REQUIRED: SECURITY DEFINER is needed to bypass RLS and avoid circular dependencies when querying RLS-protected tables from within RLS policies.`,
+                code: getCodeSnippet(content, funcStart, 0, 150),
+                severity: 'error',
+                fix: 'Add SECURITY DEFINER attribute to function definition. Also ensure SET search_path TO public is present.',
+              });
+            } else {
+              // Function doesn't query RLS-protected tables, SECURITY DEFINER might not be needed
+              // This is just informational, not an error
+            }
           }
           
           if (!hasSearchPath) {
@@ -310,12 +330,90 @@ function checkRLSPolicies(consumingAppPath) {
               type: 'rlsPolicy',
               file: relativePath,
               line: getLineNumber(content, funcStart),
-              message: `Helper function '${funcName}' missing SET search_path TO public. Required to prevent search path injection.`,
+              message: `Helper function '${funcName}' missing SET search_path TO public. MANDATORY for SECURITY DEFINER functions to prevent search path hijacking attacks.`,
               code: getCodeSnippet(content, funcStart, 0, 150),
               severity: 'error',
-              fix: 'Add SET search_path TO public to function definition.',
+              fix: 'Add SET search_path TO public to function definition. This is MANDATORY for SECURITY DEFINER functions to prevent search path hijacking.',
             });
           }
+          
+          // Additional security checks for SECURITY DEFINER functions
+          if (hasSecurityDefiner) {
+            // Get function body to check for unqualified references
+            const funcBodyStart = content.indexOf('AS $$', funcStart);
+            if (funcBodyStart !== -1) {
+              const funcBodyEnd = content.indexOf('$$;', funcBodyStart);
+              if (funcBodyEnd !== -1) {
+                const funcBody = content.substring(funcBodyStart, funcBodyEnd);
+                
+                // Check for unqualified table references (security risk)
+                // Look for FROM/JOIN without schema qualification
+                const unqualifiedTablePattern = /(?:FROM|JOIN)\s+([a-z_][a-z0-9_]*)\s+(?!WHERE|ON|,|$)/gi;
+                let tableMatch;
+                const rlsProtectedTables = ['rbac_organisation_roles', 'rbac_global_roles', 'rbac_event_app_roles', 'rbac_user_profiles', 'rbac_apps', 'rbac_app_pages', 'rbac_page_permissions'];
+                
+                while ((tableMatch = unqualifiedTablePattern.exec(funcBody)) !== null) {
+                  const tableName = tableMatch[1].toLowerCase();
+                  // Check if it's a known RLS-protected table without schema qualification
+                  if (rlsProtectedTables.some(t => t.toLowerCase() === tableName)) {
+                    // Check if it's already schema-qualified (public.table_name)
+                    const beforeMatch = funcBody.substring(Math.max(0, tableMatch.index - 20), tableMatch.index);
+                    if (!/public\./i.test(beforeMatch)) {
+                      issues.push({
+                        type: 'rlsPolicy',
+                        file: relativePath,
+                        line: getLineNumber(content, funcStart + tableMatch.index),
+                        message: `SECURITY DEFINER function '${funcName}' uses unqualified table reference '${tableName}'. MANDATORY: All table references in SECURITY DEFINER functions must be schema-qualified (e.g., public.${tableName}) to prevent search path hijacking.`,
+                        code: getCodeSnippet(content, funcStart + tableMatch.index, 0, 100),
+                        severity: 'error',
+                        fix: `Schema-qualify the table reference: public.${tableName}`,
+                      });
+                    }
+                  }
+                }
+                
+                // Check if function queries RLS-protected tables (justification for SECURITY DEFINER)
+                const queriesRLSProtected = rlsProtectedTables.some(table => {
+                  const tablePattern = new RegExp(`\\b${table}\\b`, 'i');
+                  return tablePattern.test(funcBody);
+                });
+                
+                // Check if function has any table queries at all
+                const hasTableQueries = /(?:FROM|JOIN|INTO|UPDATE)\s+\w+/i.test(funcBody);
+                
+                if (!queriesRLSProtected && hasTableQueries) {
+                  // Function has SECURITY DEFINER but doesn't query RLS-protected tables
+                  // This might be okay if it needs elevated privileges, but should be documented
+                  const hasComment = /COMMENT\s+ON\s+FUNCTION.*SECURITY\s+DEFINER/i.test(content.substring(funcStart, funcStart + 2000));
+                  if (!hasComment) {
+                    issues.push({
+                      type: 'rlsPolicy',
+                      file: relativePath,
+                      line: getLineNumber(content, funcStart),
+                      message: `SECURITY DEFINER function '${funcName}' does not query RLS-protected tables. If SECURITY DEFINER is needed for elevated privileges, document why in a COMMENT. Otherwise, consider removing SECURITY DEFINER if not needed.`,
+                      code: getCodeSnippet(content, funcStart, 0, 200),
+                      severity: 'warning',
+                      fix: 'Add COMMENT ON FUNCTION explaining why SECURITY DEFINER is needed, or remove SECURITY DEFINER if not required.',
+                    });
+                  }
+                } else if (queriesRLSProtected && !hasComment) {
+                  // Function queries RLS-protected tables but doesn't document why SECURITY DEFINER is needed
+                  const hasComment = /COMMENT\s+ON\s+FUNCTION/i.test(content.substring(funcStart, funcStart + 2000));
+                  if (!hasComment) {
+                    issues.push({
+                      type: 'rlsPolicy',
+                      file: relativePath,
+                      line: getLineNumber(content, funcStart),
+                      message: `SECURITY DEFINER function '${funcName}' queries RLS-protected tables but lacks documentation. REQUIRED: Add COMMENT ON FUNCTION explaining why SECURITY DEFINER is needed (to avoid circular RLS dependencies).`,
+                      code: getCodeSnippet(content, funcStart, 0, 200),
+                      severity: 'warning',
+                      fix: 'Add COMMENT ON FUNCTION documenting that SECURITY DEFINER is required to avoid circular RLS dependencies when querying RLS-protected tables.',
+                    });
+                  }
+                }
+              }
+            }
+          }
         }
       }
     } catch (error) {

package/cursor-rules/02-project-structure.mdc

@@ -14,7 +14,7 @@ This guide defines the standard folder structure and file organization for consu
 ## AI Agent Instructions
 
 **When creating or organizing files, ALWAYS:**
-1. **Organize by feature** - Group components, hooks, and utilities by feature/domain, not by type
+1. **Organize by feature** - Group components, hooks, and utilities by feature, not by type
 2. **Colocate tests** - Place test files next to source files (`Component.test.tsx` next to `Component.tsx`)
 3. **Follow naming conventions** - Components: `PascalCase.tsx`, Hooks: `use*.ts`, Utils: `camelCase.ts`
 4. **Use absolute imports** - Use `@/` path alias for imports, never relative imports for distant files
@@ -74,7 +74,7 @@ your-app/
 
 ## MUST: Organize Components by Feature
 
-**ALWAYS organize components by feature/domain, not by type:**
+**ALWAYS organize components by feature, not by type:**
 
 ```
 src/
@@ -136,30 +136,6 @@ src/
   - where migrations/RLS policies are managed
   - whether the app is expected to add migrations in the future
 
-## SHOULD: Organize by Domain
-
-**For larger apps, SHOULD organize by domain/feature:**
-
-```
-src/
-├── domains/
-│   ├── events/
-│   │   ├── components/
-│   │   ├── hooks/
-│   │   ├── services/
-│   │   └── types.ts
-│   └── users/
-│       ├── components/
-│       ├── hooks/
-│       ├── services/
-│       └── types.ts
-├── shared/              # Shared across domains
-│   ├── components/
-│   ├── hooks/
-│   └── utils/
-└── App.tsx
-```
-
 ## MUST: Keep Root Directory Clean
 
 **Root directory SHOULD only contain:**