@arcbridge/core 0.5.0 → 0.6.0

package/dist/index.js

@@ -54,7 +54,8 @@ var ArcBridgeConfigSchema = z2.object({
     "api-service",
     "dotnet-webapi",
     "unity-game",
-    "angular-app"
+    "angular-app",
+    "fullstack-nextjs-dotnet"
   ]).default("nextjs-app-router"),
   services: z2.array(ServiceSchema).default([]),
   platforms: z2.array(z2.enum(["claude", "copilot", "gemini", "codex", "opencode"])).default(["claude"]),
@@ -809,6 +810,46 @@ function configTemplate6(input) {
   };
 }
 
+// src/templates/config/fullstack-nextjs-dotnet.ts
+function configTemplate7(input) {
+  return {
+    schema_version: 1,
+    project_name: input.name,
+    project_type: "fullstack-nextjs-dotnet",
+    services: [
+      { name: "frontend", path: "frontend", type: "nextjs", tsconfig: "frontend/tsconfig.json" },
+      { name: "api", path: "api", type: "dotnet" }
+    ],
+    platforms: input.platforms,
+    quality_priorities: input.quality_priorities,
+    indexing: {
+      include: [
+        "frontend/src/**/*",
+        "frontend/app/**/*",
+        "api/**/*.cs",
+        "shared/**/*",
+        "contracts/**/*"
+      ],
+      exclude: ["node_modules", "dist", ".next", "bin", "obj", "coverage"],
+      default_mode: "fast",
+      csharp_indexer: "auto"
+    },
+    testing: {
+      test_command: "npm test",
+      timeout_ms: 6e4
+    },
+    drift: {
+      ignore_paths: []
+    },
+    metrics: { auto_record: false },
+    sync: {
+      auto_detect_drift: true,
+      drift_severity_threshold: "warning",
+      propose_updates_on: "phase-complete"
+    }
+  };
+}
+
 // src/generators/config-generator.ts
 var configTemplates = {
   "nextjs-app-router": configTemplate,
@@ -816,7 +857,8 @@ var configTemplates = {
   "api-service": configTemplate3,
   "dotnet-webapi": configTemplate4,
   "unity-game": configTemplate5,
-  "angular-app": configTemplate6
+  "angular-app": configTemplate6,
+  "fullstack-nextjs-dotnet": configTemplate7
 };
 function generateConfig(targetDir, input) {
   const templateFn = configTemplates[input.template] ?? configTemplate;
@@ -845,7 +887,7 @@ function introductionTemplate(input) {
 
 ## Requirements Overview
 
-${input.name} is a ${input.template === "nextjs-app-router" ? "Next.js application using the App Router" : input.template === "angular-app" ? "Angular application with standalone components" : input.template === "dotnet-webapi" ? "ASP.NET Core Web API" : input.template === "unity-game" ? "Unity game built with a code-heavy C# architecture" : "web application"}.
+${input.name} is a ${input.template === "nextjs-app-router" ? "Next.js application using the App Router" : input.template === "angular-app" ? "Angular application with standalone components" : input.template === "dotnet-webapi" ? "ASP.NET Core Web API" : input.template === "unity-game" ? "Unity game built with a code-heavy C# architecture" : input.template === "fullstack-nextjs-dotnet" ? "fullstack application with a Next.js frontend and .NET API backend" : "web application"}.
 
 ### Key Features
 
@@ -1047,7 +1089,66 @@ function getEntrypoints(template, srcPrefix, appPrefix) {
 function buildingBlocksTemplate(input) {
   const now = (/* @__PURE__ */ new Date()).toISOString();
   const layout = detectProjectLayout(input.projectRoot, input.template);
-  const defaultBlocks = input.template === "dotnet-webapi" ? buildDotnetBlocks(input) : input.template === "unity-game" ? buildUnityBlocks() : input.template === "angular-app" ? buildAngularBlocks(layout) : buildJsBlocks(input, layout);
+  const defaultBlocks = input.template === "fullstack-nextjs-dotnet" ? buildFullstackBlocks() : input.template === "dotnet-webapi" ? buildDotnetBlocks(input) : input.template === "unity-game" ? buildUnityBlocks() : input.template === "angular-app" ? buildAngularBlocks(layout) : buildJsBlocks(input, layout);
+  function buildFullstackBlocks() {
+    return [
+      {
+        id: "frontend-shell",
+        name: "Frontend Shell",
+        level: 1,
+        code_paths: ["frontend/app/", "frontend/src/app/"],
+        interfaces: [],
+        quality_scenarios: ["PERF-01"],
+        adrs: [],
+        responsibility: "Next.js App Router layouts, pages, and top-level page structure",
+        service: "frontend"
+      },
+      {
+        id: "frontend-components",
+        name: "Frontend Components",
+        level: 1,
+        code_paths: ["frontend/src/components/", "frontend/components/"],
+        interfaces: [],
+        quality_scenarios: ["A11Y-01"],
+        adrs: [],
+        responsibility: "Shared, reusable React UI components",
+        service: "frontend"
+      },
+      {
+        id: "api-controllers",
+        name: "API Controllers",
+        level: 1,
+        code_paths: ["api/Controllers/"],
+        interfaces: [],
+        quality_scenarios: ["SEC-03"],
+        adrs: [],
+        responsibility: "ASP.NET Core API endpoint definitions and request handling",
+        service: "api"
+      },
+      {
+        id: "api-services",
+        name: "API Services",
+        level: 1,
+        code_paths: ["api/Services/"],
+        interfaces: ["api-controllers"],
+        quality_scenarios: [],
+        adrs: [],
+        responsibility: "Business logic, use cases, and orchestration between domain and infrastructure",
+        service: "api"
+      },
+      {
+        id: "shared-contracts",
+        name: "Shared Contracts",
+        level: 1,
+        code_paths: ["shared/", "contracts/"],
+        interfaces: ["frontend-shell", "api-controllers"],
+        quality_scenarios: ["MAINT-01"],
+        adrs: [],
+        responsibility: "API types, schemas, and contracts shared between the Next.js frontend and .NET backend",
+        service: "api"
+      }
+    ];
+  }
   function buildJsBlocks(inp, lt) {
     const src = lt.srcPrefix;
     const entries = lt.entrypoints;
@@ -2275,13 +2376,169 @@ var ANGULAR_SCENARIOS = {
     }
   ]
 };
+var FULLSTACK_NEXTJS_DOTNET_SCENARIOS = {
+  security: [
+    {
+      id: "SEC-02",
+      name: "No secrets in client bundles or source",
+      category: "security",
+      priority: "must",
+      scenario: "Client-side JavaScript bundle and .NET source/config files are analyzed",
+      expected: "No API keys, tokens, or secrets are found in client-side code or hardcoded in appsettings",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["frontend-shell", "api-controllers"],
+      verification: "automatic",
+      status: "untested"
+    },
+    {
+      id: "SEC-04",
+      name: "CORS policy restricts origins",
+      category: "security",
+      priority: "should",
+      scenario: "A cross-origin request is made from an untrusted domain",
+      expected: "Request is rejected by CORS middleware; only the frontend origin is allowed",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["api-controllers"],
+      verification: "automatic",
+      status: "untested"
+    },
+    {
+      id: "SEC-05",
+      name: "Cross-service auth token handling",
+      category: "security",
+      priority: "must",
+      scenario: "Frontend sends an auth token to the .NET API on every protected request",
+      expected: "Token is validated server-side; expired or invalid tokens return 401; tokens are never stored in localStorage",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["frontend-shell", "api-services"],
+      verification: "automatic",
+      status: "untested"
+    }
+  ],
+  performance: [
+    {
+      id: "PERF-01",
+      name: "Initial page load under 3s",
+      category: "performance",
+      priority: "should",
+      scenario: "User loads the landing page on a 3G connection",
+      expected: "Largest Contentful Paint (LCP) is under 3 seconds",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["frontend-shell"],
+      verification: "semi-automatic",
+      status: "untested"
+    },
+    {
+      id: "PERF-03",
+      name: "Frontend bundle under 200KB gzipped",
+      category: "performance",
+      priority: "should",
+      scenario: "Production build output is analyzed",
+      expected: "Main JavaScript bundle is under 200KB gzipped",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["frontend-shell", "frontend-components"],
+      verification: "semi-automatic",
+      status: "untested"
+    },
+    {
+      id: "PERF-04",
+      name: "Async all the way in .NET API",
+      category: "performance",
+      priority: "must",
+      scenario: "I/O-bound operations in the API are reviewed",
+      expected: "All I/O operations use async/await; no sync-over-async or blocking calls",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["api-controllers", "api-services"],
+      verification: "semi-automatic",
+      status: "untested"
+    }
+  ],
+  reliability: [
+    {
+      id: "REL-02",
+      name: "Health check covers dependencies",
+      category: "reliability",
+      priority: "should",
+      scenario: "Orchestrator calls the /health endpoint",
+      expected: "Returns degraded or unhealthy if database or critical external service is unreachable",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["api-controllers"],
+      verification: "automatic",
+      status: "untested"
+    },
+    {
+      id: "REL-03",
+      name: "Structured logging with correlation",
+      category: "reliability",
+      priority: "should",
+      scenario: "A request flows through frontend to API and back",
+      expected: "All log entries share a correlation ID across services; logs are structured JSON",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["api-services"],
+      verification: "semi-automatic",
+      status: "untested"
+    }
+  ],
+  accessibility: [
+    {
+      id: "A11Y-01",
+      name: "WCAG 2.1 AA compliance",
+      category: "accessibility",
+      priority: "should",
+      scenario: "All pages are audited with axe-core",
+      expected: "No critical or serious accessibility violations",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["frontend-components"],
+      verification: "semi-automatic",
+      status: "untested"
+    },
+    {
+      id: "A11Y-02",
+      name: "Keyboard navigation",
+      category: "accessibility",
+      priority: "should",
+      scenario: "User navigates the entire application using only keyboard",
+      expected: "All interactive elements are reachable and operable via keyboard",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["frontend-components"],
+      verification: "manual",
+      status: "untested"
+    }
+  ],
+  maintainability: [
+    {
+      id: "MAINT-03",
+      name: "API contract consistency",
+      category: "maintainability",
+      priority: "must",
+      scenario: "Frontend type definitions are compared against API OpenAPI spec or shared contracts",
+      expected: "All frontend API types match the backend contract; CI check prevents drift",
+      linked_code: [],
+      linked_tests: [],
+      linked_blocks: ["shared-contracts"],
+      verification: "automatic",
+      status: "untested"
+    }
+  ]
+};
 var TEMPLATE_SCENARIOS = {
   "nextjs-app-router": FRONTEND_SCENARIOS,
   "react-vite": FRONTEND_SCENARIOS,
   "angular-app": ANGULAR_SCENARIOS,
   "api-service": API_SCENARIOS,
   "dotnet-webapi": DOTNET_SCENARIOS,
-  "unity-game": UNITY_GAME_SCENARIOS
+  "unity-game": UNITY_GAME_SCENARIOS,
+  "fullstack-nextjs-dotnet": FULLSTACK_NEXTJS_DOTNET_SCENARIOS
 };
 function mergeScenarios(template, category) {
   const shared = SHARED_SCENARIOS[category] ?? [];
@@ -3857,90 +4114,445 @@ function phaseTasksTemplate6(_input, phaseId) {
           ]
         },
         {
-          id: "task-0.2-routing",
-          title: "Set up routing with lazy loading",
+          id: "task-0.2-routing",
+          title: "Set up routing with lazy loading",
+          status: "todo",
+          building_block: "app-shell",
+          quality_scenarios: ["PERF-05"],
+          acceptance_criteria: [
+            "App routes defined in app.routes.ts",
+            "At least one feature route uses loadComponent or loadChildren",
+            "Route guards and resolvers use functional approach"
+          ]
+        },
+        {
+          id: "task-0.3-core-services",
+          title: "Set up core services and HTTP interceptor",
+          status: "todo",
+          building_block: "core-services",
+          quality_scenarios: [],
+          acceptance_criteria: [
+            "HTTP interceptor for API base URL and error handling",
+            "Core services provided in root",
+            "Environment configuration set up"
+          ]
+        },
+        {
+          id: "task-0.4-testing",
+          title: "Set up testing infrastructure",
+          status: "todo",
+          quality_scenarios: ["MAINT-02"],
+          acceptance_criteria: [
+            "Unit test framework configured (Vitest or Karma/Jasmine)",
+            "First component test passes",
+            "Test coverage reporting enabled"
+          ]
+        }
+      ]
+    },
+    "phase-1-foundation": {
+      schema_version: 1,
+      phase_id: "phase-1-foundation",
+      tasks: [
+        {
+          id: "task-1.1-shared-components",
+          title: "Build shared component library",
+          status: "todo",
+          building_block: "shared-components",
+          quality_scenarios: ["A11Y-01"],
+          acceptance_criteria: [
+            "Reusable UI components in shared/ directory",
+            "Components use OnPush change detection or signals",
+            "Components follow accessibility guidelines"
+          ]
+        },
+        {
+          id: "task-1.2-auth",
+          title: "Implement authentication and route guards",
+          status: "todo",
+          building_block: "core-services",
+          quality_scenarios: ["SEC-01"],
+          acceptance_criteria: [
+            "Auth service with login/logout/token management",
+            "Functional route guard protecting private routes",
+            "Auth interceptor attaching tokens to API requests"
+          ]
+        },
+        {
+          id: "task-1.3-api-client",
+          title: "Set up API client layer",
+          status: "todo",
+          building_block: "api-client",
+          quality_scenarios: [],
+          acceptance_criteria: [
+            "Typed API service methods for backend endpoints",
+            "Error handling and retry logic",
+            "Loading/error state management"
+          ]
+        },
+        {
+          id: "task-1.4-document-decisions",
+          title: "Document architectural decisions as ADRs",
+          status: "todo",
+          quality_scenarios: [],
+          acceptance_criteria: [
+            "ADR for each significant architecture/pattern choice",
+            "ADRs linked to affected building blocks and code paths"
+          ]
+        }
+      ]
+    }
+  };
+  return tasksByPhase[phaseId] ?? null;
+}
+
+// src/templates/phases/fullstack-nextjs-dotnet.ts
+function phasePlanTemplate7(_input) {
+  const phases = [
+    {
+      id: "phase-0-setup",
+      name: "Monorepo Setup",
+      phase_number: 0,
+      status: "planned",
+      description: "Initialize monorepo structure, scaffold Next.js frontend and .NET API backend, configure shared tooling",
+      gate_requirements: [
+        "Monorepo structure with frontend/ and api/ directories",
+        "Next.js app builds and runs at localhost:3000",
+        ".NET API builds and runs with health check at /health",
+        "Shared dev scripts (start, build, test) work from root"
+      ]
+    },
+    {
+      id: "phase-1-api-foundation",
+      name: "API Foundation",
+      phase_number: 1,
+      status: "planned",
+      description: "Build .NET API controllers, services, authentication middleware, and database access layer",
+      gate_requirements: [
+        "Auth middleware protects API endpoints",
+        "Global exception handler returns ProblemDetails",
+        "Database access layer configured with migrations",
+        "OpenAPI/Swagger documentation generated",
+        "Quality scenarios SEC-01, SEC-02 verified"
+      ]
+    },
+    {
+      id: "phase-2-frontend-foundation",
+      name: "Frontend Foundation",
+      phase_number: 2,
+      status: "planned",
+      description: "Build Next.js layouts, reusable components, API client layer, and authentication UI",
+      gate_requirements: [
+        "App shell with layout and navigation working",
+        "API client layer communicates with .NET backend",
+        "Auth UI (login, register, protected routes) functional",
+        "Component library with consistent styling",
+        "Quality scenarios A11Y-01, PERF-01 verified"
+      ]
+    },
+    {
+      id: "phase-3-feature-integration",
+      name: "Feature Integration",
+      phase_number: 3,
+      status: "planned",
+      description: "Implement end-to-end features across frontend and backend, API contract synchronization, and shared types",
+      gate_requirements: [
+        "At least one full CRUD feature works end-to-end",
+        "API contracts validated between frontend and backend",
+        "Shared type definitions keep frontend and API in sync",
+        "Integration tests cover cross-service workflows"
+      ]
+    },
+    {
+      id: "phase-4-production",
+      name: "Production Readiness",
+      phase_number: 4,
+      status: "planned",
+      description: "CI/CD pipeline, deployment configuration, monitoring, and performance optimization",
+      gate_requirements: [
+        "CI pipeline builds and tests both services",
+        "Docker Compose or equivalent runs the full stack",
+        "Rate limiting and CORS configured for production",
+        "All quality scenarios passing",
+        "Production deployment successful"
+      ]
+    }
+  ];
+  return { schema_version: 1, phases };
+}
+function phaseTasksTemplate7(_input, phaseId) {
+  const tasksByPhase = {
+    "phase-0-setup": {
+      schema_version: 1,
+      phase_id: "phase-0-setup",
+      tasks: [
+        {
+          id: "task-0.1-monorepo-structure",
+          title: "Set up monorepo structure with frontend and api directories",
+          status: "todo",
+          building_block: "frontend-shell",
+          quality_scenarios: [],
+          acceptance_criteria: [
+            "Root package.json with workspace scripts",
+            "frontend/ directory with Next.js app (App Router)",
+            "api/ directory with ASP.NET Core Web API project",
+            "Shared .editorconfig and linting configuration"
+          ]
+        },
+        {
+          id: "task-0.2-frontend-scaffold",
+          title: "Scaffold Next.js frontend with App Router",
+          status: "todo",
+          building_block: "frontend-shell",
+          quality_scenarios: ["MAINT-01"],
+          acceptance_criteria: [
+            "Next.js app created with TypeScript and App Router",
+            "Root layout with metadata and font configuration",
+            "Landing page renders at localhost:3000",
+            "ESLint and Prettier configured"
+          ]
+        },
+        {
+          id: "task-0.3-api-scaffold",
+          title: "Scaffold .NET API with health check",
+          status: "todo",
+          building_block: "api-controllers",
+          quality_scenarios: [],
+          acceptance_criteria: [
+            "ASP.NET Core Web API project created",
+            "Health check endpoint responds at /health",
+            "DI container configured with core services",
+            "Logging and configuration in place"
+          ]
+        },
+        {
+          id: "task-0.4-shared-tooling",
+          title: "Configure shared development tooling and scripts",
+          status: "todo",
+          building_block: "shared-contracts",
+          quality_scenarios: ["MAINT-02"],
+          acceptance_criteria: [
+            "Root-level scripts to start, build, and test both services",
+            "Shared TypeScript types or OpenAPI contract directory",
+            "Testing infrastructure for both frontend and backend",
+            "Git hooks for linting and formatting"
+          ]
+        }
+      ]
+    },
+    "phase-1-api-foundation": {
+      schema_version: 1,
+      phase_id: "phase-1-api-foundation",
+      tasks: [
+        {
+          id: "task-1.1-api-auth",
+          title: "Implement API authentication and authorization",
+          status: "todo",
+          building_block: "api-services",
+          quality_scenarios: ["SEC-01", "SEC-02"],
+          acceptance_criteria: [
+            "JWT bearer auth configured in .NET API",
+            "Authorization policies defined for role-based access",
+            "Auth middleware applied to protected endpoints",
+            "Token validation and refresh logic implemented"
+          ]
+        },
+        {
+          id: "task-1.2-api-controllers",
+          title: "Build core API controllers and endpoints",
+          status: "todo",
+          building_block: "api-controllers",
+          quality_scenarios: ["SEC-03"],
+          acceptance_criteria: [
+            "RESTful controllers for core resources",
+            "Input validation via FluentValidation or data annotations",
+            "Consistent response format with ProblemDetails for errors",
+            "OpenAPI/Swagger documentation generated and accessible"
+          ]
+        },
+        {
+          id: "task-1.3-api-services",
+          title: "Implement business logic and service layer",
+          status: "todo",
+          building_block: "api-services",
+          quality_scenarios: ["MAINT-01"],
+          acceptance_criteria: [
+            "Service classes encapsulate business logic",
+            "Repository pattern for data access",
+            "EF Core or Dapper configured with migrations",
+            "Unit tests cover service layer logic"
+          ]
+        },
+        {
+          id: "task-1.4-api-middleware",
+          title: "Configure middleware pipeline and error handling",
+          status: "todo",
+          building_block: "api-controllers",
+          quality_scenarios: ["REL-01"],
+          acceptance_criteria: [
+            "Global exception handler returns RFC 7807 ProblemDetails",
+            "Request/response logging with correlation IDs",
+            "CORS policy configured for frontend origin",
+            "No stack traces leaked in production"
+          ]
+        }
+      ]
+    },
+    "phase-2-frontend-foundation": {
+      schema_version: 1,
+      phase_id: "phase-2-frontend-foundation",
+      tasks: [
+        {
+          id: "task-2.1-frontend-layout",
+          title: "Build app shell with layouts and navigation",
+          status: "todo",
+          building_block: "frontend-shell",
+          quality_scenarios: ["A11Y-01"],
+          acceptance_criteria: [
+            "Root layout with header, sidebar, and main content area",
+            "Navigation component with active state indicators",
+            "Responsive layout that works on mobile and desktop",
+            "Loading and error boundary components"
+          ]
+        },
+        {
+          id: "task-2.2-frontend-components",
+          title: "Create reusable UI component library",
+          status: "todo",
+          building_block: "frontend-components",
+          quality_scenarios: ["A11Y-02"],
+          acceptance_criteria: [
+            "Button, Input, Card, Modal, and Table components",
+            "Consistent styling with design tokens or Tailwind",
+            "All components meet WCAG 2.1 AA accessibility",
+            "Component documentation or Storybook setup"
+          ]
+        },
+        {
+          id: "task-2.3-api-client",
+          title: "Build API client layer for backend communication",
+          status: "todo",
+          building_block: "shared-contracts",
+          quality_scenarios: ["REL-01"],
+          acceptance_criteria: [
+            "Typed API client generated from OpenAPI spec or manually defined",
+            "Error handling with user-friendly messages",
+            "Auth token injection in request headers",
+            "Request/response interceptors for logging and retry"
+          ]
+        },
+        {
+          id: "task-2.4-frontend-auth",
+          title: "Implement frontend authentication UI and flow",
           status: "todo",
-          building_block: "app-shell",
-          quality_scenarios: ["PERF-05"],
+          building_block: "frontend-shell",
+          quality_scenarios: ["SEC-01"],
           acceptance_criteria: [
-            "App routes defined in app.routes.ts",
-            "At least one feature route uses loadComponent or loadChildren",
-            "Route guards and resolvers use functional approach"
+            "Login and registration pages",
+            "Protected route middleware or layout",
+            "Token storage and refresh handling",
+            "Auth state management (context or store)"
+          ]
+        }
+      ]
+    },
+    "phase-3-feature-integration": {
+      schema_version: 1,
+      phase_id: "phase-3-feature-integration",
+      tasks: [
+        {
+          id: "task-3.1-e2e-feature",
+          title: "Implement first end-to-end CRUD feature",
+          status: "todo",
+          building_block: "api-controllers",
+          quality_scenarios: ["PERF-02"],
+          acceptance_criteria: [
+            "Full CRUD operations from frontend through API to database",
+            "Optimistic UI updates where appropriate",
+            "Server-side validation reflected in frontend forms",
+            "List, detail, create, edit, and delete views working"
           ]
         },
         {
-          id: "task-0.3-core-services",
-          title: "Set up core services and HTTP interceptor",
+          id: "task-3.2-contract-sync",
+          title: "Set up API contract synchronization",
           status: "todo",
-          building_block: "core-services",
-          quality_scenarios: [],
+          building_block: "shared-contracts",
+          quality_scenarios: ["MAINT-01"],
           acceptance_criteria: [
-            "HTTP interceptor for API base URL and error handling",
-            "Core services provided in root",
-            "Environment configuration set up"
+            "OpenAPI spec or shared type definitions in contracts directory",
+            "Frontend types generated from or validated against API contract",
+            "CI check prevents contract drift between frontend and backend",
+            "Documentation for updating contracts when API changes"
           ]
         },
         {
-          id: "task-0.4-testing",
-          title: "Set up testing infrastructure",
+          id: "task-3.3-integration-tests",
+          title: "Write cross-service integration tests",
           status: "todo",
+          building_block: "shared-contracts",
           quality_scenarios: ["MAINT-02"],
           acceptance_criteria: [
-            "Unit test framework configured (Vitest or Karma/Jasmine)",
-            "First component test passes",
-            "Test coverage reporting enabled"
+            "Integration tests exercise frontend-to-API workflows",
+            "Test environment starts both services",
+            "Auth flow tested end-to-end",
+            "Error scenarios covered (API down, validation failures)"
           ]
         }
       ]
     },
-    "phase-1-foundation": {
+    "phase-4-production": {
       schema_version: 1,
-      phase_id: "phase-1-foundation",
+      phase_id: "phase-4-production",
       tasks: [
         {
-          id: "task-1.1-shared-components",
-          title: "Build shared component library",
+          id: "task-4.1-ci-cd",
+          title: "Set up CI/CD pipeline for both services",
           status: "todo",
-          building_block: "shared-components",
-          quality_scenarios: ["A11Y-01"],
+          quality_scenarios: ["MAINT-02"],
           acceptance_criteria: [
-            "Reusable UI components in shared/ directory",
-            "Components use OnPush change detection or signals",
-            "Components follow accessibility guidelines"
+            "CI builds and tests both frontend and API",
+            "Lint, type-check, and test steps for each service",
+            "Build artifacts produced for deployment",
+            "Pipeline fails fast on errors"
           ]
         },
         {
-          id: "task-1.2-auth",
-          title: "Implement authentication and route guards",
+          id: "task-4.2-deployment",
+          title: "Configure deployment for full stack",
           status: "todo",
-          building_block: "core-services",
-          quality_scenarios: ["SEC-01"],
+          quality_scenarios: ["REL-01"],
           acceptance_criteria: [
-            "Auth service with login/logout/token management",
-            "Functional route guard protecting private routes",
-            "Auth interceptor attaching tokens to API requests"
+            "Docker Compose for local full-stack development",
+            "Dockerfiles for frontend and API",
+            "Environment-specific configuration (dev, staging, prod)",
+            "Database migration runs as part of deployment"
           ]
         },
         {
-          id: "task-1.3-api-client",
-          title: "Set up API client layer",
+          id: "task-4.3-monitoring",
+          title: "Add monitoring, logging, and rate limiting",
           status: "todo",
-          building_block: "api-client",
-          quality_scenarios: [],
+          building_block: "api-services",
+          quality_scenarios: ["PERF-02", "SEC-04"],
           acceptance_criteria: [
-            "Typed API service methods for backend endpoints",
-            "Error handling and retry logic",
-            "Loading/error state management"
+            "Structured logging in API with Serilog or similar",
+            "Frontend error tracking (Sentry or similar)",
+            "Rate limiting configured on API endpoints",
+            "Health check dashboard or monitoring alerts"
           ]
         },
         {
-          id: "task-1.4-document-decisions",
-          title: "Document architectural decisions as ADRs",
+          id: "task-4.4-performance",
+          title: "Optimize performance across the stack",
           status: "todo",
-          quality_scenarios: [],
+          building_block: "frontend-shell",
+          quality_scenarios: ["PERF-01", "PERF-03"],
           acceptance_criteria: [
-            "ADR for each significant architecture/pattern choice",
-            "ADRs linked to affected building blocks and code paths"
+            "Frontend bundle size optimized (code splitting, tree shaking)",
+            "API response times meet p95 < 200ms target",
+            "Database queries optimized with proper indexing",
+            "Static assets cached with appropriate headers"
           ]
         }
       ]
@@ -3956,7 +4568,8 @@ var planTemplates = {
   "api-service": { plan: phasePlanTemplate3, tasks: phaseTasksTemplate3 },
   "dotnet-webapi": { plan: phasePlanTemplate4, tasks: phaseTasksTemplate4 },
   "unity-game": { plan: phasePlanTemplate5, tasks: phaseTasksTemplate5 },
-  "angular-app": { plan: phasePlanTemplate6, tasks: phaseTasksTemplate6 }
+  "angular-app": { plan: phasePlanTemplate6, tasks: phaseTasksTemplate6 },
+  "fullstack-nextjs-dotnet": { plan: phasePlanTemplate7, tasks: phaseTasksTemplate7 }
 };
 function generatePlan(targetDir, input) {
   const planDir = join5(targetDir, ".arcbridge", "plan");
@@ -4630,7 +5243,7 @@ You cannot see screenshots, but you CAN reason about UI quality through code:
 }
 
 // src/generators/agent-generator.ts
-var UI_TEMPLATES = /* @__PURE__ */ new Set(["nextjs-app-router", "react-vite", "angular-app", "unity-game"]);
+var UI_TEMPLATES = /* @__PURE__ */ new Set(["nextjs-app-router", "react-vite", "angular-app", "unity-game", "fullstack-nextjs-dotnet"]);
 function writeAgentRole(dir, role) {
   const { system_prompt, ...frontmatter } = role;
   const content = matter2.stringify(system_prompt, frontmatter);
@@ -5903,7 +6516,7 @@ function analyzeRoutes(projectRoot, db, service = "main") {
     }
   }
   walkAppDir(appDir, "/", routes, layoutStack, service, projectRoot);
-  writeRoutes(db, routes);
+  writeRoutes(db, routes, service);
   return routes.length;
 }
 function walkAppDir(dir, routePath, routes, layoutStack, service, projectRoot) {
@@ -5986,9 +6599,9 @@ function extractHttpMethods(filePath) {
   }
   return methods;
 }
-function writeRoutes(db, routes) {
+function writeRoutes(db, routes, service) {
+  db.prepare("DELETE FROM routes WHERE service = ?").run(service);
   if (routes.length === 0) return;
-  db.prepare("DELETE FROM routes").run();
   const insert = db.prepare(`
     INSERT OR IGNORE INTO routes (
       id, route_path, kind, http_methods, has_auth, parent_layout, service
@@ -5997,7 +6610,7 @@ function writeRoutes(db, routes) {
   transaction(db, () => {
     for (const r of routes) {
       insert.run(
-        r.id,
+        `${service}::${r.id}`,
         r.routePath,
         r.kind,
         JSON.stringify(r.httpMethods),
@@ -6303,7 +6916,7 @@ function indexDotnetProjectRoslyn(db, options) {
     transaction(db, () => {
       for (const route of output.routes) {
         insertRoute.run(
-          route.id,
+          `${service}::${route.id}`,
           route.routePath,
           route.kind,
           JSON.stringify(route.httpMethods),
@@ -7247,7 +7860,7 @@ async function indexCSharpTreeSitter(db, options) {
     transaction(db, () => {
       for (const route of allRoutes) {
         insertRoute.run(
-          route.id,
+          `${service}::${route.id}`,
           route.routePath,
           route.kind,
           JSON.stringify(route.httpMethods),
@@ -7726,6 +8339,144 @@ function isTypeContext2(node) {
   parent.type === "typed_parameter" && node !== parent.childForFieldName("name") || parent.type === "typed_default_parameter" && node !== parent.childForFieldName("name");
 }
 
+// src/indexer/python/route-analyzer.ts
+var FASTAPI_HTTP_METHODS = /* @__PURE__ */ new Set([
+  "get",
+  "post",
+  "put",
+  "delete",
+  "patch",
+  "head",
+  "options"
+]);
+function extractPythonRoutes(tree, _relativePath) {
+  const routes = [];
+  const decoratedDefs = findAllNodes2(tree.rootNode, "decorated_definition");
+  for (const decorated of decoratedDefs) {
+    const decorators = decorated.namedChildren.filter(
+      (c) => c.type === "decorator"
+    );
+    for (const decorator of decorators) {
+      const routeInfo = parseDecorator(decorator);
+      if (!routeInfo) continue;
+      for (const method of routeInfo.methods) {
+        const routePath = routeInfo.path.startsWith("/") ? routeInfo.path : `/${routeInfo.path}`;
+        const id = `route::${routePath.slice(1)}::${method}`;
+        routes.push({
+          id,
+          routePath,
+          kind: "api-route",
+          httpMethods: [method],
+          hasAuth: routeInfo.hasAuth
+        });
+      }
+    }
+  }
+  return routes;
+}
+function parseDecorator(decorator) {
+  const callNode = findFirstChild(decorator, "call");
+  if (!callNode) return null;
+  const funcNode = callNode.childForFieldName("function");
+  if (!funcNode || funcNode.type !== "attribute") return null;
+  const attrName = funcNode.childForFieldName("attribute");
+  if (!attrName) return null;
+  const methodName = attrName.text;
+  if (FASTAPI_HTTP_METHODS.has(methodName)) {
+    const path = getFirstStringArgument2(callNode);
+    if (path === null) return null;
+    const hasAuth = detectAuthInCall(callNode);
+    return {
+      path,
+      methods: [methodName.toUpperCase()],
+      hasAuth
+    };
+  }
+  if (methodName === "route") {
+    const path = getFirstStringArgument2(callNode);
+    if (path === null) return null;
+    const methods = getMethodsKeywordArgument(callNode).map((m) => m.toUpperCase());
+    const hasAuth = detectAuthInCall(callNode);
+    return {
+      path,
+      methods: methods.length > 0 ? methods : ["GET"],
+      hasAuth
+    };
+  }
+  return null;
+}
+function detectAuthInCall(callNode) {
+  const args = callNode.childForFieldName("arguments");
+  if (!args) return false;
+  const text = args.text;
+  if (/Depends\s*\(\s*auth/.test(text)) return true;
+  if (/login_required|auth_required|require_auth|jwt_required/.test(text))
+    return true;
+  return false;
+}
+function getFirstStringArgument2(callNode) {
+  const args = callNode.childForFieldName("arguments");
+  if (!args) return null;
+  for (const child of args.namedChildren) {
+    if (child.type === "keyword_argument") continue;
+    if (child.type === "string") {
+      return stripQuotes(child.text);
+    }
+    const strNode = findFirstChild(child, "string");
+    if (strNode) {
+      return stripQuotes(strNode.text);
+    }
+  }
+  return null;
+}
+function getMethodsKeywordArgument(callNode) {
+  const args = callNode.childForFieldName("arguments");
+  if (!args) return [];
+  for (const child of args.namedChildren) {
+    if (child.type !== "keyword_argument") continue;
+    const nameNode = child.childForFieldName("name");
+    if (!nameNode || nameNode.text !== "methods") continue;
+    const valueNode = child.childForFieldName("value");
+    if (!valueNode) continue;
+    return extractStringListValues(valueNode);
+  }
+  return [];
+}
+function extractStringListValues(node) {
+  const values = [];
+  if (node.type === "list") {
+    for (const child of node.namedChildren) {
+      if (child.type === "string") {
+        values.push(stripQuotes(child.text));
+      }
+    }
+  }
+  return values;
+}
+function findAllNodes2(root, type) {
+  const results = [];
+  function walk(node) {
+    if (node.type === type) results.push(node);
+    for (const child of node.namedChildren) {
+      walk(child);
+    }
+  }
+  walk(root);
+  return results;
+}
+function findFirstChild(node, type) {
+  for (const child of node.namedChildren) {
+    if (child.type === type) return child;
+  }
+  for (const child of node.children) {
+    if (child.type === type) return child;
+  }
+  return null;
+}
+function stripQuotes(text) {
+  return text.replace(/^[fFrRbBuU]*["']|["']$/g, "");
+}
+
 // src/indexer/python/indexer.ts
 async function indexPythonTreeSitter(db, options) {
   const start = Date.now();
@@ -7796,11 +8547,35 @@ async function indexPythonTreeSitter(db, options) {
     "DELETE FROM dependencies WHERE source_symbol IN (SELECT id FROM symbols WHERE service = ? AND language = 'python')"
   ).run(service);
   writeDependencies(db, allDeps);
+  const allRoutes = [];
+  for (const [relPath, cached] of fileCache) {
+    const routes = extractPythonRoutes(cached.tree, relPath);
+    allRoutes.push(...routes);
+  }
+  db.prepare("DELETE FROM routes WHERE service = ?").run(service);
+  if (allRoutes.length > 0) {
+    const insertRoute = db.prepare(`
+      INSERT OR REPLACE INTO routes (id, route_path, kind, http_methods, has_auth, service)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `);
+    transaction(db, () => {
+      for (const route of allRoutes) {
+        insertRoute.run(
+          `${service}::${route.id}`,
+          route.routePath,
+          route.kind,
+          JSON.stringify(route.httpMethods),
+          route.hasAuth ? 1 : 0,
+          service
+        );
+      }
+    });
+  }
   return {
     symbolsIndexed: allNewSymbols.length,
     dependenciesIndexed: allDeps.length,
     componentsAnalyzed: 0,
-    routesAnalyzed: 0,
+    routesAnalyzed: allRoutes.length,
     filesProcessed: changedFiles.length,
     filesSkipped,
     filesRemoved: removed.length,
@@ -8299,6 +9074,236 @@ function collectTypeIdentifiersRecursive3(node, names) {
   }
 }
 
+// src/indexer/go/route-analyzer.ts
+var GIN_METHODS = {
+  GET: "GET",
+  POST: "POST",
+  PUT: "PUT",
+  DELETE: "DELETE",
+  PATCH: "PATCH",
+  HEAD: "HEAD",
+  OPTIONS: "OPTIONS"
+};
+var CHI_METHODS = {
+  Get: "GET",
+  Post: "POST",
+  Put: "PUT",
+  Delete: "DELETE",
+  Patch: "PATCH",
+  Head: "HEAD",
+  Options: "OPTIONS"
+};
+var NET_HTTP_METHODS = /* @__PURE__ */ new Set(["HandleFunc", "Handle"]);
+function extractGoRoutes(tree, _relativePath) {
+  const routes = [];
+  const scopedPrefixes = extractGroupPrefixes2(tree.rootNode);
+  const authScopes = findAuthUseScopes(tree.rootNode);
+  const calls = findAllNodes3(tree.rootNode, "call_expression");
+  for (const call of calls) {
+    const funcNode = call.childForFieldName("function");
+    if (!funcNode || funcNode.type !== "selector_expression") continue;
+    const fieldNode = funcNode.childForFieldName("field");
+    if (!fieldNode) continue;
+    const methodName = fieldNode.text;
+    const receiverNode = funcNode.childForFieldName("operand");
+    const receiverName = receiverNode?.type === "identifier" ? receiverNode.text : null;
+    let httpMethods = null;
+    let isNetHttp = false;
+    if (GIN_METHODS[methodName]) {
+      httpMethods = [GIN_METHODS[methodName]];
+    } else if (CHI_METHODS[methodName]) {
+      httpMethods = [CHI_METHODS[methodName]];
+    } else if (NET_HTTP_METHODS.has(methodName)) {
+      httpMethods = [];
+      isNetHttp = true;
+    }
+    if (httpMethods === null) continue;
+    const routeTemplate = getFirstStringArgument3(call);
+    if (routeTemplate === null) continue;
+    const prefix = receiverName ? resolvePrefix(receiverName, call, scopedPrefixes) : "";
+    let routePath;
+    if (prefix && routeTemplate) {
+      routePath = `${prefix}/${routeTemplate}`.replace(/\/{2,}/g, "/");
+    } else if (prefix) {
+      routePath = prefix;
+    } else {
+      routePath = routeTemplate;
+    }
+    routePath = routePath.startsWith("/") ? routePath : `/${routePath}`;
+    routePath = routePath.replace(/\/{2,}/g, "/").replace(/\/+$/, "") || "/";
+    let hasAuth = false;
+    if (!isNetHttp) {
+      hasAuth = hasAuthArgument(call);
+      if (!hasAuth && authScopes.length > 0) {
+        hasAuth = isInsideAuthScope(call, authScopes);
+      }
+    }
+    const cleanPath = routePath.slice(1) || "";
+    const idMethod = httpMethods.length > 0 ? httpMethods.join(",") : "ANY";
+    const id = `route::${cleanPath}::${idMethod}`;
+    routes.push({
+      id,
+      routePath,
+      kind: "api-route",
+      httpMethods,
+      hasAuth
+    });
+  }
+  return routes;
+}
+function extractGroupPrefixes2(root) {
+  const prefixes = [];
+  const calls = findAllNodes3(root, "call_expression");
+  for (const call of calls) {
+    const funcNode = call.childForFieldName("function");
+    if (funcNode?.type !== "selector_expression") continue;
+    const fieldNode = funcNode.childForFieldName("field");
+    const methodName = fieldNode?.text;
+    if (methodName !== "Group" && methodName !== "Route") continue;
+    const prefix = getFirstStringArgument3(call);
+    if (prefix === null) continue;
+    const assignNode = findAncestor(call, ["short_var_declaration", "assignment_statement"]);
+    if (assignNode) {
+      const left = assignNode.childForFieldName("left");
+      if (left) {
+        const varNode = left.type === "expression_list" ? left.namedChildren[0] : left;
+        if (varNode?.type === "identifier") {
+          const scope = findAncestor(call, [
+            "func_literal",
+            "function_declaration",
+            "method_declaration"
+          ]);
+          prefixes.push({ varName: varNode.text, prefix, scope });
+        }
+      }
+    }
+    if (methodName === "Route") {
+      const argList = findChild7(call, "argument_list");
+      if (argList) {
+        for (const arg of argList.namedChildren) {
+          if (arg.type === "func_literal") {
+            const paramList = arg.childForFieldName("parameters");
+            if (paramList) {
+              const firstParam = paramList.namedChildren[0];
+              if (firstParam?.type === "parameter_declaration") {
+                const paramName = firstParam.childForFieldName("name");
+                if (paramName?.type === "identifier") {
+                  prefixes.push({ varName: paramName.text, prefix, scope: arg });
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+  return prefixes;
+}
+function resolvePrefix(receiverName, callNode, scopedPrefixes) {
+  let best = null;
+  for (const sp of scopedPrefixes) {
+    if (sp.varName !== receiverName) continue;
+    if (sp.scope === null) {
+      if (!best) best = sp;
+    } else {
+      if (isDescendantOf(callNode, sp.scope)) {
+        if (!best || best.scope === null || isDescendantOf(sp.scope, best.scope)) {
+          best = sp;
+        }
+      }
+    }
+  }
+  return best?.prefix ?? "";
+}
+function isSameNode(a, b) {
+  return a.type === b.type && a.startPosition.row === b.startPosition.row && a.startPosition.column === b.startPosition.column && a.endPosition.row === b.endPosition.row && a.endPosition.column === b.endPosition.column;
+}
+function isDescendantOf(node, ancestor) {
+  let current = node.parent;
+  while (current) {
+    if (isSameNode(current, ancestor)) return true;
+    current = current.parent;
+  }
+  return false;
+}
+function findAncestor(node, types) {
+  let current = node.parent;
+  while (current) {
+    if (types.includes(current.type)) return current;
+    current = current.parent;
+  }
+  return null;
+}
+function findAuthUseScopes(root) {
+  const scopes = [];
+  const calls = findAllNodes3(root, "call_expression");
+  for (const call of calls) {
+    const funcNode = call.childForFieldName("function");
+    if (funcNode?.type !== "selector_expression") continue;
+    const fieldNode = funcNode.childForFieldName("field");
+    if (fieldNode?.text !== "Use") continue;
+    if (hasAuthArgument(call)) {
+      let scope = call.parent;
+      while (scope && scope.type !== "func_literal" && scope.type !== "function_declaration" && scope.type !== "method_declaration") {
+        scope = scope.parent;
+      }
+      if (scope) {
+        scopes.push(scope);
+      }
+    }
+  }
+  return scopes;
+}
+function isInsideAuthScope(node, scopes) {
+  let current = node.parent;
+  while (current) {
+    for (const scope of scopes) {
+      if (isSameNode(current, scope)) return true;
+    }
+    current = current.parent;
+  }
+  return false;
+}
+function hasAuthArgument(call) {
+  const argList = findChild7(call, "argument_list");
+  if (!argList) return false;
+  for (const arg of argList.namedChildren) {
+    const text = arg.text;
+    if (/[Aa]uth/.test(text)) return true;
+  }
+  return false;
+}
+function findChild7(node, type) {
+  for (const child of node.namedChildren) {
+    if (child.type === type) return child;
+  }
+  return null;
+}
+function findAllNodes3(root, type) {
+  const results = [];
+  function walk(node) {
+    if (node.type === type) results.push(node);
+    for (const child of node.namedChildren) {
+      walk(child);
+    }
+  }
+  walk(root);
+  return results;
+}
+function getFirstStringArgument3(node) {
+  const argList = findChild7(node, "argument_list");
+  if (!argList) return null;
+  for (const arg of argList.namedChildren) {
+    if (arg.type === "interpreted_string_literal") {
+      return arg.text.replace(/^"|"$/g, "");
+    }
+    if (arg.type === "raw_string_literal") {
+      return arg.text.replace(/^`|`$/g, "");
+    }
+  }
+  return null;
+}
+
 // src/indexer/go/indexer.ts
 async function indexGoTreeSitter(db, options) {
   const start = Date.now();
@@ -8367,11 +9372,35 @@ async function indexGoTreeSitter(db, options) {
     "DELETE FROM dependencies WHERE source_symbol IN (SELECT id FROM symbols WHERE service = ? AND language = 'go')"
   ).run(service);
   writeDependencies(db, allDeps);
+  const allRoutes = [];
+  for (const [relPath, cached] of fileCache) {
+    const routes = extractGoRoutes(cached.tree, relPath);
+    allRoutes.push(...routes);
+  }
+  db.prepare("DELETE FROM routes WHERE service = ?").run(service);
+  if (allRoutes.length > 0) {
+    const insertRoute = db.prepare(`
+      INSERT OR REPLACE INTO routes (id, route_path, kind, http_methods, has_auth, service)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `);
+    transaction(db, () => {
+      for (const route of allRoutes) {
+        insertRoute.run(
+          `${service}::${route.id}`,
+          route.routePath,
+          route.kind,
+          JSON.stringify(route.httpMethods),
+          route.hasAuth ? 1 : 0,
+          service
+        );
+      }
+    });
+  }
   return {
     symbolsIndexed: allNewSymbols.length,
     dependenciesIndexed: allDeps.length,
     componentsAnalyzed: 0,
-    routesAnalyzed: 0,
+    routesAnalyzed: allRoutes.length,
     filesProcessed: changedFiles.length,
     filesSkipped,
     filesRemoved: removed.length,