@atlashub/smartstack-cli 3.15.0 → 3.17.0

package/dist/mcp-entry.mjs

@@ -25774,7 +25774,14 @@ var init_types3 = __esm({
       dbContext: external_exports.enum(["core", "extensions"]).default("core"),
       baseNamespace: external_exports.string().optional(),
       smartStackVersion: external_exports.string().optional(),
-      initialized: external_exports.string().optional()
+      initialized: external_exports.string().optional(),
+      paths: external_exports.object({
+        api: external_exports.string().optional(),
+        domain: external_exports.string().optional(),
+        application: external_exports.string().optional(),
+        infrastructure: external_exports.string().optional(),
+        web: external_exports.string().optional()
+      }).optional()
     });
     SmartStackConfigSchema = external_exports.object({
       projectPath: external_exports.string(),
@@ -25848,7 +25855,7 @@ var init_types3 = __esm({
     });
     ValidateConventionsInputSchema = external_exports.object({
       path: external_exports.string().optional().describe("Project path to validate (default: SmartStack.app path)"),
-      checks: external_exports.array(external_exports.enum(["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "hierarchies", "protected-actions", "all"])).default(["all"]).describe("Types of checks to perform")
+      checks: external_exports.array(external_exports.enum(["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "hierarchies", "protected-actions", "permissions", "frontend-routes", "feature-json", "all"])).default(["all"]).describe("Types of checks to perform")
     });
     CheckMigrationsInputSchema = external_exports.object({
       projectPath: external_exports.string().optional().describe("EF Core project path"),
@@ -25947,6 +25954,7 @@ var init_types3 = __esm({
       "authorization",
       "dangerous-functions",
       "input-validation",
+      "guid-empty",
       "xss",
       "csrf",
       "logging-sensitive",
@@ -26578,21 +26586,36 @@ async function detectProject(projectPath) {
 }
 async function findSmartStackStructure(projectPath) {
   const structure = { root: projectPath };
+  const configPath = path7.join(projectPath, ".smartstack", "config.json");
+  if (await fileExists(configPath)) {
+    try {
+      const configContent = JSON.parse(await readText(configPath));
+      if (configContent.paths) {
+        const paths = configContent.paths;
+        if (paths.api) structure.api = path7.resolve(projectPath, paths.api);
+        if (paths.domain) structure.domain = path7.resolve(projectPath, paths.domain);
+        if (paths.application) structure.application = path7.resolve(projectPath, paths.application);
+        if (paths.infrastructure) structure.infrastructure = path7.resolve(projectPath, paths.infrastructure);
+        if (paths.web) structure.web = path7.resolve(projectPath, paths.web);
+      }
+    } catch {
+    }
+  }
   const csprojFiles = await findCsprojFiles(projectPath);
   for (const csproj of csprojFiles) {
     const projectName = path7.basename(csproj, ".csproj").toLowerCase();
     const projectDir = path7.dirname(csproj);
-    if (projectName.includes("domain")) {
+    if (!structure.domain && projectName.includes("domain")) {
       structure.domain = projectDir;
-    } else if (projectName.includes("application")) {
+    } else if (!structure.application && projectName.includes("application")) {
       structure.application = projectDir;
-    } else if (projectName.includes("infrastructure")) {
+    } else if (!structure.infrastructure && projectName.includes("infrastructure")) {
       structure.infrastructure = projectDir;
     } else if (projectName.includes("api.core")) {
-      structure.apiCore = projectDir;
-      structure.api = projectDir;
+      if (!structure.apiCore) structure.apiCore = projectDir;
+      if (!structure.api) structure.api = projectDir;
     } else if (projectName.includes("api") && !projectName.includes("api.core")) {
-      structure.apiExtensions = projectDir;
+      if (!structure.apiExtensions) structure.apiExtensions = projectDir;
       if (!structure.api) {
         structure.api = projectDir;
       }
@@ -26604,9 +26627,11 @@ async function findSmartStackStructure(projectPath) {
       structure.migrations = migrationsPath;
     }
   }
-  const webFolder = await findWebProjectFolder(projectPath);
-  if (webFolder) {
-    structure.web = webFolder;
+  if (!structure.web) {
+    const webFolder = await findWebProjectFolder(projectPath);
+    if (webFolder) {
+      structure.web = webFolder;
+    }
   }
   return structure;
 }
@@ -26642,7 +26667,7 @@ import path8 from "path";
 async function handleValidateConventions(args, config2) {
   const input = ValidateConventionsInputSchema.parse(args);
   const projectPath = input.path || config2.smartstack.projectPath;
-  const checks = input.checks.includes("all") ? ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "hierarchies", "protected-actions"] : input.checks;
+  const checks = input.checks.includes("all") ? ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "hierarchies", "protected-actions", "permissions", "frontend-routes", "feature-json"] : input.checks;
   logger.info("Validating conventions", { projectPath, checks });
   const result = {
     valid: true,
@@ -26684,6 +26709,15 @@ async function handleValidateConventions(args, config2) {
   if (checks.includes("protected-actions")) {
     await validateProtectedActions(structure, config2, result);
   }
+  if (checks.includes("permissions")) {
+    await validatePermissionSeeding(structure, config2, result);
+  }
+  if (checks.includes("frontend-routes")) {
+    await validateFrontendRoutes(structure, config2, result);
+  }
+  if (checks.includes("feature-json")) {
+    await validateFeatureJson(structure, config2, result);
+  }
   result.valid = result.errors.length === 0;
   result.summary = generateSummary(result, checks);
   return formatResult(result);
@@ -27066,6 +27100,7 @@ async function validateControllerRoutes(structure, _config, result) {
       const navRouteMatch = content.match(/\[NavRoute\s*\(\s*"([^"]+)"(?:\s*,\s*Suffix\s*=\s*"([^"]+)")?\s*\)\]/);
       if (navRouteMatch) {
         const routePath = navRouteMatch[1];
+        const suffix = navRouteMatch[2];
         const parts = routePath.split(".");
         if (parts.length < 2) {
           result.warnings.push({
@@ -27086,6 +27121,28 @@ async function validateControllerRoutes(structure, _config, result) {
             suggestion: 'NavRoute paths must be lowercase (e.g., "platform.administration.users")'
           });
         }
+        const expectedRoute = `api/${routePath.replace(/\./g, "/")}${suffix ? `/${suffix}` : ""}`;
+        const routeAttrMatch = content.match(/\[Route\s*\(\s*"([^"]+)"\s*\)\]/);
+        if (routeAttrMatch) {
+          const actualRoute = routeAttrMatch[1];
+          if (actualRoute !== expectedRoute) {
+            result.errors.push({
+              type: "error",
+              category: "controllers",
+              message: `Controller "${fileName}" has [Route("${actualRoute}")] that doesn't match NavRoute "${routePath}". Expected [Route("${expectedRoute}")]`,
+              file: path8.relative(structure.root, file),
+              suggestion: `Change [Route] to [Route("${expectedRoute}")] to match the NavRoute convention`
+            });
+          }
+        } else {
+          result.warnings.push({
+            type: "warning",
+            category: "controllers",
+            message: `Controller "${fileName}" has [NavRoute] but no explicit [Route] attribute`,
+            file: path8.relative(structure.root, file),
+            suggestion: `Add [Route("${expectedRoute}")] for deterministic routing`
+          });
+        }
       }
     } else if (hasHardcodedRoute) {
       hardcodedRouteCount++;
@@ -27098,6 +27155,44 @@ async function validateControllerRoutes(structure, _config, result) {
       });
     }
   }
+  const routesByDirectory = /* @__PURE__ */ new Map();
+  for (const file of controllerFiles) {
+    const content = await readText(file);
+    const fileName = path8.basename(file, ".cs");
+    if (systemControllers.includes(fileName)) continue;
+    const routeAttrMatch = content.match(/\[Route\s*\(\s*"([^"]+)"\s*\)\]/);
+    if (!routeAttrMatch) continue;
+    const routeValue = routeAttrMatch[1];
+    const relativePath = path8.relative(structure.api, file);
+    const dirParts = path8.dirname(relativePath).split(path8.sep);
+    const moduleDir = dirParts.slice(0, Math.min(dirParts.length, 3)).join("/");
+    if (!routesByDirectory.has(moduleDir)) {
+      routesByDirectory.set(moduleDir, []);
+    }
+    routesByDirectory.get(moduleDir).push({
+      controller: fileName,
+      route: routeValue,
+      file: path8.relative(structure.root, file)
+    });
+  }
+  for (const [moduleDir, controllers] of routesByDirectory) {
+    if (controllers.length < 2) continue;
+    const routeBases = controllers.map((c) => {
+      const parts = c.route.split("/");
+      return parts.slice(0, -1).join("/");
+    });
+    const uniqueBases = [...new Set(routeBases)];
+    if (uniqueBases.length > 1) {
+      const routeList = controllers.map((c) => `${c.controller}: "${c.route}"`).join(", ");
+      result.errors.push({
+        type: "error",
+        category: "controllers",
+        message: `Inconsistent route bases in ${moduleDir}: [${uniqueBases.join("] vs [")}]`,
+        file: controllers[0].file,
+        suggestion: `All controllers in the same module should share the same route base. Found: ${routeList}`
+      });
+    }
+  }
   const totalControllers = controllerFiles.length;
   const businessControllers = totalControllers - systemControllerCount;
   const navRoutePercentage = businessControllers > 0 ? Math.round(navRouteCount / businessControllers * 100) : 0;
@@ -27553,6 +27648,344 @@ async function validateProtectedActions(structure, _config, result) {
     }
   }
 }
+async function validatePermissionSeeding(structure, _config, result) {
+  const searchPaths = [structure.infrastructure, structure.application].filter(Boolean);
+  if (searchPaths.length === 0) {
+    result.warnings.push({
+      type: "warning",
+      category: "permissions",
+      message: "Infrastructure/Application projects not found, skipping permission validation"
+    });
+    return;
+  }
+  let enumParseCount = 0;
+  let stringActionCount = 0;
+  let typeSafeCount = 0;
+  for (const searchPath of searchPaths) {
+    const seedFiles = await findFiles("**/*Seed*.cs", { cwd: searchPath });
+    const permFiles = await findFiles("**/*Permission*.cs", { cwd: searchPath });
+    const providerFiles = await findFiles("**/*Provider*.cs", { cwd: searchPath });
+    const allFiles = [.../* @__PURE__ */ new Set([...seedFiles, ...permFiles, ...providerFiles])];
+    for (const file of allFiles) {
+      const content = await readText(file);
+      const relPath = path8.relative(structure.root, file);
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const trimmed = line.trim();
+        if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) {
+          continue;
+        }
+        const enumParseMatch = line.match(/Enum\.Parse\s*<\s*PermissionAction\s*>\s*\(\s*"([^"]*)"\s*\)/);
+        if (enumParseMatch) {
+          enumParseCount++;
+          const parsedValue = enumParseMatch[1];
+          const isValid2 = VALID_PERMISSION_ACTIONS.includes(parsedValue);
+          result.errors.push({
+            type: "error",
+            category: "permissions",
+            message: `Enum.Parse<PermissionAction>("${parsedValue}") is an anti-pattern${!isValid2 ? ` \u2014 "${parsedValue}" is NOT a valid PermissionAction value` : ""}`,
+            file: relPath,
+            line: i + 1,
+            suggestion: `Use PermissionAction.${isValid2 ? parsedValue : "Read"} directly (compile-time safe). Valid values: ${VALID_PERMISSION_ACTIONS.join(", ")}`
+          });
+        }
+        const enumParseTypeofMatch = line.match(/\(\s*PermissionAction\s*\)\s*Enum\.Parse\s*\(\s*typeof\s*\(\s*PermissionAction\s*\)\s*,\s*"([^"]*)"\s*\)/);
+        if (enumParseTypeofMatch) {
+          enumParseCount++;
+          const parsedValue = enumParseTypeofMatch[1];
+          const isValid2 = VALID_PERMISSION_ACTIONS.includes(parsedValue);
+          result.errors.push({
+            type: "error",
+            category: "permissions",
+            message: `Enum.Parse(typeof(PermissionAction), "${parsedValue}") is an anti-pattern${!isValid2 ? ` \u2014 "${parsedValue}" is NOT a valid value` : ""}`,
+            file: relPath,
+            line: i + 1,
+            suggestion: `Use PermissionAction.${isValid2 ? parsedValue : "Read"} directly. Valid values: ${VALID_PERMISSION_ACTIONS.join(", ")}`
+          });
+        }
+        if (/Action\s*=\s*"[^"]*"/.test(line) && /[Pp]ermission/.test(content.substring(0, content.indexOf(line)))) {
+          const stringMatch = line.match(/Action\s*=\s*"([^"]*)"/);
+          if (stringMatch) {
+            stringActionCount++;
+            result.warnings.push({
+              type: "warning",
+              category: "permissions",
+              message: `Permission Action assigned as string "${stringMatch[1]}" instead of enum`,
+              file: relPath,
+              line: i + 1,
+              suggestion: `Use Action = PermissionAction.${stringMatch[1]} (typed enum)`
+            });
+          }
+        }
+        const typeSafeMatches = line.match(/PermissionAction\.\w+/g);
+        if (typeSafeMatches) {
+          for (const m of typeSafeMatches) {
+            const value = m.replace("PermissionAction.", "");
+            if (VALID_PERMISSION_ACTIONS.includes(value)) {
+              typeSafeCount++;
+            } else {
+              result.errors.push({
+                type: "error",
+                category: "permissions",
+                message: `PermissionAction.${value} is not a valid enum value`,
+                file: relPath,
+                line: i + 1,
+                suggestion: `Valid PermissionAction values: ${VALID_PERMISSION_ACTIONS.join(", ")}`
+              });
+            }
+          }
+        }
+      }
+    }
+  }
+  if (enumParseCount > 0 || stringActionCount > 0 || typeSafeCount > 0) {
+    result.warnings.push({
+      type: "warning",
+      category: "permissions",
+      message: `Permission seeding summary: ${typeSafeCount} type-safe usages, ${enumParseCount} Enum.Parse anti-patterns, ${stringActionCount} string-based actions`
+    });
+  }
+  if (enumParseCount > 0) {
+    result.errors.push({
+      type: "error",
+      category: "permissions",
+      message: `Found ${enumParseCount} Enum.Parse<PermissionAction> usage(s) \u2014 these cause runtime crashes if the string is invalid`,
+      suggestion: 'Replace ALL Enum.Parse<PermissionAction>("...") with PermissionAction.{Value} for compile-time safety'
+    });
+  }
+}
+async function validateFrontendRoutes(structure, _config, result) {
+  if (!structure.web) {
+    result.warnings.push({
+      type: "warning",
+      category: "frontend-routes",
+      message: "Web project not found, skipping frontend route validation"
+    });
+    return;
+  }
+  const appFiles = await findFiles("**/App.tsx", { cwd: structure.web });
+  if (appFiles.length === 0) {
+    result.warnings.push({
+      type: "warning",
+      category: "frontend-routes",
+      message: "App.tsx not found in web project"
+    });
+    return;
+  }
+  const appContent = await readText(appFiles[0]);
+  const hasClientRoutes = appContent.includes("clientRoutes");
+  const hasRouteComponents = /<Route\s/.test(appContent);
+  if (!hasClientRoutes && !hasRouteComponents) {
+    result.errors.push({
+      type: "error",
+      category: "frontend-routes",
+      message: "App.tsx has no route definitions (neither clientRoutes import nor <Route> components)",
+      file: path8.relative(structure.root, appFiles[0]),
+      suggestion: "Wire generated routes to App.tsx. Import clientRoutes from the generated file and render them."
+    });
+    return;
+  }
+  const seedFiles = await findFiles("**/*NavigationSeedData.cs", { cwd: structure.root });
+  const seedNavRoutes = [];
+  for (const file of seedFiles) {
+    const content = await readText(file);
+    const routeMatches = content.matchAll(/(?:route:\s*|Route\s*=\s*)["']([^"']+)["']/g);
+    for (const match2 of routeMatches) {
+      seedNavRoutes.push({
+        route: match2[1],
+        file: path8.relative(structure.root, file)
+      });
+    }
+  }
+  if (seedNavRoutes.length === 0) return;
+  const missingRoutes = [];
+  for (const nav of seedNavRoutes) {
+    const routeSegments = nav.route.split("/").filter(Boolean);
+    const lastSegment = routeSegments[routeSegments.length - 1];
+    const moduleSegment = routeSegments.length > 1 ? routeSegments[routeSegments.length - 2] : "";
+    const routeInApp = appContent.includes(nav.route) || appContent.includes(`path: '${nav.route}'`) || appContent.includes(`path="${nav.route}"`) || appContent.includes(`path: '/${lastSegment}'`) || appContent.includes(`path="/${lastSegment}"`) || moduleSegment && appContent.includes(`/${moduleSegment}/${lastSegment}`);
+    if (!routeInApp) {
+      missingRoutes.push(nav);
+    }
+  }
+  if (missingRoutes.length > 0) {
+    for (const missing of missingRoutes.slice(0, 5)) {
+      result.errors.push({
+        type: "error",
+        category: "frontend-routes",
+        message: `Navigation route "${missing.route}" from seed data not found in App.tsx`,
+        file: path8.relative(structure.root, appFiles[0]),
+        suggestion: `Add route for "${missing.route}" in App.tsx (defined in ${missing.file})`
+      });
+    }
+    if (missingRoutes.length > 5) {
+      result.errors.push({
+        type: "error",
+        category: "frontend-routes",
+        message: `... and ${missingRoutes.length - 5} more seed data routes missing from App.tsx`
+      });
+    }
+  }
+  result.warnings.push({
+    type: "warning",
+    category: "frontend-routes",
+    message: `Frontend routes summary: ${seedNavRoutes.length} seed data routes, ${missingRoutes.length} missing from App.tsx`
+  });
+}
+async function validateFeatureJson(structure, _config, result) {
+  const featureFiles = await findFiles("**/business-analyse/**/feature.json", { cwd: structure.root });
+  if (featureFiles.length === 0) {
+    result.warnings.push({
+      type: "warning",
+      category: "feature-json",
+      message: "No feature.json files found, skipping feature.json validation"
+    });
+    return;
+  }
+  let appLevelFeature = null;
+  let appLevelPath = "";
+  for (const file of featureFiles) {
+    const relPath = path8.relative(structure.root, file);
+    let data;
+    try {
+      data = await readJson(file);
+    } catch {
+      result.errors.push({
+        type: "error",
+        category: "feature-json",
+        message: `Invalid JSON in feature.json`,
+        file: relPath,
+        suggestion: "Fix the JSON syntax in this file"
+      });
+      continue;
+    }
+    if (data.scope === "application" || data.metadata?.scope === "application") {
+      appLevelFeature = data;
+      appLevelPath = relPath;
+    }
+    if (data.$schema && data.$schema.startsWith("http")) {
+      result.errors.push({
+        type: "error",
+        category: "feature-json",
+        message: `feature.json uses remote $schema URL instead of relative path`,
+        file: relPath,
+        suggestion: 'Use relative $schema path: "../../../schemas/feature-schema.json"'
+      });
+    }
+    if (data.metadata?.language && data.metadata.language !== "fr") {
+      result.warnings.push({
+        type: "warning",
+        category: "feature-json",
+        message: `feature.json language is "${data.metadata.language}" instead of "fr"`,
+        file: relPath,
+        suggestion: 'SmartStack projects should use language: "fr" for consistency'
+      });
+    }
+    const currentYear = (/* @__PURE__ */ new Date()).getFullYear().toString();
+    const dates = [data.metadata?.createdAt, data.metadata?.updatedAt, data.metadata?.lastModified].filter(Boolean);
+    for (const dateStr of dates) {
+      if (dateStr && !dateStr.startsWith(currentYear) && !dateStr.startsWith((parseInt(currentYear) - 1).toString())) {
+        result.warnings.push({
+          type: "warning",
+          category: "feature-json",
+          message: `feature.json has date "${dateStr}" which doesn't match current year (${currentYear})`,
+          file: relPath,
+          suggestion: "Verify the date is correct \u2014 it may indicate a copy-paste error"
+        });
+      }
+    }
+    if (data.metadata?.lastModified && !data.metadata?.updatedAt) {
+      result.errors.push({
+        type: "error",
+        category: "feature-json",
+        message: 'feature.json uses "lastModified" instead of "updatedAt"',
+        file: relPath,
+        suggestion: 'Rename "lastModified" to "updatedAt" for schema compliance'
+      });
+    }
+    if (data.metadata?.context && data.metadata.context !== "business" && relPath.includes("Business")) {
+      result.warnings.push({
+        type: "warning",
+        category: "feature-json",
+        message: `feature.json context is "${data.metadata.context}" but file is in Business directory`,
+        file: relPath,
+        suggestion: 'Use context: "business" for business domain features'
+      });
+    }
+    if (data.metadata?.analysisMode && data.metadata.analysisMode !== "interactive") {
+      result.errors.push({
+        type: "error",
+        category: "feature-json",
+        message: `feature.json analysisMode is "${data.metadata.analysisMode}" instead of "interactive"`,
+        file: relPath,
+        suggestion: 'analysisMode must always be "interactive" (vibe_coding bypass was removed)'
+      });
+    }
+    if (data.metadata?.tablePrefix) {
+      if (!/^[a-z]{2,5}_$/.test(data.metadata.tablePrefix)) {
+        result.errors.push({
+          type: "error",
+          category: "feature-json",
+          message: `Invalid tablePrefix "${data.metadata.tablePrefix}"`,
+          file: relPath,
+          suggestion: "tablePrefix must match pattern ^[a-z]{2,5}_$ (e.g., rh_, fi_, crm_)"
+        });
+      }
+    }
+    if (!data.id) {
+      result.errors.push({
+        type: "error",
+        category: "feature-json",
+        message: 'feature.json missing required field "id"',
+        file: relPath,
+        suggestion: "Add id field with format FEAT-XXX"
+      });
+    } else if (!/^FEAT-\d{3,}$/.test(data.id)) {
+      result.errors.push({
+        type: "error",
+        category: "feature-json",
+        message: `feature.json id "${data.id}" does not match pattern FEAT-XXX`,
+        file: relPath,
+        suggestion: "Use format: FEAT-001, FEAT-002, etc."
+      });
+    }
+  }
+  if (appLevelFeature && featureFiles.length > 1) {
+    for (const file of featureFiles) {
+      const relPath = path8.relative(structure.root, file);
+      if (relPath === appLevelPath) continue;
+      try {
+        const moduleData = await readJson(file);
+        if (!moduleData.metadata) continue;
+        if (appLevelFeature.metadata?.tablePrefix && moduleData.metadata.tablePrefix && moduleData.metadata.tablePrefix !== appLevelFeature.metadata.tablePrefix) {
+          result.errors.push({
+            type: "error",
+            category: "feature-json",
+            message: `Module tablePrefix "${moduleData.metadata.tablePrefix}" differs from app-level "${appLevelFeature.metadata.tablePrefix}"`,
+            file: relPath,
+            suggestion: `Use tablePrefix: "${appLevelFeature.metadata.tablePrefix}" to match the application-level feature.json`
+          });
+        }
+        if (appLevelFeature.metadata?.language && moduleData.metadata.language && moduleData.metadata.language !== appLevelFeature.metadata.language) {
+          result.warnings.push({
+            type: "warning",
+            category: "feature-json",
+            message: `Module language "${moduleData.metadata.language}" differs from app-level "${appLevelFeature.metadata.language}"`,
+            file: relPath,
+            suggestion: `Use language: "${appLevelFeature.metadata.language}" for consistency`
+          });
+        }
+      } catch {
+      }
+    }
+  }
+  result.warnings.push({
+    type: "warning",
+    category: "feature-json",
+    message: `Feature.json summary: ${featureFiles.length} file(s) validated`
+  });
+}
 function generateSummary(result, checks) {
   const parts = [];
   parts.push(`Checks performed: ${checks.join(", ")}`);
@@ -27598,7 +28031,7 @@ function formatResult(result) {
   }
   return lines.join("\n");
 }
-var validateConventionsTool;
+var validateConventionsTool, VALID_PERMISSION_ACTIONS;
 var init_validate_conventions = __esm({
   "src/mcp/tools/validate-conventions.ts"() {
     "use strict";
@@ -27609,7 +28042,7 @@ var init_validate_conventions = __esm({
     init_logger();
     validateConventionsTool = {
       name: "validate_conventions",
-      description: "Validate AtlasHub/SmartStack conventions: SQL schemas (core/extensions), domain table prefixes (auth_, nav_, ai_, etc.), migration naming ({context}_v{version}_{sequence}_*), service interfaces (I*Service), namespace structure, controller routes (NavRoute)",
+      description: "Validate AtlasHub/SmartStack conventions: SQL schemas (core/extensions), domain table prefixes (auth_, nav_, ai_, etc.), migration naming ({context}_v{version}_{sequence}_*), service interfaces (I*Service), namespace structure, controller routes (NavRoute), permission seeding safety",
       inputSchema: {
         type: "object",
         properties: {
@@ -27621,7 +28054,7 @@ var init_validate_conventions = __esm({
             type: "array",
             items: {
               type: "string",
-              enum: ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "hierarchies", "protected-actions", "all"]
+              enum: ["tables", "migrations", "services", "namespaces", "entities", "tenants", "controllers", "layouts", "tabs", "hierarchies", "protected-actions", "permissions", "frontend-routes", "feature-json", "all"]
             },
             description: "Types of checks to perform",
             default: ["all"]
@@ -27629,6 +28062,19 @@ var init_validate_conventions = __esm({
         }
       }
     };
+    VALID_PERMISSION_ACTIONS = [
+      "Access",
+      "Read",
+      "Create",
+      "Update",
+      "Delete",
+      "Export",
+      "Import",
+      "Approve",
+      "Reject",
+      "Assign",
+      "Execute"
+    ];
   }
 });
 
@@ -34669,7 +35115,10 @@ async function scaffoldController(name, options, structure, config2, result, dry
   const namespace = options?.namespace || (hierarchy.controllerArea ? `${config2.conventions.namespaces.api}.Controllers.${hierarchy.controllerArea}` : `${config2.conventions.namespaces.api}.Controllers`);
   const navRoute = options?.navRoute;
   const navRouteSuffix = options?.navRouteSuffix;
-  const routeAttribute = navRoute ? navRouteSuffix ? `[NavRoute("${navRoute}", Suffix = "${navRouteSuffix}")]` : `[NavRoute("${navRoute}")]` : `[Route("api/[controller]")]`;
+  const apiRoute = navRoute ? `api/${navRoute.replace(/\./g, "/")}${navRouteSuffix ? `/${navRouteSuffix}` : ""}` : null;
+  const routeAttribute = navRoute ? navRouteSuffix ? `[Route("${apiRoute}")]
+[NavRoute("${navRoute}", Suffix = "${navRouteSuffix}")]` : `[Route("${apiRoute}")]
+[NavRoute("${navRoute}")]` : `[Route("api/[controller]")]`;
   const navRouteUsing = navRoute ? "using SmartStack.Api.Core.Routing;\n" : "";
   const controllerTemplate = `using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -34771,10 +35220,12 @@ public record Update{{name}}Request();
   }
   result.files.push({ path: controllerFilePath, content: controllerContent, type: "created" });
   if (navRoute) {
-    result.instructions.push("Controller created with NavRoute (Navigation-based routing).");
+    result.instructions.push("Controller created with NavRoute + explicit Route (deterministic routing).");
     result.instructions.push(`NavRoute: ${navRoute}${navRouteSuffix ? ` (Suffix: ${navRouteSuffix})` : ""}`);
+    result.instructions.push(`API Route: ${apiRoute}`);
     result.instructions.push("");
-    result.instructions.push("The actual API route will be resolved from Navigation entities at startup.");
+    result.instructions.push("The [Route] attribute ensures deterministic API routing.");
+    result.instructions.push("The [NavRoute] attribute integrates with the navigation/permission system.");
     result.instructions.push("Ensure the navigation path exists in the database:");
     result.instructions.push(`  Context > Application > Module > Section matching "${navRoute}"`);
   } else {
@@ -52147,6 +52598,14 @@ function generatePermissionsForNavRoute(navRoute, customActions, includeStandard
       category: context
     });
   }
+  for (const customAction of customActions) {
+    if (!VALID_PERMISSION_ACTIONS2[customAction.toLowerCase()]) {
+      const validActions = Object.keys(VALID_PERMISSION_ACTIONS2).join(", ");
+      throw new Error(
+        `Invalid custom action: "${customAction}". Valid PermissionAction values: ${validActions}.`
+      );
+    }
+  }
   const actions = includeStandardActions ? [...STANDARD_ACTIONS, ...customActions] : customActions;
   for (const action of actions) {
     const code = `${navRoute}.${action}`;
@@ -52248,14 +52707,24 @@ function formatPermissionDescription(navRoute, action) {
 }
 function getActionVerb(action) {
   const verbs = {
+    "access": "Access",
     "read": "View",
     "create": "Create",
     "update": "Update",
     "delete": "Delete",
     "export": "Export",
-    "import": "Import"
+    "import": "Import",
+    "approve": "Approve",
+    "reject": "Reject",
+    "assign": "Assign",
+    "execute": "Execute"
   };
-  return verbs[action] || action.charAt(0).toUpperCase() + action.slice(1);
+  const verb = verbs[action.toLowerCase()];
+  if (!verb) {
+    logger.warn(`Unknown permission action verb: "${action}". This may cause runtime errors.`);
+    return action.charAt(0).toUpperCase() + action.slice(1);
+  }
+  return verb;
 }
 function formatPermissionsReport(permissions) {
   let report = "";
@@ -52324,17 +52793,14 @@ function generatePlaceholderGuid() {
   return "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
 }
 function getActionEnum(action) {
-  const actionMap = {
-    "read": "Read",
-    "create": "Create",
-    "update": "Update",
-    "delete": "Delete",
-    "assign": "Assign",
-    "execute": "Execute",
-    "export": "Export",
-    "import": "Import"
-  };
-  return actionMap[action.toLowerCase()] || action.charAt(0).toUpperCase() + action.slice(1);
+  const result = VALID_PERMISSION_ACTIONS2[action.toLowerCase()];
+  if (!result) {
+    const validActions = Object.keys(VALID_PERMISSION_ACTIONS2).join(", ");
+    throw new Error(
+      `Invalid PermissionAction: "${action}". Valid actions: ${validActions}. Do NOT use Enum.Parse<PermissionAction>() with arbitrary strings \u2014 use typed enum values directly.`
+    );
+  }
+  return result;
 }
 async function readDirectoryRecursive(dir) {
   const files = [];
@@ -52352,7 +52818,7 @@ async function readDirectoryRecursive(dir) {
   }
   return files;
 }
-var HTTP_METHOD_TO_ACTION, STANDARD_ACTIONS, generatePermissionsTool;
+var HTTP_METHOD_TO_ACTION, STANDARD_ACTIONS, generatePermissionsTool, VALID_PERMISSION_ACTIONS2;
 var init_generate_permissions = __esm({
   "src/mcp/tools/generate-permissions.ts"() {
     "use strict";
@@ -52415,6 +52881,30 @@ After adding to PermissionConfiguration.cs, run: dotnet ef migrations add <Migra
         }
       }
     };
+    VALID_PERMISSION_ACTIONS2 = {
+      "access": "Access",
+      // 0 - Wildcard permissions only
+      "read": "Read",
+      // 1
+      "create": "Create",
+      // 2
+      "update": "Update",
+      // 3
+      "delete": "Delete",
+      // 4
+      "export": "Export",
+      // 5
+      "import": "Import",
+      // 6
+      "approve": "Approve",
+      // 7
+      "reject": "Reject",
+      // 8
+      "assign": "Assign",
+      // 9
+      "execute": "Execute"
+      // 10
+    };
   }
 });
 
@@ -56516,12 +57006,23 @@ async function scaffoldRoutes(input, config2) {
   const structure = await findSmartStackStructure(projectRoot);
   const webPath = structure.web || path19.join(projectRoot, "web");
   const routesPath = options?.outputPath || path19.join(webPath, "src", "routes");
-  const navRoutes = await discoverNavRoutes(structure, scope);
+  const routeWarnings = [];
+  const navRoutes = await discoverNavRoutes(structure, scope, routeWarnings);
   if (navRoutes.length === 0) {
     result.success = false;
     result.instructions.push("No NavRoute attributes found in controllers");
     return result;
   }
+  if (routeWarnings.length > 0) {
+    result.instructions.push("");
+    result.instructions.push("### Route/NavRoute Mismatches Detected:");
+    for (const warning of routeWarnings) {
+      result.instructions.push(warning);
+    }
+    result.instructions.push("");
+    result.instructions.push('Fix: Update [Route] attributes to match the NavRoute convention: api/{navRoute.replace(".", "/")}');
+    result.instructions.push("");
+  }
   if (generateRegistry) {
     const registryContent = generateNavRouteRegistry(navRoutes);
     const registryFile = path19.join(routesPath, "navRoutes.generated.ts");
@@ -56602,7 +57103,7 @@ async function scaffoldRoutes(input, config2) {
   }
   return result;
 }
-async function discoverNavRoutes(structure, scope) {
+async function discoverNavRoutes(structure, scope, warnings) {
   const routes = [];
   const apiPaths = [];
   if (scope === "all" || scope === "platform") {
@@ -56659,6 +57160,7 @@ async function discoverNavRoutes(structure, scope) {
           permissions.push(match2[1]);
         }
         const fullNavRoute = suffix ? `${navRoute}.${suffix}` : navRoute;
+        const expectedRoute = `api/${navRoute.replace(/\./g, "/")}${suffix ? `/${suffix}` : ""}`;
         routes.push({
           navRoute: fullNavRoute,
           apiPath: `/api/${navRoute.replace(/\./g, "/")}${suffix ? `/${suffix}` : ""}`,
@@ -56667,6 +57169,15 @@ async function discoverNavRoutes(structure, scope) {
           controller: controllerName,
           methods
         });
+        const routeAttrMatch = content.match(/\[Route\s*\(\s*"([^"]+)"\s*\)\]/);
+        if (routeAttrMatch && warnings) {
+          const actualRoute = routeAttrMatch[1];
+          if (actualRoute !== expectedRoute && actualRoute !== "api/[controller]") {
+            warnings.push(
+              `WARNING: ${controllerName}Controller has [Route("${actualRoute}")] that doesn't match NavRoute "${navRoute}". Expected [Route("${expectedRoute}")]`
+            );
+          }
+        }
       }
     } catch {
       logger.debug(`Failed to parse controller: ${file}`);
@@ -57245,10 +57756,10 @@ import path20 from "path";
 async function handleValidateFrontendRoutes(args, config2) {
   const input = ValidateFrontendRoutesInputSchema.parse(args);
   logger.info("Validating frontend routes", { scope: input.scope });
-  const result = await validateFrontendRoutes(input, config2);
+  const result = await validateFrontendRoutes2(input, config2);
   return formatResult6(result, input);
 }
-async function validateFrontendRoutes(input, config2) {
+async function validateFrontendRoutes2(input, config2) {
   const result = {
     valid: true,
     registry: {
@@ -57480,6 +57991,21 @@ async function validateAppWiring(webPath, backendRoutes, result) {
       break;
     }
   }
+  if (!appFilePath) {
+    try {
+      const deepSearch = await glob("**/App.tsx", {
+        cwd: webPath,
+        absolute: true,
+        ignore: ["**/node_modules/**", "**/dist/**", "**/build/**"]
+      });
+      if (deepSearch.length > 0) {
+        appFilePath = deepSearch[0];
+        appContent = await readText(appFilePath);
+      }
+    } catch {
+      logger.debug("Fallback App.tsx search failed");
+    }
+  }
   result.appWiring = {
     exists: !!appFilePath,
     routesImported: false,
@@ -57487,7 +58013,10 @@ async function validateAppWiring(webPath, backendRoutes, result) {
     issues: []
   };
   if (!appFilePath || !appContent) {
-    result.appWiring.issues.push("No App.tsx or main.tsx found in web/src/");
+    const searchedPaths = appCandidates.map((c) => path20.join(webPath, "src", c)).join(", ");
+    result.appWiring.issues.push(
+      `No App.tsx or main.tsx found. Searched: ${searchedPaths} and ${webPath}/**/App.tsx`
+    );
     return;
   }
   const hasClientRoutesImport = appContent.includes("clientRoutes.generated");
@@ -59528,7 +60057,8 @@ async function handleValidateSecurity(args, config2) {
     "tenant-isolation",
     "authorization",
     "dangerous-functions",
-    "input-validation"
+    "input-validation",
+    "guid-empty"
   ] : input.checks;
   logger.info("Validating security", { projectPath, checks: checksToRun });
   const result = {
@@ -59561,6 +60091,9 @@ async function handleValidateSecurity(args, config2) {
   if (checksToRun.includes("input-validation")) {
     await checkInputValidation(structure, result);
   }
+  if (checksToRun.includes("guid-empty")) {
+    await checkGuidEmpty(structure, result);
+  }
   result.stats.blocking = result.findings.filter((f) => f.severity === "blocking").length;
   result.stats.critical = result.findings.filter((f) => f.severity === "critical").length;
   result.stats.warning = result.findings.filter((f) => f.severity === "warning").length;
@@ -59688,22 +60221,60 @@ async function checkTenantIsolation(structure, result) {
     const serviceFiles = await findFiles("**/*Service.cs", { cwd: structure.application });
     for (const file of serviceFiles) {
       const content = await readText(file);
-      const directAccessPattern = /_context\.\w+\.(?:First|Single|Find|ToList)\s*\(/g;
+      const lines = content.split("\n");
+      const tenantDbSets = /* @__PURE__ */ new Set();
+      for (const entity of tenantEntities) {
+        tenantDbSets.add(entity + "s");
+        tenantDbSets.add(entity + "es");
+        tenantDbSets.add(entity + "ies");
+        tenantDbSets.add(entity);
+      }
+      const dbSetAccessPattern = /_context\.(\w+)/g;
       let match2;
-      while ((match2 = directAccessPattern.exec(content)) !== null) {
-        const surroundingCode = content.substring(Math.max(0, match2.index - 100), match2.index + 100);
-        if (!surroundingCode.includes(".Where(") && !surroundingCode.includes("TenantId")) {
-          const lineNumber = getLineNumber(content, match2.index);
-          result.findings.push({
-            severity: "critical",
-            category: "tenant-isolation",
-            message: "Direct DbContext access without tenant filtering",
-            file: path23.relative(structure.root, file),
-            line: lineNumber,
-            code: truncateCode(match2[0]),
-            suggestion: "Use repository with global tenant filter or add explicit TenantId filter",
-            cweId: "CWE-639"
-          });
+      while ((match2 = dbSetAccessPattern.exec(content)) !== null) {
+        const dbSetName = match2[1];
+        if (tenantEntities.length > 0 && !tenantDbSets.has(dbSetName)) {
+          continue;
+        }
+        const chainStart = match2.index;
+        const semicolonIndex = content.indexOf(";", chainStart);
+        if (semicolonIndex === -1) continue;
+        const fullChain = content.substring(chainStart, semicolonIndex);
+        if (fullChain.includes("TenantId")) continue;
+        if (/\.Add\s*\(/.test(fullChain) || /\.Remove\s*\(/.test(fullChain) || /\.Update\s*\(/.test(fullChain)) continue;
+        if (!fullChain.includes(".") || !fullChain.includes("(")) continue;
+        const lineNumber = getLineNumber(content, match2.index);
+        const lineContent = lines[lineNumber - 1]?.trim() || "";
+        result.findings.push({
+          severity: "blocking",
+          category: "tenant-isolation",
+          message: `Query on _context.${dbSetName} without TenantId filter`,
+          file: path23.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(lineContent),
+          suggestion: "Add .Where(x => x.TenantId == tenantId) to the query chain, or ensure a global query filter is applied.",
+          cweId: "CWE-639"
+        });
+      }
+      for (const entity of tenantEntities) {
+        const newEntityPattern = new RegExp(`new\\s+${entity}\\s*\\{([^}]*)\\}`, "gs");
+        let newMatch;
+        while ((newMatch = newEntityPattern.exec(content)) !== null) {
+          const objectInitializer = newMatch[1];
+          if (!objectInitializer.includes("TenantId")) {
+            const lineNumber = getLineNumber(content, newMatch.index);
+            const lineContent = lines[lineNumber - 1]?.trim() || "";
+            result.findings.push({
+              severity: "blocking",
+              category: "tenant-isolation",
+              message: `new ${entity} { } without TenantId assignment`,
+              file: path23.relative(structure.root, file),
+              line: lineNumber,
+              code: truncateCode(lineContent),
+              suggestion: `Add TenantId = tenantId to the object initializer, or use ${entity}.Create(tenantId, ...) factory method.`,
+              cweId: "CWE-639"
+            });
+          }
         }
       }
     }
@@ -59829,6 +60400,49 @@ async function checkInputValidation(structure, result) {
     }
   }
 }
+async function checkGuidEmpty(structure, result) {
+  const searchPaths = [];
+  if (structure.application) searchPaths.push(structure.application);
+  if (structure.api) searchPaths.push(structure.api);
+  if (searchPaths.length === 0) return;
+  const guidEmptyPattern = /Guid\.Empty/g;
+  for (const searchPath of searchPaths) {
+    const serviceFiles = await findFiles("**/*Service.cs", { cwd: searchPath });
+    const controllerFiles = await findFiles("**/Controllers/**/*Controller.cs", { cwd: searchPath });
+    const filesToScan = [...serviceFiles, ...controllerFiles];
+    result.stats.filesScanned += filesToScan.length;
+    for (const file of filesToScan) {
+      if (isExcludedFile(file)) continue;
+      const content = await readText(file);
+      const lines = content.split("\n");
+      guidEmptyPattern.lastIndex = 0;
+      let match2;
+      while ((match2 = guidEmptyPattern.exec(content)) !== null) {
+        const lineNumber = getLineNumber(content, match2.index);
+        const lineContent = lines[lineNumber - 1]?.trim() || "";
+        if (lineContent.startsWith("//") || lineContent.startsWith("*") || lineContent.startsWith("/*")) {
+          continue;
+        }
+        if (/[!=]=\s*Guid\.Empty/.test(lineContent) || /Guid\.Empty\s*[!=]=/.test(lineContent)) {
+          continue;
+        }
+        if (/default\s*[:(]/.test(lineContent) || /\?\?\s*Guid\.Empty/.test(lineContent)) {
+          continue;
+        }
+        result.findings.push({
+          severity: "critical",
+          category: "guid-empty",
+          message: "Guid.Empty used as a value in business logic",
+          file: path23.relative(structure.root, file),
+          line: lineNumber,
+          code: truncateCode(lineContent),
+          suggestion: "Replace Guid.Empty with actual value from the current user context (e.g., currentUser.Id, tenantId). Guid.Empty typically indicates a missing resolution.",
+          cweId: "CWE-639"
+        });
+      }
+    }
+  }
+}
 async function getFilesToScan(structure, patterns) {
   const allFiles = [];
   for (const pattern of patterns) {
@@ -59971,6 +60585,7 @@ var init_validate_security = __esm({
                 "authorization",
                 "dangerous-functions",
                 "input-validation",
+                "guid-empty",
                 "xss",
                 "csrf",
                 "logging-sensitive",
@@ -61309,6 +61924,90 @@ async function checkSecurity(context) {
         }
       }
     }
+    if (file.language === "csharp" && file.relativePath.includes("Service")) {
+      const dbSetPattern = /_context\.(\w+)\./g;
+      let dbSetMatch;
+      dbSetPattern.lastIndex = 0;
+      while ((dbSetMatch = dbSetPattern.exec(file.content)) !== null) {
+        const chainStart = dbSetMatch.index;
+        const semicolonIndex = file.content.indexOf(";", chainStart);
+        if (semicolonIndex === -1) continue;
+        const fullChain = file.content.substring(chainStart, semicolonIndex);
+        if (/\.Add\s*\(/.test(fullChain) || /\.Remove\s*\(/.test(fullChain) || /\.Update\s*\(/.test(fullChain)) continue;
+        if (!fullChain.includes("(")) continue;
+        if (file.content.includes("ITenantEntity") || file.content.includes("TenantId")) {
+          if (!fullChain.includes("TenantId")) {
+            const lineNumber = getLineNumber3(file.content, dbSetMatch.index);
+            const lineContent = lines[lineNumber - 1]?.trim() || "";
+            if (isInComment(lineContent)) continue;
+            findings.push({
+              id: generateFindingId("security"),
+              category: "security",
+              severity: "blocking",
+              title: "Query Without Tenant Filter",
+              description: `Query on _context.${dbSetMatch[1]} does not include TenantId filter. In a multi-tenant application, all queries must filter by tenant.`,
+              file: file.relativePath,
+              line: lineNumber,
+              code: truncateCode2(lineContent),
+              suggestion: "Add .Where(x => x.TenantId == tenantId) or ensure a global query filter is applied.",
+              autoFixable: false,
+              cweId: "CWE-639"
+            });
+          }
+        }
+      }
+      if (file.content.includes("ITenantEntity") || file.content.includes(": TenantEntity")) {
+        const newEntityPattern = /new\s+(\w+)\s*\{([^}]*)\}/gs;
+        let newMatch;
+        newEntityPattern.lastIndex = 0;
+        while ((newMatch = newEntityPattern.exec(file.content)) !== null) {
+          const entityName = newMatch[1];
+          const initializer3 = newMatch[2];
+          if (/Dto|Request|Response|Result|Exception|Options|Config/i.test(entityName)) continue;
+          if (!initializer3.includes("TenantId")) {
+            const lineNumber = getLineNumber3(file.content, newMatch.index);
+            const lineContent = lines[lineNumber - 1]?.trim() || "";
+            if (isInComment(lineContent)) continue;
+            findings.push({
+              id: generateFindingId("security"),
+              category: "security",
+              severity: "critical",
+              title: "Entity Creation Without TenantId",
+              description: `new ${entityName} { } without TenantId assignment. Tenant entities must always have TenantId set.`,
+              file: file.relativePath,
+              line: lineNumber,
+              code: truncateCode2(lineContent),
+              suggestion: `Add TenantId = tenantId to the initializer, or use ${entityName}.Create(tenantId, ...).`,
+              autoFixable: false,
+              cweId: "CWE-639"
+            });
+          }
+        }
+      }
+      const guidEmptyPattern = /Guid\.Empty/g;
+      let guidMatch;
+      guidEmptyPattern.lastIndex = 0;
+      while ((guidMatch = guidEmptyPattern.exec(file.content)) !== null) {
+        const lineNumber = getLineNumber3(file.content, guidMatch.index);
+        const lineContent = lines[lineNumber - 1]?.trim() || "";
+        if (isInComment(lineContent)) continue;
+        if (/[!=]=\s*Guid\.Empty/.test(lineContent) || /Guid\.Empty\s*[!=]=/.test(lineContent)) continue;
+        if (/default\s*[:(]/.test(lineContent) || /\?\?\s*Guid\.Empty/.test(lineContent)) continue;
+        findings.push({
+          id: generateFindingId("security"),
+          category: "security",
+          severity: "critical",
+          title: "Guid.Empty Used as Value",
+          description: "Guid.Empty used as a business value. This typically indicates a missing resolution (e.g., current user ID, tenant ID).",
+          file: file.relativePath,
+          line: lineNumber,
+          code: truncateCode2(lineContent),
+          suggestion: "Replace Guid.Empty with the actual value from user context (currentUser.Id, tenantId, etc.).",
+          autoFixable: false,
+          cweId: "CWE-639"
+        });
+      }
+    }
     if (["typescript", "javascript", "tsx", "jsx"].includes(file.language)) {
       for (const { pattern, name } of XSS_PATTERNS) {
         let match2;