@atlashub/smartstack-cli 3.21.0 → 3.23.0

package/templates/skills/ralph-loop/references/core-seed-data.md

@@ -53,6 +53,171 @@ if (!navRoute) {
 
 ---
 
+## 1b. NavigationApplicationSeedData.cs (ONCE per application)
+
+**File:** `Infrastructure/Persistence/Seeding/Data/NavigationApplicationSeedData.cs`
+
+> **MANDATORY:** This file MUST be created BEFORE any module seed data.
+> Without it, modules have no parent ApplicationId and ApplicationRolesSeedData has no GUID reference.
+> This file is created **ONCE per application** (not per module).
+
+### Data Source
+
+From `seedDataCore.navigationApplications[0]` in feature.json (generated by BA step-05a):
+
+| Placeholder | Source |
+|-------------|--------|
+| `{appCode}` | `navigationApplications[0].code` |
+| `{appLabel_xx}` | `navigationApplications[0].labels.xx` (fr, en, it, de) |
+| `{appDesc_xx}` | `navigationApplications[0].description.xx` |
+| `{appIcon}` | `navigationApplications[0].icon` |
+| `{contextCode}` | `navigationApplications[0].context` or `_seedDataMeta.contextCode` |
+
+### GUID Generation Rule
+
+```csharp
+// Deterministic GUID from context + application code
+public static readonly Guid ApplicationId =
+    GenerateDeterministicGuid("navigation-application-{contextCode}.{appCode}");
+// Example: GenerateDeterministicGuid("navigation-application-business.humanresources")
+```
+
+### Template
+
+```csharp
+using SmartStack.Domain.Navigation;
+
+namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
+
+/// <summary>
+/// Navigation seed data for {AppLabel_en} application.
+/// Consumed by IClientSeedDataProvider at application startup.
+/// Created ONCE per application — modules reference ApplicationId as parent.
+/// </summary>
+public static class NavigationApplicationSeedData
+{
+    // Deterministic GUID for this application
+    public static readonly Guid ApplicationId =
+        GenerateDeterministicGuid("navigation-application-{contextCode}.{appCode}");
+
+    /// <summary>
+    /// Returns navigation application entry for seeding into core.nav_Applications.
+    /// </summary>
+    public static NavigationApplicationSeedEntry GetApplicationEntry(Guid contextId)
+    {
+        return new NavigationApplicationSeedEntry
+        {
+            Id = ApplicationId,
+            ContextId = contextId,
+            Code = "{appCode}",
+            Label = "{appLabel_en}",
+            Description = "{appDesc_en}",
+            Icon = "{appIcon}",              // Lucide React icon name
+            IconType = IconType.Lucide,
+            Route = ToKebabCase("/{contextCode}/{appCode}"),
+            DisplayOrder = 1,
+            IsActive = true
+        };
+    }
+
+    /// <summary>
+    /// Returns 4-language translations for this application.
+    /// </summary>
+    public static IEnumerable<NavigationTranslationSeedEntry> GetTranslationEntries()
+    {
+        var appId = ApplicationId;
+        return new[]
+        {
+            new NavigationTranslationSeedEntry
+            {
+                EntityType = NavigationEntityType.Application,
+                EntityId = appId,
+                LanguageCode = "fr",
+                Label = "{appLabel_fr}",
+                Description = "{appDesc_fr}"
+            },
+            new NavigationTranslationSeedEntry
+            {
+                EntityType = NavigationEntityType.Application,
+                EntityId = appId,
+                LanguageCode = "en",
+                Label = "{appLabel_en}",
+                Description = "{appDesc_en}"
+            },
+            new NavigationTranslationSeedEntry
+            {
+                EntityType = NavigationEntityType.Application,
+                EntityId = appId,
+                LanguageCode = "it",
+                Label = "{appLabel_it}",
+                Description = "{appDesc_it}"
+            },
+            new NavigationTranslationSeedEntry
+            {
+                EntityType = NavigationEntityType.Application,
+                EntityId = appId,
+                LanguageCode = "de",
+                Label = "{appLabel_de}",
+                Description = "{appDesc_de}"
+            }
+        };
+    }
+
+    private static Guid GenerateDeterministicGuid(string seed)
+    {
+        using var sha256 = System.Security.Cryptography.SHA256.Create();
+        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(seed));
+        return new Guid(hash.Take(16).ToArray());
+    }
+
+    /// <summary>
+    /// Converts PascalCase route segments to kebab-case for web URLs.
+    /// </summary>
+    private static string ToKebabCase(string route)
+    {
+        if (string.IsNullOrEmpty(route)) return route;
+
+        var segments = route.Split('/');
+        var kebabSegments = new List<string>();
+
+        foreach (var segment in segments)
+        {
+            if (string.IsNullOrEmpty(segment))
+            {
+                kebabSegments.Add(segment);
+                continue;
+            }
+
+            var kebab = System.Text.RegularExpressions.Regex
+                .Replace(segment, "([a-z])([A-Z])", "$1-$2")
+                .ToLowerInvariant();
+            kebabSegments.Add(kebab);
+        }
+
+        return string.Join("/", kebabSegments);
+    }
+}
+
+/// <summary>Seed entry DTO for navigation application.</summary>
+public class NavigationApplicationSeedEntry
+{
+    public Guid Id { get; init; }
+    public Guid ContextId { get; init; }
+    public string Code { get; init; } = null!;
+    public string Label { get; init; } = null!;
+    public string? Description { get; init; }
+    public string? Icon { get; init; }
+    public IconType IconType { get; init; }
+    public string? Route { get; init; }
+    public int DisplayOrder { get; init; }
+    public bool IsActive { get; init; }
+}
+```
+
+**Replace placeholders** with values from `seedDataCore.navigationApplications[0]`.
+
+---
+
 ## 2. NavigationModuleSeedData.cs
 
 **File:** `Infrastructure/Persistence/Seeding/Data/{ModulePascal}/NavigationModuleSeedData.cs`
@@ -104,7 +269,7 @@ public static class {ModulePascal}NavigationSeedData
             Description = "{desc_en}",
             Icon = "{icon}",              // Lucide React icon name
             IconType = IconType.Lucide,
-            Route = "/{contextCode}/{appCode}/{moduleCode}",
+            Route = ToKebabCase($"/{contextCode}/{appCode}/{moduleCode}"),
             DisplayOrder = {displayOrder},
             IsActive = true
         };
@@ -159,6 +324,35 @@ public static class {ModulePascal}NavigationSeedData
         var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(seed));
         return new Guid(hash.Take(16).ToArray());
     }
+
+    /// <summary>
+    /// Converts PascalCase route segments to kebab-case for web URLs.
+    /// Example: /business/HumanResources/TimeManagement → /business/human-resources/time-management
+    /// </summary>
+    private static string ToKebabCase(string route)
+    {
+        if (string.IsNullOrEmpty(route)) return route;
+
+        var segments = route.Split('/');
+        var kebabSegments = new List<string>();
+
+        foreach (var segment in segments)
+        {
+            if (string.IsNullOrEmpty(segment))
+            {
+                kebabSegments.Add(segment);
+                continue;
+            }
+
+            // Convert PascalCase to kebab-case: HumanResources → human-resources
+            var kebab = System.Text.RegularExpressions.Regex
+                .Replace(segment, "([a-z])([A-Z])", "$1-$2")
+                .ToLowerInvariant();
+            kebabSegments.Add(kebab);
+        }
+
+        return string.Join("/", kebabSegments);
+    }
 }
 
 /// <summary>Seed entry DTO for navigation module.</summary>
@@ -236,7 +430,7 @@ public static IEnumerable<NavigationSectionSeedEntry> GetSectionEntries(Guid mod
             Description = "{section1_desc_en}",
             Icon = "{section1_icon}",
             IconType = IconType.Lucide,
-            Route = "/{contextCode}/{appCode}/{moduleCode}/{section1Code}",
+            Route = ToKebabCase($"/{contextCode}/{appCode}/{moduleCode}/{section1Code}"),
             DisplayOrder = {section1_sort},
             IsActive = true
         }
@@ -325,7 +519,7 @@ public static IEnumerable<NavigationResourceSeedEntry> GetResourceEntries(Guid s
                 Code = "{resource1Code}",
                 Label = "{resource1_label_en}",
                 EntityType = "{resource1_entity}",
-                Route = "/{contextCode}/{appCode}/{moduleCode}/{section1Code}/{resource1Code}",
+                Route = ToKebabCase($"/{contextCode}/{appCode}/{moduleCode}/{section1Code}/{resource1Code}"),
                 DisplayOrder = 1
             }
             // Repeat for each resource in this section...
@@ -559,8 +753,8 @@ namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
 /// </summary>
 public static class ApplicationRolesSeedData
 {
-    // Application ID from NavigationApplicationSeedData
-    private static readonly Guid ApplicationId = {ApplicationGuid};
+    // Application ID from NavigationApplicationSeedData (deterministic GUID)
+    public static readonly Guid ApplicationId = NavigationApplicationSeedData.ApplicationId;
 
     public static readonly Guid AdminRoleId = GenerateRoleGuid("admin");
     public static readonly Guid ManagerRoleId = GenerateRoleGuid("manager");
@@ -738,30 +932,30 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
     public async Task SeedNavigationAsync(ICoreDbContext context, CancellationToken ct)
     {
-        // --- Application ---
+        // --- Application (from NavigationApplicationSeedData) ---
+        var appEntry = NavigationApplicationSeedData.GetApplicationEntry(Guid.Empty); // contextId resolved below
         var exists = await context.NavigationApplications
-            .AnyAsync(a => a.Code == "{appCode}", ct);
+            .AnyAsync(a => a.Code == appEntry.Code, ct);
         if (exists) return;
 
         var parentContext = await context.NavigationContexts
             .FirstAsync(c => c.Code == "{contextCode}", ct);
 
+        // Re-get entry with resolved contextId
+        appEntry = NavigationApplicationSeedData.GetApplicationEntry(parentContext.Id);
         var app = NavigationApplication.Create(
-            parentContext.Id, "{appCode}", "{appLabel_en}",
-            "{appDesc_en}", "{appIcon}", IconType.Lucide,
-            "/{contextCode}/{appCode}", 1);
+            appEntry.ContextId, appEntry.Code, appEntry.Label,
+            appEntry.Description, appEntry.Icon, appEntry.IconType,
+            appEntry.Route, appEntry.DisplayOrder);
         context.NavigationApplications.Add(app);
         await ((DbContext)context).SaveChangesAsync(ct);
 
-        // --- Application translations (4 languages) ---
-        var appTranslations = new[]
+        // --- Application translations (4 languages, from NavigationApplicationSeedData) ---
+        foreach (var t in NavigationApplicationSeedData.GetTranslationEntries())
         {
-            NavigationTranslation.Create(NavigationEntityType.Application, app.Id, "fr", "{appLabel_fr}", "{appDesc_fr}"),
-            NavigationTranslation.Create(NavigationEntityType.Application, app.Id, "en", "{appLabel_en}", "{appDesc_en}"),
-            NavigationTranslation.Create(NavigationEntityType.Application, app.Id, "it", "{appLabel_it}", "{appDesc_it}"),
-            NavigationTranslation.Create(NavigationEntityType.Application, app.Id, "de", "{appLabel_de}", "{appDesc_de}")
-        };
-        foreach (var t in appTranslations) context.NavigationTranslations.Add(t);
+            context.NavigationTranslations.Add(
+                NavigationTranslation.Create(t.EntityType, t.EntityId, t.LanguageCode, t.Label, t.Description));
+        }
         await ((DbContext)context).SaveChangesAsync(ct);
 
         // --- Modules ---
@@ -926,7 +1120,8 @@ When processing multiple modules in the same ralph-loop run:
 
 ### Module 1 (first): Creates everything from scratch
 
-1. `ApplicationRolesSeedData.cs` (application-level, once per app)
+0. `NavigationApplicationSeedData.cs` (**application-level**, once per app — FIRST FILE, provides ApplicationId)
+1. `ApplicationRolesSeedData.cs` (application-level, once per app — references NavigationApplicationSeedData.ApplicationId)
 2. `{Module1}NavigationSeedData.cs` (module + sections + resources + all translations)
 3. `{Module1}PermissionsSeedData.cs`
 4. `{Module1}RolesSeedData.cs`
@@ -935,6 +1130,7 @@ When processing multiple modules in the same ralph-loop run:
 
 ### Module 2+ (subsequent): Append to existing provider
 
+0. `NavigationApplicationSeedData.cs` (already exists — skip)
 1. `ApplicationRolesSeedData.cs` (already exists — skip)
 2. `{Module2}NavigationSeedData.cs` (new file — include sections + resources if defined in feature.json)
 3. `{Module2}PermissionsSeedData.cs` (new file)
@@ -942,7 +1138,7 @@ When processing multiple modules in the same ralph-loop run:
 5. `{AppPascalName}SeedDataProvider.cs` (**modify** — add using, add entries in Navigation/Permissions/RolePermissions methods, **including section/resource seeding for the new module**)
 6. DI registration (already exists — skip)
 
-**Detection:** Check if `{AppPascalName}SeedDataProvider.cs` exists. If yes, READ it and ADD the new module's entries to the appropriate methods (Navigation, Permissions, RolePermissions). Do NOT modify SeedRolesAsync().
+**Detection:** Check if `{AppPascalName}SeedDataProvider.cs` exists. If yes, READ it and ADD the new module's entries to the appropriate methods (Navigation, Permissions, RolePermissions). Do NOT modify SeedRolesAsync() or the Application creation in SeedNavigationAsync().
 
 ### Section/Resource Conditionality
 
@@ -960,6 +1156,14 @@ Sections and resources are **optional per module**. When processing a module's f
 
 Before marking the task as completed, verify ALL:
 
+**Application-Level (FIRST — before modules):**
+- [ ] `NavigationApplicationSeedData.cs` created (once per application, at `Infrastructure/Persistence/Seeding/Data/`)
+- [ ] Application GUID is deterministic (SHA256 of `"navigation-application-{contextCode}.{appCode}"`)
+- [ ] Application translations created (4 languages: fr, en, it, de, EntityType = Application)
+- [ ] `IClientSeedDataProvider.SeedNavigationAsync()` uses `NavigationApplicationSeedData` (NO hardcoded `{appLabel_en}` / `{appIcon}` placeholders)
+- [ ] `ApplicationRolesSeedData.ApplicationId` references `NavigationApplicationSeedData.ApplicationId` (NO `{ApplicationGuid}` placeholder)
+
+**Module-Level:**
 - [ ] Deterministic GUIDs (NEVER `Guid.NewGuid()`) — SHA256 of path
 - [ ] 4 languages for each navigation entity (fr, en, it, de)
 - [ ] `ApplicationRolesSeedData.cs` created (once per application)
@@ -969,7 +1173,7 @@ Before marking the task as completed, verify ALL:
 - [ ] MCP `generate_permissions` called (or fallback used)
 - [ ] Role-permission mappings assigned (Admin, Manager, Contributor, Viewer)
 - [ ] `IClientSeedDataProvider` generated with 4 methods (Navigation, Roles, Permissions, RolePermissions)
-- [ ] Execution order: Navigation (modules → sections → resources) → Roles → Permissions → RolePermissions
+- [ ] Execution order: Navigation (application → modules → sections → resources) → Roles → Permissions → RolePermissions
 - [ ] Each Seed method is idempotent (checks existence before inserting)
 - [ ] Factory methods used throughout (NEVER `new Entity()`)
 - [ ] `SaveChangesAsync` called per group (Navigation → Roles → Permissions → RolePermissions)
@@ -981,6 +1185,13 @@ Before marking the task as completed, verify ALL:
 - [ ] NO `Enum.Parse<PermissionAction>` usage anywhere in seeding code (use typed enum directly)
 - [ ] ALL PermissionAction values are from the valid enum: Access, Read, Create, Update, Delete, Export, Import, Approve, Reject, Assign, Execute
 
+**Seed Data Integrity (BLOCKING — run AFTER `dotnet build`):**
+- [ ] Application startup test: `dotnet run --urls http://localhost:0 --environment Development` exits without seed data exceptions
+- [ ] Verify `nav_Applications` has entry for `{appCode}` (query or startup log)
+- [ ] Verify `nav_Modules` has entries for each module (count matches feature.json modules)
+- [ ] Verify `auth_Roles` has 4 application-scoped roles (admin, manager, contributor, viewer)
+- [ ] Verify `auth_Permissions` has entries for each module (wildcard + CRUD)
+
 **If ANY check fails, the task status = 'failed'.**
 
 ---

package/templates/skills/ralph-loop/steps/step-01-task.md

@@ -186,7 +186,9 @@ Initialize `.ralph/progress.txt`:
 > This check prevents the "no frontend generated" failure mode.
 
 ```javascript
-const REQUIRED_CATEGORIES = ['domain', 'infrastructure', 'application', 'api', 'frontend', 'test'];
+// CRITICAL: seedData MUST be in the required list — without it, nav_Applications/auth_Roles/auth_Permissions
+// are not seeded, and frontend/test tasks execute against an empty database.
+const REQUIRED_CATEGORIES = ['domain', 'infrastructure', 'application', 'api', 'seedData', 'frontend', 'test'];
 const presentCategories = new Set(prd.tasks.map(t => t.category));
 const missingCategories = REQUIRED_CATEGORIES.filter(c => !presentCategories.has(c));
 
@@ -199,19 +201,38 @@ if (missingCategories.length > 0) {
     return isNaN(num) ? 0 : num;
   }));
   const prefix = prd.tasks[0]?.id?.replace(/[0-9]+$/, '') || 'GUARD-';
-  const lastBackendTask = prd.tasks.filter(t => t.category === 'api').pop()?.id || prd.tasks[prd.tasks.length - 1]?.id;
+  const lastApiTask = prd.tasks.filter(t => t.category === 'api').pop()?.id || prd.tasks[prd.tasks.length - 1]?.id;
+  const lastSeedDataTask = prd.tasks.filter(t => t.category === 'seedData').pop()?.id;
+
+  // DEPENDENCY CHAIN: domain → infrastructure → application → api → seedData → frontend → test
+  // Frontend MUST depend on seedData (not just API) — otherwise navigation/permissions are empty
+  const frontendDep = lastSeedDataTask || lastApiTask;
 
   for (const cat of missingCategories) {
     maxIdNum++;
     const taskId = `${prefix}${String(maxIdNum).padStart(3, '0')}`;
+
+    // Determine dependencies based on category order
+    let deps;
+    if (cat === 'seedData') {
+      deps = [lastApiTask]; // seedData depends on API (infrastructure must exist first)
+    } else if (cat === 'frontend') {
+      deps = [frontendDep]; // frontend depends on seedData (navigation must be seeded)
+    } else if (cat === 'test') {
+      deps = [frontendDep]; // test depends on seedData too
+    } else {
+      deps = [];
+    }
+
     const guardrailTask = {
       id: taskId,
       description: `[GUARDRAIL] Generate ${cat} layer for ${prd.project?.module || 'module'}`,
       status: 'pending',
       category: cat,
-      dependencies: cat === 'test' ? [lastBackendTask] : (cat === 'frontend' ? [lastBackendTask] : []),
+      dependencies: deps,
       acceptance_criteria: [
-        cat === 'frontend' ? 'React pages created via MCP scaffold_api_client + scaffold_routes, wired to App.tsx' :
+        cat === 'seedData' ? 'NavigationApplicationSeedData + NavigationModuleSeedData + PermissionsSeedData + ApplicationRolesSeedData created, IClientSeedDataProvider wired, startup test passes' :
+        cat === 'frontend' ? 'React pages created via MCP scaffold_api_client + scaffold_routes, wired to App.tsx, navigation seed data verified in DB' :
         cat === 'test' ? 'Unit + Integration test projects created, scaffold_tests MCP called, dotnet test passes' :
         `${cat} layer fully implemented per category-rules.md`
       ],
@@ -220,6 +241,17 @@ if (missingCategories.length > 0) {
     };
     prd.tasks.push(guardrailTask);
     console.log(`  → Injected guardrail: [${taskId}] ${cat}`);
+
+    // Update frontendDep if we just injected seedData (frontend guardrail should depend on it)
+    if (cat === 'seedData') {
+      // Re-resolve for subsequent iterations
+      const updatedFrontendDep = taskId;
+      // Patch any previously-added frontend guardrail to depend on this seedData task
+      const frontendGuard = prd.tasks.find(t => t.category === 'frontend' && t.description.includes('[GUARDRAIL]'));
+      if (frontendGuard && !frontendGuard.dependencies.includes(taskId)) {
+        frontendGuard.dependencies = [taskId];
+      }
+    }
   }
 
   writeJSON('.ralph/prd.json', prd);

package/templates/skills/ralph-loop/steps/step-02-execute.md

@@ -83,6 +83,87 @@ dotnet build --no-restore
 
 MUST pass before proceeding to application/api/test/frontend. Fix if fails.
 
+**POST-CHECK: Route kebab-case validation (BLOCKING)**
+
+After generating NavigationSeedData files, verify routes follow kebab-case convention:
+
+```bash
+# Search for routes with uppercase in NavigationSeedData files
+UPPERCASE_ROUTES=$(grep -E 'Route = "?/[^"]*[A-Z]' Infrastructure/Persistence/Seeding/Data/*/NavigationSeedData.cs 2>/dev/null)
+
+if [ -n "$UPPERCASE_ROUTES" ]; then
+  echo "❌ ERROR: Routes must be kebab-case lowercase. Found PascalCase in NavigationSeedData routes:"
+  echo "$UPPERCASE_ROUTES"
+  echo ""
+  echo "Expected format: /business/human-resources/projects"
+  echo "Fix: Use ToKebabCase() helper in route generation (see core-seed-data.md)"
+  exit 1
+fi
+```
+
+**Why this matters:**
+- Backend seed data defines menu navigation routes
+- Frontend React Router expects kebab-case URLs
+- Mismatch causes 404 on menu click
+- Convention: `HumanResources` (C# code) → `human-resources` (web URL)
+
+**Fix:** If check fails, routes were generated without `ToKebabCase()` transformation. Regenerate NavigationSeedData with the helper.
+
+**POST-CHECK: Core Seed Data Integrity (BLOCKING)**
+
+After generating ALL seed data files (NavigationApplicationSeedData, NavigationModuleSeedData, PermissionsSeedData, RolesSeedData, ApplicationRolesSeedData, IClientSeedDataProvider), verify the complete chain:
+
+```bash
+# 1. NavigationApplicationSeedData.cs exists
+APP_SEED=$(find . -path "*/Seeding/Data/NavigationApplicationSeedData.cs" 2>/dev/null | head -1)
+if [ -z "$APP_SEED" ]; then
+  echo "❌ BLOCKING: NavigationApplicationSeedData.cs NOT FOUND"
+  echo "Without this, nav_Applications is empty → navigation menu invisible"
+  echo "Fix: Generate from core-seed-data.md section 1b using seedDataCore.navigationApplications"
+  exit 1
+fi
+
+# 2. ApplicationRolesSeedData.cs references NavigationApplicationSeedData.ApplicationId (no placeholder)
+if grep -q '{ApplicationGuid}' Infrastructure/Persistence/Seeding/Data/ApplicationRolesSeedData.cs 2>/dev/null; then
+  echo "❌ BLOCKING: ApplicationRolesSeedData still has {ApplicationGuid} placeholder"
+  echo "Fix: Replace with NavigationApplicationSeedData.ApplicationId"
+  exit 1
+fi
+
+# 3. IClientSeedDataProvider has no hardcoded app placeholders
+PROVIDER=$(find . -path "*/Seeding/*SeedDataProvider.cs" 2>/dev/null | head -1)
+if [ -n "$PROVIDER" ]; then
+  if grep -qE '\{appLabel_|appDesc_|appIcon\}' "$PROVIDER" 2>/dev/null; then
+    echo "❌ BLOCKING: SeedDataProvider has hardcoded {appLabel_xx}/{appIcon} placeholders"
+    echo "Fix: Use NavigationApplicationSeedData.GetApplicationEntry() and GetTranslationEntries()"
+    exit 1
+  fi
+fi
+
+# 4. Quick startup test — verify seed data doesn't crash at runtime
+echo "Running startup test to verify seed data..."
+dotnet run --project "$API_PROJECT" --urls "http://localhost:0" -- --environment Development &
+RUN_PID=$!
+sleep 8
+
+if ! kill -0 $RUN_PID 2>/dev/null; then
+  echo "❌ BLOCKING: Application crashed during startup (seed data likely failed)"
+  echo "Check logs for: navigation, role, or permission seed data errors"
+  wait $RUN_PID 2>/dev/null
+  exit 1
+else
+  echo "✓ Startup test passed — seed data executed without crash"
+  kill $RUN_PID 2>/dev/null
+  wait $RUN_PID 2>/dev/null
+fi
+```
+
+**Why this matters:**
+- If `nav_Applications` is empty → navigation menu shows nothing → user can't access modules
+- If `auth_Roles` is empty → role-permission mappings fail silently → RBAC broken
+- If `auth_Permissions` is empty → all authorization checks reject → 403 on every endpoint
+- These are **foundational** — without them, ALL subsequent features (frontend, API, tests) are useless
+
 ### 6. Validate with MCP
 
 ```