@atlashub/smartstack-cli 3.23.0 → 3.25.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "3.23.0",
+  "version": "3.25.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/mcp-scaffolding/component.tsx.hbs

@@ -174,7 +174,27 @@ export const {{name}}: React.FC<{{name}}Props> = ({
 
       {/* Form */}
       <form onSubmit={handleSubmit} className="p-6 space-y-6">
-        {/* TODO: Add form fields */}
+        {/*
+          TODO: Add form fields based on entity properties.
+          IMPORTANT — Field type mapping:
+          - string properties → <input type="text" />
+          - bool properties → <input type="checkbox" />
+          - number properties → <input type="number" />
+          - DateTime properties → <input type="date" />
+          - Guid FK properties (e.g., EmployeeId, DepartmentId) → <EntityLookup /> (NEVER plain text input!)
+
+          For FK fields, use EntityLookup from @/components/ui/EntityLookup:
+          <EntityLookup
+            apiEndpoint="/api/{related-entity-route}"
+            value={data.relatedEntityId}
+            onChange={(id) => handleChange('relatedEntityId', id)}
+            label="Related Entity"
+            mapOption={(item) => ({ id: item.id, label: item.name, sublabel: item.code })}
+            required
+          />
+
+          See smartstack-frontend.md section 6 for the full EntityLookup pattern.
+        */}
         <div className="text-[var(--text-secondary)] text-center py-8">
           Add your form fields here
         </div>

package/templates/skills/apex/references/smartstack-api.md

@@ -228,13 +228,33 @@ public class {Name}Service : I{Name}Service
         _logger = logger;
     }
 
-    public async Task<List<{Name}ResponseDto>> GetAllAsync(CancellationToken ct)
+    public async Task<PaginatedResult<{Name}ResponseDto>> GetAllAsync(
+        string? search = null,
+        int page = 1,
+        int pageSize = 20,
+        CancellationToken ct = default)
     {
-        return await _db.{Name}s
+        var query = _db.{Name}s
             .Where(x => x.TenantId == _currentUser.TenantId)  // MANDATORY tenant filter
-            .AsNoTracking()
+            .AsNoTracking();
+
+        // Search filter — enables EntityLookup on frontend
+        if (!string.IsNullOrWhiteSpace(search))
+        {
+            query = query.Where(x =>
+                x.Name.Contains(search) ||
+                x.Code.Contains(search));
+        }
+
+        var totalCount = await query.CountAsync(ct);
+        var items = await query
+            .OrderBy(x => x.Name)
+            .Skip((page - 1) * pageSize)
+            .Take(pageSize)
             .Select(x => new {Name}ResponseDto(x.Id, x.Code, x.Name, x.CreatedAt))
             .ToListAsync(ct);
+
+        return new PaginatedResult<{Name}ResponseDto>(items, totalCount, page, pageSize);
     }
 
     public async Task<{Name}ResponseDto?> GetByIdAsync(Guid id, CancellationToken ct)
@@ -313,8 +333,12 @@ public class {Name}Controller : ControllerBase
 
     [HttpGet]
     [RequirePermission(Permissions.{Module}.Read)]
-    public async Task<ActionResult<List<{Name}ResponseDto>>> GetAll(CancellationToken ct)
-        => Ok(await _service.GetAllAsync(ct));
+    public async Task<ActionResult<PaginatedResult<{Name}ResponseDto>>> GetAll(
+        [FromQuery] string? search = null,
+        [FromQuery] int page = 1,
+        [FromQuery] int pageSize = 20,
+        CancellationToken ct = default)
+        => Ok(await _service.GetAllAsync(search, page, pageSize, ct));
 
     [HttpGet("{id:guid}")]
     [RequirePermission(Permissions.{Module}.Read)]
@@ -479,3 +503,148 @@ services.AddValidatorsFromAssemblyContaining<Create{Name}DtoValidator>();
 | Route `"humanresources"` in seed data | Must be full path `"/business/human-resources"` |
 | Route without leading `/` | All routes must start with `/` |
 | `Permission.Create()` | Does NOT exist — use `CreateForModule()`, `CreateForSection()`, etc. |
+| `GetAllAsync()` without search param | ALL GetAll endpoints MUST support `?search=` for EntityLookup |
+| FK field as plain text input | Frontend MUST use `EntityLookup` component for Guid FK fields |
+
+---
+
+## Critical Anti-Patterns (with code examples)
+
+> **These are the most common and dangerous mistakes.** Each one has been observed in production code generation.
+
+### Anti-Pattern 1: HasQueryFilter with `!= Guid.Empty` (SECURITY — OWASP A01)
+
+The `HasQueryFilter` in EF Core should use **runtime tenant resolution**, NOT a static comparison against `Guid.Empty`.
+
+**INCORRECT — Does NOT isolate tenants:**
+```csharp
+// WRONG: This only excludes empty GUIDs — ALL tenant data is still visible to everyone!
+public void Configure(EntityTypeBuilder<MyEntity> builder)
+{
+    builder.HasQueryFilter(e => e.TenantId != Guid.Empty);
+}
+```
+
+**CORRECT — Tenant isolation via service:**
+```csharp
+// CORRECT: In SmartStack, tenant filtering is done in the SERVICE layer, not via HasQueryFilter.
+public async Task<PaginatedResult<MyEntityDto>> GetAllAsync(...)
+{
+    var query = _db.MyEntities
+        .Where(x => x.TenantId == _currentUser.TenantId)  // MANDATORY runtime filter
+        .AsNoTracking();
+    // ...
+}
+```
+
+**Why it's wrong:** `HasQueryFilter(e => e.TenantId != Guid.Empty)` is a **static filter** — it only removes records with empty GUIDs. It does NOT restrict data to the current tenant. This is an **OWASP A01 Broken Access Control** vulnerability.
+
+---
+
+### Anti-Pattern 2: `List<T>` instead of `PaginatedResult<T>` for GetAll
+
+**INCORRECT — No pagination:**
+```csharp
+// WRONG: Returns all records at once — no pagination, no totalCount
+public async Task<List<MyEntityDto>> GetAllAsync(CancellationToken ct)
+{
+    return await _db.MyEntities
+        .Where(x => x.TenantId == _currentUser.TenantId)
+        .Select(x => new MyEntityDto(x.Id, x.Code, x.Name))
+        .ToListAsync(ct);
+}
+```
+
+**CORRECT — Paginated with search:**
+```csharp
+// CORRECT: Returns PaginatedResult<T> with search, page, pageSize
+public async Task<PaginatedResult<MyEntityDto>> GetAllAsync(
+    string? search = null, int page = 1, int pageSize = 20, CancellationToken ct = default)
+{
+    var query = _db.MyEntities.Where(x => x.TenantId == _currentUser.TenantId).AsNoTracking();
+    if (!string.IsNullOrWhiteSpace(search))
+        query = query.Where(x => x.Name.Contains(search) || x.Code.Contains(search));
+    var totalCount = await query.CountAsync(ct);
+    var items = await query.OrderBy(x => x.Name).Skip((page - 1) * pageSize).Take(pageSize)
+        .Select(x => new MyEntityDto(x.Id, x.Code, x.Name, x.CreatedAt)).ToListAsync(ct);
+    return new PaginatedResult<MyEntityDto>(items, totalCount, page, pageSize);
+}
+```
+
+**Why it's wrong:** `List<T>` loads ALL records into memory. It also breaks `EntityLookup` which requires `{ items, totalCount }` response format.
+
+---
+
+### Anti-Pattern 3: Missing `IAuditableEntity` on tenant entities
+
+**INCORRECT — No audit trail:**
+```csharp
+// WRONG: Tenant entity without IAuditableEntity
+public class MyEntity : BaseEntity, ITenantEntity
+{
+    public Guid TenantId { get; private set; }
+    public string Code { get; private set; } = null!;
+}
+```
+
+**CORRECT — Always pair ITenantEntity with IAuditableEntity:**
+```csharp
+public class MyEntity : BaseEntity, ITenantEntity, IAuditableEntity
+{
+    public Guid TenantId { get; private set; }
+    public string? CreatedBy { get; set; }
+    public string? UpdatedBy { get; set; }
+    public string Code { get; private set; } = null!;
+}
+```
+
+**Why it's wrong:** Without `IAuditableEntity`, there is no record of who created or modified data. Mandatory for compliance in multi-tenant environments.
+
+---
+
+### Anti-Pattern 4: Code auto-generation with `Count() + 1`
+
+**INCORRECT — Race condition:**
+```csharp
+// WRONG: Two concurrent requests get the same count
+var count = await _db.MyEntities.Where(x => x.TenantId == _currentUser.TenantId).CountAsync(ct);
+return $"ENT{(count + 1):D4}";
+```
+
+**CORRECT — Use `GenerateNextCodeAsync()` (atomic):**
+```csharp
+var code = await GenerateNextCodeAsync("MyEntity", _currentUser.TenantId, ct);
+```
+
+**Why it's wrong:** `Count() + 1` causes **race conditions** — concurrent requests generate duplicate codes.
+
+---
+
+### Anti-Pattern 5: Missing Update validator
+
+**INCORRECT — Only CreateValidator:**
+```csharp
+public class CreateMyEntityDtoValidator : AbstractValidator<CreateMyEntityDto>
+{
+    public CreateMyEntityDtoValidator()
+    {
+        RuleFor(x => x.Code).NotEmpty().MaximumLength(100);
+        RuleFor(x => x.Name).NotEmpty().MaximumLength(200);
+    }
+}
+// No UpdateMyEntityDtoValidator exists!
+```
+
+**CORRECT — Always create validators in pairs:**
+```csharp
+public class CreateMyEntityDtoValidator : AbstractValidator<CreateMyEntityDto> { /* ... */ }
+public class UpdateMyEntityDtoValidator : AbstractValidator<UpdateMyEntityDto>
+{
+    public UpdateMyEntityDtoValidator()
+    {
+        RuleFor(x => x.Name).NotEmpty().MaximumLength(200);
+    }
+}
+```
+
+**Why it's wrong:** Without an `UpdateValidator`, the Update endpoint accepts **any data without validation**.