@atlashub/smartstack-cli 3.24.0 → 3.25.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "3.24.0",
+  "version": "3.25.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/skills/apex/references/smartstack-api.md

@@ -505,3 +505,146 @@ services.AddValidatorsFromAssemblyContaining<Create{Name}DtoValidator>();
 | `Permission.Create()` | Does NOT exist — use `CreateForModule()`, `CreateForSection()`, etc. |
 | `GetAllAsync()` without search param | ALL GetAll endpoints MUST support `?search=` for EntityLookup |
 | FK field as plain text input | Frontend MUST use `EntityLookup` component for Guid FK fields |
+
+---
+
+## Critical Anti-Patterns (with code examples)
+
+> **These are the most common and dangerous mistakes.** Each one has been observed in production code generation.
+
+### Anti-Pattern 1: HasQueryFilter with `!= Guid.Empty` (SECURITY — OWASP A01)
+
+The `HasQueryFilter` in EF Core should use **runtime tenant resolution**, NOT a static comparison against `Guid.Empty`.
+
+**INCORRECT — Does NOT isolate tenants:**
+```csharp
+// WRONG: This only excludes empty GUIDs — ALL tenant data is still visible to everyone!
+public void Configure(EntityTypeBuilder<MyEntity> builder)
+{
+    builder.HasQueryFilter(e => e.TenantId != Guid.Empty);
+}
+```
+
+**CORRECT — Tenant isolation via service:**
+```csharp
+// CORRECT: In SmartStack, tenant filtering is done in the SERVICE layer, not via HasQueryFilter.
+public async Task<PaginatedResult<MyEntityDto>> GetAllAsync(...)
+{
+    var query = _db.MyEntities
+        .Where(x => x.TenantId == _currentUser.TenantId)  // MANDATORY runtime filter
+        .AsNoTracking();
+    // ...
+}
+```
+
+**Why it's wrong:** `HasQueryFilter(e => e.TenantId != Guid.Empty)` is a **static filter** — it only removes records with empty GUIDs. It does NOT restrict data to the current tenant. This is an **OWASP A01 Broken Access Control** vulnerability.
+
+---
+
+### Anti-Pattern 2: `List<T>` instead of `PaginatedResult<T>` for GetAll
+
+**INCORRECT — No pagination:**
+```csharp
+// WRONG: Returns all records at once — no pagination, no totalCount
+public async Task<List<MyEntityDto>> GetAllAsync(CancellationToken ct)
+{
+    return await _db.MyEntities
+        .Where(x => x.TenantId == _currentUser.TenantId)
+        .Select(x => new MyEntityDto(x.Id, x.Code, x.Name))
+        .ToListAsync(ct);
+}
+```
+
+**CORRECT — Paginated with search:**
+```csharp
+// CORRECT: Returns PaginatedResult<T> with search, page, pageSize
+public async Task<PaginatedResult<MyEntityDto>> GetAllAsync(
+    string? search = null, int page = 1, int pageSize = 20, CancellationToken ct = default)
+{
+    var query = _db.MyEntities.Where(x => x.TenantId == _currentUser.TenantId).AsNoTracking();
+    if (!string.IsNullOrWhiteSpace(search))
+        query = query.Where(x => x.Name.Contains(search) || x.Code.Contains(search));
+    var totalCount = await query.CountAsync(ct);
+    var items = await query.OrderBy(x => x.Name).Skip((page - 1) * pageSize).Take(pageSize)
+        .Select(x => new MyEntityDto(x.Id, x.Code, x.Name, x.CreatedAt)).ToListAsync(ct);
+    return new PaginatedResult<MyEntityDto>(items, totalCount, page, pageSize);
+}
+```
+
+**Why it's wrong:** `List<T>` loads ALL records into memory. It also breaks `EntityLookup` which requires `{ items, totalCount }` response format.
+
+---
+
+### Anti-Pattern 3: Missing `IAuditableEntity` on tenant entities
+
+**INCORRECT — No audit trail:**
+```csharp
+// WRONG: Tenant entity without IAuditableEntity
+public class MyEntity : BaseEntity, ITenantEntity
+{
+    public Guid TenantId { get; private set; }
+    public string Code { get; private set; } = null!;
+}
+```
+
+**CORRECT — Always pair ITenantEntity with IAuditableEntity:**
+```csharp
+public class MyEntity : BaseEntity, ITenantEntity, IAuditableEntity
+{
+    public Guid TenantId { get; private set; }
+    public string? CreatedBy { get; set; }
+    public string? UpdatedBy { get; set; }
+    public string Code { get; private set; } = null!;
+}
+```
+
+**Why it's wrong:** Without `IAuditableEntity`, there is no record of who created or modified data. Mandatory for compliance in multi-tenant environments.
+
+---
+
+### Anti-Pattern 4: Code auto-generation with `Count() + 1`
+
+**INCORRECT — Race condition:**
+```csharp
+// WRONG: Two concurrent requests get the same count
+var count = await _db.MyEntities.Where(x => x.TenantId == _currentUser.TenantId).CountAsync(ct);
+return $"ENT{(count + 1):D4}";
+```
+
+**CORRECT — Use `GenerateNextCodeAsync()` (atomic):**
+```csharp
+var code = await GenerateNextCodeAsync("MyEntity", _currentUser.TenantId, ct);
+```
+
+**Why it's wrong:** `Count() + 1` causes **race conditions** — concurrent requests generate duplicate codes.
+
+---
+
+### Anti-Pattern 5: Missing Update validator
+
+**INCORRECT — Only CreateValidator:**
+```csharp
+public class CreateMyEntityDtoValidator : AbstractValidator<CreateMyEntityDto>
+{
+    public CreateMyEntityDtoValidator()
+    {
+        RuleFor(x => x.Code).NotEmpty().MaximumLength(100);
+        RuleFor(x => x.Name).NotEmpty().MaximumLength(200);
+    }
+}
+// No UpdateMyEntityDtoValidator exists!
+```
+
+**CORRECT — Always create validators in pairs:**
+```csharp
+public class CreateMyEntityDtoValidator : AbstractValidator<CreateMyEntityDto> { /* ... */ }
+public class UpdateMyEntityDtoValidator : AbstractValidator<UpdateMyEntityDto>
+{
+    public UpdateMyEntityDtoValidator()
+    {
+        RuleFor(x => x.Name).NotEmpty().MaximumLength(200);
+    }
+}
+```
+
+**Why it's wrong:** Without an `UpdateValidator`, the Update endpoint accepts **any data without validation**.

package/templates/skills/apex/references/smartstack-frontend.md

@@ -58,6 +58,26 @@ element: <EmployeesPage />
 <Suspense><EmployeesPage /></Suspense>
 ```
 
+### Client App.tsx — Lazy Imports Mandatory
+
+> **CRITICAL:** In the client `App.tsx` (where `contextRoutes` are defined), ALL page imports MUST use `React.lazy()`.
+
+**CORRECT — Lazy imports in client App.tsx:**
+```tsx
+const ClientsListPage = lazy(() =>
+  import('@/pages/Business/HumanResources/Clients/ClientsListPage')
+    .then(m => ({ default: m.ClientsListPage }))
+);
+```
+
+**FORBIDDEN — Static imports in client App.tsx:**
+```tsx
+// WRONG: Static import kills code splitting
+import { ClientsListPage } from '@/pages/Business/HumanResources/Clients/ClientsListPage';
+```
+
+> **Note:** The `smartstackRoutes.tsx` from the npm package may use static imports internally — this is acceptable for the package. But client `App.tsx` code MUST always use lazy imports for business pages.
+
 ---
 
 ## 2. I18n / Translations (react-i18next)

package/templates/skills/apex/steps/step-03-execute.md

@@ -45,8 +45,10 @@ For each entity:
 ```
 1. MCP suggest_migration → get standardized name
 2. dotnet ef migrations add {Name} --project src/{Infra}.csproj --startup-project src/{Api}.csproj -o Persistence/Migrations
-3. dotnet ef database update (if local DB)
-4. dotnet build → MUST PASS
+3. Cleanup corrupted EF Core artifacts:
+   for d in src/*/bin?Debug; do [ -d "$d" ] && rm -rf "$d"; done
+4. dotnet ef database update (if local DB)
+5. dotnet build → MUST PASS
 ```
 
 **BLOCKING:** If build fails after migration, fix EF configs before proceeding.

package/templates/skills/apex/steps/step-04-validate.md

@@ -54,6 +54,9 @@ Verify:
 ## 4. Build Verification
 
 ```bash
+# Cleanup corrupted EF Core design-time artifacts (Roslyn BuildHost bug on Windows)
+for d in src/*/bin?Debug; do [ -d "$d" ] && echo "Removing corrupted artifact: $d" && rm -rf "$d"; done
+
 # Backend
 dotnet clean && dotnet restore && dotnet build
 
@@ -299,6 +302,17 @@ fi
 ### POST-CHECK 10: Form pages must have companion test files
 
 ```bash
+# Minimum requirement: if frontend pages exist, at least 1 test file must be present
+PAGE_FILES=$(find src/pages/ -name "*.tsx" ! -name "*.test.tsx" 2>/dev/null)
+if [ -n "$PAGE_FILES" ]; then
+  ALL_TESTS=$(find src/pages/ -name "*.test.tsx" 2>/dev/null)
+  if [ -z "$ALL_TESTS" ]; then
+    echo "BLOCKING: No frontend test files found in src/pages/"
+    echo "Every form page MUST have a companion .test.tsx file"
+    exit 1
+  fi
+fi
+
 # Every CreatePage and EditPage must have a .test.tsx file
 FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test)
 if [ -n "$FORM_PAGES" ]; then
@@ -320,14 +334,18 @@ fi
 # Check for FK fields rendered as plain text inputs in form pages
 FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test | grep -v node_modules)
 if [ -n "$FORM_PAGES" ]; then
-  # Detect pattern: input with value containing "Id" (e.g., employeeId, departmentId)
-  FK_TEXT_INPUTS=$(grep -Pn 'type=["\x27]text["\x27].*[a-z]+Id|value=\{[^}]*\.[a-z]+Id\}.*type=["\x27]text["\x27]' $FORM_PAGES 2>/dev/null)
-  if [ -n "$FK_TEXT_INPUTS" ]; then
-    echo "BLOCKING: FK fields rendered as plain text inputs — MUST use EntityLookup component"
-    echo "Users cannot type GUIDs manually. Use <EntityLookup /> from @/components/ui/EntityLookup"
-    echo "See smartstack-frontend.md section 6 for the EntityLookup pattern"
-    echo "$FK_TEXT_INPUTS"
-    exit 1
+  # Detect FK input fields: <input> with name ending in "Id" (catches inputs with or without explicit type)
+  FK_INPUTS=$(grep -Pn '<input[^>]*name=["\x27][a-zA-Z]*Id["\x27]' $FORM_PAGES 2>/dev/null)
+  if [ -n "$FK_INPUTS" ]; then
+    # Filter out hidden inputs (legitimate for FK submission)
+    FK_TEXT_INPUTS=$(echo "$FK_INPUTS" | grep -Pv 'type=["\x27]hidden["\x27]')
+    if [ -n "$FK_TEXT_INPUTS" ]; then
+      echo "BLOCKING: FK fields rendered as plain text inputs — MUST use EntityLookup component"
+      echo "Users cannot type GUIDs manually. Use <EntityLookup /> from @/components/ui/EntityLookup"
+      echo "See smartstack-frontend.md section 6 for the EntityLookup pattern"
+      echo "$FK_TEXT_INPUTS"
+      exit 1
+    fi
   fi
 
   # Check for input placeholders mentioning "ID" or "id" or "Enter...Id"
@@ -362,9 +380,10 @@ fi
 ### POST-CHECK 13: No hardcoded Tailwind colors in generated pages
 
 ```bash
-NEW_PAGES=$(git diff --name-only HEAD 2>/dev/null | grep "src/pages/.*\.tsx$")
-if [ -n "$NEW_PAGES" ]; then
-  HARDCODED=$(grep -Pn '(bg|text|border)-(?!\[)(red|blue|green|gray|white|black|slate|zinc|neutral|stone)-' $NEW_PAGES 2>/dev/null)
+# Scan all page and component files directly (works for uncommitted/untracked files, Windows/WSL compatible)
+ALL_PAGES=$(find src/pages/ src/components/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\.")
+if [ -n "$ALL_PAGES" ]; then
+  HARDCODED=$(grep -Pn '(bg|text|border)-(?!\[)(red|blue|green|gray|white|black|slate|zinc|neutral|stone)-' $ALL_PAGES 2>/dev/null)
   if [ -n "$HARDCODED" ]; then
     echo "WARNING: Pages should use CSS variables instead of hardcoded Tailwind colors"
     echo "Fix: bg-[var(--bg-card)] instead of bg-white, text-[var(--text-primary)] instead of text-gray-900"
@@ -373,6 +392,123 @@ if [ -n "$NEW_PAGES" ]; then
 fi
 ```
 
+### POST-CHECK 14: Routes seed data must match frontend contextRoutes
+
+```bash
+SEED_ROUTES=$(grep -Poh 'Route\s*=\s*"([^"]+)"' $(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" 2>/dev/null) 2>/dev/null | grep -oP '"[^"]+"' | tr -d '"' | sort -u)
+APP_TSX=$(find src/ -name "App.tsx" -not -path "*/node_modules/*" 2>/dev/null | head -1)
+if [ -n "$APP_TSX" ] && [ -n "$SEED_ROUTES" ]; then
+  FRONTEND_PATHS=$(grep -oP "path:\s*'([^']+)'" "$APP_TSX" | grep -oP "'[^']+'" | tr -d "'" | sort -u)
+  if [ -n "$FRONTEND_PATHS" ]; then
+    MISMATCH_FOUND=false
+    for SEED_ROUTE in $SEED_ROUTES; do
+      DEPTH=$(echo "$SEED_ROUTE" | tr '/' '\n' | grep -c '.')
+      if [ "$DEPTH" -lt 3 ]; then continue; fi
+      SEED_SUFFIX=$(echo "$SEED_ROUTE" | sed 's|^/[^/]*/||')
+      SEED_NORM=$(echo "$SEED_SUFFIX" | tr '[:upper:]' '[:lower:]' | tr -d '-')
+      MATCH_FOUND=false
+      for FE_PATH in $FRONTEND_PATHS; do
+        FE_BASE=$(echo "$FE_PATH" | sed 's|/list$||;s|/new$||;s|/:id.*||;s|/create$||')
+        FE_NORM=$(echo "$FE_BASE" | tr '[:upper:]' '[:lower:]' | tr -d '-')
+        if [ "$SEED_NORM" = "$FE_NORM" ]; then
+          MATCH_FOUND=true
+          break
+        fi
+      done
+      if [ "$MATCH_FOUND" = false ]; then
+        echo "BLOCKING: Seed data route has no matching frontend route: $SEED_ROUTE"
+        MISMATCH_FOUND=true
+      fi
+    done
+    if [ "$MISMATCH_FOUND" = true ]; then
+      echo "Fix: Ensure every NavigationSeedData route has a corresponding contextRoutes entry in App.tsx"
+      exit 1
+    fi
+  fi
+fi
+```
+
+### POST-CHECK 15: HasQueryFilter must not use Guid.Empty (OWASP A01)
+
+```bash
+CONFIG_FILES=$(find src/ -path "*/Configurations/*" -name "*Configuration.cs" 2>/dev/null)
+if [ -n "$CONFIG_FILES" ]; then
+  BAD_FILTERS=$(grep -Pn 'HasQueryFilter.*Guid\.Empty' $CONFIG_FILES 2>/dev/null)
+  if [ -n "$BAD_FILTERS" ]; then
+    echo "BLOCKING (OWASP A01): HasQueryFilter uses Guid.Empty instead of runtime tenant isolation"
+    echo "$BAD_FILTERS"
+    echo ""
+    echo "Anti-pattern: .HasQueryFilter(e => e.TenantId != Guid.Empty)"
+    echo "Fix: Remove HasQueryFilter. Tenant isolation is handled by SmartStack base DbContext"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 16: GetAll methods must return PaginatedResult<T>
+
+```bash
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_RETURNS=$(grep -Pn '(Task<\s*(?:List|IEnumerable|IList|ICollection|IReadOnlyList|IReadOnlyCollection)<).*GetAll' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_RETURNS" ]; then
+    echo "BLOCKING: GetAll methods must return PaginatedResult<T>, not List/IEnumerable"
+    echo "$BAD_RETURNS"
+    echo "Fix: Change return type to Task<PaginatedResult<{Entity}ResponseDto>>"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 17: i18n files must contain required structural keys
+
+```bash
+I18N_DIR="src/i18n/locales/fr"
+if [ -d "$I18N_DIR" ]; then
+  REQUIRED_KEYS="actions columns empty errors form labels messages validation"
+  for JSON_FILE in "$I18N_DIR"/*.json; do
+    [ ! -f "$JSON_FILE" ] && continue
+    BASENAME=$(basename "$JSON_FILE")
+    case "$BASENAME" in common.json|navigation.json) continue;; esac
+    for KEY in $REQUIRED_KEYS; do
+      if ! jq -e "has(\"$KEY\")" "$JSON_FILE" > /dev/null 2>&1; then
+        echo "BLOCKING: i18n file missing required key '$KEY': $JSON_FILE"
+        echo "Module i18n files MUST contain: $REQUIRED_KEYS"
+        exit 1
+      fi
+    done
+  done
+fi
+```
+
+### POST-CHECK 18: Entities must implement IAuditableEntity + Validators must have Create/Update pairs
+
+```bash
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null)
+if [ -n "$ENTITY_FILES" ]; then
+  for f in $ENTITY_FILES; do
+    if grep -q "ITenantEntity" "$f" && ! grep -q "IAuditableEntity" "$f"; then
+      echo "BLOCKING: Entity implements ITenantEntity but NOT IAuditableEntity: $f"
+      echo "Pattern: public class Entity : BaseEntity, ITenantEntity, IAuditableEntity"
+      exit 1
+    fi
+  done
+fi
+CREATE_VALIDATORS=$(find src/ -path "*/Validators/*" -name "Create*Validator.cs" 2>/dev/null)
+if [ -n "$CREATE_VALIDATORS" ]; then
+  for f in $CREATE_VALIDATORS; do
+    VALIDATOR_DIR=$(dirname "$f")
+    ENTITY_NAME=$(basename "$f" | sed 's/^Create\(.*\)Validator\.cs$/\1/')
+    if [ ! -f "$VALIDATOR_DIR/Update${ENTITY_NAME}Validator.cs" ]; then
+      echo "BLOCKING: Create${ENTITY_NAME}Validator exists but Update${ENTITY_NAME}Validator is missing"
+      echo "  Found: $f"
+      echo "  Expected: $VALIDATOR_DIR/Update${ENTITY_NAME}Validator.cs"
+      exit 1
+    fi
+  done
+fi
+```
+
 **If ANY POST-CHECK fails → fix in step-03, re-validate.**
 
 ---
@@ -414,6 +550,11 @@ AC2: {criterion} → PASS / FAIL (evidence: {file:line or test})
 | FK fields: EntityLookup, no plain text | PASS / N/A |
 | APIs: search parameter on GetAll | PASS / N/A |
 | CSS variables: no hardcoded colors | PASS / N/A |
+| Routes: seed data vs frontend match | PASS / N/A |
+| HasQueryFilter: no Guid.Empty pattern | PASS / N/A |
+| GetAll: PaginatedResult required | PASS / N/A |
+| I18n: required key structure | PASS / N/A |
+| Entities: IAuditableEntity + validators | PASS / N/A |
 | Acceptance criteria | {X}/{Y} PASS |
 ```
 

package/templates/skills/efcore/steps/migration/step-02-create.md

@@ -107,7 +107,20 @@ dotnet ef migrations add "$MIGRATION_NAME" \
   --verbose
 ```
 
-### 6. Verify Creation
+### 6. Cleanup EF Core Design-Time Artifacts
+
+```bash
+# EF Core's Roslyn BuildHost creates corrupted bin folders on Windows (U+F05C instead of backslash)
+# Clean up any bin*Debug folders that are NOT the normal bin/Debug path
+for d in src/*/bin?Debug; do
+  if [ -d "$d" ]; then
+    echo "Removing corrupted EF Core artifact: $d"
+    rm -rf "$d"
+  fi
+done
+```
+
+### 7. Verify Creation
 
 ```bash
 # Check files were created

package/templates/skills/ralph-loop/references/category-rules.md

@@ -56,8 +56,9 @@ Execution sequence:
    > NEVER use `$HOME/.dotnet/tools` alone — on WSL, `$HOME` resolves to `/home/{user}` where .NET SDK is not installed.
 1. Call `mcp__smartstack__suggest_migration` → get standardized name
 2. `dotnet ef migrations add {Name} --project src/{Infra}.csproj --startup-project src/{Api}.csproj -o Persistence/Migrations`
-3. `dotnet ef database update --project src/{Infra}.csproj --startup-project src/{Api}.csproj`
-4. `dotnet build --no-restore` → verify build passes
+3. Cleanup corrupted EF Core artifacts: `for d in src/*/bin?Debug; do [ -d "$d" ] && rm -rf "$d"; done`
+4. `dotnet ef database update --project src/{Infra}.csproj --startup-project src/{Api}.csproj`
+5. `dotnet build --no-restore` → verify build passes
 
 **BLOCKING:** If migration fails, DO NOT proceed. Fix the EF configs first.
 
@@ -477,6 +478,29 @@ useState(showCreateModal/editDialog)         → navigate to form page, NEVER to
 - Coverage >= 80%
 - No `[Fact(Skip = "...")]`
 
+**Frontend test completeness (BLOCKING):**
+
+After all frontend pages are generated, verify test coverage:
+
+```bash
+# Count page files vs test files
+PAGE_COUNT=$(find src/pages/ -name "*.tsx" ! -name "*.test.tsx" 2>/dev/null | wc -l)
+TEST_COUNT=$(find src/pages/ -name "*.test.tsx" 2>/dev/null | wc -l)
+
+if [ "$PAGE_COUNT" -gt 0 ] && [ "$TEST_COUNT" -eq 0 ]; then
+  echo "BLOCKING: Category D — No .test.tsx files found in src/pages/"
+  echo "Every module with pages MUST have at least one test file"
+  echo "Pages found: $PAGE_COUNT, Tests found: 0"
+  exit 1
+fi
+
+# Minimum ratio: at least 1 test per 3 pages
+MIN_TESTS=$(( (PAGE_COUNT + 2) / 3 ))
+if [ "$TEST_COUNT" -lt "$MIN_TESTS" ]; then
+  echo "WARNING: Low test coverage — $TEST_COUNT tests for $PAGE_COUNT pages (minimum: $MIN_TESTS)"
+fi
+```
+
 ---
 
 ## Validation (FINAL — BLOCKING)

package/templates/skills/ralph-loop/references/compact-loop.md

@@ -108,7 +108,7 @@ Batch: {batch.length} [{firstCategory}] → {batch.map(t => `[${t.id}] ${t.descr
 
 | Category | Action |
 |----------|--------|
-| `infrastructure` with `_migrationMeta` | Migration sequence: `suggest_migration` MCP → `dotnet ef migrations add` → `dotnet ef database update` → `dotnet build` |
+| `infrastructure` with `_migrationMeta` | Migration sequence: `suggest_migration` MCP → `dotnet ef migrations add` → cleanup corrupted artifacts (`for d in src/*/bin?Debug; do [ -d "$d" ] && rm -rf "$d"; done`) → `dotnet ef database update` → `dotnet build` |
 | `infrastructure` with seed data keywords | **MANDATORY:** Read `references/core-seed-data.md` → implement templates → `dotnet build` |
 | `frontend` | MCP-first: `scaffold_api_client` → `scaffold_routes` (outputFormat: clientRoutes) → **wire to App.tsx (detect pattern: `contextRoutes` array OR JSX `<Route>`)** → create pages → `npm run typecheck && npm run lint` |
 | `test` | **Create tests:** `scaffold_tests` MCP → **Run:** `dotnet test --verbosity normal` → **Fix loop:** if fail → fix SOURCE CODE → rebuild → retest → repeat until 100% pass |

package/templates/skills/ralph-loop/steps/step-02-execute.md

@@ -271,6 +271,17 @@ if [ -n "$LIST_PAGES" ]; then
   done
 fi
 
+# First check: at least one test file must exist in pages/
+PAGE_FILES=$(find src/pages/ -name "*.tsx" ! -name "*.test.tsx" 2>/dev/null)
+if [ -n "$PAGE_FILES" ]; then
+  TEST_FILES=$(find src/pages/ -name "*.test.tsx" 2>/dev/null)
+  if [ -z "$TEST_FILES" ]; then
+    echo "BLOCKING: No frontend test files found in src/pages/"
+    echo "Every module with pages MUST have at least one .test.tsx file"
+    exit 1
+  fi
+fi
+
 # POST-CHECK: Form pages must have companion test files
 FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test)
 if [ -n "$FORM_PAGES" ]; then
@@ -286,7 +297,8 @@ fi
 # POST-CHECK: FK fields must NOT be plain text inputs — use EntityLookup
 FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test | grep -v node_modules)
 if [ -n "$FORM_PAGES" ]; then
-  FK_TEXT_INPUTS=$(grep -Pn 'type=["\x27]text["\x27].*[a-z]+Id|value=\{[^}]*\.[a-z]+Id\}.*type=["\x27]text["\x27]' $FORM_PAGES 2>/dev/null)
+  # Match any input with name ending in "Id" (except hidden inputs)
+  FK_TEXT_INPUTS=$(grep -Pn '<input[^>]*name=["\x27][a-zA-Z]*Id["\x27]' $FORM_PAGES 2>/dev/null | grep -v 'type=["\x27]hidden["\x27]')
   if [ -n "$FK_TEXT_INPUTS" ]; then
     echo "BLOCKING: FK Guid fields rendered as plain text inputs — MUST use EntityLookup"
     echo "See smartstack-frontend.md section 6 for the EntityLookup pattern"
@@ -313,6 +325,74 @@ if [ -n "$CTRL_FILES" ]; then
     fi
   done
 fi
+
+# POST-CHECK: Route seed data vs frontend cross-validation
+SEED_NAV_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" 2>/dev/null)
+APP_TSX=$(find src/ -name "App.tsx" -not -path "*/node_modules/*" 2>/dev/null | head -1)
+if [ -n "$SEED_NAV_FILES" ] && [ -n "$APP_TSX" ]; then
+  SEED_ROUTES=$(grep -ohP 'Route\s*=\s*"([^"]+)"' $SEED_NAV_FILES | sed 's/Route\s*=\s*"//' | sed 's/"//' | sort -u)
+  CLIENT_PATHS=$(grep -ohP "path:\s*['\"]([^'\"]+)['\"]" "$APP_TSX" | sed "s/path:\s*['\"]//;s/['\"]//" | sort -u)
+  if [ -n "$SEED_ROUTES" ] && [ -z "$CLIENT_PATHS" ]; then
+    echo "WARNING: Seed data has navigation routes but App.tsx has no client routes defined"
+  fi
+fi
+
+# POST-CHECK: HasQueryFilter anti-pattern
+CONFIG_FILES=$(find src/ -path "*/Configurations/*" -name "*Configuration.cs" 2>/dev/null)
+if [ -n "$CONFIG_FILES" ]; then
+  BAD_FILTER=$(grep -Pn 'HasQueryFilter.*Guid\.Empty' $CONFIG_FILES 2>/dev/null)
+  if [ -n "$BAD_FILTER" ]; then
+    echo "BLOCKING: HasQueryFilter uses Guid.Empty — must use runtime tenant filter"
+    echo "$BAD_FILTER"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: PaginatedResult<T> for GetAll
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_GETALL=$(grep -Pn 'Task<(List|IEnumerable|IList|ICollection)<' $SERVICE_FILES 2>/dev/null | grep -i "getall")
+  if [ -n "$BAD_GETALL" ]; then
+    echo "BLOCKING: GetAll methods must return PaginatedResult<T>, not List/IEnumerable"
+    echo "$BAD_GETALL"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: i18n required key structure
+FR_I18N_FILES=$(find src/i18n/locales/fr/ -name "*.json" 2>/dev/null)
+if [ -n "$FR_I18N_FILES" ]; then
+  for f in $FR_I18N_FILES; do
+    BASENAME=$(basename "$f")
+    case "$BASENAME" in common.json|navigation.json) continue;; esac
+    for KEY in "actions" "labels" "errors"; do
+      if ! grep -q "\"$KEY\"" "$f"; then
+        echo "WARNING: i18n file missing required key '$KEY': $f"
+      fi
+    done
+  done
+fi
+
+# POST-CHECK: IAuditableEntity + Validator pairing
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/Business/*" -name "*.cs" 2>/dev/null)
+if [ -n "$ENTITY_FILES" ]; then
+  for f in $ENTITY_FILES; do
+    if grep -q "ITenantEntity" "$f" && ! grep -q "IAuditableEntity" "$f"; then
+      echo "WARNING: Entity has ITenantEntity but missing IAuditableEntity: $f"
+    fi
+  done
+fi
+CREATE_VALIDATORS=$(find src/ -path "*/Validators/*" -name "Create*Validator.cs" 2>/dev/null)
+if [ -n "$CREATE_VALIDATORS" ]; then
+  for CV in $CREATE_VALIDATORS; do
+    UV=$(echo "$CV" | sed 's/Create/Update/')
+    if [ ! -f "$UV" ]; then
+      echo "BLOCKING: CreateValidator without matching UpdateValidator: $CV"
+      echo "Expected: $UV"
+      exit 1
+    fi
+  done
+fi
 ```
 
 **Error resolution cycle (ALL categories):**

package/templates/skills/validate-feature/steps/step-01-compile.md

@@ -15,9 +15,12 @@ next_step: steps/step-02-unit-tests.md
 ls *.sln 2>/dev/null || find . -maxdepth 2 -name "*.sln" -type f
 ```
 
-### 2. Build the entire solution
+### 2. Cleanup & Build
 
 ```bash
+# Cleanup corrupted EF Core design-time artifacts (Roslyn BuildHost bug on Windows)
+for d in src/*/bin?Debug; do [ -d "$d" ] && echo "Removing corrupted artifact: $d" && rm -rf "$d"; done
+
 dotnet build {SolutionFile} --verbosity minimal
 ```