@atlashub/smartstack-cli 3.24.0 → 3.26.0

package/templates/skills/ralph-loop/references/core-seed-data.md

@@ -75,11 +75,20 @@ From `seedDataCore.navigationApplications[0]` in feature.json (generated by BA s
 
 ### GUID Generation Rule
 
+> **CRITICAL — NavigationContext IDs are NEVER generated as deterministic GUIDs.**
+> Contexts (`business`, `platform`, `personal`) are pre-seeded by SmartStack core with hardcoded GUIDs.
+> The `contextId` parameter in `GetApplicationEntry(Guid contextId)` is resolved at runtime
+> by querying `db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == "business", ct)`.
+> **FORBIDDEN:** `GenerateDeterministicGuid("nav:business")` or any ContextId constant in SeedConstants.
+
 ```csharp
-// Deterministic GUID from context + application code
+// Deterministic GUID for APPLICATION (not context — contexts are pre-seeded by SmartStack core)
 public static readonly Guid ApplicationId =
     GenerateDeterministicGuid("navigation-application-{contextCode}.{appCode}");
 // Example: GenerateDeterministicGuid("navigation-application-business.humanresources")
+//
+// FORBIDDEN — Context IDs must NOT be generated:
+// public static readonly Guid BusinessContextId = GenerateDeterministicGuid("nav:business"); // WRONG!
 ```
 
 ### Template
@@ -723,20 +732,33 @@ If MCP `generate_permissions` fails, use the template above directly with values
 
 Creates the 4 standard application-scoped roles: Admin, Manager, Contributor, Viewer.
 
+> **CRITICAL — SmartStack core MAY already provide system roles (admin, manager, contributor, viewer).**
+> If system roles already exist in `auth_Roles`, do NOT create duplicates.
+> `SeedRolesAsync()` MUST check existence by Code, not just by ApplicationId.
+> **For RolePermission mappings:** ALWAYS look up roles by Code at runtime (in `SeedRolePermissionsAsync()`).
+> **FORBIDDEN:** Using `GenerateRoleGuid()`, `DeterministicGuid("role:admin")`, or any hardcoded role GUID
+> when creating RolePermission entries. The role GUIDs may differ from what's in the database.
+
 **CRITICAL:** This file is created **ONCE per application** (not per module).
-Without these roles, role-permission mappings in `SeedRolePermissionsAsync()` will fail silently.
 
 ### GUID Generation Rule
 
+> **WARNING:** These deterministic GUIDs are ONLY used for role creation (if roles don't already exist).
+> They MUST NEVER be used for RolePermission mapping — always look up roles by Code at runtime.
+
 ```csharp
 // Deterministic GUID from application ID + role type
+// WARNING: Only for role creation. NEVER use these GUIDs for RolePermission mapping.
+// RolePermissions MUST resolve roles by Code at runtime (see SeedRolePermissionsAsync).
 private static Guid GenerateRoleGuid(string roleType)
 {
     using var sha256 = System.Security.Cryptography.SHA256.Create();
     var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
     return new Guid(hash.Take(16).ToArray());
 }
-// roleType values: "admin", "manager", "contributor", "viewer"
+// FORBIDDEN in RolePermission mapping:
+// var roleId = GenerateRoleGuid("admin");     // WRONG — GUID may not match DB
+// var roleId = DeterministicGuid("role:admin"); // WRONG — use Code lookup instead
 ```
 
 ### Template
@@ -841,6 +863,11 @@ public class ApplicationRoleSeedEntry
 
 **File:** `Infrastructure/Persistence/Seeding/Data/{ModulePascal}/RolesSeedData.cs`
 
+> **CRITICAL:** This file uses `RoleCode` (string), NOT role GUIDs.
+> Roles are resolved by Code at runtime in `SeedRolePermissionsAsync()`.
+> **FORBIDDEN:** `DeterministicGuid("role:admin")`, `GenerateRoleGuid("admin")`, or any hardcoded Guid for roles.
+> SmartStack core pre-seeds system roles — their IDs are NOT deterministic from the client perspective.
+
 ### Context-Based Role Mapping
 
 | Context | Admin | Manager | Contributor | Viewer |
@@ -1019,15 +1046,17 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
     public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
     {
-        // Check idempotence
-        var applicationId = ApplicationRolesSeedData.ApplicationId;
-        var exists = await context.Roles
-            .AnyAsync(r => r.ApplicationId == applicationId, ct);
-        if (exists) return;
+        // Check idempotence — verify by Code (roles may already exist from SmartStack core)
+        var existingRoleCodes = await context.Roles
+            .Where(r => r.Code == "admin" || r.Code == "manager" || r.Code == "contributor" || r.Code == "viewer")
+            .Select(r => r.Code)
+            .ToListAsync(ct);
 
-        // Create application-scoped roles (Admin, Manager, Contributor, Viewer)
+        // Only create roles that don't already exist (SmartStack core may pre-seed system roles)
         foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
         {
+            if (existingRoleCodes.Contains(entry.Code)) continue; // Skip if already exists
+
             var role = Role.Create(
                 entry.Code,
                 entry.Name,
@@ -1072,7 +1101,9 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
             .AnyAsync(rp => rp.Permission!.Path.StartsWith("{contextCode}.{appCode}."), ct);
         if (exists) return;
 
-        // Resolve roles by Code
+        // CRITICAL: Resolve roles by Code from DB — NEVER use deterministic GUIDs.
+        // System roles (admin, manager, contributor, viewer) are pre-seeded by SmartStack core
+        // with their own IDs that do NOT match DeterministicGuid("role:admin").
         var roles = await context.Roles
             .Where(r => r.ApplicationId != null || r.IsSystem)
             .ToListAsync(ct);
@@ -1159,6 +1190,8 @@ Before marking the task as completed, verify ALL:
 **Application-Level (FIRST — before modules):**
 - [ ] `NavigationApplicationSeedData.cs` created (once per application, at `Infrastructure/Persistence/Seeding/Data/`)
 - [ ] Application GUID is deterministic (SHA256 of `"navigation-application-{contextCode}.{appCode}"`)
+- [ ] **NO ContextId constant in SeedConstants** — Context IDs are pre-seeded by SmartStack core (hardcoded GUIDs, NOT deterministic)
+- [ ] **SeedDataProvider queries context by code at runtime:** `db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == "{contextCode}", ct)`
 - [ ] Application translations created (4 languages: fr, en, it, de, EntityType = Application)
 - [ ] `IClientSeedDataProvider.SeedNavigationAsync()` uses `NavigationApplicationSeedData` (NO hardcoded `{appLabel_en}` / `{appIcon}` placeholders)
 - [ ] `ApplicationRolesSeedData.ApplicationId` references `NavigationApplicationSeedData.ApplicationId` (NO `{ApplicationGuid}` placeholder)
@@ -1172,6 +1205,8 @@ Before marking the task as completed, verify ALL:
 - [ ] `Permissions.cs` constants match seed data paths
 - [ ] MCP `generate_permissions` called (or fallback used)
 - [ ] Role-permission mappings assigned (Admin, Manager, Contributor, Viewer)
+- [ ] **RolePermission mappings use Code-based lookup** — NEVER `DeterministicGuid("role:admin")` or `GenerateRoleGuid()`
+- [ ] **SeedRolesAsync checks existence by Code** — SmartStack core may pre-seed system roles
 - [ ] `IClientSeedDataProvider` generated with 4 methods (Navigation, Roles, Permissions, RolePermissions)
 - [ ] Execution order: Navigation (application → modules → sections → resources) → Roles → Permissions → RolePermissions
 - [ ] Each Seed method is idempotent (checks existence before inserting)

package/templates/skills/ralph-loop/steps/step-02-execute.md

@@ -271,6 +271,17 @@ if [ -n "$LIST_PAGES" ]; then
   done
 fi
 
+# First check: at least one test file must exist in pages/
+PAGE_FILES=$(find src/pages/ -name "*.tsx" ! -name "*.test.tsx" 2>/dev/null)
+if [ -n "$PAGE_FILES" ]; then
+  TEST_FILES=$(find src/pages/ -name "*.test.tsx" 2>/dev/null)
+  if [ -z "$TEST_FILES" ]; then
+    echo "BLOCKING: No frontend test files found in src/pages/"
+    echo "Every module with pages MUST have at least one .test.tsx file"
+    exit 1
+  fi
+fi
+
 # POST-CHECK: Form pages must have companion test files
 FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test)
 if [ -n "$FORM_PAGES" ]; then
@@ -286,7 +297,8 @@ fi
 # POST-CHECK: FK fields must NOT be plain text inputs — use EntityLookup
 FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test | grep -v node_modules)
 if [ -n "$FORM_PAGES" ]; then
-  FK_TEXT_INPUTS=$(grep -Pn 'type=["\x27]text["\x27].*[a-z]+Id|value=\{[^}]*\.[a-z]+Id\}.*type=["\x27]text["\x27]' $FORM_PAGES 2>/dev/null)
+  # Match any input with name ending in "Id" (except hidden inputs)
+  FK_TEXT_INPUTS=$(grep -Pn '<input[^>]*name=["\x27][a-zA-Z]*Id["\x27]' $FORM_PAGES 2>/dev/null | grep -v 'type=["\x27]hidden["\x27]')
   if [ -n "$FK_TEXT_INPUTS" ]; then
     echo "BLOCKING: FK Guid fields rendered as plain text inputs — MUST use EntityLookup"
     echo "See smartstack-frontend.md section 6 for the EntityLookup pattern"
@@ -313,6 +325,121 @@ if [ -n "$CTRL_FILES" ]; then
     fi
   done
 fi
+
+# POST-CHECK: Route seed data vs frontend cross-validation
+SEED_NAV_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" 2>/dev/null)
+APP_TSX=$(find src/ -name "App.tsx" -not -path "*/node_modules/*" 2>/dev/null | head -1)
+if [ -n "$SEED_NAV_FILES" ] && [ -n "$APP_TSX" ]; then
+  SEED_ROUTES=$(grep -ohP 'Route\s*=\s*"([^"]+)"' $SEED_NAV_FILES | sed 's/Route\s*=\s*"//' | sed 's/"//' | sort -u)
+  CLIENT_PATHS=$(grep -ohP "path:\s*['\"]([^'\"]+)['\"]" "$APP_TSX" | sed "s/path:\s*['\"]//;s/['\"]//" | sort -u)
+  if [ -n "$SEED_ROUTES" ] && [ -z "$CLIENT_PATHS" ]; then
+    echo "WARNING: Seed data has navigation routes but App.tsx has no client routes defined"
+  fi
+fi
+
+# POST-CHECK: HasQueryFilter anti-pattern
+CONFIG_FILES=$(find src/ -path "*/Configurations/*" -name "*Configuration.cs" 2>/dev/null)
+if [ -n "$CONFIG_FILES" ]; then
+  BAD_FILTER=$(grep -Pn 'HasQueryFilter.*Guid\.Empty' $CONFIG_FILES 2>/dev/null)
+  if [ -n "$BAD_FILTER" ]; then
+    echo "BLOCKING: HasQueryFilter uses Guid.Empty — must use runtime tenant filter"
+    echo "$BAD_FILTER"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: PaginatedResult<T> for GetAll
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_GETALL=$(grep -Pn 'Task<(List|IEnumerable|IList|ICollection)<' $SERVICE_FILES 2>/dev/null | grep -i "getall")
+  if [ -n "$BAD_GETALL" ]; then
+    echo "BLOCKING: GetAll methods must return PaginatedResult<T>, not List/IEnumerable"
+    echo "$BAD_GETALL"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: i18n required key structure
+FR_I18N_FILES=$(find src/i18n/locales/fr/ -name "*.json" 2>/dev/null)
+if [ -n "$FR_I18N_FILES" ]; then
+  for f in $FR_I18N_FILES; do
+    BASENAME=$(basename "$f")
+    case "$BASENAME" in common.json|navigation.json) continue;; esac
+    for KEY in "actions" "labels" "errors"; do
+      if ! grep -q "\"$KEY\"" "$f"; then
+        echo "WARNING: i18n file missing required key '$KEY': $f"
+      fi
+    done
+  done
+fi
+
+# POST-CHECK: SeedConstants must NOT contain ContextId (pre-seeded by SmartStack core)
+SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
+if [ -n "$SEED_CONST_FILES" ]; then
+  BAD_CTX=$(grep -Pn 'ContextId\s*=' $SEED_CONST_FILES 2>/dev/null)
+  if [ -n "$BAD_CTX" ]; then
+    echo "BLOCKING: SeedConstants must NOT contain a ContextId constant"
+    echo "Context IDs are pre-seeded by SmartStack core — look up by code at runtime"
+    echo "$BAD_CTX"
+    exit 1
+  fi
+fi
+SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_ALL_FILES" ]; then
+  BAD_CTX_GUID=$(grep -Pn 'DeterministicGuid\("nav:(business|platform|personal)"\)' $SEED_ALL_FILES 2>/dev/null)
+  if [ -n "$BAD_CTX_GUID" ]; then
+    echo "BLOCKING: Deterministic GUID for NavigationContext detected"
+    echo "Fix: Look up context by code at runtime in SeedDataProvider.SeedNavigationAsync()"
+    echo "$BAD_CTX_GUID"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: RolePermission seed data must NOT use deterministic role GUIDs
+SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
+if [ -n "$SEED_ALL_FILES" ]; then
+  BAD_ROLE_GUID=$(grep -Pn 'DeterministicGuid\("role:' $SEED_ALL_FILES $SEED_CONST_FILES 2>/dev/null)
+  if [ -n "$BAD_ROLE_GUID" ]; then
+    echo "BLOCKING: Deterministic GUID for role detected"
+    echo "System roles are pre-seeded by SmartStack core — look up by Code at runtime"
+    echo "$BAD_ROLE_GUID"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: Services must NOT use TenantId!.Value (crashes with 500 instead of 401)
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_PATTERN=$(grep -Pn 'TenantId!\s*\.Value|TenantId!\s*\.ToString|\.TenantId!' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_PATTERN" ]; then
+    echo "BLOCKING: TenantId!.Value causes 500 when tenant context is missing"
+    echo "Fix: var tenantId = _currentTenant.TenantId ?? throw new UnauthorizedAccessException(\"Tenant context is required\");"
+    echo "$BAD_PATTERN"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: IAuditableEntity + Validator pairing
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/Business/*" -name "*.cs" 2>/dev/null)
+if [ -n "$ENTITY_FILES" ]; then
+  for f in $ENTITY_FILES; do
+    if grep -q "ITenantEntity" "$f" && ! grep -q "IAuditableEntity" "$f"; then
+      echo "WARNING: Entity has ITenantEntity but missing IAuditableEntity: $f"
+    fi
+  done
+fi
+CREATE_VALIDATORS=$(find src/ -path "*/Validators/*" -name "Create*Validator.cs" 2>/dev/null)
+if [ -n "$CREATE_VALIDATORS" ]; then
+  for CV in $CREATE_VALIDATORS; do
+    UV=$(echo "$CV" | sed 's/Create/Update/')
+    if [ ! -f "$UV" ]; then
+      echo "BLOCKING: CreateValidator without matching UpdateValidator: $CV"
+      echo "Expected: $UV"
+      exit 1
+    fi
+  done
+fi
 ```
 
 **Error resolution cycle (ALL categories):**

package/templates/skills/validate-feature/steps/step-01-compile.md

@@ -15,9 +15,12 @@ next_step: steps/step-02-unit-tests.md
 ls *.sln 2>/dev/null || find . -maxdepth 2 -name "*.sln" -type f
 ```
 
-### 2. Build the entire solution
+### 2. Cleanup & Build
 
 ```bash
+# Cleanup corrupted EF Core design-time artifacts (Roslyn BuildHost bug on Windows)
+for d in src/*/bin?Debug; do [ -d "$d" ] && echo "Removing corrupted artifact: $d" && rm -rf "$d"; done
+
 dotnet build {SolutionFile} --verbosity minimal
 ```