@atlashub/smartstack-cli 3.24.0 → 3.26.0

package/templates/skills/apex/references/post-checks.md

@@ -0,0 +1,457 @@
+# BLOCKING POST-CHECKs
+
+> **Referenced by:** step-04-examine.md (section 6b)
+> These checks run on the actual generated files. Model-interpreted checks are unreliable.
+
+### POST-CHECK 1: Navigation routes must be full paths starting with /
+
+```bash
+# Find all seed data files and check route values
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_FILES" ]; then
+  # Check for short routes (no leading /) in Create() calls for navigation entities
+  BAD_ROUTES=$(grep -Pn 'NavigationApplication\.Create\(|NavigationModule\.Create\(|NavigationSection\.Create\(|NavigationResource\.Create\(' $SEED_FILES | grep -v '"/[a-z]')
+  if [ -n "$BAD_ROUTES" ]; then
+    echo "BLOCKING: Navigation routes must be full paths starting with /"
+    echo "$BAD_ROUTES"
+    echo "Expected: \"/business/human-resources\" NOT \"humanresources\""
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 2: All services must filter by TenantId (OWASP A01)
+
+```bash
+# Find all service implementation files
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  # Check each service file has TenantId reference (either _currentUser.TenantId or TenantId filter)
+  for f in $SERVICE_FILES; do
+    if ! grep -q "TenantId" "$f"; then
+      echo "BLOCKING (OWASP A01): Service missing TenantId filter: $f"
+      echo "Every service query MUST filter by _currentUser.TenantId"
+      exit 1
+    fi
+    if grep -q "Guid.Empty" "$f"; then
+      echo "BLOCKING (OWASP A01): Service uses Guid.Empty instead of _currentUser.TenantId: $f"
+      exit 1
+    fi
+  done
+fi
+```
+
+### POST-CHECK 3: Controllers must use [RequirePermission], not just [Authorize]
+
+```bash
+# Find all controller files
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  for f in $CTRL_FILES; do
+    # Check controller has at least one RequirePermission attribute
+    if grep -q "\[Authorize\]" "$f" && ! grep -q "\[RequirePermission" "$f"; then
+      echo "WARNING: Controller uses [Authorize] without [RequirePermission]: $f"
+      echo "Use [RequirePermission(Permissions.{Module}.{Action})] on each endpoint"
+    fi
+  done
+fi
+```
+
+### POST-CHECK 4: Seed data must not use Guid.NewGuid()
+
+```bash
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_FILES" ]; then
+  BAD_GUIDS=$(grep -n "Guid.NewGuid()" $SEED_FILES 2>/dev/null)
+  if [ -n "$BAD_GUIDS" ]; then
+    echo "BLOCKING: Seed data must use deterministic GUIDs (SHA256), not Guid.NewGuid()"
+    echo "$BAD_GUIDS"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 5: Services must inject ICurrentTenantService (tenant isolation)
+
+```bash
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  for f in $SERVICE_FILES; do
+    # Accept either ICurrentTenantService or ICurrentUser (legacy) for tenant context
+    if ! grep -qE "ICurrentTenantService|ICurrentUser" "$f"; then
+      echo "BLOCKING: Service missing tenant context injection: $f"
+      echo "All services MUST inject ICurrentTenantService for tenant isolation"
+      echo "Pattern: private readonly ICurrentTenantService _currentTenant;"
+      exit 1
+    fi
+  done
+fi
+```
+
+### POST-CHECK 6: Translation files must exist for all 4 languages (if frontend)
+
+```bash
+# Find all i18n namespaces used in tsx files
+TSX_FILES=$(find src/pages/ -name "*.tsx" 2>/dev/null)
+if [ -n "$TSX_FILES" ]; then
+  NAMESPACES=$(grep -ohP "useTranslation\(\[?'([^']+)" $TSX_FILES | sed "s/.*'//" | sort -u)
+  for NS in $NAMESPACES; do
+    for LANG in fr en it de; do
+      if [ ! -f "src/i18n/locales/$LANG/$NS.json" ]; then
+        echo "BLOCKING: Missing translation file: src/i18n/locales/$LANG/$NS.json"
+        exit 1
+      fi
+    done
+  done
+fi
+```
+
+### POST-CHECK 7: Pages must use lazy loading (no static page imports in routes)
+
+```bash
+ROUTE_FILES=$(find src/routes/ -name "*.tsx" -o -name "*.ts" 2>/dev/null)
+if [ -n "$ROUTE_FILES" ]; then
+  STATIC_PAGE_IMPORTS=$(grep -Pn "^import .+ from '@/pages/" $ROUTE_FILES 2>/dev/null)
+  if [ -n "$STATIC_PAGE_IMPORTS" ]; then
+    echo "BLOCKING: Route files must use React.lazy() for page imports, not static imports"
+    echo "$STATIC_PAGE_IMPORTS"
+    echo "Fix: const Page = lazy(() => import('@/pages/...').then(m => ({ default: m.Page })));"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 8: Forms must be full pages with routes — ZERO modals/popups/drawers
+
+```bash
+# Check for modal/dialog/drawer imports in page files (create/edit forms)
+PAGE_FILES=$(find src/pages/ -name "*.tsx" 2>/dev/null)
+if [ -n "$PAGE_FILES" ]; then
+  MODAL_IMPORTS=$(grep -Pn "import.*(?:Modal|Dialog|Drawer|Popup|Sheet)" $PAGE_FILES 2>/dev/null)
+  if [ -n "$MODAL_IMPORTS" ]; then
+    echo "BLOCKING: Form pages must NOT use Modal/Dialog/Drawer/Popup components"
+    echo "Create/Edit forms MUST be full pages with their own URL routes"
+    echo "Found modal imports in page files:"
+    echo "$MODAL_IMPORTS"
+    echo "Fix: Create EntityCreatePage.tsx with route /create and EntityEditPage.tsx with route /:id/edit"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 9: Create/Edit pages must exist as separate route pages
+
+```bash
+# For each module with a list page, verify create and edit pages exist
+LIST_PAGES=$(find src/pages/ -name "*ListPage.tsx" -o -name "*sPage.tsx" 2>/dev/null | grep -v test)
+if [ -n "$LIST_PAGES" ]; then
+  for LIST_PAGE in $LIST_PAGES; do
+    PAGE_DIR=$(dirname "$LIST_PAGE")
+    MODULE_NAME=$(basename "$PAGE_DIR")
+    # Check for create page
+    CREATE_PAGE=$(find "$PAGE_DIR" -name "*CreatePage.tsx" 2>/dev/null)
+    if [ -z "$CREATE_PAGE" ]; then
+      echo "WARNING: Module $MODULE_NAME has a list page but no CreatePage — expected EntityCreatePage.tsx"
+    fi
+    # Check for edit page
+    EDIT_PAGE=$(find "$PAGE_DIR" -name "*EditPage.tsx" 2>/dev/null)
+    if [ -z "$EDIT_PAGE" ]; then
+      echo "WARNING: Module $MODULE_NAME has a list page but no EditPage — expected EntityEditPage.tsx"
+    fi
+  done
+fi
+```
+
+### POST-CHECK 10: Form pages must have companion test files
+
+```bash
+# Minimum requirement: if frontend pages exist, at least 1 test file must be present
+PAGE_FILES=$(find src/pages/ -name "*.tsx" ! -name "*.test.tsx" 2>/dev/null)
+if [ -n "$PAGE_FILES" ]; then
+  ALL_TESTS=$(find src/pages/ -name "*.test.tsx" 2>/dev/null)
+  if [ -z "$ALL_TESTS" ]; then
+    echo "BLOCKING: No frontend test files found in src/pages/"
+    echo "Every form page MUST have a companion .test.tsx file"
+    exit 1
+  fi
+fi
+
+# Every CreatePage and EditPage must have a .test.tsx file
+FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test)
+if [ -n "$FORM_PAGES" ]; then
+  for FORM_PAGE in $FORM_PAGES; do
+    TEST_FILE="${FORM_PAGE%.tsx}.test.tsx"
+    if [ ! -f "$TEST_FILE" ]; then
+      echo "BLOCKING: Form page missing test file: $FORM_PAGE"
+      echo "Expected: $TEST_FILE"
+      echo "All form pages MUST have companion test files (rendering, validation, submit, navigation)"
+      exit 1
+    fi
+  done
+fi
+```
+
+### POST-CHECK 11: FK fields must NOT be plain text inputs (EntityLookup required)
+
+```bash
+# Check for FK fields rendered as plain text inputs in form pages
+FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test | grep -v node_modules)
+if [ -n "$FORM_PAGES" ]; then
+  # Detect FK input fields: <input> with name ending in "Id" (catches inputs with or without explicit type)
+  FK_INPUTS=$(grep -Pn '<input[^>]*name=["\x27][a-zA-Z]*Id["\x27]' $FORM_PAGES 2>/dev/null)
+  if [ -n "$FK_INPUTS" ]; then
+    # Filter out hidden inputs (legitimate for FK submission)
+    FK_TEXT_INPUTS=$(echo "$FK_INPUTS" | grep -Pv 'type=["\x27]hidden["\x27]')
+    if [ -n "$FK_TEXT_INPUTS" ]; then
+      echo "BLOCKING: FK fields rendered as plain text inputs — MUST use EntityLookup component"
+      echo "Users cannot type GUIDs manually. Use <EntityLookup /> from @/components/ui/EntityLookup"
+      echo "See smartstack-frontend.md section 6 for the EntityLookup pattern"
+      echo "$FK_TEXT_INPUTS"
+      exit 1
+    fi
+  fi
+
+  # Check for input placeholders mentioning "ID" or "id" or "Enter...Id"
+  FK_PLACEHOLDER=$(grep -Pn 'placeholder=["\x27].*[Ee]nter.*[Ii][Dd]|placeholder=["\x27].*[Gg][Uu][Ii][Dd]' $FORM_PAGES 2>/dev/null)
+  if [ -n "$FK_PLACEHOLDER" ]; then
+    echo "BLOCKING: Form has placeholder asking user to enter an ID/GUID — use EntityLookup instead"
+    echo "$FK_PLACEHOLDER"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 12: Backend APIs must support search parameter for EntityLookup
+
+```bash
+# Check that controller GetAll methods accept search parameter
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  for f in $CTRL_FILES; do
+    # Check if controller has GetAll but no search parameter
+    if grep -q "\[HttpGet\]" "$f" && grep -q "GetAll" "$f"; then
+      if ! grep -q "search" "$f"; then
+        echo "WARNING: Controller missing search parameter on GetAll: $f"
+        echo "GetAll endpoints MUST accept ?search= to enable EntityLookup on frontend"
+        echo "Fix: Add [FromQuery] string? search parameter to GetAll action"
+      fi
+    fi
+  done
+fi
+```
+
+### POST-CHECK 13: No hardcoded Tailwind colors in generated pages
+
+```bash
+# Scan all page and component files directly (works for uncommitted/untracked files, Windows/WSL compatible)
+ALL_PAGES=$(find src/pages/ src/components/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\.")
+if [ -n "$ALL_PAGES" ]; then
+  HARDCODED=$(grep -Pn '(bg|text|border)-(?!\[)(red|blue|green|gray|white|black|slate|zinc|neutral|stone)-' $ALL_PAGES 2>/dev/null)
+  if [ -n "$HARDCODED" ]; then
+    echo "WARNING: Pages should use CSS variables instead of hardcoded Tailwind colors"
+    echo "Fix: bg-[var(--bg-card)] instead of bg-white, text-[var(--text-primary)] instead of text-gray-900"
+    echo "$HARDCODED"
+  fi
+fi
+```
+
+### POST-CHECK 14: Routes seed data must match frontend contextRoutes
+
+```bash
+SEED_ROUTES=$(grep -Poh 'Route\s*=\s*"([^"]+)"' $(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" 2>/dev/null) 2>/dev/null | grep -oP '"[^"]+"' | tr -d '"' | sort -u)
+APP_TSX=$(find src/ -name "App.tsx" -not -path "*/node_modules/*" 2>/dev/null | head -1)
+if [ -n "$APP_TSX" ] && [ -n "$SEED_ROUTES" ]; then
+  FRONTEND_PATHS=$(grep -oP "path:\s*'([^']+)'" "$APP_TSX" | grep -oP "'[^']+'" | tr -d "'" | sort -u)
+  if [ -n "$FRONTEND_PATHS" ]; then
+    MISMATCH_FOUND=false
+    for SEED_ROUTE in $SEED_ROUTES; do
+      DEPTH=$(echo "$SEED_ROUTE" | tr '/' '\n' | grep -c '.')
+      if [ "$DEPTH" -lt 3 ]; then continue; fi
+      SEED_SUFFIX=$(echo "$SEED_ROUTE" | sed 's|^/[^/]*/||')
+      SEED_NORM=$(echo "$SEED_SUFFIX" | tr '[:upper:]' '[:lower:]' | tr -d '-')
+      MATCH_FOUND=false
+      for FE_PATH in $FRONTEND_PATHS; do
+        FE_BASE=$(echo "$FE_PATH" | sed 's|/list$||;s|/new$||;s|/:id.*||;s|/create$||')
+        FE_NORM=$(echo "$FE_BASE" | tr '[:upper:]' '[:lower:]' | tr -d '-')
+        if [ "$SEED_NORM" = "$FE_NORM" ]; then
+          MATCH_FOUND=true
+          break
+        fi
+      done
+      if [ "$MATCH_FOUND" = false ]; then
+        echo "BLOCKING: Seed data route has no matching frontend route: $SEED_ROUTE"
+        MISMATCH_FOUND=true
+      fi
+    done
+    if [ "$MISMATCH_FOUND" = true ]; then
+      echo "Fix: Ensure every NavigationSeedData route has a corresponding contextRoutes entry in App.tsx"
+      exit 1
+    fi
+  fi
+fi
+```
+
+### POST-CHECK 15: HasQueryFilter must not use Guid.Empty (OWASP A01)
+
+```bash
+CONFIG_FILES=$(find src/ -path "*/Configurations/*" -name "*Configuration.cs" 2>/dev/null)
+if [ -n "$CONFIG_FILES" ]; then
+  BAD_FILTERS=$(grep -Pn 'HasQueryFilter.*Guid\.Empty' $CONFIG_FILES 2>/dev/null)
+  if [ -n "$BAD_FILTERS" ]; then
+    echo "BLOCKING (OWASP A01): HasQueryFilter uses Guid.Empty instead of runtime tenant isolation"
+    echo "$BAD_FILTERS"
+    echo ""
+    echo "Anti-pattern: .HasQueryFilter(e => e.TenantId != Guid.Empty)"
+    echo "Fix: Remove HasQueryFilter. Tenant isolation is handled by SmartStack base DbContext"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 16: GetAll methods must return PaginatedResult<T>
+
+```bash
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_RETURNS=$(grep -Pn '(Task<\s*(?:List|IEnumerable|IList|ICollection|IReadOnlyList|IReadOnlyCollection)<).*GetAll' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_RETURNS" ]; then
+    echo "BLOCKING: GetAll methods must return PaginatedResult<T>, not List/IEnumerable"
+    echo "$BAD_RETURNS"
+    echo "Fix: Change return type to Task<PaginatedResult<{Entity}ResponseDto>>"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 17: i18n files must contain required structural keys
+
+```bash
+I18N_DIR="src/i18n/locales/fr"
+if [ -d "$I18N_DIR" ]; then
+  REQUIRED_KEYS="actions columns empty errors form labels messages validation"
+  for JSON_FILE in "$I18N_DIR"/*.json; do
+    [ ! -f "$JSON_FILE" ] && continue
+    BASENAME=$(basename "$JSON_FILE")
+    case "$BASENAME" in common.json|navigation.json) continue;; esac
+    for KEY in $REQUIRED_KEYS; do
+      if ! jq -e "has(\"$KEY\")" "$JSON_FILE" > /dev/null 2>&1; then
+        echo "BLOCKING: i18n file missing required key '$KEY': $JSON_FILE"
+        echo "Module i18n files MUST contain: $REQUIRED_KEYS"
+        exit 1
+      fi
+    done
+  done
+fi
+```
+
+### POST-CHECK 18: Entities must implement IAuditableEntity + Validators must have Create/Update pairs
+
+```bash
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null)
+if [ -n "$ENTITY_FILES" ]; then
+  for f in $ENTITY_FILES; do
+    if grep -q "ITenantEntity" "$f" && ! grep -q "IAuditableEntity" "$f"; then
+      echo "BLOCKING: Entity implements ITenantEntity but NOT IAuditableEntity: $f"
+      echo "Pattern: public class Entity : BaseEntity, ITenantEntity, IAuditableEntity"
+      exit 1
+    fi
+  done
+fi
+CREATE_VALIDATORS=$(find src/ -path "*/Validators/*" -name "Create*Validator.cs" 2>/dev/null)
+if [ -n "$CREATE_VALIDATORS" ]; then
+  for f in $CREATE_VALIDATORS; do
+    VALIDATOR_DIR=$(dirname "$f")
+    ENTITY_NAME=$(basename "$f" | sed 's/^Create\(.*\)Validator\.cs$/\1/')
+    if [ ! -f "$VALIDATOR_DIR/Update${ENTITY_NAME}Validator.cs" ]; then
+      echo "BLOCKING: Create${ENTITY_NAME}Validator exists but Update${ENTITY_NAME}Validator is missing"
+      echo "  Found: $f"
+      echo "  Expected: $VALIDATOR_DIR/Update${ENTITY_NAME}Validator.cs"
+      exit 1
+    fi
+  done
+fi
+```
+
+### POST-CHECK 19: SeedConstants must NOT contain ContextId (pre-seeded by SmartStack core)
+
+```bash
+# NavigationContext IDs (business, platform, personal) are pre-seeded by SmartStack core
+# with hardcoded GUIDs. Client code MUST look them up by code at runtime, NEVER generate them.
+SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
+SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_CONST_FILES" ]; then
+  BAD_CONTEXT_ID=$(grep -Pn 'ContextId\s*=' $SEED_CONST_FILES 2>/dev/null)
+  if [ -n "$BAD_CONTEXT_ID" ]; then
+    echo "BLOCKING: SeedConstants must NOT contain a ContextId constant"
+    echo "NavigationContext IDs are pre-seeded by SmartStack core with hardcoded GUIDs"
+    echo "Fix: Remove ContextId from SeedConstants. In SeedDataProvider, query:"
+    echo "  var ctx = await db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == \"business\", ct);"
+    echo "$BAD_CONTEXT_ID"
+    exit 1
+  fi
+fi
+if [ -n "$SEED_ALL_FILES" ]; then
+  BAD_CTX_GUID=$(grep -Pn 'DeterministicGuid\("nav:(business|platform|personal)"\)' $SEED_ALL_FILES 2>/dev/null)
+  if [ -n "$BAD_CTX_GUID" ]; then
+    echo "BLOCKING: Deterministic GUID for NavigationContext detected"
+    echo "Context IDs (business, platform, personal) are pre-seeded by SmartStack core"
+    echo "Fix: Look up context by code at runtime in SeedDataProvider.SeedNavigationAsync()"
+    echo "$BAD_CTX_GUID"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 20: RolePermission seed data must NOT use deterministic role GUIDs
+
+```bash
+# System roles (admin, manager, contributor, viewer) are pre-seeded by SmartStack core.
+# RolePermission mappings MUST look up roles by Code at runtime, NEVER use deterministic GUIDs.
+SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
+if [ -n "$SEED_ALL_FILES" ]; then
+  BAD_ROLE_GUID=$(grep -Pn 'DeterministicGuid\("role:' $SEED_ALL_FILES $SEED_CONST_FILES 2>/dev/null)
+  if [ -n "$BAD_ROLE_GUID" ]; then
+    echo "BLOCKING: Deterministic GUID for role detected (e.g., DeterministicGuid(\"role:admin\"))"
+    echo "System roles are pre-seeded by SmartStack core with their own IDs"
+    echo "Fix: In SeedRolePermissionsAsync(), look up roles by Code:"
+    echo "  var roles = await context.Roles.Where(r => r.IsSystem || r.ApplicationId != null).ToListAsync(ct);"
+    echo "  var role = roles.FirstOrDefault(r => r.Code == mapping.RoleCode);"
+    echo "$BAD_ROLE_GUID"
+    exit 1
+  fi
+fi
+# Also check for GenerateRoleGuid usage in RolePermission mapping files (not in ApplicationRolesSeedData itself)
+ROLE_PERM_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*RolesSeedData.cs" 2>/dev/null)
+if [ -n "$ROLE_PERM_FILES" ]; then
+  BAD_ROLE_REF=$(grep -Pn 'GenerateRoleGuid|GetAdminRoleId|GetManagerRoleId|GetViewerRoleId|GetContributorRoleId' $ROLE_PERM_FILES 2>/dev/null)
+  if [ -n "$BAD_ROLE_REF" ]; then
+    echo "WARNING: RolesSeedData uses hardcoded role GUID helpers instead of Code-based lookup"
+    echo "Fix: Use RoleCode string (e.g., 'admin') and resolve in SeedRolePermissionsAsync()"
+    echo "$BAD_ROLE_REF"
+  fi
+fi
+```
+
+### POST-CHECK 21: Services must NOT use TenantId!.Value (null-forgiving crash pattern)
+
+```bash
+# The !.Value pattern on Guid? throws InvalidOperationException (500) instead of clean 401
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_PATTERN=$(grep -Pn 'TenantId!\s*\.Value|TenantId!\s*\.ToString|\.TenantId!' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_PATTERN" ]; then
+    echo "BLOCKING: Services use TenantId!.Value — causes 500 instead of 401 when tenant context is missing"
+    echo "$BAD_PATTERN"
+    echo ""
+    echo "Fix: Replace with guard clause at the start of every method:"
+    echo "  var tenantId = _currentTenant.TenantId"
+    echo "      ?? throw new UnauthorizedAccessException(\"Tenant context is required\");"
+    echo ""
+    echo "This produces a clean 401 via GlobalExceptionHandlerMiddleware instead of an opaque 500."
+    exit 1
+  fi
+fi
+```
+
+**If ANY POST-CHECK fails → fix in step-03, re-validate.**