@atlashub/smartstack-cli 3.25.0 → 3.27.0

package/templates/skills/ralph-loop/references/core-seed-data.md

@@ -75,11 +75,20 @@ From `seedDataCore.navigationApplications[0]` in feature.json (generated by BA s
 
 ### GUID Generation Rule
 
+> **CRITICAL — NavigationContext IDs are NEVER generated as deterministic GUIDs.**
+> Contexts (`business`, `platform`, `personal`) are pre-seeded by SmartStack core with hardcoded GUIDs.
+> The `contextId` parameter in `GetApplicationEntry(Guid contextId)` is resolved at runtime
+> by querying `db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == "business", ct)`.
+> **FORBIDDEN:** `GenerateDeterministicGuid("nav:business")` or any ContextId constant in SeedConstants.
+
 ```csharp
-// Deterministic GUID from context + application code
+// Deterministic GUID for APPLICATION (not context — contexts are pre-seeded by SmartStack core)
 public static readonly Guid ApplicationId =
     GenerateDeterministicGuid("navigation-application-{contextCode}.{appCode}");
 // Example: GenerateDeterministicGuid("navigation-application-business.humanresources")
+//
+// FORBIDDEN — Context IDs must NOT be generated:
+// public static readonly Guid BusinessContextId = GenerateDeterministicGuid("nav:business"); // WRONG!
 ```
 
 ### Template
@@ -723,20 +732,33 @@ If MCP `generate_permissions` fails, use the template above directly with values
 
 Creates the 4 standard application-scoped roles: Admin, Manager, Contributor, Viewer.
 
+> **CRITICAL — SmartStack core MAY already provide system roles (admin, manager, contributor, viewer).**
+> If system roles already exist in `auth_Roles`, do NOT create duplicates.
+> `SeedRolesAsync()` MUST check existence by Code, not just by ApplicationId.
+> **For RolePermission mappings:** ALWAYS look up roles by Code at runtime (in `SeedRolePermissionsAsync()`).
+> **FORBIDDEN:** Using `GenerateRoleGuid()`, `DeterministicGuid("role:admin")`, or any hardcoded role GUID
+> when creating RolePermission entries. The role GUIDs may differ from what's in the database.
+
 **CRITICAL:** This file is created **ONCE per application** (not per module).
-Without these roles, role-permission mappings in `SeedRolePermissionsAsync()` will fail silently.
 
 ### GUID Generation Rule
 
+> **WARNING:** These deterministic GUIDs are ONLY used for role creation (if roles don't already exist).
+> They MUST NEVER be used for RolePermission mapping — always look up roles by Code at runtime.
+
 ```csharp
 // Deterministic GUID from application ID + role type
+// WARNING: Only for role creation. NEVER use these GUIDs for RolePermission mapping.
+// RolePermissions MUST resolve roles by Code at runtime (see SeedRolePermissionsAsync).
 private static Guid GenerateRoleGuid(string roleType)
 {
     using var sha256 = System.Security.Cryptography.SHA256.Create();
     var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
     return new Guid(hash.Take(16).ToArray());
 }
-// roleType values: "admin", "manager", "contributor", "viewer"
+// FORBIDDEN in RolePermission mapping:
+// var roleId = GenerateRoleGuid("admin");     // WRONG — GUID may not match DB
+// var roleId = DeterministicGuid("role:admin"); // WRONG — use Code lookup instead
 ```
 
 ### Template
@@ -841,6 +863,11 @@ public class ApplicationRoleSeedEntry
 
 **File:** `Infrastructure/Persistence/Seeding/Data/{ModulePascal}/RolesSeedData.cs`
 
+> **CRITICAL:** This file uses `RoleCode` (string), NOT role GUIDs.
+> Roles are resolved by Code at runtime in `SeedRolePermissionsAsync()`.
+> **FORBIDDEN:** `DeterministicGuid("role:admin")`, `GenerateRoleGuid("admin")`, or any hardcoded Guid for roles.
+> SmartStack core pre-seeds system roles — their IDs are NOT deterministic from the client perspective.
+
 ### Context-Based Role Mapping
 
 | Context | Admin | Manager | Contributor | Viewer |
@@ -1019,15 +1046,17 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
     public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
     {
-        // Check idempotence
-        var applicationId = ApplicationRolesSeedData.ApplicationId;
-        var exists = await context.Roles
-            .AnyAsync(r => r.ApplicationId == applicationId, ct);
-        if (exists) return;
+        // Check idempotence — verify by Code (roles may already exist from SmartStack core)
+        var existingRoleCodes = await context.Roles
+            .Where(r => r.Code == "admin" || r.Code == "manager" || r.Code == "contributor" || r.Code == "viewer")
+            .Select(r => r.Code)
+            .ToListAsync(ct);
 
-        // Create application-scoped roles (Admin, Manager, Contributor, Viewer)
+        // Only create roles that don't already exist (SmartStack core may pre-seed system roles)
         foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
         {
+            if (existingRoleCodes.Contains(entry.Code)) continue; // Skip if already exists
+
             var role = Role.Create(
                 entry.Code,
                 entry.Name,
@@ -1072,7 +1101,9 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
             .AnyAsync(rp => rp.Permission!.Path.StartsWith("{contextCode}.{appCode}."), ct);
         if (exists) return;
 
-        // Resolve roles by Code
+        // CRITICAL: Resolve roles by Code from DB — NEVER use deterministic GUIDs.
+        // System roles (admin, manager, contributor, viewer) are pre-seeded by SmartStack core
+        // with their own IDs that do NOT match DeterministicGuid("role:admin").
         var roles = await context.Roles
             .Where(r => r.ApplicationId != null || r.IsSystem)
             .ToListAsync(ct);
@@ -1159,6 +1190,8 @@ Before marking the task as completed, verify ALL:
 **Application-Level (FIRST — before modules):**
 - [ ] `NavigationApplicationSeedData.cs` created (once per application, at `Infrastructure/Persistence/Seeding/Data/`)
 - [ ] Application GUID is deterministic (SHA256 of `"navigation-application-{contextCode}.{appCode}"`)
+- [ ] **NO ContextId constant in SeedConstants** — Context IDs are pre-seeded by SmartStack core (hardcoded GUIDs, NOT deterministic)
+- [ ] **SeedDataProvider queries context by code at runtime:** `db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == "{contextCode}", ct)`
 - [ ] Application translations created (4 languages: fr, en, it, de, EntityType = Application)
 - [ ] `IClientSeedDataProvider.SeedNavigationAsync()` uses `NavigationApplicationSeedData` (NO hardcoded `{appLabel_en}` / `{appIcon}` placeholders)
 - [ ] `ApplicationRolesSeedData.ApplicationId` references `NavigationApplicationSeedData.ApplicationId` (NO `{ApplicationGuid}` placeholder)
@@ -1172,6 +1205,8 @@ Before marking the task as completed, verify ALL:
 - [ ] `Permissions.cs` constants match seed data paths
 - [ ] MCP `generate_permissions` called (or fallback used)
 - [ ] Role-permission mappings assigned (Admin, Manager, Contributor, Viewer)
+- [ ] **RolePermission mappings use Code-based lookup** — NEVER `DeterministicGuid("role:admin")` or `GenerateRoleGuid()`
+- [ ] **SeedRolesAsync checks existence by Code** — SmartStack core may pre-seed system roles
 - [ ] `IClientSeedDataProvider` generated with 4 methods (Navigation, Roles, Permissions, RolePermissions)
 - [ ] Execution order: Navigation (application → modules → sections → resources) → Roles → Permissions → RolePermissions
 - [ ] Each Seed method is idempotent (checks existence before inserting)

package/templates/skills/ralph-loop/steps/step-02-execute.md

@@ -373,6 +373,53 @@ if [ -n "$FR_I18N_FILES" ]; then
   done
 fi
 
+# POST-CHECK: SeedConstants must NOT contain ContextId (pre-seeded by SmartStack core)
+SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
+if [ -n "$SEED_CONST_FILES" ]; then
+  BAD_CTX=$(grep -Pn 'ContextId\s*=' $SEED_CONST_FILES 2>/dev/null)
+  if [ -n "$BAD_CTX" ]; then
+    echo "BLOCKING: SeedConstants must NOT contain a ContextId constant"
+    echo "Context IDs are pre-seeded by SmartStack core — look up by code at runtime"
+    echo "$BAD_CTX"
+    exit 1
+  fi
+fi
+SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_ALL_FILES" ]; then
+  BAD_CTX_GUID=$(grep -Pn 'DeterministicGuid\("nav:(business|platform|personal)"\)' $SEED_ALL_FILES 2>/dev/null)
+  if [ -n "$BAD_CTX_GUID" ]; then
+    echo "BLOCKING: Deterministic GUID for NavigationContext detected"
+    echo "Fix: Look up context by code at runtime in SeedDataProvider.SeedNavigationAsync()"
+    echo "$BAD_CTX_GUID"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: RolePermission seed data must NOT use deterministic role GUIDs
+SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
+if [ -n "$SEED_ALL_FILES" ]; then
+  BAD_ROLE_GUID=$(grep -Pn 'DeterministicGuid\("role:' $SEED_ALL_FILES $SEED_CONST_FILES 2>/dev/null)
+  if [ -n "$BAD_ROLE_GUID" ]; then
+    echo "BLOCKING: Deterministic GUID for role detected"
+    echo "System roles are pre-seeded by SmartStack core — look up by Code at runtime"
+    echo "$BAD_ROLE_GUID"
+    exit 1
+  fi
+fi
+
+# POST-CHECK: Services must NOT use TenantId!.Value (crashes with 500 instead of 401)
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_PATTERN=$(grep -Pn 'TenantId!\s*\.Value|TenantId!\s*\.ToString|\.TenantId!' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_PATTERN" ]; then
+    echo "BLOCKING: TenantId!.Value causes 500 when tenant context is missing"
+    echo "Fix: var tenantId = _currentTenant.TenantId ?? throw new UnauthorizedAccessException(\"Tenant context is required\");"
+    echo "$BAD_PATTERN"
+    exit 1
+  fi
+fi
+
 # POST-CHECK: IAuditableEntity + Validator pairing
 ENTITY_FILES=$(find src/ -path "*/Domain/Entities/Business/*" -name "*.cs" 2>/dev/null)
 if [ -n "$ENTITY_FILES" ]; then