@atlashub/smartstack-cli 3.27.0 → 3.29.0

package/templates/skills/business-analyse/templates/tpl-progress.md

@@ -28,12 +28,13 @@
     □ Total: X tasks
 
   [SEEDDATA-CORE] Core Configuration (MANDATORY)
-    □ NavigationModuleConfiguration - Module navigation structure
-    □ PermissionsConfiguration - RBAC permissions setup
-    □ RolesConfiguration - Predefined roles
-    □ TenantConfiguration - Test tenants
-    □ UserConfiguration - Test users
-    Total: 5 CORE tasks
+    □ NavigationApplicationSeedData - Application navigation entry (once per app)
+    □ ApplicationRolesSeedData - Application-scoped roles (once per app)
+    □ NavigationModuleSeedData - Module navigation structure (per module)
+    □ PermissionsSeedData - RBAC permissions (per module)
+    □ RolesSeedData - Role-permission mappings (per module)
+    □ {App}SeedDataProvider - IClientSeedDataProvider (4 methods)
+    Total: 2 app-level + 3 per-module + 1 provider
 
   [SEEDDATA] Business Reference Data
     □ Seed {Entity1} reference data

package/templates/skills/ralph-loop/references/category-rules.md

@@ -79,25 +79,62 @@ Execution sequence:
 > "PermissionsSeedData", "RolesSeedData", or "IClientSeedDataProvider":
 > **THEN read `references/core-seed-data.md`** — this is MANDATORY, DO NOT improvise.
 
-**Rules:**
-- NavigationModuleSeedData.cs: deterministic GUIDs (SHA256), 4 languages (fr, en, it, de)
-- PermissionsSeedData.cs: MCP `generate_permissions` first, fallback to template
-- RolesSeedData.cs: context-based role mapping (Admin=CRUD, Manager=CRU, Contributor=CR, Viewer=R)
-- SeedConstants.cs: shared deterministic GUIDs
-- IClientSeedDataProvider: SeedNavigationAsync + SeedPermissionsAsync + SeedRolePermissionsAsync
+**Seed Data Chain (9 files minimum):**
+
+Application-level (created ONCE, shared across modules):
+- **NavigationApplicationSeedData.cs**: Application navigation entry (MUST be first). Provides ApplicationId.
+- **ApplicationRolesSeedData.cs**: 4 application-scoped roles (admin, manager, contributor, viewer). Provides role entries for SeedRolesAsync().
+
+Per-module:
+- **NavigationModuleSeedData.cs**: deterministic GUIDs (SHA256), 4 languages (fr, en, it, de)
+- **Permissions.cs**: Static permission constants (`Permissions.{Module}.Read`). Referenced by `[RequirePermission]`.
+- **PermissionsSeedData.cs**: MCP `generate_permissions` first, fallback to template
+- **RolesSeedData.cs**: code-based role-permission mapping (Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R)
+
+Per-module (MANDATORY when `seedDataCore.navigationSections` exists in feature.json):
+- **NavigationSectionSeedData**: section entries, section translations (4 languages), section-level permissions, and section-level role mappings — all within `NavigationModuleSeedData.cs`, `PermissionsSeedData.cs`, and `RolesSeedData.cs`
+- Section-level permissions: wildcard + CRUD per section (same pattern as module-level)
+- Section-level role mappings: Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R per section
+
+Infrastructure:
+- **SeedConstants.cs**: shared deterministic GUIDs (ApplicationId, ModuleIds)
+- **{App}SeedDataProvider.cs**: implements IClientSeedDataProvider with 4 methods
 - DI: `services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>()`
 
+**Rules:**
+- IClientSeedDataProvider: SeedNavigationAsync + SeedRolesAsync + SeedPermissionsAsync + SeedRolePermissionsAsync
+- Admin=wildcard(*), Manager=CRU (read+create+update), Contributor=CR (read+create), Viewer=R (read only)
+
 **Business seed data (DevDataSeeder):**
 - ALL seeded business entities MUST include `TenantId = {tenantGuid}`
 - Reference entities (types, categories, statuses) MUST set TenantId
 - Use deterministic TenantId from SeedConstants (NEVER hardcoded inline)
 - DevDataSeeder MUST implement `IDevDataSeeder` with idempotent `SeedAsync()` method
 
+**Section route conventions (BLOCKING):**
+- `list` section route = module route (e.g., `/business/human-resources/employees`) — NO `/list` suffix
+- `detail` section route = module route + `/:id` (e.g., `/business/human-resources/employees/:id`) — NOT `/detail/:id`
+- Other sections (dashboard, approve, import) = module route + `/{section-kebab}` (normal)
+- FORBIDDEN: `/{module}/list`, `/{module}/detail/:id` — these are CRUD view modes, not sub-areas
+
 **FORBIDDEN:**
 - `Guid.NewGuid()` → use deterministic GUIDs
 - Empty seed data classes with only GUIDs and no seeding methods
 - Missing translations (must have all 4 languages)
 - Seeding business entities WITHOUT `TenantId`
+- Navigation section routes ending in `/list` or `/detail/:id`
+
+### POST-CHECK: Navigation translations diacritical marks
+
+After generating `NavigationTranslationSeedEntry` strings, verify ALL non-English translations contain proper diacritical marks:
+
+- **FR** must use: é, è, ê, ë, à, â, ç, ù, û, ô, î (e.g., "Employés" NOT "Employes", "Activités" NOT "Activites")
+- **DE** must use: ä, ö, ü, ß (e.g., "Aktivitäten" NOT "Aktivitaten")
+- **IT** must use: à, è, é, ì, ò, ù (e.g., "Attività" NOT "Attivita")
+
+Cross-reference navigation seed data labels with the corresponding frontend `i18n/index.ts` translations for consistency.
+
+**BLOCKING** if any `NavigationTranslationSeedEntry` for fr/de/it contains only ASCII characters where diacritical marks are expected in the target language.
 
 ---
 
@@ -290,6 +327,13 @@ fi
 - Reference/lookup entities (types, categories, statuses) MUST also have controllers — they are needed for dropdowns and configuration
 - Count: `controllers created >= entities in module`. If fewer → FAIL
 
+**Section-level controllers (CONDITIONAL: when `navSections[]` defined in feature.json):**
+- File path: `Api/Controllers/{ContextShort}/{App}/{Section}Controller.cs`
+- NavRoute attribute: `[NavRoute("{context}.{app}.{module}.{section}")]`
+- Permission attribute: `[RequirePermission(Permissions.{Module}.{Section}.{Action})]`
+- Route prefix: `api/{context}/{app}/{module}/{section}`
+- Each section gets its own controller with CRUD endpoints scoped to the section
+
 **FORBIDDEN:**
 - `[Authorize]` without specific permission → use `[RequirePermission]`
 - Returning domain entities directly
@@ -305,12 +349,13 @@ fi
 **FORBIDDEN:** `src/pages/{Module}/` (flat structure without Context/App)
 
 **Execution sequence (IN ORDER):**
+0. **Read back feature.json** (via `prd.source.featurePath`) — The PRD only carries the file list (structural skeleton). The behavioral specs (columnDefs, componentMapping, layout, rowActions, emptyState, tab structure, i18n key-value pairs, dashboard KPIs, state machine transitions) are ONLY in the original feature.json. Without this step, generated code will be generic and miss entity-specific UI details.
 1. `mcp__smartstack__scaffold_api_client` → API client + types + React Query hook
 2. `mcp__smartstack__scaffold_routes` (with `outputFormat: "clientRoutes"`) → route registry + route fragments
 3. **Wire routes to App.tsx (detect pattern: `contextRoutes` array OR JSX `<Route>`):**
    - **Pattern A** (`contextRoutes: ContextRouteExtensions` in App.tsx): add to `contextRoutes.{context}[]` with RELATIVE paths → auto-injected into both standard + tenant trees
    - **Pattern B** (JSX `<Route>` in App.tsx): insert `<Route>` entries inside correct Layout wrapper (BOTH standard AND tenant-prefixed `/t/:slug/...` blocks)
-4. Create pages using **`/ui-components` skill** (MANDATORY for entity lists, grids, tables, dashboards, charts). The skill ensures CSS variables, EntityCard, SmartTable, loading/error/empty states, and responsive grid patterns.
+4. Create pages using **`/ui-components` skill** — **LOAD the skill step files before creating any page.** This is MANDATORY for entity lists, grids, tables, dashboards, charts. The skill ensures CSS variables, EntityCard, SmartTable, loading/error/empty states, and responsive grid patterns. **Pages MUST use `t()` from `useTranslation()` for ALL visible text from the very first line of code.** Do NOT hardcode English strings with the intent of adding i18n later — the i18n keys are created in step 6 based on what keys the pages reference. Pattern: `t('{moduleLower}:actions.create', 'Create')`.
 5. Create preferences hook: `use{Module}Preferences.ts`
 6. Generate i18n (4 languages: fr, en, it, de) — see I18n section below for detailed rules
 7. `npm run typecheck` MUST pass (BLOCKING)
@@ -323,6 +368,18 @@ fi
 - FK fields: `EntityLookup` for searchable entity selection (NEVER plain text for Guid FK)
 - Dashboard: `StatCard`, Recharts components
 
+**Per-page /ui-components validation (MANDATORY before commit):**
+- After creating EACH page, verify it follows /ui-components patterns:
+  1. List pages: uses `DataTable` or `SmartTable` (NOT raw `<table>`)
+  2. List pages: uses `EntityCard` for card/grid views (NOT custom `<div>` cards)
+  3. All pages: ALL colors use CSS variables (`bg-[var(--xxx)]`) — ZERO hardcoded Tailwind colors
+  4. All pages: loading skeleton, error state with retry, empty state are present
+  5. All pages: ALL visible text uses `t()` from `useTranslation()`
+  6. Delete actions: use `ConfirmDialog` component (NOT `window.confirm()`)
+  7. Status displays: use `StatusBadge` with CSS variable colors (NOT inline styled spans)
+- **If ANY check fails: fix the page BEFORE moving to the next page**
+- The POST-CHECKs in step-02 enforce these rules with BLOCKING severity
+
 **Form pages (CRITICAL — ZERO modals/popups/drawers):**
 - Create form: `EntityCreatePage.tsx` with route `/{module}/create`
 - Edit form: `EntityEditPage.tsx` with route `/{module}/:id/edit`
@@ -340,6 +397,27 @@ fi
 | `business.*` | `BusinessLayout` | `/business` |
 | `personal.*` | `UserLayout` | `/personal/myspace` |
 
+**Route naming convention (CRITICAL — must match backend):**
+- Frontend route paths MUST use **kebab-case** matching the backend API route convention
+- Convention: `HumanResources` (C# namespace) → `human-resources` (URL segment)
+- ALL multi-word route segments MUST contain hyphens: `time-management`, `human-resources`, `leave-balance`
+- FORBIDDEN: `humanresources`, `timemanagement`, `leavebalance` (concatenated without hyphens)
+- Frontend path `/business/human-resources/clients` matches API `api/business/human-resources/clients`
+- Navigation seed data Route values MUST also use kebab-case
+- The POST-CHECK in step-02 will BLOCK if frontend routes don't match backend kebab-case convention
+
+**Section-level pages (CONDITIONAL: when `navSections[]` defined in feature.json):**
+- Page file: `src/pages/{ContextPascal}/{AppPascal}/{Module}/{Section}Page.tsx`
+- Route: nested as child of module route in App.tsx (e.g., `/business/human-resources/projects/timesheets`)
+- Add to `contextRoutes.{context}[]` (Pattern A) or as nested `<Route>` (Pattern B)
+- Each section page has its own route and permission check
+
+**React Router mapping for sections:**
+- `list` section → already the module's `index: true` route (NO separate `path: 'list'`)
+- `detail` section → already the module's `path: ':id'` route (NO separate `path: 'detail'`)
+- Other sections → `path: '{section-kebab}'` as child of module route
+- FORBIDDEN frontend paths: `path: 'list'`, `path: 'detail'` — these are handled by the module's index and :id routes
+
 **CSS:** Variables ONLY → `bg-[var(--bg-card)]`, `text-[var(--text-primary)]`
 
 **Form error handling (MANDATORY):**
@@ -348,6 +426,13 @@ fi
 - API errors (4xx, 5xx) MUST show a user-friendly error notification (toast/banner)
 - Forms MUST preserve user input on error (no data loss on failed submit)
 
+**Hook error handling pattern (MANDATORY):**
+- ALL hooks MUST preserve server validation errors from axios responses
+- Pattern: `catch (err) { if (axios.isAxiosError(err)) { return err.response?.data; } throw err; }`
+- NEVER discard `err.response.data` — it contains field-level validation errors from FluentValidation
+- Error messages MUST use i18n: `setError(t('{mod}:errors.saveFailed'))` — NEVER hardcoded English strings
+- Toast/notification messages MUST also use i18n
+
 **Dependency verification (BLOCKING):**
 - BEFORE writing any import, verify the package exists in `package.json`
 - If package not present: run `npm install {package}` BEFORE writing the import
@@ -372,6 +457,13 @@ useXxx with raw axios inside hooks           → hooks MUST use the shared apiCl
 placeholder="Enter ID" / "Enter GUID"       → EntityLookup provides search-based entity selection
 <Modal>/<Dialog>/<Drawer>/<Popup> for forms  → forms are FULL PAGES with own URL routes (/create, /:id/edit)
 useState(showCreateModal/editDialog)         → navigate to form page, NEVER toggle modal visibility
+<table>/<thead>/<tbody>                    → MUST use SmartTable or DataTable component
+bg-blue-600 / bg-red-500 / etc.           → MUST use CSS variables: bg-[var(--color-accent-600)]
+text-green-700 / text-gray-500 / etc.     → MUST use CSS variables: text-[var(--success-text)]
+window.confirm() / confirm()              → MUST use ConfirmDialog component with i18n
+Hardcoded English text in JSX (>Create<)  → MUST use t('{mod}:actions.create', 'Create')
+Hardcoded error strings in hooks           → MUST use t('{mod}:errors.loadFailed') in all hooks
+/business/humanresources/                  → MUST use kebab-case: /business/human-resources/
 ```
 
 ---
@@ -399,11 +491,14 @@ useState(showCreateModal/editDialog)         → navigate to form page, NEVER to
 **Usage pattern in TSX:** `t('{moduleLower}:actions.create', 'Create')` — ALWAYS namespace prefix + fallback value.
 
 **Rules:**
-- 4 JSON files: fr, en, it, de — ALL mandatory (not just fr/en)
+- 4 JSON files per module: fr, en, it, de — ALL mandatory (not just fr/en)
+- File structure: `src/i18n/locales/{lang}/{moduleLower}.json` — NEVER inline translations in index.ts
 - Identical key structures across all languages — same keys, translated values
-- All UI labels, validation messages, button text, empty states
+- All UI labels, validation messages, button text, empty states, error messages
 - Depends on frontend page completion (pages define which keys are needed)
 - Add entity-specific keys under `labels`, `columns`, `form` for each entity field
+- **Hooks MUST also use i18n** — error messages like "Failed to load" MUST use `t('{mod}:errors.loadFailed')`
+- **FORBIDDEN:** Inline translation objects in `i18n/index.ts` — use separate JSON files per language per module
 - Reference `smartstack-frontend.md` for the complete template
 
 ---

package/templates/skills/ralph-loop/references/compact-loop.md

@@ -69,6 +69,7 @@ Batch: {batch.length} [{firstCategory}] → {batch.map(t => `[${t.id}] ${t.descr
 
 1. Mark `task.status = 'in_progress'`, `task.started_at = now`
 2. **Read `references/category-rules.md`** for category-specific rules
+2bis. **For frontend tasks:** Also read back the original **feature.json** (via `prd.source.featurePath`) to access wireframe `componentMapping`, `columnDefs`, `layout`, `emptyState`, `rowActions`, and `i18n` keys that the PRD does NOT carry forward. The PRD only has the file list — the behavioral spec is in feature.json.
 3. Implement the task following SmartStack conventions
 4. Track `files_created` and `files_modified`
 
@@ -110,7 +111,7 @@ Batch: {batch.length} [{firstCategory}] → {batch.map(t => `[${t.id}] ${t.descr
 |----------|--------|
 | `infrastructure` with `_migrationMeta` | Migration sequence: `suggest_migration` MCP → `dotnet ef migrations add` → cleanup corrupted artifacts (`for d in src/*/bin?Debug; do [ -d "$d" ] && rm -rf "$d"; done`) → `dotnet ef database update` → `dotnet build` |
 | `infrastructure` with seed data keywords | **MANDATORY:** Read `references/core-seed-data.md` → implement templates → `dotnet build` |
-| `frontend` | MCP-first: `scaffold_api_client` → `scaffold_routes` (outputFormat: clientRoutes) → **wire to App.tsx (detect pattern: `contextRoutes` array OR JSX `<Route>`)** → create pages → `npm run typecheck && npm run lint` |
+| `frontend` | MCP-first: `scaffold_api_client` → `scaffold_routes` (outputFormat: clientRoutes) → **wire to App.tsx** → **LOAD `/ui-components` skill** before creating ANY page → create pages using skill patterns (SmartTable, EntityCard, CSS variables, StatusBadge) → ALL visible text via `t()` from first line → `npm run typecheck && npm run lint` → **run frontend POST-CHECKs (section 3bis below)** |
 | `test` | **Create tests:** `scaffold_tests` MCP → **Run:** `dotnet test --verbosity normal` → **Fix loop:** if fail → fix SOURCE CODE → rebuild → retest → repeat until 100% pass |
 | `validation` | `dotnet clean && dotnet restore && dotnet build` → `dotnet test` (full) → `validate_conventions` MCP |
 
@@ -161,7 +162,112 @@ Batch: {batch.length} [{firstCategory}] → {batch.map(t => `[${t.id}] ${t.descr
    ```
    If FAIL → fix → re-check → loop until pass
 
-3bis. **Dependency audit (if frontend tasks in batch):**
+3bis. **Frontend POST-CHECKs (BLOCKING — if frontend tasks in batch):**
+
+   > **CRITICAL:** These checks enforce /ui-components compliance, i18n, and route conventions.
+   > Without them, generated code silently regresses to raw HTML tables, hardcoded colors, and English-only text.
+
+   ```bash
+   # Resolve paths dynamically (handles web/ prefix)
+   PAGE_DIR=$(find . -path "*/src/pages" -not -path "*/node_modules/*" -type d 2>/dev/null | head -1)
+   HOOK_DIR=$(find . -path "*/src/hooks" -not -path "*/node_modules/*" -type d 2>/dev/null | head -1)
+   COMP_DIR=$(find . -path "*/src/components" -not -path "*/node_modules/*" -type d 2>/dev/null | head -1)
+   WEB_SRC=$(find . -name "App.tsx" -not -path "*/node_modules/*" -exec dirname {} \; 2>/dev/null | head -1)
+
+   if [ -n "$PAGE_DIR" ]; then
+     # BLOCKING: No raw HTML <table> — MUST use SmartTable/DataTable
+     RAW_TABLES=$(grep -rPn '<table[\s>]|<thead[\s>]|<tbody[\s>]' "$PAGE_DIR" --include="*.tsx" 2>/dev/null)
+     if [ -n "$RAW_TABLES" ]; then
+       echo "BLOCKING: Raw HTML <table> detected — MUST use SmartTable or DataTable"
+       echo "$RAW_TABLES" | head -5
+       # FIX REQUIRED before commit
+     fi
+
+     # BLOCKING: No hardcoded Tailwind colors — MUST use CSS variables
+     HARDCODED_COLORS=$(grep -rPn '(?:bg|text|border|ring)-(?:red|blue|green|yellow|orange|purple|pink|indigo|teal|cyan|emerald|violet|fuchsia|rose|amber|lime|sky|slate|gray|zinc|neutral|stone)-\d{2,3}' "$PAGE_DIR" "$COMP_DIR" --include="*.tsx" 2>/dev/null | head -10)
+     if [ -n "$HARDCODED_COLORS" ]; then
+       echo "BLOCKING: Hardcoded Tailwind colors — MUST use CSS variables (bg-[var(--bg-secondary)])"
+       echo "$HARDCODED_COLORS" | head -5
+       # FIX REQUIRED before commit
+     fi
+
+     # BLOCKING: No window.confirm() — use ConfirmDialog component
+     BAD_CONFIRM=$(grep -rPn 'window\.confirm\s*\(' "$PAGE_DIR" --include="*.tsx" 2>/dev/null | grep -v '//')
+     if [ -n "$BAD_CONFIRM" ]; then
+       echo "BLOCKING: window.confirm() detected — use ConfirmDialog component with i18n"
+       echo "$BAD_CONFIRM"
+       # FIX REQUIRED before commit
+     fi
+
+     # BLOCKING: No hardcoded English UI text in JSX
+     HARDCODED_TEXT=$(grep -rPn '>\s*(Create|Edit|Delete|Save|Cancel|Search|Loading|Error|No .* found|Are you sure|Submit|Back|Actions|Status)\s*<' "$PAGE_DIR" --include="*.tsx" 2>/dev/null | grep -v test | grep -v '//' | head -10)
+     if [ -n "$HARDCODED_TEXT" ]; then
+       echo "BLOCKING: Hardcoded English text — ALL visible text MUST use t() from useTranslation()"
+       echo "$HARDCODED_TEXT" | head -5
+       # FIX REQUIRED before commit
+     fi
+
+     # BLOCKING: No modals/drawers for forms — forms are full pages
+     MODAL_IMPORTS=$(grep -rPn "import.*\b(Modal|Dialog|Drawer|Popup|Sheet)\b" "$PAGE_DIR" --include="*.tsx" 2>/dev/null)
+     if [ -n "$MODAL_IMPORTS" ]; then
+       echo "BLOCKING: Form modals/dialogs detected — forms MUST be full pages with own URL"
+       echo "$MODAL_IMPORTS"
+       # FIX REQUIRED before commit
+     fi
+   fi
+
+   if [ -n "$HOOK_DIR" ]; then
+     # BLOCKING: Hooks must use i18n for error messages
+     HARDCODED_ERRORS=$(grep -rPn "(setError|throw new Error)\(['\"][A-Z]" "$HOOK_DIR" --include="*.ts" --include="*.tsx" 2>/dev/null | grep -v "t(" | head -10)
+     if [ -n "$HARDCODED_ERRORS" ]; then
+       echo "BLOCKING: Hardcoded error messages in hooks — MUST use t('{mod}:errors.xxx')"
+       echo "$HARDCODED_ERRORS" | head -5
+       # FIX REQUIRED before commit
+     fi
+   fi
+
+   # BLOCKING: i18n file structure — 4 languages with module-specific JSON files
+   if [ -n "$WEB_SRC" ]; then
+     I18N_DIR="$WEB_SRC/i18n/locales"
+     if [ -d "$I18N_DIR" ]; then
+       for LANG in fr en it de; do
+         if [ ! -d "$I18N_DIR/$LANG" ]; then
+           echo "BLOCKING: Missing i18n locale directory: $I18N_DIR/$LANG"
+           # FIX REQUIRED before commit
+         fi
+         MODULE_JSONS=$(find "$I18N_DIR/$LANG" -name "*.json" ! -name "common.json" ! -name "navigation.json" 2>/dev/null)
+         if [ -z "$MODULE_JSONS" ]; then
+           echo "BLOCKING: No module translation files in $I18N_DIR/$LANG/"
+           # FIX REQUIRED before commit
+         fi
+       done
+     else
+       echo "BLOCKING: Missing i18n/locales directory"
+       # FIX REQUIRED before commit
+     fi
+   fi
+
+   # Cross-validate route conventions (frontend vs backend)
+   APP_TSX=$(find . -name "App.tsx" -not -path "*/node_modules/*" 2>/dev/null | head -1)
+   API_CONTROLLERS=$(find . -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+   if [ -n "$APP_TSX" ] && [ -n "$API_CONTROLLERS" ]; then
+     API_SEGMENTS=$(grep -ohP '\[Route\("api/([^"]+)"\)\]' $API_CONTROLLERS | sed 's/\[Route("api\///;s/")\]//' | tr '/' '\n' | sort -u)
+     CLIENT_PATHS=$(grep -ohP "path:\s*['\"]([^'\"]+)['\"]" "$APP_TSX" | sed "s/path:\s*['\"]//;s/['\"]//" | sort -u)
+     for SEG in $API_SEGMENTS; do
+       if echo "$SEG" | grep -qP '[a-z]+-[a-z]+'; then
+         NO_HYPHEN=$(echo "$SEG" | tr -d '-')
+         if echo "$CLIENT_PATHS" | grep -q "$NO_HYPHEN"; then
+           echo "BLOCKING: Frontend uses '$NO_HYPHEN' but backend uses '$SEG' (kebab-case mismatch)"
+           # FIX REQUIRED before commit
+         fi
+       fi
+     done
+   fi
+   ```
+   If ANY POST-CHECK fails → fix the code → re-run ALL checks → loop until ALL pass.
+   **NEVER commit with failing POST-CHECKs.**
+
+3ter. **Dependency audit (if frontend tasks in batch):**
    ```bash
    cd {frontend_dir}
    npm ls --depth=0 2>&1 | grep "MISSING" && echo "FAIL: missing deps" && exit 1
@@ -203,7 +309,22 @@ Batch: {batch.length} [{firstCategory}] → {batch.map(t => `[${t.id}] ${t.descr
    ```
    If FAIL → migration is broken → fix → rebuild → DO NOT commit
 
-5bis. **Core Seed Data Integrity (BLOCKING — if seed data tasks in batch):**
+5bis. **Navigation section route CRUD suffix check (BLOCKING — if seed data tasks in batch):**
+   ```bash
+   # Detect /list or /detail/:id in navigation section routes
+   SEED_NAV_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" 2>/dev/null)
+   if [ -n "$SEED_NAV_FILES" ]; then
+     CRUD_ROUTES=$(grep -rn 'Route.*=.*\/list\b\|Route.*=.*\/detail' $SEED_NAV_FILES 2>/dev/null | grep -v '//.*Route')
+     if [ -n "$CRUD_ROUTES" ]; then
+       echo "BLOCKING: Navigation section routes contain /list or /detail/:id suffixes"
+       echo "Convention: list → module route (no suffix), detail → module route + /:id"
+       echo "$CRUD_ROUTES"
+       # FIX REQUIRED before commit
+     fi
+   fi
+   ```
+
+5ter. **Core Seed Data Integrity (BLOCKING — if seed data tasks in batch):**
    ```bash
    # Verify NavigationApplicationSeedData.cs exists
    APP_SEED=$(find . -path "*/Seeding/Data/NavigationApplicationSeedData.cs" 2>/dev/null | head -1)