@atlashub/smartstack-cli 3.28.0 → 3.30.0

package/templates/skills/apex/references/smartstack-layers.md

@@ -63,7 +63,7 @@
 
 **Rules:**
 - **ALL services MUST inject `ICurrentUserService` + `ICurrentTenantService` and filter by `TenantId`** (see `smartstack-api.md` Service Pattern)
-- **ALL services MUST use guard clause:** `var tenantId = _currentTenant.TenantId ?? throw new UnauthorizedAccessException("Tenant context is required");`
+- **ALL services MUST use guard clause:** `var tenantId = _currentTenant.TenantId ?? throw new TenantContextRequiredException();` (returns 400, NOT 401 — a missing tenant is a bad request, not an auth failure)
 - **ALL services MUST inject `ILogger<T>`** for production diagnostics
 - CQRS with MediatR
 - FluentValidation for all commands
@@ -112,17 +112,26 @@
 | Roles seed | Templates below |
 | Provider | Templates below |
 
-### Seed Data Chain (7 files minimum)
+### Seed Data Chain (9 files minimum)
 
+**Application-level (created ONCE, shared across modules):**
 1. **NavigationApplicationSeedData.cs** — Application-level navigation entry (MUST be first)
-2. **NavigationModuleSeedData.cs** — Deterministic GUIDs (SHA256), 4 languages (fr, en, it, de)
-3. **NavigationSectionSeedData.cs** — Section-level navigation (if sections defined)
-4. **NavigationResourceSeedData.cs** — Resource-level navigation (if resources defined)
-5. **PermissionsSeedData.cs** — MCP `generate_permissions` first, fallback template
-6. **RolesSeedData.cs** — Code-based role mapping: Admin=CRUD, Manager=CRU, Contributor=CR, Viewer=R. **NEVER use deterministic GUIDs for roles** — system roles are pre-seeded by SmartStack core, look up by Code at runtime.
-7. **{App}SeedDataProvider.cs** — Implements IClientSeedDataProvider
+2. **ApplicationRolesSeedData.cs** — Application-scoped roles (admin, manager, contributor, viewer) with deterministic GUIDs. Provides role entries for SeedRolesAsync().
+
+**Per-module:**
+3. **NavigationModuleSeedData.cs** — Deterministic GUIDs (SHA256), 4 languages (fr, en, it, de)
+4. **NavigationSectionSeedData.cs** — Section-level navigation (if sections defined)
+5. **NavigationResourceSeedData.cs** — Resource-level navigation (if resources defined)
+6. **Permissions.cs** — Static permission constants: `public static class {Module} { public const string Read = "..."; }`. Referenced by `[RequirePermission(Permissions.{Module}.Read)]`.
+7. **PermissionsSeedData.cs** — MCP `generate_permissions` first, fallback template
+8. **RolesSeedData.cs** — Code-based role mapping: Admin=wildcard(*), Manager=CRU, Contributor=CR, Viewer=R. **NEVER use deterministic GUIDs for roles** — look up by Code at runtime.
+
+**Infrastructure (created ONCE per application):**
+9. **{App}SeedDataProvider.cs** — Implements IClientSeedDataProvider
    - `SeedNavigationAsync()` — seeds Application → Module → Section → Resource + translations
-   - `SeedPermissionsAsync()` + `SeedRolePermissionsAsync()` (roles resolved by Code, NOT by GUID)
+   - `SeedRolesAsync()` — seeds application-scoped roles from ApplicationRolesSeedData
+   - `SeedPermissionsAsync()` — seeds permission entries from PermissionsSeedData
+   - `SeedRolePermissionsAsync()` — maps roles to permissions (roles resolved by Code, NOT by GUID)
    - DI: `services.AddScoped<IClientSeedDataProvider, {App}SeedDataProvider>()`
 
 ### Deterministic GUID Pattern
@@ -177,7 +186,7 @@ private static Guid GenerateDeterministicGuid(string input)
 
 ```csharp
 private static string ToKebabCase(string value)
-    => System.Text.RegularExpressions.Regex.Replace(value, "(?<!^)([A-Z])", "-$1").ToLowerInvariant();
+    => System.Text.RegularExpressions.Regex.Replace(value, "([a-z])([A-Z])", "$1-$2").ToLowerInvariant();
 
 // Route construction:
 var appRoute = $"/{ToKebabCase(contextCode)}/{ToKebabCase(appCode)}";
@@ -190,6 +199,13 @@ var sectionRoute = $"{moduleRoute}/{ToKebabCase(sectionCode)}";
 // → "/business/human-resources/employees/departments"
 ```
 
+**ROUTE SPECIAL CASES (list and detail sections):**
+> `list` and `detail` are view modes of the module, NOT functional sub-areas.
+> - `list` section route = module route (e.g., `/business/human-resources/employees`) — NO `/list` suffix
+> - `detail` section route = module route + `/:id` (e.g., `/business/human-resources/employees/:id`) — NOT `/detail/:id`
+> - FORBIDDEN: `/employees/list`, `/employees/detail/:id`
+> - Other sections (dashboard, approve, import) = module route + `/{section-kebab}` (normal)
+
 **FORBIDDEN:**
 - `Guid.NewGuid()` → use deterministic GUIDs (SHA256)
 - `DeterministicGuid("nav:business")` for ContextId → context IDs are pre-seeded by SmartStack core, look up by code at runtime
@@ -259,6 +275,20 @@ const [loading, setLoading] = useState(true);
 **CSS:** Variables only → `bg-[var(--bg-card)]`, `text-[var(--text-primary)]`, `border-[var(--border-color)]`
 **Loader:** `Loader2` from `lucide-react` for spinners, `PageLoader` for Suspense fallback
 
+### Section Routes (when module has sections)
+
+If the module defines `{sections}`, generate frontend routes for EACH section as children of the module route:
+
+```tsx
+// Section routes are nested inside the module's children array
+{ path: '{section-kebab}', element: <Suspense fallback={<PageLoader />}><{Section}Page /></Suspense> },
+{ path: '{section-kebab}/create', element: <Suspense fallback={<PageLoader />}><Create{Section}Page /></Suspense> },
+{ path: '{section-kebab}/:id', element: <Suspense fallback={<PageLoader />}><{Section}DetailPage /></Suspense> },
+{ path: '{section-kebab}/:id/edit', element: <Suspense fallback={<PageLoader />}><Edit{Section}Page /></Suspense> },
+```
+
+Section pages live in `src/pages/{ContextPascal}/{AppPascal}/{Module}/{Section}/`.
+
 ### FK Fields in Forms (CRITICAL)
 
 Any entity property that is a FK Guid (e.g., `EmployeeId`, `DepartmentId`) MUST use the `EntityLookup` component — NEVER a plain text input. Users cannot type GUIDs manually.

package/templates/skills/apex/steps/step-02-plan.md

@@ -54,20 +54,25 @@ For EACH file in the plan, specify HOW it will be created/modified:
 | 4 | Application/Services/.../MyService.cs | create | MCP scaffold_extension |
 | 5 | Application/DTOs/.../MyDto.cs | create | MCP scaffold_extension |
 | 6 | Api/Controllers/.../MyController.cs | create | /controller skill |
-| 7 | Seeding/Data/.../NavigationModuleSeedData.cs | create | MCP generate_permissions |
-| 8 | Seeding/Data/.../PermissionsSeedData.cs | create | MCP generate_permissions |
-| 9 | Seeding/Data/.../RolesSeedData.cs | create | ref smartstack-layers.md |
+| 7 | Seeding/Data/NavigationApplicationSeedData.cs | create | ref smartstack-layers.md (once per app) |
+| 7b | Seeding/Data/ApplicationRolesSeedData.cs | create | ref smartstack-layers.md (once per app) |
+| 8 | Seeding/Data/.../NavigationModuleSeedData.cs | create | ref smartstack-layers.md |
+| 8b | Application/Authorization/Permissions.cs | create | MCP generate_permissions → static constants |
+| 9 | Seeding/Data/.../PermissionsSeedData.cs | create | MCP generate_permissions |
+| 10 | Seeding/Data/.../RolesSeedData.cs | create | ref smartstack-layers.md |
 
 ### Layer 2 — Frontend + I18n (parallel)
 
 | # | File | Action | Tool |
 |---|------|--------|------|
-| 10 | src/pages/{Ctx}/{App}/{Mod}/ListPage.tsx | create | /ui-components skill |
-| 10b | src/pages/{Ctx}/{App}/{Mod}/CreatePage.tsx | create | /ui-components skill (EntityLookup for FK fields) |
-| 10c | src/pages/{Ctx}/{App}/{Mod}/EditPage.tsx | create | /ui-components skill (EntityLookup for FK fields) |
-| 11 | src/services/api/{module}Api.ts | create | MCP scaffold_api_client |
-| 12 | src/routes/{module}.tsx | create | MCP scaffold_routes |
-| 13 | src/i18n/locales/{lang}/{module}.json | create | ref smartstack-frontend.md (4 languages: fr, en, it, de) |
+| 11 | src/pages/{Ctx}/{App}/{Mod}/ListPage.tsx | create | /ui-components skill |
+| 11b | src/pages/{Ctx}/{App}/{Mod}/CreatePage.tsx | create | /ui-components skill (EntityLookup for FK fields) |
+| 11c | src/pages/{Ctx}/{App}/{Mod}/EditPage.tsx | create | /ui-components skill (EntityLookup for FK fields) |
+| 11d | src/pages/{Ctx}/{App}/{Mod}/{Section}Page.tsx | create | /ui-components skill (per section in `{sections}`) |
+| 11e | src/pages/{Ctx}/{App}/{Mod}/{Section}DetailPage.tsx | create | /ui-components skill (per section in `{sections}`) |
+| 12 | src/services/api/{module}Api.ts | create | MCP scaffold_api_client |
+| 13 | src/routes/{module}.tsx | create | MCP scaffold_routes |
+| 14 | src/i18n/locales/{lang}/{module}.json | create | ref smartstack-frontend.md (4 languages: fr, en, it, de) |
 
 **FK Field Guidance:** If step-01 identified `fkFields[]`, every Create/Edit page MUST use `EntityLookup` for those fields (see `smartstack-frontend.md` section 6). The corresponding backend GetAll endpoints (Layer 1) MUST support `?search=` parameter.
 
@@ -75,8 +80,8 @@ For EACH file in the plan, specify HOW it will be created/modified:
 
 | # | File | Action | Tool |
 |---|------|--------|------|
-| 14 | tests/.../MyEntityTests.cs | create | MCP scaffold_tests |
-| 15 | tests/.../MyServiceTests.cs | create | MCP scaffold_tests |
+| 15 | tests/.../MyEntityTests.cs | create | MCP scaffold_tests |
+| 16 | tests/.../MyServiceTests.cs | create | MCP scaffold_tests |
 ```
 
 ---

package/templates/skills/apex/steps/step-03-execute.md

@@ -77,6 +77,8 @@ Execute each item from the plan sequentially using skills and MCP.
 - **FK FIELDS (CRITICAL):** Any Guid FK property (e.g., EmployeeId, DepartmentId) MUST use `EntityLookup` component — NEVER a plain text input. See `smartstack-frontend.md` section 6.
 - **ZERO modals/popups/drawers for forms — ALL forms are full pages with their own URL**
 - **Form tests: Generate `EntityCreatePage.test.tsx` and `EntityEditPage.test.tsx` (co-located)**
+- **SECTION PERMISSIONS:** After calling `MCP generate_permissions` for the module navRoute (3 segments: `{context}.{app}.{module}`), also call it for EACH section navRoute (4 segments: `{context}.{app}.{module}.{section}`)
+- **SECTION ROUTES:** After generating module routes, add section child routes to the module's `children` array. Wire `PermissionGuard` for section routes with section-level permissions.
 - Read `references/smartstack-frontend.md` for mandatory patterns (sections 3b + 8)
 - Generate i18n JSON files for all 4 languages (fr, en, it, de) — `src/i18n/locales/{lang}/{module}.json`
 - All pages must follow loading → error → content pattern with CSS variables
@@ -134,6 +136,10 @@ Spawn 2 teammates (Opus, full tools):
       → EntityEditPage.test.tsx (co-located next to page)
       → Cover: rendering, validation, submit, pre-fill, navigation, errors
       → See smartstack-frontend.md section 8 for test templates
+    - **SECTION PERMISSIONS:** After MCP generate_permissions for the module navRoute (3 segments),
+      also call MCP generate_permissions for EACH section navRoute (4 segments: {context}.{app}.{module}.{section})
+    - **SECTION ROUTES:** Add section child routes to the module's children array.
+      Wire PermissionGuard for section routes with section-level permissions.
     - I18n: Generate 4 JSON files per module namespace (fr, en, it, de)
       → Follow JSON template from smartstack-frontend.md
       → Keys: actions, labels, errors, validation, columns, form, messages, empty

package/templates/skills/apex/steps/step-04-examine.md

@@ -132,10 +132,12 @@ sqlcmd -S "(localdb)\MSSQLLocalDB" -Q "IF DB_ID('$DB_NAME') IS NOT NULL BEGIN AL
 | File | Checks |
 |------|--------|
 | NavigationApplicationSeedData | MUST be first, deterministic GUID for application (NOT for context — context is looked up by code), 4 lang translations |
+| ApplicationRolesSeedData | 4 roles (admin, manager, contributor, viewer), deterministic GUIDs, references NavigationApplicationSeedData.ApplicationId |
 | NavigationModuleSeedData | Deterministic GUIDs (SHA256), 4 languages, GetModuleEntry + GetTranslationEntries |
+| Permissions.cs | Static constants class with `public static class {Module} { Read, Create, Update, Delete }`, paths match PermissionsSeedData |
 | PermissionsSeedData | MCP generate_permissions used, paths match Permissions.cs, wildcard + CRUD |
-| RolesSeedData | Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R |
-| IClientSeedDataProvider | 3 Seed methods, idempotent, factory methods, SaveChanges per group |
+| RolesSeedData | Admin=wildcard(*), Manager=CRU, Contributor=CR, Viewer=R. Role-permission entries reference permission paths from PermissionsSeedData |
+| IClientSeedDataProvider | 4 Seed methods (Navigation, Roles, Permissions, RolePermissions), idempotent, factory methods, SaveChanges per group |
 | DI Registration | `services.AddScoped<IClientSeedDataProvider, {App}SeedDataProvider>()` |
 
 ---

package/templates/skills/application/references/frontend-verification.md

@@ -76,7 +76,7 @@ Verify exactly **4 language files** exist with identical key structures:
 Verify routes are:
 - **INSIDE** the Layout wrapper (`BusinessLayout`, `AdminLayout`, or `UserLayout`)
 - **NESTED** (not flat)
-- Following path convention: `/{context}/{application}/{module}`
+- Following path convention: `/{context}/{application_kebab}/{module_kebab}` (kebab-case)
 
 ### 5b. Route Wiring Check (BLOCKING)
 
@@ -98,6 +98,31 @@ Args:
 
 If `appWiring.issues` is not empty, fix the wiring before proceeding.
 
+### 5c. Route Kebab-Case Check (BLOCKING)
+
+Scan App.tsx route paths for non-kebab-case segments:
+
+**FORBIDDEN** — concatenated multi-word segments without hyphens:
+- `humanresources`, `timemanagement`, `mymodule` (when representing multi-word names)
+
+**REQUIRED** — proper kebab-case for multi-word segments:
+- `human-resources`, `time-management`
+
+**Verification steps:**
+
+1. Extract all route path strings from App.tsx (both `contextRoutes` and `<Route path="...">`)
+2. For each multi-word path segment, verify it uses hyphens (kebab-case)
+3. Cross-reference route paths with navigation seed data routes to ensure exact match
+4. Single-word segments are fine as-is (e.g., `employees`, `products`)
+
+**Grep check** — verify no multi-word segments without hyphens in route paths:
+```bash
+# Should return NO matches for multi-word segments without hyphens
+grep -E "path:\s*['\"]([a-z]+[A-Z]|[a-z]{2,}[a-z]{2,}/)" App.tsx
+```
+
+If ANY non-kebab-case multi-word route segment is found → **FIX IT** before continuing.
+
 ### 6. States Check
 
 Verify the list page includes:

package/templates/skills/application/steps/step-03-roles.md

@@ -251,7 +251,7 @@ rolePermissions.Add(new { RoleId = platformAdminRoleId, PermissionId = {permissi
 // Application-scoped: Admin → wildcard
 rolePermissions.Add(new { RoleId = appAdminRoleId, PermissionId = {permission_guids.wildcard}, AssignedAt = seedDate });
 
-// Application-scoped: Manager → CRUD
+// Application-scoped: Manager → CRU (read + create + update — no delete)
 rolePermissions.Add(new { RoleId = appManagerRoleId, PermissionId = {permission_guids.read}, AssignedAt = seedDate });
 rolePermissions.Add(new { RoleId = appManagerRoleId, PermissionId = {permission_guids.create}, AssignedAt = seedDate });
 rolePermissions.Add(new { RoleId = appManagerRoleId, PermissionId = {permission_guids.update}, AssignedAt = seedDate });

package/templates/skills/application/steps/step-05-frontend.md

@@ -35,6 +35,22 @@ From previous steps:
 | `{entity_code}` | kebab-case code |
 | `{labels}` | Object with fr, en, it, de |
 | `{api_route}` | API endpoint path |
+| `{application_kebab}` | kebab-case route segment for application (PascalCase → kebab-case, e.g., `HumanResources` → `human-resources`) |
+| `{module_kebab}` | kebab-case route segment for module (PascalCase → kebab-case, e.g., `TimeManagement` → `time-management`) |
+
+---
+
+## ROUTE NAMING RULE
+
+> **BLOCKING:** All route paths MUST use **kebab-case** to match navigation seed data exactly.
+>
+> - Transformation: `PascalCase` → `kebab-case` (e.g., `HumanResources` → `human-resources`)
+> - Single words stay lowercase: `Employees` → `employees`
+> - Multi-word segments MUST have hyphens: `TimeManagement` → `time-management`
+> - **FORBIDDEN:** `humanresources`, `timemanagement` (concatenated words without hyphens)
+> - **REQUIRED:** `human-resources`, `time-management` (proper kebab-case)
+>
+> Route paths MUST match the navigation seed data routes (which use `ToKebabCase()`).
 
 ---
 
@@ -123,10 +139,10 @@ Read App.tsx and detect which pattern is used:
   const contextRoutes: ContextRouteExtensions = {
     business: [
       // existing routes...
-      { path: '{application}/{module}/list', element: <{EntityName}ListPage /> },
-      { path: '{application}/{module}/new', element: <Create{EntityName}Page /> },
-      { path: '{application}/{module}/:id', element: <{EntityName}DetailPage /> },
-      { path: '{application}/{module}/:id/edit', element: <Create{EntityName}Page /> },
+      { path: '{application_kebab}/{module_kebab}', element: <{EntityName}ListPage /> },
+      { path: '{application_kebab}/{module_kebab}/new', element: <Create{EntityName}Page /> },
+      { path: '{application_kebab}/{module_kebab}/:id', element: <{EntityName}DetailPage /> },
+      { path: '{application_kebab}/{module_kebab}/:id/edit', element: <Create{EntityName}Page /> },
     ],
   };
   ```
@@ -139,7 +155,7 @@ Read App.tsx and detect which pattern is used:
   ```tsx
   <Route path="/business" element={<BusinessLayout />}>
     {/* ... existing routes ... */}
-    <Route path="{application}/{module}" element={<{EntityName}Page />} />
+    <Route path="{application_kebab}/{module_kebab}" element={<{EntityName}Page />} />
   </Route>
   ```
 
@@ -211,9 +227,9 @@ If the generated translations need customization (e.g., replacing generic title
 ### Route Configuration
 ```tsx
 // In routes.tsx - NESTED routes (not flat!)
-<Route path="{application}">
-  <Route index element={<Navigate to="{module}" replace />} />
-  <Route path="{module}" element={<{EntityName}Page />} />
+<Route path="{application_kebab}">
+  <Route index element={<Navigate to="{module_kebab}" replace />} />
+  <Route path="{module_kebab}" element={<{EntityName}Page />} />
 </Route>
 ```
 ```

package/templates/skills/application/templates-frontend.md

@@ -32,6 +32,26 @@ web/smartstack-web/src/
 
 ---
 
+## ROUTE PATH VARIABLES
+
+> **All route path segments MUST use kebab-case to match the navigation seed data.**
+
+| Variable | Description | Example |
+|----------|-------------|---------|
+| `$APPLICATION_KEBAB` | kebab-case of application code | `human-resources` |
+| `$MODULE_KEBAB` | kebab-case of module code | `time-management` |
+
+**Transformation rule:** `PascalCase` → `kebab-case` via regex `([a-z])([A-Z])` → `$1-$2` + `toLowerCase()`
+
+Examples:
+- `HumanResources` → `human-resources`
+- `TimeManagement` → `time-management`
+- `Employees` → `employees` (single word, no change needed)
+
+> **FORBIDDEN:** Using raw `$APPLICATION` or `$MODULE` in route paths — they may produce non-kebab-case URLs (e.g., `humanresources` instead of `human-resources`). Always use `$APPLICATION_KEBAB` and `$MODULE_KEBAB` for route paths.
+
+---
+
 ## TEMPLATE: MAIN PAGE
 
 ```tsx
@@ -47,8 +67,7 @@ export function $MODULE_PASCALPage() {
     <$MODULE_PASCALListView
       title={t('$module:title')}
       subtitle={t('$module:subtitle')}
-      basePath="/$CONTEXT/$APPLICATION/$MODULE"
-      createPath="/$CONTEXT/$APPLICATION/$MODULE/new"
+      createPath="new"
     />
   );
 }
@@ -91,7 +110,6 @@ interface PagedResult {
 interface $MODULE_PASCALListViewProps {
   title: string;
   subtitle?: string;
-  basePath: string;
   createPath?: string;
 }
 
@@ -100,7 +118,6 @@ const DEFAULT_COLUMNS = ['name', 'description', 'isActive', 'createdAt'];
 export function $MODULE_PASCALListView({
   title,
   subtitle,
-  basePath,
   createPath,
 }: $MODULE_PASCALListViewProps) {
   const { t } = useTranslation(['$module', 'common']);
@@ -270,7 +287,7 @@ export function $MODULE_PASCALListView({
                 <tr
                   key={item.id}
                   className="border-b border-[var(--item-color-border)] hover:bg-[var(--bg-hover)] cursor-pointer"
-                  onClick={() => navigate(`${basePath}/${item.id}`)}
+                  onClick={() => navigate(item.id)}
                 >
                   {visibleColumns.includes('name') && (
                     <td className="px-4 py-3 text-sm text-[var(--text-primary)] font-medium">
@@ -306,7 +323,7 @@ export function $MODULE_PASCALListView({
                       <button
                         onClick={(e) => {
                           e.stopPropagation();
-                          navigate(`${basePath}/${item.id}/edit`);
+                          navigate(`${item.id}/edit`);
                         }}
                         className="p-1 hover:bg-[var(--bg-tertiary)]"
                         style={{ borderRadius: 'var(--radius-button)' }}
@@ -346,9 +363,9 @@ export function $MODULE_PASCALListView({
                 color: 'var(--success-text)'
               } : undefined}
               stats={`${t('common:createdAt')}: ${new Date(item.createdAt).toLocaleDateString()}`}
-              onClick={() => navigate(`${basePath}/${item.id}`)}
+              onClick={() => navigate(item.id)}
               actions={[
-                { label: t('common:actions.view'), onClick: () => navigate(`${basePath}/${item.id}`), variant: 'primary' },
+                { label: t('common:actions.view'), onClick: () => navigate(item.id), variant: 'primary' },
               ]}
             />
           ))}
@@ -512,15 +529,15 @@ import { Create$MODULE_PASCALPage } from '@/pages/$CONTEXT/$APPLICATION/$MODULE/
 const contextRoutes: ContextRouteExtensions = {
   $CONTEXT: [
     // ... existing routes ...
-    { path: '$APPLICATION/$MODULE', element: <$MODULE_PASCALPage /> },
-    { path: '$APPLICATION/$MODULE/new', element: <Create$MODULE_PASCALPage /> },
-    { path: '$APPLICATION/$MODULE/:id', element: <$MODULE_PASCALDetailPage /> },
-    { path: '$APPLICATION/$MODULE/:id/edit', element: <Create$MODULE_PASCALPage /> },
+    { path: '$APPLICATION_KEBAB/$MODULE_KEBAB', element: <$MODULE_PASCALPage /> },
+    { path: '$APPLICATION_KEBAB/$MODULE_KEBAB/new', element: <Create$MODULE_PASCALPage /> },
+    { path: '$APPLICATION_KEBAB/$MODULE_KEBAB/:id', element: <$MODULE_PASCALDetailPage /> },
+    { path: '$APPLICATION_KEBAB/$MODULE_KEBAB/:id/edit', element: <Create$MODULE_PASCALPage /> },
   ],
 };
 ```
 
-**mergeRoutes auto-generates redirects** for intermediate paths (e.g., `$APPLICATION` → `$APPLICATION/$DEFAULT_MODULE`) so you don't need to add index redirects manually.
+**mergeRoutes auto-generates redirects** for intermediate paths (e.g., `$APPLICATION_KEBAB` → `$APPLICATION_KEBAB/$DEFAULT_MODULE_KEBAB`) so you don't need to add index redirects manually.
 
 **Context-to-Layout mapping (automatic via mergeRoutes):**
 
@@ -560,12 +577,12 @@ import { Create$MODULE_PASCALPage } from '@/pages/$CONTEXT/$APPLICATION/$MODULE/
   {/* ... existing routes stay here ... */}
 
   {/* NEW: $APPLICATION routes - added as children of the layout */}
-  <Route path="$APPLICATION">
-    <Route index element={<Navigate to="$DEFAULT_MODULE" replace />} />
-    <Route path="$MODULE" element={<$MODULE_PASCALPage />} />
-    <Route path="$MODULE/new" element={<Create$MODULE_PASCALPage />} />
-    <Route path="$MODULE/:id" element={<$MODULE_PASCALDetailPage />} />
-    <Route path="$MODULE/:id/edit" element={<Create$MODULE_PASCALPage />} />
+  <Route path="$APPLICATION_KEBAB">
+    <Route index element={<Navigate to="$DEFAULT_MODULE_KEBAB" replace />} />
+    <Route path="$MODULE_KEBAB" element={<$MODULE_PASCALPage />} />
+    <Route path="$MODULE_KEBAB/new" element={<Create$MODULE_PASCALPage />} />
+    <Route path="$MODULE_KEBAB/:id" element={<$MODULE_PASCALDetailPage />} />
+    <Route path="$MODULE_KEBAB/:id/edit" element={<Create$MODULE_PASCALPage />} />
   </Route>
 </Route>
 ```
@@ -576,7 +593,7 @@ import { Create$MODULE_PASCALPage } from '@/pages/$CONTEXT/$APPLICATION/$MODULE/
 ```tsx
 // ❌ WRONG — bypasses layout entirely, shell will NOT render
 const clientRoutes: RouteConfig[] = [
-  { path: '/business/$APPLICATION/$MODULE', element: <$MODULE_PASCALPage /> },
+  { path: '/business/$APPLICATION_KEBAB/$MODULE_KEBAB', element: <$MODULE_PASCALPage /> },
 ];
 ```
 
@@ -585,7 +602,7 @@ const clientRoutes: RouteConfig[] = [
 **FORBIDDEN — Flat routes outside layout:**
 ```tsx
 // ❌ WRONG (Pattern B only) — flat route bypasses layout
-<Route path="/$CONTEXT/$APPLICATION/$MODULE" element={<$MODULE_PASCALPage />} />
+<Route path="/$CONTEXT/$APPLICATION_KEBAB/$MODULE_KEBAB" element={<$MODULE_PASCALPage />} />
 ```
 
 ### Why nested/context routes?
@@ -612,6 +629,8 @@ These patterns are **strictly prohibited** in generated frontend code:
 | `rounded-lg`, `rounded-md` | `rounded-[var(--radius-card)]`, `rounded-[var(--radius-button)]` |
 | Custom `<div>` cards for entity lists | `<EntityCard>` component (MANDATORY) |
 | Flat routes outside Layout wrapper | Nested routes inside `<BusinessLayout>` / `<AdminLayout>` |
+| Route paths with PascalCase or concatenated words (e.g., `humanresources`, `timeManagement`) | Kebab-case route paths (e.g., `human-resources`, `time-management`) |
+| `navigate(\`${basePath}/${item.id}\`)` in list row click | `navigate(item.id)` (relative navigation, no path duplication) |
 | Only 2 languages (fr/en) | All 4 languages (fr/en/it/de) |
 | `[Authorize]` without permissions | `[RequirePermission("navRoute.action")]` per endpoint |
 | Missing error state | Error state with retry button (AlertCircle + underline) |
@@ -630,7 +649,7 @@ These patterns are **strictly prohibited** in generated frontend code:
 | ☐ Preferences hook created (`use$MODULE_PASCALPreferences.ts`) | |
 | ☐ API service created (uses `apiClient`, NOT raw axios) | |
 | ☐ Routes added inside Layout wrapper in App.tsx | |
-| ☐ Route path follows `/{context}/{application}/{module}` | |
+| ☐ Route path follows `/{context}/{application_kebab}/{module_kebab}` (kebab-case) | |
 
 ### Theme Compliance
 | Check | Status |

package/templates/skills/application/templates-seed.md

@@ -843,7 +843,7 @@ services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>();
 InitializeSmartStackAsync()
   1. MigrateAsync()                   -> Core schema created
   2. IDatabaseSeeder.SeedAsync()      -> System users, tenant
-  3. IClientSeedDataProvider.Seed*()  -> Navigation + Permissions + Roles CLIENT
+  3. IClientSeedDataProvider.Seed*()  -> Navigation + Roles + Permissions + RolePermissions CLIENT
   4. IDevDataSeeder.SeedAsync()       -> Dev data
   5. InitializeNavigationRoutingAsync -> Routes loaded (including client routes)
 ```
@@ -864,21 +864,37 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
     public async Task SeedNavigationAsync(ICoreDbContext context, CancellationToken ct)
     {
-        var exists = await context.NavigationApplications
-            .AnyAsync(a => a.Code == "{app_code}", ct);
-        if (exists) return;
-
-        var parentContext = await context.NavigationContexts
-            .FirstAsync(c => c.Code == "{context_code}", ct);
-
-        var app = NavigationApplication.Create(
-            parentContext.Id, "{app_code}", "{app_label_en}",
-            "{app_desc_en}", "{app_icon}", IconType.Lucide,
-            "/{context_code}/{app_code}", {display_order});
-        context.NavigationApplications.Add(app);
-        await ((DbContext)context).SaveChangesAsync(ct);
+        // NOTE: Idempotence is at MODULE level (not application level).
+        // If the application already exists, we reuse it and seed any missing modules.
+        // This allows adding Module 2+ to an existing application.
+        var existingApp = await context.NavigationApplications
+            .FirstOrDefaultAsync(a => a.Code == "{app_code}", ct);
+
+        NavigationApplication app;
+        if (existingApp != null)
+        {
+            app = existingApp; // Application already seeded — reuse for module seeding below
+        }
+        else
+        {
+            var parentContext = await context.NavigationContexts
+                .FirstAsync(c => c.Code == "{context_code}", ct);
+
+            app = NavigationApplication.Create(
+                parentContext.Id, "{app_code}", "{app_label_en}",
+                "{app_desc_en}", "{app_icon}", IconType.Lucide,
+                "/{context_code}/{app_code}", {display_order});
+            context.NavigationApplications.Add(app);
+            await ((DbContext)context).SaveChangesAsync(ct);
+
+            // Application translations (only when creating new application)
+            // foreach (var t in NavigationApplicationSeedData.GetTranslationEntries()) { ... }
+            await ((DbContext)context).SaveChangesAsync(ct);
+        }
 
-        // Create modules from {Module}NavigationSeedData
+        // Create modules (idempotent per-module — check each before inserting)
+        // var mod1Exists = await context.NavigationModules.AnyAsync(m => m.Code == "{module_code}" && m.ApplicationId == app.Id, ct);
+        // if (!mod1Exists) { var mod1 = NavigationModule.Create(...); context.NavigationModules.Add(mod1); }
         // Create module translations from {Module}NavigationSeedData.GetTranslationEntries()
 
         // Create sections from {Module}NavigationSeedData.GetSectionEntries(moduleId)
@@ -889,6 +905,27 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         // Use NavigationResource.Create(sectionId, code, label, entityType, route, displayOrder)
     }
 
+    public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
+    {
+        // Check idempotence
+        var exists = await context.Roles
+            .AnyAsync(r => r.ApplicationId == ApplicationRolesSeedData.ApplicationId, ct);
+        if (exists) return;
+
+        // Create application-scoped roles (Admin, Manager, Contributor, Viewer)
+        foreach (var entry in ApplicationRolesSeedData.GetRoleEntries())
+        {
+            var role = Role.Create(
+                entry.Code,
+                entry.Name,
+                entry.Description,
+                entry.ApplicationId,
+                entry.IsSystem);
+            context.Roles.Add(role);
+        }
+        await ((DbContext)context).SaveChangesAsync(ct);
+    }
+
     public async Task SeedPermissionsAsync(ICoreDbContext context, CancellationToken ct)
     {
         var exists = await context.Permissions
@@ -917,7 +954,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 |------|-------------|
 | Factory methods | `NavigationModule.Create(...)`, `NavigationSection.Create(...)`, `NavigationResource.Create(...)`, `Permission.CreateForModule(...)` - NEVER `new Entity()` |
 | Idempotence | Each Seed method checks existence before inserting |
-| SaveChanges per group | Navigation (modules → sections → resources) -> save -> Permissions -> save -> RolePermissions -> save |
+| SaveChanges per group | Navigation -> save -> Roles -> save -> Permissions -> save -> RolePermissions -> save |
 | Deterministic GUIDs | Use IDs from SeedData classes (not `Guid.NewGuid()`) |
 | FK resolution by Code | Parent modules found by `Code`, not hardcoded GUID |
 | Section/Resource conditionality | Only generate if `seedDataCore.navigationSections` / `seedDataCore.navigationResources` exist in feature.json |

package/templates/skills/business-analyse/SKILL.md

@@ -94,15 +94,17 @@ docs/business/
 
 **SeedData generation (step-03c):**
 
-The `specification.seedDataCore` contains **7 mandatory arrays** for database seeding:
+The `specification.seedDataCore` contains **9 mandatory arrays** for database seeding:
 
 | Array | Table | Source | Description |
 |-------|-------|--------|-------------|
+| `navigationApplications` | `core.nav_Applications` | Manual (step-03c) | Application entry (Level 2) — created ONCE per application |
+| `applicationRoles` | `core.auth_Roles` | Manual (step-03c) | Application-scoped roles (admin, manager, contributor, viewer) |
 | `navigationModules` | `core.nav_Modules` | Manual (step-03c) | Module entry (Level 3) |
 | **`navigationSections`** | **`core.nav_Sections`** | **Derived from `specification.sections[]`** | **Section entries (Level 4)** |
 | **`navigationResources`** | **`core.nav_Resources`** | **Derived from `specification.sections[].resources[]`** | **Resource entries (Level 5)** |
 | `navigationTranslations` | `core.nav_Translations` | Manual (i18n) | Multi-language labels |
-| `permissions` | `core.Permissions` | Manual (step-03c) | Permission definitions |
+| `permissions` | `core.Permissions` | Manual (step-03c) | Permission definitions ({path, action, description}) |
 | `rolePermissions` | `core.RolePermissions` | Manual (step-03c) | Role-permission mappings |
 | `permissionConstants` | `PermissionConstants.cs` | Manual (step-03c) | C# permission constants |
 

package/templates/skills/business-analyse/_shared.md

@@ -84,17 +84,25 @@ Level 1: Context (business)
 
 ### Route patterns
 ```
-/business/{application}/{module}/{section}              ← sidebar sections (list, dashboard, approve, etc.)
-/business/{application}/{module}/detail/:id             ← detail page (hidden from sidebar, reached by row click)
+/business/{application}/{module}                         ← list section (= module route, NO /list suffix)
+/business/{application}/{module}/:id                     ← detail page (= module route + /:id, NO /detail prefix)
+/business/{application}/{module}/{section}               ← other sidebar sections (dashboard, approve, import, etc.)
 ```
 
 **Detail page routing:**
 - The detail page uses a parameterized route with `:id`
 - It is NOT registered as a sidebar navigation entry (`navigation: "hidden"`)
 - It is reached by clicking a row in the `list` section (action: `navigate:detail`)
-- The back button navigates to `/business/{application}/{module}/list`
+- The back button navigates to `/business/{application}/{module}`
 - Route MUST be registered in frontend routing (App.tsx) alongside the list route
 
+> **ROUTE SPECIAL CASES (list and detail sections):**
+> `list` and `detail` are view modes of the module, NOT functional sub-areas.
+> - `list` route = module route (NO `/list` suffix) — React Router index route
+> - `detail` route = module route + `/:id` (NO `/detail/` prefix) — React Router `:id` child
+> - FORBIDDEN in navigation seed: `/module/list`, `/module/detail/:id`
+> - Other sections (dashboard, approve, import) add `/{section-kebab}` normally
+
 ### Standard Sections per Module
 
 > **RULE: Sections are functional zones, NOT CRUD operations.**
@@ -196,7 +204,12 @@ generate_feature_id():
 
 ## Permission Path Format
 
-**Format:** `business.{application}.{module}.{action}`
+| Level | Format | Example |
+|-------|--------|---------|
+| Module | `{context}.{app}.{module}.{action}` | `business.sales.orders.read` |
+| Section | `{context}.{app}.{module}.{section}.{action}` | `business.sales.orders.dashboard.read` |
+
+> **Rule:** Use module-level permissions for standard CRUD. Use section-level permissions only when a section requires distinct access control (e.g., dashboard, approve, import).
 
 | Action | Permission | Usage |
 |--------|------------|-------|

package/templates/skills/business-analyse/react/schema.md

@@ -489,7 +489,7 @@ export interface SeedDataNavTranslation {
 }
 
 export interface SeedDataPermission {
-  path: string;                // Full path: business.{app}.{module}.{resource}.{action}
+  path: string;                // Module-level: business.{app}.{module}.{action} or section-level: business.{app}.{module}.{section}.{action}
   action: string;
   description?: string;
 }