@atlashub/smartstack-cli 3.28.0 → 3.30.0

package/templates/skills/business-analyse/steps/step-03c-compile.md

@@ -236,16 +236,18 @@ Roles × resources × operations with full paths.
 >     { "path": "business.{app}.{module}.create", "action": "create", "description": "Create new records" },
 >     { "path": "business.{app}.{module}.update", "action": "update", "description": "Update existing records" },
 >     { "path": "business.{app}.{module}.delete", "action": "delete", "description": "Delete records" },
->     { "path": "business.{app}.{module}.export", "action": "export", "description": "Export data" }
+>     { "path": "business.{app}.{module}.export", "action": "export", "description": "Export data" },
+>     { "path": "business.{app}.{module}.dashboard.read", "action": "read", "description": "View dashboard (section-level)" }
 >   ],
 >   "roleAssignments": [
->     { "role": "{App} Admin", "permissions": ["business.{app}.{module}.read", "business.{app}.{module}.create", "business.{app}.{module}.update", "business.{app}.{module}.delete", "business.{app}.{module}.export"] },
->     { "role": "{App} Manager", "permissions": ["business.{app}.{module}.read", "business.{app}.{module}.create", "business.{app}.{module}.update"] },
+>     { "role": "{App} Admin", "permissions": ["business.{app}.{module}.read", "business.{app}.{module}.create", "business.{app}.{module}.update", "business.{app}.{module}.delete", "business.{app}.{module}.export", "business.{app}.{module}.dashboard.read"] },
+>     { "role": "{App} Manager", "permissions": ["business.{app}.{module}.read", "business.{app}.{module}.create", "business.{app}.{module}.update", "business.{app}.{module}.dashboard.read"] },
 >     { "role": "{App} Viewer", "permissions": ["business.{app}.{module}.read"] }
 >   ]
 > }
 > ```
 > **STRUCTURE:** Object with 2 arrays: `permissions[]` and `roleAssignments[]`
+> **Permission levels:** Module-level = `business.{app}.{module}.{action}` (4 segments). Section-level = `business.{app}.{module}.{section}.{action}` (5 segments, for sections needing distinct access like dashboard, approve, import).
 > **FORBIDDEN:** Do NOT use a flat array with `resource`/`roles` fields. Always use the nested structure above.
 
 #### 8e. Navigation
@@ -257,7 +259,7 @@ Module → Sections → Resources (levels 3-4-5 of the hierarchy).
 > {
 >   "entries": [
 >     { "level": "module", "code": "{module}", "labels": {"fr": "...", "en": "..."}, "route": "/business/{app}/{module}", "icon": "list" },
->     { "level": "section", "code": "list", "labels": {"fr": "Liste", "en": "List", "it": "Elenco", "de": "Liste"}, "route": "/business/{app}/{module}/list", "icon": "list" },
+>     { "level": "section", "code": "list", "labels": {"fr": "Liste", "en": "List", "it": "Elenco", "de": "Liste"}, "route": "/business/{app}/{module}", "icon": "list" },
 >     { "level": "section", "code": "dashboard", "labels": {"fr": "Dashboard", "en": "Dashboard"}, "route": "/business/{app}/{module}/dashboard", "icon": "chart-bar", "isNew": true }
 >   ]
 > }
@@ -274,13 +276,12 @@ Module → Sections → Resources (levels 3-4-5 of the hierarchy).
 >     { "code": "{module}", "label": "{Module Name}", "icon": "list", "route": "/business/{app}/{module}", "parentCode": "{app}", "sort": 1 }
 >   ],
 >   "navigationSections": [
->     { "code": "list", "label": "Liste", "icon": "List", "route": "/business/{app}/{module}/list", "parentCode": "{module}", "permission": "business.{app}.{module}.read", "sort": 1 },
->     { "code": "detail", "label": "Détail", "icon": "FileText", "route": "/business/{app}/{module}/detail/:id", "parentCode": "{module}", "permission": "business.{app}.{module}.read", "sort": 2 },
->     { "code": "create", "label": "Créer", "icon": "Plus", "route": "/business/{app}/{module}/create", "parentCode": "{module}", "permission": "business.{app}.{module}.create", "sort": 3 }
+>     { "code": "list", "label": "Liste", "icon": "List", "route": "/business/{app}/{module}", "parentCode": "{module}", "permission": "business.{app}.{module}.read", "sort": 1 },
+>     { "code": "detail", "label": "Détail", "icon": "FileText", "route": "/business/{app}/{module}/:id", "parentCode": "{module}", "permission": "business.{app}.{module}.read", "sort": 2, "navigation": "hidden" },
+>     { "code": "dashboard", "label": "Dashboard", "icon": "BarChart", "route": "/business/{app}/{module}/dashboard", "parentCode": "{module}", "permission": "business.{app}.{module}.dashboard.read", "sort": 3 }
 >   ],
 >   "navigationResources": [
 >     { "code": "{module}-grid", "type": "SmartTable", "entity": "{Entity}", "parentCode": "list", "permission": "business.{app}.{module}.read" },
->     { "code": "{module}-form", "type": "SmartForm", "entity": "{Entity}", "parentCode": "create", "permission": "business.{app}.{module}.create" },
 >     { "code": "{module}-detail-card", "type": "DetailCard", "entity": "{Entity}", "parentCode": "detail", "permission": "business.{app}.{module}.read" }
 >   ],
 >   "navigationTranslations": [
@@ -291,7 +292,8 @@ Module → Sections → Resources (levels 3-4-5 of the hierarchy).
 >   ],
 >   "permissions": [
 >     { "path": "business.{app}.{module}.read", "action": "read", "description": "View {module}" },
->     { "path": "business.{app}.{module}.create", "action": "create", "description": "Create {module}" }
+>     { "path": "business.{app}.{module}.create", "action": "create", "description": "Create {module}" },
+>     { "path": "business.{app}.{module}.dashboard.read", "action": "read", "description": "View {module} dashboard (section-level)" }
 >   ],
 >   "rolePermissions": [
 >     { "role": "{App} Admin", "permissionPath": "business.{app}.{module}.*" },
@@ -305,7 +307,13 @@ Module → Sections → Resources (levels 3-4-5 of the hierarchy).
 > ```
 > **MANDATORY:** All 7 arrays must be present. Each element must be an object, NOT a string.
 > **CRITICAL:** `navigationSections` and `navigationResources` are DERIVED from `specification.sections[]` — use the transform algorithm below (section 8f-bis).
+> **IMPORTANT:** `create` and `edit` are NEVER sections — they are action pages reached via buttons. Do NOT include them in `navigationSections`. Only include actual sidebar sections (list, dashboard, approve, import, etc.) and hidden route sections (detail).
 > **FORBIDDEN:** Do NOT use `navigationModule` (singular string), `permissions` as flat string array, `rolePermissions` as flat object, `permissionsConstants` as comma-separated string.
+>
+> **FORBIDDEN in navigation routes:**
+> - `/business/{app}/{module}/list` → use `/business/{app}/{module}` (list IS the module route)
+> - `/business/{app}/{module}/detail/:id` → use `/business/{app}/{module}/:id`
+> - Navigation routes must match React Router paths exactly
 
 #### 8f-bis. Transform Sections into Navigation SeedData
 

package/templates/skills/business-analyse/steps/step-03d-validate.md

@@ -15,6 +15,21 @@ next_step: steps/step-03a1-setup.md OR steps/step-04a-collect.md (conditional)
 - This step VALIDATES the specification from step-03c, writes it to feature.json, and decides loop continuation
 - ALWAYS verify specification completeness before writing
 - ALL communication in `{language}`
+
+## MODE DETECTION (inherited from step-03a1)
+
+> **CRITICAL: Re-check your execution mode before proceeding.**
+
+**IF you are running as a TEAM AGENT** (your prompt contains `PROPOSE & REVIEW` or `team-lead` as recipient):
+  → **NEVER** use `AskUserQuestion` in ANY section below (sections 9d, 10, 12)
+  → Section 9d: if validation fails, AUTO-CORRECT silently (no user options)
+  → Section 12: **SKIP ENTIRELY** — go directly to section 12-bis (Agent Mode)
+  → After writing feature.json, send `PROPOSAL_READY` to team lead via SendMessage
+  → NEVER present options/menus to the user — you are an autonomous agent
+
+**IF you are running in the MAIN CONVERSATION** (classic inline mode):
+  → Normal interactive mode — use `AskUserQuestion` as documented
+  → Section 12-bis does NOT apply to you
 - **ID NAMING RULE (MANDATORY, NO EXCEPTION):**
   All IDs MUST include a module prefix to guarantee application-wide uniqueness.
   The prefix is derived from the module code initials (2-4 chars):
@@ -85,7 +100,7 @@ IF failures.length > 0:
 - Every FR has ≥1 linked BR
 - All BR references exist in analysis.businessRules
 - All actors appear in permissionMatrix
-- Permission paths use full format: `business.{app}.{module}.{resource}.{action}`
+- Permission paths use correct format: module-level `business.{app}.{module}.{action}` or section-level `business.{app}.{module}.{section}.{action}`
 - rolePermissions paths match permissions paths
 - API routes use consistent prefix
 
@@ -167,6 +182,10 @@ if (entityAutoFixCount > 0) {
 
 #### 9d. Decision
 
+> **TEAM AGENT MODE:** If running as team agent, SKIP AskUserQuestion. On FAIL → auto-correct silently. On PASS → proceed directly to section 11 (write). NEVER present options to the user.
+
+**INLINE MODE ONLY (main conversation):**
+
 IF validation PASS:
   Display summary, ask client for confirmation
 
@@ -482,6 +501,10 @@ Uses the **same mapping** as step-05b-deploy.md — only difference is `moduleSp
 
 ### 12. Loop Decision
 
+> **TEAM AGENT MODE: SKIP THIS ENTIRE SECTION.** If you are a team agent (your prompt contains `PROPOSE & REVIEW`), go directly to **section 12-bis** below. Section 12 is for inline mode ONLY. You MUST NOT load the next step or advance the module loop — the team lead handles orchestration.
+
+**INLINE MODE ONLY (main conversation):**
+
 ```
 ba-writer.advanceModuleLoop({feature_id})
 → Increments currentModuleIndex
@@ -595,7 +618,24 @@ SendMessage({
 })
 ```
 
-**STOP HERE** — do NOT loop to next module. The team lead handles module ordering and will spawn a new agent for the next module.
+Then WAIT — the team lead will send you a `shutdown_request`.
+Do NOT loop to next module. The team lead handles module ordering and will spawn a new agent for the next module.
+
+### E. Shutdown (MANDATORY)
+
+When you receive a `shutdown_request` from the team lead:
+
+```
+SendMessage({
+  type: "shutdown_response",
+  request_id: "{requestId from the shutdown_request message}",
+  approve: true
+})
+```
+
+This terminates your process. Do NOT output any text after `shutdown_response`.
+
+**Sequence reminder:** APPROVED → MODULE_COMPLETE → shutdown_request → shutdown_response (4 separate steps, never skip).
 
 ---
 

package/templates/skills/business-analyse/steps/step-04b-analyze.md

@@ -36,13 +36,15 @@ FOR each module in completedModules:
 
 **3b. Permission Path Format**
 
-Verify all permission paths follow the pattern:
-`business.{app}.{module}.{resource}.{action}`
+Verify all permission paths follow one of these patterns:
+- Module-level: `business.{app}.{module}.{action}` (4 segments)
+- Section-level: `business.{app}.{module}.{section}.{action}` (5 segments)
 
 Check for:
 - Inconsistent app prefix → ERROR
 - Missing module segment → ERROR
-- Shortcut paths (not full format) → ERROR
+- Fewer than 4 segments (shortcut paths) → ERROR
+- More than 5 segments → ERROR
 
 **3c. Role Hierarchy Coherence**
 

package/templates/skills/business-analyse/steps/step-05a-handoff.md

@@ -17,7 +17,7 @@ next_step: steps/step-05b-deploy.md
 - **NEVER** invent entities/FRs/BRs not in feature.json
 - **ALL** API routes from specification.apiEndpoints (exact copy)
 - **Permission** paths from specification.permissionMatrix (full format)
-- **ALWAYS** generate 5 CORE SeedData task entries per module
+- **ALWAYS** generate CORE SeedData entries: 2 app-level (NavigationApplication + ApplicationRoles) + per module (NavigationModule + NavigationSections + Permissions + Roles)
 
 ## YOUR TASK
 
@@ -197,7 +197,7 @@ See [references/handoff-file-templates.md](../references/handoff-file-templates.
 | **4.3 Infrastructure** | `analysis.entities[]` | EF Configurations, DbSet, DI. **DEPENDENCY:** Each EF config task MUST `dependsOn` its corresponding domain entity task. |
 | **4.4 API** | `specification.apiEndpoints[]` | Controllers with `{ContextShort}` mapping |
 | **4.5 Frontend** | `specification.uiWireframes[]` | Pages, Components, Hooks + wireframe traceability |
-| **4.6 SeedData** | `specification.seedDataCore` | 5 CORE + business + IClientSeedDataProvider |
+| **4.6 SeedData** | `specification.seedDataCore` | 2 app-level + per module CORE (NavigationModule + NavigationSections + Permissions + Roles) + business + IClientSeedDataProvider |
 | **4.7 Tests** | All layers | Unit, Integration, Security tests |
 
 #### Route Convention (CRITICAL)
@@ -252,7 +252,7 @@ For NavigationSeedData tasks in `handoff.filesToCreate`, add:
 **Critical rules:**
 - All backend paths include `{ContextPascal}/{ApplicationName}/` hierarchy
 - Frontend pages MUST have `linkedWireframes[]` + `wireframeAcceptanceCriteria`
-- SeedData: 5 CORE entries ALWAYS + IClientSeedDataProvider for client projects
+- SeedData: 2 app-level CORE (NavigationApplication + ApplicationRoles) + per-module CORE (NavigationModule + NavigationSections + Permissions + Roles) + IClientSeedDataProvider for client projects
 - **Acceptance Criteria Mapping:** Each task's `acceptanceCriteria` MUST be derived from its own `linkedFRs[]` entries (lookup FR → `acceptanceCriteria`). NEVER map by sequential FR index — use the task's explicit linkedFRs to resolve the correct criteria.
 - Path convention: `Persistence/Seeding/Data/` (NEVER `Data/SeedData/`)
 
@@ -462,7 +462,7 @@ const seedDataCore = {
     description: m.description,
     icon: inferIconFromModule(m) || "folder",  // MUST be non-null — use sensible default
     iconType: "lucide",
-    route: `/business/${master.metadata.application.toLowerCase()}/${m.code.toLowerCase()}`,
+    route: `/${contextCode}/${toKebabCase(appCode)}/${toKebabCase(m.code)}`,
     displayOrder: (i + 1) * 10
   })),
 
@@ -472,7 +472,11 @@ const seedDataCore = {
       code: s.code,
       label: s.description?.split(':')[0] || s.code,
       description: s.description || "",
-      route: s.code === "detail" ? null : `/${s.code}`,
+      route: s.code === "list"
+        ? `/${contextCode}/${toKebabCase(appCode)}/${toKebabCase(m.code)}`
+        : s.code === "detail"
+          ? `/${contextCode}/${toKebabCase(appCode)}/${toKebabCase(m.code)}/:id`
+          : `/${contextCode}/${toKebabCase(appCode)}/${toKebabCase(m.code)}/${toKebabCase(s.code)}`,
       displayOrder: (j + 1) * 10,
       navigation: s.code === "detail" ? "hidden" : "visible"
     }))
@@ -500,22 +504,26 @@ const seedDataCore = {
     }));
   }),
 
-  permissions: master.cadrage.applicationRoles.flatMap(role =>
-    master.modules.map(m => ({
-      role: role.role,
-      module: m.code,
-      pattern: role.permissionPattern.replace('*', `${m.code.toLowerCase()}.*`),
-      level: role.level
-    }))
-  ),
+  permissions: master.modules.flatMap(m => {
+    const basePath = `business.${master.metadata.application.toLowerCase()}.${m.code.toLowerCase()}`;
+    const actions = ['read', 'create', 'update', 'delete'];
+    return [
+      { path: `${basePath}.*`, action: '*', description: `Full ${m.name || m.code} access` },
+      ...actions.map(action => ({
+        path: `${basePath}.${action}`,
+        action: action,
+        description: `${action.charAt(0).toUpperCase() + action.slice(1)} ${m.name || m.code}`
+      }))
+    ];
+  }),
 
   rolePermissions: master.cadrage.applicationRoles.map(role => ({
     role: role.role,
     level: role.level,
     permissions: master.modules.map(m => `business.${master.metadata.application.toLowerCase()}.${m.code.toLowerCase()}.${
       role.level === 'admin' ? '*' :
-      role.level === 'manager' ? 'read,create,update,validate' :
-      role.level === 'contributor' ? 'read,create,update' : 'read'
+      role.level === 'manager' ? 'read,create,update' :
+      role.level === 'contributor' ? 'read,create' : 'read'
     }`)
   })),
 

package/templates/skills/business-analyse/templates/tpl-handoff.md

@@ -84,16 +84,17 @@ FRONTEND:
 ### 3.2 SeedData Core (CRITICAL -- without these, module is invisible and returns 403)
 
 > **Source:** `feature.json.specification.seedDataCore` (generated in step-02)
-> **5 mandatory files** for every new module (4 EF Core HasData + 1 Application code).
-> Derive content EXACTLY from `specification.seedDataCore` sections (navigationModules, navigationTranslations, permissions, rolePermissions, permissionConstants).
+> **5 core files + NavigationSectionSeedData when sections are defined** for every new module.
+> Derive content EXACTLY from `specification.seedDataCore` sections (navigationModules, navigationSections, navigationTranslations, permissions, rolePermissions, permissionConstants).
 
 | # | File | Layer | Content |
 |---|------|-------|---------|
 | 1 | `NavigationModuleConfiguration.cs` | Infrastructure (HasData) | Module entry in `nav_Modules` |
-| 2 | `NavigationTranslationConfiguration.cs` | Infrastructure (HasData) | 4 translations (fr, en, it, de) per nav entity |
-| 3 | `PermissionConfiguration.cs` | Infrastructure (HasData) | Wildcard + CRUD permissions in `nav_Permissions` |
-| 4 | `Permissions.cs` | Application (code) | Compile-time constants for `[RequirePermission]` |
-| 5 | `RolePermissionConfiguration.cs` | Infrastructure (HasData) | Role->Permission for {App} Admin, {App} Manager, {App} Contributor, {App} Viewer |
+| 2 | `NavigationSectionSeedData.cs` | Infrastructure (HasData) | Section entries (list, dashboard, etc.) with full absolute routes. **MANDATORY when sections defined.** |
+| 3 | `NavigationTranslationConfiguration.cs` | Infrastructure (HasData) | 4 translations (fr, en, it, de) per nav entity |
+| 4 | `PermissionConfiguration.cs` | Infrastructure (HasData) | Wildcard + CRUD permissions in `nav_Permissions` |
+| 5 | `Permissions.cs` | Application (code) | Compile-time constants for `[RequirePermission]` |
+| 6 | `RolePermissionConfiguration.cs` | Infrastructure (HasData) | Role->Permission for {App} Admin, {App} Manager, {App} Contributor, {App} Viewer |
 
 ### 3.3 Frontend
 
@@ -136,7 +137,7 @@ From: `feature.specification.seedDataCore` (5 core files), `feature.specificatio
 > **IMPORTANT :** Les données des 5 fichiers SeedData Core doivent être dérivées de `specification.seedDataCore` :
 > - `navigationModules` → NavigationModuleConfiguration.cs
 > - `navigationTranslations` → NavigationTranslationConfiguration.cs
-> - `permissions` → PermissionConfiguration.cs (format complet : `business.{app}.{module}.{resource}.{action}`)
+> - `permissions` → PermissionConfiguration.cs (module-level: `business.{app}.{module}.{action}`, section-level: `business.{app}.{module}.{section}.{action}`)
 > - `rolePermissions` → RolePermissionConfiguration.cs
 > - `permissionConstants` → Permissions.cs (PascalCase constants)
 
@@ -163,8 +164,9 @@ From: `feature.specification.seedDataCore` (5 core files), `feature.specificatio
 
 **SeedData Core (CRITICAL):**
 - [ ] Navigation module entry (HasData in NavigationModuleConfiguration.cs)
+- [ ] Navigation section entries (NavigationSectionSeedData.cs — MANDATORY when sections defined, with full absolute routes)
 - [ ] Navigation translations (4 languages in NavigationTranslationConfiguration.cs)
-- [ ] Permissions (HasData in PermissionConfiguration.cs: wildcard + CRUD)
+- [ ] Permissions (HasData in PermissionConfiguration.cs: wildcard + CRUD + section-level)
 - [ ] Permission constants (Permissions.cs in Application layer)
 - [ ] Role-Permission assignments (HasData in RolePermissionConfiguration.cs: 4 roles)
 - [ ] EF Core migration created (includes all HasData seeds)

package/templates/skills/business-analyse/templates/tpl-progress.md

@@ -28,12 +28,13 @@
     □ Total: X tasks
 
   [SEEDDATA-CORE] Core Configuration (MANDATORY)
-    □ NavigationModuleConfiguration - Module navigation structure
-    □ PermissionsConfiguration - RBAC permissions setup
-    □ RolesConfiguration - Predefined roles
-    □ TenantConfiguration - Test tenants
-    □ UserConfiguration - Test users
-    Total: 5 CORE tasks
+    □ NavigationApplicationSeedData - Application navigation entry (once per app)
+    □ ApplicationRolesSeedData - Application-scoped roles (once per app)
+    □ NavigationModuleSeedData - Module navigation structure (per module)
+    □ PermissionsSeedData - RBAC permissions (per module)
+    □ RolesSeedData - Role-permission mappings (per module)
+    □ {App}SeedDataProvider - IClientSeedDataProvider (4 methods)
+    Total: 2 app-level + 3 per-module + 1 provider
 
   [SEEDDATA] Business Reference Data
     □ Seed {Entity1} reference data

package/templates/skills/ralph-loop/references/category-rules.md

@@ -79,25 +79,50 @@ Execution sequence:
 > "PermissionsSeedData", "RolesSeedData", or "IClientSeedDataProvider":
 > **THEN read `references/core-seed-data.md`** — this is MANDATORY, DO NOT improvise.
 
-**Rules:**
-- NavigationModuleSeedData.cs: deterministic GUIDs (SHA256), 4 languages (fr, en, it, de)
-- PermissionsSeedData.cs: MCP `generate_permissions` first, fallback to template
-- RolesSeedData.cs: context-based role mapping (Admin=CRUD, Manager=CRU, Contributor=CR, Viewer=R)
-- SeedConstants.cs: shared deterministic GUIDs
-- IClientSeedDataProvider: SeedNavigationAsync + SeedPermissionsAsync + SeedRolePermissionsAsync
+**Seed Data Chain (9 files minimum):**
+
+Application-level (created ONCE, shared across modules):
+- **NavigationApplicationSeedData.cs**: Application navigation entry (MUST be first). Provides ApplicationId.
+- **ApplicationRolesSeedData.cs**: 4 application-scoped roles (admin, manager, contributor, viewer). Provides role entries for SeedRolesAsync().
+
+Per-module:
+- **NavigationModuleSeedData.cs**: deterministic GUIDs (SHA256), 4 languages (fr, en, it, de)
+- **Permissions.cs**: Static permission constants (`Permissions.{Module}.Read`). Referenced by `[RequirePermission]`.
+- **PermissionsSeedData.cs**: MCP `generate_permissions` first, fallback to template
+- **RolesSeedData.cs**: code-based role-permission mapping (Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R)
+
+Per-module (MANDATORY when `seedDataCore.navigationSections` exists in feature.json):
+- **NavigationSectionSeedData**: section entries, section translations (4 languages), section-level permissions, and section-level role mappings — all within `NavigationModuleSeedData.cs`, `PermissionsSeedData.cs`, and `RolesSeedData.cs`
+- Section-level permissions: wildcard + CRUD per section (same pattern as module-level)
+- Section-level role mappings: Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R per section
+
+Infrastructure:
+- **SeedConstants.cs**: shared deterministic GUIDs (ApplicationId, ModuleIds)
+- **{App}SeedDataProvider.cs**: implements IClientSeedDataProvider with 4 methods
 - DI: `services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>()`
 
+**Rules:**
+- IClientSeedDataProvider: SeedNavigationAsync + SeedRolesAsync + SeedPermissionsAsync + SeedRolePermissionsAsync
+- Admin=wildcard(*), Manager=CRU (read+create+update), Contributor=CR (read+create), Viewer=R (read only)
+
 **Business seed data (DevDataSeeder):**
 - ALL seeded business entities MUST include `TenantId = {tenantGuid}`
 - Reference entities (types, categories, statuses) MUST set TenantId
 - Use deterministic TenantId from SeedConstants (NEVER hardcoded inline)
 - DevDataSeeder MUST implement `IDevDataSeeder` with idempotent `SeedAsync()` method
 
+**Section route conventions (BLOCKING):**
+- `list` section route = module route (e.g., `/business/human-resources/employees`) — NO `/list` suffix
+- `detail` section route = module route + `/:id` (e.g., `/business/human-resources/employees/:id`) — NOT `/detail/:id`
+- Other sections (dashboard, approve, import) = module route + `/{section-kebab}` (normal)
+- FORBIDDEN: `/{module}/list`, `/{module}/detail/:id` — these are CRUD view modes, not sub-areas
+
 **FORBIDDEN:**
 - `Guid.NewGuid()` → use deterministic GUIDs
 - Empty seed data classes with only GUIDs and no seeding methods
 - Missing translations (must have all 4 languages)
 - Seeding business entities WITHOUT `TenantId`
+- Navigation section routes ending in `/list` or `/detail/:id`
 
 ### POST-CHECK: Navigation translations diacritical marks
 
@@ -302,6 +327,13 @@ fi
 - Reference/lookup entities (types, categories, statuses) MUST also have controllers — they are needed for dropdowns and configuration
 - Count: `controllers created >= entities in module`. If fewer → FAIL
 
+**Section-level controllers (CONDITIONAL: when `navSections[]` defined in feature.json):**
+- File path: `Api/Controllers/{ContextShort}/{App}/{Section}Controller.cs`
+- NavRoute attribute: `[NavRoute("{context}.{app}.{module}.{section}")]`
+- Permission attribute: `[RequirePermission(Permissions.{Module}.{Section}.{Action})]`
+- Route prefix: `api/{context}/{app}/{module}/{section}`
+- Each section gets its own controller with CRUD endpoints scoped to the section
+
 **FORBIDDEN:**
 - `[Authorize]` without specific permission → use `[RequirePermission]`
 - Returning domain entities directly
@@ -374,6 +406,18 @@ fi
 - Navigation seed data Route values MUST also use kebab-case
 - The POST-CHECK in step-02 will BLOCK if frontend routes don't match backend kebab-case convention
 
+**Section-level pages (CONDITIONAL: when `navSections[]` defined in feature.json):**
+- Page file: `src/pages/{ContextPascal}/{AppPascal}/{Module}/{Section}Page.tsx`
+- Route: nested as child of module route in App.tsx (e.g., `/business/human-resources/projects/timesheets`)
+- Add to `contextRoutes.{context}[]` (Pattern A) or as nested `<Route>` (Pattern B)
+- Each section page has its own route and permission check
+
+**React Router mapping for sections:**
+- `list` section → already the module's `index: true` route (NO separate `path: 'list'`)
+- `detail` section → already the module's `path: ':id'` route (NO separate `path: 'detail'`)
+- Other sections → `path: '{section-kebab}'` as child of module route
+- FORBIDDEN frontend paths: `path: 'list'`, `path: 'detail'` — these are handled by the module's index and :id routes
+
 **CSS:** Variables ONLY → `bg-[var(--bg-card)]`, `text-[var(--text-primary)]`
 
 **Form error handling (MANDATORY):**

package/templates/skills/ralph-loop/references/compact-loop.md

@@ -309,7 +309,22 @@ Batch: {batch.length} [{firstCategory}] → {batch.map(t => `[${t.id}] ${t.descr
    ```
    If FAIL → migration is broken → fix → rebuild → DO NOT commit
 
-5bis. **Core Seed Data Integrity (BLOCKING — if seed data tasks in batch):**
+5bis. **Navigation section route CRUD suffix check (BLOCKING — if seed data tasks in batch):**
+   ```bash
+   # Detect /list or /detail/:id in navigation section routes
+   SEED_NAV_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" 2>/dev/null)
+   if [ -n "$SEED_NAV_FILES" ]; then
+     CRUD_ROUTES=$(grep -rn 'Route.*=.*\/list\b\|Route.*=.*\/detail' $SEED_NAV_FILES 2>/dev/null | grep -v '//.*Route')
+     if [ -n "$CRUD_ROUTES" ]; then
+       echo "BLOCKING: Navigation section routes contain /list or /detail/:id suffixes"
+       echo "Convention: list → module route (no suffix), detail → module route + /:id"
+       echo "$CRUD_ROUTES"
+       # FIX REQUIRED before commit
+     fi
+   fi
+   ```
+
+5ter. **Core Seed Data Integrity (BLOCKING — if seed data tasks in batch):**
    ```bash
    # Verify NavigationApplicationSeedData.cs exists
    APP_SEED=$(find . -path "*/Seeding/Data/NavigationApplicationSeedData.cs" 2>/dev/null | head -1)