@atlashub/smartstack-cli 3.28.0 → 3.30.0

package/templates/skills/ralph-loop/references/core-seed-data.md

@@ -415,6 +415,13 @@ public static readonly Guid {ResourcePascal}ResourceId =
 
 ### Section Methods (add to {ModulePascal}NavigationSeedData.cs)
 
+> **ROUTE SPECIAL CASES (list and detail):**
+> The `list` and `detail` sections are view modes of the module, NOT functional sub-areas.
+> - `list` section route = module route (e.g., `/business/human-resources/employees`) — NO `/list` suffix
+> - `detail` section route = module route + `/:id` (e.g., `/business/human-resources/employees/:id`) — NOT `/detail/:id`
+> - FORBIDDEN: `/{module}/list`, `/{module}/detail/:id`
+> - Other sections (dashboard, approve, import) = module route + `/{section-kebab}` (normal)
+
 ```csharp
 // --- Add AFTER GetTranslationEntries() in {ModulePascal}NavigationSeedData.cs ---
 
@@ -439,7 +446,12 @@ public static IEnumerable<NavigationSectionSeedEntry> GetSectionEntries(Guid mod
             Description = "{section1_desc_en}",
             Icon = "{section1_icon}",
             IconType = IconType.Lucide,
-            Route = ToKebabCase($"/{contextCode}/{appCode}/{moduleCode}/{section1Code}"),
+            // ROUTE CONVENTION:
+            // - "list" section → same as module route (no extra segment)
+            // - "detail" section → module route + "/:id"
+            // - Other sections → module route + "/{section-kebab}"
+            // FORBIDDEN: "/employees/list", "/employees/detail/:id"
+            Route = "{section_route}",  // From seedDataCore.navigationSections[].route
             DisplayOrder = {section1_sort},
             IsActive = true
         }
@@ -521,6 +533,17 @@ public static IEnumerable<NavigationResourceSeedEntry> GetResourceEntries(Guid s
     {
         entries.AddRange(new[]
         {
+            // RESOURCE ROUTE CONVENTION:
+            // Resources inherit their parent section's resolved route as base:
+            // - Under "list" section → base = module route (no /list)
+            // - Under "detail" section → base = module route (no /detail, resource routes don't include /:id)
+            // - Under other sections → base = module route + /{section-kebab}
+            // Then append: /{resource-kebab}
+            //
+            // Example: resource "export" under section "dashboard":
+            //   Route = /business/human-resources/employees/dashboard/export
+            // Example: resource "employees-grid" under section "list":
+            //   Route = /business/human-resources/employees/employees-grid (NOT /employees/list/employees-grid)
             new NavigationResourceSeedEntry
             {
                 Id = {Resource1Pascal}ResourceId,
@@ -528,7 +551,9 @@ public static IEnumerable<NavigationResourceSeedEntry> GetResourceEntries(Guid s
                 Code = "{resource1Code}",
                 Label = "{resource1_label_en}",
                 EntityType = "{resource1_entity}",
-                Route = ToKebabCase($"/{contextCode}/{appCode}/{moduleCode}/{section1Code}/{resource1Code}"),
+                // Use parent section's resolved route + /{resource-kebab}
+                // For "list"/"detail" sections, the section route = module route (no /list or /detail segment)
+                Route = "{resource_route}",  // From seedDataCore: parent section route + /{resource-kebab}
                 DisplayOrder = 1
             }
             // Repeat for each resource in this section...
@@ -579,9 +604,10 @@ public class NavigationResourceSeedEntry
 | `{section_label_xx}` | `specification.navigation.entries[]` where `level == "section"` → `labels.xx` |
 | `{section_icon}` | `seedDataCore.navigationSections[].icon` |
 | `{section_sort}` | `seedDataCore.navigationSections[].sort` |
-| `{section_route}` | `seedDataCore.navigationSections[].route` |
+| `{section_route}` | `seedDataCore.navigationSections[].route` — **SPECIAL CASES:** `list` → module route (no `/list`), `detail` → module route + `/:id` (no `/detail/:id`), others → module route + `/{section-kebab}` |
 | `{resourceCode}` | `seedDataCore.navigationResources[].code` |
 | `{resource_entity}` | `seedDataCore.navigationResources[].entity` |
+| `{resource_route}` | Computed from parent section route + `/{resource-kebab}`. **SPECIAL CASES:** if parent section is `list` → module route + `/{resource-kebab}` (no `/list/`), if parent is `detail` → module route + `/{resource-kebab}` (no `/detail/`). |
 | `{parentSectionCode}` | `seedDataCore.navigationResources[].parentCode` |
 
 ---
@@ -718,6 +744,50 @@ public class PermissionSeedEntry
 }
 ```
 
+### Step C2: Section-Level Permissions (CONDITIONAL: only if `navSections[]` defined)
+
+> When `seedDataCore.navigationSections` exists and is non-empty in feature.json,
+> add section-level permission GUIDs and entries to `PermissionsSeedData.cs`.
+
+```csharp
+// --- Add to {ModulePascal}PermissionsSeedData class AFTER module-level permissions ---
+
+// Section-level permissions (for each section in navSections[])
+public static readonly Guid {SectionPascal}WildcardPermId = GenerateGuid("{navRoute}.{sectionCode}.*");
+public static readonly Guid {SectionPascal}ReadPermId = GenerateGuid("{navRoute}.{sectionCode}.read");
+public static readonly Guid {SectionPascal}CreatePermId = GenerateGuid("{navRoute}.{sectionCode}.create");
+public static readonly Guid {SectionPascal}UpdatePermId = GenerateGuid("{navRoute}.{sectionCode}.update");
+public static readonly Guid {SectionPascal}DeletePermId = GenerateGuid("{navRoute}.{sectionCode}.delete");
+// Repeat for each section...
+
+// Add to GetPermissionEntries() — AFTER module-level entries:
+// Section: {sectionCode}
+new PermissionSeedEntry { Id = {SectionPascal}WildcardPermId, Path = "{navRoute}.{sectionCode}.*", Level = PermissionLevel.Section, Action = PermissionAction.Access, IsWildcard = true, ModuleId = moduleId, Description = "Full {sectionLabel} access" },
+new PermissionSeedEntry { Id = {SectionPascal}ReadPermId, Path = "{navRoute}.{sectionCode}.read", Level = PermissionLevel.Section, Action = PermissionAction.Read, IsWildcard = false, ModuleId = moduleId, Description = "View {sectionLabel}" },
+new PermissionSeedEntry { Id = {SectionPascal}CreatePermId, Path = "{navRoute}.{sectionCode}.create", Level = PermissionLevel.Section, Action = PermissionAction.Create, IsWildcard = false, ModuleId = moduleId, Description = "Create {sectionLabel}" },
+new PermissionSeedEntry { Id = {SectionPascal}UpdatePermId, Path = "{navRoute}.{sectionCode}.update", Level = PermissionLevel.Section, Action = PermissionAction.Update, IsWildcard = false, ModuleId = moduleId, Description = "Update {sectionLabel}" },
+new PermissionSeedEntry { Id = {SectionPascal}DeletePermId, Path = "{navRoute}.{sectionCode}.delete", Level = PermissionLevel.Section, Action = PermissionAction.Delete, IsWildcard = false, ModuleId = moduleId, Description = "Delete {sectionLabel}" },
+// Repeat for each section...
+```
+
+Also add section-level constants to `Permissions.cs` (Application layer):
+
+```csharp
+public static class {ModulePascal}
+{
+    // ... existing module-level permissions ...
+
+    // Section-level (for each section in navSections[])
+    public static class {SectionPascal}
+    {
+        public const string View = "{navRoute}.{sectionCode}.read";
+        public const string Create = "{navRoute}.{sectionCode}.create";
+        public const string Update = "{navRoute}.{sectionCode}.update";
+        public const string Delete = "{navRoute}.{sectionCode}.delete";
+    }
+}
+```
+
 ### Step D: MCP Fallback
 
 If MCP `generate_permissions` fails, use the template above directly with values derived from the PRD `coreSeedData.permissions[]`.
@@ -897,7 +967,7 @@ public static class {ModulePascal}RolesSeedData
         // Admin: wildcard access
         yield return new RolePermissionSeedEntry { RoleCode = "admin", PermissionPath = "{navRoute}.*" };
 
-        // Manager: CRUD
+        // Manager: CRU (read + create + update — no delete)
         yield return new RolePermissionSeedEntry { RoleCode = "manager", PermissionPath = "{navRoute}.read" };
         yield return new RolePermissionSeedEntry { RoleCode = "manager", PermissionPath = "{navRoute}.create" };
         yield return new RolePermissionSeedEntry { RoleCode = "manager", PermissionPath = "{navRoute}.update" };
@@ -908,6 +978,23 @@ public static class {ModulePascal}RolesSeedData
 
         // Viewer: R
         yield return new RolePermissionSeedEntry { RoleCode = "viewer", PermissionPath = "{navRoute}.read" };
+
+        // --- Section-level role mappings (CONDITIONAL: for each section in navSections[]) ---
+        // Admin: wildcard per section
+        yield return new RolePermissionSeedEntry { RoleCode = "admin", PermissionPath = "{navRoute}.{sectionCode}.*" };
+
+        // Manager: CRU per section (read + create + update — no delete)
+        yield return new RolePermissionSeedEntry { RoleCode = "manager", PermissionPath = "{navRoute}.{sectionCode}.read" };
+        yield return new RolePermissionSeedEntry { RoleCode = "manager", PermissionPath = "{navRoute}.{sectionCode}.create" };
+        yield return new RolePermissionSeedEntry { RoleCode = "manager", PermissionPath = "{navRoute}.{sectionCode}.update" };
+
+        // Contributor: CR per section
+        yield return new RolePermissionSeedEntry { RoleCode = "contributor", PermissionPath = "{navRoute}.{sectionCode}.read" };
+        yield return new RolePermissionSeedEntry { RoleCode = "contributor", PermissionPath = "{navRoute}.{sectionCode}.create" };
+
+        // Viewer: R per section
+        yield return new RolePermissionSeedEntry { RoleCode = "viewer", PermissionPath = "{navRoute}.{sectionCode}.read" };
+        // Repeat block for each section in navSections[]...
     }
 }
 
@@ -960,43 +1047,63 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
     public async Task SeedNavigationAsync(ICoreDbContext context, CancellationToken ct)
     {
         // --- Application (from NavigationApplicationSeedData) ---
+        // NOTE: Idempotence is at MODULE level (not application level).
+        // If the application already exists, we load it and continue to seed any missing modules.
+        // This allows adding Module 2+ to an existing application without re-running the full seed.
         var appEntry = NavigationApplicationSeedData.GetApplicationEntry(Guid.Empty); // contextId resolved below
-        var exists = await context.NavigationApplications
-            .AnyAsync(a => a.Code == appEntry.Code, ct);
-        if (exists) return;
+        var existingApp = await context.NavigationApplications
+            .FirstOrDefaultAsync(a => a.Code == appEntry.Code, ct);
 
-        var parentContext = await context.NavigationContexts
-            .FirstAsync(c => c.Code == "{contextCode}", ct);
-
-        // Re-get entry with resolved contextId
-        appEntry = NavigationApplicationSeedData.GetApplicationEntry(parentContext.Id);
-        var app = NavigationApplication.Create(
-            appEntry.ContextId, appEntry.Code, appEntry.Label,
-            appEntry.Description, appEntry.Icon, appEntry.IconType,
-            appEntry.Route, appEntry.DisplayOrder);
-        context.NavigationApplications.Add(app);
-        await ((DbContext)context).SaveChangesAsync(ct);
-
-        // --- Application translations (4 languages, from NavigationApplicationSeedData) ---
-        foreach (var t in NavigationApplicationSeedData.GetTranslationEntries())
+        NavigationApplication app;
+        if (existingApp != null)
         {
-            context.NavigationTranslations.Add(
-                NavigationTranslation.Create(t.EntityType, t.EntityId, t.LanguageCode, t.Label, t.Description));
+            app = existingApp; // Application already seeded — reuse it for module seeding below
+        }
+        else
+        {
+            var parentContext = await context.NavigationContexts
+                .FirstAsync(c => c.Code == "{contextCode}", ct);
+
+            // Re-get entry with resolved contextId
+            appEntry = NavigationApplicationSeedData.GetApplicationEntry(parentContext.Id);
+            app = NavigationApplication.Create(
+                appEntry.ContextId, appEntry.Code, appEntry.Label,
+                appEntry.Description, appEntry.Icon, appEntry.IconType,
+                appEntry.Route, appEntry.DisplayOrder);
+            context.NavigationApplications.Add(app);
+            await ((DbContext)context).SaveChangesAsync(ct);
+
+            // --- Application translations (4 languages, from NavigationApplicationSeedData) ---
+            foreach (var t in NavigationApplicationSeedData.GetTranslationEntries())
+            {
+                context.NavigationTranslations.Add(
+                    NavigationTranslation.Create(t.EntityType, t.EntityId, t.LanguageCode, t.Label, t.Description));
+            }
+            await ((DbContext)context).SaveChangesAsync(ct);
         }
-        await ((DbContext)context).SaveChangesAsync(ct);
 
-        // --- Modules ---
+        // --- Modules (idempotent per-module — allows adding Module 2+ later) ---
         // Module: {Module1}
-        var mod1Entry = {Module1Pascal}NavigationSeedData.GetModuleEntry(app.Id);
-        var mod1 = NavigationModule.Create(
-            mod1Entry.ApplicationId, mod1Entry.Code, mod1Entry.Label,
-            mod1Entry.Description, mod1Entry.Icon, mod1Entry.IconType,
-            mod1Entry.Route, mod1Entry.DisplayOrder);
-        context.NavigationModules.Add(mod1);
+        var mod1Exists = await context.NavigationModules
+            .AnyAsync(m => m.Code == "{module1Code}" && m.ApplicationId == app.Id, ct);
+        if (!mod1Exists)
+        {
+            var mod1Entry = {Module1Pascal}NavigationSeedData.GetModuleEntry(app.Id);
+            var mod1 = NavigationModule.Create(
+                mod1Entry.ApplicationId, mod1Entry.Code, mod1Entry.Label,
+                mod1Entry.Description, mod1Entry.Icon, mod1Entry.IconType,
+                mod1Entry.Route, mod1Entry.DisplayOrder);
+            context.NavigationModules.Add(mod1);
+        }
 
-        // Repeat for each module...
+        // Repeat for each module (each with its own idempotence check)...
         await ((DbContext)context).SaveChangesAsync(ct);
 
+        // Resolve module entities for section/resource seeding (works for both new AND existing modules)
+        var mod1Entity = await context.NavigationModules
+            .FirstAsync(m => m.Code == "{module1Code}" && m.ApplicationId == app.Id, ct);
+        // Repeat for each module...
+
         // --- Module translations ---
         foreach (var t in {Module1Pascal}NavigationSeedData.GetTranslationEntries())
         {
@@ -1008,7 +1115,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
         // --- Sections (if seedDataCore.navigationSections exists) ---
         // Module 1 sections
-        foreach (var secEntry in {Module1Pascal}NavigationSeedData.GetSectionEntries(mod1.Id))
+        foreach (var secEntry in {Module1Pascal}NavigationSeedData.GetSectionEntries(mod1Entity.Id))
         {
             var sec = NavigationSection.Create(
                 secEntry.ModuleId, secEntry.Code, secEntry.Label,
@@ -1030,7 +1137,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
         // --- Resources (if seedDataCore.navigationResources exists) ---
         // Module 1 resources (resolved per section)
-        foreach (var secEntry in {Module1Pascal}NavigationSeedData.GetSectionEntries(mod1.Id))
+        foreach (var secEntry in {Module1Pascal}NavigationSeedData.GetSectionEntries(mod1Entity.Id))
         {
             foreach (var resEntry in {Module1Pascal}NavigationSeedData.GetResourceEntries(secEntry.Id))
             {
@@ -1102,8 +1209,9 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         if (exists) return;
 
         // CRITICAL: Resolve roles by Code from DB — NEVER use deterministic GUIDs.
-        // System roles (admin, manager, contributor, viewer) are pre-seeded by SmartStack core
-        // with their own IDs that do NOT match DeterministicGuid("role:admin").
+        // Application-scoped roles (admin, manager, contributor, viewer) are created by
+        // SeedRolesAsync() above. System roles use their own IDs that do NOT match
+        // DeterministicGuid("role:admin").
         var roles = await context.Roles
             .Where(r => r.ApplicationId != null || r.IsSystem)
             .ToListAsync(ct);
@@ -1122,10 +1230,22 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         {
             var role = roles.FirstOrDefault(r => r.Code == mapping.RoleCode);
             var perm = permissions.FirstOrDefault(p => p.Path == mapping.PermissionPath);
-            if (role != null && perm != null)
+
+            if (role == null)
             {
-                context.RolePermissions.Add(RolePermission.Create(role.Id, perm.Id, "system"));
+                // CRITICAL: Role not found — SeedRolesAsync() may not have run.
+                // This causes silent permission failure → 401 on protected pages.
+                Console.WriteLine($"[SEED WARNING] Role '{mapping.RoleCode}' not found. Role-permission mapping skipped for '{mapping.PermissionPath}'.");
+                continue;
             }
+
+            if (perm == null)
+            {
+                Console.WriteLine($"[SEED WARNING] Permission '{mapping.PermissionPath}' not found. Role-permission mapping skipped for role '{mapping.RoleCode}'.");
+                continue;
+            }
+
+            context.RolePermissions.Add(RolePermission.Create(role.Id, perm.Id, "system"));
         }
 
         await ((DbContext)context).SaveChangesAsync(ct);

package/templates/skills/ralph-loop/references/task-transform-legacy.md

@@ -177,9 +177,9 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
     const permissions = coreSeedData.permissions || [];
     const rolePerms = coreSeedData.rolePermissions || [];
     tasks.push({
-      id: taskId, description: `[infrastructure] Create core seed data for ${moduleCode}: NavigationModuleSeedData, PermissionsSeedData, RolesSeedData`,
+      id: taskId, description: `[infrastructure] Create core seed data for ${moduleCode}: NavigationApplicationSeedData, ApplicationRolesSeedData, NavigationModuleSeedData, PermissionsSeedData, RolesSeedData`,
       status: "pending", category: "infrastructure", dependencies: infraDepId ? [infraDepId] : [],
-      acceptance_criteria: `NavigationModuleSeedData (${navModules.length} nav); PermissionsSeedData (${permissions.length} perms); RolesSeedData (${rolePerms.length} roles); SeedConstants; dotnet build passes`,
+      acceptance_criteria: `NavigationApplicationSeedData (app-level, once); ApplicationRolesSeedData (4 roles); NavigationModuleSeedData (${navModules.length} nav); PermissionsSeedData (${permissions.length} perms); RolesSeedData (${rolePerms.length} roles); SeedConstants; dotnet build passes`,
       started_at: null, completed_at: null, iteration: null, commit_hash: null,
       files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode,
       _seedDataMeta: {
@@ -199,7 +199,7 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
       id: taskId, description: `[infrastructure] Create IClientSeedDataProvider for core seed data injection`,
       status: "pending", category: "infrastructure",
       dependencies: [lastIdByCategory["infrastructure"] || lastIdByCategory["domain"]].filter(Boolean),
-      acceptance_criteria: "SeedNavigationAsync + SeedPermissionsAsync + SeedRolePermissionsAsync; DI registered; idempotent",
+      acceptance_criteria: "SeedNavigationAsync + SeedRolesAsync + SeedPermissionsAsync + SeedRolePermissionsAsync; DI registered; idempotent",
       started_at: null, completed_at: null, iteration: null, commit_hash: null,
       files_changed: { created: [], modified: [] }, validation: null, error: null, module: moduleCode,
       _providerMeta: {

package/templates/skills/ralph-loop/steps/step-02-execute.md

@@ -178,6 +178,102 @@ fi
 - If `auth_Permissions` is empty → all authorization checks reject → 403 on every endpoint
 - These are **foundational** — without them, ALL subsequent features (frontend, API, tests) are useless
 
+**POST-CHECK: Section route/permission completeness (BLOCKING — when sections defined)**
+
+After generating section seed data, verify completeness:
+
+```bash
+# 1. Verify every NavigationSection seed route has a frontend route match
+SECTION_SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" -exec grep -l 'GetSectionEntries' {} \; 2>/dev/null)
+if [ -n "$SECTION_SEED_FILES" ]; then
+  echo "Sections defined — verifying frontend route matches..."
+  SECTION_ROUTES=$(grep -ohP 'Route\s*=\s*ToKebabCase\(\$?"([^"]+)"\)' $SECTION_SEED_FILES 2>/dev/null | grep -i section)
+  APP_TSX="$WEB_SRC/App.tsx"
+  if [ -n "$APP_TSX" ] && [ -n "$SECTION_ROUTES" ]; then
+    while IFS= read -r ROUTE; do
+      ROUTE_PATH=$(echo "$ROUTE" | grep -oP '"([^"]+)"' | tr -d '"')
+      if [ -n "$ROUTE_PATH" ] && ! grep -q "$ROUTE_PATH" "$APP_TSX" 2>/dev/null; then
+        echo "WARNING: Section route '$ROUTE_PATH' not found in App.tsx — add frontend route"
+      fi
+    done <<< "$SECTION_ROUTES"
+  fi
+
+  # 2. Verify section-level permissions exist when sections are defined
+  PERM_SEED=$(find . -path "*/Seeding/Data/*" -name "PermissionsSeedData.cs" 2>/dev/null)
+  if [ -n "$PERM_SEED" ]; then
+    for PS in $PERM_SEED; do
+      HAS_SECTION_PERMS=$(grep -c 'sectionCode\|SectionPascal\|Level = PermissionLevel.Section' "$PS" 2>/dev/null)
+      if [ "$HAS_SECTION_PERMS" -eq 0 ]; then
+        echo "BLOCKING: Sections defined but PermissionsSeedData missing section-level permissions: $PS"
+        echo "Fix: Add section-level permission GUIDs and entries per core-seed-data.md Step C2"
+        exit 1
+      fi
+    done
+  fi
+
+  # 3. Verify section-level role mappings exist
+  ROLE_SEED=$(find . -path "*/Seeding/Data/*" -name "RolesSeedData.cs" 2>/dev/null)
+  if [ -n "$ROLE_SEED" ]; then
+    for RS in $ROLE_SEED; do
+      HAS_SECTION_ROLES=$(grep -c 'sectionCode' "$RS" 2>/dev/null)
+      if [ "$HAS_SECTION_ROLES" -eq 0 ]; then
+        echo "BLOCKING: Sections defined but RolesSeedData missing section-level role mappings: $RS"
+        echo "Fix: Add section-level role-permission entries per core-seed-data.md section 5"
+        exit 1
+      fi
+    done
+  fi
+fi
+```
+
+**POST-CHECK: Navigation section route CRUD suffix detection (BLOCKING)**
+
+After generating NavigationSeedData files with sections, verify no route contains `/list` or `/detail` suffixes:
+
+```bash
+# Detect CRUD suffixes in navigation section routes
+CRUD_ROUTES=$(grep -rn 'Route.*=.*\/list\b\|Route.*=.*\/detail' Infrastructure/Persistence/Seeding/Data/ 2>/dev/null | grep -v '//.*Route')
+
+if [ -n "$CRUD_ROUTES" ]; then
+  echo "BLOCKING: Navigation section routes contain CRUD suffixes"
+  echo "Convention:"
+  echo "  - 'list' section route = module route (NO /list suffix)"
+  echo "  - 'detail' section route = module route + /:id (NOT /detail/:id)"
+  echo "  - Other sections = module route + /{section-kebab}"
+  echo ""
+  echo "Found:"
+  echo "$CRUD_ROUTES"
+  echo ""
+  echo "Fix: Remove /list suffix (use module route), replace /detail/:id with /:id"
+  exit 1
+fi
+```
+
+**Why this matters:**
+- React Router defines NO `/list` child route — the module route IS the list view
+- React Router uses `/:id` for detail views, NOT `/detail/:id`
+- Mismatch causes 404 on navigation menu click
+
+**POST-CHECK: Permission path segment count (WARNING — when permissions defined)**
+
+```bash
+PERM_FILES=$(find Infrastructure/Persistence/Seeding/Data/ -name "PermissionsSeedData.cs" 2>/dev/null)
+if [ -n "$PERM_FILES" ]; then
+  MALFORMED=$(grep -oP 'Path\s*=\s*"([^"]+)"' $PERM_FILES | grep -oP '"[^"]+"' | tr -d '"' | while read -r path; do
+    DOTS=$(echo "$path" | tr -cd '.' | wc -c)
+    if echo "$path" | grep -qP '\.\*$'; then continue; fi
+    if [ "$DOTS" -lt 3 ] || [ "$DOTS" -gt 5 ]; then
+      echo "  Unexpected segment count ($((DOTS+1))): $path"
+    fi
+  done)
+  if [ -n "$MALFORMED" ]; then
+    echo "WARNING: Permission paths with unexpected segment count:"
+    echo "$MALFORMED"
+    echo "  Expected: 4 segments (module-level) or 5 segments (section-level)"
+  fi
+fi
+```
+
 **POST-CHECK: DefaultTenantId cross-schema FK validation (WARNING)**
 
 After generating SeedConstants.cs and DevDataSeeder, verify that `DefaultTenantId` is not a phantom GUID that doesn't exist in `core.tenant_Tenants`:
@@ -602,12 +698,24 @@ if [ -n "$SERVICE_FILES" ]; then
   BAD_PATTERN=$(grep -Pn 'TenantId!\s*\.Value|TenantId!\s*\.ToString|\.TenantId!' $SERVICE_FILES 2>/dev/null)
   if [ -n "$BAD_PATTERN" ]; then
     echo "BLOCKING: TenantId!.Value causes 500 when tenant context is missing"
-    echo "Fix: var tenantId = _currentTenant.TenantId ?? throw new UnauthorizedAccessException(\"Tenant context is required\");"
+    echo "Fix: var tenantId = _currentTenant.TenantId ?? throw new TenantContextRequiredException();"
+    echo "NEVER use UnauthorizedAccessException for tenant context — it returns 401 which clears the frontend token."
     echo "$BAD_PATTERN"
     exit 1
   fi
 fi
 
+# POST-CHECK: Services must NOT use UnauthorizedAccessException for tenant context (causes token clearing)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_UNAUTH=$(grep -Pn 'UnauthorizedAccessException.*[Tt]enant' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_UNAUTH" ]; then
+    echo "BLOCKING: Services use UnauthorizedAccessException for tenant context — causes 401 which clears the frontend token"
+    echo "$BAD_UNAUTH"
+    echo "Fix: var tenantId = _currentTenant.TenantId ?? throw new TenantContextRequiredException();"
+    exit 1
+  fi
+fi
+
 # POST-CHECK: IAuditableEntity + Validator pairing
 ENTITY_FILES=$(find src/ -path "*/Domain/Entities/Business/*" -name "*.cs" 2>/dev/null)
 if [ -n "$ENTITY_FILES" ]; then