@atlashub/smartstack-cli 3.30.0 → 3.32.0

package/templates/skills/apex/references/post-checks.md

@@ -28,13 +28,22 @@ SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Se
 if [ -n "$SERVICE_FILES" ]; then
   # Check each service file has TenantId reference (either _currentUser.TenantId or TenantId filter)
   for f in $SERVICE_FILES; do
-    if ! grep -q "TenantId" "$f"; then
-      echo "BLOCKING (OWASP A01): Service missing TenantId filter: $f"
-      echo "Every service query MUST filter by _currentUser.TenantId"
+    # Accept either _currentTenant.TenantId (strict guard clause or nullable usage)
+    # or entities with IOptionalTenantEntity/IScopedTenantEntity (optional tenant pattern)
+    HAS_TENANT_FILTER=$(grep -c "TenantId" "$f")
+    HAS_OPTIONAL_ENTITY=false
+    if grep -q "IOptionalTenantEntity\|IScopedTenantEntity" "$f"; then
+      HAS_OPTIONAL_ENTITY=true
+    fi
+
+    if [ "$HAS_TENANT_FILTER" -eq 0 ] && [ "$HAS_OPTIONAL_ENTITY" = false ]; then
+      echo "BLOCKING (OWASP A01): Service missing TenantId filter or optional tenant entity: $f"
+      echo "Every service query MUST filter by _currentTenant.TenantId"
+      echo "OR work with entities that implement IOptionalTenantEntity/IScopedTenantEntity"
       exit 1
     fi
     if grep -q "Guid.Empty" "$f"; then
-      echo "BLOCKING (OWASP A01): Service uses Guid.Empty instead of _currentUser.TenantId: $f"
+      echo "BLOCKING (OWASP A01): Service uses Guid.Empty instead of _currentTenant.TenantId: $f"
       exit 1
     fi
   done
@@ -123,19 +132,35 @@ if [ -n "$ROUTE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 8: Forms must be full pages with routes — ZERO modals/popups/drawers
+### POST-CHECK 8: Forms must be full pages with routes — ZERO modals/popups/drawers/slide-overs
 
 ```bash
-# Check for modal/dialog/drawer imports in page files (create/edit forms)
+# Check for modal/dialog/drawer/slide-over imports AND inline form state in page files
 PAGE_FILES=$(find src/pages/ -name "*.tsx" 2>/dev/null)
 if [ -n "$PAGE_FILES" ]; then
-  MODAL_IMPORTS=$(grep -Pn "import.*(?:Modal|Dialog|Drawer|Popup|Sheet)" $PAGE_FILES 2>/dev/null)
+  FAIL=false
+
+  # 8a. Component imports (Modal, Dialog, Drawer, etc.)
+  MODAL_IMPORTS=$(grep -Pn "import.*(?:Modal|Dialog|Drawer|Popup|Sheet|SlideOver|Overlay)" $PAGE_FILES 2>/dev/null)
   if [ -n "$MODAL_IMPORTS" ]; then
-    echo "BLOCKING: Form pages must NOT use Modal/Dialog/Drawer/Popup components"
-    echo "Create/Edit forms MUST be full pages with their own URL routes"
-    echo "Found modal imports in page files:"
+    echo "BLOCKING: Form pages must NOT use Modal/Dialog/Drawer/Popup/SlideOver components"
     echo "$MODAL_IMPORTS"
+    FAIL=true
+  fi
+
+  # 8b. Inline form state (catches drawers/slide-overs built without external components)
+  FORM_STATE=$(grep -Pn "useState.*(?:isOpen|showModal|showDialog|showCreate|showEdit|showForm|isCreating|isEditing|showDrawer|showPanel|showSlideOver|selectedEntity|editingEntity)" $PAGE_FILES 2>/dev/null)
+  if [ -n "$FORM_STATE" ]; then
+    echo "BLOCKING: Inline form state detected — forms embedded in ListPage as drawers/panels"
+    echo "Create/Edit forms MUST be separate page components with their own URL routes"
+    echo "$FORM_STATE"
+    FAIL=true
+  fi
+
+  if [ "$FAIL" = true ]; then
+    echo ""
     echo "Fix: Create EntityCreatePage.tsx with route /create and EntityEditPage.tsx with route /:id/edit"
+    echo "NEVER embed create/edit forms as inline drawers, panels, or slide-overs in ListPage"
     exit 1
   fi
 fi
@@ -193,31 +218,64 @@ if [ -n "$FORM_PAGES" ]; then
 fi
 ```
 
-### POST-CHECK 11: FK fields must NOT be plain text inputs (EntityLookup required)
+### POST-CHECK 11: FK fields must use EntityLookup — NO `<input>`, NO `<select>` (BLOCKING)
 
 ```bash
-# Check for FK fields rendered as plain text inputs in form pages
-FORM_PAGES=$(find src/pages/ -name "*CreatePage.tsx" -o -name "*EditPage.tsx" 2>/dev/null | grep -v test | grep -v node_modules)
-if [ -n "$FORM_PAGES" ]; then
-  # Detect FK input fields: <input> with name ending in "Id" (catches inputs with or without explicit type)
-  FK_INPUTS=$(grep -Pn '<input[^>]*name=["\x27][a-zA-Z]*Id["\x27]' $FORM_PAGES 2>/dev/null)
+# Check ALL page files for FK fields rendered as <input> or <select> instead of EntityLookup
+# Scans ALL .tsx files (not just CreatePage/EditPage — forms may be embedded in ListPage drawers)
+ALL_PAGES=$(find src/pages/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\.")
+if [ -n "$ALL_PAGES" ]; then
+  FAIL=false
+
+  # 1. Detect <input> with name/value binding to FK fields (fields ending in "Id")
+  FK_INPUTS=$(grep -Pn '<input[^>]*(?:name|value)=["\x27{][^>]*[a-zA-Z]Id["\x27}]' $ALL_PAGES 2>/dev/null | grep -Pv 'type=["\x27]hidden["\x27]')
   if [ -n "$FK_INPUTS" ]; then
-    # Filter out hidden inputs (legitimate for FK submission)
-    FK_TEXT_INPUTS=$(echo "$FK_INPUTS" | grep -Pv 'type=["\x27]hidden["\x27]')
-    if [ -n "$FK_TEXT_INPUTS" ]; then
-      echo "BLOCKING: FK fields rendered as plain text inputs — MUST use EntityLookup component"
-      echo "Users cannot type GUIDs manually. Use <EntityLookup /> from @/components/ui/EntityLookup"
-      echo "See smartstack-frontend.md section 6 for the EntityLookup pattern"
-      echo "$FK_TEXT_INPUTS"
-      exit 1
-    fi
+    echo "BLOCKING: FK fields rendered as <input> — MUST use EntityLookup component"
+    echo "$FK_INPUTS"
+    FAIL=true
   fi
 
-  # Check for input placeholders mentioning "ID" or "id" or "Enter...Id"
-  FK_PLACEHOLDER=$(grep -Pn 'placeholder=["\x27].*[Ee]nter.*[Ii][Dd]|placeholder=["\x27].*[Gg][Uu][Ii][Dd]' $FORM_PAGES 2>/dev/null)
+  # 2. Detect <select> with value binding to FK fields (e.g., value={formData.departmentId})
+  FK_SELECTS=$(grep -Pn '<select[^>]*value=\{[^}]*[a-zA-Z]Id\b' $ALL_PAGES 2>/dev/null)
+  if [ -n "$FK_SELECTS" ]; then
+    echo "BLOCKING: FK fields rendered as <select> dropdown — MUST use EntityLookup component"
+    echo "A <select> loaded from API state is NOT a valid substitute for EntityLookup."
+    echo "EntityLookup provides: debounced search, paginated results, display name resolution."
+    echo "$FK_SELECTS"
+    FAIL=true
+  fi
+
+  # 3. Detect onChange handlers setting FK fields from <select> (e.g., setFormData({...formData, departmentId: e.target.value}))
+  FK_SELECT_ONCHANGE=$(grep -Pn 'onChange=.*[a-zA-Z]Id[^a-zA-Z].*e\.target\.value' $ALL_PAGES 2>/dev/null)
+  if [ -n "$FK_SELECT_ONCHANGE" ]; then
+    echo "BLOCKING: FK field set via e.target.value (select/input pattern) — use EntityLookup onChange(id)"
+    echo "$FK_SELECT_ONCHANGE"
+    FAIL=true
+  fi
+
+  # 4. Check for placeholders mentioning "ID", "GUID", or "Select..." for FK fields
+  FK_PLACEHOLDER=$(grep -Pn 'placeholder=["\x27].*(?:[Ee]nter.*[Ii][Dd]|[Gg][Uu][Ii][Dd]|[Ss]elect.*[Ee]mployee|[Ss]elect.*[Dd]epartment|[Ss]elect.*[Pp]osition|[Ss]elect.*[Pp]roject|[Ss]elect.*[Cc]ategory)' $ALL_PAGES 2>/dev/null)
   if [ -n "$FK_PLACEHOLDER" ]; then
-    echo "BLOCKING: Form has placeholder asking user to enter an ID/GUID — use EntityLookup instead"
+    echo "BLOCKING: Form has placeholder for FK field selection — use EntityLookup search instead"
     echo "$FK_PLACEHOLDER"
+    FAIL=true
+  fi
+
+  # 5. Detect <option> elements with GUID-like values (sign of FK <select>)
+  FK_OPTIONS=$(grep -Pn '<option[^>]*value=\{[^}]*\.id\}' $ALL_PAGES 2>/dev/null)
+  if [ -n "$FK_OPTIONS" ]; then
+    echo "BLOCKING: <option> with entity .id value detected — this is a FK <select> anti-pattern"
+    echo "Replace the entire <select>/<option> block with <EntityLookup />"
+    echo "$FK_OPTIONS"
+    FAIL=true
+  fi
+
+  if [ "$FAIL" = true ]; then
+    echo ""
+    echo "Fix: Replace ALL FK fields with <EntityLookup /> from @/components/ui/EntityLookup"
+    echo "See smartstack-frontend.md section 6 for the EntityLookup pattern"
+    echo "FORBIDDEN for FK Guid fields: <input>, <select>, <option>, e.target.value"
+    echo "REQUIRED: <EntityLookup apiEndpoint={...} mapOption={...} value={...} onChange={...} />"
     exit 1
   fi
 fi
@@ -242,7 +300,7 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 13: No hardcoded Tailwind colors in generated pages
+### POST-CHECK 13: No hardcoded Tailwind colors in generated pages (BLOCKING)
 
 ```bash
 # Scan all page and component files directly (works for uncommitted/untracked files, Windows/WSL compatible)
@@ -250,9 +308,24 @@ ALL_PAGES=$(find src/pages/ src/components/ -name "*.tsx" 2>/dev/null | grep -v
 if [ -n "$ALL_PAGES" ]; then
   HARDCODED=$(grep -Pn '(bg|text|border)-(?!\[)(red|blue|green|gray|white|black|slate|zinc|neutral|stone)-' $ALL_PAGES 2>/dev/null)
   if [ -n "$HARDCODED" ]; then
-    echo "WARNING: Pages should use CSS variables instead of hardcoded Tailwind colors"
-    echo "Fix: bg-[var(--bg-card)] instead of bg-white, text-[var(--text-primary)] instead of text-gray-900"
+    echo "BLOCKING: Pages MUST use CSS variables instead of hardcoded Tailwind colors"
+    echo "SmartStack uses a theme system — hardcoded colors break dark mode and custom themes"
+    echo ""
+    echo "Fix mapping:"
+    echo "  bg-white         → bg-[var(--bg-card)]"
+    echo "  bg-gray-50       → bg-[var(--bg-primary)]"
+    echo "  text-gray-900    → text-[var(--text-primary)]"
+    echo "  text-gray-500    → text-[var(--text-secondary)]"
+    echo "  border-gray-200  → border-[var(--border-color)]"
+    echo "  bg-blue-600      → bg-[var(--color-accent-500)]"
+    echo "  text-blue-600    → text-[var(--color-accent-500)]"
+    echo "  text-red-500     → text-[var(--error-text)]"
+    echo "  bg-green-500     → bg-[var(--success-bg)]"
+    echo ""
+    echo "See references/smartstack-frontend.md section 4 for full variable reference"
+    echo ""
     echo "$HARDCODED"
+    exit 1
   fi
 fi
 ```
@@ -509,7 +582,35 @@ if [ -n "$SERVICE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 22: Permissions.cs static constants must exist (BLOCKING)
+### POST-CHECK 22: Cross-tenant entities must use Guid? TenantId
+
+```bash
+for entity in $(find src/ -path "*/Domain/*" -name "*.cs" ! -name "I*.cs" 2>/dev/null); do
+  if grep -q "IOptionalTenantEntity\|IScopedTenantEntity" "$entity"; then
+    if grep -q "public Guid TenantId" "$entity" && ! grep -q "public Guid? TenantId" "$entity"; then
+      echo "BLOCKING: Entity with IOptionalTenantEntity/IScopedTenantEntity must use Guid? TenantId (nullable)"
+      exit 1
+    fi
+  fi
+done
+echo "POST-CHECK 22: OK"
+```
+
+### POST-CHECK 23: Scoped entities must have EntityScope property
+
+```bash
+for entity in $(find src/ -path "*/Domain/*" -name "*.cs" ! -name "I*.cs" 2>/dev/null); do
+  if grep -q "IScopedTenantEntity" "$entity"; then
+    if ! grep -q "EntityScope\|Scope" "$entity"; then
+      echo "BLOCKING: Entity with IScopedTenantEntity must have EntityScope Scope property"
+      exit 1
+    fi
+  fi
+done
+echo "POST-CHECK 23: OK"
+```
+
+### POST-CHECK 24: Permissions.cs static constants must exist (BLOCKING)
 
 ```bash
 # Every module with controllers MUST have a Permissions.cs with static constants
@@ -527,7 +628,7 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 23: ApplicationRolesSeedData.cs must exist (BLOCKING)
+### POST-CHECK 25: ApplicationRolesSeedData.cs must exist (BLOCKING)
 
 ```bash
 # If any RolesSeedData exists, ApplicationRolesSeedData MUST also exist
@@ -544,7 +645,7 @@ if [ -n "$ROLE_SEED" ]; then
 fi
 ```
 
-### POST-CHECK 24b: Section route completeness (NavigationSection → frontend route + permissions)
+### POST-CHECK 25b: Section route completeness (NavigationSection → frontend route + permissions)
 
 ```bash
 # Every NavigationSection seed data route MUST have a corresponding frontend route in App.tsx
@@ -593,7 +694,7 @@ if [ -n "$SECTION_SEED_FILES" ] && [ -n "$PERM_FILE" ]; then
 fi
 ```
 
-### POST-CHECK 25: FORBIDDEN route patterns — /list and /detail/:id (BLOCKING)
+### POST-CHECK 26: FORBIDDEN route patterns — /list and /detail/:id (BLOCKING)
 
 ```bash
 # 1. Check seed data for FORBIDDEN suffixes
@@ -624,7 +725,7 @@ fi
 echo "OK: No forbidden /list or /detail route patterns found"
 ```
 
-### POST-CHECK 26: Permission path segment count (WARNING)
+### POST-CHECK 27: Permission path segment count (WARNING)
 
 ```bash
 PERM_FILES=$(find src/ -path "*/Seeding/Data/*" -name "PermissionsSeedData.cs" 2>/dev/null)
@@ -646,7 +747,7 @@ if [ -n "$PERM_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 24: IClientSeedDataProvider must have 4 methods + DI registration (BLOCKING)
+### POST-CHECK 28: IClientSeedDataProvider must have 4 methods + DI registration (BLOCKING)
 
 ```bash
 PROVIDER=$(find src/ -path "*/Seeding/*SeedDataProvider.cs" 2>/dev/null | head -1)
@@ -676,4 +777,243 @@ if [ -n "$PROVIDER" ]; then
 fi
 ```
 
+### POST-CHECK 29: i18n must use separate JSON files per language (not embedded in index.ts)
+
+```bash
+# Translations MUST be in src/i18n/locales/{lang}/{module}.json, NOT embedded in a single .ts file
+TSX_FILES=$(find src/pages/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\.")
+if [ -n "$TSX_FILES" ]; then
+  # Check if i18n locales directory exists
+  if [ ! -d "src/i18n/locales" ]; then
+    echo "BLOCKING: Missing src/i18n/locales/ directory"
+    echo "Translations must be in separate JSON files: src/i18n/locales/{fr,en,it,de}/{module}.json"
+    echo "NEVER embed translations in src/i18n/index.ts or a single TypeScript file"
+    exit 1
+  fi
+
+  # Check for embedded translations in index.ts (common anti-pattern)
+  I18N_INDEX=$(find src/i18n/ -maxdepth 1 -name "index.ts" -o -name "index.tsx" -o -name "config.ts" 2>/dev/null)
+  if [ -n "$I18N_INDEX" ]; then
+    EMBEDDED=$(grep -Pn '^\s*(resources|translations)\s*[:=]\s*\{' $I18N_INDEX 2>/dev/null)
+    if [ -n "$EMBEDDED" ]; then
+      echo "BLOCKING: Translations embedded in i18n config file — must be in separate JSON files"
+      echo "Found embedded translations in:"
+      echo "$EMBEDDED"
+      echo ""
+      echo "Fix: Move translations to src/i18n/locales/{fr,en,it,de}/{module}.json"
+      echo "The i18n config should import from locales/ directory, not contain inline translations"
+      exit 1
+    fi
+  fi
+
+  # Verify all 4 language directories exist
+  for LANG in fr en it de; do
+    if [ ! -d "src/i18n/locales/$LANG" ]; then
+      echo "BLOCKING: Missing language directory: src/i18n/locales/$LANG/"
+      echo "SmartStack requires 4 languages: fr, en, it, de"
+      exit 1
+    fi
+  done
+
+  # Verify at least one JSON file exists per language
+  for LANG in fr en it de; do
+    JSON_COUNT=$(find "src/i18n/locales/$LANG" -name "*.json" 2>/dev/null | wc -l)
+    if [ "$JSON_COUNT" -eq 0 ]; then
+      echo "BLOCKING: No translation JSON files in src/i18n/locales/$LANG/"
+      echo "Each module must have a {module}.json file per language"
+      exit 1
+    fi
+  done
+fi
+```
+
+### POST-CHECK 30: Pages must use useTranslation hook (no hardcoded user-facing strings)
+
+```bash
+# Verify that page components use i18n — detect hardcoded strings in JSX
+PAGE_FILES=$(find src/pages/ -name "*.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\.")
+if [ -n "$PAGE_FILES" ]; then
+  # Check that at least 80% of pages import useTranslation
+  TOTAL_PAGES=$(echo "$PAGE_FILES" | wc -l)
+  I18N_PAGES=$(grep -l "useTranslation" $PAGE_FILES 2>/dev/null | wc -l)
+  if [ "$TOTAL_PAGES" -gt 0 ] && [ "$I18N_PAGES" -eq 0 ]; then
+    echo "BLOCKING: No page files use useTranslation — all user-facing text must be translated"
+    echo "Found $TOTAL_PAGES page files but 0 use useTranslation"
+    echo ""
+    echo "Fix: Import and use useTranslation in every page component:"
+    echo "  const { t } = useTranslation(['{module}']);"
+    echo "  t('{module}:title', 'Fallback text')"
+    exit 1
+  fi
+
+  # Check for common hardcoded English strings in JSX (heuristic)
+  HARDCODED_TEXT=$(grep -Pn '>\s*(Create|Edit|Delete|Save|Cancel|Search|Loading|Error|No data|Not found|Submit|Back|Actions|Name|Status|Description)\s*<' $PAGE_FILES 2>/dev/null | grep -v '{t(' | head -10)
+  if [ -n "$HARDCODED_TEXT" ]; then
+    echo "WARNING: Possible hardcoded user-facing strings detected in JSX"
+    echo "All user-facing text MUST use t('namespace:key', 'Fallback')"
+    echo "$HARDCODED_TEXT"
+  fi
+fi
+```
+
+### POST-CHECK 31: List/Detail pages must include DocToggleButton (documentation panel)
+
+```bash
+# Every list and detail page MUST have DocToggleButton for inline documentation access
+LIST_PAGES=$(find src/pages/ -name "*ListPage.tsx" -o -name "*sPage.tsx" 2>/dev/null | grep -v node_modules | grep -v "\.test\.")
+if [ -n "$LIST_PAGES" ]; then
+  MISSING_DOC=0
+  for PAGE in $LIST_PAGES; do
+    if ! grep -q "DocToggleButton" "$PAGE" 2>/dev/null; then
+      echo "WARNING: Page missing DocToggleButton: $PAGE"
+      echo "  Import: import { DocToggleButton } from '@/components/docs/DocToggleButton';"
+      echo "  Place in header actions: <DocToggleButton />"
+      MISSING_DOC=$((MISSING_DOC + 1))
+    fi
+  done
+  if [ "$MISSING_DOC" -gt 0 ]; then
+    echo ""
+    echo "WARNING: $MISSING_DOC pages missing DocToggleButton — users cannot access inline documentation"
+    echo "See smartstack-frontend.md section 7 for placement pattern"
+  fi
+fi
+```
+
+### POST-CHECK 32: Module documentation must be generated (doc-data.ts)
+
+```bash
+# After frontend pages exist, /documentation should have been called
+TSX_PAGES=$(find src/pages/ -name "*.tsx" -not -name "*.test.*" 2>/dev/null | grep -v node_modules | grep -v "docs/")
+DOC_DATA=$(find src/pages/docs/ -name "doc-data.ts" 2>/dev/null)
+if [ -n "$TSX_PAGES" ] && [ -z "$DOC_DATA" ]; then
+  echo "WARNING: Frontend pages exist but no documentation generated"
+  echo "Fix: Invoke /documentation {module} --type user to generate doc-data.ts"
+  echo "The DocToggleButton in page headers will link to this documentation"
+fi
+```
+
+### POST-CHECK 33: Pagination type must be PaginatedResult<T> — no aliases (BLOCKING)
+
+```bash
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+ALL_FILES="$SERVICE_FILES $CTRL_FILES"
+if [ -n "$(echo $ALL_FILES | tr -d ' ')" ]; then
+  BAD_NAMES=$(grep -Pn 'PagedResult<|PaginatedResultDto<|PaginatedResponse<|PageResultDto<' $ALL_FILES 2>/dev/null)
+  if [ -n "$BAD_NAMES" ]; then
+    echo "BLOCKING: Pagination type must be PaginatedResult<T> — found non-canonical names"
+    echo "$BAD_NAMES"
+    echo "FORBIDDEN type names: PagedResult, PaginatedResultDto, PaginatedResponse, PageResultDto"
+    echo "Fix: Use PaginatedResult<T> from SmartStack.Application.Common.Models everywhere"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 34: Code generation — ICodeGenerator must be registered for auto-generated entities (BLOCKING)
+
+```bash
+# If feature.json has entities with codePattern.strategy != "manual",
+# verify that ICodeGenerator<Entity> is registered in DI
+FEATURE_FILES=$(find docs/ -name "feature.json" 2>/dev/null)
+DI_FILE=$(find src/ -name "DependencyInjection.cs" -path "*/Infrastructure/*" 2>/dev/null | head -1)
+if [ -n "$FEATURE_FILES" ] && [ -n "$DI_FILE" ]; then
+  for FEATURE in $FEATURE_FILES; do
+    ENTITIES_WITH_CODE=$(python3 -c "
+import json, sys
+try:
+  with open('$FEATURE') as f:
+    data = json.load(f)
+  for e in data.get('analysis', {}).get('entities', []):
+    cp = e.get('codePattern', {})
+    if cp.get('strategy', 'manual') != 'manual':
+      print(e['name'])
+except: pass
+" 2>/dev/null)
+    for ENTITY in $ENTITIES_WITH_CODE; do
+      if ! grep -q "ICodeGenerator<$ENTITY>" "$DI_FILE" 2>/dev/null; then
+        echo "BLOCKING: Entity $ENTITY has auto-generated code pattern but ICodeGenerator<$ENTITY> is not registered in DI"
+        echo "Fix: Add CodeGenerator<$ENTITY> registration in DependencyInjection.cs — see references/code-generation.md"
+        exit 1
+      fi
+    done
+  done
+fi
+```
+
+### POST-CHECK 35: Code regex must support hyphens (BLOCKING)
+
+```bash
+VALIDATOR_FILES=$(find src/ -path "*/Validators/*" -name "*Validator.cs" 2>/dev/null)
+if [ -n "$VALIDATOR_FILES" ]; then
+  OLD_REGEX=$(grep -rn '\^\\[a-z0-9_\\]+\$' $VALIDATOR_FILES 2>/dev/null | grep -v '\-')
+  if [ -n "$OLD_REGEX" ]; then
+    echo "BLOCKING: Code validator uses old regex without hyphen support"
+    echo "$OLD_REGEX"
+    echo "Fix: Update regex to ^[a-z0-9_-]+$ to support auto-generated codes with hyphens"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 36: CreateDto must NOT have Code field when service uses ICodeGenerator (WARNING)
+
+```bash
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  for f in $SERVICE_FILES; do
+    if grep -q "ICodeGenerator" "$f"; then
+      ENTITY=$(basename "$f" | sed 's/Service\.cs$//')
+      DTO_FILE=$(find src/ -path "*/DTOs/*" -name "Create${ENTITY}Dto.cs" 2>/dev/null | head -1)
+      if [ -n "$DTO_FILE" ] && grep -q "public string Code" "$DTO_FILE"; then
+        echo "WARNING: Create${ENTITY}Dto has Code field but service uses ICodeGenerator (code is auto-generated)"
+        echo "Fix: Remove Code from Create${ENTITY}Dto — it is auto-generated by ICodeGenerator<${ENTITY}>"
+      fi
+    fi
+  done
+fi
+```
+
+### POST-CHECK 37: Translation seed data must have idempotency guard (BLOCKING)
+
+```bash
+PROVIDER=$(find src/ -path "*/Seeding/*SeedDataProvider.cs" 2>/dev/null | head -1)
+if [ -n "$PROVIDER" ]; then
+  # Check if NavigationTranslations.Add is used WITHOUT a preceding AnyAsync guard
+  # Pattern: any .Add(NavigationTranslation.Create(...)) that is NOT inside an AnyAsync check
+  TRANSLATION_ADDS=$(grep -c "NavigationTranslations.Add" "$PROVIDER" 2>/dev/null)
+  TRANSLATION_GUARDS=$(grep -c "NavigationTranslations.AnyAsync" "$PROVIDER" 2>/dev/null)
+
+  if [ "$TRANSLATION_ADDS" -gt 0 ] && [ "$TRANSLATION_GUARDS" -eq 0 ]; then
+    echo "BLOCKING: Translation seed data inserts without idempotency guard in $PROVIDER"
+    echo "Fix: Before each NavigationTranslations.Add block, check existence:"
+    echo "  if (!await context.NavigationTranslations.AnyAsync("
+    echo "      t => t.EntityId == {Module}NavigationSeedData.{Module}ModuleId"
+    echo "           && t.EntityType == NavigationEntityType.Module, ct))"
+    echo "  { foreach (var t in ...) { context.NavigationTranslations.Add(...); } }"
+    echo "The unique index IX_nav_Translations_EntityType_EntityId_LanguageCode will crash on duplicates."
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 38: Resource seed data must use actual section IDs from DB (BLOCKING)
+
+```bash
+PROVIDER=$(find src/ -path "*/Seeding/*SeedDataProvider.cs" 2>/dev/null | head -1)
+if [ -n "$PROVIDER" ]; then
+  # Check if NavigationResource.Create uses secEntry.Id or resEntry.SectionId (deterministic GUIDs)
+  # instead of actualSection.Id (real DB ID). This causes FK_nav_Resources_nav_Sections_SectionId violation.
+  if grep -Pn 'NavigationResource\.Create\(' "$PROVIDER" | grep -q 'resEntry\.SectionId\|secEntry\.Id'; then
+    echo "BLOCKING: Resource seed data uses deterministic GUID as SectionId in $PROVIDER"
+    echo "NavigationSection.Create() generates its own ID — deterministic seed GUIDs do NOT exist in nav_Sections."
+    echo "Fix: Query actual section from DB before creating resources:"
+    echo "  var actualSection = await context.NavigationSections"
+    echo "      .FirstAsync(s => s.Code == secEntry.Code && s.ModuleId == modEntity.Id, ct);"
+    echo "  NavigationResource.Create(actualSection.Id, ...)  // NOT secEntry.Id or resEntry.SectionId"
+    exit 1
+  fi
+fi
+```
+
 **If ANY POST-CHECK fails → fix in step-03, re-validate.**