@atlashub/smartstack-cli 3.36.0 → 3.38.0

package/templates/skills/apex/references/planning-layer-mapping.md

@@ -0,0 +1,151 @@
+# Planning — Layer Mapping, Skill Assignment, Parallelization Strategy
+
+> **Loaded by:** step-02-plan.md (sections 1-4)
+> **Purpose:** Map analyzed elements to layers, assign skills/MCP tools, and identify parallelization opportunities.
+
+---
+
+## Map Changes to Layers
+
+For each element identified in step-01, assign to a SmartStack layer:
+
+| Layer | Category | Order |
+|-------|----------|-------|
+| 0 | Domain (entities, enums, exceptions) | Sequential |
+| 0 | Infrastructure - EF Configs | Sequential |
+| 0 | Infrastructure - Migration (BLOCKING) | Sequential |
+| 1 | Application (services, DTOs, validators) | Parallel |
+| 1 | API (controllers) | Parallel |
+| 1 | Infrastructure - Seed Data | Parallel |
+| 2 | Frontend (pages, components) | Parallel |
+| 2 | I18n (translations) | Parallel |
+| 3 | Tests | Sequential |
+
+---
+
+## Entity Definition Template
+
+Each entity in the plan MUST include:
+
+```yaml
+Entity: {EntityName}
+  - tenantMode: strict | optional | scoped | none
+  - codePattern: auto-generated strategy (if applicable)
+  - fkFields: [{field, targetEntity}] (if applicable)
+  - acceptance criteria: [AC1, AC2, ...]
+```
+
+The `tenantMode` decision (from step-01) drives:
+- EF query filters
+- Seed data approach
+- API authorization
+
+See `smartstack-layers.md` for tenant mode seed data strategies.
+
+---
+
+## Assign Skill/MCP per File
+
+For EACH file in the plan, specify HOW it will be created/modified.
+
+**Format:**
+
+```markdown
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 1 | Domain/Entities/.../MyEntity.cs | create | MCP scaffold_extension |
+| 2 | Infrastructure/.../MyEntityConfiguration.cs | create | MCP scaffold_extension |
+| 3 | Migration | create | MCP suggest_migration + dotnet ef |
+```
+
+---
+
+## Layer 0 — Domain + Infrastructure (sequential)
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 1 | Domain/Entities/.../Entity.cs | create | MCP scaffold_extension |
+| 2 | Infrastructure/.../EntityConfiguration.cs | create | MCP scaffold_extension |
+| 3 | Infrastructure/Migrations/ | create | MCP suggest_migration + dotnet ef |
+
+---
+
+## Layer 1 — Application + API + Seed Data (parallel)
+
+**Backend:** Application/API/Seed Data
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 4 | Application/Services/.../Service.cs | create | MCP scaffold_extension |
+| 5 | Application/DTOs/.../Dto.cs | create | MCP scaffold_extension |
+| 6 | Api/Controllers/.../Controller.cs | create | /controller skill or MCP scaffold_extension |
+| 7 | Seeding/Data/NavigationApplicationSeedData.cs | create | Reference smartstack-layers.md (once per app) |
+| 7b | Seeding/Data/ApplicationRolesSeedData.cs | create | Reference smartstack-layers.md (once per app) |
+| 7c | Infrastructure/Services/CodeGeneration/ | create | Reference code-generation.md (per entity with codePattern != manual) |
+| 8 | Seeding/Data/.../NavigationModuleSeedData.cs | create | Reference core-seed-data.md (4 langs: fr, en, it, de) |
+| 8c | ↳ (same file) Section methods | add | Reference core-seed-data.md §2b (if sections exist) |
+| 8d | ↳ (same file) Resource methods | add | Reference core-seed-data.md §2b (if resources exist) |
+| 8b | Application/Authorization/Permissions.cs | create | MCP generate_permissions |
+| 9 | Seeding/Data/.../PermissionsSeedData.cs | create | MCP generate_permissions |
+| 10 | Seeding/Data/.../RolesSeedData.cs | create | Reference smartstack-layers.md |
+| 10b | Seeding/{App}SeedDataProvider.cs | create | Reference core-seed-data.md (IClientSeedDataProvider + DI) |
+
+**Frontend:** API Client, Routes, Pages, I18n
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 11 | src/pages/{App}/{Mod}/ListPage.tsx | create | /ui-components skill |
+| 11b | src/pages/{App}/{Mod}/CreatePage.tsx | create | /ui-components skill (FK: EntityLookup) |
+| 11c | src/pages/{App}/{Mod}/EditPage.tsx | create | /ui-components skill (FK: EntityLookup) |
+| 11d | src/pages/{App}/{Mod}/{Section}Page.tsx | create | /ui-components skill (per section in `{sections}`) |
+| 11e | src/pages/{App}/{Mod}/{Section}DetailPage.tsx | create | /ui-components skill (per section) |
+| 12 | src/services/api/{module}Api.ts | create | MCP scaffold_api_client |
+| 13 | src/routes/{module}.tsx | create | MCP scaffold_routes |
+| 14 | src/i18n/locales/{lang}/{module}.json | create | Reference smartstack-frontend.md (4 languages) |
+
+**FK Field Guidance:** If step-01 identified `fkFields[]`, every Create/Edit page MUST use `EntityLookup` for those fields (see `smartstack-frontend.md` section 6). The corresponding backend GetAll endpoints (Layer 1) MUST support `?search=` parameter.
+
+---
+
+## Layer 2b — Documentation (after frontend pages exist)
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 14b | src/pages/docs/business/{app}/{module}/doc-data.ts | create | /documentation skill |
+| 14c | src/pages/docs/business/{app}/{module}/index.tsx | create | /documentation skill |
+
+---
+
+## Layer 3 — Tests (sequential)
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 15 | tests/.../EntityTests.cs | create | MCP scaffold_tests |
+| 16 | tests/.../ServiceTests.cs | create | MCP scaffold_tests |
+
+---
+
+## Identify Parallelization (Agent Teams)
+
+If NOT economy_mode AND Layer 1 has both backend and frontend work:
+
+**Create agent teams to execute Layer 1 backend and frontend in parallel.**
+
+See `references/agent-teams-protocol.md` for team creation, teammate spawning, task coordination, and shutdown procedures.
+
+---
+
+## Delegate Mode Fast Path
+
+When `/ralph-loop` invokes `/apex -d {prd_path}`, PRD tasks already define the scope:
+
+Map each PRD task to a layer based on `task.category`:
+- `domain` → Layer 0
+- `infrastructure` → Layer 0
+- `application` → Layer 1
+- `api` → Layer 1
+- `seedData` → Layer 1
+- `frontend` → Layer 2
+- `test` → Layer 3
+
+For each task: infer file_path, action, and tool from category. SKIP user checkpoint. Jump to "Estimated Commits" section.

package/templates/skills/apex/references/post-checks.md

@@ -14,7 +14,7 @@ if [ -n "$SEED_FILES" ]; then
   if [ -n "$BAD_ROUTES" ]; then
     echo "BLOCKING: Navigation routes must be full paths starting with /"
     echo "$BAD_ROUTES"
-    echo "Expected: \"/business/human-resources\" NOT \"humanresources\""
+    echo "Expected: \"/human-resources\" NOT \"humanresources\""
     exit 1
   fi
 fi
@@ -512,35 +512,7 @@ if [ -n "$CREATE_VALIDATORS" ]; then
 fi
 ```
 
-### POST-CHECK 19: SeedConstants must NOT contain ContextId (pre-seeded by SmartStack core)
-
-```bash
-# NavigationContext IDs (business, platform, personal) are pre-seeded by SmartStack core
-# with hardcoded GUIDs. Client code MUST look them up by code at runtime, NEVER generate them.
-SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
-SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
-if [ -n "$SEED_CONST_FILES" ]; then
-  BAD_CONTEXT_ID=$(grep -Pn 'ContextId\s*=' $SEED_CONST_FILES 2>/dev/null)
-  if [ -n "$BAD_CONTEXT_ID" ]; then
-    echo "BLOCKING: SeedConstants must NOT contain a ContextId constant"
-    echo "NavigationContext IDs are pre-seeded by SmartStack core with hardcoded GUIDs"
-    echo "Fix: Remove ContextId from SeedConstants. In SeedDataProvider, query:"
-    echo "  var ctx = await db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == \"business\", ct);"
-    echo "$BAD_CONTEXT_ID"
-    exit 1
-  fi
-fi
-if [ -n "$SEED_ALL_FILES" ]; then
-  BAD_CTX_GUID=$(grep -Pn 'DeterministicGuid\("nav:(business|platform|personal)"\)' $SEED_ALL_FILES 2>/dev/null)
-  if [ -n "$BAD_CTX_GUID" ]; then
-    echo "BLOCKING: Deterministic GUID for NavigationContext detected"
-    echo "Context IDs (business, platform, personal) are pre-seeded by SmartStack core"
-    echo "Fix: Look up context by code at runtime in SeedDataProvider.SeedNavigationAsync()"
-    echo "$BAD_CTX_GUID"
-    exit 1
-  fi
-fi
-```
+### POST-CHECK 19: (REMOVED — Context level no longer exists in SmartStack navigation hierarchy)
 
 ### POST-CHECK 20: RolePermission seed data must NOT use deterministic role GUIDs
 
@@ -764,12 +736,12 @@ if [ -n "$PERM_FILES" ]; then
     PATH_VAL=$(echo "$line" | grep -oP '"[^"]*\.[^"]*"' | tr -d '"')
     if [ -n "$PATH_VAL" ]; then
       DOTS=$(echo "$PATH_VAL" | tr -cd '.' | wc -c)
-      # Module permissions: 3 dots (context.app.module.action = 4 segments = 3+1)
-      # Section permissions: 4 dots (context.app.module.section.action = 5 segments = 4+1)
+      # Module permissions: 2 dots (app.module.action = 3 segments = 2+1)
+      # Section permissions: 3 dots (app.module.section.action = 4 segments = 3+1)
       # Wildcard: ends with .* (valid at any level)
       if echo "$PATH_VAL" | grep -qP '\.\*$'; then
         continue  # Wildcards are valid
-      elif [ "$DOTS" -lt 3 ] || [ "$DOTS" -gt 5 ]; then
+      elif [ "$DOTS" -lt 2 ] || [ "$DOTS" -gt 4 ]; then
         echo "WARNING: Permission path has unexpected segment count ($((DOTS+1)) segments): $PATH_VAL"
       fi
     fi
@@ -1072,7 +1044,7 @@ fi
 ```bash
 # NavRoute segments are navigation entity Codes joined by dots.
 # Multi-word codes MUST use kebab-case (e.g., "human-resources", NOT "humanresources").
-# Verified from SmartStack.app: "business.support-client.my-tickets", "platform.administration.access-requests"
+# Verified from SmartStack.app: "support-client.my-tickets", "administration.access-requests"
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
   for f in $CTRL_FILES; do
@@ -1084,7 +1056,7 @@ if [ -n "$CTRL_FILES" ]; then
           echo "BLOCKING: NavRoute segment '$SEG' in $f appears to be concatenated multi-word without hyphens"
           echo "  Full NavRoute: $NAVROUTE_VAL"
           echo "  Fix: Use kebab-case: e.g., 'humanresources' → 'human-resources'"
-          echo "  SmartStack convention (from SmartStack.app): 'business.support-client.my-tickets'"
+          echo "  SmartStack convention (from SmartStack.app): 'support-client.my-tickets'"
           exit 1
         fi
       done
@@ -1110,8 +1082,8 @@ fi
 
 ```bash
 # Permission codes in [RequirePermission] and Permissions.cs MUST use kebab-case for multi-word segments.
-# SmartStack.app convention: "business.support-client.my-tickets.read" (kebab-case everywhere)
-# FORBIDDEN: "business.humanresources.employees.read" — must be "business.human-resources.employees.read"
+# SmartStack.app convention: "support-client.my-tickets.read" (kebab-case everywhere)
+# FORBIDDEN: "humanresources.employees.read" — must be "human-resources.employees.read"
 
 # Check [RequirePermission] attributes in controllers
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
@@ -1126,7 +1098,7 @@ if [ -n "$CTRL_FILES" ]; then
           echo "BLOCKING: Permission code segment '$SEG' in $f appears concatenated without hyphens"
           echo "  Full permission: $PERM"
           echo "  Fix: Use kebab-case: e.g., 'humanresources' → 'human-resources'"
-          echo "  SmartStack convention: 'business.support-client.my-tickets.read'"
+          echo "  SmartStack convention: 'support-client.my-tickets.read'"
           exit 1
         fi
       done
@@ -1378,8 +1350,8 @@ fi
 ### POST-CHECK 48: NavRoute attribute values must use kebab-case (BLOCKING)
 
 ```bash
-# Root cause (test-apex-007): Controllers had [NavRoute("business.humanresources.employees")]
-# instead of [NavRoute("business.human-resources.employees")]. This causes route mismatch with
+# Root cause (test-apex-007): Controllers had [NavRoute("humanresources.employees")]
+# instead of [NavRoute("human-resources.employees")]. This causes route mismatch with
 # seed data and permission codes, resulting in 404s at runtime.
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
@@ -1476,4 +1448,137 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
+### POST-CHECK 51: RolesSeedData must map standard role-permission matrix (BLOCKING)
+
+```bash
+# SmartStack standard role-permission matrix:
+#   Admin    = wildcard (*) — full access
+#   Manager  = CRU (read + create + update) — no delete
+#   Contributor = CR (read + create) — no update, no delete
+#   Viewer   = R (read only)
+# If RolesSeedData deviates from this matrix, the RBAC model is broken.
+ROLE_SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*RolesSeedData.cs" ! -name "ApplicationRolesSeedData.cs" 2>/dev/null)
+if [ -n "$ROLE_SEED_FILES" ]; then
+  FAIL=false
+  for f in $ROLE_SEED_FILES; do
+    # Skip ApplicationRolesSeedData (defines roles, not mappings)
+    BASENAME=$(basename "$f")
+    if [ "$BASENAME" = "ApplicationRolesSeedData.cs" ]; then continue; fi
+
+    # Check Admin has wildcard
+    HAS_ADMIN_WILDCARD=$(grep -Pc '(admin|Admin).*\*' "$f" 2>/dev/null)
+    if [ "$HAS_ADMIN_WILDCARD" -eq 0 ]; then
+      # Also accept .Access or wildcard pattern
+      HAS_ADMIN_ACCESS=$(grep -Pc '(admin|Admin).*(Access|Wildcard|IsWildcard)' "$f" 2>/dev/null)
+      if [ "$HAS_ADMIN_ACCESS" -eq 0 ]; then
+        echo "BLOCKING: Admin role missing wildcard (*) permission in $f"
+        echo "Fix: Admin must map to wildcard permission (navRoute.*) or use IsWildcard=true"
+        FAIL=true
+      fi
+    fi
+
+    # Check Viewer has NO delete/create/update
+    VIEWER_WRITE=$(grep -Pc '(viewer|Viewer).*(\.delete|\.create|\.update|Delete|Create|Update)' "$f" 2>/dev/null)
+    if [ "$VIEWER_WRITE" -gt 0 ]; then
+      echo "BLOCKING: Viewer role has write permissions (create/update/delete) in $f"
+      echo "Fix: Viewer must only have read permission. Remove create/update/delete mappings."
+      FAIL=true
+    fi
+
+    # Check Manager has NO delete
+    MANAGER_DELETE=$(grep -Pc '(manager|Manager).*(\.delete|Delete)' "$f" 2>/dev/null)
+    if [ "$MANAGER_DELETE" -gt 0 ]; then
+      echo "WARNING: Manager role has delete permission in $f"
+      echo "SmartStack standard: Manager = CRU (no delete). Verify this is intentional."
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 52: PermissionAction enum must use valid typed values only (BLOCKING)
+
+```bash
+# Valid PermissionAction enum values: Access(0), Read(1), Create(2), Update(3), Delete(4),
+# Export(5), Import(6), Approve(7), Reject(8), Assign(9), Execute(10)
+# FORBIDDEN: Enum.Parse<PermissionAction>("...") — runtime crash if value doesn't exist
+# FORBIDDEN: (PermissionAction)99 or any cast beyond 0-10
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_FILES" ]; then
+  FAIL=false
+  for f in $SEED_FILES; do
+    # Check for Enum.Parse<PermissionAction> usage
+    ENUM_PARSE=$(grep -Pn 'Enum\.Parse<PermissionAction>' "$f" 2>/dev/null)
+    if [ -n "$ENUM_PARSE" ]; then
+      echo "BLOCKING: Enum.Parse<PermissionAction> detected — runtime crash risk: $f"
+      echo "$ENUM_PARSE"
+      echo "Fix: Use typed enum directly: PermissionAction.Read (NOT Enum.Parse<PermissionAction>(\"Read\"))"
+      FAIL=true
+    fi
+
+    # Check for invalid cast values (PermissionAction)N where N > 10
+    INVALID_CAST=$(grep -Pn '\(PermissionAction\)\s*([1-9]\d{1,}|[2-9]\d)' "$f" 2>/dev/null)
+    if [ -n "$INVALID_CAST" ]; then
+      echo "BLOCKING: Invalid PermissionAction cast detected (value > 10): $f"
+      echo "$INVALID_CAST"
+      echo "Valid values: Access(0), Read(1), Create(2), Update(3), Delete(4), Export(5), Import(6), Approve(7), Reject(8), Assign(9), Execute(10)"
+      FAIL=true
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 53: Navigation translation completeness — 4 languages per level (BLOCKING)
+
+```bash
+# Every navigation seed data file must provide translations for ALL 4 languages (fr, en, it, de).
+# If sections exist (GetSectionEntries), GetSectionTranslationEntries MUST also exist.
+# If resources exist (GetResourceEntries), resource translation entries MUST also exist.
+NAV_SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" ! -name "*Application*" 2>/dev/null)
+if [ -n "$NAV_SEED_FILES" ]; then
+  FAIL=false
+  for f in $NAV_SEED_FILES; do
+    # Check module translations have all 4 languages
+    LANG_COUNT=$(grep -c 'LanguageCode\s*=' "$f" 2>/dev/null)
+    HAS_FR=$(grep -c '"fr"' "$f" 2>/dev/null)
+    HAS_EN=$(grep -c '"en"' "$f" 2>/dev/null)
+    HAS_IT=$(grep -c '"it"' "$f" 2>/dev/null)
+    HAS_DE=$(grep -c '"de"' "$f" 2>/dev/null)
+
+    if [ "$HAS_FR" -eq 0 ] || [ "$HAS_EN" -eq 0 ] || [ "$HAS_IT" -eq 0 ] || [ "$HAS_DE" -eq 0 ]; then
+      echo "BLOCKING: Missing language(s) in navigation translations: $f"
+      echo "  fr=$HAS_FR, en=$HAS_EN, it=$HAS_IT, de=$HAS_DE (all must be > 0)"
+      echo "Fix: Add NavigationTranslationSeedEntry for all 4 languages (fr, en, it, de)"
+      FAIL=true
+    fi
+
+    # If sections exist, section translations MUST exist
+    HAS_SECTION_ENTRIES=$(grep -c 'GetSectionEntries' "$f" 2>/dev/null)
+    HAS_SECTION_TRANSLATIONS=$(grep -c 'GetSectionTranslationEntries' "$f" 2>/dev/null)
+    if [ "$HAS_SECTION_ENTRIES" -gt 0 ] && [ "$HAS_SECTION_TRANSLATIONS" -eq 0 ]; then
+      echo "BLOCKING: Sections defined but GetSectionTranslationEntries() missing: $f"
+      echo "Fix: Add GetSectionTranslationEntries() with 4 languages per section (ref core-seed-data.md §2b)"
+      FAIL=true
+    fi
+
+    # If resources exist, resource translations MUST exist
+    HAS_RESOURCE_ENTRIES=$(grep -c 'GetResourceEntries' "$f" 2>/dev/null)
+    HAS_RESOURCE_TRANSLATIONS=$(grep -Pc 'ResourceTranslation|GetResourceTranslation|NavigationEntityType\.Resource.*LanguageCode' "$f" 2>/dev/null)
+    if [ "$HAS_RESOURCE_ENTRIES" -gt 0 ] && [ "$HAS_RESOURCE_TRANSLATIONS" -eq 0 ]; then
+      echo "BLOCKING: Resources defined but resource translations missing: $f"
+      echo "Fix: Add resource translation entries with 4 languages per resource (ref core-seed-data.md §2b)"
+      FAIL=true
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
 **If ANY POST-CHECK fails → fix in step-03, re-validate.**

package/templates/skills/apex/references/smartstack-api.md

@@ -79,7 +79,7 @@ public enum EntityScope
 ```csharp
 using SmartStack.Domain.Common;
 
-namespace {ProjectName}.Domain.Entities.{Context}.{App}.{Module};
+namespace {ProjectName}.Domain.Entities.{App}.{Module};
 
 public class {Name} : BaseEntity, ITenantEntity, IAuditableEntity
 {
@@ -299,7 +299,7 @@ using SmartStack.Application.Common.Interfaces.Identity;
 using SmartStack.Application.Common.Interfaces.Tenants;
 using SmartStack.Application.Common.Interfaces.Persistence;
 
-namespace {ProjectName}.Infrastructure.Services.{Context}.{App}.{Module};
+namespace {ProjectName}.Infrastructure.Services.{App}.{Module};
 
 public class {Name}Service : I{Name}Service
 {
@@ -432,10 +432,10 @@ using Microsoft.AspNetCore.Mvc;
 using SmartStack.Api.Routing;
 using SmartStack.Api.Authorization;
 
-namespace {ProjectName}.Api.Controllers.{Context}.{App};
+namespace {ProjectName}.Api.Controllers.{App};
 
 [ApiController]
-[NavRoute("{context}.{app}.{module}")]
+[NavRoute("{app}.{module}")]
 [Authorize]
 public class {Name}Controller : ControllerBase
 {
@@ -500,10 +500,10 @@ public class {Name}Controller : ControllerBase
 **CRITICAL:** Use `[RequirePermission(Permissions.{Module}.{Action})]` on EVERY endpoint — NEVER `[Authorize]` alone (no RBAC enforcement).
 
 **CRITICAL — Permission paths use IDENTICAL segments to NavRoute codes (kebab-case):**
-- NavRoute: `business.human-resources.employees` → Permission: `business.human-resources.employees.read`
-- NavRoute: `business.human-resources.employees.leaves` → Permission: `business.human-resources.employees.leaves.read`
-- FORBIDDEN: `business.humanresources.employees.read` (no kebab-case — mismatches NavRoute)
-- SmartStack.app convention: `business.support-client.my-tickets.read` (always kebab-case)
+- NavRoute: `human-resources.employees` → Permission: `human-resources.employees.read`
+- NavRoute: `human-resources.employees.leaves` → Permission: `human-resources.employees.leaves.read`
+- FORBIDDEN: `humanresources.employees.read` (no kebab-case — mismatches NavRoute)
+- SmartStack.app convention: `support-client.my-tickets.read` (always kebab-case)
 
 ### Section-Level Controller (NavRoute with 4 segments)
 
@@ -512,11 +512,11 @@ When a module has sections, each section gets its own controller with a 4-segmen
 ```csharp
 // Section-level controller: navRoute has 4 segments
 [ApiController]
-[NavRoute("{context}.{app}.{module}.{section}")]
+[NavRoute("{app}.{module}.{section}")]
 [Authorize]
 public class {Section}Controller : ControllerBase
 {
-    // Example: business.human-resources.employees.departments
+    // Example: human-resources.employees.departments
     [HttpGet]
     [RequirePermission(Permissions.{Section}.Read)]
     public async Task<ActionResult<PaginatedResult<{Section}ResponseDto>>> GetAll(
@@ -531,12 +531,12 @@ public class {Section}Controller : ControllerBase
 **NavRoute segment rules:**
 | Level | NavRoute format | Example |
 |-------|----------------|---------|
-| Module | `{context}.{app}.{module}` (3 segments) | `business.human-resources.employees` |
-| Section | `{context}.{app}.{module}.{section}` (4 segments) | `business.human-resources.employees.departments` |
+| Module | `{app}.{module}` (2 segments) | `human-resources.employees` |
+| Section | `{app}.{module}.{section}` (3 segments) | `human-resources.employees.departments` |
 
 **Namespace:** `SmartStack.Api.Routing` (NOT `SmartStack.Api.Core.Routing`)
 
-**NavRoute resolves at startup from DB:** `platform.administration.users` → `api/platform/administration/users`
+**NavRoute resolves at startup from DB:** `administration.users` → `api/administration/users`
 
 ### Sub-Resource Pattern (NavRoute Suffix)
 
@@ -545,7 +545,7 @@ When an entity is a child of another entity (e.g., LeaveTypes under Leaves), use
 ```csharp
 // Sub-resource controller: types are nested under leaves
 [ApiController]
-[NavRoute("business.human-resources.employees.leaves", Suffix = "types")]
+[NavRoute("human-resources.employees.leaves", Suffix = "types")]
 [Authorize]
 public class LeaveTypesController : ControllerBase
 {
@@ -582,22 +582,22 @@ public async Task<ActionResult<PaginatedResult<LeaveTypeResponseDto>>> GetAllLea
 
 | Level | Route Format | Example |
 |-------|-------------|---------|
-| Application | `/{context}/{app-kebab}` | `/business/human-resources` |
-| Module | `/{context}/{app-kebab}/{module-kebab}` | `/business/human-resources/employees` |
-| Section | `/{context}/{app-kebab}/{module-kebab}/{section-kebab}` | `/business/human-resources/employees/departments` |
-| Resource | `/{context}/{app-kebab}/{module-kebab}/{section-kebab}/{resource-kebab}` | `/business/human-resources/employees/departments/export` |
+| Application | `/{app-kebab}` | `/human-resources` |
+| Module | `/{app-kebab}/{module-kebab}` | `/human-resources/employees` |
+| Section | `/{app-kebab}/{module-kebab}/{section-kebab}` | `/human-resources/employees/departments` |
+| Resource | `/{app-kebab}/{module-kebab}/{section-kebab}/{resource-kebab}` | `/human-resources/employees/departments/export` |
 
 **ROUTE SPECIAL CASES (list and detail sections):**
 > The `list` and `detail` sections are NOT functional sub-areas — they are view modes of the module itself.
 > Their navigation routes MUST NOT add extra segments:
-> - `list` section route = module route (e.g., `/business/human-resources/employees`)
-> - `detail` section route = module route + `/:id` (e.g., `/business/human-resources/employees/:id`)
+> - `list` section route = module route (e.g., `/human-resources/employees`)
+> - `detail` section route = module route + `/:id` (e.g., `/human-resources/employees/:id`)
 > - FORBIDDEN: `/employees/list`, `/employees/detail/:id`
 > - Other sections (dashboard, approve, import, etc.) = module route + `/{section-kebab}` (normal behavior)
 
 **Rules:**
 - Routes ALWAYS start with `/`
-- Routes ALWAYS include the full hierarchy from context to current level
+- Routes ALWAYS include the full hierarchy from application to current level
 - Routes ALWAYS use kebab-case (NOT PascalCase, NOT camelCase)
 - Code identifiers stay PascalCase in C# (`HumanResources`) but routes are kebab-case (`human-resources`)
 
@@ -612,24 +612,14 @@ private static string ToKebabCase(string value)
 
 ### SeedConstants Pattern
 
-> **CRITICAL — NavigationContext IDs are NEVER generated.**
-> Contexts (`business`, `platform`, `personal`) are pre-seeded by SmartStack core with hardcoded GUIDs.
-> You MUST query the context by code at runtime in the SeedDataProvider:
-> `var ctx = await db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == "business", ct);`
-> **FORBIDDEN:** `DeterministicGuid("nav:business")` or any ContextId constant in SeedConstants.
-
 ```csharp
 public static class SeedConstants
 {
     // Deterministic GUIDs (SHA256-based, reproducible across environments)
     // NOTE: Application/Module/Section/Resource IDs are deterministic.
-    //       Context IDs are NOT — they are pre-seeded by SmartStack core.
-    public static readonly Guid ApplicationId = DeterministicGuid("nav:business.human-resources");
-    public static readonly Guid ModuleId = DeterministicGuid("nav:business.human-resources.employees");
-    public static readonly Guid SectionId = DeterministicGuid("nav:business.human-resources.employees.departments");
-
-    // FORBIDDEN — Context IDs are NOT deterministic, they come from SmartStack core:
-    // public static readonly Guid BusinessContextId = DeterministicGuid("nav:business"); // WRONG!
+    public static readonly Guid ApplicationId = DeterministicGuid("nav:human-resources");
+    public static readonly Guid ModuleId = DeterministicGuid("nav:human-resources.employees");
+    public static readonly Guid SectionId = DeterministicGuid("nav:human-resources.employees.departments");
 
     private static Guid DeterministicGuid(string input)
     {
@@ -647,30 +637,25 @@ public static class SeedConstants
 ### Navigation Seed Data Example
 
 ```csharp
-// CRITICAL: Look up the context by code — NEVER use a hardcoded/deterministic GUID
-var businessCtx = await db.NavigationContexts
-    .FirstOrDefaultAsync(c => c.Code == "business", ct);
-if (businessCtx == null) return; // Context not yet seeded by SmartStack core
-
-// Application: /business/human-resources
+// Application: /human-resources
 var app = NavigationApplication.Create(
-    businessCtx.Id, "human-resources", "Human Resources", "HR Management",
+    "human-resources", "Human Resources", "HR Management",
     "Users", IconType.Lucide,
-    "/business/human-resources",  // FULL PATH — starts with /, kebab-case
+    "/human-resources",  // FULL PATH — starts with /, kebab-case
     10);
 
-// Module: /business/human-resources/employees
+// Module: /human-resources/employees
 var module = NavigationModule.Create(
     app.Id, "employees", "Employees", "Employee management",
     "UserCheck", IconType.Lucide,
-    "/business/human-resources/employees",  // FULL PATH — includes parent
+    "/human-resources/employees",  // FULL PATH — includes parent
     10);
 
-// Section: /business/human-resources/employees/departments
+// Section: /human-resources/employees/departments
 var section = NavigationSection.Create(
     module.Id, "departments", "Departments", "Manage departments",
     "Building2", IconType.Lucide,
-    "/business/human-resources/employees/departments",  // FULL PATH
+    "/human-resources/employees/departments",  // FULL PATH
     10);
 ```
 
@@ -678,10 +663,9 @@ var section = NavigationSection.Create(
 
 | Mistake | Reality |
 |---------|---------|
-| `"humanresources"` as route | Must be `"/business/human-resources"` (full path, kebab-case) |
-| `"employees"` as route | Must be `"/business/human-resources/employees"` (includes parent) |
+| `"humanresources"` as route | Must be `"/human-resources"` (full path, kebab-case) |
+| `"employees"` as route | Must be `"/human-resources/employees"` (includes parent) |
 | `Guid.NewGuid()` in seed data | Must use deterministic GUIDs (SHA256) |
-| `DeterministicGuid("nav:business")` for ContextId | Context IDs are pre-seeded by SmartStack core — look up by code |
 | Missing translations | Must have 4 languages: fr, en, it, de |
 | Missing NavigationApplicationSeedData | Menu invisible without Application level |
 
@@ -747,9 +731,9 @@ services.AddValidatorsFromAssemblyContaining<Create{Name}DtoValidator>();
 | `ICurrentUser` in service code | Does NOT exist — use `ICurrentUserService` + `ICurrentTenantService` |
 | `_currentTenant.TenantId!.Value` | Crashes with 500 — use `?? throw new TenantContextRequiredException()` |
 | `UnauthorizedAccessException("Tenant context is required")` | Returns 401 → clears frontend token. Use `TenantContextRequiredException()` (400) |
-| Route `"humanresources"` in seed data | Must be full path `"/business/human-resources"` |
+| Route `"humanresources"` in seed data | Must be full path `"/human-resources"` |
 | Route without leading `/` | All routes must start with `/` |
-| `business.humanresources.employees.read` in permissions | Permission segments MUST match NavRoute kebab-case: `business.human-resources.employees.read` |
+| `humanresources.employees.read` in permissions | Permission segments MUST match NavRoute kebab-case: `human-resources.employees.read` |
 | `Permission.Create()` | Does NOT exist — use `CreateForModule()`, `CreateForSection()`, etc. |
 | `GetAllAsync()` without search param | ALL GetAll endpoints MUST support `?search=` for EntityLookup |
 | `string Date` in DTO | Date-only fields MUST use `DateOnly`, NEVER `string` |