@atlashub/smartstack-cli 3.37.0 → 3.38.0

package/templates/skills/apex/references/post-checks.md

@@ -14,7 +14,7 @@ if [ -n "$SEED_FILES" ]; then
   if [ -n "$BAD_ROUTES" ]; then
     echo "BLOCKING: Navigation routes must be full paths starting with /"
     echo "$BAD_ROUTES"
-    echo "Expected: \"/business/human-resources\" NOT \"humanresources\""
+    echo "Expected: \"/human-resources\" NOT \"humanresources\""
     exit 1
   fi
 fi
@@ -512,35 +512,7 @@ if [ -n "$CREATE_VALIDATORS" ]; then
 fi
 ```
 
-### POST-CHECK 19: SeedConstants must NOT contain ContextId (pre-seeded by SmartStack core)
-
-```bash
-# NavigationContext IDs (business, platform, personal) are pre-seeded by SmartStack core
-# with hardcoded GUIDs. Client code MUST look them up by code at runtime, NEVER generate them.
-SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
-SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
-if [ -n "$SEED_CONST_FILES" ]; then
-  BAD_CONTEXT_ID=$(grep -Pn 'ContextId\s*=' $SEED_CONST_FILES 2>/dev/null)
-  if [ -n "$BAD_CONTEXT_ID" ]; then
-    echo "BLOCKING: SeedConstants must NOT contain a ContextId constant"
-    echo "NavigationContext IDs are pre-seeded by SmartStack core with hardcoded GUIDs"
-    echo "Fix: Remove ContextId from SeedConstants. In SeedDataProvider, query:"
-    echo "  var ctx = await db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == \"business\", ct);"
-    echo "$BAD_CONTEXT_ID"
-    exit 1
-  fi
-fi
-if [ -n "$SEED_ALL_FILES" ]; then
-  BAD_CTX_GUID=$(grep -Pn 'DeterministicGuid\("nav:(business|platform|personal)"\)' $SEED_ALL_FILES 2>/dev/null)
-  if [ -n "$BAD_CTX_GUID" ]; then
-    echo "BLOCKING: Deterministic GUID for NavigationContext detected"
-    echo "Context IDs (business, platform, personal) are pre-seeded by SmartStack core"
-    echo "Fix: Look up context by code at runtime in SeedDataProvider.SeedNavigationAsync()"
-    echo "$BAD_CTX_GUID"
-    exit 1
-  fi
-fi
-```
+### POST-CHECK 19: (REMOVED — Context level no longer exists in SmartStack navigation hierarchy)
 
 ### POST-CHECK 20: RolePermission seed data must NOT use deterministic role GUIDs
 
@@ -764,12 +736,12 @@ if [ -n "$PERM_FILES" ]; then
     PATH_VAL=$(echo "$line" | grep -oP '"[^"]*\.[^"]*"' | tr -d '"')
     if [ -n "$PATH_VAL" ]; then
       DOTS=$(echo "$PATH_VAL" | tr -cd '.' | wc -c)
-      # Module permissions: 3 dots (context.app.module.action = 4 segments = 3+1)
-      # Section permissions: 4 dots (context.app.module.section.action = 5 segments = 4+1)
+      # Module permissions: 2 dots (app.module.action = 3 segments = 2+1)
+      # Section permissions: 3 dots (app.module.section.action = 4 segments = 3+1)
       # Wildcard: ends with .* (valid at any level)
       if echo "$PATH_VAL" | grep -qP '\.\*$'; then
         continue  # Wildcards are valid
-      elif [ "$DOTS" -lt 3 ] || [ "$DOTS" -gt 5 ]; then
+      elif [ "$DOTS" -lt 2 ] || [ "$DOTS" -gt 4 ]; then
         echo "WARNING: Permission path has unexpected segment count ($((DOTS+1)) segments): $PATH_VAL"
       fi
     fi
@@ -1072,7 +1044,7 @@ fi
 ```bash
 # NavRoute segments are navigation entity Codes joined by dots.
 # Multi-word codes MUST use kebab-case (e.g., "human-resources", NOT "humanresources").
-# Verified from SmartStack.app: "business.support-client.my-tickets", "platform.administration.access-requests"
+# Verified from SmartStack.app: "support-client.my-tickets", "administration.access-requests"
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
   for f in $CTRL_FILES; do
@@ -1084,7 +1056,7 @@ if [ -n "$CTRL_FILES" ]; then
           echo "BLOCKING: NavRoute segment '$SEG' in $f appears to be concatenated multi-word without hyphens"
           echo "  Full NavRoute: $NAVROUTE_VAL"
           echo "  Fix: Use kebab-case: e.g., 'humanresources' → 'human-resources'"
-          echo "  SmartStack convention (from SmartStack.app): 'business.support-client.my-tickets'"
+          echo "  SmartStack convention (from SmartStack.app): 'support-client.my-tickets'"
           exit 1
         fi
       done
@@ -1110,8 +1082,8 @@ fi
 
 ```bash
 # Permission codes in [RequirePermission] and Permissions.cs MUST use kebab-case for multi-word segments.
-# SmartStack.app convention: "business.support-client.my-tickets.read" (kebab-case everywhere)
-# FORBIDDEN: "business.humanresources.employees.read" — must be "business.human-resources.employees.read"
+# SmartStack.app convention: "support-client.my-tickets.read" (kebab-case everywhere)
+# FORBIDDEN: "humanresources.employees.read" — must be "human-resources.employees.read"
 
 # Check [RequirePermission] attributes in controllers
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
@@ -1126,7 +1098,7 @@ if [ -n "$CTRL_FILES" ]; then
           echo "BLOCKING: Permission code segment '$SEG' in $f appears concatenated without hyphens"
           echo "  Full permission: $PERM"
           echo "  Fix: Use kebab-case: e.g., 'humanresources' → 'human-resources'"
-          echo "  SmartStack convention: 'business.support-client.my-tickets.read'"
+          echo "  SmartStack convention: 'support-client.my-tickets.read'"
           exit 1
         fi
       done
@@ -1378,8 +1350,8 @@ fi
 ### POST-CHECK 48: NavRoute attribute values must use kebab-case (BLOCKING)
 
 ```bash
-# Root cause (test-apex-007): Controllers had [NavRoute("business.humanresources.employees")]
-# instead of [NavRoute("business.human-resources.employees")]. This causes route mismatch with
+# Root cause (test-apex-007): Controllers had [NavRoute("humanresources.employees")]
+# instead of [NavRoute("human-resources.employees")]. This causes route mismatch with
 # seed data and permission codes, resulting in 404s at runtime.
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
@@ -1476,4 +1448,137 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
+### POST-CHECK 51: RolesSeedData must map standard role-permission matrix (BLOCKING)
+
+```bash
+# SmartStack standard role-permission matrix:
+#   Admin    = wildcard (*) — full access
+#   Manager  = CRU (read + create + update) — no delete
+#   Contributor = CR (read + create) — no update, no delete
+#   Viewer   = R (read only)
+# If RolesSeedData deviates from this matrix, the RBAC model is broken.
+ROLE_SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*RolesSeedData.cs" ! -name "ApplicationRolesSeedData.cs" 2>/dev/null)
+if [ -n "$ROLE_SEED_FILES" ]; then
+  FAIL=false
+  for f in $ROLE_SEED_FILES; do
+    # Skip ApplicationRolesSeedData (defines roles, not mappings)
+    BASENAME=$(basename "$f")
+    if [ "$BASENAME" = "ApplicationRolesSeedData.cs" ]; then continue; fi
+
+    # Check Admin has wildcard
+    HAS_ADMIN_WILDCARD=$(grep -Pc '(admin|Admin).*\*' "$f" 2>/dev/null)
+    if [ "$HAS_ADMIN_WILDCARD" -eq 0 ]; then
+      # Also accept .Access or wildcard pattern
+      HAS_ADMIN_ACCESS=$(grep -Pc '(admin|Admin).*(Access|Wildcard|IsWildcard)' "$f" 2>/dev/null)
+      if [ "$HAS_ADMIN_ACCESS" -eq 0 ]; then
+        echo "BLOCKING: Admin role missing wildcard (*) permission in $f"
+        echo "Fix: Admin must map to wildcard permission (navRoute.*) or use IsWildcard=true"
+        FAIL=true
+      fi
+    fi
+
+    # Check Viewer has NO delete/create/update
+    VIEWER_WRITE=$(grep -Pc '(viewer|Viewer).*(\.delete|\.create|\.update|Delete|Create|Update)' "$f" 2>/dev/null)
+    if [ "$VIEWER_WRITE" -gt 0 ]; then
+      echo "BLOCKING: Viewer role has write permissions (create/update/delete) in $f"
+      echo "Fix: Viewer must only have read permission. Remove create/update/delete mappings."
+      FAIL=true
+    fi
+
+    # Check Manager has NO delete
+    MANAGER_DELETE=$(grep -Pc '(manager|Manager).*(\.delete|Delete)' "$f" 2>/dev/null)
+    if [ "$MANAGER_DELETE" -gt 0 ]; then
+      echo "WARNING: Manager role has delete permission in $f"
+      echo "SmartStack standard: Manager = CRU (no delete). Verify this is intentional."
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 52: PermissionAction enum must use valid typed values only (BLOCKING)
+
+```bash
+# Valid PermissionAction enum values: Access(0), Read(1), Create(2), Update(3), Delete(4),
+# Export(5), Import(6), Approve(7), Reject(8), Assign(9), Execute(10)
+# FORBIDDEN: Enum.Parse<PermissionAction>("...") — runtime crash if value doesn't exist
+# FORBIDDEN: (PermissionAction)99 or any cast beyond 0-10
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_FILES" ]; then
+  FAIL=false
+  for f in $SEED_FILES; do
+    # Check for Enum.Parse<PermissionAction> usage
+    ENUM_PARSE=$(grep -Pn 'Enum\.Parse<PermissionAction>' "$f" 2>/dev/null)
+    if [ -n "$ENUM_PARSE" ]; then
+      echo "BLOCKING: Enum.Parse<PermissionAction> detected — runtime crash risk: $f"
+      echo "$ENUM_PARSE"
+      echo "Fix: Use typed enum directly: PermissionAction.Read (NOT Enum.Parse<PermissionAction>(\"Read\"))"
+      FAIL=true
+    fi
+
+    # Check for invalid cast values (PermissionAction)N where N > 10
+    INVALID_CAST=$(grep -Pn '\(PermissionAction\)\s*([1-9]\d{1,}|[2-9]\d)' "$f" 2>/dev/null)
+    if [ -n "$INVALID_CAST" ]; then
+      echo "BLOCKING: Invalid PermissionAction cast detected (value > 10): $f"
+      echo "$INVALID_CAST"
+      echo "Valid values: Access(0), Read(1), Create(2), Update(3), Delete(4), Export(5), Import(6), Approve(7), Reject(8), Assign(9), Execute(10)"
+      FAIL=true
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 53: Navigation translation completeness — 4 languages per level (BLOCKING)
+
+```bash
+# Every navigation seed data file must provide translations for ALL 4 languages (fr, en, it, de).
+# If sections exist (GetSectionEntries), GetSectionTranslationEntries MUST also exist.
+# If resources exist (GetResourceEntries), resource translation entries MUST also exist.
+NAV_SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" ! -name "*Application*" 2>/dev/null)
+if [ -n "$NAV_SEED_FILES" ]; then
+  FAIL=false
+  for f in $NAV_SEED_FILES; do
+    # Check module translations have all 4 languages
+    LANG_COUNT=$(grep -c 'LanguageCode\s*=' "$f" 2>/dev/null)
+    HAS_FR=$(grep -c '"fr"' "$f" 2>/dev/null)
+    HAS_EN=$(grep -c '"en"' "$f" 2>/dev/null)
+    HAS_IT=$(grep -c '"it"' "$f" 2>/dev/null)
+    HAS_DE=$(grep -c '"de"' "$f" 2>/dev/null)
+
+    if [ "$HAS_FR" -eq 0 ] || [ "$HAS_EN" -eq 0 ] || [ "$HAS_IT" -eq 0 ] || [ "$HAS_DE" -eq 0 ]; then
+      echo "BLOCKING: Missing language(s) in navigation translations: $f"
+      echo "  fr=$HAS_FR, en=$HAS_EN, it=$HAS_IT, de=$HAS_DE (all must be > 0)"
+      echo "Fix: Add NavigationTranslationSeedEntry for all 4 languages (fr, en, it, de)"
+      FAIL=true
+    fi
+
+    # If sections exist, section translations MUST exist
+    HAS_SECTION_ENTRIES=$(grep -c 'GetSectionEntries' "$f" 2>/dev/null)
+    HAS_SECTION_TRANSLATIONS=$(grep -c 'GetSectionTranslationEntries' "$f" 2>/dev/null)
+    if [ "$HAS_SECTION_ENTRIES" -gt 0 ] && [ "$HAS_SECTION_TRANSLATIONS" -eq 0 ]; then
+      echo "BLOCKING: Sections defined but GetSectionTranslationEntries() missing: $f"
+      echo "Fix: Add GetSectionTranslationEntries() with 4 languages per section (ref core-seed-data.md §2b)"
+      FAIL=true
+    fi
+
+    # If resources exist, resource translations MUST exist
+    HAS_RESOURCE_ENTRIES=$(grep -c 'GetResourceEntries' "$f" 2>/dev/null)
+    HAS_RESOURCE_TRANSLATIONS=$(grep -Pc 'ResourceTranslation|GetResourceTranslation|NavigationEntityType\.Resource.*LanguageCode' "$f" 2>/dev/null)
+    if [ "$HAS_RESOURCE_ENTRIES" -gt 0 ] && [ "$HAS_RESOURCE_TRANSLATIONS" -eq 0 ]; then
+      echo "BLOCKING: Resources defined but resource translations missing: $f"
+      echo "Fix: Add resource translation entries with 4 languages per resource (ref core-seed-data.md §2b)"
+      FAIL=true
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
 **If ANY POST-CHECK fails → fix in step-03, re-validate.**

package/templates/skills/apex/references/smartstack-api.md

@@ -79,7 +79,7 @@ public enum EntityScope
 ```csharp
 using SmartStack.Domain.Common;
 
-namespace {ProjectName}.Domain.Entities.{Context}.{App}.{Module};
+namespace {ProjectName}.Domain.Entities.{App}.{Module};
 
 public class {Name} : BaseEntity, ITenantEntity, IAuditableEntity
 {
@@ -299,7 +299,7 @@ using SmartStack.Application.Common.Interfaces.Identity;
 using SmartStack.Application.Common.Interfaces.Tenants;
 using SmartStack.Application.Common.Interfaces.Persistence;
 
-namespace {ProjectName}.Infrastructure.Services.{Context}.{App}.{Module};
+namespace {ProjectName}.Infrastructure.Services.{App}.{Module};
 
 public class {Name}Service : I{Name}Service
 {
@@ -432,10 +432,10 @@ using Microsoft.AspNetCore.Mvc;
 using SmartStack.Api.Routing;
 using SmartStack.Api.Authorization;
 
-namespace {ProjectName}.Api.Controllers.{Context}.{App};
+namespace {ProjectName}.Api.Controllers.{App};
 
 [ApiController]
-[NavRoute("{context}.{app}.{module}")]
+[NavRoute("{app}.{module}")]
 [Authorize]
 public class {Name}Controller : ControllerBase
 {
@@ -500,10 +500,10 @@ public class {Name}Controller : ControllerBase
 **CRITICAL:** Use `[RequirePermission(Permissions.{Module}.{Action})]` on EVERY endpoint — NEVER `[Authorize]` alone (no RBAC enforcement).
 
 **CRITICAL — Permission paths use IDENTICAL segments to NavRoute codes (kebab-case):**
-- NavRoute: `business.human-resources.employees` → Permission: `business.human-resources.employees.read`
-- NavRoute: `business.human-resources.employees.leaves` → Permission: `business.human-resources.employees.leaves.read`
-- FORBIDDEN: `business.humanresources.employees.read` (no kebab-case — mismatches NavRoute)
-- SmartStack.app convention: `business.support-client.my-tickets.read` (always kebab-case)
+- NavRoute: `human-resources.employees` → Permission: `human-resources.employees.read`
+- NavRoute: `human-resources.employees.leaves` → Permission: `human-resources.employees.leaves.read`
+- FORBIDDEN: `humanresources.employees.read` (no kebab-case — mismatches NavRoute)
+- SmartStack.app convention: `support-client.my-tickets.read` (always kebab-case)
 
 ### Section-Level Controller (NavRoute with 4 segments)
 
@@ -512,11 +512,11 @@ When a module has sections, each section gets its own controller with a 4-segmen
 ```csharp
 // Section-level controller: navRoute has 4 segments
 [ApiController]
-[NavRoute("{context}.{app}.{module}.{section}")]
+[NavRoute("{app}.{module}.{section}")]
 [Authorize]
 public class {Section}Controller : ControllerBase
 {
-    // Example: business.human-resources.employees.departments
+    // Example: human-resources.employees.departments
     [HttpGet]
     [RequirePermission(Permissions.{Section}.Read)]
     public async Task<ActionResult<PaginatedResult<{Section}ResponseDto>>> GetAll(
@@ -531,12 +531,12 @@ public class {Section}Controller : ControllerBase
 **NavRoute segment rules:**
 | Level | NavRoute format | Example |
 |-------|----------------|---------|
-| Module | `{context}.{app}.{module}` (3 segments) | `business.human-resources.employees` |
-| Section | `{context}.{app}.{module}.{section}` (4 segments) | `business.human-resources.employees.departments` |
+| Module | `{app}.{module}` (2 segments) | `human-resources.employees` |
+| Section | `{app}.{module}.{section}` (3 segments) | `human-resources.employees.departments` |
 
 **Namespace:** `SmartStack.Api.Routing` (NOT `SmartStack.Api.Core.Routing`)
 
-**NavRoute resolves at startup from DB:** `platform.administration.users` → `api/platform/administration/users`
+**NavRoute resolves at startup from DB:** `administration.users` → `api/administration/users`
 
 ### Sub-Resource Pattern (NavRoute Suffix)
 
@@ -545,7 +545,7 @@ When an entity is a child of another entity (e.g., LeaveTypes under Leaves), use
 ```csharp
 // Sub-resource controller: types are nested under leaves
 [ApiController]
-[NavRoute("business.human-resources.employees.leaves", Suffix = "types")]
+[NavRoute("human-resources.employees.leaves", Suffix = "types")]
 [Authorize]
 public class LeaveTypesController : ControllerBase
 {
@@ -582,22 +582,22 @@ public async Task<ActionResult<PaginatedResult<LeaveTypeResponseDto>>> GetAllLea
 
 | Level | Route Format | Example |
 |-------|-------------|---------|
-| Application | `/{context}/{app-kebab}` | `/business/human-resources` |
-| Module | `/{context}/{app-kebab}/{module-kebab}` | `/business/human-resources/employees` |
-| Section | `/{context}/{app-kebab}/{module-kebab}/{section-kebab}` | `/business/human-resources/employees/departments` |
-| Resource | `/{context}/{app-kebab}/{module-kebab}/{section-kebab}/{resource-kebab}` | `/business/human-resources/employees/departments/export` |
+| Application | `/{app-kebab}` | `/human-resources` |
+| Module | `/{app-kebab}/{module-kebab}` | `/human-resources/employees` |
+| Section | `/{app-kebab}/{module-kebab}/{section-kebab}` | `/human-resources/employees/departments` |
+| Resource | `/{app-kebab}/{module-kebab}/{section-kebab}/{resource-kebab}` | `/human-resources/employees/departments/export` |
 
 **ROUTE SPECIAL CASES (list and detail sections):**
 > The `list` and `detail` sections are NOT functional sub-areas — they are view modes of the module itself.
 > Their navigation routes MUST NOT add extra segments:
-> - `list` section route = module route (e.g., `/business/human-resources/employees`)
-> - `detail` section route = module route + `/:id` (e.g., `/business/human-resources/employees/:id`)
+> - `list` section route = module route (e.g., `/human-resources/employees`)
+> - `detail` section route = module route + `/:id` (e.g., `/human-resources/employees/:id`)
 > - FORBIDDEN: `/employees/list`, `/employees/detail/:id`
 > - Other sections (dashboard, approve, import, etc.) = module route + `/{section-kebab}` (normal behavior)
 
 **Rules:**
 - Routes ALWAYS start with `/`
-- Routes ALWAYS include the full hierarchy from context to current level
+- Routes ALWAYS include the full hierarchy from application to current level
 - Routes ALWAYS use kebab-case (NOT PascalCase, NOT camelCase)
 - Code identifiers stay PascalCase in C# (`HumanResources`) but routes are kebab-case (`human-resources`)
 
@@ -612,24 +612,14 @@ private static string ToKebabCase(string value)
 
 ### SeedConstants Pattern
 
-> **CRITICAL — NavigationContext IDs are NEVER generated.**
-> Contexts (`business`, `platform`, `personal`) are pre-seeded by SmartStack core with hardcoded GUIDs.
-> You MUST query the context by code at runtime in the SeedDataProvider:
-> `var ctx = await db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == "business", ct);`
-> **FORBIDDEN:** `DeterministicGuid("nav:business")` or any ContextId constant in SeedConstants.
-
 ```csharp
 public static class SeedConstants
 {
     // Deterministic GUIDs (SHA256-based, reproducible across environments)
     // NOTE: Application/Module/Section/Resource IDs are deterministic.
-    //       Context IDs are NOT — they are pre-seeded by SmartStack core.
-    public static readonly Guid ApplicationId = DeterministicGuid("nav:business.human-resources");
-    public static readonly Guid ModuleId = DeterministicGuid("nav:business.human-resources.employees");
-    public static readonly Guid SectionId = DeterministicGuid("nav:business.human-resources.employees.departments");
-
-    // FORBIDDEN — Context IDs are NOT deterministic, they come from SmartStack core:
-    // public static readonly Guid BusinessContextId = DeterministicGuid("nav:business"); // WRONG!
+    public static readonly Guid ApplicationId = DeterministicGuid("nav:human-resources");
+    public static readonly Guid ModuleId = DeterministicGuid("nav:human-resources.employees");
+    public static readonly Guid SectionId = DeterministicGuid("nav:human-resources.employees.departments");
 
     private static Guid DeterministicGuid(string input)
     {
@@ -647,30 +637,25 @@ public static class SeedConstants
 ### Navigation Seed Data Example
 
 ```csharp
-// CRITICAL: Look up the context by code — NEVER use a hardcoded/deterministic GUID
-var businessCtx = await db.NavigationContexts
-    .FirstOrDefaultAsync(c => c.Code == "business", ct);
-if (businessCtx == null) return; // Context not yet seeded by SmartStack core
-
-// Application: /business/human-resources
+// Application: /human-resources
 var app = NavigationApplication.Create(
-    businessCtx.Id, "human-resources", "Human Resources", "HR Management",
+    "human-resources", "Human Resources", "HR Management",
     "Users", IconType.Lucide,
-    "/business/human-resources",  // FULL PATH — starts with /, kebab-case
+    "/human-resources",  // FULL PATH — starts with /, kebab-case
     10);
 
-// Module: /business/human-resources/employees
+// Module: /human-resources/employees
 var module = NavigationModule.Create(
     app.Id, "employees", "Employees", "Employee management",
     "UserCheck", IconType.Lucide,
-    "/business/human-resources/employees",  // FULL PATH — includes parent
+    "/human-resources/employees",  // FULL PATH — includes parent
     10);
 
-// Section: /business/human-resources/employees/departments
+// Section: /human-resources/employees/departments
 var section = NavigationSection.Create(
     module.Id, "departments", "Departments", "Manage departments",
     "Building2", IconType.Lucide,
-    "/business/human-resources/employees/departments",  // FULL PATH
+    "/human-resources/employees/departments",  // FULL PATH
     10);
 ```
 
@@ -678,10 +663,9 @@ var section = NavigationSection.Create(
 
 | Mistake | Reality |
 |---------|---------|
-| `"humanresources"` as route | Must be `"/business/human-resources"` (full path, kebab-case) |
-| `"employees"` as route | Must be `"/business/human-resources/employees"` (includes parent) |
+| `"humanresources"` as route | Must be `"/human-resources"` (full path, kebab-case) |
+| `"employees"` as route | Must be `"/human-resources/employees"` (includes parent) |
 | `Guid.NewGuid()` in seed data | Must use deterministic GUIDs (SHA256) |
-| `DeterministicGuid("nav:business")` for ContextId | Context IDs are pre-seeded by SmartStack core — look up by code |
 | Missing translations | Must have 4 languages: fr, en, it, de |
 | Missing NavigationApplicationSeedData | Menu invisible without Application level |
 
@@ -747,9 +731,9 @@ services.AddValidatorsFromAssemblyContaining<Create{Name}DtoValidator>();
 | `ICurrentUser` in service code | Does NOT exist — use `ICurrentUserService` + `ICurrentTenantService` |
 | `_currentTenant.TenantId!.Value` | Crashes with 500 — use `?? throw new TenantContextRequiredException()` |
 | `UnauthorizedAccessException("Tenant context is required")` | Returns 401 → clears frontend token. Use `TenantContextRequiredException()` (400) |
-| Route `"humanresources"` in seed data | Must be full path `"/business/human-resources"` |
+| Route `"humanresources"` in seed data | Must be full path `"/human-resources"` |
 | Route without leading `/` | All routes must start with `/` |
-| `business.humanresources.employees.read` in permissions | Permission segments MUST match NavRoute kebab-case: `business.human-resources.employees.read` |
+| `humanresources.employees.read` in permissions | Permission segments MUST match NavRoute kebab-case: `human-resources.employees.read` |
 | `Permission.Create()` | Does NOT exist — use `CreateForModule()`, `CreateForSection()`, etc. |
 | `GetAllAsync()` without search param | ALL GetAll endpoints MUST support `?search=` for EntityLookup |
 | `string Date` in DTO | Date-only fields MUST use `DateOnly`, NEVER `string` |

package/templates/skills/apex/references/smartstack-frontend.md

@@ -15,7 +15,7 @@
 ```tsx
 // Named exports — use .then() to wrap
 const EmployeesPage = lazy(() =>
-  import('@/pages/Business/HumanResources/Employees/EmployeesPage')
+  import('@/pages/HumanResources/Employees/EmployeesPage')
     .then(m => ({ default: m.EmployeesPage }))
 );
 
@@ -32,7 +32,7 @@ import { PageLoader } from '@/components/ui/PageLoader';
 // Route element wrapping
 element: (
   <Suspense fallback={<PageLoader />}>
-    <PermissionGuard permissions={ROUTES['business.hr.employees'].permissions}>
+    <PermissionGuard permissions={ROUTES['hr.employees'].permissions}>
       <EmployeesPage />
     </PermissionGuard>
   </Suspense>
@@ -49,7 +49,7 @@ element: (
 **FORBIDDEN:**
 ```tsx
 // WRONG: static import in route file
-import { EmployeesPage } from '@/pages/Business/HumanResources/Employees/EmployeesPage';
+import { EmployeesPage } from '@/pages/HumanResources/Employees/EmployeesPage';
 
 // WRONG: no Suspense wrapper
 element: <EmployeesPage />
@@ -65,7 +65,7 @@ element: <EmployeesPage />
 **CORRECT — Lazy imports in client App.tsx:**
 ```tsx
 const ClientsListPage = lazy(() =>
-  import('@/pages/Business/HumanResources/Clients/ClientsListPage')
+  import('@/pages/HumanResources/Clients/ClientsListPage')
     .then(m => ({ default: m.ClientsListPage }))
 );
 ```
@@ -73,7 +73,7 @@ const ClientsListPage = lazy(() =>
 **FORBIDDEN — Static imports in client App.tsx:**
 ```tsx
 // WRONG: Static import kills code splitting
-import { ClientsListPage } from '@/pages/Business/HumanResources/Clients/ClientsListPage';
+import { ClientsListPage } from '@/pages/HumanResources/Clients/ClientsListPage';
 ```
 
 > **Note:** The `smartstackRoutes.tsx` from the npm package may use static imports internally — this is acceptable for the package. But client `App.tsx` code MUST always use lazy imports for business pages.
@@ -425,8 +425,8 @@ const handleTabClick = (tab: TabKey) => {
 
 | Action | Route pattern | Page component | File location |
 |--------|--------------|----------------|---------------|
-| Create | `/{module}/create` | `EntityCreatePage` | `src/pages/{Context}/{App}/{Module}/EntityCreatePage.tsx` |
-| Edit | `/{module}/:id/edit` | `EntityEditPage` | `src/pages/{Context}/{App}/{Module}/EntityEditPage.tsx` |
+| Create | `/{module}/create` | `EntityCreatePage` | `src/pages/{App}/{Module}/EntityCreatePage.tsx` |
+| Edit | `/{module}/:id/edit` | `EntityEditPage` | `src/pages/{App}/{Module}/EntityEditPage.tsx` |
 
 ### Create Page Template
 
@@ -562,11 +562,11 @@ export function EntityEditPage() {
 ```tsx
 // In route files — form pages are also lazy-loaded
 const EntityCreatePage = lazy(() =>
-  import('@/pages/Business/HumanResources/Employees/EntityCreatePage')
+  import('@/pages/HumanResources/Employees/EntityCreatePage')
     .then(m => ({ default: m.EntityCreatePage }))
 );
 const EntityEditPage = lazy(() =>
-  import('@/pages/Business/HumanResources/Employees/EntityEditPage')
+  import('@/pages/HumanResources/Employees/EntityEditPage')
     .then(m => ({ default: m.EntityEditPage }))
 );
 
@@ -610,7 +610,7 @@ const EntityEditPage = lazy(() =>
 // PermissionGuard for section-level routes
 element: (
   <Suspense fallback={<PageLoader />}>
-    <PermissionGuard permissions={ROUTES['business.app.module.section'].permissions}>
+    <PermissionGuard permissions={ROUTES['app.module.section'].permissions}>
       <SectionPage />
     </PermissionGuard>
   </Suspense>
@@ -742,7 +742,7 @@ interface EntityLookupOption {
 }
 
 interface EntityLookupProps {
-  /** API endpoint to search entities (e.g., '/api/business/human-resources/employees') */
+  /** API endpoint to search entities (e.g., '/api/human-resources/employees') */
   apiEndpoint: string;
   /** Currently selected entity ID */
   value: string | null;
@@ -948,7 +948,7 @@ import { EntityLookup } from '@/components/ui/EntityLookup';
 
 // Inside the form:
 <EntityLookup
-  apiEndpoint="/api/business/human-resources/employees"
+  apiEndpoint="/api/human-resources/employees"
   value={formData.employeeId}
   onChange={(id) => handleChange('employeeId', id)}
   label={t('module:form.employee', 'Employee')}
@@ -964,7 +964,7 @@ import { EntityLookup } from '@/components/ui/EntityLookup';
 
 // For DepartmentId FK:
 <EntityLookup
-  apiEndpoint="/api/business/human-resources/departments"
+  apiEndpoint="/api/human-resources/departments"
   value={formData.departmentId}
   onChange={(id) => handleChange('departmentId', id)}
   label={t('module:form.department', 'Department')}
@@ -1077,7 +1077,7 @@ public async Task<PaginatedResult<EntityResponseDto>> GetAllAsync(
 **CORRECT — ONLY this pattern:**
 ```tsx
 <EntityLookup
-  apiEndpoint="/api/business/human-resources/departments"
+  apiEndpoint="/api/human-resources/departments"
   value={formData.departmentId}
   onChange={(id) => handleChange('departmentId', id)}
   label={t('module:form.department', 'Department')}
@@ -1156,7 +1156,7 @@ The `DocRenderer` shared component renders all 8 documentation sections (overvie
 If the automatic route mapping doesn't work for your module, pass a custom URL:
 
 ```tsx
-<DocToggleButton customDocUrl="/docs/business/human-resources/employees" />
+<DocToggleButton customDocUrl="/docs/human-resources/employees" />
 ```
 
 ### Rules
@@ -1181,7 +1181,7 @@ Before marking frontend tasks as complete, verify:
 - [ ] No hardcoded strings in JSX — all text goes through `t()`
 - [ ] CSS uses variables only — no hardcoded Tailwind colors (BLOCKING POST-CHECK 13)
 - [ ] Pages follow loading → error → content pattern
-- [ ] Pages use `src/pages/{Context}/{App}/{Module}/` hierarchy
+- [ ] Pages use `src/pages/{App}/{Module}/` hierarchy
 - [ ] API calls use generated hooks or `apiClient` (never raw axios)
 - [ ] Components use SmartTable/SmartFilter/EntityCard (never raw HTML tables)
 - [ ] **FK fields use `EntityLookup` — ZERO plain text inputs for Guid FK fields**
@@ -1470,7 +1470,7 @@ And in the module-specific translation files (e.g., `employees.json`):
 ### Test File Convention
 
 ```
-src/pages/{Context}/{App}/{Module}/
+src/pages/{App}/{Module}/
 ├── EntityCreatePage.tsx
 ├── EntityCreatePage.test.tsx    ← MANDATORY
 ├── EntityEditPage.tsx