@atlashub/smartstack-cli 3.37.0 → 3.39.0

package/templates/skills/apex/references/execution-layer1-rules.md

@@ -0,0 +1,96 @@
+# Layer 1: Execution Rules — Application + API + Seed Data
+
+> **Loaded by:** step-03-execute.md (section: Layer 1)
+> **Purpose:** Critical rules for Layer 1 execution — NavRoute, permissions, validators, code generation, frontend patterns.
+
+---
+
+## NavRoute and Permission Kebab-Case (CRITICAL)
+
+**ALL NavRoute segments and permission codes MUST use kebab-case for multi-word identifiers.**
+
+Root cause (test-apex-007): Controllers had `[NavRoute("humanresources.employees")]` instead of `[NavRoute("human-resources.employees")]`. This mismatched seed data routes and permission codes, causing 404s and permission denials at runtime.
+
+**Rules:**
+- NavRoute: `human-resources.employees` (NEVER `humanresources.employees`)
+- Permissions: `human-resources.employees.read` (segments MATCH NavRoute exactly)
+- Seed data codes: `human-resources` (NEVER `humanresources`)
+- C# class names stay PascalCase (`HumanResourcesController`) — only route/permission strings use kebab-case
+- POST-CHECKs 41 + 48 validate this. Fix BEFORE committing.
+
+---
+
+## Controller Route Attribute (BLOCKING)
+
+**Controllers with `[NavRoute]` must NOT have `[Route]` attribute.**
+
+Root cause (test-apex-007): ALL 7 controllers had BOTH `[Route("api/...")]` AND `[NavRoute("...")]`. In SmartStack, `[NavRoute]` resolves routes dynamically from Navigation entities in the database at startup. Having `[Route]` alongside causes route conflicts → all endpoints return 404.
+
+**Rules:**
+- `[NavRoute("app.module")]` is the ONLY route attribute needed on controllers
+- **FORBIDDEN:** `[Route("api/human-resources/employees")]` alongside `[NavRoute]`
+- **FORBIDDEN:** `[Route("api/[controller]")]` alongside `[NavRoute]`
+- If generating via MCP `scaffold_extension` with `navRoute` option → output is correct (NavRoute only)
+- If generating via `/controller` skill → verify NO `[Route]` is added
+- POST-CHECK 50 validates this. Fix BEFORE committing.
+
+---
+
+## Validators DI Registration (CRITICAL)
+
+After creating validators, they MUST be registered in DI. Without registration, `[FromBody]` DTOs are never validated.
+
+```csharp
+In DependencyInjection.cs (or ServiceCollectionExtensions.cs):
+  services.AddValidatorsFromAssemblyContaining<Create{Entity}DtoValidator>();
+```
+
+POST-CHECK 46 validates this. If validators exist but no DI registration → BLOCKING.
+
+---
+
+## Date Fields — Use DateOnly (CRITICAL)
+
+**ALL date-only fields in DTOs MUST use `DateOnly`, NEVER `string`.**
+
+Root cause (test-apex-007): WorkLog DTO had `string Date` instead of `DateOnly Date`. This causes: no date validation, inconsistent date formats, parsing errors.
+
+**Type mapping for DTOs:**
+
+| Domain type | DTO type | Example |
+|-------------|----------|---------|
+| `DateTime` | `DateTime` | `CreatedAt`, `UpdatedAt` |
+| Date-only field | `DateOnly` | `Date`, `StartDate`, `EndDate`, `BirthDate` |
+| `string` for date | **FORBIDDEN** | Never use `string` for dates |
+| `DateTime` for date-only | **Avoid** | Use `DateOnly` when no time component needed |
+
+POST-CHECK 47 validates this. If a DTO has `string` type for a property named `*Date*` → BLOCKING.
+
+---
+
+## Code Generation (if entities have codePattern != "manual")
+
+For each entity with auto-generated code pattern (from feature.json or step-02 decisions):
+
+```
+1. Create CodePatternConfig for the entity (strategy, prefix, digits from codePattern)
+2. Register ICodeGenerator<TEntity> in DependencyInjection.cs (Infrastructure layer)
+   → See references/code-generation.md for DI registration pattern
+3. Update CreateDto: REMOVE Code property (auto-generated, not user-provided)
+4. Update CreateDtoValidator: REMOVE Code regex rule (not in DTO anymore)
+5. Update service CreateAsync: inject ICodeGenerator<TEntity>, call NextCodeAsync()
+   → Code is auto-generated BEFORE entity creation
+   → See references/code-generation.md for service integration pattern
+6. Keep Code in ResponseDto (returned to frontend after creation)
+7. Keep Code in UpdateDto ONLY if code is mutable (rare — discuss with user)
+```
+
+**CRITICAL:** If `codePattern.strategy == "manual"` (or no codePattern), keep the current behavior: Code stays in CreateDto, user provides it, validator has regex rule.
+
+---
+
+## Sequential vs Parallel Execution
+
+**If economy_mode:** Execute each item from the plan sequentially using skills and MCP.
+
+**If NOT economy_mode:** See `references/agent-teams-protocol.md` for parallel team-based execution with exec-backend and exec-frontend teammates.

package/templates/skills/apex/references/initialization-challenge-flow.md

@@ -0,0 +1,110 @@
+# Initialization — Challenge Flow & Hierarchy Definition
+
+> **Loaded by:** step-00-init.md (sections 4-5)
+> **Purpose:** Detailed flow for challenging user hierarchy assumptions and defining the 4-level navigation structure.
+
+---
+
+## Challenge Questions Reference
+
+> **Complete question templates with validation:**
+> Load `references/challenge-questions.md` for the actual YAML question blocks and validation logic.
+
+---
+
+## 4-Level Navigation Hierarchy (BLOCKING RULE)
+
+SmartStack uses a **4-level navigation hierarchy:**
+- **Level 1: Application** — e.g., "HumanResources", "ProjectManagement"
+- **Level 2: Module** — e.g., "Employees", "Timesheet"
+- **Level 3: Section** — e.g., "List", "Dashboard", "Approval"
+- **Level 4: Resource** — e.g., "Export", "Settings" (optional)
+
+**BLOCKING RULE:** Every module MUST have at least one section. A module without sections produces an incomplete navigation tree, broken seed data, and missing frontend routes.
+
+---
+
+## Step 4: Validate Application Level (4a)
+
+Load application question from `references/challenge-questions.md` section 4a.
+
+**If `{app_name}` was clearly inferred from the task description:**
+- Skip question, use inferred value
+
+**If unclear:**
+- Present question with best guess as recommended option
+- Options:
+  1. "Inferred app name (Recommended)" + description
+  2. "New application" + option to create
+  3. "Existing application" + option to select from scanned projects
+- If "New application": collect `{app_name}`, `{app_code}`, `{app_icon}`, `{app_labels}` (4 langs)
+- If "Existing application": scan `**/Seeding/Data/**/NavigationApplicationSeedData.cs` and present discovered apps
+
+---
+
+## Step 4b: Validate Module Level
+
+Load module question from `references/challenge-questions.md` section 4b.
+
+**If `{module_code}` was clearly inferred:**
+- Skip question
+
+**If unclear:**
+- Present question with best guess(es) as options
+- Options:
+  1. "Inferred module code (Recommended)" + from task description
+  2. "Alternative suggestions" + based on keywords
+- User selects or enters custom value
+- Store as `{module_code}` (kebab-case)
+
+---
+
+## Step 4c: Define Sections (MANDATORY — at least one)
+
+Load section questions from `references/challenge-questions.md` section 4c.
+
+**BLOCKING VALIDATION:** Sections list MUST contain at least one entry before proceeding.
+
+Infer section suggestions from:
+1. Task description (extract nouns/concepts that suggest functional sub-areas)
+2. PRD/feature.json if available (module.sections)
+3. Common patterns: "list" (default for simple CRUD), "dashboard", "settings", "reports"
+
+**Question format:**
+```yaml
+question: "What sections should the module '{module_code}' contain?
+           (Select at least one — use 'Other' to add custom sections)"
+options:
+  - label: "<inferred section 1>"
+    description: "Primary functional area based on module purpose"
+  - label: "<inferred section 2>"
+    description: "Secondary functional area"
+  - label: "<inferred section 3>"
+    description: "Additional area inferred from context"
+multiSelect: true
+```
+
+**Validation (BLOCKING):**
+```
+IF {sections}.length == 0:
+  DISPLAY: "Every module must have at least one section."
+  → Re-ask the sections question
+  → DO NOT proceed to next step
+```
+
+**Store for each section:**
+```yaml
+sections:
+  - code: "section-kebab"
+    labels: { fr: "...", en: "...", it: "...", de: "..." }
+    icon: "LucideIconName"
+    displayOrder: 10
+```
+
+---
+
+## Delegate Mode Skip (if -d)
+
+When `/ralph-loop` invokes `/apex -d {prd_path}`, ALL hierarchy is extracted from the PRD file:
+- Skip sections 2-4 (no interactive questions)
+- Jump directly to section 3 (MCP verify)

package/templates/skills/apex/references/planning-layer-mapping.md

@@ -0,0 +1,151 @@
+# Planning — Layer Mapping, Skill Assignment, Parallelization Strategy
+
+> **Loaded by:** step-02-plan.md (sections 1-4)
+> **Purpose:** Map analyzed elements to layers, assign skills/MCP tools, and identify parallelization opportunities.
+
+---
+
+## Map Changes to Layers
+
+For each element identified in step-01, assign to a SmartStack layer:
+
+| Layer | Category | Order |
+|-------|----------|-------|
+| 0 | Domain (entities, enums, exceptions) | Sequential |
+| 0 | Infrastructure - EF Configs | Sequential |
+| 0 | Infrastructure - Migration (BLOCKING) | Sequential |
+| 1 | Application (services, DTOs, validators) | Parallel |
+| 1 | API (controllers) | Parallel |
+| 1 | Infrastructure - Seed Data | Parallel |
+| 2 | Frontend (pages, components) | Parallel |
+| 2 | I18n (translations) | Parallel |
+| 3 | Tests | Sequential |
+
+---
+
+## Entity Definition Template
+
+Each entity in the plan MUST include:
+
+```yaml
+Entity: {EntityName}
+  - tenantMode: strict | optional | scoped | none
+  - codePattern: auto-generated strategy (if applicable)
+  - fkFields: [{field, targetEntity}] (if applicable)
+  - acceptance criteria: [AC1, AC2, ...]
+```
+
+The `tenantMode` decision (from step-01) drives:
+- EF query filters
+- Seed data approach
+- API authorization
+
+See `smartstack-layers.md` for tenant mode seed data strategies.
+
+---
+
+## Assign Skill/MCP per File
+
+For EACH file in the plan, specify HOW it will be created/modified.
+
+**Format:**
+
+```markdown
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 1 | Domain/Entities/.../MyEntity.cs | create | MCP scaffold_extension |
+| 2 | Infrastructure/.../MyEntityConfiguration.cs | create | MCP scaffold_extension |
+| 3 | Migration | create | MCP suggest_migration + dotnet ef |
+```
+
+---
+
+## Layer 0 — Domain + Infrastructure (sequential)
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 1 | Domain/Entities/.../Entity.cs | create | MCP scaffold_extension |
+| 2 | Infrastructure/.../EntityConfiguration.cs | create | MCP scaffold_extension |
+| 3 | Infrastructure/Migrations/ | create | MCP suggest_migration + dotnet ef |
+
+---
+
+## Layer 1 — Application + API + Seed Data (parallel)
+
+**Backend:** Application/API/Seed Data
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 4 | Application/Services/.../Service.cs | create | MCP scaffold_extension |
+| 5 | Application/DTOs/.../Dto.cs | create | MCP scaffold_extension |
+| 6 | Api/Controllers/.../Controller.cs | create | /controller skill or MCP scaffold_extension |
+| 7 | Seeding/Data/NavigationApplicationSeedData.cs | create | Reference smartstack-layers.md (once per app) |
+| 7b | Seeding/Data/ApplicationRolesSeedData.cs | create | Reference smartstack-layers.md (once per app) |
+| 7c | Infrastructure/Services/CodeGeneration/ | create | Reference code-generation.md (per entity with codePattern != manual) |
+| 8 | Seeding/Data/.../NavigationModuleSeedData.cs | create | Reference core-seed-data.md (4 langs: fr, en, it, de) |
+| 8c | ↳ (same file) Section methods | add | Reference core-seed-data.md §2b (if sections exist) |
+| 8d | ↳ (same file) Resource methods | add | Reference core-seed-data.md §2b (if resources exist) |
+| 8b | Application/Authorization/Permissions.cs | create | MCP generate_permissions |
+| 9 | Seeding/Data/.../PermissionsSeedData.cs | create | MCP generate_permissions |
+| 10 | Seeding/Data/.../RolesSeedData.cs | create | Reference smartstack-layers.md |
+| 10b | Seeding/{App}SeedDataProvider.cs | create | Reference core-seed-data.md (IClientSeedDataProvider + DI) |
+
+**Frontend:** API Client, Routes, Pages, I18n
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 11 | src/pages/{App}/{Mod}/ListPage.tsx | create | /ui-components skill |
+| 11b | src/pages/{App}/{Mod}/CreatePage.tsx | create | /ui-components skill (FK: EntityLookup) |
+| 11c | src/pages/{App}/{Mod}/EditPage.tsx | create | /ui-components skill (FK: EntityLookup) |
+| 11d | src/pages/{App}/{Mod}/{Section}Page.tsx | create | /ui-components skill (per section in `{sections}`) |
+| 11e | src/pages/{App}/{Mod}/{Section}DetailPage.tsx | create | /ui-components skill (per section) |
+| 12 | src/services/api/{module}Api.ts | create | MCP scaffold_api_client |
+| 13 | src/routes/{module}.tsx | create | MCP scaffold_routes |
+| 14 | src/i18n/locales/{lang}/{module}.json | create | Reference smartstack-frontend.md (4 languages) |
+
+**FK Field Guidance:** If step-01 identified `fkFields[]`, every Create/Edit page MUST use `EntityLookup` for those fields (see `smartstack-frontend.md` section 6). The corresponding backend GetAll endpoints (Layer 1) MUST support `?search=` parameter.
+
+---
+
+## Layer 2b — Documentation (after frontend pages exist)
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 14b | src/pages/docs/business/{app}/{module}/doc-data.ts | create | /documentation skill |
+| 14c | src/pages/docs/business/{app}/{module}/index.tsx | create | /documentation skill |
+
+---
+
+## Layer 3 — Tests (sequential)
+
+| # | File | Action | Tool |
+|---|------|--------|------|
+| 15 | tests/.../EntityTests.cs | create | MCP scaffold_tests |
+| 16 | tests/.../ServiceTests.cs | create | MCP scaffold_tests |
+
+---
+
+## Identify Parallelization (Agent Teams)
+
+If NOT economy_mode AND Layer 1 has both backend and frontend work:
+
+**Create agent teams to execute Layer 1 backend and frontend in parallel.**
+
+See `references/agent-teams-protocol.md` for team creation, teammate spawning, task coordination, and shutdown procedures.
+
+---
+
+## Delegate Mode Fast Path
+
+When `/ralph-loop` invokes `/apex -d {prd_path}`, PRD tasks already define the scope:
+
+Map each PRD task to a layer based on `task.category`:
+- `domain` → Layer 0
+- `infrastructure` → Layer 0
+- `application` → Layer 1
+- `api` → Layer 1
+- `seedData` → Layer 1
+- `frontend` → Layer 2
+- `test` → Layer 3
+
+For each task: infer file_path, action, and tool from category. SKIP user checkpoint. Jump to "Estimated Commits" section.

package/templates/skills/apex/references/post-checks.md

@@ -14,7 +14,7 @@ if [ -n "$SEED_FILES" ]; then
   if [ -n "$BAD_ROUTES" ]; then
     echo "BLOCKING: Navigation routes must be full paths starting with /"
     echo "$BAD_ROUTES"
-    echo "Expected: \"/business/human-resources\" NOT \"humanresources\""
+    echo "Expected: \"/human-resources\" NOT \"humanresources\""
     exit 1
   fi
 fi
@@ -512,35 +512,7 @@ if [ -n "$CREATE_VALIDATORS" ]; then
 fi
 ```
 
-### POST-CHECK 19: SeedConstants must NOT contain ContextId (pre-seeded by SmartStack core)
-
-```bash
-# NavigationContext IDs (business, platform, personal) are pre-seeded by SmartStack core
-# with hardcoded GUIDs. Client code MUST look them up by code at runtime, NEVER generate them.
-SEED_CONST_FILES=$(find src/ -path "*/Seeding/*" -name "SeedConstants.cs" 2>/dev/null)
-SEED_ALL_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
-if [ -n "$SEED_CONST_FILES" ]; then
-  BAD_CONTEXT_ID=$(grep -Pn 'ContextId\s*=' $SEED_CONST_FILES 2>/dev/null)
-  if [ -n "$BAD_CONTEXT_ID" ]; then
-    echo "BLOCKING: SeedConstants must NOT contain a ContextId constant"
-    echo "NavigationContext IDs are pre-seeded by SmartStack core with hardcoded GUIDs"
-    echo "Fix: Remove ContextId from SeedConstants. In SeedDataProvider, query:"
-    echo "  var ctx = await db.NavigationContexts.FirstOrDefaultAsync(c => c.Code == \"business\", ct);"
-    echo "$BAD_CONTEXT_ID"
-    exit 1
-  fi
-fi
-if [ -n "$SEED_ALL_FILES" ]; then
-  BAD_CTX_GUID=$(grep -Pn 'DeterministicGuid\("nav:(business|platform|personal)"\)' $SEED_ALL_FILES 2>/dev/null)
-  if [ -n "$BAD_CTX_GUID" ]; then
-    echo "BLOCKING: Deterministic GUID for NavigationContext detected"
-    echo "Context IDs (business, platform, personal) are pre-seeded by SmartStack core"
-    echo "Fix: Look up context by code at runtime in SeedDataProvider.SeedNavigationAsync()"
-    echo "$BAD_CTX_GUID"
-    exit 1
-  fi
-fi
-```
+### POST-CHECK 19: (REMOVED — Context level no longer exists in SmartStack navigation hierarchy)
 
 ### POST-CHECK 20: RolePermission seed data must NOT use deterministic role GUIDs
 
@@ -764,12 +736,12 @@ if [ -n "$PERM_FILES" ]; then
     PATH_VAL=$(echo "$line" | grep -oP '"[^"]*\.[^"]*"' | tr -d '"')
     if [ -n "$PATH_VAL" ]; then
       DOTS=$(echo "$PATH_VAL" | tr -cd '.' | wc -c)
-      # Module permissions: 3 dots (context.app.module.action = 4 segments = 3+1)
-      # Section permissions: 4 dots (context.app.module.section.action = 5 segments = 4+1)
+      # Module permissions: 2 dots (app.module.action = 3 segments = 2+1)
+      # Section permissions: 3 dots (app.module.section.action = 4 segments = 3+1)
       # Wildcard: ends with .* (valid at any level)
       if echo "$PATH_VAL" | grep -qP '\.\*$'; then
         continue  # Wildcards are valid
-      elif [ "$DOTS" -lt 3 ] || [ "$DOTS" -gt 5 ]; then
+      elif [ "$DOTS" -lt 2 ] || [ "$DOTS" -gt 4 ]; then
         echo "WARNING: Permission path has unexpected segment count ($((DOTS+1)) segments): $PATH_VAL"
       fi
     fi
@@ -1072,7 +1044,7 @@ fi
 ```bash
 # NavRoute segments are navigation entity Codes joined by dots.
 # Multi-word codes MUST use kebab-case (e.g., "human-resources", NOT "humanresources").
-# Verified from SmartStack.app: "business.support-client.my-tickets", "platform.administration.access-requests"
+# Verified from SmartStack.app: "support-client.my-tickets", "administration.access-requests"
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
   for f in $CTRL_FILES; do
@@ -1084,7 +1056,7 @@ if [ -n "$CTRL_FILES" ]; then
           echo "BLOCKING: NavRoute segment '$SEG' in $f appears to be concatenated multi-word without hyphens"
           echo "  Full NavRoute: $NAVROUTE_VAL"
           echo "  Fix: Use kebab-case: e.g., 'humanresources' → 'human-resources'"
-          echo "  SmartStack convention (from SmartStack.app): 'business.support-client.my-tickets'"
+          echo "  SmartStack convention (from SmartStack.app): 'support-client.my-tickets'"
           exit 1
         fi
       done
@@ -1110,8 +1082,8 @@ fi
 
 ```bash
 # Permission codes in [RequirePermission] and Permissions.cs MUST use kebab-case for multi-word segments.
-# SmartStack.app convention: "business.support-client.my-tickets.read" (kebab-case everywhere)
-# FORBIDDEN: "business.humanresources.employees.read" — must be "business.human-resources.employees.read"
+# SmartStack.app convention: "support-client.my-tickets.read" (kebab-case everywhere)
+# FORBIDDEN: "humanresources.employees.read" — must be "human-resources.employees.read"
 
 # Check [RequirePermission] attributes in controllers
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
@@ -1126,7 +1098,7 @@ if [ -n "$CTRL_FILES" ]; then
           echo "BLOCKING: Permission code segment '$SEG' in $f appears concatenated without hyphens"
           echo "  Full permission: $PERM"
           echo "  Fix: Use kebab-case: e.g., 'humanresources' → 'human-resources'"
-          echo "  SmartStack convention: 'business.support-client.my-tickets.read'"
+          echo "  SmartStack convention: 'support-client.my-tickets.read'"
           exit 1
         fi
       done
@@ -1378,8 +1350,8 @@ fi
 ### POST-CHECK 48: NavRoute attribute values must use kebab-case (BLOCKING)
 
 ```bash
-# Root cause (test-apex-007): Controllers had [NavRoute("business.humanresources.employees")]
-# instead of [NavRoute("business.human-resources.employees")]. This causes route mismatch with
+# Root cause (test-apex-007): Controllers had [NavRoute("humanresources.employees")]
+# instead of [NavRoute("human-resources.employees")]. This causes route mismatch with
 # seed data and permission codes, resulting in 404s at runtime.
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
@@ -1476,4 +1448,137 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
+### POST-CHECK 51: RolesSeedData must map standard role-permission matrix (BLOCKING)
+
+```bash
+# SmartStack standard role-permission matrix:
+#   Admin    = wildcard (*) — full access
+#   Manager  = CRU (read + create + update) — no delete
+#   Contributor = CR (read + create) — no update, no delete
+#   Viewer   = R (read only)
+# If RolesSeedData deviates from this matrix, the RBAC model is broken.
+ROLE_SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*RolesSeedData.cs" ! -name "ApplicationRolesSeedData.cs" 2>/dev/null)
+if [ -n "$ROLE_SEED_FILES" ]; then
+  FAIL=false
+  for f in $ROLE_SEED_FILES; do
+    # Skip ApplicationRolesSeedData (defines roles, not mappings)
+    BASENAME=$(basename "$f")
+    if [ "$BASENAME" = "ApplicationRolesSeedData.cs" ]; then continue; fi
+
+    # Check Admin has wildcard
+    HAS_ADMIN_WILDCARD=$(grep -Pc '(admin|Admin).*\*' "$f" 2>/dev/null)
+    if [ "$HAS_ADMIN_WILDCARD" -eq 0 ]; then
+      # Also accept .Access or wildcard pattern
+      HAS_ADMIN_ACCESS=$(grep -Pc '(admin|Admin).*(Access|Wildcard|IsWildcard)' "$f" 2>/dev/null)
+      if [ "$HAS_ADMIN_ACCESS" -eq 0 ]; then
+        echo "BLOCKING: Admin role missing wildcard (*) permission in $f"
+        echo "Fix: Admin must map to wildcard permission (navRoute.*) or use IsWildcard=true"
+        FAIL=true
+      fi
+    fi
+
+    # Check Viewer has NO delete/create/update
+    VIEWER_WRITE=$(grep -Pc '(viewer|Viewer).*(\.delete|\.create|\.update|Delete|Create|Update)' "$f" 2>/dev/null)
+    if [ "$VIEWER_WRITE" -gt 0 ]; then
+      echo "BLOCKING: Viewer role has write permissions (create/update/delete) in $f"
+      echo "Fix: Viewer must only have read permission. Remove create/update/delete mappings."
+      FAIL=true
+    fi
+
+    # Check Manager has NO delete
+    MANAGER_DELETE=$(grep -Pc '(manager|Manager).*(\.delete|Delete)' "$f" 2>/dev/null)
+    if [ "$MANAGER_DELETE" -gt 0 ]; then
+      echo "WARNING: Manager role has delete permission in $f"
+      echo "SmartStack standard: Manager = CRU (no delete). Verify this is intentional."
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 52: PermissionAction enum must use valid typed values only (BLOCKING)
+
+```bash
+# Valid PermissionAction enum values: Access(0), Read(1), Create(2), Update(3), Delete(4),
+# Export(5), Import(6), Approve(7), Reject(8), Assign(9), Execute(10)
+# FORBIDDEN: Enum.Parse<PermissionAction>("...") — runtime crash if value doesn't exist
+# FORBIDDEN: (PermissionAction)99 or any cast beyond 0-10
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_FILES" ]; then
+  FAIL=false
+  for f in $SEED_FILES; do
+    # Check for Enum.Parse<PermissionAction> usage
+    ENUM_PARSE=$(grep -Pn 'Enum\.Parse<PermissionAction>' "$f" 2>/dev/null)
+    if [ -n "$ENUM_PARSE" ]; then
+      echo "BLOCKING: Enum.Parse<PermissionAction> detected — runtime crash risk: $f"
+      echo "$ENUM_PARSE"
+      echo "Fix: Use typed enum directly: PermissionAction.Read (NOT Enum.Parse<PermissionAction>(\"Read\"))"
+      FAIL=true
+    fi
+
+    # Check for invalid cast values (PermissionAction)N where N > 10
+    INVALID_CAST=$(grep -Pn '\(PermissionAction\)\s*([1-9]\d{1,}|[2-9]\d)' "$f" 2>/dev/null)
+    if [ -n "$INVALID_CAST" ]; then
+      echo "BLOCKING: Invalid PermissionAction cast detected (value > 10): $f"
+      echo "$INVALID_CAST"
+      echo "Valid values: Access(0), Read(1), Create(2), Update(3), Delete(4), Export(5), Import(6), Approve(7), Reject(8), Assign(9), Execute(10)"
+      FAIL=true
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 53: Navigation translation completeness — 4 languages per level (BLOCKING)
+
+```bash
+# Every navigation seed data file must provide translations for ALL 4 languages (fr, en, it, de).
+# If sections exist (GetSectionEntries), GetSectionTranslationEntries MUST also exist.
+# If resources exist (GetResourceEntries), resource translation entries MUST also exist.
+NAV_SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" ! -name "*Application*" 2>/dev/null)
+if [ -n "$NAV_SEED_FILES" ]; then
+  FAIL=false
+  for f in $NAV_SEED_FILES; do
+    # Check module translations have all 4 languages
+    LANG_COUNT=$(grep -c 'LanguageCode\s*=' "$f" 2>/dev/null)
+    HAS_FR=$(grep -c '"fr"' "$f" 2>/dev/null)
+    HAS_EN=$(grep -c '"en"' "$f" 2>/dev/null)
+    HAS_IT=$(grep -c '"it"' "$f" 2>/dev/null)
+    HAS_DE=$(grep -c '"de"' "$f" 2>/dev/null)
+
+    if [ "$HAS_FR" -eq 0 ] || [ "$HAS_EN" -eq 0 ] || [ "$HAS_IT" -eq 0 ] || [ "$HAS_DE" -eq 0 ]; then
+      echo "BLOCKING: Missing language(s) in navigation translations: $f"
+      echo "  fr=$HAS_FR, en=$HAS_EN, it=$HAS_IT, de=$HAS_DE (all must be > 0)"
+      echo "Fix: Add NavigationTranslationSeedEntry for all 4 languages (fr, en, it, de)"
+      FAIL=true
+    fi
+
+    # If sections exist, section translations MUST exist
+    HAS_SECTION_ENTRIES=$(grep -c 'GetSectionEntries' "$f" 2>/dev/null)
+    HAS_SECTION_TRANSLATIONS=$(grep -c 'GetSectionTranslationEntries' "$f" 2>/dev/null)
+    if [ "$HAS_SECTION_ENTRIES" -gt 0 ] && [ "$HAS_SECTION_TRANSLATIONS" -eq 0 ]; then
+      echo "BLOCKING: Sections defined but GetSectionTranslationEntries() missing: $f"
+      echo "Fix: Add GetSectionTranslationEntries() with 4 languages per section (ref core-seed-data.md §2b)"
+      FAIL=true
+    fi
+
+    # If resources exist, resource translations MUST exist
+    HAS_RESOURCE_ENTRIES=$(grep -c 'GetResourceEntries' "$f" 2>/dev/null)
+    HAS_RESOURCE_TRANSLATIONS=$(grep -Pc 'ResourceTranslation|GetResourceTranslation|NavigationEntityType\.Resource.*LanguageCode' "$f" 2>/dev/null)
+    if [ "$HAS_RESOURCE_ENTRIES" -gt 0 ] && [ "$HAS_RESOURCE_TRANSLATIONS" -eq 0 ]; then
+      echo "BLOCKING: Resources defined but resource translations missing: $f"
+      echo "Fix: Add resource translation entries with 4 languages per resource (ref core-seed-data.md §2b)"
+      FAIL=true
+    fi
+  done
+  if [ "$FAIL" = true ]; then
+    exit 1
+  fi
+fi
+```
+
 **If ANY POST-CHECK fails → fix in step-03, re-validate.**