@atlashub/smartstack-cli 3.4.1 → 3.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "3.4.1",
+  "version": "3.5.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/skills/_shared.md

@@ -21,7 +21,7 @@ Domain → Application → Infrastructure → API → Web
 |-------|-----------------|-----------|------------------|
 | Domain | Entities, ValueObjects | `SmartStack.Domain.{Context}.{App}.{Module}` | `Domain/{Context}/{App}/{Module}/` |
 | Application | Interfaces (Common), DTOs | `SmartStack.Application.Common.Interfaces` / `.{Context}.{App}.{Module}.DTOs` | `Application/Common/Interfaces/` + `Application/{Context}/{App}/{Module}/DTOs/` |
-| Infrastructure | Service Impl, EF Core | `SmartStack.Infrastructure.Services.{Module}` | `Infrastructure/Services/{Module}/` + `Persistence/Configurations/{Module}/` |
+| Infrastructure | Service Impl, EF Core | `SmartStack.Infrastructure.Services.{Context}.{App}.{Module}` | `Infrastructure/Services/{Context}/{App}/{Module}/` + `Persistence/Configurations/{Context}/{App}/{Module}/` |
 | API | Controllers, Middleware | `SmartStack.Api.Controllers.{Context}` | `Api/Controllers/{Context}/` |
 | Web | React components, pages | N/A | `pages/{context}/{app}/{module}/` + `components/{context}/{module}/` |
 

package/templates/skills/application/steps/step-04-backend.md

@@ -86,9 +86,9 @@ Args:
 
 The tool generates (paths organized by navRoute hierarchy `{context}.{application}.{module}`):
 - `Domain/{Context}/{Application}/{Module}/{EntityName}.cs` - Entity with BaseEntity
-- `Infrastructure/Persistence/Configurations/{Module}/{EntityName}Configuration.cs` - EF Config
+- `Infrastructure/Persistence/Configurations/{Context}/{Application}/{Module}/{EntityName}Configuration.cs` - EF Config
 - `Application/Common/Interfaces/I{EntityName}Service.cs` - Service Interface
-- `Infrastructure/Services/{Module}/{EntityName}Service.cs` - Service Implementation
+- `Infrastructure/Services/{Context}/{Application}/{Module}/{EntityName}Service.cs` - Service Implementation
 - `Api/Controllers/{controller_folder}/{Application}/{EntityName}Controller.cs` - REST Controller
 - `Application/{Context}/{Application}/{Module}/DTOs/{EntityName}ResponseDto.cs` - Response DTO
 - `Application/{Context}/{Application}/{Module}/DTOs/Create{EntityName}Dto.cs` - Create request
@@ -103,8 +103,8 @@ The tool generates (paths organized by navRoute hierarchy `{context}.{applicatio
 - `Domain/{Context}/{Application}/{Module}/{EntityName}.cs`
 
 ### Infrastructure Layer
-- `Persistence/Configurations/{Module}/{EntityName}Configuration.cs`
-- `Services/{Module}/{EntityName}Service.cs`
+- `Persistence/Configurations/{Context}/{Application}/{Module}/{EntityName}Configuration.cs`
+- `Services/{Context}/{Application}/{Module}/{EntityName}Service.cs`
 
 ### Application Layer
 - `Common/Interfaces/I{EntityName}Service.cs`

package/templates/skills/application/templates-backend.md

@@ -83,7 +83,7 @@ public interface I$MODULE_PASCALService
 ## TEMPLATE: SERVICE IMPLEMENTATION
 
 ```csharp
-// src/SmartStack.Infrastructure/Services/$MODULE_PASCAL/$MODULE_PASCALService.cs
+// src/SmartStack.Infrastructure/Services/$CONTEXT_PASCAL/$APPLICATION_PASCAL/$MODULE_PASCAL/$MODULE_PASCALService.cs
 
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
@@ -91,7 +91,7 @@ using SmartStack.Application.Common.Interfaces;
 using SmartStack.Application.$CONTEXT_PASCAL.$APPLICATION_PASCAL.$MODULE_PASCAL.DTOs;
 using SmartStack.Domain.$CONTEXT_PASCAL.$APPLICATION_PASCAL.$MODULE_PASCAL;
 
-namespace SmartStack.Infrastructure.Services.$MODULE_PASCAL;
+namespace SmartStack.Infrastructure.Services.$CONTEXT_PASCAL.$APPLICATION_PASCAL.$MODULE_PASCAL;
 
 public class $MODULE_PASCALService : I$MODULE_PASCALService
 {
@@ -359,13 +359,13 @@ public class $ENTITY_PASCAL : BaseEntity
 ## TEMPLATE: EF CONFIGURATION
 
 ```csharp
-// src/SmartStack.Infrastructure/Persistence/Configurations/$MODULE_PASCAL/$ENTITY_PASCALConfiguration.cs
+// src/SmartStack.Infrastructure/Persistence/Configurations/$CONTEXT_PASCAL/$APPLICATION_PASCAL/$MODULE_PASCAL/$ENTITY_PASCALConfiguration.cs
 
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.Metadata.Builders;
 using SmartStack.Domain.$CONTEXT_PASCAL.$APPLICATION_PASCAL.$MODULE_PASCAL;
 
-namespace SmartStack.Infrastructure.Persistence.Configurations.$MODULE_PASCAL;
+namespace SmartStack.Infrastructure.Persistence.Configurations.$CONTEXT_PASCAL.$APPLICATION_PASCAL.$MODULE_PASCAL;
 
 public class $ENTITY_PASCALConfiguration : IEntityTypeConfiguration<$ENTITY_PASCAL>
 {

package/templates/skills/business-analyse/_architecture.md

@@ -63,9 +63,9 @@
 | **Domain** | `{Project}.Domain/Business/{Application}/{Module}/` | `Domain/Business/Operations/FreeBicke/FreeBicke.cs` |
 | **Application/DTOs** | `{Project}.Application/Business/{Application}/{Module}/DTOs/` | `Application/Business/Operations/FreeBicke/DTOs/FreeBickeDto.cs` |
 | **Application/Interfaces** | `{Project}.Application/Common/Interfaces/` | `Application/Common/Interfaces/IFreeBickeService.cs` |
-| **Infrastructure/Config** | `{Project}.Infrastructure/Persistence/Configurations/{Module}/` | `Configurations/FreeBicke/FreeBickeConfiguration.cs` |
-| **Infrastructure/Services** | `{Project}.Infrastructure/Services/{Module}/` | `Services/FreeBicke/FreeBickeService.cs` |
-| **Infrastructure/SeedData** | `{Project}.Infrastructure/Persistence/Seeding/Data/{Module}/` | `Seeding/Data/FreeBicke/FreeBickeSeedData.cs` |
+| **Infrastructure/Config** | `{Project}.Infrastructure/Persistence/Configurations/{Context}/{Application}/{Module}/` | `Configurations/Business/Operations/FreeBicke/FreeBickeConfiguration.cs` |
+| **Infrastructure/Services** | `{Project}.Infrastructure/Services/{Context}/{Application}/{Module}/` | `Services/Business/Operations/FreeBicke/FreeBickeService.cs` |
+| **Infrastructure/SeedData** | `{Project}.Infrastructure/Persistence/Seeding/Data/{Context}/{Application}/{Module}/` | `Seeding/Data/Business/Operations/FreeBicke/FreeBickeSeedData.cs` |
 | **API/Controllers** | `{Project}.Api/Controllers/Business/{Application}/` | `Controllers/Business/Operations/FreeBickeController.cs` |
 | **Frontend/Pages** | `web/src/pages/business/{application}/{module}/` | `pages/business/operations/freebicke/page.tsx` |
 | **Frontend/i18n** | `web/src/i18n/locales/{lang}/{module}.json` | `locales/fr/freebicke.json` |

package/templates/skills/business-analyse/steps/step-05b-deploy.md

@@ -78,6 +78,49 @@ prd.json generated for module {moduleCode}:
 - prd.json version: "2.0.0"
 - source.type: "ba-handoff-programmatic"
 
+**POST-CHECK (BLOCKING — DO NOT SKIP):**
+
+After `ss derive-prd` execution, read the generated prd-{moduleCode}.json and verify structural integrity:
+
+```javascript
+const prd = readJSON(`.ralph/prd-${moduleCode}.json`);
+const featureHandoff = moduleFeature.handoff.filesToCreate;
+
+// 1. Verify structure: filesToCreate MUST be under implementation (NOT root level)
+if (prd.filesToCreate && !prd.implementation?.filesToCreate) {
+  BLOCKING_ERROR("prd.json has filesToCreate at ROOT level — this is NOT from ss derive-prd");
+  BLOCKING_ERROR("Re-run: ss derive-prd --feature {path} --output .ralph/prd-{moduleCode}.json");
+  STOP;
+}
+
+// 2. Verify ALL 7 categories present and match feature.json
+const categories = ['domain', 'application', 'infrastructure', 'api', 'frontend', 'seedData', 'tests'];
+for (const cat of categories) {
+  const prdCount = prd.implementation.filesToCreate[cat]?.length ?? 0;
+  const featureCount = featureHandoff[cat]?.length ?? 0;
+  if (prdCount !== featureCount) {
+    BLOCKING_ERROR(`${cat}: prd has ${prdCount} files but feature.json has ${featureCount}`);
+  }
+}
+```
+
+Display verification table:
+
+```
+POST-CHECK: prd-{moduleCode}.json integrity
+| Category       | feature.json | prd.json | Match |
+|----------------|-------------|----------|-------|
+| domain         | {n}         | {n}      | OK/FAIL |
+| application    | {n}         | {n}      | OK/FAIL |
+| infrastructure | {n}         | {n}      | OK/FAIL |
+| api            | {n}         | {n}      | OK/FAIL |
+| frontend       | {n}         | {n}      | OK/FAIL |
+| seedData       | {n}         | {n}      | OK/FAIL |
+| tests          | {n}         | {n}      | OK/FAIL |
+```
+
+IF ANY category shows FAIL → **STOP AND RE-RUN `ss derive-prd`**. DO NOT proceed with incomplete PRD.
+
 ---
 
 ### 2. Initialize Progress Tracker

package/templates/skills/business-analyse/templates/tpl-handoff.md

@@ -47,8 +47,8 @@ BACKEND:
 - src/{project_namespace}.Domain/Business/ -> Entity structure + folder hierarchy
 - src/{project_namespace}.Application/Business/ -> DTOs + service interfaces
 - src/{project_namespace}.Application/Common/Interfaces/ -> Service contracts
-- src/{project_namespace}.Infrastructure/Persistence/Configurations/ -> EF Core configs (subfolder per module)
-- src/{project_namespace}.Infrastructure/Services/ -> Service implementations (subfolder per module)
+- src/{project_namespace}.Infrastructure/Persistence/Configurations/ -> EF Core configs (subfolder per context/app/module)
+- src/{project_namespace}.Infrastructure/Services/ -> Service implementations (subfolder per context/app/module)
 - src/{project_namespace}.Infrastructure/Persistence/Seeding/Data/ -> SeedData patterns
 
 SEED DATA (CRITICAL):
@@ -76,8 +76,8 @@ FRONTEND:
 | DTOs | `Application/Business/{Application}/{Module}/DTOs/{Entity}Dto.cs` | Response, Create, Update records |
 | Mapping | `Application/Business/{Application}/{Module}/DTOs/{Entity}MappingExtensions.cs` | Entity <-> DTO mapping |
 | Permission Constants | `Application/Business/{Application}/{Module}/Permissions.cs` | Compile-time constants |
-| EF Configuration | `Infrastructure/Persistence/Configurations/{Module}/{Entity}Configuration.cs` | Table + indexes + HasData |
-| Service Implementation | `Infrastructure/Services/{Module}/{Entity}Service.cs` | Business logic |
+| EF Configuration | `Infrastructure/Persistence/Configurations/{Context}/{Application}/{Module}/{Entity}Configuration.cs` | Table + indexes + HasData |
+| Service Implementation | `Infrastructure/Services/{Context}/{Application}/{Module}/{Entity}Service.cs` | Business logic |
 | Controller | `Api/Controllers/Business/{Application}/{Module}Controller.cs` | NavRoute + RequirePermission |
 
 ### 3.2 SeedData Core (CRITICAL -- without these, module is invisible and returns 403)
@@ -156,8 +156,8 @@ From: `feature.specification.seedDataCore` (5 core files), `feature.specificatio
 **Folder Conventions:**
 - [ ] Domain entities in `Domain/Business/{Application}/{Module}/`
 - [ ] Application DTOs in `Application/Business/{Application}/{Module}/DTOs/`
-- [ ] Infrastructure configs in `Configurations/{Module}/`
-- [ ] Infrastructure services in `Services/{Module}/`
+- [ ] Infrastructure configs in `Configurations/{Context}/{Application}/{Module}/`
+- [ ] Infrastructure services in `Services/{Context}/{Application}/{Module}/`
 - [ ] Controller in `Controllers/Business/{Application}/`
 
 **SeedData Core (CRITICAL):**

package/templates/skills/ralph-loop/steps/step-01-task.md

@@ -136,7 +136,10 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
     { key: "tests",          category: "test" }
   ];
 
-  const filesToCreate = prdJson.implementation?.filesToCreate || {};
+  // Support BOTH formats: nested (from ss derive-prd) and flat (LLM-generated)
+  const filesToCreate = prdJson.implementation?.filesToCreate
+                     || prdJson.filesToCreate
+                     || {};
 
   // 1. Generate tasks from implementation.filesToCreate (primary source)
   //    CRITICAL: Frontend and i18n tasks are CONSOLIDATED into ONE module-level task each.
@@ -175,15 +178,23 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
       }
 
       // Build acceptance criteria from linked FRs and UCs
+      // Support both nested (requirements.functionalRequirements) and flat (functionalRequirements) formats
+      const allFRs = prdJson.requirements?.functionalRequirements || prdJson.functionalRequirements || [];
       const linkedFRs = (fileSpec.linkedFRs || [])
         .map(frId => {
-          const fr = prdJson.requirements?.functionalRequirements?.find(f => f.id === frId);
+          const fr = allFRs.find(f => f.id === frId);
           return fr ? fr.statement : frId;
         });
-      const criteria = linkedFRs.length > 0
+      let criteria = linkedFRs.length > 0
         ? `Implements: ${linkedFRs.join("; ")}`
         : `File ${fileSpec.path} created and compiles correctly`;
 
+      // Enhance acceptance criteria for API tasks with permission enforcement
+      const permMatrix = prdJson.architecture?.permissionMatrix || prdJson.permissionMatrix;
+      if (layer.category === "api" && permMatrix?.permissions?.length > 0) {
+        criteria += "; MANDATORY: [RequirePermission] attributes on every endpoint (NOT [Authorize])";
+      }
+
       tasks.push({
         id: taskId,
         description: fileSpec.description
@@ -273,18 +284,250 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
     taskId++;
   }
 
+  // 1d. GUARDRAIL: Inject missing layer tasks when filesToCreate is incomplete
+  //     This handles LLM-generated PRDs that omit layers present in the source data.
+  //     Uses architecture data (entities, apiEndpoints, sections, wireframes) as fallback.
+
+  const entities = prdJson.architecture?.entities || prdJson.entities || [];
+  const apiEndpoints = prdJson.architecture?.apiEndpoints || prdJson.apiEndpoints || [];
+  const sections = prdJson.architecture?.sections || prdJson.sections || [];
+  const wireframes = prdJson.specification?.uiWireframes || prdJson.uiWireframes || [];
+  const dashboards = prdJson.specification?.dashboards || prdJson.dashboards || [];
+
+  const hasDomainTasks = tasks.some(t => t.category === 'domain');
+  const hasInfraTasks = tasks.some(t => t.category === 'infrastructure');
+  const hasApiTasks = tasks.some(t => t.category === 'api');
+  const hasFrontendTasks = frontendFiles.length > 0; // Already handled in 1b
+  const hasTestTasks = tasks.some(t => t.category === 'test');
+
+  // INJECT consolidated infrastructure task if missing
+  if (!hasInfraTasks && entities.length > 0) {
+    const domainDepId = lastIdByCategory["domain"];
+    tasks.push({
+      id: taskId,
+      description: `[infrastructure] Create EF Core configurations, services, and seed data for module ${moduleCode} (${entities.length} entities)`,
+      status: "pending",
+      category: "infrastructure",
+      dependencies: domainDepId ? [domainDepId] : [],
+      acceptance_criteria: `EF Core configs for all ${entities.length} entities; Service implementations; DbSet in ExtensionsDbContext; DI registration; Seed data`,
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] },
+      validation: null, error: null, module: moduleCode
+    });
+    lastIdByCategory["infrastructure"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [infrastructure] task from ${entities.length} entities`);
+  }
+
+  // INJECT consolidated API task if missing
+  if (!hasApiTasks && apiEndpoints.length > 0) {
+    const appDepId = lastIdByCategory["application"] || lastIdByCategory["infrastructure"];
+    const permMatrix = prdJson.architecture?.permissionMatrix || prdJson.permissionMatrix;
+    const hasPermissions = permMatrix?.permissions?.length > 0;
+
+    tasks.push({
+      id: taskId,
+      description: `[api] Create API controllers for module ${moduleCode} (${apiEndpoints.length} endpoints)`,
+      status: "pending",
+      category: "api",
+      dependencies: appDepId ? [appDepId] : [],
+      acceptance_criteria: [
+        `Controllers for all ${apiEndpoints.length} endpoints`,
+        hasPermissions
+          ? "MANDATORY: [RequirePermission(Permissions.{Action})] on EVERY endpoint (NOT generic [Authorize])"
+          : "Authorization attributes",
+        "Swagger docs"
+      ].join("; "),
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] },
+      validation: null, error: null, module: moduleCode
+    });
+    lastIdByCategory["api"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [api] task from ${apiEndpoints.length} endpoints`);
+  }
+
+  // CRITICAL: INJECT consolidated frontend task if missing
+  // This is the MOST COMMON failure mode — LLM-generated PRDs often omit frontend
+  if (!hasFrontendTasks && (sections.length > 0 || wireframes.length > 0 || apiEndpoints.length > 0)) {
+    const apiDepId = lastIdByCategory["api"] || lastIdByCategory["application"];
+
+    // Derive frontend file list from available data sources
+    const derivedFrontendFiles = [];
+
+    // From wireframes → pages
+    for (const wf of wireframes) {
+      const screenId = wf.screen || wf.id;
+      derivedFrontendFiles.push({
+        path: `web/src/pages/${moduleCode}/${screenId}.tsx`,
+        type: screenId.includes('dashboard') ? 'DashboardPage' : 'Page',
+        linkedWireframes: [screenId],
+        linkedUCs: wf.linkedUCs || [],
+      });
+    }
+
+    // From dashboards → dashboard pages (if not already from wireframes)
+    for (const dash of dashboards) {
+      const dashId = dash.code || dash.id;
+      if (!derivedFrontendFiles.some(f => f.path.includes(dashId))) {
+        derivedFrontendFiles.push({
+          path: `web/src/pages/${moduleCode}/${dashId}.tsx`,
+          type: 'DashboardPage',
+          linkedWireframes: [dashId],
+          dashboardRef: dashId,
+        });
+      }
+    }
+
+    // From API endpoints → API client service
+    if (apiEndpoints.length > 0) {
+      derivedFrontendFiles.push({
+        path: `web/src/services/api/${moduleCode}Api.ts`,
+        type: 'ApiService',
+      });
+    }
+
+    const allWireframeIds = derivedFrontendFiles.flatMap(f => f.linkedWireframes || []);
+
+    tasks.push({
+      id: taskId,
+      description: `[frontend] Generate COMPLETE frontend for module ${moduleCode} via MCP scaffold tools (${derivedFrontendFiles.length} files: pages, components, hooks, API client)`,
+      status: "pending",
+      category: "frontend",
+      dependencies: apiDepId ? [apiDepId] : [],
+      acceptance_criteria: [
+        "MCP scaffold_api_client called → API client + types generated",
+        "MCP scaffold_routes called → routes.tsx updated with nested routes inside Layout wrapper",
+        allWireframeIds.length > 0 ? "Pages match wireframes: " + allWireframeIds.join(", ") : "Pages created for all UI sections",
+        "SmartTable for lists (NOT HTML tables), EntityCard for grids (NOT custom divs)",
+        "CSS variables ONLY (NO hardcoded Tailwind colors like bg-blue-600)",
+        "useNavigate + useParams for routing, NOT window.location",
+        "Loading/error/empty states on all pages",
+        "4-language i18n keys (fr, en, it, de)",
+        "npm run typecheck passes"
+      ].join("; "),
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: derivedFrontendFiles.map(f => f.path), modified: [] },
+      validation: null, error: null, module: moduleCode,
+      _frontendMeta: {
+        wireframes: allWireframeIds,
+        filesToCreate: derivedFrontendFiles,
+        source: "guardrail-derived"
+      }
+    });
+    lastIdByCategory["frontend"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [frontend] task derived from ${wireframes.length} wireframes + ${dashboards.length} dashboards + ${apiEndpoints.length} endpoints`);
+
+    // Also inject i18n task if not already present
+    if (i18nFiles.length === 0) {
+      tasks.push({
+        id: taskId,
+        description: `[i18n] Generate i18n translations for module ${moduleCode} (4 languages: fr, en, it, de)`,
+        status: "pending",
+        category: "i18n",
+        dependencies: [lastIdByCategory["frontend"]],
+        acceptance_criteria: "4 JSON files (fr, en, it, de) with identical keys; all UI labels translated",
+        started_at: null, completed_at: null, iteration: null, commit_hash: null,
+        files_changed: { created: [], modified: [] },
+        validation: null, error: null, module: moduleCode
+      });
+      lastIdByCategory["i18n"] = taskId;
+      taskId++;
+    }
+  }
+
+  // INJECT consolidated test task if missing
+  if (!hasTestTasks && entities.length > 0) {
+    const apiDepId = lastIdByCategory["api"] || lastIdByCategory["application"];
+    tasks.push({
+      id: taskId,
+      description: `[test] Create unit and integration tests for module ${moduleCode}`,
+      status: "pending",
+      category: "test",
+      dependencies: apiDepId ? [apiDepId] : [],
+      acceptance_criteria: "Domain unit tests + service unit tests + controller integration tests; dotnet test passes; coverage >= 80%",
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] },
+      validation: null, error: null, module: moduleCode
+    });
+    lastIdByCategory["test"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [test] task`);
+  }
+
+  // 1e. GUARDRAIL: Inject seedData tasks when core seed data exists but filesToCreate.seedData is empty
+  //     This is the MOST CRITICAL guardrail — without core seed data, the application has:
+  //     - No navigation menu entries
+  //     - No RBAC permissions in the database
+  //     - No role-permission mappings
+  //     - Controllers accessible to ANY authenticated user
+  const coreSeedData = prdJson.seedData?.core
+                    || prdJson.seedDataCore
+                    || prdJson.specification?.seedDataCore;
+  const hasSeedDataTasks = (filesToCreate["seedData"]?.length ?? 0) > 0;
+  const hasSeedDataInTasks = tasks.some(t =>
+    t.description?.includes("SeedData") || t.description?.includes("seed data"));
+
+  if (coreSeedData && !hasSeedDataTasks && !hasSeedDataInTasks) {
+    const infraDepId = lastIdByCategory["infrastructure"] || lastIdByCategory["domain"];
+
+    // Derive navigation/permissions/roles from coreSeedData
+    const navModules = coreSeedData.navigationModules || coreSeedData.navigation || [];
+    const permissions = coreSeedData.permissions || [];
+    const rolePerms = coreSeedData.rolePermissions || [];
+
+    // Inject consolidated core seedData task
+    tasks.push({
+      id: taskId,
+      description: `[infrastructure] Create core seed data files for module ${moduleCode}: NavigationModuleSeedData, PermissionsSeedData, RolesSeedData, SeedConstants`,
+      status: "pending",
+      category: "infrastructure",
+      dependencies: infraDepId ? [infraDepId] : [],
+      acceptance_criteria: [
+        `NavigationModuleSeedData.cs with ${navModules.length} navigation module(s)`,
+        `PermissionsSeedData.cs with ${permissions.length} permission(s) from seedData.core`,
+        `RolesSeedData.cs with ${rolePerms.length} role-permission mapping(s)`,
+        "SeedConstants.cs with deterministic GUIDs",
+        "All seed data classes are static with GetSeedData() method"
+      ].join("; "),
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [
+        `src/Infrastructure/Persistence/Seeding/Data/${moduleCode}/NavigationModuleSeedData.cs`,
+        `src/Infrastructure/Persistence/Seeding/Data/${moduleCode}/PermissionsSeedData.cs`,
+        `src/Infrastructure/Persistence/Seeding/Data/${moduleCode}/RolesSeedData.cs`,
+        "src/Infrastructure/Persistence/Seeding/Data/SeedConstants.cs"
+      ], modified: [] },
+      validation: null, error: null, module: moduleCode,
+      _seedDataMeta: { source: "guardrail-derived", coreSeedData }
+    });
+    lastIdByCategory["infrastructure"] = taskId;
+    taskId++;
+    console.log(`GUARDRAIL: Injected missing [infrastructure] core seed data task from seedData.core (${navModules.length} nav, ${permissions.length} perms, ${rolePerms.length} roles)`);
+  }
+
   // 2. Add IClientSeedDataProvider task for client projects (ExtensionsDbContext)
   // This is MANDATORY - without it, core seed data (navigation, permissions, roles) is dead code
   const hasClientSeedData = filesToCreate["seedData"]?.some(f =>
     f.type === "IClientSeedDataProvider" || f.path?.includes("SeedDataProvider"));
-  if (!hasClientSeedData && filesToCreate["seedData"]?.length > 0) {
+  const hasProviderInTasks = tasks.some(t =>
+    t.description?.includes("IClientSeedDataProvider") || t.description?.includes("SeedDataProvider"));
+
+  // Trigger when: seedData files exist OR coreSeedData exists (fallback for incomplete PRDs)
+  if (!hasClientSeedData && !hasProviderInTasks &&
+      (filesToCreate["seedData"]?.length > 0 || coreSeedData)) {
     tasks.push({
       id: taskId,
-      description: `[infrastructure] Create IClientSeedDataProvider to inject core seed data at runtime`,
+      description: `[infrastructure] Create IClientSeedDataProvider to inject core seed data (navigation, permissions, roles) at runtime`,
       status: "pending",
       category: "infrastructure",
       dependencies: [lastIdByCategory["infrastructure"] || lastIdByCategory["domain"]].filter(Boolean),
-      acceptance_criteria: "IClientSeedDataProvider implements SeedNavigationAsync, SeedPermissionsAsync, SeedRolePermissionsAsync; registered in DI",
+      acceptance_criteria: [
+        "Implements IClientSeedDataProvider with SeedNavigationAsync, SeedPermissionsAsync, SeedRolePermissionsAsync",
+        "Registered in DI: services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>()",
+        "All methods are idempotent (check existence before inserting)",
+        "Consumes seed data from NavigationModuleSeedData, PermissionsSeedData, RolesSeedData"
+      ].join("; "),
       started_at: null, completed_at: null, iteration: null, commit_hash: null,
       files_changed: { created: ["src/Infrastructure/Persistence/Seeding/{AppPascalName}SeedDataProvider.cs"], modified: ["src/Infrastructure/DependencyInjection.cs"] },
       validation: null, error: null, module: moduleCode