@atlashub/smartstack-cli 3.4.1 → 3.6.0

package/templates/skills/ralph-loop/steps/step-01-task.md

@@ -136,7 +136,10 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
     { key: "tests",          category: "test" }
   ];
 
-  const filesToCreate = prdJson.implementation?.filesToCreate || {};
+  // Support BOTH formats: nested (from ss derive-prd) and flat (LLM-generated)
+  const filesToCreate = prdJson.implementation?.filesToCreate
+                     || prdJson.filesToCreate
+                     || {};
 
   // 1. Generate tasks from implementation.filesToCreate (primary source)
   //    CRITICAL: Frontend and i18n tasks are CONSOLIDATED into ONE module-level task each.
@@ -175,15 +178,23 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
       }
 
       // Build acceptance criteria from linked FRs and UCs
+      // Support both nested (requirements.functionalRequirements) and flat (functionalRequirements) formats
+      const allFRs = prdJson.requirements?.functionalRequirements || prdJson.functionalRequirements || [];
       const linkedFRs = (fileSpec.linkedFRs || [])
         .map(frId => {
-          const fr = prdJson.requirements?.functionalRequirements?.find(f => f.id === frId);
+          const fr = allFRs.find(f => f.id === frId);
           return fr ? fr.statement : frId;
         });
-      const criteria = linkedFRs.length > 0
+      let criteria = linkedFRs.length > 0
         ? `Implements: ${linkedFRs.join("; ")}`
         : `File ${fileSpec.path} created and compiles correctly`;
 
+      // Enhance acceptance criteria for API tasks with permission enforcement
+      const permMatrix = prdJson.architecture?.permissionMatrix || prdJson.permissionMatrix;
+      if (layer.category === "api" && permMatrix?.permissions?.length > 0) {
+        criteria += "; MANDATORY: [RequirePermission] attributes on every endpoint (NOT [Authorize])";
+      }
+
       tasks.push({
         id: taskId,
         description: fileSpec.description
@@ -273,21 +284,276 @@ function transformPrdJsonToRalphV2(prdJson, moduleCode) {
     taskId++;
   }
 
+  // 1d. GUARDRAIL: Inject missing layer tasks when filesToCreate is incomplete
+  //     This handles LLM-generated PRDs that omit layers present in the source data.
+  //     Uses architecture data (entities, apiEndpoints, sections, wireframes) as fallback.
+
+  const entities = prdJson.architecture?.entities || prdJson.entities || [];
+  const apiEndpoints = prdJson.architecture?.apiEndpoints || prdJson.apiEndpoints || [];
+  const sections = prdJson.architecture?.sections || prdJson.sections || [];
+  const wireframes = prdJson.specification?.uiWireframes || prdJson.uiWireframes || [];
+  const dashboards = prdJson.specification?.dashboards || prdJson.dashboards || [];
+
+  const hasDomainTasks = tasks.some(t => t.category === 'domain');
+  const hasInfraTasks = tasks.some(t => t.category === 'infrastructure');
+  const hasApiTasks = tasks.some(t => t.category === 'api');
+  const hasFrontendTasks = frontendFiles.length > 0; // Already handled in 1b
+  const hasTestTasks = tasks.some(t => t.category === 'test');
+
+  // INJECT consolidated infrastructure task if missing
+  if (!hasInfraTasks && entities.length > 0) {
+    const domainDepId = lastIdByCategory["domain"];
+    tasks.push({
+      id: taskId,
+      description: `[infrastructure] Create EF Core configurations, services, and seed data for module ${moduleCode} (${entities.length} entities)`,
+      status: "pending",
+      category: "infrastructure",
+      dependencies: domainDepId ? [domainDepId] : [],
+      acceptance_criteria: `EF Core configs for all ${entities.length} entities; Service implementations; DbSet in ExtensionsDbContext; DI registration; Seed data`,
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] },
+      validation: null, error: null, module: moduleCode
+    });
+    lastIdByCategory["infrastructure"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [infrastructure] task from ${entities.length} entities`);
+  }
+
+  // INJECT consolidated API task if missing
+  if (!hasApiTasks && apiEndpoints.length > 0) {
+    const appDepId = lastIdByCategory["application"] || lastIdByCategory["infrastructure"];
+    const permMatrix = prdJson.architecture?.permissionMatrix || prdJson.permissionMatrix;
+    const hasPermissions = permMatrix?.permissions?.length > 0;
+
+    tasks.push({
+      id: taskId,
+      description: `[api] Create API controllers for module ${moduleCode} (${apiEndpoints.length} endpoints)`,
+      status: "pending",
+      category: "api",
+      dependencies: appDepId ? [appDepId] : [],
+      acceptance_criteria: [
+        `Controllers for all ${apiEndpoints.length} endpoints`,
+        hasPermissions
+          ? "MANDATORY: [RequirePermission(Permissions.{Action})] on EVERY endpoint (NOT generic [Authorize])"
+          : "Authorization attributes",
+        "Swagger docs"
+      ].join("; "),
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] },
+      validation: null, error: null, module: moduleCode
+    });
+    lastIdByCategory["api"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [api] task from ${apiEndpoints.length} endpoints`);
+  }
+
+  // CRITICAL: INJECT consolidated frontend task if missing
+  // This is the MOST COMMON failure mode — LLM-generated PRDs often omit frontend
+  if (!hasFrontendTasks && (sections.length > 0 || wireframes.length > 0 || apiEndpoints.length > 0)) {
+    const apiDepId = lastIdByCategory["api"] || lastIdByCategory["application"];
+
+    // Derive frontend file list from available data sources
+    const derivedFrontendFiles = [];
+
+    // From wireframes → pages
+    for (const wf of wireframes) {
+      const screenId = wf.screen || wf.id;
+      derivedFrontendFiles.push({
+        path: `web/src/pages/${moduleCode}/${screenId}.tsx`,
+        type: screenId.includes('dashboard') ? 'DashboardPage' : 'Page',
+        linkedWireframes: [screenId],
+        linkedUCs: wf.linkedUCs || [],
+      });
+    }
+
+    // From dashboards → dashboard pages (if not already from wireframes)
+    for (const dash of dashboards) {
+      const dashId = dash.code || dash.id;
+      if (!derivedFrontendFiles.some(f => f.path.includes(dashId))) {
+        derivedFrontendFiles.push({
+          path: `web/src/pages/${moduleCode}/${dashId}.tsx`,
+          type: 'DashboardPage',
+          linkedWireframes: [dashId],
+          dashboardRef: dashId,
+        });
+      }
+    }
+
+    // From API endpoints → API client service
+    if (apiEndpoints.length > 0) {
+      derivedFrontendFiles.push({
+        path: `web/src/services/api/${moduleCode}Api.ts`,
+        type: 'ApiService',
+      });
+    }
+
+    const allWireframeIds = derivedFrontendFiles.flatMap(f => f.linkedWireframes || []);
+
+    tasks.push({
+      id: taskId,
+      description: `[frontend] Generate COMPLETE frontend for module ${moduleCode} via MCP scaffold tools (${derivedFrontendFiles.length} files: pages, components, hooks, API client)`,
+      status: "pending",
+      category: "frontend",
+      dependencies: apiDepId ? [apiDepId] : [],
+      acceptance_criteria: [
+        "MCP scaffold_api_client called → API client + types generated",
+        "MCP scaffold_routes called → routes.tsx updated with nested routes inside Layout wrapper",
+        allWireframeIds.length > 0 ? "Pages match wireframes: " + allWireframeIds.join(", ") : "Pages created for all UI sections",
+        "SmartTable for lists (NOT HTML tables), EntityCard for grids (NOT custom divs)",
+        "CSS variables ONLY (NO hardcoded Tailwind colors like bg-blue-600)",
+        "useNavigate + useParams for routing, NOT window.location",
+        "Loading/error/empty states on all pages",
+        "4-language i18n keys (fr, en, it, de)",
+        "npm run typecheck passes"
+      ].join("; "),
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: derivedFrontendFiles.map(f => f.path), modified: [] },
+      validation: null, error: null, module: moduleCode,
+      _frontendMeta: {
+        wireframes: allWireframeIds,
+        filesToCreate: derivedFrontendFiles,
+        source: "guardrail-derived"
+      }
+    });
+    lastIdByCategory["frontend"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [frontend] task derived from ${wireframes.length} wireframes + ${dashboards.length} dashboards + ${apiEndpoints.length} endpoints`);
+
+    // Also inject i18n task if not already present
+    if (i18nFiles.length === 0) {
+      tasks.push({
+        id: taskId,
+        description: `[i18n] Generate i18n translations for module ${moduleCode} (4 languages: fr, en, it, de)`,
+        status: "pending",
+        category: "i18n",
+        dependencies: [lastIdByCategory["frontend"]],
+        acceptance_criteria: "4 JSON files (fr, en, it, de) with identical keys; all UI labels translated",
+        started_at: null, completed_at: null, iteration: null, commit_hash: null,
+        files_changed: { created: [], modified: [] },
+        validation: null, error: null, module: moduleCode
+      });
+      lastIdByCategory["i18n"] = taskId;
+      taskId++;
+    }
+  }
+
+  // INJECT consolidated test task if missing
+  if (!hasTestTasks && entities.length > 0) {
+    const apiDepId = lastIdByCategory["api"] || lastIdByCategory["application"];
+    tasks.push({
+      id: taskId,
+      description: `[test] Create unit and integration tests for module ${moduleCode}`,
+      status: "pending",
+      category: "test",
+      dependencies: apiDepId ? [apiDepId] : [],
+      acceptance_criteria: "Domain unit tests + service unit tests + controller integration tests; dotnet test passes; coverage >= 80%",
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [], modified: [] },
+      validation: null, error: null, module: moduleCode
+    });
+    lastIdByCategory["test"] = taskId;
+    taskId++;
+    console.log(`⚠️ GUARDRAIL: Injected missing [test] task`);
+  }
+
+  // 1e. GUARDRAIL: Inject seedData tasks when core seed data exists but filesToCreate.seedData is empty
+  //     This is the MOST CRITICAL guardrail — without core seed data, the application has:
+  //     - No navigation menu entries
+  //     - No RBAC permissions in the database
+  //     - No role-permission mappings
+  //     - Controllers accessible to ANY authenticated user
+  const coreSeedData = prdJson.seedData?.core
+                    || prdJson.seedDataCore
+                    || prdJson.specification?.seedDataCore;
+  const hasSeedDataTasks = (filesToCreate["seedData"]?.length ?? 0) > 0;
+  const hasSeedDataInTasks = tasks.some(t =>
+    t.description?.includes("SeedData") || t.description?.includes("seed data"));
+
+  if (coreSeedData && !hasSeedDataTasks && !hasSeedDataInTasks) {
+    const infraDepId = lastIdByCategory["infrastructure"] || lastIdByCategory["domain"];
+
+    // Derive navigation/permissions/roles from coreSeedData
+    const navModules = coreSeedData.navigationModules || coreSeedData.navigation || [];
+    const permissions = coreSeedData.permissions || [];
+    const rolePerms = coreSeedData.rolePermissions || [];
+
+    // Inject consolidated core seedData task
+    tasks.push({
+      id: taskId,
+      description: `[infrastructure] Create core seed data files for module ${moduleCode}: NavigationModuleSeedData, PermissionsSeedData, RolesSeedData, SeedConstants`,
+      status: "pending",
+      category: "infrastructure",
+      dependencies: infraDepId ? [infraDepId] : [],
+      acceptance_criteria: [
+        `NavigationModuleSeedData.cs with ${navModules.length} navigation module(s)`,
+        `PermissionsSeedData.cs with ${permissions.length} permission(s) from seedData.core`,
+        `RolesSeedData.cs with ${rolePerms.length} role-permission mapping(s)`,
+        "SeedConstants.cs with deterministic GUIDs",
+        "All seed data classes are static with GetSeedData() method"
+      ].join("; "),
+      started_at: null, completed_at: null, iteration: null, commit_hash: null,
+      files_changed: { created: [
+        `src/Infrastructure/Persistence/Seeding/Data/${moduleCode}/NavigationModuleSeedData.cs`,
+        `src/Infrastructure/Persistence/Seeding/Data/${moduleCode}/PermissionsSeedData.cs`,
+        `src/Infrastructure/Persistence/Seeding/Data/${moduleCode}/RolesSeedData.cs`,
+        "src/Infrastructure/Persistence/Seeding/Data/SeedConstants.cs"
+      ], modified: [] },
+      validation: null, error: null, module: moduleCode,
+      _seedDataMeta: {
+        source: "guardrail-derived",
+        coreSeedData,
+        navRoute: prdJson.project?.navRoute
+          || (permissions?.[0]?.path?.split('.').slice(0, -1).join('.'))
+          || `business.${prdJson.project?.application || 'app'}.${moduleCode}`,
+        contextCode: prdJson.project?.context
+          || coreSeedData.navigationModules?.[0]?.route?.split('/')?.[1]
+          || 'business',
+        appCode: prdJson.project?.application
+          || coreSeedData.navigationModules?.[0]?.route?.split('/')?.[2],
+        appLabels: prdJson.project?.labels || null
+      }
+    });
+    lastIdByCategory["infrastructure"] = taskId;
+    taskId++;
+    console.log(`GUARDRAIL: Injected missing [infrastructure] core seed data task from seedData.core (${navModules.length} nav, ${permissions.length} perms, ${rolePerms.length} roles)`);
+  }
+
   // 2. Add IClientSeedDataProvider task for client projects (ExtensionsDbContext)
   // This is MANDATORY - without it, core seed data (navigation, permissions, roles) is dead code
   const hasClientSeedData = filesToCreate["seedData"]?.some(f =>
     f.type === "IClientSeedDataProvider" || f.path?.includes("SeedDataProvider"));
-  if (!hasClientSeedData && filesToCreate["seedData"]?.length > 0) {
+  const hasProviderInTasks = tasks.some(t =>
+    t.description?.includes("IClientSeedDataProvider") || t.description?.includes("SeedDataProvider"));
+
+  // Trigger when: seedData files exist OR coreSeedData exists (fallback for incomplete PRDs)
+  if (!hasClientSeedData && !hasProviderInTasks &&
+      (filesToCreate["seedData"]?.length > 0 || coreSeedData)) {
     tasks.push({
       id: taskId,
-      description: `[infrastructure] Create IClientSeedDataProvider to inject core seed data at runtime`,
+      description: `[infrastructure] Create IClientSeedDataProvider to inject core seed data (navigation, permissions, roles) at runtime`,
       status: "pending",
       category: "infrastructure",
       dependencies: [lastIdByCategory["infrastructure"] || lastIdByCategory["domain"]].filter(Boolean),
-      acceptance_criteria: "IClientSeedDataProvider implements SeedNavigationAsync, SeedPermissionsAsync, SeedRolePermissionsAsync; registered in DI",
+      acceptance_criteria: [
+        "Implements IClientSeedDataProvider with SeedNavigationAsync, SeedPermissionsAsync, SeedRolePermissionsAsync",
+        "Registered in DI: services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>()",
+        "All methods are idempotent (check existence before inserting)",
+        "Consumes seed data from NavigationModuleSeedData, PermissionsSeedData, RolesSeedData"
+      ].join("; "),
       started_at: null, completed_at: null, iteration: null, commit_hash: null,
       files_changed: { created: ["src/Infrastructure/Persistence/Seeding/{AppPascalName}SeedDataProvider.cs"], modified: ["src/Infrastructure/DependencyInjection.cs"] },
-      validation: null, error: null, module: moduleCode
+      validation: null, error: null, module: moduleCode,
+      _providerMeta: {
+        consumesSeedDataFiles: [
+          `Infrastructure/Persistence/Seeding/Data/${moduleCode}/NavigationModuleSeedData.cs`,
+          `Infrastructure/Persistence/Seeding/Data/${moduleCode}/PermissionsSeedData.cs`,
+          `Infrastructure/Persistence/Seeding/Data/${moduleCode}/RolesSeedData.cs`
+        ],
+        navRoute: prdJson.project?.navRoute
+          || `business.${prdJson.project?.application || 'app'}.${moduleCode}`,
+        contextCode: prdJson.project?.context || 'business',
+        appCode: prdJson.project?.application
+      }
     });
     lastIdByCategory["infrastructure"] = taskId;
     taskId++;

package/templates/skills/ralph-loop/steps/step-02-execute.md

@@ -435,15 +435,30 @@ A validation task is ONLY complete when:
 
 When executing `infrastructure` category tasks, follow these rules strictly:
 
-1. **Seed data files** MUST go under `Infrastructure/Persistence/Seeding/Data/{Module}/`
+1. **Core seed data (navigation, permissions, roles) — CONDITIONAL REFERENCE LOADING:**
+
+   > **IF** the current task description contains "seed data", "SeedData",
+   > "NavigationModule", "PermissionsSeedData", "RolesSeedData", or "IClientSeedDataProvider":
+   > **THEN read `references/core-seed-data.md`** for COMPLETE execution guidance including:
+   > - Parameter extraction from PRD seedDataCore / task `_seedDataMeta`
+   > - MCP `generate_permissions` call sequence (primary) with fallback templates
+   > - `NavigationModuleSeedData.cs` template (deterministic GUIDs, 4 languages)
+   > - `PermissionsSeedData.cs` template (wraps MCP output)
+   > - `RolesSeedData.cs` template (context-based role mapping)
+   > - `IClientSeedDataProvider` complete implementation template
+   > - DI registration pattern
+   > - Verification checklist (BLOCKING)
+   >
+   > **This reference is MANDATORY for seed data tasks. Do NOT improvise.**
+
+   **Directory convention:** All seed data files MUST go under `Infrastructure/Persistence/Seeding/Data/{Module}/`
    - NEVER use `Infrastructure/Data/SeedData/` or `Data/SeedData/`
-   - Each module gets 5 core files: NavigationModuleSeedData.cs, PermissionsSeedData.cs, RolesSeedData.cs, TenantSeedData.cs, UserSeedData.cs
 
 2. **IClientSeedDataProvider** (client projects with `extensions` DbContext):
    - Generate at `Infrastructure/Persistence/Seeding/{AppPascalName}SeedDataProvider.cs`
    - Register in DI: `services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>()`
    - Must implement: SeedNavigationAsync, SeedPermissionsAsync, SeedRolePermissionsAsync
-   - See `/application` skill step-03b-provider for the full pattern
+   - **Complete template and rules in `references/core-seed-data.md`**
 
 3. **DevDataSeeder** for domain entity seed data:
    - Located at `Infrastructure/Persistence/Seeding/DevDataSeeder.cs`
@@ -514,15 +529,29 @@ Only fr/en translations                      → MUST have 4 languages (fr, en,
 | `business.*` | `BusinessLayout` | `/business` |
 | `personal.*` | `UserLayout` | `/personal/myspace` |
 
-**API/Controller task guidance (MANDATORY folder hierarchy):**
+**Backend folder hierarchy (MANDATORY for ALL layers):**
 
-When executing `api` category tasks, follow these rules strictly:
+> **CRITICAL:** ALL backend files MUST be organized by `{ContextPascal}/{ApplicationName}/{ModuleName}/` hierarchy.
+> Derive from PRD `project.application` and feature.json `metadata.context`.
+> The file paths in prd.json already include this hierarchy — follow them exactly.
 
-1. **Controllers MUST be organized by context and application folders:**
-   - Path: `Api/Controllers/{ContextShort}/{Application}/{EntityName}Controller.cs`
-   - If no application sub-level: `Api/Controllers/{ContextShort}/{EntityName}Controller.cs`
+When executing `domain`, `application`, `infrastructure`, `api`, or `test` category tasks:
 
-2. **Context-to-folder mapping (from navRoute):**
+1. **ALL layers use context/application/module folder hierarchy:**
+
+   | Layer | Path Pattern |
+   |-------|-------------|
+   | Domain | `Domain/Entities/{ContextPascal}/{App}/{Module}/{Entity}.cs` |
+   | Domain Enums | `Domain/Enums/{ContextPascal}/{App}/{Module}/{Enum}.cs` |
+   | Domain Exceptions | `Domain/Exceptions/{ContextPascal}/{App}/{Module}/{Exception}.cs` |
+   | Application Services | `Application/Services/{ContextPascal}/{App}/{Module}/{Service}.cs` |
+   | Application DTOs | `Application/DTOs/{ContextPascal}/{App}/{Module}/{Dto}.cs` |
+   | Application Validators | `Application/Validators/{ContextPascal}/{App}/{Module}/{Validator}.cs` |
+   | Infrastructure Configs | `Infrastructure/Persistence/Configurations/{ContextPascal}/{App}/{Module}/{Config}.cs` |
+   | API Controllers | `Api/Controllers/{ContextShort}/{App}/{Entity}Controller.cs` |
+   | Tests | `Tests/Unit/Domain/{ContextPascal}/{App}/{Module}/{Tests}.cs` |
+
+2. **Controller context-to-folder mapping (`{ContextShort}`):**
 
    | NavRoute Prefix | Controller Folder |
    |-----------------|-------------------|
@@ -531,12 +560,7 @@ When executing `api` category tasks, follow these rules strictly:
    | `business.*` | `Business` |
    | `personal.*` | `User` |
 
-3. **Sub-folders for applications/modules with multiple controllers:**
-   - `Admin/Tenants/` for tenant-related controllers
-   - `Admin/AI/` for AI-related controllers
-   - `Admin/Communications/` for communication controllers
-
-4. **Reference:** SmartStack.app `Api/Controllers/` for the canonical structure
+3. **Reference:** SmartStack.app `Api/Controllers/` for the canonical structure
 
 ### 4. Explore Context (if needed)
 

package/templates/skills/ralph-loop/steps/step-04-check.md

@@ -168,7 +168,64 @@ if (hasQueue) {
   const queue = readJSON(queuePath);
   const currentModule = queue.modules[queue.currentIndex];
 
-  // Mark current module as completed
+  // ✅ FIX #4: MODULE COMPLETENESS CHECK (MANDATORY before advancing)
+  // A module is NOT complete unless all expected layers have at least one completed task.
+  // This prevents marking a module as "done" when only backend was implemented.
+  const completedCategories = new Set(
+    prd.tasks.filter(t => t.status === 'completed').map(t => t.category)
+  );
+  const expectedCategories = ['domain', 'infrastructure', 'application', 'api', 'frontend', 'test'];
+  const missingCategories = expectedCategories.filter(c => !completedCategories.has(c));
+
+  if (missingCategories.length > 0) {
+    console.log(`
+╔══════════════════════════════════════════════════════════════════╗
+║  ⚠️ MODULE INCOMPLETE: Missing layers                           ║
+╠══════════════════════════════════════════════════════════════════╣
+║  Module: ${currentModule.code}                                   ║
+║  Missing: ${missingCategories.join(', ')}                        ║
+╠══════════════════════════════════════════════════════════════════╣
+║  Injecting guardrail tasks for missing layers...                 ║
+╚══════════════════════════════════════════════════════════════════╝
+    `);
+
+    // Inject guardrail tasks for each missing category
+    let maxId = Math.max(...prd.tasks.map(t => t.id));
+    const lastCompletedByCategory = {};
+    for (const task of prd.tasks) {
+      if (task.status === 'completed') lastCompletedByCategory[task.category] = task.id;
+    }
+
+    for (const cat of missingCategories) {
+      maxId++;
+      const depId = cat === 'frontend'
+        ? (lastCompletedByCategory['api'] || lastCompletedByCategory['application'])
+        : cat === 'test'
+        ? (lastCompletedByCategory['api'] || lastCompletedByCategory['frontend'])
+        : (lastCompletedByCategory['domain'] || lastCompletedByCategory['infrastructure']);
+
+      prd.tasks.push({
+        id: maxId,
+        description: `[${cat}] GUARDRAIL: Generate missing ${cat} layer for module ${currentModule.code}`,
+        status: 'pending',
+        category: cat,
+        dependencies: depId ? [depId] : [],
+        acceptance_criteria: `${cat} layer fully implemented for module ${currentModule.code}`,
+        started_at: null, completed_at: null, iteration: null, commit_hash: null,
+        files_changed: { created: [], modified: [] },
+        validation: null, error: null, module: currentModule.code
+      });
+      console.log(`  → Injected task ${maxId}: [${cat}] guardrail for ${currentModule.code}`);
+    }
+
+    prd.updated_at = new Date().toISOString();
+    writeJSON('.ralph/prd.json', prd);
+
+    // DO NOT mark module as complete — continue the COMPACT LOOP with new tasks
+    // Fall through to section 5 (COMPACT LOOP)
+  } else {
+
+  // Mark current module as completed (only when ALL layers verified)
   currentModule.status = 'completed';
   queue.completedModules++;
 
@@ -231,6 +288,7 @@ if (hasQueue) {
 ║  ${queue.modules.map(m => m.code + ": " + m.status).join("\n║  ")} ║
 ╚══════════════════════════════════════════════════════════════════╝
   `);
+  } // end else (module completeness check passed)
 }
 ```
 
@@ -430,9 +488,19 @@ Batch: {tasksToExecute.length} task(s) [{firstCategory}]
   8. Generate 4-language i18n (fr, en, it, de)
   9. `npm run typecheck` MUST pass
 
-**IF category = "infrastructure":** Seed data in `Infrastructure/Persistence/Seeding/Data/{Module}/`
+**IF category = "domain":** Entities in `Domain/Entities/{ContextPascal}/{App}/{Module}/`, Enums in `Domain/Enums/{ContextPascal}/{App}/{Module}/`
 
-**IF category = "api":** Controllers in `Api/Controllers/{Context}/{App}/{Entity}Controller.cs`
+**IF category = "application":** Services in `Application/Services/{ContextPascal}/{App}/{Module}/`, DTOs in `Application/DTOs/{ContextPascal}/{App}/{Module}/`
+
+**IF category = "infrastructure":**
+  - EF configs in `Infrastructure/Persistence/Configurations/{ContextPascal}/{App}/{Module}/`
+  - Seed data in `Infrastructure/Persistence/Seeding/Data/{Module}/`
+  - **IF task description contains "seed data", "SeedData", or "IClientSeedDataProvider":**
+    Read `references/core-seed-data.md` for COMPLETE execution guidance (parameter extraction,
+    MCP `generate_permissions` call, code templates, IClientSeedDataProvider, verification checklist).
+    **Do NOT improvise core seed data generation.**
+
+**IF category = "api":** Controllers in `Api/Controllers/{ContextShort}/{App}/{Entity}Controller.cs`
 
 After ALL tasks in batch executed:
 - Run `mcp__smartstack__validate_conventions` ONCE for the whole batch
@@ -581,17 +649,32 @@ Completion Check:
 1. ALL tasks have `status: "completed"` or `status: "skipped"`
 2. Zero tasks with `status: "blocked"` or `status: "failed"`
 3. The statement is genuinely true
+4. **Multi-module:** ALL modules in `modules-queue.json` have `status: "completed"`
 
 **False promises to escape the loop are FORBIDDEN.**
 
 **Always update `prd.status` and `prd.updated_at` before proceeding.**
 
+**NEVER DELEGATE THE LOOP:**
+- NEVER use the Task tool to spawn a sub-agent for Ralph loop execution.
+- Sub-agents lose ALL skill context and WILL stop prematurely.
+- The ONLY acceptable Task usage: isolated read-only research (e.g., Context7 docs lookup).
+
+**MODULE COMPLETENESS (multi-module):**
+- Before advancing to the next module, verify ALL expected layers have completed tasks.
+- Expected layers: domain, infrastructure, application, api, frontend, test.
+- If any layer is missing, inject guardrail tasks and continue the COMPACT LOOP.
+- A module with only backend tasks is NOT complete.
+
 **LOOP CONTINUATION IS MANDATORY:**
 - After the first full iteration (step-01→02→03→04), ALL subsequent iterations use the COMPACT LOOP in section 5.
 - DO NOT re-read step-01, step-02, step-03 files. You already know the instructions.
 - DO NOT stop and wait for user input between iterations.
 - DO NOT output a summary and pause. The loop is AUTONOMOUS.
-- The ONLY reasons to stop: completion, max iterations, dead-end, or user interruption.
+- DO NOT decide to stop because "quality over quantity" or "this is enough for now".
+- DO NOT stop after completing one module when others remain in the queue.
+- DO NOT reduce scope autonomously ("I'll skip frontend/tests to save time").
+- The ONLY reasons to stop: ALL tasks complete (all modules), max iterations, dead-end, or user Ctrl+C.
 - Stopping for any other reason is a **BUG** that wastes user time and context.
 - **BATCH tasks of the same category** to reduce iterations (max 5 per batch).
 - Prefer compact output (1-2 lines per task) over verbose output during the loop.