@atlashub/smartstack-cli 3.43.0 → 3.44.0

package/templates/skills/apex/references/post-checks.md

@@ -3,43 +3,34 @@
 > **Referenced by:** step-04-examine.md (section 6b)
 > These checks run on the actual generated files. Model-interpreted checks are unreliable.
 
-### POST-CHECK 1: Navigation routes must be full paths starting with /
+## Run MCP Tools FIRST
 
-```bash
-# Find all seed data files and check route values
-SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
-if [ -n "$SEED_FILES" ]; then
-  # Check for short routes (no leading /) in Create() calls for navigation entities
-  BAD_ROUTES=$(grep -Pn 'NavigationApplication\.Create\(|NavigationModule\.Create\(|NavigationSection\.Create\(|NavigationResource\.Create\(' $SEED_FILES | grep -v '"/[a-z]')
-  if [ -n "$BAD_ROUTES" ]; then
-    echo "BLOCKING: Navigation routes must be full paths starting with /"
-    echo "$BAD_ROUTES"
-    echo "Expected: \"/human-resources\" NOT \"humanresources\""
-    exit 1
-  fi
-fi
-```
+Before running these bash checks, call these 3 MCP tools (they cover ~10 additional checks automatically):
+
+1. `mcp__smartstack__validate_conventions()` — covers: controller routes, NavRoute kebab-case, naming conventions
+2. `mcp__smartstack__validate_security()` — covers: tenant isolation, TenantId filters, authorization, Guid.Empty, TenantId!.Value patterns
+3. `mcp__smartstack__validate_frontend_routes()` — covers: lazy loading in routes, route alignment
+
+**The checks below provide defense-in-depth** — they catch patterns the MCP tools may miss and serve as a safety net.
+
+---
 
-### POST-CHECK 2: All services must filter by TenantId (OWASP A01)
+## Security — Tenant Isolation & Authorization (defense-in-depth with MCP)
+
+### POST-CHECK S1: All services must filter by TenantId (OWASP A01)
 
 ```bash
-# Find all service implementation files
 SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
 if [ -n "$SERVICE_FILES" ]; then
-  # Check each service file has TenantId reference (either _currentUser.TenantId or TenantId filter)
   for f in $SERVICE_FILES; do
-    # Accept either _currentTenant.TenantId (strict guard clause or nullable usage)
-    # or entities with IOptionalTenantEntity/IScopedTenantEntity (optional tenant pattern)
     HAS_TENANT_FILTER=$(grep -c "TenantId" "$f")
     HAS_OPTIONAL_ENTITY=false
     if grep -q "IOptionalTenantEntity\|IScopedTenantEntity" "$f"; then
       HAS_OPTIONAL_ENTITY=true
     fi
-
     if [ "$HAS_TENANT_FILTER" -eq 0 ] && [ "$HAS_OPTIONAL_ENTITY" = false ]; then
       echo "BLOCKING (OWASP A01): Service missing TenantId filter or optional tenant entity: $f"
       echo "Every service query MUST filter by _currentTenant.TenantId"
-      echo "OR work with entities that implement IOptionalTenantEntity/IScopedTenantEntity"
       exit 1
     fi
     if grep -q "Guid.Empty" "$f"; then
@@ -50,14 +41,12 @@ if [ -n "$SERVICE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 3: Controllers must use [RequirePermission], not just [Authorize] (BLOCKING)
+### POST-CHECK S2: Controllers must use [RequirePermission], not just [Authorize] (BLOCKING)
 
 ```bash
-# Find all controller files
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
   for f in $CTRL_FILES; do
-    # Check controller has at least one RequirePermission attribute
     if grep -q "\[Authorize\]" "$f" && ! grep -q "\[RequirePermission" "$f"; then
       echo "BLOCKING: Controller uses [Authorize] without [RequirePermission]: $f"
       echo "[Authorize] alone provides NO RBAC enforcement — any authenticated user has access"
@@ -68,38 +57,104 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 4: Seed data must not use Guid.NewGuid()
-
-```bash
-SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
-if [ -n "$SEED_FILES" ]; then
-  BAD_GUIDS=$(grep -n "Guid.NewGuid()" $SEED_FILES 2>/dev/null)
-  if [ -n "$BAD_GUIDS" ]; then
-    echo "BLOCKING: Seed data must use deterministic GUIDs (SHA256), not Guid.NewGuid()"
-    echo "$BAD_GUIDS"
-    exit 1
-  fi
-fi
-```
-
-### POST-CHECK 5: Services must inject ICurrentTenantService (tenant isolation)
+### POST-CHECK S3: Services must inject ICurrentTenantService (tenant isolation)
 
 ```bash
 SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
 if [ -n "$SERVICE_FILES" ]; then
   for f in $SERVICE_FILES; do
-    # Accept either ICurrentTenantService or ICurrentUser (legacy) for tenant context
     if ! grep -qE "ICurrentTenantService|ICurrentUser" "$f"; then
       echo "BLOCKING: Service missing tenant context injection: $f"
       echo "All services MUST inject ICurrentTenantService for tenant isolation"
-      echo "Pattern: private readonly ICurrentTenantService _currentTenant;"
       exit 1
     fi
   done
 fi
 ```
 
-### POST-CHECK 6: Translation files must exist for all 4 languages (if frontend)
+### POST-CHECK S4: HasQueryFilter must not use Guid.Empty (OWASP A01)
+
+```bash
+CONFIG_FILES=$(find src/ -path "*/Configurations/*" -name "*Configuration.cs" 2>/dev/null)
+if [ -n "$CONFIG_FILES" ]; then
+  BAD_FILTER=$(grep -Pn 'HasQueryFilter.*Guid\.Empty' $CONFIG_FILES 2>/dev/null)
+  if [ -n "$BAD_FILTER" ]; then
+    echo "BLOCKING (OWASP A01): HasQueryFilter uses Guid.Empty — bypasses tenant isolation: $BAD_FILTER"
+    echo "The EF global query filter MUST use the injected TenantId, not Guid.Empty"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK S5: Services must NOT use TenantId!.Value (null-forgiving crash pattern)
+
+```bash
+SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$SERVICE_FILES" ]; then
+  BAD_PATTERN=$(grep -Pn 'TenantId!\.' $SERVICE_FILES 2>/dev/null)
+  if [ -n "$BAD_PATTERN" ]; then
+    echo "BLOCKING: TenantId!.Value (null-forgiving) detected — NullReferenceException risk: $BAD_PATTERN"
+    echo "Fix: Use guard clause: var tenantId = _currentTenant.TenantId ?? throw new TenantContextRequiredException();"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK S6: Pages must use lazy loading (no static page imports in routes)
+
+```bash
+APP_TSX=$(find src/ -name "App.tsx" -not -path "*/node_modules/*" 2>/dev/null | head -1)
+ROUTE_FILES=$(find src/routes/ -name "*.tsx" -o -name "*.ts" 2>/dev/null)
+if [ -n "$APP_TSX" ]; then
+  STATIC_IMPORTS=$(grep -Pn "^import .+ from '@/pages/" "$APP_TSX" $ROUTE_FILES 2>/dev/null)
+  if [ -n "$STATIC_IMPORTS" ]; then
+    echo "BLOCKING: Static page imports in route files — MUST use React.lazy()"
+    echo "Static imports load ALL pages upfront, killing initial load performance"
+    echo "$STATIC_IMPORTS"
+    echo "Fix: const Page = lazy(() => import('@/pages/...').then(m => ({ default: m.Page })))"
+    exit 1
+  fi
+fi
+```
+
+---
+
+## Backend — Entity, Service & Controller Checks
+
+### POST-CHECK 1: Navigation routes must be full paths starting with /
+
+```bash
+# Find all seed data files and check route values
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_FILES" ]; then
+  # Check for short routes (no leading /) in Create() calls for navigation entities
+  BAD_ROUTES=$(grep -Pn 'NavigationApplication\.Create\(|NavigationModule\.Create\(|NavigationSection\.Create\(|NavigationResource\.Create\(' $SEED_FILES | grep -v '"/[a-z]')
+  if [ -n "$BAD_ROUTES" ]; then
+    echo "BLOCKING: Navigation routes must be full paths starting with /"
+    echo "$BAD_ROUTES"
+    echo "Expected: \"/human-resources\" NOT \"humanresources\""
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK 2: Seed data must not use deterministic/sequential/fixed GUIDs
+
+```bash
+SEED_FILES=$(find src/ -path "*/Seeding/Data/*" -name "*.cs" 2>/dev/null)
+if [ -n "$SEED_FILES" ]; then
+  BAD_GUIDS=$(grep -Pn 'GenerateDeterministicGuid|GenerateGuid\(int|11111111-1111-1111-1111-' $SEED_FILES 2>/dev/null)
+  if [ -n "$BAD_GUIDS" ]; then
+    echo "BLOCKING: Seed data must use Guid.NewGuid(), not deterministic/sequential/fixed GUIDs"
+    echo "$BAD_GUIDS"
+    exit 1
+  fi
+fi
+```
+
+## Frontend — CSS, Forms, Components, I18n
+
+### POST-CHECK 3: Translation files must exist for all 4 languages (if frontend)
 
 ```bash
 # Find all i18n namespaces used in tsx files
@@ -117,22 +172,7 @@ if [ -n "$TSX_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 7: Pages must use lazy loading (no static page imports in routes)
-
-```bash
-ROUTE_FILES=$(find src/routes/ -name "*.tsx" -o -name "*.ts" 2>/dev/null)
-if [ -n "$ROUTE_FILES" ]; then
-  STATIC_PAGE_IMPORTS=$(grep -Pn "^import .+ from '@/pages/" $ROUTE_FILES 2>/dev/null)
-  if [ -n "$STATIC_PAGE_IMPORTS" ]; then
-    echo "BLOCKING: Route files must use React.lazy() for page imports, not static imports"
-    echo "$STATIC_PAGE_IMPORTS"
-    echo "Fix: const Page = lazy(() => import('@/pages/...').then(m => ({ default: m.Page })));"
-    exit 1
-  fi
-fi
-```
-
-### POST-CHECK 8: Forms must be full pages with routes — ZERO modals/popups/drawers/slide-overs
+### POST-CHECK 4: Forms must be full pages with routes — ZERO modals/popups/drawers/slide-overs
 
 ```bash
 # Check for modal/dialog/drawer/slide-over imports AND inline form state in page files
@@ -166,7 +206,7 @@ if [ -n "$PAGE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 9: Create/Edit pages must exist as separate route pages (BLOCKING)
+### POST-CHECK 5: Create/Edit pages must exist as separate route pages (BLOCKING)
 
 ```bash
 # For each module with a list page, verify create and edit pages exist
@@ -219,7 +259,7 @@ if [ "$FAIL" = true ]; then
 fi
 ```
 
-### POST-CHECK 10: Form pages must have companion test files
+### POST-CHECK 6: Form pages must have companion test files
 
 ```bash
 # Minimum requirement: if frontend pages exist, at least 1 test file must be present
@@ -248,7 +288,7 @@ if [ -n "$FORM_PAGES" ]; then
 fi
 ```
 
-### POST-CHECK 11: FK fields must use EntityLookup — NO `<input>`, NO `<select>` (BLOCKING)
+### POST-CHECK 7: FK fields must use EntityLookup — NO `<input>`, NO `<select>` (BLOCKING)
 
 ```bash
 # Check ALL page files for FK fields rendered as <input> or <select> instead of EntityLookup
@@ -311,7 +351,7 @@ if [ -n "$ALL_PAGES" ]; then
 fi
 ```
 
-### POST-CHECK 12: Backend APIs must support search parameter for EntityLookup
+### POST-CHECK 8: Backend APIs must support search parameter for EntityLookup
 
 ```bash
 # Check that controller GetAll methods accept search parameter
@@ -330,7 +370,7 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 13: No hardcoded Tailwind colors in generated pages (BLOCKING)
+### POST-CHECK 9: No hardcoded Tailwind colors in generated pages (BLOCKING)
 
 ```bash
 # Scan all page and component files directly (works for uncommitted/untracked files, Windows/WSL compatible)
@@ -360,7 +400,9 @@ if [ -n "$ALL_PAGES" ]; then
 fi
 ```
 
-### POST-CHECK 14: Routes seed data must match frontend application routes
+## Seed Data — Navigation, Roles, Permissions
+
+### POST-CHECK 10: Routes seed data must match frontend application routes
 
 ```bash
 SEED_ROUTES=$(grep -Poh 'Route\s*=\s*"([^"]+)"' $(find src/ -path "*/Seeding/Data/*" -name "*NavigationSeedData.cs" 2>/dev/null) 2>/dev/null | grep -oP '"[^"]+"' | tr -d '"' | sort -u)
@@ -431,24 +473,7 @@ if [ -n "$APP_TSX" ]; then
 fi
 ```
 
-### POST-CHECK 15: HasQueryFilter must not use Guid.Empty (OWASP A01)
-
-```bash
-CONFIG_FILES=$(find src/ -path "*/Configurations/*" -name "*Configuration.cs" 2>/dev/null)
-if [ -n "$CONFIG_FILES" ]; then
-  BAD_FILTERS=$(grep -Pn 'HasQueryFilter.*Guid\.Empty' $CONFIG_FILES 2>/dev/null)
-  if [ -n "$BAD_FILTERS" ]; then
-    echo "BLOCKING (OWASP A01): HasQueryFilter uses Guid.Empty instead of runtime tenant isolation"
-    echo "$BAD_FILTERS"
-    echo ""
-    echo "Anti-pattern: .HasQueryFilter(e => e.TenantId != Guid.Empty)"
-    echo "Fix: Remove HasQueryFilter. Tenant isolation is handled by SmartStack base DbContext"
-    exit 1
-  fi
-fi
-```
-
-### POST-CHECK 16: GetAll methods must return PaginatedResult<T>
+### POST-CHECK 11: GetAll methods must return PaginatedResult<T>
 
 ```bash
 SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
@@ -463,7 +488,7 @@ if [ -n "$SERVICE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 17: i18n files must contain required structural keys
+### POST-CHECK 12: i18n files must contain required structural keys
 
 ```bash
 I18N_DIR="src/i18n/locales/fr"
@@ -484,7 +509,7 @@ if [ -d "$I18N_DIR" ]; then
 fi
 ```
 
-### POST-CHECK 18: Entities must implement IAuditableEntity + Validators must have Create/Update pairs
+### POST-CHECK 13: Entities must implement IAuditableEntity + Validators must have Create/Update pairs
 
 ```bash
 ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null)
@@ -512,9 +537,7 @@ if [ -n "$CREATE_VALIDATORS" ]; then
 fi
 ```
 
-### POST-CHECK 19: (REMOVED — Context level no longer exists in SmartStack navigation hierarchy)
-
-### POST-CHECK 20: RolePermission seed data must NOT use deterministic role GUIDs
+### POST-CHECK 14: RolePermission seed data must NOT use deterministic role GUIDs
 
 ```bash
 # System roles (admin, manager, contributor, viewer) are pre-seeded by SmartStack core.
@@ -545,46 +568,7 @@ if [ -n "$ROLE_PERM_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 21: Services must NOT use TenantId!.Value (null-forgiving crash pattern)
-
-```bash
-# The !.Value pattern on Guid? throws InvalidOperationException (500) instead of clean 401
-SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
-if [ -n "$SERVICE_FILES" ]; then
-  BAD_PATTERN=$(grep -Pn 'TenantId!\s*\.Value|TenantId!\s*\.ToString|\.TenantId!' $SERVICE_FILES 2>/dev/null)
-  if [ -n "$BAD_PATTERN" ]; then
-    echo "BLOCKING: Services use TenantId!.Value — causes 500 instead of 400 when tenant context is missing"
-    echo "$BAD_PATTERN"
-    echo ""
-    echo "Fix: Replace with guard clause at the start of every method:"
-    echo "  var tenantId = _currentTenant.TenantId"
-    echo "      ?? throw new TenantContextRequiredException();"
-    echo ""
-    echo "This produces a clean 400 Bad Request via GlobalExceptionHandlerMiddleware."
-    echo "NEVER use UnauthorizedAccessException for tenant context — it returns 401 which clears the frontend token."
-    exit 1
-  fi
-fi
-
-# POST-CHECK: Services must NOT use UnauthorizedAccessException for tenant context (causes token clearing)
-if [ -n "$SERVICE_FILES" ]; then
-  BAD_UNAUTH=$(grep -Pn 'UnauthorizedAccessException.*[Tt]enant' $SERVICE_FILES 2>/dev/null)
-  if [ -n "$BAD_UNAUTH" ]; then
-    echo "BLOCKING: Services use UnauthorizedAccessException for tenant context — causes 401 which clears the frontend token"
-    echo "$BAD_UNAUTH"
-    echo ""
-    echo "Fix: Replace with:"
-    echo "  var tenantId = _currentTenant.TenantId"
-    echo "      ?? throw new TenantContextRequiredException();"
-    echo ""
-    echo "TenantContextRequiredException returns 400 Bad Request (does not clear token)."
-    echo "UnauthorizedAccessException returns 401 Unauthorized (clears token + redirects to login)."
-    exit 1
-  fi
-fi
-```
-
-### POST-CHECK 22: Cross-tenant entities must use Guid? TenantId
+### POST-CHECK 15: Cross-tenant entities must use Guid? TenantId
 
 ```bash
 for entity in $(find src/ -path "*/Domain/*" -name "*.cs" ! -name "I*.cs" 2>/dev/null); do
@@ -595,10 +579,10 @@ for entity in $(find src/ -path "*/Domain/*" -name "*.cs" ! -name "I*.cs" 2>/dev
     fi
   fi
 done
-echo "POST-CHECK 22: OK"
+echo "POST-CHECK 15: OK"
 ```
 
-### POST-CHECK 23: Scoped entities must have EntityScope property
+### POST-CHECK 16: Scoped entities must have EntityScope property
 
 ```bash
 for entity in $(find src/ -path "*/Domain/*" -name "*.cs" ! -name "I*.cs" 2>/dev/null); do
@@ -609,10 +593,10 @@ for entity in $(find src/ -path "*/Domain/*" -name "*.cs" ! -name "I*.cs" 2>/dev
     fi
   fi
 done
-echo "POST-CHECK 23: OK"
+echo "POST-CHECK 16: OK"
 ```
 
-### POST-CHECK 24: Permissions.cs static constants must exist (BLOCKING)
+### POST-CHECK 17: Permissions.cs static constants must exist (BLOCKING)
 
 ```bash
 # Every module with controllers MUST have a Permissions.cs with static constants
@@ -630,7 +614,7 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 25: ApplicationRolesSeedData.cs must exist (BLOCKING)
+### POST-CHECK 18: ApplicationRolesSeedData.cs must exist (BLOCKING)
 
 ```bash
 # If any RolesSeedData exists, ApplicationRolesSeedData MUST also exist
@@ -668,14 +652,14 @@ if [ -n "$SECTION_SEED_FILES" ] && [ -n "$APP_TSX" ]; then
   done
 fi
 
-# Controllers with section-level [NavRoute] (4 segments) must have matching [RequirePermission]
+# All controllers with [NavRoute] must have matching [RequirePermission]
 CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
 if [ -n "$CTRL_FILES" ]; then
   for f in $CTRL_FILES; do
-    # Match NavRoute with 4 dot-separated segments (section-level)
-    SECTION_NAVROUTE=$(grep -oP 'NavRoute\("[a-z]+\.[a-z]+\.[a-z]+\.[a-z]+"\)' "$f" 2>/dev/null)
+    # Match NavRoute with 2+ dot-separated segments (minimum: app.module)
+    SECTION_NAVROUTE=$(grep -oP 'NavRoute\("[a-z-]+\.[a-z-]+' "$f" 2>/dev/null)
     if [ -n "$SECTION_NAVROUTE" ] && ! grep -q "\[RequirePermission" "$f"; then
-      echo "BLOCKING: Section controller has [NavRoute] but no [RequirePermission]: $f"
+      echo "BLOCKING: Controller has [NavRoute] but no [RequirePermission]: $f"
       echo "Fix: Add [RequirePermission(Permissions.{Section}.{Action})] on each endpoint"
       exit 1
     fi
@@ -690,13 +674,13 @@ if [ -n "$SECTION_SEED_FILES" ] && [ -n "$PERM_FILE" ]; then
     PASCAL=$(echo "$CODE" | sed 's/^./\U&/')
     if ! grep -q "static class $PASCAL" "$PERM_FILE" 2>/dev/null; then
       echo "WARNING: Section '$CODE' in seed data has no matching Permissions.$PASCAL static class"
-      echo "Fix: Add section-level permissions via MCP generate_permissions with 4-segment navRoute"
+      echo "Fix: Add section-level permissions via MCP generate_permissions with 3-segment navRoute (app.module.section)"
     fi
   done
 fi
 ```
 
-### POST-CHECK 26: FORBIDDEN route patterns — /list and /detail/:id (BLOCKING)
+### POST-CHECK 19: FORBIDDEN route patterns — /list and /detail/:id (BLOCKING)
 
 ```bash
 # 1. Check seed data for FORBIDDEN suffixes
@@ -727,7 +711,7 @@ fi
 echo "OK: No forbidden /list or /detail route patterns found"
 ```
 
-### POST-CHECK 27: Permission path segment count (WARNING)
+### POST-CHECK 20: Permission path segment count (WARNING)
 
 ```bash
 PERM_FILES=$(find src/ -path "*/Seeding/Data/*" -name "PermissionsSeedData.cs" 2>/dev/null)
@@ -749,7 +733,7 @@ if [ -n "$PERM_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 28: IClientSeedDataProvider must have 4 methods + DI registration (BLOCKING)
+### POST-CHECK 21: IClientSeedDataProvider must have 4 methods + DI registration (BLOCKING)
 
 ```bash
 PROVIDER=$(find src/ -path "*/Seeding/*SeedDataProvider.cs" 2>/dev/null | head -1)
@@ -779,7 +763,7 @@ if [ -n "$PROVIDER" ]; then
 fi
 ```
 
-### POST-CHECK 29: i18n must use separate JSON files per language (not embedded in index.ts)
+### POST-CHECK 22: i18n must use separate JSON files per language (not embedded in index.ts)
 
 ```bash
 # Translations MUST be in src/i18n/locales/{lang}/{module}.json, NOT embedded in a single .ts file
@@ -829,7 +813,7 @@ if [ -n "$TSX_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 30: Pages must use useTranslation hook (no hardcoded user-facing strings)
+### POST-CHECK 23: Pages must use useTranslation hook (no hardcoded user-facing strings)
 
 ```bash
 # Verify that page components use i18n — detect hardcoded strings in JSX
@@ -858,7 +842,7 @@ if [ -n "$PAGE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 31: List/Detail pages must include DocToggleButton (documentation panel)
+### POST-CHECK 24: List/Detail pages must include DocToggleButton (documentation panel)
 
 ```bash
 # Every list and detail page MUST have DocToggleButton for inline documentation access
@@ -881,7 +865,7 @@ if [ -n "$LIST_PAGES" ]; then
 fi
 ```
 
-### POST-CHECK 32: Module documentation must be generated (doc-data.ts)
+### POST-CHECK 25: Module documentation must be generated (doc-data.ts)
 
 ```bash
 # After frontend pages exist, /documentation should have been called
@@ -894,7 +878,7 @@ if [ -n "$TSX_PAGES" ] && [ -z "$DOC_DATA" ]; then
 fi
 ```
 
-### POST-CHECK 33: Pagination type must be PaginatedResult<T> — no aliases (BLOCKING)
+### POST-CHECK 26: Pagination type must be PaginatedResult<T> — no aliases (BLOCKING)
 
 ```bash
 SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
@@ -912,7 +896,9 @@ if [ -n "$(echo $ALL_FILES | tr -d ' ')" ]; then
 fi
 ```
 
-### POST-CHECK 34: Code generation — ICodeGenerator must be registered for auto-generated entities (BLOCKING)
+## Infrastructure — Migration & Build
+
+### POST-CHECK 27: Code generation — ICodeGenerator must be registered for auto-generated entities (BLOCKING)
 
 ```bash
 # If feature.json has entities with codePattern.strategy != "manual",
@@ -943,7 +929,7 @@ except: pass
 fi
 ```
 
-### POST-CHECK 35: Code regex must support hyphens (BLOCKING)
+### POST-CHECK 28: Code regex must support hyphens (BLOCKING)
 
 ```bash
 VALIDATOR_FILES=$(find src/ -path "*/Validators/*" -name "*Validator.cs" 2>/dev/null)
@@ -958,7 +944,7 @@ if [ -n "$VALIDATOR_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 36: CreateDto must NOT have Code field when service uses ICodeGenerator (WARNING)
+### POST-CHECK 29: CreateDto must NOT have Code field when service uses ICodeGenerator (WARNING)
 
 ```bash
 SERVICE_FILES=$(find src/ -path "*/Services/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
@@ -976,7 +962,7 @@ if [ -n "$SERVICE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 37: Translation seed data must have idempotency guard (BLOCKING)
+### POST-CHECK 30: Translation seed data must have idempotency guard (BLOCKING)
 
 ```bash
 PROVIDER=$(find src/ -path "*/Seeding/*SeedDataProvider.cs" 2>/dev/null | head -1)
@@ -999,16 +985,16 @@ if [ -n "$PROVIDER" ]; then
 fi
 ```
 
-### POST-CHECK 38: Resource seed data must use actual section IDs from DB (BLOCKING)
+### POST-CHECK 31: Resource seed data must use actual section IDs from DB (BLOCKING)
 
 ```bash
 PROVIDER=$(find src/ -path "*/Seeding/*SeedDataProvider.cs" 2>/dev/null | head -1)
 if [ -n "$PROVIDER" ]; then
-  # Check if NavigationResource.Create uses secEntry.Id or resEntry.SectionId (deterministic GUIDs)
+  # Check if NavigationResource.Create uses secEntry.Id or resEntry.SectionId (seed-time GUIDs)
   # instead of actualSection.Id (real DB ID). This causes FK_nav_Resources_nav_Sections_SectionId violation.
   if grep -Pn 'NavigationResource\.Create\(' "$PROVIDER" | grep -q 'resEntry\.SectionId\|secEntry\.Id'; then
-    echo "BLOCKING: Resource seed data uses deterministic GUID as SectionId in $PROVIDER"
-    echo "NavigationSection.Create() generates its own ID — deterministic seed GUIDs do NOT exist in nav_Sections."
+    echo "BLOCKING: Resource seed data uses seed-time GUID as SectionId in $PROVIDER"
+    echo "NavigationSection.Create() generates its own ID — seed-time GUIDs do NOT exist in nav_Sections."
     echo "Fix: Query actual section from DB before creating resources:"
     echo "  var actualSection = await context.NavigationSections"
     echo "      .FirstAsync(s => s.Code == secEntry.Code && s.ModuleId == modEntity.Id, ct);"
@@ -1018,28 +1004,7 @@ if [ -n "$PROVIDER" ]; then
 fi
 ```
 
-### POST-CHECK 39: Controllers must NOT have [Route] alongside [NavRoute] (BLOCKING)
-
-```bash
-# [NavRoute] REPLACES [Route] — it resolves HTTP routes from the navigation DB at startup.
-# Having both is redundant and may cause route conflicts.
-CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
-if [ -n "$CTRL_FILES" ]; then
-  for f in $CTRL_FILES; do
-    HAS_NAVROUTE=$(grep -P '\[NavRoute\(' "$f" 2>/dev/null)
-    HAS_ROUTE=$(grep -P '\[Route\(' "$f" 2>/dev/null)
-    if [ -n "$HAS_NAVROUTE" ] && [ -n "$HAS_ROUTE" ]; then
-      echo "BLOCKING: Controller has both [Route] and [NavRoute] — [NavRoute] replaces [Route]: $f"
-      echo "  Found [NavRoute]: $HAS_NAVROUTE"
-      echo "  Found [Route]:    $HAS_ROUTE"
-      echo "Fix: Remove the [Route(\"api/...\")] attribute. [NavRoute] resolves routes from navigation DB at startup."
-      exit 1
-    fi
-  done
-fi
-```
-
-### POST-CHECK 40: NavRoute segments must use kebab-case for multi-word codes (BLOCKING)
+### POST-CHECK 32: NavRoute segments must use kebab-case for multi-word codes (BLOCKING)
 
 ```bash
 # NavRoute segments are navigation entity Codes joined by dots.
@@ -1078,7 +1043,7 @@ if [ -n "$SEED_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 41: Permission codes must use kebab-case matching NavRoute codes (BLOCKING)
+### POST-CHECK 33: Permission codes must use kebab-case matching NavRoute codes (BLOCKING)
 
 ```bash
 # Permission codes in [RequirePermission] and Permissions.cs MUST use kebab-case for multi-word segments.
@@ -1143,7 +1108,7 @@ if [ -n "$SEED_PERM_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 42: Frontend navigate() calls must have matching route definitions (BLOCKING)
+### POST-CHECK 34: Frontend navigate() calls must have matching route definitions (BLOCKING)
 
 ```bash
 # Detect dead links: navigate() calls to paths that don't have corresponding page components.
@@ -1182,7 +1147,7 @@ if [ -n "$PAGE_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 43: Detail page tabs must NOT navigate() — content switches locally (BLOCKING)
+### POST-CHECK 35: Detail page tabs must NOT navigate() — content switches locally (BLOCKING)
 
 ```bash
 # Tabs on detail pages MUST use local state (setActiveTab) — NEVER navigate() to other pages.
@@ -1223,7 +1188,7 @@ if [ -n "$DETAIL_PAGES" ]; then
 fi
 ```
 
-### POST-CHECK 44: Migration ModelSnapshot must contain ALL entities registered in DbContext (BLOCKING)
+### POST-CHECK 36: Migration ModelSnapshot must contain ALL entities registered in DbContext (BLOCKING)
 
 ```bash
 # Root cause (test-apex-007): 7 entities registered in DbContext but migration only covered 3.
@@ -1258,7 +1223,7 @@ if [ -n "$SNAPSHOT" ] && [ -n "$DBCONTEXT" ]; then
 fi
 ```
 
-### POST-CHECK 45: I18n namespace files must be registered in i18n config (BLOCKING)
+### POST-CHECK 37: I18n namespace files must be registered in i18n config (BLOCKING)
 
 ```bash
 # Root cause (test-apex-007): i18n JSON files existed in src/i18n/locales/ but were never
@@ -1287,7 +1252,7 @@ if [ -n "$I18N_CONFIG" ]; then
 fi
 ```
 
-### POST-CHECK 46: FluentValidation validators must be registered via DI (BLOCKING)
+### POST-CHECK 38: FluentValidation validators must be registered via DI (BLOCKING)
 
 ```bash
 # Root cause (test-apex-007): Validators existed but were never registered in DI.
@@ -1322,7 +1287,7 @@ if [ -n "$VALIDATOR_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 47: Date/date properties in DTOs must use DateOnly, not string (BLOCKING)
+### POST-CHECK 39: Date/date properties in DTOs must use DateOnly, not string (BLOCKING)
 
 ```bash
 # Root cause (test-apex-007): WorkLog DTO had Date property typed as string instead of DateOnly.
@@ -1347,45 +1312,10 @@ if [ -n "$DTO_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 48: NavRoute attribute values must use kebab-case (BLOCKING)
+### POST-CHECK 40: Every module with entities must have a migration covering them (BLOCKING)
 
 ```bash
-# Root cause (test-apex-007): Controllers had [NavRoute("humanresources.employees")]
-# instead of [NavRoute("human-resources.employees")]. This causes route mismatch with
-# seed data and permission codes, resulting in 404s at runtime.
-CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
-if [ -n "$CTRL_FILES" ]; then
-  FAIL=false
-  for f in $CTRL_FILES; do
-    NAVROUTE_VALS=$(grep -oP 'NavRoute\("([^"]+)"' "$f" 2>/dev/null | grep -oP '"[^"]+"' | tr -d '"')
-    for NR in $NAVROUTE_VALS; do
-      # Check each segment for concatenated multi-word without hyphens
-      SEGMENTS=$(echo "$NR" | tr '.' '\n')
-      for SEG in $SEGMENTS; do
-        # Detect segments that look like concatenated words (lowercase, 8+ chars, no hyphens)
-        # Use a simpler heuristic: lowercase-only segment with known multi-word patterns
-        if echo "$SEG" | grep -qP '^[a-z]{8,}$'; then
-          # Additional check: does it contain a known multi-word pattern?
-          if echo "$SEG" | grep -qP '(human|project|leave|client|support|email|time|work|resource)'; then
-            echo "BLOCKING: NavRoute segment '$SEG' in $f appears to be concatenated multi-word without hyphens"
-            echo "  Full NavRoute: $NR"
-            echo "  Fix: Use kebab-case: e.g., 'humanresources' → 'human-resources', 'projectmanagement' → 'project-management'"
-            FAIL=true
-          fi
-        fi
-      done
-    done
-  done
-  if [ "$FAIL" = true ]; then
-    exit 1
-  fi
-fi
-```
-
-### POST-CHECK 49: Every module with entities must have a migration covering them (BLOCKING)
-
-```bash
-# Complementary to POST-CHECK 44 — checks from the entity side.
+# Complementary to POST-CHECK 36 — checks from the entity side.
 # Finds entity .cs files in Domain/ and verifies they appear in at least one migration file.
 ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null | grep -v test)
 MIGRATION_DIR=$(find src/ -path "*/Migrations" -type d 2>/dev/null | head -1)
@@ -1415,7 +1345,7 @@ if [ -n "$ENTITY_FILES" ] && [ -n "$MIGRATION_DIR" ]; then
 fi
 ```
 
-### POST-CHECK 50: Controllers must NOT have both [Route] and [NavRoute] attributes (BLOCKING)
+### POST-CHECK 41: Controllers must NOT have both [Route] and [NavRoute] attributes (BLOCKING)
 
 ```bash
 # Root cause (test-apex-007): All 7 controllers had BOTH [Route("api/...")] and [NavRoute("...")].
@@ -1448,7 +1378,7 @@ if [ -n "$CTRL_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 51: RolesSeedData must map standard role-permission matrix (BLOCKING)
+### POST-CHECK 42: RolesSeedData must map standard role-permission matrix (BLOCKING)
 
 ```bash
 # SmartStack standard role-permission matrix:
@@ -1498,7 +1428,7 @@ if [ -n "$ROLE_SEED_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 52: PermissionAction enum must use valid typed values only (BLOCKING)
+### POST-CHECK 43: PermissionAction enum must use valid typed values only (BLOCKING)
 
 ```bash
 # Valid PermissionAction enum values: Access(0), Read(1), Create(2), Update(3), Delete(4),
@@ -1533,7 +1463,7 @@ if [ -n "$SEED_FILES" ]; then
 fi
 ```
 
-### POST-CHECK 53: Navigation translation completeness — 4 languages per level (BLOCKING)
+### POST-CHECK 44: Navigation translation completeness — 4 languages per level (BLOCKING)
 
 ```bash
 # Every navigation seed data file must provide translations for ALL 4 languages (fr, en, it, de).
@@ -1581,4 +1511,138 @@ if [ -n "$NAV_SEED_FILES" ]; then
 fi
 ```
 
-**If ANY POST-CHECK fails → fix in step-03, re-validate.**
+---
+
+## Architecture — Clean Architecture Layer Isolation
+
+### POST-CHECK A1: Domain must not import other layers (BLOCKING)
+
+```bash
+DOMAIN_FILES=$(find src/ -path "*/Domain/*" -name "*.cs" 2>/dev/null)
+if [ -n "$DOMAIN_FILES" ]; then
+  BAD_IMPORTS=$(grep -Pn 'using\s+[\w.]*\.(Application|Infrastructure|Api)[\w.]*;' $DOMAIN_FILES 2>/dev/null)
+  if [ -n "$BAD_IMPORTS" ]; then
+    echo "BLOCKING: Domain layer imports Application/Infrastructure/Api — violates Clean Architecture"
+    echo "Domain is the core, it must not depend on any other layer"
+    echo "$BAD_IMPORTS"
+    echo "Fix: Move shared types to Domain or remove the dependency"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK A2: Application must not import Infrastructure or Api (BLOCKING)
+
+```bash
+APP_FILES=$(find src/ -path "*/Application/*" -name "*.cs" 2>/dev/null)
+if [ -n "$APP_FILES" ]; then
+  BAD_IMPORTS=$(grep -Pn 'using\s+[\w.]*\.(Infrastructure|Api)[\w.]*;' $APP_FILES 2>/dev/null)
+  if [ -n "$BAD_IMPORTS" ]; then
+    echo "BLOCKING: Application layer imports Infrastructure/Api — violates Clean Architecture"
+    echo "Application defines interfaces, Infrastructure implements them"
+    echo "$BAD_IMPORTS"
+    echo "Fix: Define an interface in Application and implement it in Infrastructure"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK A3: Controllers must not inject DbContext (BLOCKING)
+
+```bash
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  BAD_DBCONTEXT=$(grep -Pn 'private\s+readonly\s+\w*DbContext|DbContext\s+\w+[,)]' $CTRL_FILES 2>/dev/null)
+  if [ -n "$BAD_DBCONTEXT" ]; then
+    echo "BLOCKING: Controller injects DbContext directly — violates Clean Architecture"
+    echo "Controllers must use Application services, not access the database directly"
+    echo "$BAD_DBCONTEXT"
+    echo "Fix: Create an Application service with the required business logic and inject it instead"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK A4: API must return DTOs, not Domain entities (WARNING)
+
+```bash
+# Scan controller return types for Domain entity names without Dto/Response/ViewModel suffix
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+ENTITY_FILES=$(find src/ -path "*/Domain/Entities/*" -name "*.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ] && [ -n "$ENTITY_FILES" ]; then
+  ENTITY_NAMES=$(grep -ohP 'public\s+class\s+(\w+)\s*:' $ENTITY_FILES 2>/dev/null | grep -oP '\w+(?=\s*:)' | grep -v '^public$' | sort -u)
+  for ENTITY in $ENTITY_NAMES; do
+    BAD_RETURN=$(grep -Pn "ActionResult<$ENTITY>|ActionResult<IEnumerable<$ENTITY>>|ActionResult<List<$ENTITY>>" $CTRL_FILES 2>/dev/null)
+    if [ -n "$BAD_RETURN" ]; then
+      echo "WARNING: Controller returns Domain entity '$ENTITY' instead of a DTO"
+      echo "$BAD_RETURN"
+      echo "Fix: Return ${ENTITY}ResponseDto instead of $ENTITY"
+    fi
+  done
+fi
+```
+
+### POST-CHECK A5: Service interfaces in Application, implementations in Infrastructure (WARNING)
+
+```bash
+# Check for service implementations (non-interface classes) in Application or Api layers
+APP_SERVICES=$(find src/ -path "*/Application/*" -name "*Service.cs" ! -name "I*Service.cs" 2>/dev/null)
+if [ -n "$APP_SERVICES" ]; then
+  for f in $APP_SERVICES; do
+    if grep -q 'public class.*Service' "$f" 2>/dev/null; then
+      echo "WARNING: Service implementation found in Application layer: $f"
+      echo "Fix: Move implementation to Infrastructure/Services/. Application should only contain interfaces."
+    fi
+  done
+fi
+
+# Check for service interfaces (I*Service) in Domain or Api layers
+DOMAIN_INTERFACES=$(find src/ -path "*/Domain/*" -name "I*Service.cs" 2>/dev/null)
+API_INTERFACES=$(find src/ -path "*/Api/*" -name "I*Service.cs" 2>/dev/null)
+for f in $DOMAIN_INTERFACES $API_INTERFACES; do
+  if [ -n "$f" ] && grep -q 'public interface.*Service' "$f" 2>/dev/null; then
+    echo "WARNING: Service interface found outside Application layer: $f"
+    echo "Fix: Move to Application/Interfaces/"
+  fi
+done
+```
+
+### POST-CHECK A6: No EF Core attributes in Domain entities (BLOCKING)
+
+```bash
+DOMAIN_FILES=$(find src/ -path "*/Domain/*" -name "*.cs" 2>/dev/null)
+if [ -n "$DOMAIN_FILES" ]; then
+  BAD_EF=$(grep -Pn '\[Table\(|\[Column\(|\[Index\(|using\s+Microsoft\.EntityFrameworkCore' $DOMAIN_FILES 2>/dev/null)
+  if [ -n "$BAD_EF" ]; then
+    echo "BLOCKING: EF Core attributes or using directives found in Domain layer"
+    echo "Domain entities must be persistence-ignorant — EF configuration belongs in Infrastructure"
+    echo "$BAD_EF"
+    echo "Fix: Move [Table], [Column], [Index] to IEntityTypeConfiguration<T> in Infrastructure/Persistence/Configurations/"
+    exit 1
+  fi
+fi
+```
+
+### POST-CHECK A7: No direct repository usage in controllers (WARNING)
+
+```bash
+CTRL_FILES=$(find src/ -path "*/Controllers/*" -name "*Controller.cs" 2>/dev/null)
+if [ -n "$CTRL_FILES" ]; then
+  BAD_REPO=$(grep -Pn 'IRepository<|IGenericRepository<|private\s+readonly\s+IRepository|private\s+readonly\s+IGenericRepository' $CTRL_FILES 2>/dev/null)
+  if [ -n "$BAD_REPO" ]; then
+    echo "WARNING: Controller injects repository directly — should use Application services"
+    echo "$BAD_REPO"
+    echo "Fix: Controllers should depend on Application services (I*Service), not repositories"
+  fi
+fi
+```
+
+---
+
+## Summary
+
+After running all checks above, report the total count:
+- **N BLOCKING** issues must be fixed before committing
+- **M WARNING** issues should be reviewed but are non-blocking
+
+**If ANY POST-CHECK fails → fix in step-06, re-validate.**