@atlashub/smartstack-cli 3.43.0 → 3.45.0

package/templates/skills/apex/references/core-seed-data.md

@@ -11,6 +11,11 @@
 
 ## 1. Parameter Extraction
 
+> **IMPORTANT — `navRoute` in seed data = permission root (2 segments: `app.module`).**
+> This matches the controller `[NavRoute]` attribute for module-level controllers (also 2 segments: `app.module`).
+> The seed data `navRoute` serves as the base for module-level permissions (`navRoute.read`, `navRoute.create`).
+> Section-level permissions extend it: `navRoute.{sectionCode}.read`.
+
 Extract navigation hierarchy from the task's `_seedDataMeta` (populated by guardrail 1e):
 
 ```javascript
@@ -26,7 +31,8 @@ const permissions = coreSeedData.permissions || [];
 const rolePerms = coreSeedData.rolePermissions || [];
 
 // Derived context (from guardrail or PRD)
-const navRoute = meta.navRoute;         // e.g. "human-resources.projects"
+// NOTE: navRoute here = permission root (2 segments), same as module-level controller NavRoute
+const navRoute = meta.navRoute;         // e.g. "human-resources.projects" (permission root)
 const appCode = meta.appCode;           // e.g. "human-resources"
 const moduleCode = task.module;         // e.g. "projects"
 
@@ -41,7 +47,7 @@ if (!navRoute) {
 
 | Variable | Example | Source |
 |----------|---------|--------|
-| `navRoute` | `human-resources.projects` | `_seedDataMeta.navRoute` |
+| `navRoute` | `human-resources.projects` (permission root, 2 segments) | `_seedDataMeta.navRoute` |
 | `appCode` | `human-resources` | `_seedDataMeta.appCode` |
 | `moduleCode` | `projects` | `task.module` |
 | `navModules[]` | `[{code, label, icon, route, translations}]` | `coreSeedData.navigationModules` |
@@ -73,12 +79,9 @@ From `seedDataCore.navigationApplications[0]` in feature.json (generated by BA s
 
 ### GUID Generation Rule
 
-
 ```csharp
-// Deterministic GUID for APPLICATION
-public static readonly Guid ApplicationId =
-    GenerateDeterministicGuid("navigation-application-{appCode}");
-// Example: GenerateDeterministicGuid("navigation-application-human-resources")
+// Random GUID — idempotence handled by Code-based lookups
+public static readonly Guid ApplicationId = Guid.NewGuid();
 ```
 
 ### Template
@@ -95,9 +98,8 @@ namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
 /// </summary>
 public static class NavigationApplicationSeedData
 {
-    // Deterministic GUID for this application
-    public static readonly Guid ApplicationId =
-        GenerateDeterministicGuid("navigation-application-{appCode}");
+    // Random GUID — resolved by Code at runtime for idempotence
+    public static readonly Guid ApplicationId = Guid.NewGuid();
 
     /// <summary>
     /// Returns navigation application entry for seeding into core.nav_Applications.
@@ -161,12 +163,8 @@ public static class NavigationApplicationSeedData
         };
     }
 
-    private static Guid GenerateDeterministicGuid(string seed)
-    {
-        using var sha256 = System.Security.Cryptography.SHA256.Create();
-        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(seed));
-        return new Guid(hash.Take(16).ToArray());
-    }
+    // No deterministic GUID generation — all IDs are random via Guid.NewGuid()
+    // Idempotence is handled by Code-based lookups at runtime
 
     /// <summary>
     /// Converts PascalCase route segments to kebab-case for web URLs.
@@ -222,17 +220,8 @@ public class NavigationApplicationSeedEntry
 ### GUID Generation Rule
 
 ```csharp
-// NEVER use Guid.NewGuid() — ALWAYS deterministic
-private static Guid GenerateDeterministicGuid(string seed)
-{
-    using var sha256 = System.Security.Cryptography.SHA256.Create();
-    var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(seed));
-    return new Guid(hash.Take(16).ToArray());
-}
-
-// Usage: GUIDs are derived from the navigation path
-public static readonly Guid ModuleId = GenerateDeterministicGuid("navigation-module-{navRoute}");
-// Example: GenerateDeterministicGuid("navigation-module-human-resources.projects")
+// ALWAYS use Guid.NewGuid() — avoids conflicts between projects/tenants/environments
+public static readonly Guid ModuleId = Guid.NewGuid();
 ```
 
 ### Template
@@ -248,9 +237,8 @@ namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data.{ModulePascal}
 /// </summary>
 public static class {ModulePascal}NavigationSeedData
 {
-    // Deterministic GUID for this module
-    public static readonly Guid {ModulePascal}ModuleId =
-        GenerateDeterministicGuid("navigation-module-{navRoute}");
+    // Random GUID — resolved by Code at runtime for idempotence
+    public static readonly Guid {ModulePascal}ModuleId = Guid.NewGuid();
 
     /// <summary>
     /// Returns navigation module entry for seeding into core.nav_Modules.
@@ -315,12 +303,7 @@ public static class {ModulePascal}NavigationSeedData
         };
     }
 
-    private static Guid GenerateDeterministicGuid(string seed)
-    {
-        using var sha256 = System.Security.Cryptography.SHA256.Create();
-        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(seed));
-        return new Guid(hash.Take(16).ToArray());
-    }
+    // No deterministic GUID generation — all IDs are random via Guid.NewGuid()
 
     /// <summary>
     /// Converts PascalCase route segments to kebab-case for web URLs.
@@ -390,15 +373,11 @@ public class NavigationTranslationSeedEntry
 ### GUID Generation Rules
 
 ```csharp
-// Section GUID: deterministic from navRoute + section code
-public static readonly Guid {SectionPascal}SectionId =
-    GenerateDeterministicGuid("navigation-section-{navRoute}.{sectionCode}");
-// Example: GenerateDeterministicGuid("navigation-section-human-resources.employees.list")
-
-// Resource GUID: deterministic from navRoute + section code + resource code
-public static readonly Guid {ResourcePascal}ResourceId =
-    GenerateDeterministicGuid("navigation-resource-{navRoute}.{sectionCode}.{resourceCode}");
-// Example: GenerateDeterministicGuid("navigation-resource-human-resources.employees.list.employees-grid")
+// Section GUID: random
+public static readonly Guid {SectionPascal}SectionId = Guid.NewGuid();
+
+// Resource GUID: random
+public static readonly Guid {ResourcePascal}ResourceId = Guid.NewGuid();
 ```
 
 ### Section Methods (add to {ModulePascal}NavigationSeedData.cs)
@@ -413,9 +392,8 @@ public static readonly Guid {ResourcePascal}ResourceId =
 ```csharp
 // --- Add AFTER GetTranslationEntries() in {ModulePascal}NavigationSeedData.cs ---
 
-// Deterministic GUIDs for sections
-public static readonly Guid {Section1Pascal}SectionId =
-    GenerateDeterministicGuid("navigation-section-{navRoute}.{section1Code}");
+// Random GUIDs for sections
+public static readonly Guid {Section1Pascal}SectionId = Guid.NewGuid();
 // Repeat for each section...
 
 /// <summary>
@@ -504,9 +482,8 @@ public static IEnumerable<NavigationTranslationSeedEntry> GetSectionTranslationE
 ```csharp
 // --- Add AFTER GetSectionTranslationEntries() ---
 
-// Deterministic GUIDs for resources
-public static readonly Guid {Resource1Pascal}ResourceId =
-    GenerateDeterministicGuid("navigation-resource-{navRoute}.{parentSectionCode}.{resource1Code}");
+// Random GUIDs for resources
+public static readonly Guid {Resource1Pascal}ResourceId = Guid.NewGuid();
 // Repeat for each resource...
 
 /// <summary>
@@ -660,7 +637,7 @@ Args:
 
 MCP returns:
 - `Permissions.cs` nested class (Application layer constants)
-- Permission seed entries with deterministic GUIDs
+- Permission seed entries with random GUIDs
 
 ### Step B: Write Permissions.cs (Application layer)
 
@@ -699,12 +676,12 @@ namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data.{ModulePascal}
 /// </summary>
 public static class {ModulePascal}PermissionsSeedData
 {
-    // Deterministic GUIDs for permissions
-    public static readonly Guid WildcardPermId = GenerateGuid("{navRoute}.*");
-    public static readonly Guid ReadPermId = GenerateGuid("{navRoute}.read");
-    public static readonly Guid CreatePermId = GenerateGuid("{navRoute}.create");
-    public static readonly Guid UpdatePermId = GenerateGuid("{navRoute}.update");
-    public static readonly Guid DeletePermId = GenerateGuid("{navRoute}.delete");
+    // Random GUIDs for permissions
+    public static readonly Guid WildcardPermId = Guid.NewGuid();
+    public static readonly Guid ReadPermId = Guid.NewGuid();
+    public static readonly Guid CreatePermId = Guid.NewGuid();
+    public static readonly Guid UpdatePermId = Guid.NewGuid();
+    public static readonly Guid DeletePermId = Guid.NewGuid();
 
     public static IEnumerable<PermissionSeedEntry> GetPermissionEntries(Guid moduleId)
     {
@@ -718,12 +695,8 @@ public static class {ModulePascal}PermissionsSeedData
         };
     }
 
-    private static Guid GenerateGuid(string path)
-    {
-        using var sha256 = System.Security.Cryptography.SHA256.Create();
-        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"permission-{path}"));
-        return new Guid(hash.Take(16).ToArray());
-    }
+    // No deterministic GUID generation — all IDs are random via Guid.NewGuid()
+    // Permissions are resolved by Path at runtime, not by fixed GUIDs
 }
 
 public class PermissionSeedEntry
@@ -747,11 +720,11 @@ public class PermissionSeedEntry
 // --- Add to {ModulePascal}PermissionsSeedData class AFTER module-level permissions ---
 
 // Section-level permissions (for each section in navSections[])
-public static readonly Guid {SectionPascal}WildcardPermId = GenerateGuid("{navRoute}.{sectionCode}.*");
-public static readonly Guid {SectionPascal}ReadPermId = GenerateGuid("{navRoute}.{sectionCode}.read");
-public static readonly Guid {SectionPascal}CreatePermId = GenerateGuid("{navRoute}.{sectionCode}.create");
-public static readonly Guid {SectionPascal}UpdatePermId = GenerateGuid("{navRoute}.{sectionCode}.update");
-public static readonly Guid {SectionPascal}DeletePermId = GenerateGuid("{navRoute}.{sectionCode}.delete");
+public static readonly Guid {SectionPascal}WildcardPermId = Guid.NewGuid();
+public static readonly Guid {SectionPascal}ReadPermId = Guid.NewGuid();
+public static readonly Guid {SectionPascal}CreatePermId = Guid.NewGuid();
+public static readonly Guid {SectionPascal}UpdatePermId = Guid.NewGuid();
+public static readonly Guid {SectionPascal}DeletePermId = Guid.NewGuid();
 // Repeat for each section...
 
 // Add to GetPermissionEntries() — AFTER module-level entries:
@@ -807,22 +780,13 @@ Creates the 4 standard application-scoped roles: Admin, Manager, Contributor, Vi
 
 ### GUID Generation Rule
 
-> **WARNING:** These deterministic GUIDs are ONLY used for role creation (if roles don't already exist).
-> They MUST NEVER be used for RolePermission mapping — always look up roles by Code at runtime.
+> **NOTE:** Role GUIDs are random (`Guid.NewGuid()`). Roles are resolved by Code at runtime.
+> RolePermission mapping MUST look up roles by Code, not by GUID.
 
 ```csharp
-// Deterministic GUID from application ID + role type
-// WARNING: Only for role creation. NEVER use these GUIDs for RolePermission mapping.
-// RolePermissions MUST resolve roles by Code at runtime (see SeedRolePermissionsAsync).
-private static Guid GenerateRoleGuid(string roleType)
-{
-    using var sha256 = System.Security.Cryptography.SHA256.Create();
-    var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
-    return new Guid(hash.Take(16).ToArray());
-}
-// FORBIDDEN in RolePermission mapping:
-// var roleId = GenerateRoleGuid("admin");     // WRONG — GUID may not match DB
-// var roleId = DeterministicGuid("role:admin"); // WRONG — use Code lookup instead
+// All role GUIDs are random — ALWAYS resolve roles by Code at runtime
+// FORBIDDEN in RolePermission mapping: hardcoded GUIDs of any kind
+// CORRECT: var role = roles.FirstOrDefault(r => r.Code == "admin");
 ```
 
 ### Template
@@ -839,13 +803,13 @@ namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
 /// </summary>
 public static class ApplicationRolesSeedData
 {
-    // Application ID from NavigationApplicationSeedData (deterministic GUID)
+    // Application ID from NavigationApplicationSeedData
     public static readonly Guid ApplicationId = NavigationApplicationSeedData.ApplicationId;
 
-    public static readonly Guid AdminRoleId = GenerateRoleGuid("admin");
-    public static readonly Guid ManagerRoleId = GenerateRoleGuid("manager");
-    public static readonly Guid ContributorRoleId = GenerateRoleGuid("contributor");
-    public static readonly Guid ViewerRoleId = GenerateRoleGuid("viewer");
+    public static readonly Guid AdminRoleId = Guid.NewGuid();
+    public static readonly Guid ManagerRoleId = Guid.NewGuid();
+    public static readonly Guid ContributorRoleId = Guid.NewGuid();
+    public static readonly Guid ViewerRoleId = Guid.NewGuid();
 
     public static IEnumerable<ApplicationRoleSeedEntry> GetRoleEntries()
     {
@@ -898,12 +862,8 @@ public static class ApplicationRolesSeedData
         };
     }
 
-    private static Guid GenerateRoleGuid(string roleType)
-    {
-        using var sha256 = System.Security.Cryptography.SHA256.Create();
-        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
-        return new Guid(hash.Take(16).ToArray());
-    }
+    // No deterministic GUID generation — all IDs are random via Guid.NewGuid()
+    // Roles are resolved by Code at runtime
 }
 
 public class ApplicationRoleSeedEntry
@@ -1144,7 +1104,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
 
         // --- Resources (idempotent — use ACTUAL section IDs from DB, not deterministic seed IDs) ---
         // CRITICAL: NavigationSection.Create() generates its own ID in DB.
-        // The deterministic GUID from GetSectionEntries() is NOT the actual SectionId.
+        // The GUID from GetSectionEntries() is NOT the actual SectionId in DB.
         // We MUST query the real section by Code+ModuleId to get the actual DB ID,
         // otherwise FK_nav_Resources_nav_Sections_SectionId will fail.
         foreach (var secEntry in {Module1Pascal}NavigationSeedData.GetSectionEntries(mod1Entity.Id))
@@ -1226,7 +1186,7 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
             .AnyAsync(rp => rp.Permission!.Path.StartsWith("{appCode}."), ct);
         if (exists) return;
 
-        // CRITICAL: Resolve roles by Code from DB — NEVER use deterministic GUIDs.
+        // CRITICAL: Resolve roles by Code from DB — NEVER use hardcoded GUIDs.
         // Application-scoped roles (admin, manager, contributor, viewer) are created by
         // SeedRolesAsync() above. System roles use their own IDs that do NOT match
         // DeterministicGuid("role:admin").
@@ -1334,7 +1294,7 @@ Before marking the task as completed, verify ALL:
 - [ ] `ApplicationRolesSeedData.ApplicationId` references `NavigationApplicationSeedData.ApplicationId` (NO `{ApplicationGuid}` placeholder)
 
 **Module-Level:**
-- [ ] Deterministic GUIDs (NEVER `Guid.NewGuid()`) — SHA256 of path
+- [ ] Random GUIDs via `Guid.NewGuid()` (no deterministic/sequential/fixed values)
 - [ ] 4 languages for each navigation entity (fr, en, it, de)
 - [ ] `ApplicationRolesSeedData.cs` created (once per application)
 - [ ] 4 application roles defined: Admin, Manager, Contributor, Viewer
@@ -1398,7 +1358,7 @@ public class {Module}DevDataSeeder : IDevDataSeeder
         {
             new {EntityType}
             {
-                Id = GenerateDeterministicGuid("{entity-type}-{code}"),
+                Id = Guid.NewGuid(),
                 Code = "{code}",
                 Name = "{name}",
                 TenantId = SeedConstants.DefaultTenantId,  // MANDATORY
@@ -1410,12 +1370,7 @@ public class {Module}DevDataSeeder : IDevDataSeeder
         await context.SaveChangesAsync(ct);
     }
 
-    private static Guid GenerateDeterministicGuid(string seed)
-    {
-        using var sha256 = System.Security.Cryptography.SHA256.Create();
-        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(seed));
-        return new Guid(hash.Take(16).ToArray());
-    }
+    // No deterministic GUID generation — all IDs are random via Guid.NewGuid()
 }
 ```