@atlashub/smartstack-cli 3.43.0 → 3.45.0

package/templates/skills/apex/steps/step-04-examine.md

@@ -130,14 +130,51 @@ fi
 
 ---
 
-## 4-5. Build & Migration Validation
+## 4. Build Verification
 
-> **Reference:** Load `references/examine-build-validation.md` for detailed procedures:
-> - Build verification (dotnet clean → restore → build + npm typecheck)
-> - Error classification (categories A-F per error-classification.md)
-> - Migration validation (pending changes, SQL Server apply, cleanup)
-> - Integration tests (real SQL Server LocalDB)
-> - Test database management
+```bash
+# Backend
+dotnet clean && dotnet restore && dotnet build
+# Note: WSL bin\Debug cleanup handled by PostToolUse hook (wsl-dotnet-cleanup.sh)
+
+# Frontend (if applicable)
+npm run typecheck
+```
+
+**BLOCKING:** Both must pass. If failure, classify error per `references/error-classification.md` (categories A-F).
+
+---
+
+## 5. Migration Validation (if needs_migration)
+
+```bash
+INFRA_PROJECT=$(ls src/*Infrastructure*/*.csproj 2>/dev/null | head -1)
+API_PROJECT=$(ls src/*Api*/*.csproj 2>/dev/null | head -1)
+
+# Pending model changes check (BLOCKING if pending)
+dotnet ef migrations has-pending-model-changes \
+  --project "$INFRA_PROJECT" \
+  --startup-project "$API_PROJECT"
+
+# Migration application test (SQL Server LocalDB)
+DB_NAME="SmartStack_Apex_Examine_$(date +%s)"
+CONN_STRING="Server=(localdb)\\MSSQLLocalDB;Database=$DB_NAME;Integrated Security=true;TrustServerCertificate=true;Connect Timeout=120;"
+dotnet ef database update \
+  --connection "$CONN_STRING" \
+  --project "$INFRA_PROJECT" \
+  --startup-project "$API_PROJECT"
+
+# Integration tests on real SQL Server (if project exists)
+INT_TEST_PROJECT=$(ls tests/*Tests.Integration*/*.csproj 2>/dev/null | head -1)
+if [ -n "$INT_TEST_PROJECT" ]; then
+  dotnet test "$INT_TEST_PROJECT" --no-build --verbosity normal
+fi
+
+# Cleanup
+sqlcmd -S "(localdb)\MSSQLLocalDB" -Q "IF DB_ID('$DB_NAME') IS NOT NULL BEGIN ALTER DATABASE [$DB_NAME] SET SINGLE_USER WITH ROLLBACK IMMEDIATE; DROP DATABASE [$DB_NAME]; END" 2>/dev/null
+```
+
+**BLOCKING** if migration fails on SQL Server (common: SQLite-only syntax, column type mismatches, missing FK targets).
 
 ---
 
@@ -145,11 +182,11 @@ fi
 
 | File | Checks |
 |------|--------|
-| NavigationApplicationSeedData | MUST be first, deterministic GUID for application (NOT for context — context is looked up by code), 4 lang translations |
-| ApplicationRolesSeedData | 4 roles (admin, manager, contributor, viewer), deterministic GUIDs, references NavigationApplicationSeedData.ApplicationId |
-| NavigationModuleSeedData | Deterministic GUIDs (SHA256), 4 languages (fr, en, it, de), GetModuleEntry + GetTranslationEntries |
-| ↳ Section methods (same file) | (conditional: if sections exist) GetSectionEntries + GetSectionTranslationEntries, 4 languages, deterministic GUIDs, query actual module from DB for FK |
-| ↳ Resource methods (same file) | (conditional: if resources exist) GetResourceEntries + resource translations, 4 languages, deterministic GUIDs, query actual section from DB for FK |
+| NavigationApplicationSeedData | MUST be first, random GUID via Guid.NewGuid() (resolved by Code at runtime), 4 lang translations |
+| ApplicationRolesSeedData | 4 roles (admin, manager, contributor, viewer), random GUIDs, references NavigationApplicationSeedData.ApplicationId |
+| NavigationModuleSeedData | Random GUIDs (`Guid.NewGuid()`), 4 languages (fr, en, it, de), GetModuleEntry + GetTranslationEntries |
+| ↳ Section methods (same file) | (conditional: if sections exist) GetSectionEntries + GetSectionTranslationEntries, 4 languages, random GUIDs, query actual module from DB for FK |
+| ↳ Resource methods (same file) | (conditional: if resources exist) GetResourceEntries + resource translations, 4 languages, random GUIDs, query actual section from DB for FK |
 | Permissions.cs | Static constants class with `public static class {Module} { Read, Create, Update, Delete }`, paths match PermissionsSeedData |
 | PermissionsSeedData | MCP generate_permissions used, paths match Permissions.cs, wildcard + CRUD |
 | RolesSeedData | Admin=wildcard(*), Manager=CRU, Contributor=CR, Viewer=R. Role-permission entries reference permission paths from PermissionsSeedData |
@@ -160,7 +197,10 @@ fi
 
 ## 6b. BLOCKING POST-CHECKs
 
-Load and execute all checks from `references/post-checks.md`.
+> **MCP FIRST:** Run `validate_conventions`, `validate_security`, and `validate_frontend_routes` before bash checks.
+> These 3 MCP tools cover ~10 additional checks automatically.
+
+Load and execute all checks from `references/post-checks.md` (6 security defense-in-depth + 44 convention checks).
 
 **If ANY POST-CHECK fails → fix in step-03, re-validate.**
 
@@ -193,18 +233,18 @@ AC2: {criterion} → PASS / FAIL (evidence: {file:line or test})
 | DB tests | Integration tests on SQL Server | PASS / N/A |
 | Frontend | routes, lazy loading, forms as pages, i18n (4 langs + keys) | PASS / N/A |
 | Security | TenantId filter, RequirePermission, no Guid.Empty, no !.Value | PASS / N/A |
-| Seed data | completeness, deterministic GUIDs, no ContextId/RoleId constants | PASS / N/A |
+| Seed data | completeness, random GUIDs (Guid.NewGuid()), no ContextId/RoleId constants | PASS / N/A |
 | Code quality | PaginatedResult, EntityLookup (no FK select/input), CSS vars, search param | PASS / N/A |
-| Migration completeness | ModelSnapshot covers ALL DbSet entities (POST-CHECK 44, 49) | PASS / N/A |
-| NavRoute kebab-case | NavRoute + permissions use kebab-case (POST-CHECK 48) | PASS / N/A |
-| DateOnly DTOs | Date fields use DateOnly not string (POST-CHECK 47) | PASS / N/A |
-| I18n registration | Namespaces registered in i18n config (POST-CHECK 45) | PASS / N/A |
-| Validators DI | FluentValidation registered in DI (POST-CHECK 46) | PASS / N/A |
-| Route/NavRoute conflict | No [Route] alongside [NavRoute] on controllers (POST-CHECK 50) | PASS / N/A |
-| Role-permission matrix | Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R (POST-CHECK 51) | PASS / N/A |
-| PermissionAction enum | No Enum.Parse, only typed enum values 0-10 (POST-CHECK 52) | PASS / N/A |
-| Navigation translations | 4 langs per level, section/resource translations present (POST-CHECK 53) | PASS / N/A |
-| POST-CHECKs | 53 checks from references/post-checks.md | PASS / N/A |
+| Migration completeness | ModelSnapshot covers ALL DbSet entities (POST-CHECK 36, 40) | PASS / N/A |
+| NavRoute kebab-case | NavRoute + permissions use kebab-case (POST-CHECK 32) | PASS / N/A |
+| DateOnly DTOs | Date fields use DateOnly not string (POST-CHECK 39) | PASS / N/A |
+| I18n registration | Namespaces registered in i18n config (POST-CHECK 37) | PASS / N/A |
+| Validators DI | FluentValidation registered in DI (POST-CHECK 38) | PASS / N/A |
+| Route/NavRoute conflict | No [Route] alongside [NavRoute] on controllers (POST-CHECK 41) | PASS / N/A |
+| Role-permission matrix | Admin=wildcard, Manager=CRU, Contributor=CR, Viewer=R (POST-CHECK 42) | PASS / N/A |
+| PermissionAction enum | No Enum.Parse, only typed enum values 0-10 (POST-CHECK 43) | PASS / N/A |
+| Navigation translations | 4 langs per level, section/resource translations present (POST-CHECK 44) | PASS / N/A |
+| POST-CHECKs | 3 MCP tools + 50 bash checks (6 security + 44 convention) | PASS / N/A |
 | Acceptance criteria | AC1..ACn | {X}/{Y} PASS |
 ```
 

package/templates/skills/apex/steps/step-05-deep-review.md

@@ -54,7 +54,7 @@ For each changed file, check:
 - [ ] Frontend in correct hierarchy (App/Module)
 
 **SmartStack conventions:**
-- [ ] Deterministic GUIDs in seed data (not Guid.NewGuid())
+- [ ] Random GUIDs in seed data via Guid.NewGuid() (no deterministic/sequential/fixed)
 - [ ] 4 languages in translations
 - [ ] CSS variables (not hardcoded colors)
 - [ ] SmartTable/SmartForm (not raw HTML tables/forms)

package/templates/skills/apex/steps/step-08-run-tests.md

@@ -24,10 +24,25 @@ dotnet build --no-restore
 
 ---
 
-## 2. Run Full Test Suite
+## 2. Run Full Test Suite (backend + frontend in parallel)
 
 ```bash
-dotnet test --no-build --verbosity normal
+# Run backend and frontend tests in parallel when both exist
+WEB_DIR=$(find . -name "vitest.config.ts" -not -path "*/node_modules/*" -exec dirname {} \; 2>/dev/null | head -1)
+
+if [ -n "$WEB_DIR" ]; then
+  # Both exist → run in parallel
+  dotnet test --no-build --verbosity normal &
+  BACKEND_PID=$!
+  (cd "$WEB_DIR" && npm run test) &
+  FRONTEND_PID=$!
+  wait $BACKEND_PID; BACKEND_RC=$?
+  wait $FRONTEND_PID; FRONTEND_RC=$?
+  [ $BACKEND_RC -ne 0 ] || [ $FRONTEND_RC -ne 0 ] && echo "FAILURES DETECTED"
+else
+  # Backend only
+  dotnet test --no-build --verbosity normal
+fi
 ```
 
 ---
@@ -86,22 +101,15 @@ questions:
 
 ---
 
-## 5. Frontend Tests + Typecheck (if applicable)
+## 5. Typecheck (if applicable)
 
-```bash
-# Run frontend tests first
-WEB_DIR=$(find . -name "vitest.config.ts" -not -path "*/node_modules/*" -exec dirname {} \; 2>/dev/null | head -1)
-if [ -n "$WEB_DIR" ]; then
-  cd "$WEB_DIR"
-  npm run test
-  cd -
-fi
+> **Note:** Frontend tests already ran in parallel with backend tests in section 2.
 
-# Then typecheck
+```bash
 npm run typecheck
 ```
 
-**BOTH MUST PASS.** If frontend tests fail, apply the same fix loop as backend (fix CODE, not tests, max 5 iterations).
+**MUST PASS.** If frontend tests failed in section 2, apply the same fix loop as backend (fix CODE, not tests, max 5 iterations).
 
 ---
 

package/templates/skills/application/references/application-roles-template.md

@@ -22,7 +22,7 @@ var role = roles.FirstOrDefault(r => r.Code == mapping.RoleCode);  // "admin", "
 
 ## Solution: Application Roles Seed Data
 
-Create application-scoped roles with deterministic GUIDs and valid `Code` values.
+Create application-scoped roles with random GUIDs (`Guid.NewGuid()`) and valid `Code` values.
 
 ---
 
@@ -48,14 +48,13 @@ namespace {BaseNamespace}.Infrastructure.Persistence.Seeding.Data;
 /// </summary>
 public static class ApplicationRolesSeedData
 {
-    // Deterministic GUIDs for application roles
-    // Generated from: "role-{applicationId}-{roleType}"
+    // Random GUIDs — idempotence is handled by Code-based lookups, not fixed IDs
     public static readonly Guid ApplicationId = NavigationApplicationSeedData.ApplicationId;
 
-    public static readonly Guid AdminRoleId = GenerateRoleGuid("admin");
-    public static readonly Guid ManagerRoleId = GenerateRoleGuid("manager");
-    public static readonly Guid ContributorRoleId = GenerateRoleGuid("contributor");
-    public static readonly Guid ViewerRoleId = GenerateRoleGuid("viewer");
+    public static readonly Guid AdminRoleId = Guid.NewGuid();
+    public static readonly Guid ManagerRoleId = Guid.NewGuid();
+    public static readonly Guid ContributorRoleId = Guid.NewGuid();
+    public static readonly Guid ViewerRoleId = Guid.NewGuid();
 
     /// <summary>
     /// Returns application-scoped role entries for seeding into core.auth_Roles.
@@ -111,12 +110,8 @@ public static class ApplicationRolesSeedData
         };
     }
 
-    private static Guid GenerateRoleGuid(string roleType)
-    {
-        using var sha256 = System.Security.Cryptography.SHA256.Create();
-        var hash = sha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes($"role-{ApplicationId}-{roleType}"));
-        return new Guid(hash.Take(16).ToArray());
-    }
+    // No deterministic GUID generation — all IDs are random via Guid.NewGuid()
+    // Roles are resolved by Code at runtime, not by fixed GUIDs
 }
 
 /// <summary>Seed entry DTO for application role.</summary>
@@ -141,7 +136,7 @@ public class ApplicationRoleSeedEntry
 |-------------|-------------|---------|
 | `{BaseNamespace}` | Root namespace of the client project | `SmartStack.Modules.RessourcesHumaines` |
 | `{AppLabel}` | Human-readable application label (EN) | `Human Resources` |
-| `ApplicationId` | Deterministic GUID from `NavigationApplicationSeedData.ApplicationId` — NO placeholder needed | Auto-resolved |
+| `ApplicationId` | From `NavigationApplicationSeedData.ApplicationId` — resolved at runtime via Code lookup | Auto-resolved |
 
 ---
 
@@ -194,7 +189,7 @@ public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
 Before marking the task as completed, verify:
 
 - [ ] `ApplicationRolesSeedData.cs` created in `Infrastructure/Persistence/Seeding/Data/`
-- [ ] Deterministic GUIDs used (NEVER `Guid.NewGuid()`)
+- [ ] Random GUIDs used via `Guid.NewGuid()` (no deterministic/sequential/fixed values)
 - [ ] 4 roles defined: Admin, Manager, Contributor, Viewer
 - [ ] Each role has a valid `Code` value ("admin", "manager", "contributor", "viewer")
 - [ ] Each role has `ApplicationId` set to the application GUID

package/templates/skills/application/references/backend-entity-seeding.md

@@ -8,16 +8,17 @@
 
 Follow SmartStack.app pattern:
 - Static class with `internal static IEnumerable<{EntityName}SeedItem> GetAll{EntityName}s()`
-- Use deterministic GUIDs (NEVER `Guid.NewGuid()`)
+- ALWAYS use `Guid.NewGuid()` — avoids conflicts between projects/tenants/environments
+- Idempotence is handled by `AnyAsync()` checks (by Code/Name), NOT by fixed IDs
 - Include 3-5 sample entities with varied, realistic data
 - For multi-tenant: organize by tenant using `GetTenant1{EntityName}s()` helpers
 
 ```csharp
 public static class {EntityName}SeedData
 {
-    public static readonly Guid Sample1Id = Guid.Parse("...");
-    public static readonly Guid Sample2Id = Guid.Parse("...");
-    public static readonly Guid Sample3Id = Guid.Parse("...");
+    public static readonly Guid Sample1Id = Guid.NewGuid();
+    public static readonly Guid Sample2Id = Guid.NewGuid();
+    public static readonly Guid Sample3Id = Guid.NewGuid();
 
     internal static IEnumerable<{EntityName}SeedItem> GetAll{EntityName}s()
     {
@@ -59,7 +60,7 @@ private async Task Seed{EntityName}sAsync(CancellationToken cancellationToken)
     foreach (var seedItem in {EntityName}SeedData.GetAll{EntityName}s())
     {
         var entity = {EntityName}.Create(/* map seedItem properties */);
-        typeof({EntityName}).GetProperty("Id")?.SetValue(entity, seedItem.Id);
+        // Factory method generates a random GUID — no need to override
         _context.{EntityName}s.Add(entity);
         createdCount++;
     }

package/templates/skills/application/references/backend-seeding-and-dto-output.md

@@ -23,7 +23,7 @@ questions:
 **If user selects YES:**
 
 See [references/backend-entity-seeding.md](../references/backend-entity-seeding.md) for the full seeding pattern:
-1. **SeedData file** (`{EntityName}SeedData.cs`) — static class with deterministic GUIDs, 3-5 samples
+1. **SeedData file** (`{EntityName}SeedData.cs`) — static class with `Guid.NewGuid()`, 3-5 samples
 2. **DevDataSeeder update** — add `Seed{EntityName}sAsync()` method with idempotent check
 
 **If user selects NO:**

package/templates/skills/application/references/nav-fallback-procedure.md

@@ -16,11 +16,10 @@
    Glob: **/Persistence/Configurations/Navigation/Navigation*Configuration.cs
    ```
 
-2. **Read NavigationTranslationConfiguration.cs** - Find the last GUID index:
+2. **Read NavigationTranslationConfiguration.cs** - Check existing translations:
    ```
-   Search for: the last call to GenerateGuid(index++)
-   The index variable starts at 1 and increments per translation entry.
-   Your new translations MUST continue from the next index value.
+   All translation IDs use Guid.NewGuid() — no sequence to track.
+   Just verify no duplicate EntityType+EntityId+LanguageCode combinations.
    ```
 
 3. **Read Navigation{Level}Configuration.cs** - Check existing entities:
@@ -51,18 +50,16 @@ Read the parent SeedData class and find the GUID matching `{parent_path}`.
 
 ## F3. Generate Navigation Entity GUID
 
-Generate a deterministic GUID for the new navigation entity:
+Generate a random GUID for the new navigation entity:
 
 ```csharp
-// Use SHA256 hash of the full_path for deterministic generation
-using var sha256 = System.Security.Cryptography.SHA256.Create();
-var hash = sha256.ComputeHash(Encoding.UTF8.GetBytes("navigation-{level}-{full_path}"));
-var guid = new Guid(hash.Take(16).ToArray());
+// ALWAYS use Guid.NewGuid() — avoids conflicts between projects/tenants/environments
+var guid = Guid.NewGuid();
 ```
 
 **Rules:**
-- NEVER use `Guid.NewGuid()`
-- Read existing SeedData GUIDs to verify no collision
+- ALWAYS use `Guid.NewGuid()` — no deterministic, no sequential, no fixed values
+- Idempotence is handled by Code-based lookups, not by fixed IDs
 - Store result as `{navigation_guid}`
 
 ## F4. Write Navigation Entity Seed
@@ -128,7 +125,7 @@ Add 4 translation entries to `NavigationTranslationConfiguration.cs`:
 
 // {level}: {code} translations
 translations.Add(new {
-    Id = GenerateGuid(index++),
+    Id = Guid.NewGuid(),
     EntityType = NavigationEntityType.{Level},
     EntityId = Navigation{Level}SeedData.{PascalCode}Id,  // or Guid.Parse("{navigation_guid}")
     LanguageCode = "fr",
@@ -137,7 +134,7 @@ translations.Add(new {
     CreatedAt = seedDate
 });
 translations.Add(new {
-    Id = GenerateGuid(index++),
+    Id = Guid.NewGuid(),
     EntityType = NavigationEntityType.{Level},
     EntityId = Navigation{Level}SeedData.{PascalCode}Id,
     LanguageCode = "en",
@@ -146,7 +143,7 @@ translations.Add(new {
     CreatedAt = seedDate
 });
 translations.Add(new {
-    Id = GenerateGuid(index++),
+    Id = Guid.NewGuid(),
     EntityType = NavigationEntityType.{Level},
     EntityId = Navigation{Level}SeedData.{PascalCode}Id,
     LanguageCode = "it",
@@ -155,7 +152,7 @@ translations.Add(new {
     CreatedAt = seedDate
 });
 translations.Add(new {
-    Id = GenerateGuid(index++),
+    Id = Guid.NewGuid(),
     EntityType = NavigationEntityType.{Level},
     EntityId = Navigation{Level}SeedData.{PascalCode}Id,
     LanguageCode = "de",
@@ -175,9 +172,9 @@ translations.Add(new {
 ## F7. Validation Checklist
 
 Before proceeding, verify:
-- [ ] Deterministic GUID generated (not NewGuid())
+- [ ] Random GUID generated via Guid.NewGuid()
 - [ ] 4 languages present (fr, en, it, de)
-- [ ] Translation index continues existing sequence (no gaps, no collisions)
+- [ ] No duplicate EntityType+EntityId+LanguageCode combinations
 - [ ] Parent GUID correctly references existing entity
 - [ ] Route path matches `/{app}/{module}` pattern
 - [ ] DisplayOrder is consistent with existing entities

package/templates/skills/application/references/provider-template.md

@@ -86,11 +86,11 @@ public class {AppPascalName}SeedDataProvider : IClientSeedDataProvider
         //     t => t.EntityId == secEntry.Id && t.EntityType == NavigationEntityType.Section, ct))
 
         // --- Resources (idempotent — use ACTUAL section IDs from DB) ---
-        // CRITICAL: NavigationSection.Create() generates its own ID. Deterministic seed GUIDs
-        // do NOT match actual SectionId in DB → FK_nav_Resources_nav_Sections_SectionId violation.
-        // MUST query actual section: var actualSection = await context.NavigationSections
+        // CRITICAL: NavigationSection.Create() generates its own random ID.
+        // MUST query actual section from DB to get real ID for FK references:
+        // var actualSection = await context.NavigationSections
         //     .FirstAsync(s => s.Code == secEntry.Code && s.ModuleId == modEntity.Id, ct);
-        // Then use actualSection.Id (NOT secEntry.Id) for NavigationResource.Create() and AnyAsync
+        // Then use actualSection.Id for NavigationResource.Create() and AnyAsync
     }
 
     public async Task SeedRolesAsync(ICoreDbContext context, CancellationToken ct)
@@ -172,6 +172,6 @@ services.AddScoped<IClientSeedDataProvider, {AppPascalName}SeedDataProvider>();
 3. **Translation guard pattern**: `if (!await context.NavigationTranslations.AnyAsync(t => t.EntityId == {id} && t.EntityType == ..., ct))` — MANDATORY before every translation batch insert
 4. **SaveChangesAsync per group**: Navigation → save → Roles → save → Permissions → save → RolePermissions → save
 4. **Execution order**: `SeedRolesAsync()` MUST be called BEFORE `SeedRolePermissionsAsync()` (roles must exist before mapping)
-5. **Deterministic GUIDs**: Use IDs from SeedData classes (not `Guid.NewGuid()`)
+5. **Random GUIDs**: ALWAYS use `Guid.NewGuid()` — resolve FKs by Code lookup, not fixed IDs
 6. **Resolve FK by Code**: Parent modules and roles are found by `Code`, not hardcoded GUID
 7. **Order property**: Use `100` as default. If multiple providers exist, they run in Order sequence

package/templates/skills/application/references/roles-client-project-handling.md

@@ -15,7 +15,7 @@
 See [references/application-roles-template.md](../references/application-roles-template.md) for the complete template.
 
 **Key requirements:**
-- Deterministic GUIDs based on `role-{applicationId}-{roleType}`
+- Random GUIDs via `Guid.NewGuid()` — roles are resolved by Code at runtime
 - 4 roles: Admin, Manager, Contributor, Viewer
 - Each role has a valid `Code` property ("admin", "manager", "contributor", "viewer")
 - `ApplicationId` references the navigation application GUID

package/templates/skills/application/references/roles-fallback-procedure.md

@@ -24,26 +24,21 @@ Read the file to determine:
 
 | Role | GUID |
 |------|------|
-| SuperAdmin | `11111111-1111-1111-1111-111111111111` |
-| PlatformAdmin | `22222222-2222-2222-2222-222222222222` |
-| TenantAdmin | `33333333-3333-3333-3333-333333333333` |
-| StandardUser | `44444444-4444-4444-4444-444444444444` |
+| SuperAdmin | Resolved by Code at runtime (NEVER hardcoded) |
+| PlatformAdmin | Resolved by Code at runtime (NEVER hardcoded) |
+| TenantAdmin | Resolved by Code at runtime (NEVER hardcoded) |
+| StandardUser | Resolved by Code at runtime (NEVER hardcoded) |
 
 **IMPORTANT:** Read the actual `RoleSeedData.cs` or `RoleConfiguration.cs` in the target project to confirm the actual role GUIDs. The above are defaults; the project may use different values.
 
-**Application-scoped roles** (deterministic GUIDs based on application):
+**Application-scoped roles** (resolved by Code at runtime):
 
 ```csharp
-// Read the existing GenerateDeterministicGuid method in RolePermissionConfiguration.cs
-// Typically uses MD5 hash:
-private static Guid GenerateDeterministicGuid(Guid applicationId, string roleType)
-{
-    using var md5 = System.Security.Cryptography.MD5.Create();
-    var input = $"{applicationId}-{roleType}";
-    var hash = md5.ComputeHash(System.Text.Encoding.UTF8.GetBytes(input));
-    return new Guid(hash);
-}
-// roleType values: "admin", "manager", "contributor", "viewer"
+// ALWAYS resolve roles by Code at runtime — NEVER use deterministic/hardcoded GUIDs
+// Role IDs are generated via Guid.NewGuid() at seed time
+// Lookups use:
+var role = await context.Roles.FirstOrDefaultAsync(r => r.Code == "admin", ct);
+// roleCode values: "admin", "manager", "contributor", "viewer"
 ```
 
 Find the `applicationId` from `NavigationApplicationSeedData.cs` matching `{full_path}`.

package/templates/skills/application/steps/step-01-navigation.md

@@ -141,7 +141,7 @@ The SeedData files will be consumed by the `IClientSeedDataProvider` generated a
 See [references/nav-fallback-procedure.md](../references/nav-fallback-procedure.md) for the complete 8-step fallback:
 - **F1:** Read existing Configuration/SeedData files to determine state
 - **F2:** Determine parent GUID by level
-- **F3:** Generate deterministic GUID (SHA256, never NewGuid())
+- **F3:** Generate random GUID via Guid.NewGuid()
 - **F4:** Write navigation entity seed (SeedData class or inline HasData)
 - **F5:** Write 4 translation entries (continue existing index sequence)
 - **F6-F8:** Store result, validation checklist, summary

package/templates/skills/application/steps/step-02-permissions.md

@@ -63,7 +63,7 @@ Args:
 The tool returns:
 - Permissions.cs nested class structure
 - PermissionConfiguration.cs HasData() entries
-- Deterministic GUIDs for each permission
+- Random GUIDs via Guid.NewGuid() for each permission
 
 ### 4. Present Permissions.cs Output
 
@@ -130,7 +130,7 @@ Write it as usual.
 Instead, create:
 - `Infrastructure/Persistence/Seeding/Data/{Domain}/{Module}PermissionSeedData.cs`
 
-Content: static class with deterministic GUIDs and method `GetPermissionEntries()`.
+Content: static class with `Guid.NewGuid()` and method `GetPermissionEntries()`.
 These entries will be consumed by the `IClientSeedDataProvider` at step 03b.
 
 ### 4. Store Permission GUIDs
@@ -179,7 +179,7 @@ If MCP call fails:
 - MCP generate_permissions called successfully
 - Permissions.cs code displayed
 - PermissionConfiguration.cs HasData displayed
-- Deterministic GUIDs (not placeholders)
+- Random GUIDs via Guid.NewGuid() (not placeholders, not deterministic)
 - Permission GUIDs stored for role assignment
 - Proceeded to step-03-roles.md
 

package/templates/skills/application/steps/step-03b-provider.md

@@ -84,6 +84,7 @@ Adapt the template:
 - Replace `{app_code}` with the kebab-case application code
 - Fill in the actual navigation, permission, and role-permission creation logic
   using the helper methods from the SeedData classes
+- **CRITICAL:** Follow the 7 critical rules: factory methods, idempotence, execution order, SaveChangesAsync order, random GUIDs via Guid.NewGuid(), FK by Code, Order property
 
 ### 3. Register in DI