@atlashub/smartstack-cli 3.53.0 → 3.54.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@atlashub/smartstack-cli",
-  "version": "3.53.0",
+  "version": "3.54.0",
   "description": "SmartStack Claude Code automation toolkit - GitFlow, EF Core migrations, prompts and more",
   "author": {
     "name": "SmartStack",

package/templates/skills/apex/references/core-seed-data.md

@@ -1390,3 +1390,29 @@ public class {Module}DevDataSeeder : IDevDataSeeder
 > **Pipeline validation:**
 > - ralph-loop POST-CHECK warns if GUID not found in project config
 > - validate-feature step-05 verifies FK exists in real database via SQL query
+
+---
+
+## DataExportEndpoint Seed Data Pattern
+
+When adding a new export endpoint, add seed data in `DataExportEndpointConfiguration.cs`:
+
+```csharp
+builder.HasData(new {
+    Id = new Guid("{random-guid}"),
+    NavigationApplicationId = NavigationApplicationSeedData.{App}AppId,
+    NavigationModuleId = NavigationModuleSeedData.{Module}ModuleId,
+    Code = "{entity-code}",
+    Name = "{Entity} Export",
+    Description = "Export {entity} data with metadata",
+    RouteTemplate = "/api/v1/export/{entity-code}",
+    RequiredPermission = "{app}.{module}.export",
+    EntityType = "{Entity}",
+    IsActive = true,
+    DefaultRateLimitPerMinute = 60,
+    DefaultMaxPageSize = 1000,
+    CreatedAt = seedDate
+});
+```
+
+Requires matching controller in `Controllers/DataExport/v1/Export{Entity}Controller.cs`.

package/templates/skills/apex/references/smartstack-api.md

@@ -810,6 +810,40 @@ services.AddValidatorsFromAssemblyContaining<Create{Name}DtoValidator>();
 
 ---
 
+## External Application & Data Export Pattern
+
+### Entities
+
+| Entity | Table | Description |
+|--------|-------|-------------|
+| `ExternalApplication` | `auth_ExternalApplications` | Machine-to-machine API account (ClientId, ClientSecret, IsActive, IP whitelist) |
+| `ExternalApplicationRole` | `auth_ExternalApplicationRoles` | Role assignment per app (AppId, RoleId, optional TenantId) |
+| `ExternalApplicationExportAccess` | `auth_ExternalApplicationExportAccesses` | Per-app access to specific export endpoint (IsEnabled, RateLimitPerMinute, MaxPageSize) |
+| `DataExportEndpoint` | `auth_DataExportEndpoints` | Registry of available export APIs (Code, RouteTemplate, RequiredPermission, EntityType) |
+| `ExternalAppAuditLog` | `auth_ExternalAppAuditLogs` | Audit trail for all API calls (Authentication, DataExport actions) |
+
+### Architecture (3-layer security)
+
+1. **Authentication** — JWT assertion signed with ClientSecret → ExternalApplicationAuthService validates → generates SmartStack JWT with permissions resolved via ExternalApplicationRole → Role → RolePermission chain
+2. **Authorization** — RequirePermissionFilter checks JWT claims (e.g., `administration.users.export`)
+3. **Access Control** — DataExportAccessMiddleware verifies per-app endpoint access in ExternalApplicationExportAccess table
+
+### Rate Limiting
+
+ExternalAppRateLimitPolicy resolves limits: app override → endpoint default → 60/min fallback.
+Partition key: `{clientId}:{endpointCode}`.
+
+### Seed Data
+
+DataExportEndpoints are seeded in DataExportEndpointConfiguration.cs with FK to NavigationApplication and NavigationModule. Each endpoint maps to a controller in `Controllers/DataExport/v1/`.
+
+### Controller Pattern
+
+Export controllers: `[Route("api/v1/export")]` + `[RequirePermission]` + `[EnableRateLimiting]`
+Management controllers: `[NavRoute("api.accounts")]` with CustomSegment
+
+---
+
 ## PaginatedResult Pattern
 
 > **Canonical type for ALL paginated responses.** One name, one contract, everywhere.

package/templates/skills/application/references/backend-table-prefix-mapping.md

@@ -19,6 +19,7 @@
 | `support.*` | `support_` | `Support` | Table: `support_Tickets`, Controller: `Controllers/Support/TicketsController.cs` |
 | `*` (business apps) | `ref_` or domain-specific | `{ApplicationPascal}` | Table: `ref_Products`, Controller: `Controllers/Sales/ProductsController.cs` |
 | `myspace.*` | `usr_` | `MySpace` | Table: `usr_Preferences`, Controller: `Controllers/MySpace/PreferencesController.cs` |
+| `api.*` | `auth_` or `ext_` | `Api` | Table: `auth_ExternalApplications`, Controller: `Controllers/Platform/Api/ExternalApplications/` |
 
 ---
 

package/templates/skills/business-analyse/patterns/suggestion-catalog.md

@@ -26,6 +26,7 @@ Suggests companion modules based on primary module type:
 | **Permissions/Security** | permission, role, access, authority, rbac | UserRoles, Groups, Policies, Audit, Delegation | Permission systems need fine-grained control, group policies, and audit trails |
 | **Notifications** | notification, alert, email, message, broadcast | Templates, Channels, Scheduling, Preferences | Notification systems need template management, multi-channel support, scheduling |
 | **Reporting** | report, dashboard, analytics, BI, metrics | Dashboards, Exports, Scheduling, AlertRules | Reporting needs visualization, scheduled distribution, and data export |
+| **API Management / Integrations** | api, external, integration, webhook, export, data-export, machine-to-machine | ExternalApps, DataExportEndpoints, ExportAccess, AuditLogs, ApiKeys | API platforms need app registration, key management, granular endpoint access, rate limiting, and audit logging |
 
 ---
 
@@ -66,6 +67,7 @@ Suggests system integrations based on requirements:
 | **Geographical features** | Maps/Location Service | Spatial data handling | Add section with provider selection, geocoding, distance calculation |
 | **Data synchronization** | Event Bus/Messaging | Async data consistency | Add section with message types, subscription strategy, retry logic |
 | **File storage** | Cloud Storage Integration | Large file handling | Add section with provider selection, access control, cleanup policy |
+| **Machine-to-machine API** | External app, M2M, JWT assertion, API key | Data Export API | Add section with app registration, key generation, endpoint-level access grants, per-app rate limits, and audit log |
 
 ---